-
Notifications
You must be signed in to change notification settings - Fork 326
/
CAR-2021-04-001.yaml
92 lines (81 loc) · 4.32 KB
/
CAR-2021-04-001.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
---
title: Common Windows Process Masquerading
submission_date: 2021/02/12
information_domain: Host
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Sebastien Damaye
id: CAR-2021-04-001
description: |
[Masquerading (T1036)](https://attack.mitre.org/techniques/T1036/) is defined by ATT&CK as follows:
"Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names."
Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. `lsass.exe`, `svchost.exe`, etc).
There are several sub-techniques, but this analytic focuses on [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005/) only.
**Analytic Methodology**
With process monitoring, hunt for processes matching these criteria:
* process name is `svchost.exe`, `smss.exe`, `wininit.exe`, `taskhost.exe`, etc.
* process path is not `C:\Windows\System32\` or `C:\Windows\SysWow64\`
Examples (true positive):
`C:\Users\administrator\svchost.exe`
To make sure the rule doesn't miss cases where the executable would be started from a sub-folder of these locations, the entire path is checked for the process path. The below example should be considered as suspicious:
`C:\Windows\System32\srv\svchost.exe`
coverage:
- technique: T1036
tactics:
- TA0005
subtechniques:
- T1036.005
coverage: Moderate
implementations:
- name: Pseudocode - Common Windows Process Masquerading
description: Looks for mismatches between process names and their image paths.
code: |
processes = search Process:*
suspicious_processes = filter processes where (
(exe=svchost.exe AND (image_path!="C:\\Windows\\System32\\svchost.exe" OR process_path!="C:\\Windows\\SysWow64\\svchost.exe"))
OR (exe=smss.exe AND image_path!="C:\\Windows\\System32\\smss.exe")
OR (exe=wininit.exe AND image_path!="C:\\Windows\\System32\\wininit.exe")
OR (exe=taskhost.exe AND image_path!="C:\\Windows\\System32\\taskhost.exe")
OR (exe=lasass.exe AND image_path!="C:\\Windows\\System32\\lsass.exe")
OR (exe=winlogon.exe AND image_path!="C:\\Windows\\System32\\winlogon.exe")
OR (exe=csrss.exe AND image_path!="C:\\Windows\\System32\\csrss.exe")
OR (exe=services.exe AND image_path!="C:\\Windows\\System32\\services.exe")
OR (exe=lsm.exe AND image_path!="C:\\Windows\\System32\\lsm.exe")
OR (exe=explorer.exe AND image_path!="C:\\Windows\\explorer.exe")
)
output suspicious_processes
data_model: CAR native
type: Pseudocode
- name: Splunk Search - Common Windows Process Masquerading
description: Splunk search version of the above pseudocode.
code: |
index=__your_sysmon_index__ source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND (
(process_name=svchost.exe AND NOT (process_path="C:\\Windows\\System32\\svchost.exe" OR process_path="C:\\Windows\\SysWow64\\svchost.exe"))
OR (process_name=smss.exe AND NOT process_path="C:\\Windows\\System32\\smss.exe")
OR (process_name=wininit.exe AND NOT process_path="C:\\Windows\\System32\\wininit.exe")
OR (process_name=taskhost.exe AND NOT process_path="C:\\Windows\\System32\\taskhost.exe")
OR (process_name=lasass.exe AND NOT process_path="C:\\Windows\\System32\\lsass.exe")
OR (process_name=winlogon.exe AND NOT process_path="C:\\Windows\\System32\\winlogon.exe")
OR (process_name=csrss.exe AND NOT process_path="C:\\Windows\\System32\\csrss.exe")
OR (process_name=services.exe AND NOT process_path="C:\\Windows\\System32\\services.exe")
OR (process_name=lsm.exe AND NOT process_path="C:\\Windows\\System32\\lsm.exe")
OR (process_name=explorer.exe AND NOT process_path="C:\\Windows\\explorer.exe")
)
data_model: Sysmon native
type: Splunk
data_model_references:
- process/create/exe
- process/create/image_path
- process/access/exe
- process/access/image_path
- process/terminate/exe
- process/terminate/image_path
d3fend_mappings:
- iri: d3f:ProcessSpawnAnalysis
id: D3-PSA
label: Process Spawn Analysis