NON-MITRE ATT&CK Analytics¶

Trigger Condition: When an attempt to execute code or create a service on a remote host via winrm.vbs is detected. WinRM is a windows native script used to manage Windows RM settings. The functionality of the WinRM command is provided through a Visual Basic Script, winrm.vbs. This script can be abused to create a process leading to remote code execution and lateral movement. False positives are uncommon, but legitimate use for administrative purposes such as remote PowerShell execution can trigger this alert.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique is attempted using winrm.vbs. It detects the execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed). winrm.vbs (a Windows-signed script) can consume and execute attacker-controlled XSL, which is not subject to enlightened script host restrictions, resulting in the execution of arbitrary, unsigned code execution.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: The execution of a PowerShell code by the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server is detected. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. As this attack requires sqlps.exe bundled with MSSQL installation, any device without it is not vulnerable. Also, child process sqlps.exe spawned by sqlagent.exe is a legitimate action. Direct PS command execution through SQLPS.exe is rare, but if it occurs, it results in a false positive.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When shadow copies are deleted using operating systems utilities. Shadow copy is a Microsoft technology that can create backup copies or snapshots of computer files or volumes. Windows internal binaries are PowerShell, wmic, vssadmin, diskshadow, wbadmin, and vssadmin. Adversaries can utilize these binaries to delete shadow copies from the system so that the data recovery and reverting the system to a saved state is impossible after dropping malware.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When child processes are created using the diskshadow binary. DiskShadow.exe is a Windows internal binary that exposes the functionality offered by the Volume Shadow Copy Service. Volume shadow copy service is a Windows framework that backs up a volume by creating a copy of it. Adversaries can use diskshadow binary’s interactive mode and execute other binaries using the exec command to bypass defensive countermeasures.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When diskshadow binary is used to execute code from a file. DiskShadow.exe is Windows internal binary that exposes the functionality offered by the Volume Shadow Copy Service. Volume shadow copy service is a framework in Windows that provides the function to backup a volume by creating a copy of it. Adversaries can use diskshadow with -s or /s tag to execute a command from a file and bypass detection.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: The process pattern for CVE-2021-40444 is detected. CVE-22021-4044 is a remote code execution vulnerability in MSHTML, which is Microsoft’s proprietary browser engine for Internet Explorer. Control.exe is a Windows internal binary to access the control panel. Adversaries can rename their malware or payload to control.exe and execute it to escape detection.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When a service is created by loading a DLL using the ExtExport service in IE. ExtExport is a module that serves to import/export data from other programs, for example, favorites or bookmarks from other browsers. Attackers can use Extexport.exe to load any DLL using the built-in tool ExtExport.exe which can be found inside the Internet Explorer directory.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When Logpoint detects the use of workfolders binary to execute other process. Workfolders is a Windows internal binary that provides a consistent way for users to access their work files from their PCs and devices. Adversaries can use this technique to evade defensive countermeasures or to hide as a persistence mechanism.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When wuauclt.exe is used to proxy execute codes. Wuauclt.exe (Windows Update Auto Update Client) is a Microsoft Windows native AutoUpdate Client used to check for available updates from Microsoft Update. Adversaries may abuse wuauclt.exe to camouflage and execute malicious codes.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When a suspicious DLL is executed using wab.exe. Windows Address Book stores addresses, contact details, and e-mail addresses by programs like Outlook. When wab.exe executes, it tries to load DLL pointed by the registry key. But adversaries leverage this functionality to load their custom malicious DLL from a path other than the default by modifying the path pointed by the registry key.

ATT&CK Category: Defense Evasion

ATT&CK Tag: T1564.004 - NTFS File Attributes

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When the execution of either suspicious DLL or unsigned code using dotnet.exe is detected. dotnet.exe is a command line tool for managing .NET source codes and binaries. Adversaries can use it to execute DLL or some unsigned code and can bypass default AppLocker rules. dotnet.exe might trigger false positives if used for penetrating testing or system administration.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When a renamed arbitrary executable is executed using stordiag.exe. stordiag.exe collects storage and file system diagnostic logs and outputs to a folder. Generally, stordiag.exe performs schtasks.exe, systeminfo.exe and fltmc.exe after it is executed. Adversaries can abuse its functionality by copying it into a random folder, renaming the malicious executables as schtasks.exe, systeminfo.exe and fltmc.exe, and running them. It might trigger false positives for legitimate use of stordiag.exe.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When a new child process is spawned via tttracer.exe. Microsoft Time Travel Tracing Tool (Tttracer) is a diagnostic tool to collect time travel traces of given processes. Later, traces are analyzed by Microsoft Support for troubleshooting purposes. Adversaries can use this binary to launch their malicious binary and create a dump of a process.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When loading of time travel debugging utility DLLs are detected. Ttdrecord.dll, ttdwriter.dll and ttdloader.dll are part of a time travel debugging utility. Time Travel Debugging is a tool that captures a trace of a process as it executes and replays it later, forward and backward. DLL adversaries can run other binaries or dump a process by loading.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon

Query:

Trigger Condition: When MSDeploy is used to execute files. Microsoft Deploy (MSDeploy) is a binary that allows users to deploy Web Applications. Adversaries can use this technique to bypass application whitelisting.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When an exploitation attempt of CVE-2022-40684 is detected. CVE-2022-40684 is an authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS, FortiProxy and FortiSwitchManager that may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. Adversaries can use this technique to gain remote access to a system. The affected versions are: FortiOS v7.2.0-7.2.1, FortiOS v7.0.0-7.0.6, FortiProxy v7.2.0, FortiProxy v7.0.0-7.0.6, FortiSwitchManager v7.2.0 and FortiSwitchManager v7.0.0.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Firewall, Proxy Server, Web Server

Query:

Trigger Condition: When the possible use of TE.exe for proxy execution of malicious scripts is detected. TE.exe is a testing tool included with Microsoft Test Authoring and Execution Framework (TAEF). TAEF allows users to run automation by executing test files written in different languages (C, C#, Microsoft COM Scripting interfaces). Adversaries can leverage its functionality to execute malicious codes (such as WSC files with VBScript or DLL) directly by running te.exe. It is not unusual to use te.exe directly to execute legal TAEF tests, so legitimate use can trigger false positives.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows, Windows Sysmon

Query:

Trigger Condition: When proxy execution of malicious payloads via Manage-bde.wsf is detected. Manage-bde.wsf is a BitLocker management script file that is generally used to turn BitLocker, specify unlock mechanisms, update recovery methods and unlock BitLocker-protected data drives. Adversaries can use it for the proxy execution of malicious payloads.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows, Windows Sysmon

Query:

Trigger Condition: When proxy execution of PowerShell code via Microsoft signed script CL_Mutexverifiers.ps1 is detected. Adversaries can execute payloads via runAfterCancelProcess in CL_Mutexverifiers.ps1 module. Script block logging must have been enabled for the alert to work.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows

Query:

Trigger Condition: When OfflineScannerShell.exe is executed from a folder other than the default. Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. Adversaries can use OfflineScannerShell.exe to execute the mpclient.dll library in the current working directory and execute arbitrary codes.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows

Query:

Trigger Condition: When DLL loading through AccCheckConsole binary is detected. AccCheckConsole is a command-line tool for verifying the accessibility implementation of your application’s UI. Adversaries can use this technique to load their malicious DLL.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When proxy execution of binaries via appvlp.exe is detected. Appvlp, also known as Application Virtualization Utility, is included with Microsoft Office 2016, which makes applications available to end-user computers without having to install applications directly on those computers. Adversaries can use this technique to bypass process or signature-based defenses by proxying the execution of malicious content with signed or otherwise trusted binaries.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When the use of UtilityFunctions script to execute a managed DLL is detected. UtilityFunctions is one of several powershell scripts from Microsoft for diagnostic and maintenance work. Adversaries can use this technique to proxy execute malicious files.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When squirrel.exe is run via using arguments download, update and updateRoolback arguments. Squirrel.exe is a binary to update the existing installed NuGet or squirrel package. NuGet is a package manager designed to enable developers to share reusable code. Adversaries can use this technique to download and execute malicious NuGet package.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When the execution of binaries from a suspicious folder is detected. Paths mentioned in the lists are not Windows default paths from where native and internal binaries are executed. Adversaries may attempt to masquerade their payload as legitimate binaries and execute from non-default paths to avoid detection. Legitimate binaries executed from those paths can trigger an alert, so include those binaries in the excluded process list.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon, Windows

Query:

Trigger Condition: When the creation of a new script file by those applications which should not create one such as office applications, Wordpad. Script files contain a set of instructions or commands and are executed by a script interpreter or runtime environment. Adversaries can use this technique to drop their payload in the system and execute it.

ATT&CK Category: -

ATT&CK Tag: -

Minimum Log Source Requirement: Windows Sysmon

Query: