-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2013-05-009.yaml
69 lines (66 loc) · 2.99 KB
/
CAR-2013-05-009.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
title: Running executables with same hash and different names
submission_date: 2013/05/23
information_domain: Host
platforms:
- Windows
- Linux
- macOS
subtypes:
- Process
analytic_types:
- TTP
contributors:
- MITRE
id: CAR-2013-05-009
description: |-
Executables are generally not renamed, thus a given hash of an executable should only have ever one name. Identifying instances where multiple process names share the same hash may find cases where tools are copied by attackers to different folders or hosts to [avoid detection](https://attack.mitre.org/tactics/TA0005).
Although this analytic was initially based on MD5 hashes, it is equally applicable to any hashing convention.
### Output Description
A list of hashes and the different executables associated with each one
coverage:
- technique: T1036
tactics:
- TA0005
subtechniques:
- T1036.003
coverage: Moderate
implementations:
- name: Basic Query
description: This is a basic Splunk search that will output all of the sysmon-reported process images and their respective hashes, for cases where an image has more than one set of hashes. Thus, this will output a large amount of data and should be filtered by the analyst in order to make the results more useful.
code: |-
index=__your_sysmon_index__ EventCode=1|stats dc(Hashes) as Num_Hashes values(Hashes) as "Hashes" by Image|where Num_Hashes > 1
type: splunk
data_model: Sysmon native
- name: Sigma/Sysmon
description: '[Sigma includes](https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_renamed_binary.yml) a Sysmon-specific rule for detecting this, using the OriginalFilename field.'
type: Sigma
- name: Sigma (renamed powershell)
description: '[Sigma includes](https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_powershell_renamed_ps.yml) a rule specifically for detecting instances of Powershell being renamed.'
type: Sigma
- name: Sigma (renamed paexec)
description: '[Sigma includes](https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_renamed_paexec.yml) a rule specifically for detecting instances of paexec being renamed.'
type: Sigma
- description: DNIF version of the above pseudocode.
code: |-
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 group count_unique $App, $HashMD5 limit 100
>>_agg count_unique $HashMD5
>>_checkif int_compare count_unique > 1 include
type: DNIF
data_model: Sysmon native
- description: LogPoint version of the above pseudocode.
code: |-
norm_id=WindowsSysmon event_id=1
| chart distinct_count(hash) as cnt by image
| search cnt > 1
type: LogPoint
data_model: LogPoint native
data_model_references:
- process/create/exe
- process/create/md5_hash
d3fend_mappings:
- iri: d3f:ServiceBinaryVerification
id: D3-SBV
label: Service Binary Verification
- iri: d3f:SystemFileAnalysis
id: D3-SFA
label: System File Analysis