-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2021-05-003.yaml
63 lines (63 loc) · 2.5 KB
/
CAR-2021-05-003.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
title: BCDEdit Failure Recovery Modification
submission_date: 2021/05/11
information_domain: Analytic
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Splunk Threat Research <[email protected]>
id: CAR-2021-05-003
description: This search looks for flags passed to bcdedit.exe modifications to the
built-in Windows error recovery boot configurations. This is typically used by ransomware
to prevent recovery.
coverage:
- technique: T1490
tactics:
- TA0040
coverage: Moderate
implementations:
- name: Pseudocode – detect attempts to add a certificate to a certificate store
description: Pseudocode implementation of the splunk search below
code: |-
processes = search Process:Create
bcdedit_commands = filter processes where (
exe = "C:\Windows\System32\bcdedit.exe" AND command_line="*recoveryenabled*" )
output bcedit_commands
data_model: CAR native
type: Pseudocode
- name: Splunk code
description: You must be ingesting endpoint data that tracks process activity, including
parent-child relationships from your endpoints to populate the Endpoint data model
in the Processes node. Tune based on parent process names.
code: '| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process_name = bcdedit.exe Processes.process="*recoveryenabled*"
(Processes.process="* no*") by Processes.process_name Processes.process Processes.parent_process_name
Processes.dest Processes.user'
type: Splunk
data_model: Endpoint
unit_tests:
- configurations:
- Using Splunk [Attack Range](https://github.com/splunk/attack_range)
description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1490/atomic_red_team/windows-sysmon.log) using
the Splunk attack range with the commands below
commands:
- python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP]
- configurations:
- Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam)
description: execute the atomic test [T1490](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1490)
against a Windows target.
commands:
- Invoke-AtomicTest T1490
data_model_references:
- process/create/exe
- process/create/command_line
d3fend_mappings:
- iri: d3f:ProcessSpawnAnalysis
id: D3-PSA
label: Process Spawn Analysis
- iri: d3f:ProcessLineageAnalysis
id: D3-PLA
label: Process Lineage Analysis