Process

Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures[1]

ID: DS0009
Platforms: Android, Linux, Windows, iOS, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.1
Created: 20 October 2021
Last Modified: 20 April 2023

Data Components

Process: OS API Execution

Operating system function/method calls executed by a process

Process: OS API Execution

Operating system function/method calls executed by a process

Domain ID Name Detects
Enterprise T1548 Abuse Elevation Control Mechanism

Also look for any process API calls for behavior that may be indicative of Process Injection. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.

.004 Elevated Execution with Prompt

Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.

Enterprise T1134 Access Token Manipulation

Monitor for API calls, loaded by a payload, for token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. There are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., LogonUser [2], DuplicateTokenEx[3], and ImpersonateLoggedOnUser[4]). Please see the referenced Windows API pages for more information.

.001 Token Impersonation/Theft

Monitor for API calls associated with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators, such as DuplicateToken(Ex), ImpersonateLoggedOnUser , and SetThreadToken.

.002 Create Process with Token

Monitor for API calls associated with detecting token manipulation only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior. Analysts can also monitor for use of Windows APIs such as CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.

.003 Make and Impersonate Token

Monitor for API calls associated with detecting token manipulation only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior, such as LogonUser and SetThreadToken. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators

.004 Parent PID Spoofing

Monitor for API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information[5]). Malicious use of CreateProcess/CreateProcessA may also be proceeded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes.[6]This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible.

.005 SID-History Injection

Monitor for API calls, such as PowerShell's Get-ADUser cmdlet or Windows API DsAddSidHistory function, to examine data in user’s SID-History attributes, especially users who have SID-History values from the same domain.

Enterprise T1087 .001 Account Discovery: Local Account

Monitor for API calls (such as NetUserEnum()) that may attempt to gather local accounts information such as type of user, privileges and groups.

.002 Account Discovery: Domain Account

Monitor for API calls that may attempt to gather information about domain accounts such as type of user, privileges and groups.

Enterprise T1010 Application Window Discovery

Monitor for API calls (such as GetForegroundWindow()) that may attempt to get a listing of open application windows. GetForegroundWindow api returns a handle to the foreground window (the window with which the user is currently working). Other API calls relevant to Local Group discovery include GetProcesses and GetForegroundWindow. GetProcesses api returns an array of type Process that represents all the process resources running on the local computer.

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary.

Enterprise T1123 Audio Capture

Monitor for API calls associated with leveraging a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.

Enterprise T1547 Boot or Logon Autostart Execution

Monitor for API calls that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

.010 Port Monitors

Monitor process API calls to AddMonitor.[7]

.012 Print Processors

Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory.

Enterprise T1115 Clipboard Data

Monitor API calls that could collect data stored in the clipboard from users copying information within or between applications.

Enterprise T1059 .002 Command and Scripting Interpreter: AppleScript

Monitor for execution of AppleScript through osascript and usage of the NSAppleScript and OSAScript APIs that may be related to other suspicious behavior occurring on the system.

Enterprise T1543 Create or Modify System Process

Monitor for API calls that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence.

.003 Windows Service

Monitor for API calls that may create or modify Windows services (ex: CreateServiceW()) to repeatedly execute malicious payloads as part of persistence.

Enterprise T1555 Credentials from Password Stores

Monitor for API calls that may search for common password storage locations to obtain user credentials.

.001 Keychain

Monitor for Keychain Services API calls, specifically legacy extensions such as SecKeychainFindInternetPassword, that may collect Keychain data from a system to acquire credentials.[8]

.003 Credentials from Web Browsers

Monitor for API calls that may acquire credentials from web browsers by reading files specific to the target browser.[9]

.004 Windows Credential Manager

Consider monitoring API calls such as CredEnumerateA that may list credentials from the Windows Credential Manager.[10][11]

.005 Password Managers

Monitor for API calls that may search for common password storage locations to obtain user credentials.

Enterprise T1005 Data from Local System

Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

ICS T0893 Data from Local System

Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data.

Enterprise T1565 Data Manipulation

Monitor for API calls associated with altering data. Remote access tools with built-in features may interact directly with the Windows API to gather information.

.002 Transmitted Data Manipulation

Monitor for API calls associated with altering data. Remote access tools with built-in features may interact directly with the Windows API to gather information.

.003 Runtime Data Manipulation

Monitor for API calls associated with altering data. Remote access tools with built-in features may interact directly with the Windows API to gather information.

Enterprise T1622 Debugger Evasion

Monitor for API calls (such as IsDebuggerPresent()) that may employ various means to detect and avoid debugged environments. Detecting actions related to debugger identification may be difficult depending on the adversary's implementation and monitoring required.

Enterprise T1652 Device Driver Discovery

Monitor for API calls (such as EnumDeviceDrivers()) that may attempt to gather information about local device drivers.

Enterprise T1482 Domain Trust Discovery

Monitor for API calls associated with gathering information on domain trust relationships that may be used to identify lateral movement like DSEnumerateDomainTrusts() Win32 API call to spot activity associated with Domain Trust Discovery.[12] Information may also be acquired through Windows system management tools such as PowerShell. The .NET method GetAllTrustRelationships() can be an indicator of Domain Trust Discovery.[13]

Enterprise T1611 Escape to Host

Monitor for unexpected usage of syscalls such as mount that may indicate an attempt to escape from a privileged container to host.

Enterprise T1546 .009 Event Triggered Execution: AppCert DLLs

Monitor and analyze application programming interface (API) calls that are indicative of Registry edits, such as RegCreateKeyEx and RegSetValueEx. [14]

.010 Event Triggered Execution: AppInit DLLs

Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. [14]

ICS T0871 Execution through API

Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.

Enterprise T1083 File and Directory Discovery

Monitor for API calls that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

Enterprise T1564 Hide Artifacts

Monitor for API calls that may attempt to hide artifacts associated with their behaviors to evade detection.

.004 NTFS File Attributes

Monitor calls to the ZwSetEaFile and ZwQueryEaFile Windows API functions as well as binaries used to interact with EA, [15] [16] and consider regularly scanning for the presence of modified information. [17]

Enterprise T1574 .013 Hijack Execution Flow: KernelCallbackTable

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances. for known bad sequence of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as WriteProcessMemory() and NtQueryInformationProcess() with the parameter set to ProcessBasicInformation may be used for this technique.[18]

ICS T0874 Hooking

Monitor for API calls that can be used to install a hook procedure, such as the SetWindowsHookEx and SetWinEventHook functions.[19][20] Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools[20][21][22] or by programmatically examining internal kernel structures.[23][24]

Enterprise T1562 Impair Defenses

Monitor for the abnormal execution of API functions associated with system logging.

.012 Disable or Modify Linux Audit System

Monitor for abnormal execution of syslog and other functions associated with system logging.

Enterprise T1070 Indicator Removal

Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

.001 Clear Windows Event Logs

Monitor for Windows API calls that may clear Windows Event Logs to hide the activity of an intrusion.

ICS T0872 Indicator Removal on Host

Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

Enterprise T1056 Input Capture

Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState [25]

.001 Keylogging

Monitor for API calls to the SetWindowsHook, GetKeyState, and GetAsyncKeyState.[25] and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.

.004 Credential API Hooking

Monitor for API calls to the SetWindowsHookEx and SetWinEventHook functions, which install a hook procedure.[19][20] Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools[20][21][22] or by programmatically examining internal kernel structures.[23][24]

Enterprise T1036 Masquerading

Monitor for API calls such as fork() which can be abused to masquerade or manipulate process metadata.

.009 Break Process Trees

Monitor for API calls such as fork() which can be abused to masquerade or manipulate process metadata.

Enterprise T1556 Modify Authentication Process

Monitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).[26]

Monitor for abnormal API calls to NPLogonNotify() that may highlight malicious network provider DLLs.[27]

.001 Domain Controller Authentication

Monitor for API calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller

.008 Network Provider DLL

Monitor for abnormal API calls to NPLogonNotify().[27]

Enterprise T1112 Modify Registry

Monitor for API calls associated with concealing Registry keys, such as Reghide. [28] Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns [29] and RegDelNull [30]. Other API calls relevant to Registry Modification include RegOpenKeyExA, RegCreateKeyExA, RegDeleteKeyExA, RegDeleteValueExA, RegEnumKeyExA, RegEnumValueExA, among others.

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary.

Enterprise T1111 Multi-Factor Authentication Interception

Monitor for API calls associated with polling to intercept keystrokes.

Enterprise T1106 Native API

Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient.

ICS T0834 Native API

Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.

ICS T0840 Network Connection Enumeration

Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. For added context on adversary procedures and background see System Network Configuration Discovery and System Network Connections Discovery.

Enterprise T1135 Network Share Discovery

Monitor for API calls that may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.

Enterprise T1027 Obfuscated Files or Information

Monitor and analyze calls to functions such as GetProcAddress() that are associated with malicious code obfuscation.[31]

.007 Dynamic API Resolution

Monitor and analyze calls to functions such as GetProcAddress() and LoadLibrary() that are associated with dynamically loading API functions.[31]

Enterprise T1003 OS Credential Dumping

Monitor for API calls that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.

.001 LSASS Memory

Monitor for API calls that may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). OS API calls associated with LSASS process dumping include OpenProcess and MiniDumpWriteDump. Execution of these functions might trigger security log ids such as 4663 (Microsoft Security Auditing) and 10 (Microsoft Sysmon)

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary.

Enterprise T1120 Peripheral Device Discovery

Monitor for API calls that may attempt to gather information about attached peripheral devices and components connected to a computer system.

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Monitor for API calls associated with finding local system groups and permission settings, such as NetLocalGroupEnum. Other API calls relevant to Local Group discovery include NetQueryDisplayInformation and NetGetDisplayInformationIndex.

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary.

.002 Permission Groups Discovery: Domain Groups

Monitor for API calls associated with finding domain-level groups and permission settings, such as NetGroupEnum. Other API calls relevant to Domain Group discovery include NetQueryDisplayInformation and NetGetDisplayInformationIndex.

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary.

Enterprise T1542 Pre-OS Boot

Monitor for API calls that may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. Disk check, forensic utilities, and data from device drivers (i.e. API calls) may reveal anomalies that warrant deeper investigation. [32]

.002 Component Firmware

Monitor for API calls associated with the use of device drivers and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) [33] [34] disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.

Enterprise T1057 Process Discovery

Monitor for API calls may attempt to get information about running processes on a system.

Enterprise T1055 Process Injection

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[14] Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.[35] [36] [37] [38]

.001 Dynamic-link Library Injection

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[14]

Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted.

Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API CreateRemoteThread. Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process csrss.exe creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to inject DLLs, but for very different purposes. An adversary is likely to inject into a program to evade defenses or bypass User Account Control, but a security program might do this to gain increased monitoring of API calls. One of the most common methods of DLL Injection is through the Windows API LoadLibrary.

  • Allocate memory in the target program with VirtualAllocEx
  • Write the name of the DLL to inject into this program with WriteProcessMemory
  • Create a new thread and set its entry point to LoadLibrary using the API CreateRemoteThread.

This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is LoadLibraryA or LoadLibraryW, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.

.002 Portable Executable Injection

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[14]

.003 Thread Execution Hijacking

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[14]

.004 Asynchronous Procedure Call

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[14]

.005 Thread Local Storage

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[14]

.008 Ptrace System Calls

Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.[35] [36] [37] [38]

.011 Extra Window Memory Injection

Monitor for API calls related to enumerating and manipulating EWM such as GetWindowLong [39] and SetWindowLong [40]. Malware associated with this technique have also used SendNotifyMessage [41] to trigger the associated window procedure and eventual malicious injection. [14]

.012 Process Hollowing

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[14]

.013 Process Doppelgänging

Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. [42] [43]

.014 VDSO Hijacking

Monitor for malicious usage of system calls, such as ptrace and mmap, that can be used to attach to, manipulate memory, then redirect a processes' execution path. Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.[35][36][37][38]

.015 ListPlanting

Consider monitoring for excessive use of SendMessage and/or PostMessage API functions with LVM_SETITEMPOSITION and/or LVM_GETITEMPOSITION arguments.

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as FindWindow, FindWindowEx, EnumWindows, EnumChildWindows, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be abused for this technique.

Enterprise T1012 Query Registry

Monitor for API calls (such as RegOpenKeyExA) that may interact with the Windows Registry to gather information about the system, configuration, and installed software. OS API calls associated with querying the Windows Registry are RegOpenKeyEx , RegOpenUserClassesRoot, RegQueryValueExA, and RegQueryValueExW. Execution of these functions might trigger security log ids such as 4663 (Microsoft Security Auditing). Also monitor for RegOpenUserClassesRoot api to retrieve a handle to the HKEY_CLASSES_ROOT key for a specified user. The returned key has a view of the registry that merges the contents of the HKEY_LOCAL_MACHINE\Software\Classes key with the contents of the Software\Classes keys in the user's registry hive.

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls.

