Home/Detection rules/MITRE CAR
Analytics

MITRE CAR

102 analytics · vendor-neutral detection analytics
The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics describing how to detect adversary behaviour at the data-source level, independent of any single product. Each analytic states the behaviour it catches, maps to ATT&CK, and ships reference implementations in concrete query languages (Splunk, EQL, Pseudocode, and others) you can adapt to your own stack. Apache-2.0 from mitre-attack/car.
Using these analytics
What they are. CAR entries are detection recipes, not deployable rules - each describes the behaviour to catch and pins it to ATT&CK at the data-source level, independent of any product.
Deploy. Take the reference implementation in a language you run (Splunk, EQL, and others) and adapt it to your schema, or treat the pseudocode as the spec and write the rule for any platform yourself.
When. Reach for these when no off-the-shelf rule exists for a technique and you need to build detection up from the raw behaviour and the data sources it touches.

Analytics

25 shown of 102
CAR-2013-01-002
Autorun Differences
The Sysinternals tool [Autoruns](../sensors/autoruns) checks the registry and file system for known identify persistence mechanisms. It will output any tools identified, including built-in or added-on Microsoft functionality and third party software. Many of these locations are known by adversaries and used to obtain [Persistence](https://attack.mitre.org/tactics/TA0003). Running Autoruns periodically in an environment makes it possible to collect and monitor its output for differences, which may include the removal or addition of persistent tools. Depending on the persistence mechanism and location, legitimate software may be more likely to make changes than an adversary tool. Thus, this analytic may result in significant noise in a highly dynamic environment. While Autoruns is a convenient method to scan for programs using persistence mechanisms its scanning nature does not conform well to streaming based analytics. This analytic could be replaced with one that draws from sensors that collect registry and file information if streaming analytics are desired. Utilizes the Sysinternals autoruns tool (ignoring validated Microsoft entries). Primarily not a detection analytic by itself but through analysis of results by an analyst can be used for such. Building another analytic on top of this one identifying unusual entries would likely be a beneficial alternative.
T1037 ↗T1037.001 ↗T1053 ↗T1053.005 ↗T1112 ↗T1543 ↗T1543.003 ↗T1546 ↗T1546.001 ↗T1546.003 ↗T1546.008 ↗T1546.010 ↗T1547 ↗T1547.001 ↗T1547.004 ↗T1547.010 ↗T1574 ↗T1574.007 ↗T1574.008 ↗T1574.009 ↗T1574.010 ↗T1574.011 ↗
CAR-2013-01-003
SMB Events Monitoring
[Server Message Block](https://en.wikipedia.org/wiki/Server_Message Block) (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise. ### Output Description The source, destination, content, and time of each event.
pseudocode
flow = search Flow:Message
smb_events = filter flow where (dest_port == "445" and protocol == "smb")
smb_events.file_name = smb_events.proto_info.file_name
output smb_write
T1021 ↗T1021.002 ↗T1039 ↗
CAR-2013-02-003
Processes Spawning cmd.exe
The Windows [Command Prompt](https://en.wikipedia.org/wiki/cmd.exe) (`cmd.exe`) is a utility that provides a command line interface to Windows operating systems. It provides the ability to run additional programs and also has several built-in commands such as `dir`, `copy`, `mkdir`, and `type`, as well as batch scripts (`.bat`). Typically, when a user runs a command prompt, the parent process is `explorer.exe` or another instance of the prompt. There may be automated programs, logon scripts, or administrative tools that launch instances of the command prompt in order to run scripts or other built-in commands. Spawning the process `cmd.exe` from certain parents may be more indicative of malice. For example, if Adobe Reader or Outlook launches a command shell, this may suggest that a malicious document has been loaded and should be investigated. Thus, by looking for abnormal parent processes of `cmd.exe`, it may be possible to detect adversaries.
pseudocode
process = search Process:Create
cmd = filter process where (exe == "cmd.exe")
output cmd
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*cmd\.exe.*)i limit 100
LogPoint
norm_id=WindowsSysmon event_id=1 image="*\cmd.exe"
T1059 ↗T1059.003 ↗
CAR-2013-02-008
Simultaneous Logins on a Host
Multiple users logged into a single machine at the same time, or even within the same hour, do not typically occur in networks we have observed. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Logon types 2, 3, 9 and 10 are of interest. For more details see the Logon Types table on Microsoft's [Audit Logon Events](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc787567(v=ws.10)) page.
pseudocode
users_list = search UserSession:Login
users_grouped = group users_list by hostname
users_grouped = from users_grouped select min(time) as earliest_time, max(time) as latest_time count(user) as user_count
multiple_logins = filter users_grouped where (latest_time - earliest_time <= 1 hour and user_count > 1)
output multiple_logins
T1078 ↗T1078.002 ↗T1078.003 ↗
CAR-2013-02-012
User Logged in to Multiple Hosts
Most users use only one or two machines during the normal course of business. User accounts that log in to multiple machines, especially over a short period of time, may be compromised. Remote logins among multiple machines may be an indicator of [Lateral Movement](https://attack.mitre.org/tactics/TA0008). Certain users will likely appear as being logged into several machines and may need to be "whitelisted." Such users would include network admins or user names that are common to many hosts. ### Output Description User Name, Machines logged into, the earliest and latest times in which users were logged into the host, the type of logon, and logon ID.
T1078 ↗T1078.002 ↗T1078.003 ↗
CAR-2013-03-001
Reg.exe called from Command Shell
Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via `regedit.exe` or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility `reg.exe` provides a [command-line interface](https://en.wikipedia.org/wiki/Command-line_interface) to the registry, so that queries and modifications can be performed from a shell, such as `cmd.exe`. When a user is responsible for these actions, the parent of `cmd.exe` will likely be `explorer.exe`. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly. ### Output Description The sequence of processes that resulted in `reg.exe` being started from a shell. That is, a hierarchy that looks like - `great-grand_parent.exe` - `grand_parent.exe` - `parent.exe` - `reg.exe`
pseudocode
processes = search Process:Create
reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe")
cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"")
reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname)
output reg_and_cmd
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*reg\.exe.*)i AND $ParentProcess=regex(.*cmd\.exe.*)i as #A limit 100
>>_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*cmd\.exe.*)i NOT $ParentProcess=regex(.*explorer\.exe.*)i as #B limit 100
>>_checkif sjoin #B.$PPID = #A.$CPID str_compare #B.$SystemName eq #A.$SystemName include
T1012 ↗T1112 ↗T1547 ↗T1547.001 ↗T1574 ↗T1574.011 ↗
CAR-2013-04-002
Quick execution of a series of suspicious commands
Certain commands are frequently used by malicious actors and infrequently used by normal users. By looking for execution of these commands in short periods of time, we can not only see when a malicious user was on the system but also get an idea of what they were doing. Commands of interest: - arp.exe - at.exe - attrib.exe - cscript.exe - dsquery.exe - hostname.exe - ipconfig.exe - mimikatz.exe - nbstat.exe - net.exe - netsh.exe - nslookup.exe - ping.exe - quser.exe - qwinsta.exe - reg.exe - runas.exe - sc.exe - schtasks.exe - ssh.exe - systeminfo.exe - taskkill.exe - telnet.exe - tracert.exe - wscript.exe - xcopy.exe ### Output Description The host on which the commands were executed, the time of execution, and what commands were executed
pseudocode
processes = search Process:Create
reg_processes = filter processes where (exe == "arp.exe" or exe == "at.exe" or exe == "attrib.exe"
 or exe == "cscript.exe" or exe == "dsquery.exe" or exe == "hostname.exe"
 or exe == "ipconfig.exe" or exe == "mimikatz.exe" or exe == "nbstat.exe"
 or exe == "net.exe" or exe == "netsh.exe" or exe == "nslookup.exe"
