<!DOCTYPE html>
<html lang='en'>
<head>
<!-- NOTE(review): third-party analytics loader plus an inline bootstrap script. Both execute with full page privileges, and the inline block (like the onchange= handlers on the sidebar switches further down) is incompatible with a strict Content-Security-Policy. If a CSP is intended, confirm it is sent in the response headers (not visible from the markup) and either nonce/hash this block or move it to an external file. -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script>
<script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script>
<meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/>
<!-- NOTE(review): the charset declaration follows two script elements; it is conventionally the first child of <head> so the document encoding is fixed before any other content is parsed. -->
<meta charset='utf-8'>
<meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'>
<!-- X-UA-Compatible only affects legacy Internet Explorer document modes; harmless but obsolete. -->
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'>
<title>Process, Data Source DS0009 | MITRE ATT&CK®</title>
<!-- USWDS CSS -->
<!-- Bootstrap CSS -->
<link rel='stylesheet' href='/theme/style/bootstrap.min.css' />
<link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' />
<link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' />
<!-- Fontawesome CSS -->
<link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/>
<link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/>
<link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/>
<link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db">
</head>
<body>
<div class="container-fluid attack-website-wrapper d-flex flex-column h-100">
<div class="row sticky-top flex-grow-0 flex-shrink-1">
<!-- header elements -->
<header class="col px-0">
<nav class='navbar navbar-expand-lg navbar-dark position-static'>
<!-- NOTE(review): the logo image is this link's only content and carries no alt attribute, so the home link has no accessible name. -->
<a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a>
<button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button>
<div class='collapse navbar-collapse' id='navbarCollapse'>
<!-- NOTE(review): the dropdown toggles in this list all reuse id="navbarDropdown", and each menu's aria-labelledby points at that id, so the labels resolve ambiguously; ids must be unique per document. The Blog item opens medium.com with target="_blank" and no rel attribute; add rel="noopener noreferrer" so the opened document gets no window.opener reference and no referrer (modern browsers default to noopener, the attribute makes it explicit). -->
<ul class='nav nav-tabs ml-auto'>
<li class="nav-item 
dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " 
aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b> <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li 
class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CK v16 has been released! Check out the <a href='https://medium.com/mitre-attack/attack-v16-561c76af94cf'>blog post</a> for more information. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="v-tab" role="tablist" aria-orientation="vertical" class="h-100"> <div class="sidenav-wrapper"> <div class="heading" data-toggle="collapse" data-target="#sidebar-collapse" id="v-home-tab" aria-expanded="true" aria-controls="#sidebar-collapse" aria-selected="false">DATA SOURCES <i class="fa-solid fa-fw fa-chevron-down"></i> <i class="fa-solid fa-fw fa-chevron-up"></i> </div> <div class="checkbox-div" id="v-home-tab" aria-selected="false"> <div class="custom-control custom-switch"> <input type="checkbox" class="custom-control-input" id="enterpriseSwitch" onchange="filterTables(enterpriseSwitch, icsSwitch)"> <label class="custom-control-label" for="enterpriseSwitch">Enterprise</label> </div> <div class="custom-control custom-switch"> <input type="checkbox" class="custom-control-input" id="mobileSwitch" onchange="filterTables(mobileSwitch, enterpriseSwitch)"> <label class="custom-control-label" for="mobileSwitch">Mobile</label> </div> <div class="custom-control custom-switch"> <input type="checkbox" 
class="custom-control-input" id="icsSwitch" onchange="filterTables(icsSwitch, enterpriseSwitch)"> <label class="custom-control-label" for="icsSwitch">ICS</label> </div> </div> <br class="br-mobile"> <div class="sidenav-list collapse show" id="sidebar-collapse" aria-labelledby="v-home-tab"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026"> <a href="/datasources/DS0026/"> Active Directory </a> <div class="expand-button collapsed" id="DS0026-header" data-toggle="collapse" data-target="#DS0026-body" aria-expanded="false" aria-controls="#DS0026-body"></div> </div> <div class="sidenav-body collapse" id="DS0026-body" aria-labelledby="DS0026-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Credential Request"> <a href="/datasources/DS0026/#Active%20Directory%20Credential%20Request"> Active Directory Credential Request </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Access"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Access"> Active Directory Object Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Creation"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Creation"> Active Directory Object Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Deletion"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Deletion"> Active Directory Object Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Modification"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Modification"> Active Directory Object Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0015"> <a href="/datasources/DS0015/"> Application Log </a> <div 
class="expand-button collapsed" id="DS0015-header" data-toggle="collapse" data-target="#DS0015-body" aria-expanded="false" aria-controls="#DS0015-body"></div> </div> <div class="sidenav-body collapse" id="DS0015-body" aria-labelledby="DS0015-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0015-Application Log Content"> <a href="/datasources/DS0015/#Application%20Log%20Content"> Application Log Content </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041"> <a href="/datasources/DS0041/"> Application Vetting </a> <div class="expand-button collapsed" id="DS0041-header" data-toggle="collapse" data-target="#DS0041-body" aria-expanded="false" aria-controls="#DS0041-body"></div> </div> <div class="sidenav-body collapse" id="DS0041-body" aria-labelledby="DS0041-header"> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-API Calls"> <a href="/datasources/DS0041/#API%20Calls"> API Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Application Assets"> <a href="/datasources/DS0041/#Application%20Assets"> Application Assets </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Network Communication"> <a href="/datasources/DS0041/#Network%20Communication"> Network Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Permissions Requests"> <a href="/datasources/DS0041/#Permissions%20Requests"> Permissions Requests </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Protected Configuration"> <a href="/datasources/DS0041/#Protected%20Configuration"> Protected Configuration </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039"> <a href="/datasources/DS0039/"> Asset </a> <div class="expand-button collapsed" id="DS0039-header" data-toggle="collapse" data-target="#DS0039-body" aria-expanded="false" 
aria-controls="#DS0039-body"></div> </div> <div class="sidenav-body collapse" id="DS0039-body" aria-labelledby="DS0039-header"> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039-Asset Inventory"> <a href="/datasources/DS0039/#Asset%20Inventory"> Asset Inventory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039-Software"> <a href="/datasources/DS0039/#Software"> Software </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0037"> <a href="/datasources/DS0037/"> Certificate </a> <div class="expand-button collapsed" id="DS0037-header" data-toggle="collapse" data-target="#DS0037-body" aria-expanded="false" aria-controls="#DS0037-body"></div> </div> <div class="sidenav-body collapse" id="DS0037-body" aria-labelledby="DS0037-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0037-Certificate Registration"> <a href="/datasources/DS0037/#Certificate%20Registration"> Certificate Registration </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025"> <a href="/datasources/DS0025/"> Cloud Service </a> <div class="expand-button collapsed" id="DS0025-header" data-toggle="collapse" data-target="#DS0025-body" aria-expanded="false" aria-controls="#DS0025-body"></div> </div> <div class="sidenav-body collapse" id="DS0025-body" aria-labelledby="DS0025-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Disable"> <a href="/datasources/DS0025/#Cloud%20Service%20Disable"> Cloud Service Disable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Enumeration"> <a href="/datasources/DS0025/#Cloud%20Service%20Enumeration"> Cloud Service Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Metadata"> <a href="/datasources/DS0025/#Cloud%20Service%20Metadata"> Cloud Service 
Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Modification"> <a href="/datasources/DS0025/#Cloud%20Service%20Modification"> Cloud Service Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010"> <a href="/datasources/DS0010/"> Cloud Storage </a> <div class="expand-button collapsed" id="DS0010-header" data-toggle="collapse" data-target="#DS0010-body" aria-expanded="false" aria-controls="#DS0010-body"></div> </div> <div class="sidenav-body collapse" id="DS0010-body" aria-labelledby="DS0010-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Access"> <a href="/datasources/DS0010/#Cloud%20Storage%20Access"> Cloud Storage Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Creation"> <a href="/datasources/DS0010/#Cloud%20Storage%20Creation"> Cloud Storage Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Deletion"> <a href="/datasources/DS0010/#Cloud%20Storage%20Deletion"> Cloud Storage Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Enumeration"> <a href="/datasources/DS0010/#Cloud%20Storage%20Enumeration"> Cloud Storage Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Metadata"> <a href="/datasources/DS0010/#Cloud%20Storage%20Metadata"> Cloud Storage Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Modification"> <a href="/datasources/DS0010/#Cloud%20Storage%20Modification"> Cloud Storage Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0017"> <a href="/datasources/DS0017/"> Command </a> <div class="expand-button 
collapsed" id="DS0017-header" data-toggle="collapse" data-target="#DS0017-body" aria-expanded="false" aria-controls="#DS0017-body"></div> </div> <div class="sidenav-body collapse" id="DS0017-body" aria-labelledby="DS0017-header"> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0017-Command Execution"> <a href="/datasources/DS0017/#Command%20Execution"> Command Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032"> <a href="/datasources/DS0032/"> Container </a> <div class="expand-button collapsed" id="DS0032-header" data-toggle="collapse" data-target="#DS0032-body" aria-expanded="false" aria-controls="#DS0032-body"></div> </div> <div class="sidenav-body collapse" id="DS0032-body" aria-labelledby="DS0032-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Creation"> <a href="/datasources/DS0032/#Container%20Creation"> Container Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Enumeration"> <a href="/datasources/DS0032/#Container%20Enumeration"> Container Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Start"> <a href="/datasources/DS0032/#Container%20Start"> Container Start </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038"> <a href="/datasources/DS0038/"> Domain Name </a> <div class="expand-button collapsed" id="DS0038-header" data-toggle="collapse" data-target="#DS0038-body" aria-expanded="false" aria-controls="#DS0038-body"></div> </div> <div class="sidenav-body collapse" id="DS0038-body" aria-labelledby="DS0038-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Active DNS"> <a href="/datasources/DS0038/#Active%20DNS"> Active DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Domain 
Registration"> <a href="/datasources/DS0038/#Domain%20Registration"> Domain Registration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Passive DNS"> <a href="/datasources/DS0038/#Passive%20DNS"> Passive DNS </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0016"> <a href="/datasources/DS0016/"> Drive </a> <div class="expand-button collapsed" id="DS0016-header" data-toggle="collapse" data-target="#DS0016-body" aria-expanded="false" aria-controls="#DS0016-body"></div> </div> <div class="sidenav-body collapse" id="DS0016-body" aria-labelledby="DS0016-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0016-Drive Access"> <a href="/datasources/DS0016/#Drive%20Access"> Drive Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0016-Drive Creation"> <a href="/datasources/DS0016/#Drive%20Creation"> Drive Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0016-Drive Modification"> <a href="/datasources/DS0016/#Drive%20Modification"> Drive Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027"> <a href="/datasources/DS0027/"> Driver </a> <div class="expand-button collapsed" id="DS0027-header" data-toggle="collapse" data-target="#DS0027-body" aria-expanded="false" aria-controls="#DS0027-body"></div> </div> <div class="sidenav-body collapse" id="DS0027-body" aria-labelledby="DS0027-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027-Driver Load"> <a href="/datasources/DS0027/#Driver%20Load"> Driver Load </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027-Driver Metadata"> <a href="/datasources/DS0027/#Driver%20Metadata"> Driver Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022"> <a 
href="/datasources/DS0022/"> File </a> <div class="expand-button collapsed" id="DS0022-header" data-toggle="collapse" data-target="#DS0022-body" aria-expanded="false" aria-controls="#DS0022-body"></div> </div> <div class="sidenav-body collapse" id="DS0022-body" aria-labelledby="DS0022-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Access"> <a href="/datasources/DS0022/#File%20Access"> File Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Creation"> <a href="/datasources/DS0022/#File%20Creation"> File Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Deletion"> <a href="/datasources/DS0022/#File%20Deletion"> File Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Metadata"> <a href="/datasources/DS0022/#File%20Metadata"> File Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Modification"> <a href="/datasources/DS0022/#File%20Modification"> File Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018"> <a href="/datasources/DS0018/"> Firewall </a> <div class="expand-button collapsed" id="DS0018-header" data-toggle="collapse" data-target="#DS0018-body" aria-expanded="false" aria-controls="#DS0018-body"></div> </div> <div class="sidenav-body collapse" id="DS0018-body" aria-labelledby="DS0018-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Disable"> <a href="/datasources/DS0018/#Firewall%20Disable"> Firewall Disable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Enumeration"> <a href="/datasources/DS0018/#Firewall%20Enumeration"> Firewall Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall 
Metadata"> <a href="/datasources/DS0018/#Firewall%20Metadata"> Firewall Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Rule Modification"> <a href="/datasources/DS0018/#Firewall%20Rule%20Modification"> Firewall Rule Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0001"> <a href="/datasources/DS0001/"> Firmware </a> <div class="expand-button collapsed" id="DS0001-header" data-toggle="collapse" data-target="#DS0001-body" aria-expanded="false" aria-controls="#DS0001-body"></div> </div> <div class="sidenav-body collapse" id="DS0001-body" aria-labelledby="DS0001-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0001-Firmware Modification"> <a href="/datasources/DS0001/#Firmware%20Modification"> Firmware Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036"> <a href="/datasources/DS0036/"> Group </a> <div class="expand-button collapsed" id="DS0036-header" data-toggle="collapse" data-target="#DS0036-body" aria-expanded="false" aria-controls="#DS0036-body"></div> </div> <div class="sidenav-body collapse" id="DS0036-body" aria-labelledby="DS0036-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Enumeration"> <a href="/datasources/DS0036/#Group%20Enumeration"> Group Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Metadata"> <a href="/datasources/DS0036/#Group%20Metadata"> Group Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Modification"> <a href="/datasources/DS0036/#Group%20Modification"> Group Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007"> <a href="/datasources/DS0007/"> Image </a> <div class="expand-button collapsed" 
id="DS0007-header" data-toggle="collapse" data-target="#DS0007-body" aria-expanded="false" aria-controls="#DS0007-body"></div> </div> <div class="sidenav-body collapse" id="DS0007-body" aria-labelledby="DS0007-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Creation"> <a href="/datasources/DS0007/#Image%20Creation"> Image Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Deletion"> <a href="/datasources/DS0007/#Image%20Deletion"> Image Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Metadata"> <a href="/datasources/DS0007/#Image%20Metadata"> Image Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Modification"> <a href="/datasources/DS0007/#Image%20Modification"> Image Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030"> <a href="/datasources/DS0030/"> Instance </a> <div class="expand-button collapsed" id="DS0030-header" data-toggle="collapse" data-target="#DS0030-body" aria-expanded="false" aria-controls="#DS0030-body"></div> </div> <div class="sidenav-body collapse" id="DS0030-body" aria-labelledby="DS0030-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Creation"> <a href="/datasources/DS0030/#Instance%20Creation"> Instance Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Deletion"> <a href="/datasources/DS0030/#Instance%20Deletion"> Instance Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Enumeration"> <a href="/datasources/DS0030/#Instance%20Enumeration"> Instance Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Metadata"> <a href="/datasources/DS0030/#Instance%20Metadata"> 
Instance Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Modification"> <a href="/datasources/DS0030/#Instance%20Modification"> Instance Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Start"> <a href="/datasources/DS0030/#Instance%20Start"> Instance Start </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Stop"> <a href="/datasources/DS0030/#Instance%20Stop"> Instance Stop </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035"> <a href="/datasources/DS0035/"> Internet Scan </a> <div class="expand-button collapsed" id="DS0035-header" data-toggle="collapse" data-target="#DS0035-body" aria-expanded="false" aria-controls="#DS0035-body"></div> </div> <div class="sidenav-body collapse" id="DS0035-body" aria-labelledby="DS0035-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035-Response Content"> <a href="/datasources/DS0035/#Response%20Content"> Response Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035-Response Metadata"> <a href="/datasources/DS0035/#Response%20Metadata"> Response Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0008"> <a href="/datasources/DS0008/"> Kernel </a> <div class="expand-button collapsed" id="DS0008-header" data-toggle="collapse" data-target="#DS0008-body" aria-expanded="false" aria-controls="#DS0008-body"></div> </div> <div class="sidenav-body collapse" id="DS0008-body" aria-labelledby="DS0008-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0008-Kernel Module Load"> <a href="/datasources/DS0008/#Kernel%20Module%20Load"> Kernel Module Load </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0028"> <a 
href="/datasources/DS0028/"> Logon Session </a> <div class="expand-button collapsed" id="DS0028-header" data-toggle="collapse" data-target="#DS0028-body" aria-expanded="false" aria-controls="#DS0028-body"></div> </div> <div class="sidenav-body collapse" id="DS0028-body" aria-labelledby="DS0028-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0028-Logon Session Creation"> <a href="/datasources/DS0028/#Logon%20Session%20Creation"> Logon Session Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0028-Logon Session Metadata"> <a href="/datasources/DS0028/#Logon%20Session%20Metadata"> Logon Session Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0004"> <a href="/datasources/DS0004/"> Malware Repository </a> <div class="expand-button collapsed" id="DS0004-header" data-toggle="collapse" data-target="#DS0004-body" aria-expanded="false" aria-controls="#DS0004-body"></div> </div> <div class="sidenav-body collapse" id="DS0004-body" aria-labelledby="DS0004-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0004-Malware Content"> <a href="/datasources/DS0004/#Malware%20Content"> Malware Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0004-Malware Metadata"> <a href="/datasources/DS0004/#Malware%20Metadata"> Malware Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0011"> <a href="/datasources/DS0011/"> Module </a> <div class="expand-button collapsed" id="DS0011-header" data-toggle="collapse" data-target="#DS0011-body" aria-expanded="false" aria-controls="#DS0011-body"></div> </div> <div class="sidenav-body collapse" id="DS0011-body" aria-labelledby="DS0011-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0011-Module Load"> <a href="/datasources/DS0011/#Module%20Load"> Module Load </a> 
id="DS0024-Windows Registry Key Deletion"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Deletion"> Windows Registry Key Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0024-Windows Registry Key Modification"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Modification"> Windows Registry Key Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0005"> <a href="/datasources/DS0005/"> WMI </a> <div class="expand-button collapsed" id="DS0005-header" data-toggle="collapse" data-target="#DS0005-body" aria-expanded="false" aria-controls="#DS0005-body"></div> </div> <div class="sidenav-body collapse" id="DS0005-body" aria-labelledby="DS0005-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0005-WMI Creation"> <a href="/datasources/DS0005/#WMI%20Creation"> WMI Creation </a> </div> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/datasources/">Data Sources</a></li> <li class="breadcrumb-item">Process</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Process </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Instances of computer programs that are being executed by at least one thread. 
Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021."data-reference="Microsoft Processes and Threads"><sup><a href="https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">ID: </span>DS0009 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-11 pl-0"> <span class="h5 card-title">Platforms: </span>Android, Linux, Windows, iOS, macOS </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="A description of where the data source may be physically collected (ex: Host, Network, Cloud Control Plane, etc.)">ⓘ</span> </div> <div class="col-11 pl-0"> <span class="h5 card-title">Collection Layer: </span>Host </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Contributors</span>: Center for Threat-Informed Defense (CTID) </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Version</span>: 1.1 </div> </div> <div 
class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Created: </span>20 October 2021 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Last Modified: </span>20 April 2023 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of DS0009" href="/versions/v16/datasources/DS0009/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of DS0009" href="/versions/v16/datasources/DS0009/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id="datacomponents">Data Components</h2> <div class="row no-techniques-in-data-source-message" style="display: none"> <div class="col-md-12 description-body"> <p>This data source does not have any techniques in the selected domain(s)</p> </div> </div> <div class="row"> <div class="col-md-12 section-view enterprise ics "> <a class="anchor" id="OS API Execution"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">Process: OS API Execution</h4> <div class="description-body"> <p>Operating system function/method calls executed by a process</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">Process: OS API Execution</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Operating system function/method calls executed by a process</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> 
<th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1548">T1548</a> </td> <td> <a href="/techniques/T1548">Abuse Elevation Control Mechanism</a> </td> <td> <p>Also look for any process API calls for behavior that may be indicative of <a href="/techniques/T1055">Process Injection</a>. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1548/004">.004</a> </td> <td> <a href="/techniques/T1548/004">Elevated Execution with Prompt</a> </td> <td> <p>Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1134">T1134</a> </td> <td> <a href="/techniques/T1134">Access Token Manipulation</a> </td> <td> <p>Monitor for API calls, loaded by a payload, for token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. There are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., <code>LogonUser</code> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft TechNet. (n.d.). Retrieved April 25, 2017."data-reference="Microsoft LogonUser"><sup><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span>, <code>DuplicateTokenEx</code><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Microsoft TechNet. 
(n.d.). Retrieved April 25, 2017." data-reference="Microsoft DuplicateTokenEx"><sup><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span>, and <code>ImpersonateLoggedOnUser</code><span onclick="scrollToRef('scite-4')" id="scite-ref-4-a" class="scite-citeref-number" title="Microsoft TechNet. (n.d.). Retrieved April 25, 2017." data-reference="Microsoft ImpersonateLoggedOnUser"><sup><a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span>). Please see the referenced Windows API pages for more information.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1134/001">.001</a> </td> <td> <a href="/techniques/T1134/001">Token Impersonation/Theft</a> </td> <td> <p>Monitor for API calls such as DuplicateToken(Ex), ImpersonateLoggedOnUser, and SetThreadToken, and correlate them with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1134/002">.002</a> </td> <td> <a href="/techniques/T1134/002">Create Process with Token</a> </td> <td> <p>Monitor for API calls associated with token manipulation; these can be detected only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior.
Analysts can also monitor for use of Windows APIs such as <code>CreateProcessWithTokenW</code> and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1134/003">.003</a> </td> <td> <a href="/techniques/T1134/003">Make and Impersonate Token</a> </td> <td> <p>Monitor for API calls associated with token manipulation, such as LogonUser and SetThreadToken; these can be detected only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1134/004">.004</a> </td> <td> <a href="/techniques/T1134/004">Parent PID Spoofing</a> </td> <td> <p>Monitor for API calls to CreateProcess/CreateProcessA, specifically those from user/potentially malicious processes and with parameters explicitly assigning PPIDs (ex: the Process Creation Flags of 0x8XXX, indicating that the process is being created with extended startup information<span onclick="scrollToRef('scite-5')" id="scite-ref-5-a" class="scite-citeref-number" title="Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019." data-reference="Microsoft Process Creation Flags May 2018"><sup><a href="https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span>).
Malicious use of CreateProcess/CreateProcessA may also be preceded by a call to UpdateProcThreadAttribute, which may be necessary to update process creation attributes.<span onclick="scrollToRef('scite-6')" id="scite-ref-6-a" class="scite-citeref-number" title="Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019." data-reference="Secuirtyinbits Ataware3 May 2019"><sup><a href="https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> This may generate false positives from normal UAC elevation behavior, so compare to a system baseline/understanding of normal system activity if possible.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1134/005">.005</a> </td> <td> <a href="/techniques/T1134/005">SID-History Injection</a> </td> <td> <p>Monitor for API calls, such as PowerShell's Get-ADUser cmdlet or the Windows API DsAddSidHistory function, that examine data in users' SID-History attributes, especially users who have SID-History values from the same domain.</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1087">T1087</a> </td> <td> <a href="/techniques/T1087/001">.001</a> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/001">Local Account</a> </td> <td> <p>Monitor for API calls (such as <code>NetUserEnum()</code>) that may attempt to gather local account information such as type of user, privileges and groups.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1087/002">.002</a> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/002">Domain Account</a> </td> <td> <p>Monitor for API calls that may attempt to
gather information about domain accounts such as type of user, privileges and groups.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1010">T1010</a> </td> <td> <a href="/techniques/T1010">Application Window Discovery</a> </td> <td> <p>Monitor for API calls (such as <code>GetForegroundWindow()</code>) that may attempt to get a listing of open application windows. The <code>GetForegroundWindow</code> API returns a handle to the foreground window (the window with which the user is currently working). Other API calls relevant to Local Group discovery include <code>GetProcesses</code> and <code>GetForegroundWindow</code>. The <code>GetProcesses</code> API returns an array of type Process that represents all the process resources running on the local computer.</p><p>Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint, but they may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, of a single PE binary.
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1123">T1123</a> </td> <td> <a href="/techniques/T1123">Audio Capture</a> </td> <td> <p>Monitor for API calls associated with leveraging a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1547">T1547</a> </td> <td> <a href="/techniques/T1547">Boot or Logon Autostart Execution</a> </td> <td> <p>Monitor for API calls that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/010">.010</a> </td> <td> <a href="/techniques/T1547/010">Port Monitors</a> </td> <td> <p>Monitor process API calls to <code>AddMonitor</code>.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Microsoft. (n.d.). AddMonitor function. 
Retrieved September 12, 2024."data-reference="AddMonitor"><sup><a href="https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/012">.012</a> </td> <td> <a href="/techniques/T1547/012">Print Processors</a> </td> <td> <p>Monitor process API calls to <code>AddPrintProcessor</code> and <code>GetPrintProcessorDirectory</code>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1115">T1115</a> </td> <td> <a href="/techniques/T1115">Clipboard Data</a> </td> <td> <p>Monitor API calls that could collect data stored in the clipboard from users copying information within or between applications.</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1059">T1059</a> </td> <td> <a href="/techniques/T1059/002">.002</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/002">AppleScript</a> </td> <td> <p>Monitor for execution of AppleScript through <code>osascript</code> and usage of the <code>NSAppleScript</code> and <code>OSAScript</code> APIs that may be related to other suspicious behavior occurring on the system.</p><p>Analytic 1 - Look for unusual OS API execution related to AppleScript.</p><p><code>sourcetype=macOS:Syslog OR sourcetype=macOS:Process| search (process_name="<em>NSAppleScript</em>" OR process_name="<em>OSAScript</em>") </code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1543">T1543</a> </td> <td> <a href="/techniques/T1543">Create or Modify System Process</a> </td> <td> <p>Monitor for API calls that may create or modify system-level processes to repeatedly execute 
malicious payloads as part of persistence.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1543/003">.003</a> </td> <td> <a href="/techniques/T1543/003">Windows Service</a> </td> <td> <p>Monitor for API calls that may create or modify Windows services (ex: <code>CreateServiceW()</code>) to repeatedly execute malicious payloads as part of persistence.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1555">T1555</a> </td> <td> <a href="/techniques/T1555">Credentials from Password Stores</a> </td> <td> <p>Monitor for API calls that may search for common password storage locations to obtain user credentials.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1555/001">.001</a> </td> <td> <a href="/techniques/T1555/001">Keychain</a> </td> <td> <p>Monitor for Keychain Services API calls, specifically legacy extensions such as <code>SecKeychainFindInternetPassword</code>, that may collect Keychain data from a system to acquire credentials.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Apple. (n.d.). Keychain Items. 
Retrieved April 12, 2022."data-reference="Keychain Items Apple Dev API"><sup><a href="https://developer.apple.com/documentation/security/keychain_services/keychain_items" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p><p>Analytic 1 - Suspicious Keychain API calls.</p><p><code>index=security sourcetype="macos_secure"(event_type="api_call" AND api IN ("SecKeychainCopySearchList", "SecKeychainFindGenericPassword", "SecKeychainFindInternetPassword", "SecKeychainOpen", "SecKeychainCopyDefault", "SecItemCopyMatching")) </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1555/003">.003</a> </td> <td> <a href="/techniques/T1555/003">Credentials from Web Browsers</a> </td> <td> <p>Monitor for API calls that may acquire credentials from web browsers by reading files specific to the target browser.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. 
Retrieved March 14, 2019."data-reference="Talos Olympic Destroyer 2018"><sup><a href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p><p>Analytic 1 - Suspicious API calls related to web browser credential access.</p><p><code> index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="api_call"(api IN ("CryptUnprotectData", "NSS_Init", "PK11SDR_Decrypt", "SecItemCopyMatching", "SecItemAdd", "SecItemUpdate", "SecItemDelete"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1555/004">.004</a> </td> <td> <a href="/techniques/T1555/004">Windows Credential Manager</a> </td> <td> <p>Consider monitoring API calls such as <code>CredEnumerateA</code> that may list credentials from the Windows Credential Manager.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Microsoft. (2018, December 5). CredEnumarateA function (wincred.h). Retrieved November 24, 2020."data-reference="Microsoft CredEnumerate"><sup><a href="https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credenumeratea" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Delpy, B. (2017, December 12). howto ~ credential manager saved credentials. 