Enterprise T1620 Reflective Code Loading

Monitor for code artifacts associated with reflectively loading code, such as the abuse of .NET functions such as Assembly.Load() and Native API functions such as CreateThread(), memfd_create(), execve(), and/or execveat().[44][45]

Enterprise T1113 Screen Capture

Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as CopyFromScreen, xwd, or screencapture.[46][47]. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.

ICS T0852 Screen Capture

Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as CopyFromScreen, xwd, or screencapture.[46][47] The data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.

Enterprise T1489 Service Stop

Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting.[9]

ICS T0881 Service Stop

Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. For added context on adversary procedures and background see Service Stop.

Enterprise T1129 Shared Modules

Monitor for API calls that may execute malicious payloads via loading shared modules.

Enterprise T1518 Software Discovery

Monitor for API calls that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.

.001 Security Software Discovery

Monitor for API calls that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. OS API calls associated with LSASS process dumping include EnumProcesses, which can be used to enumerate the set of processes running on a host and filtered to look for security-specific processes.

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary.

Enterprise T1218 System Binary Proxy Execution

Monitor for API calls that bypass process and/or signature based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries.

.002 Control Panel

Monitor for API calls that may forge web cookies that can be used to gain access to web applications or Internet services.

Enterprise T1082 System Information Discovery

Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.

Enterprise T1614 System Location Discovery

Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW to gather information.[48]

.001 System Language Discovery

Monitor for API calls that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Enterprise T1016 System Network Configuration Discovery

Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses.

.002 Wi-Fi Discovery

Monitor for API calls (such as those from wlanAPI.dll) that may gather details about locally reachable Wi-Fi networks.

Enterprise T1049 System Network Connections Discovery

Monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

Enterprise T1033 System Owner/User Discovery

Monitor for API calls that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.

Enterprise T1007 System Service Discovery

Monitor for API calls associated with gathering information about registered local system services, such as QueryServiceStatusEx. Other Windows API calls worth monitoring include EnumServicesStatusExA, which can be used to enumerate services in the service control manager database.

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary.

Enterprise T1124 System Time Discovery

Monitor for API calls that may gather the system time and/or time zone from a local or remote system. Remote access tools with built-in features may interact directly with the Windows API to gather information.

Enterprise T1125 Video Capture

Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system. Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.

Enterprise T1497 Virtualization/Sandbox Evasion

Monitor for API calls that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

.001 System Checks

Monitor for API calls that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

.002 User Activity Based Checks

Monitor for API calls that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

.003 Time Based Evasion

Monitor for API calls that may employ various time-based methods to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

Process: Process Access

Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)

Process: Process Access

Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)

Domain ID Name Detects
Enterprise T1185 Browser Session Hijacking

This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. Monitor for Process Injection against browser applications.

Enterprise T1555 Credentials from Password Stores

Monitor for processes being accessed that may search for common password storage locations to obtain user credentials.

.002 Securityd Memory

Monitor for processes being accessed that may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain.

.003 Credentials from Web Browsers

Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).

.005 Password Managers

Monitor process being accessed that may acquire user credentials from third-party password managers.[49]

Enterprise T1559 Inter-Process Communication

Monitor for processes making abnormal calls to higher privileged processes, such as a user application connecting to a VPN service.[50]

.003 XPC Services

Monitor for processes making abnormal calls to higher privileged processes, such as a user application connecting to a VPN service.[50]

Enterprise T1556 Modify Authentication Process

Monitor for unexpected processes interacting with authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts.

.001 Domain Controller Authentication

Monitor for unexpected processes interacting with the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.

Enterprise T1003 OS Credential Dumping

Monitor for unexpected processes interacting with lsass.exe.[51] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.

Linux

To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/<pid>/maps, where the <pid> directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.

.001 LSASS Memory

Monitor for unexpected processes interacting with LSASS.exe.[51] Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.

Usage of Procdump and Windows Task Manager for LSASS dumping can also be detected via process creation events, since they both have a predictable set of command-line arguments (i.e., for specifying the process to be dumped).

Note: Sysmon process access events (Event ID 10) can be extremely noisy, which necessitates tweaking the Sysmon configuration file. We recommend taking an approach analogous to that of the Sysmon Modular Configuration project (https://github.com/olafhartong/sysmon-modular) and filtering out any benign processes in your environment that produce large volumes of process access events.

The GrantedAccess value in the below analytic for Mimikatz is meant to be used solely as an illustrative example of detecting Mimikatz LSASS access. However, actual GrantedAccess values change over time with different versions of Mimikatz and therefore detection engineers need to verify the accuracy of any GrantedAccess values that their analytics are using.

Analytic 1 - Mimikatz

(source=WinEventLog:"Microsoft-Windows-Sysmon/Operational" EventCode="10" AND TargetImage= "lsass.exe" AND (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)CallTrace="C:\windows\SYSTEM32\ntdll.dll+|C:\windows\System32\KERNELBASE.dll+20edd|UNKNOWN()")

Analytic 2 - Procdump

((sourceType=WinEventLog:"*Microsoft-Windows-Sysmon/Operational" EventCode="10") AND TargetImage= "*lsass.exe" AND SourceImage= "*procdump.exe")

Analytic 3 - Windows Task Manager

((sourceType=WinEventLog:"*Microsoft-Windows-Sysmon/Operational" EventCode="10") AND TargetImage="*lsass.exe" AND SourceImage= "c:\windows*\taskmgr.exe")

Enterprise T1055 Process Injection

Monitor for processes being viewed that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.

.001 Dynamic-link Library Injection

Monitor for process being viewed that may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges.

.002 Portable Executable Injection

Monitor for processes being viewed that may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges.

.003 Thread Execution Hijacking

Monitor for processes being viewed that may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges.

.004 Asynchronous Procedure Call

Monitor for processes being viewed that may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges.

.005 Thread Local Storage

Monitor for processes being viewed that may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges.

.008 Ptrace System Calls

Monitor for processes being viewed that may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges.

.012 Process Hollowing

Monitor for processes being viewed that may inject malicious code into suspended and hollowed processes in order to evade process-based defenses.

Enterprise T1539 Steal Web Session Cookie

Monitor for attempts by programs to inject into or dump browser process memory.

Enterprise T1033 System Owner/User Discovery

Monitor for unexpected processes interacting with lsass.exe.[51] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.

Linux

To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/<pid>/maps, where the <pid> directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.

Process: Process Creation

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Process: Process Creation

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Domain ID Name Detects
Enterprise T1548 Abuse Elevation Control Mechanism

Monitor for newly executed processes that may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to "Get System", which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try and attain SYSTEM: in the first technique, they create a named pipe and connects an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. This analytic looks for both of these techniques.

Analytic 1 - Get System Elevation

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")(ParentImage="C:\Windows\System32\services.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="echo" CommandLine="\pipe*") OR (Image="C:\Windows\System32\rundll32.exe" CommandLine=",a /p:*")

.002 Bypass User Account Control

Monitor newly executed processes, such as eventvwr.exe and sdclt.exe, that may bypass UAC mechanisms to elevate process privileges on system.

Threat actors often, after compromising a machine, try to disable User Access Control (UAC) to escalate privileges. This is often done by changing the registry key for system policies using "reg.exe", a legitimate tool provided by Microsoft for modifying the registry via command prompt or scripts. This action interferes with UAC and may enable a threat actor to escalate privileges on the compromised system, thereby allowing further exploitation of the system.

Analytic 1 - UAC Bypass

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") IntegrityLevel=High|search (ParentCommandLine="\"c:\windows\system32\dism.exe\""".xml" AND Image!="c:\users\\appdata\local\temp\\dismhost.exe") OR ParentImage=c:\windows\system32\fodhelper.exe OR (CommandLine="\"c:\windows\system32\wusa.exe\"/quiet" AND User!=NOT_TRANSLATED AND CurrentDirectory=c:\windows\system32\ AND ParentImage!=c:\windows\explorer.exe) OR CommandLine=".exe\"cleanmgr.exe /autoclean" OR (ParentImage="c:\windows\dccw.exe" AND Image!="c:\windows\system32\cttune.exe") OR Image="c:\program files\windows media player\osk.exe" OR ParentImage="c:\windows\system32\slui.exe"|eval PossibleTechniques=case(like(lower(ParentCommandLine),"%c:\windows\system32\dism.exe%"), "UACME #23", like(lower(Image),"c:\program files\windows media player\osk.exe"), "UACME #32", like(lower(ParentImage),"c:\windows\system32\fodhelper.exe"), "UACME #33", like(lower(CommandLine),"%.exe\"%cleanmgr.exe /autoclean%"), "UACME #34", like(lower(Image),"c:\windows\system32\wusa.exe"), "UACME #36", like(lower(ParentImage),"c:\windows\%dccw.exe"), "UACME #37", like(lower(ParentImage),"c:\windows\system32\slui.exe"), "UACME #45")

Analytic 2 - Disable UAC

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") ParentImage="C:\Windows\System32\cmd.exe" CommandLine="reg.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemREG_DWORD /d 0*""

.003 Sudo and Sudo Caching

Monitor newly executed processes that may perform sudo caching and/or use the suoders file to elevate privileges.

.004 Elevated Execution with Prompt

Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called.

.006 TCC Manipulation

Monitor for newly executed processes that may circumvent TCC mechanisms designed to control access to elevated privileges. macOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called.

Enterprise T1134 Access Token Manipulation

Monitor for executed processes that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.

.004 Parent PID Spoofing

Monitor for newly constructed processes and/or command-lines that may abuse mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe

Enterprise T1087 Account Discovery

Monitor for processes that can be used to enumerate user accounts and groups such as net.exe and net1.exe, especially when executed in quick succession.[52] Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

.001 Local Account

Monitor for processes that can be used to enumerate user accounts and groups such as net.exe and net1.exe, especially when executed in quick succession.[52] Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Note: Event IDs are for Sysmon (Event ID 1 - process creation) and Windows Security Log (Event ID 4688 - a new process has been created). - For Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on the enumeration/reading of files that store local users, including /etc/passwd. - For MacOS, utilities that work in concert with Apple’s Endpoint Security Framework such as Process Monitor can be used to track usage of commands such as id and groups.

Analytic 1 - Net Discovery Commands

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="net.exe" OR Image="net1.exe"

.002 Domain Account

Monitor for processes that can be used to enumerate domain accounts and groups, such as net.exe and net1.exe, especially when executed in quick succession.[52] Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

.003 Email Account

Monitor for newly executed processes, such as Windows Management Instrumentation and PowerShell , with arguments that can be used to enumerate email addresses and accounts.

Enterprise T1098 Account Manipulation

Monitor for newly constructed processes indicative of modifying account settings, such as those that modify authorized_keys or /etc/ssh/sshd_config files.

.004 SSH Authorized Keys

Monitor for suspicious processes modifying the authorized_keys or /etc/ssh/sshd_config files.

ICS T0830 Adversary-in-the-Middle

Host-based implementations of this technique may utilize networking-based system calls or network utility commands (e.g., iptables) to locally intercept traffic. Monitor for relevant process creation events.

Enterprise T1010 Application Window Discovery

Monitor for newly executed processes that may attempt to get a listing of open application windows. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created).

Analytic 1 - Suspicious Processes

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") | where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"

Enterprise T1560 Archive Collected Data

Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip.

.001 Archive via Utility

Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip. Before Exfiltration that an adversary has Collection, it is very likely that a Archive Collected Data will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored.In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of "* a *". This is helpful, as adversaries may change program names.

Note: This analytic looks for the command line argument a, which is used by RAR. However, there may be other programs that have this as a legitimate argument and may need to be filtered out.

Analytic 1 - Command Line Usage of Archiving Software

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") CommandLine=" a "

ICS T0895 Autorun Image

Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user.

Enterprise T1197 BITS Jobs

Monitor for newly constructed BITS tasks to enumerate using the BITSAdmin tool (bitsadmin /list /allusers /verbose).

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). Analytic 1 is oriented around looking for the creation of Microsoft Background Intelligent Transfer Service utility (bitsadmin.exe) processes that schedule a BITS job to persist on an endpoint. The analytic identifies the command-line parameters used to create, resume or add a file to a BITS job; these are typically seen combined in a single command-line or executed in sequence.

Analytic 2 identifies Microsoft Background Intelligent Transfer Service utility bitsadmin.exe using the transfer parameter to download a remote object. In addition, look for download or upload on the command-line, the switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically once executed, a follow on command will be used to execute the dropped file. Network connection or file modification events related will not spawn or create from bitsadmin.exe , but the artifacts will appear in a parallel process of svchost.exe with a command-line similar to svchost.exe -k netsvcs -s BITS . It’s important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use bitsadmin /list /verbose to list out the jobs during investigation.

