Mitre alert packs T1000-1099

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

1. SecOpsWinUserCredentialDumpRegistry

2. SecOpsWinShadowCopyDetected

3. SecOpsWinMimikatzLsadump

4. SecOpsWinCredentialDumpingNppspy

5. SecOpsWinRegUtilityHiveExport

6. SecOpsWinLsassMemDump

data sources

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information. Adversaries may also use Automated Collection on the local system.

1. SecOpsWinSensitiveFiles

data sources

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. The exfiltration may occur over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.

Adversaries may choose to do this if they have sufficient access or proximity, and the connection is not as well secured or defended as the primary Internet-connected channel because it is not routed through the same enterprise network.

1. SecOpsEntityBehaviorEntropyServer

data sources

• secops.entities.system

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

The Registry contains a significant amount of information about the operating system, configuration, software, and security, which can easily be queried using the Reg utility.

Some of the information may help further operations within a network, or during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

1. SecOpsWinRegistryQuery

data sources

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.

Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or Net. Adversaries may also analyze data from local host files (ex. C:\\Windows\\System32\\Drivers\\etc\\hosts or other passive means such as local Arp cache entries in order to discover the presence of remote systems in an environment.

Adversaries may also target discovery of network infrastructure as well as leverage Network Device CLI commands on network devices to gather detailed information about systems within a network.

1. SecOpsLog4ShellVulnerabilityCloudAzure

2. SecOpsLog4ShellVulnerabilityOverCrowdStrike

3. SecOpsLog4ShellVulnOverDomainsUnionTableConnectionsWithLookup

4. SecOpsWinRemoteSystemDiscovery

data sources

• edr.crowdstrike.cannon.processrollup2 ^{learn more}

• domains.all ^{learn more}

• box.all.win ^{learn more}

• cloud.azure ^{learn more}

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.

1. SecOpsFWTrafficForeignDestination

2. SecOpsDataExfiltrationToUnsanctionedA

data sources

• firewall.all.traffic ^{learn more}

• cloud.office365.siem_agent_event ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

• SecOpsDomesticCountries

Attackers often use valid accounts to perform actions impersonating the user and cause disruptions. Help your company protect against the misuse of their asset and improve your security posture.

To do that, adversaries may log in to services specifically designed to accept remote connections, such as telnet, SSH, and VNC. In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain, credentials, they could login to many different machines using remote access protocols such as Secure Shell (SSH) or Remote Desktop Protocol (RDP).

1. SecOpsBroWinLsatUserEnumeration

2. SecOpsFWExternalSMBTrafficDetectedFirewall

3. SecOpsLinuxExtNetworkviaTelnet

4. SecOpsBroWinDceRpcSamrEnumeration

5. SecOpsFWRDPExternalAccess

6. SecOpsWinNetworkShareCreated

7. SecOpsBroSmbFirstSeenShare

8. SecOpsFWSMBInternalScanningDetected

9. SecOpsWinAdminShareSuspiciousUse

10. SecOpsBroWinDceRpceServiceCall

11. SecOpsLinuxIntNetworkviaTelnet

12. SecOpsVNCPortOpen

13. SecOpsFWSMBTrafficOutbound

data sources

• firewall.all.traffic ^{learn more}

• ids.bro.dce_rpc

• ids.bro.notice

• box.unix ^{learn more}

• box.all.win ^{learn more}

Lookups

• SecOpsAlertDescription

• SecOpsAssetRole

• SecOpsLocation

Adversaries may search connected removable media on computers they have compromised to find files of interest.

Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

Some adversaries may also use Automated Collection on removable media."

1. SecOpsWinExternalDeviceInstallationDenied

2. SecOpsWinSuspiciousExternalDeviceInstallation

data sources

• box.all.win ^{learn more}

Lookups

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior across different platforms and the network to evade defenses.

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action or password entering may be required to open and Deobfuscate/Decode Files or Information for User Execution. Adversaries may also use compressed or archived scripts, such as JavaScript.

Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.

Adversaries may also abuse Command Obfuscation to obscure commands executed from payloads or directly via Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms.

1. SecOpsTooLongDNSResponse

2. SecOpsLolbinCertutil

DATA SOURCES

• network.dns ^{learn more}

• box.all.win ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds.

This approach may be used to avoid triggering network data transfer threshold alerts.