 or exe == "ping.exe" or exe == "quser.exe" or exe == "qwinsta.exe"
 or exe == "reg.exe" or exe == "runas.exe" or exe == "sc.exe"
 or exe == "schtasks.exe" or exe == "ssh.exe" or exe == "systeminfo.exe"
 or exe == "taskkill.exe" or exe == "telnet.exe" or exe == "tracert.exe"
 or exe == "wscript.exe" or exe == "xcopy.exe")
reg_grouped = group reg by hostname, ppid where(max time between two events is 30 minutes)
output reg_grouped
Sigma
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=regex(arp\.exe|at\.exe|attrib\.exe|cscript\.exe|dsquery\.exe|hostname\.exe|ipconfig\.exe|mimikatz.exe|nbstat\.exe|net\.exe|netsh\.exe|nslookup\.exe|ping\.exe|quser\.exe|qwinsta\.exe|reg\.exe|runas\.exe|sc\.exe|schtasks\.exe|ssh\.exe|systeminfo\.exe|taskkill\.exe|telnet\.exe|tracert\.exe|wscript\.exe|xcopy\.exe)i group count_unique $App limit 100
>>_agg count
>>_checkif int_compare Count > 1 include
LogPoint
norm_id=WindowsSysmon event_id=1 image IN ["*\arp.exe", "*\at.exe", "*\attrib.exe", "*\cscript.exe", "*\dsquery.exe", "*\hostname.exe", "*\ipconfig.exe", "*\mimikatz.exe", "*\nbstat.exe", "*\net.exe", "*\netsh.exe", "*\nslookup.exe", "*\ping.exe", "*\quser.exe", "*\qwinsta.exe", "*\reg.exe", "*\runas.exe", "*\sc.exe", "*\schtasks.exe", "*\ssh.exe", "*\systeminfo.exe", "*\taskkill.exe", "*\telnet.exe", "*\tracert.exe", "*\wscript.exe", "*\xcopy.exe"]
| chart count() as cnt by host
| search cnt > 1
T1003 ↗T1003.002 ↗T1007 ↗T1010 ↗T1012 ↗T1016 ↗T1018 ↗T1021 ↗T1021.002 ↗T1029 ↗T1033 ↗T1046 ↗T1049 ↗T1053 ↗T1053.002 ↗T1053.005 ↗T1057 ↗T1059 ↗T1059.005 ↗T1069 ↗T1069.001 ↗T1069.002 ↗T1082 ↗T1087 ↗T1087.001 ↗T1087.002 ↗T1098 ↗T1112 ↗T1518 ↗T1518.001 ↗T1543 ↗T1543.003 ↗T1562 ↗T1562.001 ↗T1562.006 ↗T1569 ↗T1569.002 ↗T1574 ↗T1574.011 ↗
CAR-2013-05-002
Suspicious Run Locations
In Windows, files should never execute out of certain directory locations. Any of these locations may exist for a variety of reasons, and executables may be present in the directory but should not execute. As a result, some defenders make the mistake of ignoring these directories and assuming that a process will never run from one. There are known TTPs that have taken advantage of this fact to go undetected. This fact should inform defenders to monitor these directories more closely, knowing that they should never contain running processes. Monitors the directories - `*:\RECYCLER` - `*:\SystemVolumeInformation` - `%systemroot%\Tasks` - `%systemroot%\debug`
pseudocode
processes = search Process:Create
suspicious_locations = filter process where (
 image_path == "*:\RECYCLER\*" or
 image_path == "*:\SystemVolumeInformation\*" or
 image_path == "%windir%\Tasks\*" or
 image_path == "%systemroot%\debug\*"
)
output suspicious_locations
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.*(\:\\recycler\\|\:\\systemvolumeinformation\\|\%windir\%\\tasks\\|\%systemroot\%\\debug\\).*)i group count_unique $App limit 100
Sigma
LogPoint
norm_id=WindowsSysmon event_id=1 image IN ["*:\RECYCLER\*", "*:\SystemVolumeInformation\*", "C:\Windows\Tasks\*", "C:\Windows\System32\debug\*"]
T1036 ↗
CAR-2013-05-003
SMB Write Request
As described in [CAR-2013-01-003](../CAR-2013-01-003), SMB provides a means of remotely managing a file system. Adversaries often use SMB to move laterally to a host. SMB is commonly used to upload files. It may be used for staging in [Exfiltration](https://attack.mitre.org/tactics/TA0010) or as a [Lateral Movement](https://attack.mitre.org/tactics/TA0008) technique. Unlike SMB Reads, SMB Write requests typically require an additional level of access, resulting in less activity. Focusing on SMB Write activity narrows the field to find techniques that actively change remote hosts, instead of passively reading files.
