mitre-attack / car Goto Github PK

Analytic Name

Describe what your analytic does and how it does it. A description is required.

ATT&CK Coverage

Describe what ATT&CK techniques your analytic covers. This is required. Add as many rows as necessary

Analytic Code

The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).

Test Cases

Optionally, one or more command lines or other actions that can be taken to test this analytic.

Data Model Mappings

Elements from the CAR data model that are required for this analytic. This is required.

Developer Certificate of Origin

Insert your DCO signoff here, e.g. "DCO signed-off-by: Joe Smith [email protected]"

CAR-2021-02-12: Common Windows Process Masquerading

Masquerading (T1036) is defined by MITRE ATT&CK as follows:

Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Malware authors often use this technique to hide malicious executables behind legitimate Windows executable's names (e.g. lsass.exe, svchost.exe, ...).

There are several sub-techniques, but this analytics focuses on Match Legitimate Name or Location only.

ATT&CK Coverage

Data Model Mappings

Analytic Code

With process monitoring, hunt for processes matching these criteria:

• process name is svchost.exe, smss.exe, wininit.exe, taskhost.exe, ...
• process path is not C:\Windows\System32\ or C:\Windows\SysWow64\

Examples:

C:\Users\administrator\svchost.exe

To make sure the rule doesn't miss cases where the executable would be started from a sub-folder of these locations, the entire path is checked for the process path. The below example should be considered as suspicious:

C:\Windows\System32\srv\svchost.exe

Splunk Search (Splunk, Sysmon native)

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND (
(process_name=svchost.exe AND NOT (process_path="C:\\Windows\\System32\\svchost.exe" OR process_path="C:\\Windows\\SysWow64\\svchost.exe"))
OR (process_name=smss.exe AND NOT process_path="C:\\Windows\\System32\\smss.exe")
OR (process_name=wininit.exe AND NOT process_path="C:\\Windows\\System32\\wininit.exe")
OR (process_name=taskhost.exe AND NOT process_path="C:\\Windows\\System32\\taskhost.exe")
OR (process_name=lsass.exe AND NOT process_path="C:\\Windows\\System32\\lsass.exe")
OR (process_name=winlogon.exe AND NOT process_path="C:\\Windows\\System32\\winlogon.exe")
OR (process_name=csrss.exe AND NOT process_path="C:\\Windows\\System32\\csrss.exe")
OR (process_name=services.exe AND NOT process_path="C:\\Windows\\System32\\services.exe")
OR (process_name=lsm.exe AND NOT process_path="C:\\Windows\\System32\\lsm.exe")
OR (process_name=explorer.exe AND NOT process_path="C:\\Windows\\explorer.exe")
)

CAR-2020-11-001 has duplicated definition for 'd3fend_mappings'.

If you want I can do a pull request from forked repo with this modification:

Credential Dumping via Windows Task Manager

The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching ntdsutil.exe as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation and specifying a folder path. This process will create a copy of the Active Directory database, ntds.dit, to the specified folder path.

This requires filesystem data to determine whether files have been created.

ATT&CK Coverage

Analytic Code

The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).

Pseudocode

files = search File:Create
ntds_dump = filter files where (
    file_name = "ntds.dit"  and
    image_path = "*ntdsutil.exe")

Splunk, Sysmon native

index=__your_sysmon_index__ EventCode=11 TargetFilename="*ntds.dit" Image="*ntdsutil.exe"

EQL

file where file_name == "ntds.dit" and process_name == "ntdsutil.exe"

Test Cases

1. Open a Windows Command Prompt or PowerShell instance as Administrator
2. Execute ntdsutil.exe “ac i ntds” “ifm” “create full c:\temp” q q

Data Model Mappings

Elements from the CAR data model that are required for this analytic. This is required.

Developer Certificate of Origin

DCO signed-off-by: Tony M Lambert [email protected]

Generic Regsvr32.exe

Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. It's not likely that you'll get millions of hits, but it does occur during normal activity so some form of baselining would be necessary for this to be an alerting analytic. Alternatively, it can be used for hunt by looking for new or anomalous DLLs manually.

ATT&CK Coverage

Implementations

Main Pattern (no baselining)

This just looks for all executions of regsvr32.exe that have a parent of regsvr32.exe but are not regsvr32.exe themselves (which happens). This will have a very high FP rate, but likely not on the order of millions.

