-
Notifications
You must be signed in to change notification settings - Fork 326
/
CAR-2014-02-001.yaml
66 lines (62 loc) · 2.36 KB
/
CAR-2014-02-001.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
---
title: Service Binary Modifications
submission_date: 2014/02/14
information_domain: Host
platforms:
- Windows
subtypes:
- Registry File Process
analytic_types:
- Situational Awareness
- TTP
contributors:
- MITRE
id: CAR-2014-02-001
description: |
Adversaries may modify the binary file for an existing service to achieve [Persistence](https://attack.mitre.org/tactics/TA0003) while potentially [evading defenses](https://attack.mitre.org/tactics/TA0005). If a newly created or modified runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. A well-tuned baseline is essential to differentiating between benign and malicious service modifications.
### Output Description
The Service Name and approximate time in which changes occurred on each host
coverage:
- technique: T1543
tactics:
- TA0003
- TA0004
subtechniques:
- T1543.003
coverage: Moderate
- technique: T1574
tactics:
- TA0003
- TA0004
subtechniques:
- T1574.010
coverage: Moderate
- technique: T1569
tactics:
- TA0002
subtechniques:
- T1569.002
coverage: Moderate
implementations:
- description: 'Look for events where a file was created and then later run as a service. In these cases, a new service has been created or the binary has been modified. Many programs, such as `msiexec.exe`, do these behaviors legitimately and can be used to help validate legitimate service creations/modifications.'
code: |
legitimate_installers = ["C:\windows\system32\msiexec.exe", "C:\windows\syswow64\msiexec.exe", ...]
file_change = search File:Create,Modify
process = search Process:Create
service_process = filter processes where (parent_exe == "services.exe")
modified_service = join (search, filter) where (
file_change.time < service_process.time and
file_change.file_path == service_process.image_path
)
modified_service = filter modified_service where (modified_service.file_change.image_path not in legitimate_installers)
output modified_service
type: pseudocode
data_model_references:
- file/create/file_path
- file/create/image_path
- process/create/image_path
- process/create/parent_exe
d3fend_mappings:
- iri: d3f:ServiceBinaryVerification
id: D3-SBV
label: Service Binary Verification