pseudocode
flow = search Flow:Message
smb_write = filter flow where (dest_port == "445" and protocol == "smb.write")
smb_write.file_name = smb_write.proto_info.file_name
output smb_write
T1021 ↗T1021.002 ↗T1078 ↗T1078.002 ↗T1078.003 ↗T1570 ↗
CAR-2013-05-004
Execution with AT
In order to gain [persistence](https://attack.mitre.org/tactics/TA0003/), [privilege escalation](https://attack.mitre.org/tactics/TA0004/), or [remote execution](https://attack.mitre.org/tactics/TA0002/), an adversary may use the Windows built-in command AT (at.exe) to [schedule a command](https://attack.mitre.org/techniques/T1053/002) to be run at a specified time, date, and even host. This method has been used by adversaries and administrators alike. Its use may lead to detection of compromised hosts and compromised users if it is used to move laterally. The built-in Windows tool schtasks.exe ([CAR-2013-08-001](../CAR-2013-08-001)) offers greater flexibility when creating, modifying, and enumerating tasks. For these reasons, schtasks.exe is more commonly used by administrators, tools/scripts, and power users.
pseudocode
process = search Process:Create
at = filter process where (exe == "at.exe")
output at
Splunk
index=__your_sysmon_index__ Image="C:\\Windows\\*\\at.exe"|stats values(CommandLine) as "Command Lines" by ComputerName
EQL
process where subtype.create and process_name == "at.exe"
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=at.exe limit 100
T1053 ↗T1053.002 ↗
CAR-2013-05-005
SMB Copy and Execution
An adversary needs to gain access to other hosts to move throughout an environment. In many cases, this is a twofold process. First, a file is remotely written to a host via an SMB share (detected by [CAR-2013-05-003](../CAR-2013-05-003)). Then, a variety of [Execution](https://attack.mitre.org/tactics/TA0002) techniques can be used to remotely establish execution of the file or script. To detect this behavior, look for files that are written to a host over SMB and then later run directly as a process or in the command line arguments. SMB File Writes and Remote Execution may happen normally in an environment, but the combination of the two behaviors is less frequent and more likely to indicate adversarial activity. This can possibly extend to more copy protocols in order to widen its reach, or it could be tuned more finely to focus on specific program run locations (e.g. `%SYSTEMROOT%\system32`) to gain a higher detection rate.
pseudocode
process = search Process:Create
smb_write = run Analytic:CAR-2013-05-003
remote_start = join (smb_write, process) where (
 smb_write.hostname == process.hostname and
 smb_write.file_path == process.image_path
 (smb_write.time < process.time)
)
output remote_start
T1021 ↗T1021.002 ↗T1078 ↗T1078.002 ↗T1078.003 ↗T1570 ↗
CAR-2013-05-009
Running executables with same hash and different names
Executables are generally not renamed, thus a given hash of an executable should only have ever one name. Identifying instances where multiple process names share the same hash may find cases where tools are copied by attackers to different folders or hosts to [avoid detection](https://attack.mitre.org/tactics/TA0005). Although this analytic was initially based on MD5 hashes, it is equally applicable to any hashing convention. ### Output Description A list of hashes and the different executables associated with each one
splunk · Basic Query
index=__your_sysmon_index__ EventCode=1|stats dc(Hashes) as Num_Hashes values(Hashes) as "Hashes" by Image|where Num_Hashes > 1
Sigma · Sigma/Sysmon
Sigma · Sigma (renamed powershell)
Sigma · Sigma (renamed paexec)
T1036 ↗T1036.003 ↗
CAR-2013-07-001
Suspicious Arguments
Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better [blend in](https://attack.mitre.org/tactics/TA0005) with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters. Any tool of interest with commonly known command line usage can be detecting by command line analysis. Known substrings of command lines include - PuTTY - port forwarding `-R * -pw` - secure copy (scp) `-pw * * *@*` - mimikatz `sekurlsa::` - RAR `* -hp *` - Archive`* a *` Additionally, it may be useful to find IP addresses in the command line - `\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}` Logically this analytic makes use of [CAR-2014-03-005](../CAR-2014-03-005).
