Campaigns
PassiveNeuron-X

PassiveNeuron-X

PassiveNeuron-Xserver compromiseSQL exploitNeuralExecutorCobalt Strike
PassiveNeuron-X is a focused cyber espionage campaign that targets Windows Server machines exposed to the internet. The attackers seek entry through SQL servers and web-facing applications, drop custom implants and loaders, and use remote administration frameworks such as Cobalt Strike to move inside networks. The campaign focuses on government, industrial and financial targets across Asia, Africa, and Latin America, and it uses DLL hijacking, web shells, and script-based tools to persist and blend in with normal server activity.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1190 - Exploit Public-Facing Application


ID

Data Source

Data Component

Detects

DS0015

Application Log

Application Log Content

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation. Web server logs (e.g., var/log/httpd or /var/log/apache for Apache web servers on Linux) may also record evidence of exploitation.

(source="C:\inetpub\logs\LogFiles\W3SVC*" OR source="/var/log/apache2/access.log" OR source="/var/log/nginx/access.log")| eval exploit_attempt=if(like(cs_uri_query, "%exec%") OR like(cs_uri_query, "%cmd%") OR like(cs_uri_query, "%cat /etc/passwd%") OR like(cs_uri_query, "%../../%"), 1, 0)| stats count by src_ip, cs_uri_query, sc_status| where exploit_attempt=1 AND count > 5| table _time, src_ip, cs_uri_query, sc_status, count

DS0029

Network Traffic

Network Traffic Content

Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection strings or known payloads. For example, monitor for successively chained functions that adversaries commonly abuse (i.e. gadget chaining) through unsafe deserialization to exploit publicly facing applications for initial access.[114] In AWS environments, monitor VPC flow logs and/or Elastic Load Balancer (ELB) logs going to and from instances hosting externally accessible applications.

(source="/var/log/zeek/http.log" OR source="C:\Windows\System32\LogFiles\Firewall")| regex http_request="(?i)select.from|union.select|cmd=.|exec=."| stats count by src_ip, dest_ip, http_method, uri_path| where count > 10| table _time, src_ip, dest_ip, http_method, uri_path, count


T1071 - Application Layer Protocol


ID

Data Source

Data Component

Detects

DS0029

Network Traffic

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).



Network Traffic Flow

Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).


T1055 - Process Injection


ID

Data Source

Data Component

Detects

DS0022

File

File Metadata

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.



File Modification

Monitor for changes made to files that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.

DS0011

Module

Module Load

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

DS0009

Process

OS API Execution

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[95] Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.[96] [97] [98] [99]



Process Access

Monitor for processes being viewed that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.



Process Metadata

Monitor for process memory inconsistencies, such as checking memory ranges against a known copy of the legitimate module.[100]



Process Modification

Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.


T1021 - Remote Services


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

Analytic 1 - Detect adversary commands executed via remote sessions.

index=* (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="/var/log/auth.log") AND (EventCode= 1 OR EventCode=sshd)| search parent_process_name="sshd" OR parent_process_name="mstsc.exe" OR parent_process_name="rdpclip.exe"| eval suspicious_command=case( match(command_line, "net user|powershell|/etc/passwd|nc|curl|socat"), "high", match(command_line, "whoami|ls|dir|pwd"), "low", true(), "normal" )| stats count by host, process_name, command_line, suspicious_command, _time| where count > threshold AND suspicious_command="high"| table _time, host, process_name, command_line, suspicious_command

DS0028

Logon Session

Logon Session Creation

Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For example, in macOS you can review logs for "screensharingd" and "Authentication" event messages. [7][18]

Note: When using Security event id 4624, %$ means user names that do not end with $ character. Usually, computer accounts or local system accounts names end with the $ character. When using Security event 4624, UserName and UserLogonId correspond to TargetUserName and TargetLogonId respectively. When using Security event 4624, LogonType 3 corresponds to a Network Logon

Analytic 1 - New services being created under network logon sessions by non-system users(sourcetype="WinEventLog:Security" EventCode IN (4624, 4648, 4625)) AND LogonType="3" AND UserName NOT '$' | rename UserLogonId AS LogonID| join type=inner LogonID[| search (source="WinEventLog:Security" EventCode="4697") | rename UserLogonId as LogonID]

DS0011

Module

Module Load

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes, that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

Note: On Windows, Sysmon Event ID 7 (Image loaded) can be used to monitor the loading of DLLs into processes, including those designed to accept remote connections. This is a particularly noisy event and can generate a large volume of data, so we recommend baselining and filtering out any known benign processes and module to help reduce the number of events that are produced.

DS0033

Network Share

Network Share Access

Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB).

