Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures[1]
Operating system function/method calls executed by a process
Operating system function/method calls executed by a process
Domain | ID | Name | Detects | |
---|---|---|---|---|
Enterprise | T1548 | Abuse Elevation Control Mechanism |
Also look for any process API calls for behavior that may be indicative of Process Injection. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling. |
|
.004 | Elevated Execution with Prompt |
Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling. |
||
Enterprise | T1134 | Access Token Manipulation |
Monitor for API calls, loaded by a payload, for token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. There are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., |
|
.001 | Token Impersonation/Theft |
Monitor for API calls associated with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators, such as DuplicateToken(Ex), ImpersonateLoggedOnUser , and SetThreadToken. |
||
.002 | Create Process with Token |
Monitor for API calls associated with detecting token manipulation only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior. Analysts can also monitor for use of Windows APIs such as |
||
.003 | Make and Impersonate Token |
Monitor for API calls associated with detecting token manipulation only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior, such as LogonUser and SetThreadToken. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators |
||
.004 | Parent PID Spoofing |
Monitor for API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information[5]). Malicious use of CreateProcess/CreateProcessA may also be proceeded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes.[6]This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible. |
||
.005 | SID-History Injection |
Monitor for API calls, such as PowerShell's Get-ADUser cmdlet or Windows API DsAddSidHistory function, to examine data in user’s SID-History attributes, especially users who have SID-History values from the same domain. |
||
Enterprise | T1087 | .001 | Account Discovery: Local Account |
Monitor for API calls (such as |
.002 | Account Discovery: Domain Account |
Monitor for API calls that may attempt to gather information about domain accounts such as type of user, privileges and groups. |
||
Enterprise | T1010 | Application Window Discovery |
Monitor for API calls (such as Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary. |
|
Enterprise | T1123 | Audio Capture |
Monitor for API calls associated with leveraging a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information. |
|
Enterprise | T1547 | Boot or Logon Autostart Execution |
Monitor for API calls that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. |
|
.010 | Port Monitors |
Monitor process API calls to |
||
.012 | Print Processors |
Monitor process API calls to |
||
Enterprise | T1115 | Clipboard Data |
Monitor API calls that could collect data stored in the clipboard from users copying information within or between applications. |
|
Enterprise | T1059 | .002 | Command and Scripting Interpreter: AppleScript |
Monitor for execution of AppleScript through |
Enterprise | T1543 | Create or Modify System Process |
Monitor for API calls that may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. |
|
.003 | Windows Service |
Monitor for API calls that may create or modify Windows services (ex: |
||
Enterprise | T1555 | Credentials from Password Stores |
Monitor for API calls that may search for common password storage locations to obtain user credentials. |
|
.001 | Keychain |
Monitor for Keychain Services API calls, specifically legacy extensions such as |
||
.003 | Credentials from Web Browsers |
Monitor for API calls that may acquire credentials from web browsers by reading files specific to the target browser.[9] |
||
.004 | Windows Credential Manager |
Consider monitoring API calls such as |
||
.005 | Password Managers |
Monitor for API calls that may search for common password storage locations to obtain user credentials. |
||
Enterprise | T1005 | Data from Local System |
Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. |
|
ICS | T0893 | Data from Local System |
Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data. |
|
Enterprise | T1565 | Data Manipulation |
Monitor for API calls associated with altering data. Remote access tools with built-in features may interact directly with the Windows API to gather information. |
|
.002 | Transmitted Data Manipulation |
Monitor for API calls associated with altering data. Remote access tools with built-in features may interact directly with the Windows API to gather information. |
||
.003 | Runtime Data Manipulation |
Monitor for API calls associated with altering data. Remote access tools with built-in features may interact directly with the Windows API to gather information. |
||
Enterprise | T1622 | Debugger Evasion |
Monitor for API calls (such as |
|
Enterprise | T1652 | Device Driver Discovery |
Monitor for API calls (such as |
|
Enterprise | T1482 | Domain Trust Discovery |
Monitor for API calls associated with gathering information on domain trust relationships that may be used to identify lateral movement like DSEnumerateDomainTrusts() Win32 API call to spot activity associated with Domain Trust Discovery.[12] Information may also be acquired through Windows system management tools such as PowerShell. The .NET method GetAllTrustRelationships() can be an indicator of Domain Trust Discovery.[13] |
|
Enterprise | T1611 | Escape to Host |
Monitor for unexpected usage of syscalls such as |
|
Enterprise | T1546 | .009 | Event Triggered Execution: AppCert DLLs |
Monitor and analyze application programming interface (API) calls that are indicative of Registry edits, such as |
.010 | Event Triggered Execution: AppInit DLLs |
Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as |
||
ICS | T0871 | Execution through API |
Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. |
|
Enterprise | T1083 | File and Directory Discovery |
Monitor for API calls that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. |
|
Enterprise | T1564 | Hide Artifacts |
Monitor for API calls that may attempt to hide artifacts associated with their behaviors to evade detection. |
|
.004 | NTFS File Attributes |
Monitor calls to the |
||
Enterprise | T1574 | .013 | Hijack Execution Flow: KernelCallbackTable |
Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances. for known bad sequence of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as |
ICS | T0874 | Hooking |
Monitor for API calls that can be used to install a hook procedure, such as the SetWindowsHookEx and SetWinEventHook functions.[19][20] Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools[20][21][22] or by programmatically examining internal kernel structures.[23][24] |
|
Enterprise | T1562 | Impair Defenses |
Monitor for the abnormal execution of API functions associated with system logging. |
|
.012 | Disable or Modify Linux Audit System |
Monitor for abnormal execution of syslog and other functions associated with system logging. |
||
Enterprise | T1070 | Indicator Removal |
Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
|
.001 | Clear Windows Event Logs |
Monitor for Windows API calls that may clear Windows Event Logs to hide the activity of an intrusion. |
||
ICS | T0872 | Indicator Removal on Host |
Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
|
Enterprise | T1056 | Input Capture |
Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState [25] |
|
.001 | Keylogging |
Monitor for API calls to the SetWindowsHook, GetKeyState, and GetAsyncKeyState.[25] and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes. |
||
.004 | Credential API Hooking |
Monitor for API calls to the SetWindowsHookEx and SetWinEventHook functions, which install a hook procedure.[19][20] Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools[20][21][22] or by programmatically examining internal kernel structures.[23][24] |
||
Enterprise | T1036 | Masquerading |
Monitor for API calls such as |
|
.009 | Break Process Trees |
Monitor for API calls such as |
||
Enterprise | T1556 | Modify Authentication Process |
Monitor for calls to Monitor for abnormal API calls to |
|
.001 | Domain Controller Authentication |
Monitor for API calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller |
||
.008 | Network Provider DLL |
Monitor for abnormal API calls to |
||
Enterprise | T1112 | Modify Registry |
Monitor for API calls associated with concealing Registry keys, such as Reghide. [28] Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns [29] and RegDelNull [30]. Other API calls relevant to Registry Modification include Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary. |
|
Enterprise | T1111 | Multi-Factor Authentication Interception |
Monitor for API calls associated with polling to intercept keystrokes. |
|
Enterprise | T1106 | Native API |
Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient. |
|
ICS | T0834 | Native API |
Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. |
|
ICS | T0840 | Network Connection Enumeration |
Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. For added context on adversary procedures and background see System Network Configuration Discovery and System Network Connections Discovery. |
|
Enterprise | T1135 | Network Share Discovery |
Monitor for API calls that may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. |
|
Enterprise | T1027 | Obfuscated Files or Information |
Monitor and analyze calls to functions such as |
|
.007 | Dynamic API Resolution |
Monitor and analyze calls to functions such as |
||
Enterprise | T1003 | OS Credential Dumping |
Monitor for API calls that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. |
|
.001 | LSASS Memory |
Monitor for API calls that may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). OS API calls associated with LSASS process dumping include Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary. |
||
Enterprise | T1120 | Peripheral Device Discovery |
Monitor for API calls that may attempt to gather information about attached peripheral devices and components connected to a computer system. |
|
Enterprise | T1069 | .001 | Permission Groups Discovery: Local Groups |
Monitor for API calls associated with finding local system groups and permission settings, such as NetLocalGroupEnum. Other API calls relevant to Local Group discovery include NetQueryDisplayInformation and NetGetDisplayInformationIndex. Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary. |
.002 | Permission Groups Discovery: Domain Groups |
Monitor for API calls associated with finding domain-level groups and permission settings, such as Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary. |
||
Enterprise | T1542 | Pre-OS Boot |
Monitor for API calls that may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. Disk check, forensic utilities, and data from device drivers (i.e. API calls) may reveal anomalies that warrant deeper investigation. [32] |
|
.002 | Component Firmware |
Monitor for API calls associated with the use of device drivers and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) [33] [34] disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms. |
||
Enterprise | T1057 | Process Discovery |
Monitor for API calls may attempt to get information about running processes on a system. |
|
Enterprise | T1055 | Process Injection |
Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as |
|
.001 | Dynamic-link Library Injection |
Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted. Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API CreateRemoteThread. Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process csrss.exe creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to inject DLLs, but for very different purposes. An adversary is likely to inject into a program to evade defenses or bypass User Account Control, but a security program might do this to gain increased monitoring of API calls. One of the most common methods of DLL Injection is through the Windows API LoadLibrary.
