From 542f2294578b093866f93d6753a40fc23be9eb4a Mon Sep 17 00:00:00 2001 From: bpatel Date: Wed, 12 May 2021 12:37:33 -0700 Subject: [PATCH 01/38] story_file --- stories/ransomware_darkside.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 stories/ransomware_darkside.yml diff --git a/stories/ransomware_darkside.yml b/stories/ransomware_darkside.yml new file mode 100644 index 0000000000..328a9fb57a --- /dev/null +++ b/stories/ransomware_darkside.yml @@ -0,0 +1,21 @@ +name: DarkSide Ransomware +id: 507edc74-13d5-4339-878e-b9114ded1f35 +version: 1 +date: '2020-06-12' +author: Bhavin Patel, Splunk +type: batch +description: Leverage searches that allow you to detect and investigate unusual activities + that might relate to the DarkSide Ransomware +narrative: +references: +- https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.htmlbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ +- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html +tags: + analytic_story: DarkSide Ransomware + category: + - Malware + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection From 4a840d41840fec2f026f351e8f183efe612708db Mon Sep 17 00:00:00 2001 From: bpatel Date: Wed, 12 May 2021 12:58:00 -0700 Subject: [PATCH 02/38] ericks detections from xmrig --- .../delete_shadowcopy_with_powershell.yml | 39 +++++++++++++++++++ .../ransomware_notes_bulk_creation.yml | 13 ++++--- macros/powershell.yml | 4 ++ 3 files changed, 50 insertions(+), 6 deletions(-) create mode 100644 detections/endpoint/delete_shadowcopy_with_powershell.yml create mode 100644 macros/powershell.yml diff --git a/detections/endpoint/delete_shadowcopy_with_powershell.yml b/detections/endpoint/delete_shadowcopy_with_powershell.yml new file mode 100644 index 0000000000..25cb159580 --- /dev/null 
+++ b/detections/endpoint/delete_shadowcopy_with_powershell.yml @@ -0,0 +1,39 @@ +name: Delete ShadowCopy With PowerShell +id: 5ee2bcd0-b2ff-11eb-bb34-acde48001122 +version: 1 +date: '2021-05-12' +author: Teoderick Contreras, Splunk +type: batch +datamodel: +- Endpoint +description: this search is to detect powershell command to delete shadow copy using wmic powershell module. + This technique was seen in darkside ransomware where it will execute a child process powershell to execute an hex encoded + command to delete shadow copy. This hex encoded command was able to decrypt by powershell log. +search: '`powershell` EventCode=4104 Message= "*ShadowCopy*" Message = "*Delete*" + stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `delete_shadowcopy_with_powershell_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. +known_false_positives: unknown +references: +- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html +tags: + analytic_story: + - Ransomware + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1490 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - Message + - ComputerName + - User + security_domain: endpoint \ No newline at end of file diff --git a/detections/endpoint/ransomware_notes_bulk_creation.yml b/detections/endpoint/ransomware_notes_bulk_creation.yml index bbe1e912ab..9260b44103 100644 --- a/detections/endpoint/ransomware_notes_bulk_creation.yml +++ b/detections/endpoint/ransomware_notes_bulk_creation.yml 
@@ -10,11 +10,11 @@ description: The following analytics identifies a big number of instance of rans notes (filetype e.g .txt, .html, .hta) file creation to the infected machine. This behavior is a good sensor if the ransomware note filename is quite new for security industry or the ransomware note filename is not in your lookup table list for monitoring. -search: '`sysmon` EventCode=11 file_name IN ("*\.txt","*\.html","*\.hta") | stats - min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) as unique_readme_path_count - values(TargetFilename) as list_of_readme_path by Computer Image file_name | where - unique_readme_path_count >= 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `ransomware_notes_bulk_creation_filter`' +search: '`sysmon` EventCode=11 file_name IN ("*\.txt","*\.html","*\.hta") |bin _time + span=10s | stats min(_time) as firstTime max(_time) as lastTime dc(TargetFilename) + as unique_readme_path_count values(TargetFilename) as list_of_readme_path by Computer + Image file_name | where unique_readme_path_count >= 15 | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `ransomware_notes_bulk_creation_filter`' how_to_implement: You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which @@ -26,6 +26,7 @@ references: tags: analytic_story: - Clop Ransomware + - DarkSide Ransomware automated_detection_testing: passed dataset: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/clop/clop_a/windows-sysmon.log @@ -45,4 +46,4 @@ tags: - Computer - Image - user - security_domain: endpoint + security_domain: endpoint \ No newline at end of file diff --git a/macros/powershell.yml b/macros/powershell.yml new file mode 100644 index 0000000000..69edb779a1 --- /dev/null +++ b/macros/powershell.yml 
@@ -0,0 +1,4 @@ +definition: sourcetype=wineventlog OR source=WinEventLog:Microsoft-Windows-PowerShell/Operational +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environmnent. +name: powershell From 09e6d43e5251dc1f029a6497f9f1d940db7a6f41 Mon Sep 17 00:00:00 2001 From: mhaag-spl <5632822+MHaggis@users.noreply.github.com> Date: Wed, 12 May 2021 14:22:01 -0600 Subject: [PATCH 03/38] Added Cobalt Named pIpe --- detections/endpoint/cobalt_strike_named_pipes.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/detections/endpoint/cobalt_strike_named_pipes.yml b/detections/endpoint/cobalt_strike_named_pipes.yml index e8b8cd15e7..4ebce333a1 100644 --- a/detections/endpoint/cobalt_strike_named_pipes.yml +++ b/detections/endpoint/cobalt_strike_named_pipes.yml @@ -19,7 +19,7 @@ description: 'The following analytic identifies the use of default or publicly k connection, review and follow the connection back to identify any file modifications.' search: '`sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\wkssvc*, \\DserNamePipe*, \\srvsvc_*, \\mojo.*, \\postex_*, \\status_*, \\MSSE-*, \\spoolss_*, \\win_svc*, - \\ntsvcs*, \\winsock*) | stats count min(_time) as firstTime max(_time) as lastTime + \\ntsvcs*, \\winsock*, \\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, process_name, process_id process_path, PipeName | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter`' 
@@ -36,10 +36,12 @@ references: - https://www.cobaltstrike.com/help-smb-beacon - https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/ - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 +- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html tags: analytic_story: - Cobalt Strike - Trickbot + - DarkSide Ransomware asset_type: Endpoint automated_detection_testing: passed cis20: From f4f519f6aa172ae621b748b17ed926ccf3904b63 Mon Sep 17 00:00:00 2001 From: mhaag-spl <5632822+MHaggis@users.noreply.github.com> Date: Wed, 12 May 2021 14:45:55 -0600 Subject: [PATCH 04/38] Extract SAM from registry --- .../endpoint/extract_sam_from_registry.yml | 45 +++++++++++++++++++ .../extract_sam_from_registry.test.yml | 12 +++++ 2 files changed, 57 insertions(+) create mode 100644 detections/endpoint/extract_sam_from_registry.yml create mode 100644 tests/endpoint/extract_sam_from_registry.test.yml diff --git a/detections/endpoint/extract_sam_from_registry.yml b/detections/endpoint/extract_sam_from_registry.yml new file mode 100644 index 0000000000..346236de63 --- /dev/null +++ b/detections/endpoint/extract_sam_from_registry.yml 
@@ -0,0 +1,45 @@ +name: Extract SAM from Registry +id: 8bbb7d58-b360-11eb-ba21-acde48001122 +version: 1 +date: '2021-05-12' +author: Michael Haag, Splunk +type: batch +datamodel: +- Endpoint +description: The following analytic identifies the use of `reg.exe` exporting Windows Registry hives containing credentials. + Adversaries may use this technique to export registry hives for offline credential access attacks. Typically found executed from a untrusted process or script. Upon execution, a file will be written to disk. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg.exe (Processes.process=*save* OR Processes.process=*export*) AND (Processes.process=*sam* OR Processes.process=*system* OR Processes.process=*security*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `extract_sam_from_registry_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. +known_false_positives: It is possible some agent based products will generate false positives. Filter as needed. 
+references: + - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html +tags: + analytic_story: + - DarkSide Ransomware + - Credential Dumping + dataset: [] + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1003.002 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_id + security_domain: endpoint \ No newline at end of file diff --git a/tests/endpoint/extract_sam_from_registry.test.yml b/tests/endpoint/extract_sam_from_registry.test.yml new file mode 100644 index 0000000000..3115761dc0 --- /dev/null +++ b/tests/endpoint/extract_sam_from_registry.test.yml @@ -0,0 +1,12 @@ +name: Extract SAM from Registry Unit Test +tests: +- name: Extract SAM from Registry + file: endpoint/extract_sam_from_registry.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-sysmon.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog From 1992d8fe8b221f5522a7c8c85513259cd647e957 Mon Sep 17 00:00:00 2001 From: mhaag-spl <5632822+MHaggis@users.noreply.github.com> Date: Wed, 12 May 2021 14:49:44 -0600 Subject: [PATCH 05/38] Update extract_sam_from_registry.yml --- detections/endpoint/extract_sam_from_registry.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detections/endpoint/extract_sam_from_registry.yml b/detections/endpoint/extract_sam_from_registry.yml index 346236de63..4da9554ad1 100644 --- a/detections/endpoint/extract_sam_from_registry.yml +++ b/detections/endpoint/extract_sam_from_registry.yml 
@@ -20,6 +20,7 @@ how_to_implement: To successfully implement this search you need to be ingesting known_false_positives: It is possible some agent based products will generate false positives. Filter as needed. references: - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md tags: analytic_story: - DarkSide Ransomware From 03444a29e9537fa7fffdcc5274941ffc87513059 Mon Sep 17 00:00:00 2001 From: bpatel Date: Wed, 12 May 2021 13:50:03 -0700 Subject: [PATCH 06/38] test file --- stories/ransomware_darkside.yml | 2 +- .../delete_shadowcopy_with_powershell.test.yml | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 tests/endpoint/delete_shadowcopy_with_powershell.test.yml diff --git a/stories/ransomware_darkside.yml b/stories/ransomware_darkside.yml index 328a9fb57a..745cebc6d3 100644 --- a/stories/ransomware_darkside.yml +++ b/stories/ransomware_darkside.yml @@ -6,7 +6,7 @@ author: Bhavin Patel, Splunk type: batch description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware -narrative: +narrative: '' references: - https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.htmlbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html diff --git a/tests/endpoint/delete_shadowcopy_with_powershell.test.yml b/tests/endpoint/delete_shadowcopy_with_powershell.test.yml new file mode 100644 index 0000000000..b53c03377c --- /dev/null +++ b/tests/endpoint/delete_shadowcopy_with_powershell.test.yml 
@@ -0,0 +1,12 @@ +name: Delete ShadowCopy With PowerShell Unit Test +tests: +- name: Delete ShadowCopy With PowerShell + file: endpoint/delete_shadowcopy_with_powershell.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-powershell.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/shadowcopy_del/windows-powershell.log + source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational + sourcetype: wineventlog \ No newline at end of file From 545951b315f6f3207eff07fe8e98608cba47e9a4 Mon Sep 17 00:00:00 2001 From: bpatel Date: Wed, 12 May 2021 14:06:53 -0700 Subject: [PATCH 07/38] narrative --- stories/ransomware_darkside.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stories/ransomware_darkside.yml b/stories/ransomware_darkside.yml index 745cebc6d3..fa49d4adf1 100644 --- a/stories/ransomware_darkside.yml +++ b/stories/ransomware_darkside.yml 
@@ -6,7 +6,7 @@ author: Bhavin Patel, Splunk type: batch description: Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware -narrative: '' +narrative: 'This story addresses Darkside ransomware. This ransomware payload has many similarities to common ransomware however there are certain items particular to it. The creation of a .TXT log that shows every item being encrypted as well as the creation of ransomware notes and files adding a machine ID created based on CRC32 checksum algorithm. This ransomware payload leaves machines in minimal operation level,enough to browse the attackers websites. A customized URI with leaked information is presented to each victim.This is the ransomware payload that shut down the Colonial pipeline. The story is composed of several detection searches covering similar items to other ransomware payloads and those particular to Darkside payload.' references: - https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.htmlbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html From 1b5bf2a065790bec699d42e41903c8c4a236dccd Mon Sep 17 00:00:00 2001 From: bpatel Date: Wed, 12 May 2021 14:52:06 -0700 Subject: [PATCH 08/38] story namne --- detections/endpoint/delete_shadowcopy_with_powershell.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/detections/endpoint/delete_shadowcopy_with_powershell.yml b/detections/endpoint/delete_shadowcopy_with_powershell.yml index 25cb159580..a8dbaf0f10 100644 --- a/detections/endpoint/delete_shadowcopy_with_powershell.yml +++ b/detections/endpoint/delete_shadowcopy_with_powershell.yml 
@@ -6,10 +6,10 @@ author: Teoderick Contreras, Splunk type: batch datamodel: - Endpoint -description: this search is to detect powershell command to delete shadow copy using wmic powershell module. +description: This search is to detect powershell command to delete shadow copy using wmic powershell module. This technique was seen in darkside ransomware where it will execute a child process powershell to execute an hex encoded command to delete shadow copy. This hex encoded command was able to decrypt by powershell log. -search: '`powershell` EventCode=4104 Message= "*ShadowCopy*" Message = "*Delete*" +search: '`powershell` EventCode=4104 Message= "*ShadowCopy*" Message = "*Delete*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` @@ -21,7 +21,7 @@ references: - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html tags: analytic_story: - - Ransomware + - DarkSide Ransomware kill_chain_phases: - Exploitation mitre_attack_id: From 4f9b8a2b1b0742251de8bd36e3610eb68faaeb02 Mon Sep 17 00:00:00 2001 From: bpatel Date: Wed, 12 May 2021 14:53:27 -0700 Subject: [PATCH 09/38] test time --- tests/endpoint/delete_shadowcopy_with_powershell.test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/endpoint/delete_shadowcopy_with_powershell.test.yml b/tests/endpoint/delete_shadowcopy_with_powershell.test.yml index b53c03377c..0d7d2a2e00 100644 --- a/tests/endpoint/delete_shadowcopy_with_powershell.test.yml +++ b/tests/endpoint/delete_shadowcopy_with_powershell.test.yml @@ -3,7 +3,7 @@ tests: - name: Delete ShadowCopy With PowerShell file: endpoint/delete_shadowcopy_with_powershell.yml pass_condition: '| stats count | where count > 0' - earliest_time: '-24h' + earliest_time: '-7d' latest_time: 'now' attack_data: - file_name: windows-powershell.log 
From 5ff8c6372cc5280f2e7dfc9c0056209a436c6566 Mon Sep 17 00:00:00 2001 From: mhaag-spl <5632822+MHaggis@users.noreply.github.com> Date: Thu, 13 May 2021 06:52:59 -0600 Subject: [PATCH 10/38] SLUI --- detections/endpoint/slui_runas_elevated.yml | 49 ++++++++++++++++++ .../endpoint/slui_spawning_a_process.yml | 50 +++++++++++++++++++ tests/endpoint/slui_runas_elevated.test.yml | 12 +++++ .../endpoint/slui_spawning_a_process.test.yml | 12 +++++ 4 files changed, 123 insertions(+) create mode 100644 detections/endpoint/slui_runas_elevated.yml create mode 100644 detections/endpoint/slui_spawning_a_process.yml create mode 100644 tests/endpoint/slui_runas_elevated.test.yml create mode 100644 tests/endpoint/slui_spawning_a_process.test.yml diff --git a/detections/endpoint/slui_runas_elevated.yml b/detections/endpoint/slui_runas_elevated.yml new file mode 100644 index 0000000000..ddd95d9bac --- /dev/null +++ b/detections/endpoint/slui_runas_elevated.yml 
@@ -0,0 +1,49 @@ +name: SLUI RunAs Elevated +id: 8d124810-b3e4-11eb-96c7-acde48001122 +version: 1 +date: '2021-05-13' +author: Michael Haag, Splunk +type: batch +datamodel: +- Endpoint +description: The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This particular bypass utilizes a registry key/value. Identified by two sources, the registry keys are `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`. To simulate this behavior, multiple POC are available. + The analytic identifies the use of `runas` by `slui.exe`. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=slui.exe + (Processes.process=*-verb* Processes.process=*runas*) by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `slui_runas_elevated_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. +known_false_positives: Limited false positives should be present as this is not commonly used by legitimate applications. 
+references: + - https://www.exploit-db.com/exploits/46998 + - https://medium.com/@mattharr0ey/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b + - https://gist.github.com/r00t-3xp10it/0c92cd554d3156fd74f6c25660ccc466 + - https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/ + - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html +tags: + analytic_story: + - DarkSide Ransomware + - Windows Defense Evasion Tactics + dataset: [] + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1548.002 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_id + security_domain: endpoint \ No newline at end of file diff --git a/detections/endpoint/slui_spawning_a_process.yml b/detections/endpoint/slui_spawning_a_process.yml new file mode 100644 index 0000000000..9530061d61 --- /dev/null +++ b/detections/endpoint/slui_spawning_a_process.yml 
@@ -0,0 +1,50 @@ +name: SLUI Spawning a Process +id: 879c4330-b3e0-11eb-b1b1-acde48001122 +version: 1 +date: '2021-05-13' +author: Michael Haag, Splunk +type: batch +datamodel: +- Endpoint +description: The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, spawning a child process. This behavior is associated with publicly known UAC bypass. + `slui.exe` is commonly associated with software updates and is most often spawned by `svchost.exe`. + The `slui.exe` process should not have child processes, and any processes spawning from it will be running with elevated privileges. + During triage, review the child process and additional parallel processes. Identify any file modifications that may have lead to the bypass. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe + (Processes.process_name!=*slui* OR Processes.process_name=!firefox.exe OR Processes.process_name!=chrome.exe OR Processes.process_name!=iexplore.exe OR Processes.process_name!=msedge.exe) by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `slui_spawning_a_process_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. +known_false_positives: Certain applications may spawn from `slui.exe` that are legitimate. Filtering will be needed to ensure proper monitoring. 
+references: + - https://www.exploit-db.com/exploits/46998 + - https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/ + - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html +tags: + analytic_story: + - DarkSide Ransomware + - Windows Defense Evasion Tactics + dataset: [] + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1548.002 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_id + security_domain: endpoint \ No newline at end of file diff --git a/tests/endpoint/slui_runas_elevated.test.yml b/tests/endpoint/slui_runas_elevated.test.yml new file mode 100644 index 0000000000..254825e506 --- /dev/null +++ b/tests/endpoint/slui_runas_elevated.test.yml @@ -0,0 +1,12 @@ +name: SLUI RunAs Elevated Unit Test +tests: +- name: SLUI RunAs Elevated + file: endpoint/slui_runas_elevated.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-sysmon.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog \ No newline at end of file diff --git a/tests/endpoint/slui_spawning_a_process.test.yml b/tests/endpoint/slui_spawning_a_process.test.yml new file mode 100644 index 0000000000..0d01ed56c4 --- /dev/null +++ b/tests/endpoint/slui_spawning_a_process.test.yml 
@@ -0,0 +1,12 @@ +name: SLUI Spawning a Process Unit Test +tests: +- name: SLUI Spawning a Process + file: endpoint/slui_spawning_a_process.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-sysmon.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog \ No newline at end of file From c24f154dcee1ddf602674551349cf9719facbbf0 Mon Sep 17 00:00:00 2001 From: tcontreras Date: Thu, 13 May 2021 18:58:14 +0200 Subject: [PATCH 11/38] com_obj --- .../endpoint/cmlua_or_cmstplua_uac_bypass.yml | 43 +++++++++++++++++++ .../cmlua_or_cmstplua_uac_bypass.test.yml | 12 ++++++ 2 files changed, 55 insertions(+) create mode 100644 detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml create mode 100644 tests/endpoint/cmlua_or_cmstplua_uac_bypass.test.yml diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml new file mode 100644 index 0000000000..ca7aad1281 --- /dev/null +++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml 
@@ -0,0 +1,43 @@ +name: CMLUA Or CMSTPLUA UAC Bypass +id: f87b5062-b405-11eb-a889-acde48001122 +version: 1 +date: '2021-05-13' +author: Teoderick Contreras, Splunk +type: batch +datamodel: +- Endpoint +description: This search is to detect a potential process using COM Object like CMLUA or CMSTPLUA + to bypassed UAC. This technique used by ransomware to gain administrative privileges to its running process. +search: '`sysmon` EventCode=7 process_name ="darkside.exe" ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) +| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| `cmlua_or_cmstplua_uac_bypass_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name and imageloaded executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: normal windows application that are not on the list loading this dll. +references: +- https://attack.mitre.org/techniques/T1218/003/ +tags: + analytic_story: + - darkside + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1218.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Image + - ImageLoaded + - process_name + - Computer + - EventCode + - Signed + - ProcessId + security_domain: endpoint \ No newline at end of file diff --git a/tests/endpoint/cmlua_or_cmstplua_uac_bypass.test.yml b/tests/endpoint/cmlua_or_cmstplua_uac_bypass.test.yml new file mode 100644 index 0000000000..770b92cacb --- /dev/null +++ b/tests/endpoint/cmlua_or_cmstplua_uac_bypass.test.yml 
@@ -0,0 +1,12 @@ +name: CMLUA Or CMSTPLUA UAC Bypass Unit Test +tests: +- name: CMLUA Or CMSTPLUA UAC Bypass + file: endpoint/cmlua_or_cmstplua_uac_bypass.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-sysmon.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/darkside_cmstp_com/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog \ No newline at end of file From 71b3e135dff7b8118b567b9b3011409b023b2d91 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 13 May 2021 17:21:20 +0000 Subject: [PATCH 12/38] Added detection testing service results inCMLUA Or CMSTPLUA UAC Bypass --- .../endpoint/cmlua_or_cmstplua_uac_bypass.yml | 30 +++++++++++-------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml index ca7aad1281..cc3ad9e6b5 100644 --- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml +++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml 
@@ -6,18 +6,19 @@ author: Teoderick Contreras, Splunk type: batch datamodel: - Endpoint -description: This search is to detect a potential process using COM Object like CMLUA or CMSTPLUA - to bypassed UAC. This technique used by ransomware to gain administrative privileges to its running process. -search: '`sysmon` EventCode=7 process_name ="darkside.exe" ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) -| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `cmlua_or_cmstplua_uac_bypass_filter`' +description: This search is to detect a potential process using COM Object like CMLUA + or CMSTPLUA to bypassed UAC. This technique used by ransomware to gain administrative + privileges to its running process. +search: '`sysmon` EventCode=7 process_name ="darkside.exe" ImageLoaded IN ("*\\CMLUA.dll", + "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) + | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded + process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`' how_to_implement: To successfully implement this search, you need to be ingesting - logs with the process name and imageloaded executions from your - endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: normal windows application that are not on the list loading this dll. + logs with the process name and imageloaded executions from your endpoints. If you + are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: normal windows application that are not on the list loading + this dll. 
references: - https://attack.mitre.org/techniques/T1218/003/ tags: @@ -39,5 +40,8 @@ tags: - Computer - EventCode - Signed - - ProcessId - security_domain: endpoint \ No newline at end of file + - ProcessId + security_domain: endpoint + automated_detection_testing: passed + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548/darkside_cmstp_com/windows-sysmon.log From b600c1283bb76097d2766fd21edf95ce7ba53c8e Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Thu, 13 May 2021 11:49:30 -0600 Subject: [PATCH 13/38] Update cmlua_or_cmstplua_uac_bypass.yml --- detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml index cc3ad9e6b5..a781e80161 100644 --- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml +++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml @@ -9,7 +9,7 @@ datamodel: description: This search is to detect a potential process using COM Object like CMLUA or CMSTPLUA to bypassed UAC. This technique used by ransomware to gain administrative privileges to its running process. -search: '`sysmon` EventCode=7 process_name ="darkside.exe" ImageLoaded IN ("*\\CMLUA.dll", +search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` From fdb96e514a8650b7e591a5fcace4ef1580b10976 Mon Sep 17 00:00:00 2001 
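Review bot: the `search` carried through the PATCH 12 reflow still hardcodes `process_name ="darkside.exe"`, so the analytic fires on exactly one filename and the behaviour the description claims to cover (a process outside CMSTP.exe/CMMGR32.exe loading CMLUA.dll, CMSTPLUA.dll or CMLUAUTIL.dll to bypass UAC) goes undetected for any renamed sample; the `automated_detection_testing: passed` stamp added in the same commit was therefore earned against the test dataset's filename, not the technique. The technique mapping is also inconsistent: `references` points at T1218/003 (CMSTP proxy execution) while the search explicitly excludes CMSTP.exe and the unit-test dataset lives under T1548; the behaviour is a UAC bypass, so the `mitre_attack_id` and reference should be T1548.002 (Bypass User Account Control). The description needs a grammar pass as well ("to bypassed UAC", and "This technique used by ransomware" is missing "is").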
From: bpatel Date: Thu, 13 May 2021 10:50:29 -0700 Subject: [PATCH 14/38] mapping existing detections --- .../attempted_credential_dump_from_registry_via_reg_exe.yml | 1 + detections/endpoint/bitsadmin_download_file.yml | 1 + .../certutil_download_with_urlcache_and_split_arguments.yml | 1 + .../certutil_download_with_verifyctl_and_split_arguments.yml | 1 + detections/endpoint/detect_mimikatz_using_loaded_images.yml | 1 + 5 files changed, 5 insertions(+) diff --git a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml index b954523f7b..d6f1b914d4 100644 --- a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml +++ b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml @@ -25,6 +25,7 @@ references: [] tags: analytic_story: - Credential Dumping + - DarkSide Ransomware asset_type: Endpoint automated_detection_testing: passed cis20: diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml index b25ad8dd5a..e63975b329 100644 --- a/detections/endpoint/bitsadmin_download_file.yml +++ b/detections/endpoint/bitsadmin_download_file.yml @@ -38,6 +38,7 @@ tags: analytic_story: - Ingress Tool Transfer - BITS Jobs + - DarkSide Ransomware automated_detection_testing: passed dataset: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log diff --git a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml index 87fbbfd62a..2ec1788a60 100644 --- a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml 
@@ -31,6 +31,7 @@ references: tags: analytic_story: - Ingress Tool Transfer + - DarkSide Ransomware automated_detection_testing: passed dataset: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log diff --git a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml index 7c58bc5d30..90045fc832 100644 --- a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml @@ -32,6 +32,7 @@ references: tags: analytic_story: - Ingress Tool Transfer + - DarkSide Ransomware automated_detection_testing: passed dataset: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log diff --git a/detections/endpoint/detect_mimikatz_using_loaded_images.yml b/detections/endpoint/detect_mimikatz_using_loaded_images.yml index 02658570ca..567c7f6913 100644 --- a/detections/endpoint/detect_mimikatz_using_loaded_images.yml +++ b/detections/endpoint/detect_mimikatz_using_loaded_images.yml @@ -29,6 +29,7 @@ tags: - Credential Dumping - Detect Zerologon Attack - Cloud Federated Credential Abuse + - DarkSide Ransomware asset_type: Windows automated_detection_testing: passed cis20: From 9a1bd49ca50e04fd266f77142cdf00be0ee5388a Mon Sep 17 00:00:00 2001 From: bpatel Date: Thu, 13 May 2021 10:55:09 -0700 Subject: [PATCH 15/38] more mappings --- detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml | 2 +- detections/endpoint/detect_psexec_with_accepteula_flag.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml index a781e80161..53d47f3a4a 100644 --- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml 
+++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml @@ -23,7 +23,7 @@ references: - https://attack.mitre.org/techniques/T1218/003/ tags: analytic_story: - - darkside + - DarkSide Ransomware kill_chain_phases: - Exploitation mitre_attack_id: diff --git a/detections/endpoint/detect_psexec_with_accepteula_flag.yml b/detections/endpoint/detect_psexec_with_accepteula_flag.yml index 464e574aba..d257cbbeff 100644 --- a/detections/endpoint/detect_psexec_with_accepteula_flag.yml +++ b/detections/endpoint/detect_psexec_with_accepteula_flag.yml @@ -34,6 +34,7 @@ tags: - SamSam Ransomware - DHS Report TA18-074A - HAFNIUM Group + - DarkSide Ransomware asset_type: Endpoint automated_detection_testing: passed cis20: From e63e6c4cfb2c9a49426df8241695e0eadc2dd4f9 Mon Sep 17 00:00:00 2001 From: mhaag-spl <5632822+MHaggis@users.noreply.github.com> Date: Thu, 13 May 2021 12:14:03 -0600 Subject: [PATCH 16/38] rclone --- .../detect_rclone_command_line_usage.yml | 46 +++++++++++++++++++ detections/endpoint/detect_renamed_rclone.yml | 43 +++++++++++++++++ .../detect_rclone_command_line_usage.test.yml | 12 +++++ tests/endpoint/detect_renamed_rclone.test.yml | 12 +++++ 4 files changed, 113 insertions(+) create mode 100644 detections/endpoint/detect_rclone_command_line_usage.yml create mode 100644 detections/endpoint/detect_renamed_rclone.yml create mode 100644 tests/endpoint/detect_rclone_command_line_usage.test.yml create mode 100644 tests/endpoint/detect_renamed_rclone.test.yml diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml new file mode 100644 index 0000000000..c5fbe3f58b --- /dev/null +++ b/detections/endpoint/detect_rclone_command_line_usage.yml 
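Review bot: the PATCH 15 rename of `- darkside` to `- DarkSide Ransomware` is required for the story link to resolve (the `analytic_story` value has to match the story's `name` exactly), but PATCH 14 had already shipped the six mismatched mappings one commit earlier, so squash the two mapping commits rather than leaving a broken intermediate state in the series. The mapping hunks themselves add only the story tag: nothing in attempted_credential_dump, bitsadmin_download_file, the two certutil detections, detect_mimikatz or detect_psexec_with_accepteula_flag tells a reader why DarkSide is listed; add the FireEye DarkSide report that the rclone detections cite to each detection's `references` so the attribution is traceable from the detection itself.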
@@ -0,0 +1,46 @@ +name: Detect RClone Command-Line Usage +id: 32e0baea-b3f1-11eb-a2ce-acde48001122 +version: 1 +date: '2021-05-13' +author: Michael Haag, Splunk +type: batch +datamodel: +- Endpoint +description: This analytic identifies commonly used command-line arguments used by `rclone.exe to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. + In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. + During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by review file modifications and parallel processes. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime + max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*copy*", "*mega*", "*pcloud*", "*ftp*", "*--config*", "*--progress*", "*--no-check-certificate*", "*--ignore-existing*", "*--auto-confirm*", "*--transfers*", "*--multi-thread-streams*") by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. +known_false_positives: There is potential for false positives as these arguments may be used by other applications. Filter or tune the analytic as needed. 
+references: + - https://redcanary.com/blog/rclone-mega-extortion/ + - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +tags: + analytic_story: + - DarkSide Ransomware + - Ransomware + dataset: [] + kill_chain_phases: + - Exfiltration + mitre_attack_id: + - T1020 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_id + security_domain: endpoint \ No newline at end of file diff --git a/detections/endpoint/detect_renamed_rclone.yml b/detections/endpoint/detect_renamed_rclone.yml new file mode 100644 index 0000000000..26ad52ea0a --- /dev/null +++ b/detections/endpoint/detect_renamed_rclone.yml 
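Review bot: the `search` in detect_rclone_command_line_usage.yml never constrains the process to rclone. It matches any `Processes.process` containing `copy`, `mega`, `pcloud`, `ftp`, `--config`, `--progress` and so on, so `robocopy`, `xcopy`, `Copy-Item`, any ftp client and every `git clone --progress` will fire, while the description says it identifies arguments "used by `rclone.exe`". Add `Processes.process_name=rclone.exe` (or, to also catch renamed binaries, `Processes.original_file_name=rclone.exe` where that CIM field is populated) to the `where` clause, and either drop `*copy*` and `*ftp*` from the substring list or require two or more of the rclone-specific flags. Two smaller items: `tags.dataset: []` is empty although the unit test pulls the T1020 sysmon dataset, so the testing service has nothing to record against this detection; and the backtick before `rclone.exe` in the description is unclosed. On mapping, T1020 is Automated Exfiltration; rclone pushing to mega/pcloud/ftp is closer to T1567.002 (Exfiltration to Cloud Storage), which fits the Red Canary reference.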
@@ -0,0 +1,43 @@ +name: Detect Renamed RClone +id: 6dca1124-b3ec-11eb-9328-acde48001122 +version: 1 +date: '2021-05-13' +author: Michael Haag, Splunk +type: batch +datamodel: [] +description: The following analytic identifies the usage of `rclone.exe`, renamed, being used to exfiltrate data to a remote destination. RClone has been used by multiple ransomware groups to exfiltrate data. In many instances, it will be downloaded from the legitimate site and executed accordingly. + During triage, isolate the endpoint and begin to review parallel processes for additional behavior. At this stage, the adversary may have staged data to be exfiltrated. +search: '`sysmon` EventID=1 OriginalFileName=rclone.exe NOT process_name=rclone.exe | stats + count min(_time) as firstTime max(_time) as lastTime by Computer, User, parent_process_name, + process_name, OriginalFileName, process_path, CommandLine | rename Computer as dest + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case. 
+references: + - https://redcanary.com/blog/rclone-mega-extortion/ + - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +tags: + analytic_story: + - DarkSide Ransomware + - Ransomware + dataset: [] + kill_chain_phases: + - Exfiltration + mitre_attack_id: + - T1020 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - OriginalFileName + - process_name + - process_path + - CommandLine + - dest + security_domain: endpoint \ No newline at end of file diff --git a/tests/endpoint/detect_rclone_command_line_usage.test.yml b/tests/endpoint/detect_rclone_command_line_usage.test.yml new file mode 100644 index 0000000000..029bbfe41b --- /dev/null +++ b/tests/endpoint/detect_rclone_command_line_usage.test.yml @@ -0,0 +1,12 @@ +name: Detect RClone Command-Line Usage Unit Test +tests: +- name: Detect RClone Command-Line Usage + file: endpoint/detect_rclone_command_line_usage.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-sysmon.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog \ No newline at end of file diff --git a/tests/endpoint/detect_renamed_rclone.test.yml b/tests/endpoint/detect_renamed_rclone.test.yml new file mode 100644 index 0000000000..592b5da53d --- /dev/null +++ b/tests/endpoint/detect_renamed_rclone.test.yml 
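Review bot: detect_renamed_rclone.yml keys the Sysmon search on `EventID=1` while every other sysmon search in this series (the CMLUA one uses `EventCode=7`) keys on `EventCode`; pick one field, otherwise this search silently returns nothing on deployments where only `EventCode` is extracted and the unit test is the only place that would notice. `required_fields` also omits `Computer`, `User` and `parent_process_name`, all of which are in the `stats ... by` clause, and `tags.dataset: []` is empty even though the unit test uses the T1020 dataset. The `OriginalFileName=rclone.exe NOT process_name=rclone.exe` predicate is the right renamed-binary check, but `known_false_positives` should state the limitation: it depends on the PE version resource, which an attacker who rebuilds or patches rclone can blank, so this analytic should be paired with the command-line one rather than relied on alone.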
@@ -0,0 +1,12 @@ +name: Detect Renamed RClone Unit Test +tests: +- name: Detect Renamed RClone + file: endpoint/detect_renamed_rclone.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-sysmon.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog \ No newline at end of file From eaae607c1213851d795740c9606bc8173316d080 Mon Sep 17 00:00:00 2001 From: tcontreras Date: Thu, 13 May 2021 20:21:22 +0200 Subject: [PATCH 17/38] com_obj2 --- detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml index ca7aad1281..3860d56b07 100644 --- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml +++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml 
@@ -8,11 +8,12 @@ datamodel: - Endpoint description: This search is to detect a potential process using COM Object like CMLUA or CMSTPLUA to bypassed UAC. This technique used by ransomware to gain administrative privileges to its running process. -search: '`sysmon` EventCode=7 process_name ="darkside.exe" ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) -| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `cmlua_or_cmstplua_uac_bypass_filter`' +search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) + NOT(Image IN("*\\windows\\*", "*\\program files\\*")) + | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cmlua_or_cmstplua_uac_bypass_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the From d631a7e2f2d58c15a7dbf299175153d5334f3397 Mon Sep 17 00:00:00 2001 
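Review bot: the new `NOT(Image IN("*\\windows\\*", "*\\program files\\*"))` exclusion suppresses every image under C:\Windows, including directories unprivileged users can write to such as C:\Windows\Temp and C:\Windows\Tasks, so the analytic now has a trivial bypass for exactly the medium-integrity process a UAC bypass starts from. Narrow the exclusion to `*\\windows\\system32\\*` and `*\\windows\\syswow64\\*` (plus Program Files), or, since `Signed` is already in the stats output, exclude only signed images under those paths. Separately, this diff is against blob ca7aad1281, the pre-PATCH-12 layout of the file, whereas PATCHES 12, 13 and 15 already moved it through cc3ad9e6b5 and a781e80161 to 53d47f3a4a with reflowed lines; applied in series order this hunk will not apply cleanly and needs a rebase onto the current file.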
From: tcontreras Date: Thu, 13 May 2021 20:32:25 +0200 Subject: [PATCH 18/38] fail --- ...dential_dump_from_registry_via_reg_exe.yml | 1 + .../endpoint/bitsadmin_download_file.yml | 1 + ...load_with_urlcache_and_split_arguments.yml | 1 + ...oad_with_verifyctl_and_split_arguments.yml | 1 + .../detect_mimikatz_using_loaded_images.yml | 1 + .../detect_rclone_command_line_usage.yml | 46 ++ detections/endpoint/detect_renamed_rclone.yml | 43 ++ ..._authenticate_from_host_using_kerberos.yml | 60 ++ ..._authenticate_from_host_using_kerberos.yml | 60 ++ ...g_to_authenticate_from_host_using_ntlm.yml | 60 ++ ...uthenticate_using_explicit_credentials.yml | 61 ++ ..._authenticate_from_host_using_kerberos.yml | 61 ++ ...g_to_authenticate_from_host_using_ntlm.yml | 64 +++ ...s_failing_to_authenticate_from_process.yml | 70 +++ ...tely_failing_to_authenticate_from_host.yml | 62 ++ ...em_process_running_unexpected_location.yml | 2 +- dist/escu/lookups/mitre_enrichment.csv | 544 +++++++++++------- .../active_directory_password_spraying.yml | 35 ++ .../detect_rclone_command_line_usage.test.yml | 12 + tests/endpoint/detect_renamed_rclone.test.yml | 12 + ...enticate_from_host_using_kerberos.test.yml | 12 + ...enticate_from_host_using_kerberos.test.yml | 15 + ...authenticate_from_host_using_ntlm.test.yml | 12 + ...ticate_using_explicit_credentials.test.yml | 12 + ...enticate_from_host_using_kerberos.test.yml | 12 + ...authenticate_from_host_using_ntlm.test.yml | 12 + ...ling_to_authenticate_from_process.test.yml | 12 + ...failing_to_authenticate_from_host.test.yml | 12 + 28 files changed, 1085 insertions(+), 211 deletions(-) create mode 100644 detections/endpoint/detect_rclone_command_line_usage.yml create mode 100644 detections/endpoint/detect_renamed_rclone.yml create mode 100644 detections/endpoint/multiple_disabled_users_failing_to_authenticate_from_host_using_kerberos.yml create mode 100644 
detections/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_kerberos.yml create mode 100644 detections/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_ntlm.yml create mode 100644 detections/endpoint/multiple_users_attempting_to_authenticate_using_explicit_credentials.yml create mode 100644 detections/endpoint/multiple_users_failing_to_authenticate_from_host_using_kerberos.yml create mode 100644 detections/endpoint/multiple_users_failing_to_authenticate_from_host_using_ntlm.yml create mode 100644 detections/endpoint/multiple_users_failing_to_authenticate_from_process.yml create mode 100644 detections/endpoint/multiple_users_remotely_failing_to_authenticate_from_host.yml create mode 100644 stories/active_directory_password_spraying.yml create mode 100644 tests/endpoint/detect_rclone_command_line_usage.test.yml create mode 100644 tests/endpoint/detect_renamed_rclone.test.yml create mode 100644 tests/endpoint/multiple_disabled_users_failing_to_authenticate_from_host_using_kerberos.test.yml create mode 100644 tests/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_kerberos.test.yml create mode 100644 tests/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_ntlm.test.yml create mode 100644 tests/endpoint/multiple_users_attempting_to_authenticate_using_explicit_credentials.test.yml create mode 100644 tests/endpoint/multiple_users_failing_to_authenticate_from_host_using_kerberos.test.yml create mode 100644 tests/endpoint/multiple_users_failing_to_authenticate_from_host_using_ntlm.test.yml create mode 100644 tests/endpoint/multiple_users_failing_to_authenticate_from_process.test.yml create mode 100644 tests/endpoint/multiple_users_remotely_failing_to_authenticate_from_host.test.yml diff --git a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml index b954523f7b..d6f1b914d4 100644 
--- a/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml +++ b/detections/endpoint/attempted_credential_dump_from_registry_via_reg_exe.yml @@ -25,6 +25,7 @@ references: [] tags: analytic_story: - Credential Dumping + - DarkSide Ransomware asset_type: Endpoint automated_detection_testing: passed cis20: diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml index b25ad8dd5a..e63975b329 100644 --- a/detections/endpoint/bitsadmin_download_file.yml +++ b/detections/endpoint/bitsadmin_download_file.yml @@ -38,6 +38,7 @@ tags: analytic_story: - Ingress Tool Transfer - BITS Jobs + - DarkSide Ransomware automated_detection_testing: passed dataset: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1197/atomic_red_team/windows-sysmon.log diff --git a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml index 87fbbfd62a..2ec1788a60 100644 --- a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml @@ -31,6 +31,7 @@ references: tags: analytic_story: - Ingress Tool Transfer + - DarkSide Ransomware automated_detection_testing: passed dataset: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log diff --git a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml index 7c58bc5d30..90045fc832 100644 --- a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml +++ b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml 
@@ -32,6 +32,7 @@ references: tags: analytic_story: - Ingress Tool Transfer + - DarkSide Ransomware automated_detection_testing: passed dataset: - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1105/atomic_red_team/windows-sysmon.log diff --git a/detections/endpoint/detect_mimikatz_using_loaded_images.yml b/detections/endpoint/detect_mimikatz_using_loaded_images.yml index 02658570ca..567c7f6913 100644 --- a/detections/endpoint/detect_mimikatz_using_loaded_images.yml +++ b/detections/endpoint/detect_mimikatz_using_loaded_images.yml @@ -29,6 +29,7 @@ tags: - Credential Dumping - Detect Zerologon Attack - Cloud Federated Credential Abuse + - DarkSide Ransomware asset_type: Windows automated_detection_testing: passed cis20: diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml new file mode 100644 index 0000000000..c5fbe3f58b --- /dev/null +++ b/detections/endpoint/detect_rclone_command_line_usage.yml 
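Review bot: the hunks in this commit for attempted_credential_dump, bitsadmin_download_file, both certutil detections and detect_mimikatz are byte-for-byte the PATCH 14 hunks (same blob indexes, e.g. b954523f7b..d6f1b914d4), and the rclone files that follow carry the same new-file blobs as PATCH 16 (c5fbe3f58b and 26ad52ea0a); applied after those patches they will be rejected as already present, which is presumably what the one-word subject `fail` records. Rebase the branch onto the updated base instead of re-committing the same changes, and split the unrelated payload out of this PR: the Active Directory Password Spraying story, its eight detections and tests, and the 544-line regeneration of dist/escu/lookups/mitre_enrichment.csv have nothing to do with the DarkSide story and deserve their own review. The commit subject should also say what the commit does.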
@@ -0,0 +1,46 @@ +name: Detect RClone Command-Line Usage +id: 32e0baea-b3f1-11eb-a2ce-acde48001122 +version: 1 +date: '2021-05-13' +author: Michael Haag, Splunk +type: batch +datamodel: +- Endpoint +description: This analytic identifies commonly used command-line arguments used by `rclone.exe to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. + In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. + During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by review file modifications and parallel processes. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime + max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*copy*", "*mega*", "*pcloud*", "*ftp*", "*--config*", "*--progress*", "*--no-check-certificate*", "*--ignore-existing*", "*--auto-confirm*", "*--transfers*", "*--multi-thread-streams*") by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`' +how_to_implement: To successfully implement this search you need to be ingesting information + on process that include the name of the process responsible for the changes from + your endpoints into the `Endpoint` datamodel in the `Processes` node. +known_false_positives: There is potential for false positives as these arguments may be used by other applications. Filter or tune the analytic as needed. 
+references: + - https://redcanary.com/blog/rclone-mega-extortion/ + - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +tags: + analytic_story: + - DarkSide Ransomware + - Ransomware + dataset: [] + kill_chain_phases: + - Exfiltration + mitre_attack_id: + - T1020 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.dest + - Processes.user + - Processes.parent_process + - Processes.process_name + - Processes.process + - Processes.process_id + - Processes.parent_process_id + security_domain: endpoint \ No newline at end of file diff --git a/detections/endpoint/detect_renamed_rclone.yml b/detections/endpoint/detect_renamed_rclone.yml new file mode 100644 index 0000000000..26ad52ea0a --- /dev/null +++ b/detections/endpoint/detect_renamed_rclone.yml 
@@ -0,0 +1,43 @@ +name: Detect Renamed RClone +id: 6dca1124-b3ec-11eb-9328-acde48001122 +version: 1 +date: '2021-05-13' +author: Michael Haag, Splunk +type: batch +datamodel: [] +description: The following analytic identifies the usage of `rclone.exe`, renamed, being used to exfiltrate data to a remote destination. RClone has been used by multiple ransomware groups to exfiltrate data. In many instances, it will be downloaded from the legitimate site and executed accordingly. + During triage, isolate the endpoint and begin to review parallel processes for additional behavior. At this stage, the adversary may have staged data to be exfiltrated. +search: '`sysmon` EventID=1 OriginalFileName=rclone.exe NOT process_name=rclone.exe | stats + count min(_time) as firstTime max(_time) as lastTime by Computer, User, parent_process_name, + process_name, OriginalFileName, process_path, CommandLine | rename Computer as dest + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + logs with the process name, parent process, and command-line executions from your + endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the + Sysmon TA. +known_false_positives: False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case. 
+references: + - https://redcanary.com/blog/rclone-mega-extortion/ + - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +tags: + analytic_story: + - DarkSide Ransomware + - Ransomware + dataset: [] + kill_chain_phases: + - Exfiltration + mitre_attack_id: + - T1020 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - OriginalFileName + - process_name + - process_path + - CommandLine + - dest + security_domain: endpoint \ No newline at end of file diff --git a/detections/endpoint/multiple_disabled_users_failing_to_authenticate_from_host_using_kerberos.yml b/detections/endpoint/multiple_disabled_users_failing_to_authenticate_from_host_using_kerberos.yml new file mode 100644 index 0000000000..3ba03e214a --- /dev/null +++ b/detections/endpoint/multiple_disabled_users_failing_to_authenticate_from_host_using_kerberos.yml 
@@ -0,0 +1,60 @@ +name: Multiple Disabled Users Failing To Authenticate From Host Using Kerberos +id: 98f22d82-9d62-11eb-9fcf-acde48001122 +version: 1 +date: '2021-04-14' +author: Mauricio Velazco, Splunk +type: batch +datamodel: +- Endpoint +description: 'The following analytic identifies one source endpoint failing to authenticate + with multiple disabled domain users using the Kerberos protocol. This behavior could + represent an adversary performing a Password Spraying attack against an Active Directory + environment using Kerberos to obtain initial access or elevate privileges. As attackers + progress in a breach, mistakes will be made. In certain scenarios, adversaries may + execute a password spraying attack against disabled users. Event 4768 is generated every time + the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). Failure code `0x12` stands for + `clients credentials have been revoked` (account disabled, expired or locked out).\ + + The detection calculates the standard deviation for each host and leverages + the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, + users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. + This logic can be used for real time security monitoring as well as threat hunting exercises.\ + + This detection will only trigger on domain controllers, not on member servers or workstations.\ + + The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.' 
+search: '`wineventlog_security` EventCode=4768 Account_Name!="*$" Result_Code=0x12 + | bucket span=2m _time | stats dc(Account_Name) AS unique_accounts values(Account_Name) + as tried_accounts by _time, Client_Address | eventstats avg(unique_accounts) as + comp_avg , stdev(unique_accounts) as comp_std by Client_Address | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) + | search isOutlier=1 | `multiple_disabled_users_failing_to_authenticate_from_host_using_kerberos_filter` ' +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: A host failing to authenticate with multiple disabled domain + users is not a common behavior for legitimate systems. Possible false positive scenarios + include but are not limited to vulnerability scanners, multi-user systems missconfigured systems. +references: +- https://attack.mitre.org/techniques/T1110/003/ +tags: + analytic_story: + - Active Directory Password Spraying + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1110.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - Result_Code + - Account_Name + - Client_Address + security_domain: endpoint + automated_detection_testing: passed + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos/windows-security.log diff --git a/detections/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_kerberos.yml b/detections/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_kerberos.yml new file mode 100644 index 0000000000..cb357e355b --- /dev/null 
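Review bot: `datamodel: - Endpoint` is declared in multiple_disabled_users_failing_to_authenticate_from_host_using_kerberos.yml but the search reads raw `wineventlog_security` events and never touches the Endpoint datamodel; set it to `[]` as detect_renamed_rclone does so the build does not advertise a dependency the search does not use. In the description, "Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket" contradicts the detection's own logic: 4768 is logged for every TGT request, and the `Result_Code=0x12` the search keys on is present precisely when no ticket was issued; say "requested". The outlier test also degenerates when a `Client_Address` has a single 2-minute bucket: `eventstats stdev(unique_accounts)` is 0, `upperBound` equals the one observed value, and the condition collapses to `unique_accounts > 10`; that floor is sensible but should be documented in how_to_implement next to the audit subcategory. `known_false_positives` is missing "and" before "missconfigured" (misconfigured).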
+++ b/detections/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_kerberos.yml 
@@ -0,0 +1,60 @@ +name: Multiple Invalid Users Failing To Authenticate From Host Using Kerberos +id: 001266a6-9d5b-11eb-829b-acde48001122 +version: 1 +date: '2021-04-14' +author: Mauricio Velazco, Splunk +type: batch +datamodel: +- Endpoint +description: 'The following analytic identifies one source endpoint failing to authenticate + with multiple invalid domain users using the Kerberos protocol. This behavior could + represent an adversary performing a Password Spraying attack against an Active Directory + environment using Kerberos to obtain initial access or elevate privileges. As attackers + progress in a breach, mistakes will be made. In certain scenarios, adversaries may + execute a password spraying attack using an invalid list of users. Event 4768 is generated + every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT). + Failure code 0x6 stands for `client not found in Kerberos database` (the attempted user is not a valid domain user).\ + + The detection calculates the standard deviation for each host and leverages + the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, + users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. + This logic can be used for real time security monitoring as well as threat hunting exercises.\ + + This detection will only trigger on domain controllers, not on member servers or workstations.\ + + The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.' 
+search: '`wineventlog_security` EventCode=4768 Result_Code=0x6 Account_Name!="*$" + | bucket span=2m _time | stats dc(Account_Name) AS unique_accounts values(Account_Name) + as tried_accounts by _time, Client_Address | eventstats avg(unique_accounts) as + comp_avg , stdev(unique_accounts) as comp_std by Client_Address | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) + | search isOutlier=1 | `multiple_invalid_users_failing_to_authenticate_from_host_using_kerberos_filter` ' +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: A host failing to authenticate with multiple invalid domain + users is not a common behavior for legitimate systems. Possible false positive scenarios + include but are not limited to vulnerability scanners, multi-user systems and missconfigured systems. +references: +- https://attack.mitre.org/techniques/T1110/003/ +tags: + analytic_story: + - Active Directory Password Spraying + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1110.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - Result_Code + - Account_Name + - Client_Address + security_domain: endpoint + automated_detection_testing: passed + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos/windows-security.log diff --git a/detections/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_ntlm.yml b/detections/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_ntlm.yml new file mode 100644 index 0000000000..2ae0ec1b18 --- /dev/null 
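Review bot: In multiple_invalid_users_failing_to_authenticate_from_host_using_kerberos.yml the description says "Event 4768 is generated every time the Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT)", but the search depends on 4768 being logged for failed requests as well (Result_Code=0x6 means no ticket was issued); reword to "every time a TGT is requested, whether or not one is issued". Also "The analytics returned fields" should be "The analytic's returned fields", and "missconfigured" in known_false_positives should be "misconfigured".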
+++ b/detections/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_ntlm.yml 
@@ -0,0 +1,60 @@ +name: Multiple Invalid Users Failing To Authenticate From Host Using NTLM +id: 57ad5a64-9df7-11eb-a290-acde48001122 +version: 1 +date: '2021-04-15' +author: Mauricio Velazco, Splunk +type: batch +datamodel: +- Endpoint +description: 'The following analytic identifies one source endpoint failing to authenticate with multiple invalid users using the NTLM protocol. + This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment using NTLM to obtain + initial access or elevate privileges. As attackers progress in a breach, mistakes will be made. In certain scenarios, adversaries may execute a password spraying attack using an invalid list of users. + Event 4776 is generated on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. + For local accounts, the local computer is authoritative. Error code 0xC0000064 stands for `The username you typed does not exist` (the attempted user is a legitimate domain user).\ + + The detection calculates the standard deviation for each host and leverages + the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, + users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. + This logic can be used for real time security monitoring as well as threat hunting exercises.\ + + This detection will only trigger on domain controllers, not on member servers or workstations.\ + + The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts.' 
+search: ' `wineventlog_security` EventCode=4776 Logon_Account!="*$" 0xC0000064 action=failure + | bucket span=2m _time + | stats dc(Logon_Account) AS unique_accounts values(Logon_Account) as tried_accounts by _time, Source_Workstation + | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Source_Workstation + | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) + | search isOutlier=1 + | `multiple_invalid_users_failing_to_authenticate_from_host_using_ntlm_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller events. The Advanced Security Audit policy setting `Audit Credential + Validation' within `Account Logon` needs to be enabled. +known_false_positives: A host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. Possible false positive scenarios + include but are not limited to vulnerability scanners and missconfigured systems. If this detection triggers on a host other than a Domain Controller, the behavior could + represent a password spraying attack against the host's local accounts. 
+references: +- https://attack.mitre.org/techniques/T1110/003/ +- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation +- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 +tags: + analytic_story: + - Active Directory Password Spraying + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1110.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - action + - Logon_Account + - Source_Workstation + security_domain: endpoint + automated_detection_testing: passed + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm/windows-security.log diff --git a/detections/endpoint/multiple_users_attempting_to_authenticate_using_explicit_credentials.yml b/detections/endpoint/multiple_users_attempting_to_authenticate_using_explicit_credentials.yml new file mode 100644 index 0000000000..8999955b61 --- /dev/null +++ b/detections/endpoint/multiple_users_attempting_to_authenticate_using_explicit_credentials.yml 
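Review bot: The description in multiple_invalid_users_failing_to_authenticate_from_host_using_ntlm.yml contradicts itself: "Error code 0xC0000064 stands for `The username you typed does not exist` (the attempted user is a legitimate domain user)" carries the parenthetical over from the valid-user variant and should say the attempted user is not a valid domain user, matching the Kerberos invalid-users file in this patch. The same description states "This detection will only trigger on domain controllers", yet known_false_positives says a trigger on a non-DC host "could represent a password spraying attack against the host's local accounts", and the description itself notes 4776 is logged on whichever computer is authoritative for the account; drop "only" and describe the DC case as the domain-account case. Two smaller items: the search matches `0xC0000064` as a bare term rather than against the extracted error-code field, so it will also match that value wherever else it appears in an event, and how_to_implement closes the backtick in "`Audit Credential Validation'" with an apostrophe.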
@@ -0,0 +1,61 @@ +name: Multiple Users Attempting To Authenticate Using Explicit Credentials +id: e61918fa-9ca4-11eb-836c-acde48001122 +version: 1 +date: '2021-04-13' +author: Mauricio Velazco, Splunk +type: batch +datamodel: +- Endpoint +description: 'The following analytic identifies a source user failing to authenticate with multiple users using explicit credentials on a host. + This behavior could represent an adversary performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. + Event 4648 is generated when a process attempts an account logon by explicitly specifying that accounts credentials. This event generates on domain controllers, member servers, and workstations.\ + + The detection calculates the standard deviation for each host and leverages + the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, + users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. + This logic can be used for real time security monitoring as well as threat hunting exercises.\ + + This detection will trigger on the potenfially malicious host, perhaps controlled via a trojan or operated by an insider threat, from where a password spraying attack is being executed.\ + + The analytics returned fields allow analysts to investigate the event further by providing fields like source account, attempted user accounts and the endpoint were the behavior was identified.' 
+search: ' `wineventlog_security` EventCode=4648 + | bucket span=2m _time + | eval Source_Account = mvindex(Account_Name, 0) + | eval Destination_Account = mvindex(Account_Name, 1) + | search Source_Account != "*$" Source_Account !="-" Destination_Account !="*$" + | stats dc(Destination_Account) AS unique_accounts values(Destination_Account) as tried_account by _time, ComputerName, Source_Account + | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by ComputerName + | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) + | search isOutlier=1 + | `multiple_users_attempting_to_authenticate_using_explicit_credentials_filter` ' +how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as + well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. +known_false_positives: A source user failing attempting to authenticate multiple users on a host is not a common behavior for regular systems. + Some applications, however, may exhibit this behavior in which case sets of users hosts can be added to an allow list. + Possible false positive scenarios include systems where several users connect to like Mail servers, identity providers, remote desktop services, Citrix, etc. 
+references: +- https://attack.mitre.org/techniques/T1110/003/ +- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648 +- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events +tags: + analytic_story: + - Active Directory Password Spraying + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1110.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - Security_ID + - Account_Name + - ComputerName + security_domain: endpoint + automated_detection_testing: passed + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray/windows-security.log diff --git a/detections/endpoint/multiple_users_failing_to_authenticate_from_host_using_kerberos.yml b/detections/endpoint/multiple_users_failing_to_authenticate_from_host_using_kerberos.yml new file mode 100644 index 0000000000..e5cf6b75a4 --- /dev/null +++ b/detections/endpoint/multiple_users_failing_to_authenticate_from_host_using_kerberos.yml 
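Review bot: In multiple_users_attempting_to_authenticate_using_explicit_credentials.yml the baseline keys do not match the aggregation keys: `stats dc(Destination_Account) ... by _time, ComputerName, Source_Account` is followed by `eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by ComputerName`, so one source account's activity is compared against the average over every source account on that host, unlike multiple_users_failing_to_authenticate_from_process.yml in this patch, whose eventstats groups by the same keys as its stats. Either add Source_Account to the eventstats grouping or state in the description that the per-host baseline is intentional. required_fields lists Security_ID, which the search never references, while the search does depend on Account_Name being multivalued (source at index 0, destination at index 1), which is worth stating in how_to_implement. Wording fixes: "that accounts credentials" (account's), "potenfially", "the endpoint were the behavior" (where), and in known_false_positives "A source user failing attempting to authenticate multiple users" and "sets of users hosts".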
@@ -0,0 +1,61 @@ +name: Multiple Users Failing To Authenticate From Host Using Kerberos +id: 3a91a212-98a9-11eb-b86a-acde48001122 +version: 1 +date: '2021-04-08' +author: Mauricio Velazco, Splunk +type: batch +datamodel: +- Endpoint +description: 'The following analytic identifies one source endpoint failing to authenticate + with multiple valid users using the Kerberos protocol. This behavior could represent + an adversary performing a Password Spraying attack against an Active Directory environment + using Kerberos to obtain initial access or elevate privileges. Event 4771 is generated when + the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). Failure code + 0x18 stands for `wrong password provided` (the attempted user is a legitimate domain user).\ + + The detection calculates the standard deviation for each host and leverages + the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, + users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. + This logic can be used for real time security monitoring as well as threat hunting exercises.\ + + This detection will only trigger on domain controllers, not on member servers or workstations.\ + + The analytics returned fields allow analysts to investigate the event further by providing fields like source ip and attempted user accounts.' 
+search: '`wineventlog_security` EventCode=4771 Failure_Code=0x18 Account_Name!="*$" + | bucket span=2m _time | stats dc(Account_Name) AS unique_accounts values(Account_Name) + as tried_accounts by _time, Client_Address | eventstats avg(unique_accounts) as + comp_avg , stdev(unique_accounts) as comp_std by Client_Address | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) + | search isOutlier=1 | `multiple_users_failing_to_authenticate_from_host_using_kerberos_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller and Kerberos events. The Advanced Security Audit policy setting + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. +known_false_positives: A host failing to authenticate with multiple valid domain users + is not a common behavior for legitimate systems. Possible false positive scenarios + include but are not limited to vulnerability scanners, missconfigured systems and + multi-user systems like Citrix farms. +references: +- https://attack.mitre.org/techniques/T1110/003/ +- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319109(v=ws.11) +- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771 +tags: + analytic_story: + - Active Directory Password Spraying + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1110.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - Result_Code + - Account_Name + - Client_Address + security_domain: endpoint + automated_detection_testing: passed + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos/windows-security.log 
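Review bot: required_fields in multiple_users_failing_to_authenticate_from_host_using_kerberos.yml lists Result_Code, but the search filters on `Failure_Code=0x18`; the list appears copied from the 4768-based detections (which do use Result_Code) and should name Failure_Code so field validation matches what this 4771 search actually needs. Also "missconfigured" in known_false_positives should be "misconfigured".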
diff --git a/detections/endpoint/multiple_users_failing_to_authenticate_from_host_using_ntlm.yml b/detections/endpoint/multiple_users_failing_to_authenticate_from_host_using_ntlm.yml new file mode 100644 index 0000000000..e58c223ac8 --- /dev/null +++ b/detections/endpoint/multiple_users_failing_to_authenticate_from_host_using_ntlm.yml 
@@ -0,0 +1,64 @@ +name: Multiple Users Failing To Authenticate From Host Using NTLM +id: 7ed272a4-9c77-11eb-af22-acde48001122 +version: 1 +date: '2021-04-13' +author: Mauricio Velazco, Splunk +type: batch +datamodel: +- Endpoint +description: 'The following analytic identifies one source endpoint failing to authenticate + with multiple valid users using the NTLM protocol. This behavior could represent + an adversary performing a Password Spraying attack against an Active Directory environment + using NTLM to obtain initial access or elevate privileges. Event 4776 is generated on the + computer that is authoritative for + the provided credentials. For domain accounts, the domain controller is authoritative. + For local accounts, the local computer is authoritative. Error code 0xC000006A means: + misspelled or bad password (the attempted user is a legitimate domain user).\ + + The detection calculates the standard deviation for each host and leverages + the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, + users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. + This logic can be used for real time security monitoring as well as threat hunting exercises.\ + + This detection will only trigger on domain controllers, not on member servers or workstations.\ + + The analytics returned fields allow analysts to investigate the event further by providing fields like source workstation name and attempted user accounts.' 
+search: ' `wineventlog_security` EventCode=4776 Logon_Account!="*$" 0xC000006A action=failure + | bucket span=2m _time | stats dc(Logon_Account) AS unique_accounts values(Logon_Account) + as tried_accounts by _time, Source_Workstation | eventstats avg(unique_accounts) + as comp_avg , stdev(unique_accounts) as comp_std by Source_Workstation | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) + | search isOutlier=1 | `multiple_users_failing_to_authenticate_from_host_using_ntlm_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + Domain Controller events. The Advanced Security Audit policy setting `Audit Credential + Validation` within `Account Logon` needs to be enabled. +known_false_positives: A host failing to authenticate with multiple valid domain users + is not a common behavior for legitimate systems. Possible false positive scenarios + include but are not limited to vulnerability scanners and missconfigured systems. + If this detection triggers on a host other than a Domain Controller, the behavior + could represent a password spraying attack against the host's local accounts. 
+references: +- https://attack.mitre.org/techniques/T1110/003/ +- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation +- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 +tags: + analytic_story: + - Active Directory Password Spraying + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1110.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - action + - Logon_Account + - Source_Workstation + security_domain: endpoint + automated_detection_testing: passed + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm/windows-security.log diff --git a/detections/endpoint/multiple_users_failing_to_authenticate_from_process.yml b/detections/endpoint/multiple_users_failing_to_authenticate_from_process.yml new file mode 100644 index 0000000000..cd6474499d --- /dev/null +++ b/detections/endpoint/multiple_users_failing_to_authenticate_from_process.yml 
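Review bot: multiple_users_failing_to_authenticate_from_host_using_ntlm.yml has the same scoping contradiction as the invalid-users NTLM file: the description says "This detection will only trigger on domain controllers, not on member servers or workstations" while known_false_positives in the same file says a trigger "on a host other than a Domain Controller" could "represent a password spraying attack against the host's local accounts"; since 4776 is generated on the computer authoritative for the account (as the description itself says), drop "only" and present the DC case as the domain-account case. The search also filters with the bare term `0xC000006A` instead of the extracted error-code field; qualifying it avoids matching the value in any other part of the event.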
@@ -0,0 +1,70 @@ +name: Multiple Users Failing To Authenticate From Process +id: 9015385a-9c84-11eb-bef2-acde48001122 +version: 1 +date: '2021-04-13' +author: Mauricio Velazco, Splunk +type: batch +datamodel: +- Endpoint +description: 'The following analytic identifies a source process name failing to authenticate + with multiple users. This behavior could represent an adversary performing a Password + Spraying attack against an Active Directory environment to obtain initial access + or elevate privileges. Event 4625 generates + on domain controllers, member servers, and workstations when an account fails to logon. Logon Type 2 describes + an iteractive logon attempt.\ + + The detection calculates the standard deviation for each host and leverages + the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, + users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. + This logic can be used for real time security monitoring as well as threat hunting exercises.\ + + This detection will trigger on the potenfially malicious host, perhaps controlled + via a trojan or operated by an insider threat, from where a password spraying attack + is being executed. This could be a domain controller as well as a member server + or workstation.\ + + The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user + accounts.' 
+search: ' `wineventlog_security` EventCode=4625 Logon_Type=2 Caller_Process_Name!="-" + | bucket span=2m _time | eval Source_Account = mvindex(Account_Name, 0) | eval Destination_Account + = mvindex(Account_Name, 1) | stats dc(Destination_Account) AS unique_accounts values(Account_Name) + as tried_accounts by _time, Caller_Process_Name, Source_Account, ComputerName | + eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std + by Caller_Process_Name, Source_Account, ComputerName | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) + | search isOutlier=1 | `multiple_users_failing_to_authenticate_from_process_filter` ' +how_to_implement: To successfully implement this search, you need to be ingesting + Windows Event Logs from domain controllers aas well as member servers and workstations. + The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs + to be enabled. +known_false_positives: A process failing to authenticate with multiple users is not + a common behavior for legitimate user sessions. Possible false positive scenarios + include but are not limited to vulnerability scanners and missconfigured systems. 
+references: +- https://attack.mitre.org/techniques/T1110/003/ +- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 +- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625 +- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events +tags: + analytic_story: + - Active Directory Password Spraying + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1110.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - Logon_Type + - Caller_Process_Name + - Security_ID + - Account_Name + - ComputerName + security_domain: endpoint + automated_detection_testing: passed + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process/windows-security.log diff --git a/detections/endpoint/multiple_users_remotely_failing_to_authenticate_from_host.yml b/detections/endpoint/multiple_users_remotely_failing_to_authenticate_from_host.yml new file mode 100644 index 0000000000..0dcf433565 --- /dev/null +++ b/detections/endpoint/multiple_users_remotely_failing_to_authenticate_from_host.yml 
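Review bot: In multiple_users_failing_to_authenticate_from_process.yml tried_accounts is built from the wrong field: `stats dc(Destination_Account) AS unique_accounts values(Account_Name) as tried_accounts` takes values of the raw multivalue Account_Name, so the calling account (index 0) is listed alongside the attempted targets, whereas every other detection in this patch uses values(Destination_Account); change it to values(Destination_Account) so the count and the list describe the same accounts. Typos: "iteractive" (interactive), "aas well as", "potenfially".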
@@ -0,0 +1,62 @@ +name: Multiple Users Remotely Failing To Authenticate From Host +id: 80f9d53e-9ca1-11eb-b0d6-acde48001122 +version: 1 +date: '2021-04-13' +author: Mauricio Velazco, Splunk +type: batch +datamodel: +- Endpoint +description: The following analytic identifies a source host failing to authenticate against a remote host with multiple users. This behavior could represent an adversary + performing a Password Spraying attack against an Active Directory environment to obtain initial access or elevate privileges. + Event 4625 documents each and every failed attempt to logon to the local computer. This event generates on domain controllers, member servers, and workstations. Logon Type 3 + describes an remote authentication attempt.\ + + The detection calculates the standard deviation for each host and leverages + the 3-sigma statistical rule to identify an unusual number of users. To customize this analytic, + users can try different combinations of the `bucket` span time and the calculation of the `upperBound` field. + This logic can be used for real time security monitoring as well as threat hunting exercises.\ + + This detection will trigger on the host that is the target of the password spraying attack. This could be a domain controller as well as a member server or workstation.\ + + The analytics returned fields allow analysts to investigate the event further by providing fields like source process name, source account and attempted user accounts. 
+search: ' `wineventlog_security` EventCode=4625 Logon_Type=3 Source_Network_Address!="-" + | bucket span=2m _time + | eval Destination_Account = mvindex(Account_Name, 1) + | stats dc(Destination_Account) AS unique_accounts values(Destination_Account) as tried_accounts by _time, Source_Network_Address, ComputerName + | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by Source_Network_Address, ComputerName + | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, 0) + | search isOutlier=1 + | `multiple_users_remotely_failing_to_authenticate_from_host_filter` ' +how_to_implement: To successfully implement this search, you need to be ingesting Windows Event Logs from domain controllers as + as well as member servers and workstations. The Advanced Security Audit policy setting `Audit Logon` within `Logon/Logoff` needs to be enabled. +known_false_positives: A host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. + Possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, missconfigyred systems, etc. 
+references: +- https://attack.mitre.org/techniques/T1110/003/ +- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 +- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625 +- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events +tags: + analytic_story: + - Active Directory Password Spraying + kill_chain_phases: + - Exploitation + mitre_attack_id: + - T1110.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - EventCode + - Logon_Type + - Security_ID + - Account_Name + - ComputerName + - Source_Network_Address + security_domain: endpoint + automated_detection_testing: passed + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray/windows-security.log diff --git a/detections/endpoint/ssa___system_process_running_unexpected_location.yml b/detections/endpoint/ssa___system_process_running_unexpected_location.yml index 8257e37e3d..470afb0ec1 100644 --- a/detections/endpoint/ssa___system_process_running_unexpected_location.yml +++ b/detections/endpoint/ssa___system_process_running_unexpected_location.yml @@ -224,7 +224,7 @@ search: ' $ssa_input = | from read_ssa_enriched_events() | eval device=ucast(map OR process_name="xcopy.exe" OR process_name="xpsrchvw.exe" OR process_name="xwizard.exe"; | from $cond_1 | union $cond_2 | union $cond_3 | union $cond_4 | union $cond_5 | - union $cond_6 | | where process_path NOT LIKE "%\\windows\\system32%" OR process_path + union $cond_6 | where process_path NOT LIKE "%\\windows\\system32%" OR process_path NOT LIKE "%\\windows\\syswow64%" | eval start_time=timestamp, end_time=timestamp, entities=mvappend(device, user), body=create_map(["process_path", process_path, "process_name", process_name]) | into write_ssa_detected_events();' 
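Review bot: The description of multiple_users_remotely_failing_to_authenticate_from_host.yml promises fields the search does not produce: "providing fields like source process name, source account and attempted user accounts" was copied from the process-based detection, but this search groups by Source_Network_Address and ComputerName and only evaluates Destination_Account, so the sentence should name source network address, target host and attempted user accounts. Wording fixes in the same file: "describes an remote authentication attempt" (a remote), "domain controllers as as well as", and "missconfigyred". The trailing one-line change to ssa___system_process_running_unexpected_location.yml (removing the doubled `| |` before `where`) is correct but unrelated to the password-spraying detections and to the lookup refresh that follows; it would be easier to bisect as its own commit.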
diff --git a/dist/escu/lookups/mitre_enrichment.csv b/dist/escu/lookups/mitre_enrichment.csv index 0717cbc6ba..5347a9e765 100644 --- a/dist/escu/lookups/mitre_enrichment.csv +++ b/dist/escu/lookups/mitre_enrichment.csv 
@@ -1,59 +1,182 @@ mitre_id,technique,tactics,groups -T1205.001,Port Knocking,Defense Evasion|Persistence|Command And Control,no +T1553.006,Code Signing Policy Modification,Defense Evasion,Turla|APT39 +T1614,System Location Discovery,Discovery,no +T1613,Container and Resource Discovery,Discovery,no +T1552.007,Container API,Credential Access,no +T1612,Build Image on Host,Defense Evasion,no +T1611,Escape to Host,Privilege Escalation,no +T1204.003,Malicious Image,Execution,no +T1053.007,Container Orchestration Job,Execution|Persistence|Privilege Escalation,no +T1610,Deploy Container,Defense Evasion|Execution,no +T1609,Container Administration Command,Execution,no +T1608.005,Link Target,Resource Development,Silent Librarian +T1608.004,Drive-by Target,Resource Development,APT32|Threat Group-3390 +T1608.003,Install Digital Certificate,Resource Development,no +T1608.002,Upload Tool,Resource Development,Threat Group-3390 +T1608.001,Upload Malware,Resource Development,APT32 +T1608,Stage Capabilities,Resource Development,no +T1016.001,Internet Connection Discovery,Discovery,APT29|UNC2452|Turla +T1553.005,Mark-of-the-Web Bypass,Defense Evasion,TA505 +T1555.005,Password Managers,Credential Access,Fox Kitten|Operation Wocao +T1484.002,Domain Trust Modification,Defense Evasion|Privilege Escalation,APT29|UNC2452 +T1484.001,Group Policy Modification,Defense Evasion|Privilege Escalation,Indrik Spider +T1547.014,Active Setup,Persistence|Privilege Escalation,no +T1606.002,SAML Tokens,Credential Access,APT29|UNC2452 +T1606.001,Web Cookies,Credential Access,APT29|UNC2452 +T1606,Forge Web Credentials,Credential Access,no +T1555.004,Windows Credential Manager,Credential Access,Stealth Falcon|OilRig|Turla +T1059.008,Network Device CLI,Execution,no +T1602.002,Network Device Configuration Dump,Collection,no +T1542.005,TFTP Boot,Defense Evasion|Persistence,no +T1542.004,ROMMONkit,Defense Evasion|Persistence,no +T1602.001,SNMP (MIB Dump),Collection,no +T1602,Data from Configuration 
Repository,Collection,no +T1601.002,Downgrade System Image,Defense Evasion,no +T1601.001,Patch System Image,Defense Evasion,no +T1601,Modify System Image,Defense Evasion,no +T1600.002,Disable Crypto Hardware,Defense Evasion,no +T1600.001,Reduce Key Space,Defense Evasion,no +T1600,Weaken Encryption,Defense Evasion,no +T1556.004,Network Device Authentication,Credential Access|Defense Evasion|Persistence,no +T1599.001,Network Address Translation Traversal,Defense Evasion,no +T1599,Network Boundary Bridging,Defense Evasion,no +T1020.001,Traffic Duplication,Exfiltration,no +T1557.002,ARP Cache Poisoning,Credential Access|Collection,Cleaver +T1588.006,Vulnerabilities,Resource Development,Sandworm Team +T1053.006,Systemd Timers,Execution|Persistence|Privilege Escalation,no +T1562.008,Disable Cloud Logs,Defense Evasion,no +T1547.012,Print Processors,Persistence|Privilege Escalation,no +T1598.003,Spearphishing Link,Reconnaissance,Silent Librarian|Sidewinder|Sandworm Team|APT32|Kimsuky +T1598.002,Spearphishing Attachment,Reconnaissance,Sidewinder +T1598.001,Spearphishing Service,Reconnaissance,no +T1598,Phishing for Information,Reconnaissance,ZIRCONIUM|APT28 +T1597.002,Purchase Technical Data,Reconnaissance,no +T1597.001,Threat Intel Vendors,Reconnaissance,no +T1597,Search Closed Sources,Reconnaissance,no +T1596.005,Scan Databases,Reconnaissance,no +T1596.004,CDNs,Reconnaissance,no +T1596.003,Digital Certificates,Reconnaissance,no +T1596.001,DNS/Passive DNS,Reconnaissance,no +T1596.002,WHOIS,Reconnaissance,no +T1596,Search Open Technical Databases,Reconnaissance,no +T1595.002,Vulnerability Scanning,Reconnaissance,Volatile Cedar|APT28|Sandworm Team +T1595.001,Scanning IP Blocks,Reconnaissance,no +T1595,Active Scanning,Reconnaissance,no +T1594,Search Victim-Owned Websites,Reconnaissance,Silent Librarian|Sandworm Team +T1593.002,Search Engines,Reconnaissance,no +T1593.001,Social Media,Reconnaissance,no +T1593,Search Open Websites/Domains,Reconnaissance,Sandworm Team 
+T1592.004,Client Configurations,Reconnaissance,HAFNIUM +T1592.003,Firmware,Reconnaissance,no +T1592.002,Software,Reconnaissance,Sandworm Team +T1592.001,Hardware,Reconnaissance,no +T1592,Gather Victim Host Information,Reconnaissance,no +T1591.004,Identify Roles,Reconnaissance,no +T1591.003,Identify Business Tempo,Reconnaissance,no +T1591.001,Determine Physical Locations,Reconnaissance,no +T1591.002,Business Relationships,Reconnaissance,Sandworm Team +T1591,Gather Victim Org Information,Reconnaissance,no +T1590.006,Network Security Appliances,Reconnaissance,no +T1590.005,IP Addresses,Reconnaissance,HAFNIUM +T1590.004,Network Topology,Reconnaissance,no +T1590.003,Network Trust Dependencies,Reconnaissance,no +T1590.002,DNS,Reconnaissance,no +T1590.001,Domain Properties,Reconnaissance,Sandworm Team +T1590,Gather Victim Network Information,Reconnaissance,HAFNIUM +T1589.003,Employee Names,Reconnaissance,Silent Librarian|Sandworm Team +T1589.002,Email Addresses,Reconnaissance,TA551|MuddyWater|HAFNIUM|APT32|Silent Librarian|Sandworm Team +T1589.001,Credentials,Reconnaissance,APT28|Magic Hound|Chimera +T1589,Gather Victim Identity Information,Reconnaissance,APT32 +T1588.005,Exploits,Resource Development,no +T1588.004,Digital Certificates,Resource Development,Lazarus Group|Silent Librarian +T1588.003,Code Signing Certificates,Resource Development,Wizard Spider +T1588.002,Tool,Resource Development,MuddyWater|Silent Librarian|GALLIUM|Sandworm Team +T1588.001,Malware,Resource Development,Turla|APT1 +T1588,Obtain Capabilities,Resource Development,no +T1587.004,Exploits,Resource Development,no +T1587.003,Digital Certificates,Resource Development,APT29|PROMETHIUM +T1587.002,Code Signing Certificates,Resource Development,PROMETHIUM|Patchwork +T1587.001,Malware,Resource Development,APT29|Lazarus Group|UNC2452|Sandworm Team|Turla|FIN7|Night Dragon|Cleaver +T1587,Develop Capabilities,Resource Development,Kimsuky +T1586.002,Email Accounts,Resource Development,Magic Hound|Kimsuky 
+T1586.001,Social Media Accounts,Resource Development,no +T1586,Compromise Accounts,Resource Development,no +T1585.002,Email Accounts,Resource Development,Magic Hound|Silent Librarian|Sandworm Team|APT1 +T1585.001,Social Media Accounts,Resource Development,Fox Kitten|Sandworm Team|APT32|Cleaver +T1585,Establish Accounts,Resource Development,Fox Kitten|APT17 +T1584.006,Web Services,Resource Development,Turla +T1584.005,Botnet,Resource Development,no +T1584.004,Server,Resource Development,Indrik Spider|Turla|APT16 +T1584.003,Virtual Private Server,Resource Development,Turla +T1584.002,DNS Server,Resource Development,no +T1584.001,Domains,Resource Development,APT29|UNC2452|APT1 +T1583.006,Web Services,Resource Development,ZIRCONIUM|MuddyWater|HAFNIUM|Lazarus Group|Turla|APT32|APT17|APT29 +T1583.005,Botnet,Resource Development,no +T1583.004,Server,Resource Development,GALLIUM|Sandworm Team +T1583.003,Virtual Private Server,Resource Development,HAFNIUM|TEMP.Veles +T1583.002,DNS Server,Resource Development,no +T1584,Compromise Infrastructure,Resource Development,no +T1583.001,Domains,Resource Development,APT29|Mustang Panda|ZIRCONIUM|UNC2452|Lazarus Group|Silent Librarian|menuPass|Sandworm Team|APT32|Kimsuky|APT1|APT28 +T1583,Acquire Infrastructure,Resource Development,no +T1564.007,VBA Stomping,Defense Evasion,no +T1558.004,AS-REP Roasting,Credential Access,no +T1580,Cloud Infrastructure Discovery,Discovery,no +T1218.012,Verclsid,Defense Evasion,no +T1205.001,Port Knocking,Defense Evasion|Persistence|Command And Control,PROMETHIUM T1564.006,Run Virtual Instance,Defense Evasion,no T1564.005,Hidden File System,Defense Evasion,Strider|Equation -T1556.003,Pluggable Authentication Modules,Credential Access|Defense Evasion,no +T1556.003,Pluggable Authentication Modules,Credential Access|Defense Evasion|Persistence,no T1574.012,COR_PROFILER,Persistence|Privilege Escalation|Defense Evasion,Blue Mockingbird T1562.007,Disable or Modify Cloud Firewall,Defense Evasion,no 
T1098.004,SSH Authorized Keys,Persistence,no T1480.001,Environmental Keying,Defense Evasion,APT41|Equation -T1059.007,JavaScript/JScript,Execution,APT32|FIN7|Cobalt Group|Molerats|TA505|Silence|Leafminer +T1059.007,JavaScript,Execution,MuddyWater|Turla|Higaisa|Sidewinder|Evilnum|Kimsuky|FIN6|APT32|FIN7|Cobalt Group|Molerats|TA505|Silence|Leafminer T1578.004,Revert Cloud Instance,Defense Evasion,no T1578.003,Delete Cloud Instance,Defense Evasion,no T1578.001,Create Snapshot,Defense Evasion,no T1578.002,Create Cloud Instance,Defense Evasion,no T1127.001,MSBuild,Defense Evasion,Frankenstein -T1027.005,Indicator Removal from Tools,Defense Evasion,Soft Cell|TEMP.Veles|Patchwork|APT3|Turla|OilRig|Deep Panda +T1027.005,Indicator Removal from Tools,Defense Evasion,Operation Wocao|GALLIUM|TEMP.Veles|Patchwork|APT3|Turla|OilRig|Deep Panda T1562.006,Indicator Blocking,Defense Evasion,no -T1573.002,Asymmetric Cryptography,Command And Control,Tropic Trooper|Cobalt Group|OilRig|FIN8|FIN6 -T1573.001,Symmetric Cryptography,Command And Control,Frankenstein|Inception|APT28|APT33|BRONZE BUTLER|Stealth Falcon|Lazarus Group +T1573.002,Asymmetric Cryptography,Command And Control,Operation Wocao|Tropic Trooper|Cobalt Group|OilRig|FIN8|FIN6 +T1573.001,Symmetric Cryptography,Command And Control,Mustang Panda|Darkhotel|ZIRCONIUM|Higaisa|Frankenstein|Inception|APT28|APT33|BRONZE BUTLER|Stealth Falcon|Lazarus Group T1573,Encrypted Channel,Command And Control,Tropic Trooper T1027.004,Compile After Delivery,Defense Evasion,Gamaredon Group|Rocke|MuddyWater T1574.004,Dylib Hijacking,Persistence|Privilege Escalation|Defense Evasion,no T1546.015,Component Object Model Hijacking,Privilege Escalation|Persistence,APT28 -T1071.004,DNS,Command And Control,APT39|Tropic Trooper|OilRig|Ke3chang|Cobalt Group|APT18|APT41|FIN7 -T1071.003,Mail Protocols,Command And Control,APT32|SilverTerrier|APT28 -T1071.002,File Transfer Protocols,Command And Control,APT41|SilverTerrier|Machete|Honeybee -T1071.001,Web 
Protocols,Command And Control,Sandworm Team|TA505|Rocke|APT39|Tropic Trooper|MuddyWater|Wizard Spider|Inception|APT41|SilverTerrier|Machete|APT28|WIRTE|APT33|FIN4|Night Dragon|APT18|APT38|Cobalt Group|APT19|Threat Group-3390|Rancor|Orangeworm|APT37|Ke3chang|Dark Caracal|Turla|Lazarus Group|BRONZE BUTLER|APT32|OilRig|Magic Hound|Gamaredon Group|Stealth Falcon -T1572,Protocol Tunneling,Command And Control,OilRig|Cobalt Group|FIN6 -T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,Exfiltration,APT32|APT33|Thrip|FIN8|OilRig|Lazarus Group -T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,Exfiltration,no +T1071.004,DNS,Command And Control,Chimera|APT39|Tropic Trooper|OilRig|Ke3chang|Cobalt Group|APT18|APT41|FIN7 +T1071.003,Mail Protocols,Command And Control,Turla|Kimsuky|APT32|SilverTerrier|APT28 +T1071.002,File Transfer Protocols,Command And Control,Kimsuky|APT41|SilverTerrier|Honeybee +T1071.001,Web Protocols,Command And Control,APT29|Mustang Panda|Windshift|TA551|Higaisa|HAFNIUM|Sidewinder|Chimera|UNC2452|Sandworm Team|TA505|Rocke|APT39|Tropic Trooper|MuddyWater|Wizard Spider|Inception|APT41|SilverTerrier|APT28|WIRTE|APT33|FIN4|Night Dragon|APT18|APT38|Ke3chang|Orangeworm|APT19|Cobalt Group|Threat Group-3390|Rancor|APT37|Dark Caracal|Turla|Lazarus Group|BRONZE BUTLER|Magic Hound|APT32|OilRig|Gamaredon Group|Stealth Falcon +T1572,Protocol Tunneling,Command And Control,Chimera|Fox Kitten|OilRig|Cobalt Group|FIN6 +T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,Exfiltration,Wizard Spider|FIN6|APT32|APT33|Thrip|FIN8|OilRig|Lazarus Group +T1048.002,Exfiltration Over Asymmetric Encrypted Non-C2 Protocol,Exfiltration,APT29|UNC2452 T1048.001,Exfiltration Over Symmetric Encrypted Non-C2 Protocol,Exfiltration,no -T1001.003,Protocol Impersonation,Command And Control,Lazarus Group -T1001.002,Steganography,Command And Control,Axiom +T1001.003,Protocol Impersonation,Command And Control,Higaisa|Lazarus Group 
+T1001.002,Steganography,Command And Control,APT29|Axiom T1001.001,Junk Data,Command And Control,APT28 T1132.002,Non-Standard Encoding,Command And Control,no -T1132.001,Standard Encoding,Command And Control,Sandworm Team|Tropic Trooper|MuddyWater|APT33|APT19|Lazarus Group|BRONZE BUTLER|Patchwork +T1132.001,Standard Encoding,Command And Control,HAFNIUM|TA551|Sandworm Team|Tropic Trooper|MuddyWater|APT33|APT19|Lazarus Group|BRONZE BUTLER|Patchwork T1090.004,Domain Fronting,Command And Control,APT29 -T1090.003,Multi-hop Proxy,Command And Control,Inception|FIN4|APT29 -T1090.002,External Proxy,Command And Control,APT39|Silence|Soft Cell|MuddyWater|APT3|FIN5|Lazarus Group|menuPass|APT28 -T1090.001,Internal Proxy,Command And Control,APT39|Strider +T1090.003,Multi-hop Proxy,Command And Control,APT28|Operation Wocao|Inception|FIN4|APT29 +T1090.002,External Proxy,Command And Control,APT39|Silence|GALLIUM|MuddyWater|APT3|FIN5|Lazarus Group|menuPass|APT28 +T1090.001,Internal Proxy,Command And Control,APT29|Higaisa|UNC2452|Operation Wocao|APT39|Strider T1102.003,One-Way Communication,Command And Control,Leviathan -T1102.002,Bidirectional Communication,Command And Control,Sandworm Team|APT39|APT12|Turla|FIN7|APT37|Magic Hound|Carbanak +T1102.002,Bidirectional Communication,Command And Control,ZIRCONIUM|MuddyWater|APT28|APT29|Sandworm Team|APT39|APT12|FIN7|Turla|APT37|Magic Hound|Carbanak T1102.001,Dead Drop Resolver,Command And Control,Rocke|APT41|BRONZE BUTLER|RTM|Patchwork T1571,Non-Standard Port,Command And Control,Sandworm Team|Rocke|DarkVishnya|Silence|APT-C-36|Magic Hound|APT33|APT32|TEMP.Veles|Lazarus Group|FIN7 -T1074.002,Remote Data Staging,Collection,Threat Group-3390|menuPass|FIN6|Night Dragon|FIN8 -T1074.001,Local Data Staging,Collection,Machete|Soft Cell|TEMP.Veles|Patchwork|Dragonfly 2.0|Honeybee|Leviathan|APT3|FIN5|menuPass|FIN6|Lazarus Group|Threat Group-3390|APT28 +T1074.002,Remote Data Staging,Collection,APT29|Chimera|UNC2452|Threat 
Group-3390|menuPass|FIN6|Night Dragon|FIN8 +T1074.001,Local Data Staging,Collection,Mustang Panda|Sidewinder|Chimera|Kimsuky|APT39|Operation Wocao|GALLIUM|TEMP.Veles|Patchwork|Honeybee|Dragonfly 2.0|Leviathan|APT3|FIN5|menuPass|Lazarus Group|Threat Group-3390|APT28 T1078.004,Cloud Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,APT33 T1564.004,NTFS File Attributes,Defense Evasion,APT32 -T1564.003,Hidden Window,Defense Evasion,Gorgon Group|Deep Panda|DarkHydrus|CopyKittens|APT19|APT32|APT28|APT3|Magic Hound -T1078.003,Local Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Tropic Trooper|FIN10|Stolen Pencil|APT32 -T1078.002,Domain Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,TA505|APT3|Threat Group-1314 +T1564.003,Hidden Window,Defense Evasion,Higaisa|Gorgon Group|Deep Panda|DarkHydrus|CopyKittens|APT19|APT32|APT28|APT3|Magic Hound +T1078.003,Local Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,HAFNIUM|Turla|Operation Wocao|PROMETHIUM|Tropic Trooper|FIN10|Stolen Pencil|APT32 +T1078.002,Domain Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Indrik Spider|Chimera|Operation Wocao|Sandworm Team|Wizard Spider|APT29|TA505|APT3|Threat Group-1314 T1078.001,Default Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,no T1564.002,Hidden Users,Defense Evasion,no -T1574.006,LD_PRELOAD,Persistence|Privilege Escalation|Defense Evasion,Rocke -T1574.002,DLL Side-Loading,Persistence|Privilege Escalation|Defense Evasion,BRONZE BUTLER|Naikon|APT41|Soft Cell|Tropic Trooper|Patchwork|APT19|APT32|APT3|menuPass|Threat Group-3390 -T1574.001,DLL Search Order Hijacking,Persistence|Privilege Escalation|Defense Evasion,Whitefly|RTM|Threat Group-3390|menuPass +T1574.006,Dynamic Linker Hijacking,Persistence|Privilege Escalation|Defense Evasion,APT41|Rocke +T1574.002,DLL Side-Loading,Persistence|Privilege Escalation|Defense Evasion,Mustang 
Panda|Higaisa|BlackTech|Sidewinder|Chimera|BRONZE BUTLER|Naikon|APT41|GALLIUM|Tropic Trooper|Patchwork|APT19|APT32|APT3|menuPass|Threat Group-3390 +T1574.001,DLL Search Order Hijacking,Persistence|Privilege Escalation|Defense Evasion,Evilnum|APT41|Whitefly|RTM|Threat Group-3390|menuPass T1574.008,Path Interception by Search Order Hijacking,Persistence|Privilege Escalation|Defense Evasion,no T1574.007,Path Interception by PATH Environment Variable,Persistence|Privilege Escalation|Defense Evasion,no T1574.009,Path Interception by Unquoted Path,Persistence|Privilege Escalation|Defense Evasion,no 
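Review bot: Row ordering in this hunk: the added row `+T1584,Compromise Infrastructure,Resource Development,no` lands between `+T1583.002,DNS Server,...` and `+T1583.001,Domains,...`, which breaks the descending-by-ID grouping the rest of the Reconnaissance and Resource Development block follows (sub-techniques first, then the parent directly after its lowest `.001` row, as with `T1598`, `T1588`, `T1587`, `T1586`, `T1585` and `T1583`); move it to directly after `+T1584.001,Domains,Resource Development,APT29|UNC2452|APT1`. Also worth a check: the new Resource Development rows reuse identical technique names under different parent IDs (`Digital Certificates` appears as T1587.003, T1588.004 and T1596.003; `Malware`, `Exploits`, `Code Signing Certificates`, `Domains`, `Server`, `Botnet`, `Web Services`, `Virtual Private Server`, `DNS Server`, `Email Accounts` and `Social Media Accounts` likewise), so any search or lookup that joins this CSV on the name column rather than the ID column will now get ambiguous matches; confirm consumers key on the ID.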
@@ -61,174 +184,174 @@ T1574.011,Services Registry Permissions Weakness,Persistence|Privilege Escalatio T1574.005,Executable Installer File Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no T1574.010,Services File Permissions Weakness,Persistence|Privilege Escalation|Defense Evasion,no T1574,Hijack Execution Flow,Persistence|Privilege Escalation|Defense Evasion,no -T1069.001,Local Groups,Discovery,Turla|OilRig|admin@338 -T1570,Lateral Tool Transfer,Lateral Movement,APT32|Wizard Spider|Turla|FIN10 +T1069.001,Local Groups,Discovery,Chimera|Operation Wocao|Turla|OilRig|admin@338 +T1570,Lateral Tool Transfer,Lateral Movement,Chimera|GALLIUM|Operation Wocao|APT32|Wizard Spider|Turla|FIN10 T1568.003,DNS Calculation,Command And Control,APT12 -T1204.002,Malicious File,Execution,Magic Hound|Windshift|APT33|Sandworm Team|Naikon|Whitefly|Tropic Trooper|Gamaredon Group|Sharpshooter|Molerats|Wizard Spider|Mofang|Frankenstein|RTM|Inception|BlackTech|APT-C-36|Machete|admin@338|APT12|TA505|Silence|The White Company|APT39|FIN4|Darkhotel|Gallmaker|APT19|Dragonfly 2.0|BRONZE BUTLER|Cobalt Group|DarkHydrus|Gorgon Group|Patchwork|OilRig|Dark Caracal|MuddyWater|Lazarus Group|FIN7|APT32|Rancor|APT37|FIN8|APT28|Elderwood|TA459|APT29|Leviathan|menuPass|PLATINUM -T1204.001,Malicious Link,Execution,Patchwork|Windshift|APT32|Molerats|Mofang|BlackTech|TA505|OilRig|Machete|Leviathan|FIN8|FIN4|Elderwood|Dragonfly 2.0|Cobalt Group|APT39|Night Dragon|APT33|Turla +T1204.002,Malicious File,Execution,Ajax Security Team|Mustang Panda|TA551|Higaisa|Sidewinder|Kimsuky|FIN6|PROMETHIUM|APT30|Windshift|APT33|Sandworm Team|Naikon|Whitefly|Tropic Trooper|Gamaredon Group|Sharpshooter|Molerats|Wizard Spider|Mofang|Frankenstein|RTM|Inception|BlackTech|APT-C-36|Machete|admin@338|APT12|TA505|Silence|The White Company|APT39|FIN4|Darkhotel|Gallmaker|Dragonfly 2.0|Dark Caracal|Cobalt Group|DarkHydrus|OilRig|Rancor|BRONZE BUTLER|FIN7|APT19|Patchwork|APT32|Gorgon Group|MuddyWater|Lazarus 
Group|APT37|TA459|Leviathan|APT29|APT28|FIN8|Elderwood|PLATINUM|menuPass +T1204.001,Malicious Link,Execution,APT28|APT29|Mustang Panda|Sidewinder|ZIRCONIUM|MuddyWater|Evilnum|Sandworm Team|Wizard Spider|Patchwork|Windshift|APT32|Molerats|Mofang|BlackTech|TA505|OilRig|Machete|Leviathan|FIN8|FIN4|Elderwood|Dragonfly 2.0|Cobalt Group|APT39|Night Dragon|Turla|APT33 T1195.003,Compromise Hardware Supply Chain,Initial Access,no -T1195.002,Compromise Software Supply Chain,Initial Access,Sandworm Team|APT41 +T1195.002,Compromise Software Supply Chain,Initial Access,APT29|UNC2452|Cobalt Group|GOLD SOUTHFIELD|Dragonfly|Sandworm Team|APT41 T1195.001,Compromise Software Dependencies and Development Tools,Initial Access,no -T1568.001,Fast Flux DNS,Command And Control,TA505 -T1052.001,Exfiltration over USB,Exfiltration,Tropic Trooper -T1569.002,Service Execution,Execution,Blue Mockingbird|APT39|APT41|Silence|FIN6|APT32|Honeybee|Ke3chang +T1568.001,Fast Flux DNS,Command And Control,menuPass|TA505 +T1052.001,Exfiltration over USB,Exfiltration,Mustang Panda|Tropic Trooper +T1569.002,Service Execution,Execution,Chimera|Operation Wocao|Wizard Spider|Blue Mockingbird|APT39|APT41|Silence|FIN6|APT32|Honeybee|Ke3chang T1569.001,Launchctl,Execution,no T1569,System Services,Execution,no -T1568.002,Domain Generation Algorithms,Command And Control,APT41 -T1568,Dynamic Resolution,Command And Control,no +T1568.002,Domain Generation Algorithms,Command And Control,TA551|APT41 +T1568,Dynamic Resolution,Command And Control,APT29|UNC2452 T1011.001,Exfiltration Over Bluetooth,Exfiltration,no -T1567.002,Exfiltration to Cloud Storage,Exfiltration,Leviathan|Turla +T1567.002,Exfiltration to Cloud Storage,Exfiltration,ZIRCONIUM|HAFNIUM|Chimera|Leviathan|Turla T1567.001,Exfiltration to Code Repository,Exfiltration,no -T1059.006,Python,Execution,Rocke|BRONZE BUTLER|APT39|Dragonfly 2.0|Machete -T1059.005,Visual Basic,Execution,APT33|Sandworm Team|Gamaredon 
Group|Sharpshooter|Molerats|Frankenstein|Inception|APT-C-36|Rancor|Patchwork|MuddyWater|Honeybee|FIN7|APT37|BRONZE BUTLER|APT32|Turla|TA505|Silence|WIRTE|FIN4|Cobalt Group|Gorgon Group|Leviathan|TA459|Magic Hound +T1059.006,Python,Execution,ZIRCONIUM|MuddyWater|Turla|Operation Wocao|Kimsuky|APT29|Rocke|BRONZE BUTLER|APT39|Dragonfly 2.0|Machete +T1059.005,Visual Basic,Execution,Mustang Panda|Windshift|Higaisa|Sidewinder|APT39|Machete|Operation Wocao|Kimsuky|Lazarus Group|APT33|Sandworm Team|Gamaredon Group|Sharpshooter|Molerats|Frankenstein|Inception|APT-C-36|Rancor|Patchwork|MuddyWater|Honeybee|FIN7|APT37|BRONZE BUTLER|APT32|Turla|TA505|Silence|WIRTE|FIN4|Cobalt Group|Gorgon Group|Leviathan|TA459|Magic Hound T1059.004,Unix Shell,Execution,Rocke|APT41 -T1059.003,Windows Command Shell,Execution,TA505|Blue Mockingbird|Tropic Trooper|Frankenstein|OilRig|Lazarus Group|Honeybee|Cobalt Group|FIN7|APT41|Soft Cell|Turla|Silence|APT32|APT39|Darkhotel|MuddyWater|APT18|APT38|Dark Caracal|Gorgon Group|Dragonfly 2.0|Rancor|Ke3chang|APT37|Leviathan|FIN8|APT28|Magic Hound|Sowbug|BRONZE BUTLER|FIN10|Threat Group-3390|menuPass|Gamaredon Group|Suckfly|Patchwork|Threat Group-1314|APT3|admin@338|APT1 +T1059.003,Windows Command Shell,Execution,APT29|Mustang Panda|ZIRCONIUM|TA551|Higaisa|Indrik Spider|Chimera|UNC2452|Fox Kitten|Machete|Operation Wocao|Wizard Spider|FIN6|TA505|Blue Mockingbird|Tropic Trooper|Frankenstein|OilRig|Lazarus Group|Honeybee|Cobalt Group|FIN7|APT41|GALLIUM|Turla|Silence|APT32|Darkhotel|MuddyWater|APT18|APT38|Dragonfly 2.0|Rancor|Gorgon Group|Ke3chang|Dark Caracal|Leviathan|APT37|APT28|FIN8|Magic Hound|Sowbug|BRONZE BUTLER|FIN10|Threat Group-3390|menuPass|Gamaredon Group|Patchwork|Suckfly|Threat Group-1314|APT3|admin@338|APT1 T1059.002,AppleScript,Execution,no -T1059.001,PowerShell,Execution,Blue Mockingbird|APT39|DarkVishnya|Molerats|Wizard Spider|Frankenstein|Inception|Silence|APT41|Kimsuky|Soft 
Cell|TA505|WIRTE|TEMP.Veles|APT33|Gallmaker|Turla|APT19|DarkHydrus|APT28|Thrip|Gorgon Group|Cobalt Group|Dragonfly 2.0|Leviathan|TA459|FIN8|MuddyWater|Magic Hound|OilRig|BRONZE BUTLER|CopyKittens|APT32|FIN7|FIN10|Threat Group-3390|menuPass|Patchwork|Stealth Falcon|FIN6|Poseidon Group|APT3|APT29|Deep Panda -T1567,Exfiltration Over Web Service,Exfiltration,no +T1059.001,PowerShell,Execution,Mustang Panda|Indrik Spider|HAFNIUM|Sidewinder|UNC2452|Fox Kitten|GOLD SOUTHFIELD|Sandworm Team|Operation Wocao|Lazarus Group|Chimera|Blue Mockingbird|APT39|DarkVishnya|Molerats|Wizard Spider|Frankenstein|Inception|Silence|APT41|Kimsuky|GALLIUM|TA505|WIRTE|TEMP.Veles|APT33|Gallmaker|APT28|Thrip|Cobalt Group|Turla|APT19|Dragonfly 2.0|Gorgon Group|DarkHydrus|Leviathan|TA459|MuddyWater|FIN8|OilRig|Magic Hound|BRONZE BUTLER|CopyKittens|APT32|FIN10|menuPass|Threat Group-3390|FIN7|Patchwork|Stealth Falcon|FIN6|Poseidon Group|APT3|APT29|Deep Panda +T1567,Exfiltration Over Web Service,Exfiltration,APT28 T1497.003,Time Based Evasion,Defense Evasion|Discovery,no -T1497.002,User Activity Based Checks,Defense Evasion|Discovery,FIN7 -T1497.001,System Checks,Defense Evasion|Discovery,Frankenstein +T1497.002,User Activity Based Checks,Defense Evasion|Discovery,Darkhotel|FIN7 +T1497.001,System Checks,Defense Evasion|Discovery,Darkhotel|Evilnum|Frankenstein T1498.002,Reflection Amplification,Impact,no T1498.001,Direct Network Flood,Impact,no -T1566.003,Spearphishing via Service,Initial Access,Magic Hound|Windshift|FIN6|OilRig|Dark Caracal -T1566.002,Spearphishing Link,Initial Access,Windshift|Molerats|Mofang|BlackTech|Machete|Kimsuky|TA505|Stolen Pencil|APT39|FIN4|APT32|Night Dragon|Turla|APT28|Cobalt Group|Dragonfly 2.0|OilRig|APT33|Elderwood|Leviathan|Magic Hound|Patchwork|APT29|FIN8 -T1566.001,Spearphishing Attachment,Initial Access,Magic Hound|Windshift|APT33|Sandworm Team|Naikon|Gamaredon Group|Sharpshooter|Molerats|Mofang|Wizard 
Spider|RTM|Frankenstein|Inception|BlackTech|APT-C-36|APT41|Machete|admin@338|Kimsuky|APT12|TA505|Silence|The White Company|APT39|FIN4|Darkhotel|Gallmaker|Tropic Trooper|Turla|Gorgon Group|Rancor|DarkHydrus|Cobalt Group|FIN7|OilRig|Lazarus Group|APT19|Dragonfly 2.0|BRONZE BUTLER|APT32|FIN8|MuddyWater|APT28|TA459|Leviathan|Patchwork|PLATINUM|Elderwood|APT29|APT37|menuPass -T1566,Phishing,Initial Access,no +T1566.003,Spearphishing via Service,Initial Access,Ajax Security Team|Lazarus Group|Magic Hound|Windshift|FIN6|OilRig|Dark Caracal +T1566.002,Spearphishing Link,Initial Access,Mustang Panda|ZIRCONIUM|MuddyWater|Sidewinder|Evilnum|Sandworm Team|Wizard Spider|APT1|Windshift|Molerats|Mofang|BlackTech|Machete|Kimsuky|TA505|Stolen Pencil|APT39|FIN4|APT32|Night Dragon|Cobalt Group|Turla|APT28|Dragonfly 2.0|OilRig|APT29|APT33|Leviathan|FIN8|Elderwood|Patchwork|Magic Hound +T1566.001,Spearphishing Attachment,Initial Access,Ajax Security Team|Mustang Panda|TA551|Higaisa|Sidewinder|APT1|FIN6|APT30|Windshift|APT33|Sandworm Team|Naikon|Gamaredon Group|Sharpshooter|Molerats|Mofang|Wizard Spider|RTM|Frankenstein|Inception|BlackTech|APT-C-36|APT41|Machete|admin@338|Kimsuky|APT12|TA505|Silence|The White Company|APT39|FIN4|Darkhotel|Gallmaker|Tropic Trooper|OilRig|BRONZE BUTLER|Cobalt Group|FIN7|APT19|Gorgon Group|Rancor|APT32|DarkHydrus|Lazarus Group|Dragonfly 2.0|MuddyWater|APT28|FIN8|Elderwood|APT37|menuPass|TA459|PLATINUM|APT29|Leviathan|Patchwork +T1566,Phishing,Initial Access,GOLD SOUTHFIELD|Dragonfly T1565.003,Runtime Data Manipulation,Impact,APT38 T1565.002,Transmitted Data Manipulation,Impact,APT38 T1565.001,Stored Data Manipulation,Impact,FIN4|APT38 T1565,Data Manipulation,Impact,no -T1564.001,Hidden Files and Directories,Defense Evasion,Rocke|APT32|Tropic Trooper|APT28|Lazarus Group +T1564.001,Hidden Files and Directories,Defense Evasion,Mustang Panda|Rocke|APT32|Tropic Trooper|APT28|Lazarus Group T1564,Hide Artifacts,Defense Evasion,no T1563.002,RDP Hijacking,Lateral 
Movement,no T1563.001,SSH Hijacking,Lateral Movement,no T1563,Remote Service Session Hijacking,Lateral Movement,no -T1518.001,Security Software Discovery,Discovery,Turla|Rocke|Frankenstein|The White Company|Cobalt Group|Darkhotel|MuddyWater|Tropic Trooper|FIN8|Patchwork|Naikon +T1518.001,Security Software Discovery,Discovery,Windshift|Sidewinder|Operation Wocao|Wizard Spider|Turla|Rocke|Frankenstein|The White Company|Cobalt Group|Darkhotel|MuddyWater|Tropic Trooper|FIN8|Patchwork|Naikon T1069.003,Cloud Groups,Discovery,no -T1069.002,Domain Groups,Discovery,Turla|Wizard Spider|Inception|OilRig|FIN6|Dragonfly 2.0|Ke3chang +T1069.002,Domain Groups,Discovery,Turla|Inception|OilRig|Dragonfly 2.0|Ke3chang T1087.004,Cloud Account,Discovery,no T1087.003,Email Account,Discovery,Sandworm Team|TA505 -T1087.002,Domain Account,Discovery,Turla|Sandworm Team|Dragonfly 2.0|OilRig|BRONZE BUTLER|menuPass|FIN6|Poseidon Group|Ke3chang -T1087.001,Local Account,Discovery,Turla|Poseidon Group|OilRig|Ke3chang|APT32|APT1|Threat Group-3390|APT3|admin@338 +T1087.002,Domain Account,Discovery,MuddyWater|Fox Kitten|Operation Wocao|Wizard Spider|Chimera|Turla|Sandworm Team|Dragonfly 2.0|OilRig|BRONZE BUTLER|menuPass|FIN6|Poseidon Group|Ke3chang +T1087.001,Local Account,Discovery,Chimera|Fox Kitten|Turla|Poseidon Group|OilRig|Ke3chang|APT32|APT1|Threat Group-3390|APT3|admin@338 T1553.004,Install Root Certificate,Defense Evasion,no -T1562.004,Disable or Modify System Firewall,Defense Evasion,Rocke|Lazarus Group|Kimsuky|Dragonfly 2.0|Carbanak -T1562.003,HISTCONTROL,Defense Evasion,no -T1562.002,Disable Windows Event Logging,Defense Evasion,Threat Group-3390 -T1562.001,Disable or Modify Tools,Defense Evasion,Gamaredon Group|BRONZE BUTLER|Rocke|Kimsuky|Turla|Night Dragon|Gorgon Group|Lazarus Group|Putter Panda +T1562.004,Disable or Modify System Firewall,Defense Evasion,APT29|UNC2452|Operation Wocao|Rocke|Lazarus Group|Kimsuky|Dragonfly 2.0|Carbanak +T1562.003,Impair Command History Logging,Defense 
Evasion,no +T1562.002,Disable Windows Event Logging,Defense Evasion,APT29|UNC2452|Threat Group-3390 +T1562.001,Disable or Modify Tools,Defense Evasion,APT29|MuddyWater|UNC2452|Wizard Spider|FIN6|Gamaredon Group|BRONZE BUTLER|Rocke|Kimsuky|Turla|Night Dragon|Gorgon Group|Lazarus Group|Putter Panda T1562,Impair Defenses,Defense Evasion,no T1003.004,LSA Secrets,Credential Access,OilRig|MuddyWater|menuPass|Leafminer|Ke3chang|Dragonfly 2.0|APT33|Threat Group-3390 T1003.005,Cached Domain Credentials,Credential Access,OilRig|MuddyWater|Leafminer|APT33 T1561.002,Disk Structure Wipe,Impact,Sandworm Team|Lazarus Group|APT38|APT37 T1561.001,Disk Content Wipe,Impact,Lazarus Group T1561,Disk Wipe,Impact,no -T1560.003,Archive via Custom Method,Collection,Lazarus Group|Kimsuky|CopyKittens|FIN6 +T1560.003,Archive via Custom Method,Collection,Mustang Panda|Lazarus Group|Kimsuky|CopyKittens|FIN6 T1560.002,Archive via Library,Collection,Lazarus Group|Threat Group-3390 -T1560.001,Archive via Utility,Collection,APT41|Soft Cell|Turla|Gallmaker|APT33|APT39|MuddyWater|Magic Hound|FIN8|BRONZE BUTLER|CopyKittens|APT3|Sowbug|menuPass|APT1|Ke3chang +T1560.001,Archive via Utility,Collection,APT29|Mustang Panda|HAFNIUM|UNC2452|Fox Kitten|Operation Wocao|Chimera|APT41|GALLIUM|Turla|Gallmaker|APT33|APT39|MuddyWater|Magic Hound|FIN8|BRONZE BUTLER|CopyKittens|Sowbug|APT3|menuPass|APT1|Ke3chang T1560,Archive Collected Data,Collection,menuPass|APT32|Honeybee|Patchwork|APT28|Dragonfly 2.0|FIN6|Lazarus Group|Ke3chang T1499.004,Application or System Exploitation,Impact,no T1499.003,Application Exhaustion Flood,Impact,no T1499.002,Service Exhaustion Flood,Impact,no T1499.001,OS Exhaustion Flood,Impact,no -T1491.002,External Defacement,Impact,no +T1491.002,External Defacement,Impact,Sandworm Team T1491.001,Internal Defacement,Impact,Lazarus Group -T1114.003,Email Forwarding Rule,Collection,no -T1114.002,Remote Email Collection,Collection,APT1|FIN4|APT28|Dragonfly 2.0|Ke3chang|Leafminer -T1114.001,Local 
Email Collection,Collection,Magic Hound|APT1 +T1114.003,Email Forwarding Rule,Collection,Silent Librarian|Kimsuky +T1114.002,Remote Email Collection,Collection,APT29|HAFNIUM|Chimera|UNC2452|APT1|FIN4|Dragonfly 2.0|APT28|Leafminer|Ke3chang +T1114.001,Local Email Collection,Collection,Chimera|Magic Hound|APT1 T1134.005,SID-History Injection,Defense Evasion|Privilege Escalation,no T1134.004,Parent PID Spoofing,Defense Evasion|Privilege Escalation,no T1134.003,Make and Impersonate Token,Defense Evasion|Privilege Escalation,no T1134.002,Create Process with Token,Defense Evasion|Privilege Escalation,Turla|Lazarus Group T1134.001,Token Impersonation/Theft,Defense Evasion|Privilege Escalation,APT28 -T1213.002,Sharepoint,Collection,Ke3chang|APT28 +T1213.002,Sharepoint,Collection,Chimera|Ke3chang|APT28 T1213.001,Confluence,Collection,no -T1555.003,Credentials from Web Browsers,Credential Access,Magic Hound|Sandworm Team|Inception|Stealth Falcon|OilRig|Leafminer|APT33|APT3|Kimsuky|TA505|Stolen Pencil|MuddyWater|APT37|Patchwork|Molerats +T1555.003,Credentials from Web Browsers,Credential Access,Ajax Security Team|ZIRCONIUM|FIN6|Sandworm Team|Inception|Stealth Falcon|OilRig|Leafminer|APT33|APT3|Kimsuky|TA505|Stolen Pencil|MuddyWater|APT37|Patchwork|Molerats T1555.002,Securityd Memory,Credential Access,no T1555.001,Keychain,Credential Access,no -T1559.002,Dynamic Data Exchange,Execution,Sharpshooter|TA505|MuddyWater|Gallmaker|Patchwork|Cobalt Group|APT37|APT28|FIN7 +T1559.002,Dynamic Data Exchange,Execution,Sidewinder|Sharpshooter|TA505|MuddyWater|Gallmaker|Cobalt Group|Patchwork|APT37|APT28|FIN7 T1559.001,Component Object Model,Execution,Gamaredon Group|MuddyWater T1559,Inter-Process Communication,Execution,no T1558.002,Silver Ticket,Credential Access,no T1558.001,Golden Ticket,Credential Access,Ke3chang T1558,Steal or Forge Kerberos Tickets,Credential Access,no -T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,Credential Access|Collection,no -T1557,Man-in-the-Middle,Credential 
Access|Collection,no -T1556.002,Password Filter DLL,Credential Access|Defense Evasion,Strider -T1556.001,Domain Controller Authentication,Credential Access|Defense Evasion,no -T1556,Modify Authentication Process,Credential Access|Defense Evasion,no +T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,Credential Access|Collection,Wizard Spider +T1557,Man-in-the-Middle,Credential Access|Collection,Kimsuky +T1556.002,Password Filter DLL,Credential Access|Defense Evasion|Persistence,Strider +T1556.001,Domain Controller Authentication,Credential Access|Defense Evasion|Persistence,Chimera +T1556,Modify Authentication Process,Credential Access|Defense Evasion|Persistence,no T1056.004,Credential API Hooking,Collection|Credential Access,PLATINUM T1056.003,Web Portal Capture,Collection|Credential Access,no T1056.002,GUI Input Capture,Collection|Credential Access,FIN4 -T1056.001,Keylogging,Collection|Credential Access,APT32|Sandworm Team|APT39|APT41|Kimsuky|menuPass|Stolen Pencil|FIN4|APT38|Ke3chang|OilRig|PLATINUM|Sowbug|Magic Hound|Group5|Lazarus Group|Threat Group-3390|APT3|Darkhotel|APT28 -T1555,Credentials from Password Stores,Credential Access,APT39|OilRig|MuddyWater|Leafminer|APT33|Turla|Stealth Falcon +T1056.001,Keylogging,Collection|Credential Access,Ajax Security Team|Operation Wocao|APT32|Sandworm Team|APT39|APT41|Kimsuky|menuPass|Stolen Pencil|FIN4|APT38|OilRig|Ke3chang|PLATINUM|Sowbug|Magic Hound|Group5|Lazarus Group|Threat Group-3390|APT3|Darkhotel|APT28 +T1555,Credentials from Password Stores,Credential Access,APT29|Evilnum|UNC2452|FIN6|APT39|OilRig|MuddyWater|Leafminer|APT33|Stealth Falcon T1552.005,Cloud Instance Metadata API,Credential Access,no T1003.008,/etc/passwd and /etc/shadow,Credential Access,no T1003.007,Proc Filesystem,Credential Access,no -T1003.006,DCSync,Credential Access,no -T1558.003,Kerberoasting,Credential Access,no +T1003.006,DCSync,Credential Access,APT29|UNC2452|Operation Wocao +T1558.003,Kerberoasting,Credential Access,APT29|UNC2452|Operation 
Wocao|Wizard Spider T1552.006,Group Policy Preferences,Credential Access,APT33 -T1003.003,NTDS,Credential Access,FIN6|Dragonfly 2.0 -T1003.002,Security Account Manager,Credential Access,Threat Group-3390|Ke3chang|Soft Cell|Night Dragon|Dragonfly 2.0|menuPass -T1003.001,LSASS Memory,Credential Access,Sandworm Team|Whitefly|Blue Mockingbird|Silence|Threat Group-3390|Leviathan|APT41|Soft Cell|TEMP.Veles|APT33|APT39|Stolen Pencil|APT32|Lazarus Group|Leafminer|Magic Hound|MuddyWater|PLATINUM|FIN8|BRONZE BUTLER|OilRig|FIN6|APT3|APT28|APT1|Ke3chang|Cleaver -T1110.004,Credential Stuffing,Credential Access,no -T1110.003,Password Spraying,Credential Access,APT33|Leafminer|Lazarus Group -T1110.002,Password Cracking,Credential Access,APT41|Dragonfly 2.0|APT3 -T1110.001,Password Guessing,Credential Access,no -T1021.006,Windows Remote Management,Lateral Movement,Threat Group-3390 -T1021.005,VNC,Lateral Movement,GCMAN -T1021.004,SSH,Lateral Movement,Rocke|TEMP.Veles|Leviathan|APT39|OilRig|menuPass|GCMAN +T1003.003,NTDS,Credential Access,Mustang Panda|HAFNIUM|Fox Kitten|menuPass|Wizard Spider|Chimera|FIN6|Dragonfly 2.0 +T1003.002,Security Account Manager,Credential Access,Wizard Spider|Threat Group-3390|Ke3chang|GALLIUM|Night Dragon|Dragonfly 2.0|menuPass +T1003.001,LSASS Memory,Credential Access,HAFNIUM|Fox Kitten|Operation Wocao|Kimsuky|Sandworm Team|Whitefly|Blue Mockingbird|Silence|Threat Group-3390|Leviathan|APT41|GALLIUM|TEMP.Veles|APT33|APT39|Stolen Pencil|APT32|Leafminer|Magic Hound|Lazarus Group|PLATINUM|FIN8|MuddyWater|BRONZE BUTLER|OilRig|FIN6|APT3|APT28|APT1|Ke3chang|Cleaver +T1110.004,Credential Stuffing,Credential Access,Chimera +T1110.003,Password Spraying,Credential Access,Silent Librarian|Chimera|APT28|APT33|Leafminer|Lazarus Group +T1110.002,Password Cracking,Credential Access,FIN6|APT41|Dragonfly 2.0|APT3 +T1110.001,Password Guessing,Credential Access,APT28 +T1021.006,Windows Remote Management,Lateral Movement,APT29|UNC2452|Chimera|Wizard Spider|Threat 
Group-3390 +T1021.005,VNC,Lateral Movement,Fox Kitten|GCMAN +T1021.004,SSH,Lateral Movement,Fox Kitten|Rocke|TEMP.Veles|Leviathan|APT39|OilRig|menuPass|GCMAN T1021.003,Distributed Component Object Model,Lateral Movement,no -T1021.002,SMB/Windows Admin Shares,Lateral Movement,Blue Mockingbird|APT39|APT32|Orangeworm|FIN8|APT3|Lazarus Group|Threat Group-1314|Turla|Deep Panda|Ke3chang -T1021.001,Remote Desktop Protocol,Lateral Movement,Blue Mockingbird|Wizard Spider|Silence|APT41|TEMP.Veles|Leviathan|APT39|Stolen Pencil|Cobalt Group|Dragonfly 2.0|FIN8|APT3|OilRig|menuPass|FIN10|Patchwork|FIN6|Lazarus Group|APT1|Axiom +T1021.002,SMB/Windows Admin Shares,Lateral Movement,Fox Kitten|APT41|Operation Wocao|Wizard Spider|Chimera|Blue Mockingbird|APT39|APT32|Orangeworm|FIN8|APT3|Lazarus Group|Threat Group-1314|Turla|Deep Panda|Ke3chang +T1021.001,Remote Desktop Protocol,Lateral Movement,Fox Kitten|Chimera|Blue Mockingbird|Wizard Spider|Silence|APT41|TEMP.Veles|Leviathan|APT39|Stolen Pencil|Cobalt Group|Dragonfly 2.0|FIN8|APT3|OilRig|FIN10|menuPass|Patchwork|FIN6|Lazarus Group|APT1|Axiom T1554,Compromise Client Software Binary,Persistence,no T1036.006,Space after Filename,Defense Evasion,no -T1036.005,Match Legitimate Name or Location,Defense Evasion,Rocke|Sandworm Team|APT39|Blue Mockingbird|Whitefly|Tropic Trooper|Silence|APT41|menuPass|TEMP.Veles|MuddyWater|BRONZE BUTLER|Sowbug|APT32|Patchwork|Poseidon Group|admin@338|Carbanak|APT1 -T1036.004,Masquerade Task or Service,Defense Evasion,Wizard Spider|APT-C-36|Carbanak|APT32|FIN6|FIN7 -T1036.003,Rename System Utilities,Defense Evasion,menuPass|APT32|Soft Cell|PLATINUM +T1036.005,Match Legitimate Name or Location,Defense Evasion,APT29|Mustang Panda|Sidewinder|Darkhotel|Lazarus Group|Indrik Spider|UNC2452|Fox Kitten|Machete|Chimera|PROMETHIUM|Rocke|Sandworm Team|APT39|Blue Mockingbird|Whitefly|Tropic Trooper|Silence|APT41|menuPass|TEMP.Veles|MuddyWater|BRONZE BUTLER|Sowbug|APT32|Patchwork|Poseidon Group|admin@338|Carbanak|APT1 
+T1036.004,Masquerade Task or Service,Defense Evasion,ZIRCONIUM|APT29|Higaisa|UNC2452|Fox Kitten|Kimsuky|Lazarus Group|PROMETHIUM|Wizard Spider|APT-C-36|Carbanak|APT32|FIN6|FIN7 +T1036.003,Rename System Utilities,Defense Evasion,menuPass|APT32|GALLIUM T1036.002,Right-to-Left Override,Defense Evasion,BRONZE BUTLER|BlackTech|Ke3chang|Scarlet Mimic -T1036.001,Invalid Code Signature,Defense Evasion,Windshift +T1036.001,Invalid Code Signature,Defense Evasion,Windshift|APT37 T1553.003,SIP and Trust Provider Hijacking,Defense Evasion,no -T1553.002,Code Signing,Defense Evasion,Patchwork|Silence|APT41|FIN6|TA505|FIN7|Honeybee|Leviathan|APT37|CopyKittens|Winnti Group|Suckfly|Molerats|Darkhotel +T1553.002,Code Signing,Defense Evasion,APT29|GALLIUM|UNC2452|Wizard Spider|Kimsuky|PROMETHIUM|Patchwork|Silence|APT41|FIN6|TA505|FIN7|Honeybee|Leviathan|CopyKittens|Winnti Group|Suckfly|Molerats|Darkhotel T1553.001,Gatekeeper Bypass,Defense Evasion,no T1553,Subvert Trust Controls,Defense Evasion,no -T1027.003,Steganography,Defense Evasion,BRONZE BUTLER|Tropic Trooper|MuddyWater|APT37 -T1027.002,Software Packing,Defense Evasion,TA505|Rocke|Soft Cell|The White Company|APT39|APT38|Dark Caracal|Elderwood|APT3|Patchwork|APT29|Night Dragon -T1027.001,Binary Padding,Defense Evasion,Gamaredon Group|Patchwork|APT32|Leviathan|BRONZE BUTLER|Moafee +T1027.003,Steganography,Defense Evasion,TA551|BRONZE BUTLER|Tropic Trooper|MuddyWater|APT37 +T1027.002,Software Packing,Defense Evasion,ZIRCONIUM|Lazarus Group|TA505|Rocke|GALLIUM|The White Company|APT39|APT38|Dark Caracal|Elderwood|APT3|Patchwork|APT29|Night Dragon +T1027.001,Binary Padding,Defense Evasion,Mustang Panda|Higaisa|Gamaredon Group|APT32|Patchwork|Leviathan|BRONZE BUTLER|Moafee T1222.002,Linux and Mac File and Directory Permissions Modification,Defense Evasion,Rocke|APT32 -T1222.001,Windows File and Directory Permissions Modification,Defense Evasion,no -T1552.004,Private Keys,Credential Access,Rocke +T1222.001,Windows File and Directory 
Permissions Modification,Defense Evasion,Wizard Spider +T1552.004,Private Keys,Credential Access,APT29|UNC2452|Operation Wocao|Rocke T1552.003,Bash History,Credential Access,no T1552.002,Credentials in Registry,Credential Access,APT32 -T1552.001,Credentials In Files,Credential Access,Leafminer|APT33|OilRig|TA505|Stolen Pencil|MuddyWater|APT3 +T1552.001,Credentials In Files,Credential Access,Fox Kitten|Leafminer|APT33|OilRig|TA505|Stolen Pencil|MuddyWater|APT3 T1552,Unsecured Credentials,Credential Access,no T1216.001,PubPrn,Defense Evasion,APT32 -T1070.006,Timestomp,Defense Evasion,Rocke|TEMP.Veles|APT32|Lazarus Group|APT28 +T1070.006,Timestomp,Defense Evasion,APT29|UNC2452|Chimera|Kimsuky|Rocke|TEMP.Veles|APT32|Lazarus Group|APT28 T1070.005,Network Share Connection Removal,Defense Evasion,Threat Group-3390 -T1070.004,File Deletion,Defense Evasion,Sandworm Team|Rocke|Tropic Trooper|Gamaredon Group|Wizard Spider|APT41|Kimsuky|Silence|The White Company|TEMP.Veles|APT32|APT38|Patchwork|Honeybee|Cobalt Group|Dragonfly 2.0|menuPass|FIN8|OilRig|FIN5|BRONZE BUTLER|Magic Hound|APT3|FIN10|APT28|Threat Group-3390|Group5|Lazarus Group|APT18|APT29 +T1070.004,File Deletion,Defense Evasion,APT39|Mustang Panda|Chimera|Evilnum|UNC2452|Operation Wocao|FIN6|Sandworm Team|Rocke|Tropic Trooper|Gamaredon Group|Wizard Spider|APT41|Kimsuky|Silence|The White Company|TEMP.Veles|APT32|APT38|Honeybee|Patchwork|Cobalt Group|Dragonfly 2.0|menuPass|FIN8|FIN5|BRONZE BUTLER|OilRig|APT3|Magic Hound|APT28|FIN10|Threat Group-3390|Group5|Lazarus Group|APT18|APT29 T1070.003,Clear Command History,Defense Evasion,APT41 -T1550.004,Web Session Cookie,Defense Evasion|Lateral Movement,no +T1550.004,Web Session Cookie,Defense Evasion|Lateral Movement,APT29|UNC2452 T1550.001,Application Access Token,Defense Evasion|Lateral Movement,APT28 T1550.003,Pass the Ticket,Defense Evasion|Lateral Movement,APT32|BRONZE BUTLER|APT29 -T1550.002,Pass the Hash,Defense Evasion|Lateral Movement,Soft Cell|APT32|Night 
Dragon|APT28|APT1 -T1550,Use Alternate Authentication Material,Defense Evasion|Lateral Movement,no +T1550.002,Pass the Hash,Defense Evasion|Lateral Movement,Chimera|Kimsuky|GALLIUM|APT32|Night Dragon|APT28|APT1 +T1550,Use Alternate Authentication Material,Defense Evasion|Lateral Movement,APT29|UNC2452 T1548.004,Elevated Execution with Prompt,Privilege Escalation|Defense Evasion,no T1548.003,Sudo and Sudo Caching,Privilege Escalation|Defense Evasion,no -T1548.002,Bypass User Access Control,Privilege Escalation|Defense Evasion,APT37|MuddyWater|Honeybee|Cobalt Group|Threat Group-3390|BRONZE BUTLER|Patchwork|APT29 +T1548.002,Bypass User Account Control,Privilege Escalation|Defense Evasion,Evilnum|APT37|MuddyWater|Cobalt Group|Honeybee|Threat Group-3390|BRONZE BUTLER|Patchwork|APT29 T1548.001,Setuid and Setgid,Privilege Escalation|Defense Evasion,no T1548,Abuse Elevation Control Mechanism,Privilege Escalation|Defense Evasion,no T1136.003,Cloud Account,Persistence,no T1070.002,Clear Linux or Mac System Logs,Defense Evasion,Rocke -T1070.001,Clear Windows Event Logs,Defense Evasion,APT41|APT38|Dragonfly 2.0|APT32|FIN8|FIN5|APT28 -T1136.002,Domain Account,Persistence,Soft Cell -T1136.001,Local Account,Persistence,APT39|APT41|Dragonfly 2.0|Leafminer|APT3 +T1070.001,Clear Windows Event Logs,Defense Evasion,Chimera|Operation Wocao|APT41|APT38|APT32|Dragonfly 2.0|FIN8|FIN5|APT28 +T1136.002,Domain Account,Persistence,HAFNIUM|GALLIUM +T1136.001,Local Account,Persistence,Fox Kitten|APT39|APT41|Dragonfly 2.0|Leafminer|APT3 T1547.011,Plist Modification,Persistence|Privilege Escalation,no T1547.010,Port Monitors,Persistence|Privilege Escalation,no T1547.009,Shortcut Modification,Persistence|Privilege Escalation,APT39|Darkhotel|APT29|Gorgon Group|Dragonfly 2.0|Leviathan|Lazarus Group T1547.008,LSASS Driver,Persistence|Privilege Escalation,no T1547.007,Re-opened Applications,Persistence|Privilege Escalation,no T1547.006,Kernel Modules and Extensions,Persistence|Privilege Escalation,no 
-T1547.005,Security Support Provider,Persistence|Privilege Escalation,no -T1547.004,Winlogon Helper DLL,Persistence|Privilege Escalation,Tropic Trooper|Turla +T1547.005,Security Support Provider,Persistence|Privilege Escalation,Lazarus Group +T1547.004,Winlogon Helper DLL,Persistence|Privilege Escalation,Wizard Spider|Tropic Trooper|Turla T1547.003,Time Providers,Persistence|Privilege Escalation,no T1546.014,Emond,Privilege Escalation|Persistence,no T1546.013,PowerShell Profile,Privilege Escalation|Persistence,Turla 
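Review bot: the group rename from `Soft Cell` to `GALLIUM` is applied to every row it touches here (`T1003.002`, `T1003.001`, `T1036.003`, `T1550.002`, `T1136.002`), but nothing in this hunk carries the old name forward, so any analytic story, lookup or saved search in the repo that still filters on `Soft Cell` will stop matching once this CSV is regenerated. Please grep the rest of the content for the old group name before merging, or keep an alias row, and do the same for `Operation Wocao`, which appears as a new group value in `T1003.001`, `T1021.002` and `T1552.004` without a prior entry. The name correction in `T1548.002` (`Bypass User Access Control` to `Bypass User Account Control`) is right, but it is the same class of change: a consumer keyed on the technique name rather than the ID will silently lose that row.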
@@ -236,38 +359,38 @@ T1546.012,Image File Execution Options Injection,Privilege Escalation|Persistenc T1218.008,Odbcconf,Defense Evasion,Cobalt Group T1546.011,Application Shimming,Privilege Escalation|Persistence,FIN7 T1547.002,Authentication Package,Persistence|Privilege Escalation,no -T1546.010,AppInit DLLs,Privilege Escalation|Persistence,no +T1546.010,AppInit DLLs,Privilege Escalation|Persistence,APT39 T1546.009,AppCert DLLs,Privilege Escalation|Persistence,Honeybee -T1218.007,Msiexec,Defense Evasion,TA505|Rancor -T1546.008,Accessibility Features,Privilege Escalation|Persistence,APT41|APT3|APT29|Deep Panda|Axiom +T1218.007,Msiexec,Defense Evasion,ZIRCONIUM|Molerats|Machete|TA505|Rancor +T1546.008,Accessibility Features,Privilege Escalation|Persistence,Fox Kitten|APT41|APT3|APT29|Deep Panda|Axiom T1546.007,Netsh Helper DLL,Privilege Escalation|Persistence,no T1546.006,LC_LOAD_DYLIB Addition,Privilege Escalation|Persistence,no T1546.005,Trap,Privilege Escalation|Persistence,no -T1546.004,.bash_profile and .bashrc,Privilege Escalation|Persistence,no -T1546.003,Windows Management Instrumentation Event Subscription,Privilege Escalation|Persistence,APT33|Blue Mockingbird|Turla|Leviathan|APT29 +T1546.004,Unix Shell Configuration Modification,Privilege Escalation|Persistence,no +T1546.003,Windows Management Instrumentation Event Subscription,Privilege Escalation|Persistence,Mustang Panda|UNC2452|APT33|Blue Mockingbird|Turla|Leviathan|APT29 T1546.002,Screensaver,Privilege Escalation|Persistence,no T1546.001,Change Default File Association,Privilege Escalation|Persistence,Kimsuky -T1547.001,Registry Run Keys / Startup Folder,Persistence|Privilege Escalation,Rocke|Tropic Trooper|Gamaredon Group|Sharpshooter|Molerats|Silence|RTM|Inception|APT41|Machete|Kimsuky|APT33|APT39|APT32|APT18|Turla|Dark Caracal|Cobalt Group|Honeybee|Threat Group-3390|Dragonfly 2.0|Gorgon Group|Ke3chang|APT19|Leviathan|MuddyWater|APT37|BRONZE BUTLER|Magic 
Hound|APT3|FIN10|FIN7|Patchwork|FIN6|Lazarus Group|Putter Panda|APT29|Darkhotel +T1547.001,Registry Run Keys / Startup Folder,Persistence|Privilege Escalation,Windshift|Mustang Panda|ZIRCONIUM|Higaisa|Sidewinder|APT28|Wizard Spider|PROMETHIUM|Rocke|Tropic Trooper|Gamaredon Group|Sharpshooter|Molerats|Silence|RTM|Inception|APT41|Kimsuky|APT33|APT39|APT32|APT18|Dark Caracal|Threat Group-3390|Turla|Honeybee|APT19|Cobalt Group|Ke3chang|Dragonfly 2.0|Gorgon Group|Leviathan|APT37|MuddyWater|BRONZE BUTLER|APT3|Magic Hound|FIN10|FIN7|Patchwork|FIN6|Lazarus Group|Putter Panda|APT29|Darkhotel T1218.002,Control Panel,Defense Evasion,no -T1218.010,Regsvr32,Defense Evasion,Blue Mockingbird|Inception|WIRTE|Cobalt Group|APT19|Leviathan|APT32|Deep Panda +T1218.010,Regsvr32,Defense Evasion,TA551|Blue Mockingbird|Inception|WIRTE|Cobalt Group|APT19|Leviathan|APT32|Deep Panda T1218.009,Regsvcs/Regasm,Defense Evasion,no -T1218.005,Mshta,Defense Evasion,Inception|Kimsuky|APT32|MuddyWater|FIN7 -T1218.004,InstallUtil,Defense Evasion,no -T1218.001,Compiled HTML File,Defense Evasion,APT41|Silence|Lazarus Group|Dark Caracal|OilRig +T1218.005,Mshta,Defense Evasion,Mustang Panda|TA551|Sidewinder|Lazarus Group|Inception|Kimsuky|APT32|MuddyWater|FIN7 +T1218.004,InstallUtil,Defense Evasion,Mustang Panda|menuPass +T1218.001,Compiled HTML File,Defense Evasion,APT41|Silence|Lazarus Group|OilRig|Dark Caracal T1218.003,CMSTP,Defense Evasion,Cobalt Group|MuddyWater -T1218.011,Rundll32,Defense Evasion,APT32|Sandworm Team|Blue Mockingbird|TA505|MuddyWater|APT29|APT19|CopyKittens|APT3|Carbanak|APT28 +T1218.011,Rundll32,Defense Evasion,HAFNIUM|TA551|UNC2452|APT41|Gamaredon Group|APT32|Sandworm Team|Blue Mockingbird|TA505|MuddyWater|APT29|APT19|CopyKittens|APT3|Carbanak|APT28 T1547,Boot or Logon Autostart Execution,Persistence|Privilege Escalation,no T1546,Event Triggered Execution,Privilege Escalation|Persistence,no T1098.003,Add Office 365 Global Administrator Role,Persistence,no -T1098.002,Exchange Email 
Delegate Permissions,Persistence,Magic Hound -T1098.001,Additional Azure Service Principal Credentials,Persistence,no +T1098.002,Exchange Email Delegate Permissions,Persistence,APT29|UNC2452|Magic Hound +T1098.001,Additional Cloud Credentials,Persistence,APT29|UNC2452 T1543.004,Launch Daemon,Persistence|Privilege Escalation,no -T1543.003,Windows Service,Persistence|Privilege Escalation,Blue Mockingbird|DarkVishnya|Wizard Spider|APT32|APT41|Kimsuky|Tropic Trooper|Cobalt Group|Ke3chang|Honeybee|FIN7|Threat Group-3390|APT19|APT3|Lazarus Group|Carbanak +T1543.003,Windows Service,Persistence|Privilege Escalation,PROMETHIUM|Blue Mockingbird|DarkVishnya|Wizard Spider|APT32|APT41|Kimsuky|Tropic Trooper|Cobalt Group|Ke3chang|FIN7|APT19|Threat Group-3390|Honeybee|APT3|Lazarus Group|Carbanak T1543.002,Systemd Service,Persistence|Privilege Escalation,Rocke T1543.001,Launch Agent,Persistence|Privilege Escalation,no T1037.005,Startup Items,Persistence|Privilege Escalation,no -T1037.004,Rc.common,Persistence|Privilege Escalation,no -T1055.012,Process Hollowing,Defense Evasion|Privilege Escalation,Threat Group-3390|menuPass|Gorgon Group|Patchwork +T1037.004,RC Scripts,Persistence|Privilege Escalation,no +T1055.012,Process Hollowing,Defense Evasion|Privilege Escalation,Gorgon Group|Threat Group-3390|menuPass|Patchwork T1055.013,Process Doppelgänging,Defense Evasion|Privilege Escalation,Leafminer T1055.011,Extra Window Memory Injection,Defense Evasion|Privilege Escalation,no T1055.014,VDSO Hijacking,Defense Evasion|Privilege Escalation,no 
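Review bot: the group column is not written in a stable order, so rows appear as modified in this hunk with no change to their contents; `T1055.012` goes from `Threat Group-3390|menuPass|Gorgon Group|Patchwork` to `Gorgon Group|Threat Group-3390|menuPass|Patchwork` and `T1218.001` only swaps `Dark Caracal|OilRig` to `OilRig|Dark Caracal`. Sorting the group list before joining on `|` in the generator would leave only real changes in the diff, which matters here because the substantive edits are easy to miss among the churn: the technique renames in `T1546.004` (`Unix Shell Configuration Modification`), `T1098.001` (`Additional Cloud Credentials`) and `T1037.004` (`RC Scripts`), and the new group attributions such as `APT39` on `T1546.010` and `Fox Kitten` on `T1546.008`.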
@@ -277,7 +400,7 @@ T1055.005,Thread Local Storage,Defense Evasion|Privilege Escalation,no T1055.004,Asynchronous Procedure Call,Defense Evasion|Privilege Escalation,no T1055.003,Thread Execution Hijacking,Defense Evasion|Privilege Escalation,no T1055.002,Portable Executable Injection,Defense Evasion|Privilege Escalation,Rocke|Gorgon Group -T1055.001,Dynamic-link Library Injection,Defense Evasion|Privilege Escalation,TA505|Turla|Tropic Trooper|Lazarus Group|Putter Panda +T1055.001,Dynamic-link Library Injection,Defense Evasion|Privilege Escalation,Wizard Spider|TA505|Turla|Tropic Trooper|Lazarus Group|Putter Panda T1037.003,Network Logon Script,Persistence|Privilege Escalation,no T1543,Create or Modify System Process,Persistence|Privilege Escalation,no T1037.002,Logon Script (Mac),Persistence|Privilege Escalation,no 
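Review bot: the literal `no` used for techniques with no attributed group (for example `T1037.003` and `T1543` in the context lines of this hunk) is indistinguishable from a group actually named `no` once the fourth column is split on `|`, and it will show up as a group value in any enrichment built on this lookup. This is not introduced by the change, but since the whole file is being regenerated it would be cheap to emit an empty field instead and have consumers treat empty as "no group".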
@@ -285,13 +408,13 @@ T1037.001,Logon Script (Windows),Persistence|Privilege Escalation,Cobalt Group|A T1542.003,Bootkit,Persistence|Defense Evasion,APT41|Lazarus Group|APT28 T1542.002,Component Firmware,Persistence|Defense Evasion,Equation T1542.001,System Firmware,Persistence|Defense Evasion,no -T1505.003,Web Shell,Persistence,Tropic Trooper|Soft Cell|Threat Group-3390|TEMP.Veles|Leviathan|APT39|Dragonfly 2.0|APT32|OilRig|Deep Panda +T1505.003,Web Shell,Persistence,Sandworm Team|HAFNIUM|Volatile Cedar|Fox Kitten|Operation Wocao|Kimsuky|Tropic Trooper|GALLIUM|Threat Group-3390|TEMP.Veles|Leviathan|APT39|Dragonfly 2.0|APT32|OilRig|Deep Panda T1505.002,Transport Agent,Persistence,no T1505.001,SQL Stored Procedures,Persistence,no T1053.003,Cron,Execution|Persistence|Privilege Escalation,Rocke T1053.004,Launchd,Execution|Persistence|Privilege Escalation,no T1053.001,At (Linux),Execution|Persistence|Privilege Escalation,no -T1053.005,Scheduled Task,Execution|Persistence|Privilege Escalation,Gamaredon Group|Blue Mockingbird|MuddyWater|Wizard Spider|Frankenstein|APT-C-36|BRONZE BUTLER|APT41|Machete|Soft Cell|Silence|TEMP.Veles|APT33|APT39|Dragonfly 2.0|Patchwork|OilRig|Rancor|Cobalt Group|FIN8|menuPass|FIN10|APT32|FIN7|Stealth Falcon|FIN6|APT3|APT29 +T1053.005,Scheduled Task,Execution|Persistence|Privilege Escalation,Mustang Panda|Higaisa|UNC2452|Fox Kitten|Molerats|Machete|Operation Wocao|Chimera|Gamaredon Group|Blue Mockingbird|MuddyWater|Wizard Spider|Frankenstein|APT-C-36|BRONZE BUTLER|APT41|GALLIUM|Silence|TEMP.Veles|APT33|APT39|Dragonfly 2.0|Rancor|Cobalt Group|OilRig|Patchwork|FIN8|FIN7|menuPass|FIN10|APT32|Stealth Falcon|FIN6|APT3|APT29 T1053.002,At (Windows),Execution|Persistence|Privilege Escalation,BRONZE BUTLER|Threat Group-3390|APT18 T1542,Pre-OS Boot,Defense Evasion|Persistence,no T1137.001,Office Template Macros,Persistence,MuddyWater 
@@ -301,140 +424,141 @@ T1137.005,Outlook Rules,Persistence,no T1137.006,Add-ins,Persistence,Naikon T1137.002,Office Test,Persistence,APT28 T1531,Account Access Removal,Impact,no -T1539,Steal Web Session Cookie,Credential Access,no +T1539,Steal Web Session Cookie,Credential Access,Evilnum T1529,System Shutdown/Reboot,Impact,Lazarus Group|APT38|APT37 -T1518,Software Discovery,Discovery,BRONZE BUTLER|Tropic Trooper|Inception +T1518,Software Discovery,Discovery,Mustang Panda|Windshift|MuddyWater|Windigo|Sidewinder|Operation Wocao|BRONZE BUTLER|Tropic Trooper|Inception +T1547.013,XDG Autostart Entries,Persistence|Privilege Escalation,no T1534,Internal Spearphishing,Lateral Movement,Gamaredon Group T1528,Steal Application Access Token,Credential Access,APT28 T1535,Unused/Unsupported Cloud Regions,Defense Evasion,no -T1525,Implant Container Image,Persistence,no +T1525,Implant Internal Image,Persistence,no T1538,Cloud Service Dashboard,Discovery,no -T1530,Data from Cloud Storage Object,Collection,no +T1530,Data from Cloud Storage Object,Collection,Fox Kitten T1578,Modify Cloud Compute Infrastructure,Defense Evasion,no T1537,Transfer Data to Cloud Account,Exfiltration,no T1526,Cloud Service Discovery,Discovery,no T1505,Server Software Component,Persistence,no -T1499,Endpoint Denial of Service,Impact,no -T1497,Virtualization/Sandbox Evasion,Defense Evasion|Discovery,no -T1498,Network Denial of Service,Impact,no +T1499,Endpoint Denial of Service,Impact,Sandworm Team +T1497,Virtualization/Sandbox Evasion,Defense Evasion|Discovery,Darkhotel +T1498,Network Denial of Service,Impact,APT28 T1496,Resource Hijacking,Impact,Blue Mockingbird|Rocke|APT41|Lazarus Group T1495,Firmware Corruption,Impact,no T1491,Defacement,Impact,no T1490,Inhibit System Recovery,Impact,no -T1489,Service Stop,Impact,Lazarus Group -T1486,Data Encrypted for Impact,Impact,APT41|TA505|APT38 +T1489,Service Stop,Impact,Wizard Spider|Lazarus Group +T1486,Data Encrypted for Impact,Impact,Indrik 
Spider|APT41|TA505|APT38 T1485,Data Destruction,Impact,Sandworm Team|Lazarus Group|APT38 -T1484,Group Policy Modification,Defense Evasion|Privilege Escalation,no -T1482,Domain Trust Discovery,Discovery,Wizard Spider +T1484,Domain Policy Modification,Defense Evasion|Privilege Escalation,no +T1482,Domain Trust Discovery,Discovery,APT29|Chimera|UNC2452 T1480,Execution Guardrails,Defense Evasion,no -T1222,File and Directory Permissions Modification,Defense Evasion,no T1221,Template Injection,Defense Evasion,Gamaredon Group|Frankenstein|Inception|APT28|Tropic Trooper|Dragonfly 2.0|DarkHydrus -T1220,XSL Script Processing,Defense Evasion,Cobalt Group -T1197,BITS Jobs,Defense Evasion|Persistence,Patchwork|APT41|Leviathan -T1217,Browser Bookmark Discovery,Discovery,no -T1213,Data from Information Repositories,Collection,Turla -T1189,Drive-by Compromise,Initial Access,Turla|Windshift|RTM|Darkhotel|APT38|Dragonfly 2.0|BRONZE BUTLER|Leafminer|Dark Caracal|APT19|APT32|Lazarus Group|Threat Group-3390|Elderwood|APT37|Patchwork|PLATINUM -T1203,Exploitation for Client Execution,Execution,Sandworm Team|MuddyWater|Frankenstein|Inception|BlackTech|APT41|admin@338|Threat Group-3390|APT12|The White Company|APT33|APT32|APT28|Tropic Trooper|Lazarus Group|BRONZE BUTLER|Cobalt Group|APT37|Patchwork|Leviathan|Elderwood|TA459|APT29 +T1220,XSL Script Processing,Defense Evasion,Higaisa|Cobalt Group +T1222,File and Directory Permissions Modification,Defense Evasion,no +T1189,Drive-by Compromise,Initial Access,Machete|Windigo|Dragonfly|PROMETHIUM|Turla|Windshift|RTM|Darkhotel|APT38|Lazarus Group|BRONZE BUTLER|Threat Group-3390|Dragonfly 2.0|APT32|Leafminer|APT19|Dark Caracal|Elderwood|Patchwork|PLATINUM|APT37 +T1207,Rogue Domain Controller,Defense Evasion,no +T1199,Trusted Relationship,Initial Access,Sandworm Team|GOLD SOUTHFIELD|APT28|menuPass +T1197,BITS Jobs,Defense Evasion|Persistence,APT39|Patchwork|APT41|Leviathan +T1217,Browser Bookmark Discovery,Discovery,Chimera|Fox Kitten +T1213,Data 
from Information Repositories,Collection,Fox Kitten|FIN6|Turla T1212,Exploitation for Credential Access,Credential Access,no T1211,Exploitation for Defense Evasion,Defense Evasion,APT28 -T1190,Exploit Public-Facing Application,Initial Access,Blue Mockingbird|Rocke|APT39|BlackTech|APT41|Soft Cell|Night Dragon|Axiom -T1210,Exploitation of Remote Services,Lateral Movement,Threat Group-3390|APT28 -T1202,Indirect Command Execution,Defense Evasion,no T1200,Hardware Additions,Initial Access,DarkVishnya -T1201,Password Policy Discovery,Discovery,Turla|OilRig -T1219,Remote Access Software,Command And Control,Sandworm Team|DarkVishnya|RTM|Kimsuky|Night Dragon|Thrip|Cobalt Group|Carbanak -T1207,Rogue Domain Controller,Defense Evasion,no -T1199,Trusted Relationship,Initial Access,APT28|menuPass -T1218,Signed Binary Proxy Execution,Defense Evasion,no +T1202,Indirect Command Execution,Defense Evasion,no +T1201,Password Policy Discovery,Discovery,Chimera|Turla|OilRig +T1190,Exploit Public-Facing Application,Initial Access,Volatile Cedar|UNC2452|Fox Kitten|Operation Wocao|APT28|APT29|GOLD SOUTHFIELD|Blue Mockingbird|Rocke|APT39|BlackTech|APT41|GALLIUM|Night Dragon|Axiom +T1210,Exploitation of Remote Services,Lateral Movement,Fox Kitten|menuPass|Wizard Spider|Threat Group-3390|APT28 +T1219,Remote Access Software,Command And Control,Mustang Panda|MuddyWater|Evilnum|GOLD SOUTHFIELD|Sandworm Team|DarkVishnya|RTM|Kimsuky|Night Dragon|Thrip|Cobalt Group|Carbanak +T1195,Supply Chain Compromise,Initial Access,no T1204,User Execution,Execution,no -T1216,Signed Script Proxy Execution,Defense Evasion,no -T1195,Supply Chain Compromise,Initial Access,Elderwood +T1203,Exploitation for Client Execution,Execution,Mustang Panda|Darkhotel|Higaisa|HAFNIUM|Sidewinder|Sandworm Team|MuddyWater|Frankenstein|Inception|BlackTech|APT41|admin@338|Threat Group-3390|APT12|The White Company|APT33|APT32|APT28|Tropic Trooper|BRONZE BUTLER|Cobalt Group|Lazarus Group|APT29|TA459|APT37|Leviathan|Patchwork|Elderwood 
+T1218,Signed Binary Proxy Execution,Defense Evasion,no T1205,Traffic Signaling,Defense Evasion|Persistence|Command And Control,no +T1216,Signed Script Proxy Execution,Defense Evasion,no T1176,Browser Extensions,Persistence,Kimsuky|Stolen Pencil T1175,Component Object Model and Distributed COM,Lateral Movement|Execution,no -T1187,Forced Authentication,Credential Access,DarkHydrus|Dragonfly 2.0 +T1187,Forced Authentication,Credential Access,Dragonfly 2.0|DarkHydrus T1185,Man in the Browser,Collection,no -T1134,Access Token Manipulation,Defense Evasion|Privilege Escalation,Blue Mockingbird +T1134,Access Token Manipulation,Defense Evasion|Privilege Escalation,FIN6|Blue Mockingbird T1136,Create Account,Persistence,no -T1140,Deobfuscate/Decode Files or Information,Defense Evasion,Rocke|Sandworm Team|Gamaredon Group|Molerats|Frankenstein|Turla|WIRTE|Darkhotel|Tropic Trooper|menuPass|Honeybee|Threat Group-3390|APT19|Gorgon Group|Leviathan|MuddyWater|APT28|OilRig|BRONZE BUTLER T1149,LC_MAIN Hijacking,Defense Evasion,no -T1135,Network Share Discovery,Discovery,APT32|APT39|DarkVishnya|APT41|Tropic Trooper|APT1|Dragonfly 2.0|Sowbug T1137,Office Application Startup,Persistence,Gamaredon Group|APT32 +T1140,Deobfuscate/Decode Files or Information,Defense Evasion,APT39|APT29|ZIRCONIUM|Higaisa|UNC2452|Rocke|Sandworm Team|Gamaredon Group|Molerats|Frankenstein|Turla|WIRTE|Darkhotel|Tropic Trooper|Threat Group-3390|menuPass|Gorgon Group|Honeybee|APT19|Leviathan|MuddyWater|APT28|OilRig|BRONZE BUTLER +T1135,Network Share Discovery,Discovery,Chimera|Operation Wocao|Wizard Spider|APT32|APT39|DarkVishnya|APT41|Tropic Trooper|APT1|Dragonfly 2.0|Sowbug T1153,Source,Execution,no -T1133,External Remote Services,Persistence|Initial Access,Sandworm Team|APT41|Soft Cell|TEMP.Veles|Night Dragon|OilRig|Dragonfly 2.0|Ke3chang|FIN5|Threat Group-3390|APT18 +T1133,External Remote Services,Persistence|Initial Access,APT29|UNC2452|Operation Wocao|Wizard Spider|Kimsuky|GOLD SOUTHFIELD|Chimera|Sandworm 
Team|APT41|GALLIUM|TEMP.Veles|Night Dragon|OilRig|Dragonfly 2.0|Ke3chang|FIN5|Threat Group-3390|APT18 T1132,Data Encoding,Command And Control,no T1129,Shared Modules,Execution,no T1127,Trusted Developer Utilities Proxy Execution,Defense Evasion,no T1125,Video Capture,Collection,Silence|FIN7 -T1124,System Time Discovery,Discovery,The White Company|Lazarus Group|BRONZE BUTLER|Turla +T1124,System Time Discovery,Discovery,Darkhotel|ZIRCONIUM|Higaisa|Sidewinder|Chimera|Operation Wocao|The White Company|Lazarus Group|BRONZE BUTLER|Turla T1123,Audio Capture,Collection,APT37 -T1120,Peripheral Device Discovery,Discovery,Turla|APT37|Gamaredon Group|Equation|APT28 -T1119,Automated Collection,Collection,Tropic Trooper|Frankenstein|APT1|APT28|Patchwork|OilRig|FIN5|Threat Group-3390|FIN6 -T1115,Clipboard Data,Collection,APT39|APT38 -T1114,Email Collection,Collection,no -T1113,Screen Capture,Collection,Gamaredon Group|APT39|Silence|MuddyWater|Dragonfly 2.0|OilRig|Dark Caracal|FIN7|BRONZE BUTLER|Magic Hound|Group5|APT28 -T1112,Modify Registry,Defense Evasion,Gamaredon Group|Blue Mockingbird|Wizard Spider|Silence|APT41|Turla|APT32|APT38|Dragonfly 2.0|APT19|Threat Group-3390|Honeybee|Patchwork|Gorgon Group|FIN8 -T1111,Two-Factor Authentication Interception,Credential Access,no -T1110,Brute Force,Credential Access,DarkVishnya|APT39|OilRig|FIN5|Turla +T1120,Peripheral Device Discovery,Discovery,Operation Wocao|Turla|APT37|Gamaredon Group|Equation|APT28 +T1119,Automated Collection,Collection,Mustang Panda|Sidewinder|Chimera|menuPass|Operation Wocao|Gamaredon Group|Tropic Trooper|Frankenstein|APT1|APT28|Patchwork|OilRig|FIN5|Threat Group-3390|FIN6 +T1115,Clipboard Data,Collection,Operation Wocao|APT39|APT38 +T1114,Email Collection,Collection,Silent Librarian +T1113,Screen Capture,Collection,GOLD SOUTHFIELD|Gamaredon Group|APT39|Silence|MuddyWater|OilRig|Dragonfly 2.0|Dark Caracal|FIN7|BRONZE BUTLER|Magic Hound|Group5|APT28 +T1112,Modify Registry,Defense Evasion,Operation 
Wocao|Kimsuky|Lazarus Group|Gamaredon Group|Blue Mockingbird|Wizard Spider|Silence|APT41|Turla|APT32|APT38|Patchwork|Gorgon Group|Dragonfly 2.0|APT19|Threat Group-3390|Honeybee|FIN8 +T1111,Two-Factor Authentication Interception,Credential Access,Chimera|Operation Wocao +T1110,Brute Force,Credential Access,APT28|Fox Kitten|DarkVishnya|APT39|OilRig|FIN5|Turla T1108,Redundant Access,Defense Evasion|Persistence,no -T1106,Native API,Execution,Gamaredon Group|Tropic Trooper|Sharpshooter|Turla|Silence|Gorgon Group|APT37 -T1105,Ingress Tool Transfer,Command And Control,Sandworm Team|Whitefly|Rocke|APT39|Tropic Trooper|Sharpshooter|Molerats|Frankenstein|Silence|APT-C-36|APT41|Soft Cell|TA505|WIRTE|APT33|MuddyWater|APT18|APT38|Rancor|Cobalt Group|Turla|Gorgon Group|OilRig|Dragonfly 2.0|APT37|FIN8|PLATINUM|Leviathan|Elderwood|Magic Hound|APT3|APT32|BRONZE BUTLER|menuPass|FIN7|Gamaredon Group|Patchwork|Lazarus Group|Threat Group-3390|APT28 +T1106,Native API,Execution,Higaisa|menuPass|Operation Wocao|Chimera|Gamaredon Group|Tropic Trooper|Sharpshooter|Turla|Silence|APT37|Gorgon Group +T1105,Ingress Tool Transfer,Command And Control,HAFNIUM|APT29|Ajax Security Team|Mustang Panda|Windshift|Darkhotel|ZIRCONIUM|TA551|Volatile Cedar|Indrik Spider|Evilnum|Sidewinder|UNC2452|Fox Kitten|Kimsuky|Operation Wocao|Chimera|Sandworm Team|Whitefly|Rocke|APT39|Tropic Trooper|Sharpshooter|Molerats|Frankenstein|Silence|APT-C-36|APT41|GALLIUM|TA505|WIRTE|APT33|MuddyWater|APT18|APT38|Turla|OilRig|Rancor|Cobalt Group|Gorgon Group|Dragonfly 2.0|APT37|Elderwood|Leviathan|FIN8|PLATINUM|Magic Hound|BRONZE BUTLER|APT3|APT32|menuPass|FIN7|Gamaredon Group|Patchwork|Lazarus Group|Threat Group-3390|APT28 T1104,Multi-Stage Channels,Command And Control,APT41|MuddyWater|APT3 -T1102,Web Service,Command And Control,Gamaredon Group|Rocke|Inception|FIN6 +T1102,Web Service,Command And Control,Fox Kitten|Turla|APT32|Gamaredon Group|Rocke|Inception|FIN6 T1098,Account Manipulation,Persistence,APT3|Dragonfly 
2.0|Lazarus Group -T1095,Non-Application Layer Protocol,Command And Control,APT29|PLATINUM|APT3 +T1095,Non-Application Layer Protocol,Command And Control,HAFNIUM|Operation Wocao|FIN6|APT29|PLATINUM|APT3 T1092,Communication Through Removable Media,Command And Control,APT28 -T1091,Replication Through Removable Media,Lateral Movement|Initial Access,Tropic Trooper|Darkhotel|APT28 -T1090,Proxy,Command And Control,Sandworm Team|Blue Mockingbird|Wizard Spider|APT41|Turla -T1087,Account Discovery,Discovery,no -T1083,File and Directory Discovery,Discovery,Gamaredon Group|Tropic Trooper|Inception|APT41|Kimsuky|APT32|MuddyWater|APT18|Leafminer|Honeybee|Dark Caracal|Dragonfly 2.0|Magic Hound|Sowbug|BRONZE BUTLER|APT3|APT28|Patchwork|Lazarus Group|Dust Storm|admin@338|Turla|Ke3chang -T1082,System Information Discovery,Discovery,Rocke|Sandworm Team|Blue Mockingbird|Tropic Trooper|Frankenstein|Inception|Kimsuky|Darkhotel|MuddyWater|APT18|Honeybee|APT19|APT37|APT32|Magic Hound|OilRig|APT3|Sowbug|Gamaredon Group|Patchwork|Stealth Falcon|Lazarus Group|admin@338|Turla|Ke3chang -T1080,Taint Shared Content,Lateral Movement,BRONZE BUTLER|Darkhotel -T1078,Valid Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,Sandworm Team|Wizard Spider|Silence|APT41|Soft Cell|TEMP.Veles|APT39|FIN4|Night Dragon|Dragonfly 2.0|FIN8|Leviathan|APT33|OilRig|FIN5|menuPass|APT28|FIN10|Suckfly|FIN6|Threat Group-3390|APT18|PittyTiger|Carbanak +T1091,Replication Through Removable Media,Lateral Movement|Initial Access,Mustang Panda|Tropic Trooper|Darkhotel|APT28 +T1090,Proxy,Command And Control,Windigo|Fox Kitten|Operation Wocao|Sandworm Team|Blue Mockingbird|APT41|Turla +T1087,Account Discovery,Discovery,APT29|UNC2452 +T1083,File and Directory Discovery,Discovery,APT29|Mustang Panda|Darkhotel|Windigo|Sidewinder|Chimera|UNC2452|Fox Kitten|menuPass|APT39|Sandworm Team|Operation Wocao|Gamaredon Group|Tropic Trooper|Inception|APT41|Kimsuky|APT32|MuddyWater|APT18|Leafminer|Honeybee|Dragonfly 
2.0|Dark Caracal|Sowbug|APT3|Magic Hound|BRONZE BUTLER|APT28|Patchwork|Lazarus Group|Dust Storm|admin@338|Turla|Ke3chang +T1082,System Information Discovery,Discovery,APT29|Mustang Panda|Windshift|ZIRCONIUM|Higaisa|Windigo|Sidewinder|UNC2452|Chimera|Operation Wocao|Wizard Spider|Rocke|Sandworm Team|Blue Mockingbird|Tropic Trooper|Frankenstein|Inception|Kimsuky|Darkhotel|MuddyWater|APT18|APT32|APT37|Honeybee|APT19|Magic Hound|Sowbug|OilRig|APT3|Gamaredon Group|Patchwork|Stealth Falcon|Lazarus Group|admin@338|Turla|Ke3chang +T1080,Taint Shared Content,Lateral Movement,Gamaredon Group|BRONZE BUTLER|Darkhotel +T1078,Valid Accounts,Defense Evasion|Persistence|Privilege Escalation|Initial Access,APT29|Silent Librarian|UNC2452|Fox Kitten|Operation Wocao|Chimera|Sandworm Team|Wizard Spider|Silence|APT41|GALLIUM|TEMP.Veles|APT39|FIN4|Night Dragon|Dragonfly 2.0|APT33|Leviathan|FIN8|OilRig|FIN5|menuPass|APT28|FIN10|Suckfly|FIN6|Threat Group-3390|APT18|PittyTiger|Carbanak T1074,Data Staged,Collection,Wizard Spider T1072,Software Deployment Tools,Execution|Lateral Movement,Silence|APT32|Threat Group-1314 T1071,Application Layer Protocol,Command And Control,Rocke|Magic Hound|Dragonfly 2.0 -T1070,Indicator Removal on Host,Defense Evasion,no -T1069,Permission Groups Discovery,Discovery,TA505|APT3 -T1068,Exploitation for Privilege Escalation,Privilege Escalation,Whitefly|APT33|Cobalt Group|PLATINUM|FIN8|APT32|Threat Group-3390|FIN6|APT28 +T1070,Indicator Removal on Host,Defense Evasion,APT29|UNC2452 +T1069,Permission Groups Discovery,Discovery,APT29|UNC2452|TA505|APT3 +T1068,Exploitation for Privilege Escalation,Privilege Escalation,ZIRCONIUM|Turla|Whitefly|APT33|Cobalt Group|PLATINUM|FIN8|APT32|Threat Group-3390|FIN6|APT28 T1064,Scripting,Defense Evasion|Execution,no T1062,Hypervisor,Persistence,no T1061,Graphical User Interface,Execution,no -T1059,Command and Scripting Interpreter,Execution,APT32|Molerats|Whitefly|Dragonfly 2.0|APT19|FIN7|OilRig|FIN5|Stealth Falcon|FIN6|Ke3chang 
-T1057,Process Discovery,Discovery,Rocke|Frankenstein|Inception|Darkhotel|MuddyWater|APT1|APT38|Tropic Trooper|APT37|Honeybee|OilRig|APT3|Magic Hound|APT28|Winnti Group|Stealth Falcon|Poseidon Group|Lazarus Group|Molerats|Turla|Deep Panda|Ke3chang -T1056,Input Capture,Collection|Credential Access,no -T1055,Process Injection,Defense Evasion|Privilege Escalation,APT32|Sharpshooter|Silence|APT41|Kimsuky|Turla|Cobalt Group|APT37|Honeybee|PLATINUM +T1059,Command and Scripting Interpreter,Execution,Windigo|Fox Kitten|APT32|Whitefly|APT39|Dragonfly 2.0|APT19|FIN7|OilRig|FIN5|Stealth Falcon|FIN6|Ke3chang +T1057,Process Discovery,Discovery,APT29|Mustang Panda|Windshift|Higaisa|Sidewinder|Chimera|UNC2452|Operation Wocao|Rocke|Frankenstein|Inception|Darkhotel|MuddyWater|APT1|APT38|Tropic Trooper|APT37|Honeybee|OilRig|APT3|Magic Hound|APT28|Winnti Group|Stealth Falcon|Poseidon Group|Lazarus Group|Molerats|Turla|Deep Panda|Ke3chang +T1056,Input Capture,Collection|Credential Access,APT39 +T1055,Process Injection,Defense Evasion|Privilege Escalation,Operation Wocao|APT32|Sharpshooter|Silence|APT41|Kimsuky|APT37|Cobalt Group|Turla|Honeybee|PLATINUM T1053,Scheduled Task/Job,Execution|Persistence|Privilege Escalation,no T1052,Exfiltration Over Physical Medium,Exfiltration,no T1051,Shared Webroot,Lateral Movement,no -T1049,System Network Connections Discovery,Discovery,Tropic Trooper|APT41|APT38|Soft Cell|APT32|APT1|OilRig|APT3|menuPass|Threat Group-3390|Poseidon Group|admin@338|Turla|Ke3chang +T1049,System Network Connections Discovery,Discovery,Mustang Panda|MuddyWater|Chimera|Sandworm Team|Operation Wocao|Tropic Trooper|APT41|APT38|GALLIUM|APT32|APT1|APT3|OilRig|menuPass|Threat Group-3390|Poseidon Group|admin@338|Turla|Ke3chang T1048,Exfiltration Over Alternative Protocol,Exfiltration,no -T1047,Windows Management Instrumentation,Execution,Blue Mockingbird|Wizard Spider|Frankenstein|APT41|FIN6|Soft Cell|APT32|MuddyWater|OilRig|Threat Group-3390|FIN8|Leviathan|menuPass|Stealth 
Falcon|Lazarus Group|APT29|Deep Panda -T1046,Network Service Scanning,Discovery,Rocke|DarkVishnya|APT41|Tropic Trooper|APT39|APT32|Leafminer|OilRig|Cobalt Group|menuPass|Suckfly|FIN6|Threat Group-3390 -T1043,Commonly Used Port,Command And Control,Machete|OilRig|APT28|TEMP.Veles|Night Dragon|APT29|APT18|APT19|Dragonfly 2.0|FIN7|FIN8|APT37|Magic Hound|APT3|Lazarus Group|Threat Group-3390 -T1041,Exfiltration Over C2 Channel,Exfiltration,Sandworm Team|MuddyWater|Wizard Spider|Frankenstein|Kimsuky|Soft Cell|APT32|APT3|Gamaredon Group|Stealth Falcon|Lazarus Group|Ke3chang -T1040,Network Sniffing,Credential Access|Discovery,Sandworm Team|DarkVishnya|APT33|Stolen Pencil|APT28 -T1039,Data from Network Shared Drive,Collection,Sowbug|BRONZE BUTLER|menuPass +T1047,Windows Management Instrumentation,Execution,Mustang Panda|Windshift|UNC2452|Operation Wocao|Chimera|Blue Mockingbird|Wizard Spider|Frankenstein|APT41|FIN6|GALLIUM|APT32|MuddyWater|Threat Group-3390|OilRig|FIN8|Leviathan|menuPass|Stealth Falcon|Lazarus Group|APT29|Deep Panda +T1046,Network Service Scanning,Discovery,Chimera|Fox Kitten|Operation Wocao|Rocke|DarkVishnya|APT41|Tropic Trooper|APT39|APT32|Cobalt Group|OilRig|Leafminer|menuPass|Suckfly|FIN6|Threat Group-3390 +T1043,Commonly Used Port,Command And Control,OilRig|APT28|TEMP.Veles|Night Dragon|APT29|APT18|APT19|FIN7|Dragonfly 2.0|FIN8|APT37|APT3|Magic Hound|Lazarus Group|Threat Group-3390 +T1041,Exfiltration Over C2 Channel,Exfiltration,ZIRCONIUM|Higaisa|Chimera|APT39|Operation Wocao|Sandworm Team|MuddyWater|Wizard Spider|Frankenstein|Kimsuky|GALLIUM|APT32|APT3|Gamaredon Group|Stealth Falcon|Lazarus Group|Ke3chang +T1040,Network Sniffing,Credential Access|Discovery,Kimsuky|Sandworm Team|DarkVishnya|APT33|Stolen Pencil|APT28 +T1039,Data from Network Shared Drive,Collection,Chimera|Fox Kitten|Gamaredon Group|BRONZE BUTLER|Sowbug|menuPass T1037,Boot or Logon Initialization Scripts,Persistence|Privilege Escalation,Rocke -T1036,Masquerading,Defense 
Evasion,Windshift|APT32|BRONZE BUTLER|menuPass|Dragonfly 2.0 +T1036,Masquerading,Defense Evasion,APT29|Mustang Panda|ZIRCONIUM|TA551|UNC2452|Windshift|APT32|BRONZE BUTLER|menuPass|PLATINUM|Dragonfly 2.0 T1034,Path Interception,Persistence|Privilege Escalation,no -T1033,System Owner/User Discovery,Discovery,Frankenstein|APT41|Soft Cell|Tropic Trooper|APT39|MuddyWater|APT32|APT37|APT19|Dragonfly 2.0|OilRig|Magic Hound|FIN10|Gamaredon Group|Patchwork|Stealth Falcon|Lazarus Group|APT3 +T1033,System Owner/User Discovery,Discovery,Windshift|ZIRCONIUM|Sidewinder|Chimera|Sandworm Team|Operation Wocao|Wizard Spider|Frankenstein|APT41|GALLIUM|Tropic Trooper|APT39|MuddyWater|Dragonfly 2.0|APT37|APT19|APT32|OilRig|Magic Hound|FIN10|Gamaredon Group|Patchwork|Stealth Falcon|Lazarus Group|APT3 T1030,Data Transfer Size Limits,Exfiltration,Threat Group-3390 -T1029,Scheduled Transfer,Exfiltration,no -T1027,Obfuscated Files or Information,Defense Evasion,Gamaredon Group|Rocke|Sandworm Team|Blue Mockingbird|Whitefly|Molerats|Wizard Spider|Mofang|Frankenstein|Inception|APT-C-36|APT41|Machete|Soft Cell|Turla|TA505|Silence|APT33|Night Dragon|Darkhotel|Gallmaker|APT29|APT18|Tropic Trooper|Cobalt Group|Patchwork|Leafminer|APT37|Threat Group-3390|Honeybee|Dark Caracal|menuPass|APT19|BlackOasis|FIN8|Leviathan|Elderwood|MuddyWater|FIN7|Magic Hound|OilRig|APT3|APT32|Group5|Dust Storm|Lazarus Group|Putter Panda|APT28 +T1029,Scheduled Transfer,Exfiltration,Higaisa +T1027,Obfuscated Files or Information,Defense Evasion,APT39|Mustang Panda|Windshift|TA551|Higaisa|Sidewinder|UNC2452|Fox Kitten|GOLD SOUTHFIELD|Operation Wocao|Kimsuky|FIN6|Chimera|Gamaredon Group|Rocke|Sandworm Team|Blue Mockingbird|Whitefly|Molerats|Wizard Spider|Mofang|Frankenstein|Inception|APT-C-36|APT41|GALLIUM|Turla|TA505|Silence|APT33|Night Dragon|Darkhotel|Gallmaker|APT29|APT18|Tropic Trooper|Cobalt Group|Patchwork|APT37|Honeybee|Dark Caracal|Leafminer|menuPass|Threat 
Group-3390|APT19|BlackOasis|FIN8|FIN7|Elderwood|MuddyWater|Leviathan|Magic Hound|OilRig|APT3|APT32|Group5|Lazarus Group|Dust Storm|Putter Panda|APT28 T1026,Multiband Communication,Command And Control,Lazarus Group -T1025,Data from Removable Media,Collection,Machete|Turla|Gamaredon Group|APT28 +T1025,Data from Removable Media,Collection,Turla|Gamaredon Group|APT28 T1021,Remote Services,Lateral Movement,no -T1020,Automated Exfiltration,Exfiltration,Tropic Trooper|Frankenstein|Honeybee -T1018,Remote System Discovery,Discovery,Sandworm Team|Rocke|Wizard Spider|Silence|Soft Cell|APT39|APT32|Deep Panda|Threat Group-3390|Dragonfly 2.0|Leafminer|Ke3chang|FIN8|APT3|FIN5|BRONZE BUTLER|menuPass|FIN6|Turla -T1016,System Network Configuration Discovery,Discovery,Sandworm Team|Tropic Trooper|Frankenstein|APT41|Soft Cell|APT32|Darkhotel|MuddyWater|APT1|APT19|Dragonfly 2.0|Magic Hound|OilRig|menuPass|Threat Group-3390|Stealth Falcon|Lazarus Group|APT3|Naikon|admin@338|Turla|Ke3chang +T1020,Automated Exfiltration,Exfiltration,Sidewinder|Gamaredon Group|Tropic Trooper|Frankenstein|Honeybee +T1018,Remote System Discovery,Discovery,APT29|UNC2452|Chimera|Fox Kitten|Operation Wocao|Sandworm Team|Rocke|Wizard Spider|Silence|GALLIUM|APT39|APT32|Deep Panda|Dragonfly 2.0|Threat Group-3390|Leafminer|Ke3chang|FIN8|BRONZE BUTLER|FIN5|APT3|menuPass|FIN6|Turla +T1016,System Network Configuration Discovery,Discovery,ZIRCONIUM|Mustang Panda|Higaisa|Sidewinder|Chimera|Operation Wocao|Wizard Spider|Sandworm Team|Tropic Trooper|Frankenstein|APT41|GALLIUM|APT32|Darkhotel|MuddyWater|APT1|APT19|Dragonfly 2.0|OilRig|Magic Hound|menuPass|Threat Group-3390|Stealth Falcon|Lazarus Group|APT3|Naikon|admin@338|Turla|Ke3chang T1014,Rootkit,Defense Evasion,Rocke|APT41|APT28|Winnti Group -T1012,Query Registry,Discovery,APT32|Dragonfly 2.0|Threat Group-3390|OilRig|Stealth Falcon|Lazarus Group|Turla +T1012,Query Registry,Discovery,ZIRCONIUM|Chimera|Fox Kitten|APT39|Operation Wocao|APT32|Threat Group-3390|Dragonfly 
2.0|OilRig|Stealth Falcon|Lazarus Group|Turla T1011,Exfiltration Over Other Network Medium,Exfiltration,no T1010,Application Window Discovery,Discovery,Lazarus Group -T1008,Fallback Channels,Command And Control,APT41|OilRig|Lazarus Group -T1007,System Service Discovery,Discovery,BRONZE BUTLER|APT1|OilRig|Poseidon Group|admin@338|Turla|Ke3chang +T1008,Fallback Channels,Command And Control,Carbanak|APT41|OilRig|Lazarus Group +T1007,System Service Discovery,Discovery,Chimera|Operation Wocao|BRONZE BUTLER|APT1|OilRig|Poseidon Group|admin@338|Turla|Ke3chang T1006,Direct Volume Access,Defense Evasion,no -T1005,Data from Local System,Collection,Gamaredon Group|APT39|Frankenstein|Inception|Kimsuky|Soft Cell|Turla|menuPass|Dark Caracal|Dragonfly 2.0|Honeybee|APT37|APT28|APT3|BRONZE BUTLER|Patchwork|Stealth Falcon|Lazarus Group|Dust Storm|Threat Group-3390|APT1|Ke3chang +T1005,Data from Local System,Collection,APT29|Windigo|UNC2452|Fox Kitten|Sandworm Team|Operation Wocao|FIN6|Gamaredon Group|APT39|Frankenstein|Inception|Kimsuky|GALLIUM|Turla|menuPass|Dragonfly 2.0|Dark Caracal|Honeybee|APT37|APT28|BRONZE BUTLER|APT3|Patchwork|Stealth Falcon|Lazarus Group|Dust Storm|Threat Group-3390|APT1|Ke3chang T1003,OS Credential Dumping,Credential Access,APT39|Frankenstein|APT32|APT28|Leviathan|Sowbug|Suckfly|Poseidon Group|Axiom -T1001,Data Obfuscation,Command And Control,Axiom +T1001,Data Obfuscation,Command And Control,Operation Wocao|Axiom diff --git a/stories/active_directory_password_spraying.yml b/stories/active_directory_password_spraying.yml new file mode 100644 index 0000000000..0b96099ec6 --- /dev/null +++ b/stories/active_directory_password_spraying.yml 
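Review bot: the refreshed row `T1043,Commonly Used Port,Command And Control,...` updates group attributions for a technique ID that ATT&CK has deprecated (its content moved to T1571 Non-Standard Port), and the surrounding context rows `T1064,Scripting`, `T1062,Hypervisor` and `T1061,Graphical User Interface` are deprecated IDs as well, still carried with the `no` placeholder. If this CSV is regenerated from a current ATT&CK bundle, decide whether deprecated techniques should be dropped rather than refreshed, so detections tagged with these IDs are not mapped to entries the framework no longer maintains. The commit message should also call out the data changes a consumer of this file will notice: `GALLIUM` now appears where `Soft Cell` was (T1049, T1047, T1041, T1033, T1027, T1018, T1016, T1005), and `Machete` is removed from T1043, T1027 and T1025.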
@@ -0,0 +1,35 @@ +name: Active Directory Password Spraying +id: 3de109da-97d2-11eb-8b6a-acde48001122 +version: 1 +date: '2021-04-07' +author: Mauricio Velazco, Splunk +type: batch +description: Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments. +narrative: In a password spraying attack, adversaries leverage one or a small list of commonly used / popular passwords against a large volume of usernames to acquire valid account credentials. + Unlike a Brute Force attack that targets a specific user or small group of users with a large number of passwords, password spraying follows the opposite aproach and increases the chances of obtaining valid credentials while avoiding account lockouts. + This allows adversaries to remain undetected if the target organization does not have the proper monitoring and detection controls in place.\ + + Password Spraying can be leveraged by adversaries across different stages in an attack. It can be used to obtain an iniial access to an environment but can also be used + to escalate privileges when access has been already achieved. In some scenarios, this technique capitalizes on a security policy most organizations implement, password rotation. + As enterprise users change their passwords, it is possible some pick predictable, seasonal passwords such as `$CompanyNameWinter`, `Summer2021`, etc.\ + + Specifically, this Analytic Story is focused on detecting possible Password Spraying attacks against Active Directory environments leveraging Windows Event Logs in the + `Account Logon` and `Logon/Logoff` Advanced Audit Policy categories. It presents 9 detection analytics which can aid defenders in identifyng instances where one source + user, source host or source process attempts to authenticate against a target or targets using a high, unsual, number of unique users. 
A user, host or process attempting to authenticate with multiple + users is not common behavior for legitimate systems and should be monitored by security teams. Possible false positive scenarios include but are not limited to + vulnerability scanners, remote administration tools, multi-user systems and missconfigured systems. These should be easily spotted when first implementing the detection and addded to an allow list or lookup table. + The presented detections can also be used in Threat Hunting exercises. +references: +- https://attack.mitre.org/techniques/T1110/003/ +- https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/ +- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn452415(v=ws.11) +tags: + analytic_story: + - Active Directory Password Spraying + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file diff --git a/tests/endpoint/detect_rclone_command_line_usage.test.yml b/tests/endpoint/detect_rclone_command_line_usage.test.yml new file mode 100644 index 0000000000..029bbfe41b --- /dev/null +++ b/tests/endpoint/detect_rclone_command_line_usage.test.yml @@ -0,0 +1,12 @@ +name: Detect RClone Command-Line Usage Unit Test +tests: +- name: Detect RClone Command-Line Usage + file: endpoint/detect_rclone_command_line_usage.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-sysmon.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog \ No newline at end of file 
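Review bot: the `narrative` value ends several paragraphs with a bare backslash (`controls in place.\`, `Summer2021\`, etc.). In an unquoted YAML plain scalar a backslash is a literal character, not a line continuation, so the rendered story text will contain stray `\` characters while the intended paragraph breaks are folded away anyway. Use a block scalar (`narrative: |`) if the breaks matter and drop the backslashes. Spelling in the same block: `aproach`, `iniial`, `unsual`, `identifyng`, `missconfigured`, `addded`. The narrative also states that the story presents 9 detection analytics, while the hunks that follow add 8 `T1110.003` test files; confirm the ninth analytic has a test, or correct the count, before the story ships.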
diff --git a/tests/endpoint/detect_renamed_rclone.test.yml b/tests/endpoint/detect_renamed_rclone.test.yml new file mode 100644 index 0000000000..592b5da53d --- /dev/null +++ b/tests/endpoint/detect_renamed_rclone.test.yml @@ -0,0 +1,12 @@ +name: Detect Renamed RClone Unit Test +tests: +- name: Detect Renamed RClone + file: endpoint/detect_renamed_rclone.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-sysmon.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog \ No newline at end of file diff --git a/tests/endpoint/multiple_disabled_users_failing_to_authenticate_from_host_using_kerberos.test.yml b/tests/endpoint/multiple_disabled_users_failing_to_authenticate_from_host_using_kerberos.test.yml new file mode 100644 index 0000000000..d0f1540cc5 --- /dev/null +++ b/tests/endpoint/multiple_disabled_users_failing_to_authenticate_from_host_using_kerberos.test.yml @@ -0,0 +1,12 @@ +name: Multiple Disabled Users Failing To Authenticate From Host Using Kerberos Unit Test +tests: +- name: Multiple Disabled Users Failing To Authenticate From Host Using Kerberos + file: endpoint/multiple_disabled_users_failing_to_authenticate_from_host_using_kerberos.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-security.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_disabled_users_kerberos/windows-security.log + source: WinEventLog:Security + sourcetype: WinEventLog \ No newline at end of file 
diff --git a/tests/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_kerberos.test.yml b/tests/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_kerberos.test.yml new file mode 100644 index 0000000000..21ab5d03d6 --- /dev/null +++ b/tests/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_kerberos.test.yml @@ -0,0 +1,15 @@ +name: Multiple Invalid Users Failing To Authenticate From Host Using Kerberos Unit Test +tests: +- name: Multiple Invalid Users Failing To Authenticate From Host Using Kerberos + file: endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_kerberos.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-security.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos/windows-security.log + source: WinEventLog:Security + sourcetype: WinEventLog + + + \ No newline at end of file diff --git a/tests/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_ntlm.test.yml b/tests/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_ntlm.test.yml new file mode 100644 index 0000000000..06f44387f7 --- /dev/null +++ b/tests/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_ntlm.test.yml 
@@ -0,0 +1,12 @@ +name: Multiple Invalid Users Failing To Authenticate From Host Using NTLM Unit Test +tests: +- name: Multiple Invalid Users Failing To Authenticate From Host Using NTLM + file: endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_ntlm.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-security.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_ntlm/windows-security.log + source: WinEventLog:Security + sourcetype: WinEventLog \ No newline at end of file diff --git a/tests/endpoint/multiple_users_attempting_to_authenticate_using_explicit_credentials.test.yml b/tests/endpoint/multiple_users_attempting_to_authenticate_using_explicit_credentials.test.yml new file mode 100644 index 0000000000..1f438d0a3a --- /dev/null +++ b/tests/endpoint/multiple_users_attempting_to_authenticate_using_explicit_credentials.test.yml @@ -0,0 +1,12 @@ +name: Multiple Users Attempting To Authenticate Using Explicit Credentials Unit Test +tests: +- name: Multiple Users Attempting To Authenticate Using Explicit Credentials + file: endpoint/multiple_users_attempting_to_authenticate_using_explicit_credentials.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-security.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_explicit_credential_spray/windows-security.log + source: WinEventLog:Security + sourcetype: WinEventLog \ No newline at end of file diff --git a/tests/endpoint/multiple_users_failing_to_authenticate_from_host_using_kerberos.test.yml b/tests/endpoint/multiple_users_failing_to_authenticate_from_host_using_kerberos.test.yml new file mode 100644 index 0000000000..4d91d51ec5 --- /dev/null 
+++ b/tests/endpoint/multiple_users_failing_to_authenticate_from_host_using_kerberos.test.yml @@ -0,0 +1,12 @@ +name: Multiple Users Failing To Authenticate From Host Using Kerberos Unit Test +tests: +- name: Multiple Users Failing To Authenticate From Host Using Kerberos + file: endpoint/multiple_users_failing_to_authenticate_from_host_using_kerberos.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-security.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_kerberos/windows-security.log + source: WinEventLog:Security + sourcetype: WinEventLog \ No newline at end of file diff --git a/tests/endpoint/multiple_users_failing_to_authenticate_from_host_using_ntlm.test.yml b/tests/endpoint/multiple_users_failing_to_authenticate_from_host_using_ntlm.test.yml new file mode 100644 index 0000000000..628a04e034 --- /dev/null +++ b/tests/endpoint/multiple_users_failing_to_authenticate_from_host_using_ntlm.test.yml @@ -0,0 +1,12 @@ +name: Multiple Users Failing To Authenticate From Host Using NTLM Unit Test +tests: +- name: Multiple Users Failing To Authenticate From Host Using NTLM + file: endpoint/multiple_users_failing_to_authenticate_from_host_using_ntlm.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-security.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_valid_users_ntlm/windows-security.log + source: WinEventLog:Security + sourcetype: WinEventLog \ No newline at end of file diff --git a/tests/endpoint/multiple_users_failing_to_authenticate_from_process.test.yml b/tests/endpoint/multiple_users_failing_to_authenticate_from_process.test.yml new file mode 100644 index 0000000000..e3b73b81d6 --- /dev/null 
+++ b/tests/endpoint/multiple_users_failing_to_authenticate_from_process.test.yml @@ -0,0 +1,12 @@ +name: Multiple Users Failing To Authenticate From Process Unit Test +tests: +- name: Multiple Users Failing To Authenticate From Process + file: endpoint/multiple_users_failing_to_authenticate_from_process.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-security.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_multiple_users_from_process/windows-security.log + source: WinEventLog:Security + sourcetype: WinEventLog \ No newline at end of file diff --git a/tests/endpoint/multiple_users_remotely_failing_to_authenticate_from_host.test.yml b/tests/endpoint/multiple_users_remotely_failing_to_authenticate_from_host.test.yml new file mode 100644 index 0000000000..7dc381b88b --- /dev/null +++ b/tests/endpoint/multiple_users_remotely_failing_to_authenticate_from_host.test.yml @@ -0,0 +1,12 @@ +name: Multiple Users Remotely Failing To Authenticate From Host Unit Test +tests: +- name: Multiple Users Remotely Failing To Authenticate From Host + file: endpoint/multiple_users_remotely_failing_to_authenticate_from_host.yml + pass_condition: '| stats count | where count > 0' + earliest_time: '-24h' + latest_time: 'now' + attack_data: + - file_name: windows-security.log + data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_remote_spray/windows-security.log + source: WinEventLog:Security + sourcetype: WinEventLog \ No newline at end of file From 03e516338f1549c90ae05005acf702e3674f25a6 Mon Sep 17 00:00:00 2001 From: tcontreras Date: Thu, 13 May 2021 20:35:56 +0200 Subject: [PATCH 19/38] com_obj --- .../endpoint/cmlua_or_cmstplua_uac_bypass.yml | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) 
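Review bot: every new test uses `pass_condition: '| stats count | where count > 0'`, which only proves the search returned at least one row against the replayed dataset; it does not prove that the row is the spraying source. For the host- and process-keyed searches a regression that makes the analytic fire on every host in the log would still pass. Pin the expected result instead, for example by filtering on the source host or process the detection groups by for that dataset and then checking `count > 0`, or by asserting on the unique-user count the analytic computes. Minor: `multiple_invalid_users_failing_to_authenticate_from_host_using_kerberos.test.yml` ends with three blank lines, and none of the new files end with a newline.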
diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml index 8843771b28..74edf01ce9 100644 --- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml +++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml 
@@ -6,25 +6,16 @@ author: Teoderick Contreras, Splunk type: batch datamodel: - Endpoint -<<<<<<< HEAD description: This search is to detect a potential process using COM Object like CMLUA or CMSTPLUA - to bypassed UAC. This technique used by ransomware to gain administrative privileges to its running process. -search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) + to bypassed UAC. This technique used by ransomware to gain administrative privileges to its running process + to encrypt compromise host. +search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") + NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", "*\\program files\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`' -======= -description: This search is to detect a potential process using COM Object like CMLUA - or CMSTPLUA to bypassed UAC. This technique used by ransomware to gain administrative - privileges to its running process. -search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", - "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) - | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded - process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`' ->>>>>>> 82f9a5f69d687907e6c5b04ca10fcf2458fdf578 how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. 
@@ -34,7 +25,7 @@ references: - https://attack.mitre.org/techniques/T1218/003/ tags: analytic_story: - - DarkSide Ransomware + - darkside kill_chain_phases: - Exploitation mitre_attack_id: From 2db1f87aff0bf927be2d3eb6bfb83969068e33de Mon Sep 17 00:00:00 2001 From: bpatel Date: Thu, 13 May 2021 11:38:40 -0700 Subject: [PATCH 20/38] manifest errors --- detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml index 8843771b28..53d47f3a4a 100644 --- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml +++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml @@ -6,16 +6,6 @@ author: Teoderick Contreras, Splunk type: batch datamodel: - Endpoint -<<<<<<< HEAD -description: This search is to detect a potential process using COM Object like CMLUA or CMSTPLUA - to bypassed UAC. This technique used by ransomware to gain administrative privileges to its running process. -search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) - NOT(Image IN("*\\windows\\*", "*\\program files\\*")) - | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `cmlua_or_cmstplua_uac_bypass_filter`' -======= description: This search is to detect a potential process using COM Object like CMLUA or CMSTPLUA to bypassed UAC. This technique used by ransomware to gain administrative privileges to its running process. 
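Review bot: two problems in this patch. First, the new exclusion `NOT(Image IN("*\\windows\\*", "*\\program files\\*"))` silences any process whose path contains `\windows\`, which includes user-writable locations such as `C:\Windows\Temp` and `C:\Windows\Tasks`, exactly where a dropped loader sits before it elevates through the CMSTPLUA COM object. Narrow the exclusion to the directories that host the legitimate callers (for example `*\\windows\\system32\\*` and `*\\windows\\syswow64\\*`) or gate on the `Signed` field that is already in the `stats ... by` clause, rather than on path alone. Second, the tag hunk changes `analytic_story` from `DarkSide Ransomware` to `darkside`, but the story file is named `DarkSide Ransomware` and the rclone detection later in this series keeps that spelling, so this detection will no longer be linked to the story. Description nits: `to bypassed UAC` should read `to bypass UAC`, and `to encrypt compromise host` should read `to encrypt the compromised host`.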
@@ -24,7 +14,6 @@ search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`' ->>>>>>> 82f9a5f69d687907e6c5b04ca10fcf2458fdf578 how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. From 54a3f8e3a7b495b80e66425f45c006e3eeee7c63 Mon Sep 17 00:00:00 2001 From: tcontreras Date: Thu, 13 May 2021 20:43:54 +0200 Subject: [PATCH 21/38] com --- detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml index a781e80161..c30e2d2cc1 100644 --- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml +++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml 
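Review bot: this commit and [PATCH 19/38] both start from the same blob (`index 8843771b28..`) and resolve the conflict in opposite directions: PATCH 19 keeps the `HEAD` side with the `NOT(Image IN(...))` exclusion, this one deletes the `HEAD` side and keeps the block without it. Only one of the two can apply cleanly on top of the other, and the exclusion then has to be re-added in [PATCH 21/38]. Squash 19 through 21 into a single conflict resolution so the history of `cmlua_or_cmstplua_uac_bypass.yml` does not record a drop-and-redo of the same search logic.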
@@ -9,10 +9,11 @@ datamodel: description: This search is to detect a potential process using COM Object like CMLUA or CMSTPLUA to bypassed UAC. This technique used by ransomware to gain administrative privileges to its running process. -search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", - "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) - | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded - process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` +search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") + NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) + NOT(Image IN("*\\windows\\*", "*\\program files*")) + | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you From b3dd86837de747f40e5fdf5d3e1b59f9888b47d0 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 13 May 2021 19:02:02 +0000 Subject: [PATCH 22/38] Added detection testing service results inCMLUA Or CMSTPLUA UAC Bypass --- detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml index c30e2d2cc1..ec0ede5de9 100644 --- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml +++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml 
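Review bot: `"*\\program files*"` has no trailing backslash while `"*\\windows\\*"` does; if the intent is to cover both `Program Files` and `Program Files (x86)`, say so or list both explicitly, because the asymmetry reads like a typo. The larger concern stands: excluding everything under `\windows\` also excludes `C:\Windows\Temp` and other user-writable subdirectories, so restrict the exclusion to `system32`/`syswow64` or to images with `Signed=true` (the field is already part of the `stats ... by` clause), and mention the exclusion and its rationale in `known_false_positives` so a tuner knows what has been suppressed.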
@@ -9,11 +9,10 @@ datamodel: description: This search is to detect a potential process using COM Object like CMLUA or CMSTPLUA to bypassed UAC. This technique used by ransomware to gain administrative privileges to its running process. -search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") - NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) - NOT(Image IN("*\\windows\\*", "*\\program files*")) - | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId - | `security_content_ctime(firstTime)` +search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", + "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", + "*\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime + by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you From 13af359b6bf202fac9abe820428ee818b7772e3b Mon Sep 17 00:00:00 2001 From: root Date: Thu, 13 May 2021 19:06:14 +0000 Subject: [PATCH 23/38] Added detection testing service results inDetect RClone Command-Line Usage --- .../detect_rclone_command_line_usage.yml | 42 ++++++++++++------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml index c5fbe3f58b..41c1d93444 100644 --- a/detections/endpoint/detect_rclone_command_line_usage.yml +++ b/detections/endpoint/detect_rclone_command_line_usage.yml 
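Review bot: the commit title says detection testing results were added, but the only change in the hunk is a reflow of the `search` string (4 insertions, 5 deletions, no behavioral change). Unlike [PATCH 23/38], no `dataset:` entry and no `automated_detection_testing: passed` line are written back for this detection, so either the test did not run for it or its result was lost; please confirm and record the outcome in the YAML.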
@@ -6,26 +6,35 @@ author: Michael Haag, Splunk type: batch datamodel: - Endpoint -description: This analytic identifies commonly used command-line arguments used by `rclone.exe to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. - In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. - During triage, at this stage of a ransomware event, exfiltration is about to occur or has already. Isolate the endpoint and continue investigating by review file modifications and parallel processes. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime - max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*copy*", "*mega*", "*pcloud*", "*ftp*", "*--config*", "*--progress*", "*--no-check-certificate*", "*--ignore-existing*", "*--auto-confirm*", "*--transfers*", "*--multi-thread-streams*") by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`' +description: This analytic identifies commonly used command-line arguments used by + `rclone.exe to initiate a file transfer. Some arguments were negated as they are + specific to the configuration used by adversaries. In particular, an adversary may + list the files or directories of the remote file share using `ls` or `lsd`, which + is not indicative of malicious behavior. During triage, at this stage of a ransomware + event, exfiltration is about to occur or has already. Isolate the endpoint and continue + investigating by review file modifications and parallel processes. 
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*copy*", + "*mega*", "*pcloud*", "*ftp*", "*--config*", "*--progress*", "*--no-check-certificate*", + "*--ignore-existing*", "*--auto-confirm*", "*--transfers*", "*--multi-thread-streams*") by + Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `detect_rclone_command_line_usage_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. -known_false_positives: There is potential for false positives as these arguments may be used by other applications. Filter or tune the analytic as needed. +known_false_positives: There is potential for false positives as these arguments may + be used by other applications. Filter or tune the analytic as needed. references: - - https://redcanary.com/blog/rclone-mega-extortion/ - - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://redcanary.com/blog/rclone-mega-extortion/ +- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ tags: analytic_story: - DarkSide Ransomware - Ransomware - dataset: [] + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log kill_chain_phases: - Exfiltration mitre_attack_id: 
@@ -36,11 +45,12 @@ tags: - Splunk Cloud required_fields: - _time - - Processes.dest - - Processes.user + - Processes.dest + - Processes.user - Processes.parent_process - Processes.process_name - Processes.process - - Processes.process_id + - Processes.process_id - Processes.parent_process_id - security_domain: endpoint \ No newline at end of file + security_domain: endpoint + automated_detection_testing: passed From 7b32d0f413055fb1d7c72c2af1f36da226a46b35 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 13 May 2021 19:15:05 +0000 Subject: [PATCH 24/38] Added detection testing service results inDetect Renamed RClone --- detections/endpoint/detect_renamed_rclone.yml | 35 ++++++++++++------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/detections/endpoint/detect_renamed_rclone.yml b/detections/endpoint/detect_renamed_rclone.yml index 26ad52ea0a..689472f456 100644 --- a/detections/endpoint/detect_renamed_rclone.yml +++ b/detections/endpoint/detect_renamed_rclone.yml 
@@ -5,26 +5,34 @@ date: '2021-05-13' author: Michael Haag, Splunk type: batch datamodel: [] -description: The following analytic identifies the usage of `rclone.exe`, renamed, being used to exfiltrate data to a remote destination. RClone has been used by multiple ransomware groups to exfiltrate data. In many instances, it will be downloaded from the legitimate site and executed accordingly. - During triage, isolate the endpoint and begin to review parallel processes for additional behavior. At this stage, the adversary may have staged data to be exfiltrated. -search: '`sysmon` EventID=1 OriginalFileName=rclone.exe NOT process_name=rclone.exe | stats - count min(_time) as firstTime max(_time) as lastTime by Computer, User, parent_process_name, - process_name, OriginalFileName, process_path, CommandLine | rename Computer as dest - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`' +description: The following analytic identifies the usage of `rclone.exe`, renamed, + being used to exfiltrate data to a remote destination. RClone has been used by multiple + ransomware groups to exfiltrate data. In many instances, it will be downloaded from + the legitimate site and executed accordingly. During triage, isolate the endpoint + and begin to review parallel processes for additional behavior. At this stage, the + adversary may have staged data to be exfiltrated. +search: '`sysmon` EventID=1 OriginalFileName=rclone.exe NOT process_name=rclone.exe + | stats count min(_time) as firstTime max(_time) as lastTime by Computer, User, + parent_process_name, process_name, OriginalFileName, process_path, CommandLine | + rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `detect_renamed_rclone_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the - Sysmon TA. -known_false_positives: False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case. + Sysmon TA. +known_false_positives: False positives should be limited as this analytic identifies + renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business + use case. references: - - https://redcanary.com/blog/rclone-mega-extortion/ - - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://redcanary.com/blog/rclone-mega-extortion/ +- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ tags: analytic_story: - DarkSide Ransomware - Ransomware - dataset: [] + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1020/windows-sysmon.log kill_chain_phases: - Exfiltration mitre_attack_id: @@ -40,4 +48,5 @@ tags: - process_path - CommandLine - dest - security_domain: endpoint \ No newline at end of file + security_domain: endpoint + automated_detection_testing: passed From 8c175d5af37e074950738ef74438177baa13037e Mon Sep 17 00:00:00 2001 From: root Date: Thu, 13 May 2021 19:15:48 +0000 Subject: [PATCH 25/38] Added detection testing service results inExtract SAM from Registry --- .../endpoint/extract_sam_from_registry.yml | 38 +++++++++++-------- 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/detections/endpoint/extract_sam_from_registry.yml b/detections/endpoint/extract_sam_from_registry.yml index 4da9554ad1..4f84d7050f 100644 --- a/detections/endpoint/extract_sam_from_registry.yml +++ b/detections/endpoint/extract_sam_from_registry.yml 
@@ -6,26 +6,31 @@ author: Michael Haag, Splunk type: batch datamodel: - Endpoint -description: The following analytic identifies the use of `reg.exe` exporting Windows Registry hives containing credentials. - Adversaries may use this technique to export registry hives for offline credential access attacks. Typically found executed from a untrusted process or script. Upon execution, a file will be written to disk. +description: The following analytic identifies the use of `reg.exe` exporting Windows + Registry hives containing credentials. Adversaries may use this technique to export + registry hives for offline credential access attacks. Typically found executed from + a untrusted process or script. Upon execution, a file will be written to disk. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg.exe (Processes.process=*save* OR Processes.process=*export*) AND (Processes.process=*sam* OR Processes.process=*system* OR Processes.process=*security*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id - | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `extract_sam_from_registry_filter`' + as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg.exe + (Processes.process=*save* OR Processes.process=*export*) AND (Processes.process=*sam* + OR Processes.process=*system* OR Processes.process=*security*) by Processes.dest + Processes.user Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `extract_sam_from_registry_filter`' how_to_implement: To successfully implement this search you need to be 
ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. -known_false_positives: It is possible some agent based products will generate false positives. Filter as needed. -references: - - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md +known_false_positives: It is possible some agent based products will generate false + positives. Filter as needed. +references: +- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html +- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md tags: analytic_story: - DarkSide Ransomware - Credential Dumping - dataset: [] + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log kill_chain_phases: - Exploitation mitre_attack_id: @@ -36,11 +41,12 @@ tags: - Splunk Cloud required_fields: - _time - - Processes.dest - - Processes.user + - Processes.dest + - Processes.user - Processes.parent_process - Processes.process_name - Processes.process - - Processes.process_id + - Processes.process_id - Processes.parent_process_id - security_domain: endpoint \ No newline at end of file + security_domain: endpoint + automated_detection_testing: passed From dccb38e8774ab40ee2eef85186836bdbef5bf75d Mon Sep 17 00:00:00 2001 From: mhaag-spl <5632822+MHaggis@users.noreply.github.com> Date: Thu, 13 May 2021 13:34:37 -0600 Subject: [PATCH 26/38] Update slui_spawning_a_process.yml --- detections/endpoint/slui_spawning_a_process.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) 
diff --git a/detections/endpoint/slui_spawning_a_process.yml b/detections/endpoint/slui_spawning_a_process.yml index 9530061d61..40ea23cc4d 100644 --- a/detections/endpoint/slui_spawning_a_process.yml +++ b/detections/endpoint/slui_spawning_a_process.yml @@ -11,11 +11,9 @@ description: The following analytic identifies the Microsoft Software Licensing The `slui.exe` process should not have child processes, and any processes spawning from it will be running with elevated privileges. During triage, review the child process and additional parallel processes. Identify any file modifications that may have lead to the bypass. search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe - (Processes.process_name!=*slui* OR Processes.process_name=!firefox.exe OR Processes.process_name!=chrome.exe OR Processes.process_name!=iexplore.exe OR Processes.process_name!=msedge.exe) by Processes.dest - Processes.user Processes.parent_process Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `slui_spawning_a_process_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from From bab3434e540872c4e6afa257cc16fbde4e627f5d Mon Sep 17 00:00:00 2001 
From: root Date: Thu, 13 May 2021 20:11:55 +0000 Subject: [PATCH 27/38] Added detection testing service results inSLUI Spawning a Process --- .../endpoint/slui_spawning_a_process.yml | 40 +++++++++++-------- 1 file changed, 23 insertions(+), 17 deletions(-) diff --git a/detections/endpoint/slui_spawning_a_process.yml b/detections/endpoint/slui_spawning_a_process.yml index 40ea23cc4d..6317e6f2b8 100644 --- a/detections/endpoint/slui_spawning_a_process.yml +++ b/detections/endpoint/slui_spawning_a_process.yml 
@@ -6,28 +6,33 @@ author: Michael Haag, Splunk type: batch datamodel: - Endpoint -description: The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, spawning a child process. This behavior is associated with publicly known UAC bypass. - `slui.exe` is commonly associated with software updates and is most often spawned by `svchost.exe`. - The `slui.exe` process should not have child processes, and any processes spawning from it will be running with elevated privileges. - During triage, review the child process and additional parallel processes. Identify any file modifications that may have lead to the bypass. +description: The following analytic identifies the Microsoft Software Licensing User + Interface Tool, `slui.exe`, spawning a child process. This behavior is associated + with publicly known UAC bypass. `slui.exe` is commonly associated with software + updates and is most often spawned by `svchost.exe`. The `slui.exe` process should + not have child processes, and any processes spawning from it will be running with + elevated privileges. During triage, review the child process and additional parallel + processes. Identify any file modifications that may have lead to the bypass. 
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `slui_spawning_a_process_filter`' + as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe + by Processes.dest Processes.user Processes.parent_process Processes.process_name + Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_spawning_a_process_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. -known_false_positives: Certain applications may spawn from `slui.exe` that are legitimate. Filtering will be needed to ensure proper monitoring. +known_false_positives: Certain applications may spawn from `slui.exe` that are legitimate. + Filtering will be needed to ensure proper monitoring. 
references: - - https://www.exploit-db.com/exploits/46998 - - https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/ - - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html +- https://www.exploit-db.com/exploits/46998 +- https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/ +- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html tags: analytic_story: - DarkSide Ransomware - Windows Defense Evasion Tactics - dataset: [] + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log kill_chain_phases: - Exploitation mitre_attack_id: @@ -38,11 +43,12 @@ tags: - Splunk Cloud required_fields: - _time - - Processes.dest - - Processes.user + - Processes.dest + - Processes.user - Processes.parent_process - Processes.process_name - Processes.process - - Processes.process_id + - Processes.process_id - Processes.parent_process_id - security_domain: endpoint \ No newline at end of file + security_domain: endpoint + automated_detection_testing: passed From 18ff60e2317e32c4422e91f8159b93d35272e573 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 13 May 2021 20:14:18 +0000 Subject: [PATCH 28/38] Added detection testing service results inSLUI RunAs Elevated --- detections/endpoint/slui_runas_elevated.yml | 41 ++++++++++++--------- 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/detections/endpoint/slui_runas_elevated.yml b/detections/endpoint/slui_runas_elevated.yml index ddd95d9bac..86b9df2f1f 100644 --- a/detections/endpoint/slui_runas_elevated.yml +++ b/detections/endpoint/slui_runas_elevated.yml 
@@ -6,29 +6,35 @@ author: Michael Haag, Splunk type: batch datamodel: - Endpoint -description: The following analytic identifies the Microsoft Software Licensing User Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This particular bypass utilizes a registry key/value. Identified by two sources, the registry keys are `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`. To simulate this behavior, multiple POC are available. - The analytic identifies the use of `runas` by `slui.exe`. +description: The following analytic identifies the Microsoft Software Licensing User + Interface Tool, `slui.exe`, elevating access using the `-verb runas` function. This + particular bypass utilizes a registry key/value. Identified by two sources, the + registry keys are `HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`. + To simulate this behavior, multiple POC are available. The analytic identifies the + use of `runas` by `slui.exe`. 
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=slui.exe - (Processes.process=*-verb* Processes.process=*runas*) by Processes.dest - Processes.user Processes.parent_process Processes.process_name Processes.process - Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `slui_runas_elevated_filter`' + (Processes.process=*-verb* Processes.process=*runas*) by Processes.dest Processes.user + Processes.parent_process Processes.process_name Processes.process Processes.process_id + Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| + `security_content_ctime(lastTime)`| `slui_runas_elevated_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. -known_false_positives: Limited false positives should be present as this is not commonly used by legitimate applications. +known_false_positives: Limited false positives should be present as this is not commonly + used by legitimate applications. 
references: - - https://www.exploit-db.com/exploits/46998 - - https://medium.com/@mattharr0ey/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b - - https://gist.github.com/r00t-3xp10it/0c92cd554d3156fd74f6c25660ccc466 - - https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/ - - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html +- https://www.exploit-db.com/exploits/46998 +- https://medium.com/@mattharr0ey/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b +- https://gist.github.com/r00t-3xp10it/0c92cd554d3156fd74f6c25660ccc466 +- https://www.rapid7.com/db/modules/exploit/windows/local/bypassuac_sluihijack/ +- https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html tags: analytic_story: - DarkSide Ransomware - Windows Defense Evasion Tactics - dataset: [] + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/slui/windows-sysmon.log kill_chain_phases: - Exploitation mitre_attack_id: @@ -39,11 +45,12 @@ tags: - Splunk Cloud required_fields: - _time - - Processes.dest - - Processes.user + - Processes.dest + - Processes.user - Processes.parent_process - Processes.process_name - Processes.process - - Processes.process_id + - Processes.process_id - Processes.parent_process_id - security_domain: endpoint \ No newline at end of file + security_domain: endpoint + automated_detection_testing: passed From 0a5f0acc651378f827b34048d344a200513f028b Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Thu, 13 May 2021 14:33:34 -0600 Subject: [PATCH 29/38] Update cmlua_or_cmstplua_uac_bypass.yml --- detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml index ec0ede5de9..ddf8ffa9ac 100644 --- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml +++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml @@ -6,8 +6,8 @@ author: Teoderick Contreras, Splunk type: batch datamodel: - Endpoint -description: This search is to detect a potential process using COM Object like CMLUA - or CMSTPLUA to bypassed UAC. This technique used by ransomware to gain administrative +description: This analytic detects a potential process using COM Object like CMLUA + or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process. search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", @@ -17,13 +17,14 @@ search: '`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll" how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and imageloaded executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. -known_false_positives: normal windows application that are not on the list loading - this dll. +known_false_positives: Legitimate windows application that are not on the list loading + this dll. Filter as needed. references: - https://attack.mitre.org/techniques/T1218/003/ tags: analytic_story: - - darkside + - DarkSide Ransomware + - Ransomware kill_chain_phases: - Exploitation mitre_attack_id: From d003c79d2f46e468baf87ed906090a98b8820418 Mon Sep 17 00:00:00 2001 From: bpatel Date: Thu, 13 May 2021 13:36:28 -0700 Subject: [PATCH 30/38] search_formatting --- .../endpoint/delete_shadowcopy_with_powershell.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/detections/endpoint/delete_shadowcopy_with_powershell.yml b/detections/endpoint/delete_shadowcopy_with_powershell.yml index a8dbaf0f10..1f6535f072 100644 --- a/detections/endpoint/delete_shadowcopy_with_powershell.yml +++ b/detections/endpoint/delete_shadowcopy_with_powershell.yml @@ -9,11 +9,11 @@ datamodel: description: This search is to detect powershell command to delete shadow copy using wmic powershell module. This technique was seen in darkside ransomware where it will execute a child process powershell to execute an hex encoded command to delete shadow copy. This hex encoded command was able to decrypt by powershell log. -search: '`powershell` EventCode=4104 Message= "*ShadowCopy*" Message = "*Delete*" | - stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `delete_shadowcopy_with_powershell_filter`' +search: '`powershell` EventCode=4104 Message= "*ShadowCopy*" Message = "*Delete*" +| stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| `delete_shadowcopy_with_powershell_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the powershell logs from your endpoints. make sure you enable needed registry to monitor this event. known_false_positives: unknown From 2d22e600c8e638485c26d8fb3cc48a7f9196ef21 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Thu, 13 May 2021 14:39:11 -0600 Subject: [PATCH 31/38] Update delete_shadowcopy_with_powershell.yml --- .../endpoint/delete_shadowcopy_with_powershell.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) 
diff --git a/detections/endpoint/delete_shadowcopy_with_powershell.yml b/detections/endpoint/delete_shadowcopy_with_powershell.yml index 1f6535f072..d16f7441d3 100644 --- a/detections/endpoint/delete_shadowcopy_with_powershell.yml +++ b/detections/endpoint/delete_shadowcopy_with_powershell.yml @@ -6,9 +6,9 @@ author: Teoderick Contreras, Splunk type: batch datamodel: - Endpoint -description: This search is to detect powershell command to delete shadow copy using wmic powershell module. - This technique was seen in darkside ransomware where it will execute a child process powershell to execute an hex encoded - command to delete shadow copy. This hex encoded command was able to decrypt by powershell log. +description: This following analytic detects PowerShell command to delete shadow copy using the WMIC PowerShell module. + This technique was seen used by a recent adversary to deploy DarkSide Ransomware where it executed a child process of PowerShell to execute a hex encoded + command to delete shadow copy. This hex encoded command was able to be decrypted by PowerShell log. search: '`powershell` EventCode=4104 Message= "*ShadowCopy*" Message = "*Delete*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` @@ -19,6 +19,7 @@ how_to_implement: To successfully implement this search, you need to be ingestin known_false_positives: unknown references: - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html +- https://searchwindowsserver.techtarget.com/tutorial/Set-up-PowerShell-script-block-logging-for-added-security tags: analytic_story: - DarkSide Ransomware @@ -36,4 +37,4 @@ tags: - Message - ComputerName - User - security_domain: endpoint \ No newline at end of file + security_domain: endpoint From 7c15ac9730e6cc4c8a88b7856b9b3cde92cc068f Mon Sep 17 00:00:00 2001 
From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Thu, 13 May 2021 14:39:55 -0600 Subject: [PATCH 32/38] Update detect_rclone_command_line_usage.yml --- detections/endpoint/detect_rclone_command_line_usage.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml index 41c1d93444..f2148ebe09 100644 --- a/detections/endpoint/detect_rclone_command_line_usage.yml +++ b/detections/endpoint/detect_rclone_command_line_usage.yml @@ -18,7 +18,10 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime "*mega*", "*pcloud*", "*ftp*", "*--config*", "*--progress*", "*--no-check-certificate*", "*--ignore-existing*", "*--auto-confirm*", "*--transfers*", "*--multi-thread-streams*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + Processes.parent_process_id + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from From 1acad6953e802ea3f9f9cb64f5feb838f8798090 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Thu, 13 May 2021 14:40:25 -0600 Subject: [PATCH 33/38] Update detect_rclone_command_line_usage.yml --- detections/endpoint/detect_rclone_command_line_usage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml index f2148ebe09..7be4dd0dea 100644 
--- a/detections/endpoint/detect_rclone_command_line_usage.yml +++ b/detections/endpoint/detect_rclone_command_line_usage.yml @@ -7,7 +7,7 @@ type: batch datamodel: - Endpoint description: This analytic identifies commonly used command-line arguments used by - `rclone.exe to initiate a file transfer. Some arguments were negated as they are + `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not indicative of malicious behavior. During triage, at this stage of a ransomware From 2d0c62921c73686908dc87cac82296ac13923ed1 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Thu, 13 May 2021 14:41:54 -0600 Subject: [PATCH 34/38] Update detect_renamed_rclone.yml --- detections/endpoint/detect_renamed_rclone.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/detections/endpoint/detect_renamed_rclone.yml b/detections/endpoint/detect_renamed_rclone.yml index 689472f456..e6f10f60b1 100644 --- a/detections/endpoint/detect_renamed_rclone.yml +++ b/detections/endpoint/detect_renamed_rclone.yml 
@@ -14,7 +14,9 @@ description: The following analytic identifies the usage of `rclone.exe`, rename search: '`sysmon` EventID=1 OriginalFileName=rclone.exe NOT process_name=rclone.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, User, parent_process_name, process_name, OriginalFileName, process_path, CommandLine | - rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + rename Computer as dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your From eac3adc300e95151e1e24146b9eb943876125d22 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Thu, 13 May 2021 14:43:12 -0600 Subject: [PATCH 35/38] Update slui_runas_elevated.yml --- detections/endpoint/slui_runas_elevated.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/slui_runas_elevated.yml b/detections/endpoint/slui_runas_elevated.yml index 86b9df2f1f..6958a8b244 100644 --- a/detections/endpoint/slui_runas_elevated.yml +++ b/detections/endpoint/slui_runas_elevated.yml 
@@ -16,8 +16,11 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime as lastTime from datamodel=Endpoint.Processes where Processes.process_name=slui.exe (Processes.process=*-verb* Processes.process=*runas*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id - Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)`| `slui_runas_elevated_filter`' + Processes.parent_process_id + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `slui_runas_elevated_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. From 9a7ac4edf80cb5551670a4a055e1fc0c97dd4e11 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Thu, 13 May 2021 14:44:05 -0600 Subject: [PATCH 36/38] Update slui_spawning_a_process.yml --- detections/endpoint/slui_spawning_a_process.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/slui_spawning_a_process.yml b/detections/endpoint/slui_spawning_a_process.yml index 6317e6f2b8..e2e2b4b8c2 100644 --- a/detections/endpoint/slui_spawning_a_process.yml +++ b/detections/endpoint/slui_spawning_a_process.yml 
@@ -16,8 +16,11 @@ description: The following analytic identifies the Microsoft Software Licensing search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=slui.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name - Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `slui_spawning_a_process_filter`' + Processes.process Processes.process_id Processes.parent_process_id + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `slui_spawning_a_process_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node. From 888aae21d3f5f9f047ae997a4e2eb020860df951 Mon Sep 17 00:00:00 2001 From: bpatel Date: Thu, 13 May 2021 14:22:07 -0700 Subject: [PATCH 37/38] moving to experimental --- .../delete_shadowcopy_with_powershell.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename detections/{endpoint => experimental}/delete_shadowcopy_with_powershell.yml (100%) diff --git a/detections/endpoint/delete_shadowcopy_with_powershell.yml b/detections/experimental/delete_shadowcopy_with_powershell.yml similarity index 100% rename from detections/endpoint/delete_shadowcopy_with_powershell.yml rename to detections/experimental/delete_shadowcopy_with_powershell.yml From a55a6bff0acaafcc856d18b10cf641e39332e0c1 Mon Sep 17 00:00:00 2001 
From: bpatel Date: Thu, 13 May 2021 14:26:55 -0700 Subject: [PATCH 38/38] delete test file --- .../delete_shadowcopy_with_powershell.test.yml | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 tests/endpoint/delete_shadowcopy_with_powershell.test.yml diff --git a/tests/endpoint/delete_shadowcopy_with_powershell.test.yml b/tests/endpoint/delete_shadowcopy_with_powershell.test.yml deleted file mode 100644 index 0d7d2a2e00..0000000000 --- a/tests/endpoint/delete_shadowcopy_with_powershell.test.yml +++ /dev/null @@ -1,12 +0,0 @@ -name: Delete ShadowCopy With PowerShell Unit Test -tests: -- name: Delete ShadowCopy With PowerShell - file: endpoint/delete_shadowcopy_with_powershell.yml - pass_condition: '| stats count | where count > 0' - earliest_time: '-7d' - latest_time: 'now' - attack_data: - - file_name: windows-powershell.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/shadowcopy_del/windows-powershell.log - source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational - sourcetype: wineventlog \ No newline at end of file
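Review bot: in detect_renamed_rclone.yml the search keys on `EventID=1`, while the other Sysmon search in this series (cmlua_or_cmstplua_uac_bypass.yml) uses `EventCode=7`; confirm the Sysmon TA version named in how_to_implement (6.0.4) extracts `EventID`, or use the same field as the rest of the repository so the `sysmon` macro behaves consistently. The match also depends on the `OriginalFileName` PE version resource being intact: a copy with the version info stripped or edited will not match, which is why the command-line analytic should run alongside this one and should be mentioned in known_false_positives as a coverage gap rather than a false-positive source. Since `OriginalFileName` only appears in Sysmon process-creation events from Sysmon 10 onward, how_to_implement should state the minimum Sysmon version, not only the TA version.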
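Review bot: in extract_sam_from_registry.yml the hive terms are loose substrings of the whole command line, and `Processes.process` includes the image path, so whenever reg.exe is invoked by full path (`C:\Windows\System32\reg.exe save ...`) the `*system*` term is satisfied by "System32" alone and the analytic collapses to "reg.exe with save or export"; `reg export HKLM\SYSTEM\CurrentControlSet\Services\...` from an administration script matches as readily as `reg save hklm\sam`. Anchoring on the hive roots (`*hklm\sam*`, `*hklm\system*`, `*hklm\security*` plus the `HKEY_LOCAL_MACHINE\...` long forms) would remove most of the agent-based false positives the known_false_positives line mentions. Grammar in the description: "from a untrusted process" should be "from an untrusted process".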
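Review bot: the exclusion clause removed from slui_spawning_a_process.yml in PATCH 26 was a tautology, so dropping it changes no results: `(Processes.process_name!=*slui* OR Processes.process_name=!firefox.exe OR Processes.process_name!=chrome.exe ...)` is true for every process name, because any value satisfies at least one of the inequalities, and `=!firefox.exe` is a typo that compares against the literal string "!firefox.exe". If the intent was to suppress the browsers listed there, write it as `NOT Processes.process_name IN ("firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe")` or put them in the `slui_spawning_a_process_filter` macro; otherwise say in known_false_positives that browser children of slui.exe are expected. The commit message "Update slui_spawning_a_process.yml" should record why the clause went away.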
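Review bot: grammar in the slui_spawning_a_process.yml description as rewrapped in PATCH 27: "associated with publicly known UAC bypass" should be "associated with a publicly known UAC bypass", and "file modifications that may have lead to the bypass" should be "may have led to the bypass". The claim that "any processes spawning from it will be running with elevated privileges" holds only when slui.exe itself auto-elevated, which is the case the bypass relies on; stating that condition makes the triage guidance more precise.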
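Review bot: in slui_runas_elevated.yml, verify against the T1548.002/slui dataset that `-verb runas` really appears in slui.exe's own command line. If the simulation requests elevation through PowerShell's `Start-Process ... -Verb runas`, the verb is an argument of the PowerShell parent and the slui.exe process record carries only its own path, in which case the condition belongs on `Processes.parent_process` rather than `Processes.process`. The description also names the registry values the bypass depends on (`HKCU\Software\Classes\exefile\shell` and `HKCU\Software\Classes\launcher.Systemsettings\Shell\open\command`), but the Processes datamodel cannot see registry writes; either add a companion Registry datamodel search or reword the description so it does not suggest those keys are what this analytic detects. Minor: "multiple POC are available" should be "multiple POCs are available".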
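Review bot: the description in cmlua_or_cmstplua_uac_bypass.yml still reads awkwardly after this edit: "a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC ... to gain administrative privileges to its running process" should be something like "a process loading the CMLUA or CMSTPLUA COM elevation DLLs to bypass UAC and run with administrative privileges", and known_false_positives "Legitimate windows application that are not on the list loading this dll" needs number agreement ("Legitimate Windows applications not on the exclusion list that load these DLLs"). Because the analytic describes a UAC bypass, `mitre_attack_id` should carry T1548.002 in addition to the T1218.003 reference; the slui datasets in this same series are filed under T1548.002. Unlike the other analytics in the series, this hunk adds the DarkSide Ransomware story tag without a `dataset` entry or an `automated_detection_testing` result; add the dataset or note that testing is pending.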
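Review bot: delete_shadowcopy_with_powershell.yml filters on `Message`, but the unit test that PATCH 38 deletes fed it `source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational`, where the script text of a 4104 event is extracted as `ScriptBlockText`; confirm `Message` is populated for that sourcetype, otherwise match `ScriptBlockText` so the search works on XML-rendered logs. The how_to_implement line "make sure you enable needed registry to monitor this event" should name what is required, namely PowerShell Script Block Logging, which is what produces EventCode 4104, and the description's "wmic powershell module" presumably means the Win32_ShadowCopy WMI class invoked from PowerShell rather than the separate wmic.exe utility. known_false_positives "unknown" is too thin for a `*ShadowCopy*` plus `*Delete*` substring match, since backup tooling and administrators' cleanup scripts can issue the same calls; that is probably why PATCH 37 moves the analytic to experimental, but neither that commit message nor PATCH 38 records the reason. The test's `file: endpoint/delete_shadowcopy_with_powershell.yml` pointer would have broken after the rename; updating it to the experimental path keeps the test and the attack_data link so the analytic can be promoted back with evidence, rather than deleting them.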