Analytic 1 - BITS Job Persistence

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="C:\Windows\System32\bitsadmin.exe" AND (CommandLine= "create" OR CommandLine= "addfile" OR CommandLine= "setnotifyflags" OR CommandLine= "setnotifycmdline" OR CommandLine= "setminretrydelay" OR CommandLine= "setcustomheaders" OR CommandLine= "resume")

Analytic 2 - BITSAdmin Download File

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="C:\Windows\System32\bitsadmin.exe" AND CommandLine= transfer

Enterprise T1547 Boot or Logon Autostart Execution

Suspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data to increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

.001 Registry Run Keys / Startup Folder

Monitor for newly executed processes executed from the Run/RunOnce registry keys through Windows EID 9707 or "Software\Microsoft\Windows\CurrentVersion\Run" and "Software\Microsoft\Windows\CurrentVersion\RunOnce" registry keys with the full command line.

Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via regedit.exe or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly.

Output DescriptionThe sequence of processes that resulted in reg.exe being started from a shell. That is, a hierarchy that looks like• great-grand_parent.exe• grand_parent.exe• parent.exe• reg.exe

Analytic 1 - Reg.exe called from Command Shell

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="reg.exe" AND ParentImage="cmd.exe"| join left=L right=R where L.ParentProcessGuid = R.ProcessGuid [search EventCode IN (1, 4688) Image="cmd.exe" ParentImage!="explorer.exe"]

.003 Time Providers

Monitor newly executed processes, such as the W32tm.exe utility. [53] The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. [54]

.004 Winlogon Helper DLL

Monitor for the execution of processes that may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.

Analytic 1 - Modification of the Winlogon Registry Key

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") | where (CommandLine LIKE "%Microsoft\Windows NT\CurrentVersion\Winlogon%" AND (CommandLine LIKE "%Userinit%" OR CommandLine LIKE "%Shell%" OR CommandLine LIKE "%Notify%")) AND (CommandLine LIKE "%reg%" OR CommandLine LIKE "%add%" OR CommandLine LIKE "%/d%" OR CommandLine LIKE "%Set-ItemProperty%" OR CommandLine LIKE "%New-ItemProperty%" CommandLine LIKE "%-value%")

.006 Kernel Modules and Extensions

Monitor for newly created processes that may modify the kernel to automatically execute programs on system boot.

.009 Shortcut Modification

Monitor for newly executed processes that may create or edit shortcuts to run a program during system boot or user login.

.013 XDG Autostart Entries

Monitor newly executed processes that may modify XDG autostart entries to execute programs or commands during system boot.

.014 Active Setup

Monitor newly executed processes that may achieve persistence by adding a Registry key to the Active Setup of the local machine.

.015 Login Items

Monitor processes that start at login for unusual or unknown applications. Usual applications for login items could include what users add to configure their user environment, such as email, chat, or music applications, or what administrators include for organization settings and protections. Check for running applications from login items that also have abnormal behavior, such as establishing network connections.

Enterprise T1037 Boot or Logon Initialization Scripts

Monitor for newly executed processes that may use scripts automatically executed at boot or logon initialization to establish persistence. Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\EnvironmentUserInitMprLogonScript. This signature looks edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path.

Analytic 1 - Boot or Logon Initialization Scripts

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="regadd\EnvironmentUserInitMprLogonScript"

.001 Logon Script (Windows)

Monitor for newly constructed processes and/or command-lines that execute logon scripts

Analytic 1 - Boot or Logon Initialization Scripts

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="regadd\EnvironmentUserInitMprLogonScript"

.002 Login Hook

Monitor for processes and/or command-lines to install or modify login hooks, as well as processes spawned at user login by these hooks.

.003 Network Logon Script

Monitor for newly constructed processes and/or command-lines that execute logon scripts

.004 RC Scripts

Monitor for newly constructed processes and/or command-lines that execute /etc/rc.local if present.

.005 Startup Items

Monitor for newly constructed processes and/or command-lines that execute during the boot up process to check for unusual or unknown applications and behavior

Enterprise T1176 Browser Extensions

Monitor for newly executed processes that could be used to abuse internet browser extensions to establish persistence.

Enterprise T1217 Browser Information Discovery

Monitor for processes with arguments that may be associated with gathering browser information, such as local files and databases (e.g., %APPDATA%/Google/Chrome).[55]

Enterprise T1651 Cloud Administration Command

Monitor virtual machines for the creation of processes associated with cloud virtual machine agents. In Windows-based Azure machines, monitor for the WindowsAzureGuestAgent.exe process.[56]

Enterprise T1059 Command and Scripting Interpreter

Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.

.001 PowerShell

Monitor for newly executed processes that may abuse PowerShell commands and scripts for execution. PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts.

Powershell can be used to hide monitored command line execution such as:

net usesc start

Note: - The logic for Analytic 1 is based around detecting on non-interactive Powershell sessions (i.e., those not launched by a user through explorer.exe). This may lead to false positives when used in a production environment, so we recommend tuning any such analytics by including additional logic (e.g., looking for suspicious parent processes) that helps filter such events.- The logic for Analytic 2 is based around detecting on remote Powershell sessions. PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe.

Analytic 1 - Non-interactive Powershell Sessions

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="powershell.exe" AND ParentImage!="explorer.exe"

Analytic 2 - Remote Powershell Sessions

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="wsmprovhost.exe" AND ParentImage="svchost.exe"

Analytic 3 - Powershell Execution

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") Image="C:\Windows\\powershell.exe" ParentImage!="C:\Windows\explorer.exe"|stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName

.002 AppleScript

Monitor for newly executed processes that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

Analytic 1 - Unusual Execution

source="Osquery:" EventCode="process_added" AND CommandLine LIKE "osascript"

Analytic 2 - Untrusted Locations

source="Osquery:" EventCode="process_added" AND Path LIKE "/Users//Downloads/" OR Path LIKE "/tmp/*"

Analytic 3 - Parent/Child Process Relationship

source="Osquery:" EventCode="process_added" AND ParentImage= "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder" AND Image LIKE "osascript"

.003 Windows Command Shell

Monitor for newly executed processes that may abuse the Windows command shell for execution.

Note: Try an Analytic by creating a baseline of parent processes of cmd seen over the last 30 days and a list of parent processes of cmd seen today. Parent processes in the baseline are removed from the set of parent processes seen today, leaving a list of new parent processes. This analytic attempts to identify suspicious programs spawning cmd by looking for programs that do not normally create cmd.  It is very common for some programs to spawn cmd as a subprocess, for example to run batch files or Windows commands. However, many processes don’t routinely launch a command prompt - e.g., Microsoft Outlook. A command prompt being launched from a process that normally doesn’t launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one.

Analytic 1 - Unusual Command Execution

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="cmd.exe" AND (CommandLine REGEXP "./c." OR CommandLine REGEXP ".._ \/k.*")

.004 Unix Shell

Monitor for newly executed processes that may abuse Unix shell commands and scripts for execution.

.005 Visual Basic

Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.

.006 Python

Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor newly executed processes that may abuse Python commands and scripts for execution.

.007 JavaScript

Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts

.010 AutoHotKey & AutoIT

Monitor and analyze the execution and arguments of the AutoIt3.exe and AutoHotkey.exe interpreters. Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if AutoHotkey.exe is the parent process for additional suspicious processes and activity.

Mobile T1623 Command and Scripting Interpreter

Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.

.001 Unix Shell

Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.

ICS T0807 Command-Line Interface

Monitor for processes spawning from known command shell applications (e.g., PowerShell, Bash). Benign activity will need to be allow-listed. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.

Enterprise T1609 Container Administration Command

Container administration service activities and executed commands can be captured through logging of process execution with command-line arguments on the container as well as within the underlying host.

Enterprise T1659 Content Injection

Look for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery.

Enterprise T1136 Create Account

Monitor newly executed processes associated with account creation, such as net.exe

.001 Local Account

Monitor newly executed processes associated with account creation, such as net.exe

Analytic 1 - Create local admin accounts using net.exe

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image= C:\Windows\System32\net.exe OR Image= C:\Windows\System32\net1.exe ) AND CommandLine = * -exportPFX * )

.002 Domain Account

Monitor newly executed processes associated with account creation, such as net.exe

Enterprise T1543 Create or Modify System Process

New, benign system processes may be created during installation of new software.

.002 Systemd Service

Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.

.003 Windows Service

Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Windows runs the Service Control Manager (SCM) within the process services.exe. Windows launches services as independent processes or DLL loads within a svchost.exe group. To be a legitimate service, a process (or DLL) must have the appropriate service entry point SvcMain. If an application does not have the entry point, then it will timeout (default is 30 seconds) and the process will be killed.

To survive the timeout, adversaries and red teams can create services that direct to cmd.exe with the flag /c, followed by the desired command. The /c flag causes the command shell to run a command and immediately exit. As a result, the desired program will remain running and it will report an error starting the service. This analytic will catch that command prompt instance that is used to launch the actual malicious executable. Additionally, the children and descendants of services.exe will run as a SYSTEM user by default.

Note: Create a baseline of services seen over the last 30 days and a list of services seen today. Remove services in the baseline from services seen today, leaving a list of new services. Returns all processes named cmd.exe that have services.exe as a parent process. Because this should never happen, the /c flag is redundant in the search.

Analytic 2 - Services launching CMD

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="cmd.exe" and ParantImage="services.exe"

.004 Launch Daemon

Monitor for newly executed processes that may create or modify Launch Daemons to execute malicious payloads as part of persistence.

Enterprise T1555 Credentials from Password Stores

Monitor newly executed processes that may search for common password storage locations to obtain user credentials.

.001 Keychain

Monitor processes spawned by command line utilities to manipulate keychains directly, such as security, combined with arguments to collect passwords, such as dump-keychain -d.

.004 Windows Credential Manager

Monitor newly executed processes for suspicious activity listing credentials from the Windows Credentials locker (e.g. vaultcmd /listcreds:"Windows Credentials").[57]

Enterprise T1485 Data Destruction

Monitor for newly executed processes of binaries that could be involved in data destruction activity, such as SDelete.

ICS T0809 Data Destruction

Monitor for newly executed processes of binaries that could be involved in data destruction activity, such as SDelete.

Enterprise T1486 Data Encrypted for Impact

Monitor for newly constructed processes and/or command-lines involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit.

Enterprise T1005 Data from Local System

Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

ICS T0893 Data from Local System

Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data.

Enterprise T1622 Debugger Evasion

Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. Debugger related system checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.

Enterprise T1140 Deobfuscate/Decode Files or Information

Monitor for newly executed processes that attempt to hide artifacts of an intrusion, such as common archive file applications and extensions (ex: Zip and RAR archive tools), and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

CertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - encodehex and decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.

Analytic Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic is oriented around the creation of CertUtil.exe processes, which may be used to encode and decode files, including PE and script code. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process.

Analytic 1 - CertUtil with Decode Argument

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="C:\Windows\System32\certutil.exe" AND CommandLine= decode )

Enterprise T1652 Device Driver Discovery

Monitor processes (lsmod, driverquery.exe, etc.) for events that may highlight potentially malicious attempts to enumerate device drivers.

Enterprise T1561 Disk Wipe

Monitor newly executed processes that may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources.

.001 Disk Content Wipe

Monitor newly executed processes that may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

.002 Disk Structure Wipe

Monitor newly executed processes that may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

Enterprise T1482 Domain Trust Discovery

Monitor for newly executed processes that may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.

Enterprise T1189 Drive-by Compromise

Look for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery.

ICS T0817 Drive-by Compromise

Monitor for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk.

Enterprise T1611 Escape to Host

Monitor for process activity (such as unexpected processes spawning outside a container and/or on a host) that might indicate an attempt to escape from a privileged container to host.

Enterprise T1546 Event Triggered Execution

Tools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.

.001 Change Default File Association

Monitor for newly executed processes that may establish persistence by executing malicious content triggered by a file type association.

.002 Screensaver

Monitor newly executed processes that may establish persistence by executing malicious content triggered by user inactivity.

Analytic 1 - HKCU\Control Panel\Desktop registry key

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") | where CommandLine LIKE "%reg%" AND CommandLine LIKE "%add%" AND CommandLine LIKE "%HKCU\Control Panel\Desktop\%"

.003 Windows Management Instrumentation Event Subscription

Monitor newly executed processes that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).

Note: Windows Event ID 4688 (A new process has been created) and Sysmon Event ID 1 (Process creation) can be used to alert on processes created by WMI event subscription triggers by filtering on events with a parent process name of WmiPrvSe.exe.

Monitor for execution of mofcomp.exe as a child of a suspicious shell or script running utility – \powershell.exe or \cmd.exe – or by having a suspicious path in the command line, such as %temp%.[58][59] Adversaries may compile modified MOF files using mofcomp.exe to create malicious WMI event subscriptions.

.004 Unix Shell Configuration Modification

Monitor newly executed processes that may establish persistence through executing malicious commands triggered by a user’s shell.

.005 Trap

Monitor newly executed processes that may establish persistence by executing malicious content triggered by an interrupt signal.

.006 LC_LOAD_DYLIB Addition

Monitor processes for those that may be used to modify binary headers.

.007 Netsh Helper DLL

It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior.

.008 Accessibility Features

Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features.

