Mitre alert packs T1500-1599

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.

Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application.

Adversaries may install malicious components to extend and abuse server applications.

1. SecOpsRevilKaseyaWebShellsUploadConn

2. SecOpsRevilKaseyaWebShells

3. SecOpsLinuxCommandExecutionWebUser

4. SecOpsWinIISWebRootProcessExecution

DATA SOURCES

• proxy.all.access ^{learn more}

• box.unix ^{learn more}

• web.all.access ^{learn more}

• box.all.win ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike Upload Malware, this technique focuses on images. Depending on how the infrastructure is provisioned, this could provide persistent access (if provisioning tool is instructed to always use the latest image).

A tool has been developed to facilitate planting backdoors in cloud container images. If an adversary has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a Web Shell.

1. SecOpsAwsEcrImageUpload

DATA SOURCES

• cloud.aws.cloudtrail ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

An adversary may attempt to enumerate the cloud services running on a system after gaining access, which can be platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc.

Azure tools and APIs (Azure AD Graph API and Azure Resource Manager API) can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.

Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services.

Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.

1. SecOpsGCPGCSBucketEnumerated

2. SecOpsGCPKubernetesClusterPodScanDetection

3. SecOpsAWSIAMUserGeneratingAccessDeniedErrorsAcrossMultipleActions

DATA SOURCES

• cloud.gcp ^{learn more}

• cloud.aws.cloudtrail.events ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS). OAuth is one commonly implemented framework to issue tokens and adversaries steal them to be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.

In Kubernetes environments, processes running inside a container communicate with the Kubernetes API server using service account tokens. If a container is compromised, an attacker may be able to steal the container’s token and thereby gain access to Kubernetes API commands.

Token theft can also occur through social engineering, in which case user action may be required to grant access. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. A commonly-used sequence is Microsoft's Authorization Code Grant flow, where an OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.

1. SecOpsGSuiteExcessiveOAuthPermissionsRequest

2. SecOpsO365UserPasswordChange

DATA SOURCES

• cloud.office365 ^{learn more}

• cloud.gsuite.reports.token ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may access data from improperly secured cloud storage.

Many cloud service providers offer solutions for online data object storage, either without an overarching application (Amazon S3, Azure Storage, and Google Cloud Storage) or as a peripheral use case of their platform (Slack, Confluence, and Salesforce).

Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem. One of the examples is unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.

This open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.

Adversaries may also obtain and then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.

1. SecOpsGSuiteDriveOpenToPublic

2. SecOpsGSuiteAcessTransparencyEvent

3. SecOpsGCPPubSubTopicCreation

4. SecOpsGCPKubernetesSensitiveObjectAccess

5. SecOpsGCPPubSubSubscriptionCreation

6. SecOpsGCPAuditListQueues

7. SecOpsGCPNewPublicStorageBucket

8. SecOpsGCPGoogleDriveSharedPublicly

9. SecOpsAwsDbSnapshotCreated

10. SecOpsAwsSqsListQueues

DATA SOURCES

• cloud.gcp ^{learn more}

• cloud.gsuite.reports.access_transparency ^{learn more}

• cloud.aws.cloudtrail ^{learn more}

• cloud.gsuite.audit.drive ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users (delete, lock or manipulate) to subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place.

In Windows, Net utility (Set-LocalUser) and PowerShell cmdlets (Set-ADAccountPassword) may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy.

Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as Data Destruction and Defacement, in order to impede incident response/recovery before completing the Data Encrypted for Impact objective.

1. SecOpsGCPIAMCustomRoleDeletion

2. SecOpsGCPIAMServiceAccountDisabled

3. SecOpsGCPIAMServiceAccountDeletion

4. SecOpsAWSIAMDeletePolicy

5. SecOpsAwsKmsKeyDeletion

6. SecOpsAwsMasterKeyDisabledOrDeletion

7. SecOpsAWSIamSuccessfulGroupDeletion

DATA SOURCES

• cloud.gcp ^{learn more}

• cloud.aws.cloudtrail ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may exfiltrate data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.

This is because a defender who is monitoring data transfers may not be watching for transfers within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.

