Campaigns
Banshee Malware Campaign: Unmasking the Silent Threat to macOS

Banshee Malware Campaign: Unmasking the Silent Threat to macOS

Banshee MalwaremacOS SecurityMalware-as-a-Service (MaaS)Cyber HygieneLumma Stealer
The Banshee malware campaign specifically targets macOS users, employing advanced evasion tactics by leveraging Apple's XProtect antivirus code to avoid detection. Initially distributed via a "malware-as-a-service" model, it has since evolved, expanding its target list and exploiting phishing sites and fake repositories.

Indicators of Compromise

data.country
oxygen.solutions
contemteny.site
dilemmadu.site
servicedny.site
goalyfeastz.site
seallysl.site
fotor.software
forbidstow.site
faulteyotk.site
api7.cfd
coincapy.com
alden.io
authorisev.site
opposezmny.site
westar.io

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION
T1113 - Screen Capture


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.

DS0009

Process

OS API Execution

Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as CopyFromScreen, xwd, or screencapture.[1][2]. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.


T1033 - System Owner/User Discovery


ID

Data Source

Data Component

Detects

DS0026

Active Directory

Active Directory Object Access

Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. [236] [237] [238] Note: Domain controllers may not log replication requests originating from the default domain controller account. [239]. Monitor for replication requests [240] from IPs not associated with known domain controllers. [241]

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Look for command-lines that invoke AuditD or the Security Accounts Manager (SAM). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, [242] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on abuse of CMSTP.

DS0022

File

File Access

Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM). Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well.

DS0029

Network Traffic

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols.



Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

DS0009

Process

OS API Execution

Monitor for API calls that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.



Process Access

Monitor for unexpected processes interacting with lsass.exe.[243] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.

Linux

To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/<pid>/maps, where the <pid> directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.



Process Creation

Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for any instances of at being created, therefore implying the querying or creation of tasks. If this tools is commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning.

Analytic 1 - Suspicious Process Execution

(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND Image="*at.exe"

DS0024

Windows Registry

Windows Registry Key Access

Monitor for the SAM registry key being accessed that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.


T1056.001 - Keylogging


ID

Data Source

Data Component

Detects

DS0027

Driver

Driver Load

Monitor for unusual kernel driver installation activity

DS0009

Process

OS API Execution

Monitor for API calls to the SetWindowsHook, GetKeyState, and GetAsyncKeyState.[2] and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.

DS0024

Windows Registry

Windows Registry Key Modification

Monitor for changes made to windows registry keys or values for unexpected modifications


T1204.002 - Malicious File


ID

Data Source

Data Component

Detects

DS0022

File

File Creation

Monitor for files created in unusual directories or files with suspicious extensions. Focus on common locations like the Downloads folder, Temp directories, or the user’s Desktop, especially files that would be of interest from spearphishing attachments.

While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. There will be only occasional false positives due to administrator actions.

For MacOS, utilities that work in concert with Apple’s Endpoint Security Framework such as File Monitor can be used to track file creation events.

Analytic 1 - Batch File Write to System32

(sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="11") file_path="system32" AND file_extension=".bat"

Analytic 2 - New file creation in unusual directories.

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11| search file_path IN ("/Downloads/", "/Temp/", "/Desktop/")| stats count by file_name file_extension file_path user| where file_extension IN ("doc", "docx", "pdf", "xls", "rtf", "exe", "scr", "lnk", "pif", "cpl", "zip")

DS0009

Process

Process Creation

Monitor for processes spawned after opening a suspicious file. Common applications that might be exploited are Microsoft Word, PDF readers, or compression utilities.

Analytic 1 - Processes created from malicious files.

(sourcetype=WinEventLog:Security EventCode=4688) OR (sourcetype=Sysmon EventCode=1)| search process_name IN ("WINWORD.EXE", "EXCEL.EXE", "PDFReader.exe", "7z.exe", "powershell.exe", "cmd.exe")| stats count by process_name parent_process_name command_line user| where parent_process_name IN ("explorer.exe", "outlook.exe", "thunderbird.exe")


T1119 - Automated Collection


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for actions that could be taken to collect internal data.

DS0022

File

File Access

Monitor for unexpected files (e.g., .pdf, .docx, .jpg, etc.) viewed for collecting internal data.

DS0012

Script

Script Execution

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

DS0002

User Account

User Account Authentication

Monitor Azure AD (Entra ID) Sign In logs for suspicious Applications authenticating to the Graph API or other sensitive Resources using User Agents attributed to scripting interpreters such as python or Powershell.

Analytic 1 - Suspicious applications, unusual user agents (e.g., python, PowerShell), anomalous IP addresses, and unmanaged devices

index="azure_ad_signin_logs" Operation="UserLogin"| search UserAgent="python" OR UserAgent="PowerShell"| stats count by ClientIP, UserId, DeviceProperties| where ClientIP!="expected_ip" OR DeviceProperties!="expected_properties"


T1115 - Clipboard Data


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments to collect data stored in the clipboard from users copying information within or between applications.

DS0009

Process

OS API Execution

Monitor API calls that could collect data stored in the clipboard from users copying information within or between applications.


T1082 - System Information Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009

Process

OS API Execution

Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.



Process Creation

Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.


T1053 - Scheduled Task/Job


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for task scheduling commands being executed with unusual parameters.

index=security (sourcetype="WinEventLog:Security" OR sourcetype="linux_secure" OR sourcetype="macos_secure" OR sourcetype="container_logs")| eval CommandLine = coalesce(CommandLine, process)| where (sourcetype="WinEventLog:Security" AND EventCode IN (4697, 4702, 4698)) OR (sourcetype="linux_secure" AND CommandLine LIKE "%cron%" OR CommandLine LIKE "%at%") OR (sourcetype="macos_secure" AND CommandLine LIKE "%launchctl%" OR CommandLine LIKE "%cron%") OR (sourcetype="container_logs" AND (CommandLine LIKE "%cron%" OR CommandLine LIKE "%at%"))| where (sourcetype="WinEventLog:Security" AND (CommandLine LIKE "%/create%" OR CommandLine LIKE "%/delete%" OR CommandLine LIKE "%/change%")) OR (sourcetype="linux_secure" AND (CommandLine LIKE "%-f%" OR CommandLine LIKE "%-m%" OR CommandLine LIKE "%--env%")) OR (sourcetype="macos_secure" AND (CommandLine LIKE "%/Library/LaunchDaemons%" OR CommandLine LIKE "%/Library/LaunchAgents%" OR CommandLine LIKE "%/System/Library/LaunchDaemons%" OR CommandLine LIKE "%/System/Library/LaunchAgents%")) OR (sourcetype="container_logs" AND (CommandLine LIKE "%-f%" OR CommandLine LIKE "%--schedule%" OR CommandLine LIKE "%--env%"))

DS0032

Container

Container Creation

Monitor for newly constructed containers that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for new container creation events with unusual parameters.

index=container_logs sourcetype="docker_events" OR sourcetype="kubernetes_events"| eval event_action=coalesce(action, status)| where (event_action="create" OR event_action="start")| search event_type="container"| search (parameters="--privileged" OR parameters="--cap-add=" OR parameters="--volume=" OR parameters="--network=host" OR parameters="--device")

DS0022

File

File Creation

Monitor newly constructed files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for new task files with unusual parameters.

index=security_logs OR index=system_logs(sourcetype="docker_events" OR sourcetype="kubernetes_events" OR sourcetype="wineventlog:security" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="file_monitoring")| eval platform=case( sourcetype=="docker_events" OR sourcetype=="kubernetes_events", "Containers", sourcetype=="wineventlog:security", "Windows", sourcetype=="linux_secure" OR sourcetype=="syslog", "Linux", sourcetype=="mac_os_events", "macOS")| search ( (platform="Containers" AND (event_type="file_create" AND (file_path="/etc/cron.d/" OR file_path="/etc/systemd/system/"))) OR (platform="Windows" AND EventCode=4663 AND (ObjectName="C:\Windows\System32\Tasks\" OR ObjectName="C:\Windows\Tasks\")) OR (platform="Linux" AND (file_path="/etc/cron.d/" OR file_path="/etc/systemd/system/")) OR (platform="macOS" AND (file_path="/Library/LaunchDaemons/" OR file_path="/Library/LaunchAgents/")))



File Modification

Monitor for changes made to files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for task file modifications with unusual parameters.

