-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2021-05-011.yaml
60 lines (60 loc) · 2.59 KB
/
CAR-2021-05-011.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
title: Create Remote Thread into LSASS
submission_date: 2021/05/11
information_domain: Analytic
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Splunk Threat Research <[email protected]>
id: CAR-2021-05-011
description: Actors may create a remote thread into the LSASS service as part of a workflow to dump credentials.
coverage:
- technique: T1003
subtechniques:
- T1003.001
tactics:
- TA0006
coverage: Moderate
implementations:
- name: Pseudocode – Remote thread creation into LSASS
description: Pseudocode implementation of the Splunk search below. The CAR data model does not currently contain a Target Image field, for remote thread creation, so this code Is somewhat inexact. See the Splunk implementation for a more precise search for the lsass image target.
code: |-
remote_threads = search Thread:remote_create
lsass_remote_create = filter remote_threads where "lsass" in raw event
output lsass_remote_create
data_model: CAR native
type: Pseudocode
- name: Splunk code
description: This search needs Sysmon Logs with a Sysmon configuration, which includes
EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We
strongly recommend that you specify your environment-specific configurations (index,
source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition
with configurations for your Splunk environment. The search also uses a post-filter
macro designed to filter out known false positives.
code: '`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime
max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId |
rename Computer as dest'
type: Splunk
data_model: ''
unit_tests:
- configurations:
- Using Splunk [Attack Range](https://github.com/splunk/attack_range)
description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log) using
the Splunk attack range with the commands below
commands:
- python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP]
- configurations:
- Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam)
description: execute the atomic test [T1003.001](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1003.001)
against a Windows target.
commands:
- Invoke-AtomicTest T1003.001
data_model_references:
- thread/remote_create
d3fend_mappings:
- iri: d3f:SystemCallAnalysis
id: D3-SCA
label: System Call Analysis