-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2020-11-004.yaml
77 lines (77 loc) · 5.45 KB
/
CAR-2020-11-004.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
title: Processes Started From Irregular Parent
submission_date: 2020/11/30
information_domain: Host
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Olaf Hartong
id: CAR-2020-11-004
description: |-
Adversaries may start legitimate processes and then use their memory space to run malicious code. This analytic looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose they may not have the standard parent that we would expect. This list is not exhaustive, and it is possible for cyber actors to avoid this discepency. These signatures only work if Sysmon reports the parent process, which may not always be the case if the parent dies before sysmon processes the event.
coverage:
- technique: T1055
tactics:
- TA0005
subtechniques:
- T1055.012
coverage: Low
implementations:
- name: Pseudocode - common processes that do not have the correct parent
description: This is a pseudocode representation of the below splunk search.
code: |-
processes = search Process:Create
mismatch_processes = filter processes where ( parent_exe exists AND
(exe="smss.exe" AND (parent_exe!="smss.exe" AND parent_exe!="System") OR
(exe="csrss.exe" AND (parent_exe!="smss.exe" AND parent_exe!="svchost.exe")) OR
(exe="wininit.exe" AND parent_exe!="smss.exe") OR
(exe="winlogon.exe" AND parent_exe!="smss.exe") OR
(exe="lsass.exe" AND (parent_exe!="wininit.exe" AND parent_exe!="winlogon.exe")) OR
(exe="LogonUI.exe" AND (parent_exe!="winlogon.exe" AND parent_exe!="wininit.exe")) OR
(exe="services.exe" AND parent_exe!="wininit.exe") OR
(exe="spoolsv.exe" AND parent_exe!="services.exe") OR
(exe="taskhost.exe" AND (parent_exe!="services.exe" AND parent_exe!="svchost.exe")) OR
(exe="taskhostw.exe" AND (parent_exe!="services.exe" AND parent_exe!="svchost.exe")) OR
(exe="userinit.exe" AND (parent_exe!="dwm.exe" AND parent_exe!="winlogon.exe"))
output mismatch_processes
data_model: CAR native
type: Pseudocode
- name: Splunk Search - parent/child mismatch
description: Looks for processes that do not have the expected parent. Common Splunk forwarder applications that break these rules are whitelisted; unique environments may require additional whitelist items.
code: |-
(index=__your_sysmon_index__ EventCode=1) AND ParentImage!="?" AND ParentImage!="C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe" AND ParentImage!="C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe" AND
((Image="C:\\Windows\System32\\smss.exe" AND (ParentImage!="C:\\Windows\\System32\\smss.exe" AND ParentImage!="System")) OR
(Image="C:\\Windows\\System32\\csrss.exe" AND (ParentImage!="C:\\Windows\\System32\\smss.exe" AND ParentImage!="C:\\Windows\\System32\\svchost.exe")) OR
(Image="C:\\Windows\\System32\\wininit.exe" AND ParentImage!="C:\\Windows\\System32\\smss.exe") OR
(Image="C:\\Windows\\System32\\winlogon.exe" AND ParentImage!="C:\\Windows\\System32\\smss.exe") OR
(Image="C:\\Windows\\System32\\lsass.exe" and ParentImage!="C:\\Windows\\System32\\wininit.exe") OR
(Image="C:\\Windows\\System32\\LogonUI.exe" AND (ParentImage!="C:\\Windows\\System32\\winlogon.exe" AND ParentImage!="C:\\Windows\\System32\\wininit.exe")) OR
(Image="C:\\Windows\\System32\\services.exe" AND ParentImage!="C:\\Windows\\System32\\wininit.exe") OR
(Image="C:\\Windows\\System32\\spoolsv.exe" AND ParentImage!="C:\\Windows\\System32\\services.exe") OR
(Image="C:\\Windows\\System32\\taskhost.exe" AND (ParentImage!="C:\\Windows\\System32\\services.exe" AND ParentImage!="C:\\Windows\\System32\\svchost.exe")) OR
(Image="C:\\Windows\\System32\\taskhostw.exe" AND (ParentImage!="C:\\Windows\\System32\\services.exe" AND ParentImage!="C:\\Windows\\System32\\svchost.exe")) OR
(Image="C:\\Windows\System32\\userinit.exe" AND (ParentImage!="C:\\Windows\\System32\\dwm.exe" AND ParentImage!="C:\\Windows\\System32\\winlogon.exe")))
data_model: Sysmon native
type: Splunk
- name: LogPoint Search - parent/child mismatch
description: Looks for processes that do not have the expected parent. Unique environments may require additional whitelist items.
code: |-
norm_id=WindowsSysmon event_id=1 -parent_image="?" ((image="*\smss.exe" (-parent_image="*\smss.exe" -parent_image="*\System")) OR
(image="*\csrss.exe" (-parent_image="*\smss.exe" -parent_image="*\svchost.exe")) OR (image="*\wininit.exe" -parent_image="*\smss.exe") OR
(image="*\winlogon.exe" -parent_image="*\smss.exe") OR (image="*\lsass.exe" (-parent_image="*\wininit.exe" -parent_image="*\winlogon.exe")) OR
(image="*\LogonUI.exe" (-parent_image="*\winlogon.exe" -parent_image="*\wininit.exe")) OR (image="*\services.exe" -parent_image="*\wininit.exe") OR
(image="*\spoolsv.exe" -parent_image="*\services.exe") OR (image="*\taskhost.exe" (-parent_image="*\services.exe" -parent_image="*\svchost.exe")) OR
(image="*\taskhostw.exe" (-parent_image="*\services.exe" -parent_image="*\svchost.exe")) OR
(image="*\userinit.exe" (-parent_image="*\dwm.exe" -parent_image="*\winlogon.exe")))
data_model: LogPoint native
type: LogPoint
data_model_references:
- process/create/exe
- process/create/parent_exe
d3fend_mappings:
- iri: d3f:ProcessLineageAnalysis
id: D3-PLA
label: Process Lineage Analysis