Redcannary

2022-04-04 10:57:23 +02:00
parent dd7576e4b3
commit aaafef29b4
5 changed files with 136 additions and 0 deletions
@@ -0,0 +1,24 @@
+title: Query to Ammyy Remote Access Software Domain
+id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
+status: experimental
+description: |
+  An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+  These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) 
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
+author: frack113
+date: 2022/04/04
+logsource:
+    product: windows
+    category: dns_query
+detection:
+    selection:
+        QueryName|endswith: '.ammyy.com'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.command_and_control
+    - attack.t1219
@@ -0,0 +1,26 @@
+title: Suspicious Get Current User
+id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
+status: experimental
+description: Use the PowerShell to identify the current logged user.
+date: 2022/04/04
+author: frack113
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains:
+            - '[System.Environment]::UserName'
+            - '$env:UserName'
+            - '[System.Security.Principal.WindowsIdentity]::GetCurrent()'
+    condition: selection
+falsepositives:
+    - Legitimate PowerShell scripts
+level: low
+tags:
+    - attack.discovery
+    - attack.t1033
@@ -0,0 +1,26 @@
+title: Add Registry Value to Load Service in Safe Mode
+id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
+description: Modify the registry to allow a driver, service, to persist in Safe Mode.
+author: frack113
+date: 2022/04/04
+status: experimental
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|startswith:
+            - 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\'
+            - 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\'
+        TargetObject|endswith: '\(Default)'
+        Details: Service
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+tags:
+  - attack.defense_evasion
+  - attack.t1564.001
@@ -0,0 +1,27 @@
+title: Disable System Restore Through Registry
+id: 5de03871-5d46-4539-a82d-3aa992a69a83
+description: Modify the registry to disable system restore on the computer
+author: frack113
+date: 2022/04/04
+status: experimental
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|startswith:
+            - 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
+            - 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
+        TargetObject|endswith: 
+            - DisableConfig
+            - DisableSR
+        Details: 'DWORD (0x00000001)'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
+tags:
+  - attack.impact
+  - attack.t1490
@@ -0,0 +1,33 @@
+title: Add Root or CA or AuthRoot Certificate to Certificate Store
+id: d223b46b-5621-4037-88fe-fda32eead684
+description: Modify the registry to disable system restore on the computer
+author: frack113
+date: 2022/04/04
+status: experimental
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
+    - https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        TargetObject|contains:
+            - '\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\'
+            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\'
+            - '\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\'
+            - '\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\'
+            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\'
+            - '\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\'
+            - '\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\'
+            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\'
+            - '\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\'
+        TargetObject|endswith: '\Blob'
+        Details: 'Binary Data'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
+tags:
+  - attack.impact
+  - attack.t1490