Retrieved November 23, 2020."data-reference="Delpy Mimikatz Crendential Manager"><sup><a href="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p><p>Analytic 1 - Suspicious API calls related to Windows Credential Manager access.</p><p><code> index=security sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" event_type="api_call" (api IN ("CredEnumerateA", "CredEnumerateW", "CredReadA", "CredReadW", "CryptUnprotectData"))</code></p><p>Note: Sysmon does not record individual API calls, so the <code>event_type="api_call"</code> and <code>api</code> fields above assume that API-tracing telemetry (EDR or sandbox output) has been mapped onto this sourcetype; adjust the sourcetype and field names to match the source that actually provides them.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1555/005">.005</a> </td> <td> <a href="/techniques/T1555/005">Password Managers</a> </td> <td> <p>Monitor for API calls that may search for common password storage locations to obtain user credentials.</p><p>Analytic 1 - Suspicious API calls related to password manager access.</p><p><code> index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") EventCode IN (1, 11, 4688) (api IN ("CryptUnprotectData", "OpenProcess", "ReadProcessMemory", "EnumProcesses", "EnumProcessModules") OR CommandLine IN ("*keepass*", "*lastpass*", "*1password*", "*bitwarden*", "*dashlane*", "*passwordsafe*")) </code></p><p>Note: the wildcard patterns match any process whose command line names a password manager, including the legitimate password manager itself; baseline normal usage and review the process lineage of each hit before alerting.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1005">T1005</a> </td> <td> <a href="/techniques/T1005">Data from Local System</a> </td> <td> <p>Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. 
</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0893">T0893</a> </td> <td> <a href="/techniques/T0893">Data from Local System</a> </td> <td> <p>Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1565">T1565</a> </td> <td> <a href="/techniques/T1565">Data Manipulation</a> </td> <td> <p>Monitor for API calls associated with altering data. Remote access tools with built-in features may interact directly with the Windows API to gather information.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1565/002">.002</a> </td> <td> <a href="/techniques/T1565/002">Transmitted Data Manipulation</a> </td> <td> <p>Monitor for API calls associated with altering data. Remote access tools with built-in features may interact directly with the Windows API to gather information.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1565/003">.003</a> </td> <td> <a href="/techniques/T1565/003">Runtime Data Manipulation</a> </td> <td> <p>Monitor for API calls associated with altering data. Remote access tools with built-in features may interact directly with the Windows API to gather information.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1622">T1622</a> </td> <td> <a href="/techniques/T1622">Debugger Evasion</a> </td> <td> <p>Monitor for API calls (such as <code>IsDebuggerPresent()</code>) that may employ various means to detect and avoid debugged environments. 
Detecting actions related to debugger identification may be difficult depending on the adversary's implementation and monitoring required.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1652">T1652</a> </td> <td> <a href="/techniques/T1652">Device Driver Discovery</a> </td> <td> <p>Monitor for API calls (such as <code>EnumDeviceDrivers()</code>) that may attempt to gather information about local device drivers.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1482">T1482</a> </td> <td> <a href="/techniques/T1482">Domain Trust Discovery</a> </td> <td> <p>Monitor for API calls associated with gathering information on domain trust relationships, which adversaries may use to identify lateral movement paths; for example, the <code>DsEnumerateDomainTrusts()</code> Win32 API call can indicate activity associated with Domain Trust Discovery.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019."data-reference="Harmj0y Domain Trusts"><sup><a href="https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span> Information may also be acquired through Windows system management tools such as PowerShell. The .NET method <code>Domain.GetAllTrustRelationships()</code> can be an indicator of Domain Trust Discovery.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Microsoft. (n.d.). Domain.GetAllTrustRelationships Method. 
Retrieved February 14, 2019."data-reference="Microsoft GetAllTrustRelationships"><sup><a href="https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain.getalltrustrelationships?redirectedfrom=MSDN&view=netframework-4.7.2#System_DirectoryServices_ActiveDirectory_Domain_GetAllTrustRelationships" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1611">T1611</a> </td> <td> <a href="/techniques/T1611">Escape to Host</a> </td> <td> <p>Monitor for unexpected usage of syscalls such as <code>mount</code> that may indicate an attempt to escape from a privileged container to host. </p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1546">T1546</a> </td> <td> <a href="/techniques/T1546/009">.009</a> </td> <td> <a href="/techniques/T1546">Event Triggered Execution</a>: <a href="/techniques/T1546/009">AppCert DLLs</a> </td> <td> <p>Monitor and analyze application programming interface (API) calls that are indicative of Registry edits, such as <code>RegCreateKeyEx</code> and <code>RegSetValueEx</code>. <span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. 
Retrieved December 7, 2017."data-reference="Elastic Process Injection July 2017"><sup><a href="https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/010">.010</a> </td> <td> <a href="/techniques/T1546">Event Triggered Execution</a>: <a href="/techniques/T1546/010">AppInit DLLs</a> </td> <td> <p>Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as <code>RegCreateKeyEx</code> and <code>RegSetValueEx</code>. <span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017."data-reference="Elastic Process Injection July 2017"><sup><a href="https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1480">T1480</a> </td> <td> <a href="/techniques/T1480/002">.002</a> </td> <td> <a href="/techniques/T1480">Execution Guardrails</a>: <a href="/techniques/T1480/002">Mutual Exclusion</a> </td> <td> <p>Monitor for suspicious API calls associated with system mutex creation, such as <code>CreateMutex/CreateMutexA</code> on Windows systems.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Microsoft. (2023, February 8). CreateMutexA function (synchapi.h). 
Retrieved September 19, 2024."data-reference="Microsoft CreateMutexA"><sup><a href="https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexa" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> For example, it is rare for legitimate programs to create random mutex names.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024."data-reference="Sans Mutexes 2012"><sup><a href="https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> Additionally, monitor for suspicious syscalls associated with lock files, such as <code>flock</code> on Linux.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0871">T0871</a> </td> <td> <a href="/techniques/T0871">Execution through API</a> </td> <td> <p>Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. 
Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1083">T1083</a> </td> <td> <a href="/techniques/T1083">File and Directory Discovery</a> </td> <td> <p>Monitor for API calls that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1564">T1564</a> </td> <td> <a href="/techniques/T1564">Hide Artifacts</a> </td> <td> <p>Monitor for API calls that may attempt to hide artifacts associated with their behaviors to evade detection.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1564/004">.004</a> </td> <td> <a href="/techniques/T1564/004">NTFS File Attributes</a> </td> <td> <p>Monitor calls to the <code>ZwSetEaFile</code> and <code>ZwQueryEaFile</code> Windows API functions as well as binaries used to interact with EA, <span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Moe, O. (2018, January 14). Putting Data in Alternate Data Streams and How to Execute It. Retrieved June 30, 2018."data-reference="Oddvar Moe ADS1 Jan 2018"><sup><a href="https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span> <span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Moe, O. (2018, April 11). Putting Data in Alternate Data Streams and How to Execute It - Part 2. 
Retrieved June 30, 2018."data-reference="Oddvar Moe ADS2 Apr 2018"><sup><a href="https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span> and consider regularly scanning for the presence of modified information. <span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Atkinson, J. (2017, July 18). Host-based Threat Modeling & Indicator Design. Retrieved March 21, 2018."data-reference="SpectorOps Host-Based Jul 2017"><sup><a href="https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1574">T1574</a> </td> <td> <a href="/techniques/T1574/013">.013</a> </td> <td> <a href="/techniques/T1574">Hijack Execution Flow</a>: <a href="/techniques/T1574/013">KernelCallbackTable</a> </td> <td> <p>Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known-bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as <code>WriteProcessMemory()</code> and <code>NtQueryInformationProcess()</code> with its information class set to <code>ProcessBasicInformation</code> (used to locate the target's PEB and, from it, the KernelCallbackTable) may be used for this technique.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. 
Retrieved January 27, 2022."data-reference="Lazarus APT January 2022"><sup><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0874">T0874</a> </td> <td> <a href="/techniques/T0874">Hooking</a> </td> <td> <p>Monitor for API calls that can be used to install a hook procedure, such as the SetWindowsHookEx and SetWinEventHook functions.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017."data-reference="Microsoft Hook Overview"><sup><a href="https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017."data-reference="Volatility Detecting Hooks Sept 2012"><sup><a href="https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem. 
Retrieved December 12, 2017."data-reference="Volatility Detecting Hooks Sept 2012"><sup><a href="https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017."data-reference="PreKageo Winhook Jul 2011"><sup><a href="https://github.com/prekageo/winhook" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Satiro, J. (2011, September 14). GetHooks. Retrieved December 12, 2017."data-reference="Jay GetHooks Sept 2011"><sup><a href="https://github.com/jay/gethooks" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span> or by programmatically examining internal kernel structures.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Felici, M. (2006, December 6). Any application-defined hook procedure on my machine?. Retrieved December 12, 2017."data-reference="Zairon Hooking Dec 2006"><sup><a href="https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense against user-land. 
Retrieved December 12, 2017."data-reference="EyeofRa Detecting Hooking June 2017"><sup><a href="https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1562">T1562</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a> </td> <td> <p>Monitor for the abnormal execution of API functions associated with system logging.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/012">.012</a> </td> <td> <a href="/techniques/T1562/012">Disable or Modify Linux Audit System</a> </td> <td> <p>Monitor for abnormal execution of syslog and other functions associated with system logging.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1070">T1070</a> </td> <td> <a href="/techniques/T1070">Indicator Removal</a> </td> <td> <p>Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/001">.001</a> </td> <td> <a href="/techniques/T1070/001">Clear Windows Event Logs</a> </td> <td> <p>Monitor for Windows API calls that may clear Windows Event Logs to hide the activity of an intrusion.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/006">.006</a> </td> <td> <a href="/techniques/T1070/006">Timestomp</a> </td> <td> <p>Monitor for API calls that may delete or alter generated artifacts on a host system. 
APIs such as <code>SetFileTime</code> and <code>NtSetInformationFile</code> can be used to set file timestamps, and <code>NtQueryInformationFile</code> is commonly seen alongside them when an adversary reads the timestamps of a reference file in order to copy them onto the target file.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Vishavjit Singh. (2023, June 22). TIMESTOMPING EXPLAINED ON API LEVEL. Retrieved June 20, 2024."data-reference="API"><sup><a href="https://medium.com/@vishavjitsingh.csi/timestomping-explained-on-api-level-f0c219cf3dc9" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping Detection – NTFS Forensics. Retrieved September 30, 2024."data-reference="Inversecos Timestomping 2022"><sup><a href="https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0872">T0872</a> </td> <td> <a href="/techniques/T0872">Indicator Removal on Host</a> </td> <td> <p>Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1056">T1056</a> </td> <td> <a href="/techniques/T1056">Input Capture</a> </td> <td> <p>Monitor for API calls to <code>SetWindowsHookEx</code> (or the legacy <code>SetWindowsHook</code>), <code>GetKeyState</code>, and <code>GetAsyncKeyState</code>.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. 
Retrieved April 27, 2016."data-reference="Adventures of a Keystroke"><sup><a href="http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1056/001">.001</a> </td> <td> <a href="/techniques/T1056/001">Keylogging</a> </td> <td> <p>Monitor for API calls to <code>SetWindowsHookEx</code> (or the legacy <code>SetWindowsHook</code>), <code>GetKeyState</code>, and <code>GetAsyncKeyState</code>,<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016."data-reference="Adventures of a Keystroke"><sup><a href="http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span> and look for other common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1056/004">.004</a> </td> <td> <a href="/techniques/T1056/004">Credential API Hooking</a> </td> <td> <p>Monitor for API calls to the SetWindowsHookEx and SetWinEventHook functions, which install a hook procedure.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Microsoft. (n.d.). Hooks Overview. 
Retrieved December 12, 2017."data-reference="Microsoft Hook Overview"><sup><a href="https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017."data-reference="Volatility Detecting Hooks Sept 2012"><sup><a href="https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017."data-reference="Volatility Detecting Hooks Sept 2012"><sup><a href="https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017."data-reference="PreKageo Winhook Jul 2011"><sup><a href="https://github.com/prekageo/winhook" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Satiro, J. (2011, September 14). GetHooks. 
Retrieved December 12, 2017."data-reference="Jay GetHooks Sept 2011"><sup><a href="https://github.com/jay/gethooks" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span> or by programmatically examining internal kernel structures.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Felici, M. (2006, December 6). Any application-defined hook procedure on my machine?. Retrieved December 12, 2017."data-reference="Zairon Hooking Dec 2006"><sup><a href="https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense against user-land. Retrieved December 12, 2017."data-reference="EyeofRa Detecting Hooking June 2017"><sup><a href="https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1036">T1036</a> </td> <td> <a href="/techniques/T1036">Masquerading</a> </td> <td> <p>Monitor for API calls such as <code>fork()</code> which can be abused to masquerade or manipulate process metadata.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1036/009">.009</a> </td> <td> <a href="/techniques/T1036/009">Break Process Trees</a> </td> <td> <p>Monitor for API calls such as <code>fork()</code> which can be abused to masquerade or manipulate process metadata.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1556">T1556</a> </td> <td> <a 
href="/techniques/T1556">Modify Authentication Process</a> </td> <td> <p>Monitor for calls to <code>OpenProcess</code> that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019."data-reference="Dell Skeleton"><sup><a href="https://www.secureworks.com/research/skeleton-key-malware-analysis" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p><p>Monitor for abnormal API calls to <code>NPLogonNotify()</code> that may highlight malicious network provider DLLs.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Microsoft. (2021, October 21). NPLogonNotify function (npapi.h). Retrieved March 30, 2023."data-reference="NPLogonNotify"><sup><a href="https://learn.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p><p>Analytic 1 - Unauthorized API calls to manipulate lsass.exe or abnormal authentication-related API calls </p><p><code> index=security sourcetype IN ("Sysmon", "WinEventLog:Security", "Powershell", "linux_audit", "macos_secure") (EventCode=4688 OR EventCode=10 OR EventID=4104)| eval CommandLine=coalesce(CommandLine, process_command_line, message)| eval User=coalesce(User, user, user_name)| eval Platform=case( in(sourcetype, "Sysmon", "WinEventLog:Security", "Powershell"), "Windows", sourcetype=="linux_audit", "Linux", sourcetype=="macos_secure", "macOS", true(), "Unknown")| search CommandLine IN ("*SetWindowsHookEx*", "*LogonUser*", "*AuthenticateUser*", "*pam_unix*", "*pam_exec*", "*osascript*", "*launchctl*")| eval isSuspicious=if( (Platform=="Windows" AND match(CommandLine, ".*SetWindowsHookEx.*|.*LogonUser.*|.*CredWrite.*")) OR (Platform=="Linux" AND match(CommandLine, ".*pam_unix.*|.*pam_exec.*")) OR (Platform=="macOS" AND match(CommandLine, ".*osascript.*|.*launchctl.*")), "Yes", "No")| where isSuspicious="Yes"| stats count by _time, User, CommandLine, Platform, host| where count > 1| table _time, User, CommandLine, Platform, host, count| sort -count</code></p><p>Note: the <code>Platform</code> case statement must name the same sourcetypes that the search selects (the Windows sourcetypes searched are <code>Sysmon</code>, <code>WinEventLog:Security</code> and <code>Powershell</code>); if it tests a sourcetype that is never searched, <code>Platform</code> falls through to <code>Unknown</code> and the Windows branch of <code>isSuspicious</code> never fires. <code>if()</code> takes a single condition, so the per-platform tests are combined with <code>OR</code>.</p>
<p>Analytic 2 - Unauthorized API calls to manipulate lsass.exe or abnormal API calls to NPLogonNotify().</p><p><code>index=security_logs source="WinEventLog:Security" | eval suspicious_processes=if((process_name="lsass.exe" AND action="OpenProcess") OR (dll_name IN ("cryptdll.dll", "samsrv.dll") AND (action="modify" OR action="load")) OR (api_call="NPLogonNotify" AND dll_name="unknown")), "true", "false")| search suspicious_processes="true"| stats count by host, process_name, dll_name, api_call, user, action| where count > 1</code></p><p>Note: native Windows Security log events do not carry <code>action</code>, <code>dll_name</code> or <code>api_call</code> fields; Analytic 2 assumes EDR or API-tracing telemetry (for example Sysmon Event ID 10 for process access to lsass.exe and Event ID 7 for image loads) has been normalized into these field names.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1556/001">.001</a> </td> <td> <a href="/techniques/T1556/001">Domain Controller Authentication</a> </td> <td> <p>Monitor for API calls to <code>OpenProcess</code> that can be used to manipulate lsass.exe running on a domain controller.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1556/008">.008</a> </td> <td> <a href="/techniques/T1556/008">Network Provider DLL</a> </td> <td> <p>Monitor for abnormal API calls to <code>NPLogonNotify()</code>.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Microsoft. (2021, October 21). NPLogonNotify function (npapi.h). 
Retrieved March 30, 2023."data-reference="NPLogonNotify"><sup><a href="https://learn.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1112">T1112</a> </td> <td> <a href="/techniques/T1112">Modify Registry</a> </td> <td> <p>Monitor for API calls associated with concealing Registry keys, such as Reghide. <span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018."data-reference="Microsoft Reghide NOV 2006"><sup><a href="https://docs.microsoft.com/sysinternals/downloads/reghide" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span> Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns <span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018."data-reference="SpectorOps Hiding Reg Jul 2017"><sup><a href="https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span> and RegDelNull <span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018."data-reference="Microsoft RegDelNull July 2016"><sup><a href="https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span>. 
Other API calls relevant to Registry Modification include <code>RegOpenKeyExA</code>, <code>RegCreateKeyExA</code>, <code>RegDeleteKeyExA</code>, <code>RegDeleteValueExA</code>, <code>RegEnumKeyExA</code>, <code>RegEnumValueExA</code>, among others.</p><p>Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1111">T1111</a> </td> <td> <a href="/techniques/T1111">Multi-Factor Authentication Interception</a> </td> <td> <p>Monitor for API calls associated with polling to intercept keystrokes.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1106">T1106</a> </td> <td> <a href="/techniques/T1106">Native API</a> </td> <td> <p>Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions is common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0834">T0834</a> </td> <td> <a href="/techniques/T0834">Native API</a> </td> <td> <p>Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. 
Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions is common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0840">T0840</a> </td> <td> <a href="/techniques/T0840">Network Connection Enumeration</a> </td> <td> <p>Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 
For added context on adversary procedures and background see <a href="/techniques/T1016">System Network Configuration Discovery</a> and <a href="/techniques/T1049">System Network Connections Discovery</a>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1135">T1135</a> </td> <td> <a href="/techniques/T1135">Network Share Discovery</a> </td> <td> <p>Monitor for API calls that may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1027">T1027</a> </td> <td> <a href="/techniques/T1027">Obfuscated Files or Information</a> </td> <td> <p>Monitor and analyze calls to functions such as <code>GetProcAddress()</code> that are associated with malicious code obfuscation.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. 
Retrieved August 22, 2022."data-reference="Huntress API Hash"><sup><a href="https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1027/007">.007</a> </td> <td> <a href="/techniques/T1027/007">Dynamic API Resolution</a> </td> <td> <p>Monitor and analyze calls to functions such as <code>GetProcAddress()</code> and <code>LoadLibrary()</code> that are associated with dynamically loading API functions.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022."data-reference="Huntress API Hash"><sup><a href="https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1003">T1003</a> </td> <td> <a href="/techniques/T1003">OS Credential Dumping</a> </td> <td> <p>Monitor for API calls that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1003/001">.001</a> </td> <td> <a href="/techniques/T1003/001">LSASS Memory</a> </td> <td> <p>Monitor for API calls that may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). 
OS API calls associated with LSASS process dumping include <code>OpenProcess</code> and <code>MiniDumpWriteDump</code>. Execution of these functions might trigger security log IDs such as 4663 (Microsoft Security Auditing) and 10 (Microsoft Sysmon).</p><p>Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1120">T1120</a> </td> <td> <a href="/techniques/T1120">Peripheral Device Discovery</a> </td> <td> <p>Monitor for API calls that may attempt to gather information about attached peripheral devices and components connected to a computer system.</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1069">T1069</a> </td> <td> <a href="/techniques/T1069/001">.001</a> </td> <td> <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/001">Local Groups</a> </td> <td> <p>Monitor for API calls associated with finding local system groups and permission settings, such as NetLocalGroupEnum. Other API calls relevant to Local Group discovery include NetQueryDisplayInformation and NetGetDisplayInformationIndex.</p><p>Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary. 
</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1069/002">.002</a> </td> <td> <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/002">Domain Groups</a> </td> <td> <p>Monitor for API calls associated with finding domain-level groups and permission settings, such as <code>NetGroupEnum</code>. Other API calls relevant to Domain Group discovery include <code>NetQueryDisplayInformation</code> and <code>NetGetDisplayInformationIndex</code>.</p><p>Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1542">T1542</a> </td> <td> <a href="/techniques/T1542">Pre-OS Boot</a> </td> <td> <p>Monitor for API calls that may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. Disk check, forensic utilities, and data from device drivers (i.e. API calls) may reveal anomalies that warrant deeper investigation. <span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Pinola, M. (2014, December 14). 3 tools to check your hard drive's health and make sure it's not already dying on you. 
Retrieved October 2, 2018." data-reference="ITWorld Hard Disk Health Dec 2014"><sup><a href="https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1542/002">.002</a> </td> <td> <a href="/techniques/T1542/002">Component Firmware</a> </td> <td> <p>Monitor for API calls associated with the use of device drivers and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) <span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" data-reference="SanDisk SMART" title="SanDisk. (n.d.). Self-Monitoring, Analysis and Reporting Technology (S.M.A.R.T.). Retrieved October 2, 2018."><sup>[37]</sup></span> <span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="smartmontools. (n.d.). smartmontools. Retrieved October 2, 2018." data-reference="SmartMontools"><sup><a href="https://www.smartmontools.org/" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span> disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1057">T1057</a> </td> <td> <a href="/techniques/T1057">Process Discovery</a> </td> <td> <p>Monitor for API calls that may attempt to get information about running processes on a system. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1055">T1055</a> </td> <td> <a href="/techniques/T1055">Process Injection</a> </td> <td> <p>Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as <code>CreateRemoteThread</code>, <code>SuspendThread</code>/<code>SetThreadContext</code>/<code>ResumeThread</code>, <code>QueueUserAPC</code>/<code>NtQueueApcThread</code>, and those that can be used to modify memory within another process, such as <code>VirtualAllocEx</code>/<code>WriteProcessMemory</code>, may be used for this technique.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017."data-reference="Elastic Process Injection July 2017"><sup><a href="https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" data-reference="ArtOfMemoryForensics"title="Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. 
Retrieved December 20, 2017."><sup>[39]</sup></span> <span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017."data-reference="GNU Acct"><sup><a href="https://www.gnu.org/software/acct/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span> <span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017."data-reference="RHEL auditd"><sup><a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span> <span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="stderr. (2014, February 14). Detecting Userland Preload Rootkits. Retrieved December 20, 2017."data-reference="Chokepoint preload rootkits"><sup><a href="http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/001">.001</a> </td> <td> <a href="/techniques/T1055/001">Dynamic-link Library Injection</a> </td> <td> <p>Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. 
Windows API calls such as <code>CreateRemoteThread</code> and those that can be used to modify memory within another process, such as <code>VirtualAllocEx</code>/<code>WriteProcessMemory</code>, may be used for this technique.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017."data-reference="Elastic Process Injection July 2017"><sup><a href="https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p><p>Search for remote thread creations that start at LoadLibraryA or LoadLibraryW. Depending on the tool, it may provide additional information about the DLL string that is an argument to the function. If there is any security software that legitimately injects DLLs, it must be carefully whitelisted.</p><p>Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API CreateRemoteThread. Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process csrss.exe creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to inject DLLs, but for very different purposes. An adversary is likely to inject into a program to evade defenses or bypass User Account Control, but a security program might do this to gain increased monitoring of API calls. 
One of the most common methods of DLL Injection is through the Windows API LoadLibrary.</p><ul><li>Allocate memory in the target program with VirtualAllocEx</li><li>Write the name of the DLL to inject into this program with WriteProcessMemory</li><li>Create a new thread and set its entry point to LoadLibrary using the API CreateRemoteThread.</li></ul><p>This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is LoadLibraryA or LoadLibraryW, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/002">.002</a> </td> <td> <a href="/techniques/T1055/002">Portable Executable Injection</a> </td> <td> <p>Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as <code>CreateRemoteThread</code> and those that can be used to modify memory within another process, such as <code>VirtualAllocEx</code>/<code>WriteProcessMemory</code>, may be used for this technique.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. 
Retrieved December 7, 2017."data-reference="Elastic Process Injection July 2017"><sup><a href="https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/003">.003</a> </td> <td> <a href="/techniques/T1055/003">Thread Execution Hijacking</a> </td> <td> <p>Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as <code>CreateRemoteThread</code>, <code>SuspendThread</code>/<code>SetThreadContext</code>/<code>ResumeThread</code>, and those that can be used to modify memory within another process, such as <code>VirtualAllocEx</code>/<code>WriteProcessMemory</code>, may be used for this technique.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. 
Retrieved December 7, 2017."data-reference="Elastic Process Injection July 2017"><sup><a href="https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/004">.004</a> </td> <td> <a href="/techniques/T1055/004">Asynchronous Procedure Call</a> </td> <td> <p>Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as <code>SuspendThread</code>/<code>SetThreadContext</code>/<code>ResumeThread</code>, <code>QueueUserAPC</code>/<code>NtQueueApcThread</code>, and those that can be used to modify memory within another process, such as <code>VirtualAllocEx</code>/<code>WriteProcessMemory</code>, may be used for this technique.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. 
Retrieved December 7, 2017."data-reference="Elastic Process Injection July 2017"><sup><a href="https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/005">.005</a> </td> <td> <a href="/techniques/T1055/005">Thread Local Storage</a> </td> <td> <p>Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as <code>CreateRemoteThread</code>, <code>SuspendThread</code>/<code>SetThreadContext</code>/<code>ResumeThread</code>, and those that can be used to modify memory within another process, such as <code>VirtualAllocEx</code>/<code>WriteProcessMemory</code>, may be used for this technique.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. 
Retrieved December 7, 2017."data-reference="Elastic Process Injection July 2017"><sup><a href="https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/008">.008</a> </td> <td> <a href="/techniques/T1055/008">Ptrace System Calls</a> </td> <td> <p>Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" data-reference="ArtOfMemoryForensics"title="Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017."><sup>[39]</sup></span> <span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017."data-reference="GNU Acct"><sup><a href="https://www.gnu.org/software/acct/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span> <span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017."data-reference="RHEL auditd"><sup><a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span> <span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="stderr. (2014, February 14). 
Detecting Userland Preload Rootkits. Retrieved December 20, 2017."data-reference="Chokepoint preload rootkits"><sup><a href="http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/011">.011</a> </td> <td> <a href="/techniques/T1055/011">Extra Window Memory Injection</a> </td> <td> <p>Monitor for API calls related to enumerating and manipulating EWM such as GetWindowLong <span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Microsoft. (n.d.). GetWindowLong function. Retrieved December 16, 2017."data-reference="Microsoft GetWindowLong function"><sup><a href="https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span> and SetWindowLong <span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Microsoft. (n.d.). SetWindowLong function. Retrieved December 16, 2017."data-reference="Microsoft SetWindowLong function"><sup><a href="https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span>. Malware associated with this technique have also used SendNotifyMessage <span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Microsoft. (n.d.). SendNotifyMessage function. Retrieved December 16, 2017."data-reference="Microsoft SendNotifyMessage function"><sup><a href="https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span> to trigger the associated window procedure and eventual malicious injection. 
<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017."data-reference="Elastic Process Injection July 2017"><sup><a href="https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/012">.012</a> </td> <td> <a href="/techniques/T1055/012">Process Hollowing</a> </td> <td> <p>Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as <code>CreateRemoteThread</code>, <code>SuspendThread</code>/<code>SetThreadContext</code>/<code>ResumeThread</code>, and those that can be used to modify memory within another process, such as <code>VirtualAllocEx</code>/<code>WriteProcessMemory</code>, may be used for this technique.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. 
Retrieved December 7, 2017."data-reference="Elastic Process Injection July 2017"><sup><a href="https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/013">.013</a> </td> <td> <a href="/techniques/T1055/013">Process Doppelgänging</a> </td> <td> <p>Monitor and analyze calls to <code>CreateTransaction</code>, <code>CreateFileTransacted</code>, <code>RollbackTransaction</code>, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to <code>NtCreateProcessEx</code> and <code>NtCreateThreadEx</code> as well as API calls used to modify memory within another process, such as <code>WriteProcessMemory</code>. <span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: Process Doppelgänging. Retrieved December 20, 2017."data-reference="BlackHat Process Doppelgänging Dec 2017"><sup><a href="https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span> <span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="hasherezade. (2017, December 18). Process Doppelgänging – a new way to impersonate a process. 
Retrieved December 20, 2017." data-reference="hasherezade Process Doppelgänging Dec 2017"><sup><a href="https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/014">.014</a> </td> <td> <a href="/techniques/T1055/014">VDSO Hijacking</a> </td> <td> <p>Monitor for malicious usage of system calls, such as ptrace and mmap, that can be used to attach to a process, manipulate its memory, and then redirect its execution path. Monitoring for Linux-specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" data-reference="ArtOfMemoryForensics" title="Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017."><sup>[39]</sup></span><span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017." data-reference="GNU Acct"><sup><a href="https://www.gnu.org/software/acct/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span><span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. 
Retrieved December 20, 2017."data-reference="RHEL auditd"><sup><a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span><span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="stderr. (2014, February 14). Detecting Userland Preload Rootkits. Retrieved December 20, 2017."data-reference="Chokepoint preload rootkits"><sup><a href="http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/015">.015</a> </td> <td> <a href="/techniques/T1055/015">ListPlanting</a> </td> <td> <p>Consider monitoring for excessive use of <code>SendMessage</code> and/or <code>PostMessage</code> API functions with <code>LVM_SETITEMPOSITION</code> and/or <code>LVM_GETITEMPOSITION</code> arguments.</p><p>Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as <code>FindWindow</code>, <code>FindWindowEx</code>, <code>EnumWindows</code>, <code>EnumChildWindows</code>, and those that can be used to modify memory within another process, such as <code>VirtualAllocEx</code>/<code>WriteProcessMemory</code>, may be abused for this technique. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1012">T1012</a> </td> <td> <a href="/techniques/T1012">Query Registry</a> </td> <td> <p>Monitor for API calls (such as <code>RegOpenKeyExA</code>) that may interact with the Windows Registry to gather information about the system, configuration, and installed software. OS API calls associated with querying the Windows Registry are RegOpenKeyEx, RegOpenUserClassesRoot, RegQueryValueExA, and RegQueryValueExW. Execution of these functions might trigger security log event IDs such as 4663 (Microsoft Security Auditing). Also monitor for the RegOpenUserClassesRoot API, which retrieves a handle to the HKEY_CLASSES_ROOT key for a specified user. The returned key has a view of the registry that merges the contents of the HKEY_LOCAL_MACHINE\Software\Classes key with the contents of the Software\Classes keys in the user's registry hive.</p><p>Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1620">T1620</a> </td> <td> <a href="/techniques/T1620">Reflective Code Loading</a> </td> <td> <p>Monitor for code artifacts associated with reflectively loading code, for example the abuse of .NET functions such as <code>Assembly.Load()</code> and <a href="/techniques/T1106">Native API</a> functions such as <code>CreateThread()</code>, <code>memfd_create()</code>, <code>execve()</code>, and/or <code>execveat()</code>.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="0x00pico. (2017, September 25). Super-Stealthy Droppers. 
Retrieved October 4, 2021."data-reference="00sec Droppers"><sup><a href="https://0x00sec.org/t/super-stealthy-droppers/3715" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span><span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="Landry, J. (2016, April 21). Teaching an old RAT new tricks. Retrieved October 4, 2021."data-reference="S1 Old Rat New Tricks"><sup><a href="https://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1113">T1113</a> </td> <td> <a href="/techniques/T1113">Screen Capture</a> </td> <td> <p>Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes that use API calls or utilities to obtain image data (such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>), and monitoring for image files written to disk.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020."data-reference="CopyFromScreen .NET"><sup><a href="https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span><span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. 
Retrieved July 5, 2017."data-reference="Antiquated Mac Malware"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span> The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0852">T0852</a> </td> <td> <a href="/techniques/T0852">Screen Capture</a> </td> <td> <p>Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes that use API calls or utilities to obtain image data (such as CopyFromScreen, xwd, or screencapture), and monitoring for image files written to disk.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020."data-reference="CopyFromScreen .NET"><sup><a href="https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span><span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. 
Retrieved July 5, 2017."data-reference="Antiquated Mac Malware"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span> The data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1489">T1489</a> </td> <td> <a href="/techniques/T1489">Service Stop</a> </td> <td> <p>Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, <code>ChangeServiceConfigW</code> may be used by an adversary to prevent services from starting.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019."data-reference="Talos Olympic Destroyer 2018"><sup><a href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0881">T0881</a> </td> <td> <a href="/techniques/T0881">Service Stop</a> </td> <td> <p>Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. 
For added context on adversary procedures and background see <a href="/techniques/T1489">Service Stop</a>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1129">T1129</a> </td> <td> <a href="/techniques/T1129">Shared Modules</a> </td> <td> <p>Monitor API calls such as LoadLibrary (Windows) or dlopen (Linux/macOS) that load shared modules.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1518">T1518</a> </td> <td> <a href="/techniques/T1518">Software Discovery</a> </td> <td> <p>Monitor for API calls that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1518/001">.001</a> </td> <td> <a href="/techniques/T1518/001">Security Software Discovery</a> </td> <td> <p>Monitor for API calls that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. OS API calls associated with LSASS process dumping include EnumProcesses, which can be used to enumerate the set of processes running on a host and filtered to look for security-specific processes. </p><p>Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1218">T1218</a> </td> <td> <a href="/techniques/T1218">System Binary Proxy Execution</a> </td> <td> <p>Monitor for API calls that bypass process and/or signature based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/002">.002</a> </td> <td> <a href="/techniques/T1218/002">Control Panel</a> </td> <td> <p>Monitor for API calls that may forge web cookies that can be used to gain access to web applications or Internet services.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1082">T1082</a> </td> <td> <a href="/techniques/T1082">System Information Discovery</a> </td> <td> <p>Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as <a href="/techniques/T1047">Windows Management Instrumentation</a> and <a href="/techniques/T1059/001">PowerShell</a>. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. 
Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1614">T1614</a> </td> <td> <a href="/techniques/T1614">System Location Discovery</a> </td> <td> <p>Remote access tools with built-in features may interact directly with the Windows API, such as calling <code> GetLocaleInfoW</code> to gather information.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved September 12, 2024."data-reference="FBI Ragnar Locker 2020"><sup><a href="https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1614/001">.001</a> </td> <td> <a href="/techniques/T1614/001">System Language Discovery</a> </td> <td> <p>Monitor for API calls that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1016">T1016</a> </td> <td> <a href="/techniques/T1016">System Network Configuration Discovery</a> </td> <td> <p>Monitor for API calls (such as <code>GetAdaptersInfo()</code> and <code>GetIpNetTable()</code>) that may gather details about the network configuration and settings, such as IP and/or MAC addresses.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1016/002">.002</a> </td> <td> <a href="/techniques/T1016/002">Wi-Fi Discovery</a> 
</td> <td> <p>Monitor for API calls (such as those from <code>wlanAPI.dll</code>) that may gather details about locally reachable Wi-Fi networks.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1049">T1049</a> </td> <td> <a href="/techniques/T1049">System Network Connections Discovery</a> </td> <td> <p>Monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1033">T1033</a> </td> <td> <a href="/techniques/T1033">System Owner/User Discovery</a> </td> <td> <p>Monitor for API calls that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1007">T1007</a> </td> <td> <a href="/techniques/T1007">System Service Discovery</a> </td> <td> <p>Monitor for API calls associated with gathering information about registered local system services, such as QueryServiceStatusEx. Other Windows API calls worth monitoring include EnumServicesStatusExA, which can be used to enumerate services in the service control manager database.</p><p>Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. 
Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1124">T1124</a> </td> <td> <a href="/techniques/T1124">System Time Discovery</a> </td> <td> <p>Monitor for API calls that may gather the system time and/or time zone from a local or remote system. Remote access tools with built-in features may interact directly with the Windows API to gather information.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1125">T1125</a> </td> <td> <a href="/techniques/T1125">Video Capture</a> </td> <td> <p>Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system. Behaviors that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1497">T1497</a> </td> <td> <a href="/techniques/T1497">Virtualization/Sandbox Evasion</a> </td> <td> <p>Monitor for API calls that may employ various means to detect and avoid virtualization and analysis environments. 
Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1497/001">.001</a> </td> <td> <a href="/techniques/T1497/001">System Checks</a> </td> <td> <p>Monitor for API calls that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1497/002">.002</a> </td> <td> <a href="/techniques/T1497/002">User Activity Based Checks</a> </td> <td> <p>Monitor for API calls that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1497/003">.003</a> </td> <td> <a href="/techniques/T1497/003">Time Based Evasion</a> </td> <td> <p>Monitor for API calls that may employ various time-based methods to detect and avoid virtualization and analysis environments. 
Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.</p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view enterprise "> <a class="anchor" id="Process Access"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">Process: Process Access</h4> <div class="description-body"> <p>Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">Process: Process Access</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1185">T1185</a> </td> <td> <a href="/techniques/T1185">Browser Session Hijacking</a> </td> <td> <p>This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. 
Monitor for <a href="/techniques/T1055">Process Injection</a> against browser applications.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1555">T1555</a> </td> <td> <a href="/techniques/T1555">Credentials from Password Stores</a> </td> <td> <p>Monitor for processes being accessed that may search for common password storage locations to obtain user credentials.</p><p>Analytic 1 - Unauthorized process access indicating credential searches.</p><p><code> index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")(EventCode=10 TargetImage IN ("*lsass.exe", "*securityd*", "*ssh-agent*", "*gpg-agent*") OR EventCode=11 TargetObject IN ("*password*", "*creds*", "*credentials*", "*secrets*", "*keychain*", "*.kdbx", "*.pfx", "*.pem", "*.p12", "*.key") OR EventCode=1 CommandLine IN ("*mimikatz*", "*procdump*", "*gcore*", "*dbxutil*", "*security find-generic-password*", "*security find-internet-password*", "*security dump-keychain*", "*gsettings get org.gnome.crypto.cache*"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1555/002">.002</a> </td> <td> <a href="/techniques/T1555/002">Securityd Memory</a> </td> <td> <p>Monitor for processes being accessed that may obtain root access (allowing them to read securityd’s memory); they can then scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain.</p><p>Analytic 1 - Unauthorized process access indicating attempts to read securityd’s memory.</p><p><code> index=security sourcetype IN ("linux_secure", "macos_secure") event_type="process"(CommandLine IN ("*gcore*", "*dbxutil*", "*vmmap*", "*gdb*", 
"*lldb*", "*memdump*", "*strings*", "*cat /proc/*/maps*", "*grep /proc/*/maps*") OR (CommandLine IN ("*securityd*" AND CommandLine IN ("*ps*", "*lsof*", "*pmap*")))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1555/003">.003</a> </td> <td> <a href="/techniques/T1555/003">Credentials from Web Browsers</a> </td> <td> <p>Monitor process execution logs, including PowerShell Transcription, focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).</p><p>Analytic 1 - Unauthorized process access indicating credential searches in web browsers.</p><p><code>index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="process"(CommandLine IN ("*sqlite3* *logins*", "*sqlcipher* *logins*", "*db-browser* *Login Data*", "*db-browser* *logins.json*", "*CryptUnprotectData*", "*security find-internet-password*", "*security dump-keychain*", "*strings* *Login Data*", "*cat* *Login Data*", "*cat* *logins.json*", "*sqlite3* *signons.sqlite*")) </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1555/005">.005</a> </td> <td> <a href="/techniques/T1555/005">Password Managers</a> </td> <td> <p>Monitor for processes being accessed that may acquire user credentials from third-party password managers.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="ise. (2019, February 19). Password Managers: Under the Hood of Secrets Management. 
Retrieved January 22, 2021."data-reference="ise Password Manager February 2019"><sup><a href="https://www.ise.io/casestudies/password-manager-hacking/" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span></p><p>Analytic 1 - Unauthorized process access indicating credential searches in password managers.</p><p><code> index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") EventCode IN (1, 10, 11)(Image IN ("*keepass*", "*lastpass*", "*1password*", "*bitwarden*", "*dashlane*", "*passwordsafe*") OR TargetImage IN ("*keepass*", "*lastpass*", "*1password*", "*bitwarden*", "*dashlane*", "*passwordsafe*"))</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1559">T1559</a> </td> <td> <a href="/techniques/T1559">Inter-Process Communication</a> </td> <td> <p>Monitor processes that attempt to access other processes, especially if the access is unusual (such as low-privileged processes interacting with high-privileged processes like a VPN service).<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="VerSprite. (2018, January 24). Exploiting VyprVPN for MacOS. 
Retrieved April 20, 2022."data-reference="versprite xpc vpn"><sup><a href="https://versprite.com/blog/exploiting-vyprvpn-for-macos/" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p><p>Analytic 1 - Abnormal process access.</p><p><code>sourcetype=Sysmon EventCode=10| search access_type="IPC" AND process_privilege!="high"| stats count by process_name target_process_name user| where target_process_name IN ("VPNService", "Systemd", "svchost.exe") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1559/003">.003</a> </td> <td> <a href="/techniques/T1559/003">XPC Services</a> </td> <td> <p>Monitor for processes making abnormal calls to higher privileged processes, such as a user application connecting to a VPN service.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="VerSprite. (2018, January 24). Exploiting VyprVPN for MacOS. Retrieved April 20, 2022."data-reference="versprite xpc vpn"><sup><a href="https://versprite.com/blog/exploiting-vyprvpn-for-macos/" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1556">T1556</a> </td> <td> <a href="/techniques/T1556">Modify Authentication Process</a> </td> <td> <p>Monitor for unexpected processes interacting with authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts.</p><p>Analytic 1 - Unauthorized process interactions with authentication mechanisms.</p><p><code>( index=your_index source="WinEventLog:Security" EventCode=4688 | where (New_Process_Name IN ("C:\Windows\System32\lsass.exe", "C:\Windows\System32\winlogon.exe"))AND (Parent_Process_Name != "C:\Windows\System32\services.exe")| stats count by New_Process_Name, Parent_Process_Name, Account_Name, 
ComputerName) OR (index=your_index sourcetype=linux_auditd| where file IN ("/etc/pam.d/", "/etc/passwd", "/etc/shadow")| stats count by file, user, host )</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1556/001">.001</a> </td> <td> <a href="/techniques/T1556/001">Domain Controller Authentication</a> </td> <td> <p>Monitor for unexpected processes interacting with the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.</p><p>Analytic 1 - Unauthorized process interactions with domain controller authentication processes.</p><p><code> index=windows_logs (sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")| search (EventCode=4688 AND New_Process_Name="*\lsass.exe") OR (EventCode=10 AND TargetImage="*\lsass.exe")| eval suspicious_process=case( match(New_Process_Name, "regex_for_unusual_process_paths"), "High", match(New_Process_Name, ".*\system32\.*"), "Medium", true(), "Low" )| stats count by Host, User, New_Process_Name, CommandLine, suspicious_process| where suspicious_process="High"| lookup domain_admins user as User OUTPUT admin_status| where isnotnull(admin_status)| join type=left Host [ search index=windows_logs sourcetype="WinEventLog:Security" EventCode=4624 | eval login_time=strftime(_time, "%Y-%m-%d %H:%M:%S") | fields Host, login_time, Logon_Type, User ]| eval login_behavior=if(Logon_Type="10" AND admin_status="true", "External_Admin_Login", "Normal_Login")| table _time, Host, User, New_Process_Name, CommandLine, suspicious_process, login_behavior, login_time| sort - _time</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1003">T1003</a> </td> <td> <a href="/techniques/T1003">OS Credential Dumping</a> </td> <td> <p>Monitor for unexpected processes interacting with 
lsass.exe.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019."data-reference="Medium Detecting Attempts to Steal Passwords from Memory"><sup><a href="https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span> Common credential dumpers such as <a href="/software/S0002">Mimikatz</a> access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective <a href="/techniques/T1055">Process Injection</a> to reduce potential indicators of malicious activity.</p><h5>Linux</h5><p>To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path <code>/proc/&lt;pid&gt;/maps</code>, where the <code>&lt;pid&gt;</code> directory is the unique PID of the program being interrogated for such authentication data. 
The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the PID, process name, and arguments of such programs.</p><p>Analytic 1 - Unauthorized access to credential managers.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode=10 TargetImage="*lsass.exe" SourceImage IN ("*mimikatz.exe", "*procdump.exe"))OR (index=security sourcetype="linux_secure" (key="path" value IN ("/etc/passwd", "/etc/shadow")) (key="cmdline" value IN ("*mimikatz*", "*procdump*")))OR(index=security sourcetype="macOS:UnifiedLog" message IN ("/var/db/shadow/hash/*", "/private/etc/master.passwd") process IN ("mimikatz", "procdump"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1003/001">.001</a> </td> <td> <a href="/techniques/T1003/001">LSASS Memory</a> </td> <td> <p>Monitor for unexpected processes interacting with LSASS.exe.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019."data-reference="Medium Detecting Attempts to Steal Passwords from Memory"><sup><a href="https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span> Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. 
Credential dumpers may also use methods for reflective <a href="/techniques/T1055">Process Injection</a> to reduce potential indicators of malicious activity.</p><p>Usage of Procdump and Windows Task Manager for LSASS dumping can also be detected via process creation events, since they both have a predictable set of command-line arguments (i.e., for specifying the process to be dumped). </p><p>Note: Sysmon process access events (Event ID 10) can be extremely noisy, which necessitates tweaking the Sysmon configuration file. We recommend taking an approach analogous to that of the Sysmon Modular Configuration project (https://github.com/olafhartong/sysmon-modular) and filtering out any benign processes in your environment that produce large volumes of process access events. </p><p>The GrantedAccess value in the below analytic for Mimikatz is meant to be used solely as an illustrative example of detecting Mimikatz LSASS access. However, actual GrantedAccess values change over time with different versions of Mimikatz and therefore detection engineers need to verify the accuracy of any GrantedAccess values that their analytics are using. 
</p><p>Analytic 1 - Mimikatz</p><p><code>(sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="10" AND TargetImage= "<em>lsass.exe" AND (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)CallTrace="C:\windows\SYSTEM32\ntdll.dll+</em>|C:\windows\System32\KERNELBASE.dll+20edd|UNKNOWN(*)")</code></p><p>Analytic 2 - Suspicious process access to LSASS memory.</p><p><code>((sourceType=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="10") AND TargetImage= "*lsass.exe" AND SourceImage IN ("*mimikatz.exe", "*procdump.exe", "*rundll32.exe", "*taskmgr.exe", "*powershell.exe")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1055">T1055</a> </td> <td> <a href="/techniques/T1055">Process Injection</a> </td> <td> <p>Monitor for processes being viewed that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/001">.001</a> </td> <td> <a href="/techniques/T1055/001">Dynamic-link Library Injection</a> </td> <td> <p>Monitor for process being viewed that may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/002">.002</a> </td> <td> <a href="/techniques/T1055/002">Portable Executable Injection</a> </td> <td> <p>Monitor for processes being viewed that may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/003">.003</a> </td> <td> <a 
href="/techniques/T1055/003">Thread Execution Hijacking</a> </td> <td> <p>Monitor for processes being viewed that may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/004">.004</a> </td> <td> <a href="/techniques/T1055/004">Asynchronous Procedure Call</a> </td> <td> <p>Monitor for processes being viewed that may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/005">.005</a> </td> <td> <a href="/techniques/T1055/005">Thread Local Storage</a> </td> <td> <p>Monitor for processes being viewed that may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/008">.008</a> </td> <td> <a href="/techniques/T1055/008">Ptrace System Calls</a> </td> <td> <p>Monitor for processes being viewed that may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/012">.012</a> </td> <td> <a href="/techniques/T1055/012">Process Hollowing</a> </td> <td> <p>Monitor for processes being viewed that may inject malicious code into suspended and hollowed processes in order to evade process-based defenses.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a 
href="/techniques/T1539">T1539</a> </td> <td> <a href="/techniques/T1539">Steal Web Session Cookie</a> </td> <td> <p>Monitor for attempts by programs to inject into or dump browser process memory.</p><p>Analytic 1 - Unauthorized access or injection into browser processes.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode=4688 OR EventCode=4663) OR(index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OR EventCode=10) OR(index=os sourcetype="linux_secure" action="execve" OR action="ptrace") OR(index=os sourcetype="macos_secure" event_type="execve" OR event_type="ptrace") OR(index=gsuite sourcetype="gsuite:admin" event_name="LOGIN" event_type="cookie_auth") OR(index=o365 sourcetype="o365:management:activity" Operation="UserLoginViaCookie")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1033">T1033</a> </td> <td> <a href="/techniques/T1033">System Owner/User Discovery</a> </td> <td> <p>Monitor for unexpected processes interacting with lsass.exe.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019."data-reference="Medium Detecting Attempts to Steal Passwords from Memory"><sup><a href="https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span> Common credential dumpers such as <a href="/software/S0002">Mimikatz</a> access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. 
Credential dumpers may also use methods for reflective <a href="/techniques/T1055">Process Injection</a> to reduce potential indicators of malicious activity.</p><h5>Linux</h5><p>To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path <code>/proc/&lt;pid&gt;/maps</code>, where the <code>&lt;pid&gt;</code> directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.</p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view enterprise mobile ics "> <a class="anchor" id="Process Creation"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">Process: Process Creation</h4> <div class="description-body"> <p>The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">Process: Process Creation</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. 
Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1548">T1548</a> </td> <td> <a href="/techniques/T1548">Abuse Elevation Control Mechanism</a> </td> <td> <p>Monitor for newly executed processes that may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, to enable them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to "Get System", which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try and attain SYSTEM: in the first technique, they create a named pipe and connect an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process that is running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. 
This analytic looks for both of these techniques.</p><p>Analytic 1 - Get System Elevation</p><p><code>(source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688")(ParentImage="C:\Windows\System32\services.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="<em>echo</em>" CommandLine="<em>\pipe*") OR (Image="C:\Windows\System32\rundll32.exe" CommandLine="</em>,a /p:*")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1548/002">.002</a> </td> <td> <a href="/techniques/T1548/002">Bypass User Account Control</a> </td> <td> <p>Monitor newly executed processes, such as <code>eventvwr.exe</code> and <code>sdclt.exe</code>, that may bypass UAC mechanisms to elevate process privileges on the system.</p><p>Threat actors often, after compromising a machine, try to disable User Account Control (UAC) to escalate privileges. This is often done by changing the registry key for system policies using "reg.exe", a legitimate tool provided by Microsoft for modifying the registry via command prompt or scripts. 
This action interferes with UAC and may enable a threat actor to escalate privileges on the compromised system, thereby allowing further exploitation of the system.</p><p>Analytic 1 - UAC Bypass</p><p><code>(source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688") IntegrityLevel=High|search (ParentCommandLine="\"c:\windows\system32\dism.exe\"<em>""</em>.xml" AND Image!="c:\users\<em>\appdata\local\temp\</em>\dismhost.exe") OR ParentImage=c:\windows\system32\fodhelper.exe OR (CommandLine="\"c:\windows\system32\wusa.exe\"<em>/quiet</em>" AND User!=NOT_TRANSLATED AND CurrentDirectory=c:\windows\system32\ AND ParentImage!=c:\windows\explorer.exe) OR CommandLine="<em>.exe\"</em>cleanmgr.exe /autoclean<em>" OR (ParentImage="c:\windows\</em>dccw.exe" AND Image!="c:\windows\system32\cttune.exe") OR Image="c:\program files\windows media player\osk.exe" OR ParentImage="c:\windows\system32\slui.exe"|eval PossibleTechniques=case(like(lower(ParentCommandLine),"%c:\windows\system32\dism.exe%"), "UACME #23", like(lower(Image),"c:\program files\windows media player\osk.exe"), "UACME #32", like(lower(ParentImage),"c:\windows\system32\fodhelper.exe"), "UACME #33", like(lower(CommandLine),"%.exe\"%cleanmgr.exe /autoclean%"), "UACME #34", like(lower(Image),"c:\windows\system32\wusa.exe"), "UACME #36", like(lower(ParentImage),"c:\windows\%dccw.exe"), "UACME #37", like(lower(ParentImage),"c:\windows\system32\slui.exe"), "UACME #45") </code></p><p>Analytic 2 - Disable UAC</p><p><code>(source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688") ParentImage="C:\Windows\System32\cmd.exe" CommandLine="reg.exe<em>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System</em>REG_DWORD /d 0*""</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1548/003">.003</a> </td> 
<td> <a href="/techniques/T1548/003">Sudo and Sudo Caching</a> </td> <td> <p>Monitor newly executed processes that may perform sudo caching and/or use the sudoers file to elevate privileges.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1548/004">.004</a> </td> <td> <a href="/techniques/T1548/004">Elevated Execution with Prompt</a> </td> <td> <p>Consider monitoring for <code>/usr/libexec/security_authtrampoline</code> executions which may indicate that <code>AuthorizationExecuteWithPrivileges</code> is being executed. MacOS system logs may also indicate when <code>AuthorizationExecuteWithPrivileges</code> is being called.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1548/006">.006</a> </td> <td> <a href="/techniques/T1548/006">TCC Manipulation</a> </td> <td> <p>Monitor for abnormal processes executing under applications with elevated access.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1134">T1134</a> </td> <td> <a href="/techniques/T1134">Access Token Manipulation</a> </td> <td> <p>Monitor for executed processes that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1134/004">.004</a> </td> <td> <a href="/techniques/T1134/004">Parent PID Spoofing</a> </td> <td> <p>Monitor for newly constructed processes and/or command-lines that may abuse mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe</p> </td> </tr> <tr class="technique enterprise" 
id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1087">T1087</a> </td> <td> <a href="/techniques/T1087">Account Discovery</a> </td> <td> <p>Monitor for processes that can be used to enumerate user accounts and groups such as <code>net.exe</code> and <code>net1.exe</code>, especially when executed in quick succession.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020."data-reference="Elastic - Koadiac Detection with EQL"><sup><a href="https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span> Information may also be acquired through Windows system management tools such as <a href="/techniques/T1047">Windows Management Instrumentation</a> and <a href="/techniques/T1059/001">PowerShell</a>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1087/001">.001</a> </td> <td> <a href="/techniques/T1087/001">Local Account</a> </td> <td> <p>Monitor for processes that can be used to enumerate user accounts and groups such as <code>net.exe</code> and <code>net1.exe</code>, especially when executed in quick succession.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. 
Retrieved November 30, 2020."data-reference="Elastic - Koadiac Detection with EQL"><sup><a href="https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span> Information may also be acquired through Windows system management tools such as <a href="/techniques/T1047">Windows Management Instrumentation</a> and <a href="/techniques/T1059/001">PowerShell</a>.</p><p>Note: Event IDs are for Sysmon (Event ID 1 - process creation) and Windows Security Log (Event ID 4688 - a new process has been created). - For Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on the enumeration/reading of files that store local users, including <code>/etc/passwd</code>. - For MacOS, utilities that work in concert with Apple’s Endpoint Security Framework such as Process Monitor can be used to track usage of commands such as <code>id</code> and <code>groups</code>.</p><p>Analytic 1 - Net Discovery Commands</p><p><code>(source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688") Image="net.exe" OR Image="net1.exe"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1087/002">.002</a> </td> <td> <a href="/techniques/T1087/002">Domain Account</a> </td> <td> <p>Monitor for processes that can be used to enumerate domain accounts and groups, such as <code>net.exe</code> and <code>net1.exe</code>, especially when executed in quick succession.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. 