Language: Splunk
Data Model: Sysmon

index=__your_sysmon_data__ EventCode=1 regsvr32.exe
  | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*"

Identify new items since last month

This uses the same logic as above, but adds lightweight baselining by ignoring all results that also showed up in the previous 30 days (it runs over 1 day).

Language: Splunk
Data Model: Sysmon

index=__your_sysmon_data__ earliest=-d@d latest=now() EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*"
| search NOT [
  search index=client earliest=-60d@d latest=-30d@d EventCode=1 regsvr32.exe
  | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*"
  | dedup CommandLine | fields CommandLine
]

Test Cases

Any of the Atomic Red Team tests for regsvr32.exe should trigger this.

False Positives

• WerFault (Windows Error Reporting) is a very common false positive.

Data Model Mappings

References

As usual, credit to Roberto Rodriguez and the ThreatHunter Playbook.

Developer Certificate of Origin

DCO signed-off-by: John Wunder [email protected]

We should add an ATT&CK Navigator layer with links that take you to all of the analytics for a specific technique. This might need to done in conjunction with #67.

The script generate_analytics fails when I use this on a Windows machine. I fixed this by passing the errors='ignore' parameter to the open function within the python script. The other way to fix this was to remove unknown characters from the yaml files (provided by Mitre)

title: Detect Access Token Manipulation Token Impersonation and Theft
submission_date: 2022/04/28
information_domain: Analytic
platforms:

• Windows
  subtypes:
• Access token
  analytic_types:
• TTP
  contributors:
• Michaela Adams [email protected]
  id: CAR-2022-04-001
  description: This analytic detects the use of Access Token Manipulation, specifically token impersonation and theft. This analytic detects the use of DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag to prevent adversaries and tools from impersonating tokens.
  coverage:
• technique: T1134
  tactics:
  • TA0005
  • TA0004
    subtecniques:
  • T1134.001
    coverage: Moderate
    implementations:
• name: Splunk Search - Access Token Manipulation Token Impersonation/Theft through Windows API call
  description: This analytic detects the use of Access Token Manipulation with the LOGON32_LOGON_NEW_CREDENTIALS flag to prevent adversaries and tools from impersonating users.
  code: |-
  sourcetype=WinEventLog EventCode=4624 Impersonation_Level=Impersonation Authentication_Package=Negotiate Logon_Type=9 Logon_Process=Advapi Elevated_Token=No
  data_model: Windows Event Log
  type: Splunk

We should develop a YAML format for capturing our sensor coverage, so it doesn't have to be done in MD/HTML.

UAC Bypass

Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This analytic looks to detect those cases as described by the open-source UACME tool.

ATT&CK Coverage

Analytic Code

Language: Splunk .
Data Model: Sysmon Native

index=_your_sysmon_index_ EventCode=1 IntegrityLevel=High|search (ParentCommandLine="\"c:\\windows\\system32\\dism.exe\"*""*.xml" AND Image!="c:\\users\\*\\appdata\\local\\temp\\*\\dismhost.exe") OR ParentImage=c:\\windows\\system32\\fodhelper.exe OR (CommandLine="\"c:\\windows\\system32\\wusa.exe\"*/quiet*" AND User!=NOT_TRANSLATED AND CurrentDirectory=c:\\windows\\system32\\ AND ParentImage!=c:\\windows\\explorer.exe) OR CommandLine="*.exe\"*cleanmgr.exe /autoclean*" OR (ParentImage="c:\\windows\\*dccw.exe" AND Image!="c:\\windows\\system32\\cttune.exe") OR Image="c:\\program files\\windows media player\\osk.exe" OR ParentImage="c:\\windows\\system32\\slui.exe"|eval PossibleTechniques=case(like(lower(ParentCommandLine),"%c:\\windows\\system32\\dism.exe%"), "UACME #23", like(lower(Image),"c:\\program files\\windows media player\\osk.exe"), "UACME #32", like(lower(ParentImage),"c:\\windows\\system32\\fodhelper.exe"), "UACME #33", like(lower(CommandLine),"%.exe\"%cleanmgr.exe /autoclean%"), "UACME #34", like(lower(Image),"c:\\windows\\system32\\wusa.exe"), "UACME #36", like(lower(ParentImage),"c:\\windows\\%dccw.exe"), "UACME #37", like(lower(ParentImage),"c:\\windows\\system32\\slui.exe"), "UACME #45")