index=security_logs OR index=system_logs(sourcetype="docker_events" OR sourcetype="kubernetes_events" OR sourcetype="wineventlog:security" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="file_monitoring")| eval platform=case( sourcetype=="docker_events" OR sourcetype=="kubernetes_events", "Containers", sourcetype=="wineventlog:security", "Windows", sourcetype=="linux_secure" OR sourcetype=="syslog", "Linux", sourcetype=="mac_os_events", "macOS")| search ( (platform="Containers" AND (event_type="file_modify" AND (file_path="/etc/cron.d/" OR file_path="/etc/systemd/system/" OR file_path="/etc/crontab"))) OR (platform="Windows" AND EventCode=4663 AND (ObjectName="C:\Windows\System32\Tasks\" OR ObjectName="C:\Windows\Tasks\")) OR (platform="Linux" AND (file_path="/etc/cron.d/" OR file_path="/etc/systemd/system/" OR file_path="/etc/crontab")) OR (platform="macOS" AND (file_path="/Library/LaunchDaemons/" OR file_path="/Library/LaunchAgents/")))

DS0009

Process

Process Creation

Monitor for newly executed processes that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Note: Below is the relevant Events and SourcesWindows:

  • Sysmon Event ID 1: Process creation, particularly for schtasks.exe, at.exe, Taskeng.exe, crontab, etc.

  • Windows Event Log EventCode 4688: Process creation that might involve task scheduling.

  • Windows Task Scheduler Logs: Task creation, modification, or deletion.

Linux/macOS:

  • Auditd logs: Monitoring for cron job creation or modifications.

  • Syslog: Logs related to cron jobs or scheduled tasks.

  • File integrity monitoring (FIM): For changes to /etc/cron, /var/spool/cron/, or user-specific cron jobs.

Containers:- Container logs: Detection of scheduled tasks or cron jobs within container environments.

Analytic 1 - Look for task execution with unusual parameters.

(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security" OR sourcetype="linux_auditd" OR sourcetype="syslog") | where Image IN ("schtasks.exe", "at.exe", "Taskeng.exe", "cron", "crontab", "systemd-timers")

DS0003

Scheduled Job

Scheduled Job Creation

Monitor newly constructed scheduled jobs that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

On Windows systems, security event ID 4698 (A scheduled task was created) provides information on newly created scheduled tasks. It includes the TaskContent field, which contains an XML blob that captures key information on the scheduled task including the command to be executed.

Analytic 1 - Scheduled Task Execution

source="*WinEventLog:Security" EventCode="4698" | where NOT (TaskName IN ("\Microsoft\Windows\UpdateOrchestrator\Reboot", "\Microsoft\Windows\Defrag\ScheduledDefrag"))| search TaskContent="powershell.exe" OR TaskContent="cmd.exe"


T1059.002 - AppleScript



ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

Analytic 1 - Look for unusual execution of AppleScript.

sourcetype=macOS:Process| search process_name="osascript"| eval suspicious_cmd=if(like(command_line, "%-e%") OR like(command_line, "%path/to/script%"), "Yes", "No")| where suspicious_cmd="Yes"

DS0009

Process

OS API Execution

Monitor for execution of AppleScript through osascript and usage of the NSAppleScript and OSAScript APIs that may be related to other suspicious behavior occurring on the system.

Analytic 1 - Look for unusual OS API execution related to AppleScript.

sourcetype=macOS:Syslog OR sourcetype=macOS:Process| search (process_name="NSAppleScript" OR process_name="OSAScript")



Process Creation

Monitor for newly executed processes that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

Analytic 1 - Look for unusual AppleScript process creation.

sourcetype=macOS:Process| search (parent_process_name="osascript" OR parent_process_name="NSAppleScript" OR parent_process_name="OSAScript")

Analytic 2 - Untrusted Locations

source="Osquery:" EventCode="process_added" AND Path LIKE "/Users//Downloads/" OR Path LIKE "/tmp/*"

Analytic 3 - Parent/Child Process Relationship

source="Osquery:" EventCode="process_added" AND ParentImage= "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder" AND Image LIKE "osascript"


T1005 - Data from Local System


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0022

File

File Access

Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (pdf, .docx, .jpg, etc.) or local databases.

DS0009

Process

OS API Execution

Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.



Process Creation

Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

DS0012

Script

Script Execution

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.


T1555 - Credentials from Password Stores


ID

Data Source

Data Component

Detects

DS0025

Cloud Service

Cloud Service Enumeration

Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from cloud secrets managers, such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure. Alert on any suspicious usages of these commands, such as an account or service generating an unusually high number of secret requests.

Analytic 1 - High volume of secret requests from unusual accounts or services.

index=security sourcetype IN ("aws:cloudtrail", "azure:activity", "gcp:activity")(eventName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys") ORoperationName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys") ORprotoPayload.methodName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys"))

DS0017

Command

Command Execution

Monitor executed commands and arguments that may search for common password storage locations to obtain user credentials.

Analytic 1 - Commands indicating credential searches.

(index=os sourcetype IN ("Powershell", "linux_secure", "macos_secure") CommandLine IN ("findstr /si password", "findstr /si pass", "grep -r password", "grep -r pass", "grep -r secret", "security find-generic-password", "security find-internet-password", "security dump-keychain", "gsettings get org.gnome.crypto.cache", "cat /etc/shadow", "strings /etc/shadow", "ls -al ~/.ssh/known_hosts", "ssh-add -L"))

DS0022

File

File Access

Monitor for files being accessed that may search for common password storage locations to obtain user credentials.

Analytic 1 - Unauthorized access to files containing credentials.

index=security sourcetype IN ("WinEventLog:Security", "WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")((sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("passwords", "creds", "credentials", "secrets")) OR (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetObject IN ("passwords", "creds", "credentials", "secrets")) OR (sourcetype="linux_secure" action="open" filepath IN ("/etc/shadow", "/etc/passwd", "/.aws/credentials", "/.ssh/id_rsa")) OR (sourcetype="macos_secure" event_type="open" file_path IN ("/Library/Keychains/", "/Users//Library/Keychains/", "/Users//.ssh/id_rsa")))

DS0009

Process

OS API Execution

Monitor for API calls that may search for common password storage locations to obtain user credentials.



Process Access

Monitor for processes being accessed that may search for common password storage locations to obtain user credentials.

Analytic 1 - Unauthorized process access indicating credential searches.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")(EventCode=10 TargetImage IN ("lsass.exe", "securityd", "ssh-agent", "gpg-agent") OR EventCode=11 TargetObject IN ("password", "creds", "credentials", "secrets", "keychain", ".kdbx", ".pfx", ".pem", ".p12", ".key") OR EventCode=1 CommandLine IN ("mimikatz", "procdump", "gcore", "dbxutil", "security find-generic-password", "security find-internet-password", "security dump-keychain", "gsettings get org.gnome.crypto.cache"))



Process Creation

Monitor newly executed processes that may search for common password storage locations to obtain user credentials.

Analytic 1 - New processes with parameters indicating credential searches.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")(EventCode=1 CommandLine IN ("mimikatz", "procdump", "gcore", "dbxutil", "security find-generic-password", "security find-internet-password", "security dump-keychain", "gsettings get org.gnome.crypto.cache", "cat /etc/shadow", "strings /etc/shadow", "ls -al ~/.ssh/known_hosts", "ssh-add -L"))



T1016 - System Network Configuration Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009

Process

OS API Execution

Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses.



Process Creation

Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses.

Note: The Analytic looks for the creation of ipconfig, route, and nbtstat processes, all of which are system administration utilities that can be used for the purpose of system network configuration discovery. If these tools are commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning.

Analytic 1 - Suspicious Process

(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND (Image="C:\Windows\System32\ipconfig.exe" OR Image="C:\Windows\System32\route.exe" OR Image="C:\Windows\System32\nbtstat.exe")

DS0012

Script

Script Execution

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.


T1087 - Account Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor logs and other sources of command execution history for actions that could be taken to gather information about accounts, including the use of calls to cloud APIs that perform account discovery.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

DS0022

File

File Access

Monitor access to file resources that contain local accounts and groups information such as /etc/passwd, /Users directories, and the SAM database.

If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.

DS0009

Process

Process Creation

Monitor for processes that can be used to enumerate user accounts and groups such as net.exe and net1.exe, especially when executed in quick succession.[10] Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.


