CAR-2020-08-002.yaml
---
title: NTFS Alternate Data Stream Execution - LOLBAS
submission_date: 2020/08/03
information_domain: 'Host'
platforms:
  - Windows
subtypes:
  - Process
analytic_types:
  - TTP
contributors:
  - MITRE
id: CAR-2020-08-002
description: |-
  NTFS Alternate Data Streams (ADSs) may be used by adversaries as a means of evading security tools by storing malicious data or binaries in file attribute metadata. ADSs are also powerful because their contents can be directly executed by various Windows tools; accordingly, this analytic looks at common ways of executing ADSs using Living off the Land Binaries and Scripts (LOLBAS).
coverage:
  - technique: T1564
    tactics:
      - TA0005
    subtechniques:
      - T1564.004
    coverage: Low
implementations:
  - name: NTFS ADS - pseudocode
    description: This is generic pseudocode that lines up with the Splunk queries below.
    code: |-
      processes = search Process:Create
      ads_processes = filter processes where (
        exe == "control.exe OR appvlp.exe OR cmd.exe OR ftp.exe OR bash.exe OR mavinject.exe OR bitsadmin.exe" and command_line.matches("__some_regex__")
      )
      output ads_processes
    type: pseudocode
    data_model: CAR native
  - name: NTFS ADS - control
    description: This Splunk query looks for invocations of control.exe used to execute NTFS alternate data streams.
    code: |-
      index=__sysmon_index__ EventCode=1 (Image=C:\\Windows\\System32\\control.exe OR Image=C:\\Windows\\SysWOW64\\control.exe) | regex CommandLine="(\w+(\.\w+)?):(\w+\.dll)"
    type: splunk
    data_model: Sysmon native
  - name: NTFS ADS - appvlp
    description: This Splunk query looks for invocations of appvlp.exe used to execute NTFS alternate data streams.
    code: |-
      index=__sysmon_index__ EventCode=1 (Image="C:\\Program Files\\Microsoft Office\\root\\Client\\AppVLP.exe" OR Image="C:\\Program Files (x86)\\Microsoft Office\\root\\Client\\AppVLP.exe") | regex CommandLine="(\w+(\.\w+)?):(\w+(\.\w+)?)"
    type: splunk
    data_model: Sysmon native
  - name: NTFS ADS - cmd
    description: This Splunk query looks for invocations of cmd.exe used to execute NTFS alternate data streams.
    code: |-
      index=__sysmon_index__ EventCode=1 (Image=C:\\Windows\\System32\\cmd.exe OR Image=C:\\Windows\\SysWOW64\\cmd.exe) | regex CommandLine="-\s+<.*\b(\w+(\.\w+)?):(\w+(\.\w+)?)"
    type: splunk
    data_model: Sysmon native
  - name: NTFS ADS - ftp
    description: This Splunk query looks for invocations of ftp.exe used to execute NTFS alternate data streams.
    code: |-
      index=__sysmon_index__ EventCode=1 (Image=C:\\Windows\\System32\\ftp.exe OR Image=C:\\Windows\\SysWOW64\\ftp.exe) | regex CommandLine="-s:(\w+(\.\w+)?):(\w+(\.\w+)?)"
    type: splunk
    data_model: Sysmon native
  - name: NTFS ADS - bash
    description: This Splunk query looks for invocations of bash.exe used to execute NTFS alternate data streams.
    code: |-
      index=__sysmon_index__ EventCode=1 (Image=C:\\Windows\\System32\\bash.exe OR Image=C:\\Windows\\SysWOW64\\bash.exe) | regex CommandLine="-c.*(\w+(\.\w+)?):(\w+(\.\w+)?)"
    type: splunk
    data_model: Sysmon native
  - name: NTFS ADS - mavinject
    description: This Splunk query looks for invocations of mavinject.exe used to execute NTFS alternate data streams.
    code: |-
      index=__sysmon_index__ EventCode=1 (Image=C:\\Windows\\System32\\mavinject.exe OR Image=C:\\Windows\\SysWOW64\\mavinject.exe) | regex CommandLine="\d+\s+\/INJECTRUNNING.*\b(\w+(\.\w+)?):(\w+(\.\w+)?)"
    type: splunk
    data_model: Sysmon native
  - name: NTFS ADS - bitsadmin
    description: This Splunk query looks for invocations of bitsadmin.exe used to execute NTFS alternate data streams.
    code: |-
      index=__sysmon_index__ EventCode=1 (Image=C:\\Windows\\System32\\bitsadmin.exe OR Image=C:\\Windows\\SysWOW64\\bitsadmin.exe) | regex CommandLine="\/create.*\/addfile.*\/SetNotifyCmdLine.*\b(\w+\.\w+):(\w+(\.\w+)?)"
    type: splunk
    data_model: Sysmon native
data_model_references:
  - process/create/exe
  - process/create/command_line
references:
  - The [LOLBAS project](https://lolbas-project.github.io/) is an amazing resource and was used as the basis for many of these analytics.
  - Oddvar Moe has created an excellent NTFS ADS execution reference [here on github](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f).
d3fend_mappings:
  - iri: d3f:ProcessSpawnAnalysis
    id: D3-PSA
    label: Process Spawn Analysis
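The per-binary regexes from the Splunk implementations above, replayed offline over constructed Sysmon-style process-creation records. This is an added example and not part of the CAR analytic; the event dictionaries, the basename-based Image lookup standing in for the full-path filters, and the `match_ads_execution`/`scan` helpers are assumptions made here to show what the rules do and do not fire on.

```python
import re

# Command-line regexes transcribed from the Splunk queries in the analytic; the
# Image= full-path filters are approximated by a case-insensitive basename lookup.
ADS_RULES = {
    "control.exe":   r"(\w+(\.\w+)?):(\w+\.dll)",
    "appvlp.exe":    r"(\w+(\.\w+)?):(\w+(\.\w+)?)",
    "cmd.exe":       r"-\s+<.*\b(\w+(\.\w+)?):(\w+(\.\w+)?)",
    "ftp.exe":       r"-s:(\w+(\.\w+)?):(\w+(\.\w+)?)",
    "bash.exe":      r"-c.*(\w+(\.\w+)?):(\w+(\.\w+)?)",
    "mavinject.exe": r"\d+\s+/INJECTRUNNING.*\b(\w+(\.\w+)?):(\w+(\.\w+)?)",
    "bitsadmin.exe": r"/create.*/addfile.*/SetNotifyCmdLine.*\b(\w+\.\w+):(\w+(\.\w+)?)",
}

def match_ads_execution(event):
    """Return the captured 'file:stream' token when a Sysmon EventCode 1 record
    trips its binary's rule, else None. In every rule group 1 is the host file
    and group 3 the stream name."""
    if event.get("EventCode") != 1:      # only process-creation events are in scope
        return None
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    pattern = ADS_RULES.get(image)
    if pattern is None:                  # binary not covered by this analytic
        return None
    m = re.search(pattern, event.get("CommandLine", ""))
    return f"{m.group(1)}:{m.group(3)}" if m else None

def scan(events):
    """Return [(image basename, captured token)] for every matching event."""
    hits = []
    for ev in events:
        token = match_ads_execution(ev)
        if token:
            hits.append((ev["Image"].rsplit("\\", 1)[-1].lower(), token))
    return hits

# Constructed Sysmon-style records for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": "control.exe sample.txt:stream.dll"},   # true positive
    {"EventCode": 1, "Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": "ftp -s:sample.txt:cmds"},              # true positive
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},                      # benign: no '- <' redirect
    {"EventCode": 3, "Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": "ftp -s:sample.txt:cmds"},              # network event, out of scope
    {"EventCode": 1, "Image": r"C:\Windows\System32\bash.exe",
     "CommandLine": 'bash.exe -c "echo ok:ok"'},            # benign, yet the loose word:word
]                                                           # pattern fires; greedy .* clips it to k:ok
```

The last record shows why coverage is rated Low and why the capture is not reliable for triage: any `word:word` after `-c` matches, and the greedy `.*` leaves only the tail of the host filename in group 1.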