Test Cases

Using UACME:

• akagi64.exe 23
• akagi64.exe 32
• akagi64.exe 33
• akagi64.exe 34
• akagi64.exe 36
• akagi64.exe 37
• akagi64.exe 45

Data Model Mappings

Developer Certificate of Origin

DCO signed-off-by: Ivan Kirillov [email protected]

Proposed Change

We should add a current_working_directory field to the Process object model, which captures the absolute path to the current working directory of the process.

Justification

Current working directory is associated with UAC Bypass.

Credential Dumping via Mimikatz

Credential dumpers like Mimikatz can be loaded into memory and from there read data from another processes. This analytic looks for instances where processes are requesting specific permissions to read parts of the LSASS process in order to detect when credential dumping is occurring. One weakness is that all current implementations are "overtuned" to look for common access patterns used by Mimikatz.

ATT&CK Coverage

Implementations

Common Mimikatz GrantedAccess Patterns

This is specific to the way Mimikatz works currently, and thus is fragile to both future updates and non-default configurations of Mimikatz.

Language: Splunk .
Data Model: Sysmon Native

index=__your_sysmon_data__ EventCode=10 
 TargetImage="C:\\WINDOWS\\system32\\lsass.exe"
 (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)
 CallTrace="C:\\windows\\SYSTEM32\\ntdll.dll+*|C:\\windows\\System32\\KERNELBASE.dll+20edd|UNKNOWN(*)" 
| table _time hostname user SourceImage GrantedAccess

Outliers

This is an outlier version of the above without including the specific call trace. This should work in more (but not all) situations however runs more slowly and will have more false positives - typically installers.

Language: Splunk .
Data Model: Sysmon Native

earliest=-d@d latest=now() index=__your_sysmon_data__
  EventCode=10
  TargetImage="C:\\WINDOWS\\system32\\lsass.exe"
  (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) 
| search NOT [ search earliest=-7d@d latest=-2d@d index=__your_sysmon_data__ EventCode=10 TargetImage="C:\\WINDOWS\\system32\\lsass.exe" (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) 
  | dedup SourceImage 
  | fields SourceImage ]
| table  _time hostname user SourceImage GrantedAccess

Data Model Mappings

This requires information about process access, e.g. Sysmon Event ID 10. That currently doesn't have a CAR data model mapping.

References

Analytic developed by Sean Whitley @ MITRE, received his permission to post these two implementations.

Credit to Cyb3rWard0g, dim0x69 (blog.3or.de), and Mark Russinovich for providing much of the information used to construct these analytics.
https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/attack_matrix/windows/credential_access/credential_dumping/mimikatz_inmem.md

Developer Certificate of Origin

DCO signed-off-by: John Wunder [email protected]

We should look into developing/leveraging Jupyter notebooks for CAR visualizations. Maybe something we can do instead of CARET?

Proposed Change

The proposed change is to extend the Process data model to include environment variables set for a process at the time of execution. This could be included as a field in the Process model.

Justification

The justification is to monitor for process injection via LD_PRELOAD environment variables. A sample analytic for this would be:

SELECT process_envs.pid as source_process_id, process_envs.key as environment_variable_key, process_envs.value as environment_variable_value, processes.name as source_process, processes.path as file_path, processes.cmdline as source_process_commandline, processes.cwd as current_working_directory, 'T1055' as event_attack_id, 'Process Injection' as event_attack_technique, 'Defense Evasion, Privilege Escalation' as event_attack_tactic FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD';

Proposed Change

Explain your proposed change. Preferably, copy the markdown text from docs/data_model and paste the updated markdown here.

Justification

Link to or copy an analytic that you have that requires this change.

Proposed Change

We should add an integrity_level field to the Process object model, which is part of Windows' Mandatory Integrity Control.

Justification

Integrity level is a key field associated with UAC Bypass.

We should update the ATT&CK navigator layer for sub-techniques, now that they've been incorporated into CAR.

Right now it's tricky to understand the full set of fields available in a YAML CAR analytic, so we should create and maintain a template that describes this.