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC. Monitor network connections involving common remote management protocols, such as ports tcp:3283 and tcp:5900, as well as ports tcp: 3389 and tcp:22 for remote login.

index="network_logs" sourcetype="network_connection"| search protocol IN ("tcp/22", "tcp/3389", "tcp/5900")| stats count by src_ip, dest_ip, dest_port, _time| eval suspicious_connection=if(src_ip NOT IN ("trusted_sources") AND count > threshold, "high", "normal")| where suspicious_connection="high"| table _time, src_ip, dest_ip, dest_port, suspicious_connection



Network Traffic Flow

Monitor network data for uncommon data flows that may be related to abuse of Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC.

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network service protocols such as SSH and RDP.

Analytic 1 - Suspicious Protocols

sourcetype="netflow" | search dest_port=22 OR dest_port=3389 OR dest_port=5900 OR dest_port=3283 // SSH, RDP, VNC, ARD

DS0009

Process

Process Creation

Monitor for newly executed processes that may use Valid Accounts to log into a service specifically designed to accept remote connections, such as RDP, telnet, SSH, and VNC. The adversary may then perform actions that spawn additional processes as the logged-on user.

Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. In those cases, the file path name is arbitrary and may blend in well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters.

Any tool of interest with commonly known command line usage can be detecting by command line analysis. Known substrings of command lines include

  • PuTTY

  • port forwarding -R * -pw

  • secure copy (scp) -pw * * @

  • mimikatz sekurlsa::

  • RAR  -hp

  • Archive* a * Additionally, it may be useful to find IP addresses in the command line

  • \d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}

Analytic 1 - Suspicious Arguments

(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND CommandLine="-R . -pw" OR CommandLine="-pw . . .@." OR CommandLine="sekurlsa" OR CommandLine=" -hp " OR CommandLine=". a .*"

DS0005

WMI

WMI Creation

Monitor for newly constructed WMI objects that is often used to log into a service that accepts remote connects.


T1090 - Proxy


ID

Data Source

Data Component

Detects

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.



Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).



Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


T1083 - File and Directory Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. On ESXi servers, monitor for commands that leverage tools like grep and find to search for files with VM extensions such as vmdk, or in VM-related paths such as /vmfs/*.[401][402][403]

DS0009

Process

OS API Execution

Monitor for API calls that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.



Process Creation

Monitor newly executed processes that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.


T1057 - Process Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for actions that may attempt to get information about running processes on a system.

DS0009

Process

OS API Execution

Monitor for API calls may attempt to get information about running processes on a system.



Process Creation

Monitor for newly executed processes that may attempt to get information about running processes on a system. To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment.

Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically.Within the built-in Windows Commands:

  • hostname

  • ipconfig

  • net

  • quser

  • qwinsta

  • sc with flags query, queryex, qc

  • systeminfo

  • tasklist

  • dsquery

  • whoamiNote: To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment.

Analytic 1 - Host Discovery Commands

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image="C:\Windows\\hostname.exe" OR Image="C:\Windows\\ipconfig.exe" OR Image="C:\Windows\\net.exe" OR Image="C:\Windows\\quser.exe" OR Image="C:\Windows\\qwinsta.exe" OR (Image="C:\Windows\\sc.exe" AND (CommandLine=" query " OR CommandLine=" qc ")) OR Image="C:\Windows\\systeminfo.exe" OR Image="C:\Windows\\tasklist.exe" OR Image="C:\Windows\*\whoami.exe")|stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName



T1059.001 - PowerShell


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). [321] PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.[322] An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.

PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe

For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command Enter-PSSession -ComputerName \<RemoteHost> creates a remote PowerShell session.

Analytic 1 - Look for unusual PowerShell execution.

sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational| search EventCode=4104| eval suspicious_cmds=if(like(Message, "%-EncodedCommand%") OR like(Message, "%Invoke-Expression%") OR like(Message, "%IEX%") OR like(Message, "%DownloadFile%"), "Yes", "No")| where suspicious_cmds="Yes"

DS0011

Module

Module Load

Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).[3][4]

Analytic 1 - Processes loading PowerShell assemblies

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational| search EventCode=7 ImageLoaded IN ("C:\Windows\System32\System.Management.Automation.dll", "C:\Windows\System32\powershell.exe")

DS0009

Process

Process Creation

Monitor for newly executed processes that may abuse PowerShell commands and scripts for execution. PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts.

Powershell can be used to hide monitored command line execution such as:

net usesc start

Note: - The logic for Analytic 1 is based around detecting on non-interactive Powershell sessions (i.e., those not launched by a user through explorer.exe). This may lead to false positives when used in a production environment, so we recommend tuning any such analytics by including additional logic (e.g., looking for suspicious parent processes) that helps filter such events.- The logic for Analytic 2 is based around detecting on remote Powershell sessions. PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe.

Analytic 1 - Non-interactive Powershell Sessions

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="powershell.exe" AND ParentImage!="explorer.exe"

Analytic 2 - Remote Powershell Sessions

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="wsmprovhost.exe" AND ParentImage="svchost.exe"

Analytic 3 - Powershell Execution

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") Image="C:\Windows\\powershell.exe" ParentImage!="C:\Windows\explorer.exe"|stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName



Process Metadata

Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[323]

DS0012

Script

Script Execution

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Analytic 1 - Script Block Logging Events

(source=WinEventLog:"Microsoft-Windows-PowerShell/Operational" EventID="4104" AND Image="powershell.exe" AND (CommandLine="-enc" OR CommandLine="-ep bypass" OR CommandLine="-noni*")


T1547.001 - Registry Run Keys / Startup Folder


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.

