Windows-specific environmental keying behavioral chain: (1) Rapid system information discovery through multiple techniques (WMI queries, registry enumeration, network share discovery, hostname/domain checks), (2) Target validation through specific environmental artifact collection (AD domain membership, network topology, installed software versions), (3) Cryptographic operation correlation indicating payload decryption based on collected environmental values, (4) Subsequent malicious code execution following successful environmental validation, (5) Temporal clustering of discovery activities suggesting automated environmental assessment

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624, 4648, 4672 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=25 |
| WMI Creation (DC0008) | WinEventLog:WMI | EventCode=5857, 5860, 5861 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4103 |

| Field | Description |
|---|---|
| DiscoveryTimeWindow | Time window for correlating multiple discovery activities as part of environmental assessment - adjust based on observed attack patterns and system performance (default: 300 seconds) |
| CriticalDiscoveryThreshold | Minimum number of distinct discovery techniques within time window to trigger detection - tune based on environment's normal administrative activity levels |
| TargetSpecificArtifacts | Organization-specific environmental elements that adversaries might target (domain names, network shares, specific hostnames, software versions) |
| CryptographicIndicatorPatterns | Process names, command lines, and API calls indicating potential decryption operations - customize based on observed cryptographic tool usage in environment |
| LegitimateAdminAccounts | User accounts authorized to perform extensive system discovery - maintain current list to reduce false positives from legitimate administrative activities |
| BusinessHoursBaseline | Normal business hours for risk scoring adjustment - discovery activities outside these hours receive higher risk scores |
| WMIQueryComplexityThreshold | Complexity metric for WMI queries to identify sophisticated environmental assessment versus simple system checks |

Linux environmental keying behavioral chain: (1) System information gathering through native commands (uname, hostname, id, whoami, ifconfig/ip) and file system enumeration, (2) Network configuration discovery (route tables, DNS settings, network interfaces), (3) Filesystem and mount point analysis for target-specific directories or devices, (4) Process and service enumeration to identify target-specific software, (5) Cryptographic library usage correlation with collected environmental data, (6) Payload execution following successful environmental validation

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:SYSCALL | execve syscalls for discovery commands (uname, hostname, id, whoami, ps, netstat, mount) with command-line parameter analysis |
| File Access (DC0055) | linux:syslog | kernel messages related to cryptographic operations, module loading, and filesystem access patterns |
| Process Creation (DC0032) | linux:osquery | process_events |

| Field | Description |
|---|---|
| DiscoveryCommandSequenceThreshold | Number of distinct discovery commands within time window to trigger detection - adjust based on normal system administration patterns in environment |
| ProcessAncestryDepth | Depth of process parent-child relationships to analyze for discovery activity clustering - balance between detection efficacy and performance |
| CryptographicLibraryIndicators | Shared libraries and system calls indicating cryptographic operations (libcrypto, libssl, openssl) - customize based on environment-specific crypto tools |
| TargetSpecificFilesystems | Organization-specific mount points, network filesystems, or device paths that adversaries might validate against |
| AuthorizedDiscoveryUsers | User accounts and service accounts authorized for extensive system discovery operations - maintain for false positive reduction |
| NetworkConfigurationBaseline | Normal network interface configurations and routing tables to identify anomalous network discovery patterns |
| ContainerContextIdentifiers | Container runtime identifiers and namespace patterns to detect environmental assessment targeting container environments |

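One way to implement the process-ancestry clustering that the Linux chain and the ProcessAncestryDepth and DiscoveryCommandSequenceThreshold elements describe, as an added example that is not code from the original page or from MITRE ATT&CK. It assumes osquery-style process records with pid, parent, cmdline and time fields (the record layout, the sample events and the discovery command set are this example's own assumptions), walks each discovery command's parent chain up to the configured depth, and alerts when a single ancestor accounts for enough distinct discovery techniques inside the time window. The same grouping idea applies to Sysmon ParentProcessId chains on Windows.

```python
"""Cluster Linux discovery commands by a shared process ancestor.

Added illustration for the Linux environmental keying chain; not code from
the original page or from MITRE. Input records are constructed and use an
assumed field layout (pid, parent, cmdline, time), not osquery's exact schema.
"""
from collections import defaultdict

# Discovery commands named in the Linux chain plus route/DNS inspection (assumed set).
DISCOVERY_COMMANDS = {
    "uname", "hostname", "id", "whoami", "ifconfig", "ip",
    "ps", "netstat", "mount", "route", "cat",
}
# Reads of these files count as network/filesystem configuration discovery.
DISCOVERY_FILES = {"/etc/resolv.conf", "/etc/hosts", "/proc/net/route", "/etc/fstab"}

# Constructed sample: pid 100 spawns a shell that runs a burst of discovery
# commands, then launches a second stage; pid 300 is an interactive admin
# session running two unrelated commands minutes apart.
SAMPLE_EVENTS = [
    {"pid": 100, "parent": 1,   "cmdline": "/opt/updater/run",      "time": 0},
    {"pid": 101, "parent": 100, "cmdline": "/bin/sh -c collect",    "time": 1},
    {"pid": 102, "parent": 101, "cmdline": "uname -a",              "time": 2},
    {"pid": 103, "parent": 101, "cmdline": "hostname -f",           "time": 2},
    {"pid": 104, "parent": 101, "cmdline": "id",                    "time": 3},
    {"pid": 105, "parent": 101, "cmdline": "ip route show",         "time": 3},
    {"pid": 106, "parent": 101, "cmdline": "cat /etc/resolv.conf",  "time": 4},
    {"pid": 107, "parent": 101, "cmdline": "mount",                 "time": 4},
    {"pid": 108, "parent": 100, "cmdline": "/opt/updater/stage2",   "time": 6},
    {"pid": 300, "parent": 1,   "cmdline": "sshd: admin",           "time": 0},
    {"pid": 301, "parent": 300, "cmdline": "-bash",                 "time": 1},
    {"pid": 302, "parent": 301, "cmdline": "uname -r",              "time": 5},
    {"pid": 303, "parent": 301, "cmdline": "ps aux",                "time": 9},
]


def classify(cmdline):
    """Return the discovery technique a command line represents, or None."""
    argv = cmdline.split()
    if not argv:
        return None
    base = argv[0].rsplit("/", 1)[-1]
    if base == "cat":
        # Only reads of known configuration sources count, not arbitrary cat.
        targets = [a for a in argv[1:] if a in DISCOVERY_FILES]
        return f"read:{targets[0]}" if targets else None
    return f"cmd:{base}" if base in DISCOVERY_COMMANDS else None


def ancestor_at_depth(pid, parents, depth):
    """Walk up at most `depth` parent links and return the ancestor reached.
    Stops early at init (pid 1) or when the parent is unknown."""
    cur = pid
    for _ in range(depth):
        nxt = parents.get(cur)
        if nxt is None or nxt <= 1:
            break
        cur = nxt
    return cur


def cluster_discovery(events, ancestry_depth=2, threshold=4, window=300):
    """Group discovery events by their ancestor at `ancestry_depth` and report
    clusters reaching `threshold` distinct techniques within `window` seconds."""
    parents = {e["pid"]: e["parent"] for e in events}
    cmdlines = {e["pid"]: e["cmdline"] for e in events}
    clusters = defaultdict(list)
    for e in events:
        tech = classify(e["cmdline"])
        if tech is None:
            continue
        root = ancestor_at_depth(e["pid"], parents, ancestry_depth)
        clusters[root].append((e["time"], tech))
    alerts = []
    for root, items in clusters.items():
        items.sort()
        # Sliding window anchored at each event of the time-ordered cluster.
        for start, _ in items:
            in_window = {t for ts, t in items if start <= ts <= start + window}
            if len(in_window) >= threshold:
                alerts.append({"root_pid": root, "root_cmdline": cmdlines.get(root),
                               "techniques": sorted(in_window)})
                break  # one alert per cluster
    return alerts


if __name__ == "__main__":
    for alert in cluster_discovery(SAMPLE_EVENTS):
        print(alert)
```

Raising ancestry_depth groups commands launched through intermediate shells under the real parent (here /opt/updater/run rather than /bin/sh); lowering it keeps the clusters tighter at the cost of splitting one assessment across several parents.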
macOS environmental keying behavioral chain: (1) System information discovery through native utilities (system_profiler, sw_vers, hostname, dscl) and Security framework queries, (2) Hardware and software enumeration including serial numbers, installed applications, and system versions, (3) Network configuration assessment (networksetup, scutil) and wireless network discovery, (4) Keychain and security context validation, (5) Unified Logs correlation with cryptographic framework usage (CommonCrypto, Security.framework), (6) Application bundle execution following environmental validation

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process execution events for discovery utilities (system_profiler, sw_vers, dscl, networksetup) with command-line parameter analysis |
| Command Execution (DC0064) | macos:unifiedlog | Security framework operations including keychain access, cryptographic operations, and certificate validation |
| File Access (DC0055) | fs:fsevents | file system events indicating access to system configuration files and environmental information sources |

| Field | Description |
|---|---|
| SystemProfilerDataTypes | Specific system_profiler data types that adversaries commonly target (SPHardwareDataType, SPSoftwareDataType, SPNetworkDataType) - customize based on threat intelligence |
| SecurityFrameworkOperationPatterns | Security.framework and CommonCrypto API usage patterns indicating cryptographic operations for environmental keying |
| UnifiedLogRetentionWindow | Time window for correlating discovery activities with subsequent cryptographic operations - balance between detection coverage and log volume |
| ApplicationBundleValidationPaths | Specific application bundle paths and identifiers that might be subject to environmental validation |
| NetworkConfigurationIdentifiers | Organization-specific network configurations, WiFi SSIDs, and network services that adversaries might validate against |
| MacOSVersionBaseline | Expected macOS versions and configurations in environment to identify version-specific environmental targeting |
| FSEventsFilteringCriteria | File system event filtering criteria to focus on security-relevant file access patterns while managing event volume |
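The Windows, Linux and macOS chains above share one correlation shape: a burst of distinct discovery techniques, then a cryptographic indicator, then execution that follows the validation. The example below implements that three-stage correlation for all three platforms with the tunables the tables name (the time window, the distinct-technique threshold, the admin allowlist and the business-hours baseline). It is an added example, not code from the original page or from MITRE ATT&CK; the event records are constructed and pre-normalized with this example's own field names (not the Sysmon, auditd or unified log schemas), and the per-platform discovery and crypto indicator sets are assumed starting points that the page says to tune per environment.

```python
"""Correlate the discovery -> decryption -> execution chain across platforms.

Added example for the Windows, Linux and macOS environmental keying chains;
not code from the original page or from MITRE. Events are constructed,
pre-normalized records with assumed field names. Indicator sets below are
assumptions to be tuned (module loads such as bcrypt.dll are noisy untuned).
"""
from collections import defaultdict
from datetime import datetime, timezone

# Image basename -> discovery technique class, per platform (assumed sets).
DISCOVERY = {
    "windows": {"wmic.exe": "wmi", "reg.exe": "registry", "net.exe": "netshare",
                "nltest.exe": "domain", "systeminfo.exe": "sysinfo"},
    "linux":   {"uname": "sysinfo", "hostname": "hostname", "id": "identity",
                "ip": "network", "mount": "filesystem", "ps": "process"},
    "macos":   {"system_profiler": "sysinfo", "sw_vers": "version",
                "dscl": "directory", "networksetup": "network", "scutil": "network"},
}
# Path components treated as cryptographic indicators (assumed; tune per environment).
CRYPTO_MODULES = {"bcrypt.dll", "libcrypto.so.3", "Security.framework", "CommonCrypto"}
STAGE_SCORE = {"discovery": 30, "decryption": 60, "execution": 90}


def base(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_crypto_module(path):
    return bool(set(path.replace("\\", "/").split("/")) & CRYPTO_MODULES)


def tag(e):
    """Map one normalized event to a chain-stage tag, or None if irrelevant."""
    if e["type"] == "module":
        return "crypto" if is_crypto_module(e["module"]) else None
    tech = DISCOVERY[e["platform"]].get(base(e["image"]))
    return f"discovery:{tech}" if tech else "process"


def in_business_hours(ts, hours):
    return hours[0] <= datetime.fromtimestamp(ts, timezone.utc).hour < hours[1]


def correlate(events, window=300, threshold=3, admins=frozenset(), hours=(8, 18)):
    """Return one alert per (host, user) whose discovery burst reaches `threshold`
    distinct techniques within `window` seconds; the stage records how far the
    chain progressed (a crypto module load, then a child of that loader running)."""
    alerts, per_actor = [], defaultdict(list)
    for e in events:
        per_actor[(e["host"], e["user"])].append(e)
    for (host, user), evs in per_actor.items():
        tagged = [(e, tag(e)) for e in sorted(evs, key=lambda e: e["time"])]
        for i, (anchor, t) in enumerate(tagged):
            if not (t or "").startswith("discovery:"):
                continue
            deadline = anchor["time"] + window
            span = [(e, t) for e, t in tagged[i:] if e["time"] <= deadline]
            techniques = {t for _, t in span if t and t.startswith("discovery:")}
            if len(techniques) < threshold:
                continue
            stage, loader = "discovery", None
            for e, t in span:  # time-ordered, so crypto must precede the execution
                if t == "crypto" and stage == "discovery":
                    stage, loader = "decryption", base(e["image"])
                elif t == "process" and stage == "decryption" and base(e["parent"] or "") == loader:
                    stage = "execution"
                    break
            if stage == "discovery" and user in admins:
                break  # LegitimateAdminAccounts: discovery alone is expected of them
            score = STAGE_SCORE[stage] + (0 if in_business_hours(anchor["time"], hours) else 15)
            alerts.append({"host": host, "user": user, "stage": stage,
                           "techniques": sorted(techniques), "score": min(score, 100)})
            break  # one alert per actor; later windows would restate it
    return alerts


def _ev(time, host, user, platform, image, parent=None, module=None):
    return {"time": time, "host": host, "user": user, "platform": platform,
            "type": "module" if module else "process", "image": image,
            "parent": parent, "module": module}


T0 = 1_700_000_000  # 2023-11-14 22:13:20 UTC, outside the 08-18 baseline
T1 = 1_700_036_000  # 2023-11-15 08:13:20 UTC, inside it
UPD = "C:\\Temp\\updater.exe"
INST = "/Users/jdoe/Downloads/Installer.app/Contents/MacOS/Installer"
# Constructed sample: a full chain on Windows, routine admin discovery on Linux,
# and discovery plus a Security.framework load with no follow-on on macOS.
SAMPLE_EVENTS = [
    _ev(T0, "WS01", "svc_build", "windows", "C:\\Windows\\System32\\wbem\\wmic.exe", UPD),
    _ev(T0 + 4, "WS01", "svc_build", "windows", "C:\\Windows\\System32\\reg.exe", UPD),
    _ev(T0 + 9, "WS01", "svc_build", "windows", "C:\\Windows\\System32\\net.exe", UPD),
    _ev(T0 + 20, "WS01", "svc_build", "windows", UPD, module="C:\\Windows\\System32\\bcrypt.dll"),
    _ev(T0 + 25, "WS01", "svc_build", "windows", "C:\\Temp\\stage2.exe", UPD),
    _ev(T1, "web01", "ops", "linux", "/usr/bin/uname", "/bin/bash"),
    _ev(T1 + 2, "web01", "ops", "linux", "/bin/hostname", "/bin/bash"),
    _ev(T1 + 3, "web01", "ops", "linux", "/usr/bin/id", "/bin/bash"),
    _ev(T1 + 60, "mac01", "jdoe", "macos", "/usr/sbin/system_profiler", INST),
    _ev(T1 + 62, "mac01", "jdoe", "macos", "/usr/bin/sw_vers", INST),
    _ev(T1 + 65, "mac01", "jdoe", "macos", "/usr/sbin/scutil", INST),
    _ev(T1 + 70, "mac01", "jdoe", "macos", INST, module="/System/Library/Frameworks/Security.framework/Security"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, admins={"ops"}):
        print(alert)
```

The stage field is what makes the allowlist safe to apply: an account in LegitimateAdminAccounts suppresses discovery-only bursts, but the same account still alerts once a crypto module load and a child process of that loader follow the burst, which is the part of the chain administrators do not normally produce.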