This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is LoadLibraryA or LoadLibraryW, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process. |
||
.002 | Portable Executable Injection |
Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as |
||
.003 | Thread Execution Hijacking |
Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as |
||
.004 | Asynchronous Procedure Call |
Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as |
||
.005 | Thread Local Storage |
Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as |
||
.008 | Ptrace System Calls |
Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.[35] [36] [37] [38] |
||
.011 | Extra Window Memory Injection |
Monitor for API calls related to enumerating and manipulating EWM such as GetWindowLong [39] and SetWindowLong [40]. Malware associated with this technique have also used SendNotifyMessage [41] to trigger the associated window procedure and eventual malicious injection. [14] |
||
.012 | Process Hollowing |
Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as |
||
.013 | Process Doppelgänging |
Monitor and analyze calls to |
||
.014 | VDSO Hijacking |
Monitor for malicious usage of system calls, such as ptrace and mmap, that can be used to attach to, manipulate memory, then redirect a processes' execution path. Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.[35][36][37][38] |
||
.015 | ListPlanting |
Consider monitoring for excessive use of Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as |
||
Enterprise | T1012 | Query Registry |
Monitor for API calls (such as Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. |
|
Enterprise | T1620 | Reflective Code Loading |
Monitor for code artifacts associated with reflectively loading code, such as the abuse of .NET functions such as |
|
Enterprise | T1113 | Screen Capture |
Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as |
|
ICS | T0852 | Screen Capture |
Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as CopyFromScreen, xwd, or screencapture.[46][47] The data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment. |
|
Enterprise | T1489 | Service Stop |
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, |
|
ICS | T0881 | Service Stop |
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. For added context on adversary procedures and background see Service Stop. |
|
Enterprise | T1129 | Shared Modules |
Monitor for API calls that may execute malicious payloads via loading shared modules. |
|
Enterprise | T1518 | Software Discovery |
Monitor for API calls that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. |
|
.001 | Security Software Discovery |
Monitor for API calls that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. OS API calls associated with LSASS process dumping include EnumProcesses, which can be used to enumerate the set of processes running on a host and filtered to look for security-specific processes. Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary. |
||
Enterprise | T1218 | System Binary Proxy Execution |
Monitor for API calls that bypass process and/or signature based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. |
|
.002 | Control Panel |
Monitor for API calls that may forge web cookies that can be used to gain access to web applications or Internet services. |
||
Enterprise | T1082 | System Information Discovery |
Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations. |
|
Enterprise | T1614 | System Location Discovery |
Remote access tools with built-in features may interact directly with the Windows API, such as calling |
|
.001 | System Language Discovery |
Monitor for API calls that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. |
||
Enterprise | T1016 | System Network Configuration Discovery |
Monitor for API calls (such as |
|
.002 | Wi-Fi Discovery |
Monitor for API calls (such as those from |
||
Enterprise | T1049 | System Network Connections Discovery |
Monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. |
|
Enterprise | T1033 | System Owner/User Discovery |
Monitor for API calls that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. |
|
Enterprise | T1007 | System Service Discovery |
Monitor for API calls associated with gathering information about registered local system services, such as QueryServiceStatusEx. Other Windows API calls worth monitoring include EnumServicesStatusExA, which can be used to enumerate services in the service control manager database. Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary. |
|
Enterprise | T1124 | System Time Discovery |
Monitor for API calls that may gather the system time and/or time zone from a local or remote system. Remote access tools with built-in features may interact directly with the Windows API to gather information. |
|
Enterprise | T1125 | Video Capture |
Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system. Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data. |
|
Enterprise | T1497 | Virtualization/Sandbox Evasion |
Monitor for API calls that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. |
|
.001 | System Checks |
Monitor for API calls that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. |
||
.002 | User Activity Based Checks |
Monitor for API calls that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. |
||
.003 | Time Based Evasion |
Monitor for API calls that may employ various time-based methods to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. |
Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)
Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)
Domain | ID | Name | Detects | |
---|---|---|---|---|
Enterprise | T1185 | Browser Session Hijacking |
This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. Monitor for Process Injection against browser applications. |
|
Enterprise | T1555 | Credentials from Password Stores |
Monitor for processes being accessed that may search for common password storage locations to obtain user credentials. |
|
.002 | Securityd Memory |
Monitor for processes being accessed that may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. |
||
.003 | Credentials from Web Browsers |
Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.). |
||
.005 | Password Managers |
Monitor process being accessed that may acquire user credentials from third-party password managers.[49] |
||
Enterprise | T1559 | Inter-Process Communication |
Monitor for processes making abnormal calls to higher privileged processes, such as a user application connecting to a VPN service.[50] |
|
.003 | XPC Services |
Monitor for processes making abnormal calls to higher privileged processes, such as a user application connecting to a VPN service.[50] |
||
Enterprise | T1556 | Modify Authentication Process |
Monitor for unexpected processes interacting with authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. |
|
.001 | Domain Controller Authentication |
Monitor for unexpected processes interacting with the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. |
||
Enterprise | T1003 | OS Credential Dumping |
Monitor for unexpected processes interacting with lsass.exe.[51] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity. LinuxTo obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path |
|
.001 | LSASS Memory |
Monitor for unexpected processes interacting with LSASS.exe.[51] Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity. Usage of Procdump and Windows Task Manager for LSASS dumping can also be detected via process creation events, since they both have a predictable set of command-line arguments (i.e., for specifying the process to be dumped). Note: Sysmon process access events (Event ID 10) can be extremely noisy, which necessitates tweaking the Sysmon configuration file. We recommend taking an approach analogous to that of the Sysmon Modular Configuration project (https://github.com/olafhartong/sysmon-modular) and filtering out any benign processes in your environment that produce large volumes of process access events. The GrantedAccess value in the below analytic for Mimikatz is meant to be used solely as an illustrative example of detecting Mimikatz LSASS access. However, actual GrantedAccess values change over time with different versions of Mimikatz and therefore detection engineers need to verify the accuracy of any GrantedAccess values that their analytics are using. Analytic 1 - Mimikatz
Analytic 2 - Procdump
Analytic 3 - Windows Task Manager
|
||
Enterprise | T1055 | Process Injection |
Monitor for processes being viewed that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. |
|
.001 | Dynamic-link Library Injection |
Monitor for process being viewed that may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. |
||
.002 | Portable Executable Injection |
Monitor for processes being viewed that may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. |
||
.003 | Thread Execution Hijacking |
Monitor for processes being viewed that may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. |
||
.004 | Asynchronous Procedure Call |
Monitor for processes being viewed that may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. |
||
.005 | Thread Local Storage |
Monitor for processes being viewed that may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. |
||
.008 | Ptrace System Calls |
Monitor for processes being viewed that may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. |
||
.012 | Process Hollowing |
Monitor for processes being viewed that may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. |
||
Enterprise | T1539 | Steal Web Session Cookie |
Monitor for attempts by programs to inject into or dump browser process memory. |
|
Enterprise | T1033 | System Owner/User Discovery |
Monitor for unexpected processes interacting with lsass.exe.[51] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity. LinuxTo obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path |
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Domain | ID | Name | Detects | |
---|---|---|---|---|
Enterprise | T1548 | Abuse Elevation Control Mechanism |
Monitor for newly executed processes that may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to "Get System", which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try and attain SYSTEM: in the first technique, they create a named pipe and connects an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. This analytic looks for both of these techniques. Analytic 1 - Get System Elevation
|
|
.002 | Bypass User Account Control |
Monitor newly executed processes, such as Threat actors often, after compromising a machine, try to disable User Access Control (UAC) to escalate privileges. This is often done by changing the registry key for system policies using "reg.exe", a legitimate tool provided by Microsoft for modifying the registry via command prompt or scripts. This action interferes with UAC and may enable a threat actor to escalate privileges on the compromised system, thereby allowing further exploitation of the system. Analytic 1 - UAC Bypass
Analytic 2 - Disable UAC
|
||
.003 | Sudo and Sudo Caching |
Monitor newly executed processes that may perform sudo caching and/or use the suoders file to elevate privileges. |
||
.004 | Elevated Execution with Prompt |
Consider monitoring for |
||
.006 | TCC Manipulation |
Monitor for newly executed processes that may circumvent TCC mechanisms designed to control access to elevated privileges. macOS system logs may also indicate when |
||
Enterprise | T1134 | Access Token Manipulation |
Monitor for executed processes that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. |
|
.004 | Parent PID Spoofing |
Monitor for newly constructed processes and/or command-lines that may abuse mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe |
||
Enterprise | T1087 | Account Discovery |
Monitor for processes that can be used to enumerate user accounts and groups such as |
|
.001 | Local Account |
Monitor for processes that can be used to enumerate user accounts and groups such as Note: Event IDs are for Sysmon (Event ID 1 - process creation) and Windows Security Log (Event ID 4688 - a new process has been created). - For Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on the enumeration/reading of files that store local users, including Analytic 1 - Net Discovery Commands