1. SecOpsGCPLoggingSinkModification

DATA SOURCES

• cloud.gcp ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Cookies are often valid for an extended period of time, even if the web application is not actively used and can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Session cookies can be used to bypasses some multi-factor authentication protocols.

There are several examples of malware targeting cookies from web browsers on the local system and also open source frameworks, such as Evilginx 2 and Muraena, to gather session cookies through a malicious proxy (Adversary-in-the-Middle), which can be set up and used in phishing campaigns.

After an adversary acquires a valid cookie, they can then perform a Web Session Cookie technique to login to the corresponding web application.

1. SecOpsO365UserPasswordChange

DATA SOURCES

• cloud.office365 ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions (called services on Windows and Linux, and Launch Daemon/Launch Agent on MacOS, which are run to finish system initialization and load user specific parameters).

Adversaries may install new services, daemons, or agents, or modify existing ones, that can be configured to execute at startup or a repeatable interval in order to establish persistence.

Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.

1. SecOpsLinuxSvcFileCreated

2. SecOpsLinuxSvcEnabled

3. SecOpsMaliciousServiceInstallations

4. SecOpsSIGRedExploitMicrosoftWindowsDNS

5. SecOpsTurlaPNGDropperService

6. SecOpsTurlaServiceInstall

7. SecOpsStoneDrillServiceInstall

8. SecOpsRareServiceInstalls

9. SecOpsAPT29byGoogleUpdateServiceInstall

DATA SOURCES

• box.unix ^{learn more}

• box.all.win ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.

Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.

Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.

1. SecOpsLinuxFileCreateProfile

2. SecOpsLinuxAppendCommandToProfileConfig

3. SecOpsSuspiciousWMIExecution

4. SecOpsREvilKaseyaRegistryKey

5. SecOpsAppInitDLLsLoaded

6. SecOpsSuspiciousBehaviorAppInitDLL

7. SecOpsWINWmiMOFProcessExecution

8. SecOpsWinWmiprvseSpawningProcess

DATA SOURCES

• box.unix ^{learn more}

• box.all.win ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

Operating systems may have mechanisms to automatically run a program on system boot or account logon, which may include automatically executing programs placed in specially designated directories or in repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.

1. SecOpsLinuxInstallKernelModprobe

2. SecOpsLinuxInsertKernelInsmod

3. SecOpsWinRegistryModificationRunKeyAdded

DATA SOURCES

• box.unix ^{learn more}

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions.

Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.

An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system

1. SecOpsLinuxSetuiSecapUtility

2. SecOpsLinuxNOPASSWDSudoers

3. SecOpsLinuxDoasToolExec

4. SecOpsLinuxDoasConfigCreate

5. SecOpsLinuxSudoFileModification

6. SecOpsLinuxSetuidUsingChmod

7. SecOpsBypassUserAccountControl

DATA SOURCES

• box.unix ^{learn more}

• box.all.win ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

Authentication processes generally require a valid identity (username) along with one or more authentication factors (password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after both identity and authentication factors are provided or during the identity creation process.

Caching alternate authentication material allows the system to verify identity without asking for factors again. Due to the fact that it must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through Credential Access techniques. By stealing them, adversaries are able to bypass system access controls and authenticate to systems.

1. SecOpsAwsStsPossibleSessionTokenAbuse

2. SecOpsAWSNewUserPoolClientCreated

3. SecOpsPassTheHashActivityLoginBehaviour

4. SecOpsWinPotentialPassTheHash

DATA SOURCES

• box.all.win ^{learn more}

• cloud.aws.cloudtrail ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (Bash History), operating system or application-specific repositories (Credentials in Registry), or other specialized files/artifacts (Private Keys).

1. SecOpsAzureDevOpsSecretNotSecured

2. SecOpsGCPSecretsManagerHighActivity

3. SecOpsAWSSecretsManagerSensitiveAdminActionObserved

4. SecOpsAwsGetSecretFromNonAmazonIp

5. SecOpsWinWifiCredHarvestNetsh

DATA SOURCES

• cloud.azure.vm.unknown_events ^{learn more}

• box.all.win ^{learn more}

• cloud.aws.cloudtrail ^{learn more}

• cloud.gcp ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs.

Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. They are allowed to run signed by a valid code certificate and the user is warned about an attribute set downloaded from the Internet or an untrusted site.

The method used will depend on the specific mechanism they seek to subvert (File and Directory Permissions Modification or Modify Registry). They may also create or steal code signing certificates to acquire trust on target systems.

1. SecOpsWinAttemptToAddCertificateToStore

DATA SOURCES

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

• SecOpsLocation

Adversaries may search for common password storage locations to obtain user credentials. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain.

1. SecOpsWinRegistryModificationStoreLogonCred

DATA SOURCES

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts, being able to authenticate to a service or system without using Valid Accounts.

The authentication process is handled by mechanisms responsible responsible for gathering, storing, and validating credentials

• Windows: Local Security Authentication Server (LSASS) and or Security Accounts Manager (SAM).

• Unix-based systems: pluggable authentication modules (PAM).

• MacOS systems: authorization plugins.

Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.

1. SecOpsO365DisableMFA

data sources

• cloud.office365.management.azureactivedirectory ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket.

Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as "realms", there are three basic participants: client, service, and Key Distribution Center (KDC).

Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting.

1. SecOpsWinGoldenSamlCertificateExport

2. SecOpsWinADDomainEnumeration

DATA SOURCES

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

An adversary may compress and/or encrypt data that is collected prior to exfiltration. This can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide exfiltrated information from detection or make exfiltration less conspicuous upon inspection.

Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.

1. SecOpsLinuxCompressEncryptData

2. SecOpsWinCompressEncryptData

DATA SOURCES

• box.unix ^{learn more}

• box.all.win ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

This alert pack helps you protect against an adversary that has infiltrated your system and is trying to remove barriers for other adversaries. It provides the necessary information to stop and remediate any damage caused before it is too late.

Adversaries may maliciously modify components of a victim’s environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus but also detection capabilities that can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.

1. SecOpsLinuxPotentialDisableSELinux

2. SecOpsGCPLoggingSinkDeletion

3. SecOpsAWSLoggingConfigurationChangeObservedStopLogging

4. SecOpsAzureFWPolicyDeletion

5. SecOpsGCPLoggingBucketDeletion

6. SecOpsAWSNetworkAccessControlListDeleted

7. SecOpsAzureFrontDoorWafPolicyDeletion

8. SecOpsGCPGCEFirewallRuleCreation

9. SecOpsAWSOpenNetworkACLs

10. SecOpsAzureDevOpsAuditDisabled

11. SecOpsGCPGCEFirewallRuleDeletion

12. SecOpsAWSLoggingConfigurationChangeObservedRemoveTags

13. SecOpsGCPPubSubTopicDeletion

14. SecOpsO365MailboxAuditBypass

15. SecOpsWinDisableAntispywareRegistry

16. SecOpsGCPGCEFirewallRuleModification

17. SecOpsO365BypassMFAviaIP

18. SecOpsWinCritServiceStopped

19. SecOpsGCPPubSubSubscriptionDeletion

20. SecOpsAWSLoggingConfigurationChangeObservedDeleteTrail

DATA SOURCES

• cloud.azure.activity.events ^{learn more}

• cloud.office365.management ^{learn more}

• cloud.azure.vm.unknown_events ^{learn more}

• cloud.office365.management.exchange ^{learn more}

• box.unix ^{learn more}

• cloud.aws.cloudtrail ^{learn more}

• cloud.gcp ^{learn more}

• box.all.win ^{learn more}

• cloud.azure.eh.events ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may employ valid credentials to log in to a service specifically designed to accept remote connections, such as telnet, SSH, and RDP, and a session will be established to maintain a continuous interaction with that service.

Adversaries may commandeer these sessions to carry out actions on remote systems. Remote Service Session Hijacking differs from use of Remote Services because it hijacks an existing session rather than creating a new session using Valid Accounts.

1. SecOpsAWSDetectUsersCreatingKeysWit

DATA SOURCES

• cloud.aws.cloudtrail ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.