T1083 - File and Directory Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009

Process

OS API Execution

Monitor for API calls that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.



Process Creation

Monitor newly executed processes that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.


T1057 - Process Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for actions that may attempt to get information about running processes on a system.

DS0009

Process

OS API Execution

Monitor for API calls may attempt to get information about running processes on a system.



Process Creation

Monitor for newly executed processes that may attempt to get information about running processes on a system. To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment.

Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically.Within the built-in Windows Commands:

  • hostname

  • ipconfig

  • net

  • quser

  • qwinsta

  • sc with flags query, queryex, qc

  • systeminfo

  • tasklist

  • dsquery

  • whoamiNote: To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment.

Analytic 1 - Host Discovery Commands

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image="C:\Windows\\hostname.exe" OR Image="C:\Windows\\ipconfig.exe" OR Image="C:\Windows\\net.exe" OR Image="C:\Windows\\quser.exe" OR Image="C:\Windows\\qwinsta.exe" OR (Image="C:\Windows\\sc.exe" AND (CommandLine=" query " OR CommandLine=" qc ")) OR Image="C:\Windows\\systeminfo.exe" OR Image="C:\Windows\\tasklist.exe" OR Image="C:\Windows\*\whoami.exe")|stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName


T1547.001 - Registry Run Keys / Startup Folder


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.

DS0022

File

File Modification

Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including the startup folders. [302]

DS0009

Process

Process Creation

Monitor for newly executed processes executed from the Run/RunOnce registry keys through Windows EID 9707 or "Software\Microsoft\Windows\CurrentVersion\Run" and "Software\Microsoft\Windows\CurrentVersion\RunOnce" registry keys with the full command line.

Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via regedit.exe or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly.

Output DescriptionThe sequence of processes that resulted in reg.exe being started from a shell. That is, a hierarchy that looks like• great-grand_parent.exe• grand_parent.exe• parent.exe• reg.exe

Analytic 1 - Reg.exe called from Command Shell

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="reg.exe" AND ParentImage="cmd.exe"| join left=L right=R where L.ParentProcessGuid = R.ProcessGuid [search EventCode IN (1, 4688) Image="cmd.exe" ParentImage!="explorer.exe"]

DS0024

Windows Registry

Windows Registry Key Creation

Monitor for newly created windows registry keys that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.



Windows Registry Key Modification

Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations. [302]

Detection of the modification of the registry key Common Startup located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys.

Analytic 1 - Modification of Default Startup Folder in the Registry Key ‘Common Startup’

(source="WinEventLog:Security" EventCode="4657" ObjectValueName="Common Startup") OR (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" TargetObject="*Common Startup")


T1059.004 - Unix Shell


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may abuse Unix shell commands and scripts for execution. Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Note: this analytic does not include an exhaustive list of potentially suspicious commands that could be executed through a shell interpreter. Instead, it is meant to serve as an example of types of commands that can warrant further investigation.

Analytic 1 - Unusual command execution

sourcetype="linux_logs" CommandLine="sh -c" AND (CommandLine="wget" OR CommandLine="curl" OR CommandLine="nc" OR CommandLine="perl")

DS0009

Process

Process Creation

Monitor for newly executed processes that may abuse Unix shell commands and scripts for execution.

Analytic 1 - Look for unusual Unix shell process creation.

sourcetype=linux_secure OR sourcetype=macos_secure| search (command="sh" OR command="bash" OR command="zsh")| eval suspicious_process=if(like(command_line, "%.sh" OR "%.bash" OR "%.zsh"), "Yes", "No")| where suspicious_process="Yes"


T1012 - Query Registry


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for actions that may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Note: For PowerShell Module logging event id 4103, enable logging for module Microsoft.PowerShell.Management. The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such a registry key (PSProvider "Registry"). The the Get-ChildItem gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations.

