MITRE

M1048 Application Isolation and Sandboxing

M1042 Disable or Remove Feature or Program

M1050 Exploit Protection

M1030 Network Segmentation

M1026 Privileged Account Management

M1019 Threat Intelligence Program

M1051 Update Software

M1016 Vulnerability Scanning

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Network intrusion detection systems and email gateways usually do not scan internal email, but an organization can leverage the journaling-based solution which sends a copy of emails to a security service for offline analysis or incorporate service-integrated solutions using on-premise or API-based integrations to help detect internal spearphishing attacks.

M1037 Filter Network Traffic

M1031 Network Intrusion Prevention

Monitor for file creation and files transferred within a network using protocols such as SMB. Unusual processes with internal network connections creating files on-system may be suspicious. Consider monitoring for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files. Considering monitoring for alike file hashes or characteristics (ex: filename) that are created on multiple hosts

T1563.001 SSH Hijacking

T1563.002 RDP Hijacking

M1042 Disable or Remove Feature or Program

M1030 Network Segmentation

M1026 Privileged Account Management

M1018 User Account Management

Use of these services may be legitimate, depending upon the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with that service. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. Monitor for processes and command-line arguments associated with hijacking service sessions.

T1021.001 Remote Desktop Protocol

T1021.002 SMB/Windows Admin Shares

T1021.003 Distributed Component Object Model

T1021.004 SSH

T1021.005 VNC

T1021.006 Windows Remote Management

M1032 Multi-factor Authentication

M1018 User Account Management

Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement.

M1042 Disable or Remove Feature or Program

M1034 Limit Hardware Installation

Monitor file access on removable media. Detect processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery.

M1015 Active Directory Configuration

M1032 Multi-factor Authentication

M1030 Network Segmentation

M1027 Password Policies

M1026 Privileged Account Management

M1029 Remote Data Storage

M1051 Update Software

M1018 User Account Management

M1017 User Training

Detection methods will vary depending on the type of third-party software or system and how it is typically used. The same investigation process can be applied here as with other potentially malicious activities where the distribution vector is initially unknown but the resulting activity follows a discernible pattern. Analyze the process execution trees, historical activities from the third-party application (such as what types of files are usually pushed), and the resulting activities or events from the file/binary/script pushed to systems. Often these third-party applications will have logs of their own that can be collected and correlated with other data from the environment. Ensure that third-party application logs are on-boarded to the enterprise logging system and the logs are regularly reviewed. Audit software deployment logs and look for suspicious or unauthorized activity. A system not typically used to push software to clients that suddenly is used for such a task outside of a known admin function may be suspicious. Monitor account login activity on these applications to detect suspicious/abnormal usage. Perform application deployment at regular times so that irregular deployment activity stands out. Monitor process activity that does not correlate to known good software. Monitor account login activity on the deployment system.

M1038 Execution Prevention

M1050 Exploit Protection

M1022 Restrict File and Directory Permissions

Processes that write or overwrite many files to a network shared directory may be suspicious. Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques. Frequently scan shared network directories for malicious files, hidden files, .LNK files, and other file types that may not typical exist in directories used to share specific types of content.

T1550.001 Application Access Token

T1550.002 Pass the Hash

T1550.003 Pass the Ticket

T1550.004 Web Session Cookie

M1026 Privileged Account Management

M1018 User Account Management

Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.[4] Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access)

T1087.001 Local Account

T1087.002 Domain Account

T1087.003 Email Account

T1087.004 Cloud Account

M1028 Operating System Configuration

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. Monitor for processes that can be used to enumerate user accounts, such as net.exe and net1.exe, especially when executed in quick succession.[4]

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Monitor processes and command-line arguments for actions that could be taken to gather browser bookmark information. Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as Windows Management Instrumentation and PowerShell. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.

M1018 User Account Management

Establish centralized logging for the activity of cloud infrastructure components. Monitor logs for actions that could be taken to gather information about cloud infrastructure, including the use of discovery API calls by new or unexpected users. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.

M1018 User Account Management

Monitor account activity logs to see actions performed and activity associated with the cloud service management console. Some cloud providers, such as AWS, provide distinct log events for login attempts to the management console.[2]

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.