An adversary can use accessibility features (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. Since an adversary does not have physical access to the machine, this technique must be run within Remote Desktop. To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. This analytic looks for instances of cmd.exe or powershell.exe launched directly from the logon process, winlogon.exe.

Several accessibility programs can be run using the Ease of Access center

  • sethc.exe handles StickyKeys
  • utilman.exe is the Ease of Access menu
  • osk.exe runs the On-Screen Keyboard
  • narrator.exe reads screen text over audio
  • magnify.exe magnifies the view of the screen near the cursor

One simple way to implement this technique is to note that in a default Windows configuration there are no spaces in the path to the system32 folder. If the accessibility programs are ever run with a Debugger set, then Windows will launch the Debugger process and append the command line to the accessibility program. As a result, a space is inserted in the command line before the path. Looking for any instances of a space in the command line before the name of an accessibility program will help identify when Debuggers are set.

The Windows Registry location HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for Accessibility Applications. The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic example looks for any creation of common accessibility processes such as sethc.exe but does no other filtering, which may result in false positives. Therefore, we recommend tuning any such analytics by including additional logic (e.g., testing the name of the parent process) that helps reduce false positives.

Analytic 2 could depend on the possibility of the known strings used as arguments for other applications used in the day-to-day environment. Although the chance of the string "sethc.exe" being used as an argument for another application is unlikely, it still is a possibility.

Analytic 1 - Command Launched from Winlogon

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND ParentImage="winlogon.exe" AND Image="cmd.exe"AND (CommandLine="sethc.exe"OR CommandLine="utilman.exe"OR CommandLine="osk.exe" OR CommandLine="narrator.exe" OR CommandLine="*magnify.exe"

Analytic 2 - Debuggers for Accessibility Applications

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") | where CommandLine match "$. .(sethcutilmanosknarratormagnify).exe"

.009 AppCert DLLs

Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.

.010 AppInit DLLs

Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

Note: Sysmon Event ID 1 (process create) and Windows Security Log Event ID 4688 (a new process has been created) can be used to detect new reg.exe processes that modify the AppInit DLL registry keys since the registry keys are specified as a command-line parameter.

.011 Application Shimming

Monitor newly executed processs for sdbinst.exe for potential indications of application shim abuse. There are several public tools available that will detect shims that are currently available [60]:* Shim-Process-Scanner - checks memory of every running process for any shim flags* Shim-Detector-Lite - detects installation of custom shim databases* Shim-Guard - monitors registry for any shim installations* ShimScanner - forensic tool to find active shims in memory* ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot)

.012 Image File Execution Options Injection

Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. [61]

.013 PowerShell Profile

Monitor newly executed processes that may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.

.014 Emond

Monitor newly executed processes that may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond).

.015 Component Object Model Hijacking

Monitor newly executed processes that may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

.016 Installer Packages

Monitor processes with arguments that may be related to abuse of installer packages, including malicious, likely elevated processes triggered by application installations.

Enterprise T1480 Execution Guardrails

Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. Detecting the use of guardrails may be difficult depending on the implementation.

.001 Environmental Keying

Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. Detecting the use of environmental keying may be difficult depending on the implementation.

Enterprise T1052 Exfiltration Over Physical Medium

Monitor for newly executed processes when removable media is mounted.

.001 Exfiltration over USB

Monitor for newly executed processes when removable media is mounted

Enterprise T1203 Exploitation for Client Execution

Monitor for abnormal process creations, such as a Command and Scripting Interpreter spawning from a potentially exploited application. Also look for other behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of browser or Office processes.

Example, it is not expected behavior for print spool service to be executing discovery type processes. However, this is one example and could be any number of native or third party processes that are executing either unusual or unknown (potentially adversary brought) processes.

Note:- Analytic 1, look for instances where Office Applications (e.g., Word, Excel, PowerPoint) are launched with suspicious parameters or from unusual locations- Analytic 2, look for abnormal child process creation by Office Applications especially when accompanied by suspicious command-line parameters

Analytic 1 - Office Application Process Execution

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND (Image= "\winword.exe" OR Image= "\excel.exe" OR Image= "\powerpnt.exe") AND (CommandLine= "macro" OR CommandLine= "automation" OR CommandLine= "shellcode") AND ParentCommandLine= "open*"

Analytic 2 - Unusual Child Process Creation

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND (ParentImage= "\winword.exe" OR ParentImage= "\excel.exe" OR ParentImage= "\powerpnt.exe") AND (Image != "\system32\" OR Image != "*\program files")

Enterprise T1212 Exploitation for Credential Access

Monitor for abnormal process creations, such as a Command and Scripting Interpreter spawning from a potentially exploited application. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes.

Enterprise T1211 Exploitation for Defense Evasion

Monitor for abnormal process creations, such as a Command and Scripting Interpreter spawning from a potentially exploited application. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes.

Enterprise T1068 Exploitation for Privilege Escalation

Monitor for newly executed processes that may exploit software vulnerabilities in an attempt to elevate privileges. After gaining initial access to a system, threat actors attempt to escalate privileges as they may be operating within a lower privileged process which does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting spoolsv or connhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us of any potentially malicious activity.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic is oriented around looking for an invocation of either spoolsv.exe or conhost.exe by a user, thus alerting us of any potentially malicious activity. A common way of escalating privileges in a system is by externally invoking and exploiting these executables, both of which are legitimate Windows applications.

Analytic 1 - Unusual Child Process for spoolsv.exe or connhost.exe

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image="C:\Windows\System32\spoolsv.exe" OR Image="C:\Windows\System32\conhost.exe") AND ParentImage= "C:\Windows\System32\cmd.exe")

Enterprise T1083 File and Directory Discovery

Monitor newly executed processes that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

Enterprise T1222 File and Directory Permissions Modification

Monitor for newly executed processes that may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.[62][63]

.001 Windows File and Directory Permissions Modification

Monitor for newly constructed processes and/or command-lines that can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders.

.002 Linux and Mac File and Directory Permissions Modification

Monitor for newly executed processes that may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.[62][63]

Enterprise T1606 .002 Forge Web Credentials: SAML Tokens

This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS.

Analytic 1 - Certutil.exe Certificate Extraction

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND Image= "C:\Windows\System32\certutil.exe" AND CommandLine= " -exportPFX ")

ICS T0823 Graphical User Interface

Monitor for newly executed processes related to services specifically designed to accept remote graphical connections, such as RDP and VNC. Remote Services and Valid Accounts may be used to access a host’s GUI.

Enterprise T1615 Group Policy Discovery

Monitor for newly executed processes that may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment.

Enterprise T1564 Hide Artifacts

Monitor newly executed processes that may attempt to hide artifacts associated with their behaviors to evade detection.

.001 Hidden Files and Directories

Monitor newly executed processes that may set files and directories to be hidden to evade detection mechanisms.

.002 Hidden Users

Monitor newly executed processes for actions that could be taken to add a new user and subsequently hide it from login screens.

.003 Hidden Window

Monitor newly executed processes that may use hidden windows to conceal malicious activity from the plain sight of users. For example, monitor suspicious windows explorer execution – such as an additional explorer.exe holding a handle to an unknown desktop – that may be used for hidden malicious activity via hVNC.[64]

.004 NTFS File Attributes

Monitor for process execution that may use NTFS file attributes to hide their malicious data in order to evade detection.

Analytic 1 - NTFS Alternate Data Stream Execution : System Utilities (Powershell)

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\\powershell.exe" | regex CommandLine= "Invoke-CimMethod\s+-ClassName\s+Win32_Process\s+-MethodName\s+Create.\b(\w+(.\w+)?):(\w+(.\w+)?)|-ep bypass\s+-\s+<.\b(\w+(.\w+)?):(\w+(.\w+)?)|-command.Get-Content.-Stream.Set-Content.start-process .(\w+(.\w+)?)"

Analytic 2 - NTFS Alternate Data Stream Execution : System Utilities (WMIC)

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\\wmic.exe" | regex CommandLine= "process call create.\"(\w+(.\w+)?):(\w+(.\w+)?)"

Analytic 3 - NTFS Alternate Data Stream Execution : System Utilities (rundll32)

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\\rundll32.exe" | regex CommandLine= "\"?(\w+(.\w+)?):(\w+(.\w+)?)?\"?,\w+\|(advpack.dll\|ieadvpack.dll),RegisterOCX\s+(\w+.\w+):(\w+(.\w+)?)\|(shdocvw.dll\|ieframe.dll),OpenURL.(\w+.\w+):(\w+(.\w+)?)"

Analytic 4 - NTFS Alternate Data Stream Execution : System Utilities (wscript/cscript)

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\\wscript.exe" OR Image= "C:\Windows\\cscript.exe)" | regex CommandLine= "(?<!\/)\b\w+(.\w+)?:\w+(.\w+)?$"

.006 Run Virtual Instance

Monitor newly executed processes associated with running a virtual instance, such as those launched from binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V).

.009 Resource Forking

Monitor newly executed processes that may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications.

.010 Process Argument Spoofing

Analyze process behavior to determine if a process is performing actions it usually does not and/or do no align with its logged command-line arguments.

Detection of process argument spoofing may be difficult as adversaries may momentarily modify stored arguments used for malicious execution. These changes may bypass process creation detection and/or later process memory analysis. Consider monitoring for Process Hollowing, which includes monitoring for process creation (especially those in a suspended state) as well as access and/or modifications of these processes (especially by the parent process) via Windows API calls.[65][66]

.011 Ignore Process Interrupts

Monitor newly created processes for artifacts, such as nohup or PowerShell -ErrorAction SilentlyContinue, that may attempt to hide processes from interrupt signals.

Enterprise T1574 Hijack Execution Flow

Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.

.002 DLL Side-Loading

Monitor newly constructed processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the introduction of new files/programs.

.005 Executable Installer File Permissions Weakness

Monitor for newly constructed processes to match an existing service executables.

.006 Dynamic Linker Hijacking

Monitor for newly executed processes for unusual activity (e.g., a process that does not use the network begins to do so).

.007 Path Interception by PATH Environment Variable

Monitor for newly executed processes for process executable paths that are named for partial directories.

.008 Path Interception by Search Order Hijacking

Monitor for newly executed processes for process executable paths that are named for partial directories.

.009 Path Interception by Unquoted Path

Monitor for newly executed processes that may execute their own malicious payloads by hijacking vulnerable file path references.

.010 Services File Permissions Weakness

Monitor for newly executed processes that may execute their own malicious payloads by hijacking the binaries used by services.

.011 Services Registry Permissions Weakness

Monitor suspicious programs execution through services. These processes may show up as outlier processes that have not been seen before when compared against historical data.

.012 COR_PROFILER

Monitor for newly executed processes, such as setx.exe, that may abuse of the COR_PROFILER variable, monitor for new suspicious unmanaged profiling DLLs loading into .NET processes shortly after the CLR causing abnormal process behavior.[67]

.014 AppDomainManager

Monitor newly constructed processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the loading of unexpected .NET resources.

Enterprise T1562 Impair Defenses

Monitor newly executed processes that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

.001 Disable or Modify Tools

In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using "sc" [service control], a legitimate tool provided by Microsoft for managing services. This action interferes with event detection and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.

Note: Though this analytic is utilizing Event ID 1 for process creation, the arguments are specifically looking for the use of service control for querying or trying to stop Windows Defender.

Analytic 1 - Detecting Tampering of Windows Defender Command Prompt

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="C:\Windows\System32\sc.exe" (CommandLine="sc config" OR CommandLine="sc stop" OR CommandLine="sc query" )

.002 Disable Windows Event Logging

Monitor newly executed processes that may disable Windows event logging to limit data that can be leveraged for detections and audits.

Analytic 1 - Disable Windows Event Logging

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") ((CommandLine="New-Item" OR CommandLine="reg add") CommandLine="MiniNt") OR (CommandLine="Stop-Service" CommandLine="EventLog") OR (CommandLine="EventLog" (CommandLine="Set-Service" OR CommandLine="reg add" OR CommandLine="Set-ItemProperty" OR CommandLine="New-ItemProperty" OR CommandLine="sc config")) OR (CommandLine="auditpol" (CommandLine="/set" OR CommandLine="/clear" OR CommandLine="/revove")) OR (CommandLine="wevtutil" (CommandLine="sl" OR CommandLine="set-log"))

.006 Indicator Blocking

Monitor for executed processes that may attempt to block indicators or events typically captured by sensors from being gathered and analyzed.

Analytic 1 - Indicator Blocking - Driver Unloaded

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "fltmc.exe" AND CommandLine= "unload"

.009 Safe Mode Boot

Monitor newly executed processes that may abuse Windows safe mode to disable endpoint defenses.

.010 Downgrade Attack

Monitor newly executed processes that may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging.

.011 Spoof Security Alerting

Consider monitoring for suspicious processes that may be spoofing security tools and monitoring messages.

Enterprise T1070 Indicator Removal

Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

.001 Clear Windows Event Logs

Monitor for newly executed processes that may clear Windows Event Logs to hide the activity of an intrusion. In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using "wevtutil", a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.