Web Shell Suspicious Process Tree (I´m not good in naming things >___<'

*Web Shell usually does post exploitation activities, as host/network discovery through commands issued to the installed command line interpreters spawned from the web server application directly when we review the related process tree. The nature of encrypted web traffic make harder the detection at network level, moreover, some web shells also obfuscate their commands to difficult the analysis based on GET parameters or pass them just in POST requests, which rarely has their content fully logged. Hence, the analysis at endpoint level is a good option to lead with these difficulties inherent in many environments. Even though the spawning of process from the web server is not malicious by definition, some process tree are uncommon and should be reviewed to deliberate why it was created and if is there some malicious intent behind.

ATT&CK Coverage

|Web Shell|https://attack.mitre.org/techniques/T1505/003/|High

Observation: I put High since we have very few events in a huge set of Windows Servers. From this small set of servers, some FPs were encountered, because, for some reason, some app do that spawning in a benign way.

Analytic Code

parent_exe IN ("*w3wp.exe","*httpd.exe","tomcat.exe",") AND exe IN ("*cmd.exe","*powershell.exe","*net.exe","*whoami.exe","*hostname.exe","*systeminfo.exe",”ipconfig.exe”)

PS: tomcat*.exe is to cover any Tomcat process variant. In some cases I also include java.exe as parent process to cover some websphere scenarios, but when I do that some FP occurs, at your wish, MITRE fellows :). Please feel free to contact me if some change is needed.

Best, Nichols.

Proposed Change

Fix name of field for thread ID in Module.yaml

Justification

Noob question -

I see Splunk, EQL, DNIF, etc in Implementations section of Analytics.
Can I contribute to adding queries for LogPoint SIEM as LogPoint has extensive support for the ATT&CK framework.

API

API (Application Programming Interface) is a set of functions and the procedures which allows the creation of the applications to access the features or information of an operating system, application, or any other service. It likely returns the data in JSON or XML.

Actions

Fields

Coverage Map

Developer Certificate of Origin

DCO signed-off-by: Sanyam Jain: [email protected]

Sysmon 11.0

On April 28th, Sysinternals upgrade its tool to version 11.0. This contribution is an update for the Sysmon sensor (https://github.com/mitre-attack/car/blob/master/sensors/sysmon_10.4.yaml).
Related to #59 pull request.

Mapping

Here is the mapping for this sensor, based on your 10.4 version.
Please note that I only fill fields that are present in logs without needing any transformation. For example, the field fqdn is present as Computer but the field hostname could be extracted from this value. Same thing for file_name, exe, hive, etc.

I also upload on my GitHub the full mapping, if you want to check it: https://github.com/inmadria/sysmon-11-examples/blob/master/CAR_MAPPING.md

registry

module

process

thread

driver

file

flow

Proposed Change

https://car.mitre.org/data_model/file

timestomp is really just a specific type of modify action as described.
"The event corresponding to the modification of a file or its metadata."

How granular is the data model supposed to get with subsets of actions and activity ?

IMO it doesn't make sense to have a subset of another action at the same level.
It should be able to be modeled as a graph structure, with specific subset of actions under the main action.

Justification

T1547.002 - Registry Edit to Register a New LSA Authentication Package DLL

Flags the modification of the "Authentication Packages" value "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" Key. Attackers may append malicious DLL names (without extension) to the key. These DLLs need to be placed in "%WINDIR%\System32" and will be loaded by the lsass process at boot to archive persistence.

References:
https://attack.mitre.org/techniques/T1547/002/
https://github.com/persistence-info/persistence-info.github.io/blob/main/Data/authenticationpackages.md
https://pentestlab.blog/2019/10/21/persistence-security-support-provider/

ATT&CK Coverage

Analytic Code

LSA Authentication Package Registry Modification (Pseudocode, CAR)
This search detects modifications of the registry key value via registry events.

reg_keys = search Registry:value_edit
lsa_authpackage_reg_key = filter reg_keys where (value="Authentication Packages") AND reg_keys (key="HKLM\SYSTEM\CurrentControlSet\Control\Lsa")
output lsa_authpackage_reg_key

Splunk Search - Modification of LSA Authentication Packages key value (Splunk)

event_id=13 TargetObject="HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages"

Test Cases

*(Requires Atomic red team) https://github.com/redcanaryco/atomic-red-team
Invoke-AtomicTest -TestGuids be2590e8-4ac3-47ac-b4b5-945820f2fbe9

Data Model Mappings

Elements from the CAR data model that are required for this analytic. This is required.