The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

1. SecOpsGCPSQLDatabaseModification

DATA SOURCES

• cloud.gcp ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted at a specific individual, company, or industry, which is known as spearphishing, or mass malware spam campaigns, which is known as non-targeted phishing.

Adversaries may send victims emails or use social media to send malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also involve social engineering techniques (posing as a trusted source), as well as evasive techniques (removing or manipulating emails or metadata/headers from the compromised accounts used as senders as in Email Hiding Rules). They also forge or spoof the identity of the sender which can be used to fool both the human recipient as well as automated security tools.

Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware, or install adversary-accessible remote management tools onto their computer.

1. SecOpsO365PhishAttempt

2. SecOpsMimecastMessageWithHighSpamScore

3. SecOpsMimecastMessageWithVirusDetections

DATA SOURCES

• mail.mimecast.siem.av ^{learn more}

• mail.mimecast.siem.receipt ^{earn more}

• cloud.office365.management.securitycompliancecenter ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise.

Firewall rules may also already exist to permit traffic to these services and web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

1. SecOpsGSuiteDriveExternallyShared

2. SecOpsLolbinDatasvcutil

3. SecOpsLolbinConfigsecuritypolicy

DATA SOURCES

• cloud.gsuite.reports.drive ^{learn more}

• box.all.win ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Adversaries may use dynamic resolution for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.

1. SecOpsDynamicDNSDetected

2. SecOpsTLDFromDomainNotInMozillaTLD

3. SecOpsSuspicionOfPossibleDomainGenerationAlgorithm

DATA SOURCES

• proxy.all.access ^{learn more}

• secops.entities.system

• domains.all ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may abuse system services or daemons to execute commands or programs. To do this, they can execute malicious content by interacting with or creating services either locally or remotely.

Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but they can also abuse services for one-time or temporary execution.

1. SecOpsWinServiceCreatedNonStandardPath

DATA SOURCES

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may communicate using a protocol and port paring that are typically not associated, or make changes to the standard port used by a protocol, to bypass filtering or muddle analysis/parsing of network data.

1. SecOpsPortIntoURL

2. SecOpsFWTrafficOnUnassignedLowPort

DATA SOURCES

• firewall.all.traffic ^{learn more}

• proxy.all.access ^{learn more}

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems.

Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.

Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.

Protocol Tunneling may also be abused by adversaries during Dynamic Resolution or in conjunction with Proxy and/or Protocol Impersonation to further conceal C2 communications and infrastructure.

1. SecOpsWinDnsExcessiveEmptyOrRefusedQueries

DATA SOURCES

• dns.windows ^{learn more}

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time, as well as to elevate privileges or evade defenses, such as application control or other restrictions on execution.

There are many ways to this such as manipulating how the operating system locates programs to be executed, how the operating system locates libraries to be used by a program, or the locations where the operating system looks for programs/resources (file directories or the Registry in Windows).

1. SecOpsLinuxHijackLibraryCalls

2. SecOpsDLLWithNonUsualPath

DATA SOURCES

• box.unix ^{learn more}

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.

Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.

1. SecOpsAzureHybridHealthADFSNewServer

2. SecOpsAzureHybridHealthADFSDelete

3. SecOpsAwsECRContainerUploadOutsideBusinessHours

4. SecOpsAwsDbSnapshotCreated

DATA SOURCES

• cloud.aws.cloudtrail ^{learn more}

• cloud.azure.othres.administrative ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

• SecOpsLocation

This alert pack will let you know when the attackers are looking for valuable information about your clouds and can help your team respond to all discovery threats.

An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.

1. SecOpsGCPAuditUnauthorizedAPICalls

2. SecOpsGCPAuditListQueues

3. SecOpsGCPPossibleReconnaissanceActivity

4. SecOpsGCPPortScan

5. SecOpsGCPGCPloitExploitationFrameworkActivity

6. SecOpsAwsCloudTrailReconEvent

7. SecOpsGCPPortSweep

DATA SOURCES

• cloud.aws.cloudtrail ^{learn more}

• cloud.gcp.compute.firewall ^{learn more}

• cloud.gcp ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may create and cultivate accounts with services that can be used during targeting, and create accounts that can be used to build a persona for further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy.

For operations incorporating social engineering, the utilization of an online persona may be important, and they may be fictitious or impersonate real people. Establishing a persona may require development of additional documentation to make them seem real.

Establishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for Phishing for Information.

1. SecOpsAWSCreateloginprofile

DATA SOURCES

• cloud.aws.cloudtrail ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house.

This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.

As with legitimate development efforts, different skill sets may be required for developing capabilities, and they may be located in-house contracted out. The use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.

1. SecOpsBroSelfSignedCert

DATA SOURCES

• ids.bro.ssl ^{learn more}

Adversaries may buy, free download and/or steal capabilities that can be used during targeting, rather than developing their own capabilities in-house, in order to support their operations throughout numerous phases of the adversary lifecycle. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities.

When purchasing capabilities from third-party entities, they do so from technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.

When stealing capabilities from third-party entities (including other adversaries), they include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.

1. SecOpsFortinetCriticalAppUse

2. SecOpsFortinetHighRiskAppUse

3. SecOpsWinSysInternalsActivityDetected

DATA SOURCES

• firewall.fortinet.traffic.forward ^{learn more}

• box.all.win ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (employee names, email addresses, etc.) as well as sensitive details such as credentials.

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about users could also be enumerated via other active means such as probing and analyzing responses from authentication services that may reveal valid usernames in a system (Active Scanning).

1. SecOpsWinGatherVictimIdentitySAMInfo

2. SecOpsWinKerberosUserEnumeration

DATA SOURCES

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.

To gather this, adversaries perform direct collection actions via Active Scanning or Phishing for Information. It may also be exposed via online or other accessible data sets (Search Open Technical Databases).

Gathering this information may reveal opportunities for other forms of reconnaissance (Active Scanning or Search Open Websites/Domains), establishing operational resources (Acquire Infrastructure or Compromise Infrastructure), and/or initial access (Trusted Relationship).

1. SecOpsWermgrConnectingToIPCheckWebServices

DATA SOURCES

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (name, assigned IP, functionality, etc.) and specifics regarding its configuration (operating system, language, etc.).

To gather this, adversaries perform direct collection actions via Active Scanning or Phishing for Information. They may also compromise sites and then include malicious content designed to collect host information from visitors. Information about hosts may also be exposed via online or other accessible data sets (Social Media or Search Victim-Owned Websites).

Gathering this information may reveal opportunities for other forms of reconnaissance (Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (Develop Capabilities or Obtain Capabilities), and/or initial access (Supply Chain Compromise or External Remote Services).

1. SecOpsWinWMIReconRunningProcessOrSrvcs

2. SecOpsWinSysInfoGatheringUsingDxdiag

DATA SOURCES

• box.all.win ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.

Depending on the information they seek, this can be done in various ways, include the use of native features of network protocols such as ICMP. Information from these scans may reveal opportunities for other forms of reconnaissance (Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (Develop Capabilities or Obtain Capabilities), and/or initial access (External Remote Services or Exploit Public-Facing Application).

1. SecOpsFWIpScanExternal

2. SecOpsFWExcessFirewallDenies

3. SecOpsFWPortScanExternalSource

4. SecOpsDNSQueryToExternalSrvcInteractionDomains

5. SecOpsGCPPortScan

6. SecOpsWinAttackerToolsOnEndpoint

DATA SOURCES

• box.all.win ^{learn more}

• cloud.gcp.compute.firewall ^{learn more}

• firewall.all.traffic ^{learn more}

• network.dns ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation, bypassing restrictions on traffic routing that otherwise separate trusted and untrusted networks.

Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks by restricting traffic types. Restriction can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.

When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance.

By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want for command and control via Multi-hop Proxy or exfiltration of data via Traffic Duplication. Adversaries may also target internal devices responsible for network segmentation and abuse them in conjunction with Internal Proxy. In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.

1. SecOpsGCPPrivateCloudRouteCreation

DATA SOURCES

• cloud.gcp ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole