
Operation Silent Glide
Indicators of Compromise
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1059-Command and Scripting Interpreter
Detects: Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors, and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.
Analytic 1 - Suspicious script execution:
    (sourcetype=WinEventLog:Security OR sourcetype=sysmon OR sourcetype=linux_secure OR sourcetype=linux_audit OR sourcetype=mac_os_log OR sourcetype=azure:audit OR sourcetype=o365:audit)
    | search Image IN ("bash", "sh", "cmd", "powershell", "python", "java", "perl", "ruby", "node", "osascript", "wmic")
    | eval suspicious_cmds=if(like(command_line, "%Invoke-Obfuscation%") OR like(command_line, "%-EncodedCommand%") OR like(command_line, "%IEX%") OR like(command_line, "%wget%") OR like(command_line, "%curl%"), "Yes", "No")
Detects: Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (ex: JScript.dll or vbscript.dll).
Analytic 1 - Look for unusual module loads associated with scripting languages:
    sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational
    | search EventCode=7 ImageLoaded IN ("C:\Windows\System32\JScript.dll", "C:\Windows\System32\vbscript.dll", "System.Management.Automation.dll")
Detects: Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight into adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
Analytic 1 - Look for unusual command and scripting process creation:
    (sourcetype=WinEventLog:Security OR sourcetype=sysmon OR sourcetype=linux_secure OR sourcetype=linux_audit OR sourcetype=mac_os_log OR sourcetype=azure:audit OR sourcetype=o365:audit)
    (EventCode=4688 OR EventID=1 OR _raw=sh OR _raw=python OR _raw=powershell OR _raw=cmd OR _raw=script OR _raw=wscript OR _raw=bash)
Detects: Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. For example, consider monitoring for Windows Event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as whether PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[59]
Detects: Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
Analytic 1 - Look for attempts to enable scripts on the system (the hour test is written with strftime because SPL has no hour() function or NOT BETWEEN operator):
    index=windows (EventCode=1 OR EventCode=4688 OR EventCode=4103 OR EventCode=4104) (CommandLine="*script*")
    | search script_name IN ("*.ps1", "*.sh", "*.py", "*.rb", "*.js", "*.vbs")
    | eval hour_of_day=tonumber(strftime(_time, "%H"))
    | eval suspicious_script=if(like(script_name, "%.sh") AND (hour_of_day<8 OR hour_of_day>18), "Yes", "No")
    | where suspicious_script="Yes"
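As an added example (not part of the report or its analytics), the T1059 command-line checks above rendered as a small Python detector over constructed Sysmon-style events. The interpreter list, markers, script extensions and business hours come from the analytics; the word-boundary matching and the sample events are assumptions made for this example.

```python
"""Added example (not from the report): the T1059 analytics above as a detector
over constructed Sysmon-style process-creation events."""
import re
from datetime import datetime

# Interpreters the report's analytic keys on (basename of Image, no .exe/version).
SCRIPT_INTERPRETERS = {"bash", "sh", "cmd", "powershell", "python", "java",
                       "perl", "ruby", "node", "osascript", "wmic"}
# Command-line markers from the report. Word boundaries on IEX/wget/curl are an
# assumed refinement so that substrings such as "curling.txt" do not match.
SUSPICIOUS_MARKERS = {
    "invoke-obfuscation": re.compile(r"invoke-obfuscation", re.I),
    "encoded-command": re.compile(r"-encodedcommand\b", re.I),
    "iex": re.compile(r"\biex\b", re.I),
    "download-utility": re.compile(r"\b(wget|curl)\b", re.I),
}
SCRIPT_EXTENSIONS = (".ps1", ".sh", ".py", ".rb", ".js", ".vbs")
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59, as in the report's analytic

def interpreter_name(image):
    """'C:\\...\\cmd.exe' -> 'cmd', '/usr/bin/python3' -> 'python'."""
    base = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    base = base[:-4] if base.endswith(".exe") else base
    return re.sub(r"[\d.]+$", "", base)

def evaluate(event):
    """Reasons an event is suspicious (empty list = benign)."""
    reasons = []
    if interpreter_name(event["Image"]) not in SCRIPT_INTERPRETERS:
        return reasons
    cmd = event["CommandLine"]
    reasons += [label for label, rx in SUSPICIOUS_MARKERS.items() if rx.search(cmd)]
    runs_script = any(ext in cmd.lower() for ext in SCRIPT_EXTENSIONS)
    if runs_script and datetime.fromisoformat(event["UtcTime"]).hour not in BUSINESS_HOURS:
        reasons.append("script-outside-business-hours")
    return reasons

def suspicious_events(events):
    """(Computer, interpreter, reasons) for each event with at least one reason."""
    hits = []
    for e in events:
        reasons = evaluate(e)
        if reasons:
            hits.append((e["Computer"], interpreter_name(e["Image"]), reasons))
    return hits

# Constructed sample events (not real telemetry); the encoded blob is a placeholder.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "UtcTime": "2024-05-01T14:02:11", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -EncodedCommand <BASE64-PLACEHOLDER>"},
    {"Computer": "LNX07", "UtcTime": "2024-05-01T02:31:45", "Image": "/bin/bash",
     "CommandLine": "bash /tmp/.cache/update.sh"},
    {"Computer": "WS02", "UtcTime": "2024-05-01T10:15:00", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c type C:\\logs\\curling.txt"},
    {"Computer": "LNX03", "UtcTime": "2024-05-01T11:00:00", "Image": "/usr/bin/python3",
     "CommandLine": "python3 deploy.py --env prod"},
    {"Computer": "WS03", "UtcTime": "2024-05-01T09:00:00", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe curl.txt"},
]
```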
T1021.001 Remote Services: Remote Desktop Protocol
Detects: Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10). Other factors, such as access patterns (ex: multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere. It could be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Note: This analytic looks for user logon events and filters out the top 30 account names to reduce the occurrence of noisy service accounts and the like. It is meant as a starting point for situational awareness around such events. This is liable to be quite noisy and will need tweaking, especially in terms of the number of top users filtered out.
Analytic 1 - RDP interactive logons:
    sourcetype="WinEventLog:Security" EventCode IN (4624, 4634, 4647, 4778, 4779)
    | search LogonType=10 `comment("RDP interactive logon")`
    | eval is_suspicious=if((user!="expected_users") AND (dest_ip!="expected_servers"), "True", "False")
    | where is_suspicious="True"
Detects: Monitor authentication logs and analyze for unusual access patterns. A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing them to known/approved originating systems can detect lateral movement of an adversary.
Analytic 1 - RDP logons by administrative accounts:
    sourcetype="WinEventLog:Security" EventCode="4624" AND LogonType="10" AND AuthenticationPackageName="Negotiate" AND TargetUserName="Admin*"
Detects: Monitor for newly constructed network connections (typically over port 3389) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.
Analytic 1 - Abnormal RDP Network Connections:
    sourcetype=zeek
    | search dest_port=3389 `comment("default RDP port")`
    | stats count by src_ip, dest_ip, dest_port
    | where src_ip!="trusted_ips" AND dest_ip!="internal_servers"
Detects: Monitor network traffic for uncommon data flows that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The Remote Desktop Protocol (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary's perspective, RDP provides a means to laterally move to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise. Remote Desktop can be detected in several ways.
Analytic 1 - Suspicious RDP:
    sourcetype=netflow LogonType="10"
    | search dest_port=3389 `comment("default RDP port")`
    | stats count by src_ip, dest_ip, dest_port
    | where src_ip!="trusted_ips" AND dest_ip!="internal_servers"
Detects: Monitor for newly executed processes (such as mstsc.exe) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions that spawn additional processes as the logged-on user.
Analytic 1 - Unusual processes associated with RDP sessions:
    sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1
    | search (parent_process="mstsc.exe" OR parent_process="rdpclip.exe")
    | table _time, host, user, process_name, parent_process, command_line
    | where process_name!="expected_processes"
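As an added example (not part of the report), the two logon-based RDP analytics above as Python over constructed Windows Security 4624 events: an approved-source comparison per account, and the "multiple systems over a short period" pattern. The per-account approved workstations, the ten-minute window and the sample events are assumptions for this example.

```python
"""Added example (not from the report): the RDP logon analytics above over
constructed Windows Security 4624 events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed baseline: source workstations each administrative account may RDP from.
APPROVED_SOURCES = {"jdoe_adm": {"ADMIN-WS01"}, "svc_backup": {"BACKUP01"}}
BURST_WINDOW = timedelta(minutes=10)   # "multiple systems over a short period"
BURST_HOSTS = 3                        # distinct targets inside the window

def rdp_logons(events):
    """Interactive RDP logons only: EventCode 4624 with LogonType 10."""
    return [e for e in events if e["EventCode"] == 4624 and e["LogonType"] == 10]

def unapproved_sources(events):
    """RDP logons by baselined accounts from a workstation not on their list."""
    hits = []
    for e in rdp_logons(events):
        allowed = APPROVED_SOURCES.get(e["TargetUserName"])
        if allowed is not None and e["WorkstationName"] not in allowed:
            hits.append((e["TargetUserName"], e["WorkstationName"], e["Computer"]))
    return hits

def lateral_bursts(events):
    """Accounts reaching >= BURST_HOSTS distinct targets within BURST_WINDOW."""
    by_user = defaultdict(list)
    for e in rdp_logons(events):
        by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["TimeCreated"]), e["Computer"]))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= BURST_WINDOW}
            if len(hosts) >= BURST_HOSTS:
                flagged[user] = sorted(hosts)
                break
    return flagged

def _ev(t, user, src, dst, logon_type=10, code=4624):
    return {"TimeCreated": t, "EventCode": code, "LogonType": logon_type,
            "TargetUserName": user, "WorkstationName": src, "Computer": dst}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00", "jdoe_adm", "ADMIN-WS01", "SRV01"),               # approved source
    _ev("2024-05-01T09:20:00", "jdoe_adm", "HR-PC07", "SRV02"),                  # unapproved source
    _ev("2024-05-01T09:30:00", "svc_backup", "BACKUP01", "FS01", logon_type=5),  # service logon, ignored
    _ev("2024-05-01T13:00:00", "bsmith", "LAPTOP-22", "FS01"),
    _ev("2024-05-01T13:03:00", "bsmith", "LAPTOP-22", "FS02"),
    _ev("2024-05-01T13:07:00", "bsmith", "LAPTOP-22", "FS03"),                   # 3 hosts in 7 minutes
    _ev("2024-05-01T13:09:00", "bsmith", "LAPTOP-22", "FS01", code=4634),        # logoff, ignored
]
```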
T1047-Windows Management Instrumentation
Detects: Monitor executed commands and arguments for actions that are used to perform remote behavior.
Analytic 1 - Look for wmic.exe execution with arguments indicative of remote process creation:
    index=windows_logs sourcetype=WinEventLog:Security OR sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational
    | eval CommandLine=coalesce(CommandLine, ParentCommandLine)
    | eval ProcessName=lower(ProcessName), CommandLine=lower(CommandLine)
    | search ProcessName IN ("wmic.exe", "powershell.exe", "wbemtool.exe", "wmiprvse.exe", "wmiadap.exe", "scrcons.exe")
    | search CommandLine IN ("*process call create*", "*shadowcopy delete*", "*process start*", "*createobject*")
    | stats count by _time, ComputerName, User, ProcessName, CommandLine, ParentProcessName, ParentCommandLine, dest, src_ip, dest_ip
    | eval alert_message="Suspicious WMI activity detected: " + ProcessName + " executed by " + User + " on " + ComputerName + " with command: " + CommandLine
    | where NOT (User="SYSTEM" OR ProcessName="wmiprvse.exe" OR (CommandLine="wmic shadowcopy delete" AND src_ip="trusted_ip_range"))
    | table _time, ComputerName, User, ProcessName, CommandLine, ParentProcessName, ParentCommandLine, src_ip, dest_ip, alert_message
Detects: Monitor network traffic for WMI connections for potential use to remotely edit configuration, start services, or query files. When remote WMI requests go over RPC, the client connects to a DCOM interface within the RPC group netsvcs. To detect this activity, a sensor is needed either at the network level that can decode RPC traffic, or on the host, where the communication can be detected more natively, such as with Event Tracing for Windows. Using wireshark/tshark decoders, the WMI interfaces can be extracted so that WMI activity over RPC can be detected. Although the description details how to detect remote WMI precisely, a decent estimate has been to look for the string RPCSS within the initial RPC connection on 135/tcp. It returns a superset of this activity and will trigger on all DCOM-related services running within RPC, which is likely to also be activity that should be detected between hosts. More about RPCSS at: rpcss_dcom_interfaces.html
Look for instances of WMI querying in network traffic, and find the cases where a process is launched immediately after a connection is seen. This essentially merges the request to start a remote process via WMI with the process execution. If other processes are spawned from wmiprvse.exe in this time frame, race conditions are possible and the wrong process may be merged. If this is the case, it may be useful to look deeper into the network traffic to see if the desired command can be extracted.
After the WMI connection has been initialized, a process can be remotely launched using the command wmic /node:"" process call create "", which is detected in the third Detection Pseudocode. This leaves artifacts at both the network (RPC) and process (command line) level. When wmic.exe (or the schtasks API) is used to remotely create processes, Windows uses RPC (135/tcp) to communicate with the remote machine. After RPC authenticates, the RPC endpoint mapper opens a high-port connection, through which the schtasks Remote Procedure Call is actually implemented. With the right packet decoders, or by looking for certain byte streams in raw data, these functions can be identified. When the command line is executed, it has the parent process C:\windows\system32\wbem\WmiPrvSE.exe. This analytic looks for these two events happening in sequence, so that the network connection and target process are output.
Certain strings can identify WMI by looking up the interface UUID for IRemUnknown2 in different formats:
- UUID 00000143-0000-0000-c000-000000000046 (decoded)
- Hex 43 01 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 (raw)
- ASCII CF (printable text only)
This identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic. The transfer syntax is:
- UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (decoded)
- Hex 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 (raw)
- ASCII `]+H`` (printable text only)
Thus, a great ASCII-based signature is: CF]+HCFCFhost"
Note: To detect WMI over RPC (using DCOM), a sensor needs to exist that has insight into individual connections and can actually decode and make sense of RPC traffic. Specifically, WMI can be detected by looking at RPC traffic where the target interface matches that of WMI, which is IRemUnknown2.
Analytic 1 - Monitor for WMI over RPC (DCOM) connections. Look for the string RPCSS within the initial RPC connection on port 135/tcp:
    index=windows_logs sourcetype=WinEventLog:Security OR sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=WinEventLog:Microsoft-Windows-Security-Auditing
    | eval ProcessName=lower(ProcessName), CommandLine=lower(CommandLine)
    | search ProcessName IN ("wmic.exe", "powershell.exe", "wmiprvse.exe", "wmiadap.exe", "scrcons.exe", "wbemtool.exe")
    | search CommandLine IN ("*process call create*", "*win32_process*", "*win32_service*", "*shadowcopy delete*", "*network*")
    | search (sourcetype="WinEventLog:Security" EventCode=4688) OR (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
    | join ProcessName [ search index=windows_logs sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=3
        | eval DestinationIp = coalesce(DestinationIp, dest_ip)
        | eval DestinationPort = coalesce(DestinationPort, dest_port)
        | search DestinationPort IN (135, 5985, 5986) ]
    | stats count by _time, ComputerName, User, ProcessName, CommandLine, DestinationIp, DestinationPort, dest, src_ip, dest_ip
    | eval alert_message="Suspicious WMI Network Connection Detected: " + ProcessName + " executed by " + User + " on " + ComputerName + " with command: " + CommandLine + " connecting to " + DestinationIp + ":" + DestinationPort
    | where NOT (User="SYSTEM" OR ProcessName="wmiprvse.exe" OR (src_ip="trusted_ip_range" AND DestinationIp="trusted_ip_range"))
    | table _time, ComputerName, User, ProcessName, CommandLine, DestinationIp, DestinationPort, src_ip, dest_ip, alert_message
Detects: Monitor for newly constructed processes and/or command-lines of "wmic". If the command line utility wmic.exe is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like wmic.exe /node:"<hostname>" process call create "<command line>". It is possible to also connect via IP address, in which case the string "<hostname>" would instead be an IP address. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility PowerShell. Note: Event IDs are for Sysmon (Event ID 10 - process access) and Windows Security Log (Event ID 4688 - a new process has been created). Besides executing arbitrary processes, wmic.exe can also be used to execute data stored in NTFS alternate data streams (see NTFS File Attributes). Look for instances of wmic.exe as well as the following substrings in the command line:
- process call create
- /node:
Analytic 1 - Detect wmic.exe process creation with command lines containing process call create or /node: (LIKE patterns carry % wildcards so that they match substrings):
    index=security sourcetype="WinEventLog:Security" (EventCode=4688 OR EventCode=4656 OR EventCode=4103 OR EventCode=800)
    | eval command_line = coalesce(CommandLine, ParentCommandLine)
    | where (ProcessName="wmic.exe" AND (command_line LIKE "%/node:%" OR command_line LIKE "%process call create%")) OR (command_line LIKE "%Invoke-WmiMethod%" OR command_line LIKE "%Get-WmiObject%" OR command_line LIKE "%gwmi%" OR command_line LIKE "%win32_process%")
Detects: Monitor for newly constructed WMI objects that will execute malicious commands and payloads.
Analytic 1 - WMI object creation events (LIKE patterns carry % wildcards so that they match substrings):
    index=security sourcetype="WinEventLog:Microsoft-Windows-WMI-Activity/Operational" (EventCode=5861 OR EventCode=5857 OR EventCode=5858)
    | eval CommandLine = coalesce(CommandLine, ParentCommandLine)
    | where (EventCode=5861 AND (CommandLine LIKE "%create%" OR CommandLine LIKE "%process%")) OR (EventCode=5857 AND (CommandLine LIKE "%exec%" OR CommandLine LIKE "%invoke%")) OR (EventCode=5858 AND (CommandLine LIKE "%payload%" OR CommandLine LIKE "%wmic%"))
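As an added example (not part of the report), the network-then-process sequence the WMI guidance above describes, written in Python over constructed Sysmon events from a source host and a target host: each 135/tcp connection is merged with the WmiPrvSE.exe children created on the destination shortly afterwards, and the result is marked ambiguous when more than one child falls in the window, which is the race condition the text warns about. The five-second window and the sample events are assumptions.

```python
"""Added example (not from the report): merge a 135/tcp RPC connection with the
process WmiPrvSE.exe spawns on the target, over constructed Sysmon events."""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=5)          # assumed merge window after the connection
WMI_HOST_PROCESS = "c:\\windows\\system32\\wbem\\wmiprvse.exe"

def _t(s):
    return datetime.fromisoformat(s)

def rpc_connections(net_events):
    """Sysmon EID 3 connections to the RPC endpoint mapper on 135/tcp."""
    return [n for n in net_events
            if n["EventCode"] == 3 and n["Protocol"] == "tcp" and n["DestinationPort"] == 135]

def correlate(net_events, proc_events):
    """One record per RPC connection with the WmiPrvSE.exe children created on the
    destination host within WINDOW. 'ambiguous' is True when several children
    qualify, i.e. the wrong process may be merged and the packet data should be
    inspected for the actual command."""
    results = []
    for n in rpc_connections(net_events):
        t0 = _t(n["UtcTime"])
        children = [p for p in proc_events
                    if p["EventCode"] == 1
                    and p["Computer"] == n["DestinationHostname"]
                    and p["ParentImage"].lower() == WMI_HOST_PROCESS
                    and t0 <= _t(p["UtcTime"]) <= t0 + WINDOW]
        results.append({
            "source": n["Computer"], "source_image": n["Image"].rsplit("\\", 1)[-1],
            "target": n["DestinationHostname"],
            "commands": [c["CommandLine"] for c in children],
            "ambiguous": len(children) > 1,
        })
    return results

# Constructed sample events (not real telemetry).
NET_EVENTS = [
    {"EventCode": 3, "Computer": "WS01", "UtcTime": "2024-05-01T10:00:00", "Protocol": "tcp",
     "Image": "C:\\Windows\\System32\\wbem\\wmic.exe", "DestinationHostname": "SRV01", "DestinationPort": 135},
    {"EventCode": 3, "Computer": "WS01", "UtcTime": "2024-05-01T10:00:30", "Protocol": "tcp",
     "Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationHostname": "SRV01", "DestinationPort": 443},
    {"EventCode": 3, "Computer": "WS02", "UtcTime": "2024-05-01T11:00:00", "Protocol": "tcp",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationHostname": "SRV02", "DestinationPort": 135},
]
PROC_EVENTS = [
    {"EventCode": 1, "Computer": "SRV01", "UtcTime": "2024-05-01T10:00:02",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "cmd.exe /c hostname"},
    {"EventCode": 1, "Computer": "SRV01", "UtcTime": "2024-05-01T10:00:03",          # not a WmiPrvSE child
     "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventCode": 1, "Computer": "SRV02", "UtcTime": "2024-05-01T11:00:01",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "cmd.exe /c ipconfig"},
    {"EventCode": 1, "Computer": "SRV02", "UtcTime": "2024-05-01T11:00:04",          # second child: race
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "cscript.exe inventory.vbs"},
]
```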
T1105-Ingress Tool Transfer
Detects: Monitor executed commands and arguments for suspicious activity associated with downloading external content.
Detects: Monitor for file creation and files transferred into the network.
Detects: Monitor for newly constructed network connections that are sent or received by untrusted hosts, or that create files on-system; such activity may be suspicious. Abnormal use of utilities such as FTP may also be suspicious.
Detects: Monitor network traffic content for files and other potentially malicious content, especially data coming in from abnormal/unknown domains and IPs.
Detects: Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
T1569.002-System Services: Service Execution
Detects: Monitor executed commands and arguments that may abuse the Windows service control manager to execute malicious commands or payloads.
Analytic 1 - Commands abusing Windows service control manager:
    sourcetype=WinEventLog:Security OR sourcetype=Powershell OR sourcetype=Sysmon EventCode IN (1,4688,4104)
    | search command_line IN ("sc.exe", "net start", "net stop", "psexec.exe")
    | where user!="SYSTEM" `comment("exclude common system-level activities")`
Detects: Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
Detects: Monitor for newly executed processes that may abuse the Windows service control manager to execute malicious commands or payloads. Events 4688 (Microsoft Windows Security Auditing) and 1 (Microsoft Windows Sysmon) provide context on Windows process creation that can be used to implement this detection. This detection is based on uncommon process and parent process relationships. Service Control Manager spawning a command shell is a good starting point. Add more suspicious relationships based on the reality of your network environment. In order to reduce false positives, you can also filter the CommandLine event field using parameters such as /c, which carries out the command specified by the parent process.
Analytic 1 - Service Execution (the parent/child test is written against ParentImage and Image, since a single Image cannot match both services.exe and cmd.exe):
    (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")
    | where ParentImage LIKE "%services.exe" AND Image LIKE "%cmd.exe"
Detects: Monitor newly constructed services that abuse the service control manager to execute malicious commands or payloads.
Analytic 1 - Suspicious Service Creation:
    sourcetype=WinEventLog:Security OR sourcetype=WinEventLog:System EventCode=4697 OR EventCode=7045
    | table _time, user, service_name, service_file_name, process_id
    | where service_file_name != "legitimate_software_path" `comment("exclude legitimate services")`
Detects: Monitor for changes made to Windows registry keys and/or values that may abuse the Windows service control manager to execute malicious commands or payloads.
Analytic 1 - Registry changes related to service execution (the key match carries a trailing wildcard so that subkeys under Services match, and the exclusion uses like() because != does not expand wildcards):
    sourcetype=WinEventLog:Security OR sourcetype=Sysmon EventCode=13 OR EventCode=4657
    | search registry_path IN ("HKLM\SYSTEM\CurrentControlSet\Services\*")
    | where NOT like(registry_value, "legitimate_software_registry%") `comment("filter out common services")`
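As an added example (not part of the report), the process-relationship and service-creation analytics above in Python over constructed Sysmon EID 1 and System EID 7045 events, including the /c filter the text suggests for reducing false positives. The parent/child pairs beyond services.exe spawning cmd.exe, the allowed service directories and the sample events are assumptions for this example.

```python
"""Added example (not from the report): T1569.002 service-execution checks over
constructed Sysmon EID 1 and System EID 7045 events."""

# Parent -> children pairs to flag; the report's starting point is the Service
# Control Manager spawning a command shell (powershell.exe is an assumed addition).
SUSPICIOUS_CHILDREN = {"services.exe": {"cmd.exe", "powershell.exe"}}
# Assumed allowlist: directories service binaries are expected to live under.
ALLOWED_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def shell_children_of_scm(events, require_c_switch=True):
    """Process creations whose parent/child pair is in SUSPICIOUS_CHILDREN. With
    require_c_switch, only shells started with /c (the parent asked for a specific
    command to be carried out) are kept, as the report suggests."""
    hits = []
    for e in events:
        if e["EventCode"] != 1:
            continue
        parent, child = basename(e["ParentImage"]), basename(e["Image"])
        if child not in SUSPICIOUS_CHILDREN.get(parent, ()):
            continue
        if require_c_switch and "/c" not in e["CommandLine"].lower().split():
            continue
        hits.append((parent, child, e["CommandLine"]))
    return hits

def services_outside_allowlist(events):
    """EID 7045 installs whose binary is not under an allowed directory. ImagePath
    may carry quotes and arguments, so only the leading path is compared."""
    hits = []
    for e in events:
        if e["EventCode"] != 7045:
            continue
        image = e["ImagePath"].strip().lstrip('"').lower()
        if not image.startswith(ALLOWED_SERVICE_DIRS):
            hits.append((e["ServiceName"], e["ImagePath"]))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 1, "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c net stop Spooler"},
    {"EventCode": 1, "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},               # no /c: filtered
    {"EventCode": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},        # parent not SCM
    {"EventCode": 7045, "ServiceName": "Spooler Helper",
     "ImagePath": "C:\\Users\\Public\\svchelper.exe -k run"},                             # outside allowlist
    {"EventCode": 7045, "ServiceName": "Backup Agent",
     "ImagePath": "\"C:\\Program Files\\Backup\\agent.exe\" --service"},                  # allowed directory
]
```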