mitre-attack / car
Cyber Analytics Repository
License: Apache License 2.0
Right now the per-technique table of CAR analytics is buried under the main table (/analytics) so we should consider moving it to its own page.
For our analytics list, we should add the ability to view the latest analytics, either as a new table or converting the current table into a sortable representation.
We should add a current_working_directory field to the Process object model, which captures the absolute path to the current working directory of the process.
Field | Description | Example |
---|---|---|
current_working_directory | The current working directory string contains the absolute path to the current working directory of the process. | c:\windows\system32\ |
Current working directory is associated with UAC Bypass.
We should add a parent_command_line field to the Process object model, which captures the command line used to spawn its parent process. Sometimes having the parent process/image is not enough, and we need the full command line in order to write effective analytics.
Field | Description | Example |
---|---|---|
parent_command_line | The parent command line string contains all arguments passed to the parent process upon execution. | c:\\windows\\system32\\dism.exe foo.xml |
Parent command line is associated with UAC Bypass.
Describe what your analytic does and how it does it. A description is required.
Describe what ATT&CK techniques your analytic covers. This is required. Add as many rows as necessary
Technique | Level of Coverage |
---|---|
technique_name | Moderate |
The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).
Optionally, one or more command lines or other actions that can be taken to test this analytic.
Elements from the CAR data model that are required for this analytic. This is required.
Object | Action | Field |
---|---|---|
object_name | action_name | field_name |
Insert your DCO signoff here, e.g. "DCO signed-off-by: Joe Smith [email protected]"
We're missing the markdown for the HTTP data model object (the current URL yields a 404).
Right now it's tricky to understand the full set of fields available in a YAML CAR analytic, so we should create and maintain a template that describes this.
We should map our analytics to existing open datasets (e.g., Splunk BOTS) so that we can give users an easy way to find example data of true positives.
An API (Application Programming Interface) is a set of functions and procedures that allows applications to be created which access the features or data of an operating system, application, or other service. It will likely return data in JSON or XML.
Action | Description |
---|---|
create | The action corresponds to the creation of new data. |
delete | The action corresponds to the deletion of existing data. |
update | The action corresponds to the modification of existing data parameters or values. |
read | The action corresponds to the accessing of the data. |
Field | Description | Example |
---|---|---|
auth_token | The user authentication token of an API. Applicable to the user session and will persist until logout occurs. | 4ercs243-retr34t-3refer5 |
api_key | The API key used to generate an authentication token or to access the content of the user's data. | 453hdsgqdsk243kfd |
 | create | delete | update | read |
---|---|---|---|---|
auth_token | | | | |
api_key | | | | |
The proposed change is to extend the Process data model to include environment variables set for a process at the time of execution. This could be included as a field in the Process model.
The justification is to monitor for process injection via LD_PRELOAD environment variables. A sample analytic for this would be:
SELECT
  process_envs.pid AS source_process_id,
  process_envs.key AS environment_variable_key,
  process_envs.value AS environment_variable_value,
  processes.name AS source_process,
  processes.path AS file_path,
  processes.cmdline AS source_process_commandline,
  processes.cwd AS current_working_directory,
  'T1055' AS event_attack_id,
  'Process Injection' AS event_attack_technique,
  'Defense Evasion, Privilege Escalation' AS event_attack_tactic
FROM process_envs JOIN processes USING (pid)
WHERE process_envs.key = 'LD_PRELOAD';
We should add a search feature to the website to make it easier to find specific analytics etc.
The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking "Create dump file". This saves a dump file to disk with the process's name in the file name.
This requires filesystem data to determine whether files have been created.
Technique | Level of Coverage |
---|---|
Credential Dumping | Moderate |
The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).
files = search File:Create
lsass_dump = filter files where (
file_name = "lsass*.dmp" and
image_path = "C:\Windows\*\taskmgr.exe")
index=__your_sysmon_index__ EventCode=11 TargetFilename="*lsass*.dmp" Image="C:\\Windows\\*\\taskmgr.exe"
file where file_name == "lsass*.dmp" and process_name == "taskmgr.exe"
Launch Task Manager as a privileged user, select lsass.exe, and select "Create dump file".
Elements from the CAR data model that are required for this analytic. This is required.
Object | Action | Field |
---|---|---|
file | create | file_name |
file | create | image_path |
DCO signed-off-by: Tony M Lambert [email protected]
We should add an integrity_level field to the Process object model, which is part of Windows' Mandatory Integrity Control.
Field | Description | Example |
---|---|---|
integrity_level | The Windows integrity level associated with the process. Must be one of: low, medium, high, or system. | high |
Integrity level is a key field associated with UAC Bypass.
This is great; thanks for releasing it, but I'm running into a zeek/bzar compatibility issue. Bzar loads successfully for me on zeek 2.5.5, but after an upgrade to v2.6.1, I'm getting type and redef errors like:
error in /opt/bro/share/bro/base/bif/plugins/./Bro_DCE_RPC.events.bif.bro, line 125 and /opt/bro/share/bro/bzar/./bzar_dce-rpc.bro, line 224: incompatible types (event(c:connection; fid:count; ctx_id:count; opnum:count; stub_len:count;) and event(c:connection; fid:count; opnum:count; stub_len:count;))
error in /opt/bro/share/bro/bzar/./bzar_smb.bro, line 39: "redef" used but not previously defined (SMB::write_cmd_log)
error in /opt/bro/share/bro/base/bif/plugins/./Bro_SMB.smb2_com_create.bif.bro, line 17 and /opt/bro/share/bro/bzar/./bzar_smb.bro, line 252: incompatible types (event(c:connection; hdr:SMB2::Header; request:SMB2::CreateRequest;) and event(c:connection; hdr:SMB2::Header; name:string;))
That's not a complete list, but I don't know broscript (zeekscript?) well enough to attempt a fix and get it running on the later version. I also see a deprecation warning:
warning in /opt/bro/share/bro/policy/protocols/smb/load.bro, line 1: deprecated script loaded from /opt/bro/share/bro/bzar/./main.bro:10 "Use '@load base/protocols/smb' instead"
FWIW, this is on SecurityOnion, but I don't think it's specific to that platform's zeek installation. That makes duplicating this issue easy, though, as you can boot the SecurityOnion ISO in live mode to test it out.
Fix name of field for thread ID in Module.yaml
Lines 40 to 45 in 94cb682
We should develop a YAML format for capturing our sensor coverage, so it doesn't have to be done in MD/HTML.
The text of the Pseudocode section does not match. The System and Security events are backwards.
Pseudocode
[THIS SECTION IS WRONG]
When an eventlog is cleared, a new event is created that alerts that the eventlog was cleared. For System logs, it's event code 104. For Security logs, it is event code 1100 and 1102.
{the System logs are 1100 and 1102 while the Security logs are 104}
[THIS SECTION IS CORRECT]
([log_name] == "System" and [event_code] in [1100, 1102]) or
([log_name] == "Security" and [event_code] == 104)
The Sysinternals ProcDump utility may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name.
Technique | Level of Coverage |
---|---|
Credential Dumping | Moderate |
The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).
processes = search Process:Create
procdump_lsass = filter processes where (
exe = "procdump*.exe" and
command_line = "*lsass*")
index=__your_sysmon_index__ EventCode=1 Image="*\\procdump*.exe" CommandLine="*lsass*"
process where subtype.create and
process_name == "procdump*.exe" and command_line == "*lsass*"
procdump.exe -ma lsass.exe lsass_dump
Elements from the CAR data model that are required for this analytic. This is required.
Object | Action | Field |
---|---|---|
process | create | exe |
process | create | command_line |
DCO signed-off-by: Tony M Lambert [email protected]
Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source UACME tool.
Technique | Level of Coverage |
---|---|
Bypass User Account Control | Medium |
Language: Splunk
Data Model: Sysmon Native
index=_your_sysmon_index_ EventCode=1 IntegrityLevel=High
| search (ParentCommandLine="\"c:\\windows\\system32\\dism.exe\"*""*.xml" AND Image!="c:\\users\\*\\appdata\\local\\temp\\*\\dismhost.exe")
    OR ParentImage=c:\\windows\\system32\\fodhelper.exe
    OR (CommandLine="\"c:\\windows\\system32\\wusa.exe\"*/quiet*" AND User!=NOT_TRANSLATED AND CurrentDirectory=c:\\windows\\system32\\ AND ParentImage!=c:\\windows\\explorer.exe)
    OR CommandLine="*.exe\"*cleanmgr.exe /autoclean*"
    OR (ParentImage="c:\\windows\\*dccw.exe" AND Image!="c:\\windows\\system32\\cttune.exe")
    OR Image="c:\\program files\\windows media player\\osk.exe"
    OR ParentImage="c:\\windows\\system32\\slui.exe"
| eval PossibleTechniques=case(
    like(lower(ParentCommandLine),"%c:\\windows\\system32\\dism.exe%"), "UACME #23",
    like(lower(Image),"c:\\program files\\windows media player\\osk.exe"), "UACME #32",
    like(lower(ParentImage),"c:\\windows\\system32\\fodhelper.exe"), "UACME #33",
    like(lower(CommandLine),"%.exe\"%cleanmgr.exe /autoclean%"), "UACME #34",
    like(lower(Image),"c:\\windows\\system32\\wusa.exe"), "UACME #36",
    like(lower(ParentImage),"c:\\windows\\%dccw.exe"), "UACME #37",
    like(lower(ParentImage),"c:\\windows\\system32\\slui.exe"), "UACME #45")
Using UACME:
akagi64.exe 23
akagi64.exe 32
akagi64.exe 33
akagi64.exe 34
akagi64.exe 36
akagi64.exe 37
akagi64.exe 45
Object | Action | Field |
---|---|---|
process | create | image_path |
process | create | parent_image_path |
process | create | integrity_level |
process | create | user |
process | create | parent_command_line |
DCO signed-off-by: Ivan Kirillov [email protected]
Right now our ATT&CK Coverage is purely based on how well an analytic covers an entire Tactic/Technique pair. This is useful to get a general sense of how applicable an analytic is, but has its limitations:
This analytic is inspired by the excellent post from Red Canary available here.
Windows Services often need this level of privilege for system management. Client management and deployment products often use SYSTEM to allow software installations. Security software often uses SYSTEM to peer into the activity of other users on a system, a use case that also appeals to adversaries. When using SYSTEM, an adversary can monitor and manipulate data from any other user on that local computer. While this account doesn't allow an adversary network access to log on to other computers, it does allow the adversary to execute credential access attacks against files and memory on a computer to compromise credentials for network access. This is commonly seen with attacks that use tools like Mimikatz. In the really unfortunate cases where adversaries gain access to the SYSTEM account on Active Directory domain controllers, they can grab credentials for any users within the domain and manipulate Active Directory to add accounts for themselves.
This is why many offensive security tools include a command named getsystem or similar. These commands make those tools try one or more things to elevate privileges to that SYSTEM account so the adversary can own everything on the victim host.
Technique | Level of Coverage |
---|---|
Abuse Elevation Control Mechanism | Moderate |
Object | Action | Field |
---|---|---|
process | create | command_line |
process | create | exe |
With process monitoring, hunt for processes matching these criteria:
- Parent process: services.exe
- Process: cmd.exe
- Command line includes: echo AND \pipe\
Examples:
cmd.exe /c echo ba80ae80df9 > \\.\pipe\66bee3
cmd.exe /c echo fvxens > \\.\pipe\fvxens
The second GetSystem method uses rundll32.exe and a few hardcoded command line options to execute a DLL for privilege escalation. Thankfully, the command line options are consistent and appear similar to this:
rundll32.exe C:\Users\user\AppData\Local\Temp\fvxens.dll,a /p:fvxens
As with named pipe impersonation, you can use process monitoring to hunt for this. Look for processes matching these criteria:
- Process: rundll32.exe
- Command line includes: ,a /p:
Example:
cmd.exe /C start %COMSPEC% /C "timeout /t 3 >nul&&echo TestSVC > \\.\pipe\TestSVC"
- Process: cmd.exe OR %COMSPEC%
- Command line includes: echo AND \pipe\
Meterpreter and Cobalt Strike:
(
index=__your_sysmon_index__
ParentImage="C:\\Windows\\System32\\services.exe"
Image="C:\\Windows\\System32\\cmd.exe"
(CommandLine="*echo*" AND CommandLine="*\\pipe\\*")
) OR (
index=__your_sysmon_index__
Image="C:\\Windows\\System32\\rundll32.exe"
CommandLine="*,a /p:*"
)
Empire and PoshC2:
index=__your_sysmon_index__
(Image="C:\\Windows\\System32\\cmd.exe" OR CommandLine="*%COMSPEC%*")
(CommandLine="*echo*" AND CommandLine="*\\pipe\\*")
https://car.mitre.org/data_model/file
timestomp is really just a specific type of modify action as described.
"The event corresponding to the modification of a file or its metadata."
How granular is the data model supposed to get with subsets of actions and activity?
IMO it doesn't make sense to have a subset of another action at the same level.
It should be able to be modeled as a graph structure, with specific subset of actions under the main action.
Example:
car/analytics/CAR-2014-11-007.yaml
Line 16 in 8edc8a8
Because of the trailing slash redirect, the link becomes https://car.mitre.org/analytics/CAR-2014-11-007/CAR-2014-05-001
instead of https://car.mitre.org/analytics/CAR-2014-05-001
Noob question -
I see Splunk, EQL, DNIF, etc in Implementations section of Analytics.
Can I contribute to adding queries for LogPoint SIEM as LogPoint has extensive support for the ATT&CK framework.
Detection of the creation of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode. The SafeDllSearchMode key, if set to 0, disables the Windows safe DLL search order mechanism.
Technique | Level of Coverage |
---|---|
Hijack Execution Flow: DLL Search Order Hijacking | Moderate |
Modify Registry | Moderate |
(("reg " AND "add" AND "/d") OR ("Set-ItemProperty" AND "-value")) AND ("Session Manager" AND "SafeDllSearchMode")
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /d 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager" -Name SafeDllSearchMode -Value 0
Object | Action | Field |
---|---|---|
process | create | command_line |
DCO signed-off-by: Lucas Heiligenstein [email protected]
There are a few cases where ATT&CK technique names and tactic alignments are wrong, either because of errors or because they were written against a previous version of ATT&CK.
At least one example via Twitter:
We should try to tag all of our analytics with the most applicable verb from D3fend, such as "process lineage analysis".
CAR-2020-11-001 has duplicated definition for 'd3fend_mappings'.
If you want I can do a pull request from forked repo with this modification:
CAR-2015-07-001 is missing the coverage section and the associated Tactics/Techniques. Not a big deal, I can code around the "key error" from my YAML parser but figured others would have similar issues.
We should look into developing/leveraging Jupyter notebooks for CAR visualizations. Maybe something we can do instead of CARET?
Adversaries sometimes modify object access rights at the operating system level. There may be different motivations behind this action. Sometimes they do not want some files/objects on systems to be persistent and provide admin-only rights, and sometimes they want the files to be accessible with lower levels of permissions.
For Windows environments the logs may seem too noisy; analysts should take the following into consideration:
- We need to exclude events generated by the local system (subject security ID "NT AUTHORITY\SYSTEM") and focus on actual users.
- When a permission modification is made to a folder, a new event log is generated for each subfolder and file under that folder. It is advised to group logs based on handle ID or user ID.
- The Windows log (event ID 4670) also includes the process that modifies permissions. It is advised to focus on uncommon process names; it is uncommon for real users to perform this task without the GUI.
Technique | Level of Coverage |
---|---|
File Permissions Modification(https://attack.mitre.org/techniques/T1222/) | Moderate |
For Windows:
EventID: 4670 and
Object Type: File and
Subject Security ID not "NT AUTHORITY\SYSTEM"
For Linux/Mac:
terminal commands with chmod in them.
For Windows:
right-click any file and change permissions under Properties,
or execute the following command:
icacls "C:\<fileName>" /grant <user>:F
For Linux/Mac:
chmod 777 "fileName"
Object | Action | Field |
---|---|---|
file | modify | permissions |
DCO signed-off-by: Meric Degirmenci [email protected]
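The three Windows considerations in the submission above (drop SYSTEM-generated events, collapse the per-subfolder burst by grouping, and look at which process made the change) can be applied in a few lines before the events ever reach an analyst. The following is an added example, not the submitter's or the CAR project's code, that runs those rules over constructed 4670 events; the event field names follow the 4670 XML schema (SubjectUserSid, SubjectLogonId, ObjectType, ProcessName, ObjectName), and the list of "common" permission-editing processes is an assumption for the example.

```python
"""Added example (not CAR project code): applying the three noise-reduction rules
from the file-permission analytic above to constructed Windows 4670 events."""
from collections import defaultdict

# Processes from which interactive users normally change permissions (explorer.exe
# is the GUI Properties dialog). This set is an assumption for the example; tune it.
COMMON_PERMISSION_EDITORS = {"explorer.exe", "mmc.exe"}

def summarize_4670(events):
    """Keep File objects changed by real users (not NT AUTHORITY\\SYSTEM), collapse the
    per-subfolder burst by (user, logon id, process), and mark uncommon processes."""
    groups = defaultdict(list)
    for e in events:
        if e["EventID"] != 4670 or e["ObjectType"] != "File":
            continue
        if e["SubjectUserSid"] == "S-1-5-18":      # well-known SID of NT AUTHORITY\SYSTEM
            continue
        key = (e["SubjectUserName"], e["SubjectLogonId"], e["ProcessName"])
        groups[key].append(e["ObjectName"])
    summary = []
    for (user, logon_id, process), objects in groups.items():
        exe = process.rsplit("\\", 1)[-1].lower()
        summary.append({
            "user": user, "logon_id": logon_id, "process": process,
            "objects_changed": len(objects),
            "uncommon_process": exe not in COMMON_PERMISSION_EDITORS,
        })
    return summary

# Constructed 4670 events (not real logs): a subfolder burst from one icacls run,
# one GUI change, one SYSTEM-generated event and one registry-key event to drop.
SAMPLE_4670 = [
    *[{"EventID": 4670, "ObjectType": "File", "SubjectUserSid": "S-1-5-21-1-2-3-1001",
       "SubjectUserName": "alice", "SubjectLogonId": "0x3e7a1",
       "ProcessName": "C:\\Windows\\System32\\icacls.exe",
       "ObjectName": "C:\\Shares\\Finance\\%d.xlsx" % i} for i in range(5)],
    {"EventID": 4670, "ObjectType": "File", "SubjectUserSid": "S-1-5-21-1-2-3-1002",
     "SubjectUserName": "bob", "SubjectLogonId": "0x5c210",
     "ProcessName": "C:\\Windows\\explorer.exe", "ObjectName": "C:\\Users\\bob\\notes.txt"},
    {"EventID": 4670, "ObjectType": "File", "SubjectUserSid": "S-1-5-18",
     "SubjectUserName": "SYSTEM", "SubjectLogonId": "0x3e7",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe", "ObjectName": "C:\\Windows\\Temp\\x"},
    {"EventID": 4670, "ObjectType": "Key", "SubjectUserSid": "S-1-5-21-1-2-3-1001",
     "SubjectUserName": "alice", "SubjectLogonId": "0x3e7a1",
     "ProcessName": "C:\\Windows\\regedit.exe", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\x"},
]

if __name__ == "__main__":
    for row in summarize_4670(SAMPLE_4670):
        print(row)
```

Grouping by the logon ID rather than only the user name keeps two sessions of the same account apart, which matters when one of them is the adversary's.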
Web shells usually perform post-exploitation activities, such as host/network discovery, through commands issued to command line interpreters spawned directly from the web server application, which is visible when we review the related process tree. The nature of encrypted web traffic makes detection at the network level harder; moreover, some web shells also obfuscate their commands to complicate analysis based on GET parameters, or pass them only in POST requests, whose content is rarely fully logged. Hence, analysis at the endpoint level is a good option to deal with these difficulties inherent in many environments. Even though the spawning of processes from the web server is not malicious by definition, some process trees are uncommon and should be reviewed to determine why they were created and whether there is malicious intent behind them.
Technique | Reference | Level of Coverage |
---|---|---|
Web Shell | https://attack.mitre.org/techniques/T1505/003/ | High |
Observation: I put High since we have very few events across a huge set of Windows Servers. From this small set of servers, some FPs were encountered because, for some reason, some apps do that spawning in a benign way.
parent_exe IN ("*w3wp.exe", "*httpd.exe", "*tomcat*.exe") AND exe IN ("*cmd.exe", "*powershell.exe", "*net.exe", "*whoami.exe", "*hostname.exe", "*systeminfo.exe", "*ipconfig.exe")
PS: tomcat*.exe is to cover any Tomcat process variant. In some cases I also include java.exe as a parent process to cover some WebSphere scenarios, but when I do that some FPs occur; at your discretion, MITRE fellows :). Please feel free to contact me if some change is needed.
Best, Nichols.
We need to create a script to automate the generation of the MD data model files from the YAML. Right now it's a manual process.
Squiblydoo is a specific usage of regsvr32.exe to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It can be seen by looking for regsvr32.exe executions that load scrobj.dll (which executes the COM scriptlet) or, if that is too noisy, those that also load content directly via HTTP or HTTPS.
Squiblydoo was first written up by Casey Smith at Red Canary, though that blog post is no longer accessible.
Technique | Level of Coverage |
---|---|
Regsvr32 | Low |
This looks for any and all usage of the scrobj DLL, which is what is used to run COM scriptlets, so it'll detect both loading from network as well as filesystem. This will have almost zero false positives so is suitable for alerting.
Language: Splunk
Data Model: Sysmon
index=__your_sysmon_events__ EventCode=1 regsvr32.exe scrobj.dll | search Image="*regsvr32.exe"
The Atomic Red Team test for Squiblydoo is a good test case for this.
Object | Action | Field |
---|---|---|
process | create | exe |
process | create | command_line |
As usual, credit to Roberto Rodriguez and the ThreatHunter Playbook.
DCO signed-off-by: John Wunder [email protected]
We should add an ATT&CK Navigator layer with links that take you to all of the analytics for a specific technique. This might need to done in conjunction with #67.
The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching ntdsutil.exe as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation and specifying a folder path. This process will create a copy of the Active Directory database, ntds.dit, in the specified folder path.
This requires filesystem data to determine whether files have been created.
Technique | Level of Coverage |
---|---|
Credential Dumping | Moderate |
The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).
files = search File:Create
ntds_dump = filter files where (
file_name = "ntds.dit" and
image_path = "*ntdsutil.exe")
index=__your_sysmon_index__ EventCode=11 TargetFilename="*ntds.dit" Image="*ntdsutil.exe"
file where file_name == "ntds.dit" and process_name == "ntdsutil.exe"
ntdsutil.exe "ac i ntds" "ifm" "create full c:\temp" q q
Elements from the CAR data model that are required for this analytic. This is required.
Object | Action | Field |
---|---|---|
file | create | file_name |
file | create | image_path |
DCO signed-off-by: Tony M Lambert [email protected]
Masquerading (T1036) is defined by MITRE ATT&CK as follows:
Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exe, svchost.exe, ...).
There are several sub-techniques, but this analytic focuses on Match Legitimate Name or Location only.
Technique | Sub-Technique | Level of Coverage |
---|---|---|
Masquerading | Match Legitimate Name or Location | Moderate |
Object | Action | Field |
---|---|---|
process | create | command_line |
process | create | exe |
With process monitoring, hunt for processes matching these criteria:
- Process name: svchost.exe, smss.exe, wininit.exe, taskhost.exe, ...
- Process path: not C:\Windows\System32\ or C:\Windows\SysWow64\
Examples:
C:\Users\administrator\svchost.exe
To make sure the rule doesn't miss cases where the executable is started from a sub-folder of these locations, the entire process path is checked. The example below should be considered suspicious:
C:\Windows\System32\srv\svchost.exe
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND (
(process_name=svchost.exe AND NOT (process_path="C:\\Windows\\System32\\svchost.exe" OR process_path="C:\\Windows\\SysWow64\\svchost.exe"))
OR (process_name=smss.exe AND NOT process_path="C:\\Windows\\System32\\smss.exe")
OR (process_name=wininit.exe AND NOT process_path="C:\\Windows\\System32\\wininit.exe")
OR (process_name=taskhost.exe AND NOT process_path="C:\\Windows\\System32\\taskhost.exe")
OR (process_name=lsass.exe AND NOT process_path="C:\\Windows\\System32\\lsass.exe")
OR (process_name=winlogon.exe AND NOT process_path="C:\\Windows\\System32\\winlogon.exe")
OR (process_name=csrss.exe AND NOT process_path="C:\\Windows\\System32\\csrss.exe")
OR (process_name=services.exe AND NOT process_path="C:\\Windows\\System32\\services.exe")
OR (process_name=lsm.exe AND NOT process_path="C:\\Windows\\System32\\lsm.exe")
OR (process_name=explorer.exe AND NOT process_path="C:\\Windows\\explorer.exe")
)
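The check the analytic above describes (a watched system binary name whose directory is not the expected one, with sub-folders of System32 counting as wrong) is easy to get subtly wrong with substring matching. The following is an added example, not part of the submission or of the CAR project, that implements it over process paths: the path is normalised first, so ".." segments and forward slashes cannot be used to dodge the comparison, and the directory is compared whole rather than as a prefix. The expected locations are taken from the Splunk search above; the sample paths are constructed.

```python
"""Added example (not CAR project code): flagging Windows system binaries that run
from a location other than the one the masquerading analytic above expects."""
import ntpath

# Expected directories per binary name, taken from the Splunk search on this page.
# Lookups are lower-cased because NTFS paths are case-insensitive.
EXPECTED_LOCATIONS = {
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "smss.exe": {"c:\\windows\\system32"},
    "wininit.exe": {"c:\\windows\\system32"},
    "taskhost.exe": {"c:\\windows\\system32"},
    "lsass.exe": {"c:\\windows\\system32"},
    "winlogon.exe": {"c:\\windows\\system32"},
    "csrss.exe": {"c:\\windows\\system32"},
    "services.exe": {"c:\\windows\\system32"},
    "lsm.exe": {"c:\\windows\\system32"},
    "explorer.exe": {"c:\\windows"},
}

def is_masquerading(process_path):
    """True if the file name is a watched system binary and its (normalised)
    directory is not one of the expected directories. A sub-folder such as
    C:\\Windows\\System32\\srv is a different directory, so it is flagged too."""
    directory, name = ntpath.split(ntpath.normpath(process_path))
    expected = EXPECTED_LOCATIONS.get(name.lower())
    if expected is None:
        return False          # not a name we watch
    return directory.lower() not in expected

# Constructed process paths (not real telemetry).
SAMPLES = [
    "C:\\Windows\\System32\\svchost.exe",         # legitimate
    "C:\\Windows\\SysWOW64\\svchost.exe",         # legitimate 32-bit host
    "C:\\Users\\administrator\\svchost.exe",      # example from the analytic
    "C:\\Windows\\System32\\srv\\svchost.exe",    # sub-folder case the analytic warns about
    "C:\\Windows\\System32\\..\\Temp\\lsass.exe", # ".." normalises to C:\Windows\Temp
    "C:\\Windows\\explorer.exe",                  # legitimate
    "C:\\Windows\\System32\\explorer.exe",        # wrong directory for explorer.exe
    "C:\\Program Files\\Vendor\\agent.exe",       # unwatched name, never flagged
]

def suspicious(paths=SAMPLES):
    """Subset of paths the check flags, in input order."""
    return [p for p in paths if is_masquerading(p)]

if __name__ == "__main__":
    for p in suspicious():
        print("suspicious:", p)
```

Using ntpath rather than os.path keeps the example correct when it is run on a Linux SIEM host, which is where most of this matching actually happens.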
We should update the ATT&CK navigator layer for sub-techniques, now that they've been incorporated into CAR.
We should create a new top-level page for car.mitre.org that better describes BZAR.
Flags the modification of the "Authentication Packages" value under the "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" key. Attackers may append malicious DLL names (without extension) to the key. These DLLs need to be placed in "%WINDIR%\System32" and will be loaded by the lsass process at boot to achieve persistence.
References:
https://attack.mitre.org/techniques/T1547/002/
https://github.com/persistence-info/persistence-info.github.io/blob/main/Data/authenticationpackages.md
https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
Technique | Level of Coverage |
---|---|
T1547.002 | Moderate |
LSA Authentication Package Registry Modification (Pseudocode, CAR)
This search detects modifications of the registry key value via registry events.
reg_keys = search Registry:value_edit
lsa_authpackage_reg_key = filter reg_keys where (
  key = "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" and
  value = "Authentication Packages")
output lsa_authpackage_reg_key
Splunk Search - Modification of LSA Authentication Packages key value (Splunk)
event_id=13 TargetObject="HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages"
(Requires Atomic Red Team) https://github.com/redcanaryco/atomic-red-team
Invoke-AtomicTest -TestGuids be2590e8-4ac3-47ac-b4b5-945820f2fbe9
Elements from the CAR data model that are required for this analytic. This is required.
Object | Action | Field |
---|---|---|
Registry | value_edit | key |
Registry | value_edit | value |
DCO signed-off-by: Thomas de Brelaz [email protected]
Now that Splunk is publishing their security content analytics on GitHub, we should add them to our coverage comparison page.
https://github.com/splunk/security_content/tree/develop/detections
Credential dumpers like Mimikatz can be loaded into memory and from there read data from other processes. This analytic looks for instances where processes are requesting specific permissions to read parts of the LSASS process in order to detect when credential dumping is occurring. One weakness is that all current implementations are "overtuned" to look for common access patterns used by Mimikatz.
Technique | Level of Coverage |
---|---|
Credential Dumping | Low |
This is specific to the way Mimikatz works currently, and thus is fragile to both future updates and non-default configurations of Mimikatz.
Language: Splunk
Data Model: Sysmon Native
index=__your_sysmon_data__ EventCode=10
TargetImage="C:\\WINDOWS\\system32\\lsass.exe"
(GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)
CallTrace="C:\\windows\\SYSTEM32\\ntdll.dll+*|C:\\windows\\System32\\KERNELBASE.dll+20edd|UNKNOWN(*)"
| table _time hostname user SourceImage GrantedAccess
This is an outlier version of the above without including the specific call trace. This should work in more (but not all) situations however runs more slowly and will have more false positives - typically installers.
Language: Splunk
Data Model: Sysmon Native
earliest=-d@d latest=now() index=__your_sysmon_data__
EventCode=10
TargetImage="C:\\WINDOWS\\system32\\lsass.exe"
(GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)
| search NOT [ search earliest=-7d@d latest=-2d@d index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)
| dedup SourceImage
| fields SourceImage ]
| table _time hostname user SourceImage GrantedAccess
This requires information about process access, e.g. Sysmon Event ID 10. That currently doesn't have a CAR data model mapping.
Analytic developed by Sean Whitley @ MITRE, received his permission to post these two implementations.
Credit to Cyb3rWard0g, dim0x69 (blog.3or.de), and Mark Russinovich for providing much of the information used to construct these analytics.
https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/attack_matrix/windows/credential_access/credential_dumping/mimikatz_inmem.md
DCO signed-off-by: John Wunder [email protected]
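The two searches above match five literal GrantedAccess values, which is exactly the "overtuned" weakness the submission admits to. A practitioner usually wants to see what those masks mean, and the second search's subsearch-based baselining is easier to reason about once written out. The following is an added example, not the submitter's or the CAR project's code, that decodes the Sysmon Event ID 10 GrantedAccess mask with the process access-right constants from winnt.h, flags any LSASS open that includes PROCESS_VM_READ (so it goes beyond the five listed masks, and will also catch 0x1FFFFF, PROCESS_ALL_ACCESS), and applies the same first-seen filter on SourceImage that the second search implements with "search NOT [ ... dedup SourceImage ]". The events are constructed.

```python
"""Added example (not CAR project code): decoding Sysmon EID 10 GrantedAccess and
first-seen baselining of processes that open lsass.exe with memory-read rights."""

# Process access rights from winnt.h (standard values, not assumptions).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF   # Windows Vista and later

def decode_access(mask):
    """Names of the individual rights set in a GrantedAccess mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]

def reads_lsass_memory(event):
    """Reading credentials out of LSASS needs PROCESS_VM_READ; every mask in the
    Splunk searches above (0x1410, 0x1010, 0x1438, 0x143a, 0x1418) contains it."""
    return (event["TargetImage"].lower().endswith("\\lsass.exe")
            and bool(event["GrantedAccess"] & PROCESS_VM_READ))

def new_source_images(today, baseline):
    """First-seen filter: events from today whose SourceImage never opened LSASS
    with read rights during the baseline window."""
    seen = {e["SourceImage"].lower() for e in baseline if reads_lsass_memory(e)}
    return [e for e in today
            if reads_lsass_memory(e) and e["SourceImage"].lower() not in seen]

# Constructed EID 10 events (not real telemetry).
LSASS = "C:\\WINDOWS\\system32\\lsass.exe"
BASELINE = [
    {"SourceImage": "C:\\Program Files\\EDR\\agent.exe", "TargetImage": LSASS,
     "GrantedAccess": 0x1410},
]
TODAY = [
    {"SourceImage": "C:\\Program Files\\EDR\\agent.exe", "TargetImage": LSASS,
     "GrantedAccess": 0x1410},                          # seen in baseline, suppressed
    {"SourceImage": "C:\\Users\\bob\\Downloads\\mimikatz.exe", "TargetImage": LSASS,
     "GrantedAccess": 0x1010},                          # new, VM_READ set
    {"SourceImage": "C:\\Windows\\System32\\taskmgr.exe", "TargetImage": LSASS,
     "GrantedAccess": PROCESS_ALL_ACCESS},              # not one of the five literals
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": 0x1000},                          # query-only open, ignored
    {"SourceImage": "C:\\Users\\bob\\Downloads\\mimikatz.exe",
     "TargetImage": "C:\\WINDOWS\\system32\\winlogon.exe", "GrantedAccess": 0x1410},
]

if __name__ == "__main__":
    for mask in (0x1410, 0x1010, 0x1438, 0x143A, 0x1418):
        print(hex(mask), decode_access(mask))
    for e in new_source_images(TODAY, BASELINE):
        print("new lsass reader:", e["SourceImage"], hex(e["GrantedAccess"]))
```

Matching on the VM_READ bit rather than on literal masks is noisier (security agents, Task Manager and some installers legitimately open LSASS this way), which is why the first-seen baseline is paired with it here instead of being optional.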
On April 28th, Sysinternals upgraded its tool to version 11.0. This contribution is an update for the Sysmon sensor (https://github.com/mitre-attack/car/blob/master/sensors/sysmon_10.4.yaml).
Related to #59 pull request.
Here is the mapping for this sensor, based on your 10.4 version.
Please note that I only fill fields that are present in logs without needing any transformation. For example, the field fqdn is present as Computer, but the field hostname could be extracted from this value. The same goes for file_name, exe, hive, etc.
I also upload on my GitHub the full mapping, if you want to check it: https://github.com/inmadria/sysmon-11-examples/blob/master/CAR_MAPPING.md
 | data | fqdn | hive | hostname | image_path | key | pid | type | user | value |
---|---|---|---|---|---|---|---|---|---|---|
add | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | |
edit | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | |
remove | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | |

 | base_address | fqdn | hostname | image_path | md5_hash | module_name | module_path | pid | sha1_hash | sha256_hash | signer |
---|---|---|---|---|---|---|---|---|---|---|---|
load | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | |
unload | | | | | | | | | | | |

 | command_line | current_working_directory | exe | fqdn | hostname | image_path | integrity_level | md5_hash | parent_command_line | parent_exe | parent_image_path | pid | ppid | sha1_hash | sha256_hash | sid | signer | user |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
create | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | |
terminate | ✓ | ✓ | ✓ | | | | | | | | | | | | | | | |

 | hostname | src_pid | src_tid | stack_base | stack_limit | start_address | start_function | start_module | start_module_name | tgt_pid | tgt_tid | user | user_stack_base | user_stack_limit |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
create | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | | | | |
remote_create | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | | | | |
suspend | | | | | | | | | | | | | | |
terminate | | | | | | | | | | | | | | |

 | base_address | fqdn | hostname | image_path | md5_hash | module_name | sha1_hash | sha256_hash | signer |
---|---|---|---|---|---|---|---|---|---|
load | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | |
unload | | | | | | | | | |

 | company | creation_time | file_name | file_path | fqdn | hostname | image_path | md5_hash | pid | ppid | previous_creation_time | sha1_hash | sha256_hash | signer | user |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
create | ✓ | ✓ | ✓ | ✓ | ✓ | | | | | | | | | | |
delete | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | | | | |
modify | | | | | | | | | | | | | | | |
read | | | | | | | | | | | | | | | |
timestomp | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | | | | | | |
write | | | | | | | | | | | | | | | |

 | content | dest_fqdn | dest_hostname | dest_ip | dest_port | end_time | exe | flags | fqdn | hostname | image_path | packet_count | pid | ppid | proto_info | protocol | src_fqdn | src_hostname | src_ip | src_port | start_time | user |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
end | | | | | | | | | | | | | | | | | | | | | | |
message | | | | | | | | | | | | | | | | | | | | | | |
start | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | | | | | | | | |
Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. It's not likely that you'll get millions of hits, but it does occur during normal activity so some form of baselining would be necessary for this to be an alerting analytic. Alternatively, it can be used for hunt by looking for new or anomalous DLLs manually.
Technique | Level of Coverage |
---|---|
Regsvr32.exe | High |
This just looks for all executions of regsvr32.exe that have a parent of regsvr32.exe but are not regsvr32.exe themselves (which happens). This will have a very high FP rate, but likely not on the order of millions.
Language: Splunk
Data Model: Sysmon
index=__your_sysmon_data__ EventCode=1 regsvr32.exe
| search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*"
This uses the same logic as above, but adds lightweight baselining by ignoring all results that also showed up in the previous 30 days (it runs over 1 day).
Language: Splunk
Data Model: Sysmon
index=__your_sysmon_data__ earliest=-d@d latest=now() EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*"
| search NOT [
search index=__your_sysmon_data__ earliest=-60d@d latest=-30d@d EventCode=1 regsvr32.exe
| search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*"
| dedup CommandLine | fields CommandLine
]
Any of the Atomic Red Team tests for regsvr32.exe should trigger this.
Object | Action | Field |
---|---|---|
process | create | exe |
process | create | parent_exe |
process | create | command_line |
As usual, credit to Roberto Rodriguez and the ThreatHunter Playbook.
DCO signed-off-by: John Wunder [email protected]
Explain your proposed change. Preferably, copy the markdown text from docs/data_model and paste the updated markdown here.
Link to or copy an analytic that you have that requires this change.
We should create a basic checklist that covers what should be included with analytic submissions.
title: Detect Access Token Manipulation Token Impersonation and Theft
submission_date: 2022/04/28
information_domain: Analytic
platforms: