CAR-2015-07-001.yaml
title: All Logins Since Last Boot
submission_date: 2015/07/17
information_domain: Host
platforms:
- Windows
- Linux
- macOS
subtypes:
- Login
analytic_types:
- Situational Awareness
contributors:
- MITRE
id: CAR-2015-07-001
description: |-
  Once a credential dumper like [mimikatz](https://attack.mitre.org/software/S0002) runs, every user logged on since boot is potentially compromised, because the credentials were accessed via the memory of `lsass.exe`. When such an event occurs, this analytic will give the forensic context to identify compromised users. Those users could potentially be used in later events for additional logons.

  The time field indicates the first and last time a system reported a user logged into a given system. This means that activity could be intermittent between the times given and should not be considered a duration.

  ### Output Description
  A list of hostnames and the users that had been logged into the system at some point after the system's last restart.
implementations:
- description: 'This analytic requires some means of accessing system logs to get records of boot times for hosts (in the example as `SystemLogs:Bootup`). It looks for the latest boot time to happen before some user-defined point in time. Once the boot time is identified, all of the important user login events can be gathered to create a list of potentially compromised accounts. This could be critical for identifying steps an adversary could have taken after stealing credentials with a tool that operates like [mimikatz](https://attack.mitre.org/software/S0002/).'
  code: |-
    input target_host
    input event_time
    all_boots = search SystemLogs:BootUp where (hostname == target_host and time < event_time)
    boot_time = max(all_boots.time)
    user_logins = search UserSession:Login
    host_logins = filter user_logins where (hostname == target_host and boot_time < time < event_time)
    compromised_accounts = unique(host_logins.user)
    output compromised_accounts
  type: pseudocode
data_model_references:
- user_session/login/user
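The pseudocode above, carried out in Python over constructed boot and login records, as an added example that is not part of the CAR analytic. The event lists, host names and user names are made up; real deployments would pull them from the `SystemLogs:BootUp` and `UserSession:Login` sources the analytic names. It also records each user's first and last login in the window, which is the time field the description refers to.

```python
from datetime import datetime

# Constructed sample records (not real log data) standing in for the
# SystemLogs:BootUp and UserSession:Login data sources.
BOOT_EVENTS = [
    {"hostname": "ws01", "time": datetime(2015, 7, 10, 8, 0)},
    {"hostname": "ws01", "time": datetime(2015, 7, 15, 7, 30)},   # last boot before EVENT_TIME
    {"hostname": "ws02", "time": datetime(2015, 7, 16, 9, 0)},
]
LOGIN_EVENTS = [
    {"hostname": "ws01", "user": "alice", "time": datetime(2015, 7, 14, 9, 0)},       # before last boot
    {"hostname": "ws01", "user": "bob", "time": datetime(2015, 7, 15, 8, 0)},
    {"hostname": "ws01", "user": "svc_backup", "time": datetime(2015, 7, 15, 23, 0)},
    {"hostname": "ws01", "user": "bob", "time": datetime(2015, 7, 16, 10, 0)},
    {"hostname": "ws01", "user": "carol", "time": datetime(2015, 7, 17, 12, 0)},      # after EVENT_TIME
    {"hostname": "ws02", "user": "dave", "time": datetime(2015, 7, 16, 10, 0)},       # other host
]
# Constructed: the point in time the credential dumper is known to have run.
EVENT_TIME = datetime(2015, 7, 17, 11, 0)


def last_boot_before(boots, target_host, event_time):
    """Latest boot of target_host strictly before event_time, or None if none is recorded."""
    times = [b["time"] for b in boots if b["hostname"] == target_host and b["time"] < event_time]
    return max(times) if times else None


def accounts_exposed_since_boot(boots, logins, target_host, event_time):
    """Users logged into target_host after its last boot and before event_time.

    Returns (boot_time, {user: (first_login, last_login)}). Only logins already
    filtered to the host and window (host_logins) feed the unique-users step.
    """
    boot_time = last_boot_before(boots, target_host, event_time)
    if boot_time is None:
        return None, {}  # no boot record: the window cannot be established
    host_logins = [
        rec for rec in logins
        if rec["hostname"] == target_host and boot_time < rec["time"] < event_time
    ]
    seen = {}
    for rec in host_logins:
        first, last = seen.get(rec["user"], (rec["time"], rec["time"]))
        seen[rec["user"]] = (min(first, rec["time"]), max(last, rec["time"]))
    return boot_time, seen


if __name__ == "__main__":
    boot, users = accounts_exposed_since_boot(BOOT_EVENTS, LOGIN_EVENTS, "ws01", EVENT_TIME)
    print(f"ws01 last booted {boot}; accounts to treat as exposed: {users}")
```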