
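<!DOCTYPE html>
<html lang='en'>
<head>
  <!-- Encoding declaration moved to the front of <head> so the parser knows the
       charset before it sees any other content. -->
  <meta charset='utf-8'>
  <!-- Google Analytics: a third-party loader fetched async from googletagmanager.com
       plus an inline bootstrap snippet. The inline script (like the inline onchange
       handlers used further down the page) would need a nonce or hash before a strict
       Content-Security-Policy could be applied to this page. -->
  <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script>
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date());
    gtag('config', 'UA-62667723-1');
  </script>
  <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ">
  <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'>
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <link rel='shortcut icon' href="/versions/v16/theme/favicon.ico" type='image/x-icon'>
  <title>Command, Data Source DS0017 | MITRE ATT&CK&reg;</title>
  <!-- USWDS CSS -->
  <!-- Bootstrap CSS -->
  <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap.min.css">
  <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap-tourist.css">
  <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap-select.min.css">
  <!-- Fontawesome CSS -->
  <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/fontawesome.min.css">
  <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/brands.min.css">
  <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/solid.min.css">
  <!-- Site stylesheet; the query string is a cache-busting token, not a parameter the page reads -->
  <link rel="stylesheet" type="text/css" href="/versions/v16/theme/style.min.css?6689c2db">
</head>
<body>
  <div class="container-fluid attack-website-wrapper d-flex flex-column h-100">
    <div class="row sticky-top flex-grow-0 flex-shrink-1">
      <!-- header elements -->
      <header class="col px-0">
        <nav class='navbar navbar-expand-lg navbar-dark position-static'>
          <!-- The logo is the only content of the home link, so it carries alt text
               describing the link destination (previously it had no alt attribute). -->
          <a class='navbar-brand' href="/versions/v16/"><img src="/versions/v16/theme/images/mitre_attack_logo.png" class="attack-logo" alt="MITRE ATT&amp;CK home"></a>
          <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'>
            <span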
class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a 
class="dropdown-item" href="/versions/v16/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/versions/v16/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/versions/v16/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/groups">Groups</a> <a class="dropdown-item" href="/versions/v16/software">Software</a> <a class="dropdown-item" href="/versions/v16/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/resources/">Get Started</a> <a class="dropdown-item" href="/versions/v16/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/versions/v16/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v16/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/versions/v16/resources/faq/">FAQ</a> <a class="dropdown-item" href="/versions/v16/resources/engage-with-attack/contact/">Engage with 
ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/versions/v16/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/versions/v16/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v16/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v16/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.1" target="_blank">ATT&CK v16.1</a> which is the current version of ATT&CK. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div class="container-fluid d-none"> ATT&CKcon 6.0 returns October 14-15, 2025 in McLean, VA. 
More details about tickets and our CFP can be found <a href='https://na.eventscloud.com/attackcon6'>here</a> </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="v-tab" role="tablist" aria-orientation="vertical" class="h-100"> <div class="sidenav-wrapper"> <div class="heading" data-toggle="collapse" data-target="#sidebar-collapse" id="v-home-tab" aria-expanded="true" aria-controls="#sidebar-collapse" aria-selected="false">DATA SOURCES <i class="fa-solid fa-fw fa-chevron-down"></i> <i class="fa-solid fa-fw fa-chevron-up"></i> </div> <div class="checkbox-div" id="v-home-tab" aria-selected="false"> <div class="custom-control custom-switch"> <input type="checkbox" class="custom-control-input" id="enterpriseSwitch" onchange="filterTables(enterpriseSwitch, icsSwitch)"> <label class="custom-control-label" for="enterpriseSwitch">Enterprise</label> </div> <div class="custom-control custom-switch"> <input type="checkbox" class="custom-control-input" id="mobileSwitch" onchange="filterTables(mobileSwitch, enterpriseSwitch)"> <label class="custom-control-label" for="mobileSwitch">Mobile</label> </div> <div class="custom-control custom-switch"> <input type="checkbox" class="custom-control-input" id="icsSwitch" onchange="filterTables(icsSwitch, enterpriseSwitch)"> <label class="custom-control-label" for="icsSwitch">ICS</label> </div> </div> <br class="br-mobile"> <div class="sidenav-list collapse show" id="sidebar-collapse" aria-labelledby="v-home-tab"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026"> <a href="/versions/v16/datasources/DS0026/"> Active Directory </a> <div class="expand-button collapsed" id="DS0026-header" data-toggle="collapse" data-target="#DS0026-body" 
aria-expanded="false" aria-controls="#DS0026-body"></div> </div> <div class="sidenav-body collapse" id="DS0026-body" aria-labelledby="DS0026-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Credential Request"> <a href="/datasources/DS0026/#Active%20Directory%20Credential%20Request"> Active Directory Credential Request </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Access"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Access"> Active Directory Object Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Creation"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Creation"> Active Directory Object Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Deletion"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Deletion"> Active Directory Object Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0026-Active Directory Object Modification"> <a href="/datasources/DS0026/#Active%20Directory%20Object%20Modification"> Active Directory Object Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0015"> <a href="/versions/v16/datasources/DS0015/"> Application Log </a> <div class="expand-button collapsed" id="DS0015-header" data-toggle="collapse" data-target="#DS0015-body" aria-expanded="false" aria-controls="#DS0015-body"></div> </div> <div class="sidenav-body collapse" id="DS0015-body" aria-labelledby="DS0015-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0015-Application Log Content"> <a href="/datasources/DS0015/#Application%20Log%20Content"> Application Log Content </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " 
id="DS0041"> <a href="/versions/v16/datasources/DS0041/"> Application Vetting </a> <div class="expand-button collapsed" id="DS0041-header" data-toggle="collapse" data-target="#DS0041-body" aria-expanded="false" aria-controls="#DS0041-body"></div> </div> <div class="sidenav-body collapse" id="DS0041-body" aria-labelledby="DS0041-header"> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-API Calls"> <a href="/datasources/DS0041/#API%20Calls"> API Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Application Assets"> <a href="/datasources/DS0041/#Application%20Assets"> Application Assets </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Network Communication"> <a href="/datasources/DS0041/#Network%20Communication"> Network Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Permissions Requests"> <a href="/datasources/DS0041/#Permissions%20Requests"> Permissions Requests </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0041-Protected Configuration"> <a href="/datasources/DS0041/#Protected%20Configuration"> Protected Configuration </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039"> <a href="/versions/v16/datasources/DS0039/"> Asset </a> <div class="expand-button collapsed" id="DS0039-header" data-toggle="collapse" data-target="#DS0039-body" aria-expanded="false" aria-controls="#DS0039-body"></div> </div> <div class="sidenav-body collapse" id="DS0039-body" aria-labelledby="DS0039-header"> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039-Asset Inventory"> <a href="/datasources/DS0039/#Asset%20Inventory"> Asset Inventory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0039-Software"> <a href="/datasources/DS0039/#Software"> Software </a> </div> </div> </div> </div> <div class="sidenav"> <div 
class="sidenav-head enterprise " id="DS0037"> <a href="/versions/v16/datasources/DS0037/"> Certificate </a> <div class="expand-button collapsed" id="DS0037-header" data-toggle="collapse" data-target="#DS0037-body" aria-expanded="false" aria-controls="#DS0037-body"></div> </div> <div class="sidenav-body collapse" id="DS0037-body" aria-labelledby="DS0037-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0037-Certificate Registration"> <a href="/datasources/DS0037/#Certificate%20Registration"> Certificate Registration </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025"> <a href="/versions/v16/datasources/DS0025/"> Cloud Service </a> <div class="expand-button collapsed" id="DS0025-header" data-toggle="collapse" data-target="#DS0025-body" aria-expanded="false" aria-controls="#DS0025-body"></div> </div> <div class="sidenav-body collapse" id="DS0025-body" aria-labelledby="DS0025-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Disable"> <a href="/datasources/DS0025/#Cloud%20Service%20Disable"> Cloud Service Disable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Enumeration"> <a href="/datasources/DS0025/#Cloud%20Service%20Enumeration"> Cloud Service Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Metadata"> <a href="/datasources/DS0025/#Cloud%20Service%20Metadata"> Cloud Service Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0025-Cloud Service Modification"> <a href="/datasources/DS0025/#Cloud%20Service%20Modification"> Cloud Service Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010"> <a href="/versions/v16/datasources/DS0010/"> Cloud Storage </a> <div class="expand-button collapsed" id="DS0010-header" 
data-toggle="collapse" data-target="#DS0010-body" aria-expanded="false" aria-controls="#DS0010-body"></div> </div> <div class="sidenav-body collapse" id="DS0010-body" aria-labelledby="DS0010-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Access"> <a href="/datasources/DS0010/#Cloud%20Storage%20Access"> Cloud Storage Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Creation"> <a href="/datasources/DS0010/#Cloud%20Storage%20Creation"> Cloud Storage Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Deletion"> <a href="/datasources/DS0010/#Cloud%20Storage%20Deletion"> Cloud Storage Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Enumeration"> <a href="/datasources/DS0010/#Cloud%20Storage%20Enumeration"> Cloud Storage Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Metadata"> <a href="/datasources/DS0010/#Cloud%20Storage%20Metadata"> Cloud Storage Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0010-Cloud Storage Modification"> <a href="/datasources/DS0010/#Cloud%20Storage%20Modification"> Cloud Storage Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head active enterprise mobile ics " id="DS0017"> <a href="/versions/v16/datasources/DS0017/"> Command </a> <div class="expand-button collapsed" id="DS0017-header" data-toggle="collapse" data-target="#DS0017-body" aria-expanded="false" aria-controls="#DS0017-body"></div> </div> <div class="sidenav-body collapse" id="DS0017-body" aria-labelledby="DS0017-header"> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0017-Command Execution"> <a href="/datasources/DS0017/#Command%20Execution"> Command Execution </a> </div> 
</div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032"> <a href="/versions/v16/datasources/DS0032/"> Container </a> <div class="expand-button collapsed" id="DS0032-header" data-toggle="collapse" data-target="#DS0032-body" aria-expanded="false" aria-controls="#DS0032-body"></div> </div> <div class="sidenav-body collapse" id="DS0032-body" aria-labelledby="DS0032-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Creation"> <a href="/datasources/DS0032/#Container%20Creation"> Container Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Enumeration"> <a href="/datasources/DS0032/#Container%20Enumeration"> Container Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0032-Container Start"> <a href="/datasources/DS0032/#Container%20Start"> Container Start </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038"> <a href="/versions/v16/datasources/DS0038/"> Domain Name </a> <div class="expand-button collapsed" id="DS0038-header" data-toggle="collapse" data-target="#DS0038-body" aria-expanded="false" aria-controls="#DS0038-body"></div> </div> <div class="sidenav-body collapse" id="DS0038-body" aria-labelledby="DS0038-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Active DNS"> <a href="/datasources/DS0038/#Active%20DNS"> Active DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Domain Registration"> <a href="/datasources/DS0038/#Domain%20Registration"> Domain Registration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0038-Passive DNS"> <a href="/datasources/DS0038/#Passive%20DNS"> Passive DNS </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0016"> <a 
href="/versions/v16/datasources/DS0016/"> Drive </a> <div class="expand-button collapsed" id="DS0016-header" data-toggle="collapse" data-target="#DS0016-body" aria-expanded="false" aria-controls="#DS0016-body"></div> </div> <div class="sidenav-body collapse" id="DS0016-body" aria-labelledby="DS0016-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0016-Drive Access"> <a href="/datasources/DS0016/#Drive%20Access"> Drive Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0016-Drive Creation"> <a href="/datasources/DS0016/#Drive%20Creation"> Drive Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0016-Drive Modification"> <a href="/datasources/DS0016/#Drive%20Modification"> Drive Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027"> <a href="/versions/v16/datasources/DS0027/"> Driver </a> <div class="expand-button collapsed" id="DS0027-header" data-toggle="collapse" data-target="#DS0027-body" aria-expanded="false" aria-controls="#DS0027-body"></div> </div> <div class="sidenav-body collapse" id="DS0027-body" aria-labelledby="DS0027-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027-Driver Load"> <a href="/datasources/DS0027/#Driver%20Load"> Driver Load </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0027-Driver Metadata"> <a href="/datasources/DS0027/#Driver%20Metadata"> Driver Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022"> <a href="/versions/v16/datasources/DS0022/"> File </a> <div class="expand-button collapsed" id="DS0022-header" data-toggle="collapse" data-target="#DS0022-body" aria-expanded="false" aria-controls="#DS0022-body"></div> </div> <div class="sidenav-body collapse" id="DS0022-body" aria-labelledby="DS0022-header"> <div class="sidenav"> <div 
class="sidenav-head enterprise ics " id="DS0022-File Access"> <a href="/datasources/DS0022/#File%20Access"> File Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Creation"> <a href="/datasources/DS0022/#File%20Creation"> File Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Deletion"> <a href="/datasources/DS0022/#File%20Deletion"> File Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Metadata"> <a href="/datasources/DS0022/#File%20Metadata"> File Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0022-File Modification"> <a href="/datasources/DS0022/#File%20Modification"> File Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018"> <a href="/versions/v16/datasources/DS0018/"> Firewall </a> <div class="expand-button collapsed" id="DS0018-header" data-toggle="collapse" data-target="#DS0018-body" aria-expanded="false" aria-controls="#DS0018-body"></div> </div> <div class="sidenav-body collapse" id="DS0018-body" aria-labelledby="DS0018-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Disable"> <a href="/datasources/DS0018/#Firewall%20Disable"> Firewall Disable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Enumeration"> <a href="/datasources/DS0018/#Firewall%20Enumeration"> Firewall Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Metadata"> <a href="/datasources/DS0018/#Firewall%20Metadata"> Firewall Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0018-Firewall Rule Modification"> <a href="/datasources/DS0018/#Firewall%20Rule%20Modification"> Firewall Rule Modification </a> </div> </div> 
</div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0001"> <a href="/versions/v16/datasources/DS0001/"> Firmware </a> <div class="expand-button collapsed" id="DS0001-header" data-toggle="collapse" data-target="#DS0001-body" aria-expanded="false" aria-controls="#DS0001-body"></div> </div> <div class="sidenav-body collapse" id="DS0001-body" aria-labelledby="DS0001-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0001-Firmware Modification"> <a href="/datasources/DS0001/#Firmware%20Modification"> Firmware Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036"> <a href="/versions/v16/datasources/DS0036/"> Group </a> <div class="expand-button collapsed" id="DS0036-header" data-toggle="collapse" data-target="#DS0036-body" aria-expanded="false" aria-controls="#DS0036-body"></div> </div> <div class="sidenav-body collapse" id="DS0036-body" aria-labelledby="DS0036-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Enumeration"> <a href="/datasources/DS0036/#Group%20Enumeration"> Group Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Metadata"> <a href="/datasources/DS0036/#Group%20Metadata"> Group Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0036-Group Modification"> <a href="/datasources/DS0036/#Group%20Modification"> Group Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007"> <a href="/versions/v16/datasources/DS0007/"> Image </a> <div class="expand-button collapsed" id="DS0007-header" data-toggle="collapse" data-target="#DS0007-body" aria-expanded="false" aria-controls="#DS0007-body"></div> </div> <div class="sidenav-body collapse" id="DS0007-body" aria-labelledby="DS0007-header"> <div class="sidenav"> <div class="sidenav-head enterprise " 
id="DS0007-Image Creation"> <a href="/datasources/DS0007/#Image%20Creation"> Image Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Deletion"> <a href="/datasources/DS0007/#Image%20Deletion"> Image Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Metadata"> <a href="/datasources/DS0007/#Image%20Metadata"> Image Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0007-Image Modification"> <a href="/datasources/DS0007/#Image%20Modification"> Image Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030"> <a href="/versions/v16/datasources/DS0030/"> Instance </a> <div class="expand-button collapsed" id="DS0030-header" data-toggle="collapse" data-target="#DS0030-body" aria-expanded="false" aria-controls="#DS0030-body"></div> </div> <div class="sidenav-body collapse" id="DS0030-body" aria-labelledby="DS0030-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Creation"> <a href="/datasources/DS0030/#Instance%20Creation"> Instance Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Deletion"> <a href="/datasources/DS0030/#Instance%20Deletion"> Instance Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Enumeration"> <a href="/datasources/DS0030/#Instance%20Enumeration"> Instance Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Metadata"> <a href="/datasources/DS0030/#Instance%20Metadata"> Instance Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Modification"> <a href="/datasources/DS0030/#Instance%20Modification"> Instance Modification </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head enterprise " id="DS0030-Instance Start"> <a href="/datasources/DS0030/#Instance%20Start"> Instance Start </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0030-Instance Stop"> <a href="/datasources/DS0030/#Instance%20Stop"> Instance Stop </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035"> <a href="/versions/v16/datasources/DS0035/"> Internet Scan </a> <div class="expand-button collapsed" id="DS0035-header" data-toggle="collapse" data-target="#DS0035-body" aria-expanded="false" aria-controls="#DS0035-body"></div> </div> <div class="sidenav-body collapse" id="DS0035-body" aria-labelledby="DS0035-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035-Response Content"> <a href="/datasources/DS0035/#Response%20Content"> Response Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0035-Response Metadata"> <a href="/datasources/DS0035/#Response%20Metadata"> Response Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0008"> <a href="/versions/v16/datasources/DS0008/"> Kernel </a> <div class="expand-button collapsed" id="DS0008-header" data-toggle="collapse" data-target="#DS0008-body" aria-expanded="false" aria-controls="#DS0008-body"></div> </div> <div class="sidenav-body collapse" id="DS0008-body" aria-labelledby="DS0008-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0008-Kernel Module Load"> <a href="/datasources/DS0008/#Kernel%20Module%20Load"> Kernel Module Load </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0028"> <a href="/versions/v16/datasources/DS0028/"> Logon Session </a> <div class="expand-button collapsed" id="DS0028-header" data-toggle="collapse" data-target="#DS0028-body" aria-expanded="false" aria-controls="#DS0028-body"></div> </div> <div 
class="sidenav-body collapse" id="DS0028-body" aria-labelledby="DS0028-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0028-Logon Session Creation"> <a href="/datasources/DS0028/#Logon%20Session%20Creation"> Logon Session Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0028-Logon Session Metadata"> <a href="/datasources/DS0028/#Logon%20Session%20Metadata"> Logon Session Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0004"> <a href="/versions/v16/datasources/DS0004/"> Malware Repository </a> <div class="expand-button collapsed" id="DS0004-header" data-toggle="collapse" data-target="#DS0004-body" aria-expanded="false" aria-controls="#DS0004-body"></div> </div> <div class="sidenav-body collapse" id="DS0004-body" aria-labelledby="DS0004-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0004-Malware Content"> <a href="/datasources/DS0004/#Malware%20Content"> Malware Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0004-Malware Metadata"> <a href="/datasources/DS0004/#Malware%20Metadata"> Malware Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0011"> <a href="/versions/v16/datasources/DS0011/"> Module </a> <div class="expand-button collapsed" id="DS0011-header" data-toggle="collapse" data-target="#DS0011-body" aria-expanded="false" aria-controls="#DS0011-body"></div> </div> <div class="sidenav-body collapse" id="DS0011-body" aria-labelledby="DS0011-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0011-Module Load"> <a href="/datasources/DS0011/#Module%20Load"> Module Load </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0023"> <a href="/versions/v16/datasources/DS0023/"> Named Pipe </a> <div class="expand-button collapsed" 
id="DS0023-header" data-toggle="collapse" data-target="#DS0023-body" aria-expanded="false" aria-controls="#DS0023-body"></div> </div> <div class="sidenav-body collapse" id="DS0023-body" aria-labelledby="DS0023-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0023-Named Pipe Metadata"> <a href="/datasources/DS0023/#Named%20Pipe%20Metadata"> Named Pipe Metadata </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0033"> <a href="/versions/v16/datasources/DS0033/"> Network Share </a> <div class="expand-button collapsed" id="DS0033-header" data-toggle="collapse" data-target="#DS0033-body" aria-expanded="false" aria-controls="#DS0033-body"></div> </div> <div class="sidenav-body collapse" id="DS0033-body" aria-labelledby="DS0033-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0033-Network Share Access"> <a href="/datasources/DS0033/#Network%20Share%20Access"> Network Share Access </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0029"> <a href="/versions/v16/datasources/DS0029/"> Network Traffic </a> <div class="expand-button collapsed" id="DS0029-header" data-toggle="collapse" data-target="#DS0029-body" aria-expanded="false" aria-controls="#DS0029-body"></div> </div> <div class="sidenav-body collapse" id="DS0029-body" aria-labelledby="DS0029-header"> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0029-Network Connection Creation"> <a href="/datasources/DS0029/#Network%20Connection%20Creation"> Network Connection Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0029-Network Traffic Content"> <a href="/datasources/DS0029/#Network%20Traffic%20Content"> Network Traffic Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0029-Network Traffic Flow"> <a 
href="/datasources/DS0029/#Network%20Traffic%20Flow"> Network Traffic Flow </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0040"> <a href="/versions/v16/datasources/DS0040/"> Operational Databases </a> <div class="expand-button collapsed" id="DS0040-header" data-toggle="collapse" data-target="#DS0040-body" aria-expanded="false" aria-controls="#DS0040-body"></div> </div> <div class="sidenav-body collapse" id="DS0040-body" aria-labelledby="DS0040-header"> <div class="sidenav"> <div class="sidenav-head ics " id="DS0040-Device Alarm"> <a href="/datasources/DS0040/#Device%20Alarm"> Device Alarm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0040-Process History/Live Data"> <a href="/datasources/DS0040/#Process%20History/Live%20Data"> Process History/Live Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head ics " id="DS0040-Process/Event Alarm"> <a href="/datasources/DS0040/#Process/Event%20Alarm"> Process/Event Alarm </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0021"> <a href="/versions/v16/datasources/DS0021/"> Persona </a> <div class="expand-button collapsed" id="DS0021-header" data-toggle="collapse" data-target="#DS0021-body" aria-expanded="false" aria-controls="#DS0021-body"></div> </div> <div class="sidenav-body collapse" id="DS0021-body" aria-labelledby="DS0021-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0021-Social Media"> <a href="/datasources/DS0021/#Social%20Media"> Social Media </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0014"> <a href="/versions/v16/datasources/DS0014/"> Pod </a> <div class="expand-button collapsed" id="DS0014-header" data-toggle="collapse" data-target="#DS0014-body" aria-expanded="false" aria-controls="#DS0014-body"></div> </div> <div class="sidenav-body collapse" id="DS0014-body" 
aria-labelledby="DS0014-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0014-Pod Creation"> <a href="/datasources/DS0014/#Pod%20Creation"> Pod Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0014-Pod Enumeration"> <a href="/datasources/DS0014/#Pod%20Enumeration"> Pod Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0014-Pod Modification"> <a href="/datasources/DS0014/#Pod%20Modification"> Pod Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0009"> <a href="/versions/v16/datasources/DS0009/"> Process </a> <div class="expand-button collapsed" id="DS0009-header" data-toggle="collapse" data-target="#DS0009-body" aria-expanded="false" aria-controls="#DS0009-body"></div> </div> <div class="sidenav-body collapse" id="DS0009-body" aria-labelledby="DS0009-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0009-OS API Execution"> <a href="/datasources/DS0009/#OS%20API%20Execution"> OS API Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0009-Process Access"> <a href="/datasources/DS0009/#Process%20Access"> Process Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0009-Process Creation"> <a href="/datasources/DS0009/#Process%20Creation"> Process Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0009-Process Metadata"> <a href="/datasources/DS0009/#Process%20Metadata"> Process Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0009-Process Modification"> <a href="/datasources/DS0009/#Process%20Modification"> Process Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile ics " id="DS0009-Process Termination"> <a 
href="/datasources/DS0009/#Process%20Termination"> Process Termination </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0003"> <a href="/versions/v16/datasources/DS0003/"> Scheduled Job </a> <div class="expand-button collapsed" id="DS0003-header" data-toggle="collapse" data-target="#DS0003-body" aria-expanded="false" aria-controls="#DS0003-body"></div> </div> <div class="sidenav-body collapse" id="DS0003-body" aria-labelledby="DS0003-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0003-Scheduled Job Creation"> <a href="/datasources/DS0003/#Scheduled%20Job%20Creation"> Scheduled Job Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0003-Scheduled Job Metadata"> <a href="/datasources/DS0003/#Scheduled%20Job%20Metadata"> Scheduled Job Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0003-Scheduled Job Modification"> <a href="/datasources/DS0003/#Scheduled%20Job%20Modification"> Scheduled Job Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0012"> <a href="/versions/v16/datasources/DS0012/"> Script </a> <div class="expand-button collapsed" id="DS0012-header" data-toggle="collapse" data-target="#DS0012-body" aria-expanded="false" aria-controls="#DS0012-body"></div> </div> <div class="sidenav-body collapse" id="DS0012-body" aria-labelledby="DS0012-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0012-Script Execution"> <a href="/datasources/DS0012/#Script%20Execution"> Script Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise mobile " id="DS0013"> <a href="/versions/v16/datasources/DS0013/"> Sensor Health </a> <div class="expand-button collapsed" id="DS0013-header" data-toggle="collapse" data-target="#DS0013-body" aria-expanded="false" 
aria-controls="#DS0013-body"></div> </div> <div class="sidenav-body collapse" id="DS0013-body" aria-labelledby="DS0013-header"> <div class="sidenav"> <div class="sidenav-head enterprise mobile " id="DS0013-Host Status"> <a href="/datasources/DS0013/#Host%20Status"> Host Status </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0019"> <a href="/versions/v16/datasources/DS0019/"> Service </a> <div class="expand-button collapsed" id="DS0019-header" data-toggle="collapse" data-target="#DS0019-body" aria-expanded="false" aria-controls="#DS0019-body"></div> </div> <div class="sidenav-body collapse" id="DS0019-body" aria-labelledby="DS0019-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0019-Service Creation"> <a href="/datasources/DS0019/#Service%20Creation"> Service Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0019-Service Metadata"> <a href="/datasources/DS0019/#Service%20Metadata"> Service Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0019-Service Modification"> <a href="/datasources/DS0019/#Service%20Modification"> Service Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020"> <a href="/versions/v16/datasources/DS0020/"> Snapshot </a> <div class="expand-button collapsed" id="DS0020-header" data-toggle="collapse" data-target="#DS0020-body" aria-expanded="false" aria-controls="#DS0020-body"></div> </div> <div class="sidenav-body collapse" id="DS0020-body" aria-labelledby="DS0020-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Creation"> <a href="/datasources/DS0020/#Snapshot%20Creation"> Snapshot Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Deletion"> <a href="/datasources/DS0020/#Snapshot%20Deletion"> Snapshot Deletion 
</a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Enumeration"> <a href="/datasources/DS0020/#Snapshot%20Enumeration"> Snapshot Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Metadata"> <a href="/datasources/DS0020/#Snapshot%20Metadata"> Snapshot Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0020-Snapshot Modification"> <a href="/datasources/DS0020/#Snapshot%20Modification"> Snapshot Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0002"> <a href="/versions/v16/datasources/DS0002/"> User Account </a> <div class="expand-button collapsed" id="DS0002-header" data-toggle="collapse" data-target="#DS0002-body" aria-expanded="false" aria-controls="#DS0002-body"></div> </div> <div class="sidenav-body collapse" id="DS0002-body" aria-labelledby="DS0002-header"> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0002-User Account Authentication"> <a href="/datasources/DS0002/#User%20Account%20Authentication"> User Account Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0002-User Account Creation"> <a href="/datasources/DS0002/#User%20Account%20Creation"> User Account Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0002-User Account Deletion"> <a href="/datasources/DS0002/#User%20Account%20Deletion"> User Account Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0002-User Account Metadata"> <a href="/datasources/DS0002/#User%20Account%20Metadata"> User Account Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0002-User Account Modification"> <a href="/datasources/DS0002/#User%20Account%20Modification"> User Account Modification </a> </div> </div> 
</div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0042"> <a href="/versions/v16/datasources/DS0042/"> User Interface </a> <div class="expand-button collapsed" id="DS0042-header" data-toggle="collapse" data-target="#DS0042-body" aria-expanded="false" aria-controls="#DS0042-body"></div> </div> <div class="sidenav-body collapse" id="DS0042-body" aria-labelledby="DS0042-header"> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0042-Permissions Request"> <a href="/datasources/DS0042/#Permissions%20Request"> Permissions Request </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0042-System Notifications"> <a href="/datasources/DS0042/#System%20Notifications"> System Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head mobile " id="DS0042-System Settings"> <a href="/datasources/DS0042/#System%20Settings"> System Settings </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034"> <a href="/versions/v16/datasources/DS0034/"> Volume </a> <div class="expand-button collapsed" id="DS0034-header" data-toggle="collapse" data-target="#DS0034-body" aria-expanded="false" aria-controls="#DS0034-body"></div> </div> <div class="sidenav-body collapse" id="DS0034-body" aria-labelledby="DS0034-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Creation"> <a href="/datasources/DS0034/#Volume%20Creation"> Volume Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Deletion"> <a href="/datasources/DS0034/#Volume%20Deletion"> Volume Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Enumeration"> <a href="/datasources/DS0034/#Volume%20Enumeration"> Volume Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Metadata"> <a 
href="/datasources/DS0034/#Volume%20Metadata"> Volume Metadata </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0034-Volume Modification"> <a href="/datasources/DS0034/#Volume%20Modification"> Volume Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0006"> <a href="/versions/v16/datasources/DS0006/"> Web Credential </a> <div class="expand-button collapsed" id="DS0006-header" data-toggle="collapse" data-target="#DS0006-body" aria-expanded="false" aria-controls="#DS0006-body"></div> </div> <div class="sidenav-body collapse" id="DS0006-body" aria-labelledby="DS0006-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0006-Web Credential Creation"> <a href="/datasources/DS0006/#Web%20Credential%20Creation"> Web Credential Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0006-Web Credential Usage"> <a href="/datasources/DS0006/#Web%20Credential%20Usage"> Web Credential Usage </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0024"> <a href="/versions/v16/datasources/DS0024/"> Windows Registry </a> <div class="expand-button collapsed" id="DS0024-header" data-toggle="collapse" data-target="#DS0024-body" aria-expanded="false" aria-controls="#DS0024-body"></div> </div> <div class="sidenav-body collapse" id="DS0024-body" aria-labelledby="DS0024-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0024-Windows Registry Key Access"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Access"> Windows Registry Key Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0024-Windows Registry Key Creation"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Creation"> Windows Registry Key Creation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0024-Windows 
Registry Key Deletion"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Deletion"> Windows Registry Key Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise ics " id="DS0024-Windows Registry Key Modification"> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Modification"> Windows Registry Key Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0005"> <a href="/versions/v16/datasources/DS0005/"> WMI </a> <div class="expand-button collapsed" id="DS0005-header" data-toggle="collapse" data-target="#DS0005-body" aria-expanded="false" aria-controls="#DS0005-body"></div> </div> <div class="sidenav-body collapse" id="DS0005-body" aria-labelledby="DS0005-header"> <div class="sidenav"> <div class="sidenav-head enterprise " id="DS0005-WMI Creation"> <a href="/datasources/DS0005/#WMI%20Creation"> WMI Creation </a> </div> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v16/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v16/datasources/">Data Sources</a></li> <li class="breadcrumb-item">Command</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Command </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Confluence Support. (2021, September 8). 
How to enable command line audit logging in linux. Retrieved September 23, 2021." data-reference="Confluence Linux Command Line"><sup><a href="https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html" target="_blank" rel="noopener noreferrer" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick="scrollToRef('scite-2')" id="scite-ref-2-a" class="scite-citeref-number" title="Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021." data-reference="Audit OSX"><sup><a href="https://www.scip.ch/en/?labs.20150108" target="_blank" rel="noopener noreferrer" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>DS0017 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>Android, Containers, Linux, Network, Windows, iOS, macOS </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="A description of where the data source may be physically collected (ex: Host, Network, Cloud Control Plane, etc.)">&#9432;</span> </div> <div class="col-11 pl-0"> <span class="h5 card-title">Collection Layers:&nbsp;</span>Container, Host </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Contributors</span>: Center for Threat-Informed Defense (CTID); Austin Clark, @c2defense </div> </div> <div class="row 
card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Version</span>: 1.1 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>20 October 2021 </div> </div> <div class="row card-data"> <div class="col-1 px-0 text-center"></div> <div class="col-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>20 April 2023 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of DS0017" href="/versions/v16/datasources/DS0017/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of DS0017" href="/datasources/DS0017/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id="datacomponents">Data Components</h2> <div class="row no-techniques-in-data-source-message" style="display: none"> <div class="col-md-12 description-body"> <p>This data source does not have any techniques in the selected domain(s)</p> </div> </div> <div class="row"> <div class="col-md-12 section-view enterprise mobile ics "> <a class="anchor" id="Command Execution"></a> <div class="section-desktop-view anchor-section"> <h4 class="pt-3">Command: Command Execution</h4> <div class="description-body"> <p>The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like &gt;dir, shell executions, etc. 
)</p> </div> <div class="section-shadow"></div> </div> <div class="section-mobile-view anchor-section"> <h4 class="pt-3">Command: Command Execution</h4> <div class="section-shadow"></div> </div> <div class="section-mobile-view"> <div class="description-body"> <p>The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like &gt;dir, shell executions, etc.)</p> </div> </div> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" scope="col" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1548">T1548</a> </td> <td> <a href="/versions/v16/techniques/T1548">Abuse Elevation Control Mechanism</a> </td> <td> <p>Monitor executed commands and arguments that may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1548/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1548/001">Setuid and Setgid</a> </td> <td> <p>Monitor for execution of utilities, like <code>chmod</code>, and their command-line arguments to look for setuid or setgid bits being set.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1548/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1548/002">Bypass User Account Control</a> </td> <td> <p>Monitor executed commands and arguments that may bypass UAC mechanisms to elevate process privileges on the system.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a 
href="/versions/v16/techniques/T1548/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1548/003">Sudo and Sudo Caching</a> </td> <td> <p>Monitor executed commands and arguments that may perform sudo caching and/or use the sudoers file to elevate privileges, such as the <code>sudo</code> command.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1548/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1548/006">TCC Manipulation</a> </td> <td> <p>Monitor executed commands and arguments that may abuse or modify TCC mechanisms designed to control access to elevated privileges. macOS system logs may also indicate when <code>AuthorizationExecuteWithPrivileges</code> is being called.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1134">T1134</a> </td> <td> <a href="/versions/v16/techniques/T1134">Access Token Manipulation</a> </td> <td> <p>Monitor executed commands and arguments for token manipulation by auditing command-line activity. Specifically, analysts should look for use of the <code>runas</code> command. Detailed command-line logging is not enabled by default in Windows.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Mathers, B. (2017, March 7). Command line process auditing. 
Retrieved April 21, 2017." data-reference="Microsoft Command-line Logging"><sup><a href="https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing" target="_blank" rel="noopener noreferrer" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1134/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1134/001">Token Impersonation/Theft</a> </td> <td> <p>Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the <code>runas</code> command. Detailed command-line logging is not enabled by default in Windows.<span onclick="scrollToRef('scite-3')" id="scite-ref-3-a" class="scite-citeref-number" title="Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017." data-reference="Microsoft Command-line Logging"><sup><a href="https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing" target="_blank" rel="noopener noreferrer" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1134/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1134/002">Create Process with Token</a> </td> <td> <p>Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the <code>runas</code> command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.<span onclick="scrollToRef('scite-3')" id="scite-ref-3-a" class="scite-citeref-number" title="Mathers, B. (2017, March 7). Command line process auditing. 
Retrieved April 21, 2017." data-reference="Microsoft Command-line Logging"><sup><a href="https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing" target="_blank" rel="noopener noreferrer" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1134/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1134/003">Make and Impersonate Token</a> </td> <td> <p>Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the <code>runas</code> command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.<span onclick="scrollToRef('scite-3')" id="scite-ref-3-a" class="scite-citeref-number" title="Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017." data-reference="Microsoft Command-line Logging"><sup><a href="https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing" target="_blank" rel="noopener noreferrer" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1087">T1087</a> </td> <td> <a href="/versions/v16/techniques/T1087">Account Discovery</a> </td> <td> <p>Monitor logs and other sources of command execution history for actions that could be taken to gather information about accounts, including the use of calls to cloud APIs that perform account discovery.</p><p>System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. 
Therefore, discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1087/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1087/001">Local Account</a> </td> <td> <p>Monitor for execution of commands and arguments associated with enumeration or information gathering of local accounts and groups, such as <code>net user</code>, <code>net account</code>, <code>net localgroup</code>, <code>Get-LocalUser</code>, and <code>dscl</code>.</p><p>System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore, discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1087/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1087/002">Domain Account</a> </td> <td> <p>Monitor for execution of commands and arguments associated with enumeration or information gathering of domain accounts and groups, such as <code>net user /domain</code> and <code>net group /domain</code>, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux.</p><p>System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. 
Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1087/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1087/003">Email Account</a> </td> <td> <p>Monitor for execution of commands and arguments associated with enumeration or information gathering of email addresses and accounts such as <code>Get-AddressList</code>, <code>Get-GlobalAddressList</code>, and <code>Get-OfflineAddressBook</code>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1087/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1087/004">Cloud Account</a> </td> <td> <p>Monitor logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.</p><p>System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. 
Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1098">T1098</a> </td> <td> <a href="/versions/v16/techniques/T1098">Account Manipulation</a> </td> <td> <p>Monitor executed commands and arguments for suspicious commands to modify accounts or account settings (including files such as the <code>authorized_keys</code> or <code>/etc/ssh/sshd_config</code>).</p><p>Monitor executed commands and arguments of suspicious commands (such as <code>Add-MailboxPermission</code>) that may be indicative of modifying the permissions of Exchange and other related service settings.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1098/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1098/004">SSH Authorized Keys</a> </td> <td> <p>Monitor executed commands and arguments to modify the authorized_keys or /etc/ssh/sshd_config files.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1010">T1010</a> </td> <td> <a href="/versions/v16/techniques/T1010">Application Window Discovery</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to gather system and network information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.</p><p>Note: Commands can also be obtained from Payload event field for PowerShell event id 4103. 
For PowerShell Module logging event ID 4103, enable logging for module Microsoft.PowerShell.Management.</p><p>Analytic 1 - Suspicious Commands</p><p><code>sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode="4103" | where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1560">T1560</a> </td> <td> <a href="/versions/v16/techniques/T1560">Archive Collected Data</a> </td> <td> <p>Monitor executed commands and arguments for actions that will aid in compressing or encrypting data that is collected prior to exfiltration, such as <code>tar</code>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1560/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1560/001">Archive via Utility</a> </td> <td> <p>Monitor executed commands and arguments for actions that will aid in compressing or encrypting data that is collected prior to exfiltration, such as <code>tar</code>.
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1123">T1123</a> </td> <td> <a href="/versions/v16/techniques/T1123">Audio Capture</a> </td> <td> <p>Monitor executed commands and arguments for actions that can leverage a computer’s peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1119">T1119</a> </td> <td> <a href="/versions/v16/techniques/T1119">Automated Collection</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to collect internal data.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0802">T0802</a> </td> <td> <a href="/versions/v16/techniques/T0802">Automated Collection</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to collect internal data.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1020">T1020</a> </td> <td> <a href="/versions/v16/techniques/T1020">Automated Exfiltration</a> </td> <td> <p>Monitor executed commands and arguments that may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1197">T1197</a> </td> <td> <a href="/versions/v16/techniques/T1197">BITS Jobs</a> </td> <td> <p>Monitor executed commands and arguments from the BITSAdmin tool (especially the ‘Transfer’, 'Create', 'AddFile', 'SetNotifyFlags', 
'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options)<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved January 12, 2018."data-reference="Microsoft BITS"><sup><a href="https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> Admin logs, PowerShell logs, and the Windows Event log for BITS activity.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="French, D., Murphy, B. (2020, March 24). Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1). Retrieved December 21, 2020."data-reference="Elastic - Hunting for Persistence Part 1"><sup><a href="https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> Also consider investigating more detailed information about jobs by parsing the BITS job database.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2016, June 6). Malware Lingers with BITS. 
Retrieved January 12, 2018."data-reference="CTU BITS Malware June 2016"><sup><a href="https://www.secureworks.com/blog/malware-lingers-with-bits" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1547">T1547</a> </td> <td> <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a> </td> <td> <p>Monitor executed commands and arguments that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p>Monitor executed commands and arguments that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1547/002">Authentication Package</a> </td> <td> <p>Monitor executed commands and arguments that may abuse authentication packages to execute DLLs when the system boots.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1547/003">Time Providers</a> </td> <td> <p>Monitor executed commands and arguments that may abuse time providers to execute DLLs when the system boots.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/004">.004</a> </td> <td> <a 
href="/versions/v16/techniques/T1547/004">Winlogon Helper DLL</a> </td> <td> <p>Monitor executed commands and arguments that may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1547/005">Security Support Provider</a> </td> <td> <p>Monitor executed commands and arguments that may abuse security support providers (SSPs) to execute DLLs when the system boots.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1547/006">Kernel Modules and Extensions</a> </td> <td> <p>Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: <code>modprobe</code>, <code>insmod</code>, <code>lsmod</code>, <code>rmmod</code>, or <code>modinfo</code> <span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Henderson, B. (2006, September 24). How To Insert And Remove LKMs. Retrieved April 9, 2018."data-reference="Linux Loadable Kernel Module Insert and Remove LKMs"><sup><a href="http://tldp.org/HOWTO/Module-HOWTO/x197.html" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span> Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. <span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Chuvakin, A. (2003, February). An Overview of Rootkits. 
Retrieved September 12, 2024."data-reference="iDefense Rootkit Overview"><sup><a href="https://www.megasecurity.org/papers/Rootkits.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span> Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."data-reference="Trend Micro Skidmap"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span> Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package.</p><p>On macOS, monitor for execution of <code>kextload</code> commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the <code>kext_policy</code> table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, <code>/var/db/SystemPolicyConfiguration/KextPolicy</code>.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Pikeralpha. (2017, August 29). User Approved Kernel Extension Loading…. 
Retrieved September 23, 2021."data-reference="User Approved Kernel Extension Pike’s"><sup><a href="https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Richard Purves. (2017, November 9). MDM and the Kextpocalypse . Retrieved September 23, 2021."data-reference="Purves Kextpocalypse 2"><sup><a href="https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Apple. (2019, May 3). Configuration Profile Reference. Retrieved September 23, 2021."data-reference="Apple Developer Configuration Profile"><sup><a href="https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1547/007">Re-opened Applications</a> </td> <td> <p>Monitor executed commands and arguments that may modify plist files to automatically run an application when a user logs in.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/013">.013</a> </td> <td> <a href="/versions/v16/techniques/T1547/013">XDG Autostart Entries</a> </td> <td> <p>Monitor executed commands and arguments that may modify XDG autostart entries to execute programs or commands during system boot.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1547/014">.014</a> </td> <td> <a 
href="/versions/v16/techniques/T1547/014">Active Setup</a> </td> <td> <p>Monitor executed commands and arguments that may achieve persistence by adding a Registry key to the Active Setup of the local machine.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1037">T1037</a> </td> <td> <a href="/versions/v16/techniques/T1037">Boot or Logon Initialization Scripts</a> </td> <td> <p>Monitor executed commands and arguments that may consist of logon scripts for unusual access by abnormal users or at abnormal times.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1037/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1037/001">Logon Script (Windows)</a> </td> <td> <p>Monitor executed commands and arguments for logon scripts</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1037/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1037/002">Login Hook</a> </td> <td> <p>Monitor executed commands with arguments to install or modify login hooks.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1037/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1037/003">Network Logon Script</a> </td> <td> <p>Monitor executed commands and arguments for logon scripts</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1037/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1037/004">RC Scripts</a> </td> <td> <p>Monitor executed commands and arguments resulting from RC scripts for unusual or unknown applications or behavior</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a 
href="/versions/v16/techniques/T1037/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1037/005">Startup Items</a> </td> <td> <p>Monitor executed commands and arguments for logon scripts</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1176">T1176</a> </td> <td> <a href="/versions/v16/techniques/T1176">Browser Extensions</a> </td> <td> <p>Monitor executed commands and arguments for usage of the profiles tool, such as profiles install -type=configuration.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1217">T1217</a> </td> <td> <a href="/versions/v16/techniques/T1217">Browser Information Discovery</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to gather browser information, such as local files and databases (e.g., <code>%APPDATA%/Google/Chrome</code>).<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Chrome Enterprise and Education Help. (n.d.). Use Chrome Browser with Roaming User Profiles. Retrieved March 28, 2023."data-reference="Chrome Roaming Profiles"><sup><a href="https://support.google.com/chrome/a/answer/7349337" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span> Remote access tools with built-in features may interact directly using APIs to gather information. 
Information may also be acquired through system management tools such as Windows Management Instrumentation and PowerShell.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1110">T1110</a> </td> <td> <a href="/versions/v16/techniques/T1110">Brute Force</a> </td> <td> <p>Monitor executed commands and arguments that may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.</p><p>Analytic 1 - Command-line tools used for brute force attacks.</p><p><code> (index=security sourcetype="Powershell" EventCode=4104) OR (index=os sourcetype="linux_secure" (cmdline IN ("*hydra*", "*medusa*", "*ncrack*", "*patator*", "*john*", "*hashcat*", "*rcrack*", "*w3af*", "*aircrack-ng*"))) OR (index=os sourcetype="macos_secure" (cmdline IN ("*hydra*", "*medusa*", "*ncrack*", "*patator*", "*john*", "*hashcat*", "*rcrack*", "*w3af*", "*aircrack-ng*"))) | where match(CommandLine, "(?i)(hydra|medusa|ncrack|patator|john|hashcat|rcrack|w3af|aircrack-ng)") </code></p><p>Note: the <code>*…*</code> values are wildcard substring matches. Short tool names such as <code>john</code> will also match unrelated command lines (for example user names or paths containing that string), so tune the list against a baseline of normal activity before alerting on it.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1115">T1115</a> </td> <td> <a href="/versions/v16/techniques/T1115">Clipboard Data</a> </td> <td> <p>Monitor executed commands and arguments to collect data stored in the clipboard from users copying information within or between applications.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1651">T1651</a> </td> <td> <a href="/versions/v16/techniques/T1651">Cloud Administration Command</a> </td> <td> <p>Monitor for suspicious command executions via cloud management services like AWS Systems Manager or Azure RunCommand. 
In Azure, usage of Azure RunCommand can be identified via the Azure Activity Logs, and additional details on the result of executed jobs are available in the <code>C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows</code> directory on Windows virtual machines.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Adrien Bataille, Anders Vejlby, Jared Scott Wilson, and Nader Zaveri. (2021, December 14). Azure Run Command for Dummies. Retrieved March 13, 2023."data-reference="Mandiant Azure Run Command 2021"><sup><a href="https://www.mandiant.com/resources/blog/azure-run-command-dummies" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p><p>Analytic 1 - Abnormal or unauthorized execution of commands/scripts on VMs</p><p><code> index=cloud_logs (sourcetype=aws:ssm OR sourcetype=azure:activity) | search action IN ("RunCommand", "StartSSMCommand", "ExecuteCommand")</code></p><p>Note: the parentheses around the sourcetype clause are required; without them the <code>index=cloud_logs</code> constraint applies only to the SSM branch and the Azure branch matches events from every index.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1059">T1059</a> </td> <td> <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a> </td> <td> <p>Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. 
</p><p>Analytic 1 - Suspicious script execution</p><p><code> (sourcetype=WinEventLog:Security OR sourcetype=sysmon OR sourcetype=linux_secure OR sourcetype=linux_audit OR sourcetype=mac_os_log OR sourcetype=azure:audit OR sourcetype=o365:audit)| search Image IN ("bash", "sh", "cmd", "powershell", "python", "java", "perl", "ruby", "node", "osascript", "wmic")| eval suspicious_cmds=if(like(command_line, "%Invoke-Obfuscation%") OR like(command_line, "%-EncodedCommand%") OR like(command_line, "%IEX%") OR like(command_line, "%wget%") OR like(command_line, "%curl%"), "Yes", "No")| where suspicious_cmds="Yes"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1059/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1059/001">PowerShell</a> </td> <td> <p>Even if an execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line; the execution policy is not a security boundary. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016."data-reference="Malware Archaeology PowerShell Cheat Sheet"><sup><a href="http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span> PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. 
Earlier versions of PowerShell do not have many logging features.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016."data-reference="FireEye PowerShell Logging 2016"><sup><a href="https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span> An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.</p><p>PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe</p><p>For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command Enter-PSSession -ComputerName \&lt;RemoteHost&gt; creates a remote PowerShell session.</p><p>Analytic 1 - Look for unusual PowerShell execution.</p><p><code> sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational| search EventCode=4104| eval suspicious_cmds=if(like(Message, "%-EncodedCommand%") OR like(Message, "%Invoke-Expression%") OR like(Message, "%IEX%") OR like(Message, "%DownloadFile%"), "Yes", "No")| where suspicious_cmds="Yes"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1059/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1059/002">AppleScript</a> </td> <td> <p>Monitor executed commands and arguments that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. 
Actions may be related to network and system information <a href="https://attack.mitre.org/tactics/TA0007">Discovery</a>, <a href="https://attack.mitre.org/tactics/TA0009">Collection</a>, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.</p><p>Analytic 1 - Look for unusual execution of AppleScript.</p><p><code>sourcetype=macOS:Process| search process_name="osascript"| eval suspicious_cmd=if(like(command_line, "%-e%") OR like(command_line, "%path/to/script%"), "Yes", "No")| where suspicious_cmd="Yes" </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1059/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a> </td> <td> <p>Monitor executed commands and arguments that may abuse the Windows command shell for execution. Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. 
Scripts should be captured from the file system when possible to determine their actions and intent.</p><p>Analytic 1 - Look for unusual command shell execution.</p><p><code> sourcetype=WinEventLog:Security| search EventCode=4688 process_name="cmd.exe"| eval suspicious_cmd=if(like(command_line, "%/c%") OR like(command_line, "%.bat%") OR like(command_line, "%.cmd%"), "Yes", "No")| where suspicious_cmd="Yes"</code></p><p>Note: event ID 4688 (process creation) includes the command line only when process creation auditing is configured to log it; event ID 4689 (process termination) carries no command line, so the search is limited to 4688.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1059/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1059/004">Unix Shell</a> </td> <td> <p>Monitor executed commands and arguments that may abuse Unix shell commands and scripts for execution. Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.</p><p>Note: this analytic does not include an exhaustive list of potentially suspicious commands that could be executed through a shell interpreter. 
Instead, it is meant to serve as an example of types of commands that can warrant further investigation.</p><p>Analytic 1 - Unusual command execution </p><p><code> sourcetype="linux_logs" CommandLine="*sh -c*" AND (CommandLine="*wget*" OR CommandLine="*curl*" OR CommandLine="*nc*" OR CommandLine="*perl*")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1059/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1059/005">Visual Basic</a> </td> <td> <p>Monitor executed commands and arguments that may abuse Visual Basic (VB) for execution.</p><p>Analytic 1 - Look for unusual VB execution.</p><p><code>sourcetype=wineventlog OR sourcetype=linux_secure OR sourcetype=macos_secure| search (command="cscript.exe" OR command="wscript.exe" OR command=".vbs" OR command=".vba" OR command=".vbe")| eval suspicious_cmd=if(like(command_line, "%.vbs") OR like(command_line, "%.vba") OR like(command_line, "%.vbe"), "Yes", "No")| where suspicious_cmd="Yes" </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1059/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1059/006">Python</a> </td> <td> <p>Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. 
Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor executed commands and arguments that may abuse Python commands and scripts for execution.</p><p>Analytic 1 - Look for unusual Python execution.</p><p><code>(sourcetype=wineventlog:security EventCode=4688) OR (sourcetype=sysmon EventCode=1) | search (process_name="python.exe" OR process_name="python3" OR process_name="python")| eval suspicious_script=if(match(command_line, ".* -c .*|.*exec.*|.*import os.*|.*eval.*|.*base64.*"), "True", "False")| where suspicious_script="True"| table _time, user, host, command_line, process_name, parent_process </code> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1059/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1059/007">JavaScript</a> </td> <td> <p>Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information <a href="https://attack.mitre.org/tactics/TA0007">Discovery</a>, <a href="https://attack.mitre.org/tactics/TA0009">Collection</a>, or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source. Monitor for execution of JXA through <code>osascript</code> and usage of <code>OSAScript</code> API that may be related to other suspicious behavior occurring on the system. 
</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1059/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1059/008">Network Device CLI</a> </td> <td> <p>Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. <span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020."data-reference="Cisco IOS Software Integrity Assurance - Command History"><sup><a href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#23" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span> Consider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1059/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1059/009">Cloud API</a> </td> <td> <p>Consider reviewing command history in either host machines or cloud audit logs to determine if unauthorized or suspicious commands were executed.</p><p>Cloud API activity logging is typically enabled by default and may be reviewed in sources like the Microsoft Unified Audit Log, AWS CloudTrail, and GCP Admin Activty logs. Review these sources for history of executed API commands. 
Host logs may also be reviewed to capture CLI commands or PowerShell module usage to invoke Cloud API functions.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1059/010">.010</a> </td> <td> <a href="/versions/v16/techniques/T1059/010">AutoHotKey & AutoIT</a> </td> <td> <p>Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of malicious execution. Compare recent invocations of <code>AutoIt3.exe</code> and <code>AutoHotkey.exe</code> with prior history of known good arguments to determine anomalous and potentially adversarial activity (ex: obfuscated and/or malicious commands).</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1059/011">.011</a> </td> <td> <a href="/versions/v16/techniques/T1059/011">Lua</a> </td> <td> <p>Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors such as using <code><code>os.execute</code></code> to execute operating system commands.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/versions/v16/techniques/T1623">T1623</a> </td> <td> <a href="/versions/v16/techniques/T1623">Command and Scripting Interpreter</a> </td> <td> <p>Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.</p> </td> </tr> <tr class="sub technique mobile" id="mobile"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1623/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1623/001">Unix Shell</a> </td> <td> <p>Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0807">T0807</a> </td> <td> <a href="/versions/v16/techniques/T0807">Command-Line Interface</a> </td> <td> <p>On Windows and Unix systems monitor executed commands and arguments that may use shell commands for execution. Shells may be common on administrator, developer, or power user systems depending on job function.</p><p>On network device and embedded system CLIs consider reviewing command history if unauthorized or suspicious commands were used to modify device configuration.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1609">T1609</a> </td> <td> <a href="/versions/v16/techniques/T1609">Container Administration Command</a> </td> <td> <p>Monitor command execution within containers to detect suspicious activity. 
Commands executed via Docker (<code>docker exec</code>) or Kubernetes (<code>kubectl exec</code>) should be captured along with relevant metadata.</p><p>Analytic 1 - Unusual command executions in container services.</p><p><code>sourcetype=docker:daemon OR sourcetype=kubernetes:apiserver | search command IN ("docker exec", "kubectl exec")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1136">T1136</a> </td> <td> <a href="/versions/v16/techniques/T1136">Create Account</a> </td> <td> <p>Monitor executed commands and arguments for actions that are associated with account creation, such as <code>net user</code> or <code>useradd</code>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1136/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1136/001">Local Account</a> </td> <td> <p>Monitor executed commands and arguments for actions that are associated with local account creation, such as <code>net user /add</code>, <code>useradd</code>, <code>dscl -create</code>, and <code>kubectl create serviceaccount</code>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1136/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1136/002">Domain Account</a> </td> <td> <p>Monitor executed commands and arguments for actions that are associated with domain account creation, such as <code>net user /add /domain</code>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1543">T1543</a> </td> <td> <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a> </td> <td> <p>Command-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. 
Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1543/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1543/001">Launch Agent</a> </td> <td> <p>Ensure that any Launch Agent whose <code>ProgramArguments</code> key points to executables located in the <code>/tmp</code> or <code>/shared</code> folders is in alignment with enterprise policy. Ensure all Launch Agents with the <code>RunAtLoad</code> key set to <code>true</code> are in alignment with policy.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1543/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1543/002">Systemd Service</a> </td> <td> <p>Suspicious systemd services can also be identified by comparing results against a trusted system baseline. Malicious systemd services may be detected by using the systemctl utility to examine system-wide services: <code>systemctl list-units --type=service --all</code>. Auditing the execution and command-line arguments of the <code>systemctl</code> utility, as well as related utilities such as <code>/usr/sbin/service</code>, may reveal malicious systemd service execution.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1543/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1543/003">Windows Service</a> </td> <td> <p>Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. 
Services may also be modified through Windows system management tools such as <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> and <a href="/versions/v16/techniques/T1059/001">PowerShell</a>, so additional logging may need to be configured to gather the appropriate data. Also collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1543/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1543/004">Launch Daemon</a> </td> <td> <p>Some legitimate LaunchDaemons point to unsigned code that could be exploited. For Launch Daemons with the <code>RunAtLoad</code> parameter set to true, ensure the <code>Program</code> parameter points to signed code or to executables that are in alignment with enterprise policy. Some parameters are interchangeable with others, such as the <code>Program</code> and <code>ProgramArguments</code> parameters, but one of them must be present. <span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Dennis German. (2020, November 20). launchd Keywords for plists. Retrieved October 7, 2021." data-reference="launchd Keywords for plists"><sup><a href="https://www.real-world-systems.com/docs/launchdPlist.1.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1543/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1543/005">Container Service</a> </td> <td> <p>Monitor for suspicious uses of the docker or podman command, such as attempts to mount the root filesystem of the host. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1555">T1555</a> </td> <td> <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a> </td> <td> <p>Monitor executed commands and arguments that may search for common password storage locations to obtain user credentials.</p><p>Analytic 1 - Commands indicating credential searches.</p><p><code>(index=os sourcetype IN ("Powershell", "linux_secure", "macos_secure") CommandLine IN ("*findstr* /si password", "*findstr* /si pass", "*grep* -r password", "*grep* -r pass", "*grep* -r secret", "*security* find-generic-password", "*security* find-internet-password", "*security* dump-keychain", "*gsettings* get org.gnome.crypto.cache", "*cat* /etc/shadow", "*strings* /etc/shadow", "*ls -al* ~/.ssh/known_hosts", "*ssh-add* -L"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1555/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1555/001">Keychain</a> </td> <td> <p>Monitor executed commands with arguments that may be used to collect Keychain data from a system to acquire credentials.</p><p>Analytic 1 - Commands indicating credential searches in Keychain.</p><p><code>index=security sourcetype="macos_secure" (event_type="process" AND (command IN ("security dump-keychain", "security find-generic-password", "security find-internet-password", "security unlock-keychain") OR command IN ("*security* dump-keychain*", "*security* find-generic-password*", "*security* find-internet-password*", "*security* unlock-keychain*")))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1555/002">.002</a> </td> <td> <a 
href="/versions/v16/techniques/T1555/002">Securityd Memory</a> </td> <td> <p>Monitor executed commands and arguments that may be used to obtain root access (allowing an adversary to read securityd’s memory) and then scan through that memory to find the correct sequence of keys, in relatively few tries, to decrypt the user’s logon keychain.</p><p>Analytic 1 - Commands indicating attempts to read securityd’s memory.</p><p><code>index=security sourcetype IN ("linux_secure", "macos_secure") event_type="process" (CommandLine IN ("*gcore*", "*dbxutil*", "*vmmap*", "*gdb*", "*lldb*", "*memdump*", "*strings*", "*cat /proc/*/maps*", "*grep /proc/*/maps*") OR CommandLine IN ("*security find-generic-password*", "*security find-internet-password*", "*security dump-keychain*"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1555/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a> </td> <td> <p>Monitor executed commands and arguments that may acquire credentials from web browsers by reading files specific to the target browser.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. 
Retrieved March 14, 2019." data-reference="Talos Olympic Destroyer 2018"><sup><a href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p><p>Analytic 1 - Commands indicating credential searches in web browsers.</p><p><code>index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="process" (CommandLine IN ("*sqlite3* *logins*", "*CryptUnprotectData*", "*security find-internet-password*", "*sqlcipher* *logins*", "*strings* *Login Data*", "*cat* *Login Data*", "*cat* *logins.json*", "*sqlite3* *signons.sqlite*"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1555/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1555/004">Windows Credential Manager</a> </td> <td> <p>Monitor executed commands and arguments for suspicious activity listing credentials from the Windows Credentials locker (e.g. <code>vaultcmd /listcreds:"Windows Credentials"</code>).<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Arntz, P. (2016, March 30). The Windows Vault. 
Retrieved November 23, 2020." data-reference="Malwarebytes The Windows Vault"><sup><a href="https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p><p>Analytic 1 - Commands indicating credential searches in Windows Credential Manager.</p><p><code>index=security sourcetype="Powershell" EventCode=4104 (CommandLine IN ("*vaultcmd.exe*", "*rundll32.exe keymgr.dll KRShowKeyMgr*"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1555/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1555/005">Password Managers</a> </td> <td> <p>Monitor executed commands and arguments that may acquire user credentials from third-party password managers. <span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="ise. (2019, February 19). Password Managers: Under the Hood of Secrets Management. 
Retrieved January 22, 2021." data-reference="ise Password Manager February 2019"><sup><a href="https://www.ise.io/casestudies/password-manager-hacking/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p><p>Analytic 1 - Commands indicating credential searches in password managers.</p><p><code>index=security sourcetype IN ("linux_secure", "macos_secure") (CommandLine IN ("*keepass*", "*lastpass*", "*1password*", "*bitwarden*", "*dashlane*", "*passwordsafe*", "*login*", "*vault*"))</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1485">T1485</a> </td> <td> <a href="/versions/v16/techniques/T1485">Data Destruction</a> </td> <td> <p>Monitor executed commands and arguments for binaries that could be involved in data destruction activity, such as SDelete.</p> </td> </tr> <tr class="technique mobile" id="mobile"> <td> Mobile </td> <td colspan="2"> <a href="/versions/v16/techniques/T1662">T1662</a> </td> <td> <a href="/versions/v16/techniques/T1662">Data Destruction</a> </td> <td> <p>Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting file deletion processes. 
</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0809">T0809</a> </td> <td> <a href="/versions/v16/techniques/T0809">Data Destruction</a> </td> <td> <p>Monitor executed commands and arguments for binaries that could be involved in data destruction activity, such as SDelete.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1486">T1486</a> </td> <td> <a href="/versions/v16/techniques/T1486">Data Encrypted for Impact</a> </td> <td> <p>Monitor executed commands and arguments for actions involved in data destruction activity, such as <code>vssadmin</code>, <code>wbadmin</code>, and <code>bcdedit</code>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1005">T1005</a> </td> <td> <a href="/versions/v16/techniques/T1005">Data from Local System</a> </td> <td> <p>Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Remote access tools with built-in features may interact directly with the Windows API to gather data. 
Data may also be acquired through Windows system management tools such as <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> and <a href="/versions/v16/techniques/T1059/001">PowerShell</a>.</p><p>For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0893">T0893</a> </td> <td> <a href="/versions/v16/techniques/T0893">Data from Local System</a> </td> <td> <p>Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> and <a href="/versions/v16/techniques/T1059/001">PowerShell</a>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1039">T1039</a> </td> <td> <a href="/versions/v16/techniques/T1039">Data from Network Shared Drive</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. 
Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1025">T1025</a> </td> <td> <a href="/versions/v16/techniques/T1025">Data from Removable Media</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to collect files from a system's connected removable media. For example, data may be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1074">T1074</a> </td> <td> <a href="/versions/v16/techniques/T1074">Data Staged</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather data and copy it to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1074/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1074/001">Local Data Staging</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather data and copy it to a location. 
Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1074/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1074/002">Remote Data Staging</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather data and copy it to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1622">T1622</a> </td> <td> <a href="/versions/v16/techniques/T1622">Debugger Evasion</a> </td> <td> <p>Monitor executed commands and arguments that may employ various means to detect and avoid debugged environments. Detecting actions related to debugger identification may be difficult depending on the adversary's implementation and the monitoring required.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1652">T1652</a> </td> <td> <a href="/versions/v16/techniques/T1652">Device Driver Discovery</a> </td> <td> <p>Monitor executed commands (<code>lsmod</code>, <code>driverquery</code>, etc.) 
with arguments highlighting potentially malicious attempts to enumerate device drivers.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1006">T1006</a> </td> <td> <a href="/versions/v16/techniques/T1006">Direct Volume Access</a> </td> <td> <p>Monitor executed commands and arguments that could be taken to copy files from the logical drive and evade common file system protections. Since this technique may also be used through <a href="/versions/v16/techniques/T1059/001">PowerShell</a>, additional logging of PowerShell scripts is recommended.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1561">T1561</a> </td> <td> <a href="/versions/v16/techniques/T1561">Disk Wipe</a> </td> <td> <p>Monitor for direct access read/write attempts using the <code>\\.\</code> notation.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. 
Retrieved December 13, 2017."data-reference="Microsoft Sysmon v6 May 2017"><sup><a href="https://docs.microsoft.com/sysinternals/downloads/sysmon" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> Monitor for unusual kernel driver installation activity.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1561/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1561/001">Disk Content Wipe</a> </td> <td> <p>Monitor executed commands and arguments that may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1561/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1561/002">Disk Structure Wipe</a> </td> <td> <p>Monitor executed commands and arguments that may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1484">T1484</a> </td> <td> <a href="/versions/v16/techniques/T1484">Domain or Tenant Policy Modification</a> </td> <td> <p>Monitor executed commands and arguments for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes <code>Set federation settings on domain</code> and <code>Set domain authentication</code>.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Microsoft. (2020, December). Azure Sentinel Detections. 
Retrieved December 30, 2020." data-reference="Microsoft - Azure Sentinel ADFSDomainTrustMods"><sup><a href="https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021." data-reference="Microsoft 365 Defender Solorigate"><sup><a href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1484/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1484/001">Group Policy Modification</a> </td> <td> <p>Monitor executed commands and arguments that may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1484/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1484/002">Trust Modification</a> </td> <td> <p>Monitor executed commands and arguments that update domain authentication from Managed to Federated via ActionTypes <code>Set federation settings on domain</code> and <code>Set domain authentication</code>.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Microsoft. (2020, December). Azure Sentinel Detections. 
Retrieved December 30, 2020." data-reference="Microsoft - Azure Sentinel ADFSDomainTrustMods"><sup><a href="https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span> Monitor for PowerShell commands such as: <code>Update-MSOLFederatedDomain -DomainName: "Federated Domain Name"</code>, or <code>Update-MSOLFederatedDomain -DomainName: "Federated Domain Name" -supportmultipledomain</code>.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Microsoft. (2020, September 14). Update or repair the settings of a federated domain in Office 365, Azure, or Intune. Retrieved December 30, 2020." data-reference="Microsoft - Update or Repair Federated domain"><sup><a href="https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1482">T1482</a> </td> <td> <a href="/versions/v16/techniques/T1482">Domain Trust Discovery</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to gather system and network information, such as <code>nltest /domain_trusts</code>. Remote access tools with built-in features may interact directly with the Windows API to gather information.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1114">T1114</a> </td> <td> <a href="/versions/v16/techniques/T1114">Email Collection</a> </td> <td> <p>Monitor executed processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. 
Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.</p><p>On Windows systems, monitor for creation of suspicious inbox rules through the use of the <code>New-InboxRule</code>, <code>Set-InboxRule</code>, <code>New-TransportRule</code>, and <code>Set-TransportRule</code> PowerShell cmdlets.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021."data-reference="Microsoft BEC Campaign"><sup><a href="https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Microsoft. (2023, February 22). Manage mail flow rules in Exchange Online. Retrieved March 13, 2023."data-reference="Microsoft Manage Mail Flow Rules 2023"><sup><a href="https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1114/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1114/001">Local Email Collection</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. 
Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1114/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1114/002">Remote Email Collection</a> </td> <td> <p>Monitor executed commands and arguments for actions that may target an Exchange server, Office 365, or Google Workspace to collect sensitive information.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1114/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1114/003">Email Forwarding Rule</a> </td> <td> <p>On Windows systems, monitor for creation of suspicious inbox rules through the use of the <code>New-InboxRule</code>, <code>Set-InboxRule</code>, <code>New-TransportRule</code>, and <code>Set-TransportRule</code> PowerShell cmdlets.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021."data-reference="Microsoft BEC Campaign"><sup><a href="https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Microsoft. (2023, February 22). Manage mail flow rules in Exchange Online. 
Retrieved March 13, 2023." data-reference="Microsoft Manage Mail Flow Rules 2023"><sup><a href="https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1546">T1546</a> </td> <td> <a href="/versions/v16/techniques/T1546">Event Triggered Execution</a> </td> <td> <p>Monitor executed commands and arguments that may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1546/001">Change Default File Association</a> </td> <td> <p>Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by a file type association.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1546/002">Screensaver</a> </td> <td> <p>Monitor executed commands and arguments associated with <code>.scr</code> files.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a> </td> <td> <p>Monitor executed commands and arguments that can be used to register WMI persistence, such as the <code>Register-WmiEvent</code> <a href="/versions/v16/techniques/T1059/001">PowerShell</a> cmdlet.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Microsoft. (n.d.). 
Retrieved January 24, 2020."data-reference="Microsoft Register-WmiEvent"><sup><a href="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1546/004">Unix Shell Configuration Modification</a> </td> <td> <p>Monitor executed commands and arguments that may establish persistence through executing malicious commands triggered by a user’s shell.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1546/005">Trap</a> </td> <td> <p>Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by an interrupt signal.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1546/006">LC_LOAD_DYLIB Addition</a> </td> <td> <p>Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by the execution of tainted binaries.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1546/007">Netsh Helper DLL</a> </td> <td> <p>Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by Netsh Helper DLLs.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/008">.008</a> </td> <td> <a 
href="/versions/v16/techniques/T1546/008">Accessibility Features</a> </td> <td> <p>Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Command-line invocation of tools capable of modifying the associated Registry keys is also suspicious. Utility arguments and the binaries themselves should be monitored for changes.</p><p>Note: Event ID 4104 (from the Microsoft-Windows-PowerShell/Operational log) captures PowerShell script blocks when Script Block Logging is enabled; these can be analyzed to detect abuse of Accessibility Features. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1546/009">AppCert DLLs</a> </td> <td> <p>Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/010">.010</a> </td> <td> <a href="/versions/v16/techniques/T1546/010">AppInit DLLs</a> </td> <td> <p>Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/011">.011</a> </td> <td> <a href="/versions/v16/techniques/T1546/011">Application Shimming</a> </td> <td> <p>Monitor executed commands and arguments for sdbinst.exe for potential indications of application shim abuse.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/012">.012</a> </td> <td> <a 
href="/versions/v16/techniques/T1546/012">Image File Execution Options Injection</a> </td> <td> <p>Monitor executed commands and arguments that may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/013">.013</a> </td> <td> <a href="/versions/v16/techniques/T1546/013">PowerShell Profile</a> </td> <td> <p>Monitor for abnormal PowerShell commands and for unusual loading of PowerShell drives or modules.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/014">.014</a> </td> <td> <a href="/versions/v16/techniques/T1546/014">Emond</a> </td> <td> <p>Monitor executed commands and arguments that may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond).</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/015">.015</a> </td> <td> <a href="/versions/v16/techniques/T1546/015">Component Object Model Hijacking</a> </td> <td> <p>Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.</p><p>Note: Event ID 4104 (from the Microsoft-Windows-PowerShell/Operational log) captures PowerShell script blocks when Script Block Logging is enabled; these can be analyzed to detect changes to COM Registry keys, including those under HKCU\Software\Classes\CLSID\.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1546/016">.016</a> </td> <td> <a href="/versions/v16/techniques/T1546/016">Installer Packages</a> </td> <td> <p>Monitor executed commands and arguments that may be related to abuse of installer 
packages, including malicious commands triggered by application installations.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1480">T1480</a> </td> <td> <a href="/versions/v16/techniques/T1480">Execution Guardrails</a> </td> <td> <p>Monitor executed commands and arguments that may check environment-specific conditions in order to constrain execution to a specific target environment. Detecting the use of guardrails may be difficult depending on the implementation.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1480/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1480/001">Environmental Keying</a> </td> <td> <p>Monitor executed commands and arguments that may collect environment-specific values (for example, host, domain, or hardware identifiers) that could be used to key payload decryption to a specific target. Detecting the use of environmental keying may be difficult depending on the implementation.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1048">T1048</a> </td> <td> <a href="/versions/v16/techniques/T1048">Exfiltration Over Alternative Protocol</a> </td> <td> <p>Monitor executed commands and arguments that may steal data by exfiltrating it over a different protocol than that of the existing command and control channel.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1048/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1048/001">Exfiltration Over Symmetric Encrypted Non-C2 Protocol</a> </td> <td> <p>Monitor executed commands and arguments that may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> 
<a href="/versions/v16/techniques/T1048/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1048/002">Exfiltration Over Asymmetric Encrypted Non-C2 Protocol</a> </td> <td> <p>Monitor executed commands and arguments that may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1048/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1048/003">Exfiltration Over Unencrypted Non-C2 Protocol</a> </td> <td> <p>Monitor executed commands and arguments that may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1041">T1041</a> </td> <td> <a href="/versions/v16/techniques/T1041">Exfiltration Over C2 Channel</a> </td> <td> <p>Monitor executed commands and arguments that may steal data by exfiltrating it over an existing command and control channel.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1011">T1011</a> </td> <td> <a href="/versions/v16/techniques/T1011">Exfiltration Over Other Network Medium</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to exfiltrate data over a different network medium than the command and control channel.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1011/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1011/001">Exfiltration Over Bluetooth</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to exfiltrate data over Bluetooth rather than the command and control 
channel.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1052">T1052</a> </td> <td> <a href="/versions/v16/techniques/T1052">Exfiltration Over Physical Medium</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to exfiltrate data via a physical medium, such as a removable drive.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1052/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1052/001">Exfiltration over USB</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to exfiltrate data over a USB-connected physical device.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1567">T1567</a> </td> <td> <a href="/versions/v16/techniques/T1567">Exfiltration Over Web Service</a> </td> <td> <p>Monitor executed commands and arguments that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1567/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1567/001">Exfiltration to Code Repository</a> </td> <td> <p>Monitor executed commands and arguments that may exfiltrate data to a code repository rather than over their primary command and control channel.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1567/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1567/002">Exfiltration to Cloud Storage</a> </td> <td> <p>Monitor executed commands and arguments that may exfiltrate data to a cloud storage service rather than over their primary command and control channel.</p> </td> 
</tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1567/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1567/004">Exfiltration Over Webhook</a> </td> <td> <p>Monitor executed commands and arguments that may exfiltrate data to a webhook as a malicious command and control channel. Additionally, monitor commands that may create new webhook configurations in SaaS services - for example, <code>gh webhook forward</code> in Github or <code>mgc subscriptions create</code> in Office 365.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Github. (n.d.). Receiving webhooks with the GitHub CLI. Retrieved August 4, 2023."data-reference="Github CLI Create Webhook"><sup><a href="https://docs.github.com/en/webhooks-and-events/webhooks/receiving-webhooks-with-the-github-cli" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span><span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Microsoft . (n.d.). Create subscription. Retrieved August 4, 2023."data-reference="Microsoft CLI Create Subscription"><sup><a href="https://learn.microsoft.com/en-us/graph/api/subscription-post-subscriptions" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1083">T1083</a> </td> <td> <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a> </td> <td> <p>Monitor executed commands and arguments that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. 
For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1222">T1222</a> </td> <td> <a href="/versions/v16/techniques/T1222">File and Directory Permissions Modification</a> </td> <td> <p>Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1222/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1222/001">Windows File and Directory Permissions Modification</a> </td> <td> <p>Monitor for executed commands and arguments for PowerShell cmdlets that can be used to retrieve or modify file and directory DACLs.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1222/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1222/002">Linux and Mac File and Directory Permissions Modification</a> </td> <td> <p>Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Commonly abused command arguments include <code>chmod +x</code>, <code>chmod -R 755</code>, and <code>chmod 777</code>.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Phil Stokes. (2021, February 16). 
20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021."data-reference="20 macOS Common Tools and Techniques"><sup><a href="https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0823">T0823</a> </td> <td> <a href="/versions/v16/techniques/T0823">Graphical User Interface</a> </td> <td> <p>Monitor executed commands and arguments related to services specifically designed to accept remote graphical connections, such as RDP and VNC. <a href="/versions/v16/techniques/T0886">Remote Services</a> and <a href="/versions/v16/techniques/T0859">Valid Accounts</a> may be used to access a host’s GUI.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1615">T1615</a> </td> <td> <a href="/versions/v16/techniques/T1615">Group Policy Discovery</a> </td> <td> <p>Monitor for suspicious use of <code>gpresult</code>. 
Monitor for the use of PowerShell functions such as <code>Get-DomainGPO</code> and <code>Get-DomainGPOLocalGroup</code> and processes spawning with command-line arguments containing <code>GPOLocalGroup</code>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1564">T1564</a> </td> <td> <a href="/versions/v16/techniques/T1564">Hide Artifacts</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to hide artifacts associated with their behaviors to evade detection.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1564/001">Hidden Files and Directories</a> </td> <td> <p>Monitor the file system and shell commands for files being created with a leading "." and the Windows command-line use of attrib.exe to add the hidden attribute.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1564/002">Hidden Users</a> </td> <td> <p>Monitor executed commands and arguments that could be taken to add a new user and subsequently hide it from login screens.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1564/003">Hidden Window</a> </td> <td> <p>Monitor executed commands and arguments that may use hidden windows to conceal malicious activity from the plain sight of users. 
In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1564/004">NTFS File Attributes</a> </td> <td> <p>The Streams tool of Sysinternals can be used to uncover files with ADSs. The <code>dir /r</code> command can also be used to display ADSs. <span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Pravs. (2009, May 25). What you need to know about alternate data streams in windows? Is your Data secure? Can you restore that?. Retrieved March 21, 2018."data-reference="Symantec ADS May 2009"><sup><a href="https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span> Many PowerShell commands (such as Get-Item, Set-Item, Remove-Item, and Get-ChildItem) can also accept a <code>-stream</code> parameter to interact with ADSs. <span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018."data-reference="MalwareBytes ADS July 2015"><sup><a href="https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span> <span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Marlin, J. (2013, March 24). Alternate Data Streams in NTFS. 
Retrieved March 21, 2018."data-reference="Microsoft ADS Mar 2014"><sup><a href="https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1564/006">Run Virtual Instance</a> </td> <td> <p>Consider monitoring for commands and arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a silent installation may be especially suspect (ex. <code>-silent</code>, <code>-ignore-reboot</code>), as well as those associated with running a headless (in the background with no UI) virtual instance (ex. <code>VBoxManage startvm $VM --type headless</code>).<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Johann Rehberger. (2020, September 23). Beware of the Shadowbunny - Using virtual machines to persist and evade detections. Retrieved September 22, 2021."data-reference="Shadowbunny VM Defense Evasion"><sup><a href="https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span> Similarly, monitoring command line arguments which suppress notifications may highlight potentially malicious activity (ex. <code>VBoxManage.exe setextradata global GUI/SuppressMessages "all"</code>). 
Monitor for commands which enable hypervisors such as Hyper-V.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1564/008">Email Hiding Rules</a> </td> <td> <p>On Windows and Exchange systems, monitor for creation or modification of suspicious inbox rules through the use of the <code>New-InboxRule</code>, <code>Set-InboxRule</code>, <code>New-TransportRule</code>, and <code>Set-TransportRule</code> PowerShell cmdlets.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021."data-reference="Microsoft BEC Campaign"><sup><a href="https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Microsoft. (2023, February 22). Manage mail flow rules in Exchange Online. Retrieved March 13, 2023."data-reference="Microsoft Manage Mail Flow Rules 2023"><sup><a href="https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. 
Retrieved October 16, 2023."data-reference="Mandiant Cloudy Logs 2023"><sup><a href="https://www.mandiant.com/resources/blog/cloud-bad-log-configurations" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1564/009">Resource Forking</a> </td> <td> <p>Monitor executed commands and arguments that are leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1564/011">.011</a> </td> <td> <a href="/versions/v16/techniques/T1564/011">Ignore Process Interrupts</a> </td> <td> <p>Monitor executed commands and arguments, such as <code>nohup</code>, that may attempt to hide processes from interrupt signals.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1574">T1574</a> </td> <td> <a href="/versions/v16/techniques/T1574">Hijack Execution Flow</a> </td> <td> <p>Monitor executed commands and arguments that may execute their own malicious payloads by hijacking the way operating systems run programs.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1574/006">Dynamic Linker Hijacking</a> </td> <td> <p>Monitor executed commands and arguments associated with modifications to variables and files associated with loading shared libraries such as LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a 
href="/versions/v16/techniques/T1574/011">.011</a> </td> <td> <a href="/versions/v16/techniques/T1574/011">Services Registry Permissions Weakness</a> </td> <td> <p>Monitor for the execution of commands and arguments that adversaries can use to modify services' Registry keys and values through applications such as Windows Management Instrumentation and PowerShell. Additional logging may need to be configured to gather the appropriate data.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1574/012">.012</a> </td> <td> <a href="/versions/v16/techniques/T1574/012">COR_PROFILER</a> </td> <td> <p>Extra scrutiny should be placed on suspicious modification of Registry keys such as COR_ENABLE_PROFILING, COR_PROFILER, and COR_PROFILER_PATH by command-line tools like wmic.exe, setx.exe, and <a href="/versions/v16/software/S0075">Reg</a>. Monitoring for command-line arguments indicating a change to COR_PROFILER variables may aid in detection.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1562">T1562</a> </td> <td> <a href="/versions/v16/techniques/T1562">Impair Defenses</a> </td> <td> <p>Monitor executed commands and arguments that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1562/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1562/001">Disable or Modify Tools</a> </td> <td> <p>Monitor for the execution of commands and arguments associated with disabling or modifying security software processes or services, such as <code>Set-MpPreference -DisableScriptScanning 1</code> in Windows, <code>sudo spctl --master-disable</code> (disables Gatekeeper) in macOS, and <code>setenforce 0</code> (puts SELinux into permissive mode) in Linux. 
Furthermore, on Windows monitor for the execution of taskkill.exe or Net Stop commands which may deactivate antivirus software and other security systems. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1562/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1562/002">Disable Windows Event Logging</a> </td> <td> <p>Monitor executed commands and arguments for commands that can be used to disable logging. For example, <a href="/versions/v16/software/S0645">Wevtutil</a>, auditpol, <code>sc stop EventLog</code>, <code>reg add</code>, <code>Set- or Stop-Service</code>, <code>Set- or New-ItemProperty</code>, <code>sc config</code>, and offensive tooling (such as <a href="/versions/v16/software/S0002">Mimikatz</a> and Invoke-Phant0m) may be used to clear logs and/or change the EventLog/audit policy.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021."data-reference="def_ev_win_event_logging"><sup><a href="https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span><span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="svch0st. (2020, September 30). Event Log Tampering Part 1: Disrupting the EventLog Service. Retrieved September 14, 2021."data-reference="evt_log_tampering"><sup><a href="https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. 
Retrieved April 7, 2022."data-reference="disable_win_evt_logging"><sup><a href="https://ptylu.github.io/content/report/report.html?report=25" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1562/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1562/003">Impair Command History Logging</a> </td> <td> <p>Correlating a user session with a distinct lack of new commands in their <code>.bash_history</code> can be a clue to suspicious behavior. Monitor for modification of PowerShell command history settings through processes being created with <code>-HistorySaveStyle SaveNothing</code> command-line arguments and use of the PowerShell commands <code>Set-PSReadLineOption -HistorySaveStyle SaveNothing</code> and <code>Set-PSReadLineOption -HistorySavePath {File Path}</code>. For network devices, monitor for missing entries or inconsistencies in Network Device CLI logging present in AAA logs as well as in specific RADIUS and TACACS+ logs.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1562/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1562/004">Disable or Modify System Firewall</a> </td> <td> <p>Monitor executed commands and arguments associated with disabling or modifying system firewalls, such as <code>netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes</code>, <code>ufw disable</code>, and <code>ufw logging off</code>.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1562/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1562/006">Indicator Blocking</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to block indicators or events typically captured by sensors 
from being gathered and analyzed. Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1562/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1562/009">Safe Mode Boot</a> </td> <td> <p>Monitor executed commands and arguments associated with making configuration changes to boot settings, such as <code>bcdedit.exe</code> and <code>bootcfg.exe</code>.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Microsoft. (2021, May 27). bcdedit. Retrieved June 23, 2021."data-reference="Microsoft bcdedit 2021"><sup><a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span><span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August 30, 2021."data-reference="Microsoft Bootcfg"><sup><a href="https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span><span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. 
Retrieved June 23, 2021."data-reference="Sophos Snatch Ransomware 2019"><sup><a href="https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1562/010">.010</a> </td> <td> <a href="/versions/v16/techniques/T1562/010">Downgrade Attack</a> </td> <td> <p>Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: <code>powershell -v 2</code>).</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1562/012">.012</a> </td> <td> <a href="/versions/v16/techniques/T1562/012">Disable or Modify Linux Audit System</a> </td> <td> <p>Command-line invocation of the <code>auditctl</code> utility may be unusual, depending on how systems are typically used in a particular environment. At runtime, look for commands to modify or create rules using the <code>auditctl</code> utility. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1070">T1070</a> </td> <td> <a href="/versions/v16/techniques/T1070">Indicator Removal</a> </td> <td> <p>Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1070/001">Clear Windows Event Logs</a> </td> <td> <p>Monitor executed commands and arguments for actions that would delete Windows event logs (via PowerShell) such as <code>Remove-EventLog -LogName Security</code>.</p><p>Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect attempts to Clear Windows Event Logs. In particular, Powershell has a built-in Clear-EventLog cmdlet that allows for a specified log to be cleared. 
</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1070/002">Clear Linux or Mac System Logs</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to remove or overwrite system logs.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1070/003">Clear Command History</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to clear command history, such as <code>Clear-History</code> on Windows or <code>clear logging</code> / <code>clear history</code> via a Network Device CLI in AAA logs, or to disable writing command history, such as <code>history -c</code> in bash/zsh.</p><p>Analytic 1 - Powershell Commands</p><p><code> (source="*WinEventLog:Microsoft-Windows-Powershell/Operational" EventCode="4103") (CommandLine="*Clear-History*" OR (CommandLine="*Remove-Item*" AND CommandLine="*ConsoleHost_history.text*")) </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1070/004">File Deletion</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be utilized to unlink, rename, or delete files.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1070/005">Network Share Connection Removal</a> </td> <td> <p>Monitor executed commands and arguments of net use commands associated with establishing and removing remote shares over SMB, including following best practices for detection of Windows 
Admin Shares.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1070/006">Timestomp</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to alter generated artifacts on a host system (e.g., <code>Timestomp.exe</code> and <code>SetMace.exe</code>).</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1070/007">Clear Network Connection History and Configurations</a> </td> <td> <p>Monitor executed commands and arguments that may delete or alter malicious network configuration settings as well as generated artifacts on a host system, including logs and files such as <code>Default.rdp</code> or <code>/var/log/</code>. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1070/008">Clear Mailbox Data</a> </td> <td> <p>Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined emails. In Exchange environments, monitor for PowerShell cmdlets that may create or alter transport rules, such as <code>New-TransportRule</code> and <code>Set-TransportRule</code>.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Microsoft. (2023, February 22). Manage mail flow rules in Exchange Online. 
Retrieved March 13, 2023."data-reference="Microsoft Manage Mail Flow Rules 2023"><sup><a href="https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1070/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1070/009">Clear Persistence</a> </td> <td> <p>Monitor executed commands and arguments that may delete or alter generated artifacts associated with persistence on a host system.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0872">T0872</a> </td> <td> <a href="/versions/v16/techniques/T0872">Indicator Removal on Host</a> </td> <td> <p>Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1202">T1202</a> </td> <td> <a href="/versions/v16/techniques/T1202">Indirect Command Execution</a> </td> <td> <p>Monitor executed commands and arguments that may be used to bypass security restrictions that limit the use of command-line interpreters. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1105">T1105</a> </td> <td> <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a> </td> <td> <p>Monitor executed commands and arguments for suspicious activity associated with downloading external content.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1490">T1490</a> </td> <td> <a href="/versions/v16/techniques/T1490">Inhibit System Recovery</a> </td> <td> <p>Use process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as <code>vssadmin</code>, <code>wbadmin</code>, and <code>bcdedit</code>.</p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1056">T1056</a> </td> <td> <a href="/versions/v16/techniques/T1056/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/002">GUI Input Capture</a> </td> <td> <p>Monitor executed commands and arguments, such as requests for credentials and/or strings related to creating password prompts that may be malicious.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. 
Retrieved August 19, 2021."data-reference="Spoofing credential dialogs"><sup><a href="https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1570">T1570</a> </td> <td> <a href="/versions/v16/techniques/T1570">Lateral Tool Transfer</a> </td> <td> <p>Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0867">T0867</a> </td> <td> <a href="/versions/v16/techniques/T0867">Lateral Tool Transfer</a> </td> <td> <p>Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1654">T1654</a> </td> <td> <a href="/versions/v16/techniques/T1654">Log Enumeration</a> </td> <td> <p>Monitor for the use of commands and arguments of utilities and other tools used to access and export logs.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1036">T1036</a> </td> <td> <a href="/versions/v16/techniques/T1036">Masquerading</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. <span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. 
Retrieved September 12, 2024."data-reference="Twitter ItsReallyNick Masquerading Update"><sup><a href="https://x.com/ItsReallyNick/status/1055321652777619457" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p><p>Note: For Windows, Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect potential Masquerading. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1036/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1036/003">Rename System Utilities</a> </td> <td> <p>Monitor executed commands and arguments that may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1036/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1036/004">Masquerade Task or Service</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to manipulate the name of a task or service to make it appear legitimate or benign.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1036/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1036/008">Masquerade File Type</a> </td> <td> <p>Monitor for abnormal command execution from otherwise non-executable file types (such as <code>.txt</code> and <code>.jpg</code>). 
</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0849">T0849</a> </td> <td> <a href="/versions/v16/techniques/T0849">Masquerading</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024."data-reference="Twitter ItsReallyNick Masquerading Update"><sup><a href="https://x.com/ItsReallyNick/status/1055321652777619457" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1556">T1556</a> </td> <td> <a href="/versions/v16/techniques/T1556/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1556">Modify Authentication Process</a>: <a href="/versions/v16/techniques/T1556/005">Reversible Encryption</a> </td> <td> <p>Monitor command-line usage for <code>-AllowReversiblePasswordEncryption $true</code> or other actions that could be related to malicious tampering of user settings (i.e. <a href="/versions/v16/techniques/T1484/001">Group Policy Modification</a>). 
</p><p>Analytic 1 - Command-line actions indicating changes to encryption settings.</p><p><code> index=security (sourcetype="WinEventLog:Security" OR sourcetype="powershell")(EventCode=4688 OR EventCode=4104) commandline="*set-aduser*" commandline="*allowreversiblepasswordencryption*" | table _time, Process_ID, User, CommandLine</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1112">T1112</a> </td> <td> <a href="/versions/v16/techniques/T1112">Modify Registry</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to change, conceal, and/or delete information in the Registry. The Registry may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect necessary information for analysis.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0840">T0840</a> </td> <td> <a href="/versions/v16/techniques/T0840">Network Connection Enumeration</a> </td> <td> <p>Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Also monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 
Information may also be acquired through Windows system management tools such as <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> and <a href="/versions/v16/techniques/T1059/001">PowerShell</a>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1046">T1046</a> </td> <td> <a href="/versions/v16/techniques/T1046">Network Service Discovery</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1135">T1135</a> </td> <td> <a href="/versions/v16/techniques/T1135">Network Share Discovery</a> </td> <td> <p>Monitor executed commands and arguments that may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1040">T1040</a> </td> <td> <a href="/versions/v16/techniques/T1040">Network Sniffing</a> </td> <td> <p>Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network.</p><p>Analytic 1 - Unexpected command execution of network sniffing tools.</p><p><code> index=security (sourcetype="Powershell" EventCode=4104) | eval CommandLine=coalesce(Command_Line, CommandLine) | where ExecutingProcess IN ("*tshark.exe", "*windump.exe", "*tcpdump.exe", "*wprui.exe", "*wpr.exe")</code></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td 
colspan="2"> <a href="/versions/v16/techniques/T0842">T0842</a> </td> <td> <a href="/versions/v16/techniques/T0842">Network Sniffing</a> </td> <td> <p>Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1027">T1027</a> </td> <td> <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a> </td> <td> <p>Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., <code>^</code>).</p><p>Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1027/004">Compile After Delivery</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to gather common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/010">.010</a> </td> <td> <a href="/versions/v16/techniques/T1027/010">Command Obfuscation</a> </td> <td> <p>Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., <code>^</code>).</p><p>Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a 
href="/versions/v16/techniques/T1137">T1137</a> </td> <td> <a href="/versions/v16/techniques/T1137">Office Application Startup</a> </td> <td> <p>Monitor executed commands and arguments that may leverage Microsoft Office-based applications for persistence between startups. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019."data-reference="Microsoft Detect Outlook Forms"><sup><a href="https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span> SensePost, whose tool <a href="/versions/v16/software/S0358">Ruler</a> can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. 
Retrieved February 4, 2019."data-reference="SensePost NotRuler"><sup><a href="https://github.com/sensepost/notruler" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1137/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1137/001">Office Template Macros</a> </td> <td> <p>Monitor executed commands and arguments that may abuse Microsoft Office templates to obtain persistence on a compromised system.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1137/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1137/002">Office Test</a> </td> <td> <p>Monitor executed commands and arguments that may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1137/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1137/003">Outlook Forms</a> </td> <td> <p>Monitor executed commands and arguments that may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. 
Retrieved February 4, 2019."data-reference="Microsoft Detect Outlook Forms"><sup><a href="https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1137/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1137/004">Outlook Home Page</a> </td> <td> <p>Monitor executed commands and arguments that may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019."data-reference="Microsoft Detect Outlook Forms"><sup><a href="https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1137/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1137/005">Outlook Rules</a> </td> <td> <p>Monitor executed commands and arguments that may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Fox, C., Vangel, D. (2018, April 22). 
Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019."data-reference="Microsoft Detect Outlook Forms"><sup><a href="https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span> This PowerShell script is ineffective in gathering rules with modified PR_RULE_MSG_NAME and PR_RULE_MSG_PROVIDER properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021."data-reference="Pfammatter - Hidden Inbox Rules"><sup><a href="https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1137/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1137/006">Add-ins</a> </td> <td> <p>Monitor executed commands and arguments that may abuse Microsoft Office add-ins to obtain persistence on a compromised system. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1003">T1003</a> </td> <td> <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to dump credentials using tools like <a href="/versions/v16/software/S0002">Mimikatz</a>, ProcDump, NTDSUtil, or accessing /proc, /etc/passwd, and /etc/shadow. 
</p><p>Analytic 1 - Suspicious command execution involving credential dumping tools.</p><p><code>(index=security sourcetype="WinEventLog:Security" EventCode=4688 Image IN ("*mimikatz.exe", "*procdump.exe", "*ntdsutil.exe", "*powershell.exe") CommandLine IN ("*Invoke-Mimikatz*", "*Invoke-CachedCredentials*", "*Invoke-LSADump*", "*Invoke-SAMDump*"))OR(index=security sourcetype="linux_secure" Command IN ("cat /etc/passwd", "cat /etc/shadow", "grep -E '^[0-9a-f-]* r' /proc/*/maps"))OR(index=security sourcetype="macOS:UnifiedLog" process IN ("cat", "grep") message IN ("/etc/passwd", "/etc/shadow", "/var/db/shadow/hash/*", "/private/etc/master.passwd"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1003/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1003/001">LSASS Memory</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="PowerSploit. (n.d.). 
Retrieved December 4, 2014."data-reference="Powersploit"><sup><a href="https://github.com/mattifestation/PowerSploit" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span> which may require additional logging features to be configured in the operating system to collect necessary information for analysis.</p><p>Note: Event ID 4104 from the "Microsoft-Windows-PowerShell/Operational" log captures Powershell script blocks, whose contents can be further analyzed to determine if they’re performing LSASS dumping.</p><p>Analytic 1 - Unauthorized command execution of LSASS memory.</p><p><code> index=security sourcetype="Powershell" EventCode=4104 Image="*powershell.exe" CommandLine IN ("*Invoke-Mimikatz*", "*procdump.exe* -ma lsass", "*rundll32.exe* comsvcs.dll, MiniDump", "*taskmgr.exe* /dump") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1003/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1003/002">Security Account Manager</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored.</p><p>Analytic 1 - Unauthorized attempts to dump SAM database through command execution.</p><p><code> index=security sourcetype="Powershell" EventCode=4104 Image="*powershell.exe" CommandLine IN ("*Invoke-Mimikatz*", "*Invoke-SAMDump*", "*reg save hklm\sam*", "*reg.exe save hklm\sam*")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1003/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1003/003">NTDS</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to access or create a copy of the Active 
Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. Look for command-lines that invoke attempts to access or copy the NTDS.dit.</p><p>Note: Events 4688 (Microsoft Windows Security Auditing) and 1 (Microsoft Windows Sysmon) provide context of commands and parameters being executed via creation of a new process. Event 800 (PowerShell) provides context of commands and parameters being executed via PowerShell. This detection is based on known Windows utilities commands and parameters that can be used to copy the ntds.dit file. It is recommended to keep the list of commands and parameters up to date.</p><p>Analytic 1 - Command line attempt to access or create a copy of ntds.dit file</p><p><code>((sourcetype="WinEventLog:Microsoft-Windows-Powershell/Operational" EventCode="800") AND((CommandLine LIKE "%ntds%" AND CommandLine LIKE "%ntdsutil%" AND CommandLine LIKE "%create%") OR (CommandLine LIKE "%vssadmin%" AND CommandLine LIKE "%create%" AND CommandLine LIKE "%shadow%") OR (CommandLine LIKE "%copy%" AND CommandLine LIKE "%ntds.dit%")))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1003/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1003/004">LSA Secrets</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to access Local Security Authority (LSA) secrets. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="PowerSploit. (n.d.). 
Retrieved December 4, 2014."data-reference="Powersploit"><sup><a href="https://github.com/mattifestation/PowerSploit" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span> which may require additional logging features to be configured in the operating system to collect necessary information for analysis.</p><p>Analytic 1 - Suspicious access to LSA secrets.</p><p><code> index=security (sourcetype="Powershell" EventCode=4104) Image="*powershell.exe" CommandLine IN ("*Invoke-Mimikatz*", "*Invoke-LSADump*")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1003/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1003/005">Cached Domain Credentials</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020."data-reference="Microsoft - Cached Creds"><sup><a href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v%3Dws.11)" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span>. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="PowerSploit. (n.d.). 
Retrieved December 4, 2014."data-reference="Powersploit"><sup><a href="https://github.com/mattifestation/PowerSploit" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span> which may require additional logging features to be configured in the operating system to collect necessary information for analysis. Detection of compromised <a href="/versions/v16/techniques/T1078">Valid Accounts</a> in-use by adversaries may help as well.</p><p>Analytic 1 - Unusual access to cached domain credentials.</p><p><code> (index=security sourcetype="Powershell" EventCode=4104 Image="*powershell.exe" CommandLine IN ("*Invoke-Mimikatz*", "*Invoke-CachedCredentials*"))OR(index=security sourcetype="linux_secure" (cmd IN ("*mimikatz*", "*cachedump*"))) </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1003/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1003/007">Proc Filesystem</a> </td> <td> <p>Monitor executed commands and arguments that may gather credentials from information stored in the Proc filesystem or <code>/proc</code>. For instance, adversaries may use regex patterns to search for process memory that may be exfiltrated or searched for credentials.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Atomic Red Team. (2023, November). T1003.007 - OS Credential Dumping: Proc Filesystem. Retrieved March 28, 2024."data-reference="atomic-red proc file system"><sup><a href="https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span><span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Gregal, Hunter. (2019, September 17). MimiPenguin 2.0. 
Retrieved March 28, 2024."data-reference="mimipenguin proc file"><sup><a href="https://github.com/huntergregal/mimipenguin/blob/master/mimipenguin.sh" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span></p><p><code>grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | grep -E 'heap|stack' | cut -d' ' -f 1</code></p><p><code>grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1</code></p><p>Analytic 1 - Unexpected access to /proc filesystem.</p><p><code> index=os sourcetype="linux_audit" command IN ("grep -E '^[0-9a-f-]* r' /proc/*/maps", "cat /proc/*/maps", "awk '{print $1}' /proc/*/maps") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1003/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1003/008">/etc/passwd and /etc/shadow</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking.</p><p>Analytic 1 - Unexpected command execution involving /etc/passwd and /etc/shadow.</p><p><code> index=os sourcetype="linux_audit" command IN ("cat /etc/passwd", "cat /etc/shadow", "grep /etc/passwd", "grep /etc/shadow") | eval Command=command | eval TargetFile=case(match(Command, ".*passwd.*"), "/etc/passwd", match(Command, ".*shadow.*"), "/etc/shadow")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1201">T1201</a> </td> <td> <a href="/versions/v16/techniques/T1201">Password Policy Discovery</a> </td> <td> <p>Monitor executed commands and arguments for actions that may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. 
For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1120">T1120</a> </td> <td> <a href="/versions/v16/techniques/T1120">Peripheral Device Discovery</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to gather information about attached peripheral devices and components connected to a computer system.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1069">T1069</a> </td> <td> <a href="/versions/v16/techniques/T1069">Permission Groups Discovery</a> </td> <td> <p>Monitor executed commands and arguments acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1069/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1069/001">Local Groups</a> </td> <td> <p>Monitor for executed commands and arguments that may attempt to find local system groups and permission settings.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1069/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1069/002">Domain Groups</a> </td> <td> <p>Monitor for executed commands and arguments that may attempt to find domain-level groups and permission settings.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1069/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1069/003">Cloud Groups</a> </td> <td> <p>Monitor for executed commands and arguments that may attempt to find cloud groups and permission settings. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1647">T1647</a> </td> <td> <a href="/versions/v16/techniques/T1647">Plist File Modification</a> </td> <td> <p>Monitor for commands with arguments (such as opening common command-line editors) used to modify plist files, especially commonly abused files such as those in <code>~/LaunchAgents</code>, <code>~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm</code>, and an application's <code>Info.plist</code>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1653">T1653</a> </td> <td> <a href="/versions/v16/techniques/T1653">Power Settings</a> </td> <td> <p>Monitor and inspect commands and arguments associated with manipulating the power settings of a system.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1542">T1542</a> </td> <td> <a href="/versions/v16/techniques/T1542">Pre-OS Boot</a> </td> <td> <p>Monitor executed commands and arguments in command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1542/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1542/005">TFTP Boot</a> </td> <td> <p>Monitor executed commands and arguments in command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1057">T1057</a> </td> <td> <a 
href="/versions/v16/techniques/T1057">Process Discovery</a> </td> <td> <p>Monitor executed commands and arguments for actions that may attempt to get information about running processes on a system.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1012">T1012</a> </td> <td> <a href="/versions/v16/techniques/T1012">Query Registry</a> </td> <td> <p>Monitor executed commands and arguments for actions that may interact with the Windows Registry to gather information about the system, configuration, and installed software.</p><p>Note: For PowerShell Module logging event id 4103, enable logging for module Microsoft.PowerShell.Management. The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such as a registry key (PSProvider "Registry"). The Get-ChildItem cmdlet gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations.</p><p>Analytic 1 - Suspicious Commands</p><p><code>(sourcetype="WinEventLog:Microsoft-Windows-Powershell/Operational" EventCode="4103") | WHERE CommandLine LIKE "%New-PSDrive%" AND (CommandLine LIKE "%Registry%" OR CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine LIKE "%HKCR%")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1563">T1563</a> </td> <td> <a href="/versions/v16/techniques/T1563">Remote Service Session Hijacking</a> </td> <td> <p>Monitor executed commands and arguments that may take control of preexisting sessions with remote services to move laterally in an environment.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1563/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1563/001">SSH Hijacking</a> </td> <td> 
<p>Monitor executed commands and arguments that may hijack a legitimate user's SSH session to move laterally within an environment.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1563/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1563/002">RDP Hijacking</a> </td> <td> <p>Monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments to detect RDP session hijacking. Windows PowerShell log Event ID 4104 (PS script execution) can be used to capture PowerShell script block contents which may contain commands used as a precursor to RDP hijacking. For example, the following command in a PowerShell script block may be used to enumerate the systems on a network which have RDP access: <code>Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName</code>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1021">T1021</a> </td> <td> <a href="/versions/v16/techniques/T1021">Remote Services</a> </td> <td> <p>Monitor executed commands and arguments that may use <a href="/versions/v16/techniques/T1078">Valid Accounts</a> to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. 
The adversary may then perform actions as the logged-on user.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1021/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1021/002">SMB/Windows Admin Shares</a> </td> <td> <p>Monitor executed commands and arguments that connect to remote shares, such as <a href="/versions/v16/software/S0039">Net</a>, on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019."data-reference="Medium Detecting WMI Persistence"><sup><a href="https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span></p><p>Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on potential connections and writing to remote shares. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1021/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1021/006">Windows Remote Management</a> </td> <td> <p>Monitor executed commands and arguments that may invoke a WinRM script to correlate it with other related events.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="French, D. (2018, September 30). Detecting Lateral Movement Using Sysmon and Splunk. 
Retrieved October 11, 2019."data-reference="Medium Detecting Lateral Movement"><sup><a href="https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0886">T0886</a> </td> <td> <a href="/versions/v16/techniques/T0886">Remote Services</a> </td> <td> <p>Monitor executed commands and arguments to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may then perform these actions using <a href="/versions/v16/techniques/T0859">Valid Accounts</a>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1018">T1018</a> </td> <td> <a href="/versions/v16/techniques/T1018">Remote System Discovery</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.</p><p>Windows PowerShell log Event ID 4104 (PS script execution) can be used to capture PowerShell script block contents which may contain commands used as a precursor to <a href="/versions/v16/techniques/T1563/002">RDP Hijacking</a>. For example, the following command in a PowerShell script block may be used to enumerate the systems on a network which have RDP access: <code>Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName</code>. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1496">T1496</a> </td> <td> <a href="/versions/v16/techniques/T1496">Resource Hijacking</a> </td> <td> <p>Monitor executed commands and arguments that may indicate common cryptomining or proxyware functionality.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1496/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1496/001">Compute Hijacking</a> </td> <td> <p>Monitor executed commands and arguments that may indicate common cryptomining functionality.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1496/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1496/002">Bandwidth Hijacking</a> </td> <td> <p>Monitor executed commands and arguments that may indicate common proxyware functionality. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1053">T1053</a> </td> <td> <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a> </td> <td> <p>Monitor executed commands and arguments that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.</p><p>Analytic 1 - Look for task scheduling commands being executed with unusual parameters.</p><p><code>index=security (sourcetype="WinEventLog:Security" OR sourcetype="linux_secure" OR sourcetype="macos_secure" OR sourcetype="container_logs")| eval CommandLine = coalesce(CommandLine, process)| where (sourcetype="WinEventLog:Security" AND EventCode IN (4697, 4702, 4698)) OR (sourcetype="linux_secure" AND CommandLine LIKE "%cron%" OR CommandLine LIKE "%at%") OR (sourcetype="macos_secure" AND CommandLine LIKE "%launchctl%" OR CommandLine LIKE "%cron%") OR (sourcetype="container_logs" AND (CommandLine LIKE "%cron%" OR CommandLine LIKE "%at%"))| where (sourcetype="WinEventLog:Security" AND (CommandLine LIKE "%/create%" OR CommandLine LIKE "%/delete%" OR CommandLine LIKE "%/change%")) OR (sourcetype="linux_secure" AND (CommandLine LIKE "%-f%" OR CommandLine LIKE "%-m%" OR CommandLine LIKE "%--env%")) OR (sourcetype="macos_secure" AND (CommandLine LIKE "%/Library/LaunchDaemons%" OR CommandLine LIKE "%/Library/LaunchAgents%" OR CommandLine LIKE "%/System/Library/LaunchDaemons%" OR CommandLine LIKE "%/System/Library/LaunchAgents%")) OR (sourcetype="container_logs" AND (CommandLine LIKE "%-f%" OR CommandLine LIKE "%--schedule%" OR CommandLine LIKE "%--env%")) </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1053/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1053/002">At</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to create/modify tasks. 
Tasks may also be created through Windows system management tools such as <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> and <a href="/versions/v16/techniques/T1059/001">PowerShell</a>, so additional logging may need to be configured to gather the appropriate data.</p><p>Analytic 1 - Linux Command Execution </p><p><code> index=linux_logs sourcetype=syslog "at" | rex "user=(?<user>\w+)"</code></p><p>Analytic 2 - Windows Command Execution <code> index=windows_logs sourcetype=WinEventLog:System EventCode=4698 TaskName="at*"| where NOT (user="SYSTEM" AND TaskName="\Microsoft\Windows\Defrag\ScheduledDefrag")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1053/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1053/003">Cron</a> </td> <td> <p>Monitor execution of commands related to cron that are out of alignment with known software or administrative tasks. Monitor executed atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. 
All at jobs are stored in /var/spool/cron/atjobs/.</p><p>Analytic 1 - Suspicious Cron execution</p><p><code> index=linux_logs sourcetype=cron_logs | search "cron" AND (command="crontab -e" OR command="crontab -l" OR command="* * * * *" OR command="*/cron.d/*")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1053/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a> </td> <td> <p>Monitor for commands being executed via schtasks or other utilities related to task scheduling.</p><p>Analytic 1 - Look for schtasks.exe execution with arguments indicative of task creation/modification.</p><p><code> sourcetype=WinEventLog:Powershell (EventCode=4104 OR command="schtasks.exe")| stats count by user host process_name command_line| where Image="schtasks.exe" OR command_line="*schtasks*"</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1053/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1053/006">Systemd Timers</a> </td> <td> <p>Monitor executed commands and arguments of the 'systemd-run' utility as it may be used to create timers.</p><p>Analytic 1 - Look for systemd-run execution with arguments indicative of timer creation.</p><p><code>sourcetype=linux_logs (command="systemctl*" OR command="systemd-run*") </code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1113">T1113</a> </td> <td> <a href="/versions/v16/techniques/T1113">Screen Capture</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0852">T0852</a> 
</td> <td> <a href="/versions/v16/techniques/T0852">Screen Capture</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0853">T0853</a> </td> <td> <a href="/versions/v16/techniques/T0853">Scripting</a> </td> <td> <p>Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. </p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1505">T1505</a> </td> <td> <a href="/versions/v16/techniques/T1505/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1505">Server Software Component</a>: <a href="/versions/v16/techniques/T1505/004">IIS Components</a> </td> <td> <p>Monitor execution and command-line arguments of <code>AppCmd.exe</code>, which may be abused to install malicious IIS modules.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="Microsoft. (2007, November 24). IIS Modules Overview. Retrieved June 17, 2021."data-reference="Microsoft IIS Modules Overview 2007"><sup><a href="https://docs.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span><span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. 
Retrieved July 6, 2018."data-reference="Unit 42 RGDoor Jan 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span><span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Hromcová, Z., Cherepanov, A. (2021). Anatomy of Native IIS Malware. Retrieved September 9, 2021."data-reference="ESET IIS Malware 2021"><sup><a href="https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1505/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1505">Server Software Component</a>: <a href="/versions/v16/techniques/T1505/005">Terminal Services DLL</a> </td> <td> <p>Monitor executed commands and arguments for potential adversary actions to modify Registry values (ex: <code>reg.exe</code>) or modify/replace the legitimate <code>termsrv.dll</code>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1489">T1489</a> </td> <td> <a href="/versions/v16/techniques/T1489">Service Stop</a> </td> <td> <p>Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0881">T0881</a> </td> <td> <a href="/versions/v16/techniques/T0881">Service Stop</a> </td> <td> <p>Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.</p> </td> </tr> <tr class="technique enterprise" 
id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1518">T1518</a> </td> <td> <a href="/versions/v16/techniques/T1518">Software Discovery</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1518/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1518/001">Security Software Discovery</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.</p><p>Note: For Windows, Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on potential Security Software Discovery. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1649">T1649</a> </td> <td> <a href="/versions/v16/techniques/T1649">Steal or Forge Authentication Certificates</a> </td> <td> <p>Monitor for the execution of commands and other utilities abused to forge and/or steal certificates and related private keys.<span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. 
Retrieved August 2, 2022."data-reference="SpecterOps Certified Pre Owned"><sup><a href="https://web.archive.org/web/20220818094600/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1558">T1558</a> </td> <td> <a href="/versions/v16/techniques/T1558">Steal or Forge Kerberos Tickets</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable <a href="/versions/v16/techniques/T1550/003">Pass the Ticket</a>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1553">T1553</a> </td> <td> <a href="/versions/v16/techniques/T1553">Subvert Trust Controls</a> </td> <td> <p>Command monitoring may reveal malicious attempts to modify trust settings, such as the installation of root certificates or modifications to trust attributes/policies applied to files.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1553/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1553/001">Gatekeeper Bypass</a> </td> <td> <p>Monitor and investigate attempts to modify extended file attributes with utilities such as <code>xattr</code>. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. 
</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1553/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1553/004">Install Root Certificate</a> </td> <td> <p>Monitor for commands, such as <code>security add-trusted-cert</code> (macOS) or <code>certutil -addstore</code> (Windows), that can be used to install root certificates. A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. <span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018."data-reference="SpectorOps Code Signing Dec 2017"><sup><a href="https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span> Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through <code>authroot.stl</code>. <span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018."data-reference="SpectorOps Code Signing Dec 2017"><sup><a href="https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span> The Sysinternals Sigcheck utility can also be used (<code>sigcheck[64].exe -tuv</code>) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List. 
<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="Russinovich, M. et al.. (2017, May 22). Sigcheck. Retrieved April 3, 2018."data-reference="Microsoft Sigcheck May 2017"><sup><a href="https://docs.microsoft.com/sysinternals/downloads/sigcheck" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1553/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1553/006">Code Signing Policy Modification</a> </td> <td> <p>Monitor for the execution of commands that could modify the code signing policy of a system, such as <code>bcdedit.exe -set TESTSIGNING ON</code>. <span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021."data-reference="Microsoft TESTSIGNING Feb 2021"><sup><a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1218">T1218</a> </td> <td> <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a> </td> <td> <p>Monitor executed commands and arguments that may forge credential materials that can be used to gain access to web applications or Internet services.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1218/001">Compiled HTML File</a> </td> <td> <p>Monitor executed commands and arguments that may forge SAML tokens with any permissions claims and lifetimes if they possess a valid 
SAML token-signing certificate.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Lambert, J. (2020, December 13). Important steps for customers to protect themselves from recent nation-state cyberattacks. Retrieved December 17, 2020." data-reference="Microsoft SolarWinds Steps"><sup><a href="https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1218/002">Control Panel</a> </td> <td> <p>When executed from the command line or clicked, control.exe will execute the CPL file (ex: <code>control.exe file.cpl</code>) before <a href="/versions/v16/techniques/T1218/011">Rundll32</a> is used to call the CPL's API functions (ex: <code>rundll32.exe shell32.dll,Control_RunDLL file.cpl</code>). CPL files can be executed directly via the CPL API function with just the latter <a href="/versions/v16/techniques/T1218/011">Rundll32</a> command, which may bypass detections and/or execution filters for control.exe.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Mercês, F. (2014, January 27). CPL Malware - Malicious Control Panel Items. 
Retrieved January 18, 2018." data-reference="TrendMicro CPL Malware Jan 2014"><sup><a href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1218/003">CMSTP</a> </td> <td> <p>Monitor executed commands and arguments that may gather information about the victim's hosts that can be used during targeting.</p><p>Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect abuse of CMSTP. </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1218/004">InstallUtil</a> </td> <td> <p>Command arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1218/005">Mshta</a> </td> <td> <p>Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. 
Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1218/007">Msiexec</a> </td> <td> <p>Command arguments used before and after the invocation of msiexec.exe may also be useful in determining the origin and purpose of the MSI files or DLLs being executed.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/008">.008</a> </td> <td> <a href="/versions/v16/techniques/T1218/008">Odbcconf</a> </td> <td> <p>Command arguments used before and after the invocation of odbcconf.exe may also be useful in determining the origin and purpose of the DLL being loaded.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/009">.009</a> </td> <td> <a href="/versions/v16/techniques/T1218/009">Regsvcs/Regasm</a> </td> <td> <p>Command arguments used before and after Regsvcs.exe or Regasm.exe invocation may also be useful in determining the origin and purpose of the binary being executed.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/010">.010</a> </td> <td> <a href="/versions/v16/techniques/T1218/010">Regsvr32</a> </td> <td> <p>Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. <span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="Nolen, R. et al. (2016, April 28). Threat Advisory: &quot;Squiblydoo&quot; Continues Trend of Attackers Using Native OS Tools to &quot;Live off the Land&quot;. 
Retrieved April 9, 2018." data-reference="Carbon Black Squiblydoo Apr 2016"><sup><a href="https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/011">.011</a> </td> <td> <a href="/versions/v16/techniques/T1218/011">Rundll32</a> </td> <td> <p>Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Typical command-line usage of rundll32.exe is <code>"rundll32.exe DllFile,EntryPoint"</code> where <code>DllFile</code> is the name of the DLL file being called and <code>EntryPoint</code> is the name of the entry point in the DLL file. </p><p>DLLs stored on SMB shares can similarly be called using the syntax of <code>"rundll32.exe \\&lt;ip_address&gt;\DllFile,EntryPoint"</code> where &lt;ip_address&gt; is the IPv4 address of the host of the SMB share. </p><p>Rundll32 can also be used to execute arbitrary Javascript using the syntax <code>"rundll32.exe javascript:&lt;<em>code_block</em>&gt;"</code> where &lt;<em>code_block</em>&gt; is a string defining the Javascript code to be executed. 
</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/012">.012</a> </td> <td> <a href="/versions/v16/techniques/T1218/012">Verclsid</a> </td> <td> <p>Command arguments used before and after the invocation of verclsid.exe may also be useful in determining the origin and purpose of the payload being executed.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/013">.013</a> </td> <td> <a href="/versions/v16/techniques/T1218/013">Mavinject</a> </td> <td> <p>Adversaries may rename abusable binaries to evade detections, but the argument <code>INJECTRUNNING</code> is required for mavinject.exe to perform <a href="/versions/v16/techniques/T1055/001">Dynamic-link Library Injection</a> and may therefore be monitored to alert malicious activity.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/014">.014</a> </td> <td> <a href="/versions/v16/techniques/T1218/014">MMC</a> </td> <td> <p>Monitor executed commands and arguments that may gather information about the victim's DNS that can be used during targeting.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1218/015">.015</a> </td> <td> <a href="/versions/v16/techniques/T1218/015">Electron Applications</a> </td> <td> <p>Monitor executed commands and arguments that may abuse Electron apps to execute malicious content. 
For example, analyze commands invoking <code>teams.exe</code> or <code>chrome.exe</code> to execute malicious or abnormal content.</p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0894">T0894</a> </td> <td> <a href="/versions/v16/techniques/T0894">System Binary Proxy Execution</a> </td> <td> <p>Monitor executed commands and associated arguments for application programs which support executing custom code, scripts, commands, or executables. </p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1082">T1082</a> </td> <td> <a href="/versions/v16/techniques/T1082">System Information Discovery</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1614">T1614</a> </td> <td> <a href="/versions/v16/techniques/T1614">System Location Discovery</a> </td> <td> <p>Monitor executed commands and arguments that may gather information in an attempt to calculate the geographical location of a victim host.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1614/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1614/001">System Language Discovery</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td 
colspan="2"> <a href="/versions/v16/techniques/T1016">T1016</a> </td> <td> <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a> </td> <td> <p>Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1016/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1016/001">Internet Connection Discovery</a> </td> <td> <p>Monitor executed commands and arguments that may check for Internet connectivity on compromised systems.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1016/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1016/002">Wi-Fi Discovery</a> </td> <td> <p>Monitor executed commands and arguments that may collect Wi-Fi information on compromised systems.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1049">T1049</a> </td> <td> <a href="/versions/v16/techniques/T1049">System Network Connections Discovery</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 
Information may also be acquired through Windows system management tools such as <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> and <a href="/versions/v16/techniques/T1059/001">PowerShell</a>.</p><p>For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1033">T1033</a> </td> <td> <a href="/versions/v16/techniques/T1033">System Owner/User Discovery</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Look for command-lines that invoke AuditD or the Security Accounts Manager (SAM). Remote access tools may contain built-in features or incorporate existing tools like <a href="/versions/v16/software/S0002">Mimikatz</a>. <a href="/versions/v16/techniques/T1059/001">PowerShell</a> scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, <span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="PowerSploit. (n.d.). Retrieved December 4, 2014." data-reference="Powersploit"><sup><a href="https://github.com/mattifestation/PowerSploit" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span> which may require additional logging features to be configured in the operating system to collect necessary information for analysis.</p><p>Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect abuse of CMSTP. 
</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1216">T1216</a> </td> <td> <a href="/versions/v16/techniques/T1216">System Script Proxy Execution</a> </td> <td> <p>Monitor executed commands and arguments for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1216/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1216/001">PubPrn</a> </td> <td> <p>Monitor executed commands and arguments for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1216/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1216/002">SyncAppvPublishingServer</a> </td> <td> <p>Monitor executed commands and arguments for scripts like Syncappvpublishingserver.vbs that may be used to proxy execution of malicious files.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1007">T1007</a> </td> <td> <a href="/versions/v16/techniques/T1007">System Service Discovery</a> </td> <td> <p>Monitor executed commands and arguments that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. 
Information may also be acquired through Windows system management tools such as <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> and <a href="/versions/v16/techniques/T1059/001">PowerShell</a>.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1569">T1569</a> </td> <td> <a href="/versions/v16/techniques/T1569">System Services</a> </td> <td> <p>Monitor command-line invocations for tools capable of creating or modifying system services (e.g., <code>systemctl</code> on Linux, <code>sc.exe</code> on Windows, <code>launchctl</code> on macOS).</p><p>Analytic 1 - Unusual service modification tools.</p><p><code> sourcetype=command_logs| search command IN ("systemctl", "sc", "launchctl")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1569/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1569/001">Launchctl</a> </td> <td> <p>Monitor the execution of the <code>launchctl</code> command, focusing on subcommands such as <code>load</code>, <code>unload</code>, and <code>start</code> that may be used by adversaries to load Launch Agents or Launch Daemons.</p><p>Note: This analytic monitors the execution of the launchctl command and its key subcommands. 
Exclude known administrative users to minimize false positives.</p><p>Analytic 1 - Suspicious Launchctl</p><p><code>sourcetype=macOS:unified OR sourcetype=osquery OR sourcetype=auditd | search command IN ("launchctl load", "launchctl unload", "launchctl start") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1569/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1569/002">Service Execution</a> </td> <td> <p>Monitor executed commands and arguments that may abuse the Windows service control manager to execute malicious commands or payloads.</p><p>Analytic 1 - Commands abusing Windows service control manager.</p><p><code>sourcetype=WinEventLog:Security OR sourcetype=Powershell OR sourcetype=Sysmon EventCode IN (1,4688,4104) | search command_line IN ("sc.exe*", "net start*", "net stop*", "psexec.exe*") | where user!="SYSTEM" // Exclude common system-level activities</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1529">T1529</a> </td> <td> <a href="/versions/v16/techniques/T1529">System Shutdown/Reboot</a> </td> <td> <p>Monitor executed commands and arguments of binaries involved in shutting down or rebooting systems. 
For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1124">T1124</a> </td> <td> <a href="/versions/v16/techniques/T1124">System Time Discovery</a> </td> <td> <p>Monitor executed commands and arguments for actions that may gather the system time and/or time zone from a local or remote system.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1127">T1127</a> </td> <td> <a href="/versions/v16/techniques/T1127">Trusted Developer Utilities Proxy Execution</a> </td> <td> <p>Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1127/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1127/001">MSBuild</a> </td> <td> <p>Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1127/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1127/002">ClickOnce</a> </td> <td> <p>When executed from the command line, rundll32 is used to call the ClickOnce API functions (ex: <code>rundll32.exe dfshim.dll,ShOpenVerbApplication file.appref-ms</code>).</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1552">T1552</a> </td> <td> <a href="/versions/v16/techniques/T1552">Unsecured Credentials</a> </td> 
<td> <p>While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See <a href="/versions/v16/techniques/T1078">Valid Accounts</a> for more information.</p><p>Analytic 1 - Suspicious commands or regular expressions indicating credential search.</p><p><code> (index=security sourcetype="Powershell" EventCode=4104) OR(index=os sourcetype="linux_secure" action="execve") OR(index=os sourcetype="macos_secure" event_type="execve") | where match(CommandLine, "(?i)(password|credential|secret|key|token|login|passwd|passphrase)")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1552/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1552/001">Credentials In Files</a> </td> <td> <p>Monitor executed commands and arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials).</p><p>Analytic 1 - Commands indicating credential searches in files.</p><p><code> (index=security sourcetype="Powershell" EventCode=4104 CommandLine="*password*" OR CommandLine="*credential*") OR(index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine="*password*" OR CommandLine="*credential*") OR(index=os sourcetype="linux_audit" action="execve" CommandLine="*password*" OR CommandLine="*credential*" OR CommandLine="*passwd*" OR CommandLine="*secret*") OR(index=os sourcetype="macos_secure" event_type="execve" CommandLine="*password*" OR 
CommandLine="*credential*" OR CommandLine="*passwd*" OR CommandLine="*secret*") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1552/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1552/002">Credentials in Registry</a> </td> <td> <p>Monitor executed commands and arguments that may search the Registry on compromised systems for insecurely stored credentials.</p><p>Analytic 1 - Commands indicating credential searches in the registry.</p><p><code> (index=security sourcetype="powershell" EventCode=4104 ScriptBlockText="*reg query* /f password /t REG_SZ /s*")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1552/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1552/003">Bash History</a> </td> <td> <p>While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like <code>cat ~/.bash_history</code>.</p><p>Analytic 1 - Commands accessing .bash_history through unexpected means.</p><p><code> (index=os sourcetype="linux_secure" action="open" filepath="/home/*/.bash_history") OR(index=os sourcetype="macos_secure" event_type="open" file_path="/Users/*/.bash_history")</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1552/004">.004</a> </td> <td> <a href="/versions/v16/techniques/T1552/004">Private Keys</a> </td> <td> <p>Monitor executed commands and arguments that may search for private key certificate files on compromised systems for insecurely stored credentials.</p><p>Analytic 1 - Commands indicating searches for private keys.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode=4688 CommandLine="*private key*" OR 
CommandLine="*certificate*" OR CommandLine IN ("*.key*", "*.pgp*", "*.gpg*", "*.ppk*", "*.p12*", "*.pem*", "*.pfx*", "*.cer*", "*.p7b*", "*.asc*")) OR(index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine="*private key*" OR CommandLine="*certificate*" OR CommandLine IN ("*.key*", "*.pgp*", "*.gpg*", "*.ppk*", "*.p12*", "*.pem*", "*.pfx*", "*.cer*", "*.p7b*", "*.asc*")) OR(index=os sourcetype="linux_secure" action="execve" CommandLine="*private key*" OR CommandLine="*certificate*" OR CommandLine IN ("*.key*", "*.pgp*", "*.gpg*", "*.ppk*", "*.p12*", "*.pem*", "*.pfx*", "*.cer*", "*.p7b*", "*.asc*")) OR(index=os sourcetype="macos_secure" event_type="execve" CommandLine="*private key*" OR CommandLine="*certificate*" OR CommandLine IN ("*.key*", "*.pgp*", "*.gpg*", "*.ppk*", "*.p12*", "*.pem*", "*.pfx*", "*.cer*", "*.p7b*", "*.asc*"))</code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1552/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1552/006">Group Policy Preferences</a> </td> <td> <p>Monitor executed commands and arguments that may search for SYSVOL data and/or GPP XML files, especially on compromised domain controllers.</p><p>Analytic 1 - Commands indicating searches for GPP XML files.</p><p><code> (index=security sourcetype="Powershell" EventCode=4104 CommandLine="*dir /s *.xml*") </code></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1552/007">.007</a> </td> <td> <a 
href="/versions/v16/techniques/T1552/007">Container API</a> </td> <td> <p>Establish centralized logging for the activity of container and Kubernetes cluster components. Monitor logs for actions that could be taken to gather credentials to container and cloud infrastructure, including the use of discovery API calls by new or unexpected users and APIs that access Docker logs.</p><p>Analytic 1 - Unexpected API calls or access to Docker logs indicating credential access.</p><p><code> index=containers sourcetype IN ("docker:events", "kubernetes:api", "kubernetes:container") | search Command IN ("docker logs", "kubectl get secrets", "kubectl describe secret", "kubectl exec", "curl http[:]//169.254.169[.]254/latest/meta-data/iam/security-credentials/", "aws iam list-access-keys", "az ad sp list")</code></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1204">T1204</a> </td> <td> <a href="/versions/v16/techniques/T1204">User Execution</a> </td> <td> <p>Detect commands triggered by users, especially related to decompression tools (e.g., zip files) that may unpack malicious payloads. 
This includes compression applications, such as those for zip files, that can be used to <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a> in payloads.</p><p>Analytic 1 - Command lines showing decompression or decoding actions.</p><p><code> sourcetype=WinEventLog:Powershell EventCode=4104| search process_name IN ("powershell.exe", "cmd.exe", "zip.exe", "winrar.exe")| stats count by process_name command_line user| where command_line LIKE "%unzip%" OR command_line LIKE "%decode%"</code> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1204/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1204/003">Malicious Image</a> </td> <td> <p>Monitor for suspicious commands related to image or container manipulation, especially commands run from users not typically associated with these tasks.</p><p>Analytic 1 - Unexpected command execution related to image files.</p><p><code>sourcetype=command_execution| search command IN ("docker pull", "docker run", "docker exec", "kubectl run", "gcloud container images list-tags", "aws ec2 run-instances")</code></p> </td> </tr> <tr class="technique ics" id="ics"> <td> ICS </td> <td colspan="2"> <a href="/versions/v16/techniques/T0863">T0863</a> </td> <td> <a href="/versions/v16/techniques/T0863">User Execution</a> </td> <td> <p>Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a> in payloads. 
For added context on adversary procedures and background see <a href="/versions/v16/techniques/T1204">User Execution</a> and applicable sub-techniques.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1125">T1125</a> </td> <td> <a href="/versions/v16/techniques/T1125">Video Capture</a> </td> <td> <p>Monitor executed commands and arguments that can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1497">T1497</a> </td> <td> <a href="/versions/v16/techniques/T1497">Virtualization/Sandbox Evasion</a> </td> <td> <p>Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1497/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1497/001">System Checks</a> </td> <td> <p>Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. 
Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1497/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1497/002">User Activity Based Checks</a> </td> <td> <p>Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.</p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1497/003">.003</a> </td> <td> <a href="/versions/v16/techniques/T1497/003">Time Based Evasion</a> </td> <td> <p>Monitor executed commands and arguments that may employ various time-based methods to detect and avoid virtualization and analysis environments. 
Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.</p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1047">T1047</a> </td> <td> <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> </td> <td> <p>Monitor executed commands and arguments for actions that are used to perform remote behavior.</p><p>Analytic 1 - Look for wmic.exe execution with arguments indicative of remote process creation.</p><p><code> index=windows_logs sourcetype=WinEventLog:Security OR sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational | eval CommandLine=coalesce(CommandLine, ParentCommandLine) | eval ProcessName=lower(ProcessName), CommandLine=lower(CommandLine) | search ProcessName IN ("wmic.exe", "powershell.exe", "wbemtool.exe", "wmiprvse.exe", "wmiadap.exe", "scrcons.exe") | search CommandLine IN ("*process call create*", "*shadowcopy delete*", "*process start*", "*createobject*") | stats count by _time, ComputerName, User, ProcessName, CommandLine, ParentProcessName, ParentCommandLine, dest, src_ip, dest_ip | eval alert_message="Suspicious WMI activity detected: " + ProcessName + " executed by " + User + " on " + ComputerName + " with command: " + CommandLine | where NOT (User="SYSTEM" OR ProcessName="wmiprvse.exe" OR CommandLine="*wmic shadowcopy delete*" AND src_ip="trusted_ip_range") | table _time, ComputerName, User, ProcessName, CommandLine, ParentProcessName, ParentCommandLine, src_ip, dest_ip, alert_message</code></p> </td> </tr> </tbody> </table> </div> </div> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" 
href="https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html" target="_blank"> Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.scip.ch/en/?labs.20150108" target="_blank"> Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing" target="_blank"> Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx" target="_blank"> Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved January 12, 2018. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1" target="_blank"> French, D., Murphy, B. (2020, March 24). Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1). Retrieved December 21, 2020. 
</a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.secureworks.com/blog/malware-lingers-with-bits" target="_blank"> Counter Threat Unit Research Team. (2016, June 6). Malware Lingers with BITS. Retrieved January 12, 2018. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="http://tldp.org/HOWTO/Module-HOWTO/x197.html" target="_blank"> Henderson, B. (2006, September 24). How To Insert And Remove LKMs. Retrieved April 9, 2018. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.megasecurity.org/papers/Rootkits.pdf" target="_blank"> Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/" target="_blank"> Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/" target="_blank"> Pikeralpha. (2017, August 29). User Approved Kernel Extension Loading…. Retrieved September 23, 2021. 
</a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/" target="_blank"> Richard Purves. (2017, November 9). MDM and the Kextpocalypse . Retrieved September 23, 2021. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf" target="_blank"> Apple. (2019, May 3). Configuration Profile Reference. Retrieved September 23, 2021. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://support.google.com/chrome/a/answer/7349337" target="_blank"> Chrome Enterprise and Education Help. (n.d.). Use Chrome Browser with Roaming User Profiles. Retrieved March 28, 2023. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://www.mandiant.com/resources/blog/azure-run-command-dummies" target="_blank"> Adrien Bataille, Anders Vejlby, Jared Scott Wilson, and Nader Zaveri. (2021, December 14). Azure Run Command for Dummies. Retrieved March 13, 2023. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf" target="_blank"> Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016. 
</a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html" target="_blank"> Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://tools.cisco.com/security/center/resources/integrity_assurance.html#23" target="_blank"> Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.real-world-systems.com/docs/launchdPlist.1.html" target="_blank"> Dennis German. (2020, November 20). launchd Keywords for plists. Retrieved October 7, 2021. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank"> Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/" target="_blank"> Arntz, P. (2016, March 30). The Windows Vault . Retrieved November 23, 2020. 
</a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.ise.io/casestudies/password-manager-hacking/" target="_blank"> ise. (2019, February 19). Password Managers: Under the Hood of Secrets Management. Retrieved January 22, 2021. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://docs.microsoft.com/sysinternals/downloads/sysmon" target="_blank"> Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml" target="_blank"> Microsoft. (2020, December). Azure Sentinel Detections. Retrieved December 30, 2020. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank"> Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365" target="_blank"> Microsoft. (2020, September 14). Update or repair the settings of a federated domain in Office 365, Azure, or Intune. Retrieved December 30, 2020. 
</a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/" target="_blank"> Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/manage-mail-flow-rules" target="_blank"> Microsoft. (2023, February 22). Manage mail flow rules in Exchange Online. Retrieved March 13, 2023. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1" target="_blank"> Microsoft. (n.d.). Retrieved January 24, 2020. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://docs.github.com/en/webhooks-and-events/webhooks/receiving-webhooks-with-the-github-cli" target="_blank"> Github. (n.d.). Receiving webhooks with the GitHub CLI. Retrieved August 4, 2023. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://learn.microsoft.com/en-us/graph/api/subscription-post-subscriptions" target="_blank"> Microsoft . (n.d.). Create subscription. Retrieved August 4, 2023. 
</a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/" target="_blank"> Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore" target="_blank"> Pravs. (2009, May 25). What you need to know about alternate data streams in windows? Is your Data secure? Can you restore that?. Retrieved March 21, 2018. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="33.0"> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/" target="_blank"> Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/" target="_blank"> Marlin, J. (2013, March 24). Alternate Data Streams in NTFS. Retrieved March 21, 2018. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/" target="_blank"> Johann Rehberger. (2020, September 23). 
Beware of the Shadowbunny - Using virtual machines to persist and evade detections. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://www.mandiant.com/resources/blog/cloud-bad-log-configurations" target="_blank"> Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/" target="_blank"> Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c" target="_blank"> svch0st. (2020, September 30). Event Log Tampering Part 1: Disrupting the EventLog Service. Retrieved September 14, 2021. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://ptylu.github.io/content/report/report.html?report=25" target="_blank"> Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit" target="_blank"> Microsoft. (2021, May 27). bcdedit. 
Retrieved June 23, 2021. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg" target="_blank"> Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August 30, 2021. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/" target="_blank"> Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved June 23, 2021. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/" target="_blank"> Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. Retrieved August 19, 2021. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://x.com/ItsReallyNick/status/1055321652777619457" target="_blank"> Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack" target="_blank"> Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019. 
</a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://github.com/sensepost/notruler" target="_blank"> SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/" target="_blank"> Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://github.com/mattifestation/PowerSploit" target="_blank"> PowerSploit. (n.d.). Retrieved December 4, 2014. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v%3Dws.11)" target="_blank"> Microsoft. (2016, August 21). Cached and Stored Credentials Technical Overview. Retrieved February 21, 2020. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md" target="_blank"> Atomic Red Team. (2023, November). T1003.007 - OS Credential Dumping: Proc Filesystem. Retrieved March 28, 2024. 
</a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://github.com/huntergregal/mimipenguin/blob/master/mimipenguin.sh" target="_blank"> Gregal, Hunter. (2019, September 17). MimiPenguin 2.0. Retrieved March 28, 2024. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96" target="_blank"> French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc" target="_blank"> French, D. (2018, September 30). Detecting Lateral Movement Using Sysmon and Splunk. Retrieved October 11, 2019. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://docs.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview" target="_blank"> Microsoft. (2007, November 24). IIS Modules Overview. Retrieved June 17, 2021. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" target="_blank"> Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018. 
</a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf" target="_blank"> Hromcová, Z., Cherepanov, A. (2021). Anatomy of Native IIS Malware. Retrieved September 9, 2021. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://web.archive.org/web/20220818094600/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf" target="_blank"> Schroeder, W. & Christensen, L. (2021, June 22). Certified Pre-Owned - Abusing Active Directory Certificate Services. Retrieved August 2, 2022. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec" target="_blank"> Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://docs.microsoft.com/sysinternals/downloads/sigcheck" target="_blank"> Russinovich, M. et al.. (2017, May 22). Sigcheck. Retrieved April 3, 2018. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option" target="_blank"> Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021. 
</a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/" target="_blank"> Lambert, J. (2020, December 13). Important steps for customers to protect themselves from recent nation-state cyberattacks. Retrieved December 17, 2020. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" target="_blank"> Mercês, F. (2014, January 27). CPL Malware - Malicious Control Panel Items. Retrieved January 18, 2018. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/" target="_blank"> Nolen, R. et al.. (2016, April 28). Threat Advisory: “Squiblydoo” Continues Trend of Attackers Using Native OS Tools to “Live off the Land”. Retrieved April 9, 2018. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v16/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a 
href="/versions/v16/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/versions/v16/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v16.1&#013;Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> &copy;&nbsp;2015&nbsp;-&nbsp;2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/versions/v16/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v16/theme/scripts/popper.min.js"></script> <script src="/versions/v16/theme/scripts/bootstrap-select.min.js"></script> <script src="/versions/v16/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v16/theme/scripts/site.js"></script> <script src="/versions/v16/theme/scripts/settings.js"></script> <script src="/versions/v16/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/versions/v16/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/versions/v16/theme/scripts/filter/filter.js?1178"></script> <script src="/versions/v16/theme/scripts/navigation.js"></script> <script src="/versions/v16/theme/scripts/mobileview-datasources.js"></script> <script src="/versions/v16/theme/scripts/bootstrap-tourist.js"></script> <script 
src="/versions/v16/theme/scripts/settings.js"></script> <script src="/versions/v16/theme/scripts/tour/tour-relationships.js"></script> </body> </html>