Retrieved November 30, 2020."data-reference="Elastic - Koadiac Detection with EQL"><sup><a href="https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span> Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1087/003">.003</a> </td> <td> <a href="/techniques/T1087/003">Email Account</a> </td> <td> <p>Monitor for newly executed processes, such as <a href="/techniques/T1047">Windows Management Instrumentation</a> and <a href="/techniques/T1059/001">PowerShell</a> , with arguments that can be used to enumerate email addresses and accounts.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1098">T1098</a> </td> <td> <a href="/techniques/T1098">Account Manipulation</a> </td> <td> <p>Monitor for newly constructed processes indicative of modifying account settings, such as those that modify <code>authorized_keys</code> or <code>/etc/ssh/sshd_config</code> files.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/004">.004</a> </td> <td> <a href="/techniques/T1098/004">SSH Authorized Keys</a> </td> <td> <p>Monitor for suspicious processes modifying the authorized_keys or /etc/ssh/sshd_config files.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0830">T0830</a> </td> <td> <a href="/techniques/T0830">Adversary-in-the-Middle</a> </td> <td> <p>Host-based implementations of this technique may utilize networking-based system calls or network utility commands (e.g., iptables) to locally intercept traffic. 
Monitor for relevant process creation events.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1010">T1010</a> </td> <td> <a href="/techniques/T1010">Application Window Discovery</a> </td> <td> <p>Monitor for newly executed processes that may attempt to get a listing of open application windows. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.</p><p>Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created).</p><p>Analytic 1 - Suspicious Processes</p><p><code>(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") | where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1560">T1560</a> </td> <td> <a href="/techniques/T1560">Archive Collected Data</a> </td> <td> <p>Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1560/001">.001</a> </td> <td> <a href="/techniques/T1560/001">Archive via Utility</a> </td> <td> <p>Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip. 
Before an adversary performs <a href="https://attack.mitre.org/tactics/TA0010">Exfiltration</a> of the data gathered during <a href="https://attack.mitre.org/tactics/TA0009">Collection</a>, it is very likely that an archive (see <a href="/techniques/T1560">Archive Collected Data</a>) will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored. In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of "* a *". This is helpful, as adversaries may change program names.</p><p>Note: This analytic looks for the command line argument <code>a</code>, which is used by RAR. However, there may be other programs that have this as a legitimate argument and may need to be filtered out.</p><p>Analytic 1 - Command Line Usage of Archiving Software</p><p><code> (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") CommandLine="<em> a </em>"</code></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0895">T0895</a> </td> <td> <a href="/techniques/T0895">Autorun Image</a> </td> <td> <p>Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1197">T1197</a> </td> <td> <a href="/techniques/T1197">BITS Jobs</a> </td> <td> <p>Monitor for newly constructed BITS tasks to enumerate using the BITSAdmin tool (bitsadmin /list /allusers /verbose). </p><p>Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). 
Analytic 1 is oriented around looking for the creation of Microsoft Background Intelligent Transfer Service utility (bitsadmin.exe) processes that schedule a BITS job to persist on an endpoint. The analytic identifies the command-line parameters used to create, resume or add a file to a BITS job; these are typically seen combined in a single command-line or executed in sequence.</p><p>Analytic 2 identifies the Microsoft Background Intelligent Transfer Service utility <code> bitsadmin.exe </code> using the <code> transfer</code> parameter to download a remote object. In addition, look for <code> download </code> or <code> upload </code> on the command-line; these switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically, once executed, a follow-on command will be used to execute the dropped file. Related network connection or file modification events will not be spawned or created by <code> bitsadmin.exe </code>, but the artifacts will appear in a parallel process of <code> svchost.exe </code> with a command-line similar to <code> svchost.exe -k netsvcs -s BITS </code>. It’s important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. 
You can use <code> bitsadmin /list /verbose </code> to list out the jobs during investigation.</p><p>Analytic 1 - BITS Job Persistence</p><p><code> (source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688") Image="C:\Windows\System32\bitsadmin.exe" AND (CommandLine= "<em>create</em>" OR CommandLine= "<em>addfile</em>" OR CommandLine= "<em>setnotifyflags</em>" OR CommandLine= "<em>setnotifycmdline</em>" OR CommandLine= "<em>setminretrydelay</em>" OR CommandLine= "<em>setcustomheaders</em>" OR CommandLine= "<em>resume</em>")</code></p><p>Analytic 2 - BITSAdmin Download File</p><p><code> (source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688") Image="C:\Windows\System32\bitsadmin.exe" AND CommandLine= <em>transfer</em></code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1547">T1547</a> </td> <td> <a href="/techniques/T1547">Boot or Logon Autostart Execution</a> </td> <td> <p>Suspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data to increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/001">.001</a> </td> <td> <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p>Monitor for newly executed processes executed from the Run/RunOnce registry keys through Windows EID 9707 or "Software\Microsoft\Windows\CurrentVersion\Run" and 
"Software\Microsoft\Windows\CurrentVersion\RunOnce" registry keys with the full command line.</p><p>Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via regedit.exe or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. Occasionally, power users and administrators write scripts that perform this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly.</p><p>Output Description: The sequence of processes that resulted in reg.exe being started from a shell. That is, a hierarchy that looks like:</p><ul><li>great-grand_parent.exe</li><li>grand_parent.exe</li><li>parent.exe</li><li>reg.exe</li></ul><p>Analytic 1 - Reg.exe called from Command Shell</p><p><code>(source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688") Image="reg.exe" AND ParentImage="cmd.exe"| join left=L right=R where L.ParentProcessGuid = R.ProcessGuid [search EventCode IN (1, 4688) Image="<em>cmd.exe" ParentImage!="</em>explorer.exe"]</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/003">.003</a> </td> <td> <a href="/techniques/T1547/003">Time Providers</a> </td> <td> <p>Monitor newly executed processes, such as the W32tm.exe utility. <span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. 
Retrieved March 26, 2018."data-reference="Microsoft W32Time May 2017"><sup><a href="https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span> The Sysinternals Autoruns tool may also be used to analyze auto-starting locations, including DLLs listed as time providers. <span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016."data-reference="TechNet Autoruns"><sup><a href="https://technet.microsoft.com/en-us/sysinternals/bb963902" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/004">.004</a> </td> <td> <a href="/techniques/T1547/004">Winlogon Helper DLL</a> </td> <td> <p>Monitor for the execution of processes that may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.</p><p>Analytic 1 - Modification of the Winlogon Registry Key</p><p><code>(source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688") | where (CommandLine LIKE "%Microsoft\Windows NT\CurrentVersion\Winlogon%" AND (CommandLine LIKE "%Userinit%" OR CommandLine LIKE "%Shell%" OR CommandLine LIKE "%Notify%")) AND (CommandLine LIKE "%reg%" OR CommandLine LIKE "%add%" OR CommandLine LIKE "%/d%" OR CommandLine LIKE "%Set-ItemProperty%" OR CommandLine LIKE "%New-ItemProperty%" CommandLine LIKE "%-value%")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/006">.006</a> </td> <td> <a href="/techniques/T1547/006">Kernel Modules and Extensions</a> </td> <td> <p>Monitor for newly created processes that may modify the 
kernel to automatically execute programs on system boot.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/009">.009</a> </td> <td> <a href="/techniques/T1547/009">Shortcut Modification</a> </td> <td> <p>Monitor for newly executed processes that may create or edit shortcuts to run a program during system boot or user login.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/013">.013</a> </td> <td> <a href="/techniques/T1547/013">XDG Autostart Entries</a> </td> <td> <p>Monitor newly executed processes that may modify XDG autostart entries to execute programs or commands during system boot.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/014">.014</a> </td> <td> <a href="/techniques/T1547/014">Active Setup</a> </td> <td> <p>Monitor newly executed processes that may achieve persistence by adding a Registry key to the Active Setup of the local machine.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1547/015">.015</a> </td> <td> <a href="/techniques/T1547/015">Login Items</a> </td> <td> <p>Monitor processes that start at login for unusual or unknown applications. Usual applications for login items could include what users add to configure their user environment, such as email, chat, or music applications, or what administrators include for organization settings and protections. 
Check for running applications from login items that also have abnormal behavior, such as establishing network connections.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1037">T1037</a> </td> <td> <a href="/techniques/T1037">Boot or Logon Initialization Scripts</a> </td> <td> <p>Monitor for newly executed processes that may use scripts automatically executed at boot or logon initialization to establish persistence. Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key <code>HKEY_CURRENT_USER\EnvironmentUserInitMprLogonScript</code>. This signature looks for edits to existing keys or creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. 
Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path.</p><p>Analytic 1 - Boot or Logon Initialization Scripts</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND CommandLine="*reg*add*\Environment*UserInitMprLogonScript*" </code></p><p>Note: the two event-source clauses are grouped so that the <code>CommandLine</code> filter applies to both; without the outer parentheses the Sysmon branch would return every process-creation event. The query only sees writes made through <code>reg.exe</code>. A value set from PowerShell (<code>Set-ItemProperty</code>), by a program calling the Registry API, or by Group Policy produces no such command line, so pair it with Windows Registry (DS0024) monitoring of the same path.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1037/001">.001</a> </td> <td> <a href="/techniques/T1037/001">Logon Script (Windows)</a> </td> <td> <p>Monitor for newly constructed processes and/or command-lines that execute logon scripts</p><p>Analytic 1 - Boot or Logon Initialization Scripts</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND CommandLine="*reg*add*\Environment*UserInitMprLogonScript*" </code></p>
class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1037/005">.005</a> </td> <td> <a href="/techniques/T1037/005">Startup Items</a> </td> <td> <p>Monitor for newly constructed processes and/or command-lines that execute during the boot up process to check for unusual or unknown applications and behavior</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1176">T1176</a> </td> <td> <a href="/techniques/T1176">Browser Extensions</a> </td> <td> <p>Monitor for newly executed processes that could be used to abuse internet browser extensions to establish persistence. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1217">T1217</a> </td> <td> <a href="/techniques/T1217">Browser Information Discovery</a> </td> <td> <p>Monitor for processes with arguments that may be associated with gathering browser information, such as local files and databases (e.g., <code>%APPDATA%/Google/Chrome</code>).<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="Chrome Enterprise and Education Help. (n.d.). Use Chrome Browser with Roaming User Profiles. Retrieved March 28, 2023."data-reference="Chrome Roaming Profiles"><sup><a href="https://support.google.com/chrome/a/answer/7349337" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1651">T1651</a> </td> <td> <a href="/techniques/T1651">Cloud Administration Command</a> </td> <td> <p>Monitor for process creation events in virtual machines that are associated with cloud VM agents, such as the WindowsAzureGuestAgent.exe process on Azure virtual machines. 
<span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="Adrien Bataille, Anders Vejlby, Jared Scott Wilson, and Nader Zaveri. (2021, December 14). Azure Run Command for Dummies. Retrieved March 13, 2023."data-reference="Mandiant Azure Run Command 2021"><sup><a href="https://www.mandiant.com/resources/blog/azure-run-command-dummies" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a></sup></span></p><p>Analytic 1 - Unexpected process creation</p><p><code> sourcetype=process_creation| search process_name IN ("WindowsAzureGuestAgent.exe", "ssm-agent.exe")| where process_name IN ("WindowsAzureGuestAgent.exe", "ssm-agent.exe") AND process_path != "/usr/local/bin/"</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1059">T1059</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a> </td> <td> <p>Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. 
Also monitor for loading of modules associated with specific languages.</p><p>Analytic 1 - Look for unusual command and scripting process creation.</p><p><code> (sourcetype=WinEventLog:Security OR sourcetype=sysmon OR sourcetype=linux_secure OR sourcetype=linux_audit OR sourcetype=mac_os_log OR sourcetype=azure:audit OR sourcetype=o365:audit)(EventCode=4688 OR EventID=1 OR _raw=<em>sh</em> OR _raw=<em>python</em> OR _raw=<em>powershell</em> OR _raw=<em>cmd</em> OR _raw=<em>script</em> OR _raw=<em>wscript</em> OR _raw=<em>bash</em>)</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/001">.001</a> </td> <td> <a href="/techniques/T1059/001">PowerShell</a> </td> <td> <p>Monitor for newly executed processes that may abuse PowerShell commands and scripts for execution. PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts.</p><p>Powershell can be used to hide monitored command line execution such as:</p><p>net usesc start</p><p>Note: - The logic for Analytic 1 is based around detecting on non-interactive Powershell sessions (i.e., those not launched by a user through explorer.exe). This may lead to false positives when used in a production environment, so we recommend tuning any such analytics by including additional logic (e.g., looking for suspicious parent processes) that helps filter such events.- The logic for Analytic 2 is based around detecting on remote Powershell sessions. PowerShell can be used over WinRM to remotely run commands on a host. 
When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe.</p><p>Analytic 1 - Non-interactive PowerShell Sessions</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND (Image="*\powershell.exe" OR Image="*\pwsh.exe") AND ParentImage!="*\explorer.exe"</code></p><p>Analytic 2 - Remote PowerShell Sessions</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND Image="*\wsmprovhost.exe" AND ParentImage="*\svchost.exe"</code></p><p>Analytic 3 - PowerShell Execution</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") Image="C:\Windows\*\powershell.exe" ParentImage!="C:\Windows\explorer.exe"|stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName</code></p><p>Note: <code>Image</code> and <code>ParentImage</code> carry full paths in Sysmon and Security 4688 events, so executable names are matched with a leading wildcard; a bare <code>powershell.exe</code> would never match. PowerShell 7 (<code>pwsh.exe</code>) is included in Analytic 1 because it is not covered by a <code>powershell.exe</code> match; Analytic 3 is scoped to the Windows directory and so only covers Windows PowerShell.</p>
Actions may be related to network and system information <a href="https://attack.mitre.org/tactics/TA0007">Discovery</a>, <a href="https://attack.mitre.org/tactics/TA0009">Collection</a>, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.</p><p>Analytic 1 - Look for unusual AppleScript process creation.</p><p><code> sourcetype=macOS:Process| search (parent_process_name="osascript" OR parent_process_name="NSAppleScript" OR parent_process_name="OSAScript") </code></p><p>Analytic 2 - Untrusted Locations</p><p><code> source="<em>Osquery:</em>" EventCode="process_added" AND Path LIKE "/Users/<em>/Downloads/</em>" OR Path LIKE "/tmp/*" </code></p><p>Analytic 3 - Parent/Child Process Relationship</p><p><code> source="<em>Osquery:</em>" EventCode="process_added" AND ParentImage= "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder" AND Image LIKE "<em>osascript</em>"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/003">.003</a> </td> <td> <a href="/techniques/T1059/003">Windows Command Shell</a> </td> <td> <p>Monitor for newly executed processes that may abuse the Windows command shell for execution.</p><p>Note: Try an Analytic by creating a baseline of parent processes of <a href="/software/S0106">cmd</a> seen over the last 30 days and a list of parent processes of <a href="/software/S0106">cmd</a> seen today. Parent processes in the baseline are removed from the set of parent processes seen today, leaving a list of new parent processes. This analytic attempts to identify suspicious programs spawning <a href="/software/S0106">cmd</a> by looking for programs that do not normally create <a href="/software/S0106">cmd</a>. It is very common for some programs to spawn <a href="/software/S0106">cmd</a> as a subprocess, for example to run batch files or Windows commands. 
However, many processes don’t routinely launch a command prompt - e.g., Microsoft Outlook. A command prompt being launched from a process that normally doesn’t launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one.</p><p>Analytic 1 - Unusual Command Execution</p><p><code> (source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688") AND CommandLine="<em>cmd.exe</em>" AND (CommandLine REGEXP "./c.<em>" OR CommandLine REGEXP ".</em>._ \/k.*")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/004">.004</a> </td> <td> <a href="/techniques/T1059/004">Unix Shell</a> </td> <td> <p>Monitor for newly executed processes that may abuse Unix shell commands and scripts for execution.</p><p>Analytic 1 - Look for unusual Unix shell process creation.</p><p><code> sourcetype=linux_secure OR sourcetype=macos_secure| search (command="sh" OR command="bash" OR command="zsh")| eval suspicious_process=if(like(command_line, "%.sh" OR "%.bash" OR "%.zsh"), "Yes", "No")| where suspicious_process="Yes"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/005">.005</a> </td> <td> <a href="/techniques/T1059/005">Visual Basic</a> </td> <td> <p>Monitor for the creation of processes related to VBScript and VBA execution. Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe). 
VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.</p><p>Note: This query monitors for the creation of processes like cscript.exe, wscript.exe, excel.exe, and winword.exe, which are commonly used to execute VB scripts. It highlights instances where these processes are initiated, providing insight into potential VB script execution.</p><p>Analytic 1 - Look for unusual VB process creation.</p><p><code>sourcetype=windows_security OR sourcetype=wineventlog OR sourcetype=linux_secure OR sourcetype=macos_secure| search (process="cscript.exe" OR process="wscript.exe" OR process="excel.exe" OR process="winword.exe")| eval suspicious_process=if(like(process, "cscript.exe" OR "wscript.exe" OR "excel.exe" OR "winword.exe"), "Yes", "No")| where suspicious_process="Yes" </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/006">.006</a> </td> <td> <a href="/techniques/T1059/006">Python</a> </td> <td> <p>Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. 
Monitor newly executed processes that may abuse Python commands and scripts for execution.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/007">.007</a> </td> <td> <a href="/techniques/T1059/007">JavaScript</a> </td> <td> <p>Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/010">.010</a> </td> <td> <a href="/techniques/T1059/010">AutoHotKey & AutoIT</a> </td> <td> <p>Monitor and analyze the execution and arguments of the <code>AutoIt3.exe</code> and <code>AutoHotkey.exe</code> interpreters. Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if <code>AutoHotkey.exe</code> is the parent process for additional suspicious processes and activity.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1623">T1623</a> </td> <td> <a href="/techniques/T1623">Command and Scripting Interpreter</a> </td> <td> <p>Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1623/001">.001</a> </td> <td> <a href="/techniques/T1623/001">Unix Shell</a> </td> <td> <p>Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0807">T0807</a> </td> <td> <a href="/techniques/T0807">Command-Line 
Interface</a> </td> <td> <p>Monitor for processes spawning from known command shell applications (e.g., PowerShell, Bash). Benign activity will need to be allow-listed. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1609">T1609</a> </td> <td> <a href="/techniques/T1609">Container Administration Command</a> </td> <td> <p>Track the creation of new processes within a container environment, which could indicate suspicious activity initiated via the Docker daemon or Kubernetes API server.</p><p>Analytic 1 - Unusual process creation within containers</p><p><code>sourcetype=docker:daemon OR sourcetype=kubernetes:container| search action="start" OR action="exec"</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1659">T1659</a> </td> <td> <a href="/techniques/T1659">Content Injection</a> </td> <td> <p>Look for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. 
This could include suspicious files written to disk, evidence of <a href="/techniques/T1055">Process Injection</a> for attempts to hide execution, or evidence of Discovery.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1136">T1136</a> </td> <td> <a href="/techniques/T1136">Create Account</a> </td> <td> <p>Monitor newly executed processes associated with account creation, such as net.exe </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1136/001">.001</a> </td> <td> <a href="/techniques/T1136/001">Local Account</a> </td> <td> <p>Monitor newly executed processes associated with account creation, such as net.exe</p><p>Analytic 1 - Create local admin accounts using net.exe</p><p><code>(source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688") (Image= C:\Windows\System32\net.exe OR Image= C:\Windows\System32\net1.exe ) AND CommandLine = * -exportPFX * )</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1136/002">.002</a> </td> <td> <a href="/techniques/T1136/002">Domain Account</a> </td> <td> <p>Monitor newly executed processes associated with account creation, such as net.exe</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1543">T1543</a> </td> <td> <a href="/techniques/T1543">Create or Modify System Process</a> </td> <td> <p>New, benign system processes may be created during installation of new software.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1543/002">.002</a> </td> <td> <a href="/techniques/T1543/002">Systemd Service</a> </td> <td> <p>Suspicious processes or scripts spawned in this manner will have a parent process of 
‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1543/003">.003</a> </td> <td> <a href="/techniques/T1543/003">Windows Service</a> </td> <td> <p>Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.</p><p>Windows runs the Service Control Manager (SCM) within the process services.exe. Windows launches services as independent processes or DLL loads within a svchost.exe group. To be a legitimate service, a process (or DLL) must have the appropriate service entry point SvcMain. If an application does not have the entry point, then it will timeout (default is 30 seconds) and the process will be killed.</p><p>To survive the timeout, adversaries and red teams can create services that direct to cmd.exe with the flag /c, followed by the desired command. The /c flag causes the command shell to run a command and immediately exit. As a result, the desired program will remain running and it will report an error starting the service. This analytic will catch that command prompt instance that is used to launch the actual malicious executable. Additionally, the children and descendants of services.exe will run as a SYSTEM user by default. </p><p>Note: Create a baseline of services seen over the last 30 days and a list of services seen today. Remove services in the baseline from services seen today, leaving a list of new services. 
Returns all processes named cmd.exe that have services.exe as a parent process. Because this should rarely happen on a healthy host, the /c flag is redundant in the search.</p><p>Analytic 2 - Services launching CMD</p><p><code> ((sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="1") OR (sourcetype=WinEventLog:Security EventCode="4688")) AND Image="*\cmd.exe" AND ParentImage="*\services.exe"</code></p><p>Note: a legitimate service whose binary path points at a batch file or at <code>%COMSPEC%</code> yields the same parent/child pair, so review the service's image path (System log Event ID 7045, "a service was installed") before dismissing or escalating a hit. Services implemented as DLLs run inside <code>svchost.exe</code> and are not caught by this query.</p>
directly, such as <code>security</code>, combined with arguments to collect passwords, such as <code>dump-keychain -d</code>.</p><p>Analytic 1 - New processes with parameters indicating attempts to manipulate keychains.</p><p><code>index=security sourcetype="macos_secure" event_type="process"(CommandLine IN ("<em>security dump-keychain</em>", "<em>security find-generic-password</em>", "<em>security find-internet-password</em>", "<em>security unlock-keychain</em>", "<em>security delete-keychain</em>", "<em>security set-keychain-settings</em>", "<em>security add-internet-password</em>", "<em>security add-generic-password</em>", "<em>security import</em>", "<em>security export</em>")) </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1555/004">.004</a> </td> <td> <a href="/techniques/T1555/004">Windows Credential Manager</a> </td> <td> <p>Monitor newly executed processes for suspicious activity listing credentials from the Windows Credentials locker (e.g. <code>vaultcmd /listcreds:"Windows Credentials"</code>).<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Arntz, P. (2016, March 30). The Windows Vault . 
Retrieved November 23, 2020."data-reference="Malwarebytes The Windows Vault"><sup><a href="https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a></sup></span></p><p>Analytic 1 - New processes with parameters indicating credential searches in Windows Credential Manager.</p><p><code> index=security sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1(CommandLine IN ("<em>vaultcmd.exe</em>", "<em>rundll32.exe keymgr.dll KRShowKeyMgr</em>"))</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1485">T1485</a> </td> <td> <a href="/techniques/T1485">Data Destruction</a> </td> <td> <p>Monitor for newly executed processes of binaries that could be involved in data destruction activity, such as SDelete.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0809">T0809</a> </td> <td> <a href="/techniques/T0809">Data Destruction</a> </td> <td> <p>Monitor for newly executed processes of binaries that could be involved in data destruction activity, such as SDelete.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1486">T1486</a> </td> <td> <a href="/techniques/T1486">Data Encrypted for Impact</a> </td> <td> <p>Monitor for newly constructed processes and/or command-lines involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1005">T1005</a> </td> <td> <a href="/techniques/T1005">Data from Local System</a> </td> <td> <p>Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.</p> </td> </tr> <tr 
class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0893">T0893</a> </td> <td> <a href="/techniques/T0893">Data from Local System</a> </td> <td> <p>Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1622">T1622</a> </td> <td> <a href="/techniques/T1622">Debugger Evasion</a> </td> <td> <p>Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. Debugger related system checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1140">T1140</a> </td> <td> <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a> </td> <td> <p>Monitor for newly executed processes that attempt to hide artifacts of an intrusion, such as common archive file applications and extensions (ex: Zip and RAR archive tools), and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.</p><p>CertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. 
Note that there are two additional command switches that may be used - encodehex and decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.</p><p>Analytic Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic is oriented around the creation of CertUtil.exe processes, which may be used to encode and decode files, including PE and script code. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process.</p><p>Analytic 1 - CertUtil with Decode Argument</p><p><code> (source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688") Image="C:\Windows\System32\certutil.exe" AND CommandLine= <em>decode</em> )</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1652">T1652</a> </td> <td> <a href="/techniques/T1652">Device Driver Discovery</a> </td> <td> <p>Monitor processes (<code>lsmod</code>, <code>driverquery.exe</code>, etc.) 
for events that may highlight potentially malicious attempts to enumerate device drivers.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1561">T1561</a> </td> <td> <a href="/techniques/T1561">Disk Wipe</a> </td> <td> <p>Monitor newly executed processes that may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1561/001">.001</a> </td> <td> <a href="/techniques/T1561/001">Disk Content Wipe</a> </td> <td> <p>Monitor newly executed processes that may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1561/002">.002</a> </td> <td> <a href="/techniques/T1561/002">Disk Structure Wipe</a> </td> <td> <p>Monitor newly executed processes that may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1482">T1482</a> </td> <td> <a href="/techniques/T1482">Domain Trust Discovery</a> </td> <td> <p>Monitor for newly executed processes that may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1189">T1189</a> </td> <td> <a href="/techniques/T1189">Drive-by 
Compromise</a> </td> <td> <p>Look for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk, evidence of <a href="/techniques/T1055">Process Injection</a> for attempts to hide execution, or evidence of Discovery.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0817">T0817</a> </td> <td> <a href="/techniques/T0817">Drive-by Compromise</a> </td> <td> <p>Monitor for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1611">T1611</a> </td> <td> <a href="/techniques/T1611">Escape to Host</a> </td> <td> <p>Monitor for process activity (such as unexpected processes spawning outside a container and/or on a host) that might indicate an attempt to escape from a privileged container to host. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1546">T1546</a> </td> <td> <a href="/techniques/T1546">Event Triggered Execution</a> </td> <td> <p>Tools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. 
Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/001">.001</a> </td> <td> <a href="/techniques/T1546/001">Change Default File Association</a> </td> <td> <p>Monitor for newly executed processes that may establish persistence by executing malicious content triggered by a file type association.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/002">.002</a> </td> <td> <a href="/techniques/T1546/002">Screensaver</a> </td> <td> <p>Monitor newly executed processes that may establish persistence by executing malicious content triggered by user inactivity.</p><p>Analytic 1 - HKCU\Control Panel\Desktop registry key</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) | where CommandLine LIKE "%reg%" AND CommandLine LIKE "%add%" AND CommandLine LIKE "%HKCU\Control Panel\Desktop\%"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/003">.003</a> </td> <td> <a href="/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a> </td> <td> <p>Monitor newly executed processes that result from the execution of subscriptions (i.e. 
spawning from the WmiPrvSe.exe WMI Provider Host process).</p><p>Note: Windows Event ID 4688 (A new process has been created) and Sysmon Event ID 1 (Process creation) can be used to alert on processes created by WMI event subscription triggers by filtering on events with a parent process name of <code>WmiPrvSe.exe</code>.</p><p>Monitor for execution of mofcomp.exe as a child of a suspicious shell or script running utility – <code>\powershell.exe</code> or <code>\cmd.exe</code> – or by having a suspicious path in the command line, such as <code>%temp%</code>.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="detection.fyi. (2023, October 28). Potential Suspicious Mofcomp Execution. Retrieved February 9, 2024."data-reference="sus mofcomp"><sup><a href="https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_mofcomp_execution/" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span><span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="The DFIR Report. (2023, January 8). proc_creation_win_mofcomp_execution.yml. Retrieved February 9, 2024."data-reference="sus mofcomp dos"><sup><a href="https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a></sup></span> Adversaries may compile modified MOF files using mofcomp.exe to create malicious WMI event subscriptions. 
</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/004">.004</a> </td> <td> <a href="/techniques/T1546/004">Unix Shell Configuration Modification</a> </td> <td> <p>Monitor newly executed processes that may establish persistence through executing malicious commands triggered by a user’s shell.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/005">.005</a> </td> <td> <a href="/techniques/T1546/005">Trap</a> </td> <td> <p>Monitor newly executed processes that may establish persistence by executing malicious content triggered by an interrupt signal.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/006">.006</a> </td> <td> <a href="/techniques/T1546/006">LC_LOAD_DYLIB Addition</a> </td> <td> <p>Monitor processes for those that may be used to modify binary headers.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/007">.007</a> </td> <td> <a href="/techniques/T1546/007">Netsh Helper DLL</a> </td> <td> <p>It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/008">.008</a> </td> <td> <a href="/techniques/T1546/008">Accessibility Features</a> </td> <td> <p>Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features.</p><p>An adversary can use accessibility features (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. 