Developer Certificate of Origin

DCO signed-off-by: Thomas de Brelaz [email protected]

The text of the Pseudocode section does not match. The system and security events are backwords

Pseudocode
[THIS SECTION IS WRONG]
When an eventlog is cleared, a new event is created that alerts that the eventlog was cleared. For System logs, its event code 104. For Security logs, it is event code 1100 and 1102.
{the System logs are 1100 and 1102 while the Security logs are 104}

[THIS SECTION IS CORRECT]
([log_name] == "System" and [event_code] in [1100, 1102]) or
([log_name] == "Security" and [event_code] == 104)

We should map our analytics to existing open datasets (e.g., Splunk BOTS) so that we can give users an easy way to find example data of true positives.

We should create a new top-level page for car.mitre.org that better describes BZAR.

CAR-2015-07-001 is missing the coverage section and the associated Tactics/Techniques. Not a big deal, I can code around the "key error" from my YAML parser but figured others would have similar issues.

Credential Dumping via Sysinternals ProcDump

The Sysinternals ProcDump utility may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name.

ATT&CK Coverage

Analytic Code

The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).

Pseudocode

processes = search Process:Create
procdump_lsass = filter processes where (
    exe = "procdump*.exe"  and
    command_line = "*lsass*")

Splunk, Sysmon native

index=__your_sysmon_index__ EventCode=1 Image="*\\procdump*.exe" CommandLine="*lsass*"

EQL

process where subtype.create and
  process_name == "procdump*.exe" and command_line == "*lsass*"

Test Cases

1. Open a Windows Command Prompt or PowerShell instance.
2. Navigate to folder containing ProcDump.
3. Execute procdump.exe -ma lsass.exe lsass_dump

Data Model Mappings

Elements from the CAR data model that are required for this analytic. This is required.

Developer Certificate of Origin

DCO signed-off-by: Tony M Lambert [email protected]

Right now our ATT&CK Coverage is purely based on how well an analytic covers an entire Tactic/Technique pair. This is useful to get a general sense of how applicable an analytic is, but has its limitations:

1. For analytics that may have multiple implementations, it doesn't say anything about the level of coverage of each implementation.
2. Analytics may be brittle, in the sense that it's easy for an adversary to evade them. We should try to take this into account, either as a sub-component of coverage or as a separate section.
3. With ATT&CK sub-techniques on the horizon, we'll want to think about re-architecting coverage around sub-techniques for better accuracy.

There are a few cases where ATT&CK technique names and tactic alignments are wrong, either because of errors or because they were written against a previous version of ATT&CK.

At least one example via Twitter:

• Powershell in CAR-2014-04-003

Creation of SafeDllSearchMode

Detection of creation of registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode. The key SafeDllSearchMode, if set to 0, will block the Windows mechanism for the search DLL order.

ATT&CK Coverage

Analytic Code

(("reg "AND "add" AND "/d") OR ("Set-ItemProperty" AND "-value")) AND ("Session Manager" AND "SafeDllSearchMode")

Test Cases

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /d 0

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager" -Name SafeDllSearchMode -Value 0

Data Model Mappings

Developer Certificate of Origin

DCO signed-off-by: Lucas Heiligenstein [email protected]

We should add a search feature to the website to make it easier to find specific analytics etc.

Squiblydoo

Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It can be seen by looking for regsvr32.exe executions that load the scrobj.dll (which execute the COM scriptlet) or, if that is too noisy, those that also load content directly via HTTP or HTTPS.

Squiblydoo was first written up by Casey Smith at Red Canary, though that blog post is no longer accessible.

ATT&CK Coverage

Implementations

This looks for any and all usage of the scrobj DLL, which is what is used to run COM scriptlets, so it'll detect both loading from network as well as filesystem. This will have almost zero false positives so is suitable for alerting.

Language: Splunk
Data Model: Sysmon

index=__your_sysmon_events__ EventCode=1 regsvr32.exe scrobj.dll | search Image="*regsvr32.exe"

Test Cases

The Atomic Red Team test for Squiblydoo is a good test case for this.