Analytic 1 - Suspicious Commands

(sourcetype="WinEventLog:Microsoft-Windows-Powershell/Operational" EventCode="4103") | WHERE CommandLine LIKE "%New-PSDrive%" AND (CommandLine LIKE "%Registry%" OR CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine LIKE "%HKCR%")

DS0009

Process

OS API Execution

Monitor for API calls (such as RegOpenKeyExA) that may interact with the Windows Registry to gather information about the system, configuration, and installed software. OS API calls associated with querying the Windows Registry are RegOpenKeyEx , RegOpenUserClassesRoot, RegQueryValueExA, and RegQueryValueExW. Execution of these functions might trigger security log ids such as 4663 (Microsoft Security Auditing). Also monitor for RegOpenUserClassesRoot api to retrieve a handle to the HKEY_CLASSES_ROOT key for a specified user. The returned key has a view of the registry that merges the contents of the HKEY_LOCAL_MACHINE\Software\Classes key with the contents of the Software\Classes keys in the user's registry hive.

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls.



Process Creation

Monitor for newly executed processes that may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Note: The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such a registry key (PSProvider "Registry"). The Get-ChildItem gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations.

Note for Analytic 3: Replace FilePathToLolbasProcessXX.exe with lolBAS process names that are used by your organization. The number_standard_deviations parameter should be tuned accordingly. Identifying outliers by comparing distance from a data point to the average value against a certain number of standard deviations is recommended for data values that are symmetrical distributed. If your data is not distributed, try a different algorithm such as the Interquartile Range (IQR).

Analytic 1 - Suspicious Processes with Registry keys

(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") | search (CommandLine LIKE "%reg%" AND CommandLine LIKE "%query%") OR (CommandLine LIKE "%Registry%" AND (CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine "%HKCR%"))

Analytic 2 - reg.exe spawned from suspicious cmd.exe

((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") | WHERE (Image LIKE "%reg.exe%" AND ParentImage LIKE "%cmd.exe%")| rename ProcessParentGuid as guid| join type=inner guid[ | search ((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND (Image LIKE "%cmd.exe%" AND ParentImage NOT LIKE "%explorer.exe%")| rename ProcessGuid as guid ]

Analytic 3 - Rare LolBAS command lines

((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND Image IN ('FilePathToLolbasProcess01.exe','FilePathToLolbasProcess02.exe') AND number_standard_deviations = 1.5| select Image, ProcessCount, AVG(ProcessCount) Over() - STDEV(ProcessCount) Over() * number_standard_deviations AS LowerBound | WHERE ProcessCount < LowerBound

DS0024

Windows Registry

Windows Registry Key Access

Monitor for unexpected process interactions with the Windows Registry (i.e. reads) that may be related to gathering information.

Note: For Security Auditing event ids 4656 and 4663, a System Access Control List (SACL) that controls the use of specific access rights such as Enumerate sub-keys and Query key value is required for event generation. Depending on the Registry key you are monitoring, the implementation of a new System Access Control List (SACL) might be required. Depending of Registry key used for the creation of a System Access Control List (SACL), the generation of event ids 4656 and 4663 might be noisy.

Analytic 1 - Suspicious Registry

(sourcetype="WinEventLog:Security" EventCode IN (4663, 4656)) AND ObjectType="Key" | WHERE ObjectName LIKE "%SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall%" AND (UserAccessList LIKE "%4435%" OR UserAccessList LIKE "%Enumerate sub-keys%" OR UserAccessList LIKE "%4432%" OR UserAccessList LIKE "%Query key value%") AND Image NOT IN ('FilePathToExpectedProcess01.exe','FilePathToExpectedProcess02.exe')



T1543.001 - Launch Agent


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Ensure Launch Agent's ProgramArguments key pointing to executables located in the /tmp or /shared folders are in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad key set to true are in alignment with policy.

DS0022

File

File Creation

Monitor for newly constructed files that may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.



File Modification

Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.

DS0019

Service

Service Creation

Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s KnockKnock application.



Service Modification

Monitor for changes made to launch agents to repeatedly execute malicious payloads as part of persistence.


T1070.004 - File Deletion


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for actions that could be utilized to unlink, rename, or delete files.

DS0022

File

File Deletion

Monitor for unexpected deletion of files from the system



T1518 - Software Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.

DS0018

Firewall

Firewall Enumeration

Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)



Firewall Metadata

Monitor for contextual data about a firewall and activity around it such as name, policy, or status

DS0009

Process

OS API Execution

Monitor for API calls that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.



Process Creation

Monitor newly executed processes that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.


T1564.001 - Hidden Files and Directories


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor the file system and shell commands for files being created with a leading "." and the Windows command-line use of attrib.exe to add the hidden attribute.