|
||
.002 | Domain Account |
Monitor for processes that can be used to enumerate domain accounts and groups, such as |
||
.003 | Email Account |
Monitor for newly executed processes, such as Windows Management Instrumentation and PowerShell , with arguments that can be used to enumerate email addresses and accounts. |
||
Enterprise | T1098 | Account Manipulation |
Monitor for newly constructed processes indicative of modifying account settings, such as those that modify |
|
.004 | SSH Authorized Keys |
Monitor for suspicious processes modifying the authorized_keys or /etc/ssh/sshd_config files. |
||
ICS | T0830 | Adversary-in-the-Middle |
Host-based implementations of this technique may utilize networking-based system calls or network utility commands (e.g., iptables) to locally intercept traffic. Monitor for relevant process creation events. |
|
Enterprise | T1010 | Application Window Discovery |
Monitor for newly executed processes that may attempt to get a listing of open application windows. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). Analytic 1 - Suspicious Processes
|
|
Enterprise | T1560 | Archive Collected Data |
Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip. |
|
.001 | Archive via Utility |
Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip. Before Exfiltration that an adversary has Collection, it is very likely that a Archive Collected Data will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored.In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of "* a *". This is helpful, as adversaries may change program names. Note: This analytic looks for the command line argument a, which is used by RAR. However, there may be other programs that have this as a legitimate argument and may need to be filtered out. Analytic 1 - Command Line Usage of Archiving Software
|
||
ICS | T0895 | Autorun Image |
Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. |
|
Enterprise | T1197 | BITS Jobs |
Monitor for newly constructed BITS tasks to enumerate using the BITSAdmin tool (bitsadmin /list /allusers /verbose). Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). Analytic 1 is oriented around looking for the creation of Microsoft Background Intelligent Transfer Service utility (bitsadmin.exe) processes that schedule a BITS job to persist on an endpoint. The analytic identifies the command-line parameters used to create, resume or add a file to a BITS job; these are typically seen combined in a single command-line or executed in sequence. Analytic 2 identifies Microsoft Background Intelligent Transfer Service utility Analytic 1 - BITS Job Persistence
Analytic 2 - BITSAdmin Download File
|
|
Enterprise | T1547 | Boot or Logon Autostart Execution |
Suspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data to increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. |
|
.001 | Registry Run Keys / Startup Folder |
Monitor for newly executed processes executed from the Run/RunOnce registry keys through Windows EID 9707 or "Software\Microsoft\Windows\CurrentVersion\Run" and "Software\Microsoft\Windows\CurrentVersion\RunOnce" registry keys with the full command line. Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via regedit.exe or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly. Output DescriptionThe sequence of processes that resulted in reg.exe being started from a shell. That is, a hierarchy that looks like• great-grand_parent.exe• grand_parent.exe• parent.exe• reg.exe Analytic 1 - Reg.exe called from Command Shell
|
||
.003 | Time Providers |
Monitor newly executed processes, such as the W32tm.exe utility. [53] The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. [54] |
||
.004 | Winlogon Helper DLL |
Monitor for the execution of processes that may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Analytic 1 - Modification of the Winlogon Registry Key
|
||
.006 | Kernel Modules and Extensions |
Monitor for newly created processes that may modify the kernel to automatically execute programs on system boot. |
||
.009 | Shortcut Modification |
Monitor for newly executed processes that may create or edit shortcuts to run a program during system boot or user login. |
||
.013 | XDG Autostart Entries |
Monitor newly executed processes that may modify XDG autostart entries to execute programs or commands during system boot. |
||
.014 | Active Setup |
Monitor newly executed processes that may achieve persistence by adding a Registry key to the Active Setup of the local machine. |
||
.015 | Login Items |
Monitor processes that start at login for unusual or unknown applications. Usual applications for login items could include what users add to configure their user environment, such as email, chat, or music applications, or what administrators include for organization settings and protections. Check for running applications from login items that also have abnormal behavior, such as establishing network connections. |
||
Enterprise | T1037 | Boot or Logon Initialization Scripts |
Monitor for newly executed processes that may use scripts automatically executed at boot or logon initialization to establish persistence. Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key Analytic 1 - Boot or Logon Initialization Scripts
|
|
.001 | Logon Script (Windows) |
Monitor for newly constructed processes and/or command-lines that execute logon scripts Analytic 1 - Boot or Logon Initialization Scripts
|
||
.002 | Login Hook |
Monitor for processes and/or command-lines to install or modify login hooks, as well as processes spawned at user login by these hooks. |
||
.003 | Network Logon Script |
Monitor for newly constructed processes and/or command-lines that execute logon scripts |
||
.004 | RC Scripts |
Monitor for newly constructed processes and/or command-lines that execute /etc/rc.local if present. |
||
.005 | Startup Items |
Monitor for newly constructed processes and/or command-lines that execute during the boot up process to check for unusual or unknown applications and behavior |
||
Enterprise | T1176 | Browser Extensions |
Monitor for newly executed processes that could be used to abuse internet browser extensions to establish persistence. |
|
Enterprise | T1217 | Browser Information Discovery |
Monitor for processes with arguments that may be associated with gathering browser information, such as local files and databases (e.g., |
|
Enterprise | T1651 | Cloud Administration Command |
Monitor virtual machines for the creation of processes associated with cloud virtual machine agents. In Windows-based Azure machines, monitor for the WindowsAzureGuestAgent.exe process.[56] |
|
Enterprise | T1059 | Command and Scripting Interpreter |
Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages. |
|
.001 | PowerShell |
Monitor for newly executed processes that may abuse PowerShell commands and scripts for execution. PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts. Powershell can be used to hide monitored command line execution such as: net usesc start Note: - The logic for Analytic 1 is based around detecting on non-interactive Powershell sessions (i.e., those not launched by a user through explorer.exe). This may lead to false positives when used in a production environment, so we recommend tuning any such analytics by including additional logic (e.g., looking for suspicious parent processes) that helps filter such events.- The logic for Analytic 2 is based around detecting on remote Powershell sessions. PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe. Analytic 1 - Non-interactive Powershell Sessions
Analytic 2 - Remote Powershell Sessions
Analytic 3 - Powershell Execution
|
||
.002 | AppleScript |
Monitor for newly executed processes that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Analytic 1 - Unusual Execution
Analytic 2 - Untrusted Locations
Analytic 3 - Parent/Child Process Relationship
|
||
.003 | Windows Command Shell |
Monitor for newly executed processes that may abuse the Windows command shell for execution. Note: Try an Analytic by creating a baseline of parent processes of cmd seen over the last 30 days and a list of parent processes of cmd seen today. Parent processes in the baseline are removed from the set of parent processes seen today, leaving a list of new parent processes. This analytic attempts to identify suspicious programs spawning cmd by looking for programs that do not normally create cmd. It is very common for some programs to spawn cmd as a subprocess, for example to run batch files or Windows commands. However, many processes don’t routinely launch a command prompt - e.g., Microsoft Outlook. A command prompt being launched from a process that normally doesn’t launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one. Analytic 1 - Unusual Command Execution
|
||
.004 | Unix Shell |
Monitor for newly executed processes that may abuse Unix shell commands and scripts for execution. |
||
.005 | Visual Basic |
Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. |
||
.006 | Python |
Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor newly executed processes that may abuse Python commands and scripts for execution. |
||
.007 | JavaScript |
Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts |
||
.010 | AutoHotKey & AutoIT |
Monitor and analyze the execution and arguments of the |
||
Mobile | T1623 | Command and Scripting Interpreter |
Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells. |
|
.001 | Unix Shell |
Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells. |
||
ICS | T0807 | Command-Line Interface |
Monitor for processes spawning from known command shell applications (e.g., PowerShell, Bash). Benign activity will need to be allow-listed. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. |
|
Enterprise | T1609 | Container Administration Command |
Container administration service activities and executed commands can be captured through logging of process execution with command-line arguments on the container as well as within the underlying host. |
|
Enterprise | T1659 | Content Injection |
Look for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery. |
|
Enterprise | T1136 | Create Account |
Monitor newly executed processes associated with account creation, such as net.exe |
|
.001 | Local Account |
Monitor newly executed processes associated with account creation, such as net.exe Analytic 1 - Create local admin accounts using net.exe
|
||
.002 | Domain Account |
Monitor newly executed processes associated with account creation, such as net.exe |
||
Enterprise | T1543 | Create or Modify System Process |
New, benign system processes may be created during installation of new software. |
|
.002 | Systemd Service |
Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. |
||
.003 | Windows Service |
Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. Windows runs the Service Control Manager (SCM) within the process services.exe. Windows launches services as independent processes or DLL loads within a svchost.exe group. To be a legitimate service, a process (or DLL) must have the appropriate service entry point SvcMain. If an application does not have the entry point, then it will timeout (default is 30 seconds) and the process will be killed. To survive the timeout, adversaries and red teams can create services that direct to cmd.exe with the flag /c, followed by the desired command. The /c flag causes the command shell to run a command and immediately exit. As a result, the desired program will remain running and it will report an error starting the service. This analytic will catch that command prompt instance that is used to launch the actual malicious executable. Additionally, the children and descendants of services.exe will run as a SYSTEM user by default. Note: Create a baseline of services seen over the last 30 days and a list of services seen today. Remove services in the baseline from services seen today, leaving a list of new services. Returns all processes named cmd.exe that have services.exe as a parent process. Because this should never happen, the /c flag is redundant in the search. Analytic 2 - Services launching CMD
