
Mitre alert packs T1400-1499


T1482

Domain Trust Discovery

Purpose

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.

Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. This way, users of the trusted domain can access resources in the trusting domain.

The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.

Domain trusts can be enumerated using the DsEnumerateDomainTrusts() Win32 API call, .NET methods (for example System.DirectoryServices.ActiveDirectory.Domain.GetCurrentDomain().GetAllTrustRelationships()), and LDAP queries for trustedDomain objects. The Windows utility Nltest (for example nltest /domain_trusts) is known to be used by adversaries to enumerate domain trusts.
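To show what the enumeration above actually yields and why it feeds the follow-on techniques, here is an added example (not code from this page or from the alert pack) that decodes trustedDomain objects the way an attacker reviewing nltest or LDAP output would. The four trust entries are constructed; the bit values for trustDirection and trustAttributes follow [MS-ADTS]. Note that the direction is from the perspective of the domain holding the object: an outbound trust means this domain accepts the other domain's principals, which is the direction SID-History Injection needs. Forest-trust SID filtering is simplified (the relaxation applied by netdom /enablesidhistory is not modelled).

```python
"""Decode domain-trust enumeration output and pick out the trusts that matter
for SID-History Injection. Added example with constructed entries, not real
directory data."""

# trustDirection values ([MS-ADTS]) from the perspective of the domain that
# holds the trustedDomain object ("this domain").
TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}

# trustAttributes flags ([MS-ADTS]).
TRUST_ATTRIBUTES = {
    0x01: "NON_TRANSITIVE",
    0x02: "UPLEVEL_ONLY",
    0x04: "QUARANTINED_DOMAIN",   # SID filtering enforced on this trust
    0x08: "FOREST_TRANSITIVE",
    0x10: "CROSS_ORGANIZATION",
    0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL",
    0x80: "USES_RC4_ENCRYPTION",
}

# Constructed sample of what an LDAP search for (objectClass=trustedDomain)
# under CN=System in this domain's naming context might return.
SAMPLE_TRUSTS = [
    {"name": "child.corp.example", "trustDirection": 3, "trustAttributes": 0x20},
    {"name": "partner.example",    "trustDirection": 2, "trustAttributes": 0x01},
    {"name": "legacy.example",     "trustDirection": 2, "trustAttributes": 0x01 | 0x04},
    {"name": "vendor.example",     "trustDirection": 1, "trustAttributes": 0x01},
]


def decode_trust(entry):
    attrs = entry["trustAttributes"]
    flags = [name for bit, name in TRUST_ATTRIBUTES.items() if attrs & bit]
    if attrs & 0x20:
        # SID filtering is not applied between domains of one forest, so a
        # compromised child domain can present sIDHistory to its parent.
        sid_history_honoured = True
    elif attrs & 0x08:
        # Forest trusts filter foreign SIDs by default (simplification: the
        # netdom /enablesidhistory relaxation is not modelled here).
        sid_history_honoured = False
    else:
        # External trusts honour sIDHistory unless quarantined.
        sid_history_honoured = not (attrs & 0x04)
    return {
        "name": entry["name"],
        "direction": TRUST_DIRECTION.get(entry["trustDirection"], "unknown"),
        "flags": flags,
        "transitive": not (attrs & 0x01),
        "sid_history_honoured": sid_history_honoured,
    }


def find_sid_history_paths(entries):
    """Names of trusts over which an adversary controlling the *other* domain
    could be accepted here with forged sIDHistory. Outbound or bidirectional
    means this domain trusts the other one, i.e. its principals are
    authenticated here; an inbound-only trust is the opposite direction."""
    paths = []
    for t in map(decode_trust, entries):
        if t["direction"] in ("outbound", "bidirectional") and t["sid_history_honoured"]:
            paths.append(t["name"])
    return paths


if __name__ == "__main__":
    for t in map(decode_trust, SAMPLE_TRUSTS):
        print(t)
    print("SID-History Injection candidates:", find_sid_history_paths(SAMPLE_TRUSTS))
```

The same decoding is useful on the defensive side: a trust that comes back as outbound, external and not QUARANTINED_DOMAIN is exactly the one to fix (netdom trust /quarantine:yes) before an adversary enumerates it.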

Included alerts

  1. SecOpsWinDomainTrustActivity

Prerequisites

DATA SOURCES

LOOKUPS

T1484

Domain Policy Modification

Purpose

Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide centralized means to manage how computer resources can act and interact on a network.

Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.

These settings control many of the interactions within the Active Directory (AD) environment, so changing them opens up a great number of potential attacks: modifying GPOs to push a malicious Scheduled Task, modifying domain trusts to include an adversary-controlled domain that victim domain resources then accept, or implementing a Rogue Domain Controller.

Adversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.
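The "modify, act, revert" pattern in the paragraph above is easy to miss when each change is reviewed on its own. The following added example (not part of this page or of the alert pack) pairs a policy change with a later change on the same setting that restores the previous value inside a time window. The records are constructed and already normalised into one schema; in practice they would be mapped from AD Directory Service change auditing, Azure AD audit logs for Conditional Access, or CloudTrail for IAM policies.

```python
from datetime import datetime

# Constructed, normalised policy-change records (not real log data).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "actor": "jdoe", "target": "GPO:Default Domain Policy",
     "attr": "ScheduledTask", "old": "", "new": "update.xml"},
    {"ts": "2024-05-01T09:03:00", "actor": "jdoe", "target": "Trust:partner.example",
     "attr": "trustAttributes", "old": "0x5", "new": "0x1"},
    {"ts": "2024-05-01T09:10:00", "actor": "svc-patching", "target": "CA:Require MFA for admins",
     "attr": "state", "old": "enabled", "new": "disabled"},
    {"ts": "2024-05-01T09:25:00", "actor": "jdoe", "target": "GPO:Default Domain Policy",
     "attr": "ScheduledTask", "old": "update.xml", "new": ""},
    {"ts": "2024-05-01T09:40:00", "actor": "jdoe", "target": "Trust:partner.example",
     "attr": "trustAttributes", "old": "0x1", "new": "0x5"},
    {"ts": "2024-05-01T11:30:00", "actor": "svc-patching", "target": "CA:Require MFA for admins",
     "attr": "state", "old": "disabled", "new": "enabled"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def find_ephemeral_changes(events, window_minutes=60):
    """Pair each change with a later change on the same target/attribute that
    restores the previous value within `window_minutes`. Returns one finding
    per pair, oldest first. Each event takes part in at most one pair."""
    events = sorted(events, key=_ts)
    findings, consumed = [], set()
    for i, change in enumerate(events):
        if i in consumed:
            continue
        for j in range(i + 1, len(events)):
            if j in consumed:
                continue
            revert = events[j]
            minutes = (_ts(revert) - _ts(change)).total_seconds() / 60
            if minutes > window_minutes:
                break  # events are sorted, nothing later can be inside the window
            same_setting = (revert["target"], revert["attr"]) == (change["target"], change["attr"])
            if same_setting and revert["old"] == change["new"] and revert["new"] == change["old"]:
                consumed.update((i, j))
                findings.append({
                    "target": change["target"],
                    "attr": change["attr"],
                    "actors": sorted({change["actor"], revert["actor"]}),
                    "transient_value": change["new"],
                    "minutes_in_effect": round(minutes, 1),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_ephemeral_changes(EVENTS):
        print(f)
```

The window is the tuning knob: the Conditional Access toggle in the sample sits outside the default 60 minutes and is not paired, but a 200-minute window catches it. Whatever was done while the transient value was in effect (logons, scheduled task runs, trust authentications) is the part of the timeline to pull next.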

Included alerts

  1. SecOpsADAccountNoExpires

  2. SecOpsAzureConditionalAccessPolicyDeleted

  3. SecOpsAzureConditionalAccessPolicyUpdated

  4. SecOpsAzureConditionalAccessPolicyAdded

  5. SecOpsAWSIAMPolicyAppliedToGroup

  6. SecOpsAWSIAMPolicyAppliedToUser

  7. SecOpsAWSRootLogin

  8. SecOpsAWSPublicS3BucketExposed

  9. SecOpsAWSIAMPolicyAppliedToRole

  10. SecOpsWinRegistryModificationNewTrustedSite

Prerequisites

DATA SOURCES

LOOKUPS

T1485

Data Destruction

Purpose

This alert pack helps you detect data being deleted outside of normal procedures. When that happens the SOC can launch an investigation, quickly remove any threats remaining in the system, and restore whatever has been damaged. Destroyed data not only disrupts the business and its users but can also lead to fines under government regulations and findings in compliance audits.

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology.
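The distinction above (rm unlinks, dd overwrites) is what the Linux alerts in this pack key on. The added example below (not code from this page or from the alert pack) parses constructed auditd records and flags two things: dd invocations whose output is a block device or whose input is a wiping source such as /dev/zero or /dev/urandom, and bursts of file deletions under /etc inside a sliding window. The audit lines are constructed to follow the EXECVE and PATH record layout auditd emits for an execve rule and a watch on /etc; the thresholds are assumptions to tune per host role.

```python
import re
from collections import deque

# Constructed auditd lines (not captured from a real host).
SAMPLE_AUDIT_LOG = """\
type=EXECVE msg=audit(1714550400.101:2001): argc=4 a0="dd" a1="if=/dev/urandom" a2="of=/dev/sda" a3="bs=1M"
type=EXECVE msg=audit(1714550401.200:2002): argc=3 a0="dd" a1="if=/etc/hosts" a2="of=/tmp/hosts.bak"
type=EXECVE msg=audit(1714550402.300:2003): argc=4 a0="/usr/bin/dd" a1="if=/dev/zero" a2="of=/var/lib/pgsql/data/base/16384/2619" a3="conv=notrunc"
type=PATH msg=audit(1714550410.000:2004): item=1 name="/etc/ssh/sshd_config" inode=1301 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1714550411.000:2005): item=1 name="/etc/ssh/ssh_host_ed25519_key" inode=1302 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1714550412.000:2006): item=1 name="/etc/systemd/system/app.service" inode=1303 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1714550413.000:2007): item=1 name="/var/log/syslog.1" inode=2201 dev=08:01 mode=0100640 ouid=0 ogid=4 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1714550414.000:2008): item=1 name="/etc/pki/tls/certs/app.crt" inode=1304 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1714550415.000:2009): item=1 name="/etc/cron.d/backup" inode=1305 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1714550416.000:2010): item=0 name="/etc/cron.d/" inode=1300 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1714551200.000:2011): item=1 name="/etc/motd" inode=1306 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
"""

AUDIT_HDR = re.compile(r'^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(line):
    """Split one auditd record into type, epoch seconds, serial and key=value fields."""
    m = AUDIT_HDR.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    return {"type": rtype, "ts": int(ts), "serial": int(serial), **fields}


def dd_argv(rec):
    if rec["type"] != "EXECVE":
        return None
    argv = [rec[f"a{i}"] for i in range(int(rec["argc"])) if f"a{i}" in rec]
    return argv if argv and argv[0].rsplit("/", 1)[-1] == "dd" else None


def is_destructive_dd(rec):
    """dd writing to a block device, or writing a zero/random source over any path.
    Disk imaging (if=image.iso of=/dev/sdX) also matches; whitelist it by user/host."""
    argv = dd_argv(rec)
    if not argv:
        return False
    opts = dict(a.split("=", 1) for a in argv[1:] if "=" in a)
    src, dst = opts.get("if", ""), opts.get("of", "")
    wiping_source = src in ("/dev/zero", "/dev/urandom", "/dev/random")
    block_device = dst.startswith(("/dev/sd", "/dev/nvme", "/dev/vd", "/dev/xvd", "/dev/mapper/"))
    return block_device or (wiping_source and dst != "")


def destructive_dd_commands(records):
    return [" ".join(dd_argv(r)) for r in records if is_destructive_dd(r)]


def etc_delete_bursts(records, threshold=5, window_seconds=60):
    """Sliding window over PATH DELETE records under /etc. A burst opens when
    `threshold` deletes fall inside `window_seconds` and grows until the
    window empties below the threshold again."""
    deletes = sorted(r["ts"] for r in records
                     if r["type"] == "PATH" and r.get("nametype") == "DELETE"
                     and r.get("name", "").startswith("/etc/"))
    bursts, window, active = [], deque(), None
    for ts in deletes:
        window.append(ts)
        while window[0] < ts - window_seconds:
            window.popleft()
        if len(window) >= threshold:
            if active is None:
                active = {"start": window[0], "end": ts, "count": len(window)}
                bursts.append(active)
            else:
                active["end"], active["count"] = ts, active["count"] + 1
        else:
            active = None
    return bursts


RECORDS = [r for r in map(parse_audit, SAMPLE_AUDIT_LOG.splitlines()) if r]

if __name__ == "__main__":
    print("destructive dd:", destructive_dd_commands(RECORDS))
    print("/etc delete bursts:", etc_delete_bursts(RECORDS))
```

The PARENT record and the /var/log deletion are deliberately in the sample: only nametype=DELETE under /etc counts, so the burst is five files, not seven records. A real pipeline would join PATH records to their SYSCALL record (same serial) to get the uid and the executable that did the deleting.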

Included alerts

  1. SecOpsLinuxFileDDOverwrite

  2. SecOpsLinuxInitDaemonDeletion

  3. SecOpsLinuxDeletionofService

  4. SecOpsLinuxDeletionofSslCert

  5. SecOpsLinuxDeletionSSHKey

  6. SecOpsGCPStorageBucketDeletion

  7. SecOpsLinuxHighFileDeletesEtc

Prerequisites

DATA SOURCES

LOOKUPS

T1486

Data Encrypted for Impact

Purpose

Adversaries may encrypt data on target systems or remote drives in a network to interrupt availability to system and network resources (sometimes even critical system files, disk partitions, and the MBR). In cloud environments, storage objects within compromised accounts may also be encrypted.

Typically the adversary withholds the decryption key and demands payment in exchange for it (ransomware).

Adversaries may need to employ other behaviors first, such as File and Directory Permissions Modification or System Shutdown/Reboot, in order to gain the access needed to manipulate these files.
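For the cloud case mentioned above, "encrypting" storage objects usually means rewriting them under a KMS key the victim does not control. The added example below (not code from this page or from the alert pack) walks constructed CloudTrail records and reports any PutObject, CopyObject or PutBucketEncryption call whose KMS key lives in a different AWS account than the bucket owner. The record shapes and requestParameters field names are assumed from CloudTrail's S3 event layout and should be checked against a real trail before use; the key ARN must be a full ARN for the account comparison to work, so bare key IDs or aliases need a kms:DescribeKey lookup first.

```python
import re

# Constructed CloudTrail records (not real trail data).
BUCKET = "corp-finance-data"
OWN, FOREIGN = "111111111111", "999999999999"
OWN_KEY = f"arn:aws:kms:us-east-1:{OWN}:key/1c2d3e4f-0a1b-4c2d-8e3f-a1b2c3d4e5f6"
FOREIGN_KEY = f"arn:aws:kms:us-east-1:{FOREIGN}:key/9f8e7d6c-5b4a-4392-8170-fedcba987654"
BUCKET_RES = [{"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{BUCKET}", "accountId": OWN}]

RECORDS = [
    {   # normal write with the bucket owner's own key
        "eventName": "PutObject", "recipientAccountId": OWN, "resources": BUCKET_RES,
        "userIdentity": {"arn": f"arn:aws:iam::{OWN}:role/app-writer"},
        "requestParameters": {"bucketName": BUCKET, "key": "2024/ledger.csv",
                              "x-amz-server-side-encryption": "aws:kms",
                              "x-amz-server-side-encryption-aws-kms-key-id": OWN_KEY}},
    {   # ransomware pattern: copy-in-place, re-encrypted under a key the victim cannot use
        "eventName": "CopyObject", "recipientAccountId": OWN, "resources": BUCKET_RES,
        "userIdentity": {"arn": f"arn:aws:iam::{OWN}:user/leaked-ci-user"},
        "requestParameters": {"bucketName": BUCKET, "key": "2024/ledger.csv",
                              "x-amz-server-side-encryption": "aws:kms",
                              "x-amz-server-side-encryption-aws-kms-key-id": FOREIGN_KEY}},
    {   # default encryption switched to the foreign key: every future write is affected
        "eventName": "PutBucketEncryption", "recipientAccountId": OWN, "resources": BUCKET_RES,
        "userIdentity": {"arn": f"arn:aws:iam::{OWN}:user/leaked-ci-user"},
        "requestParameters": {"bucketName": BUCKET, "ServerSideEncryptionConfiguration": {
            "Rule": {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                           "KMSMasterKeyID": FOREIGN_KEY}}}}},
    {   # SSE-S3: no customer-managed key involved, out of scope for this check
        "eventName": "PutObject", "recipientAccountId": OWN, "resources": BUCKET_RES,
        "userIdentity": {"arn": f"arn:aws:iam::{OWN}:role/app-writer"},
        "requestParameters": {"bucketName": BUCKET, "key": "2024/notes.txt",
                              "x-amz-server-side-encryption": "AES256"}},
]

KMS_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(\d{12}):key/")


def kms_key_account(key_id):
    """Account ID embedded in a full KMS key ARN, or None for bare IDs/aliases."""
    m = KMS_ARN.match(key_id or "")
    return m.group(1) if m else None


def bucket_owner(rec):
    for res in rec.get("resources", []):
        if res.get("type") == "AWS::S3::Bucket" and res.get("accountId"):
            return res["accountId"]
    return rec.get("recipientAccountId")


def kms_key_in_request(rec):
    """The KMS key requested for SSE-KMS, for the three call types this example covers."""
    p = rec.get("requestParameters", {})
    if rec["eventName"] in ("PutObject", "CopyObject"):
        if p.get("x-amz-server-side-encryption") == "aws:kms":
            return p.get("x-amz-server-side-encryption-aws-kms-key-id")
    elif rec["eventName"] == "PutBucketEncryption":
        rule = p.get("ServerSideEncryptionConfiguration", {}).get("Rule", {})
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms":
            return default.get("KMSMasterKeyID")
    return None


def find_foreign_kms_encryption(records):
    findings = []
    for rec in records:
        key = kms_key_in_request(rec)
        key_account, owner = kms_key_account(key), bucket_owner(rec)
        if key_account and owner and key_account != owner:
            findings.append({"eventName": rec["eventName"],
                             "bucket": rec["requestParameters"].get("bucketName"),
                             "object": rec["requestParameters"].get("key"),
                             "actor": rec["userIdentity"]["arn"],
                             "key_account": key_account, "bucket_account": owner})
    return findings


if __name__ == "__main__":
    for f in find_foreign_kms_encryption(RECORDS):
        print(f)
```

Two refinements a practitioner would add: a comparison against an allow-list of partner accounts for legitimate cross-account keys, and a second rule for SSE-C (x-amz-server-side-encryption-customer-algorithm), where the key never touches KMS and there is no ARN to compare, so the presence of the header on a bucket that never used SSE-C is itself the signal.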

Included alerts

  1. SecOpsAwsS3EncryptWithKMSKey

Prerequisites

DATA SOURCES

LOOKUPS

T1489

Service Stop

Purpose

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.

Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible. In some cases, they stop or disable many or all services to render systems unusable.

Services or processes may not allow modification of their data stores while running, so adversaries stop them first in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.
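The two cases described above (one high-value service stopped, or many services stopped at once) call for two different checks over the same data. The added example below (not code from this page or from the alert pack) runs both over constructed Service Control Manager 7036 events ("The X service entered the stopped state"): a lookup of critical display names, and a per-host sliding window that counts distinct services stopped. The display-name-to-service-name table and the thresholds are assumptions to adjust for the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Display name as it appears in 7036 param1 -> service name. Assumed list; extend per estate.
CRITICAL_SERVICES = {
    "Microsoft Exchange Information Store": "MSExchangeIS",
    "SQL Server (MSSQLSERVER)": "MSSQLSERVER",
    "Security Accounts Manager": "SamSs",
    "Volume Shadow Copy": "VSS",
    "Windows Defender Antivirus Service": "WinDefend",
    "Windows Event Log": "EventLog",
}

# Constructed System-log records (not real event data): EventID 7036 with
# param1 = service display name and param2 = new state.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:00:01", "host": "exch01", "EventID": 7036, "param1": "Microsoft Exchange Information Store", "param2": "stopped"},
    {"ts": "2024-05-01T02:00:02", "host": "exch01", "EventID": 7036, "param1": "Microsoft Exchange Transport", "param2": "stopped"},
    {"ts": "2024-05-01T02:00:02", "host": "exch01", "EventID": 7036, "param1": "Volume Shadow Copy", "param2": "stopped"},
    {"ts": "2024-05-01T02:00:03", "host": "exch01", "EventID": 7036, "param1": "Windows Defender Antivirus Service", "param2": "stopped"},
    {"ts": "2024-05-01T02:00:04", "host": "exch01", "EventID": 7036, "param1": "Print Spooler", "param2": "stopped"},
    {"ts": "2024-05-01T02:00:05", "host": "exch01", "EventID": 7036, "param1": "Windows Update", "param2": "stopped"},
    {"ts": "2024-05-01T10:15:00", "host": "ws-17", "EventID": 7036, "param1": "Print Spooler", "param2": "stopped"},
    {"ts": "2024-05-01T10:15:30", "host": "ws-17", "EventID": 7036, "param1": "Print Spooler", "param2": "running"},
    {"ts": "2024-05-01T23:30:00", "host": "sql02", "EventID": 7036, "param1": "SQL Server (MSSQLSERVER)", "param2": "stopped"},
]


def service_stops(events):
    return [e for e in events if e["EventID"] == 7036 and e["param2"] == "stopped"]


def critical_service_stops(events):
    """Single-event check: any stop of a service on the critical list."""
    return [{"host": e["host"], "ts": e["ts"], "service": CRITICAL_SERVICES[e["param1"]]}
            for e in service_stops(events) if e["param1"] in CRITICAL_SERVICES]


def mass_service_stops(events, threshold=5, window_seconds=120):
    """Per host, count distinct services stopped inside a sliding window and
    report the first window that reaches `threshold` (one finding per host)."""
    by_host = defaultdict(list)
    for e in sorted(service_stops(events), key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    findings = []
    for host, stops in by_host.items():
        for i, first in enumerate(stops):
            limit = datetime.fromisoformat(first["ts"]) + timedelta(seconds=window_seconds)
            names = {s["param1"] for s in stops[i:] if datetime.fromisoformat(s["ts"]) <= limit}
            if len(names) >= threshold:
                findings.append({"host": host, "start": first["ts"], "services": sorted(names)})
                break
    return findings


if __name__ == "__main__":
    print("critical stops:", critical_service_stops(SAMPLE_EVENTS))
    print("mass stops:", mass_service_stops(SAMPLE_EVENTS))
```

The sql02 stop at 23:30 is the kind of hit that needs a maintenance-window or change-ticket suppression; the exch01 burst (Exchange, VSS and Defender stopped together within seconds) is the precursor pattern to escalate without waiting for the encryption itself.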

Included alerts

  1. SecOpsAzureNWDeviceModified

  2. SecOpsGCPPrivateCloudRouteDeletion

  3. SecOpsGCPPrivateCloudNetworkDeletion

  4. SecOpsWinSamStopped

Prerequisites

DATA SOURCES

LOOKUPS

T1490

Inhibit System Recovery

Purpose

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system. This may deny access to available backups and recovery options.

Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Disabling or deleting them may augment the effects of Data Destruction and Data Encrypted for Impact. Adversaries may also disable recovery notifications so that they can later corrupt backups unnoticed.
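Each of the three recovery features named above (backup catalog, volume shadow copies, automatic repair) has a well-known command that removes or disables it, and ransomware tends to run all of them within minutes. The added example below (not code from this page or from the alert pack) classifies process command lines into those three categories and then scores each host by how many distinct categories occur inside a window, so that a lone wmic shadowcopy delete from a helpdesk script rates lower than the full sequence. The process records are constructed in a Sysmon Event ID 1 / Security 4688 style; the patterns and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RECOVERY_PATTERNS = {
    "shadow_copy_delete": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows"
        r"|vssadmin(\.exe)?\s+resize\s+shadowstorage.*/maxsize="
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*(\.delete\(\)|remove-wmiobject|remove-ciminstance))", re.I),
    "backup_catalog_delete": re.compile(
        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "boot_recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}

# Constructed process-creation records (not real telemetry).
SAMPLE_PROCESSES = [
    {"ts": "2024-05-01T10:00:00", "host": "ws-42", "user": "CORP\\jdoe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-05-01T10:00:20", "host": "ws-42", "user": "CORP\\jdoe", "cmdline": "wbadmin delete catalog -quiet"},
    {"ts": "2024-05-01T10:00:45", "host": "ws-42", "user": "CORP\\jdoe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2024-05-01T10:00:46", "host": "ws-42", "user": "CORP\\jdoe", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ts": "2024-05-01T10:02:00", "host": "ws-42", "user": "CORP\\jdoe", "cmdline": "powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\""},
    {"ts": "2024-05-01T08:30:00", "host": "srv-01", "user": "CORP\\backupsvc", "cmdline": "vssadmin list shadows"},
    {"ts": "2024-04-30T14:00:00", "host": "ws-07", "user": "CORP\\helpdesk", "cmdline": "wmic shadowcopy delete /nointeractive"},
]


def classify(cmdline):
    """Recovery-inhibiting categories a command line matches (sorted, may be empty)."""
    return sorted(name for name, rx in RECOVERY_PATTERNS.items() if rx.search(cmdline))


def score_hosts(events, window_minutes=30):
    """Group matches per host. Two or more distinct categories inside the window
    make the host 'high'; a single category is 'medium'. Hosts with no match are omitted."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        for cat in classify(e["cmdline"]):
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), cat, e["cmdline"]))
    findings = {}
    for host, hits in by_host.items():
        best = set()
        for i, (t0, _, _) in enumerate(hits):
            cats = {cat for t, cat, _ in hits[i:] if t <= t0 + timedelta(minutes=window_minutes)}
            if len(cats) > len(best):
                best = cats
        findings[host] = {
            "severity": "high" if len(best) >= 2 else "medium",
            "categories": sorted(best),
            "commands": [c for _, _, c in hits],
        }
    return findings


if __name__ == "__main__":
    for host, f in score_hosts(SAMPLE_PROCESSES).items():
        print(host, f["severity"], f["categories"])
```

Because the classification is regex-based, renamed or copied binaries are not caught; pairing it with the Microsoft-Windows-Backup event that records the catalog deletion itself (the source behind SecOpsWinBackupCatalogDeleted) covers the case where the command line was hidden.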

Included alerts

  1. SecOpsAzureAutomationRunbookDeleted

  2. SecOpsWinBackupCatalogDeleted

Prerequisites

DATA SOURCES

LOOKUPS

T1496

Resource Hijacking

Purpose

Adversaries may leverage the resources of co-opted systems to solve resource-intensive problems, which may impact system and/or hosted service availability or cause them to become unresponsive.

Servers and cloud-based systems are common targets because of the high potential for available resources. Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.

One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency.

Included alerts

  1. SecOpsLog4ShellVulnerabilityCloudAzure

  2. SecOpsLog4ShellVulnerabilityOverCrowdStrike

  3. SecOpsLog4ShellVulnOverDomainsUnionTableConnectionsWithLookup

  4. SecOpsAzureDevOpsProjectVisibilityChanged

  5. SecOpsAzureDevOpsPublicUpstreamSourceAdded

  6. SecOpsAzureDevOpsPATMisuse

Prerequisites

DATA SOURCES
