-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2013-04-002.yaml
225 lines (220 loc) · 6 KB
/
CAR-2013-04-002.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
title: Quick execution of a series of suspicious commands
submission_date: 2013/04/11
information_domain: 'Analytic, Host'
platforms:
- Windows
- Linux
- macOS
subtypes:
- Process
analytic_types:
- TTP
contributors:
- MITRE
id: CAR-2013-04-002
description: |-
Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing.
Commands of interest:
- arp.exe
- at.exe
- attrib.exe
- cscript.exe
- dsquery.exe
- hostname.exe
- ipconfig.exe
- mimikatz.exe
- nbstat.exe
- net.exe
- netsh.exe
- nslookup.exe
- ping.exe
- quser.exe
- qwinsta.exe
- reg.exe
- runas.exe
- sc.exe
- schtasks.exe
- ssh.exe
- systeminfo.exe
- taskkill.exe
- telnet.exe
- tracert.exe
- wscript.exe
- xcopy.exe
### Output Description
The host on which the commands were executed, the time of execution, and what commands were executed
coverage:
- technique: T1087
tactics:
- TA0007
subtechniques:
- T1087.001
- T1087.002
coverage: Low
- technique: T1003
tactics:
- TA0006
subtechniques:
- T1003.002
coverage: Low
- technique: T1069
tactics:
- TA0007
subtechniques:
- T1069.001
- T1069.002
coverage: Low
- technique: T1057
tactics:
- TA0007
coverage: Low
- technique: T1021
tactics:
- TA0008
subtechniques:
- T1021.002
coverage: Low
- technique: T1543
tactics:
- TA0003
- TA0004
subtechniques:
- T1543.003
coverage: Low
- technique: T1112
tactics:
- TA0005
coverage: Low
- technique: T1574
tactics:
- TA0003
- TA0004
subtechniques:
- T1574.011
coverage: Low
- technique: T1018
tactics:
- TA0007
coverage: Low
- technique: T1569
tactics:
- TA0002
subtechniques:
- T1569.002
coverage: Low
- technique: T1053
tactics:
- TA0003
- TA0004
- TA0002
subtechniques:
- T1053.002
- T1053.005
coverage: Low
- technique: T1029
tactics:
- TA0010
coverage: Low
- technique: T1033
tactics:
- TA0007
coverage: Low
- technique: T1007
tactics:
- TA0007
coverage: Low
- technique: T1082
tactics:
- TA0007
coverage: Low
- technique: T1049
tactics:
- TA0007
coverage: Low
- technique: T1016
tactics:
- TA0007
coverage: Low
- technique: T1010
tactics:
- TA0007
coverage: Low
- technique: T1518
tactics:
- TA0007
subtechniques:
- T1518.001
coverage: Low
- technique: T1046
tactics:
- TA0007
coverage: Low
- technique: T1562
tactics:
- TA0005
subtechniques:
- T1562.001
- T1562.006
coverage: Low
- technique: T1098
tactics:
- TA0006
coverage: Low
- technique: T1059
tactics:
- TA0002
subtechniques:
- T1059.005
coverage: Moderate
- technique: T1012
tactics:
- TA0007
coverage: Low
implementations:
- code: |-
processes = search Process:Create
reg_processes = filter processes where (exe == "arp.exe" or exe == "at.exe" or exe == "attrib.exe"
or exe == "cscript.exe" or exe == "dsquery.exe" or exe == "hostname.exe"
or exe == "ipconfig.exe" or exe == "mimikatz.exe" or exe == "nbstat.exe"
or exe == "net.exe" or exe == "netsh.exe" or exe == "nslookup.exe"
or exe == "ping.exe" or exe == "quser.exe" or exe == "qwinsta.exe"
or exe == "reg.exe" or exe == "runas.exe" or exe == "sc.exe"
or exe == "schtasks.exe" or exe == "ssh.exe" or exe == "systeminfo.exe"
or exe == "taskkill.exe" or exe == "telnet.exe" or exe == "tracert.exe"
or exe == "wscript.exe" or exe == "xcopy.exe")
reg_grouped = group reg by hostname, ppid where(max time between two events is 30 minutes)
output reg_grouped
type: pseudocode
- description: '[Sigma version](https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_multiple_suspicious_cli.yml) of the above pseudocode, with some modifications.'
type: Sigma
- description: DNIF version of the above pseudocode.
code: |-
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=regex(arp\.exe|at\.exe|attrib\.exe|cscript\.exe|dsquery\.exe|hostname\.exe|ipconfig\.exe|mimikatz.exe|nbstat\.exe|net\.exe|netsh\.exe|nslookup\.exe|ping\.exe|quser\.exe|qwinsta\.exe|reg\.exe|runas\.exe|sc\.exe|schtasks\.exe|ssh\.exe|systeminfo\.exe|taskkill\.exe|telnet\.exe|tracert\.exe|wscript\.exe|xcopy\.exe)i group count_unique $App limit 100
>>_agg count
>>_checkif int_compare Count > 1 include
type: DNIF
data_model: Sysmon native
- description: LogPoint version of the above pseudocode.
code: |-
norm_id=WindowsSysmon event_id=1 image IN ["*\arp.exe", "*\at.exe", "*\attrib.exe", "*\cscript.exe", "*\dsquery.exe", "*\hostname.exe", "*\ipconfig.exe", "*\mimikatz.exe", "*\nbstat.exe", "*\net.exe", "*\netsh.exe", "*\nslookup.exe", "*\ping.exe", "*\quser.exe", "*\qwinsta.exe", "*\reg.exe", "*\runas.exe", "*\sc.exe", "*\schtasks.exe", "*\ssh.exe", "*\systeminfo.exe", "*\taskkill.exe", "*\telnet.exe", "*\tracert.exe", "*\wscript.exe", "*\xcopy.exe"]
| chart count() as cnt by host
| search cnt > 1
type: LogPoint
data_model: LogPoint native
data_model_references:
- process/create/hostname
- process/create/ppid
- process/create/exe
unit_tests:
- configurations:
- Windows 7
description: 'Within a command window, execute several of the commands in quick succession.'
commands:
- ipconfig /all
- hostname
- systeminfo
- reg.exe Query HKLM\Software\Microsoft
d3fend_mappings:
- iri: d3f:ProcessLineageAnalysis
id: D3-PLA
label: Process Lineage Analysis