pseudocode
process = search Process:Create
port_fwd = filter process where (command_line match "-R .* -pw")
scp = filter process where (command_line match "-pw .* .* .*@.*"
mimikatz = filter process where (command_line match "sekurlsa")
rar = filter process where (command_line match " -hp ")
archive = filter process where (command_line match ".* a .*")
ip_addr = filter process where (command_line match \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

output port_fwd, scp, mimikatz, rar, archive, ip_addr
splunk
index=__your_sysmon_index__ EventCode=1 (CommandLine="* -R * -pw*" OR CommandLine="* -pw * *@*" OR CommandLine="*sekurlsa*" OR CommandLine="* -hp *" OR CommandLine="* a *")
EQL
process where subtype.create and
  (command_line == "* -R * -pw*" or command_line == "* -pw * *@*" or command_line == "*sekurlsa*" or command_line == "* -hp *" or command_line == "* a *")
splunk
index=__your_sysmon_index__ EventCode=1 |regex CommandLine=".*\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}\b.*"
T1003 ↗T1003.001 ↗T1021 ↗T1105 ↗
CAR-2013-07-002
RDP Connection Detection
The [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary's perspective, RDP provides a means to [laterally move](https://attack.mitre.org/tactics/TA0008) to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise. Remote Desktop can be detected in several ways - Network connections to port 3389/tcp (assuming use of the default port) - Packet capture analysis - Windows security logs (Event ID 4624, 4634, 4647, 4778) - Detecting network connections from `mstsc.exe` - Execution of the process `rdpclip.exe` - Runs as the clipboard manager on the RDP target if clipboard sharing is enabled ### Output Description The time of the Connection, the source, the destination, and the user name used
pseudocode
flow_start = search Flow:Start
flow_end = search Flow:End
rdp_start = filter flow_start where (port == "3389")
rdp_end = filter flow_start where (port == "3389")
rdp = group flow_start, flow_end by src_ip, src_port, dest_ip, dest_port
output rdp
Sigma · Sigma (Localhost Login)
T1021 ↗T1021.001 ↗
CAR-2013-07-005
Command Line Usage of Archiving Software
Before [exfiltrating data](https://attack.mitre.org/tactics/TA0010) that an adversary has [collected](https://attack.mitre.org/tactics/TA0009), it is very likely that a [compressed archive](https://attack.mitre.org/techniques/T1560) will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored. In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of "`\* a \*`". This is helpful, as adversaries may change program names.
pseudocode
processes = search Process:Create
rar_argument = filter processes where (command_line == "* a *")
output rar_argument
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $Process=regex(.* a .*)i limit 100
LogPoint
norm_id=WindowsSysmon event_id=1 command="* a *"
T1560 ↗T1560.001 ↗
CAR-2013-08-001
Execution with schtasks
The Windows built-in tool `schtasks.exe` provides the creation, modification, and running of [scheduled tasks](https://attack.mitre.org/techniques/T1053) on a local or remote computer. It is provided as a more flexible alternative to `at.exe`, described in [CAR-2013-05-004](../CAR-2013-05-004). Although used by adversaries, the tool is also legitimately used by administrators, scripts, and software configurations. The scheduled tasks tool can be used to gain [Persistence](https://attack.mitre.org/tactics/TA0003) and can be used in combination with a [Lateral Movement](https://attack.mitre.org/tactics/TA0008) technique to remotely gain [execution](https://attack.mitre.org/tactics/TA0002). Additionally, the command has parameters to specify the user and password responsible for creating the task, as well as the user and password combination that the task will run as. The `/s` flag specifies the remote system on which the task should be scheduled, usually indicating [Lateral Movement](https://attack.mitre.org/tactics/TA0008).
pseudocode
process = search Process:Create
schtasks = filter process where (exe == "schtasks.exe")
output schtasks
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=schtasks.exe AND $Process=regex(.*(\/create|\/run|\/query|\/delete|\/change|\/end).*)i limit 100
LogPoint
norm_id=WindowsSysmon event_id=1 image="*\schtasks.exe" command IN ["*/create*", "*/run*", "*/query*", "*/delete*", "*/change*", "*/end*"]
T1053 ↗T1053.005 ↗
CAR-2013-09-003
SMB Session Setups
Account usage within SMB can be used to identify compromised credentials, and the hosts accessed with them. This analytic monitors SMB activity that deals with user activity rather than file activity.