Data Model Mappings

References

As usual, credit to Roberto Rodriguez and the ThreatHunter Playbook.

Developer Certificate of Origin

DCO signed-off by: John Wunder [email protected]

Credential Dumping via Windows Task Manager

The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking "Create dump file". This saves a dump file to disk with the process's name in the file name.

This requires filesystem data to determine whether files have been created.

ATT&CK Coverage

Analytic Code

The code for this analytic. CAR pseudocode is preferred, but any search syntax is fine. At least one type of code is required but more are encouraged (e.g. both pseudocode and a Splunk search).

Pseudocode

files = search File:Create
lsass_dump = filter files where (
    file_name = "lsass*.dmp"  and
    image_path = "C:\Windows\*\taskmgr.exe")

Splunk, Sysmon native

index=__your_sysmon_index__ EventCode=11 TargetFilename="*lsass*.dmp" Image="C:\\Windows\\*\\taskmgr.exe"

EQL

file where file_name == "lsass*.dmp" and process_name == "taskmgr.exe"

Test Cases

1. Open Windows Task Manager as Administrator
2. Select lsass.exe
3. Right-click on lsass.exe and select "Create dump file".

Data Model Mappings

Elements from the CAR data model that are required for this analytic. This is required.

Developer Certificate of Origin

DCO signed-off-by: Tony M Lambert [email protected]

For our analytics list, we should add the ability to view the latest analytics, either as a new table or converting the current table into a sortable representation.

Right now the per-technique table of CAR analytics is buried under the main table (/analytics) so we should consider moving it to its own page.

We should try to tag all of our analytics with the most applicable verb from D3fend, such as "process lineage analysis".

This is great; thanks for releasing it, but I'm running into a zeek/bzar compatibility issue. Bzar loads successfully for me on zeek 2.5.5, but after an upgrade to v2.6.1, I'm getting type and redef errors like:

error in /opt/bro/share/bro/base/bif/plugins/./Bro_DCE_RPC.events.bif.bro, line 125 and /opt/bro/share/bro/bzar/./bzar_dce-rpc.bro, line 224: incompatible types (event(c:connection; fid:count; ctx_id:count; opnum:count; stub_len:count;) and event(c:connection; fid:count; opnum:count; stub_len:count;))

error in /opt/bro/share/bro/bzar/./bzar_smb.bro, line 39: "redef" used but not previously defined (SMB::write_cmd_log)

error in /opt/bro/share/bro/base/bif/plugins/./Bro_SMB.smb2_com_create.bif.bro, line 17 and /opt/bro/share/bro/bzar/./bzar_smb.bro, line 252: incompatible types (event(c:connection; hdr:SMB2::Header; request:SMB2::CreateRequest;) and event(c:connection; hdr:SMB2::Header; name:string;))

That's not a complete list, but I don't know broscript (zeekscript?) well enough to attempt a fix and get it running on the later version. I also see a deprecation warning:

warning in /opt/bro/share/bro/policy/protocols/smb/load.bro, line 1: deprecated script loaded from /opt/bro/share/bro/bzar/./main.bro:10 "Use '@load base/protocols/smb' instead"

FWIW, this is on SecurityOnion, but I don't think it's specific to that platform's zeek installation. That makes duplicating this issue easy, though, as you can boot the SecurityOnion ISO in live mode to test it out.

We're missing the markdown for the HTTP data model object (the current URL yields a 404).

CAR-2021-01-15: GetSystem in Meterpreter & Cobalt Strike & Empire & PoshC2 Beacon

This Analytics is inspired from the excellent post from RedCanary available here.

Windows Services often need this level of privilege for system management. Client management and deployment products often use SYSTEM to allow software installations. Security software often uses SYSTEM to peer into the activity of other users on a system, a use case that also appeals to adversaries. When using SYSTEM, an adversary can monitor and manipulate data from any other user on that local computer. While this account doesn’t allow an adversary network access to log on to other computers, it does allow the adversary to execute credential access attacks against files and memory on a computer to compromise credentials for network access. This is commonly seen with attacks that use tools like Mimikatz. In the really unfortunate cases where adversaries gain access to the SYSTEM account on Active Directory domain controllers, they can grab credentials for any users within the domain and manipulate Active Directory to add accounts for themselves.

