Mitre alert packs T1100-1199

T1105

Ingress Tool Transfer

Purpose

Adversaries may transfer tools or other files from an external system into a compromised environment.

This can be done through the command and control channel or through alternate protocols such as FTP. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (Lateral Tool Transfer). Files can also be transferred using various web services as well as native or otherwise present tools on the victim system.

On Windows, adversaries may use various utilities to download tools, such as copy, finger, and PowerShell commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as curl, scp, sftp, tftp, rsync, finger, and wget.

Included alerts

  1. SecOpsProxyHttpSingleCharacterFileNameRequest

  2. SecOpsLinuxNcUseDetected

  3. SecOpsLinuxSCPDetect

  4. SecOpsLinuxAbMaliciousExecution

  5. SecOpsLinuxCurlExecution

  6. SecOpsLinuxWgetUseDetected

  7. SecOpsLinuxRdpMountShare

  8. SecOpsWinCurl

  9. SecOpsWinInvokewebrequestUse

  10. SecOpsLolbinMshta

  11. SecOpsWinDefenderDownloadActivity

  12. SecOpsWinTFTPExecution

  13. SecOpsWinWebclientClassUse

  14. SecOpsWinNewPsDrive

  15. SecOpsLolbinCertreq

  16. SecOpsLolbinCertocexecution

  17. SecOpsLolbinBitsadminTransfer

  18. SecOpsWinFTPScriptExecution

  19. SecOpsWinAppInstallerExecution

  20. SecOpsWinMapSmbShare

  21. SecOpsLolbinCertutil

  22. SecOpsLolbinConfigsecuritypolicy

Prerequisites

data sources

LOOKUPS

T1110

Brute Force

Purpose

This alert pack is vital for protecting “the wall” of your systems, and it also helps you confirm that any misconfigured system accounts are working properly. Brute-force attacks consist of repeated access attempts, so these alerts are naturally noisy when they do fire: the attacker will not stop until they get through.

The alerts included in the alert pack will help your SOC know of any issues or misconfigurations in your environment and provide an extra level of security for you and your business.

Through the use of Brute Force an adversary, without knowledge of the password for an account or set of accounts, may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Included alerts

  1. SecOpsAuthPasswordSprayIp

  2. SecOpsPanAuthFailMultipleUserSingleIP

  3. SecOpsAWSMultipleFailedConsoleLoginsFromASourceIP

  4. SecOpsWinLockoutsEndpoint-AuthAll

  5. SecOpsO365BruteForce

  6. SecOpsAWSMultipleFailedConsoleLogins

  7. SecOpsBroRdpBruteForceSuccessHydraNcrack

  8. SecOpsO365ExcessiveAuthFailureAttempts

  9. SecOpsAWSIAMAssumeRolePolicyBruteForce

  10. SecOpsPanAuthExcessiveFailedLoginUser

  11. SecOpsO365ExcessiveSSOLoginFailures

  12. SecOpsWinLockoutsEndpoint

  13. SecOpsPanAuthExcessiveFailedLoginIP

Prerequisites

data sources

LOOKUPS

T1112

Modify Registry

Purpose

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.

Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.

The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.

Included alerts

  1. SecOpsWinActivateNoTrayContextMenuGroupPolicyFeature

  2. SecOpsWinRegistryModificationDisableChangePasswdFeature

  3. SecOpsWinRegistryModificationDisableShutdownButton

  4. SecOpsWinRegistryModificationHideSCAPower

  5. SecOpsWinRegistryModificationHideSCAVolume

  6. SecOpsWinActivateNoControlPanelGroupPolicyFeature

  7. SecOpsWinRegistryModificationDisableNotificationCenter

  8. SecOpsWinRegistryModificationDisableLockWSFeature

  9. SecOpsWinRegistryModificationNoFindGroupPolicyFeature

  10. SecOpsWinActivateNoPropertiesMyDocumentsGroupPolicyFeature

  11. SecOpsWinRegistryModificationNoDesktopGroupPolicy

  12. SecOpsWinRegistryModificationDisableLogOffButton

  13. SecOpsWinActivateNoSetTaskbarGroupPolicyFeature

  14. SecOpsWinRegistryModificationHideSCANetwork

  15. SecOpsWinRegistryModificationHideClockGroupPolicyFeature

  16. SecOpsWinRegistryModificationHideSCAHealth

  17. SecOpsBlackByteRansomwareRegistryChanges

  18. SecOpsWinModifyShowCompressColorAndInfoTipRegistry

  19. SecOpsWinRegistryModificationDisableTaskmgr

  20. SecOpsWinActivateNoCloseGroupPolicyFeature

  21. SecOpsWinRegistryModificationDisableRegistryTool

  22. SecOpsWinRegistryModificationIExplorerSecZone

  23. SecOpsWinLsassKeyModification

  24. SecOpsWinRegistryModificationDisableCMDApp

  25. SecOpsBlackByteRansomwareRegChangesPowershell

  26. SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWONetwork

  27. SecOpsWinActivateNoFileMenuGroupPolicyFeature

  28. SecOpsWinAddRegistryValueToLoadSrvcInSafeModeWithNetwork

  29. SecOpsWinRegistryModificationPowershellLoggingDisabled

  30. SecOpsWinDisableUac

  31. SecOpsWinRegistryModificationActivateN

Prerequisites

data sources

LOOKUPS

T1114

Email Collection

Purpose

Adversaries may target user email to collect sensitive information from mail servers or clients.

Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries.

Included alerts

  1. SecOpsO365PSTExportAlert

  2. SecOpsO365SuspiciousAdminEmailForwarding

Prerequisites

DATA SOURCES

LOOKUPS

T1115

Clipboard Data

Purpose

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

For example, adversaries can access clipboard data on Windows by using clip.exe or Get-Clipboard. Additionally, adversaries may monitor and then replace users’ clipboard with their data (e.g., Transmitted Data Manipulation).

Systems with macOS and Linux also have commands, such as pbpaste, to grab clipboard contents.

Included alerts

  1. SecOpsLinuxPamdKeylogging

  2. SecOpsLinuxClipboardCopyXclip

Prerequisites

data sources

LOOKUPS

T1119

Automated Collection

Purpose

Once established within a system or network, an adversary may use automated techniques to collect internal data. Methods to do this include the use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. In cloud-based environments, adversaries may also use cloud APIs and command line interfaces, or extract, transform, and load (ETL) services to automatically collect data. This functionality could also be built into remote access tools.

This technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files, as well as Cloud Service Dashboard and Cloud Storage Object Discovery to identify resources in cloud environments.

Included alerts

  1. SecOpsWinAutomatedCollectionPowershell

  2. SecOpsWinAutomatedCollectionCmd

Prerequisites

data sources

LOOKUPS

T1123

Audio Capture

Purpose

An adversary can leverage a computer's peripheral devices (microphones and webcams) or applications (voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.

Included alerts

  1. SecOpsLinuxAudioCapture

Prerequisites

data sources

LOOKUPS

T1133

External Remote Services

Purpose

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.

Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.

Included alerts

  1. SecOpsHAFNIUMWebShellsTargetingExchangeServers

  2. SecOpsWinDnsExeParentProcess

  3. SecOpsVNCPortOpen

Prerequisites

DATA SOURCES

LOOKUPS

T1134

Access Token Manipulation

Purpose

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.

Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone else. When this occurs, the process also takes on the security context associated with the new token.

An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These tokens can then be applied to an existing process (Token Impersonation/Theft) or used to spawn a new process (Create Process with Token).

Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.

Included alerts

  1. SecOpsWinRunasCommandExecution

Prerequisites

DATA SOURCES

LOOKUPS

T1136

Create Account

Purpose

This alert pack helps you detect misuse of credentials to create accounts and secure your environments by notifying you when it happens. It can also help you maintain compliance by giving you an audit-friendly record confirming that every created account was approved.

Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.

Included alerts

  1. SecOpsAzureExternalUserInvited

  2. SecOpsO365NewFederatedDomain

  3. SecOpsWinUserCreationAbnormalNamingConvention

  4. SecOpsAzureUserCreated

  5. SecOpsO365AddedServicePrincipal

  6. SecOpsLocalUserCreation

  7. SecOpsAzureExternalUserInvitationRedeemed

  8. SecOpsAWSIAMCreateUserActionObserved

  9. SecOpsWinAnonymousAccountCreated

  10. SecOpsGCPIAMServiceAccountCreated

  11. SecOpsAWSNewUserPoolClientCreated

Prerequisites

DATA SOURCES

LOOKUPS

T1140

Deobfuscate-Decode Files or Information

Purpose

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for this include built-in functionality of malware or using utilities present on the system.

One such example is the use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. Another example is using the Windows command copy /b to reassemble binary fragments into a malicious payload.

Sometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution, such as entering the password.

Included alerts

  1. SecOpsLolbinCertutil

Prerequisites

DATA SOURCES

LOOKUPS

T1189

Drive-by Compromise

Purpose

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

There are multiple ways of delivering exploit code to a browser:

  • A legitimate website where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.

  • Malicious ads are paid for and served through legitimate ad providers.

  • Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).

When the targeted website is one visited by a specific community, such as a government, a particular industry, or a region, the attack is often referred to as a strategic web compromise or watering hole attack.

Included alerts

  1. SecOpsGSuiteUnauthorizedOAuthApp

Prerequisites

DATA SOURCES

LOOKUPS

T1190

Exploit Public-Facing Application

Purpose

Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.

Depending on the flaw being exploited this may include Exploitation for Defense Evasion. If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.

Included alerts

  1. SecOpsLog4ShellVulnerabilityCloudAzure

  2. SecOpsNonStandardHTTPMethod

  3. SecOpsLog4ShellVulnerabilityOverProxyConnections

  4. SecOpsLog4ShellVulnerabilityOverCrowdStrike

  5. SecOpsBroHttpRequestSingleHeader

  6. SecOpsHTTPQueryUserAgentLengthOutsize

  7. SecOpsLog4ShellVulnerabilityOverWebServerConnections

  8. SecOpsHAFNIUMHttpPostTargetingExchangeServers

  9. SecOpsExplotationAttemptF5BigIp

  10. SecOpsMoveitWebShell

  11. SecOpsPossibleInjectionUserAgent

  12. SecOpsHTTPQueryNonStandardMethod

  13. SecOpsHAFNIUMNetworkActivityTargetingExchangeServers

  14. SecOpsLog4ShellVulnOverFirewallTrafficConnections

  15. SecOpsRevilKaseyaNetworkActivity

  16. SecOpsHAFNIUMUserAgentsTargetingExchangeServers

  17. SecOpsLog4ShellVulnOverDomainsUnionTableConnectionsWithLookup

  18. SecOpsLog4ShellVulnOverDomainsUnionTableConnections

  19. SecOpsLog4ShellVulnerabilityCloudGCP

  20. SecOpsLog4ShellVulnerabilityCloudAWS

Prerequisites

DATA SOURCES