1. SecOpsCloudDiscoveryAnomalyDetectionO365

2. SecOpsAwsVpcLargeFile

data sources

• vpc.aws.flow ^{learn more}

• cloud.office365.siem_agent_event ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping.

This technique may consist of any actions performed (typically the command whoami) to retrieve username information, which is prevalent throughout a system and includes running process ownership, file/directory ownership, session information, and system logs. This may be used to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

1. SecOpsWinLocalSystemExecuteWhoami

DATA SOURCES

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.

1. SecOpsProxyHttpSingleCharacterFileNameRequest

2. SecOpsWinFakeProcesses

3. SecOpsWinSuspiciousWritesToRecycleBin

4. SecOpsWinMemoryCorruptionVulnerability

data sources

• proxy.all.access ^{learn more}

• box.all.win ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may use scripts automatically executed at boot or logon initialization to establish and maintain persistence.

Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.

An adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.

1. SecOpsLinuxFileCreateInitBoot

2. SecOpsLinuxBashShellProfileMod

DATA SOURCES

• box.unix ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may attempt to get a list of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.

It is very important to detect to know that you have a potential attacker within your system that is trying to discover the layout for your infrastructure. This is a crucial step in causing disruption and issues for your business and customers. When an attacker has infiltrated a network device they will often use the techniques to find out what devices are being used, and which are vulnerable to exploitation.

1. SecOpsLog4ShellVulnerabilityCloudAzure

2. SecOpsFWPortScanInternalSource

3. SecOpsAwsECRContainerScanningFindingsCritical

4. SecOpsFWSMBInboundScanningDetected

5. SecOpsFWExcessFirewallDeniesOutbound

6. SecOpsAWSExcessiveSecurityScanning

7. SecOpsFWIpScanInternal

8. SecOpsLog4ShellVulnOverDomainsUnionTableConnectionsWithLookup

9. SecOpsAWSECRContainerScanningFindingsLowInformationalUnknown

10. SecOpsFWPortSweepInternalSource

data sources

• firewall.all.traffic ^{learn more}

• cloud.azure ^{learn more}

• cloud.aws.cloudtrail ^{learn more}

• domains.all ^{learn more}

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM). Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement.

SecOpsWinWMIPermanentEventSubscription

SecOpsWinWmiProcessCallCreate

SecOpsWinWmiLaunchingShell

SecOpsWinSysInternalsActivityDetected

SecOpsWinWmiTemporaryEventSubscription

DATA SOURCES

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.

Exfiltration Over Alternative Protocol can be done using various common operating system utilities such as Net/SMB or FTP. On macOS and Linux curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.

Many IaaS and SaaS platforms (such as Microsoft Exchange, Microsoft SharePoint, GitHub, and AWS S3) support the direct download of files, emails, source code, and other sensitive information via the web console or Cloud API.

1. SecOpsLinuxNcUseDetected

2. SecOpsLinuxSCPDetect

3. SecOpsLinuxAbMaliciousExecution

4. SecOpsLinuxCurlExecution

5. SecOpsLinuxPythonServerStarted

6. SecOpsLinuxRubyHttpServerStarted

7. SecOpsLinuxWgetUseDetected

8. SecOpsLinuxPhpServerStarted

9. SecOpsLinuxRdpMountShare

10. SecOpsAwsVpcLargeOutboundTrafficBlock

11. SecOpsWinCurl

12. SecOpsWinInvokewebrequestUse

13. SecOpsWinIcmpExfiltration

14. SecOpsWinRcloneExecution

15. SecOpsWinTFTPExecution

16. SecOpsWinSmtpExfiltration

17. SecOpsWinWebclientClassUse

18. SecOpsWinNewPsDrive

19. SecOpsLolbinCertreq

20. SecOpsWinFTPScriptExecution

21. SecOpsWinMapSmbShare

DATA SOURCES

• box.unix ^{learn more}

• vpc.aws.flow ^{learn more}

• box.all.win ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive.

In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device.

The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

1. SecOpsWinExternalDeviceInstallationDenied

2. SecOpsWinSuspiciousExternalDeviceInsta

DATA SOURCES

• box.all.win ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may set up executable, or malicious code, to be run at different times to cause disruptions to the business.

