From a6dc82a65a699614642ea3b7486f1646cb369a8d Mon Sep 17 00:00:00 2001 From: carel-v98 <109933205+carel-v98@users.noreply.github.com> Date: Mon, 19 Feb 2024 11:05:47 +0800 Subject: [PATCH 1/3] 20240219002-Guidance-following-nation-state-attack-on-Microsoft (#522) --- ...lowing-nation-state-attack-on-Microsoft.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 docs/advisories/20240219002-Guidance-following-nation-state-attack-on-Microsoft.md diff --git a/docs/advisories/20240219002-Guidance-following-nation-state-attack-on-Microsoft.md b/docs/advisories/20240219002-Guidance-following-nation-state-attack-on-Microsoft.md new file mode 100644 index 00000000..2c754999 --- /dev/null +++ b/docs/advisories/20240219002-Guidance-following-nation-state-attack-on-Microsoft.md 
@@ -0,0 +1,28 @@ +# Guidance following nation state attack on Microsoft - 20240219002 + +## Overview + +The recent nation state [attack on Microsoft](https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ "https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/") highlighted significant configuration vulnerabilities that may be present in Entra ID (previously known as Azure AD) tenants. + +## What is vulnerable? + +- If a principal holds the **AppRoleAssignment.ReadWrite.All** app role, that principal may grant any principal (including itself) any app role against any resource app, including the **RoleManagement.ReadWrite.Directory** MS Graph app role +- With the **RoleManagement.ReadWrite.Directory** MS Graph app role, a principal may assign itself or any other principal to any Entra ID role, including Global Administrator + +Based on this information, we know we need to look for two primary things: + +1. Foreign principals (i.r., those coming from a tenant outside of your own) with escalation privileges which create paths to highly privileged roles +2. Foreign principals that already hold highly-privileged roles + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendations + + Due to the severity of a compromise of an Entra ID tenant managing privileges for an organisation, the WA SOC recommends reviewing the below guidance and ensuring that Enterprise Applications, Application Registrations and Service Principle role assignments are audited regularly as part of operational account audits and [Secure Configuration Assessments](https://soc.cyber.wa.gov.au/guidelines/secure-configuration/ "https://soc.cyber.wa.gov.au/guidelines/secure-configuration/"). 
+ +## Additional References + +- [**Microsoft Breach — How Can I See This In BloodHound?**](https://posts.specterops.io/microsoft-breach-how-can-i-see-this-in-bloodhound-33c92dca4c65) +- [**AzureHound Community Edition**](https://support.bloodhoundenterprise.io/hc/en-us/articles/17481394564251-AzureHound-Community-Edition) From 651bd854c55be861adb7d37597b0544f6fc27b36 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Mon, 19 Feb 2024 03:06:59 +0000 Subject: [PATCH 2/3] Format markdown files --- ...dance-following-nation-state-attack-on-Microsoft.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/advisories/20240219002-Guidance-following-nation-state-attack-on-Microsoft.md b/docs/advisories/20240219002-Guidance-following-nation-state-attack-on-Microsoft.md index 2c754999..062e75e9 100644 --- a/docs/advisories/20240219002-Guidance-following-nation-state-attack-on-Microsoft.md +++ b/docs/advisories/20240219002-Guidance-following-nation-state-attack-on-Microsoft.md 
@@ -6,13 +6,13 @@ The recent nation state [attack on Microsoft](https://www.microsoft.com/en-us/se ## What is vulnerable? -- If a principal holds the **AppRoleAssignment.ReadWrite.All** app role, that principal may grant any principal (including itself) any app role against any resource app, including the **RoleManagement.ReadWrite.Directory** MS Graph app role -- With the **RoleManagement.ReadWrite.Directory** MS Graph app role, a principal may assign itself or any other principal to any Entra ID role, including Global Administrator +- If a principal holds the **AppRoleAssignment.ReadWrite.All** app role, that principal may grant any principal (including itself) any app role against any resource app, including the **RoleManagement.ReadWrite.Directory** MS Graph app role +- With the **RoleManagement.ReadWrite.Directory** MS Graph app role, a principal may assign itself or any other principal to any Entra ID role, including Global Administrator Based on this information, we know we need to look for two primary things: -1. Foreign principals (i.r., those coming from a tenant outside of your own) with escalation privileges which create paths to highly privileged roles -2. Foreign principals that already hold highly-privileged roles +1. Foreign principals (i.r., those coming from a tenant outside of your own) with escalation privileges which create paths to highly privileged roles +1. Foreign principals that already hold highly-privileged roles ## What has been observed? 
@@ -20,7 +20,7 @@ There is no evidence of exploitation affecting Western Australian Government net ## Recommendations - Due to the severity of a compromise of an Entra ID tenant managing privileges for an organisation, the WA SOC recommends reviewing the below guidance and ensuring that Enterprise Applications, Application Registrations and Service Principle role assignments are audited regularly as part of operational account audits and [Secure Configuration Assessments](https://soc.cyber.wa.gov.au/guidelines/secure-configuration/ "https://soc.cyber.wa.gov.au/guidelines/secure-configuration/"). +Due to the severity of a compromise of an Entra ID tenant managing privileges for an organisation, the WA SOC recommends reviewing the below guidance and ensuring that Enterprise Applications, Application Registrations and Service Principle role assignments are audited regularly as part of operational account audits and [Secure Configuration Assessments](https://soc.cyber.wa.gov.au/guidelines/secure-configuration/ "https://soc.cyber.wa.gov.au/guidelines/secure-configuration/"). ## Additional References From 63b3aaa06883821e5c1483153ddf36464d4ba60d Mon Sep 17 00:00:00 2001 
From: mahmadhabib076 <125419051+mahmadhabib076@users.noreply.github.com> Date: Mon, 19 Feb 2024 16:04:22 +0800 Subject: [PATCH 3/3] Updated TTP hunt Guidelines table (#524) * Deleted old AdSes * Added new ADSes * Deleted outdated ADS * Updated TTP guidelines Table * Updated TTP detection guideline Table * Format markdown files --------- Co-authored-by: GitHub Actions --- .../ADS_forms/S0154-CobaltStrike-DNS.md | 39 +++++---- .../ADS_forms/S0154-CobaltStrike-NamedPipe.md | 39 +++++---- .../ADS_forms/S0357-Impacket-DirCommand.md | 33 +++---- .../S0357-Impacket-SecretdumpSMB2.md | 33 +++---- .../ADS_forms/S0521-BloodHound-Commandlets.md | 23 +++-- .../ADS_forms/S0552-ADFind-Execution.md | 67 +++++++++++++++ .../S0650-Qakbot-DefenderExclusions.md | 31 +++---- .../S0650-Qakbot-Post-compromise-commands.md | 48 +++++++++++ .../S0650-Qakbot-ProcessExecution.md | 29 ++++--- ...003.001-OSCredentialDumping-LSASSMemory.md | 40 +++++---- ...-OSCredentialDumping-Exfiltratentds.dit.md | 31 +++---- ....003-OSCredentialDumping-NTDSusingTools.md | 31 +++---- .../T1003.006-OSCredentialDumping-DCSyncAD.md | 50 ----------- .../T1016-EnumerateNetworkTopology.md | 4 +- .../T1016-Info-stealer-tool-Grixba.md | 46 ++++++++++ ...picious-Process-Created-By-Rundll32.EXE.md | 50 +++++++++++ .../T1021-LateralMovement-RemoteServices.md | 41 --------- .../ADS_forms/T1027.006-HTMLSmuggling.md | 4 +- .../T1033-IdentifySuccessfulLogons.md | 4 +- .../TTP_Hunt/ADS_forms/T1047-WMICCommands.md | 4 +- ...et-APT-Scheduled-Task-Creation-Registry.md | 7 +- ...1059-MicroSCADA-SCILC-Command-Execution.md | 6 +- .../T1082-SystemInformationDiscovery.md | 24 +++--- .../TTP_Hunt/ADS_forms/T1090-Proxy.md | 4 +- .../T1189-Drive-byCompromise-FakeUpdate.md | 4 +- .../ADS_forms/T1190-WebshellsSuspiciousURI.md | 55 ------------ .../T1505.003-IISWebshellFileWrites.md | 4 +- .../T1505.003-Linux-Webshell-Indicators.md | 51 +++++++++++ ...5.003-SuspiciousChildProcessOfSQLServer.md | 6 +- 
...T1505.003-SuspiciousWindowsStringsInURI.md | 48 ----------- .../T1505.003-WindowsWebshellCreation.md | 4 +- ....004-Suspicious-IIS-Module-Registration.md | 4 + ...ltStrike-ServiceInstallationsInRegistry.md | 4 +- ...ccess-Tool-Services-Have-Been-Installed.md | 50 ----------- ...-Via-Existing-Service-Tampering(sc.exe).md | 8 +- ...ia-Existing-Service-Tampering-(reg.exe).md | 2 + ...ence-Attempt-Via-Run-Keys-Using-Reg.EXE.md | 50 +++++++++++ .../T1552.002-REGISTRYPasswordDumping.md | 4 +- .../T1555-CredentialsPasswordStores.md | 4 +- .../ADS_forms/T1557-AiTM-PhishingLogging.md | 5 +- ...> T1562.001-Impair-Defenses-AMSIBypass.md} | 2 + ...ender-Functionalities-Via-Registry-Keys.md | 59 +++++++++++++ ...-Tools-Defender-Disabling-or-Exclusions.md | 46 ++++++++++ ...s-Potential-PowerShell-Downgrade-Attack.md | 46 ++++++++++ ...Removal-Of-AMSI-Provider-Registry-Keys.md} | 10 +-- ...Disable-Windows-Logging-using-wevtutil.md} | 22 ++--- ...-Defenses-Disable-WindowsLoggingMiniNT.md} | 5 +- ...efenses-DisableWindowsLoggingonEventID.md} | 8 +- ...001-QR-CodePhishingAttachment(Quishing).md | 4 +- ...d-Sleet-APT-Process-Activity-Indicators.md | 45 ++++++++++ .../TTP_Hunt/ttp-detection-guidelines.md | 86 +++++++++---------- 51 files changed, 810 insertions(+), 514 deletions(-) create mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/S0552-ADFind-Execution.md create mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-Post-compromise-commands.md delete mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1003.006-OSCredentialDumping-DCSyncAD.md create mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1016-Info-stealer-tool-Grixba.md create mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1016.001-Potential-Pikabot-C2-Activity-Suspicious-Process-Created-By-Rundll32.EXE.md delete mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1021-LateralMovement-RemoteServices.md delete mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1190-WebshellsSuspiciousURI.md create mode 100644 
docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-Linux-Webshell-Indicators.md delete mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-SuspiciousWindowsStringsInURI.md delete mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-Create-or-Modify-System-Process-Remote-Access-Tool-Services-Have-Been-Installed.md create mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1547.001-Potential-Persistence-Attempt-Via-Run-Keys-Using-Reg.EXE.md rename docs/guidelines/TTP_Hunt/ADS_forms/{T1562.001-ImpairDefenses-AMSIBypass.md => T1562.001-Impair-Defenses-AMSIBypass.md} (98%) create mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-Defender-Functionalities-Via-Registry-Keys.md create mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-or-Modify-Tools-Defender-Disabling-or-Exclusions.md create mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-or-Modify-Tools-Potential-PowerShell-Downgrade-Attack.md rename docs/guidelines/TTP_Hunt/ADS_forms/{T1562.001-ImpairDefenses-Removal-Of-AMSI-Provider-Registry-Keys.md => T1562.001-Impair-Defenses-Removal-Of-AMSI-Provider-Registry-Keys.md} (90%) rename docs/guidelines/TTP_Hunt/ADS_forms/{T1562.002-ImpairDefenses-DisableWindowsLoggingWevtutil.md => T1562.002-Impair-Defenses-Disable-Windows-Logging-using-wevtutil.md} (80%) rename docs/guidelines/TTP_Hunt/ADS_forms/{T1562.002-ImpairDefenses-DisableWindowsLoggingMiniNT.md => T1562.002-Impair-Defenses-Disable-WindowsLoggingMiniNT.md} (92%) rename docs/guidelines/TTP_Hunt/ADS_forms/{T1562.002-ImpairDefenses-DisableWindowsLoggingonEventID.md => T1562.002-Impair-Defenses-DisableWindowsLoggingonEventID.md} (91%) create mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1574.002-Diamond-Sleet-APT-Process-Activity-Indicators.md diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md index b794bdb3..5e248328 100644 
--- a/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md @@ -1,33 +1,34 @@ -## S0154 - Cobalt Strike: DNS Beaconing +### S0154 - Cobalt Strike: DNS Beaconing + +#### DESCRIPTION Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike to compromise an environment. The query tries to detect suspicious DNS queries known from Cobalt Strike beacons. -!!! example - ``` - aaa.stage.[encryptedstage].MaliciousDomain.com - baa.stage.[encryptedstage].MaliciousDomain.com - caa.stage.[encryptedstage].MaliciousDomain.com - post.[EncryptedData].[RandomValue].MaliciousDomain.com - ``` +**Example:** + +> aaa.stage.\[encryptedstage\].MaliciousDomain.com,\ +> baa.stage.\[encryptedstage\].MaliciousDomain.com,\ +> caa.stage.\[encryptedstage\].MaliciousDomain.com, +> post.\[EncryptedData\].\[RandomValue\].MaliciousDomain.com -!!! tip "Related" - CobaltStrike +**Related**\ +CobaltStrike -!!! abstract "Reference" - - - - - - +**Reference:**\ +https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/network/dns/net_dns_mal_cobaltstrike.yml#L4\ +https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/\ +https://blog.gigamon.com/2017/07/26/footprints-of-fin7-tracking-actor-patterns-part-1/ -### ATT&CK TACTICS +#### ATT&CK TACTICS
{{mitre("S0154")}} Data Source(s): [Network Traffic](https://attack.mitre.org/datasources/DS0029) -### SENTINEL RULE QUERY +#### SENTINEL RULE QUERY
-```kusto +``` let badNames = dynamic(["aaa.stage","baa.stage","caa.stage", "post.1"]); (union isfuzzy=true (DnsEvents @@ -43,11 +44,11 @@ let badNames = dynamic(["aaa.stage","baa.stage","caa.stage", "post.1"]); )) ``` -### Triage +#### Triage 1. Inspect DNS queries and destination IP 1. Note source of endpoint beaconing -### VERSION +#### VERSION Version 2.0 (date: 19/12/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-NamedPipe.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-NamedPipe.md index 69a5f9c2..eadd49af 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-NamedPipe.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-NamedPipe.md 
@@ -1,32 +1,33 @@ -## S0154 - Cobalt Strike: NamedPipe +### S0154 - Cobalt Strike: NamedPipe + +#### DESCRIPTION Cobalt Strike is a famous Pen Test tool that is used by pen testers as well as attackers alike to compromise an environment. CobaltStrike uses named pipes for communication between processes. Default beacon configs use pipes in the format "MSSE-x-server", where "x" is a number from 1 to 4 characters. -!!! example - ``` - "MSSE-x-server", where "x" is a number from 1 to 4 characters - ``` +**Example:** + +> "MSSE-x-server", where "x" is a number from 1 to 4 characters -!!! tip "Related" - CobaltStrike +**Related**\ +CobaltStrike -!!! abstract "Reference" - - - - - - - - - - - - - - +**Reference:**\ +https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml#L4\ +https://twitter.com/d4rksystem/status/1357010969264873472\ +https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/\ +https://github.com/SigmaHQ/sigma/issues/253\ +https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/\ +https://redcanary.com/threat-detection-report/threats/cobalt-strike/\ +https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Command%20and%20Control/C2-NamedPipe.yaml -### ATT&CK TACTICS +#### ATT&CK TACTICS
{{mitre("S0154")}} Data Source(s): [Named Pipe](https://attack.mitre.org/datasources/DS0023) -### SENTINEL RULE QUERY +#### SENTINEL RULE QUERY
``` let selection_MSSE = dynamic([@'\MSSE-', '-server']); @@ -41,12 +42,12 @@ DeviceEvents //| summarize count(), earliest_Timestamp=min(TimeGenerated) by ActionType, DeviceName, InitiatingProcessParentFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, FileOperation_, PipeName_, TenantId ``` -### Triage +#### Triage 1. Remove the comment "//" in 'summarize' statement in above KQL to assist in analysis and removing data duplicates. 1. Inspect named pipe pattern if matching "MSSE-x-server" 1. Examine the InitiatingProcessFolderPath folder location, and check for any mistype on service name -### VERSION +#### VERSION Version 2.1 (date: 08/11/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-DirCommand.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-DirCommand.md index e2d2379a..9e1040bb 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-DirCommand.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-DirCommand.md 
@@ -1,40 +1,41 @@ -## S0357 - Potential Impacket Execution "dir" command +### S0357 - Potential Impacket Execution "dir" command + +#### DESCRIPTION Actor may use Impacket’s wmiexec, which redirects output to a file within the victim host’s ADMIN$ share (C:\\Windows) containing an epoch timestamp in its name. -!!! example - ``` - cmd.exe /Q /c dir 1> \\127.0.0.1\\ADMIN$\_\_1684944005.9400265 2>&1 - ``` +**Example:** + +> cmd.exe /Q /c dir 1> \\127.0.0.1\\ADMIN$\_\_1684944005.9400265 2>&1 -!!! tip "Related" - Volt Typhoon activity +**Related**\ +Volt Typhoon activity -!!! abstract "Reference" - - - - - - - - +**Reference:**\ +https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\ +https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/\ +https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a\ +https://github.com/Azure/Azure-Sentinel/blob/3833100de05ce61d6972c43dd5af7b9706e4674c/Solutions/Windows%20Security%20Events/Hunting%20Queries/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml#L21 -### ATT&CK TACTICS
+#### ATT&CK TACTICS
{{mitre("S0357")}} Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/), [Command](https://attack.mitre.org/datasources/DS0017/) -### SENTINEL RULE QUERY
+#### SENTINEL RULE QUERY
``` let c1 = dynamic(["cmd.exe", "2>&1", "ADMIN$"]); find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) ``` -### Triage +#### Triage 1. Identify user/service triggering the activity 1. Check time of activity if within business hours 1. Investigate further if the activity is expected and approved -### VERSION +#### VERSION Version 1.0 (date: 10/07/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-SecretdumpSMB2.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-SecretdumpSMB2.md index d67ac703..70f4dbe3 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-SecretdumpSMB2.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-SecretdumpSMB2.md @@ -1,28 +1,29 @@ -## S0357 - Impacket Secretdump with SMB2 +### S0357 - Impacket Secretdump with SMB2 + +#### DESCRIPTION Actor may use Impacket’s wmiexec, which redirects output to a file within the victim host’s ADMIN$ share (C:\\Windows) containing an epoch timestamp in its name. -!!! example - ``` - cmd.exe /Q /c dir 1> \\127.0.0.1\\ADMIN$\_\_1684944005.9400265 2>&1 - ``` +**Example:** + +> cmd.exe /Q /c dir 1> \\127.0.0.1\\ADMIN$\_\_1684944005.9400265 2>&1 -!!! tip "Related" - Volt Typhoon activity +**Related**\ +Volt Typhoon activity -!!! abstract "Reference" - - - - - - - - +**Reference:**\ +https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\ +https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/\ +https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a\ +https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/Hunting%20Queries/PotentialImpacketExecution.yaml -### ATT&CK TACTICS +#### ATT&CK TACTICS
{{mitre("S0357")}} Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/), [Command](https://attack.mitre.org/datasources/DS0017/) -### SENTINEL RULE QUERY +#### SENTINEL RULE QUERY ``` (union isfuzzy=true @@ -49,12 +50,12 @@ Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/), [Comman | extend Host_0_DnsDomain = DnsDomain ``` -### Triage +#### Triage 1. Identify user/service triggering the activity 1. Validate .tmp file names and location 1. Investigate further if the activity is expected and approved -### VERSION +#### VERSION Version 1.1 (date: 26/10/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0521-BloodHound-Commandlets.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0521-BloodHound-Commandlets.md index 1654a4b0..d3589d15 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0521-BloodHound-Commandlets.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0521-BloodHound-Commandlets.md @@ -1,20 +1,25 @@ -## S0521 - Bloodhound/Sharphound Execution Commandlets +### S0521 - Bloodhound/Sharphound Execution Commandlets + +#### DESCRIPTION Detects BloodHound activity in commandlines. Bloodhound is and Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment -!!! tip "Related" - Bloodhound/Sharphound +**example:**\ +N/A + +**Related**\ +Bloodhound/Sharphound -!!! abstract "Reference" - - +**Reference:**\ +https://github.com/SigmaHQ/sigma/blob/cf29e28a54daa9d52f7d1a5996f023e2d08cde84/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml#L40 -### ATT&CK TACTICS +#### ATT&CK TACTICS {{mitre("S0521")}} Data Source(s): [Command](https://attack.mitre.org/datasources/DS001/) -### SENTINEL RULE QUERY +#### SENTINEL RULE QUERY ``` let c1 = dynamic([' -CollectionMethod All ', ' --CollectionMethods Session ', ' --Loop --Loopduration ', ' --PortScanTimeout ', '.exe -c All -d', 'Invoke-Bloodhound', 'Get-BloodHoundData']); 
@@ -25,11 +30,11 @@ Data Source(s): [Command](https://attack.mitre.org/datasources/DS001/) InitiatingProcessCommandLine has_all (c3) or ProcessCommandLine has_any (c3) or CommandLine has_all (c3) ``` -### Triage +#### Triage 1. Inspect if the activity is expected and performed by an admin or a pen-test 1. Check if other programs that use these command line option and accepts an 'All' parameter -### VERSION +#### VERSION Version 1.0 (date: 10/07/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0552-ADFind-Execution.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0552-ADFind-Execution.md new file mode 100644 index 00000000..30efb0ca --- /dev/null +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0552-ADFind-Execution.md @@ -0,0 +1,67 @@ +### S0552 - AdFind Execution + +#### DESCRIPTION
+ +Detects the use of Adfind. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain. + +**Example:** + +> adfind.exe -f "(objectcategory=person)" > ad_users.txt +> +> objectcategory=person – Finds all person objects\ +> objectcategory=computer – Finds all computers in domain\ +> trustdmp – Dumps trust objects.\ +> objectcategory=subnet – Finds all subnets\ +> domainlist – Dumps all Domain NCs in forest in sorted DNS list format\ +> dcmodes – Shows modes of all DCs in forest from config\ +> adinfo – Shows Active Directory Info with whoami info.\ +> dclist – Dumps Domain Controllers FQDNs.\ +> computers_pwdnotreqd – Dumps users set with password not required. + +**Related**\ +Common tool + +**Reference:**\ +https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\ +https://github.com/SigmaHQ/sigma/blob/b9c0dd661eac6b6efdb47f7cfcbb20b5a5c169da/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml +https://thedfirreport.com/2020/05/08/adfind-recon/\ +https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/ + +#### ATT&CK TACTICS
+ +{{mitre("S0552")}} + +``` +- attack.discovery +- attack.t1018 +- attack.t1087.002 +- attack.t1482 +- attack.t1069.002 +``` + +Data Source(s): [Command](https://attack.mitre.org/datasources/DS0017/) + +#### SENTINEL RULE QUERY
+ +``` +let selection_1 = dynamic(['domainlist', 'trustdmp', 'dcmodes', 'adinfo', ' dclist ', 'computer_pwdnotreqd', 'objectcategory=', '-subnets -f', 'name="Domain Admins"', '-sc u:', 'domainncs', 'dompol', ' oudmp ', 'subnetdmp', 'gpodmp', 'fspdmp', 'users_noexpire', 'computers_active', 'computers_pwdnotreqd']); +DeviceProcessEvents +| where ActionType == "ProcessCreated" +| where FileName == "AdFind.exe" or FolderPath endswith @"\AdFind.exe" +| where ProcessCommandLine has_any (selection_1) +``` + +#### Triage
+ +1. This is a high-fidelity threat hunt rules, check the user that performed this action. +1. Inspect if the activity is expected and approved. +1. If this process is unexpected, build further context upon user and device's activities using timeline analysis + +#### FalsePositive
+ +1. Legitimate administrative activity. +1. Tuned, high-fidelity threat hunt rules + +#### VERSION
+ +Version 2.0 (date: 10/02/2024) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-DefenderExclusions.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-DefenderExclusions.md index 92f9c3f2..086d53e4 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-DefenderExclusions.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-DefenderExclusions.md 
@@ -1,27 +1,28 @@ -## S0650 - Qakbot: Defender Exclusions +### S0650 - Qakbot: Defender Exclusions + +#### DESCRIPTION Qbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData. -!!! example - ``` - C:\\Windows\\system32\\reg.exe ADD "HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths" /f /t REG_DWORD /v "C:\\ProgramData\\Microsoft\\Oweboiqnb" /d "0" - C:\\Windows\\system32\\reg.exe ADD "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" /f /t REG_DWORD /v "C:\\ProgramData\\Microsoft\\Oweboiqnb" /d "0" - ``` +**Example:** + +> C:\\Windows\\system32\\reg.exe ADD "HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths" /f /t REG_DWORD /v "C:\\ProgramData\\Microsoft\\Oweboiqnb" /d "0" +> C:\\Windows\\system32\\reg.exe ADD "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" /f /t REG_DWORD /v "C:\\ProgramData\\Microsoft\\Oweboiqnb" /d "0" -!!! tip "Related" - Malware +**Related**\ +Malware -!!! abstract "Reference" - - - - +**Reference**\ +https://github.com/SigmaHQ/sigma/blob/4de6102dc7d94c9ee70995aeea27b77184d62c35/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml#L4\ +https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ -### ATT&CK TACTICS +#### ATT&CK TACTICS {{ mitre("T1562.001")}} Data Source(s): [Process Creation](https://attack.mitre.org/datasources/DS0009/#Process%20Creation) -### SENTINEL RULE QUERY +#### SENTINEL RULE QUERY ``` let selection_1 = dynamic([@'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths', @'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths']); @@ -32,11 +33,11 @@ DeviceProcessEvents | where ProcessCommandLine has_any (selection_1) and ProcessCommandLine has_all (selection_2) ``` -### Triage +#### Triage 1. Inspect commands and check whether it's expected 1. Verify on folders path and name being added into Defender exclusion -### Version +#### Version Version 1.0 (date 26/10/2023) 
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-Post-compromise-commands.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-Post-compromise-commands.md new file mode 100644 index 00000000..a12c1575 --- /dev/null +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-Post-compromise-commands.md @@ -0,0 +1,48 @@ +### S0650 - Qakbot: Post compromise commands + +#### DESCRIPTION + +Detect when multiple Qakbot post compromise commands have been executed + +**example:**\ +Automated reconnaissance commands: +nslookup -querytype=ALL -timeout=12 \_ldap.\_tcp.dc.\_msdcs.\ + +**Related**\ +Malware + +**Reference**\ +https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/22cf7b2e0ef909e3f8ba1b39e2a8e897b6f49fb5/Defender%20For%20Endpoint/QakbotPostCompromiseCommandsExecuted.md?plain=1\ +https://github.com/Azure/Azure-Sentinel/blob/2030f55a46b18e9d9723b06557d0653f38e21724/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/Qakbot/Qakbot%20reconnaissance%20activities.yaml#L2\ +https://www.trendmicro.com/en_au/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html + +#### ATT&CK TACTICS
+ +{{mitre("S0650")}} + +Data Source(s): [Command](https://attack.mitre.org/datasources/DS0017), [Process](https://attack.mitre.org/datasources/DS0009/) + +#### SENTINEL RULE QUERY
+ +``` +let QakBotCommands = dynamic(['net view', 'cmd /c set', 'arp -a', 'ipconfig /all', 'nslookup-querytype=ALL -timeout=12', '_ldap._tcp.dc._msdcs.WORKGROUP', 'net share', 'net1 share', 'route print', 'net localgroup', 'whoami /all']); // source: https://twitter.com/1ZRR4H/status/1568395544359309312 +DeviceProcessEvents +| where TimeGenerated between (startofmonth(ago(15d)) .. endofmonth(ago(15d))) //workaround for datetime filtering to run previous month data +| where ProcessCommandLine in (QakBotCommands) +| summarize TotalCommandsFound = count(), CommandLineList = make_set(ProcessCommandLine), TimeGenerated = min(TimeGenerated) by DeviceName, AccountName, TenantId //dummy TimeGenerated +| extend TotalUniqueCommandsFound = array_length(CommandLineList) +| where TotalUniqueCommandsFound > 3 // Adjust to reduce false positives +| sort by TotalUniqueCommandsFound, TotalCommandsFound +``` + +#### Triage
+ +1. This is high-fidelity detections, collect information on the device(s) and understand the context of activities occurred using timeline analysis + +#### FalsePositive
+ +1. Threat Hunt rules tuned, this is a high-fidelity detections + +#### Version
+ +Version 2.0 (date 09/02/2024) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-ProcessExecution.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-ProcessExecution.md index 757c2e7d..b1853cad 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-ProcessExecution.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-ProcessExecution.md @@ -1,26 +1,27 @@ -## S0650 - Qakbot: Process executions +### S0650 - Qakbot: Process executions + +#### DESCRIPTION Detects potential QBot activity by looking for process executions used previously by QBot -!!! example - ``` - "C:\\Windows\\System32\\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\\Windows\\System32\\calc.exe" > "C:\\Users\\admin\\AppData\\Local\\Temp\\aNkxbUo.exe" - ``` +**Example:** + +> "C:\\Windows\\System32\\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\\Windows\\System32\\calc.exe" > "C:\\Users\\admin\\AppData\\Local\\Temp\\aNkxbUo.exe" -!!! tip "Related" - Malware +**Related**\ +Malware -!!! abstract "Reference" - - - - +**Reference**\ +https://github.com/SigmaHQ/sigma/blob/4de6102dc7d94c9ee70995aeea27b77184d62c35/rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml#L4\ +https://www.trendmicro.com/en_au/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html -### ATT&CK TACTICS +#### ATT&CK TACTICS {{mitre("S0650")}} Data source - Command -### SENTINEL RULE QUERY +#### SENTINEL RULE QUERY ``` let c1 = dynamic([@'/c ping.exe -n 6 127.0.0.1 & type']); @@ -29,10 +30,10 @@ find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_a InitiatingProcessCommandLine has_all (c2) or ProcessCommandLine has_all (c2) or CommandLine has_all (c2) ``` -### Triage +#### Triage 1. Inspect commands to identify Qbot activity -### Version +#### Version Version 1.0 (date 5/7/2023) 
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.001-OSCredentialDumping-LSASSMemory.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.001-OSCredentialDumping-LSASSMemory.md index 8cc1e73d..fb01ec12 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.001-OSCredentialDumping-LSASSMemory.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.001-OSCredentialDumping-LSASSMemory.md @@ -1,32 +1,34 @@ -## T1003.001 - OS Credential Dumping LSASS Memory +### T1003.001 - OS Credential Dumping LSASS Memory + +#### DESCRIPTION A technique by which the adversary may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. -!!! example - ``` - procdump -ma lsass.exe lsass_dump\ - rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 552 C:\\Windows\\Temp\\vmware-vhost.dmp full - ``` +**Example:** + +> procdump -ma lsass.exe lsass_dump\ +> rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 552 C:\\Windows\\Temp\\vmware-vhost.dmp full -!!! tip "Related" - Volt Typhoon activity +**Related**\ +Volt Typhoon activity -!!! abstract "Reference" - - - - - - - - +### Reference: -### ATT&CK TACTICS +https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/\ +https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\ +https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/SuspectedLSASSDump.yaml\ +https://docs.microsoft.com/sysinternals/downloads/procdump + +#### ATT&CK TACTICS {{ mitre("T1003.001")}}\ {{ mitre("T1003.003")}} Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/), [Command](https://attack.mitre.org/datasources/DS0017/) -### SENTINEL RULE QUERY +#### SENTINEL RULE QUERY
-```kusto +``` let c1 = dynamic(["procdump", "lsass"]); let c2 = dynamic(["rundll32", "comsvcs", "MiniDump"]); let c3 = dynamic(['MiniDump',' full']); @@ -37,15 +39,15 @@ InitiatingProcessCommandLine has_all (c3) or ProcessCommandLine has_all (c3) or InitiatingProcessCommandLine has c4 or ProcessCommandLine has c4 or CommandLine has c4 ``` -### Triage +#### Triage 1. Inspect which account and at what time the activity was performed 1. Question the user if the activity was expected and approved -### FalsePositive +#### FalsePositive Legitimate administrative or pentesting activity -### VERSION +#### VERSION Version 1.0 (date: 10/07/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-Exfiltratentds.dit.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-Exfiltratentds.dit.md index b0fc2b4c..d429c74e 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-Exfiltratentds.dit.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-Exfiltratentds.dit.md 
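Review bot: in the LSASS hunk the added `+### Reference:` is a level-3 heading while every sibling section on the page (`#### DESCRIPTION`, `#### ATT&CK TACTICS`, `#### SENTINEL RULE QUERY`) is level 4; use `**Reference:**\` as the Related block does, or `#### Reference`. The same hunk also replaces ` ```kusto ` with a bare fence, which drops syntax highlighting for the query; if the bare fence is deliberate for consistency with the other pages, fine, otherwise keep the language tag.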
@@ -1,46 +1,47 @@ -## T1003 - OS Credential Dumping: Exfiltrate ntds.dit +### T1003 - OS Credential Dumping: Exfiltrate ntds.dit + +#### DESCRIPTION A technique by which the adversary may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. -!!! example - ``` - cmd /c copy \\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp > C:\\Windows\\Temp\.tmp - ``` +**Example:** + +> cmd /c copy \\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp > C:\\Windows\\Temp\.tmp -!!! tip "Related" - Volt Typhoon activity +**Related**\ +Volt Typhoon activity ### Reference: -https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/%5C -https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection%5C -https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on%5C +https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/\ +https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\ +https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on\ https://docs.microsoft.com/sysinternals/downloads/procdump -### ATT&CK TACTICS +#### ATT&CK TACTICS {{ mitre("T1003.001")}}\ {{ mitre("T1003.003")}} Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/), [Command](https://attack.mitre.org/datasources/DS0017/) -### SENTINEL RULE QUERY +#### SENTINEL RULE QUERY
``` let c1 = dynamic(["ntds.dit"]); find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) ``` -### Triage +#### Triage 1. Inspect which account and at what time the activity was performed 1. Question the user if the activity was expected and approved -### False Positive +#### False Positive 1. Back up software > "ESENTUTL.EXE" .. "C:\\Program Files\\Veritas.." "\\?...\\NTDS\\ntds.dit" -### VERSION +#### VERSION Version 1.1 (date: 16/10/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-NTDSusingTools.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-NTDSusingTools.md index b441c510..d8432352 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-NTDSusingTools.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-NTDSusingTools.md 
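Review bot: the rewritten heading `+### T1003 - OS Credential Dumping: Exfiltrate ntds.dit` keeps the bare `T1003` ID while the filename and the `{{ mitre("T1003.003")}}` line use T1003.003; since the heading line is already being changed, make it `T1003.003`. The tactics block in the same hunk also lists `{{ mitre("T1003.001")}}` (LSASS memory), which does not fit an ntds.dit page and looks carried over from the LSASS ADS, and `### Reference:` remains level 3 against the page's `####` sections. The `%5C` to `\` correction in the reference URLs is right.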
@@ -1,42 +1,43 @@ -## T1003.003 - OS Credential Dumping: NTDS using Tools +### T1003.003 - OS Credential Dumping: NTDS using Tools + +#### DESCRIPTION A technique by which the adversary may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. -!!! example - ``` - cmd /c copy \\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp > C:\\Windows\\Temp\.tmp - ``` +**Example:** + +> cmd /c copy \\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp > C:\\Windows\\Temp\.tmp -!!! tip "Related" - Volt Typhoon activity +**Related**\ +Volt Typhoon activity ### Reference: -https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/%5C -https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection%5C -https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on%5C +https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/\ +https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\ +https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on\ https://docs.microsoft.com/sysinternals/downloads/procdump -### ATT&CK TACTICS +#### ATT&CK TACTICS {{ mitre("T1003.003")}} Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/), [Command](https://attack.mitre.org/datasources/DS0017/) -### SENTINEL RULE QUERY
+#### SENTINEL RULE QUERY
-### T1003.003 - OS Credential Dumping: NTDS using tools +#### T1003.003 - OS Credential Dumping: NTDS using tools ``` let c1 = dynamic(["Invoke-NinjaCopy","Secretsdump.py","DSInternals"]); find where InitiatingProcessCommandLine has_any (c1) or ProcessCommandLine has_any (c1) or CommandLine has_any (c1) ``` -### Triage +#### Triage 1. Inspect which account and at what time the activity was performed 1. Question the user if the activity was expected and approved -### VERSION +#### VERSION Version 1.0 (date: 10/07/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.006-OSCredentialDumping-DCSyncAD.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.006-OSCredentialDumping-DCSyncAD.md deleted file mode 100644 index 33eea3e9..00000000 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.006-OSCredentialDumping-DCSyncAD.md +++ /dev/null 
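Review bot: the Example block in the NTDS-using-Tools hunk still shows the Volume Shadow Copy `copy ... ntds.dit` command from the Exfiltrate page, while the query on this page matches `Invoke-NinjaCopy`, `Secretsdump.py` and `DSInternals`; the example should illustrate what this query actually fires on, otherwise analysts will compare the wrong artefact. In the same hunk, the sub-heading `+#### T1003.003 - OS Credential Dumping: NTDS using tools` placed between `#### SENTINEL RULE QUERY` and the code fence just repeats the page title and should be removed rather than demoted.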
@@ -1,50 +0,0 @@ -## T1003.006 - OS Credential Dumping: DCSync - -Detects Mimikatz DC sync activity - -!!! example - ``` - "mimikatz.exe" "lsadump::dcsync /domain:somedomain.gov.au /user:someusername.gov.au" exit - ``` - -!!! tip "Related" - mimikatz - -**Reference:**\ -https://github.com/SigmaHQ/sigma/blob/0bd067ce9b767737155e3fb6c45a330d943d4820/rules/windows/builtin/security/win_security_dcsync.yml#L4%5C -https://www.sentinelone.com/blog/active-directory-dcsync-attacks/ - -#### ATT&CK TACTICS - -{{mitre("T1003.006")}} - -Data Source(s): [Active Directory](https://attack.mitre.org/datasources/DS0026/) - -#### SENTINEL RULE QUERY - -``` -let selection_properties = dynamic(['Replicating Directory Changes All','1131f6ad-9c07-11d1-f79f-00c04fc2dcd2','1131f6aa-9c07-11d1-f79f-00c04fc2dcd2','9923a32a-3607-11d2-b9be-0000f87a36b2','89e95b76-444d-4c62-991a-0facbeda640c']); -let selection_AccessMask = '0x100'; -let filter1 = 'Window Manager'; -let filter2 = @"^(NT AUT|MSOL_)"; -let filter3 = "$"; -SecurityEvent -| where EventID == 4662 -| where Properties has_any (selection_properties) and AccessMask == selection_AccessMask -| where not(SubjectDomainName == filter1 or SubjectUserName matches regex filter2 or SubjectUserName endswith filter3) -//| summarize first_TimeStamp=min(TimeGenerated), last_TimeStamp=max(TimeGenerated), count(), set_SubjectDomainNAme = make_set(SubjectDomainName), set_SubjectUserName = make_set(SubjectUserName), set_Properties=make_set(Properties) by Account, Computer, TenantId -``` - -#### Triage - -1. Remove the comment "//" in 'summarize' statement in above KQL to assist in analysis and removing data duplicates. -1. Evaluate the Account and SubjectUserName, check if DC Sync expected and approved. - -#### FalsePositive - -1. Valid DC Sync that is not covered by the filters; please report -1. Local Domain Admin account used for Azure AD Connect - -#### VERSION - -Version 2.1 (date: 08/11/2023) 
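Review bot: this hunk deletes the whole T1003.006 DCSync hunt (EventID 4662 with the replication control-access GUIDs), a page that was bumped to version 2.1 on 08/11/2023, and neither the commit message nor the PR title (an advisory about the Microsoft nation-state attack) says why. If the hunt has been superseded by a Sentinel analytic rule or moved elsewhere, state that in the PR description and link the replacement; otherwise the ADS catalogue loses its only DCSync coverage.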
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1016-EnumerateNetworkTopology.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1016-EnumerateNetworkTopology.md index d6abe65b..c127fb2b 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1016-EnumerateNetworkTopology.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1016-EnumerateNetworkTopology.md @@ -9,8 +9,8 @@ Detects commands that are used to enumerate the network topology. > curl www\<.>ip-api\<.>com\ > ldifde.exe -f c:\\windows\\temp\\cisco_up.txt -p subtree -!!! tip "Related" - Volt Typhoon activity +**Related**\ +Volt Typhoon activity **Reference**\ https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1016-Info-stealer-tool-Grixba.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1016-Info-stealer-tool-Grixba.md new file mode 100644 index 00000000..9a43e039 --- /dev/null +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1016-Info-stealer-tool-Grixba.md @@ -0,0 +1,46 @@ +### T1016 - Info stealer Grixba + +#### DESCRIPTION + +Detects custom info stealer tool Grixba used by Play ransomware +It was developed by Play ransomware actors using Costura, a popular.NET development tool for embedding an application's dependencies into a single executable file + +**example:**\ +Imageload log containing file name costura.commandline.dll which is used by Grixba + +**Related**\ +Play ransomware + +**Reference:**\ +https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a\ +https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy\ +https://www.bleepingcomputer.com/news/security/play-ransomware-gang-uses-custom-shadow-volume-copy-data-theft-tool/ + +#### ATT&CK TACTICS
+ +{{mitre("T1016")}} + +Data Source(s): [Module](https://attack.mitre.org/datasources/DS0011/) + +#### SENTINEL RULE QUERY
+ +``` +let filter_signOriginalFileName = dynamic(['MacDrive.exe', 'MacDrive Service.exe', 'MacDrive Helper.exe', 'SoftRAID.exe', 'SoftRAID Service.exe', 'SoftRAID Helper.exe']); +let filter_signCompanyName = dynamic(['Other World Computing, Inc.', 'OWC']); +DeviceImageLoadEvents +| where FileName contains "costura" +| where InitiatingProcessVersionInfoOriginalFileName !in (filter_signOriginalFileName) and InitiatingProcessVersionInfoCompanyName !in (filter_signCompanyName) +``` + +#### Triage
+ +1. Inspect if DLL image loaded's FileName is 'costura.commandline.dll', which is used by Grixba to parse command lines +1. Inspect InitiatingProcessFolderPath for any anomalies/ suspicious process + +#### False Positive
+ +Known good used by legitimate companies + +#### VERSION
+ +Version 1.0 (date: 06/02/2024) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1016.001-Potential-Pikabot-C2-Activity-Suspicious-Process-Created-By-Rundll32.EXE.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1016.001-Potential-Pikabot-C2-Activity-Suspicious-Process-Created-By-Rundll32.EXE.md new file mode 100644 index 00000000..b4a3f7cc --- /dev/null +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1016.001-Potential-Pikabot-C2-Activity-Suspicious-Process-Created-By-Rundll32.EXE.md @@ -0,0 +1,50 @@ +### T1016.001 - Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE + +#### DESCRIPTION + +Detects the execution of rundll32 that leads to system discovery activity, such as incl. network, user info and domain groups. +The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute). + +Credit: Andreas Braathen (mnemonic.io) + +**example:**\ +APT1 used the ipconfig /all command to gather network configuration information. +[APT1](https://attack.mitre.org/groups/G0006/) + +**Reference:**\ +https://github.com/SigmaHQ/sigma/blob/65ceeeea6fec56c673cf9ff6a4a9b14dc4eea191/rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_discovery.yml + +**Related**\ +https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242 + +#### ATT&CK TACTICS
+ +{{ mitre("T1016")}}\ +{{ mitre("T1049")}}\ +{{ mitre("T1087")}} + +Data Source(s): +[Process](https://attack.mitre.org/datasources/DS0009/#Process%20Creation) + +#### SENTINEL RULE QUERY
+ +``` +let selection_cmdline = dynamic(['ipconfig.exe /all','netstat.exe -aon','whoami.exe /all']); +DeviceProcessEvents +| where ActionType == "ProcessCreated" +| where InitiatingProcessParentFileName == "rundll32.exe" //grandparent process to be rundll32.exe +| where ProcessCommandLine has_any (selection_cmdline) +``` + +#### Triage
+ +1. This is a high fidelity threat hunt, analyse and triage the findings +1. Understand context of the activities, e.g. user, time, process, intent + +### False Positives
+ +1.Unlikely, high fidelity threat hunt + +#### VERSION
+ +Version 1.0 (date: 07/02/2024) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1021-LateralMovement-RemoteServices.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1021-LateralMovement-RemoteServices.md deleted file mode 100644 index 26ca0900..00000000 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1021-LateralMovement-RemoteServices.md +++ /dev/null @@ -1,41 +0,0 @@ -### T1021 - Lateral Movement - Remote Services - -#### DESCRIPTION - -Detects lateral movement activity of webservers onto core systems. - -**example:**\ -N/A - -!!! tip "Related" - N/A - -**Reference:**\ -https://attack.mitre.org/techniques/T1021/ - -#### ATT&CK TACTICS - -{{ mitre("T1003.001")}} - -Data Source(s): [Network Traffic](https://attack.mitre.org/datasources/DS0029) - -#### SENTINEL RULE QUERY - -``` -let webserver_ip = () -{DeviceNetworkEvents -| where InitiatingProcessFileName has_any ('w3wp','nginx','apache') and LocalIPType == "Private" -| distinct LocalIP}; -DeviceNetworkEvents -| where (LocalIP has_any (webserver_ip()) or DeviceName contains "Web") and RemotePort in (3389,22) -| distinct RemoteIP, DeviceName,RemotePort, InitiatingProcessCommandLine -``` - -#### Triage - -1. Inspect command lines for suspicious activity -1. Inspect if the activity is expected and approved. It may be performed by an admin or a service - -#### VERSION - -Version 1.0 (date: 10/07/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1027.006-HTMLSmuggling.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1027.006-HTMLSmuggling.md index 5c6da69b..9fc5b53a 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1027.006-HTMLSmuggling.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1027.006-HTMLSmuggling.md 
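Review bot: in the new Grixba page the description reads "Costura, a popular.NET development tool" (missing space before ".NET"), and `**example:**` should be `**Example:**` to match the other ADS pages. A fidelity caveat worth adding to the False Positive section: the exclusion keys on `InitiatingProcessVersionInfoOriginalFileName` and `InitiatingProcessVersionInfoCompanyName`, which are PE version-info strings any binary can set, so a loader that claims the MacDrive/SoftRAID names or `OWC` as company would be suppressed; the Triage step should say that version info is not a signature check.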
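Review bot: in the new Pikabot page `### False Positives` is a level-3 heading where the page's other sections are `####`, and the item `1.Unlikely, high fidelity threat hunt` lacks the space after `1.` so it will not render as a list. The technique IDs are also inconsistent: the filename and title say T1016.001, but the tactics block calls `{{ mitre("T1016")}}`, `{{ mitre("T1049")}}` and `{{ mitre("T1087")}}` and never T1016.001; pick one set. The Example block quotes APT1's `ipconfig /all` from ATT&CK rather than a Pikabot command chain, so it does not illustrate the rundll32-parent condition the query actually checks.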
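Review bot: this hunk deletes the T1021 Lateral Movement page without a stated reason. The removed page mapped a lateral-movement hunt to `{{ mitre("T1003.001")}}` (LSASS credential dumping) and its query flagged any RDP/SSH (3389, 22) connection from a web-server IP, so retiring it may well be the right call, but the PR description should say whether it is retired or replaced.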
@@ -7,8 +7,8 @@ Detects a device launching a browser to visit a URL that contains a base64 encod **example:**\ Clicked url has hidden second stager url(s) and encoded user name that is passed to the phishing site -!!! tip "Related" - AiTM phishing +**Related**\ +AiTM phishing **Reference:**\ https://securelist.com/html-attachments-in-phishing-e-mails/106481/ diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1033-IdentifySuccessfulLogons.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1033-IdentifySuccessfulLogons.md index ab499dd5..b127c163 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1033-IdentifySuccessfulLogons.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1033-IdentifySuccessfulLogons.md @@ -8,8 +8,8 @@ The actor gathered information about successful logons to the host using a Power > Get-EventLog security -instanceid 4624 -!!! tip "Related" - Volt Typhoon activity +**Related**\ +Volt Typhoon activity **Reference**\ https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1047-WMICCommands.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1047-WMICCommands.md index 35da9755..a8a0fc7d 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1047-WMICCommands.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1047-WMICCommands.md @@ -10,8 +10,8 @@ The actor has executed WMIC commands to create a copy of the ntds.dit file and S > wmic process call create "cmd.exe /c ntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\Pro"\ > wmic process call create "cmd.exe /c mkdir C:\\Windows\\Temp\\tmp & ntdsutil "ac i ntds" ifm -!!! tip "Related" - Volt Typhoon activity +**Related**\ +Volt Typhoon activity **Reference**\ https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection 
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1053.005-Diamond-Sleet-APT-Scheduled-Task-Creation-Registry.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1053.005-Diamond-Sleet-APT-Scheduled-Task-Creation-Registry.md index d315f3b6..e6ce7003 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1053.005-Diamond-Sleet-APT-Scheduled-Task-Creation-Registry.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1053.005-Diamond-Sleet-APT-Scheduled-Task-Creation-Registry.md @@ -8,9 +8,10 @@ Detects registry event related to the creation of a scheduled task used by Diamo > Forest64.exe create a scheduled task named 'Windows TeamCity Settings User Interface' -!!! tip "Related" - - Ransomware - - Diamond Sleet APT +**Related**
+ +- Ransomware +- Diamond Sleet APT **Reference:**\ https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1059-MicroSCADA-SCILC-Command-Execution.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1059-MicroSCADA-SCILC-Command-Execution.md index ed54225f..55147e84 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1059-MicroSCADA-SCILC-Command-Execution.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1059-MicroSCADA-SCILC-Command-Execution.md @@ -8,9 +8,9 @@ Identification of Events or Host Commands that are related to the MicroSCADA SCI > C:\\sc\\prog\\exec\\scilc.exe -do pack\\scil\\s1.txt -!!! tip "Related" - - SCADA - - [Sandworm](https://attack.mitre.org/groups/G0034/) +**Related**\ +SCADA +[Sandworm](https://attack.mitre.org/groups/G0034/) **Reference:**\ https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1082-SystemInformationDiscovery.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1082-SystemInformationDiscovery.md index 49e7015e..41a40bea 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1082-SystemInformationDiscovery.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1082-SystemInformationDiscovery.md @@ -1,4 +1,4 @@ -### T1082 - System Information Discovery +### T1082 - SystemInformationDiscovery #### DESCRIPTION 
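Review bot: in the MicroSCADA hunk the converted Related block drops the list, but `+SCADA` has no trailing `\`, so "SCADA" and "[Sandworm](...)" will render on a single line as "SCADA [Sandworm]"; either add the backslash after SCADA or keep the two-item list, as the Diamond Sleet hunk just above does.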
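Review bot: the T1082 heading hunk changes "System Information Discovery" to "SystemInformationDiscovery", removing the spaces from the ATT&CK technique name in the page title; keep the spaced title (the compressed form belongs only in the filename).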
@@ -8,31 +8,35 @@ The actor has executed commands to gather information about the storage devices > "cmd.exe /C "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename" -!!! tip "Related" - Volt Typhoon activity +**Related**\ +Volt Typhoon activity **Reference**\ https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ -#### ATT&CK TACTICS +#### ATT&CK TACTICS
{{ mitre("T1082")}} Data source - [Command](https://attack.mitre.org/datasources/DS0017) -#### SENTINEL RULE QUERY +#### SENTINEL RULE QUERY
``` -let c1 = dynamic(["cmd", "wmic", "caption", "filesystem"]); -find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) +let selection_cmd = dynamic(["cmd", "wmic", "caption", "filesystem"]); +DeviceProcessEvents +| where ActionType == "ProcessCreated" +| where FileName == "cmd.exe" +| where ProcessCommandLine has_all (selection_cmd) +//| summarize count(), first_seen = min(TimeGenerated), last_seen = max(TimeGenerated) by TenantId, DeviceName, AccountName, InitiatingProcessFolderPath, FolderPath, ProcessCommandLine ``` -#### Triage +#### Triage
1. Inspect which account and at what time the activity was performed 1. Question the user if the activity was expected and approved -#### Version +#### Version
-Version 1.0 (date 5/7/2023) +Version 1.1 (date 07/02/2024) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1090-Proxy.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1090-Proxy.md index f9f0a103..56004d1c 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1090-Proxy.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1090-Proxy.md @@ -9,8 +9,8 @@ Adversary may use connection proxy to direct network traffic between systems or > "cmd.exe /c "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress= connectport=8443 protocol=tcp"" > "cmd.exe /c netsh interface portproxy add v4tov4 listenport=50100 listenaddress=0.0.0.0 connectport=1433 connectaddress=" -!!! tip "Related" - Volt Typhoon activity +**Related**\ +Volt Typhoon activity **Reference:**\ https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1189-Drive-byCompromise-FakeUpdate.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1189-Drive-byCompromise-FakeUpdate.md index bf67d088..2d9b2690 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1189-Drive-byCompromise-FakeUpdate.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1189-Drive-byCompromise-FakeUpdate.md @@ -9,8 +9,8 @@ Detects the existence of FakeUpdate .zip file, commonly associated with SocGholi > Edge.6ebddd.zip\ > Edge.7a859a.zip -!!! tip "Related" - +**Related**\ +https://www.secureworks.com/research/threat-profiles/gold-prelude **Reference:**\ https://redcanary.com/threat-detection-report/threats/socgholish/ diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1190-WebshellsSuspiciousURI.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1190-WebshellsSuspiciousURI.md deleted file mode 100644 index 8caa5741..00000000 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1190-WebshellsSuspiciousURI.md +++ /dev/null 
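Review bot: the rewritten T1082 query adds `| where FileName == "cmd.exe"`, so a `wmic path win32_logicaldisk ...` run directly or from PowerShell is no longer matched, although the previous `find where ... CommandLine has_all (c1)` form caught it; the `"cmd"` term in `selection_cmd` also becomes redundant once FileName is pinned to cmd.exe. Suggest `| where FileName in~ ("cmd.exe", "wmic.exe")` and dropping `"cmd"` from the list, or state in the description that only cmd-wrapped invocations are in scope. The `#### ATT&CK TACTICS`, `#### SENTINEL RULE QUERY`, `#### Triage` and `#### Version` changes in this hunk appear to be whitespace-only and add diff noise. The version bump to 1.1 with the new date is good.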
@@ -1,55 +0,0 @@ -### T1190 - Webshell by suspicious URI requests - -#### DESCRIPTION - -This will look for connections to files on the server that are requested by only a single client. -This analytic will be effective where an actor is utilising relatively static operational IP addresses. The threshold can be modified. -The larger the execution window for this query the more reliable the results returned. - -**example:**\ -NA - -!!! tip "Related" - common persistance - -**Reference:**\ -https://attack.mitre.org/techniques/T1505/003/%5C -https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/RareClientFileAccess.yaml - -#### ATT&CK TACTICS - -{{ mitre("T1190")}} - -Data Source(s): [Network Traffic](https://attack.mitre.org/datasources/DS0029/) - -#### SENTINEL RULE QUERY - -``` -let clientThreshold = 1; - let scriptExtensions = dynamic([".php", ".aspx", ".asp", ".cfml"]); - let data = W3CIISLog - | where csUriStem has_any(scriptExtensions) - |where scStatus == 200 - |where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127." - |where ipv4_is_private(sIP) == false - | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), makelist(cIP), dcount(TimeGenerated) by csUriStem, sSiteName, csUserAgent; - data - | mvexpand list_cIP - | distinct StartTime, EndTime, tostring(list_cIP), csUriStem, sSiteName, csUserAgent - | summarize StartTime = min(StartTime), EndTime = max(StartTime), dcount(list_cIP), makelist(list_cIP), makelist(sSiteName) by csUriStem, csUserAgent - | where dcount_list_cIP == clientThreshold - | where csUserAgent startswith "Mozilla" - | extend timestamp = StartTime, UserAgentCustomEntity = csUserAgent -``` - -#### Triage - -1. Inspect network traffic to potential web shells. Most webshells take commands via POSTs. Successfull commands are met with a "200" - -#### FalsePositive - -unknown - -#### VERSION - -Version 1.0 (date: 10/07/2023) 
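Review bot: this hunk deletes the whole T1190 rare-client-file-access hunt over W3CIISLog with no replacement named, and the commit message does not mention it. Please state in the PR whether IIS webshell coverage now rests only on T1505.003-IISWebshellFileWrites and T1505.003-WindowsWebshellCreation, which are the remaining IIS pages touched in this patch.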
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-IISWebshellFileWrites.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-IISWebshellFileWrites.md index 67b0c21a..ebb50d44 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-IISWebshellFileWrites.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-IISWebshellFileWrites.md @@ -7,8 +7,8 @@ Detects IIS file writes that may be web shells. Adversaries may backdoor web ser **Example:**\ NA -!!! tip "Related" - Common Persistance +**Related**\ +Common Persistance **Reference:**\ https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Web%20Shells%20Threat%20Protection/Hunting%20Queries/Possible%20webshell%20drop.yaml diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-Linux-Webshell-Indicators.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-Linux-Webshell-Indicators.md new file mode 100644 index 00000000..caa59571 --- /dev/null +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-Linux-Webshell-Indicators.md 
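Review bot: the rewritten Related line `+Common Persistance` carries the typo "Persistance" over from the old admonition; since the line is being replaced anyway, make it "Common Persistence" (the WindowsWebshellCreation hunk below already spells it that way).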
@@ -0,0 +1,51 @@ +### T1505.003 - Linux Webshell Indicators + +#### DESCRIPTION + +Detects suspicious linux sub processes of web server processes. + +**Reference:** + + + + + + + +**Related**\ +common persistence - Linux + +#### ATT&CK TACTICS + +{{mitre(T1505)}} + +Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/) + +#### SENTINEL RULE QUERY + +``` +let selection_general = @".*(/httpd|/lighttpd|/nginx|/apache2|/node|/caddy)$"; +let selection_websphere = dynamic(['/bin/java','websphere']); +let sub_processes= @"/(whoami|ifconfig|ip|bin/uname|bin/cat|bin/crontab|hostname|iptables|netstat|pwd|route)$"; +let filter_command = dynamic(['httpd -D FOREGROUND','apache2 -D FOREGROUND']); +DeviceProcessEvents +| where InitiatingProcessFolderPath matches regex selection_general or InitiatingProcessCommandLine has_all (selection_websphere) +| where FolderPath matches regex sub_processes +| where InitiatingProcessCommandLine !in (filter_command) +//| summarize count(), earliest_time=min(TimeGenerated), set_DeviceName=make_set(DeviceName), set_AccountName=make_set(AccountName) by TenantId, InitiatingProcessFolderPath,InitiatingProcessCommandLine, FolderPath, ProcessCommandLine, SHA256 +``` + +#### Triage + +1. Remove the comment "//" in 'summarize' statement in above KQL to assist in analysis and removing data duplicates. +1. Examine the sub processes (under FolderPath) and the command-line whether the activity is suspicious +1. Check for additional suspicious sub processes detected from the same hosts +1. Verify if the location of the parent process and the process is expected + +#### FalsePositive + +Web applications that invoke Linux command line tools + +#### VERSION + +Version 2.0 (date: 09/02/2024) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-SuspiciousChildProcessOfSQLServer.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-SuspiciousChildProcessOfSQLServer.md index 744aeabd..cc6b761f 100644 
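Review bot: in the new Linux Webshell Indicators page `{{mitre(T1505)}}` omits the quotes every other page uses (`{{mitre("T1505.003")}}`) and references the parent technique rather than the T1505.003 in the title; the macro call should be `{{mitre("T1505.003")}}`. The `**Reference:**` block in this hunk is empty, and a brand-new file starting at "Version 2.0 (date: 09/02/2024)" suggests it replaces an existing page; if so, rename it with git so history follows, and if not, start at 1.0. One query caveat for the FalsePositive section: `InitiatingProcessCommandLine !in (filter_command)` is an exact match, so `httpd -D FOREGROUND` with any extra argument is not excluded.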
--- a/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-SuspiciousChildProcessOfSQLServer.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-SuspiciousChildProcessOfSQLServer.md @@ -8,12 +8,12 @@ author: FPT.EagleEye Team, wagga **Example:**\ N/A -!!! tip "Related" - common persistence - SQL Server - **Reference:**\ https://github.com/SigmaHQ/sigma/blob/eb2f82cbc35909a9657aada437a59a70b5610818/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml +**Related**\ +common persistence - SQL Server + #### ATT&CK TACTICS
{{mitre("T1505.003")}} diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-SuspiciousWindowsStringsInURI.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-SuspiciousWindowsStringsInURI.md deleted file mode 100644 index 81b87325..00000000 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-SuspiciousWindowsStringsInURI.md +++ /dev/null @@ -1,48 +0,0 @@ -### T1505.003 - Suspicious Windows Strings In URI - -#### DESCRIPTION - -Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication -author: Nasreddine Bencherchali (Nextron Systems). - -**Example:** - -> /custom/login/fm2.jsp?p=C:/Windows/Temp&action=get\ -> /custom/login/fm2.jsp?p=C:/Windows&action=get\ -> /custom/login/fm2.jsp?p=C:/Users&action=get - -!!! tip "Related" - - Common persistence - webserver - - Common exfiltration - webserver - -**Reference:**\ -https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ -https://github.com/SigmaHQ/sigma/blob/eb2f82cbc35909a9657aada437a59a70b5610818/rules/web/webserver_generic/web_susp_windows_path_uri.yml - -#### ATT&CK TACTICS
- -{{mitre("T1505.003")}} - -Data Source(s): [TBA](<>) - -#### SENTINEL RULE QUERY
- -``` -let cs_uri_query=dynamic(['=C:/Users', '=C:/Program%20Files', '=C:/Windows', '=C%3A%5CUsers', '=C%3A%5CProgram%20Files', '=C%3A%5CWindows']); -AzureDiagnostics //SOC-754348 -| where action_s == "Allowed" //minimise noise -| where requestUri_s has_any (cs_uri_query) -``` - -#### Triage - -1. Examine the uri requests for suspicious activities -1. Check if connection from source IP address was expected - -#### FalsePositives: - -Legitimate application and websites that use windows paths in their URL - -#### VERSION - -Version 1.0 (date: 31/10/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-WindowsWebshellCreation.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-WindowsWebshellCreation.md index 99bf35b1..b6199793 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-WindowsWebshellCreation.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-WindowsWebshellCreation.md @@ -7,8 +7,8 @@ Possible webshell file creation on a static web site. **Reference:**\ https://github.com/SigmaHQ/sigma/blob/bd4542448564d8c9bbdac8a6b32b3975af153772/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml -!!! tip "Related" - Common Persistence - Windows +**Related**\ +Common Persistence - Windows #### ATT&CK TACTICS
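Review bot: the SQL Server hunk moves `**Related**` below `**Reference:**`, reversing the Related-then-Reference order that the other converted pages in this PR keep; put Related back above Reference so the ADS forms stay uniform.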
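Review bot: this hunk deletes the T1505.003 Suspicious Windows Strings In URI page without a stated reason. The removed page still had `Data Source(s): [TBA](<>)` and a `//SOC-754348` ticket reference in the query, so it reads as unfinished; if that is the motive, say so in the PR description, and if the AzureDiagnostics URI check is meant to come back once finished, track it.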
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1505.004-Suspicious-IIS-Module-Registration.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1505.004-Suspicious-IIS-Module-Registration.md index ee2a667f..5a826ad3 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1505.004-Suspicious-IIS-Module-Registration.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1505.004-Suspicious-IIS-Module-Registration.md @@ -5,10 +5,14 @@ Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors. Author: Florian Roth (Nextron Systems), Microsoft (idea) +**Example:** + **Reference:**\ https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ https://github.com/SigmaHQ/sigma/blob/8dc32d6dffe89f014912dea9719e6a95577a6725/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml#L12 +**Related** + #### ATT&CK TACTICS
{{mitre("T1505.004")}} diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-CobaltStrike-ServiceInstallationsInRegistry.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-CobaltStrike-ServiceInstallationsInRegistry.md index 74152299..d208ef82 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-CobaltStrike-ServiceInstallationsInRegistry.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-CobaltStrike-ServiceInstallationsInRegistry.md @@ -12,8 +12,8 @@ Detects known malicious service installs that appear in cases in which a Cobalt https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395 https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml -!!! tip "Related" - CobaltStrike - Persistence Registry_set +**Related**\ +CobaltStrike - Persistence Registry_set #### ATT&CK TACTICS
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-Create-or-Modify-System-Process-Remote-Access-Tool-Services-Have-Been-Installed.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-Create-or-Modify-System-Process-Remote-Access-Tool-Services-Have-Been-Installed.md deleted file mode 100644 index 5785c7f1..00000000 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-Create-or-Modify-System-Process-Remote-Access-Tool-Services-Have-Been-Installed.md +++ /dev/null 
@@ -1,50 +0,0 @@ -### T1543.003 - Create or Modify System Process - Remote Access Tool Services Have Been Installed - -#### DESCRIPTION - -Detects service installation of different remote access tools software. These software are often abused by threat actors. - -!!! tip "Related" - Ransomware - -**Reference:**\ -https://github.com/SigmaHQ/sigma/blob/8dc32d6dffe89f014912dea9719e6a95577a6725/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml#L11 - -#### ATT&CK TACTICS - -{{mitre("T1543.003")}} - -Data Source(s): -[File](https://attack.mitre.org/datasources/DS0022/), [Windows Registry](https://attack.mitre.org/datasources/DS0024), [Process](https://attack.mitre.org/datasources/DS0009/), [Application Log](https://attack.mitre.org/datasources/DS0015/) - -#### SENTINEL RULE QUERY - -``` -let selection=dynamic(['AmmyyAdmin','Atera','BASupportExpressSrvcUpdater','BASupportExpressStandaloneService','chromoting', 'GoToAssist','GoToMyPC','jumpcloud','LMIGuardianSvc','LogMeIn','monblanking','Parsec','RManService','RPCPerformanceService','RPCService','SplashtopRemoteService','SSUService','TightVNC','vncserver','Zoho']); -union -( -SecurityEvent -| where EventID == 4697 -| where ServiceFileName has_any (selection) -| extend TableName_ = "SecurityEvent" -| summarize count(), set_Tables=make_set(TableName_) by FileName=ServiceFileName, TenantId -), -( -union withsource=TableName_ Device* -| where FileName has_any (selection) -| where FileName endswith ".exe" -| summarize count(), set_Tables=make_set(TableName_) by FileName, TenantId -) -``` - -#### Triage - -1. Inspect if the existence of the tools were expected and approved. It may be performed by an admin or a service - -#### FalsePositive - -1. The rule doesn't look for anything suspicious so false positives are expected. If you use one of the tools mentioned, comment it out - -#### VERSION - -Version 1.0 (date: 06/10/2023) 
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-Potential-Persistence-Attempt-Via-Existing-Service-Tampering(sc.exe).md b/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-Potential-Persistence-Attempt-Via-Existing-Service-Tampering(sc.exe).md index 4f67f6f3..55f58263 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-Potential-Persistence-Attempt-Via-Existing-Service-Tampering(sc.exe).md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-Potential-Persistence-Attempt-Via-Existing-Service-Tampering(sc.exe).md @@ -10,13 +10,15 @@ Credit(s): [Sreeman](https://github.com/SigmaHQ/sigma/blob/8dc32d6dffe89f014912d **example:** -> sc config Fax binPath= "C:\\Windows\\System32\\suspicious.exe" start="auto" obj="LocalSystem"\ +> sc config Fax binPath= "C:\\Windows\\System32\\suspicious.exe" start="auto" obj="LocalSystem" > sc failure Fax command= ""c:\\Windows\\system32\\malicious.exe"" **Reference:**\ https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/ https://github.com/SigmaHQ/sigma/blob/8dc32d6dffe89f014912dea9719e6a95577a6725/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml#L8 +**Related** + #### ATT&CK TACTICS
{{mitre("T1543.003")}}\ @@ -35,7 +37,7 @@ DeviceProcessEvents | where InitiatingProcessParentFileName <> "msiexec.exe" | where FolderPath endswith "sc.exe" | where (ProcessCommandLine has_all (selection_sc_1) or ProcessCommandLine has_all (selection_sc_2)) -| summarize count(), earliest_Timestamp=min(TimeGenerated) by AccountDomain, AccountName, InitiatingProcessParentFileName, InitiatingProcessFolderPath, InitiatingProcessFileName, ProcessCommandLine, TenantId +//| summarize count(), earliest_Timestamp=min(TimeGenerated) by AccountDomain, AccountName, InitiatingProcessParentFileName, InitiatingProcessFolderPath, InitiatingProcessFileName, ProcessCommandLine, TenantId ``` #### Triage @@ -50,4 +52,4 @@ DeviceProcessEvents #### VERSION -Version 1.0 (date: 03/11/2023) +Version 1.1 (date: 13/02/2024) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-Potential-Persistence-Attempt-Via-Existing-Service-Tampering-(reg.exe).md b/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-Potential-Persistence-Attempt-Via-Existing-Service-Tampering-(reg.exe).md index 26120700..77513b48 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-Potential-Persistence-Attempt-Via-Existing-Service-Tampering-(reg.exe).md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-Potential-Persistence-Attempt-Via-Existing-Service-Tampering-(reg.exe).md @@ -16,6 +16,8 @@ https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/ https://github.com/SigmaHQ/sigma/blob/8dc32d6dffe89f014912dea9719e6a95577a6725/rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml#L7 https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe +**Related** + #### ATT&CK TACTICS
{{mitre("T1543.003")}}\ diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1547.001-Potential-Persistence-Attempt-Via-Run-Keys-Using-Reg.EXE.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1547.001-Potential-Persistence-Attempt-Via-Run-Keys-Using-Reg.EXE.md new file mode 100644 index 00000000..85f9958a --- /dev/null +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1547.001-Potential-Persistence-Attempt-Via-Run-Keys-Using-Reg.EXE.md @@ -0,0 +1,50 @@ +### T1547.001 - Potential Persistence Attempt Via Run Keys Using Reg.EXE + +#### DESCRIPTION + +Detects suspicious command line reg.exe tool adding key to Autoruns key in Registry + +**example:**\ +REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "softoz" /t REG_SZ /F /D "C:\\Users\\admin\\AppData\\Roaming\\sihostt.exe" + +**Related** \ +common persistance + +**Reference:**\ +https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml#L22\ +https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys + +#### ATT&CK TACTICS
+ +T1547.001 + +Data Source(s): [Command](https://attack.mitre.org/datasources/DS0017/) + +#### SENTINEL RULE QUERY
+ +``` +let selection= dynamic(['reg',' ADD', @'Software\Microsoft\Windows\CurrentVersion\Run']); +let filter_known = dynamic(['Discord.exe','Skype.exe','LiveChat.exe','Promethean Desktop.exe']); +DeviceProcessEvents +| where ActionType == "ProcessCreated" +| where ProcessCommandLine has_all (selection) +| where InitiatingProcessFileName !in (filter_known) //Known False-Positive +| where ProcessCommandLine !contains "PaperCut" +//| summarize count(), set_InitiatingProcessFolderPath = make_set(InitiatingProcessFolderPath) by InitiatingProcessFileName, FolderPath, FileName, ProcessCommandLine, TenantId +``` + +#### Triage
+ +1. Inspect if the software is approved +1. Validate the folder path of the initiating process +1. Use summarize statement to remove duplication + +#### FalsePositive
+ +- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons. +- Legitimate administrator sets up autorun keys for legitimate reasons. +- Discord/ Skype/ Other applications + +#### VERSION
+ +Version 2.0 (date: 09/02/2024) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1552.002-REGISTRYPasswordDumping.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1552.002-REGISTRYPasswordDumping.md index 6ee475d4..0422fbca 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1552.002-REGISTRYPasswordDumping.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1552.002-REGISTRYPasswordDumping.md @@ -9,8 +9,8 @@ Detects scanning of registry hives for the value password. Adversaries may query > reg query HKLM /f password /t REG_SZ /s\ > reg query HKCU /f password /t REG_SZ /s -!!! tip "Related" - Agent Tesla, TrickBot, APT32, others +**Related**\ +Agent Tesla, TrickBot, APT32, others **Reference:**\ https://github.com/SigmaHQ/sigma/blob/cf29e28a54daa9d52f7d1a5996f023e2d08cde84/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml#L9 diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1555-CredentialsPasswordStores.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1555-CredentialsPasswordStores.md index 962a9ad4..c308cd25 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1555-CredentialsPasswordStores.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1555-CredentialsPasswordStores.md @@ -18,8 +18,8 @@ Detects suspicious credential access commands. Alone they may be normal but in c > reg save hklm\\sam ss.dat > reg save hklm\\system sy.dat -!!! tip "Related" - Volt Typhoon +**Related**\ +Volt Typhoon **Reference:**\ https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1557-AiTM-PhishingLogging.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1557-AiTM-PhishingLogging.md index 5a5dd189..67c5b9e0 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1557-AiTM-PhishingLogging.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1557-AiTM-PhishingLogging.md 
@@ -7,8 +7,9 @@ Detects potential successful AITM-Phishing-Login based on risk sign in level and **Example:**\ Successful Sign-in logs with ResultType == "0" from a malicious (unexpected) IP Address -!!! tip "Related" - +**Related** + +https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/ **Reference:** diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-AMSIBypass.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-AMSIBypass.md similarity index 98% rename from docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-AMSIBypass.md rename to docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-AMSIBypass.md index 2bd59a0c..c71a46fe 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-AMSIBypass.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-AMSIBypass.md @@ -8,6 +8,8 @@ This query detects attempts to disable AMSI (Antimalware Scripting Interface) in > \[Ref\].Assembly.GetType(‘System.Management.Automation.Am’+’siUtils’).GetField(‘amsiInitFailed’,’NonPublic,Static’).SetValue($null,$true) +**Related** + **Reference:**\ https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/deprecated/windows/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-Defender-Functionalities-Via-Registry-Keys.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-Defender-Functionalities-Via-Registry-Keys.md new file mode 100644 index 00000000..dbc8fad9 --- /dev/null +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-Defender-Functionalities-Via-Registry-Keys.md 
@@ -0,0 +1,59 @@ +### T1562.001 ImpairDefenses - Disable Defender Functionalities Via Registry Keys + +#### DESCRIPTION + +Detects when attackers or tools disable Windows Defender functionalities via the Windows registry + +**example:** + +> reg add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f +> reg add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f + +**Related**\ +Ransomware + +**Reference:**\ +https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml#L42\ +https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpyware + +#### ATT&CK TACTICS
+ +{{ mitre("T1562.001")}} + +Data Source(s): [Windows Registry](https://attack.mitre.org/datasources/DS0024) + +#### SENTINEL RULE QUERY
+ +``` +let selection_main = dynamic([@'\SOFTWARE\Microsoft\Windows Defender\', @'\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\',@'\SOFTWARE\Policies\Microsoft\Windows Defender\']); +let selection_dword_1 = dynamic(['DisableAntiSpyware','DisableAntiVirus', 'DisableBehaviorMonitoring','DisableIntrusionPreventionSystem', 'DisableIOAVProtection', 'DisableOnAccessProtection','DisableScanOnRealtimeEnable','DisableScriptScanning','DisableEnhancedNotifications', 'DisableBlockAtFirstSeen']); +let selection_dword_0 = dynamic(['DisallowExploitProtectionOverride', 'TamperProtection', 'MpEnablePus', 'PUAProtection', 'ForceUpdateFromMU','SubmitSamplesConsent','EnableControlledFolderAccess']); +let exclusion_defender = dynamic([@'c:\programdata\microsoft\windows defender',@'c:\program files\windows defender']); //Exclude activities from Microsoft Defender itself +let filter_folderPath = dynamic([@'c:\windows\system32\deviceenroller.exe',@'c:\windows\system32\omadmclient.exe', @'c:\windows\system32\hvsievaluator.exe']); //Exclude activities from known processes +DeviceRegistryEvents +| where ActionType == "RegistryValueSet" +| where RegistryKey has_any (selection_main) +| where (RegistryKey matches regex @"(?i)(\\Real-Time Protection|\\Reporting|\\SpyNet)$" and RegistryValueName has_any (selection_dword_1) and RegistryValueType =~ "Dword" and RegistryValueData == 1 )//DWORD (0x00000001) +or +(RegistryKey matches regex @"(?i)(\\App and Browser protection|\\Features|\\MpEngine|\\Signature Update|\\SpyNet|\\Windows Defender Exploit Guard\\Controlled Folder Access)$" and RegistryValueName has_any(selection_dword_0) and RegistryValueType =~ "Dword" and RegistryValueData == 0 )//DWORD (0x00000000) +| where not(InitiatingProcessFolderPath has_any (exclusion_defender) and InitiatingProcessFileName == "msmpeng.exe") //Exclude activities from Microsoft Defender itself +| where not(InitiatingProcessFolderPath has_any (filter_folderPath)) //Exclude activities from known 
processes +| where not(InitiatingProcessFolderPath == @'c:\windows\system32\svchost.exe' and InitiatingProcessCommandLine startswith "svchost.exe -k ") //exclude activities initiated from group policy +//| summarize count(), start_TimeStamp =min(TimeGenerated),last_TimeStamp=max(TimeGenerated), set_DeviceName=make_set(DeviceName), DeviceNum=dcount(DeviceName), set_RegistryValueName=make_set(RegistryValueName) by ActionType, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, TenantId +//| project start_TimeStamp, last_TimeStamp, ActionType, InitiatingProcessParentFileName, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, set_RegistryValueName, DeviceNum, set_DeviceName, count_, TenantId +``` + +#### Triage
+ +1. Remove the comment "//" in 'summarize' statement in above KQL to assist in analysis and removing data duplicates. +1. Inspect the InitiatingProcessFolderPath, InitiatingProcessFileName, and InitiatingProcessCommandLine, and see any suspicious process adding defender exclusion +1. Check why Defender was disabled. + +#### FalsePositive
+ +1. Legitimate application adding folder exceptions to the registry key +1. Group policy being used to disabling defender (added to exclusion-out of scope of this detection) + +#### VERSION
+ +Version 2.0 (date: 07/02/2024) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-or-Modify-Tools-Defender-Disabling-or-Exclusions.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-or-Modify-Tools-Defender-Disabling-or-Exclusions.md new file mode 100644 index 00000000..8c9e7b43 --- /dev/null +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-or-Modify-Tools-Defender-Disabling-or-Exclusions.md @@ -0,0 +1,46 @@ +### T1562.001 - Impair Defenses: Disable or Modify Tools - Defender Disabling or Exclusions + +#### DESCRIPTION + +This query detects attempts to disable defender or it detects attempts to add exclusions. + +**Example:** + +> C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” Set-MpPreference -ExclusionPath ‘C:\\’ + +**Related**\ +Malware, Ransomware + +**Reference:**\ +https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml#L24 + +#### ATT&CK TACTICS
+ +{{ mitre("T1562.001")}} + +Data Source(s): [Command](https://attack.mitre.org/datasources/DS001/) + +#### SENTINEL RULE QUERY
+ +``` +let selection_1 = dynamic(['Set-MpPreference ', 'Add-MpPreference ']); +let selection_2 = dynamic([' -ExclusionPath ', ' -ExclusionExtension ', ' -ExclusionProcess ', ' -ExclusionIpAddress ']); +DeviceProcessEvents +| where ActionType == "ProcessCreated" +| where ProcessCommandLine has_any (selection_1) and ProcessCommandLine has_any (selection_2) +| where InitiatingProcessFileName <> "JetBrains.Rider.AfterInstall.exe" and InitiatingProcessVersionInfoCompanyName <> "JetBrains" //Exclude JetBrains auto-exclusion +//| summarize count(), first_seen = min(TimeGenerated), last_seen = max(TimeGenerated) by TenantId, DeviceName, AccountName, InitiatingProcessFolderPath, FolderPath, ProcessCommandLine +``` + +#### Triage
+ +1. Inspect if the activities were expected and approved. It may be performed by an admin or part of service installation +1. Validate the initiating process, and location of the executables. + +#### FalsePositive
+ +1. Jetbrains excluding itself from Defender during installation process. + +#### VERSION
+ +Version 2.0 (date: 08/02/2024) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-or-Modify-Tools-Potential-PowerShell-Downgrade-Attack.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-or-Modify-Tools-Potential-PowerShell-Downgrade-Attack.md new file mode 100644 index 00000000..9391bfa0 --- /dev/null +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-or-Modify-Tools-Potential-PowerShell-Downgrade-Attack.md @@ -0,0 +1,46 @@ +### T1562.001 - Impair Defenses: Disable or Modify Tools - Potential PowerShell Downgrade Attack + +#### DESCRIPTION + +Detects command execution and arguments associated with disabling or modification of security software processes or services. PowerShell Downgrade attack is a downgrade to an older versions of PowerShell that doesn’t contain security controls such as AMSI protection + +**Example:** + +> PowerShell –Version 2 –Command \<…> + +**Related**\ +N/A + +**Reference:** +https://github.com/SigmaHQ/sigma/blob/6eaba7e37ebb17541991c99a764ccb6866696bc6/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml\ +https://www.leeholmes.com/detecting-and-preventing-powershell-downgrade-attacks/ + +#### ATT&CK TACTICS
+ +{{ mitre("T1562.001")}} + +Data Source(s): [Command](https://attack.mitre.org/datasources/DS001/) + +#### SENTINEL RULE QUERY
+ +``` +let selection_CommandLine = dynamic([' -version 2 ',' -versio 2 ',' -versi 2 ', ' -vers 2 ', ' -ver 2 ', ' -ve 2 ', ' -v 2 ']); +DeviceProcessEvents +| where ActionType == "ProcessCreated" +| where FolderPath endswith "\\powershell.exe" and ProcessCommandLine has_any (selection_CommandLine) +| where InitiatingProcessFolderPath !endswith "\\microsoft monitoring agent\\agent\\monitoringhost.exe" //Microsoft Monitoring Agent +//| summarize count(), first_seen = min(TimeGenerated), last_seen = max(TimeGenerated) by TenantId, DeviceName, AccountName, InitiatingProcessFolderPath, FolderPath, ProcessCommandLine +``` + +#### Triage
+ +1. Inspect if the activity if it is expected and approved performed by an admin or a service + +#### FalsePositive
+ +1. Microsft monitoring agent +1. This is a high fidelity threat hunt detection + +#### VERSION
+ +Version 2.0 (date: 07/02/2024) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-Removal-Of-AMSI-Provider-Registry-Keys.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Removal-Of-AMSI-Provider-Registry-Keys.md similarity index 90% rename from docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-Removal-Of-AMSI-Provider-Registry-Keys.md rename to docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Removal-Of-AMSI-Provider-Registry-Keys.md index 7ebbfc68..7680d068 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-Removal-Of-AMSI-Provider-Registry-Keys.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Removal-Of-AMSI-Provider-Registry-Keys.md @@ -9,13 +9,13 @@ Credit(s): [frack113](https://github.com/frack113) > Remove-Item -Path "HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse -!!! tip "Related" - - Ransomware - - Persistence +**Related**\ +Ransomware\ +Persistence **Reference:**\ -https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml%5C -https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md%5C +https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml\ +https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\ https://seclists.org/fulldisclosure/2020/Mar/45 #### ATT&CK TACTICS 
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-ImpairDefenses-DisableWindowsLoggingWevtutil.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-Disable-Windows-Logging-using-wevtutil.md similarity index 80% rename from docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-ImpairDefenses-DisableWindowsLoggingWevtutil.md rename to docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-Disable-Windows-Logging-using-wevtutil.md index 58f9b2f1..877603b7 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-ImpairDefenses-DisableWindowsLoggingWevtutil.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-Disable-Windows-Logging-using-wevtutil.md @@ -1,6 +1,6 @@ ### T1562.002 Impair Defenses: Disable Windows Logging using wevtutil -#### DESCRIPTION +#### DESCRIPTION
Detects Log Clear events and commandlets that can be used to disable logging using wevtutil @@ -8,21 +8,21 @@ Detects Log Clear events and commandlets that can be used to disable logging usi wevtutil cl Application // Clear all of the events from the Application\ wevtutil /e:false // Disables a log -!!! tip "Related" - Ransomware +**Related** \ +Ransomware **Reference:**\ -https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/%5C +https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\ https://github.com/Azure/Azure-Sentinel/blob/c6dce9c3aa4d4b4d02423ac4eb5a6b677a39e432/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Clearing%20of%20forensic%20evidence%20from%20event%20logs%20using%20wevtutil.yaml -#### ATT&CK TACTICS +#### ATT&CK TACTICS
{{ mitre("T1562.002")}} Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/) -#### SENTINEL RULE QUERY +#### SENTINEL RULE QUERY
``` let selection_wevtutil = dynamic(["/e:false", "cl", "clear-log"]); @@ -31,14 +31,14 @@ DeviceProcessEvents //| summarize count(), first_seen = min(TimeGenerated), last_seen = max(TimeGenerated) by TenantId, DeviceName, AccountName, InitiatingProcessFolderPath, FolderPath, ProcessCommandLine ``` -#### Triage +#### Triage
1. Inspect if the activities were expected and approved. -#### FalsePositive +#### FalsePositive
-1. Legitimate administrative activity +1. Legitimate/ agency-specific administrative activity -#### VERSION +#### VERSION
-Version 2.0 (date: 04/12/2023) +Version 2.1 (date: 09/02/2024) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-ImpairDefenses-DisableWindowsLoggingMiniNT.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-Disable-WindowsLoggingMiniNT.md similarity index 92% rename from docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-ImpairDefenses-DisableWindowsLoggingMiniNT.md rename to docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-Disable-WindowsLoggingMiniNT.md index 4ef7a55a..7ad48bbb 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-ImpairDefenses-DisableWindowsLoggingMiniNT.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-Disable-WindowsLoggingMiniNT.md @@ -8,8 +8,11 @@ Detects the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\\SYSTEM\\C > reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" +**Related**\ +N/A + **Reference:**\ -https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml%5C +https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml\ https://twitter.com/0gtweet/status/1182516740955226112 #### ATT&CK TACTICS diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-ImpairDefenses-DisableWindowsLoggingonEventID.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-DisableWindowsLoggingonEventID.md similarity index 91% rename from docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-ImpairDefenses-DisableWindowsLoggingonEventID.md rename to docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-DisableWindowsLoggingonEventID.md index 91a71487..8765d963 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-ImpairDefenses-DisableWindowsLoggingonEventID.md 
+++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-DisableWindowsLoggingonEventID.md @@ -7,12 +7,12 @@ Checks for event id 1102 and 104 which indicates the security event log was clea **example:**\ N/A -!!! tip "Related" - Log clearing +**Related**\ +Log clearing **Reference:**\ -https://www.microsoft.com/en-us/security/blog/2020/04/01/microsoft-works-with-healthcare-organizations-to-protect-from-popular-ransomware-during-covid-19-crisis-heres-what-to-do/%5C -https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/builtin/security/win_security_event_log_cleared.yml#L4%5C +https://www.microsoft.com/en-us/security/blog/2020/04/01/microsoft-works-with-healthcare-organizations-to-protect-from-popular-ransomware-during-covid-19-crisis-heres-what-to-do/\ +https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/builtin/security/win_security_event_log_cleared.yml#L4\ https://lantern.splunk.com/Splunk_Platform/UCE/Security/Threat_Hunting/Detecting_a_ransomware_attack/Windows_event_log_cleared #### ATT&CK TACTICS diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1566.001-QR-CodePhishingAttachment(Quishing).md b/docs/guidelines/TTP_Hunt/ADS_forms/T1566.001-QR-CodePhishingAttachment(Quishing).md index f5416af3..9803cb6d 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1566.001-QR-CodePhishingAttachment(Quishing).md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1566.001-QR-CodePhishingAttachment(Quishing).md @@ -6,8 +6,8 @@ Detects for email that’s delivered to inbox, potentially containing any QR cod Author: DGov WA - Threat Hunt -!!! tip "Related" - phishing - Quishing +**Related** +phishing - Quishing **Reference**: diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1574.002-Diamond-Sleet-APT-Process-Activity-Indicators.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1574.002-Diamond-Sleet-APT-Process-Activity-Indicators.md new file mode 100644 index 00000000..d8c8e860 --- /dev/null 
+++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1574.002-Diamond-Sleet-APT-Process-Activity-Indicators.md @@ -0,0 +1,45 @@ +### T1574.002 - Diamond Sleet APT Process Activity Indicators + +#### DESCRIPTION
+ +Detects process creation activity indicators related to Diamond Sleet APT + +**Example:** + +> c:\\ProgramData\\Forest64.exe uTYNkfKxHiZrx3KJ + +**Related**\ +Diamond Sleet + +**Reference:** +https://github.com/SigmaHQ/sigma/blob/7509f6ab6bc32e7bca66fc638363a92dfbf0449d/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml\ +https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ + +#### ATT&CK TACTICS
+ +{{ mitre("T1574.002")}} + +Data Source(s): +[Process](https://attack.mitre.org/datasources/DS0009/) + +#### SENTINEL RULE QUERY
+ +``` +let selection = ' uTYNkfKxHiZrx3KJ'; +DeviceProcessEvents +| where ActionType == "ProcessCreated" +| where ProcessCommandLine contains (selection) or InitiatingProcessCommandLine contains (selection) +``` + +#### Triage
+ +1. Initiate incident response process to analyse further on the suspicious activities +1. Possibly related to Diamond Sleet activities + +#### FalsePositive
+ +Highly Unlikely, this is a high fidelity threat hunt rules + +#### VERSION + +Version 1.1 (date: 13/02/2024) diff --git a/docs/guidelines/TTP_Hunt/ttp-detection-guidelines.md b/docs/guidelines/TTP_Hunt/ttp-detection-guidelines.md index f6651472..d0509fdc 100644 --- a/docs/guidelines/TTP_Hunt/ttp-detection-guidelines.md +++ b/docs/guidelines/TTP_Hunt/ttp-detection-guidelines.md @@ -20,7 +20,6 @@ This section highlights queries that can be mapped in the MITRE ATT&CK Framework | Technique ID | Title | Data Source | ADS | | ------------ | ------------------- | --------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- | -| T1190 | Web shells | [Network Traffic](https://attack.mitre.org/datasources/DS0029/) | [Webshells Suspicious URI](./ADS_forms/T1190-WebshellsSuspiciousURI.md) | | T1566 | Phishing | [Application Log](https://attack.mitre.org/datasources/DS0015/) | [QR Code Phishing Attachment (Quishing)](<./ADS_forms/T1566.001-QR-CodePhishingAttachment(Quishing).md>) | | T1189 | Drive-by Compromise | [File](https://attack.mitre.org/datasources/DS0022/) | [Drive-by Compromise - FakeUpdate](./ADS_forms/T1189-Drive-byCompromise-FakeUpdate.md) | 
@@ -33,29 +32,33 @@ This section highlights queries that can be mapped in the MITRE ATT&CK Framework ## Persistence -| Technique ID | Title | Data Source | ADS | -| ------------ | ---------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| T1505.003 | Web shells | [Process](https://attack.mitre.org/datasources/DS0009/) | [IIS Webshell File Writes](./ADS_forms/T1505.003-IISWebshellFileWrites.md) | -| T1505.003 | Suspicious Windows Strings In URI | [NA](<>) | [Suspicious Windows Strings In URI](./ADS_forms/T1505.003-SuspiciousWindowsStringsInURI.md) | -| T1505.003 | Windows Webshell Creation | [File](https://attack.mitre.org/datasources/DS0022/) | [Windows Webshell Creation](./ADS_forms/T1505.003-WindowsWebshellCreation.md) | -| T1505.003 | Suspicious Child Process Of SQL Server | [Process Creation](https://attack.mitre.org/datasources/DS0009/#Process%20Creation) | [Suspicious Child Process Of SQL Server](./ADS_forms/T1505.003-SuspiciousChildProcessOfSQLServer.md) | -| T1505.004 | Suspicious IIS Module Registration | [NA](<>) | [Suspicious IIS Module Registration](./ADS_forms/T1505.004-Suspicious-IIS-Module-Registration.md) | -| T1543.003 | Service Installations in Registry | [registry_set](https://attack.mitre.org/datasources/DS0024/) | [CobaltStrike: Service Installations in Registry](./ADS_forms/T1543.003-CobaltStrike-ServiceInstallationsInRegistry.md) | -| T1543.003 | Create or Modify System Process | [File](https://attack.mitre.org/datasources/DS0022/), [Windows Registry](https://attack.mitre.org/datasources/DS0024), 
[Process](https://attack.mitre.org/datasources/DS0009/), [Application Log](https://attack.mitre.org/datasources/DS0015/) | [Create or Modify System Process - Remote Access Tool Services Have Been Installed](./ADS_forms/T1543.003-Create-or-Modify-System-Process-Remote-Access-Tool-Services-Have-Been-Installed.md) | -| T1543.003 | Potential Persistence Attempt Via Existing Service Tampering (reg.exe) | [Process](https://attack.mitre.org/datasources/DS0009/) | [Potential Persistence Attempt Via Existing Service Tampering (reg.exe)](<./ADS_forms/T1543.003-Potential-Persistence-Attempt-Via-Existing-Service-Tampering-(reg.exe).md>) | -| T1543.003 | Potential Persistence Attempt Via Existing Service Tampering (sc.exe) | [Process](https://attack.mitre.org/datasources/DS0009/) | [Potential Persistence Attempt Via Existing Service Tampering (sc.exe)](<./ADS_forms/T1543.003-Potential-Persistence-Attempt-Via-Existing-Service-Tampering(sc.exe).md>) | -| T1053.005 | Diamond Sleet APT Scheduled Task Creation - Registry | [Windows Registry](https://attack.mitre.org/datasources/DS0024/) | [Diamond Sleet APT Scheduled Task Creation - Registry](./ADS_forms/T1053.005-Diamond-Sleet-APT-Scheduled-Task-Creation-Registry.md) | +| Technique ID | Title | Data Source | ADS | +| ------------ | ---------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| T1505.003 | Web shells | [Process](https://attack.mitre.org/datasources/DS0009/) | [IIS Webshell File Writes](./ADS_forms/T1505.003-IISWebshellFileWrites.md) | +| T1505.003 | Windows Webshell Creation | [File](https://attack.mitre.org/datasources/DS0022/) | [Windows Webshell Creation](./ADS_forms/T1505.003-WindowsWebshellCreation.md) | +| T1505.003 | Linux Webshell 
Indicators | [Process](https://attack.mitre.org/datasources/DS0009/) | [Linux Webshell Indicators](./ADS_forms/T1505.003-Linux-Webshell-Indicators.md) | +| T1505.003 | Suspicious Child Process Of SQL Server | [Process Creation](https://attack.mitre.org/datasources/DS0009/#Process%20Creation) | [Suspicious Child Process Of SQL Server](./ADS_forms/T1505.003-SuspiciousChildProcessOfSQLServer.md) | +| T1505.004 | Suspicious IIS Module Registration | [NA](<>) | [Suspicious IIS Module Registration](./ADS_forms/T1505.004-Suspicious-IIS-Module-Registration.md) | +| T1543.003 | Service Installations in Registry | [registry_set](https://attack.mitre.org/datasources/DS0024/) | [CobaltStrike: Service Installations in Registry](./ADS_forms/T1543.003-CobaltStrike-ServiceInstallationsInRegistry.md) | +| T1543.003 | Potential Persistence Attempt Via Existing Service Tampering (reg.exe) | [Process](https://attack.mitre.org/datasources/DS0009/) | [Potential Persistence Attempt Via Existing Service Tampering (reg.exe)](<./ADS_forms/T1543.003-Potential-Persistence-Attempt-Via-Existing-Service-Tampering-(reg.exe).md>) | +| T1543.003 | Potential Persistence Attempt Via Existing Service Tampering (sc.exe) | [Process](https://attack.mitre.org/datasources/DS0009/) | [Potential Persistence Attempt Via Existing Service Tampering (sc.exe)](<./ADS_forms/T1543.003-Potential-Persistence-Attempt-Via-Existing-Service-Tampering(sc.exe).md>) | +| T1053.005 | Diamond Sleet APT Scheduled Task Creation - Registry | [Windows Registry](https://attack.mitre.org/datasources/DS0024/) | [Diamond Sleet APT Scheduled Task Creation - Registry](./ADS_forms/T1053.005-Diamond-Sleet-APT-Scheduled-Task-Creation-Registry.md) | +| T1547.001 | Potential Persistence Attempt Via Run Keys | [Command](https://attack.mitre.org/datasources/DS0017/) | [Potential Persistence Attempt Via Run Keys Using Reg.EXE](./ADS_forms/T1547.001-Potential-Persistence-Attempt-Via-Run-Keys-Using-Reg.EXE.md) | +| T1547.001 | Diamond Sleet APT 
Process Activity Indicators | [Process](https://attack.mitre.org/datasources/DS0009/) | [Potential Persistence Attempt Via Run Keys Using Reg.EXE](./ADS_forms/T1574.002-Diamond-Sleet-APT-Process-Activity-Indicators.md) | ## Defense Evasion -| Technique ID | Title | Data Source | ADS | -| ------------ | ------------------------------------------------------- | --------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | -| T1562.001 | AMSI Bypass attack | [Command](https://attack.mitre.org/datasources/DS0017/) | [ImpairDefenses - AMSIBypass Attack](./ADS_forms/T1562.001-ImpairDefenses-AMSIBypass.md) | -| T1562.001 | Impair Defenses: Removal Of AMSI Provider Registry Keys | [Windows Registry](https://attack.mitre.org/datasources/DS0024) | [Impair Defenses: Removal Of AMSI Provider Registry Keys](./ADS_forms/T1562.001-ImpairDefenses-Removal-Of-AMSI-Provider-Registry-Keys.md) | -| T1562.002 | Disable Windows Logging MiniNT | [Windows Registry](https://attack.mitre.org/datasources/DS0024) | [ImpairDefenses - Disable Windows Logging Mini NT](./ADS_forms/T1562.002-ImpairDefenses-DisableWindowsLoggingMiniNT.md) | -| T1562.002 | Impair Defenses: Disable Windows Logging on EventID | [Active Directory](https://attack.mitre.org/datasources/DS0026) | [ImpairDefenses - Disable Windows Logging on EventID](./ADS_forms/T1562.002-ImpairDefenses-DisableWindowsLoggingonEventID.md) | -| T1562.002 | Impair Defenses: Disable Windows Logging using wevtutil | [Process](https://attack.mitre.org/datasources/DS0009/) | [Impair Defenses: Disable Windows Logging using wevtutil](./ADS_forms/T1562.002-ImpairDefenses-DisableWindowsLoggingWevtutil.md) | -| T1027.006 | HTML Smuggling | [NA](<>) | [HTML Smuggling](./ADS_forms/T1027.006-HTMLSmuggling.md) | +| Technique ID | Title | Data Source | ADS | +| ------------ | 
-------------------------------------------------------------------------------- | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| T1562.001 | AMSI Bypass attack | [Command](https://attack.mitre.org/datasources/DS0017/) | [Impair Defenses - AMSIBypass Attack](./ADS_forms/T1562.001-Impair-Defenses-AMSIBypass.md) | +| T1562.001 | Impair Defenses - Disable Defender Functionalities Via Registry Keys | [Windows Registry](https://attack.mitre.org/datasources/DS0024) | [Impair Defenses - Disable Defender Functionalities Via Registry Keys](./ADS_forms/T1562.001-Impair-Defenses-Disable-Defender-Functionalities-Via-Registry-Keys.md) | +| T1562.001 | Impair Defenses: Disable or Modify Tools - Defender Disabling or Exclusions | [Command](https://attack.mitre.org/datasources/DS001/) | [Impair Defenses: Disable or Modify Tools - Defender Disabling or Exclusions](./ADS_forms/T1562.001-Impair-Defenses-Disable-or-Modify-Tools-Defender-Disabling-or-Exclusions.md) | +| T1562.001 | Impair Defenses: Disable or Modify Tools - Potential PowerShell Downgrade Attack | [Command](https://attack.mitre.org/datasources/DS001/) | [Impair Defenses: Disable or Modify Tools - Potential PowerShell Downgrade Attack](./ADS_forms/T1562.001-Impair-Defenses-Disable-or-Modify-Tools-Potential-PowerShell-Downgrade-Attack.md) | +| T1562.001 | Impair Defenses: Removal Of AMSI Provider Registry Keys | [Windows Registry](https://attack.mitre.org/datasources/DS0024) | [Impair Defenses: Removal Of AMSI Provider Registry Keys](./ADS_forms/T1562.001-Impair-Defenses-Removal-Of-AMSI-Provider-Registry-Keys.md) | +| T1562.002 | Disable Windows Logging MiniNT | [Windows Registry](https://attack.mitre.org/datasources/DS0024) | [ImpairDefenses - Disable Windows Logging Mini 
NT](./ADS_forms/T1562.002-Impair-Defenses-Disable-WindowsLoggingMiniNT.md) | +| T1562.002 | Impair Defenses: Disable Windows Logging on EventID | [Active Directory](https://attack.mitre.org/datasources/DS0026) | [ImpairDefenses - Disable Windows Logging on EventID](./ADS_forms/T1562.002-Impair-Defenses-DisableWindowsLoggingonEventID.md) | +| T1562.002 | Impair Defenses: Disable Windows Logging using wevtutil | [Process](https://attack.mitre.org/datasources/DS0009/) | [Impair Defenses: Disable Windows Logging using wevtutil](./ADS_forms/T1562.002-Impair-Defenses-Disable-Windows-Logging-using-wevtutil.md) | +| T1027.006 | HTML Smuggling | [NA](<>) | [HTML Smuggling](./ADS_forms/T1027.006-HTMLSmuggling.md) | 
@@ -66,26 +69,19 @@ This section highlights queries that can be mapped in the MITRE ATT&CK Framework | T1003.001 | OS Credential Dumping | [Command](https://attack.mitre.org/datasources/DS0017/) | [OS Credential Dumping: LSASS Memory](./ADS_forms/T1003.001-OSCredentialDumping-LSASSMemory.md) | | T1003.003 | OS Credential Dumping | [Process](https://attack.mitre.org/datasources/DS0009/), [Command](https://attack.mitre.org/datasources/DS0017/) | [OS Credential Dumping: Exfiltrate ntds.dit](./ADS_forms/T1003.003-OSCredentialDumping-Exfiltratentds.dit.md) | | T1003.003 | OS Credential Dumping | [Command](https://attack.mitre.org/datasources/DS0017/) | [OS Credential Dumping: NTDS using tools](./ADS_forms/T1003.003-OSCredentialDumping-NTDSusingTools.md) | -| T1003.006 | OS Credential Dumping | [Command](https://attack.mitre.org/datasources/DS0017/) | [OS Credential Dumping: DCSync](./ADS_forms/T1003.006-OSCredentialDumping-DCSyncAD.md) | | T1552.002 | Unsecured Credentials | [Command](https://attack.mitre.org/datasources/DS001/), [Windows Registry](https://attack.mitre.org/datasources/DS0024) | [REGISTRY Password Dumping](./ADS_forms/T1552.002-REGISTRYPasswordDumping.md) | | T1555 | Credentials from Password Stores | [Command](https://attack.mitre.org/datasources/DS001/) | [Credentials from Password Stores](./ADS_forms/T1555-CredentialsPasswordStores.md) | | T1557 | AiTM - Phishing logging | [Security Events](https://attack.mitre.org/datasources/DS0026/) | [AiTM - Phishing logging](./ADS_forms/T1557-AiTM-PhishingLogging.md) | ## Discovery -| Technique ID | Title | Data Source | ADS | -| ------------ | -------------------------------------- | ------------------------------------------------------- | --------------------------------------------------------------------------------------- | -| T1016 | System Network Configuration Discovery | [Command](https://attack.mitre.org/datasources/DS0017/) | [EnumerateNetworkTopology](./ADS_forms/T1016-EnumerateNetworkTopology.md) | 
-| T1033 | System Owner/User Discovery | [Command](https://attack.mitre.org/datasources/DS0017/) | [Identify successful logons to the host](./ADS_forms/T1033-IdentifySuccessfulLogons.md) | -| T1082 | System Information Discovery | [NA](<>) | [System Information Discovery](./ADS_forms/T1082-SystemInformationDiscovery.md) | - -## Lateral Movement - -| Technique ID | Title | Data Source | ADS | -| ------------ | ---------------------------------- | -------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | -| T1021 | Lateral Movement - Remote Services | [Network Traffic](https://attack.mitre.org/datasources/DS0029) | [Lateral Movement - Remote Services](./ADS_forms/T1021-LateralMovement-RemoteServices.md) | - - +| Technique ID | Title | Data Source | ADS | +| ------------ | -------------------------------------- | -------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | +| T1016 | System Network Configuration Discovery | [Command](https://attack.mitre.org/datasources/DS0017/) | [EnumerateNetworkTopology](./ADS_forms/T1016-EnumerateNetworkTopology.md) | +| T1016 | Info stealer | [Module](https://attack.mitre.org/datasources/DS0011/) | [Info stealer Grixba](./ADS_forms/T1016-Info-stealer-tool-Grixba.md) | +| T1016.001 | Potential Pikabot C2 Activity | [Process](https://attack.mitre.org/datasources/DS0009/#Process%20Creation) | [Suspicious Process Created By Rundll32.EXE](./ADS_forms/T1016.001-Potential-Pikabot-C2-Activity-Suspicious-Process-Created-By-Rundll32.EXE.md) | +| T1033 | System Owner/User Discovery | [Command](https://attack.mitre.org/datasources/DS0017/) | [Identify successful logons to the host](./ADS_forms/T1033-IdentifySuccessfulLogons.md) | +| T1082 | System Information Discovery | [NA](<>) | 
[System Information Discovery](./ADS_forms/T1082-SystemInformationDiscovery.md) | ## Command and Control 
@@ -95,12 +91,14 @@ This section highlights queries that can be mapped in the MITRE ATT&CK Framework ## Malware / Tools -| Technique ID | Title | Data Source | ADS | -| ------------ | --------------------- | -------------------------------------------------------------- | -------------------------------------------------------------------------------------------- | -| S0357 | Impacket | [Command](https://attack.mitre.org/datasources/DS0017/) | [Impacket - DirCommand](./ADS_forms/S0357-Impacket-DirCommand.md) | -| S0357 | Impacket | [Command](https://attack.mitre.org/datasources/DS0017/) | [Impacket - SecretDumpSMB2](./ADS_forms/S0357-Impacket-SecretdumpSMB2.md) | -| S0154 | Cobalt Strike | [Network Traffic](https://attack.mitre.org/datasources/DS0029) | [CobaltStrike - DNS](./ADS_forms/S0154-CobaltStrike-DNS.md) | -| S0154 | Cobalt Strike | [Named Pipe](https://attack.mitre.org/datasources/DS0023) | [CobaltStrike - NamedPipe](./ADS_forms/S0154-CobaltStrike-NamedPipe.md) | -| S0650 | QakBot | [Command](https://attack.mitre.org/datasources/DS0017/) | [Qakbot - Process Execution](./ADS_forms/S0650-Qakbot-ProcessExecution.md) | -| S0650 | QakBot | [Command](https://attack.mitre.org/datasources/DS0017/) | [Qakbot - Defender Exclusions](./ADS_forms/S0650-Qakbot-DefenderExclusions.md) | -| S0521 | Bloodhound/Sharphound | [Command](https://attack.mitre.org/datasources/DS0017/) | [Bloodhound/Sharphound - Execution Commandlets](./ADS_forms/S0521-BloodHound-Commandlets.md) | +| Technique ID | Title | Data Source | ADS | +| ------------ | --------------------- | ------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------- | +| S0357 | Impacket | [Command](https://attack.mitre.org/datasources/DS0017/) | [Impacket - DirCommand](./ADS_forms/S0357-Impacket-DirCommand.md) | +| S0357 | Impacket | 
[Command](https://attack.mitre.org/datasources/DS0017/) | [Impacket - SecretDumpSMB2](./ADS_forms/S0357-Impacket-SecretdumpSMB2.md) | +| S0154 | Cobalt Strike | [Network Traffic](https://attack.mitre.org/datasources/DS0029) | [CobaltStrike - DNS](./ADS_forms/S0154-CobaltStrike-DNS.md) | +| S0154 | Cobalt Strike | [Named Pipe](https://attack.mitre.org/datasources/DS0023) | [CobaltStrike - NamedPipe](./ADS_forms/S0154-CobaltStrike-NamedPipe.md) | +| S0650 | QakBot | [Command](https://attack.mitre.org/datasources/DS0017/) | [Qakbot - Process Execution](./ADS_forms/S0650-Qakbot-ProcessExecution.md) | +| S0650 | QakBot | [Command](https://attack.mitre.org/datasources/DS0017/) | [Qakbot - Defender Exclusions](./ADS_forms/S0650-Qakbot-DefenderExclusions.md) | +| S0650 | Qakbot | [Command](https://attack.mitre.org/datasources/DS0017/) , [Process](https://attack.mitre.org/datasources/DS0009/) | [Qakbot: Post compromise commands](./ADS_forms/S0650-Qakbot-Post-compromise-commands.md) | +| S0521 | Bloodhound/Sharphound | [Command](https://attack.mitre.org/datasources/DS0017/) | [Bloodhound/Sharphound - Execution Commandlets](./ADS_forms/S0521-BloodHound-Commandlets.md) | +| S0522 | ADFind | [Command](https://attack.mitre.org/datasources/DS0017/) | [ADFind Execution](./ADS_forms/S0552-ADFind-Execution.md) |
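Review bot: In the tail of the first file's hunk, the false-positive line "+Highly Unlikely, this is a high fidelity threat hunt rules" has a number-agreement error and asserts fidelity without saying why; suggest "Highly unlikely: this is a high-fidelity threat hunt rule" plus one clause naming what makes it high fidelity (the specific indicator or combination the query keys on), so an analyst tuning it later knows which condition must hold.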
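Review bot: The `@@ -20,7 +20,6 @@` hunk deletes the `T1190 | Web shells | ... | [Webshells Suspicious URI](./ADS_forms/T1190-WebshellsSuspiciousURI.md)` row from the index with no replacement, but this patch shows no change to the ADS file itself; if `T1190-WebshellsSuspiciousURI.md` still exists it becomes an orphaned detection that nothing links to, and if it was removed the deletion should be in the same commit. Either way the commit message should state whether the rule is retired or folded into another entry.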
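Review bot: In the `@@ -33,29 +32,33 @@` hunk the last Persistence row is internally inconsistent: its Technique ID is `T1547.001`, its link text repeats the previous row's `Potential Persistence Attempt Via Run Keys Using Reg.EXE`, and its path is `./ADS_forms/T1574.002-Diamond-Sleet-APT-Process-Activity-Indicators.md`; the link text should be "Diamond Sleet APT Process Activity Indicators" and the ID column and filename should agree on one technique. In the Defense Evasion rows of the same hunk, the two new `[Command](https://attack.mitre.org/datasources/DS001/)` links are malformed (the Command data source is `DS0017`, as used in the other Command rows), and the `ImpairDefenses - Disable Windows Logging Mini NT` / `ImpairDefenses - Disable Windows Logging on EventID` link texts were left in the old style while their paths were renamed to `Impair-Defenses-...`; please also confirm every renamed `./ADS_forms/T1562.00x-Impair-Defenses-*.md` path matches a file actually present in that directory, since this patch does not show the renames.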
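Review bot: In the `@@ -66,26 +69,19 @@` hunk the new Discovery row `| T1016.001 | Potential Pikabot C2 Activity | ... | [Suspicious Process Created By Rundll32.EXE](...)` is mis-mapped: T1016.001 is System Network Configuration Discovery: Internet Connection Discovery, whereas a detection for a suspicious child process of rundll32.exe corresponds to System Binary Proxy Execution: Rundll32 (T1218.011) and belongs under a Defense Evasion / Execution table rather than Discovery. The same hunk also removes the `T1003.006 | ... | [OS Credential Dumping: DCSync]` row and deletes the whole `## Lateral Movement` section with its only entry (`T1021 | Lateral Movement - Remote Services`); if those ADS files remain in `ADS_forms/` they are now unreachable from the index, so either keep the rows or remove the files and say so in the commit message.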
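Review bot: In the `@@ -95,12 +91,14 @@` hunk the new row `| S0522 | ADFind | ... | [ADFind Execution](./ADS_forms/S0552-ADFind-Execution.md) |` disagrees with itself on the software ID; MITRE's AdFind entry is S0552, so the ID column should read `S0552` to match the filename. Minor style in the same hunk: the new `S0650 | Qakbot` row uses a different casing from the two existing `QakBot` rows above it, and its data-source cell has a stray space before the comma (`.../DS0017/) , [Process]`).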