From 2f1a7813d3df9efb60430ccac3aff6946f4f8717 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Thu, 17 Sep 2020 19:34:17 -0500 Subject: [PATCH] updated queries --- Execution.md | 14 ++++++++++++-- InitialAccess.md | 4 ++-- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/Execution.md b/Execution.md index 3835a89..bbaea1f 100644 --- a/Execution.md +++ b/Execution.md 
@@ -1,16 +1,26 @@ ## Execution -### T1053.002 At (Windows) +### T1053.002 AT Scheduled Task Atomics: [T1053.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md) +Detect interactive process execution scheduled by AT command. + +``` +TgtProcName = "at.exe" AND TgtProcCmdLine ContainsCIS "/interactive " +``` ### T1559.002 Dynamic Data Exchange Atomics: [T1559.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md) -### T1204.002 Malicious File +### T1204.002 Malicious Documents Atomics: [T1204.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md) +The tests for this technique overlap heavily with [T1566.001 Spearphishing Attachment](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/a2fd4227666db3f1c5d6713ae3e3b21bf5343b79/InitialAccess.md#t1566001-spearphishing-attachment) due to similar download and macro detections, so here we're focusing on detecting Office applications launching processes. The below query will cover tests 1, 3 and 4 but test [#2](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md#atomic-test-2---ostap-payload-download) is standalone cscript execution and will be detected with other queries. + +``` +(SrcProcParentName In Contains ("WINWORD.EXE","EXCEL.EXE") AND SrcProcName In Contains Anycase ("cmd.exe","cscript.exe","wscript.exe","certutil.exe","powershell.exe","msbuild.exe","csc.exe")) OR IndicatorName = "SuspiciousDocument" +``` ### T1106 Native API Atomics: [T1106](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md) diff --git a/InitialAccess.md b/InitialAccess.md index 4391959..a90d0ec 100644 --- a/InitialAccess.md +++ b/InitialAccess.md 
@@ -13,10 +13,10 @@ Detects enabling of Guest account, adding Guest account to groups, as well as ch Atomics: [T1566.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md) #### Test 1: -This test merely uses Powershell to download a maldoc, the below query will find powershell downloads using multiple cradle methods as documented here by [HarmJ0y](https://gist.github.com/HarmJ0y/bb48307ffa663256e239). The below query should only be used for hunting purposes and covers most unobfuscated powershell cradles. +This test merely uses Powershell to download a maldoc, the below query will find CommandLine or CommandScript downloads using multiple cradle methods as documented here by [HarmJ0y](https://gist.github.com/HarmJ0y/bb48307ffa663256e239). The below query should only be used for hunting purposes and covers most unobfuscated powershell cradles. ``` -(SrcProcCmdLine In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX (","InternetExplorer.Application","Msxml2.XMLHTTP") OR SrcProcCmdScript In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX (","InternetExplorer.Application","Msxml2.XMLHTTP")) +(SrcProcCmdLine In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX (","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP") OR SrcProcCmdScript In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX (","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP")) ```
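Review bot: In the Execution.md hunk, the new T1204.002 query mixes a case-sensitive parent check with a case-insensitive child check: `SrcProcParentName In Contains ("WINWORD.EXE","EXCEL.EXE")` has no `Anycase`, while the child clause is `SrcProcName In Contains Anycase (...)`, so a parent recorded as `winword.exe` is silently missed. Change the parent clause to `SrcProcParentName In Contains Anycase ("WINWORD.EXE","EXCEL.EXE")`, and since the prose says the goal is "detecting Office applications launching processes", consider whether the parent list should cover the other Office hosts (PowerPoint, Outlook) rather than only Word and Excel. Two smaller points in the same hunk: the renamed headings "AT Scheduled Task" and "Malicious Documents" no longer match the ATT&CK sub-technique names ("At (Windows)" and "Malicious File") that the IDs next to them refer to, so keep the official names for searchability; and the cross-reference to InitialAccess.md is an absolute URL pinned to commit a2fd4227666db3f1c5d6713ae3e3b21bf5343b79, which will go stale as that file changes (this very commit edits it), so use a relative link such as `InitialAccess.md#t1566001-spearphishing-attachment`.

Review bot: In the InitialAccess.md hunk, the reworded sentence "will find CommandLine or CommandScript downloads" is awkward and does not say which fields it means; suggest "will find download cradles in either the process command line (SrcProcCmdLine) or the script body (SrcProcCmdScript)", and capitalize "Powershell" as "PowerShell". The query itself keeps two identical hand-maintained indicator lists, one per field, and this change shows the maintenance cost: "MSXML2.ServerXMLHTTP" had to be appended to both, and a future edit that touches only one list will silently diverge, so add a sentence telling readers the two lists must be kept in sync. Also, now that the list includes "WinHttp.WinHttpRequest", "Msxml2.XMLHTTP" and "MSXML2.ServerXMLHTTP", which are COM objects used just as often from VBScript/JScript downloaders as from PowerShell, the closing claim that the query "covers most unobfuscated powershell cradles" undersells it; say it covers PowerShell and script-host (cscript/wscript) cradles.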