-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2020-08-001.yaml
67 lines (67 loc) · 3.35 KB
/
CAR-2020-08-001.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
---
title: NTFS Alternate Data Stream Execution - System Utilities
submission_date: 2020/08/03
information_domain: 'Host'
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- MITRE
id: CAR-2020-08-001
description: |-
NTFS Alternate Data Streams (ADSs) may be used by adversaries as a means of evading security tools by storing malicious data or binaries in file attribute metadata. ADSs are also powerful because they can be directly executed by various Windows tools; accordingly, this analytic looks at common ways of executing ADSs using system utilities such as powershell.
coverage:
- technique: T1564
tactics:
- TA0005
subtechniques:
- T1564.004
coverage: Low
implementations:
- name: NTFS ADS - pseudocode
description: This is generic pseudocode that lines up with the below Splunk queries.
code: |-
processes = search Process:Create
ads_processes = filter processes where (
exe == "powershell.exe OR rundll32.exe OR wmic.exe OR wscript.exe OR cscript.exe" and command_line.matches("__some_regex__")
)
output ads_processes
type: pseudocode
data_model: CAR native
- name: NTFS ADS - powershell
description: This Splunk query looks for invocations of powershell used to execute NTFS alternate data streams.
code: |-
index=__sysmon_index__ EventCode=1 Image=C:\\Windows\\*\\powershell.exe|regex CommandLine="Invoke-CimMethod\s+-ClassName\s+Win32_Process\s+-MethodName\s+Create.*\b(\w+(\.\w+)?):(\w+(\.\w+)?)|-ep bypass\s+-\s+<.*\b(\w+(\.\w+)?):(\w+(\.\w+)?)|-command.*Get-Content.*-Stream.*Set-Content.*start-process .*(\w+(\.\w+)?)"
type: splunk
data_model: Sysmon native
- name: NTFS ADS - wmic
description: This Splunk query looks for invocations of WMIC used to execute NTFS alternate data streams.
code: |-
index=__sysmon_index__ EventCode=1 Image=C:\\Windows\\*\\wmic.exe | regex CommandLine="process call create.*\"(\w+(\.\w+)?):(\w+(\.\w+)?)"
type: splunk
data_model: Sysmon native
- name: NTFS ADS - rundll32
description: This Splunk query looks for invocations of rundll32 used to execute NTFS alternate data streams.
code: |-
index=__sysmon_index__ EventCode=1 Image=C:\\Windows\\*\\rundll32.exe | regex CommandLine="\"?(\w+(\.\w+)?):(\w+(\.\w+)?)?\"?,\w+\|(advpack\.dll\|ieadvpack\.dll),RegisterOCX\s+(\w+\.\w+):(\w+(\.\w+)?)\|(shdocvw\.dll\|ieframe\.dll),OpenURL.*(\w+\.\w+):(\w+(\.\w+)?)"
type: splunk
data_model: Sysmon native
- name: NTFS ADS - wscript/cscript
description: This Splunk query looks for invocations of the windows scripting host used to execute NTFS alternate data streams.
code: |-
index=__sysmon_index__ EventCode=1 (Image=C:\\Windows\\*\\wscript.exe OR Image=C:\\Windows\\*\\cscript.exe) | regex CommandLine="(?<!\/)\b\w+(\.\w+)?:\w+(\.\w+)?$"
type: splunk
data_model: Sysmon native
data_model_references:
- process/create/exe
- process/create/command_line
references:
- Oddvar Moe has created an excellent NTFS ADS execution reference [here on github](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f), which was used as the basis for many of these analytics.
- The [LOLBAS project](https://lolbas-project.github.io/) is an amazing resource for anything LOLBAS.
d3fend_mappings:
- iri: d3f:ProcessSpawnAnalysis
id: D3-PSA
label: Process Spawn Analysis