Note: This search query looks for wevtutil, Clear-EventLog, Limit-EventLog, Remove-Item or Remove-EventLog inside a command that may cause the system to remove Windows Event logs.

Analytic 1 - Clearing Windows Logs with Wevtutil

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image=wevtutil CommandLine=cl (CommandLine=System OR CommandLine=Security OR CommandLine=Setup OR CommandLine=Application) OR Clear-EventLog OR Limit-EventLog OR (Remove-Item AND .evtx) OR Remove-EventLog)

.003 Clear Command History

Monitor for the suspicious execution of processes that may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.

Analytic 1 - Clear Powershell Console Command History

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND (CommandLine="rm (Get-PSReadlineOption).HistorySavePath" OR CommandLine="del (Get-PSReadlineOption).HistorySavePath" OR CommandLine="Set-PSReadlineOption –HistorySaveStyle SaveNothing" OR CommandLine="Remove-Item (Get-PSReadlineOption).HistorySavePath" OR (CommandLine="del" AND CommandLine="Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt"))

.005 Network Share Connection Removal

Monitor for newly constructed processes and/or command line execution that can be used to remove network share connections via the net.exe process.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic is oriented around looking for various methods of removing network shares via the command line, which is otherwise a rare event.

Analytic 1- Network Share Connection Removal

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image= "C:\Windows\System32\net.exe" AND CommandLine= "delete") OR CommandLine="Remove-SmbShare" OR CommandLine="Remove-FileShare" )

.007 Clear Network Connection History and Configurations

Monitor created processes with arguments that may delete or alter malicious network configuration settings as well as generated artifacts that highlight network connection history on a host system -- which may include logs, files, or Registry values.

.008 Clear Mailbox Data

Monitor for newly executed processes with arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined emails.

.009 Clear Persistence

Monitor for newly executed processes that may delete or alter generated artifacts associated with persistence on a host system.

ICS T0872 Indicator Removal on Host

Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

Enterprise T1202 Indirect Command Execution

Monitor for newly constructed processes and/or command-lines that can be used instead of invoking cmd (i.e. pcalua.exe, winrs.exe, cscript/wscript.exe, hh.exe, or bash.exe)

Enterprise T1490 Inhibit System Recovery

Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. After compromising a network of systems, threat actors often try to delete/resize Shadow Copy in an attempt to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool to interact with shadow copies. This action is often employed by ransomware, may lead to a failure in recovering systems after an attack. The pseudo code detection focus on Windows Security and Sysmon process creation (4688 and 1). The use of wmic to delete shadow copy generates WMI-Activity Operationnal 5857 event and could generate 5858 (if the operation fails). These 2 EventIDs could be interesting when attackers use wmic without process creation and/or for forensics.

Analytic 1 - Detecting Shadow Copy Deletion or Resize

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")(CommandLine="vssadmin delete shadows" OR CommandLine="wmic shadowcopy delete" OR CommandLine="vssadmin resize shadowstorage")) OR (EventCode="5857" ProviderName="MSVSS__PROVIDER") OR (EventCode="5858" Operation="Win32_ShadowCopy")

Analytic 2 - BCDEdit Failure Recovery Modification

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "C:\Windows\System32\bcdedit.exe" AND CommandLine="recoveryenabled"

Enterprise T1056 Input Capture

Monitor for newly executed processes conducting malicious activity

.002 GUI Input Capture

Monitor for newly executed processes

Enterprise T1559 Inter-Process Communication

Monitor for newly executed processes that are associated with abuse of IPC mechanisms

.001 Component Object Model

Monitor for newly executed processes that are associated with COM objects, especially those invoked by a user different than the one currently logged on.

.002 Dynamic Data Exchange

Monitor for newly executed processes that may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Analytic 1 - Unusual Child Process spawned using DDE exploit

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image=".exe" (ParentImage="excel.exe" OR ParentImage="word.exe" OR ParentImage="outlook.exe")

Enterprise T1570 Lateral Tool Transfer

Monitor newly constructed processes that assist in lateral tool transfers.

ICS T0867 Lateral Tool Transfer

Monitor newly constructed processes that assist in lateral tool transfers, such as file transfer programs.

Enterprise T1654 Log Enumeration

Monitor for unexpected process activity associated with utilities that can access and export logs, such as wevutil.exe on Windows and CollectGuestLogs.exe on Azure hosted VMs.

Enterprise T1036 Masquerading

Monitor for newly executed processes that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. The RECYCLER and SystemVolumeInformation directories will be present on every drive. Replace %systemroot% and %windir% with the actual paths as configured by the endpoints.

Analytic 1 - Suspicious Run Locations

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND ( Image=":\RECYCLER*" OR Image=":\SystemVolumeInformation*" OR Image="%windir%\Tasks*" OR Image="%systemroot%\debug*")

.005 Match Legitimate Name or Location

Monitor for newly executed processes that may match or approximate the name or location of legitimate files or resources when naming/placing them. Looks for mismatches between process names and their image paths.Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exe, svchost.exe, etc).There are several sub-techniques, but this analytic focuses on Match Legitimate Name or Location only.

Note: With process monitoring, hunt for processes matching these criteria:

  • process name is svchost.exe, smss.exe, wininit.exe, taskhost.exe, etc.
  • process path is not C:\Windows\System32\ or C:\Windows\SysWow64\

Examples (true positive):C:\Users\administrator\svchost.exe

To make sure the rule doesn’t miss cases where the executable would be started from a sub-folder of these locations, the entire path is checked for the process path. The below example should be considered as suspicious: C:\Windows\System32\srv\svchost.exe

Analytic 1 - Common Windows Process Masquerading

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")AND ( (Image=svchost.exe AND (image_path!="C:\Windows\System32\svchost.exe" OR process_path!="C:\Windows\SysWow64\svchost.exe")) OR (Image="*smss.exe" AND image_path!="C:\Windows\System32\smss.exe") OR (Image="wininit.exe" AND image_path!="C:\Windows\System32\wininit.exe") OR (Image="taskhost.exe" AND image_path!="C:\Windows\System32\taskhost.exe") OR (Image="lasass.exe" AND image_path!="C:\Windows\System32\lsass.exe") OR (Image="winlogon.exe" AND image_path!="C:\Windows\System32\winlogon.exe") OR (Image="csrss.exe" AND image_path!="C:\Windows\System32\csrss.exe") OR (Image="services.exe" AND image_path!="C:\Windows\System32\services.exe") OR (Image="lsm.exe" AND image_path!="C:\Windows\System32\lsm.exe") OR (Image="explorer.exe" AND image_path!="C:\Windows\explorer.exe")

.009 Break Process Trees

Monitor for the abnormal creation of background processes as well as processes executing from abnormal locations, such as /dev/shm.

Enterprise T1112 Modify Registry

Monitor processes and command-line arguments for actions that could be taken to change, conceal, and/or delete information in the Registry. (i.e. reg.exe, regedit.exe). The analytic is oriented around detecting invocations of Reg where the parent executable is an instance of cmd.exe that wasn’t spawned by explorer.exe. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exewill typically be explorer.exe. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be baselined so they can be tuned out accordingly. Analytic Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created).

Analytic 1 - Registry Edit with Modification of Userinit, Shell or Notify

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") ((CommandLine="reg" CommandLine="add" CommandLine="/d") OR ((CommandLine="Set-ItemProperty" OR CommandLine="New-ItemProperty") AND CommandLine="-value")) CommandLine="\Microsoft\Windows NT\CurrentVersion\Winlogon" (CommandLine="Userinit" OR CommandLine="Shell" OR CommandLine="Notify")

Analytic 2 - Modification of Default Startup Folder in the Registry Key 'Common Startup'

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (CommandLine="reg" AND CommandLine="add" AND CommandLine="/d") OR (CommandLine="Set-ItemProperty" AND CommandLine="-value") CommandLine="Common Startup"

Analytic 3 - Registry Edit with Creation of SafeDllSearchMode Key Set to 0

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")((CommandLine="reg" CommandLine="add" CommandLine="/d") OR (CommandLine="Set-ItemProperty" CommandLine="-value")) (CommandLine="00000000" OR CommandLine="0") CommandLine="SafeDllSearchMode")

ICS T0840 Network Connection Enumeration

Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

Enterprise T1135 Network Share Discovery

Monitor for newly executed processes that may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.

Enterprise T1040 Network Sniffing

Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network

Note: The Analytic is for Windows systems and looks for new processes that have the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy.

Analytic 1 - Windows

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") ANDImage="tshark.exe" ORImage="windump.exe" OR(Image="*logman.exe" AND ParentImage!="C:\Program Files\Windows Event Reporting\Core\EventReporting.AgentService.exe") ORImage= "tcpdump.exe" ORImage= "wprui.exe" ORImage= "wpr.exe" )

ICS T0842 Network Sniffing

Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment.

Enterprise T1027 Obfuscated Files or Information

Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

.004 Compile After Delivery

Monitor for newly constructed processes and/or command-lines that look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system. Typically these should only be used in specific and limited cases, like for software development.

Enterprise T1137 Office Application Startup

Monitor newly executed processes that may leverage Microsoft Office-based applications for persistence between startups. Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.

.001 Office Template Macros

Monitor newly executed processes that may abuse Microsoft Office templates to obtain persistence on a compromised system.

.002 Office Test

Monitor newly executed processes that may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system.

.003 Outlook Forms

Monitor newly executed processes that may abuse Microsoft Outlook forms to obtain persistence on a compromised system.

.004 Outlook Home Page

Monitor newly executed processes that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system.

.005 Outlook Rules

Monitor newly executed processes that may abuse Microsoft Outlook rules to obtain persistence on a compromised system.

.006 Add-ins

Monitor newly executed processes that may abuse Microsoft Office add-ins to obtain persistence on a compromised system.

Enterprise T1003 OS Credential Dumping

Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.

.001 LSASS Memory

Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process. Try monitoring for Sysmon Event ID 1 and/or Windows Security Event ID 4688 for process activity.

Note: - Rundll32/MiniDump has a different command-line syntax than that of Procdump, in that the process being dumped is specified via process ID instead of name (as with Procdump). Therefore, because the LSASS process ID is non-deterministic, the MiniDump detection isn’t specific to LSASS dumping and may need to be tuned to help reduce false positives.- When monitoring for .dll functions on the command-line be sure to also check for the ordinal associated with the function.

Analytic 1 - Procdump

(source=WinEventLog:"*Security" EventCode="4688") OR (source=WinEventLog:"*Microsoft-Windows-Sysmon/Operational" EventCode="1") AND Image="procdump*.exe" | where CommandLine LIKE "%lsass%"

Analytic 2 - MiniDump via rundll32

(source=WinEventLog:"*Security" EventCode="4688") OR (source=WinEventLog:"*Microsoft-Windows-Sysmon/Operational" EventCode="1") AND Image="\*rundll32.exe" | where CommandLine LIKE "%comsvcs.dll MiniDump%" OR CommandLine="_comsvcs.dll,#24")

Enterprise T1201 Password Policy Discovery

Monitor for newly executed processes that may attempt to access detailed information about the password policy used within an enterprise network or cloud environment.

Enterprise T1120 Peripheral Device Discovery

Monitor for newly executed processes that may attempt to gather information about attached peripheral devices and components connected to a computer system.

Enterprise T1069 Permission Groups Discovery

Monitor for newly constructed processes and/or command-lines for actions that could be taken to gather system and network information. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

.001 Local Groups

Monitor newly executed processes that may attempt to find local system groups and permission settings.

Note: Event IDs are for Sysmon (Event ID 1 - process creation) and Windows Security Log (Event ID 4688 - a new process has been created). The logic in the Analytic looks for any instances of net.exe used for local user/group discovery; although this utility is not normally used for benign purposes, such usage by system administrator actions may trigger false positives.

Analytic 1 - Local Permission Group Discovery

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="net.exe" AND ( CommandLine="net user" OR CommandLine="net group" OR CommandLine="net localgroup" OR CommandLine="get-localgroup" OR CommandLine="get-ADPrincipalGroupMembership*" )

.002 Domain Groups

Monitor newly executed processes that may attempt to find domain-level groups and permission settings.

For Linux, auditing frameworks that support alerting on process creation, including the audit daemon (auditd), can be used to alert on invocations of commands such as ldapsearch.

For MacOS, utilities that work in concert with Apple’s Endpoint Security Framework such as Process Monitor can be used to track usage of commands such as dscacheutil -q group.

Note: Event IDs are for Sysmon (Event ID 10 - process access) and Windows Security Log (Event ID 4688 - a new process has been created).

Analytic 1 - Local Permission Group Discovery - Net

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image= "net.exe" OR Image= "net1.exe") AND CommandLine="group/domain*")

.003 Cloud Groups

Monitor newly executed processes that may attempt to find cloud groups and permission settings.

Enterprise T1647 Plist File Modification

Monitor for newly executed processes with arguments that can modify property list (plist) files.

