Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

ID: M1047
Version: 1.2
Created: 11 June 2019
Last Modified: 31 March 2023

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1548 Abuse Elevation Control Mechanism

Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.[1]

.002 Bypass User Account Control

Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.[1]

Enterprise T1087 .004 Account Discovery: Cloud Account

Routinely check user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.

Enterprise T1560 Archive Collected Data

System scans can be performed to identify unauthorized archival utilities.

.001 Archive via Utility

System scans can be performed to identify unauthorized archival utilities.

Enterprise T1176 Browser Extensions

Ensure extensions that are installed are the intended ones as many malicious extensions will masquerade as legitimate ones.

Enterprise T1612 Build Image on Host

Audit images deployed within the environment to ensure they do not contain any malicious components.

Enterprise T1059 .006 Command and Scripting Interpreter: Python

Inventory systems for unauthorized Python installations.

Enterprise T1543 Create or Modify System Process

Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.

.003 Windows Service

Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.

.004 Launch Daemon

Use auditing tools capable of detecting folder permissions abuse opportunities on systems, especially reviewing changes made to folders by third-party software.

Enterprise T1530 Data from Cloud Storage

Frequently check permissions on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources.[2]

Enterprise T1213 Data from Information Repositories

Consider periodic review of accounts and privileges for critical and sensitive repositories.

.001 Confluence

Consider periodic review of accounts and privileges for critical and sensitive Confluence repositories.

.002 Sharepoint

Consider periodic review of accounts and privileges for critical and sensitive SharePoint repositories.

.003 Code Repositories

Consider periodic reviews of accounts and privileges for critical and sensitive code repositories. Scan code repositories for exposed credentials or other sensitive information.

Enterprise T1610 Deploy Container

Scan images before deployment, and block those that are not in compliance with security policies. In Kubernetes environments, the admission controller can be used to validate images after a container deployment request is authenticated but before the container is deployed.[3]

Enterprise T1484 Domain Policy Modification

Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as BloodHound (version 1.5.1 and later).[4]

.001 Group Policy Modification

Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as BloodHound (version 1.5.1 and later).[4]

Enterprise T1482 Domain Trust Discovery

Map the trusts within existing domains/forests and keep trust relationships to a minimum.

Enterprise T1114 Email Collection

Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis.

In an Exchange environment, Administrators can use Get-InboxRule to discover and remove potentially malicious auto-forwarding rules.[5]

.003 Email Forwarding Rule

Enterprise email solutions have monitoring mechanisms that may include the ability to audit auto-forwarding rules on a regular basis.

In an Exchange environment, administrators can use Get-InboxRule / Remove-InboxRule and Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious auto-forwarding and transport rules.[5][6][7] In addition, a MAPI editor can be used to examine the underlying database structure and discover any modifications/tampering of the properties of auto-forwarding rules.[8]

Enterprise T1546 .006 Event Triggered Execution: LC_LOAD_DYLIB Addition

Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn't included as part of an update, it should be investigated.

Enterprise T1606 Forge Web Credentials

Administrators should perform an audit of all access lists and the permissions they have been granted to access web applications and services. This should be done extensively on all resources in order to establish a baseline, followed up on with periodic audits of new or updated resources. Suspicious accounts/credentials should be investigated and removed.

Enable advanced auditing on AD FS. Check the success and failure audit options in the AD FS Management snap-in. Enable Audit Application Generated events on the AD FS farm via Group Policy Object.[9]

.001 Web Cookies

Administrators should perform an audit of all access lists and the permissions they have been granted to access web applications and services. This should be done extensively on all resources in order to establish a baseline, followed up on with periodic audits of new or updated resources. Suspicious accounts/credentials should be investigated and removed.

.002 SAML Tokens

Enable advanced auditing on AD FS. Check the success and failure audit options in the AD FS Management snap-in. Enable Audit Application Generated events on the AD FS farm via Group Policy Object.[9]

Enterprise T1564 .008 Hide Artifacts: Email Hiding Rules

Enterprise email solutions may have monitoring mechanisms that may include the ability to audit inbox rules on a regular basis.

In an Exchange environment, Administrators can use Get-InboxRule / Remove-InboxRule and Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious inbox and transport rules.[7][6]

Enterprise T1574 Hijack Execution Flow

Use auditing tools capable of detecting hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for hijacking weaknesses.[10]

Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.

Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.

Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.[11][12][13]

.001 DLL Search Order Hijacking

Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses.[10]

Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-by-side problems in software.[14]

.005 Executable Installer File Permissions Weakness

Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses.[10]

.007 Path Interception by PATH Environment Variable

Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.

Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.[11][12][13]

.008 Path Interception by Search Order Hijacking

Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.

Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.[11][12][13]

.009 Path Interception by Unquoted Path

Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.

Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.[11][12][13]

.010 Services File Permissions Weakness

Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses.[10]
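The following is an added example, not code from the ATT&CK page or from PowerSploit, showing the two checks the Hijack Execution Flow entries above ask for: services whose ImagePath is unquoted and contains spaces, and directories on the machine PATH that a standard user can write to. It assumes an elevated session on a Windows host; the list of low-privileged principals and the write-bit mask are the author's choices.

```powershell
# Added example (not from the ATT&CK page): find service binaries reachable
# through an unquoted path and PATH directories a standard user can write to.
# Run elevated; Win32_Service needs admin to expose every service's PathName.

# Principals that must never be able to plant files in a service's path
$LowPrivIdentities = @('Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# True when the executable portion of a service command line contains a
# space but is not wrapped in quotes, e.g. C:\Program Files\Vendor\svc.exe
function Test-UnquotedServicePath {
    param([string]$PathName)
    $PathName = "$PathName".Trim()
    if ($PathName -eq '' -or $PathName.StartsWith('"')) { return $false }
    $exeEnd = $PathName.ToLower().IndexOf('.exe')
    $binary = if ($exeEnd -ge 0) { $PathName.Substring(0, $exeEnd + 4) } else { $PathName.Split(' ')[0] }
    return ($binary -match ' ')
}

# Directories where an attacker would drop a file to hijack the unquoted path:
# C:\Program Files\Vendor\svc.exe is intercepted by C:\Program.exe (needs
# write on C:\) or C:\Program Files\Vendor.exe (needs write on C:\Program Files)
function Get-InterceptionCandidate {
    param([string]$Binary)
    $parts = $Binary.Split(' ')
    for ($i = 1; $i -lt $parts.Count; $i++) {
        Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
    }
}

# True when a low-privileged principal may create files directly in $Directory.
# Only WriteData/CreateFiles (0x2) plus GENERIC_WRITE/GENERIC_ALL count:
# AppendData/CreateDirectories (0x4), which Authenticated Users hold on C:\ by
# default, does not allow planting an .exe, and inherit-only ACEs do not apply
# to the directory itself.
function Test-LowPrivWritable {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Directory } catch { return $false }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (($rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        if ($LowPrivIdentities -notcontains $rule.IdentityReference.Value) { continue }
        $rights = [int]$rule.FileSystemRights
        if (($rights -band (0x2 -bor 0x40000000 -bor 0x10000000)) -ne 0) { return $true }
    }
    return $false
}

function Find-PathInterceptionWeakness {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not (Test-UnquotedServicePath $svc.PathName)) { continue }
        $binary = $svc.PathName.Trim()
        $binary = $binary.Substring(0, $binary.ToLower().IndexOf('.exe') + 4)
        foreach ($dir in Get-InterceptionCandidate $binary) {
            [pscustomobject]@{
                Kind = 'UnquotedServicePath'; Service = $svc.Name; RunsAs = $svc.StartName
                Directory = $dir; LowPrivWritable = (Test-LowPrivWritable $dir); Path = $svc.PathName
            }
        }
    }
    # A writable directory early in the machine PATH lets a planted binary
    # shadow one that would otherwise be resolved later in the search order
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($dir in ($machinePath -split ';' | Where-Object { $_ })) {
        if (Test-LowPrivWritable $dir) {
            [pscustomobject]@{
                Kind = 'WritablePathDir'; Service = $null; RunsAs = $null
                Directory = $dir; LowPrivWritable = $true; Path = $dir
            }
        }
    }
}

Find-PathInterceptionWeakness | Sort-Object LowPrivWritable -Descending | Format-Table -AutoSize
```

An unquoted path is only exploitable when one of the candidate directories is writable and the service runs as a more privileged account than the writer, so read the RunsAs and LowPrivWritable columns together; the fix is to quote the ImagePath in the service's Registry key and tighten the directory ACL.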

Enterprise T1562 Impair Defenses

Routinely check account role permissions to ensure only expected users and roles have permission to modify defensive tools and settings.

.002 Disable Windows Event Logging

Consider periodic review of auditpol settings for Administrator accounts and perform dynamic baselining on SIEM(s) to investigate potential malicious activity. Also ensure that the EventLog service and its threads are properly running.

.004 Disable or Modify System Firewall

Routinely check account role permissions to ensure only expected users and roles have permission to modify system firewalls.

.007 Disable or Modify Cloud Firewall

Routinely check account role permissions to ensure only expected users and roles have permission to modify cloud firewalls.

.012 Disable or Modify Linux Audit System

Routinely check account role permissions to ensure only expected users and roles have permission to modify logging settings.

To prevent audit rules from being modified at runtime, make -e 2 the last line of /etc/audit/audit.rules (the file equivalent of running auditctl -e 2). Once the rules are loaded in this immutable mode, any attempt to change the configuration is audited and denied. The configuration can only be changed by rebooting the machine.

Enterprise T1525 Implant Internal Image

Periodically check the integrity of images and containers used in cloud deployments to ensure they have not been modified to include malicious software.

Enterprise T1070 .008 Indicator Removal: Clear Mailbox Data

In an Exchange environment, Administrators can use Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious transport rules.[6]
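The following is an added example, not code from the ATT&CK page or from Microsoft, covering the Exchange checks named under Email Forwarding Rule (T1114.003), Email Hiding Rules (T1564.008) and Clear Mailbox Data (T1070.008) above: it lists inbox rules that forward, redirect, delete or hide mail, mailbox-level forwarding, and transport rules that copy or divert messages. It assumes an Exchange Management Shell or Exchange Online PowerShell session; the folder-name pattern treated as "low visibility" is the author's choice.

```powershell
# Added example (not from the ATT&CK page): report inbox rules, mailbox-level
# forwarding and transport rules that forward, redirect, delete or hide mail.
# Run in the Exchange Management Shell or an Exchange Online PowerShell
# session; View-Only Organization Management is enough to list, and the
# Remove-* cmdlets are intentionally left to the reviewer.

# Folders where a rule can park messages the user is unlikely to look at
$LowVisibilityFolder = 'RSS|Junk|Archive|Deleted|Conversation History|Notes'

function Get-SuspiciousInboxRule {
    # -ResultSize Unlimited lifts the default cap of 1000 mailboxes
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        # Forwarding set on the mailbox object itself (Set-Mailbox), which
        # Get-InboxRule does not show
        if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress; Rule = '(mailbox forwarding)'; Enabled = $true
                Target  = "$($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress)".Trim()
                KeepCopy = $mbx.DeliverToMailboxAndForward; Reasons = 'mailbox-level forward'
            }
        }
        foreach ($rule in (Get-InboxRule -Mailbox $mbx.Identity)) {
            $reasons = @()
            if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) { $reasons += 'forward/redirect' }
            if ($rule.DeleteMessage) { $reasons += 'delete' }
            if ("$($rule.MoveToFolder)" -match $LowVisibilityFolder) { $reasons += 'move to low-visibility folder' }
            if ($rule.MarkAsRead) { $reasons += 'mark as read' }
            if ($reasons.Count -eq 0) { continue }
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress; Rule = $rule.Name; Enabled = $rule.Enabled
                Target  = ($targets -join '; ')
                KeepCopy = $null; Reasons = ($reasons -join ', ')
            }
        }
    }
}

# Organization-wide rules that silently copy, divert or drop mail
function Get-SuspiciousTransportRule {
    Get-TransportRule | Where-Object {
        $_.BlindCopyTo -or $_.CopyTo -or $_.RedirectMessageTo -or $_.AddToRecipients -or $_.DeleteMessage
    } | Select-Object Name, State, Priority, WhenChanged, BlindCopyTo, CopyTo, RedirectMessageTo, AddToRecipients, DeleteMessage
}

Get-SuspiciousInboxRule     | Format-Table -AutoSize
Get-SuspiciousTransportRule | Format-List
```

Get-InboxRule only returns rules whose MAPI properties are intact; a rule whose properties have been tampered with so that it no longer appears is the case for the MAPI editor review mentioned above. Treat any Remove-InboxRule or Remove-TransportRule as an incident-response action and record the rule definition first.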

Enterprise T1556 Modify Authentication Process

Review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended.

Periodically review the hybrid identity solution in use for any discrepancies. For example, review all Pass Through Authentication (PTA) agents in the Azure Management Portal to identify any unwanted or unapproved ones.[15] If ADFS is in use, review DLLs and executable files in the AD FS and Global Assembly Cache directories to ensure that they are signed by Microsoft. Note that in some cases binaries may be catalog-signed, which may cause the file to appear unsigned when viewing file properties.[16]

Periodically review for new and unknown network provider DLLs within the Registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NetworkProviderName>\NetworkProvider\ProviderPath). Ensure only valid network provider DLLs are registered. The name of these can be found in the Registry key at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order, and have a corresponding service subkey pointing to a DLL at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NetworkProviderName>\NetworkProvider.

.006 Multi-Factor Authentication

Review MFA actions alongside authentication logs to ensure that MFA-based logins are functioning as intended. Review user accounts to ensure that all accounts have MFA enabled.[17]

.007 Hybrid Identity

Periodically review the hybrid identity solution in use for any discrepancies. For example, review all PTA agents in the Azure Management Portal to identify any unwanted or unapproved ones.[15] If ADFS is in use, review DLLs and executable files in the AD FS and Global Assembly Cache directories to ensure that they are signed by Microsoft. Note that in some cases binaries may be catalog-signed, which may cause the file to appear unsigned when viewing file properties.[16]

.008 Network Provider DLL

Periodically review for new and unknown network provider DLLs within the Registry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NetworkProviderName>\NetworkProvider\ProviderPath).

Ensure only valid network provider DLLs are registered. The name of these can be found in the Registry key at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order, and have a corresponding service subkey pointing to a DLL at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NetworkProviderName>\NetworkProvider.
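The following is an added example, not code from the ATT&CK page or from Microsoft, that performs both signed-binary reviews described under Hybrid Identity (T1556.007) and Network Provider DLL (T1556.008) above: it walks the ProviderOrder list to each provider's ProviderPath and checks the signature, then lists any DLL or EXE under the AD FS install and Global Assembly Cache directories that is not Microsoft-signed. The default locations %SystemRoot%\ADFS, %SystemRoot%\Microsoft.NET\assembly and %SystemRoot%\assembly are assumptions.

```powershell
# Added example (not from the ATT&CK page): verify that every registered
# network provider DLL, and every DLL/EXE under the AD FS and GAC directories,
# carries a valid Microsoft signature. Get-AuthenticodeSignature also resolves
# catalog signatures (SignatureType = Catalog), which Explorer's file
# properties dialog does not show. Default AD FS/GAC locations are assumed.

function Test-MicrosoftSigned {
    param($Signature)
    return [bool]($Signature -and $Signature.Status -eq 'Valid' -and
        $Signature.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
}

# Walk ProviderOrder and resolve each provider's ProviderPath
function Get-NetworkProviderDll {
    $order = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order').ProviderOrder
    foreach ($name in ($order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
        $raw  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ProviderPath
        # ProviderPath is REG_EXPAND_SZ (e.g. %SystemRoot%\System32\ntlanman.dll)
        $path = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }
        $sig  = if ($path -and (Test-Path -LiteralPath $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Provider = $name; Path = $path
            Status   = if ($sig) { $sig.Status } else { 'MissingOrUnresolved' }
            SignatureType = if ($sig) { $sig.SignatureType } else { $null }
            Signer   = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
            MicrosoftSigned = Test-MicrosoftSigned $sig
        }
    }
}

# Files in the AD FS install and Global Assembly Cache that are not Microsoft-signed
function Get-UnsignedAdfsBinary {
    param([string[]]$Directory = @("$env:SystemRoot\ADFS",
                                   "$env:SystemRoot\Microsoft.NET\assembly",
                                   "$env:SystemRoot\assembly"))
    foreach ($dir in ($Directory | Where-Object { Test-Path -LiteralPath $_ })) {
        Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.dll, *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if (-not (Test-MicrosoftSigned $sig)) {
                [pscustomobject]@{
                    File = $_.FullName; Status = $sig.Status; SignatureType = $sig.SignatureType
                    Signer = $sig.SignerCertificate.Subject; LastWriteUtc = $_.LastWriteTimeUtc
                }
            }
        }
    }
}

Get-NetworkProviderDll | Format-Table -AutoSize
Get-UnsignedAdfsBinary | Format-Table -AutoSize
```

A provider whose ProviderPath resolves outside System32, or a GAC assembly with a recent LastWriteUtc and a Status other than Valid, is what to pull for analysis. Third-party products legitimately register network providers, so compare the list against a known-good baseline rather than treating every non-Microsoft entry as malicious.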

Enterprise T1578 Modify Cloud Compute Infrastructure

Routinely monitor user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.

.001 Create Snapshot

Routinely check user permissions to ensure only the expected users have the capability to create snapshots and backups.

.002 Create Cloud Instance

Routinely check user permissions to ensure only the expected users have the capability to create new instances.

.003 Delete Cloud Instance

Routinely check user permissions to ensure only the expected users have the capability to delete instances.

.005 Modify Cloud Compute Configurations

Routinely monitor user permissions to ensure only the expected users have the capability to request quota adjustments or modify tenant-level compute settings.

Enterprise T1027 Obfuscated Files or Information

Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data.

.011 Fileless Storage

Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data.

Enterprise T1566 .002 Phishing: Spearphishing Link

Audit applications and their permissions to ensure access to data and resources are limited based upon necessity and principle of least privilege.

Enterprise T1653 Power Settings

Periodically inspect systems for abnormal and unexpected power settings that may indicate malicious activity.

Enterprise T1542 .004 Pre-OS Boot: ROMMONkit

Periodically check the integrity of the system image to ensure it has not been modified.[18][19][20]

.005 Pre-OS Boot: TFTP Boot

Periodically check the integrity of the running configuration and system image to ensure they have not been modified.[19][18][20]

Enterprise T1563 .002 Remote Service Session Hijacking: RDP Hijacking

Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups.

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Audit the Remote Desktop Users group membership regularly. Remove unnecessary accounts and groups from Remote Desktop Users groups.

.005 Remote Services: VNC

Inventory workstations for unauthorized VNC server software.

Enterprise T1053 Scheduled Task/Job

Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. [10]

.002 At

Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.[10] Windows also creates a Registry key specifically associated with the creation of a scheduled task on the destination host at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.[21] In Linux and macOS environments, scheduled tasks created with at can be audited locally, or through centrally collected logging, using syslog or auditd events from the host.[22]

.003 Cron

Review changes to the cron schedule. cron execution can be reviewed within the /var/log directory. To validate the location of the cron log file, check the syslog configuration at /etc/rsyslog.conf or /etc/syslog.conf.

.005 Scheduled Task

Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. [10]

Enterprise T1593 Search Open Websites/Domains

Scan public code repositories for exposed credentials or other sensitive information before making commits. Ensure that any leaked credentials are removed from the commit history, not just the current latest version of the code.

.003 Code Repositories

Scan public code repositories for exposed credentials or other sensitive information before making commits. Ensure that any leaked credentials are removed from the commit history, not just the current latest version of the code.

Enterprise T1505 Server Software Component

Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.

.001 SQL Stored Procedures

Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.

.002 Transport Agent

Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.

.004 IIS Components

Regularly check installed IIS components to verify the integrity of the web server and identify if unexpected changes have been made.

.005 Terminal Services DLL

Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.

Enterprise T1528 Steal Application Access Token

Administrators should audit all cloud and container accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Additionally, administrators should perform an audit of all OAuth applications and the permissions they have been granted to access organizational data. This should be done extensively on all applications in order to establish a baseline, followed up on with periodic audits of new or updated applications. Suspicious applications should be investigated and removed.

Enterprise T1649 Steal or Forge Authentication Certificates

Check and remediate unneeded existing authentication certificates as well as common abusable misconfigurations of CA settings and permissions, such as AD CS certificate enrollment permissions and published overly permissive certificate templates (which define available settings for created certificates). For example, available AD CS certificate templates can be checked via the Certificate Authority MMC snap-in (certsrv.msc). certutil.exe can also be used to examine various information within an AD CS CA database.[23][24][25]
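The following is an added example, not code from the ATT&CK page, Certify or PSPKIAudit, of one template check the entry above describes: it reads the certificate templates from the Configuration partition and flags the ones that are published on a CA, let the enrollee supply the subject name, carry an authentication EKU, require neither manager approval nor authorized signatures, and grant enrollment to a low-privileged group (the combination the cited tools report as ESC1). It assumes the ActiveDirectory module and read access to the Configuration partition; the low-privileged group list is the author's choice, and other template abuse cases are not covered.

```powershell
# Added example (not from the ATT&CK page): flag published AD CS templates that
# let a low-privileged principal enroll for an authentication-capable
# certificate while choosing the subject themselves, without manager approval
# or authorized signatures. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$ConfigNC   = (Get-ADRootDSE).configurationNamingContext
$TemplateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"
$CaDN       = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigNC"

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS          = 0x2   # in msPKI-Enrollment-Flag: manager approval
# Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose
$AuthEkus = '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0'
# Certificate-Enrollment, Certificate-AutoEnrollment, and "all extended rights"
$EnrollRightGuids = '0e10c968-78fb-11d2-90d4-00c04f79dc55', 'a05b8cc2-17bc-4802-a710-e7c15ab866a2', '00000000-0000-0000-0000-000000000000'
$LowPrivPrincipals = '*\Domain Users', '*\Domain Computers', 'NT AUTHORITY\Authenticated Users', 'Everyone'

function Test-LowPrivEnroll {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Sd)
    $all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($ace in $Sd.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if (-not ($LowPrivPrincipals | Where-Object { $who -like $_ })) { continue }
        if (($ace.ActiveDirectoryRights -band $all) -eq $all) { return $true }
        if ((($ace.ActiveDirectoryRights -band $ext) -ne 0) -and ($ace.ObjectType.ToString() -in $EnrollRightGuids)) { return $true }
    }
    return $false
}

function Find-DangerousTemplate {
    # Only templates published on an enrollment service can be requested
    $published = Get-ADObject -SearchBase $CaDN -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
        ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique
    Get-ADObject -SearchBase $TemplateDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties name, 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', pKIExtendedKeyUsage, nTSecurityDescriptor |
    ForEach-Object {
        $eku = @($_.pKIExtendedKeyUsage)
        [pscustomobject]@{
            Template  = $_.name
            Published = ($_.name -in $published)
            EnrolleeSuppliesSubject = (($_.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0)
            # No EKU at all means the certificate is valid for any purpose
            AuthEku   = [bool](($eku.Count -eq 0) -or ($eku | Where-Object { $_ -in $AuthEkus }))
            ManagerApproval = (($_.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0)
            AuthorizedSignatures = [int]$_.'msPKI-RA-Signature'
            LowPrivEnroll = Test-LowPrivEnroll $_.nTSecurityDescriptor
        }
    } | Where-Object { $_.Published -and $_.EnrolleeSuppliesSubject -and $_.AuthEku -and
                       -not $_.ManagerApproval -and $_.AuthorizedSignatures -eq 0 -and $_.LowPrivEnroll }
}

Find-DangerousTemplate | Format-Table -AutoSize
```

Drop the final Where-Object to see every template with all of its flags, which is useful for deciding which property to change: clearing the enrollee-supplies-subject flag, requiring manager approval, or narrowing the enrollment ACL each removes the template from the flagged set.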

Enterprise T1558 .004 Steal or Forge Kerberos Tickets: AS-REP Roasting

Kerberos preauthentication is enabled by default. Older protocols might not support preauthentication, so it is possible to have this setting disabled. Make sure that all accounts require preauthentication whenever possible and audit changes to the setting. Windows tools such as PowerShell can be used to find which accounts have preauthentication disabled.[26][27]

Enterprise T1552 Unsecured Credentials

Preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found.

.001 Credentials In Files

Preemptively search for files containing passwords and take actions to reduce the exposure risk when found.

.002 Credentials in Registry

Proactively search for credentials within the Registry and attempt to remediate the risk.

.004 Private Keys

Ensure only authorized keys are allowed access to critical resources and audit access lists regularly.

.006 Group Policy Preferences

Search SYSVOL for any existing GPPs that may contain credentials and remove them.[28]
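The following is an added example, not code from the ATT&CK page, that implements the two Active Directory checks described under AS-REP Roasting (T1558.004) and Group Policy Preferences (T1552.006) above: accounts with Kerberos preauthentication disabled, and Group Policy Preference XML files in SYSVOL that carry a cpassword attribute. It assumes the ActiveDirectory module and read access to the domain's SYSVOL\Policies share; the list of preference file names is the author's.

```powershell
# Added example (not from the ATT&CK page): two Active Directory credential-
# exposure checks. Requires the ActiveDirectory module; the SYSVOL search also
# needs read access to the domain's Policies share.
Import-Module ActiveDirectory

# Accounts with "Do not require Kerberos preauthentication" set:
# userAccountControl bit 0x400000 (UF_DONT_REQUIRE_PREAUTH), matched with the
# LDAP bitwise-AND matching rule
function Get-PreauthDisabledAccount {
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' `
               -Properties DoesNotRequirePreAuth, LastLogonDate, whenChanged, MemberOf |
        Select-Object SamAccountName, Enabled, LastLogonDate, whenChanged,
            @{ n = 'GroupCount'; e = { @($_.MemberOf).Count } }
}

# Group Policy Preference XML that can embed a cpassword (the AES key is public)
function Find-GppPassword {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    $files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Printers.xml', 'Drives.xml'
    Get-ChildItem -Path $policies -Recurse -File -Include $files -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        $xml  = [xml](Get-Content -LiteralPath $file.FullName -Raw)
        foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
            # The account attribute name differs per preference type
            $acct = foreach ($a in 'userName', 'accountName', 'runAs', 'username') {
                $v = $node.GetAttribute($a); if ($v) { $v }
            }
            [pscustomobject]@{
                File    = $file.FullName
                Gpo     = ($file.FullName -split '\\Policies\\')[1].Split('\')[0]
                Account = @($acct)[0]
                Changed = $node.ParentNode.GetAttribute('changed')
            }
        }
    }
}

Get-PreauthDisabledAccount | Format-Table -AutoSize
Find-GppPassword           | Format-Table -AutoSize
```

A cpassword hit is a finding on its own: remove the preference item from the GPO, rotate the account's password, and treat any account that was ever published this way as exposed. For preauthentication, a non-zero result should map to a documented exception; anything else gets Set-ADAccountControl -DoesNotRequirePreAuth $false and a check of the account's recent logons.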

.008 Chat Messages

Preemptively search through communication services to find shared unsecured credentials. Search for common patterns like "password is " and "password=" and take action to reduce exposure when found.

Enterprise T1550 .001 Use Alternate Authentication Material: Application Access Token

Administrators should audit all cloud and container accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Where possible, the ability to request temporary account tokens on behalf of another account should be disabled. Additionally, administrators can leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.

Enterprise T1204 .003 User Execution: Malicious Image

Audit images deployed within the environment to ensure they do not contain any malicious components.

References

  1. Mike Burns. (2020, September 30). Detecting Microsoft 365 and Azure Active Directory Backdoors. Retrieved September 28, 2022.
  2. Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team. (2022, August 24). MagicWeb: NOBELIUM's post-compromise trick to authenticate as anyone. Retrieved September 28, 2022.
  3. Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023.
  4. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Image File Integrity. Retrieved October 21, 2020.
  5. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020.
  6. Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Change Control. Retrieved October 21, 2020.
  7. Carvey, H. (2014, September). Where You AT?: Indicators of Lateral Movement Using at.exe on Windows 7 Systems. Retrieved November 27, 2019.
  8. Koromicha. (2019, September 7). Scheduling tasks using at command in Linux. Retrieved December 3, 2019.
  9. Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022.
  10. HarmJ0y et al. (2021, June 16). PSPKIAudit. Retrieved August 2, 2022.
  11. HarmJ0y et al. (2021, June 9). Certify. Retrieved August 4, 2022.
  12. Microsoft. (2012, July 18). Preauthentication. Retrieved August 24, 2020.
  13. Jeff Warren. (2019, June 27). Cracking Active Directory Passwords with AS-REP Roasting. Retrieved August 24, 2020.
  14. Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020.