|
||
.004 | Launch Daemon |
Monitor for newly executed processes that may create or modify Launch Daemons to execute malicious payloads as part of persistence. |
||
Enterprise | T1555 | Credentials from Password Stores |
Monitor newly executed processes that may search for common password storage locations to obtain user credentials. |
|
.001 | Keychain |
Monitor processes spawned by command line utilities to manipulate keychains directly, such as |
||
.004 | Windows Credential Manager |
Monitor newly executed processes for suspicious activity listing credentials from the Windows Credentials locker (e.g. |
||
Enterprise | T1485 | Data Destruction |
Monitor for newly executed processes of binaries that could be involved in data destruction activity, such as SDelete. |
|
ICS | T0809 | Data Destruction |
Monitor for newly executed processes of binaries that could be involved in data destruction activity, such as SDelete. |
|
Enterprise | T1486 | Data Encrypted for Impact |
Monitor for newly constructed processes and/or command-lines involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. |
|
Enterprise | T1005 | Data from Local System |
Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. |
|
ICS | T0893 | Data from Local System |
Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data. |
|
Enterprise | T1622 | Debugger Evasion |
Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. Debugger related system checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. |
|
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Monitor for newly executed processes that attempt to hide artifacts of an intrusion, such as common archive file applications and extensions (ex: Zip and RAR archive tools), and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. CertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - encodehex and decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis. Analytic Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic is oriented around the creation of CertUtil.exe processes, which may be used to encode and decode files, including PE and script code. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Analytic 1 - CertUtil with Decode Argument
|
|
Enterprise | T1652 | Device Driver Discovery |
Monitor processes ( |
|
Enterprise | T1561 | Disk Wipe |
Monitor newly executed processes that may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. |
|
.001 | Disk Content Wipe |
Monitor newly executed processes that may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources. |
||
.002 | Disk Structure Wipe |
Monitor newly executed processes that may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. |
||
Enterprise | T1482 | Domain Trust Discovery |
Monitor for newly executed processes that may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. |
|
Enterprise | T1189 | Drive-by Compromise |
Look for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery. |
|
ICS | T0817 | Drive-by Compromise |
Monitor for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk. |
|
Enterprise | T1611 | Escape to Host |
Monitor for process activity (such as unexpected processes spawning outside a container and/or on a host) that might indicate an attempt to escape from a privileged container to host. |
|
Enterprise | T1546 | Event Triggered Execution |
Tools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques. |
|
.001 | Change Default File Association |
Monitor for newly executed processes that may establish persistence by executing malicious content triggered by a file type association. |
||
.002 | Screensaver |
Monitor newly executed processes that may establish persistence by executing malicious content triggered by user inactivity. Analytic 1 - HKCU\Control Panel\Desktop registry key
|
||
.003 | Windows Management Instrumentation Event Subscription |
Monitor newly executed processes that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process). Note: Windows Event ID 4688 (A new process has been created) and Sysmon Event ID 1 (Process creation) can be used to alert on processes created by WMI event subscription triggers by filtering on events with a parent process name of Monitor for execution of mofcomp.exe as a child of a suspicious shell or script running utility – |
||
.004 | Unix Shell Configuration Modification |
Monitor newly executed processes that may establish persistence through executing malicious commands triggered by a user’s shell. |
||
.005 | Trap |
Monitor newly executed processes that may establish persistence by executing malicious content triggered by an interrupt signal. |
||
.006 | LC_LOAD_DYLIB Addition |
Monitor processes for those that may be used to modify binary headers. |
||
.007 | Netsh Helper DLL |
It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. |
||
.008 | Accessibility Features |
Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. An adversary can use accessibility features (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. Since an adversary does not have physical access to the machine, this technique must be run within Remote Desktop. To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. This analytic looks for instances of cmd.exe or powershell.exe launched directly from the logon process, winlogon.exe. Several accessibility programs can be run using the Ease of Access center
One simple way to implement this technique is to note that in a default Windows configuration there are no spaces in the path to the system32 folder. If the accessibility programs are ever run with a Debugger set, then Windows will launch the Debugger process and append the command line to the accessibility program. As a result, a space is inserted in the command line before the path. Looking for any instances of a space in the command line before the name of an accessibility program will help identify when Debuggers are set. The Windows Registry location HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for Accessibility Applications. The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set. Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic example looks for any creation of common accessibility processes such as sethc.exe but does no other filtering, which may result in false positives. Therefore, we recommend tuning any such analytics by including additional logic (e.g., testing the name of the parent process) that helps reduce false positives. Analytic 2 could depend on the possibility of the known strings used as arguments for other applications used in the day-to-day environment. Although the chance of the string "sethc.exe" being used as an argument for another application is unlikely, it still is a possibility. Analytic 1 - Command Launched from Winlogon
Analytic 2 - Debuggers for Accessibility Applications
|
||
.009 | AppCert DLLs |
Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. |
||
.010 | AppInit DLLs |
Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Note: Sysmon Event ID 1 (process create) and Windows Security Log Event ID 4688 (a new process has been created) can be used to detect new reg.exe processes that modify the AppInit DLL registry keys since the registry keys are specified as a command-line parameter. |
||
.011 | Application Shimming |
Monitor newly executed processs for sdbinst.exe for potential indications of application shim abuse. There are several public tools available that will detect shims that are currently available [60]:* Shim-Process-Scanner - checks memory of every running process for any shim flags* Shim-Detector-Lite - detects installation of custom shim databases* Shim-Guard - monitors registry for any shim installations* ShimScanner - forensic tool to find active shims in memory* ShimCacheMem - Volatility plug-in that pulls shim cache from memory (note: shims are only cached after reboot) |
||
.012 | Image File Execution Options Injection |
Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as |
||
.013 | PowerShell Profile |
Monitor newly executed processes that may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. |
||
.014 | Emond |
Monitor newly executed processes that may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). |
||
.015 | Component Object Model Hijacking |
Monitor newly executed processes that may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. |
||
.016 | Installer Packages |
Monitor processes with arguments that may be related to abuse of installer packages, including malicious, likely elevated processes triggered by application installations. |
||
Enterprise | T1480 | Execution Guardrails |
Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. Detecting the use of guardrails may be difficult depending on the implementation. |
|
.001 | Environmental Keying |
Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. Detecting the use of environmental keying may be difficult depending on the implementation. |
||
Enterprise | T1052 | Exfiltration Over Physical Medium |
Monitor for newly executed processes when removable media is mounted. |
|
.001 | Exfiltration over USB |
Monitor for newly executed processes when removable media is mounted |
||
Enterprise | T1203 | Exploitation for Client Execution |
Monitor for abnormal process creations, such as a Command and Scripting Interpreter spawning from a potentially exploited application. Also look for other behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of browser or Office processes. Example, it is not expected behavior for print spool service to be executing discovery type processes. However, this is one example and could be any number of native or third party processes that are executing either unusual or unknown (potentially adversary brought) processes. Note:- Analytic 1, look for instances where Office Applications (e.g., Word, Excel, PowerPoint) are launched with suspicious parameters or from unusual locations- Analytic 2, look for abnormal child process creation by Office Applications especially when accompanied by suspicious command-line parameters Analytic 1 - Office Application Process Execution
Analytic 2 - Unusual Child Process Creation
|
|
Enterprise | T1212 | Exploitation for Credential Access |
Monitor for abnormal process creations, such as a Command and Scripting Interpreter spawning from a potentially exploited application. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. |
|
Enterprise | T1211 | Exploitation for Defense Evasion |
Monitor for abnormal process creations, such as a Command and Scripting Interpreter spawning from a potentially exploited application. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes. |
|
Enterprise | T1068 | Exploitation for Privilege Escalation |
Monitor for newly executed processes that may exploit software vulnerabilities in an attempt to elevate privileges. After gaining initial access to a system, threat actors attempt to escalate privileges as they may be operating within a lower privileged process which does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting spoolsv or connhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us of any potentially malicious activity. Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic is oriented around looking for an invocation of either spoolsv.exe or conhost.exe by a user, thus alerting us of any potentially malicious activity. A common way of escalating privileges in a system is by externally invoking and exploiting these executables, both of which are legitimate Windows applications. Analytic 1 - Unusual Child Process for spoolsv.exe or connhost.exe
|
|
Enterprise | T1083 | File and Directory Discovery |
Monitor newly executed processes that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. |
|
Enterprise | T1222 | File and Directory Permissions Modification |
Monitor for newly executed processes that may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.[62][63] |
|
.001 | Windows File and Directory Permissions Modification |
Monitor for newly constructed processes and/or command-lines that can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. |
||
.002 | Linux and Mac File and Directory Permissions Modification |
Monitor for newly executed processes that may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.[62][63] |
||
Enterprise | T1606 | .002 | Forge Web Credentials: SAML Tokens |
This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS. Analytic 1 - Certutil.exe Certificate Extraction
|
ICS | T0823 | Graphical User Interface |
Monitor for newly executed processes related to services specifically designed to accept remote graphical connections, such as RDP and VNC. Remote Services and Valid Accounts may be used to access a host’s GUI. |
|
Enterprise | T1615 | Group Policy Discovery |
Monitor for newly executed processes that may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. |
|
Enterprise | T1564 | Hide Artifacts |
Monitor newly executed processes that may attempt to hide artifacts associated with their behaviors to evade detection. |
|
.001 | Hidden Files and Directories |
Monitor newly executed processes that may set files and directories to be hidden to evade detection mechanisms. |
||
.002 | Hidden Users |
Monitor newly executed processes for actions that could be taken to add a new user and subsequently hide it from login screens. |
||
.003 | Hidden Window |
Monitor newly executed processes that may use hidden windows to conceal malicious activity from the plain sight of users. For example, monitor suspicious windows explorer execution – such as an additional |
||
.004 | NTFS File Attributes |
Monitor for process execution that may use NTFS file attributes to hide their malicious data in order to evade detection. Analytic 1 - NTFS Alternate Data Stream Execution : System Utilities (Powershell)
Analytic 2 - NTFS Alternate Data Stream Execution : System Utilities (WMIC)
Analytic 3 - NTFS Alternate Data Stream Execution : System Utilities (rundll32)
Analytic 4 - NTFS Alternate Data Stream Execution : System Utilities (wscript/cscript)
|
||
.006 | Run Virtual Instance |
Monitor newly executed processes associated with running a virtual instance, such as those launched from binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). |
||
.009 | Resource Forking |
Monitor newly executed processes that may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. |
||
.010 | Process Argument Spoofing |
Analyze process behavior to determine if a process is performing actions it usually does not and/or do no align with its logged command-line arguments. Detection of process argument spoofing may be difficult as adversaries may momentarily modify stored arguments used for malicious execution. These changes may bypass process creation detection and/or later process memory analysis. Consider monitoring for Process Hollowing, which includes monitoring for process creation (especially those in a suspended state) as well as access and/or modifications of these processes (especially by the parent process) via Windows API calls.[65][66] |
||
.011 | Ignore Process Interrupts |
Monitor newly created processes for artifacts, such as |
||
Enterprise | T1574 | Hijack Execution Flow |
Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. |
|
.002 | DLL Side-Loading |
Monitor newly constructed processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the introduction of new files/programs. |
||
.005 | Executable Installer File Permissions Weakness |
Monitor for newly constructed processes to match an existing service executables. |
||
.006 | Dynamic Linker Hijacking |
Monitor for newly executed processes for unusual activity (e.g., a process that does not use the network begins to do so). |
||
.007 | Path Interception by PATH Environment Variable |
Monitor for newly executed processes for process executable paths that are named for partial directories. |
||
.008 | Path Interception by Search Order Hijacking |
Monitor for newly executed processes for process executable paths that are named for partial directories. |
||
.009 | Path Interception by Unquoted Path |
Monitor for newly executed processes that may execute their own malicious payloads by hijacking vulnerable file path references. |
||
.010 | Services File Permissions Weakness |
Monitor for newly executed processes that may execute their own malicious payloads by hijacking the binaries used by services. |
||
.011 | Services Registry Permissions Weakness |
Monitor suspicious programs execution through services. These processes may show up as outlier processes that have not been seen before when compared against historical data. |
||
.012 | COR_PROFILER |
Monitor for newly executed processes, such as setx.exe, that may abuse of the COR_PROFILER variable, monitor for new suspicious unmanaged profiling DLLs loading into .NET processes shortly after the CLR causing abnormal process behavior.[67] |
||
.014 | AppDomainManager |
Monitor newly constructed processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the loading of unexpected .NET resources. |
||
Enterprise | T1562 | Impair Defenses |
Monitor newly executed processes that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
|
.001 | Disable or Modify Tools |
In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using "sc" [service control], a legitimate tool provided by Microsoft for managing services. This action interferes with event detection and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. Note: Though this analytic is utilizing Event ID 1 for process creation, the arguments are specifically looking for the use of service control for querying or trying to stop Windows Defender. Analytic 1 - Detecting Tampering of Windows Defender Command Prompt
|
||
.002 | Disable Windows Event Logging |
Monitor newly executed processes that may disable Windows event logging to limit data that can be leveraged for detections and audits. Analytic 1 - Disable Windows Event Logging
|
||
.006 | Indicator Blocking |
Monitor for executed processes that may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. Analytic 1 - Indicator Blocking - Driver Unloaded
|
||
.009 | Safe Mode Boot |
Monitor newly executed processes that may abuse Windows safe mode to disable endpoint defenses. |
||
.010 | Downgrade Attack |
Monitor newly executed processes that may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. |
||
.011 | Spoof Security Alerting |
Consider monitoring for suspicious processes that may be spoofing security tools and monitoring messages. |
||
Enterprise | T1070 | Indicator Removal |
Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
|
.001 | Clear Windows Event Logs |
Monitor for newly executed processes that may clear Windows Event Logs to hide the activity of an intrusion. In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using "wevtutil", a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. Note: This search query looks for wevtutil, Clear-EventLog, Limit-EventLog, Remove-Item or Remove-EventLog inside a command that may cause the system to remove Windows Event logs. Analytic 1 - Clearing Windows Logs with Wevtutil
|
||
.003 | Clear Command History |
Monitor for the suspicious execution of processes that may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Analytic 1 - Clear Powershell Console Command History
|
||
.005 | Network Share Connection Removal |
Monitor for newly constructed processes and/or command line execution that can be used to remove network share connections via the net.exe process. Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic is oriented around looking for various methods of removing network shares via the command line, which is otherwise a rare event. Analytic 1- Network Share Connection Removal
|
||
.007 | Clear Network Connection History and Configurations |
Monitor created processes with arguments that may delete or alter malicious network configuration settings as well as generated artifacts that highlight network connection history on a host system -- which may include logs, files, or Registry values. |
||
.008 | Clear Mailbox Data |
Monitor for newly executed processes with arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined emails. |
||
.009 | Clear Persistence |
Monitor for newly executed processes that may delete or alter generated artifacts associated with persistence on a host system. |
||
ICS | T0872 | Indicator Removal on Host |
Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. |
|
Enterprise | T1202 | Indirect Command Execution |
Monitor for newly constructed processes and/or command-lines that can be used instead of invoking cmd (i.e. pcalua.exe, winrs.exe, cscript/wscript.exe, hh.exe, or bash.exe) |
|
Enterprise | T1490 | Inhibit System Recovery |
Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as Analytic 1 - Detecting Shadow Copy Deletion or Resize
Analytic 2 - BCDEdit Failure Recovery Modification
|
|
Enterprise | T1056 | Input Capture |
Monitor for newly executed processes conducting malicious activity |
|
.002 | GUI Input Capture |
Monitor for newly executed processes |
||
Enterprise | T1559 | Inter-Process Communication |
Monitor for newly executed processes that are associated with abuse of IPC mechanisms |
|
.001 | Component Object Model |
Monitor for newly executed processes that are associated with COM objects, especially those invoked by a user different than the one currently logged on. |
||
.002 | Dynamic Data Exchange |
Monitor for newly executed processes that may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. Analytic 1 - Unusual Child Process spawned using DDE exploit
|
||
Enterprise | T1570 | Lateral Tool Transfer |
Monitor newly constructed processes that assist in lateral tool transfers. |
|
ICS | T0867 | Lateral Tool Transfer |
Monitor newly constructed processes that assist in lateral tool transfers, such as file transfer programs. |
|
Enterprise | T1654 | Log Enumeration |
Monitor for unexpected process activity associated with utilities that can access and export logs, such as |
|
Enterprise | T1036 | Masquerading |
Monitor for newly executed processes that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. The RECYCLER and SystemVolumeInformation directories will be present on every drive. Replace %systemroot% and %windir% with the actual paths as configured by the endpoints. Analytic 1 - Suspicious Run Locations
|
|
.005 | Match Legitimate Name or Location |
Monitor for newly executed processes that may match or approximate the name or location of legitimate files or resources when naming/placing them. Looks for mismatches between process names and their image paths.Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exe, svchost.exe, etc).There are several sub-techniques, but this analytic focuses on Match Legitimate Name or Location only. Note: With process monitoring, hunt for processes matching these criteria:
Examples (true positive):C:\Users\administrator\svchost.exe To make sure the rule doesn’t miss cases where the executable would be started from a sub-folder of these locations, the entire path is checked for the process path. The below example should be considered as suspicious: C:\Windows\System32\srv\svchost.exe Analytic 1 - Common Windows Process Masquerading
|
||
.009 | Break Process Trees |
Monitor for the abnormal creation of background processes as well as processes executing from abnormal locations, such as |
||
Enterprise | T1112 | Modify Registry |
Monitor processes and command-line arguments for actions that could be taken to change, conceal, and/or delete information in the Registry. (i.e. reg.exe, regedit.exe). The analytic is oriented around detecting invocations of Reg where the parent executable is an instance of cmd.exe that wasn’t spawned by explorer.exe. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exewill typically be explorer.exe. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be baselined so they can be tuned out accordingly. Analytic Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). Analytic 1 - Registry Edit with Modification of Userinit, Shell or Notify
Analytic 2 - Modification of Default Startup Folder in the Registry Key 'Common Startup'
Analytic 3 - Registry Edit with Creation of SafeDllSearchMode Key Set to 0
|
|
ICS | T0840 | Network Connection Enumeration |
Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. |
|
Enterprise | T1135 | Network Share Discovery |
