diff --git a/Collection.md b/Collection.md new file mode 100644 index 0000000..42707dc --- /dev/null +++ b/Collection.md @@ -0,0 +1,42 @@ +## Collection + +### T1560 Archive Collected Data +Atomics: [T1560](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md) + + +### T1560.001 Archive via Utility +Atomics: [T1560.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md) + + +### T1123 Audio Capture +Atomics: [T1123](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md) + + +### T1119 Automated Collection +Atomics: [T1119](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md) + + +### T1115 Clipboard Data +Atomics: [T1115](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md) + + +### T1056.004 Credential API Hooking +Atomics: [T1056.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md) + + +### T1056.002 GUI Input Capture +Atomics: [T1056.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md) + + +### T1056.001 Keylogging +Atomics: [T1056.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md) + + +### T1074.001 Local Data Staging +Atomics: [T1074.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md) + + +### T1114.001 Local Email Collection +Atomics: [T1114.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md) + + diff --git a/CommandAndControl.md b/CommandAndControl.md new file mode 100644 index 0000000..c6345c9 --- /dev/null +++ b/CommandAndControl.md 
@@ -0,0 +1,34 @@ +## Command and Control + +### T1071.004 DNS +Atomics: [T1071.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md) + + +### T1573 Encrypted Channel +Atomics: [T1573](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md) + + +### T1105 Ingress Tool Transfer +Atomics: [T1105](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md) + + +### T1090.001 Internal Proxy +Atomics: [T1090.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md) + + +### T1095 Non-Application Layer Protocol +Atomics: [T1095](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md) + + +### T1571 Non-Standard Port +Atomics: [T1571](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md) + + +### T1219 Remote Access Software +Atomics: [T1219](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md) + + +### T1071.001 Web Protocols +Atomics: [T1071.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md) + + diff --git a/CredentialAccess.md b/CredentialAccess.md new file mode 100644 index 0000000..181b926 --- /dev/null +++ b/CredentialAccess.md 
@@ -0,0 +1,79 @@ +## Credential Access + + +### T1056.004 Credential API Hooking +Atomics: [T1056.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md) + + +### T1552.001 Credentials In Files +Atomics: [T1552.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md) + + +### T1555.003 Credentials from Web Browsers +Atomics: [T1555.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md) + + +### T1552.002 Credentials in Registry +Atomics: [T1552.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md) + + +### T1056.002 GUI Input Capture +Atomics: [T1056.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md) + + +### T1552.006 Group Policy Preferences +Atomics: [T1552.006](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md) + + +### T1558.003 Kerberoasting +Atomics: [T1558.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md) + + +### T1056.001 Keylogging +Atomics: [T1056.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md) + + +### T1003.004 LSA Secrets +Atomics: [T1003.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md) + + +### T1003.001 LSASS Memory +Atomics: [T1003.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md) + + +### T1003.003 NTDS +Atomics: [T1003.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md) + + +### T1040 Network Sniffing +Atomics: [T1040](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md) + + +### T1003 OS Credential Dumping +Atomics: [T1003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md) + + +### T1110.002 Password Cracking 
+Atomics: [T1110.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md) + + +### T1556.002 Password Filter DLL +Atomics: [T1556.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md) + + +### T1110.001 Password Guessing +Atomics: [T1110.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md) + + +### T1110.003 Password Spraying +Atomics: [T1110.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md) + + +### T1552.004 Private Keys +Atomics: [T1552.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md) + + +### T1003.002 Security Account Manager +Atomics: [T1003.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md) + + diff --git a/DefenseEvasion.md b/DefenseEvasion.md index 56eee73..7ad2f7b 100644 --- a/DefenseEvasion.md +++ b/DefenseEvasion.md @@ -209,4 +209,4 @@ Atomics: [T1070.006](https://github.com/redcanaryco/atomic-red-team/blob/master/ Atomics: [T1222.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md) ### T1220 XSL Script Processing -Atomics: [T1220](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md) +Atomics: [T1220](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md) \ No newline at end of file diff --git a/Discovery.md b/Discovery.md new file mode 100644 index 0000000..43d2855 --- /dev/null +++ b/Discovery.md 
@@ -0,0 +1,94 @@ +## Discovery + +### T1010 Application Window Discovery +Atomics: [T1010](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md) + + +### T1217 Browser Bookmark Discovery +Atomics: [T1217](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md) + + +### T1087.002 Domain Account +Atomics: [T1087.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md) + + +### T1069.002 Domain Groups +Atomics: [T1069.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md) + + +### T1482 Domain Trust Discovery +Atomics: [T1482](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md) + + +### T1083 File and Directory Discovery +Atomics: [T1083](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md) + + +### T1087.001 Local Account +Atomics: [T1087.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md) + + +### T1069.001 Local Groups +Atomics: [T1069.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md) + + +### T1046 Network Service Scanning +Atomics: [T1046](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md) + + +### T1135 Network Share Discovery +Atomics: [T1135](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md) + + +### T1040 Network Sniffing +Atomics: [T1040](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md) + + +### T1201 Password Policy Discovery +Atomics: [T1201](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md) + + +### T1057 Process Discovery +Atomics: [T1057](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md) + + +### T1012 Query Registry +Atomics: 
[T1012](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md) + + +### T1018 Remote System Discovery +Atomics: [T1018](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md) + + +### T1518.001 Security Software Discovery +Atomics: [T1518.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md) + + +### T1518 Software Discovery +Atomics: [T1518](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md) + + +### T1082 System Information Discovery +Atomics: [T1082](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md) + + +### T1016 System Network Configuration Discovery +Atomics: [T1016](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md) + + +### T1049 System Network Connections Discovery +Atomics: [T1049](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md) + + +### T1033 System Owner/User Discovery +Atomics: [T1033](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md) + + +### T1007 System Service Discovery +Atomics: [T1007](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md) + + +### T1124 System Time Discovery +Atomics: [T1124](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md) + + diff --git a/Execution.md b/Execution.md new file mode 100644 index 0000000..3835a89 --- /dev/null +++ b/Execution.md 
@@ -0,0 +1,42 @@ +## Execution + +### T1053.002 At (Windows) +Atomics: [T1053.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md) + + +### T1559.002 Dynamic Data Exchange +Atomics: [T1559.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md) + + +### T1204.002 Malicious File +Atomics: [T1204.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md) + + +### T1106 Native API +Atomics: [T1106](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md) + + +### T1059.001 PowerShell +Atomics: [T1059.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md) + + +### T1053.005 Scheduled Task +Atomics: [T1053.005](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md) + + +### T1569.002 Service Execution +Atomics: [T1569.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md) + + +### T1059.005 Visual Basic +Atomics: [T1059.005](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md) + + +### T1059.003 Windows Command Shell +Atomics: [T1059.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md) + + +### T1047 Windows Management Instrumentation +Atomics: [T1047](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md) + + diff --git a/Exfiltration.md b/Exfiltration.md new file mode 100644 index 0000000..e2964db --- /dev/null +++ b/Exfiltration.md @@ -0,0 +1,10 @@ +## Exfiltration + +### T1020 Automated Exfiltration +Atomics: [T1020](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md) + + +### T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol +Atomics: [T1048.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md) + + 
diff --git a/Impact.md b/Impact.md new file mode 100644 index 0000000..547d6cf --- /dev/null +++ b/Impact.md @@ -0,0 +1,22 @@ +## Impact + +### T1531 Account Access Removal +Atomics: [T1531](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md) + + +### T1485 Data Destruction +Atomics: [T1485](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md) + + +### T1490 Inhibit System Recovery +Atomics: [T1490](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md) + + +### T1489 Service Stop +Atomics: [T1489](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md) + + +### T1529 System Shutdown/Reboot +Atomics: [T1529](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md) + + diff --git a/LateralMovement.md b/LateralMovement.md new file mode 100644 index 0000000..0c7377b --- /dev/null +++ b/LateralMovement.md @@ -0,0 +1,25 @@ +## Lateral Movement + +### T1550.002 Pass the Hash +Atomics: [T1550.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md) + + +### T1550.003 Pass the Ticket +Atomics: [T1550.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md) + + +### T1563.002 RDP Hijacking +Atomics: [T1563.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md) + + +### T1021.001 Remote Desktop Protocol +Atomics: [T1021.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md) + + +### T1021.002 SMB/Windows Admin Shares +Atomics: [T1021.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md) + + +### T1021.006 Windows Remote Management +Atomics: [T1021.006](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md) + diff --git a/Persistence.md b/Persistence.md new file mode 100644 index 0000000..7cf6a14 
--- /dev/null +++ b/Persistence.md 
@@ -0,0 +1,208 @@ +## Persistence + +### T1546.008 Accessibility Features +Atomics: [T1546.008](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md) + +Detections addition of a debugger process to executables using Image File Execution Options. + +``` +(RegistryKeyPath ContainsCIS "CurrentVersion\Image File Execution Options" AND RegistryKeyPath ContainsCIS ".exe\Debugger") AND (EventType = "Registry Value Create" OR EventType = "Registry Key Create") +``` + +### T1098 Account Manipulation +Atomics: [T1098](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md) + + +### T1546.010 Application Shimming +Atomics: [T1546.010](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.010.md) , +[T1546.011](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md) + +Detects application shimming through sdbinst or registry modification. + +``` +(SrcProcName = "sdbinst.exe" and ProcessCmd ContainsCIS ".sdb") OR ((RegistryKeyPath ContainsCIS "AppInit_DLLs" OR RegistryPath ContainsCIS "AppCompatFlags") AND (EventType = "Registry Value Create" OR EventType = "Registry Value Modified")) +``` + +### T1053.002 AT Scheduled Task +Atomics: [T1053.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md) + +Detect interactive process execution scheduled by AT command. 
+ +``` +TgtProcName = "at.exe" AND TgtProcCmdLine ContainsCIS "/interactive " +``` + +### T1197 BITS Jobs +Atomics: [T1197](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md) + + +### T1176 Browser Extensions +Atomics: [T1176](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md) + + +### T1574.012 COR Profiler +Atomics: [T1574.012](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md) + +Detection of unmanaged COR profiler hooking of .NET CLR through registry or process command. + +``` +(SrcProcCmdScript Contains "COR_" AND SrcProcCmdScript Contains "\Environment") OR RegistryKeyPath Contains "COR_PROFILER_PATH" OR SrcProcCmdScript Contains "$env:COR_" +``` + +### T1546.001 Change Default File Association +Atomics: [T1546.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md) + + +### T1574.001 DLL Search Order Hijacking +Atomics: [T1574.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md) + +Detection of DLL search order hijack for AMSI bypass. Search order bypasses can target more than AMSI, so this can be expanded upon greatly by switching the `ContainsCIS` to `In Contains Anycase(dll list)`. + +``` +(FileFullName ContainsCIS "amsi.dll" AND FileFullName Does Not ContainCIS "System32") AND EventType = "File Creation" +``` + +### T1574.002 DLL Side-Loading of Notepad++ GUP.exe +Atomics: [T1574.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md) + +Detection for GUP.exe side-loading a dll, where executable has a display name of "WinGup for Notepad++" and has non-standard source process. Keep an eye on Cross Process events or add `AND EventType = "Open Remote Process Handle"` to the query to narrow down target (child) process. 
+ +``` +TgtProcDisplayName ContainsCIS "WinGup" and SrcProcName Not In ("notepad++.exe","explorer.exe","lsass.exe","csrss.exe","svchost.exe","WerFault.exe") +``` + +### T1078.001 Enable Guest account with RDP and Admin +Atomics: [T1078.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md) + +Detects enabling of Guest account, adding Guest account to groups, as well as changing of Deny/Allow of Terminal Server connections through Registry changes. + +``` +(SrcProcCmdLine ContainsCIS "net localgroup" AND SrcProcCmdLine ContainsCIS "guest /add") OR (SrcProcCmdLine ContainsCIS "net user" AND SrcProcCmdLine ContainsCIS "/active:yes") OR (RegistryKeyPath In Contains ("Terminal Server\AllowTSConnections","Terminal Server\DenyTSConnections") AND EventType In ("Registry Value Create","Registry Value Modified")) +``` + +### T1546.012 Image File Execution Options Injection +Atomics: [T1546.012](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md) + +Detection of Image File Execution Options tampering for persistence through Registry monitoring. + +``` +RegistryKeyPath In Contains Anycase ("CurrentVersion\Image File Execution Options","CurrentVersion\SilentProcessExit") AND RegistryKeyPath In Contains Anycase ("GlobalFlag","ReportingMode","MonitorProcess") +``` + +### T1136.001 Local Account +Atomics: [T1136.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md) + + +### T1037.001 Logon Scripts (Windows) +Atomics: [T1037.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md) + +Detects addition of logon scripts through command line or registry methods. 
+ +``` +SrcProcCmdLine ContainsCIS "UserInitMprLogonScript" OR (RegistryKeyPath ContainsCIS "UserInitMprLogonScript" AND EventType = "Registry Value Create") +``` + +### T1546.007 Netsh Helper DLL +Atomics: [T1546.007](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md) + +Detection of "helper" dlls with network command shell, through command arguments or registry modification. + +``` +(TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add helper") OR (RegistryPath ContainsCIS "SOFTWARE\Microsoft\NetSh" AND EventType = "Registry Value Create") +``` + +### T1574.009 Unquoted Service Path for program.exe +Atomics: [T1574.009](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md) + +Detects creation or modification of the file at `C:\program.exe` for exploiting unquoted services paths of Program Files folder. + +``` +(FileFullName = "C:\program.exe" AND EventType In ("File Creation","File Modification")) OR TgtProcImagePath = "C:\program.exe" +``` + +### T1546.013 Malicious Process Start Added to Powershell Profile +Atomics: [T1546.013](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md) + +Detects the addition of process execution strings (`TgtProcCmdLine In Contains Anycase (list)`)to the powershell profile, through CommandLine and CommandScript indicators. 
+ +``` +(SrcProcCmdScript ContainsCIS "Add-Content $profile -Value" AND SrcProcCmdScript ContainsCIS "Start-Process") OR (TgtProcCmdLine ContainsCIS "Add-Content $profile" AND TgtProcCmdLine In Contains Anycase ("Start-Process","& ","cmd.exe /c")) +``` + +### T1547.001 Registry Run Keys / Startup Folder +Atomics: [T1547.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md) + + +### T1053.005 Scheduled Task +Atomics: [T1053.005](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md) + + +### T1546.002 Screensaver +Atomics: [T1546.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md) + +Detects malicious changes to screensaver through Registry changes, filtering expected processes. + +``` +RegistryKeyPath ContainsCIS "Control Panel\Desktop\SCRNSAVE.EXE" AND (EventType In ("Registry Value Create","Registry Value Modified") AND SrcProcName Not In ("svchost.exe","SetupHost.exe","CcmExec.exe")) +``` + +### T1547.005 Security Support Provider +Atomics: [T1547.005](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md) + +Detection of changes to Security Support Provider through Registry modification. Filters most standard system changes with `SrcProcName Not In (list)` but there will be some noise from installers. 
+ +``` +RegistryKeyPath ContainsCIS "\Control\Lsa\Security Packages" AND (SrcProcName Not In ("services.exe","SetupHost.exe","svchost.exe") AND SrcProcCmdLine Does Not ContainCIS "system32\wsauth.dll") +``` + +### T1574.010 Services File Permissions Weakness +Atomics: [T1574.010](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.010/T1574.010.md) + + +### T1574.011 Services Registry Permissions Weakness +Atomics: [T1574.011](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md) + + +### T1547.009 Startup Shortcuts +Atomics: [T1547.009](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md) + +Focuses on Test 2: Detection .lnk or .url files written to Startup folders. Filters noise with `SrcProcName Not In (list)` but you can remove noise from 3rd party update services updating their links by adding `SrcProcParentName != "userinit.exe"` to the query. + +``` +(FileFullName ContainsCIS "Microsoft\Windows\Start Menu\Programs\Startup" AND TgtFileExtension In Contains ("lnk","url") AND EventType = "File Creation") AND SrcProcName Not In ("ONENOTE.EXE","msiexec.exe") +``` + +### T1505.002 Transport Agent +Atomics: [T1505.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md) + + +### T1505.003 Web Shell +Atomics: [T1505.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md) + + +### T1546.003 Windows Management Instrumentation Event Subscription +Atomics: [T1546.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md) + +Detect WMI Event Subs using the New-CimInstance cmdlet, through CommandLine and CommandScript indicators. 
+ +``` +SrcProcCmdLine ContainsCIS "New-CimInstance -Namespace root/subscription" OR SrcProcCmdScript ContainsCIS "New-CimInstance -Namespace root/subscription" +``` + +### T1543.003 Windows Service +Atomics: [T1543.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md) + +Detects creation and modification of windows services through binPath argument to sc.exe. + +``` +TgtProcName = "sc.exe" AND TgtProcCmdLine Contains "binPath=" +``` + +### T1547.004 Winlogon Helper DLL +Atomics: [T1547.004](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md) + +Detects Winlogon Helper Dll changes through Registry MetadataIndicator item, as it holds the full registry change info but will only return data of the Indicators object type. + +``` +IndicatorMetadata In Contains Anycase ("Microsoft\Windows NT\CurrentVersion\Winlogon","Microsoft\Windows NT\CurrentVersion\Winlogon\Notify") AND IndicatorMetadata In Contains Anycase ("logon","Userinit","Shell") AND IndicatorMetadata Does Not ContainCIS "WINDOWS\system32\userinit.exe" +``` \ No newline at end of file diff --git a/PrivilegeEscalation.md b/PrivilegeEscalation.md index f6f7310..38a1db7 100644 --- a/PrivilegeEscalation.md +++ b/PrivilegeEscalation.md 
@@ -32,7 +32,7 @@ Detects application shimming through sdbinst or registry modification. Atomics: [T1548.002](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md) Detection of UAC bypass through tampering with Shell Open for .ms-settings or .msc file types. -`Noted issues with Sentinel Agent 4.3.2.86 detecting by registry key. All registry key paths wer ControlSet001\Service\bam\State\UserSettings\GUID\...` +** Noted issues with Sentinel Agent 4.3.2.86 detecting by registry key. All registry key paths wer ControlSet001\Service\bam\State\UserSettings\GUID\... *** ``` SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine ContainsCIS "mscfile\shell\open\command" @@ -172,7 +172,7 @@ Atomics: [T1546.002](https://github.com/redcanaryco/atomic-red-team/blob/master/ Detects malicious changes to screensaver through Registry changes, filtering expected processes. ``` -RegistryKeyPath ContainsCIS "Control Panel\Desktop\SCRNSAVE.EXE" AND (EventType In ("Registry Value Create","Registry Value Modified") AND SrcProcName Not In ("svchost.exe","SetupHost.exe")) +RegistryKeyPath ContainsCIS "Control Panel\Desktop\SCRNSAVE.EXE" AND (EventType In ("Registry Value Create","Registry Value Modified") AND SrcProcName Not In ("svchost.exe","SetupHost.exe","CcmExec.exe")) ``` ### T1547.005 Security Support Provider @@ -218,4 +218,4 @@ Detects Winlogon Helper Dll changes through Registry MetadataIndicator item, as ``` IndicatorMetadata In Contains Anycase ("Microsoft\Windows NT\CurrentVersion\Winlogon","Microsoft\Windows NT\CurrentVersion\Winlogon\Notify") AND IndicatorMetadata In Contains Anycase ("logon","Userinit","Shell") AND IndicatorMetadata Does Not ContainCIS "WINDOWS\system32\userinit.exe" -``` +``` \ No newline at end of file diff --git a/README.md b/README.md index fed988f..92a5ee1 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,9 @@ # ATT&CK Mapped SentinelOne Queries MITRE ATT&CK mapped queries for SentinelOne Deep Visiblity -This project aims to document SentinelOne Deep Visibility queries for detecting Windows TTPs generated by Red Canary Co's Atomic Red Team framework. These queries have been crafted and tested on Liberty console release and should support Deep Visibility 3.0. Recommending that your Sentinel Agents be on 4.2.x or newer, as some of the indicators data being queried is only collected by newer agents. +This project aims to document SentinelOne Deep Visibility queries for detecting Windows TTPs generated by Red Canary Co's Atomic Red Team framework. Not all techniques documented within the Atomic Red Team project will have matching queries, due to limited data sources within SentinelOne some detections will be limited; we'll eventually expand beyond A.R.T. and just call these ATT&CK mapped queries, but I like the idea of having a framework to test these detections. + +** These queries have been crafted and tested on Liberty console release and should support Deep Visibility 3.0. Recommending that your Sentinel Agents be on 4.2.x or newer, as some of the indicators data being queried is only collected by newer agents. ** ## Tactics (COMPLETED) 
@@ -14,24 +16,20 @@ This project aims to document SentinelOne Deep Visibility queries for detecting [Defense Evasion](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/DefenseEvasion.md) +[Persistence](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Persistence.exe) -## Tactics (PENDING) -[Persistence]() +[Impact](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Impact.md) -[Impact]() +[Discovery](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Discovery.md) -[Discovery]() +[Command and Control](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/CommandAndControl.md) -[Command and Control]() +[Collection](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Collection.md) -[Collection]() +[Execution](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Execution.md) -[Execution]() - -[Exfiltration]() - -[Credential Access]() - -[Lateral Movement]() +[Exfiltration](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/Exfiltration.md) +[Credential Access](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/CredentialAccess.md) +[Lateral Movement](https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/master/LateralMovement.md)
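Review bot: the DefenseEvasion.md hunk at @@ -209 changes nothing except stripping the file's final newline (`\ No newline at end of file`), which is a regression rather than an edit; restore the trailing newline after the closing fence and drop this file from the commit so the diff only carries real changes.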
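Review bot: in the new Persistence.md hunk, the T1546.010 Application Shimming section links to `atomics/T1546.011/T1546.010.md`, a directory/file mismatch that will 404; the T1546.010 atomic is at `atomics/T1546.010/T1546.010.md`. The same section pairs the T1546.010 ID with the title "Application Shimming" while its query covers both `AppInit_DLLs` (T1546.010, AppInit DLLs) and `AppCompatFlags`/sdbinst (T1546.011, Application Shimming), so either split it into two headings or retitle it to name both sub-techniques so the ATT&CK mapping stays accurate. Field naming is inconsistent: the shimming and Netsh Helper DLL queries use `RegistryPath ContainsCIS ...` while every other registry query in the file uses `RegistryKeyPath`; if `RegistryPath` is not a real Deep Visibility field those clauses silently match nothing, so align on `RegistryKeyPath`. The Windows Service query `TgtProcCmdLine Contains "binPath="` uses the case-sensitive operator even though sc.exe accepts `binpath=` in any case; use `ContainsCIS` as the neighbouring queries do. Smaller fixes: "Detections addition of a debugger process" should read "Detects addition", the T1546.013 description is missing a space before "to the powershell profile", and the file should end with a newline rather than `\ No newline at end of file`.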
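Review bot: in the PrivilegeEscalation.md hunk at @@ -32, the replacement `** Noted issues ... ***` is unbalanced (`**` opening, `***` closing) and has spaces inside the delimiters, so CommonMark renders the asterisks literally instead of as bold; the inline-code form it replaces at least rendered predictably. Write it as `**Noted issues ...**` with no inner spaces, or as a `> Note:` blockquote, which reads better for an agent-version caveat. While touching the line, "wer" should be "were".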
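Review bot: in the PrivilegeEscalation.md hunk at @@ -172, adding `"CcmExec.exe"` to the `SrcProcName Not In (...)` list brings this copy of the Screensaver query in line with the identical query in the new Persistence.md, but the same query now lives in two files; note in one of them which copy is canonical, and add a sentence saying why CcmExec.exe is excluded so the allowlist is not widened later without review.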
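Review bot: the PrivilegeEscalation.md hunk at @@ -218 likewise only strips the final newline; restore it so the file ends with a newline after the closing fence and this hunk disappears from the diff.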
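Review bot: in the README.md hunk at @@ -1,7, `** These queries ... **` has whitespace just inside the delimiters, so it will not render as bold in CommonMark and the asterisks appear literally; write `**These queries ...**` or put the version caveat in a `> ` blockquote. The new sentence "Not all techniques ... will have matching queries, due to limited data sources within SentinelOne some detections will be limited; we'll eventually ..." is a run-on; split it after "queries" and again after "limited". The unchanged context line still reads "Deep Visiblity" (should be "Visibility"), and "Red Canary Co's" can simply be "Red Canary's".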
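Review bot: in the README.md hunk at @@ -14,24, the Persistence link points to `Persistence.exe` instead of `Persistence.md`, so it will 404 (and an `.exe` link in a detection repo looks alarming); the `.md` file is what this commit adds. The last three entries (Exfiltration, Credential Access, Lateral Movement) are not separated by blank lines as the others are, so Markdown folds them into one paragraph; add the blank lines. The hunk also deletes the "Tactics (PENDING)" heading and lists every tactic as COMPLETED, yet the new Collection, CommandAndControl, CredentialAccess, Discovery, Execution, Exfiltration, Impact and LateralMovement files contain only Atomic Red Team links and no Deep Visibility queries; either keep those under PENDING or state in the README that a tactic page may list atomics before a query exists.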