Enterprise T1057 Process Discovery

Monitor for newly executed processes that may attempt to get information about running processes on a system. To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment.

Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically.Within the built-in Windows Commands:

  • hostname
  • ipconfig
  • net
  • quser
  • qwinsta
  • sc with flags query, queryex, qc
  • systeminfo
  • tasklist
  • dsquery
  • whoamiNote: To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment.

Analytic 1 - Host Discovery Commands

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image="C:\Windows\\hostname.exe" OR Image="C:\Windows\\ipconfig.exe" OR Image="C:\Windows\\net.exe" OR Image="C:\Windows\\quser.exe" OR Image="C:\Windows\\qwinsta.exe" OR (Image="C:\Windows\\sc.exe" AND (CommandLine=" query " OR CommandLine=" qc ")) OR Image="C:\Windows\\systeminfo.exe" OR Image="C:\Windows\\tasklist.exe" OR Image="C:\Windows\*\whoami.exe")|stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName

Enterprise T1055 .012 Process Injection: Process Hollowing

Monitor for newly executed processes that may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Adversaries may start legitimate processes and then use their memory space to run malicious code. This analytic looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose they may not have the standard parent that we would expect. This list is not exhaustive, and it is possible for cyber actors to avoid this discepency. These signatures only work if Sysmon reports the parent process, which may not always be the case if the parent dies before sysmon processes the event.

Analytic 1 - Processes Started From Irregular Parents

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND ParentImage!="?" AND ParentImage!="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" AND ParentImage!="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" AND((Image="C:\Windows\System32\smss.exe" AND (ParentImage!="C:\Windows\System32\smss.exe" AND ParentImage!="System")) OR(Image="C:\Windows\System32\csrss.exe" AND (ParentImage!="C:\Windows\System32\smss.exe" AND ParentImage!="C:\Windows\System32\svchost.exe")) OR(Image="C:\Windows\System32\wininit.exe" AND ParentImage!="C:\Windows\System32\smss.exe") OR(Image="C:\Windows\System32\winlogon.exe" AND ParentImage!="C:\Windows\System32\smss.exe") OR(Image="C:\Windows\System32\lsass.exe" and ParentImage!="C:\Windows\System32\wininit.exe") OR(Image="C:\Windows\System32\LogonUI.exe" AND (ParentImage!="C:\Windows\System32\winlogon.exe" AND ParentImage!="C:\Windows\System32\wininit.exe")) OR(Image="C:\Windows\System32\services.exe" AND ParentImage!="C:\Windows\System32\wininit.exe") OR(Image="C:\Windows\System32\spoolsv.exe" AND ParentImage!="C:\Windows\System32\services.exe") OR(Image="C:\Windows\System32\taskhost.exe" AND (ParentImage!="C:\Windows\System32\services.exe" AND ParentImage!="C:\Windows\System32\svchost.exe")) OR(Image="C:\Windows\System32\taskhostw.exe" AND (ParentImage!="C:\Windows\System32\services.exe" AND ParentImage!="C:\Windows\System32\svchost.exe")) OR(Image="C:\Windows\System32\userinit.exe" AND (ParentImage!="C:\Windows\System32\dwm.exe" AND ParentImage!="C:\Windows\System32\winlogon.exe")))

Enterprise T1012 Query Registry

Monitor for newly executed processes that may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Note: The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such a registry key (PSProvider "Registry"). The Get-ChildItem gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations.

Note for Analytic 3: Replace FilePathToLolbasProcessXX.exe with lolBAS process names that are used by your organization. The number_standard_deviations parameter should be tuned accordingly. Identifying outliers by comparing distance from a data point to the average value against a certain number of standard deviations is recommended for data values that are symmetrical distributed. If your data is not distributed, try a different algorithm such as the Interquartile Range (IQR).

Analytic 1 - Suspicious Processes with Registry keys

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") | search (CommandLine LIKE "%reg%" AND CommandLine LIKE "%query%") OR (CommandLine LIKE "%Registry%" AND (CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine "%HKCR%"))

Analytic 2 - reg.exe spawned from suspicious cmd.exe

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") | WHERE (Image LIKE "%reg.exe%" AND ParentImage LIKE "%cmd.exe%")| rename ProcessParentGuid as guid| join type=inner guid[ | search ((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND (Image LIKE "%cmd.exe%" AND ParentImage NOT LIKE "%explorer.exe%")| rename ProcessGuid as guid ]

Analytic 3 - Rare LolBAS command lines

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND Image IN ('FilePathToLolbasProcess01.exe','FilePathToLolbasProcess02.exe') AND number_standard_deviations = 1.5| select Image, ProcessCount, AVG(ProcessCount) Over() - STDEV(ProcessCount) Over() * number_standard_deviations AS LowerBound | WHERE ProcessCount < LowerBound

Enterprise T1219 Remote Access Software

Monitor for applications and processes related to remote admin software. Correlate activity with other suspicious behavior that may reduce false positives if this type of software is used by legitimate users and administrators. Domain Fronting may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote software to compromised systems. It may be possible to detect or prevent the installation of this type of software with host-based solutions.

Enterprise T1563 Remote Service Session Hijacking

Monitor newly executed processes that may take control of preexisting sessions with remote services to move laterally in an environment.

.001 SSH Hijacking

Monitor newly executed processes that may hijack a legitimate user's SSH session to move laterally within an environment.

.002 RDP Hijacking

Consider monitoring processes for tscon.exe usage. Using tscon.exe to hijack an RDP session requires SYSTEM level permissions. Therefore, we recommend also looking for Privilege Escalation techniques that may be used for this purpose in conjunction with RDP Session Hijacking.

In addition to tscon.exe, mstsc.exe can similarly be used to hijack existing RDP sessions. In this case, we recommend looking for the command-line parameters of /noconsentPrompt and /shadow:, which allow for stealthy hijacking of an RDP session with no prompt and without kicking off the existing session.

Enterprise T1021 Remote Services

Monitor for newly executed processes that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC. The adversary may then perform actions that spawn additional processes as the logged-on user.

Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters.

Any tool of interest with commonly known command line usage can be detecting by command line analysis. Known substrings of command lines include

  • PuTTY
  • port forwarding -R * -pw
  • secure copy (scp) -pw * * @
  • mimikatz sekurlsa::
  • RAR  -hp
  • Archive* a * Additionally, it may be useful to find IP addresses in the command line
  • \d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}

Analytic 1 - Suspicious Arguments

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="-R . -pw" OR CommandLine="-pw . . .@." OR CommandLine="sekurlsa" OR CommandLine=" -hp " OR CommandLine=". a .*"

.001 Remote Desktop Protocol

Monitor for newly executed processes (such as mstsc.exe) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions that spawn additional processes as the logged-on user.

.002 SMB/Windows Admin Shares

Monitor for the creation of WMI Win32_Process class and method Create to interact with a remote network share using Server Message Block (SMB). Relevant indicators detected by Bro/Zeek is IWbemServices::ExecMethod or IWbemServices::ExecMethodAsync. One thing to notice is that when the Create method is used on a remote system, the method is run under a host process named "Wmiprvse.exe".

The process WmiprvSE.exe is what spawns the process defined in the CommandLine parameter of the Create method. Therefore, the new process created remotely will have Wmiprvse.exe as a parent. WmiprvSE.exe is a DCOM server and it is spawned underneath the DCOM service host svchost.exe with the following parameters C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p. From a logon session perspective, on the target, WmiprvSE.exe is spawned in a different logon session by the DCOM service host. However, whatever is executed by WmiprvSE.exe occurs on the new network type (3) logon session created by the user that authenticated from the network.

Analytic 1 - Basic

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND ParentImage="*wmiprvse.exe" AND TargetLogonID="0x3e7"

.003 Distributed Component Object Model

Monitor for newly executed processes associated with DCOM activity, especially those invoked by a user different than the one currently logged on. Enumeration of COM objects, via Query Registry or PowerShell, may also precede malicious use.[68][69]

The Microsoft Management Console (mmc.exe) can be by used by threat actors used to spawn arbitrary processes through DCOM. The typical process tree for this method looks like: svchost.exe —> mmc.exe —> .exe.

Accordingly, look for process creation events of mmc.exe in conjunction with the -Embedding command-line argument, along with suspicious child processes that can be used for malicious purposes, such as cmd.exe, reg.exe, etc.

Similar to the Microsoft Management Console, Excel can also be used to execute processes through DCOM. In this case, the typical process tree looks like: svchost.exe —> excel.exe —> .exe.

Look for process creation events of excel.exe in conjunction with the /automation -Embedding command-line argument, along with suspicious child processes that can be used for malicious purposes, such as cmd.exe, reg.exe, etc.

.004 SSH

Monitor for newly executed processes that may use Valid Accounts to log into remote machines using Secure Shell (SSH). For example, on macOS systems log show --predicate 'process = "sshd"' can be used to review incoming SSH connection attempts for suspicious activity. The command log show --info --predicate 'process = "ssh" or eventMessage contains "ssh"' can be used to review outgoing SSH connection activity.[70]

For Linux systems, the Audit framework (auditd) can be used to monitor for the creation of SSH related processes such as ssh.

For macOS systems (10.12+), the above command can be used to look through the Unified Logs for SSH connection activity, though we also recommend including the "—debug" parameter to ensure that all relevant data is returned: log show --info --debug --predicate 'process = "ssh" or eventMessage contains "ssh"'

.005 VNC

Monitor for newly executed processes that may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). For example, on macOS systems the screensharingd process may be related to VNC connection activity.[70]

.006 Windows Remote Management

Monitor for newly executed processes that may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM), as well as service processes such as wmiprvse.exe on destination hosts.

ICS T0886 Remote Services

Monitor for newly executed processes related to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may use Valid Accounts to login and may perform follow-on actions that spawn additional processes as the user.

Enterprise T1018 Remote System Discovery

Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.[52]

ICS T0846 Remote System Discovery

Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe , especially when executed in quick succession.[52] Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.

ICS T0888 Remote System Information Discovery

Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.[52] Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.

Enterprise T1091 Replication Through Removable Media

Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.

ICS T0847 Replication Through Removable Media

Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.

Enterprise T1496 Resource Hijacking

Monitor for common cryptomining or proxyware software process names that may indicate compromise and resource usage.

Enterprise T1053 Scheduled Task/Job

Monitor for newly executed processes that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

.002 At

Monitor for newly constructed processes with command-lines that create/modify or are executed from tasks. For example, on Windows tasks may spawn from svchost.exe or the Windows Task Scheduler taskeng.exe for older OS versions. [71] Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Instances of the process at.exe running imply the querying or creation of tasks. Although the command_line is not essential for the analytic to run, it is critical when identifying the command that was scheduled.

Analytic 1 - Scheduled Task

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="*at.exe"

.003 Cron

Create a baseline of cron jobs and the processes that they spawn in your environment. Monitor for newly spawned outlier processes that are executed through cron jobs that have not been seen before when compared against the baseline data.

Analytic 1 - Unusual Cron Job Creation

source="Linux:" Image= "crontab" OR Image= "cron" AND CommandLine LIKE "crontab -e" OR CommandLine LIKE "cron"

Analytic 2 - Unusual Execution Frequency

source="Linux:" Image= "crond" OR Image= "cron" AND ImageCount >= "100"

.005 Scheduled Task

Monitor for newly constructed processes and/or command-lines that execute from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. [71] If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Look for instances of schtasks.exe running as processes. The command_line field is necessary to disambiguate between types of schtasks commands. These include the flags /create , /run, /query, /delete, /change, and /end.

Detection of the creation or modification of Scheduled Tasks with a suspicious script, extension or user writable path. Attackers may create or modify Scheduled Tasks for the persistent execution of malicious code. This detection focuses at the same time on EventIDs 4688 and 1 with process creation (SCHTASKS) and EventID 4698, 4702 for Scheduled Task creation/modification event log.

Analytic 1 - New processes whose parent processes are svchost.exe or taskeng.exe

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND (ParentImage="svchost.exe" OR ParentImage="taskeng.exe")

Analytic 2 - Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths

( (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") CommandLine="SCHTASKS" (CommandLine="/CREATE" OR CommandLine="/CHANGE") ) ( ( CommandLine=".cmd" OR CommandLine=".ps1" OR CommandLine=".vbs" OR CommandLine=".py" OR CommandLine=".js" OR CommandLine=".exe" OR CommandLine=".bat" ) OR ( CommandLine="javascript" OR CommandLine="powershell" OR CommandLine="wmic" OR CommandLine="rundll32" OR CommandLine="cmd" OR CommandLine="cscript" OR CommandLine="wscript" OR CommandLine="regsvr32" OR CommandLine="mshta" OR CommandLine="bitsadmin" OR CommandLine="certutil" OR CommandLine="msiexec" OR CommandLine="javaw" ) OR ( CommandLine="%APPDATA%" OR CommandLine="\AppData\Roaming" OR CommandLine="%PUBLIC%" OR CommandLine="C:\Users\Public" OR CommandLine="%ProgramData%" OR CommandLine="C:\ProgramData" OR CommandLine="%TEMP%" OR CommandLine="\AppData\Local\Temp" OR CommandLine="\Windows\PLA\System" OR CommandLine="\tasks" OR CommandLine="\Registration\CRMLog" OR CommandLine="\FxsTmp" OR CommandLine="\spool\drivers\color" OR CommandLine="\tracing" ) )

.006 Systemd Timers

Monitor for newly constructed processes and/or command-lines that will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.