This technique may apply to all major operating systems, provided the proper authentication requirements are met, typically being a member of an admin or otherwise privileged group. One example is RPC and file and printer sharing in Windows environments.

These detections help your SOC understand what steps and events occurred before the program was run. Even better, it can help notify the SOC when an adversary has attempted some of these steps and can help provide real-time information for the SOC to thwart those attempts.

1. SecOpsLinuxAddFilestoCrontabDir

2. SecOpsAzureAutomationWebhookCreated

3. SecOpsWinSchtasksForcedReboot

4. SecOpsLinuxAppendCronjobEntry

5. SecOpsWinScheduledTaskCreation

6. SecOpsWinSchtasksRemoteSystem

7. SecOpsAzureAutomationRunbookCreatedOrMofidied

DATA SOURCES

• cloud.azure.activity.events ^{learn more}

• box.all.win ^{learn more}

• box.unix ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.

To do that, they run code in the context of another process to have access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

There are many different ways to inject code into a process and they exist for every major OS but are typically platform specific. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.

1. SecOpsIntegrityProblem

DATA SOURCES

• box.all.win ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may employ user input capturing methods to obtain credentials or collect information.

During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (Credential API Hooking) or rely on deceiving the user into providing input through a service they believe genuine (Web Portal Capture).

1. SecOpsWinPowershellKeyloggin

DATA SOURCES

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may attempt to get information about running processes on a system, which can be used in turn to get information on systems within the network and shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

In Windows environments, this can be obtained using the Tasklist utility via cmd or Get-Process via PowerShell, as well as extracting it from the output of Native API calls such as CreateToolhelp32Snapshot.

In Mac and Linux, this is accomplished with the ps command or enumerating processes via /proc.

On network devices, Network Device CLI commands such as show processes can be used for this.

1. SecOpsWinPowershellProcessDiscover

DATA SOURCES

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.

1. SecOpsLinuxNcUseDetected

2. SecOpsLinuxRestrictedShellBreakoutSSH

3. SecOpsLinuxSuspciousExecutionCommand

4. SecOpsAzureVMCmdEXE

5. SecOpsWinPowershellSetExecutionPolicyBypass

6. SecOpsWinOfficeBrowserLaunchingShell

7. SecOpsWinWmiScriptExecution

8. SecOpsMaliciousPowerShellCommandletNames

9. SecOpsWinWmiExecVbsScript

10. SecOpsMaliciousPowerShellPrebuiltCommandlet

     

data sources

• cloud.azure.activity.events ^{learn more}

• box.all.win ^{learn more}

• box.unix ^{learn more}

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. This occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

Vulnerabilities can also be exploited to enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.

Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD). Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via Ingress Tool Transfer or Lateral Tool Transfer.

1. SecOpsWinSpoolsvExeAbnormalProcessSpawn

DATA SOURCES

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.

This can be done in many different ways and the information extracted about the compromised environment can be used in follow-on activity and targeting.

1. SecOpsAzureGroupInformationDownload

2. SecOpsWinPermissionGroupDiscovery

DATA SOURCES

• cloud.azure.ad.audit ^{learn more}

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Typically, these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.

The removal of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported, as well as impede forensic analysis and incident response due to lack of sufficient data to determine what occurred.

1. SecOpsLinuxWebserverAccessLogsDeleted

2. SecOpsLinuxSystemLogFileDeletion

3. SecOpsWinAuditLogCleared

data sources

• box.unix ^{learn more}

• box.all.win ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. Commonly used protocols are SMB, SSH, or RDP, which are for connections that occur internally within an enclave (those between a proxy or pivot node and other nodes).

1. SecOpsOutboundTrafficToDeviceFlaggedAsThreat

2. SecOpsBroSshInteresingHostNameLogin

3. SecOpsFWSigred

4. SecOpsFWIrcTrafficExternalDestination

5. SecOpsRevilKaseyaDomainConnection

6. SecOpsHostNameSubdomainLength

7. SecOpsHostDNSBasedCovertChannelIpv6Record

DATA SOURCES

• firewall.all.traffic ^{learn more}

• domains.all ^{learn more}

• network.dns ^{learn more}

• proxy.all.access ^{learn more}

• ids.bro.notice

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).

Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.

1. SecOpsMultipleVMCreationActivitiesO365

    

DATA SOURCES

• cloud.office365.siem_agent_alert ^{learn more}

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration.