DS0022

File

File Modification

Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including the startup folders. [313]

DS0009

Process

Process Creation

Monitor for newly executed processes executed from the Run/RunOnce registry keys through Windows EID 9707 or "Software\Microsoft\Windows\CurrentVersion\Run" and "Software\Microsoft\Windows\CurrentVersion\RunOnce" registry keys with the full command line.

Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via regedit.exe or by using the corresponding channels, or even calling the Registry APIs directly. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell, such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. Occasionally, power users and administrators write scripts that do this behavior as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly.

Output DescriptionThe sequence of processes that resulted in reg.exe being started from a shell. That is, a hierarchy that looks like• great-grand_parent.exe• grand_parent.exe• parent.exe• reg.exe

Analytic 1 - Reg.exe called from Command Shell

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="reg.exe" AND ParentImage="cmd.exe"| join left=L right=R where L.ParentProcessGuid = R.ProcessGuid [search EventCode IN (1, 4688) Image="cmd.exe" ParentImage!="explorer.exe"]

DS0024

Windows Registry

Windows Registry Key Creation

Monitor for newly created windows registry keys that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.



Windows Registry Key Modification

Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations. [313]

Detection of the modification of the registry key Common Startup located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders. When a user logs on, any files located in the Startup Folder are launched. Attackers may modify these folders with other files in order to evade detection set on these default folders. This detection focuses on EventIDs 4688 and 1 for process creation and EventID 4657 for the modification of the Registry Keys.

Analytic 1 - Modification of Default Startup Folder in the Registry Key ‘Common Startup’

(source="WinEventLog:Security" EventCode="4657" ObjectValueName="Common Startup") OR (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" TargetObject="*Common Startup")



T1027 - Obfuscated Files or Information


ID

Data Source

Data Component

Detects

DS0015

Application Log

Application Log Content

The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.

DS0017

Command

Command Execution

Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^).

Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.

DS0022

File

File Creation

Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).



File Metadata

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

File-based signatures may be capable of detecting code obfuscation depending on the methods used.[185][186][187]

DS0011

Module

Module Load

Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated code functionality. Dynamic malware analysis may also expose signs of code obfuscation.[186]

DS0009

Process

OS API Execution

Monitor and analyze calls to functions such as GetProcAddress() that are associated with malicious code obfuscation.[185]



Process Creation

Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

DS0012

Script

Script Execution

Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^).

Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters.

DS0024

Windows Registry

Windows Registry Key Creation

Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads.

DS0005

WMI

WMI Creation

Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads.


T1573 - Encrypted Channel


ID

Data Source

Data Component

Detects

DS0029

Network Traffic

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).


T1132 - Data Encoding


ID

Data Source

Data Component

Detects

DS0029

Network Traffic

Network Traffic Content

Monitor for network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols and packet contents.


T1059.003 - Windows Command Shell


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may abuse the Windows command shell for execution. Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Analytic 1 - Look for unusual command shell execution.

sourcetype=WinEventLog:Security| search (EventCode=4688 OR EventCode=4689) process_name="cmd.exe"| eval suspicious_cmd=if(like(command_line, "%/c%") OR like(command_line, "%.bat%") OR like(command_line, "%.cmd%"), "Yes", "No")| where suspicious_cmd="Yes"

DS0009

Process

Process Creation

Monitor for newly executed processes that may abuse the Windows command shell for execution.

Note: Try an Analytic by creating a baseline of parent processes of cmd seen over the last 30 days and a list of parent processes of cmd seen today. Parent processes in the baseline are removed from the set of parent processes seen today, leaving a list of new parent processes. This analytic attempts to identify suspicious programs spawning cmd by looking for programs that do not normally create cmd.  It is very common for some programs to spawn cmd as a subprocess, for example to run batch files or Windows commands. However, many processes don’t routinely launch a command prompt - e.g., Microsoft Outlook. A command prompt being launched from a process that normally doesn’t launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one.

Analytic 1 - Unusual Command Execution

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND CommandLine="cmd.exe" AND (CommandLine REGEXP "./c." OR CommandLine REGEXP ".._ \/k.*")


T1105 - Ingress Tool Transfer


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for suspicious activity associated with downloading external content.

DS0022

File

File Creation

Monitor for file creation and files transferred into the network.

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts or creating files on-system may be suspicious. Abnormal use of utilities such as FTP may also be suspicious.



Network Traffic Content

Monitor network traffic content for files and other potentially malicious content, especially data coming in from abnormal/unknown domain and IPs.



Network Traffic Flow

Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Observed Countries2

CF (897)
ZA (243)