-
Notifications
You must be signed in to change notification settings - Fork 326
/
CAR-2014-03-005.yaml
54 lines (52 loc) · 2.25 KB
/
CAR-2014-03-005.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
---
title: Remotely Launched Executables via Services
submission_date: 2014/03/18
information_domain: 'Host, Network'
platforms:
- Windows
subtypes:
- Network Process
- Hostflow
analytic_types:
- TTP
contributors:
- MITRE
id: CAR-2014-03-005
description: |
There are several ways to cause code to [execute](https://attack.mitre.org/tactics/TA0002) on a remote host. One of the most common methods is via the Windows [Service Control Manager](https://en.wikipedia.org/wiki/Service_Control_Manager) (SCM), which allows authorized users to remotely create and modify services. Several tools, such as [PsExec](https://attack.mitre.org/software/S0029), use this functionality.
When a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the [RPC Endpoint Mapper](../CAR-2014-05-001) over 135/tcp. This handles authentication, and tells the client what port the endpoint—in this case the SCM—is listening on. Then, the client connects directly to the listening port on `services.exe`. If the request is to start an existing service with a known command line, the the SCM process will run the corresponding command.
This compound behavior can be detected by looking for `services.exe` receiving a network connection and immediately spawning a child process.
coverage:
- technique: T1543
tactics:
- TA0003
subtechniques:
- T1543.003
coverage: Moderate
- technique: T1569
tactics:
- TA0002
subtechniques:
- T1569.002
coverage: Moderate
implementations:
- description: 'Look for processes launched from `services.exe` within 1 second of services.exe receiving a network connection.'
code: |
process = search Process:Create
flow = search Flow:Start
service = filter process where (parent_exe == "services.exe")
remote_start = join (flow, service ) where (
flow.hostname == service.hostname and
flow.pid == service.pid and
(flow.time < service.time < flow.time + 1 second)
)
output remote_start
type: pseudocode
data_model_references:
- flow/start/pid
- process/create/parent_exe
- process/create/pid
d3fend_mappings:
- iri: d3f:RPCTrafficAnalysis
id: D3-RTA
label: RPC Traffic Analysis