-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2013-09-005.yaml
46 lines (46 loc) · 1.69 KB
/
CAR-2013-09-005.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
title: Service Outlier Executables
submission_date: 2013/09/23
information_domain: Host
platforms:
- Windows
subtypes:
- Process
analytic_types:
- Detection
contributors:
- MITRE
id: CAR-2013-09-005
description: New executables that are started as a service are suspicious. This analytic looks for anomalous service executables.
coverage:
- technique: T1543
tactics:
- TA0003
subtechniques:
- T1543.003
coverage: Moderate
implementations:
- description: 'Create a baseline of services seen over the last 30 days and a list of services seen today. Remove services in the baseline from services seen today, leaving a list of new services.'
code: |-
processes = search Process:Create
services = filter processes where (parent_image_path == "C:\Windows\System32\services.exe")
historic_services = filter services (where timestamp < now - 1 day AND timestamp > now - 1 day)
current_services = filter services (where timestamp >= now - 1 day)
new_services = historic_services - current_services
output new_services
type: pseudocode
- name: Sigma (Windows Event Log)
description: '[Sigma/Windows Event Log](https://github.com/Neo23x0/sigma/blob/master/rules/windows/builtin/win_rare_service_installs.yml) rule with similar logic to the above pseudocode'
type: Sigma
- description: LogPoint version of the above sigma rule.
code: |-
norm_id=WinServer event_id=7045
| chart count() as cnt by file
| search cnt < 5
type: LogPoint
data_model: LogPoint native
data_model_references:
- process/create/parent_image_path
d3fend_mappings:
- iri: d3f:ProcessLineageAnalysis
id: D3-PLA
label: Process Lineage Analysis