Monitor for newly executed processes that may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. |
|
Enterprise | T1040 | Network Sniffing |
Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network Note: The Analytic is for Windows systems and looks for new processes that have the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy. Analytic 1 - Windows
|
|
ICS | T0842 | Network Sniffing |
Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment. |
|
Enterprise | T1027 | Obfuscated Files or Information |
Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. |
|
.004 | Compile After Delivery |
Monitor for newly constructed processes and/or command-lines that look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system. Typically these should only be used in specific and limited cases, like for software development. |
||
Enterprise | T1137 | Office Application Startup |
Monitor newly executed processes that may leverage Microsoft Office-based applications for persistence between startups. Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously. |
|
.001 | Office Template Macros |
Monitor newly executed processes that may abuse Microsoft Office templates to obtain persistence on a compromised system. |
||
.002 | Office Test |
Monitor newly executed processes that may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. |
||
.003 | Outlook Forms |
Monitor newly executed processes that may abuse Microsoft Outlook forms to obtain persistence on a compromised system. |
||
.004 | Outlook Home Page |
Monitor newly executed processes that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. |
||
.005 | Outlook Rules |
Monitor newly executed processes that may abuse Microsoft Outlook rules to obtain persistence on a compromised system. |
||
.006 | Add-ins |
Monitor newly executed processes that may abuse Microsoft Office add-ins to obtain persistence on a compromised system. |
||
Enterprise | T1003 | OS Credential Dumping |
Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process. |
|
.001 | LSASS Memory |
Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process. Try monitoring for Sysmon Event ID 1 and/or Windows Security Event ID 4688 for process activity. Note: - Rundll32/MiniDump has a different command-line syntax than that of Procdump, in that the process being dumped is specified via process ID instead of name (as with Procdump). Therefore, because the LSASS process ID is non-deterministic, the MiniDump detection isn’t specific to LSASS dumping and may need to be tuned to help reduce false positives.- When monitoring for .dll functions on the command-line be sure to also check for the ordinal associated with the function. Analytic 1 - Procdump
Analytic 2 - MiniDump via rundll32
|
||
Enterprise | T1201 | Password Policy Discovery |
Monitor for newly executed processes that may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. |
|
Enterprise | T1120 | Peripheral Device Discovery |
Monitor for newly executed processes that may attempt to gather information about attached peripheral devices and components connected to a computer system. |
|
Enterprise | T1069 | Permission Groups Discovery |
Monitor for newly constructed processes and/or command-lines for actions that could be taken to gather system and network information. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. |
|
.001 | Local Groups |
Monitor newly executed processes that may attempt to find local system groups and permission settings. Note: Event IDs are for Sysmon (Event ID 1 - process creation) and Windows Security Log (Event ID 4688 - a new process has been created). The logic in the Analytic looks for any instances of net.exe used for local user/group discovery; although this utility is not normally used for benign purposes, such usage by system administrator actions may trigger false positives. Analytic 1 - Local Permission Group Discovery
|
||
.002 | Domain Groups |
Monitor newly executed processes that may attempt to find domain-level groups and permission settings. For Linux, auditing frameworks that support alerting on process creation, including the audit daemon (auditd), can be used to alert on invocations of commands such as For MacOS, utilities that work in concert with Apple’s Endpoint Security Framework such as Process Monitor can be used to track usage of commands such as Note: Event IDs are for Sysmon (Event ID 10 - process access) and Windows Security Log (Event ID 4688 - a new process has been created). Analytic 1 - Local Permission Group Discovery - Net
|
||
.003 | Cloud Groups |
Monitor newly executed processes that may attempt to find cloud groups and permission settings. |
||
Enterprise | T1647 | Plist File Modification |
Monitor for newly executed processes with arguments that can modify property list (plist) files. |
|
Enterprise | T1057 | Process Discovery |
Monitor for newly executed processes that may attempt to get information about running processes on a system. To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment. Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically.Within the built-in Windows Commands:
Analytic 1 - Host Discovery Commands
|
|
Enterprise | T1055 | .012 | Process Injection: Process Hollowing |
Monitor for newly executed processes that may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Adversaries may start legitimate processes and then use their memory space to run malicious code. This analytic looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose they may not have the standard parent that we would expect. This list is not exhaustive, and it is possible for cyber actors to avoid this discepency. These signatures only work if Sysmon reports the parent process, which may not always be the case if the parent dies before sysmon processes the event. Analytic 1 - Processes Started From Irregular Parents
|
Enterprise | T1012 | Query Registry |
Monitor for newly executed processes that may interact with the Windows Registry to gather information about the system, configuration, and installed software. Note: The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such a registry key (PSProvider "Registry"). The Get-ChildItem gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations. Note for Analytic 3: Replace FilePathToLolbasProcessXX.exe with lolBAS process names that are used by your organization. The number_standard_deviations parameter should be tuned accordingly. Identifying outliers by comparing distance from a data point to the average value against a certain number of standard deviations is recommended for data values that are symmetrical distributed. If your data is not distributed, try a different algorithm such as the Interquartile Range (IQR). Analytic 1 - Suspicious Processes with Registry keys
Analytic 2 - reg.exe spawned from suspicious cmd.exe
Analytic 3 - Rare LolBAS command lines
|
|
Enterprise | T1219 | Remote Access Software |
Monitor for applications and processes related to remote admin software. Correlate activity with other suspicious behavior that may reduce false positives if this type of software is used by legitimate users and administrators. Domain Fronting may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote software to compromised systems. It may be possible to detect or prevent the installation of this type of software with host-based solutions. |
|
Enterprise | T1563 | Remote Service Session Hijacking |
Monitor newly executed processes that may take control of preexisting sessions with remote services to move laterally in an environment. |
|
.001 | SSH Hijacking |
Monitor newly executed processes that may hijack a legitimate user's SSH session to move laterally within an environment. |
||
.002 | RDP Hijacking |
Consider monitoring processes for tscon.exe usage. Using tscon.exe to hijack an RDP session requires SYSTEM level permissions. Therefore, we recommend also looking for Privilege Escalation techniques that may be used for this purpose in conjunction with RDP Session Hijacking. In addition to tscon.exe, mstsc.exe can similarly be used to hijack existing RDP sessions. In this case, we recommend looking for the command-line parameters of |
||
Enterprise | T1021 | Remote Services |
Monitor for newly executed processes that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC. The adversary may then perform actions that spawn additional processes as the logged-on user. Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters. Any tool of interest with commonly known command line usage can be detecting by command line analysis. Known substrings of command lines include
Analytic 1 - Suspicious Arguments
|
|
.001 | Remote Desktop Protocol |
Monitor for newly executed processes (such as |
||
.002 | SMB/Windows Admin Shares |
Monitor for the creation of WMI Win32_Process class and method Create to interact with a remote network share using Server Message Block (SMB). Relevant indicators detected by Bro/Zeek is IWbemServices::ExecMethod or IWbemServices::ExecMethodAsync. One thing to notice is that when the Create method is used on a remote system, the method is run under a host process named "Wmiprvse.exe". The process WmiprvSE.exe is what spawns the process defined in the CommandLine parameter of the Create method. Therefore, the new process created remotely will have Wmiprvse.exe as a parent. WmiprvSE.exe is a DCOM server and it is spawned underneath the DCOM service host svchost.exe with the following parameters C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p. From a logon session perspective, on the target, WmiprvSE.exe is spawned in a different logon session by the DCOM service host. However, whatever is executed by WmiprvSE.exe occurs on the new network type (3) logon session created by the user that authenticated from the network. Analytic 1 - Basic
|
||
.003 | Distributed Component Object Model |
Monitor for newly executed processes associated with DCOM activity, especially those invoked by a user different than the one currently logged on. Enumeration of COM objects, via Query Registry or PowerShell, may also precede malicious use.[68][69] The Microsoft Management Console (mmc.exe) can be by used by threat actors used to spawn arbitrary processes through DCOM. The typical process tree for this method looks like: svchost.exe —> mmc.exe —> Accordingly, look for process creation events of mmc.exe in conjunction with the -Embedding command-line argument, along with suspicious child processes that can be used for malicious purposes, such as cmd.exe, reg.exe, etc. Similar to the Microsoft Management Console, Excel can also be used to execute processes through DCOM. In this case, the typical process tree looks like: svchost.exe —> excel.exe —> Look for process creation events of excel.exe in conjunction with the /automation -Embedding command-line argument, along with suspicious child processes that can be used for malicious purposes, such as cmd.exe, reg.exe, etc. |
||
.004 | SSH |
Monitor for newly executed processes that may use Valid Accounts to log into remote machines using Secure Shell (SSH). For example, on macOS systems For Linux systems, the Audit framework (auditd) can be used to monitor for the creation of SSH related processes such as ssh. For macOS systems (10.12+), the above command can be used to look through the Unified Logs for SSH connection activity, though we also recommend including the "—debug" parameter to ensure that all relevant data is returned: |
||
.005 | VNC |
Monitor for newly executed processes that may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). For example, on macOS systems the |
||
.006 | Windows Remote Management |
Monitor for newly executed processes that may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM), as well as service processes such as |
||
ICS | T0886 | Remote Services |
Monitor for newly executed processes related to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may use Valid Accounts to login and may perform follow-on actions that spawn additional processes as the user. |
|
Enterprise | T1018 | Remote System Discovery |
Monitor for newly executed processes that can be used to discover remote systems, such as |
|
ICS | T0846 | Remote System Discovery |
Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe , especially when executed in quick succession.[52] Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data. |
|
ICS | T0888 | Remote System Information Discovery |
Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.[52] Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data. |
|
Enterprise | T1091 | Replication Through Removable Media |
Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery. |
|
ICS | T0847 | Replication Through Removable Media |
Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery. |
|
Enterprise | T1496 | Resource Hijacking |
Monitor for common cryptomining or proxyware software process names that may indicate compromise and resource usage. |
|
Enterprise | T1053 | Scheduled Task/Job |
Monitor for newly executed processes that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. |
|
.002 | At |
Monitor for newly constructed processes with command-lines that create/modify or are executed from tasks. For example, on Windows tasks may spawn from Analytic 1 - Scheduled Task
|
||
.003 | Cron |
Create a baseline of cron jobs and the processes that they spawn in your environment. Monitor for newly spawned outlier processes that are executed through cron jobs that have not been seen before when compared against the baseline data. Analytic 1 - Unusual Cron Job Creation
Analytic 2 - Unusual Execution Frequency
|
||
.005 | Scheduled Task |
Monitor for newly constructed processes and/or command-lines that execute from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. [71] If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Look for instances of Detection of the creation or modification of Scheduled Tasks with a suspicious script, extension or user writable path. Attackers may create or modify Scheduled Tasks for the persistent execution of malicious code. This detection focuses at the same time on EventIDs 4688 and 1 with process creation (SCHTASKS) and EventID 4698, 4702 for Scheduled Task creation/modification event log. Analytic 1 - New processes whose parent processes are svchost.exe or taskeng.exe
Analytic 2 - Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths
|
||
.006 | Systemd Timers |
Monitor for newly constructed processes and/or command-lines that will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. |
||
ICS | T0853 | Scripting |
Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages. |
|
Enterprise | T1505 | Server Software Component |
Process monitoring may be used to detect servers components that perform suspicious actions such as running cmd.exe or accessing files. |
|
.003 | Web Shell |
Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is very similar to the following short payload: [72]
Nevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as spawning cmd.exe or accessing files that are not in the Web directory.[73] A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gatway in a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment. Analytic 1 - Webshell-Indicative Process Tree
|
||
.005 | Terminal Services DLL |
Monitor processes with arguments that may potentially highlight adversary actions to modify Registry values (ex: |
||
Enterprise | T1489 | Service Stop |
Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users. |
|
ICS | T0881 | Service Stop |
Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users. |
|
Enterprise | T1072 | Software Deployment Tools |
Monitor for newly executed processes that does not correlate to known good software. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems. |
|
Enterprise | T1518 | Software Discovery |
Monitor newly executed processes that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. |
|
.001 | Security Software Discovery |
Monitor newly executed processes that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. |
||
ICS | T0865 | Spearphishing Attachment |
Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.[52] For added context on adversary procedures and background see Spearphishing Attachment. |
|
Enterprise | T1553 | Subvert Trust Controls |
Monitor processes and arguments for malicious attempts to modify trust settings, such as the installation of root certificates or modifications to trust attributes/policies applied to files. |
|
.001 | Gatekeeper Bypass |
Monitor and investigate attempts to modify extended file attributes with utilities such as |
||
.004 | Install Root Certificate |
Monitor for processes, such as Analytic 1 - Attempt to Add Certificate to Untrusted Store
|
||
.006 | Code Signing Policy Modification |
Monitor processes and command-line arguments for actions that could be taken to modify the code signing policy of a system, such as |
||
Enterprise | T1218 | System Binary Proxy Execution |
Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators. |
|
.001 | Compiled HTML File |
Monitor and analyze the execution and arguments of hh.exe. [77] Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques. Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for the creation of any HTML Help Executable ( Analytic 1 - Compiled HTML Access
|
||
.002 | Control Panel |
Monitor and analyze activity related to items associated with CPL files, such as the control.exe. Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.[78] |
||
.003 | CMSTP |
Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Sysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: [79]* To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe* Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F). |
||
.004 | InstallUtil |
Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity |
||
.005 | Mshta |
Use process monitoring to monitor the execution and arguments of mshta.exe. |
||
.007 | Msiexec |
Use process monitoring to monitor the execution and arguments of msiexec.exe. Compare recent invocations of msiexec.exe with prior history of known good arguments and executed MSI files. |
||
.008 | Odbcconf |
Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. |
||
.009 | Regsvcs/Regasm |
Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. |
||
.010 | Regsvr32 |
Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). - Analytic 1 is a more generic analytic that looks for suspicious usage of regsvr32.exe, specifically for cases where regsvr32.exe creates child processes that aren’t itself. It’s not likely that this will result in millions of hits, but it does occur during benign activity so some form of baselining would be necessary for this to be useful as an alerting analytic.- Analytic 2 is around "Squiblydoo", which is a specific usage of regsvr32.exe to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It looks for regsvr32.exe process creation events that load scrobj.dll via the command-line (which executes the COM scriptlet).- Analytic 3 This uses the same logic as above, but adds lightweight baselining by ignoring all results that also showed up in the previous 30 days (it runs over 1 day).- Analytic 4 This looks for child processes that may be spawend by regsvr32, while attempting to eliminate some of the common false positives such as werfault (Windows Error Reporting). Analytic 1 - Generic Regsvr32
Analytic 2 - Squiblydoo
Analyt 3 - New Items since last month
Analytic 4 - Spawning Child Processes
|
||
.011 | Rundll32 |
Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. When monitoring for all instances of Rundll32 execution, as defined by the logic in the Detection Pseudocode, it is imperative to also investigate the full set of command-line parameters used. These parameters contain key information about the DLL payload, including the name, entry point, and optional arguments. Note: Event IDs are for Sysmon (Event ID 10 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for any instances of rundll32.exe but does no other filtering, which may result in false positives. Therefore, we recommend tuning any such analytics by including additional logic (e.g., testing the name of the user that created the process) that helps reduce false positives. Analytic 1 - RunDLL32.exe Monitoring
|
||
.012 | Verclsid |
Use process monitoring to monitor the execution and arguments of verclsid.exe. Compare recent invocations of verclsid.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Depending on the environment, it may be unusual for verclsid.exe to have a parent process of a Microsoft Office product. It may also be unusual for verclsid.exe to have any child processes or to make network connections or file modifications. |
||
.013 | Mavinject |
Monitor the execution and arguments of mavinject.exe. Compare recent invocations of mavinject.exe with prior history of known good arguments and injected DLLs to determine anomalous and potentially adversarial activity. |
||
.014 | MMC |
Monitor processes for suspicious or malicious use of MMC. Since MMC is a signed Windows binary, verify use of MMC is legitimate and not malicious. |
||
.015 | Electron Applications |
Monitor processes and command-line parameters for binaries associated with Electron apps that may be used to proxy execution of malicious content. Compare recent invocations of these binaries with prior history of known good arguments to determine anomalous and potentially adversarial activity. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators. |
||
ICS | T0894 | System Binary Proxy Execution |
Monitor for unusual processes execution, especially for processes that allow the proxy execution of malicious files. |
|
Enterprise | T1082 | System Information Discovery |
Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. |
|
Enterprise | T1614 | System Location Discovery |
Monitor newly executed processes that may gather information in an attempt to calculate the geographical location of a victim host. |
|
.001 | System Language Discovery |
Monitor for newly executed processes that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. |
||
Enterprise | T1016 | System Network Configuration Discovery |
Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. Note: The Analytic looks for the creation of ipconfig, route, and nbtstat processes, all of which are system administration utilities that can be used for the purpose of system network configuration discovery. If these tools are commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning. Analytic 1 - Suspicious Process
|
|
.001 | Internet Connection Discovery |
Monitor for executed processes (such as tracert or ping) that may check for Internet connectivity on compromised systems. |
||
Enterprise | T1049 | System Network Connections Discovery |
Monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. |
|
Enterprise | T1033 | System Owner/User Discovery |
Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process. Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for any instances of at being created, therefore implying the querying or creation of tasks. If this tools is commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning. Analytic 1 - Suspicious Process Execution
|
|
Enterprise | T1216 | System Script Proxy Execution |
Monitor script processes, such as `cscript that may be used to proxy execution of malicious files. |
|
.001 | PubPrn |
Monitor script processes, such as `cscript that may be used to proxy execution of malicious files. |
||
.002 | SyncAppvPublishingServer |
Monitor script processes, such as |
||
Enterprise | T1007 | System Service Discovery |
Monitor for newly executed processes with arguments that may try to get information about registered services. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). For event id 4688, depending on Windows version, you might need to enable Analytic 1 - Suspicious Processes
|
|
Enterprise | T1569 | System Services |
Monitor newly executed processes that may abuse system services or daemons to execute commands or programs. |
|
.001 | Launchctl |
Monitor for newly executed daemons that may abuse launchctl to execute commands or programs. |
||
.002 | Service Execution |
Monitor for newly executed processes that may abuse the Windows service control manager to execute malicious commands or payloads. Events 4688 (Microsoft Windows Security Auditing) and 1 (Microsoft Windows Sysmon) provide context of Windows processes creation that can be used to implement this detection. This detection is based on uncommon process and parent process relationships. Service Control Manager spawning command shell is a good starting point. Add more suspicious relationships based on the reality of your network environment. In order to reduce false positives, you can also filter the CommandLine event field using parameters such as /c which carries out the command specified by the parent process. Analytic 1 - Service Execution
|
||
Enterprise | T1529 | System Shutdown/Reboot |
Monitor for newly executed processes of binaries involved in shutting down or rebooting systems. |
|
Enterprise | T1124 | System Time Discovery |
Monitor for newly executed processes that may gather the system time and/or time zone from a local or remote system. |
|
Enterprise | T1080 | Taint Shared Content |
Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques. |
|
Enterprise | T1221 | Template Injection |
Analyze process behavior to determine if an Office application is performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: PowerShell), or other suspicious actions that could relate to post-compromise behavior. |
|
Enterprise | T1205 | Traffic Signaling |
Identify running processes with raw sockets. Ensure processes listed have a need for an open raw socket and are in accordance with enterprise policy.[80] |
|
.002 | Socket Filters |
Identify running processes with raw sockets. Ensure processes listed have a need for an open raw socket and are in accordance with enterprise policy.[80] |
||
Enterprise | T1127 | Trusted Developer Utilities Proxy Execution |
Monitor for abnormal presence of these or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious. Use process monitoring to monitor the execution and arguments of from developer utilities that may be abused. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that these utilities will be used by software developers or for other software development related tasks, so if it exists and is used outside of that context, then the event may be suspicious. |
|
.001 | MSBuild |
Monitor for newly executed processes of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe, which will execute any C# code placed within a given XML document; and msxsl.exe, which processes xsl transformation specifications for XML files and will execute a variaty of scripting languages contained within the XSL file. Both of these executables are rarely used outside of Visual Studio. Analytic 1 - MSBuild and msxsl
|
||
Enterprise | T1552 | Unsecured Credentials |
Monitor newly executed processes that may search compromised systems to find and obtain insecurely stored credentials. |
|
.001 | Credentials In Files |
Monitor newly executed processes for local file systems and remote file shares for files containing insecurely stored credentials. Note: Pseudocode Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for command-line instances of searching the Windows Registry for insecurely stored credentials. This can be accomplished using the query functionality of the Reg system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality. Analytic 1 - Credentials in Files & Registry
|
||
.002 | Credentials in Registry |
Monitor newly executed processes for applications that can be used to query the Registry, such as Reg, and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives. Note: Pseudocode Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for command-line instances of searching the Windows Registry for insecurely stored credentials. This can be accomplished using the query functionality of the Reg system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality. Analytic 1 - Credentials in Files & Registry
|
||
Enterprise | T1204 | User Execution |
Monitor for newly executed processes that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. |
|
.002 | Malicious File |
Monitor for newly constructed processes and/or command-lines for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. |
||
ICS | T0863 | User Execution |
Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. |
|
Enterprise | T1497 | Virtualization/Sandbox Evasion |
Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. |
|
.001 | System Checks |
Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. |
||
.002 | User Activity Based Checks |
User activity-based checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. |
||
.003 | Time Based Evasion |
Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. |
||
Enterprise | T1047 | Windows Management Instrumentation |
Monitor for newly constructed processes and/or command-lines of "wmic". If the command line utility Note: Event IDs are for Sysmon (Event ID 10 - process access) and Windows Security Log (Event ID 4688 - a new process has been created). Besides executing arbitrary processes, wmic.exe can also be used to executed data stored in NTFS alternate data streams NTFS File Attributes.Looks for instances of wmic.exe as well as the substrings in the command line:- process call create- /node: Analytic 1 : Create Remote Process via WMIC
|
|
Enterprise | T1220 | XSL Script Processing |
Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. [81] [82] Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded. The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious. |
Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.
Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.
Domain | ID | Name | Detects | |
---|---|---|---|---|
Enterprise | T1548 | Abuse Elevation Control Mechanism |
Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner that may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. |
|
.002 | Bypass User Account Control |
Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner that may bypass UAC mechanisms to elevate process privileges on system. |
||
.003 | Sudo and Sudo Caching |
Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner that may perform sudo caching and/or use the suoders file to elevate privileges. |
||
Enterprise | T1134 | Access Token Manipulation |
Query systems for process and thread token information and look for inconsistencies such as user owns processes impersonating the local SYSTEM account.[83] Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process. |
|
.004 | Parent PID Spoofing |
Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.[84] |
||
Enterprise | T1059 | Command and Scripting Interpreter |
Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. For example, consider monitoring for Windows Event ID (EID) 400, which shows the version of PowerShell executing in the |
|
.001 | PowerShell |
Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the |
||
Mobile | T1623 | Command and Scripting Interpreter |
Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells. |
|
.001 | Unix Shell |
Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells. |
||
ICS | T0874 | Hooking |
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. |
|
Enterprise | T1562 | .010 | Impair Defenses: Downgrade Attack |
Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal use of a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, monitoring for Windows event ID (EID) 400, specifically the |
Enterprise | T1056 | Input Capture |
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. |
|
.004 | Credential API Hooking |
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. |
||
Enterprise | T1036 | Masquerading |
Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. |
|
.003 | Rename System Utilities |
Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. |
||
.005 | Match Legitimate Name or Location |
Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. |
||
ICS | T0849 | Masquerading |
Monitor for file names that are mismatched between the file name on disk and that of the binary's metadata. This is a likely indicator that a binary was renamed after it was compiled. For added context on adversary procedures and background see Masquerading and applicable sub-techniques. |
|
Enterprise | T1055 | Process Injection |
Monitor for process memory inconsistencies, such as checking memory ranges against a known copy of the legitimate module.[86] |
|
.001 | Dynamic-link Library Injection |
Monitor for process memory inconsistencies compared to DLL files on disk by checking memory ranges against a known copy of the legitimate module.[86] |
||
ICS | T0853 | Scripting |
Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. |
Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)
Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)
Domain | ID | Name | Detects | |
---|---|---|---|---|
Enterprise | T1185 | Browser Session Hijacking |
This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. Monitor for Process Injection against browser applications. |
|
Enterprise | T1562 | Impair Defenses |
Using another process or third-party tools, monitor for modifications or access to system processes associated with logging. |
|
.012 | Disable or Modify Linux Audit System |
Using another process or third-party tools, monitor for potentially malicious modifications or access to the |
||
Enterprise | T1055 | Process Injection |
Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. |
|
.001 | Dynamic-link Library Injection |
Monitor for changes made to processes that may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it roles up many of the necessary steps into one, and is available within Windows. Attackers may rename the executable, so we also use the common argument "INJECTRUNNING" as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic. Analytic 1 - DLL Injection with Mavinject
|
||
.002 | Portable Executable Injection |
Monitor for changes made to processes that may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. |
||
.003 | Thread Execution Hijacking |
Monitor for changes made to processes that may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. |
||
.004 | Asynchronous Procedure Call |
Monitor for changes made to processes that may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. |
||
.005 | Thread Local Storage |
Monitor for changes made to processes that may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. |
||
.008 | Ptrace System Calls |
Monitor for changes made to processes that may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. |
||
.012 | Process Hollowing |
Monitor for changes made to processes that may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. |
||
.015 | ListPlanting |
Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Analyze process behavior to determine if a process is performing unusual actions, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. |
Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)
Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)
Domain | ID | Name | Detects | |
---|---|---|---|---|
ICS | T0803 | Block Command Message |
Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications. |
|
ICS | T0804 | Block Reporting Message |
Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications. |
|
ICS | T0805 | Block Serial COM |
Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications. |
|
Enterprise | T1562 | Impair Defenses |
Monitor for unexpected deletions of a running process (ex: Sysmon EID 5 or Windows EID 4689) that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
|
.001 | Disable or Modify Tools |
Monitor processes for unexpected termination related to security tools/services. Specifically, before execution of ransomware, monitor for rootkit tools, such as GMER, PowerTool or TDSSKiller, that may detect and terminate hidden processes and the host antivirus software. |
||
Mobile | T1629 | Impair Defenses |
Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running. |
|
Enterprise | T1489 | Service Stop |
Monitor processes and command-line arguments to see if critical processes are terminated or stop running. |
|
ICS | T0881 | Service Stop |
Monitor processes and command-line arguments to see if critical processes are terminated or stop running. For added context on adversary procedures and background see Service Stop. |