An adversary may Create Cloud Instance and stage data in that instance. Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.

1. SecOpsFwTftpOutboundTraffic

    

DATA SOURCES

• firewall.all.traffic ^{learn more}

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

This may ultimately cause significant disruptions, as compromised credentials may be used to bypass access controls placed on local or remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. They may also grant increased privilege to specific systems or access to restricted areas of the network and adversaries may choose not to use malware or tools to make it harder to detect their presence.

These detections will help lower your MTTR for these events by providing you with real-time updates from these accounts so that the appropriate action can be taken.

1. SecOpsSimultaneouslyLoginbyIP

2. SecOpsGSuiteLoginAccountWarning

3. SecOpsAWSDetectStsAssumeRoleAbuse

4. SecOpsSimultaneouslyLoginbyUser

5. SecOpsGSuiteMobileSuspiciousActivity

6. SecOpsAWSRootLogin

7. SecOpsLinuxAuditdMaxFailedLoginAttempts

8. SecOpsGSuiteGovernmentAttackWarning

9. SecOpsAWSUserSuccessfulLoginWithoutMFA

10. SecOpsLinuxIrregularLogin

11. SecOpsGCPIAMCustomRoleCreation

12. SecOpsAwsDbSnapshotCreated

13. SecOpsLinuxMaxSessionsPerUser

14. SecOpsGCPDetectAccountsWithHighRiskRolesByProject

15. SecOpsAWSPermissionsBoundaryLiftedtoRole

16. SecOpsAzureAutoAccountCreated

17. SecOpsO365UserPasswordChange

18. SecOpsAWSSetdefaultpolicyversion

19. SecOpsAzureUserLoginSuspiciousRisk

20. SecOpsAWSSamlAccess

21. SecOpsAwsUnapprovedUserApiActivity

22. SecOpsAzureImpossibleTravel

23. SecOpsAWSPermissionsBoundaryLiftedtoUser

24. SecOpsAWSPermissionsBoundaryModifiedToRole

25. SecOpsAzureUserHighRiskSignIn

26. SecOpsAWSCreateloginprofile

27. SecOpsAWSIamSuccessfulGroupDeletion

28. SecOpsAzureUserHighAggregateRiskSignIn

29. SecOpsAWSPermissionsBoundaryModifiedToUser

30. SecOpsWinAdminRemoteLogon

31. SecOpsAzureUserConfirmedCompromised

32. SecOpsAWSUpdateloginprofile

33. SecOpsWinExcessiveUserInteractiveLogin

DATA SOURCES

• cloud.office365 ^{learn more}

• cloud.gsuite.reports.login ^{learn more}

• auth.all ^{learn more}

• cloud.azure.ad.signin ^{learn more}

• cloud.gsuite.alerts ^{learn more}

• box.unix ^{learn more}

• cloud.gcp ^{learn more}

• cloud.aws.cloudtrail ^{learn more}

• cloud.gsuite.reports.mobile ^{learn more}

• box.all.win ^{learn more}

• cloud.azure.eh.events ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Tools such as Systeminfo can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the code configuration tool on macOS. As an example, adversaries with user-level access can execute the command to obtain currently mounted disks and associated freely available space.

Adversaries may also leverage a Network Device CLI on network devices to gather detailed system information. System Information Discovery combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment. Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.

1. SecOpsMultipleHTTPMethodsUsed

2. SecOpsEntityNewServer

    

    

DATA SOURCES

• proxy.all.access ^{learn more}

• secops.entities.behavior

Adversaries may enumerate files and directories or search in specific host or network locations for certain information within a file system, and later use it to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

This can be achieved by using a variety of command shell utilities (dir, tree, ls, find, and locate), custom tools to interact with the Native API, or leverage of a Network Device CLI (dir, show flash, and/or nvram).

1. SecOpsRevilKaseyaHashFound

2. SecOpsHAFNIUMHashFoundFileTargetingExchangeServers

3. SecOpsSeveralError4xx

4. SecOpsHAFNIUMUmServiceSuspiciousFileTargetingExchangeServers

DATA SOURCES

• box.all.win ^{learn more}

• web.all.access ^{learn more}

• edr.all.threats ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may attempt to get a list of valid accounts, usernames, or email addresses on a compromised system or environment to help them determine how they can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g. Valid Accounts).

Adversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment. For example, cloud environments typically provide easily accessible interfaces to obtain user lists and hosts can be exploited by using default PowerShell and other command line functionality to identify accounts.

Information about email addresses and accounts may also be extracted by searching an infected system’s files.

1. SecOpsAzureUserInformationDownload

2. SecOpsAWSOpsWorksDescribePermissionsEvent

Data sources

• cloud.azure.ad.audit ^{learn more}

• cloud.aws.cloudtrail ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may use a connection proxy to redirect network traffic between systems or act as an intermediary for network communications to a command and control server and avoid direct connections to their infrastructure.

This is achieved by using tools such as HTRAN, ZXProxy, and ZXPortMa, which provide management of command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, and ride over existing trusted communications paths between victims to avoid suspicion.

Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic or chain together multiple proxies to further disguise the source of malicious traffic.

1. SecOpsActivityFromAnonymousIPO365

2. SecOpsAnonymousConnection

3. SecOpsActivityAnonymousIPAddressesO365

4. SecOpsBehaviourAlertTestingApp

data sources

• firewall.all.traffic ^{learn more}

• cloud.office365.siem_agent_alert ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system.

Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

1. SecOpsWinExternalDeviceInstallationDenied

2. SecOpsWinSuspiciousExternalDeviceInstallation

data sources

• box.all.win ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive and include network layer protocols (ICMP or Internet Control Message Protocol), transport layer protocols (UDP or User Datagram Protocol), session layer protocols (SOCKS or Socket Secure), as well as redirected/tunneled protocols (SOL or Serial over LAN).

In the case of the ICMP it is required to be implemented by all IP-compatible hosts Because ICMP is part of the Internet Protocol Suite. However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

1. SecOpsFWIcmpExcessivePackets

data sources

• firewall.all.traffic ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

• SecOpsLocation

Account, access controls are extremely important in preventing the users and systems from causing disruption based on access levels or having accounts manipulated by attackers.

These detections will let you know when there are any issues or misconfigurations in your environment and provide an extra level of security for you and your business.

Account Manipulation technique may consist of any actions that preserve adversary access to a compromised account, such as modifying credentials or permissions groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

1. SecOpsLinuxSshAuthKeyModification

2. SecOpsO365UserPasswordReset

3. SecOpsAWSIAMCreateUserActionObserved

4. SecOpsAzureUserAddedNonAdminRole

5. SecOpsO365SusMailboxDelegation

6. SecOpsAWSPermissionsBoundaryLiftedtoRole

7. SecOpsAzureUserAddedToGlobalAdminRole

8. SecOpsAWSPermissionsBoundaryLiftedtoUser

9. SecOpsAWSSetdefaultpolicyversion

10. SecOpsAzureUserAddedOutsidePIMRole

11. SecOpsAwsEc2KeyAction

12. SecOpsAWSPermissionsBoundaryModifiedToRole

13. SecOpsGSuite2SVDisabled

14. SecOpsAWSCreateloginprofile

15. SecOpsAwsKmsSensitiveActivity

16. SecOpsGCPGCSBucketModified

17. SecOpsAWSPermissionsBoundaryModifiedToUser

18. SecOpsAWSNewUserPoolClientCreated

19. SecOpsGCPKMSKeyDestroy

20. SecOpsAWSUpdateloginprofile

21. SecOpsAwsPermanentKeyCreation

22. SecOpsGCPIAMServiceAccountKeyDeletion

23. SecOpsAWSDetectStsAssumeRoleAbuse

24. SecOpsWinUserAddedToLocalSecurityEnabledGroup

25. SecOpsGCPIAMServiceAccountKeyCreation

26. SecOpsAwsRoleCreated

27. SecOpsWinUserAddedSelfToSecGroup

28. SecOpsGCPKMSKeyEnabledOrDisabled

29. SecOpsAWSIAMDeletePolicy

30. SecOpsWinUserAddedPrivlegedSecGroup

DATA SOURCES

• cloud.office365 ^{learn more}

• cloud.office365.management.exchange ^{learn more}

• cloud.azure.ad.audit ^{learn more}

• cloud.gsuite.reports.admin ^{learn more}

• box.unix ^{learn more}

• cloud.aws.cloudtrail ^{learn more}

• cloud.gcp ^{learn more}

• box.all.win ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole