{
"type": "bundle",
"id": "bundle--70a766f0-0fa0-48fb-9f99-9a6cb54060ba",
"spec_version": "2.0",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31T21:30:45.613Z",
"modified": "2018-01-17T12:56:55.080Z",
"name": "New Service",
"description": "When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry. \n\nAdversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.\n\nDetection: Monitor service creation through changes in the Registry and common utilities using command-line invocation. New, benign services may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence. (Citation: TechNet Autoruns) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could create services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, Process monitoring, Process command-line parameters\n\nEffective Permissions: SYSTEM\n\nPermissions Required: Administrator, SYSTEM",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/wiki/Technique/T1050",
"external_id": "T1050"
},
{
"source_name": "TechNet Services",
"description": "Microsoft. (n.d.). Services. Retrieved June 7, 2016.",
"url": "https://technet.microsoft.com/en-us/library/cc772408.aspx"
},
{
"source_name": "TechNet Autoruns",
"description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.",
"url": "https://technet.microsoft.com/en-us/sysinternals/bb963902"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Windows Registry",
"Process monitoring",
"Process command-line parameters"
],
"x_mitre_effective_permissions": [
"SYSTEM"
],
"x_mitre_permissions_required": [
"Administrator",
"SYSTEM"
],
"x_mitre_platforms": [
"Windows"
]
}
]
} |