DS0022

File

File Creation

Monitor the file system and shell commands for files being created with a leading "."



File Metadata

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions may set files and directories to be hidden to evade detection mechanisms.

DS0009

Process

Process Creation

Monitor newly executed processes that may set files and directories to be hidden to evade detection mechanisms.

Reports & References1

Observed Countries250

AD (314)
AE (875)
AF (943)
AG (536)
AI (365)
AL (564)
AM (480)
AO (995)
AQ (83)
AR (602)
AS (710)
AT (567)
AU (923)
AW (272)
AX (955)
AZ (404)
BA (907)
BB (967)
BD (881)
BE (78)
BF (849)
BG (6)
BH (173)
BI (661)
BJ (725)
BL (654)
BM (50)
BN (28)
BO (449)
BQ (548)
BR (304)
BS (899)
BT (428)
BV (573)
BW (261)
BY (583)
BZ (259)
CA (857)
CC (305)
CD (95)
CF (424)
CG (80)
CH (326)
CI (33)
CK (417)
CL (834)
CM (155)
CN (76)
CO (913)
CR (185)
CU (676)
CV (611)
CW (337)
CX (520)
CY (90)
CZ (112)
DE (30)
DJ (559)
DK (136)
DM (592)
DO (116)
DZ (224)
EC (276)
EE (522)
EG (732)
EH (80)
ER (750)
ES (200)
ET (296)
FI (57)
FJ (814)
FK (457)
FM (648)
FO (58)
FR (842)
GA (336)
GB (793)
GD (530)
GE (390)
GF (591)
GG (256)
GH (797)
GI (612)
GL (774)
GM (820)
GN (232)
GP (39)
GQ (961)
GR (985)
GS (976)
GT (79)
GU (598)
GW (979)
GY (246)
HK (548)
HM (125)
HN (744)
HR (583)
HT (401)
HU (107)
ID (775)
IE (92)
IL (866)
IM (643)
IN (300)
IO (803)
IQ (112)
IR (577)
IS (367)
IT (790)
JE (199)
JM (975)
JO (895)
JP (95)
KE (396)
KG (785)
KH (18)
KI (346)
KM (807)
KN (673)
KP (78)
KR (249)
KW (738)
KY (177)
KZ (18)
LA (565)
LB (574)
LC (275)
LI (761)
LK (900)
LR (578)
LS (311)
LT (262)
LU (443)
LV (151)
LY (321)
MA (990)
MC (185)
MD (871)
ME (40)
MF (916)
MG (326)
MH (873)
MK (732)
ML (77)
MM (285)
MN (931)
MO (968)
MP (305)
MQ (363)
MR (251)
MS (783)
MT (93)
MU (616)
MV (395)
MW (377)
MX (838)
MY (820)
MZ (428)
NA (558)
NC (819)
NE (203)
NF (889)
NG (986)
NI (320)
NL (726)
NO (318)
NP (966)
NR (877)
NU (575)
NZ (702)
OM (122)
PA (392)
PE (390)
PF (158)
PG (158)
PH (229)
PK (750)
PL (413)
PM (568)
PN (373)
PR (212)
PS (97)
PT (231)
PW (572)
PY (657)
QA (181)
RE (174)
RO (247)
RS (749)
RU (185)
RW (444)
SA (930)
SB (475)
SC (125)
SD (78)
SE (610)
SG (443)
SH (106)
SI (692)
SJ (310)
SK (98)
SL (679)
SM (355)
SN (452)
SO (951)
SR (611)
SS (349)
ST (775)
SV (726)
SX (33)
SY (839)
SZ (507)
TC (956)
TD (684)
TF (479)
TG (181)
TH (206)
TJ (419)
TK (768)
TL (726)
TM (263)
TN (443)
TO (963)
TR (246)
TT (462)
TV (123)
TW (561)
TZ (284)
UA (884)
UG (780)
UM (234)
US (624)
UY (230)
UZ (360)
VA (690)
VC (370)
VE (578)
VG (629)
VI (111)
VN (3)
VU (568)
WF (719)
WS (392)
XK (215)
YE (720)
YT (985)
ZA (457)
ZM (233)
ZW (567)