Since an adversary does not have physical access to the machine, this technique must be run within Remote Desktop. To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. This analytic looks for instances of cmd.exe or powershell.exe launched directly from the logon process, winlogon.exe. </p><p>Several accessibility programs can be run using the Ease of Access center</p><ul><li>sethc.exe handles StickyKeys</li><li>utilman.exe is the Ease of Access menu</li><li>osk.exe runs the On-Screen Keyboard</li><li>narrator.exe reads screen text over audio</li><li>magnify.exe magnifies the view of the screen near the cursor</li></ul><p>One simple way to implement this technique is to note that in a default Windows configuration there are no spaces in the path to the system32 folder. If the accessibility programs are ever run with a Debugger set, then Windows will launch the Debugger process and append the command line to the accessibility program. As a result, a space is inserted in the command line before the path. Looking for any instances of a space in the command line before the name of an accessibility program will help identify when Debuggers are set.</p><p>The Windows Registry location HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for Accessibility Applications. The analytic looks for the original command line as an argument to the Debugger. 
When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set.</p><p>Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). Security Event ID 4688 records the command line only when the "Include command line in process creation events" audit policy is enabled, and it names the process fields NewProcessName/ParentProcessName rather than Sysmon's Image/ParentImage, so the OR'd sources below need field normalization before the filters apply to both. The Analytic example looks for any creation of common accessibility processes such as sethc.exe but does no other filtering, which may result in false positives. Therefore, we recommend tuning any such analytics by including additional logic (e.g., testing the name of the parent process) that helps reduce false positives.</p><p>Analytic 2 may produce false positives if the known strings are used as arguments to other applications in the day-to-day environment. Although the chance of the string "sethc.exe" being used as an argument for another application is low, it remains a possibility.</p><p>Analytic 1 - Command Launched from Winlogon</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND ParentImage="*\winlogon.exe" AND Image="*\cmd.exe" AND (CommandLine="*sethc.exe" OR CommandLine="*utilman.exe" OR CommandLine="*osk.exe" OR CommandLine="*narrator.exe" OR CommandLine="*magnify.exe")</code></p><p>Analytic 2 - Debuggers for Accessibility Applications</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) | where match(CommandLine, ".* .*(sethc|utilman|osk|narrator|magnify)\.exe")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/009">.009</a> </td> <td> <a href="/techniques/T1546/009">AppCert DLLs</a> </td> <td> <p>Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by 
AppCert DLLs loaded into processes.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/010">.010</a> </td> <td> <a href="/techniques/T1546/010">AppInit DLLs</a> </td> <td> <p>Monitor newly executed processes that may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.</p><p>Note: Sysmon Event ID 1 (process create) and Windows Security Log Event ID 4688 (a new process has been created) can be used to detect new reg.exe processes that modify the AppInit DLL registry keys since the registry keys are specified as a command-line parameter.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/011">.011</a> </td> <td> <a href="/techniques/T1546/011">Application Shimming</a> </td> <td> <p>Monitor newly executed processes for sdbinst.exe as a potential indication of application shim abuse. Several public tools are available that detect shims currently installed or active<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="Pierce, Sean. (2015, November). Defending Against Malicious Application Compatibility Shims. 
Retrieved June 22, 2017."data-reference="Black Hat 2015 App Shim"><sup><a href="https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a></sup></span>:</p><ul><li>Shim-Process-Scanner – checks memory of every running process for any shim flags</li><li>Shim-Detector-Lite – detects installation of custom shim databases</li><li>Shim-Guard – monitors the registry for any shim installations</li><li>ShimScanner – forensic tool to find active shims in memory</li><li>ShimCacheMem – Volatility plug-in that pulls the shim cache from memory (note: shims are only cached after reboot)</li></ul> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/012">.012</a> </td> <td> <a href="/techniques/T1546/012">Image File Execution Options Injection</a> </td> <td> <p>Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as <code>DEBUG_PROCESS</code> and <code>DEBUG_ONLY_THIS_PROCESS</code>. <span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO). 
Retrieved December 18, 2017."data-reference="Microsoft Dev Blog IFEO Mar 2010"><sup><a href="https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/013">.013</a> </td> <td> <a href="/techniques/T1546/013">PowerShell Profile</a> </td> <td> <p>Monitor newly executed processes that may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/014">.014</a> </td> <td> <a href="/techniques/T1546/014">Emond</a> </td> <td> <p>Monitor newly executed processes that may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond).</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/015">.015</a> </td> <td> <a href="/techniques/T1546/015">Component Object Model Hijacking</a> </td> <td> <p>Monitor newly executed processes that may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/016">.016</a> </td> <td> <a href="/techniques/T1546/016">Installer Packages</a> </td> <td> <p>Monitor processes with arguments that may be related to abuse of installer packages, including malicious, likely elevated processes triggered by application installations.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1546/017">.017</a> </td> <td> <a href="/techniques/T1546/017">Udev Rules</a> </td> <td> <p>Monitor the 
creation of new processes that are children of <code>systemd-udevd.service</code> at the process tree level.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for persistence. Retrieved September 26, 2024."data-reference="Ignacio Udev research 2024"><sup><a href="https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1480">T1480</a> </td> <td> <a href="/techniques/T1480">Execution Guardrails</a> </td> <td> <p>Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of <a href="https://attack.mitre.org/tactics/TA0007">Discovery</a>, especially in a short period of time, may aid in detection. Detecting the use of guardrails may be difficult depending on the implementation.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1480/001">.001</a> </td> <td> <a href="/techniques/T1480/001">Environmental Keying</a> </td> <td> <p>Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of <a href="https://attack.mitre.org/tactics/TA0007">Discovery</a>, especially in a short period of time, may aid in detection. 
Detecting the use of environmental keying may be difficult depending on the implementation.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1052">T1052</a> </td> <td> <a href="/techniques/T1052">Exfiltration Over Physical Medium</a> </td> <td> <p>Monitor for newly executed processes when removable media is mounted.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1052/001">.001</a> </td> <td> <a href="/techniques/T1052/001">Exfiltration over USB</a> </td> <td> <p>Monitor for newly executed processes when removable media is mounted.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1203">T1203</a> </td> <td> <a href="/techniques/T1203">Exploitation for Client Execution</a> </td> <td> <p>Identify abnormal child processes spawned by applications commonly targeted by exploits, such as browsers or Office programs, particularly those launched with suspicious arguments or into unknown directories.</p><p>For example, it is not expected behavior for the print spooler service to execute discovery-type processes. 
However, this is one example and could be any number of native or third-party processes that are executing either unusual or unknown (potentially adversary-brought) processes.</p><p>Note: Analytic 1 looks for instances where Office applications (e.g., Word, Excel, PowerPoint) are launched with suspicious parameters or from unusual locations; Analytic 2 looks for abnormal child process creation by Office applications, especially when accompanied by suspicious command-line parameters. Analytic 2 only excludes children located under System32 and Program Files as a noise filter; signed system binaries launched from those locations (e.g., a shell or script interpreter spawned by an Office process) are still worth reviewing, so tune the exclusion rather than treating it as an allowlist.</p><p>Analytic 1 - Office Application Process Execution</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND (Image="*\winword.exe" OR Image="*\excel.exe" OR Image="*\powerpnt.exe") AND (CommandLine="*macro*" OR CommandLine="*automation*" OR CommandLine="*shellcode*") AND ParentCommandLine="*open*"</code></p><p>Analytic 2 - Unusual Child Process Creation</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND (ParentImage="*\winword.exe" OR ParentImage="*\excel.exe" OR ParentImage="*\powerpnt.exe") AND NOT (Image="*\system32\*" OR Image="*\program files*")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1212">T1212</a> </td> <td> <a href="/techniques/T1212">Exploitation for Credential Access</a> </td> <td> <p>Monitor for newly executed processes that may indicate attempts to exploit vulnerabilities for credential access.</p><p>Analytic 1 - Unexpected process creation related to exploitation tools or techniques.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode=4688) OR (index=security sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1) OR (index=os sourcetype="linux_secure" action="execve") OR (index=os sourcetype="macos_secure" 
event_type="execve") | where match(Image, "(?i)(msfconsole|metasploit|mimikatz|powersploit|empire|cobaltstrike|responder|kerberoast|john|hashcat|rcrack|hydra|medusa|ncrack|patator)")</code></p><p>Note: the pattern is applied to the full image path, so short tokens such as <code>john</code> will also match user-profile paths (e.g., C:\Users\john\...); anchor the pattern to the file name or add word boundaries and tune accordingly. Matching on tool names is also easily evaded by renaming the binary, so pair this analytic with hash- or command-line-based detection.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1211">T1211</a> </td> <td> <a href="/techniques/T1211">Exploitation for Defense Evasion</a> </td> <td> <p>Monitor for abnormal process creations, such as a Command and Scripting Interpreter spawning from a potentially exploited application. Also look for behavior on the system that might indicate successful compromise, such as abnormal behavior of processes.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1068">T1068</a> </td> <td> <a href="/techniques/T1068">Exploitation for Privilege Escalation</a> </td> <td> <p>Monitor for newly executed processes that may exploit software vulnerabilities in an attempt to elevate privileges. After gaining initial access to a system, threat actors attempt to escalate privileges as they may be operating within a lower privileged process which does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting the spoolsv.exe or conhost.exe executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us of any potentially malicious activity.</p><p>Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic is oriented around looking for an invocation of either spoolsv.exe or conhost.exe by a user, thus alerting us of any potentially malicious activity. 
A common way of escalating privileges in a system is by externally invoking and exploiting these executables, both of which are legitimate Windows applications. conhost.exe is also commonly observed as a child of console applications such as cmd.exe during normal operation, so expect a high baseline volume from this analytic and tune it (e.g., on command line, user context, or parent of cmd.exe) before alerting. </p><p>Analytic 1 - Unusual Child Process for spoolsv.exe or conhost.exe</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND (Image="C:\Windows\System32\spoolsv.exe" OR Image="C:\Windows\System32\conhost.exe") AND ParentImage="C:\Windows\System32\cmd.exe"</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1083">T1083</a> </td> <td> <a href="/techniques/T1083">File and Directory Discovery</a> </td> <td> <p>Monitor newly executed processes that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1222">T1222</a> </td> <td> <a href="/techniques/T1222">File and Directory Permissions Modification</a> </td> <td> <p>Monitor for newly executed processes that may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.<span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018."data-reference="Hybrid Analysis Icacls1 June 2018"><sup><a href="https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a></sup></span><span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. 
Retrieved August 19, 2018."data-reference="Hybrid Analysis Icacls2 May 2018"><sup><a href="https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1222/001">.001</a> </td> <td> <a href="/techniques/T1222/001">Windows File and Directory Permissions Modification</a> </td> <td> <p>Monitor for newly constructed processes and/or command-lines that can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1222/002">.002</a> </td> <td> <a href="/techniques/T1222/002">Linux and Mac File and Directory Permissions Modification</a> </td> <td> <p>Monitor for newly executed processes that may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.<span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018."data-reference="Hybrid Analysis Icacls1 June 2018"><sup><a href="https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a></sup></span><span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. 
Retrieved August 19, 2018."data-reference="Hybrid Analysis Icacls2 May 2018"><sup><a href="https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1606">T1606</a> </td> <td> <a href="/techniques/T1606/002">.002</a> </td> <td> <a href="/techniques/T1606">Forge Web Credentials</a>: <a href="/techniques/T1606/002">SAML Tokens</a> </td> <td> <p>This search looks for certutil.exe command-line arguments that indicate the export or extraction of a certificate and its private key. Such a certificate can then be used to sign forged authentication tokens, especially in federated environments such as Windows AD FS.</p><p>Analytic 1 - Certutil.exe Certificate Extraction</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND Image="C:\Windows\System32\certutil.exe" AND CommandLine="* -exportPFX *"</code></p><p>Note: matching the exact System32 path will miss the SysWOW64 copy or a renamed certutil binary; consider matching on the file name or, where the data source provides it, Sysmon's OriginalFileName field instead.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0823">T0823</a> </td> <td> <a href="/techniques/T0823">Graphical User Interface</a> </td> <td> <p>Monitor for newly executed processes related to services specifically designed to accept remote graphical connections, such as RDP and VNC. 
<a href="/techniques/T0886">Remote Services</a> and <a href="/techniques/T0859">Valid Accounts</a> may be used to access a host’s GUI.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1615">T1615</a> </td> <td> <a href="/techniques/T1615">Group Policy Discovery</a> </td> <td> <p>Monitor for newly executed processes that may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1564">T1564</a> </td> <td> <a href="/techniques/T1564">Hide Artifacts</a> </td> <td> <p>Monitor newly executed processes that may attempt to hide artifacts associated with their behaviors to evade detection.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1564/001">.001</a> </td> <td> <a href="/techniques/T1564/001">Hidden Files and Directories</a> </td> <td> <p>Monitor newly executed processes that may set files and directories to be hidden to evade detection mechanisms.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1564/002">.002</a> </td> <td> <a href="/techniques/T1564/002">Hidden Users</a> </td> <td> <p>Monitor newly executed processes for actions that could be taken to add a new user and subsequently hide it from login screens.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1564/003">.003</a> </td> <td> <a href="/techniques/T1564/003">Hidden Window</a> </td> <td> <p>Monitor newly executed processes that may use hidden windows to conceal malicious activity from the plain sight of users. 
For example, monitor suspicious Windows Explorer execution – such as an additional <code>explorer.exe</code> holding a handle to an unknown desktop – that may be used for hidden malicious activity via hVNC.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="Safran, Or. Asinovsky, Pavel. (2017, November). Who Hid My Desktop: Deep Dive Into HVNC. Retrieved November 28, 2023."data-reference="Who Hid My Desktop"><sup><a href="https://deepsec.net/docs/Slides/2017/Who_Hid_My_Desktop_Or_Safran_Pavel_Asinovsky.pdf" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a></sup></span> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1564/004">.004</a> </td> <td> <a href="/techniques/T1564/004">NTFS File Attributes</a> </td> <td> <p>Monitor for process execution that may use NTFS file attributes to hide malicious data in order to evade detection. The analytics below key on the <code>file:stream</code> syntax used to reference an alternate data stream in the command line of common system utilities.</p><p>Analytic 1 - NTFS Alternate Data Stream Execution : System Utilities (PowerShell)</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND Image="C:\Windows\*\powershell.exe" | regex CommandLine="Invoke-CimMethod\s+-ClassName\s+Win32_Process\s+-MethodName\s+Create.*\b(\w+(\.\w+)?):(\w+(\.\w+)?)|-ep bypass\s+-\s+&lt;.*\b(\w+(\.\w+)?):(\w+(\.\w+)?)|-command.*Get-Content.*-Stream.*Set-Content.*start-process .*(\w+(\.\w+)?)"</code></p><p>Analytic 2 - NTFS Alternate Data Stream Execution : System Utilities (WMIC)</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND Image="C:\Windows\*\wmic.exe" | regex CommandLine="process call create.*\"(\w+(\.\w+)?):(\w+(\.\w+)?)"</code></p><p>Analytic 3 - NTFS Alternate Data Stream Execution : System Utilities 
(rundll32)</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND Image="C:\Windows\*\rundll32.exe" | regex CommandLine="\"?(\w+(\.\w+)?):(\w+(\.\w+)?)?\"?,\w+|(advpack\.dll|ieadvpack\.dll),RegisterOCX\s+(\w+\.\w+):(\w+(\.\w+)?)|(shdocvw\.dll|ieframe\.dll),OpenURL.*(\w+\.\w+):(\w+(\.\w+)?)"</code></p><p>Analytic 4 - NTFS Alternate Data Stream Execution : System Utilities (wscript/cscript)</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND (Image="C:\Windows\*\wscript.exe" OR Image="C:\Windows\*\cscript.exe") | regex CommandLine="(?&lt;!\/)\b\w+(\.\w+)?:\w+(\.\w+)?$"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1564/006">.006</a> </td> <td> <a href="/techniques/T1564/006">Run Virtual Instance</a> </td> <td> <p>Monitor newly executed processes associated with running a virtual instance, such as those launched from binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V).</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1564/009">.009</a> </td> <td> <a href="/techniques/T1564/009">Resource Forking</a> </td> <td> <p>Monitor newly executed processes that may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1564/010">.010</a> </td> <td> <a href="/techniques/T1564/010">Process Argument Spoofing</a> </td> <td> <p>Analyze process behavior to determine if a process is performing actions it usually does not and/or that do not align with its logged command-line arguments.</p><p>Detection of process argument spoofing may be 
difficult as adversaries may momentarily modify stored arguments used for malicious execution. These changes may bypass process creation detection and/or later process memory analysis. Consider monitoring for <a href="/techniques/T1055/012">Process Hollowing</a>, which includes monitoring for process creation (especially those in a suspended state) as well as access and/or modifications of these processes (especially by the parent process) via Windows API calls.<span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021."data-reference="Nviso Spoof Command Line 2020"><sup><a href="https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a></sup></span><span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="Pena, E., Erikson, C. (2019, October 10). Staying Hidden on the Endpoint: Evading Detection with Shellcode. 
Retrieved November 29, 2021."data-reference="Mandiant Endpoint Evading 2019"><sup><a href="https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1564/011">.011</a> </td> <td> <a href="/techniques/T1564/011">Ignore Process Interrupts</a> </td> <td> <p>Monitor newly created processes for artifacts, such as <code>nohup</code> or <a href="/techniques/T1059/001">PowerShell</a> <code>-ErrorAction SilentlyContinue</code>, that may attempt to hide processes from interrupt signals.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1574">T1574</a> </td> <td> <a href="/techniques/T1574">Hijack Execution Flow</a> </td> <td> <p>Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1574/002">.002</a> </td> <td> <a href="/techniques/T1574/002">DLL Side-Loading</a> </td> <td> <p>Monitor newly constructed processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the introduction of new files/programs.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1574/005">.005</a> </td> <td> <a href="/techniques/T1574/005">Executable Installer File Permissions Weakness</a> </td> <td> <p>Monitor for newly constructed processes that match existing service executables. 
</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1574/006">.006</a> </td> <td> <a href="/techniques/T1574/006">Dynamic Linker Hijacking</a> </td> <td> <p>Monitor for newly executed processes for unusual activity (e.g., a process that does not use the network begins to do so).</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1574/007">.007</a> </td> <td> <a href="/techniques/T1574/007">Path Interception by PATH Environment Variable</a> </td> <td> <p>Monitor for newly executed processes for process executable paths that are named for partial directories.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1574/008">.008</a> </td> <td> <a href="/techniques/T1574/008">Path Interception by Search Order Hijacking</a> </td> <td> <p>Monitor for newly executed processes for process executable paths that are named for partial directories.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1574/009">.009</a> </td> <td> <a href="/techniques/T1574/009">Path Interception by Unquoted Path</a> </td> <td> <p>Monitor for newly executed processes that may execute their own malicious payloads by hijacking vulnerable file path references.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1574/010">.010</a> </td> <td> <a href="/techniques/T1574/010">Services File Permissions Weakness</a> </td> <td> <p>Monitor for newly executed processes that may execute their own malicious payloads by hijacking the binaries used by services.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1574/011">.011</a> </td> <td> <a href="/techniques/T1574/011">Services Registry Permissions Weakness</a> </td> <td> 
<p>Monitor suspicious program execution through services. These processes may show up as outlier processes that have not been seen before when compared against historical data.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1574/012">.012</a> </td> <td> <a href="/techniques/T1574/012">COR_PROFILER</a> </td> <td> <p>Monitor for newly executed processes, such as setx.exe, that may abuse the COR_PROFILER variable, and monitor for new suspicious unmanaged profiling DLLs loading into .NET processes shortly after the CLR, causing abnormal process behavior.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation for persistence. Retrieved June 24, 2020."data-reference="Red Canary COR_PROFILER May 2020"><sup><a href="https://redcanary.com/blog/cor_profiler-for-persistence/" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1574/014">.014</a> </td> <td> <a href="/techniques/T1574/014">AppDomainManager</a> </td> <td> <p>Monitor newly constructed processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the loading of unexpected .NET resources.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1562">T1562</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a> </td> <td> <p>Monitor newly executed processes that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/001">.001</a> </td> <td> <a href="/techniques/T1562/001">Disable or Modify Tools</a> </td> <td> 
<p>In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using "sc" [service control], a legitimate tool provided by Microsoft for managing services. This action interferes with event detection and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.</p><p>Note: Though this analytic is utilizing Event ID 1 for process creation, the arguments are specifically looking for the use of service control for querying or trying to stop Windows Defender.</p><p>Analytic 1 - Detecting Tampering of Windows Defender Command Prompt</p><p><code>(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="C:\Windows\System32\sc.exe" (CommandLine="sc <em>config</em>" OR CommandLine="sc <em>stop</em>" OR CommandLine="sc <em>query</em>" )</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/002">.002</a> </td> <td> <a href="/techniques/T1562/002">Disable Windows Event Logging</a> </td> <td> <p>Monitor newly executed processes that may disable Windows event logging to limit data that can be leveraged for detections and audits.</p><p>Analytic 1 - Disable Windows Event Logging</p><p><code> (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") ((CommandLine="<em>New-Item</em>" OR CommandLine="<em>reg add</em>") CommandLine="<em>MiniNt</em>") OR (CommandLine="<em>Stop-Service</em>" CommandLine="<em>EventLog</em>") OR (CommandLine="<em>EventLog</em>" (CommandLine="<em>Set-Service</em>" OR CommandLine="<em>reg add</em>" OR CommandLine="<em>Set-ItemProperty</em>" OR CommandLine="<em>New-ItemProperty</em>" OR CommandLine="<em>sc config</em>")) OR (CommandLine="<em>auditpol</em>" (CommandLine="<em>/set</em>" OR CommandLine="<em>/clear</em>" 
OR CommandLine="*/remove*")) OR (CommandLine="*wevtutil*" (CommandLine="*sl*" OR CommandLine="*set-log*"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/006">.006</a> </td> <td> <a href="/techniques/T1562/006">Indicator Blocking</a> </td> <td> <p>Monitor for executed processes that may attempt to block indicators or events typically captured by sensors from being gathered and analyzed.</p><p>Analytic 1 - Indicator Blocking - Driver Unloaded</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") Image= "fltmc.exe" AND CommandLine= "*unload*"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/009">.009</a> </td> <td> <a href="/techniques/T1562/009">Safe Mode Boot</a> </td> <td> <p>Monitor newly executed processes that may abuse Windows safe mode to disable endpoint defenses.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/010">.010</a> </td> <td> <a href="/techniques/T1562/010">Downgrade Attack</a> </td> <td> <p>Monitor newly executed processes that may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/011">.011</a> </td> <td> <a href="/techniques/T1562/011">Spoof Security Alerting</a> </td> <td> <p>Consider monitoring for suspicious processes that may be spoofing security tools and monitoring messages.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1070">T1070</a> </td> <td> <a href="/techniques/T1070">Indicator 
Removal</a> </td> <td> <p>Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/001">.001</a> </td> <td> <a href="/techniques/T1070/001">Clear Windows Event Logs</a> </td> <td> <p>Monitor for newly executed processes that may clear Windows Event Logs to hide the activity of an intrusion. In an attempt to clear traces after compromising a machine, threat actors often try to clear Windows Event logs. This is often done using "wevtutil", a legitimate tool provided by Microsoft. This action interferes with event collection and notification, and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.</p><p>Note: This search query looks for wevtutil, Clear-EventLog, Limit-EventLog, Remove-Item or Remove-EventLog inside a command that may cause the system to remove Windows Event logs.</p><p>Analytic 1 - Clearing Windows Logs with Wevtutil</p><p><code>(source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688") (Image=<em>wevtutil</em> CommandLine=<em>cl</em> (CommandLine=<em>System</em> OR CommandLine=<em>Security</em> OR CommandLine=<em>Setup</em> OR CommandLine=<em>Application</em>) OR Clear-EventLog OR Limit-EventLog OR (Remove-Item AND .evtx) OR Remove-EventLog) </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/003">.003</a> </td> <td> <a href="/techniques/T1070/003">Clear Command History</a> </td> <td> <p>Monitor for the suspicious execution of processes that may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.</p><p>Analytic 1 - Clear Powershell Console Command History 
</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") AND (CommandLine="*rm (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="*del (Get-PSReadlineOption).HistorySavePath*" OR CommandLine="*Set-PSReadlineOption -HistorySaveStyle SaveNothing*" OR CommandLine="*Remove-Item (Get-PSReadlineOption).HistorySavePath*" OR (CommandLine="*del*" AND CommandLine="*Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt*"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/005">.005</a> </td> <td> <a href="/techniques/T1070/005">Network Share Connection Removal</a> </td> <td> <p>Monitor for newly constructed processes and/or command line execution that can be used to remove network share connections via the net.exe process. </p><p>Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic is oriented around looking for various methods of removing network shares via the command line, which is otherwise a rare event. 
</p><p>Analytic 1- Network Share Connection Removal</p><p><code> (source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688") (Image= "C:\Windows\System32\net.exe" AND CommandLine= "<em>delete</em>") OR CommandLine="<em>Remove-SmbShare</em>" OR CommandLine="<em>Remove-FileShare</em>" )</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/007">.007</a> </td> <td> <a href="/techniques/T1070/007">Clear Network Connection History and Configurations</a> </td> <td> <p>Monitor created processes with arguments that may delete or alter malicious network configuration settings as well as generated artifacts that highlight network connection history on a host system -- which may include logs, files, or Registry values.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/008">.008</a> </td> <td> <a href="/techniques/T1070/008">Clear Mailbox Data</a> </td> <td> <p>Monitor for newly executed processes with arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined emails.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/009">.009</a> </td> <td> <a href="/techniques/T1070/009">Clear Persistence</a> </td> <td> <p>Monitor for newly executed processes that may delete or alter generated artifacts associated with persistence on a host system. 
</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0872">T0872</a> </td> <td> <a href="/techniques/T0872">Indicator Removal on Host</a> </td> <td> <p>Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1202">T1202</a> </td> <td> <a href="/techniques/T1202">Indirect Command Execution</a> </td> <td> <p>Monitor for newly constructed processes and/or command-lines that can be used instead of invoking cmd (i.e. pcalua.exe, winrs.exe, cscript/wscript.exe, hh.exe, or bash.exe).</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1490">T1490</a> </td> <td> <a href="/techniques/T1490">Inhibit System Recovery</a> </td> <td> <p>Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as <code>vssadmin</code>, <code>wbadmin</code>, and <code>bcdedit</code>. After compromising a network of systems, threat actors often try to delete/resize Shadow Copy in an attempt to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool to interact with shadow copies. This action, often employed by ransomware, may lead to a failure in recovering systems after an attack. The pseudo code detection focuses on Windows Security and Sysmon process creation (4688 and 1). The use of wmic to delete shadow copy generates WMI-Activity Operational 5857 event and could generate 5858 (if the operation fails). 
These 2 EventIDs could be interesting when attackers use wmic without process creation and/or for forensics.</p><p>Analytic 1 - Detecting Shadow Copy Deletion or Resize</p><p><code>(source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688")(CommandLine="<em>vssadmin</em> <em>delete</em> <em>shadows</em>" OR CommandLine="<em>wmic</em> <em>shadowcopy</em> <em>delete</em>" OR CommandLine="<em>vssadmin</em> <em>resize</em> <em>shadowstorage</em>")) OR (EventCode="5857" ProviderName="MSVSS__PROVIDER") OR (EventCode="5858" Operation="<em>Win32_ShadowCopy</em>")</code></p><p>Analytic 2 - BCDEdit Failure Recovery Modification</p><p><code>(source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688") Image= "C:\Windows\System32\bcdedit.exe" AND CommandLine="<em>recoveryenabled</em>"</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1056">T1056</a> </td> <td> <a href="/techniques/T1056">Input Capture</a> </td> <td> <p>Monitor for newly executed processes conducting malicious activity </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1056/002">.002</a> </td> <td> <a href="/techniques/T1056/002">GUI Input Capture</a> </td> <td> <p>Monitor for newly executed processes </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1559">T1559</a> </td> <td> <a href="/techniques/T1559">Inter-Process Communication</a> </td> <td> <p>Monitor the creation of processes that are related to the abuse of IPC mechanisms, particularly those that communicate with higher-privileged services or perform suspicious operations.</p><p>Analytic 1 - Processes using IPC mechanisms.</p><p><code>(( sourcetype=WinEventLog:Security 
EventCode=4688) OR (sourcetype=Sysmon EventCode=1))| search parent_process IN ("XPCService", "com.apple.securityd") OR process_name IN ("cmd.exe", "bash", "osascript")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1559/001">.001</a> </td> <td> <a href="/techniques/T1559/001">Component Object Model</a> </td> <td> <p>Monitor for newly executed processes that are associated with COM objects, especially those invoked by a user different than the one currently logged on.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1559/002">.002</a> </td> <td> <a href="/techniques/T1559/002">Dynamic Data Exchange</a> </td> <td> <p>Monitor for newly executed processes that may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.</p><p>Analytic 1 - Unusual Child Process spawned using DDE exploit</p><p><code> (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="<em>.exe" (ParentImage="</em>excel.exe" OR ParentImage="<em>word.exe" OR ParentImage="</em>outlook.exe")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1570">T1570</a> </td> <td> <a href="/techniques/T1570">Lateral Tool Transfer</a> </td> <td> <p>Monitor newly constructed processes that assist in lateral tool transfers. 
</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0867">T0867</a> </td> <td> <a href="/techniques/T0867">Lateral Tool Transfer</a> </td> <td> <p>Monitor newly constructed processes that assist in lateral tool transfers, such as file transfer programs.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1654">T1654</a> </td> <td> <a href="/techniques/T1654">Log Enumeration</a> </td> <td> <p>Monitor for unexpected process activity associated with utilities that can access and export logs, such as <code>wevtutil.exe</code> on Windows and <code>CollectGuestLogs.exe</code> on Azure hosted VMs.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1036">T1036</a> </td> <td> <a href="/techniques/T1036">Masquerading</a> </td> <td> <p>Monitor for newly executed processes that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. The RECYCLER and SystemVolumeInformation directories will be present on every drive. Replace %systemroot% and %windir% with the actual paths as configured by the endpoints.</p><p>Analytic 1 - Suspicious Run Locations</p><p><code>(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND ( Image="*:\RECYCLER*" OR Image="*:\SystemVolumeInformation*" OR Image="%windir%\Tasks*" OR Image="%systemroot%\debug*")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1036/005">.005</a> </td> <td> <a href="/techniques/T1036/005">Match Legitimate Name or Location</a> </td> <td> <p>Monitor for newly executed processes that may match or approximate the name or location of legitimate files or resources when naming/placing them. 
Looks for mismatches between process names and their image paths. Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exe, svchost.exe, etc). There are several sub-techniques, but this analytic focuses on <a href="/techniques/T1036/005">Match Legitimate Name or Location</a> only.</p><p>Note: With process monitoring, hunt for processes matching these criteria:</p><ul><li>process name is svchost.exe, smss.exe, wininit.exe, taskhost.exe, etc.</li><li>process path is not C:\Windows\System32\ or C:\Windows\SysWow64\</li></ul><p>Examples (true positive): C:\Users\administrator\svchost.exe</p><p>To make sure the rule doesn’t miss cases where the executable would be started from a sub-folder of these locations, the entire path is checked for the process path. The below example should be considered as suspicious: C:\Windows\System32\srv\svchost.exe</p><p>Analytic 1 - Common Windows Process Masquerading</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")AND ( (Image=svchost.exe AND (image_path!="C:\Windows\System32\svchost.exe" OR process_path!="C:\Windows\SysWow64\svchost.exe")) OR (Image="*smss.exe" AND image_path!="C:\Windows\System32\smss.exe") OR (Image="wininit.exe" AND image_path!="C:\Windows\System32\wininit.exe") OR (Image="taskhost.exe" AND image_path!="C:\Windows\System32\taskhost.exe") OR (Image="lsass.exe" AND image_path!="C:\Windows\System32\lsass.exe") OR (Image="winlogon.exe" AND image_path!="C:\Windows\System32\winlogon.exe") OR (Image="csrss.exe" AND image_path!="C:\Windows\System32\csrss.exe") OR (Image="services.exe" AND image_path!="C:\Windows\System32\services.exe") OR (Image="lsm.exe" AND image_path!="C:\Windows\System32\lsm.exe") OR (Image="explorer.exe" AND image_path!="C:\Windows\explorer.exe")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> 
<td></td> <td> <a href="/techniques/T1036/009">.009</a> </td> <td> <a href="/techniques/T1036/009">Break Process Trees</a> </td> <td> <p>Monitor for the abnormal creation of background processes as well as processes executing from abnormal locations, such as <code>/dev/shm</code>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1112">T1112</a> </td> <td> <a href="/techniques/T1112">Modify Registry</a> </td> <td> <p>Monitor processes and command-line arguments for actions that could be taken to change, conceal, and/or delete information in the Registry (i.e. reg.exe, regedit.exe). The analytic is oriented around detecting invocations of <a href="/software/S0075">Reg</a> where the parent executable is an instance of cmd.exe that wasn’t spawned by explorer.exe. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will typically be explorer.exe. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be baselined so they can be tuned out accordingly. Analytic Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). 
</p><p>Analytic 1 - Registry Edit with Modification of Userinit, Shell or Notify</p><p><code>(source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688") ((CommandLine="<em>reg</em>" CommandLine="<em>add</em>" CommandLine="<em>/d</em>") OR ((CommandLine="<em>Set-ItemProperty</em>" OR CommandLine="<em>New-ItemProperty</em>") AND CommandLine="<em>-value</em>")) CommandLine="<em>\Microsoft\Windows NT\CurrentVersion\Winlogon</em>" (CommandLine="<em>Userinit</em>" OR CommandLine="<em>Shell</em>" OR CommandLine="<em>Notify</em>")</code></p><p>Analytic 2 - Modification of Default Startup Folder in the Registry Key 'Common Startup'</p><p><code>(source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688") (CommandLine="<em>reg</em>" AND CommandLine="<em>add</em>" AND CommandLine="<em>/d</em>") OR (CommandLine="<em>Set-ItemProperty</em>" AND CommandLine="<em>-value</em>") CommandLine="<em>Common Startup</em>"</code></p><p>Analytic 3 - Registry Edit with Creation of SafeDllSearchMode Key Set to 0</p><p><code>(source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688")((CommandLine="<em>reg</em>" CommandLine="<em>add</em>" CommandLine="<em>/d</em>") OR (CommandLine="<em>Set-ItemProperty</em>" CommandLine="<em>-value</em>")) (CommandLine="<em>00000000</em>" OR CommandLine="<em>0</em>") CommandLine="<em>SafeDllSearchMode</em>")</code></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0840">T0840</a> </td> <td> <a href="/techniques/T0840">Network Connection Enumeration</a> </td> <td> <p>Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. 
Also monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1135">T1135</a> </td> <td> <a href="/techniques/T1135">Network Share Discovery</a> </td> <td> <p>Monitor for newly executed processes that may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1040">T1040</a> </td> <td> <a href="/techniques/T1040">Network Sniffing</a> </td> <td> <p>Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network </p><p>Note: The Analytic is for Windows systems and looks for new processes that have the names of the most common network sniffing tools. 
While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy.</p><p>Analytic 1 - Unexpected execution of network sniffing tools.</p><p><code>index=security sourcetype="WinEventLog:Security" EventCode=4688 OR index=security sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 Image IN ("<em>tshark.exe", "</em>windump.exe", "*tcpdump.exe", "wprui.exe", "wpr.exe") AND ParentImage!="C:\Program Files\Windows Event Reporting\Core\EventReporting.AgentService.exe"</code></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0842">T0842</a> </td> <td> <a href="/techniques/T0842">Network Sniffing</a> </td> <td> <p>Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1027">T1027</a> </td> <td> <a href="/techniques/T1027">Obfuscated Files or Information</a> </td> <td> <p>Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1027/004">.004</a> </td> <td> <a href="/techniques/T1027/004">Compile After Delivery</a> </td> <td> <p>Monitor for newly constructed processes and/or command-lines that look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system. 
Typically these should only be used in specific and limited cases, like for software development.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1027/011">.011</a> </td> <td> <a href="/techniques/T1027/011">Fileless Storage</a> </td> <td> <p>In Linux systems, monitor for newly executed processes from shared memory directories such as <code>/dev/shm</code>, <code>/run/shm</code>, <code>/var/run</code>, and <code>/var/lock</code>.<span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="Elastic. (n.d.). Binary Executed from Shared Memory Directory. Retrieved September 24, 2024."data-reference="Elastic Binary Executed from Shared Memory Directory"><sup><a href="https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1137">T1137</a> </td> <td> <a href="/techniques/T1137">Office Application Startup</a> </td> <td> <p>Monitor newly executed processes that may leverage Microsoft Office-based applications for persistence between startups. Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior. 
If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1137/001">.001</a> </td> <td> <a href="/techniques/T1137/001">Office Template Macros</a> </td> <td> <p>Monitor newly executed processes that may abuse Microsoft Office templates to obtain persistence on a compromised system.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1137/002">.002</a> </td> <td> <a href="/techniques/T1137/002">Office Test</a> </td> <td> <p>Monitor newly executed processes that may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1137/003">.003</a> </td> <td> <a href="/techniques/T1137/003">Outlook Forms</a> </td> <td> <p>Monitor newly executed processes that may abuse Microsoft Outlook forms to obtain persistence on a compromised system.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1137/004">.004</a> </td> <td> <a href="/techniques/T1137/004">Outlook Home Page</a> </td> <td> <p>Monitor newly executed processes that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1137/005">.005</a> </td> <td> <a href="/techniques/T1137/005">Outlook Rules</a> </td> <td> <p>Monitor newly executed processes that may abuse Microsoft Outlook rules to obtain persistence on a compromised system.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a 
href="/techniques/T1137/006">.006</a> </td> <td> <a href="/techniques/T1137/006">Add-ins</a> </td> <td> <p>Monitor newly executed processes that may abuse Microsoft Office add-ins to obtain persistence on a compromised system. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1003">T1003</a> </td> <td> <a href="/techniques/T1003">OS Credential Dumping</a> </td> <td> <p>Monitor for newly executed processes that may be indicative of credential dumping.</p><p>Analytic 1 - Unexpected process creation related to credential dumping.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode=4688 Image="*procdump.exe" CommandLine IN ("* -ma lsass*"))OR (index=security sourcetype="linux_secure" (key="cmdline" value IN ("*procdump* -ma /proc/$(pgrep lsass)")) (key="exe" value="*procdump"))OR(index=security sourcetype="macOS:UnifiedLog" process="*procdump" command="* -ma /proc/$(pgrep lsass)")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1003/001">.001</a> </td> <td> <a href="/techniques/T1003/001">LSASS Memory</a> </td> <td> <p>Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process. Try monitoring for Sysmon Event ID 1 and/or Windows Security Event ID 4688 for process activity. </p><p>Note: Rundll32/MiniDump has a different command-line syntax than that of Procdump, in that the process being dumped is specified via process ID instead of name (as with Procdump). 
Therefore, because the LSASS process ID is non-deterministic, the MiniDump detection isn’t specific to LSASS dumping and may need to be tuned to help reduce false positives. When monitoring for .dll functions on the command-line, be sure to also check for the ordinal associated with the function.</p><p>Analytic 1 - Unexpected process creation related to LSASS memory dumping.</p><p><code> index=security sourcetype="WinEventLog:Security" EventCode=4688 Image IN ("*procdump.exe", "*rundll32.exe", "*taskmgr.exe", "*powershell.exe") CommandLine IN ("* -ma lsass*", "*rundll32.exe* comsvcs.dll, MiniDump", "*taskmgr.exe* /dump", "*powershell.exe* -Command Get-Process lsass | Out-MemoryDump")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1201">T1201</a> </td> <td> <a href="/techniques/T1201">Password Policy Discovery</a> </td> <td> <p>Monitor for newly executed processes that may attempt to access detailed information about the password policy used within an enterprise network or cloud environment.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1120">T1120</a> </td> <td> <a href="/techniques/T1120">Peripheral Device Discovery</a> </td> <td> <p>Monitor for newly executed processes that may attempt to gather information about attached peripheral devices and components connected to a computer system.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1069">T1069</a> </td> <td> <a href="/techniques/T1069">Permission Groups Discovery</a> </td> <td> <p>Monitor for newly constructed processes and/or command-lines for actions that could be taken to gather system and network information. 
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1069/001">.001</a> </td> <td> <a href="/techniques/T1069/001">Local Groups</a> </td> <td> <p>Monitor newly executed processes that may attempt to find local system groups and permission settings.</p><p>Note: Event IDs are for Sysmon (Event ID 1 - process creation) and Windows Security Log (Event ID 4688 - a new process has been created). The logic in the Analytic looks for any instances of net.exe used for local user/group discovery; although this utility is not normally used for benign purposes, such usage by system administrator actions may trigger false positives.</p><p>Analytic 1 - Local Permission Group Discovery</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") Image="net.exe" AND ( CommandLine="*net* user*" OR CommandLine="*net* group*" OR CommandLine="*net* localgroup*" OR CommandLine="*get-localgroup*" OR CommandLine="*get-ADPrincipalGroupMembership*" )</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1069/002">.002</a> </td> <td> <a href="/techniques/T1069/002">Domain Groups</a> </td> <td> <p>Monitor newly executed processes that may attempt to find domain-level groups and permission settings.</p><p>For Linux, auditing frameworks that support alerting on process creation, including the audit daemon (auditd), can be used to alert on invocations of commands such as <code>ldapsearch</code>.</p><p>For MacOS, utilities that work in 
concert with Apple’s Endpoint Security Framework such as Process Monitor can be used to track usage of commands such as <code>dscacheutil -q group</code>.</p><p>Note: Event IDs are for Sysmon (Event ID 10 - process access) and Windows Security Log (Event ID 4688 - a new process has been created). </p><p>Analytic 1 - Local Permission Group Discovery - Net</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") (Image= "net.exe" OR Image= "net1.exe") AND CommandLine="*group*/domain*")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1069/003">.003</a> </td> <td> <a href="/techniques/T1069/003">Cloud Groups</a> </td> <td> <p>Monitor newly executed processes that may attempt to find cloud groups and permission settings.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1647">T1647</a> </td> <td> <a href="/techniques/T1647">Plist File Modification</a> </td> <td> <p>Monitor for newly executed processes with arguments that can modify property list (plist) files.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1057">T1057</a> </td> <td> <a href="/techniques/T1057">Process Discovery</a> </td> <td> <p>Monitor for newly executed processes that may attempt to get information about running processes on a system. To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment.</p><p>Because these commands are built in, they may be run frequently by power users or even by normal users. 
Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically. Within the built-in Windows Commands:</p><ul><li>hostname</li><li>ipconfig</li><li>net</li><li>quser</li><li>qwinsta</li><li>sc with flags query, queryex, qc</li><li>systeminfo</li><li>tasklist</li><li>dsquery</li><li>whoami</li></ul><p>Note: To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment.</p><p>Analytic 1 - Host Discovery Commands</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") (Image="C:\Windows\*\hostname.exe" OR Image="C:\Windows\*\ipconfig.exe" OR Image="C:\Windows\*\net.exe" OR Image="C:\Windows\*\quser.exe" OR Image="C:\Windows\*\qwinsta.exe" OR (Image="C:\Windows\*\sc.exe" AND (CommandLine="* query *" OR CommandLine="* qc *")) OR Image="C:\Windows\*\systeminfo.exe" OR Image="C:\Windows\*\tasklist.exe" OR Image="C:\Windows\*\whoami.exe")|stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName</code></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1055">T1055</a> </td> <td> <a href="/techniques/T1055/012">.012</a> </td> <td> <a href="/techniques/T1055">Process Injection</a>: <a href="/techniques/T1055/012">Process Hollowing</a> </td> <td> <p>Monitor for newly executed processes that may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Adversaries may start legitimate processes and then use their memory space to run malicious code. 
This analytic looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose they may not have the standard parent that we would expect. This list is not exhaustive, and it is possible for cyber actors to avoid this discrepancy. These signatures only work if Sysmon reports the parent process, which may not always be the case if the parent dies before Sysmon processes the event.</p><p>Analytic 1 - Processes Started From Irregular Parents</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") AND ParentImage!="?" AND ParentImage!="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" AND ParentImage!="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" AND((Image="C:\Windows\System32\smss.exe" AND (ParentImage!="C:\Windows\System32\smss.exe" AND ParentImage!="System")) OR(Image="C:\Windows\System32\csrss.exe" AND (ParentImage!="C:\Windows\System32\smss.exe" AND ParentImage!="C:\Windows\System32\svchost.exe")) OR(Image="C:\Windows\System32\wininit.exe" AND ParentImage!="C:\Windows\System32\smss.exe") OR(Image="C:\Windows\System32\winlogon.exe" AND ParentImage!="C:\Windows\System32\smss.exe") OR(Image="C:\Windows\System32\lsass.exe" and ParentImage!="C:\Windows\System32\wininit.exe") OR(Image="C:\Windows\System32\LogonUI.exe" AND (ParentImage!="C:\Windows\System32\winlogon.exe" AND ParentImage!="C:\Windows\System32\wininit.exe")) OR(Image="C:\Windows\System32\services.exe" AND ParentImage!="C:\Windows\System32\wininit.exe") OR(Image="C:\Windows\System32\spoolsv.exe" AND ParentImage!="C:\Windows\System32\services.exe") OR(Image="C:\Windows\System32\taskhost.exe" AND (ParentImage!="C:\Windows\System32\services.exe" AND ParentImage!="C:\Windows\System32\svchost.exe")) OR(Image="C:\Windows\System32\taskhostw.exe" AND (ParentImage!="C:\Windows\System32\services.exe" AND 
ParentImage!="C:\Windows\System32\svchost.exe")) OR(Image="C:\Windows\System32\userinit.exe" AND (ParentImage!="C:\Windows\System32\dwm.exe" AND ParentImage!="C:\Windows\System32\winlogon.exe")))</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1012">T1012</a> </td> <td> <a href="/techniques/T1012">Query Registry</a> </td> <td> <p>Monitor for newly executed processes that may interact with the Windows Registry to gather information about the system, configuration, and installed software.</p><p>Note: The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such as a registry key (PSProvider "Registry"). The Get-ChildItem cmdlet gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations.</p><p>Note for Analytic 3: Replace FilePathToLolbasProcessXX.exe with LOLBAS process names that are used by your organization. The number_standard_deviations parameter should be tuned accordingly. Identifying outliers by comparing the distance from a data point to the average value against a certain number of standard deviations is recommended for data values that are symmetrically distributed. 
If your data is not symmetrically distributed, try a different algorithm such as the Interquartile Range (IQR).</p><p>Analytic 1 - Suspicious Processes with Registry keys</p><p><code>(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") | search (CommandLine LIKE "%reg%" AND CommandLine LIKE "%query%") OR (CommandLine LIKE "%Registry%" AND (CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine LIKE "%HKCR%"))</code></p><p>Analytic 2 - reg.exe spawned from suspicious cmd.exe</p><p><code>((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") | WHERE (Image LIKE "%reg.exe%" AND ParentImage LIKE "%cmd.exe%")| rename ProcessParentGuid as guid| join type=inner guid[ | search ((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") AND (Image LIKE "%cmd.exe%" AND ParentImage NOT LIKE "%explorer.exe%")| rename ProcessGuid as guid ]</code></p><p>Analytic 3 - Rare LolBAS command lines</p><p><code> ((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND Image IN ('FilePathToLolbasProcess01.exe','FilePathToLolbasProcess02.exe') AND number_standard_deviations = 1.5| select Image, ProcessCount, AVG(ProcessCount) Over() - STDEV(ProcessCount) Over() * number_standard_deviations AS LowerBound | WHERE ProcessCount &lt; LowerBound</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1219">T1219</a> </td> <td> <a href="/techniques/T1219">Remote Access Software</a> </td> <td> <p>Monitor for applications and processes related to remote admin software. Correlate activity with other suspicious behavior that may reduce false positives if this type of software is used by legitimate users and administrators. 
<a href="/techniques/T1090/004">Domain Fronting</a> may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote software to compromised systems. It may be possible to detect or prevent the installation of this type of software with host-based solutions.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1563">T1563</a> </td> <td> <a href="/techniques/T1563">Remote Service Session Hijacking</a> </td> <td> <p>Monitor newly executed processes that may take control of preexisting sessions with remote services to move laterally in an environment.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1563/001">.001</a> </td> <td> <a href="/techniques/T1563/001">SSH Hijacking</a> </td> <td> <p>Monitor newly executed processes that may hijack a legitimate user's SSH session to move laterally within an environment.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1563/002">.002</a> </td> <td> <a href="/techniques/T1563/002">RDP Hijacking</a> </td> <td> <p>Consider monitoring processes for tscon.exe usage. Using tscon.exe to hijack an RDP session requires SYSTEM level permissions. Therefore, we recommend also looking for Privilege Escalation techniques that may be used for this purpose in conjunction with RDP Session Hijacking.</p><p>In addition to tscon.exe, mstsc.exe can similarly be used to hijack existing RDP sessions. 
In this case, we recommend looking for the command-line parameters of <code>/noconsentPrompt</code> and <code>/shadow:</code>, which allow for stealthy hijacking of an RDP session with no prompt and without kicking off the existing session.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1021">T1021</a> </td> <td> <a href="/techniques/T1021">Remote Services</a> </td> <td> <p>Monitor for newly executed processes that may use <a href="/techniques/T1078">Valid Accounts</a> to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC. The adversary may then perform actions that spawn additional processes as the logged-on user.</p><p>Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters.</p><p>Any tool of interest with commonly known command line usage can be detected by command line analysis. 
Known substrings of command lines include:</p><ul><li>PuTTY</li><li>port forwarding <code>-R * -pw</code></li><li>secure copy (scp) <code>-pw * * *@*</code></li><li>mimikatz <code>sekurlsa::</code></li><li>RAR <code>* -hp *</code></li><li>Archive* a *</li></ul><p>Additionally, it may be useful to find IP addresses in the command line:</p><ul><li><code>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}</code></li></ul><p>Analytic 1 - Suspicious Arguments</p><p><code>(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND CommandLine="-R .* -pw" OR CommandLine="-pw .* .* .*@.*" OR CommandLine="sekurlsa" OR CommandLine=" -hp " OR CommandLine=".* a .*" </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1021/001">.001</a> </td> <td> <a href="/techniques/T1021/001">Remote Desktop Protocol</a> </td> <td> <p>Monitor for newly executed processes (such as <code>mstsc.exe</code>) that may use <a href="/techniques/T1078">Valid Accounts</a> to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions that spawn additional processes as the logged-on user.</p><p>Analytic 1 - Unusual processes associated with RDP sessions</p><p><code> sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 | search (parent_process="mstsc.exe" OR parent_process="rdpclip.exe")| table _time, host, user, process_name, parent_process, command_line| where process_name!="expected_processes"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1021/002">.002</a> </td> <td> <a href="/techniques/T1021/002">SMB/Windows Admin Shares</a> </td> <td> <p>Monitor for the creation of WMI Win32_Process class and method Create to interact with a remote network share using Server Message Block (SMB). 
Relevant indicators detected by Bro/Zeek are IWbemServices::ExecMethod or IWbemServices::ExecMethodAsync. One thing to notice is that when the Create method is used on a remote system, the method is run under a host process named "Wmiprvse.exe".</p><p>The process WmiprvSE.exe is what spawns the process defined in the CommandLine parameter of the Create method. Therefore, the new process created remotely will have Wmiprvse.exe as a parent. WmiprvSE.exe is a DCOM server and it is spawned underneath the DCOM service host svchost.exe with the following parameters: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p. From a logon session perspective, on the target, WmiprvSE.exe is spawned in a different logon session by the DCOM service host. However, whatever is executed by WmiprvSE.exe occurs on the new network type (3) logon session created by the user that authenticated from the network.</p><p>Analytic 1 - Basic</p><p><code>(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND ParentImage="*wmiprvse.exe" AND TargetLogonID="0x3e7"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1021/003">.003</a> </td> <td> <a href="/techniques/T1021/003">Distributed Component Object Model</a> </td> <td> <p>Monitor for newly executed processes associated with DCOM activity, especially those invoked by a user different than the one currently logged on. Enumeration of COM objects, via <a href="/techniques/T1012">Query Registry</a> or <a href="/techniques/T1059/001">PowerShell</a>, may also precede malicious use.<span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="Hamilton, C. (2019, June 4). Hunting COM Objects. 
Retrieved June 10, 2019."data-reference="Fireeye Hunting COM June 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a></sup></span><span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" title="Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017."data-reference="Enigma MMC20 COM Jan 2017"><sup><a href="https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a></sup></span></p><p>The Microsoft Management Console (mmc.exe) can be used by threat actors to spawn arbitrary processes through DCOM. The typical process tree for this method looks like: svchost.exe —> mmc.exe —> &lt;some_process&gt;.exe. </p><p>Accordingly, look for process creation events of mmc.exe in conjunction with the -Embedding command-line argument, along with suspicious child processes that can be used for malicious purposes, such as cmd.exe, reg.exe, etc.</p><p>Similar to the Microsoft Management Console, Excel can also be used to execute processes through DCOM. In this case, the typical process tree looks like: svchost.exe —> excel.exe —> &lt;some_process&gt;.exe. </p><p>Look for process creation events of excel.exe in conjunction with the /automation -Embedding command-line argument, along with suspicious child processes that can be used for malicious purposes, such as cmd.exe, reg.exe, etc.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1021/004">.004</a> </td> <td> <a href="/techniques/T1021/004">SSH</a> </td> <td> <p>Monitor for newly executed processes that may use <a href="/techniques/T1078">Valid Accounts</a> to log into remote machines using Secure Shell (SSH). 
For example, on macOS systems <code>log show --predicate 'process = "sshd"'</code> can be used to review incoming SSH connection attempts for suspicious activity. The command <code>log show --info --predicate 'process = "ssh" or eventMessage contains "ssh"'</code> can be used to review outgoing SSH connection activity.<span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021."data-reference="Apple Unified Log Analysis Remote Login and Screen Sharing"><sup><a href="https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a></sup></span></p><p>For Linux systems, the Audit framework (auditd) can be used to monitor for the creation of SSH related processes such as ssh. </p><p>For macOS systems (10.12+), the above command can be used to look through the Unified Logs for SSH connection activity, though we also recommend including the <code>--debug</code> parameter to ensure that all relevant data is returned: <code>log show --info --debug --predicate 'process = "ssh" or eventMessage contains "ssh"'</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1021/005">.005</a> </td> <td> <a href="/techniques/T1021/005">VNC</a> </td> <td> <p>Monitor for newly executed processes that may use <a href="/techniques/T1078">Valid Accounts</a> to remotely control machines using Virtual Network Computing (VNC). For example, on macOS systems the <code>screensharingd</code> process may be related to VNC connection activity.<span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="Sarah Edwards. (2020, April 30). 
Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021."data-reference="Apple Unified Log Analysis Remote Login and Screen Sharing"><sup><a href="https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1021/006">.006</a> </td> <td> <a href="/techniques/T1021/006">Windows Remote Management</a> </td> <td> <p>Monitor for newly executed processes that may use <a href="/techniques/T1078">Valid Accounts</a> to interact with remote systems using Windows Remote Management (WinRM), as well as service processes such as <code>wmiprvse.exe</code> on destination hosts.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0886">T0886</a> </td> <td> <a href="/techniques/T0886">Remote Services</a> </td> <td> <p>Monitor for newly executed processes related to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may use <a href="/techniques/T0859">Valid Accounts</a> to login and may perform follow-on actions that spawn additional processes as the user.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1018">T1018</a> </td> <td> <a href="/techniques/T1018">Remote System Discovery</a> </td> <td> <p>Monitor for newly executed processes that can be used to discover remote systems, such as <code>ping.exe</code> and <code>tracert.exe</code>, especially when executed in quick succession.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Stepanic, D.. (2020, January 13). 
Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020."data-reference="Elastic - Koadiac Detection with EQL"><sup><a href="https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0846">T0846</a> </td> <td> <a href="/techniques/T0846">Remote System Discovery</a> </td> <td> <p>Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe , especially when executed in quick succession.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020."data-reference="Elastic - Koadiac Detection with EQL"><sup><a href="https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span> Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0888">T0888</a> </td> <td> <a href="/techniques/T0888">Remote System Information Discovery</a> </td> <td> <p>Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. 
Retrieved November 30, 2020."data-reference="Elastic - Koadiac Detection with EQL"><sup><a href="https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span> Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1091">T1091</a> </td> <td> <a href="/techniques/T1091">Replication Through Removable Media</a> </td> <td> <p>Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0847">T0847</a> </td> <td> <a href="/techniques/T0847">Replication Through Removable Media</a> </td> <td> <p>Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1496">T1496</a> </td> <td> <a href="/techniques/T1496">Resource Hijacking</a> </td> <td> <p>Monitor for common cryptomining or proxyware software process names that may indicate compromise and resource usage.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1496/001">.001</a> </td> <td> <a href="/techniques/T1496/001">Compute Hijacking</a> </td> <td> <p>Monitor for common cryptomining software process names that may indicate compromise and resource usage.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1496/002">.002</a> </td> <td> <a href="/techniques/T1496/002">Bandwidth Hijacking</a> </td> <td> <p>Monitor for common proxyware software process names that may indicate compromise and resource usage. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1053">T1053</a> </td> <td> <a href="/techniques/T1053">Scheduled Task/Job</a> </td> <td> <p>Monitor for newly executed processes that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.</p><p>Note: Below are the relevant events and sources.</p><p>Windows:</p><ul><li>Sysmon Event ID 1: Process creation, particularly for schtasks.exe, at.exe, Taskeng.exe, crontab, etc.</li><li>Windows Event Log EventCode 4688: Process creation that might involve task scheduling.</li><li>Windows Task Scheduler Logs: Task creation, modification, or deletion.</li></ul><p>Linux/macOS:</p><ul><li>Auditd logs: Monitoring for cron job creation or modifications.</li><li>Syslog: Logs related to cron jobs or scheduled tasks.</li><li>File integrity monitoring (FIM): For changes to /etc/cron*, /var/spool/cron/*, or user-specific cron jobs.</li></ul><p>Containers:</p><ul><li>
Container logs: Detection of scheduled tasks or cron jobs within container environments.</li></ul><p>Analytic 1 - Look for task execution with unusual parameters.</p><p><code>(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security" OR sourcetype="linux_auditd" OR sourcetype="syslog") | where Image IN ("schtasks.exe", "at.exe", "Taskeng.exe", "cron", "crontab", "systemd-timers")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1053/002">.002</a> </td> <td> <a href="/techniques/T1053/002">At</a> </td> <td> <p>Monitor for newly constructed processes with command-lines that create/modify or are executed from tasks. For example, on Windows tasks may spawn from <code>svchost.exe</code> or the Windows Task Scheduler <code>taskeng.exe</code> for older OS versions. <span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved September 12, 2024."data-reference="Twitter Leoloobeek Scheduled Task"><sup><a href="https://x.com/leoloobeek/status/939248813465853953" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a></sup></span> Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Instances of the process at.exe running imply the querying or creation of tasks. 
Although the <code>command_line</code> is not essential for the analytic to run, it is critical when identifying the command that was scheduled.</p><p>Analytic 1 - Scheduled Task</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") Image="*at.exe"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1053/003">.003</a> </td> <td> <a href="/techniques/T1053/003">Cron</a> </td> <td> <p>Create a baseline of cron jobs and the processes that they spawn in your environment. Monitor for newly spawned outlier processes that are executed through cron jobs that have not been seen before when compared against the baseline data.</p><p>Analytic 1 - Unusual Cron Job Creation</p><p><code> index=os_logs sourcetype=process_creation (process_name="*cron*" OR process_name="*/usr/sbin/cron*") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1053/005">.005</a> </td> <td> <a href="/techniques/T1053/005">Scheduled Task</a> </td> <td> <p>Monitor for newly constructed processes and/or command-lines that execute from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. <span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved September 12, 2024."data-reference="Twitter Leoloobeek Scheduled Task"><sup><a href="https://x.com/leoloobeek/status/939248813465853953" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a></sup></span> If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Look for instances of <code> schtasks.exe </code> running as processes. 
The <code> command_line </code> field is necessary to disambiguate between types of schtasks commands. These include the flags <code>/create </code>,<code> /run</code>,<code> /query</code>,<code> /delete</code>,<code> /change</code>, and <code> /end</code>.</p><p>Detection of the creation or modification of Scheduled Tasks with a suspicious script, extension or user writable path. Attackers may create or modify Scheduled Tasks for the persistent execution of malicious code. This detection focuses at the same time on EventIDs 4688 and 1 with process creation (SCHTASKS) and EventID 4698, 4702 for Scheduled Task creation/modification event log.</p><p>Analytic 1 - New processes whose parent processes are svchost.exe or taskeng.exe</p><p><code> (source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") AND (ParentImage="*svchost.exe*" OR ParentImage="*taskeng.exe*")</code></p><p>Analytic 2 - Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths</p><p><code>( (source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") CommandLine="*SCHTASKS*" (CommandLine="*/CREATE*" OR CommandLine="*/CHANGE*") ) ( ( CommandLine="*.cmd*" OR CommandLine="*.ps1*" OR CommandLine="*.vbs*" OR CommandLine="*.py*" OR CommandLine="*.js*" OR CommandLine="*.exe*" OR CommandLine="*.bat*" ) OR ( CommandLine="*javascript*" OR CommandLine="*powershell*" OR CommandLine="*wmic*" OR CommandLine="*rundll32*" OR CommandLine="*cmd*" OR CommandLine="*cscript*" OR CommandLine="*wscript*" OR CommandLine="*regsvr32*" OR CommandLine="*mshta*" OR CommandLine="*bitsadmin*" OR CommandLine="*certutil*" OR CommandLine="*msiexec*" OR 
CommandLine="*javaw*" ) OR ( CommandLine="*%APPDATA%*" OR CommandLine="*\AppData\Roaming*" OR CommandLine="*%PUBLIC%*" OR CommandLine="*C:\Users\Public*" OR CommandLine="*%ProgramData%*" OR CommandLine="*C:\ProgramData*" OR CommandLine="*%TEMP%*" OR CommandLine="*\AppData\Local\Temp*" OR CommandLine="*\Windows\PLA\System*" OR CommandLine="*\tasks*" OR CommandLine="*\Registration\CRMLog*" OR CommandLine="*\FxsTmp*" OR CommandLine="*\spool\drivers\color*" OR CommandLine="*\tracing*" ) )</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1053/006">.006</a> </td> <td> <a href="/techniques/T1053/006">Systemd Timers</a> </td> <td> <p>Monitor for newly constructed processes and/or command-lines that will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user.</p><p>Note: This query looks for processes spawned by systemd (parent process systemd, with a PID of 1). These processes should be examined for anomalous behavior, particularly when running as the root user.</p><p>Analytic 1 - Look for processes with parent process systemd and unusual parameters.</p><p><code> sourcetype=linux_process_creation parent_process_name="systemd"</code></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0853">T0853</a> </td> <td> <a href="/techniques/T0853">Scripting</a> </td> <td> <p>Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. 
Also monitor for loading of modules associated with specific languages.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1505">T1505</a> </td> <td> <a href="/techniques/T1505">Server Software Component</a> </td> <td> <p>Process monitoring may be used to detect server components that perform suspicious actions such as running cmd.exe or accessing files.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1505/003">.003</a> </td> <td> <a href="/techniques/T1505/003">Web Shell</a> </td> <td> <p>Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is very similar to the following short payload: <span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015."data-reference="Lee 2013"><sup><a href="https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a></sup></span></p><p><code>&lt;?php @evaI($_P0ST['password']);&gt;</code></p><p>Nevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as spawning cmd.exe or accessing files that are not in the Web directory.<span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" title=" NSA Cybersecurity Directorate. (n.d.). Mitigating Web Shells. 
Retrieved July 22, 2021."data-reference="NSA Cyber Mitigating Web Shells"><sup><a href="https://github.com/nsacyber/Mitigating-Web-Shells" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a></sup></span></p><p>A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gateway into a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This analytic looks for host enumeration executables initiated by any web service that would not normally be executed within that environment.</p><p>Analytic 1 - Webshell-Indicative Process Tree</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") (ParentImage="C:\Windows\System32\*w3wp.exe" OR ParentImage="*httpd.exe" OR ParentImage="*tomcat*.exe" OR ParentImage="*nginx.exe")(Image="C:\Windows\System32\cmd.exe OR Image="C:\Windows\SysWOW64\cmd.exe" OR Image="C:\Windows\System32\*\powershell.exe OR Image="C:\Windows\SysWOW64\*\powershell.exe OR Image="C:\Windows\System32\net.exe" OR Image="C:\Windows\System32\hostname.exe" OR Image="C:\Windows\System32\whoami.exe" OR Image="*systeminfo.exe OR Image="C:\Windows\System32\ipconfig.exe")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1505/005">.005</a> </td> <td> <a href="/techniques/T1505/005">Terminal Services DLL</a> </td> <td> <p>Monitor processes with arguments that may potentially highlight adversary actions to modify Registry values (ex: <code>reg.exe</code>) or modify/replace the legitimate <code>termsrv.dll</code>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1489">T1489</a> </td> <td> <a href="/techniques/T1489">Service Stop</a> </td> <td> <p>Monitor for 
newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0881">T0881</a> </td> <td> <a href="/techniques/T0881">Service Stop</a> </td> <td> <p>Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1072">T1072</a> </td> <td> <a href="/techniques/T1072">Software Deployment Tools</a> </td> <td> <p>Monitor for newly executed processes that do not correlate to known good software. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems. </p><p>Note: This query detects the creation of suspicious processes initiated by system or administrative accounts (such as SYSTEM, Admin, or SCCM) that are not typical for those users, and filters the process creation based on unusual patterns. 
Processes like cmd.exe, powershell.exe, or python executed in this context without an expected parent process or correlation to authorized events should be flagged for investigation.</p><p>Analytic 1 - Look for unusual software deployment processes, unexpected binaries or scripts, non-standard execution trees</p><p><code>sourcetype=WinEventLog:Security OR sourcetype=linux_audit | search (process_name IN ("cmd.exe", "powershell.exe", "sh", "bash", "python", "wscript", "msiexec.exe", "installer") AND user IN ("SYSTEM", "Admin", "SCCM")) </code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1518">T1518</a> </td> <td> <a href="/techniques/T1518">Software Discovery</a> </td> <td> <p>Monitor newly executed processes that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1518/001">.001</a> </td> <td> <a href="/techniques/T1518/001">Security Software Discovery</a> </td> <td> <p>Monitor newly executed processes that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0865">T0865</a> </td> <td> <a href="/techniques/T0865">Spearphishing Attachment</a> </td> <td> <p>Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. 
Retrieved November 30, 2020."data-reference="Elastic - Koadiac Detection with EQL"><sup><a href="https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span> For added context on adversary procedures and background see <a href="/techniques/T1566/001">Spearphishing Attachment</a>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1553">T1553</a> </td> <td> <a href="/techniques/T1553">Subvert Trust Controls</a> </td> <td> <p>Monitor processes and arguments for malicious attempts to modify trust settings, such as the installation of root certificates or modifications to trust attributes/policies applied to files.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1553/001">.001</a> </td> <td> <a href="/techniques/T1553/001">Gatekeeper Bypass</a> </td> <td> <p>Monitor and investigate attempts to modify extended file attributes with utilities such as <code>xattr</code>. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1553/004">.004</a> </td> <td> <a href="/techniques/T1553/004">Install Root Certificate</a> </td> <td> <p>Monitor for processes, such as <code>certmgr.exe</code> (macOS) or <code>certutil.exe</code> (Windows), that can be used to install root certificates. A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. 
<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018."data-reference="SpectorOps Code Signing Dec 2017"><sup><a href="https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a></sup></span> Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through <code>authroot.stl</code>. <span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018."data-reference="SpectorOps Code Signing Dec 2017"><sup><a href="https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a></sup></span> The Sysinternals Sigcheck utility can also be used (<code>sigcheck[64].exe -tuv</code>) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List. <span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" title="Russinovich, M. et al.. (2017, May 22). Sigcheck. 
Retrieved April 3, 2018."data-reference="Microsoft Sigcheck May 2017"><sup><a href="https://docs.microsoft.com/sysinternals/downloads/sigcheck" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a></sup></span></p><p>Analytic 1 - Attempt to Add Certificate to Untrusted Store</p><p><code> (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND Image="C:\Windows\System32\certutil.exe" CommandLine="*-addstore*"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1553/006">.006</a> </td> <td> <a href="/techniques/T1553/006">Code Signing Policy Modification</a> </td> <td> <p>Monitor processes and command-line arguments for actions that could be taken to modify the code signing policy of a system, such as <code>bcdedit.exe -set TESTSIGNING ON</code>. <span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021."data-reference="Microsoft TESTSIGNING Feb 2021"><sup><a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1218">T1218</a> </td> <td> <a href="/techniques/T1218">System Binary Proxy Execution</a> </td> <td> <p>Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. 
Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/001">.001</a> </td> <td> <a href="/techniques/T1218/001">Compiled HTML File</a> </td> <td> <p>Monitor and analyze the execution and arguments of hh.exe. <span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="Moe, O. (2017, August 13). Bypassing Device guard UMCI using CHM – CVE-2017-8625. Retrieved October 3, 2018."data-reference="MsitPros CHM Aug 2017"><sup><a href="https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a></sup></span> Compare recent invocations of hh.exe with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands). Non-standard process execution trees may also indicate suspicious or malicious behavior, such as if hh.exe is the parent process for suspicious processes and activity relating to other adversarial techniques.</p><p>Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for the creation of any HTML Help Executable (<code> hh.exe </code>) processes. Adversaries may hide malicious code in <code> .chm </code> compiled help files; whenever a user tries to open one of these files, Windows executes the HTML Help Executable. Therefore, if there are legitimate uses of compiled help files in your environment, this analytic may lead to false positives and will require additional tuning. 
</p><p>Analytic 1 - Compiled HTML Access</p><p><code> (source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") Image="C:\Windows\syswow64\hh.exe" OR Image="C:\Windows\system32\hh.exe" </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/002">.002</a> </td> <td> <a href="/techniques/T1218/002">Control Panel</a> </td> <td> <p>Monitor and analyze activity related to items associated with CPL files, such as the control.exe. Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="Mercês, F. (2014, January 27). CPL Malware - Malicious Control Panel Items. Retrieved January 18, 2018."data-reference="TrendMicro CPL Malware Jan 2014"><sup><a href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/003">.003</a> </td> <td> <a href="/techniques/T1218/003">CMSTP</a> </td> <td> <p>Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Sysmon events can also be used to identify potential abuses of CMSTP.exe. 
Detection strategy may depend on the specific adversary procedure, but potential rules include: <span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon.. Retrieved August 6, 2018."data-reference="Endurant CMSTP July 2018"><sup><a href="http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a></sup></span></p><ul><li>To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe</li><li>Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).</li></ul> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/004">.004</a> </td> <td> <a href="/techniques/T1218/004">InstallUtil</a> </td> <td> <p>Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/005">.005</a> </td> <td> <a href="/techniques/T1218/005">Mshta</a> </td> <td> <p>Use process monitoring to monitor the execution and arguments of mshta.exe.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/007">.007</a> </td> <td> <a href="/techniques/T1218/007">Msiexec</a> </td> <td> <p>Use process monitoring to monitor the execution and arguments of msiexec.exe. 
Compare recent invocations of msiexec.exe with prior history of known good arguments and executed MSI files.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/008">.008</a> </td> <td> <a href="/techniques/T1218/008">Odbcconf</a> </td> <td> <p>Use process monitoring to monitor the execution and arguments of odbcconf.exe. Compare recent invocations of odbcconf.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/009">.009</a> </td> <td> <a href="/techniques/T1218/009">Regsvcs/Regasm</a> </td> <td> <p>Use process monitoring to monitor the execution and arguments of Regsvcs.exe and Regasm.exe. Compare recent invocations of Regsvcs.exe and Regasm.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/010">.010</a> </td> <td> <a href="/techniques/T1218/010">Regsvr32</a> </td> <td> <p>Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.</p><p>Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). - Analytic 1 is a more generic analytic that looks for suspicious usage of regsvr32.exe, specifically for cases where regsvr32.exe creates child processes that aren’t itself. 
It’s not likely that this will result in millions of hits, but it does occur during benign activity so some form of baselining would be necessary for this to be useful as an alerting analytic. - Analytic 2 is around "Squiblydoo", which is a specific usage of regsvr32.exe to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It looks for regsvr32.exe process creation events that load scrobj.dll via the command-line (which executes the COM scriptlet). - Analytic 3 uses the same logic as above, but adds lightweight baselining by ignoring all results that also showed up in the previous 30 days (it runs over 1 day). - Analytic 4 looks for child processes that may be spawned by regsvr32, while attempting to eliminate some of the common false positives such as werfault (Windows Error Reporting).</p><p>Analytic 1 - Generic Regsvr32</p><p><code> (source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*"</code></p><p>Analytic 2 - Squiblydoo</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") regsvr32.exe scrobj.dll | search Image="*regsvr32.exe"</code></p><p>Analytic 3 - New Items since last month </p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") earliest=-d@d latest=now() regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*" | search NOT [search (source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") earliest=-60d@d latest=-30d@d regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*" | dedup CommandLine | fields CommandLine ]</code></p><p>Analytic 4 - Spawning Child Processes 
</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") (ParentImage="C:\Windows\System32\regsvr32.exe" OR ParentImage="C:\Windows\SysWOW64\regsvr32.exe") AND Image!="C:\Windows\System32\regsvr32.exe" AND Image!="C:\Windows\SysWOW64\regsvr32.exe" AND Image!="C:\WINDOWS\System32\regsvr32.exe" AND Image!="C:\WINDOWS\SysWOW64\regsvr32.exe" AND Image!="C:\Windows\SysWOW64\WerFault.exe" AND Image!="C:\Windows\System32\wevtutil.exe" AND Image!="C:\Windows\System32\WerFault.exe"|stats values(ComputerName) as "Computer Name" values(ParentCommandLine) as "Parent Command Line" count(Image) as ImageCount by Image</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/011">.011</a> </td> <td> <a href="/techniques/T1218/011">Rundll32</a> </td> <td> <p>Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. </p><p>When monitoring for all instances of Rundll32 execution, as defined by the logic in the Detection Pseudocode, it is imperative to also investigate the full set of command-line parameters used. These parameters contain key information about the DLL payload, including the name, entry point, and optional arguments.</p><p>Note: Event IDs are for Sysmon (Event ID 10 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for any instances of rundll32.exe but does no other filtering, which may result in false positives. 
Therefore, we recommend tuning any such analytics by including additional logic (e.g., testing the name of the user that created the process) that helps reduce false positives.</p><p>Analytic 1 - RunDLL32.exe Monitoring</p><p><code> (source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") Image= "rundll32.exe"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/012">.012</a> </td> <td> <a href="/techniques/T1218/012">Verclsid</a> </td> <td> <p>Use process monitoring to monitor the execution and arguments of verclsid.exe. Compare recent invocations of verclsid.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Depending on the environment, it may be unusual for verclsid.exe to have a parent process of a Microsoft Office product. It may also be unusual for verclsid.exe to have any child processes or to make network connections or file modifications.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/013">.013</a> </td> <td> <a href="/techniques/T1218/013">Mavinject</a> </td> <td> <p>Monitor the execution and arguments of mavinject.exe. Compare recent invocations of mavinject.exe with prior history of known good arguments and injected DLLs to determine anomalous and potentially adversarial activity.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/014">.014</a> </td> <td> <a href="/techniques/T1218/014">MMC</a> </td> <td> <p>Monitor processes for suspicious or malicious use of MMC. 
Since MMC is a signed Windows binary, verify use of MMC is legitimate and not malicious.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1218/015">.015</a> </td> <td> <a href="/techniques/T1218/015">Electron Applications</a> </td> <td> <p>Monitor processes and command-line parameters for binaries associated with Electron apps that may be used to proxy execution of malicious content. Compare recent invocations of these binaries with prior history of known good arguments to determine anomalous and potentially adversarial activity.</p><p>Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0894">T0894</a> </td> <td> <a href="/techniques/T0894">System Binary Proxy Execution</a> </td> <td> <p>Monitor for unusual processes execution, especially for processes that allow the proxy execution of malicious files.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1082">T1082</a> </td> <td> <a href="/techniques/T1082">System Information Discovery</a> </td> <td> <p>Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1614">T1614</a> </td> <td> <a href="/techniques/T1614">System Location Discovery</a> </td> <td> <p>Monitor newly executed processes that may gather information in an attempt to calculate the geographical location of a victim host.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1614/001">.001</a> </td> 
<td> <a href="/techniques/T1614/001">System Language Discovery</a> </td> <td> <p>Monitor for newly executed processes that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1016">T1016</a> </td> <td> <a href="/techniques/T1016">System Network Configuration Discovery</a> </td> <td> <p>Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses.</p><p>Note: The Analytic looks for the creation of <a href="/software/S0100">ipconfig</a>, <a href="/software/S0103">route</a>, and <a href="/software/S0102">nbtstat</a> processes, all of which are system administration utilities that can be used for the purpose of system network configuration discovery. If these tools are commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning. 
</p><p>Analytic 1 - Suspicious Process</p><p><code>(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND (Image="C:\Windows\System32\ipconfig.exe" OR Image="C:\Windows\System32\route.exe" OR Image="C:\Windows\System32\nbtstat.exe")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1016/001">.001</a> </td> <td> <a href="/techniques/T1016/001">Internet Connection Discovery</a> </td> <td> <p>Monitor for executed processes (such as tracert or ping) that may check for Internet connectivity on compromised systems.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1049">T1049</a> </td> <td> <a href="/techniques/T1049">System Network Connections Discovery</a> </td> <td> <p>Monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1033">T1033</a> </td> <td> <a href="/techniques/T1033">System Owner/User Discovery</a> </td> <td> <p>Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.</p><p>Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for any instances of <a href="/software/S0110">at</a> being created, therefore implying the querying or creation of tasks. 
If this tool is commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning. </p><p>Analytic 1 - Suspicious Process Execution</p><p><code> (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND Image="*at.exe"</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1216">T1216</a> </td> <td> <a href="/techniques/T1216">System Script Proxy Execution</a> </td> <td> <p>Monitor script processes, such as <code>cscript</code>, that may be used to proxy execution of malicious files.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1216/001">.001</a> </td> <td> <a href="/techniques/T1216/001">PubPrn</a> </td> <td> <p>Monitor script processes, such as <code>cscript</code>, that may be used to proxy execution of malicious files.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1216/002">.002</a> </td> <td> <a href="/techniques/T1216/002">SyncAppvPublishingServer</a> </td> <td> <p>Monitor script processes, such as <code>wscript.exe</code>, that may be used to proxy execution of malicious files. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1007">T1007</a> </td> <td> <a href="/techniques/T1007">System Service Discovery</a> </td> <td> <p>Monitor for newly executed processes with arguments that may try to get information about registered services. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. 
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.</p><p>Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). For event id 4688, depending on Windows version, you might need to enable <code> Administrative Templates\System\Audit Process Creation\Include command line in process creation events </code> group policy to include command line in process creation events.</p><p>Analytic 1 - Suspicious Processes</p><p><code>((sourcetype="WinEventLog:Security" EventCode="4688") OR (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") | WHERE ((CommandLine LIKE "%sc%" AND CommandLine LIKE "%query%") OR (CommandLine LIKE "%tasklist%" AND CommandLine LIKE "%/svc%") OR (CommandLine LIKE "%systemctl%" AND CommandLine LIKE "%--type=service%") OR (CommandLine LIKE "%net%" AND CommandLine LIKE "%start%"))</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1569">T1569</a> </td> <td> <a href="/techniques/T1569">System Services</a> </td> <td> <p>Monitor newly executed processes that may abuse system services or daemons to execute commands or programs.</p><p>Analytic 1 - New processes abusing system services.</p><p><code>sourcetype=process_logs| search process IN ("services.exe", "systemd", "launchd") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1569/001">.001</a> </td> <td> <a href="/techniques/T1569/001">Launchctl</a> </td> <td> <p>Monitor for newly executed daemons that may abuse launchctl to execute commands or programs.</p><p>Analytic 1 - Executable path is in unusual directories</p><p><code>sourcetype=osquery OR sourcetype=auditd| search parent_process="launchctl" AND process_path IN 
("/tmp/*", "/Shared/*") </code> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1569/002">.002</a> </td> <td> <a href="/techniques/T1569/002">Service Execution</a> </td> <td> <p>Monitor for newly executed processes that may abuse the Windows service control manager to execute malicious commands or payloads.</p><p>Events 4688 (Microsoft Windows Security Auditing) and 1 (Microsoft Windows Sysmon) provide context of Windows process creation that can be used to implement this detection.</p><p>This detection is based on uncommon process and parent process relationships. Service Control Manager spawning command shell is a good starting point. Add more suspicious relationships based on the reality of your network environment.</p><p>In order to reduce false positives, you can also filter the CommandLine event field using parameters such as /c which carries out the command specified by the parent process.</p><p>Analytic 1 - Service Execution</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") | WHERE ParentImage LIKE "*services.exe" AND Image LIKE "*cmd.exe"</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1529">T1529</a> </td> <td> <a href="/techniques/T1529">System Shutdown/Reboot</a> </td> <td> <p>Monitor for newly executed processes of binaries involved in shutting down or rebooting systems.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1124">T1124</a> </td> <td> <a href="/techniques/T1124">System Time Discovery</a> </td> <td> <p>Monitor for newly executed processes that may gather the system time and/or time zone from a local or remote system.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td 
colspan="2"> <a href="/techniques/T1080">T1080</a> </td> <td> <a href="/techniques/T1080">Taint Shared Content</a> </td> <td> <p>Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1221">T1221</a> </td> <td> <a href="/techniques/T1221">Template Injection</a> </td> <td> <p>Analyze process behavior to determine if an Office application is performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: <a href="/techniques/T1059/001">PowerShell</a>), or other suspicious actions that could relate to post-compromise behavior.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1205">T1205</a> </td> <td> <a href="/techniques/T1205">Traffic Signaling</a> </td> <td> <p>Identify running processes with raw sockets. Ensure processes listed have a need for an open raw socket and are in accordance with enterprise policy.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="Jamie Harries. (2022, May 25). Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun. Retrieved October 18, 2022."data-reference="crowdstrike bpf socket filters"><sup><a href="https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1205/002">.002</a> </td> <td> <a href="/techniques/T1205/002">Socket Filters</a> </td> <td> <p>Identify running processes with raw sockets. 
Ensure processes listed have a need for an open raw socket and are in accordance with enterprise policy.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="Jamie Harries. (2022, May 25). Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun. Retrieved October 18, 2022."data-reference="crowdstrike bpf socket filters"><sup><a href="https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1127">T1127</a> </td> <td> <a href="/techniques/T1127">Trusted Developer Utilities Proxy Execution</a> </td> <td> <p>Monitor for the abnormal presence of these or other utilities that enable proxy execution and that are typically used for development, debugging, and reverse engineering; their presence on a system that is not used for these purposes may be suspicious. Use process monitoring to monitor the execution and arguments of developer utilities that may be abused. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that these utilities will be used by software developers or for other software development related tasks, so if such a utility exists and is used outside of that context, then the event may be suspicious.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1127/001">.001</a> </td> <td> <a href="/techniques/T1127/001">MSBuild</a> </td> <td> <p>Monitor for newly executed processes of MSBuild.exe. 
Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity.</p><p>Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe, which will execute any C# code placed within a given XML document; and msxsl.exe, which processes xsl transformation specifications for XML files and will execute a variety of scripting languages contained within the XSL file. Both of these executables are rarely used outside of Visual Studio.</p><p>Analytic 1 - MSBuild and msxsl</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")(Image="C:\Program Files (x86)\Microsoft Visual Studio\*\bin\MSBuild.exe" OR Image="C:\Windows\Microsoft.NET\Framework*\msbuild.exe" OR Image="C:\users\*\appdata\roaming\microsoft\msxsl.exe") ParentImage!="*\Microsoft Visual Studio*")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1127/002">.002</a> </td> <td> <a href="/techniques/T1127/002">ClickOnce</a> </td> <td> <p>Monitor for newly executed child processes of dfsvc.exe that may be indicative of malicious ClickOnce applications.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1552">T1552</a> </td> <td> <a href="/techniques/T1552">Unsecured Credentials</a> </td> <td> <p>Monitor newly executed processes that may search compromised systems to find and obtain insecurely stored credentials.</p><p>Analytic 1 - New processes with parameters indicating credential searches.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode=4688 CommandLine="*password*" OR CommandLine="*credential*") OR(index=sysmon 
sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine="*password*" OR CommandLine="*credential*") OR(index=os sourcetype="linux_audit" action="execve" CommandLine="*password*" OR CommandLine="*credential*") OR(index=os sourcetype="macos_secure" event_type="execve" CommandLine="*password*" OR CommandLine="*credential*")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1552/001">.001</a> </td> <td> <a href="/techniques/T1552/001">Credentials In Files</a> </td> <td> <p>Monitor newly executed processes that search local file systems and remote file shares for files containing insecurely stored credentials.</p><p>Note: Pseudocode Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for command-line instances of searching the Windows Registry for insecurely stored credentials. This can be accomplished using the query functionality of the <a href="/software/S0075">Reg</a> system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as <a href="/software/S0194">PowerSploit</a> in order to dump credentials from various applications such as IIS. 
Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality.</p><p>Analytic 1 - Credentials in Files &amp; Registry</p><p><code>(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")<br>CommandLine="*reg* query HKLM /f password /t REG_SZ /s*" OR CommandLine="reg* query HKCU /f password /t REG_SZ /s" OR CommandLine="*Get-UnattendedInstallFile*" OR CommandLine="*Get-Webconfig" OR CommandLine="*Get-ApplicationHost*" OR CommandLine="*Get-SiteListPassword*" OR CommandLine="*Get-CachedGPPPassword*" OR CommandLine="*Get-RegistryAutoLogon*"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1552/002">.002</a> </td> <td> <a href="/techniques/T1552/002">Credentials in Registry</a> </td> <td> <p>Monitor newly executed processes for applications that can be used to query the Registry, such as <a href="/software/S0075">Reg</a>, and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.</p><p>Note: Pseudocode Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for command-line instances of searching the Windows Registry for insecurely stored credentials. This can be accomplished using the query functionality of the <a href="/software/S0075">Reg</a> system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as <a href="/software/S0194">PowerSploit</a> in order to dump credentials from various applications such as IIS. 
Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality.</p><p>Analytic 1 - Credentials in Files &amp; Registry</p><p><code>(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")<br>CommandLine="*reg* query HKLM /f password /t REG_SZ /s*" OR CommandLine="reg* query HKCU /f password /t REG_SZ /s" OR CommandLine="*Get-UnattendedInstallFile*" OR CommandLine="*Get-Webconfig" OR CommandLine="*Get-ApplicationHost*" OR CommandLine="*Get-SiteListPassword*" OR CommandLine="*Get-CachedGPPPassword*" OR CommandLine="*Get-RegistryAutoLogon*" </code></p><p>Analytic 2 - New processes with parameters indicating credential searches.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode=4688 CommandLine="*reg query* /f password /t REG_SZ /s*") OR(index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine="*reg query* /f password /t REG_SZ /s*")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1204">T1204</a> </td> <td> <a href="/techniques/T1204">User Execution</a> </td> <td> <p>Identify processes spawned by user actions, especially from Office documents, PDFs, or web browsers that could lead to malicious execution.</p><p>Analytic 1 - Processes created from user interaction with files.</p><p><code> ((sourcetype=WinEventLog:Security EventCode=4688) OR (sourcetype=Sysmon EventCode=1))| search parent_process IN ("winword.exe", "excel.exe", "chrome.exe", "firefox.exe")| stats count by parent_process process_name command_line user| where process_name NOT IN ("chrome.exe", "firefox.exe", "winword.exe", "excel.exe")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a 
href="/techniques/T1204/002">.002</a> </td> <td> <a href="/techniques/T1204/002">Malicious File</a> </td> <td> <p>Monitor for processes spawned after opening a suspicious file. Common applications that might be exploited are Microsoft Word, PDF readers, or compression utilities.</p><p>Analytic 1 - Processes created from malicious files.</p><p><code> (sourcetype=WinEventLog:Security EventCode=4688) OR (sourcetype=Sysmon EventCode=1)| search process_name IN ("WINWORD.EXE", "EXCEL.EXE", "PDFReader.exe", "7z.exe", "powershell.exe", "cmd.exe")| stats count by process_name parent_process_name command_line user| where parent_process_name IN ("explorer.exe", "outlook.exe", "thunderbird.exe")</code></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0863">T0863</a> </td> <td> <a href="/techniques/T0863">User Execution</a> </td> <td> <p>Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a> in payloads.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1497">T1497</a> </td> <td> <a href="/techniques/T1497">Virtualization/Sandbox Evasion</a> </td> <td> <p>Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. 
Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1497/001">.001</a> </td> <td> <a href="/techniques/T1497/001">System Checks</a> </td> <td> <p>Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1497/002">.002</a> </td> <td> <a href="/techniques/T1497/002">User Activity Based Checks</a> </td> <td> <p>User activity-based checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. 
Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1497/003">.003</a> </td> <td> <a href="/techniques/T1497/003">Time Based Evasion</a> </td> <td> <p>Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1047">T1047</a> </td> <td> <a href="/techniques/T1047">Windows Management Instrumentation</a> </td> <td> <p>Monitor for newly constructed processes and/or command-lines of "wmic". If the command line utility <code>wmic.exe</code> is used on the source host, then it can additionally be detected with an analytic. The command line on the source host is constructed into something like <code>wmic.exe /node:"&lt;hostname&gt;" process call create "&lt;command line&gt;"</code>. It is possible to also connect via IP address, in which case the string <code>"&lt;hostname&gt;"</code> would instead be an IP address. 
Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility PowerShell.</p><p>Note: Event IDs are for Sysmon (Event ID 10 - process access) and Windows Security Log (Event ID 4688 - a new process has been created). </p><p>Besides executing arbitrary processes, wmic.exe can also be used to execute data stored in NTFS alternate data streams (<a href="/techniques/T1564/004">NTFS File Attributes</a>). The analytic looks for instances of wmic.exe as well as the following substrings in the command line: "process call create" and "/node:".</p><p>Analytic 1 - Detect wmic.exe process creation with command lines containing process call create or /node:.</p><p><code> index=security sourcetype="WinEventLog:Security" (EventCode=4688 OR EventCode=4656 OR EventCode=4103 OR EventCode=800) | eval command_line = coalesce(CommandLine, ParentCommandLine) | where (ProcessName="wmic.exe" AND (command_line LIKE "%/node:%" OR command_line LIKE "%process call create%")) OR (command_line LIKE "*Invoke-WmiMethod*" OR command_line LIKE "*Get-WmiObject*" OR command_line LIKE "*gwmi*" OR command_line LIKE "*win32_process*")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1220">T1220</a> </td> <td> <a href="/techniques/T1220">XSL Script Processing</a> </td> <td> <p>Use process monitoring to monitor the execution and arguments of msxsl.exe and wmic.exe. <span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019."data-reference="LOLBAS Wmic"><sup><a href="https://lolbas-project.github.io/lolbas/Binaries/Wmic/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a></sup></span> <span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" title="Desimone, J. (2018, April 18). Status Update. 
Retrieved September 12, 2024."data-reference="Twitter SquiblyTwo Detection APR 2018"><sup><a href="https://x.com/dez_/status/986614411711442944" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a></sup></span> Command arguments used before and after the script invocation may also be useful in determining the origin and purpose of the payload being loaded. The presence of msxsl.exe or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.</p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view enterprise mobile ics "> <a class="anchor" id="Process Metadata"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">Process: Process Metadata</h4> <div class="description-body"> <p>Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">Process: Process Metadata</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1548">T1548</a> </td> <td> <a href="/techniques/T1548">Abuse Elevation Control Mechanism</a> </td> <td> <p>Monitor contextual data about a running process, which may include information 
such as environment variables, image name, user/owner that may circumvent mechanisms designed to control elevated privileges in order to gain higher-level permissions.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1548/002">.002</a> </td> <td> <a href="/techniques/T1548/002">Bypass User Account Control</a> </td> <td> <p>Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner that may bypass UAC mechanisms to elevate process privileges on a system.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1548/003">.003</a> </td> <td> <a href="/techniques/T1548/003">Sudo and Sudo Caching</a> </td> <td> <p>Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner that may perform sudo caching and/or use the sudoers file to elevate privileges.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1134">T1134</a> </td> <td> <a href="/techniques/T1134">Access Token Manipulation</a> </td> <td> <p>Query systems for process and thread token information and look for inconsistencies such as user-owned processes impersonating the local SYSTEM account.<span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" title="Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. 
Retrieved December 21, 2017."data-reference="BlackHat Atkinson Winchester Token Manipulation"><sup><a href="https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a></sup></span> Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1134/004">.004</a> </td> <td> <a href="/techniques/T1134/004">Parent PID Spoofing</a> </td> <td> <p>Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.<span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" title="Loh, I. (2018, December 21). Detecting Parent PID Spoofing. 
Retrieved June 3, 2019."data-reference="CounterCept PPID Spoofing Dec 2018"><sup><a href="https://www.countercept.com/blog/detecting-parent-pid-spoofing/" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1059">T1059</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a> </td> <td> <p>Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. For example, consider monitoring for Windows Event ID (EID) 400, which shows the version of PowerShell executing in the <code>EngineVersion</code> field (which may also be relevant to detecting a potential <a href="/techniques/T1562/010">Downgrade Attack</a>) as well as if PowerShell is running locally or remotely in the <code>HostName</code> field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Hastings, M. (2014, July 16). Investigating PowerShell Attacks. 
Retrieved December 1, 2021."data-reference="inv_ps_attacks"><sup><a href="https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/001">.001</a> </td> <td> <a href="/techniques/T1059/001">PowerShell</a> </td> <td> <p>Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the <code>EngineVersion</code> field (which may also be relevant to detecting a potential <a href="/techniques/T1562/010">Downgrade Attack</a>) as well as if PowerShell is running locally or remotely in the <code>HostName</code> field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Hastings, M. (2014, July 16). Investigating PowerShell Attacks. 
Retrieved December 1, 2021."data-reference="inv_ps_attacks"><sup><a href="https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a></sup></span></p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1623">T1623</a> </td> <td> <a href="/techniques/T1623">Command and Scripting Interpreter</a> </td> <td> <p>Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/techniques/T1623/001">.001</a> </td> <td> <a href="/techniques/T1623/001">Unix Shell</a> </td> <td> <p>Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0874">T0874</a> </td> <td> <a href="/techniques/T0874">Hooking</a> </td> <td> <p>Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1562">T1562</a> </td> <td> <a href="/techniques/T1562/010">.010</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/010">Downgrade Attack</a> </td> <td> <p>Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal use of a version of system features that may be outdated, vulnerable, and/or does not support updated security controls 
such as logging. For example, monitoring for Windows event ID (EID) 400, specifically the <code>EngineVersion</code> field which shows the version of PowerShell running, may highlight a malicious downgrade attack.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Hastings, M. (2014, July 16). Investigating PowerShell Attacks. Retrieved December 1, 2021."data-reference="inv_ps_attacks"><sup><a href="https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1056">T1056</a> </td> <td> <a href="/techniques/T1056">Input Capture</a> </td> <td> <p>Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1056/004">.004</a> </td> <td> <a href="/techniques/T1056/004">Credential API Hooking</a> </td> <td> <p>Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1036">T1036</a> </td> <td> <a href="/techniques/T1036">Masquerading</a> </td> <td> <p>Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. 
</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1036/003">.003</a> </td> <td> <a href="/techniques/T1036/003">Rename System Utilities</a> </td> <td> <p>Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1036/005">.005</a> </td> <td> <a href="/techniques/T1036/005">Match Legitimate Name or Location</a> </td> <td> <p>Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0849">T0849</a> </td> <td> <a href="/techniques/T0849">Masquerading</a> </td> <td> <p>Monitor for file names that are mismatched between the file name on disk and that of the binary's metadata. This is a likely indicator that a binary was renamed after it was compiled. For added context on adversary procedures and background see <a href="/techniques/T1036">Masquerading</a> and applicable sub-techniques.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1055">T1055</a> </td> <td> <a href="/techniques/T1055">Process Injection</a> </td> <td> <p>Monitor for process memory inconsistencies, such as checking memory ranges against a known copy of the legitimate module.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="Aliz Hammond. (2019, August 15). Hiding Malicious Code with "Module Stomping": Part 1. 
Retrieved July 14, 2022."data-reference="Hiding Malicious Code with Module Stomping"><sup><a href="https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/001">.001</a> </td> <td> <a href="/techniques/T1055/001">Dynamic-link Library Injection</a> </td> <td> <p>Monitor for process memory inconsistencies compared to DLL files on disk by checking memory ranges against a known copy of the legitimate module.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="Aliz Hammond. (2019, August 15). Hiding Malicious Code with "Module Stomping": Part 1. Retrieved July 14, 2022."data-reference="Hiding Malicious Code with Module Stomping"><sup><a href="https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0853">T0853</a> </td> <td> <a href="/techniques/T0853">Scripting</a> </td> <td> <p>Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1127">T1127</a> </td> <td> <a href="/techniques/T1127">Trusted Developer Utilities Proxy Execution</a> </td> <td> <p>Evaluate Event Tracing for Windows (ETW) telemetry associated with the execution of developer utilities.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1127/002">.002</a> </td> <td> <a href="/techniques/T1127/002">ClickOnce</a> </td> <td> <p>Evaluate Event Tracing for Windows (ETW) telemetry associated with ClickOnce deployment execution.</p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view enterprise "> <a class="anchor" id="Process Modification"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">Process: Process Modification</h4> <div class="description-body"> <p>Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">Process: Process Modification</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1185">T1185</a> </td> <td> <a href="/techniques/T1185">Browser Session Hijacking</a> </td> <td> <p>This may 
be a difficult technique to detect because adversary traffic may be masked by normal user traffic. Monitor for <a href="/techniques/T1055">Process Injection</a> against browser applications.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1562">T1562</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a> </td> <td> <p>Using another process or third-party tools, monitor for modifications or access to system processes associated with logging.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/012">.012</a> </td> <td> <a href="/techniques/T1562/012">Disable or Modify Linux Audit System</a> </td> <td> <p>Using another process or third-party tools, monitor for potentially malicious modifications or access to the <code>auditd</code> system process.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1055">T1055</a> </td> <td> <a href="/techniques/T1055">Process Injection</a> </td> <td> <p>Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/001">.001</a> </td> <td> <a href="/techniques/T1055/001">Dynamic-link Library Injection</a> </td> <td> <p>Monitor for changes made to processes that may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool for doing so because it rolls up many of the necessary steps into one, and is available within Windows. 
Attackers may rename the executable, so we also use the common argument "INJECTRUNNING" as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this analytic.</p><p>Analytic 1 - DLL Injection with Mavinject</p><p><code>(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="C:\Windows\SysWOW64\mavinject.exe" OR Image="C:\Windows\System32\mavinject.exe" OR CommandLine="*/INJECTRUNNING*"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/002">.002</a> </td> <td> <a href="/techniques/T1055/002">Portable Executable Injection</a> </td> <td> <p>Monitor for changes made to processes that may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/003">.003</a> </td> <td> <a href="/techniques/T1055/003">Thread Execution Hijacking</a> </td> <td> <p>Monitor for changes made to processes that may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/004">.004</a> </td> <td> <a href="/techniques/T1055/004">Asynchronous Procedure Call</a> </td> <td> <p>Monitor for changes made to processes that may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/005">.005</a> </td> <td> <a href="/techniques/T1055/005">Thread Local Storage</a> </td> <td> <p>Monitor for 
changes made to processes that may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/008">.008</a> </td> <td> <a href="/techniques/T1055/008">Ptrace System Calls</a> </td> <td> <p>Monitor for changes made to processes that may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/012">.012</a> </td> <td> <a href="/techniques/T1055/012">Process Hollowing</a> </td> <td> <p>Monitor for changes made to processes that may inject malicious code into suspended and hollowed processes in order to evade process-based defenses.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1055/015">.015</a> </td> <td> <a href="/techniques/T1055/015">ListPlanting</a> </td> <td> <p>Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Analyze process behavior to determine if a process is performing unusual actions, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. 
</p> </td> </tr> </tbody> </table> </div> </div> <div class="col-md-12 section-view enterprise mobile ics "> <a class="anchor" id="Process Termination"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">Process: Process Termination</h4> <div class="description-body"> <p>Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">Process: Process Termination</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0803">T0803</a> </td> <td> <a href="/techniques/T0803">Block Command Message</a> </td> <td> <p>Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0804">T0804</a> </td> <td> <a href="/techniques/T0804">Block Reporting Message</a> </td> <td> <p>Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0805">T0805</a> </td> <td> <a href="/techniques/T0805">Block Serial COM</a> </td> <td> <p>Monitor for the termination of processes or services associated with ICS automation protocols 
and application software which could help detect blocked communications.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1562">T1562</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a> </td> <td> <p>Monitor for unexpected deletions of a running process (ex: Sysmon EID 5 or Windows EID 4689) that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/001">.001</a> </td> <td> <a href="/techniques/T1562/001">Disable or Modify Tools</a> </td> <td> <p>Monitor processes for unexpected termination related to security tools/services. Specifically, before execution of ransomware, monitor for rootkit tools, such as GMER, PowerTool or TDSSKiller, that may detect and terminate hidden processes and the host antivirus software.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/techniques/T1629">T1629</a> </td> <td> <a href="/techniques/T1629">Impair Defenses</a> </td> <td> <p>Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1489">T1489</a> </td> <td> <a href="/techniques/T1489">Service Stop</a> </td> <td> <p>Monitor processes and command-line arguments to see if critical processes are terminated or stop running.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/techniques/T0881">T0881</a> </td> <td> <a href="/techniques/T0881">Service Stop</a> </td> <td> <p>Monitor processes and command-line arguments to see if critical processes are terminated or stop running. 
For added context on adversary procedures and background see <a href="/techniques/T1489">Service Stop</a>.</p> </td> </tr> </tbody> </table> </div> </div> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" target="_blank"> Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx" target="_blank"> Microsoft TechNet. (n.d.). Retrieved April 25, 2017. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx" target="_blank"> Microsoft TechNet. (n.d.). Retrieved April 25, 2017. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx" target="_blank"> Microsoft TechNet. (n.d.). Retrieved April 25, 2017. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags" target="_blank"> Schofield, M. & Satran, M. (2018, May 30). Process Creation Flags. Retrieved June 4, 2019. 
</a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3" target="_blank"> Secuirtyinbits . (2019, May 14). Parent PID Spoofing (Stage 2) Ataware Ransomware Part 3. Retrieved June 6, 2019. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://learn.microsoft.com/en-us/windows/win32/printdocs/addmonitor" target="_blank"> Microsoft. (n.d.). AddMonitor function. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://developer.apple.com/documentation/security/keychain_services/keychain_items" target="_blank"> Apple. (n.d.). Keychain Items. Retrieved April 12, 2022. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank"> Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credenumeratea" target="_blank"> Microsoft. (2018, December 5). CredEnumarateA function (wincred.h). Retrieved November 24, 2020. 
</a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials" target="_blank"> Delpy, B. (2017, December 12). howto ~ credential manager saved credentials. Retrieved November 23, 2020. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944" target="_blank"> Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain.getalltrustrelationships?redirectedfrom=MSDN&view=netframework-4.7.2#System_DirectoryServices_ActiveDirectory_Domain_GetAllTrustRelationships" target="_blank"> Microsoft. (n.d.). Domain.GetAllTrustRelationships Method. Retrieved February 14, 2019. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" target="_blank"> Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017. 
</a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexa" target="_blank"> Microsoft. (2023, February 8). CreateMutexA function (synchapi.h). Retrieved September 19, 2024. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/" target="_blank"> Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/" target="_blank"> Moe, O. (2018, January 14). Putting Data in Alternate Data Streams and How to Execute It. Retrieved June 30, 2018. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/" target="_blank"> Moe, O. (2018, April 11). Putting Data in Alternate Data Streams and How to Execute It - Part 2. Retrieved June 30, 2018. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea" target="_blank"> Atkinson, J. (2017, July 18). Host-based Threat Modeling & Indicator Design. Retrieved March 21, 2018. 
</a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank"> Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx" target="_blank"> Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html" target="_blank"> Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://github.com/prekageo/winhook" target="_blank"> Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://github.com/jay/gethooks" target="_blank"> Satiro, J. (2011, September 14). GetHooks. Retrieved December 12, 2017. 
</a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/" target="_blank"> Felici, M. (2006, December 6). Any application-defined hook procedure on my machine?. Retrieved December 12, 2017. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/" target="_blank"> Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense against user-land. Retrieved December 12, 2017. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://medium.com/@vishavjitsingh.csi/timestomping-explained-on-api-level-f0c219cf3dc9" target="_blank"> Vishavjit Singh. (2023, June 22). TIMESTOMPING EXPLAINED ON API LEVEL. Retrieved June 20, 2024. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html" target="_blank"> Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping Detection – NTFS Forensics. Retrieved September 30, 2024. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf" target="_blank"> Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016. 
</a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www.secureworks.com/research/skeleton-key-malware-analysis" target="_blank"> Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://learn.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify" target="_blank"> Microsoft. (2021, October 21). NPLogonNotify function (npapi.h). Retrieved March 30, 2023. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://docs.microsoft.com/sysinternals/downloads/reghide" target="_blank"> Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353" target="_blank"> Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull" target="_blank"> Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018. 
</a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection" target="_blank"> Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html" target="_blank"> Pinola, M. (2014, December 14). 3 tools to check your hard drive's health and make sure it's not already dying on you. Retrieved October 2, 2018. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text">SanDisk. (n.d.). Self-Monitoring, Analysis and Reporting Technology (S.M.A.R.T.). Retrieved October 2, 2018.</span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://www.smartmontools.org/" target="_blank"> smartmontools. (n.d.). smartmontools. Retrieved October 2, 2018. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text">Ligh, M.H. et al. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017.</span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://www.gnu.org/software/acct/" target="_blank"> GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017. 
</a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing" target="_blank"> Jahoda, M. et al. (2017, March 14). Red Hat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html" target="_blank"> stderr. (2014, February 14). Detecting Userland Preload Rootkits. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx" target="_blank"> Microsoft. (n.d.). GetWindowLong function. Retrieved December 16, 2017. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx" target="_blank"> Microsoft. (n.d.). SetWindowLong function. Retrieved December 16, 2017. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx" target="_blank"> Microsoft. (n.d.). SendNotifyMessage function. Retrieved December 16, 2017. 
</a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf" target="_blank"> Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: Process Doppelgänging. Retrieved December 20, 2017. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="47.0"> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/" target="_blank"> hasherezade. (2017, December 18). Process Doppelgänging – a new way to impersonate a process. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://0x00sec.org/t/super-stealthy-droppers/3715" target="_blank"> 0x00pico. (2017, September 25). Super-Stealthy Droppers. Retrieved October 4, 2021. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/" target="_blank"> Landry, J. (2016, April 21). Teaching an old RAT new tricks. Retrieved October 4, 2021. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8" target="_blank"> Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020. 
</a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/" target="_blank"> Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf" target="_blank"> FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://www.ise.io/casestudies/password-manager-hacking/" target="_blank"> ise. (2019, February 19). Password Managers: Under the Hood of Secrets Management. Retrieved January 22, 2021. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://versprite.com/blog/exploiting-vyprvpn-for-macos/" target="_blank"> VerSprite. (2018, January 24). Exploiting VyprVPN for MacOS. Retrieved April 20, 2022. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea" target="_blank"> French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019. 
</a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" target="_blank"> Stepanic, D. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings" target="_blank"> Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://technet.microsoft.com/en-us/sysinternals/bb963902" target="_blank"> Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://support.google.com/chrome/a/answer/7349337" target="_blank"> Chrome Enterprise and Education Help. (n.d.). Use Chrome Browser with Roaming User Profiles. Retrieved March 28, 2023. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.mandiant.com/resources/blog/azure-run-command-dummies" target="_blank"> Adrien Bataille, Anders Vejlby, Jared Scott Wilson, and Nader Zaveri. (2021, December 14). Azure Run Command for Dummies. Retrieved March 13, 2023. 
</a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/" target="_blank"> Arntz, P. (2016, March 30). The Windows Vault. Retrieved November 23, 2020. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_mofcomp_execution/" target="_blank"> detection.fyi. (2023, October 28). Potential Suspicious Mofcomp Execution. Retrieved February 9, 2024. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml" target="_blank"> The DFIR Report. (2023, January 8). proc_creation_win_mofcomp_execution.yml. Retrieved February 9, 2024. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf" target="_blank"> Pierce, Sean. (2015, November). Defending Against Malicious Application Compatibility Shims. Retrieved June 22, 2017. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/" target="_blank"> Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO). Retrieved December 18, 2017. 
</a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://ch4ik0.github.io/en/posts/leveraging-Linux-udev-for-persistence/" target="_blank"> Eder P. Ignacio. (2024, February 21). Leveraging Linux udev for persistence. Retrieved September 26, 2024. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100" target="_blank"> Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110" target="_blank"> Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://deepsec.net/docs/Slides/2017/Who_Hid_My_Desktop_Or_Safran_Pavel_Asinovsky.pdf" target="_blank"> Safran, Or. Asinovsky, Pavel. (2017, November). Who Hid My Desktop: Deep Dive Into HVNC. Retrieved November 28, 2023. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/" target="_blank"> Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021. 
</a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://www.mandiant.com/resources/staying-hidden-on-the-endpoint-evading-detection-with-shellcode" target="_blank"> Pena, E., Erikson, C. (2019, October 10). Staying Hidden on the Endpoint: Evading Detection with Shellcode. Retrieved November 29, 2021. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://redcanary.com/blog/cor_profiler-for-persistence/" target="_blank"> Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation for persistence. Retrieved June 24, 2020. </a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html" target="_blank"> Elastic. (n.d.). Binary Executed from Shared Memory Directory. Retrieved September 24, 2024. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html" target="_blank"> Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/" target="_blank"> Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017. 
</a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins" target="_blank"> Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] – Working From Home? Remote Logins. Retrieved August 19, 2021. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://x.com/leoloobeek/status/939248813465853953" target="_blank"> Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html" target="_blank"> Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://github.com/nsacyber/Mitigating-Web-Shells" target="_blank"> NSA Cybersecurity Directorate. (n.d.). Mitigating Web Shells. Retrieved July 22, 2021. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec" target="_blank"> Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018. 
</a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="https://docs.microsoft.com/sysinternals/downloads/sigcheck" target="_blank"> Russinovich, M. et al. (2017, May 22). Sigcheck. Retrieved April 3, 2018. </a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option" target="_blank"> Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/" target="_blank"> Moe, O. (2017, August 13). Bypassing Device guard UMCI using CHM – CVE-2017-8625. Retrieved October 3, 2018. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" target="_blank"> Mercês, F. (2014, January 27). CPL Malware - Malicious Control Panel Items. Retrieved January 18, 2018. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/" target="_blank"> Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon. Retrieved August 6, 2018. 
</a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/" target="_blank"> Jamie Harries. (2022, May 25). Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun. Retrieved October 18, 2022. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://lolbas-project.github.io/lolbas/Binaries/Wmic/" target="_blank"> LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019. </a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://x.com/dez_/status/986614411711442944" target="_blank"> Desimone, J. (2018, April 18). Status Update. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf" target="_blank"> Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://www.countercept.com/blog/detecting-parent-pid-spoofing/" target="_blank"> Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019. 
</a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/" target="_blank"> Hastings, M. (2014, July 16). Investigating PowerShell Attacks. Retrieved December 1, 2021. </a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/" target="_blank"> Aliz Hammond. (2019, August 15). Hiding Malicious Code with "Module Stomping": Part 1. Retrieved July 14, 2022. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search-->