2020-10-23 17:45:53 -05:00


Credential Access

T1056.004 Credential API Hooking

Atomics: T1056.004

The weight of this test rests on injecting a DLL with mavinject that hooks into PowerShell to do the TLS decryption; our detection for T1055 mavinject would cover us for these tests.

T1552.001 Credentials In Files

Atomics: T1552.001

Test #1 - LaZagne

LaZagne happens to spawn 3 cmd shells to save the security, system and sam registry keys, and the standard compiled release from GitHub leaves the original name artifact lazagne.exe.manifest at the %temp%\_MEI?????\lazagne.exe.manifest location.

TgtProcCmdline Contains "reg.exe save hklm\s" OR TgtFilePath Contains "lazagne.exe.manifest"

Test #3 - findstr password extraction

TgtProcCmdLine ContainsCIS "/si pass" OR TgtProcCmdLine ContainsCIS "-pattern password"

T1555.003 Credentials from Web Browsers

Atomics: T1555.003

Test #1 - Modified SysInternals AccessChk Chrome password collector

To focus on detection, we're looking for AccessChk.exe where the DisplayName does not match that of the original. There are 4X as many Cross_Process objects returned by this query, but none of them detect the collection of the Chrome password db.

TgtProcName = "accesschk.exe" AND TgtProcDisplayName != "Reports effective permissions for securable objects"

T1552.002 Registry Credential Enumeration

Atomics: T1552.002

This query detects enumeration and discovery of credentials within the Registry, including Putty sessions.

TgtProcCmdline ContainsCIS "query HKLM /f password /t REG_SZ /s" OR TgtProcCmdline ContainsCIS "query HKCU /f password /t REG_SZ /s" OR TgtProcCmdline ContainsCIS "query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s"

T1056.002 GUI Input Capture

Atomics: T1056.002

Focusing here on detecting the PowerShell UI.PromptForCredential and GetNetworkCredential().Password calls in CmdScript or CmdLine.

(TgtProcCmdline ContainsCIS ".UI.PromptForCredential(" AND TgtProcCmdline ContainsCIS ".GetNetworkCredential().Password") OR (SrcProcCmdScript ContainsCIS ".UI.PromptForCredential(" AND SrcProcCmdScript ContainsCIS ".GetNetworkCredential().Password")

T1552.006 Group Policy Preferences

Atomics: T1552.006

Detection focuses on SYSVOL Group Policy XML file enumeration, with findstr or Get-GPPPassword (alias or CmdScript internal match).

TgtProcCmdline RegExp "^.*\/S cpassword.*\\sysvol\\.*.xml" OR TgtProcCmdline ContainsCIS "Get-GPPPassword" OR SrcProcCmdScript ContainsCIS "Get-ChildItem -Path \"\\$Server\SYSVOL\" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml'"

T1558.003 Kerberoasting

Atomics: T1558.003

T1056.001 Powershell Keylogging

Atomics: T1056.001

I wasn't able to get either copy of Get-Keystrokes.ps1 to work with PowerShell, but the below should reliably detect invocation by alias or CmdScript line matching.

TgtProcCmdline ContainsCIS "Get-Keystrokes" OR SrcProcCmdScript ContainsCIS "user32.dll GetAsyncKeyState" OR SrcProcCmdScript ContainsCIS "[Windows.Forms.Keys][Runtime.InteropServices.Marshal]::ReadInt32("

T1003.004 LSA Secrets

Atomics: T1003.004

For simplicity, we're detecting a Cmdline used both by psexec (the test) and by direct reg.exe LSA extraction.

TgtProcCmdLine ContainsCIS "save HKLM\security\policy\secrets"

T1003.001 LSASS Memory Dumping

Atomics: T1003.001

This one may look crazy, but it's not: detection of wce by hash, procdump, comsvcs, dumpert, mimikatz, pypykatz, and werfault all in one query.

TgtProcImageSha1 = "f0c52cea19c204f5cdbe952cc7cfc182e20d8d43" OR TgtProcCmdline ContainsCIS "-ma lsass.exe" OR TgtProcCmdline ContainsCIS "comsvcs.dll, MiniDump" OR TgtFilePath = "C:\Windows\Temp\dumpert.dmp" OR TgtFilePath RegExp "^.*lsass.*.DMP" OR (SrcProcCmdline ContainsCIS "sekurlsa::minidump" OR SrcProcCmdline ContainsCIS "sekurlsa::logonpasswords") OR SrcProcCmdline ContainsCIS "live lsa"

T1003.003 NTDS Copy

Atomics: T1003.003

We won't bother detecting VSS copies being created; instead we detect copies of the credential files themselves, NTDS.dit or SYSTEM, whether taken from a VSS copy or not.

SrcProcCmdline RegExp "^.*copy.*\\Windows\\NTDS\\NTDS.dit.*" OR SrcProcCmdline RegExp "^.*copy.*\\Windows\\System32\\config\\SYSTEM .*" OR SrcProcCmdline ContainsCIS "save HKLM\SYSTEM" OR (TgtProcName = "ntdsutil.exe" AND TgtProcCmdline ContainsCIS "ac i ntds") OR (TgtProcName = "mklink.exe" AND TgtProcCmdline RegExp "^.*\/[d,D].*GLOBALROOT\\Device\\HarddiskVolumeShadowCopy.*")
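The queries on this page (the LSASS memory dumping and NTDS copy ones above in particular, but the same applies to every rule here) are boolean filters over process-telemetry fields. To exercise them against sample events offline, here is a small evaluator added as an example; it is not code from this page and not the vendor's query engine, and it assumes the semantics stated in its docstring (field names matched case-insensitively, `=` / `!=` / `Contains` / `RegExp` case-sensitive, `ContainsCIS` case-insensitive, `AND` binding tighter than `OR`, a missing field reading as empty). `tokenize`, `Parser`, `matches`, `LSASS_QUERY` and `NTDS_QUERY` are names of this example, and the sample events are constructed.

```python
"""Toy evaluator for the query language used on this page (illustrative, not the
vendor's engine). Assumptions: field names match case-insensitively; "=", "!=" and
Contains are case-sensitive, ContainsCIS is not; RegExp is a case-sensitive
re.search; AND binds tighter than OR; a field missing from an event reads as ""."""
import re

TOKEN_RE = re.compile(r'\s+|(?P<lparen>\()|(?P<rparen>\))|(?P<string>"(?:\\"|[^"])*")'
                      r'|(?P<op>!=|=)|(?P<word>[A-Za-z_][A-Za-z0-9_]*)')  # \" escapes a quote

def tokenize(query):
    tokens, pos = [], 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot tokenize at offset {pos}: {query[pos:pos + 12]!r}")
        pos = m.end()
        if m.lastgroup is None:  # whitespace
            continue
        kind, text = m.lastgroup, m.group(m.lastgroup)
        if kind == "string":
            text = text[1:-1].replace('\\"', '"')  # other backslashes stay literal
        elif text.upper() in ("AND", "OR"):  # the page writes both AND and and
            kind, text = "kw", text.upper()
        tokens.append((kind, text))
    return tokens

class Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def _next(self, kind=None):
        if self.i >= len(self.toks) or (kind and self.toks[self.i][0] != kind):
            raise ValueError(f"expected {kind or 'a token'} at token {self.i}")
        self.i += 1
        return self.toks[self.i - 1][1]

    def _keyword(self, word):
        if self.i < len(self.toks) and self.toks[self.i] == ("kw", word):
            self.i += 1
            return True
        return False

    def or_expr(self):  # or_expr := and_expr (OR and_expr)*
        node = self.and_expr()
        while self._keyword("OR"):
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):  # and_expr := atom (AND atom)*
        node = self.atom()
        while self._keyword("AND"):
            node = ("and", node, self.atom())
        return node

    def atom(self):  # atom := "(" or_expr ")" | field op "value"
        if self.i < len(self.toks) and self.toks[self.i][0] == "lparen":
            self.i += 1
            node = self.or_expr()
            self._next("rparen")
            return node
        field = self._next("word").lower()
        op = self._next()  # "=", "!=", Contains, ContainsCIS or RegExp
        return ("cmp", field, op, self._next("string"))

OPERATORS = {
    "=": lambda actual, want: actual == want,
    "!=": lambda actual, want: actual != want,
    "Contains": lambda actual, want: want in actual,
    "ContainsCIS": lambda actual, want: want.lower() in actual.lower(),
    "RegExp": lambda actual, want: re.search(want, actual) is not None,
}

def evaluate(node, event):
    if node[0] == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    if node[0] == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    return OPERATORS[node[2]](event.get(node[1], ""), node[3])

def matches(query, event):
    """True if the event (a dict of telemetry fields) satisfies the query."""
    parser = Parser(tokenize(query))
    tree = parser.or_expr()
    if parser.i != len(parser.toks):
        raise ValueError("unexpected trailing tokens")
    return evaluate(tree, {k.lower(): str(v) for k, v in event.items()})

# Two queries copied from this page.
LSASS_QUERY = (r'TgtProcImageSha1 = "f0c52cea19c204f5cdbe952cc7cfc182e20d8d43" OR TgtProcCmdline ContainsCIS "-ma lsass.exe" '
               r'OR TgtProcCmdline ContainsCIS "comsvcs.dll, MiniDump" OR TgtFilePath = "C:\Windows\Temp\dumpert.dmp" '
               r'OR TgtFilePath RegExp "^.*lsass.*.DMP" OR (SrcProcCmdline ContainsCIS "sekurlsa::minidump" '
               r'OR SrcProcCmdline ContainsCIS "sekurlsa::logonpasswords") OR SrcProcCmdline ContainsCIS "live lsa"')
NTDS_QUERY = (r'SrcProcCmdline RegExp "^.*copy.*\\Windows\\NTDS\\NTDS.dit.*" OR SrcProcCmdline ContainsCIS "save HKLM\SYSTEM" '
              r'OR (TgtProcName = "ntdsutil.exe" AND TgtProcCmdline ContainsCIS "ac i ntds")')
if __name__ == "__main__":  # constructed sample events, not real telemetry
    for label, query, event in [
        ("procdump of lsass", LSASS_QUERY, {"TgtProcCmdLine": r"procdump64.exe -accepteula -MA LSASS.EXE C:\Temp\out.dmp"}),
        ("lowercase .dmp", LSASS_QUERY, {"TgtFilePath": r"C:\Temp\lsass.dmp"}),  # missed: RegExp is case-sensitive here
        ("ntds.dit copy", NTDS_QUERY, {"SrcProcCmdline": r"cmd.exe /c copy C:\Windows\NTDS\NTDS.dit C:\Temp\ntds.dit"}),
    ]:
        print(f"{label:18} -> {matches(query, event)}")
```

Two things the run makes visible: the page mixes `TgtProcCmdline` and `TgtProcCmdLine`, so a field lookup that is case-sensitive would silently miss some of these rules, and under a case-sensitive `RegExp` the pattern `^.*lsass.*.DMP` does not fire on a file named `lsass.dmp`. Confirm both behaviours against the actual query engine before relying on the rules as written.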

T1040 Network Sniffing

Atomics: T1040

T1003 OS Credential Dumping

Atomics: T1003

T1110.002 Password Cracking

Atomics: T1110.002

T1556.002 Password Filter DLL

Atomics: T1556.002

T1110.001 Password Guessing

Atomics: T1110.001

T1110.003 Password Spraying

Atomics: T1110.003

T1552.004 Private Keys

Atomics: T1552.004

T1003.002 Security Account Manager

Atomics: T1003.002