pseudocode
flow = search Flow:Message
smb_setup = filter flow where (dest_port == 445 and protocol == smb.setup)
smb_setup.user = smb_write.proto_info.user_name
smb_setup.target_host = smb_write.proto_info.hostname
output smb_write
T1187 ↗
CAR-2013-09-005
Service Outlier Executables
New executables that are started as a service are suspicious. This analytic looks for anomalous service executables.
pseudocode
processes = search Process:Create
services = filter processes where (parent_image_path == "C:\Windows\System32\services.exe")
historic_services = filter services (where timestamp < now - 1 day AND timestamp > now - 1 day)
current_services = filter services (where timestamp >= now - 1 day)
new_services = historic_services - current_services
output new_services
Sigma · Sigma (Windows Event Log)
LogPoint
norm_id=WinServer event_id=7045
| chart count() as cnt by file
| search cnt < 5
T1543 ↗T1543.003 ↗
CAR-2013-10-001
User Login Activity Monitoring
Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere. Could be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. ### Output Description The time of login events for distinct users on individual systems
Pseudocode · Account Logon with Filtering
logon_events = search User_Session:Login
filtered_logons = filter logon_events where (
  user NOT IN TOP30(user))
output filtered_logons
Splunk · Account Logon with Filtering
index=__your_win_event_log_index__ EventCode=4624|search NOT [search index=__your_win_event_log_index__ EventCode=4624|top 30 Account_Name|table Account_Name]
DNIF · Account Logon with Filtering
_fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $SubSystem=AUTHENTICATION AND $Action=LOGIN group count_unique $ScopeID, $User limit 30
>>_store in_disk david_test win_top_30 stack_replace
>>_fetch * from event where $LogName=WINDOWS-NXLOG-AUDIT AND $SubSystem=AUTHENTICATION AND $Action=LOGIN limit 10000
>>_checkif lookup david_test win_top_30 join $ScopeID = $ScopeID str_compare $User eq $User exclude
T1021 ↗T1021.001 ↗T1078 ↗T1078.002 ↗T1078.003 ↗
CAR-2013-10-002
DLL Injection via Load Library
Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx). Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process [csrss.exe](https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem) creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to [inject DLLs](https://attack.mitre.org/techniques/T1055), but for very different purposes. An adversary is likely to inject into a program to [evade defenses](https://attack.mitre.org/tactics/TA0005) or [bypass User Account Control](https://attack.mitre.org/techniques/T1548/002), but a security program might do this to gain increased monitoring of API calls. One of the most common methods of [DLL Injection](https://attack.mitre.org/techniques/T1055) is through the Windows API [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx). - Allocate memory in the target program with [VirtualAllocEx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366890.aspx) - Write the name of the DLL to inject into this program with [WriteProcessMemory](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674.aspx) - Create a new thread and set its entry point to [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175.aspx) using the API [CreateRemoteThread](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682437.aspx). This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is `LoadLibraryA` or `LoadLibraryW`, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process.
pseudocode
remote_thread = search Thread:RemoteCreate
remote_thread = filter (start_function == "LoadLibraryA" or start_function == "LoadLibraryW")
remote_thread = filter (src_image_path != "C:\Path\To\TrustedProgram.exe")

output remote_thread
LogPoint
norm_id=WindowsSysmon event_id=8 start_function IN ["LoadLibraryA", "LoadLibraryW"] -source_image="C:\Path\To\TrustedProgram.exe"
T1055 ↗T1055.001 ↗T1548 ↗T1548.002 ↗
CAR-2014-02-001
Service Binary Modifications
Adversaries may modify the binary file for an existing service to achieve [Persistence](https://attack.mitre.org/tactics/TA0003) while potentially [evading defenses](https://attack.mitre.org/tactics/TA0005). If a newly created or modified runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. A well-tuned baseline is essential to differentiating between benign and malicious service modifications. ### Output Description The Service Name and approximate time in which changes occurred on each host
pseudocode
legitimate_installers = ["C:\windows\system32\msiexec.exe", "C:\windows\syswow64\msiexec.exe", ...]

