Mitre alert packs T1200-1299

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecured coding practices that can lead to unanticipated behavior.

Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.

1. SecOpsEDRCrowdStrikeOverwatchNotification

data sources

• edr.crowdstrike.falcon ^{learn more}

LOOKUPS

• SecOpsAlertDescription

• SecOpsAssetRole

An adversary may rely upon specific user actions in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code (opening a malicious document file or link), which will typically be observed as follow-on behavior from forms of Phishing.

While this frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as shortly after Internal Spearphishing.

Adversaries may also deceive users into performing actions such as enabling Remote Access Software, allowing direct control of the system, or downloading and executing malware (tech support scams through Phishing, vishing, or other forms of user interaction). Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers.

1. SecOpsLinuxStrangeProcessExec

data sources

• box.unix ^{learn more}

lookups

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control.

Traffic signaling typically involves sending a series of packets with certain characteristics to a system to trigger a special response, such as opening a closed port or executing a malicious task. This series of packets usually consists of attempted connections to a predefined sequence of closed ports (Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics.

Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if the appropriate values are passed.

The methods used can be the libpcap libraries to sniff for the packets in question or leverage raw sockets, which enables the malware to use ports that are already open for use by other programs.

1. SecOpsPossiblePortKnocking

data sources

• netstat.netflow.all ^{learn more}

LOOKUPS

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may register a rogue Domain Controller (DC) to enable manipulation of Active Directory data by using DCShadow. DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.

Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash.

This technique may bypass system logging and security monitors such as security information and event management (SIEM) products and may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis.

Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence.

1. SecOpsWinDcShadowDetected

data sources

• box.all.win ^{learn more}

lookups

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.

Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.

1. SecOpsCDProxyDstIp

2. SecOpsCDProxySrcIp

3. SecOpsCDIocUrlSuspiciousProxyData

4. SecOpsCDPossibleIocIpFoundInAuthData

5. SecOpsPossiblePathTrasversalInjection

6. SecOpsWebShellFileSuspicious

7. SecOpsPossibleFuzzingAttack

8. SecOpsCDIocIpSuspiciousWebData

9. SecOpsCDWebSrcIp

10. SecOpsCDFWSrcIpIsPossibleIoc

11. SecOpsUnusualUseragentLength

12. SecOpsCDIocIpSuspiciousGSuiteData

13. SecOpsCDIocIpSuspiciousO365Data

14. SecOpsCDIocIpSuspiciousAWSData

data sources

• auth.all ^{learn more}

• cloud.office365.management ^{learn more}

• web.all.access ^{learn more}

• cloud.gsuite.reports ^{learn more}

• firewall.all.traffic ^{learn more}

• domains.all ^{learn more}

• cloud.aws.cloudtrail ^{learn more}

• proxy.all.access ^{learn more}

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries.

Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.

Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation.

Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.

1. SecOpsLolbinMshta

2. SecOpsWinMsiExecInstallWeb

3. SecOpsLolbinCertocexecution

data sources

• box.all.win ^{learn more}

lookups

• SecOpsAlertDescription

• SecOpsAssetRole

An adversary may use legitimate desktop support and remote access software, such as TeamViewer, AnyDesk, Go2Assist, LogMein, or AmmyyAdmin to establish an interactive command and control channel to target systems within networks. These services may be allowed by application control within a target environment.

Remote access tools may be installed and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to an adversary controlled service or system.

1. SecOpsFWEmbargoedCountryOutboundTrafficDetected

2. SecOpsFWEmbargoedCountryInboundTrafficDetected

data sources

• firewall.all.traffic ^{learn more}

lookups

• SecOpsLocation

• SecOpsAlertDescription

• SecOpsAssetRole

• SecOpsEmbargoCountries

Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files (Extensible Stylesheet Language), which are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages.

Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to Trusted Developer Utilities Proxy Execution, the Microsoft common line transformation utility binary (msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.

1. SecOpsO365ImpossibleTravel

data sources

• cloud.office365 ^{learn more}

lookups

• SecOpsAlertDescription

• SecOpsAssetRole

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the owner, or users with permissions and they explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Modifications may include changing specific access rights, which may enable malicious activity such as modifying, replacing, or deleting specific files or directories.

Specific file and directory modifications may be a required step for many techniques to establish Persistence.

Adversaries may also change permissions of symbolic links and associated settings to enable malware to access files from local shortcuts with remote paths.

1. SecOpsLinuxFileOwnerNowRoot

2. SecOpsGCPStorageBucketPermissionsModification

data sources

• cloud.gcp ^{learn more}

• box.unix ^{learn more}

lookups

• SecOpsAlertDescription

• SecOpsAssetRole

• SecOpsLocation