-
Notifications
You must be signed in to change notification settings - Fork 326
/
CAR-2021-05-010.yaml
65 lines (65 loc) · 2.78 KB
/
CAR-2021-05-010.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
---
title: Create local admin accounts using net exe
submission_date: 2021/05/11
information_domain: Analytic
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- Splunk Threat Research <[email protected]>
id: CAR-2021-05-010
description: This search looks for the creation of local administrator accounts using
net.exe.
coverage:
- technique: T1136
subtechniques:
- T1136.001
tactics:
- TA0003
coverage: Moderate
implementations:
- name: Pseudocode – CertUtil certificate extraction
description: Pseudocode implementation of the Splunk search below
code: |
processes = search Process:Create
certutil_downloads = filter processes where (
(exe = C:\Windows\System32\net.exe OR exe = C:\Windows\System32\net1.exe ) AND (command_line = *localgroup* OR command_line = */add* OR command_line = *user* ))
output certutil_downloads
data_model: CAR native
type: Pseudocode
- name: Splunk code
description: You must be ingesting data that records process activity from your
hosts to populate the Endpoint data model in the Processes node. You must also
be ingesting logs with both the process name and command line from your endpoints.
The command-line arguments are mapped to the "process" field in the Endpoint data
model.
code: '| tstats count values(Processes.user) as user values(Processes.parent_process)
as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND
(Processes.process=*localgroup* OR Processes.process=*/add* OR Processes.process=*user*)
by Processes.process Processes.process_name Processes.dest |`create_local_admin_accounts_using_net_exe_filter`'
type: Splunk
data_model: Endpoint
unit_tests:
- configurations:
- Using Splunk [Attack Range](https://github.com/splunk/attack_range)
description: Replay the detection [dataset](https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log) using
the Splunk attack range with the commands below
commands:
- python attack_range.py replay -dn data_dump [--dump NAME_OF_DUMP]
- configurations:
- Using [Invoke-AtomicRedTeam](https://github.com/redcanaryco/invoke-atomicredteam)
description: execute the atomic test [T1136.001](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1136.001)
against a Windows target.
commands:
- Invoke-AtomicTest T1136.001
data_model_references:
- process/create/exe
- process/create/command_line
d3fend_mappings:
- iri: d3f:ProcessSpawnAnalysis
id: D3-PSA
label: Process Spawn Analysis