file_change = search File:Create,Modify
process = search Process:Create
service_process = filter processes where (parent_exe == "services.exe")
modified_service = join (search, filter) where (
 file_change.time < service_process.time and
 file_change.file_path == service_process.image_path
)

modified_service = filter modified_service where (modified_service.file_change.image_path not in legitimate_installers)
output modified_service
T1543 ↗T1543.003 ↗T1569 ↗T1569.002 ↗T1574 ↗T1574.010 ↗
CAR-2014-03-001
SMB Write Request - NamedPipes
An SMB write can be an indicator of lateral movement, especially when combined with other information such as execution of that written file. Named pipes are a subset of SMB write requests. Named pipes such as msftewds may not be alarming; however others, such as lsarpc, may. Monitoring SMB write requests still creates some noise, particulary with named pipes. As a result, SMB is now split between writing named pipes and writing other files.
pseudocode
flow = search Flow:Message
smb_write = filter flow where (dest_port == "445" and protocol == "smb.write_pipe")
smb_write.pipe_name = smb_write.proto_info.pipe_name
output smb_write
T1570 ↗
CAR-2014-03-005
Remotely Launched Executables via Services
There are several ways to cause code to [execute](https://attack.mitre.org/tactics/TA0002) on a remote host. One of the most common methods is via the Windows [Service Control Manager](https://en.wikipedia.org/wiki/Service_Control_Manager) (SCM), which allows authorized users to remotely create and modify services. Several tools, such as [PsExec](https://attack.mitre.org/software/S0029), use this functionality. When a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the [RPC Endpoint Mapper](../CAR-2014-05-001) over 135/tcp. This handles authentication, and tells the client what port the endpoint—in this case the SCM—is listening on. Then, the client connects directly to the listening port on `services.exe`. If the request is to start an existing service with a known command line, the the SCM process will run the corresponding command. This compound behavior can be detected by looking for `services.exe` receiving a network connection and immediately spawning a child process.
pseudocode
process = search Process:Create
flow = search Flow:Start
service = filter process where (parent_exe == "services.exe")
remote_start = join (flow, service ) where (
 flow.hostname == service.hostname and
 flow.pid == service.pid and
 (flow.time < service.time < flow.time + 1 second)
)
output remote_start
T1543 ↗T1543.003 ↗T1569 ↗T1569.002 ↗
CAR-2014-03-006
RunDLL32.exe monitoring
Adversaries may find it necessary to use [Dyanamic-link Libraries](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682589.aspx) (DLLs) to [evade defenses](https://attack.mitre.org/tactics/TA0005). One way these DLLs can be "executed" is through the use of the built-in Windows utility [RunDLL32](https://attack.mitre.org/techniques/T1218.011), which allows a user to execute code in a DLL, providing the name and optional arguments to an exported entry point. Windows uses RunDll32 legitimately in its normal operation, but with a proper baseline and understanding of the environment, monitoring its usage could be fruitful.
pseudocode
process = search Process:Create
rundll32 = filter process where (exe == "rundll32.exe")
output rundll32
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=rundll32.exe limit 100
LogPoint
norm_id=WindowsSysmon event_id=1 image="*\rundll32.exe"
T1218 ↗T1218.011 ↗
CAR-2014-04-003
Powershell Execution
[PowerShell](https://attack.mitre.org/techniques/T1059/001/) is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts. Powershell can be used to hide monitored command line execution such as: - `net use` - `sc start`
pseudocode
process = search Process:Create
powershell = filter process where (exe == "powershell.exe" AND parent_exe != "explorer.exe" )
output powershell
Splunk
index=__your_sysmon_index__ EventCode=1 Image="C:\\Windows\\*\\powershell.exe" ParentImage!="C:\\Windows\\explorer.exe"|stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName
EQL
process where subtype.create and
  (process_name == "powershell.exe" and parent_process_name != "explorer.exe")
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=powershell.exe NOT $ParentProcess=regex(.*explorer.exe.*)i limit 30
T1059 ↗T1059.001 ↗
Showing 1-25 of 102
Prev 1 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Detection coverage workspace
Saved stacks
SIEM query builder
Detection rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Ransomware groups
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Detection coverage Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh