-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2020-11-006.yaml
56 lines (56 loc) · 2.13 KB
/
CAR-2020-11-006.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
title: Local Permission Group Discovery
submission_date: 2020/11/30
information_domain: Host
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Olaf Hartong
id: CAR-2020-11-006
description: |-
Cyber actors frequently enumerate local or domain permissions groups. The net utility is usually used for this purpose. This analytic looks for any instances of net.exe, which is not normally used for benign purposes, although system administrator actions may trigger false positives.
coverage:
- technique: T1069
tactics:
- TA0007
subtechniques:
- T1069.001
- T1069.002
coverage: Moderate
implementations:
- name: Pseudocode - net.exe instances
description: This is a pseudocode representation of the below splunk search.
code: |-
processes = search Process:Create
net_processes = filter processes where (
exe = "net.exe" AND (
command_line="*net* user*" OR
command_line="*net* group*" OR
command_line="*net* localgroup*" OR
command_line="*get-localgroup*" OR
command_line="*get-ADPrincipalGroupMembership*" )
output net_processes
data_model: CAR native
type: Pseudocode
- name: Splunk Search - net.exe instances
description: Look for instances of net.exe
code: |-
(index=__your_sysmon_index__ EventCode=1) Image="C:\\Windows\\System32\\net.exe" AND (CommandLine="* user*" OR CommandLine="* group*" OR CommandLine="* localgroup*" OR CommandLine="*get-localgroup*" OR CommandLine="*get-ADPrincipalGroupMembership*")
data_model: Sysmon native
type: Splunk
- name: LogPoint Search - net.exe instances
description: Look for instances of net.exe
code: |-
norm_id=WindowsSysmon event_id=1 image="C:\Windows\System32\net.exe" (command="* user*" OR command="* group*" OR command="* localgroup*" OR command="*get-localgroup*" OR command="*get-ADPrincipalGroupMembership*")
data_model: LogPoint native
type: LogPoint
data_model_references:
- process/create/exe
- process/create/command_line
d3fend_mappings:
- iri: d3f:ProcessSpawnAnalysis
id: D3-PSA
label: Process Spawn Analysis