ICS T0853 Scripting

Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.

Enterprise T1505 Server Software Component

Process monitoring may be used to detect servers components that perform suspicious actions such as running cmd.exe or accessing files.

.003 Web Shell

Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is very similar to the following short payload: [72]

<?php @evaI($_P0ST['password']);>

Nevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as spawning cmd.exe or accessing files that are not in the Web directory.[73]

A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gatway in a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment.

Analytic 1 - Webshell-Indicative Process Tree

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (ParentImage="C:\Windows\System32\w3wp.exe" OR ParentImage="httpd.exe" OR ParentImage="tomcat.exe" OR ParentImage="nginx.exe")(Image="C:\Windows\System32\cmd.exe OR Image="C:\Windows\SysWOW64\cmd.exe" OR Image="C:\Windows\System32\\powershell.exe OR Image="C:\Windows\SysWOW64\\powershell.exe OR Image="C:\Windows\System32\net.exe" OR Image="C:\Windows\System32\hostname.exe" OR Image="C:\Windows\System32\whoami.exe" OR Image="systeminfo.exe OR Image="C:\Windows\System32\ipconfig.exe")

.005 Terminal Services DLL

Monitor processes with arguments that may potentially highlight adversary actions to modify Registry values (ex: reg.exe) or modify/replace the legitimate termsrv.dll.

Enterprise T1489 Service Stop

Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.

ICS T0881 Service Stop

Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.

Enterprise T1072 Software Deployment Tools

Monitor for newly executed processes that does not correlate to known good software. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems.

Enterprise T1518 Software Discovery

Monitor newly executed processes that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.

.001 Security Software Discovery

Monitor newly executed processes that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.

ICS T0865 Spearphishing Attachment

Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.[52] For added context on adversary procedures and background see Spearphishing Attachment.

Enterprise T1553 Subvert Trust Controls

Monitor processes and arguments for malicious attempts to modify trust settings, such as the installation of root certificates or modifications to trust attributes/policies applied to files.

.001 Gatekeeper Bypass

Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

.004 Install Root Certificate

Monitor for processes, such as certmgr.exe (macOS) or certutil.exe (Windows), that can be used to install root certificates. A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. [74] Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl. [74] The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List. [75]

Analytic 1 - Attempt to Add Certificate to Untrusted Store

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND Image="C:\Windows\System32\certutil.exe" CommandLine="-addstore"

.006 Code Signing Policy Modification

Monitor processes and command-line arguments for actions that could be taken to modify the code signing policy of a system, such as bcdedit.exe -set TESTSIGNING ON[76]

Enterprise T1218 System Binary Proxy Execution

Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.

.001 Compiled HTML File

Monitor and analyze the execution and arguments of hh.exe. [77] Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for the creation of any HTML Help Executable ( hh.exe ) processes. Adversaries may hide malicious code in .chm compiled help files; whenever a user tries to open one of these files, Windows executes the HTML Help Executable. Therefore, if there are legitimate uses of compiled help files in your environment, this analytic may lead to false positives and will require additional tuning.

Analytic 1 - Compiled HTML Access

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="C:\Windows\syswow64\hh.exe" OR Image="C:\Windows\system32\hh.exe"

.002 Control Panel

Monitor and analyze activity related to items associated with CPL files, such as the control.exe. Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.[78]

.003 CMSTP

Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Sysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: [79]* To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe* Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).

.004 InstallUtil

Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity

.005 Mshta

Use process monitoring to monitor the execution and arguments of mshta.exe.

.007 Msiexec

Use process monitoring to monitor the execution and arguments of msiexec.exe. Compare recent invocations of msiexec.exe with prior history of known good arguments and executed MSI files.

.008 Odbcconf

Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.

.009 Regsvcs/Regasm

Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity.

.010 Regsvr32

Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). - Analytic 1 is a more generic analytic that looks for suspicious usage of regsvr32.exe, specifically for cases where regsvr32.exe creates child processes that aren’t itself. It’s not likely that this will result in millions of hits, but it does occur during benign activity so some form of baselining would be necessary for this to be useful as an alerting analytic.- Analytic 2 is around "Squiblydoo", which is a specific usage of regsvr32.exe to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It looks for regsvr32.exe process creation events that load scrobj.dll via the command-line (which executes the COM scriptlet).- Analytic 3 This uses the same logic as above, but adds lightweight baselining by ignoring all results that also showed up in the previous 30 days (it runs over 1 day).- Analytic 4 This looks for child processes that may be spawend by regsvr32, while attempting to eliminate some of the common false positives such as werfault (Windows Error Reporting).

Analytic 1 - Generic Regsvr32

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") regsvr32.exe | search ParentImage="regsvr32.exe" AND Image!="regsvr32.exe*"

Analytic 2 - Squiblydoo

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") regsvr32.exe scrobj.dll | search Image="*regsvr32.exe"

Analyt 3 - New Items since last month

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") earliest=-d@d latest=now() regsvr32.exe | search ParentImage="regsvr32.exe" AND Image!="regsvr32.exe" | search NOT [search (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") earliest=-60d@d latest=-30d@d regsvr32.exe | search ParentImage="regsvr32.exe" AND Image!="regsvr32.exe" | dedup CommandLine | fields CommandLine ]

Analytic 4 - Spawning Child Processes

(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") (ParentImage="C:\Windows\System32\regsvr32.exe" OR ParentImage="C:\Windows\SysWOW64\regsvr32.exe") AND Image!="C:\Windows\System32\regsvr32.exe" AND Image!="C:\Windows\SysWOW64\regsvr32.exe" AND Image!="C:\WINDOWS\System32\regsvr32.exe" AND Image!="C:\WINDOWS\SysWOW64\regsvr32.exe" AND Image!="C:\Windows\SysWOW64\WerFault.exe" AND Image!="C:\Windows\System32\wevtutil.exe" AND Image!="C:\Windows\System32\WerFault.exe"|stats values(ComputerName) as "Computer Name" values(ParentCommandLine) as "Parent Command Line" count(Image) as ImageCount by Image

.011 Rundll32

Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.

When monitoring for all instances of Rundll32 execution, as defined by the logic in the Detection Pseudocode, it is imperative to also investigate the full set of command-line parameters used. These parameters contain key information about the DLL payload, including the name, entry point, and optional arguments.

Note: Event IDs are for Sysmon (Event ID 10 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for any instances of rundll32.exe but does no other filtering, which may result in false positives. Therefore, we recommend tuning any such analytics by including additional logic (e.g., testing the name of the user that created the process) that helps reduce false positives.

Analytic 1 - RunDLL32.exe Monitoring

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image= "rundll32.exe"

.012 Verclsid

Use process monitoring to monitor the execution and arguments of verclsid.exe. Compare recent invocations of verclsid.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Depending on the environment, it may be unusual for verclsid.exe to have a parent process of a Microsoft Office product. It may also be unusual for verclsid.exe to have any child processes or to make network connections or file modifications.

.013 Mavinject

Monitor the execution and arguments of mavinject.exe. Compare recent invocations of mavinject.exe with prior history of known good arguments and injected DLLs to determine anomalous and potentially adversarial activity.

.014 MMC

Monitor processes for suspicious or malicious use of MMC. Since MMC is a signed Windows binary, verify use of MMC is legitimate and not malicious.

.015 Electron Applications

Monitor processes and command-line parameters for binaries associated with Electron apps that may be used to proxy execution of malicious content. Compare recent invocations of these binaries with prior history of known good arguments to determine anomalous and potentially adversarial activity.

Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.

ICS T0894 System Binary Proxy Execution

Monitor for unusual processes execution, especially for processes that allow the proxy execution of malicious files.

Enterprise T1082 System Information Discovery

Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

Enterprise T1614 System Location Discovery

Monitor newly executed processes that may gather information in an attempt to calculate the geographical location of a victim host.

.001 System Language Discovery

Monitor for newly executed processes that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Enterprise T1016 System Network Configuration Discovery

Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses.

Note: The Analytic looks for the creation of ipconfig, route, and nbtstat processes, all of which are system administration utilities that can be used for the purpose of system network configuration discovery. If these tools are commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning.

Analytic 1 - Suspicious Process

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND (Image="C:\Windows\System32\ipconfig.exe" OR Image="C:\Windows\System32\route.exe" OR Image="C:\Windows\System32\nbtstat.exe")

.001 Internet Connection Discovery

Monitor for executed processes (such as tracert or ping) that may check for Internet connectivity on compromised systems.

Enterprise T1049 System Network Connections Discovery

Monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

Enterprise T1033 System Owner/User Discovery

Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for any instances of at being created, therefore implying the querying or creation of tasks. If this tools is commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning.

Analytic 1 - Suspicious Process Execution

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND Image="*at.exe"

Enterprise T1216 System Script Proxy Execution

Monitor script processes, such as `cscript that may be used to proxy execution of malicious files.

.001 PubPrn

Monitor script processes, such as `cscript that may be used to proxy execution of malicious files.

.002 SyncAppvPublishingServer

Monitor script processes, such as wscript.exe, that may be used to proxy execution of malicious files.

Enterprise T1007 System Service Discovery

Monitor for newly executed processes with arguments that may try to get information about registered services. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). For event id 4688, depending on Windows version, you might need to enable Administrative Templates\System\Audit Process Creation\Include command line in process creation events group policy to include command line in process creation events.

Analytic 1 - Suspicious Processes

((source=WinEventLog:"Security" EventCode="4688") OR (source=WinEventLog:"Microsoft-Windows-Sysmon/Operational" EventCode="1") | WHERE ((CommandLine LIKE "%sc%" AND CommandLine LIKE "%query%") OR (CommandLine LIKE "%tasklist%" AND CommandLine LIKE "%/svc%") OR (CommandLine LIKE "%systemctl%" AND CommandLine LIKE "%--type=service%") OR (CommandLine LIKE "%net%" AND CommandLine LIKE "%start%"))

Enterprise T1569 System Services

Monitor newly executed processes that may abuse system services or daemons to execute commands or programs.

.001 Launchctl

Monitor for newly executed daemons that may abuse launchctl to execute commands or programs.

.002 Service Execution

Monitor for newly executed processes that may abuse the Windows service control manager to execute malicious commands or payloads.

Events 4688 (Microsoft Windows Security Auditing) and 1 (Microsoft Windows Sysmon) provide context of Windows processes creation that can be used to implement this detection.

This detection is based on uncommon process and parent process relationships. Service Control Manager spawning command shell is a good starting point. Add more suspicious relationships based on the reality of your network environment.

In order to reduce false positives, you can also filter the CommandLine event field using parameters such as /c which carries out the command specified by the parent process.

Analytic 1 - Service Execution

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") | WHERE Image LIKE "services.exe" AND Image LIKE "cmd.exe"

Enterprise T1529 System Shutdown/Reboot

Monitor for newly executed processes of binaries involved in shutting down or rebooting systems.

Enterprise T1124 System Time Discovery

Monitor for newly executed processes that may gather the system time and/or time zone from a local or remote system.

Enterprise T1080 Taint Shared Content

Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques.

Enterprise T1221 Template Injection

Analyze process behavior to determine if an Office application is performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: PowerShell), or other suspicious actions that could relate to post-compromise behavior.

Enterprise T1205 Traffic Signaling

Identify running processes with raw sockets. Ensure processes listed have a need for an open raw socket and are in accordance with enterprise policy.[80]

.002 Socket Filters

Identify running processes with raw sockets. Ensure processes listed have a need for an open raw socket and are in accordance with enterprise policy.[80]

Enterprise T1127 Trusted Developer Utilities Proxy Execution

Monitor for abnormal presence of these or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious. Use process monitoring to monitor the execution and arguments of from developer utilities that may be abused. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that these utilities will be used by software developers or for other software development related tasks, so if it exists and is used outside of that context, then the event may be suspicious.

.001 MSBuild

Monitor for newly executed processes of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity.

Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe, which will execute any C# code placed within a given XML document; and msxsl.exe, which processes xsl transformation specifications for XML files and will execute a variaty of scripting languages contained within the XSL file. Both of these executables are rarely used outside of Visual Studio.

Analytic 1 - MSBuild and msxsl

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")(Image="C:\Program Files (x86)\Microsoft Visual Studio\\bin\MSBuild.exe" OR Image="C:\Windows\Microsoft.NET\Framework\msbuild.exe" OR Image="C:\users\\appdata\roaming\microsoft\msxsl.exe") ParentImage!="\Microsoft Visual Studio*")

Enterprise T1552 Unsecured Credentials

Monitor newly executed processes that may search compromised systems to find and obtain insecurely stored credentials.

