CAR-2014-11-008.yaml
---
title: Command Launched from WinLogon
submission_date: 2014/11/19
information_domain: Host
platforms:
  - Windows
subtypes:
  - Process
analytic_types:
  - TTP
contributors:
  - MITRE
id: CAR-2014-11-008
description: |-
  An adversary can use [accessibility features](https://attack.mitre.org/techniques/T1546/008) (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. Since an adversary does not have physical access to the machine, this technique must be run within [Remote Desktop](https://attack.mitre.org/techniques/T1021/001). To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. This analytic looks for instances of `cmd.exe` or `powershell.exe` launched directly from the logon process, `winlogon.exe`. It should be used in tandem with [CAR-2014-11-003](../CAR-2014-11-003), which detects the accessibility programs in the command line.
  Several accessibility programs can be run using the Ease of Access Center:
  - `sethc.exe` handles StickyKeys
  - `utilman.exe` is the Ease of Access menu
  - `osk.exe` runs the On-Screen Keyboard
  - `narrator.exe` reads screen text aloud
  - `magnify.exe` magnifies the view of the screen near the cursor
coverage:
  - technique: T1546
    tactics:
      - TA0004
      - TA0003
    subtechniques:
      - T1546.008
    coverage: Moderate
implementations:
  - description: 'Look for instances of processes where the parent executable is winlogon.exe and the child is an instance of a command prompt.'
    code: |-
      processes = search Process:Create
      winlogon_cmd = filter processes where (parent_exe == "winlogon.exe" and exe == "cmd.exe")
      output winlogon_cmd
    type: pseudocode
  - description: Splunk version of the above pseudocode.
    code: |-
      index=__your_sysmon_index__ EventCode=1 ParentImage="C:\\Windows\\*\\winlogon.exe" Image="C:\\Windows\\*\\cmd.exe"
    type: Splunk
    data_model: Sysmon native
  - description: EQL version of the above pseudocode.
    code: |-
      process where subtype.create and
        (process_name == "cmd.exe" and parent_process_name == "winlogon.exe")
    type: EQL
    data_model: EQL native
  - description: LogPoint version of the above pseudocode.
    code: |-
      norm_id=WindowsSysmon event_id=1 parent_image="C:\Windows\System32\winlogon.exe" image="C:\Windows\System32\cmd.exe"
    type: LogPoint
    data_model: LogPoint native
data_model_references:
  - process/create/exe
  - process/create/parent_exe
d3fend_mappings:
  - iri: d3f:ProcessLineageAnalysis
    id: D3-PLA
    label: Process Lineage Analysis
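The following is an added example, not code from the CAR repository: the analytic's condition (parent is `winlogon.exe`, child is a command shell) implemented in Python over Sysmon Event ID 1 records in Windows Event Log XML form. It goes one step past the page's queries by also matching `powershell.exe`, which the description names but the Splunk, EQL and LogPoint queries omit; that widening, the `_event` helper and every event below are this example's own constructed assumptions, not captured telemetry.

```python
"""Added example, not part of the MITRE CAR repository: the CAR-2014-11-008
check implemented over Sysmon Event ID 1 (process creation) events in
Windows Event Log XML form. Matching powershell.exe alongside cmd.exe is an
assumption taken from the description; the page's queries match cmd.exe only.
All events below are constructed samples, not real telemetry."""
import ntpath
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_PARENT = "winlogon.exe"
# Child images the analytic description calls out (assumption: powershell.exe
# is included because the description mentions it; the page's queries do not).
SHELLS = {"cmd.exe", "powershell.exe"}


def parse_sysmon_event(xml_text):
    """Return (EventID, {Data Name: value}) from one Sysmon event in Event Log XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=EVT_NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", EVT_NS)}
    return event_id, data


def is_command_from_winlogon(event_id, data):
    """The CAR-2014-11-008 condition: parent_exe == winlogon.exe and exe is a shell."""
    if event_id != 1:  # only process-creation events carry parent lineage
        return False
    # Compare case-folded file names so the directory and its casing in the
    # event do not matter (the page's Splunk query wildcards the directory for
    # the same reason).
    parent = ntpath.basename(data.get("ParentImage", "")).lower()
    child = ntpath.basename(data.get("Image", "")).lower()
    return parent == LOGON_PARENT and child in SHELLS


def detect(xml_events):
    """Run the analytic over raw XML events; return the fields an analyst triages."""
    hits = []
    for xml_text in xml_events:
        event_id, data = parse_sysmon_event(xml_text)
        if is_command_from_winlogon(event_id, data):
            hits.append({k: data.get(k, "") for k in
                         ("UtcTime", "User", "ParentImage", "Image", "CommandLine")})
    return hits


def _event(event_id, image, parent_image, command_line, user,
           utc="2014-11-19 10:00:00.000"):
    # Constructed Event Log XML in the shape Sysmon writes, trimmed to the
    # fields this analytic reads (real events carry many more Data elements).
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="UtcTime">{utc}</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="CommandLine">{command_line}</Data>
    <Data Name="User">{user}</Data>
    <Data Name="ParentImage">{parent_image}</Data>
  </EventData>
</Event>"""


SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE_EVENTS = [
    # Normal logon chain: smss -> winlogon -> userinit; no shell involved.
    _event(1, r"C:\Windows\System32\winlogon.exe", r"C:\Windows\System32\smss.exe",
           "winlogon.exe", SYSTEM),
    _event(1, r"C:\Windows\System32\userinit.exe", r"C:\Windows\System32\winlogon.exe",
           r"C:\Windows\system32\userinit.exe", r"CORP\alice"),
    # The pattern the analytic targets: a SYSTEM shell whose parent is winlogon.
    _event(1, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\winlogon.exe",
           "cmd.exe", SYSTEM, utc="2014-11-19 10:05:12.000"),
    # A user opening a prompt from the desktop is not flagged.
    _event(1, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
           r'"C:\Windows\system32\cmd.exe"', r"CORP\alice"),
    # Same lineage, PowerShell child, odd casing in the parent path: still a hit.
    _event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"C:\WINDOWS\SYSTEM32\WINLOGON.EXE", "powershell.exe", SYSTEM,
           utc="2014-11-19 10:05:40.000"),
    # Process-terminate event (ID 5) mentioning cmd.exe: wrong event type, ignored.
    _event(5, r"C:\Windows\System32\cmd.exe", "", "", SYSTEM),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Run as a script it prints the two matching events (the `cmd.exe` and `powershell.exe` children of `winlogon.exe`). When porting this to the page's Splunk or EQL form, the equivalent of the `SHELLS` set is widening the `Image` / `process_name` clause to cover `powershell.exe` as the description intends; the file-name comparison mirrors the `ParentImage="C:\\Windows\\*\\winlogon.exe"` wildcard, so a copy of the shell outside `System32` would still be flagged here as well.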