This is why many offensive security tools include a command named getsystem or similar. These commands make those tools try one or more things to elevate privileges to that SYSTEM account so the adversary can own everything on the victim host.

ATT&CK Coverage

Data Model Mappings

Analytic Code

GetSystem in Meterpreter & Cobalt Strike’s Beacon

With process monitoring, hunt for processes matching these criteria:

• parent process is services.exe
• process name is cmd.exe
• command line includes echo AND \pipe\

Examples:

cmd.exe /c echo ba80ae80df9 > \\.\pipe\66bee3
cmd.exe /c echo fvxens > \\.\pipe\fvxens

The second GetSystem method uses rundll32.exe and a few hardcoded command line options to execute a DLL for privilege escalation. Thankfully, the command line options are consistent and appear similar to this:

rundll32.exe C:\Users\user\AppData\Local\Temp\fvxens.dll,a /p:fvxens

As with named pipe impersonation, you can use process monitoring to hunt for this. Look for processes matching these criteria:

• process name is rundll32.exe
• command line includes ,a /p:

GetSystem in Empire & PoshC2

Example:

cmd.exe /C start %COMSPEC% /C `"timeout /t 3 >nul&&echo TestSVC > \\.\pipe\TestSVC`

• ServiceFileName contains cmd.exe OR %COMSPEC%
• ServiceFileName contains echo AND \pipe\

Splunk Search (Splunk, Sysmon native)

Meterpreter and Cobalt Strike:

(
index=__your_sysmon_index__
ParentImage="C:\\Windows\\System32\\services.exe"
Image="C:\\Windows\\System32\\cmd.exe"
(CommandLine="*echo*" AND CommandLine="*\\pipe\\*")
) OR (
index=__your_sysmon_index__
Image="C:\\Windows\\System32\\rundll32.exe"
CommandLine="*,a /p:*"
)

Empire and PoshC2:

index=__your_sysmon_index__
(Image="C:\\Windows\\System32\\cmd.exe" OR CommandLine="*%COMSPEC%*")
(CommandLine="*echo*" AND CommandLine="*\pipe\*")

Example:

Because of the trailing slash redirect, the link becomes https://car.mitre.org/analytics/CAR-2014-11-007/CAR-2014-05-001 instead of https://car.mitre.org/analytics/CAR-2014-05-001

Now that Splunk is publishing their security content analytics on GitHub, we should add them to our coverage comparison page.

https://github.com/splunk/security_content/tree/develop/detections

We should create a basic checklist that covers what should be included with analytic submissions.

Access Permission Modification

Adversaries sometimes modify object access rights on operating systems level. There might be different motivations behind this action. Sometimes they do not want some files/ objects on systems to be persistent and provides admin only rights and sometimes they want the files to be accessible with lower levels of permissions.

For windows environment logs may seem too noisy, analysts shall take following into consideration;
-We need to exclude events generated by local system(subject security ID "NT AUTHORITY\SYSTEM") and focus on actual users
-When a permission modification is made for a folder a new event log is generated for each subfolder and file under that folder. It is advised to group logs based on handle ID or user id.
-Windows log (event ID 4670) also includes the process that modifies permissions. It is advised to focus on uncommon process names. It is uncommon for real-users to perform this task without GUI.

ATT&CK Coverage

Analytic Code

For Windows;
EventID: 4670 and
Object Type: File and
Subject Security ID not "NT AUTHORITY\SYSTEM"

For Linux/Mac;
terminal commands with chmod in it.

Test Cases

for windows;
rightclick any file and change permissions under properties.
or execute following command

icacls "C:<fileName>" /grant :F

for linux/mac;

chmod 777 "fileName"

Data Model Mappings

Developer Certificate of Origin

"DCO signed-off-by: Meric Degirmenci [email protected]"*

We need to create a script to automate the generation of the MD data model files from the YAML. Right now it's a manual process.

Proposed Change

We should add a parent_command_line field to the Process object model, which captures the command line used to spawn its parent process. Sometimes having the parent process/image is not enough, and we need the full command line in order to write effective analytics.

Justification

Parent command line is associated with UAC Bypass.