.001 Credentials In Files

Monitor newly executed processes for local file systems and remote file shares for files containing insecurely stored credentials.

Note: Pseudocode Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for command-line instances of searching the Windows Registry for insecurely stored credentials. This can be accomplished using the query functionality of the Reg system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality.

Analytic 1 - Credentials in Files & Registry

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")
CommandLine="reg query HKLM /f password /t REG_SZ /s" ORCommandLine="reg query HKCU /f password /t REG_SZ /s" ORCommandLine="Get-UnattendedInstallFile" ORCommandLine="Get-Webconfig" ORCommandLine="Get-ApplicationHost" ORCommandLine="Get-SiteListPassword" ORCommandLine="Get-CachedGPPPassword" ORCommandLine="Get-RegistryAutoLogon*"

.002 Credentials in Registry

Monitor newly executed processes for applications that can be used to query the Registry, such as Reg, and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.

Note: Pseudocode Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for command-line instances of searching the Windows Registry for insecurely stored credentials. This can be accomplished using the query functionality of the Reg system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality.

Analytic 1 - Credentials in Files & Registry

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")
CommandLine="reg query HKLM /f password /t REG_SZ /s" ORCommandLine="reg query HKCU /f password /t REG_SZ /s" ORCommandLine="Get-UnattendedInstallFile" ORCommandLine="Get-Webconfig" ORCommandLine="Get-ApplicationHost" ORCommandLine="Get-SiteListPassword" ORCommandLine="Get-CachedGPPPassword" ORCommandLine="Get-RegistryAutoLogon*"

Enterprise T1204 User Execution

Monitor for newly executed processes that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.

.002 Malicious File

Monitor for newly constructed processes and/or command-lines for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.

ICS T0863 User Execution

Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.

Enterprise T1497 Virtualization/Sandbox Evasion

Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

.001 System Checks

Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

.002 User Activity Based Checks

User activity-based checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

.003 Time Based Evasion

Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

Enterprise T1047 Windows Management Instrumentation

Monitor for newly constructed processes and/or command-lines of "wmic". If the command line utility wmic.exe is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like wmic.exe /node:"\<hostname>" process call create "\<command line>". It is possible to also connect via IP address, in which case the string "\<hostname>" would instead look like IP Address. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility PowerShell.

Note: Event IDs are for Sysmon (Event ID 10 - process access) and Windows Security Log (Event ID 4688 - a new process has been created).

Besides executing arbitrary processes, wmic.exe can also be used to executed data stored in NTFS alternate data streams NTFS File Attributes.Looks for instances of wmic.exe as well as the substrings in the command line:- process call create- /node:

Analytic 1 : Create Remote Process via WMIC

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND Image="wmic.exe" AND CommandLine=" process call create *"

Enterprise T1220 XSL Script Processing

Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. [81] [82] Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded. The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.

Process: Process Metadata

Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.

Process: Process Metadata

Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.

Domain ID Name Detects
Enterprise T1548 Abuse Elevation Control Mechanism

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner that may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions.

.002 Bypass User Account Control

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner that may bypass UAC mechanisms to elevate process privileges on system.

.003 Sudo and Sudo Caching

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner that may perform sudo caching and/or use the suoders file to elevate privileges.

Enterprise T1134 Access Token Manipulation

Query systems for process and thread token information and look for inconsistencies such as user owns processes impersonating the local SYSTEM account.[83] Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.

.004 Parent PID Spoofing

Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.[84]

Enterprise T1059 Command and Scripting Interpreter

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. For example, consider monitoring for Windows Event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[85]

.001 PowerShell

Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[85]

Mobile T1623 Command and Scripting Interpreter

Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.

.001 Unix Shell

Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.

ICS T0874 Hooking

Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.

Enterprise T1562 .010 Impair Defenses: Downgrade Attack

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal use of a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, monitoring for Windows event ID (EID) 400, specifically the EngineVersion field which shows the version of PowerShell running, may highlight a malicious downgrade attack.[85]

Enterprise T1056 Input Capture

Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.

.004 Credential API Hooking

Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.

Enterprise T1036 Masquerading

Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled.

.003 Rename System Utilities

Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled.

.005 Match Legitimate Name or Location

Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity.

ICS T0849 Masquerading

Monitor for file names that are mismatched between the file name on disk and that of the binary's metadata. This is a likely indicator that a binary was renamed after it was compiled. For added context on adversary procedures and background see Masquerading and applicable sub-techniques.

Enterprise T1055 Process Injection

Monitor for process memory inconsistencies, such as checking memory ranges against a known copy of the legitimate module.[86]

.001 Dynamic-link Library Injection

Monitor for process memory inconsistencies compared to DLL files on disk by checking memory ranges against a known copy of the legitimate module.[86]

ICS T0853 Scripting

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features.

Process: Process Modification

Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)

Process: Process Modification

Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)

Domain ID Name Detects
Enterprise T1185 Browser Session Hijacking

This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. Monitor for Process Injection against browser applications.

Enterprise T1562 Impair Defenses

Using another process or third-party tools, monitor for modifications or access to system processes associated with logging.

.012 Disable or Modify Linux Audit System

Using another process or third-party tools, monitor for potentially malicious modifications or access to the auditd system process.

Enterprise T1055 Process Injection

Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.

.001 Dynamic-link Library Injection

Monitor for changes made to processes that may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument "INJECTRUNNING" as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic.

Analytic 1 - DLL Injection with Mavinject

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="C:\Windows\SysWOW64\mavinject.exe" OR Image="C:\Windows\System32\mavinject.exe" OR CommandLine="/INJECTRUNNING""

.002 Portable Executable Injection

Monitor for changes made to processes that may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges.

.003 Thread Execution Hijacking

Monitor for changes made to processes that may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges.

.004 Asynchronous Procedure Call

Monitor for changes made to processes that may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges.

.005 Thread Local Storage

Monitor for changes made to processes that may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges.

.008 Ptrace System Calls

Monitor for changes made to processes that may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges.

.012 Process Hollowing

Monitor for changes made to processes that may inject malicious code into suspended and hollowed processes in order to evade process-based defenses.

.015 ListPlanting

Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Analyze process behavior to determine if a process is performing unusual actions, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.

Process: Process Termination

Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)

Process: Process Termination

Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)

Domain ID Name Detects
ICS T0803 Block Command Message

Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.

ICS T0804 Block Reporting Message

Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.

ICS T0805 Block Serial COM

Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.

Enterprise T1562 Impair Defenses

Monitor for unexpected deletions of a running process (ex: Sysmon EID 5 or Windows EID 4689) that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

.001 Disable or Modify Tools

Monitor processes for unexpected termination related to security tools/services. Specifically, before execution of ransomware, monitor for rootkit tools, such as GMER, PowerTool or TDSSKiller, that may detect and terminate hidden processes and the host antivirus software.

Mobile T1629 Impair Defenses

Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running.

Enterprise T1489 Service Stop

Monitor processes and command-line arguments to see if critical processes are terminated or stop running.

ICS T0881 Service Stop

Monitor processes and command-line arguments to see if critical processes are terminated or stop running. For added context on adversary procedures and background see Service Stop.

References

  1. Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021.
  2. Microsoft TechNet. (n.d.). Retrieved April 25, 2017.
  3. Microsoft TechNet. (n.d.). Retrieved April 25, 2017.
  4. Microsoft TechNet. (n.d.). Retrieved April 25, 2017.
  5. Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019.
  6. Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019.
  7. Microsoft. (n.d.). AddMonitor function. Retrieved November 12, 2014.
  8. Apple. (n.d.). Keychain Items. Retrieved April 12, 2022.
  9. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  10. Microsoft. (2018, December 5). CredEnumarateA function (wincred.h). Retrieved November 24, 2020.
  11. Delpy, B. (2017, December 12). howto ~ credential manager saved credentials. Retrieved November 23, 2020.
  12. Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019.
  13. Microsoft. (n.d.). Domain.GetAllTrustRelationships Method. Retrieved February 14, 2019.
  14. Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
  15. Moe, O. (2018, January 14). Putting Data in Alternate Data Streams and How to Execute It. Retrieved June 30, 2018.
  16. Moe, O. (2018, April 11). Putting Data in Alternate Data Streams and How to Execute It - Part 2. Retrieved June 30, 2018.
  17. Atkinson, J. (2017, July 18). Host-based Threat Modeling & Indicator Design. Retrieved March 21, 2018.
  18. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  19. Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017.
  20. Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017.
  21. Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017.
  22. Satiro, J. (2011, September 14). GetHooks. Retrieved December 12, 2017.
  23. Felici, M. (2006, December 6). Any application-defined hook procedure on my machine?. Retrieved December 12, 2017.
  24. Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense against user-land. Retrieved December 12, 2017.
  25. Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.
  26. Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019.
  27. Microsoft. (2021, October 21). NPLogonNotify function (npapi.h). Retrieved March 30, 2023.
  28. Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018.
  29. Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018.
  30. Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018.
  31. Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022.
  32. Pinola, M. (2014, December 14). 3 tools to check your hard drive's health and make sure it's not already dying on you. Retrieved October 2, 2018.
  33. SanDisk. (n.d.). Self-Monitoring, Analysis and Reporting Technology (S.M.A.R.T.). Retrieved October 2, 2018.
  34. smartmontools. (n.d.). smartmontools. Retrieved October 2, 2018.
  35. Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017.
  36. GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017.
  37. Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.
  38. stderr. (2014, February 14). Detecting Userland Preload Rootkits. Retrieved December 20, 2017.
  39. Microsoft. (n.d.). GetWindowLong function. Retrieved December 16, 2017.
  40. Microsoft. (n.d.). SetWindowLong function. Retrieved December 16, 2017.
  41. Microsoft. (n.d.). SendNotifyMessage function. Retrieved December 16, 2017.
  42. Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: Process Doppelgänging. Retrieved December 20, 2017.
  43. hasherezade. (2017, December 18). Process Doppelgänging – a new way to impersonate a process. Retrieved December 20, 2017.
  1. 0x00pico. (2017, September 25). Super-Stealthy Droppers. Retrieved October 4, 2021.
  2. Landry, J. (2016, April 21). Teaching an old RAT new tricks. Retrieved October 4, 2021.
  3. Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.
  4. Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
  5. FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved April 1, 2021.
  6. ise. (2019, February 19). Password Managers: Under the Hood of Secrets Management. Retrieved January 22, 2021.
  7. VerSprite. (2018, January 24). Exploiting VyprVPN for MacOS. Retrieved April 20, 2022.
  8. French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.
  9. Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.
  10. Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018.
  11. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
  12. Chrome Enterprise and Education Help. (n.d.). Use Chrome Browser with Roaming User Profiles. Retrieved March 28, 2023.
  13. Adrien Bataille, Anders Vejlby, Jared Scott Wilson, and Nader Zaveri. (2021, December 14). Azure Run Command for Dummies. Retrieved March 13, 2023.
  14. Arntz, P. (2016, March 30). The Windows Vault . Retrieved November 23, 2020.
  15. detection.fyi. (2023, October 28). Potential Suspicious Mofcomp Execution. Retrieved February 9, 2024.
  16. The DFIR Report. (2023, January 8). proc_creation_win_mofcomp_execution.yml. Retrieved February 9, 2024.
  17. Pierce, Sean. (2015, November). Defending Against Malicious Application Compatibility Shims. Retrieved June 22, 2017.
  18. Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO). Retrieved December 18, 2017.
  19. Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.
  20. Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.
  21. Safran, Or. Asinovsky, Pavel. (2017, November). Who Hid My Desktop: Deep Dive Into HVNC. Retrieved November 28, 2023.
  22. Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021.
  23. Pena, E., Erikson, C. (2019, October 10). Staying Hidden on the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021.
  24. Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation for persistence. Retrieved June 24, 2020.
  25. Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.
  26. Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017.
  27. Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021.
  28. Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017.
  29. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  30. NSA Cybersecurity Directorate. (n.d.). Mitigating Web Shells. Retrieved July 22, 2021.
  31. Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.
  32. Russinovich, M. et al.. (2017, May 22). Sigcheck. Retrieved April 3, 2018.
  33. Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021.
  34. Moe, O. (2017, August 13). Bypassing Device guard UMCI using CHM – CVE-2017-8625. Retrieved October 3, 2018.
  35. Mercês, F. (2014, January 27). CPL Malware - Malicious Control Panel Items. Retrieved January 18, 2018.
  36. Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon.. Retrieved August 6, 2018.
  37. Jamie Harries. (2022, May 25). Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun. Retrieved October 18, 2022.
  38. LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.
  39. Desimone, J. (2018, April 18). Status Update. Retrieved July 3, 2018.
  40. Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017.
  41. Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019.
  42. Hastings, M. (2014, July 16). Investigating PowerShell Attacks. Retrieved December 1, 2021.
  43. Aliz Hammond. (2019, August 15). Hiding Malicious Code with "Module Stomping": Part 1. Retrieved July 14, 2022.