T1595.001 Scanning IP Blocks

T1595.002 Vulnerability Scanning

M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields. Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

T1592.001 Hardware

T1592.002 Software

T1592.003 Firmware

T1592.004 Client Configurations

M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

T1589.001 Credentials

T1589.002 Email Addresses

T1589.003 Employee Names

M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

T1590.001 Domain Properties

T1590.002 DNS

T1590.003 Network Trust Dependencies

T1590.004 Network Topology

T1590.005 IP Addresses

T1590.006 Network Security Appliances

M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

T1591.001 Determine Physical Locations

T1591.002 Business Relationships

T1591.003 Identify Business Tempo

T1591.004 Identify Roles

M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

T1598.001 Spearphishing Service

T1598.002 Spearphishing Attachment

T1598.003 Spearphishing Link

M1054 Software Configuration

M1017 User Training

Depending on the specific method of phishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. When it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites. Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).

T1597.001 Threat Intel Vendors

T1597.002 Purchase Technical Data

M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

T1596.001 DNS/Passive DNS

T1596.002 WHOIS

T1596.003 Digital Certificates

T1596.004 CDNs

T1596.005 Scan Databases

M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

T1593.001 Social Media

T1593.002 Search Engines

M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.

T1583.001 Domains

T1583.002 DNS Server

T1583.003 Virtual Private Server

T1583.004 Server

T1583.005 Botnet

T1583.006 Web Services

M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. Much of this activity may take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

T1586.001 Social Media Accounts

T1586.002 Email Accounts

M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).

T1584.001 Domains

T1584.002 DNS Server

T1584.003 Virtual Private Server

T1584.004 Server

T1584.005 Botnet

T1584.006 Web Services

M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).

T1587.001 Malware

T1587.002 Code Signing Certificates

T1587.003 Digital Certificates

T1587.004 Exploits

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.

T1585.001 Social Media Accounts

T1585.002 Email Accounts

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).

T1588.001 Malware

T1588.002 Tool

T1588.003 Code Signing Certificates

T1588.004 Digital Certificates

T1588.005 Exploits

T1588.006 Vulnerabilities

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).

T1608.001 Upload Malware

T1608.002 Upload Tool

T1608.003 Install Digital Certificate

T1608.004 Drive-by Target

T1608.005 Link Target

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Phishing).

T1548.001 Setuid and Setgid

T1548.002 Bypass User Account Control

T1548.003 Sudo and Sudo Caching

T1548.004 Elevated Execution with Prompt

M1047 Audit

M1038 Execution Prevention

M1028 Operating System Configuration

M1026 Privileged Account Management

M1022 Restrict File and Directory Permissions

M1052 User Account Control

T1134.001 Token Impersonation/Theft

T1134.002 Create Process with Token

T1134.003 Make and Impersonate Token

T1134.004 Parent PID Spoofing

T1134.005 SID-History Injection

M1026 Privileged Account Management

M1018 User Account Management

If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows. If an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. There are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., LogonUser [18], DuplicateTokenEx[19], and ImpersonateLoggedOnUser[20]). Please see the referenced Windows API pages for more information. Query systems for process and thread token information and look for inconsistencies such as user owns processes impersonating the local SYSTEM account. Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.

T1547.001 Registry Run Keys / Startup Folder

T1547.002 Authentication Package

T1547.003 Time Providers

T1547.004 Winlogon Helper DLL

T1547.005 Security Support Provider

T1547.006 Kernel Modules and Extensions

T1547.007 Re-opened Applications

T1547.008 LSASS Driver

T1547.009 Shortcut Modification

T1547.010 Port Monitors

T1547.011 Plist Modification

T1547.012 Print Processors

T1547.013 XDG Autostart Entries

T1547.014 Active Setup

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features

Monitor for additions or modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. Look for changes that are not correlated with known updates, patches, or other planned administrative activity. Tools such as Sysinternals Autoruns may also be used to detect system autostart configuration changes that could be attempts at persistence.[7] Changes to some autostart configuration settings may happen under normal conditions when legitimate software is installed. Suspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data.To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Monitor for abnormal usage of utilities and command-line parameters involved in kernel modification or driver installation.

T1037.001 Logon Script (Windows)

T1037.002 Logon Script (Mac)

T1037.003 Network Logon Script

T1037.004 RC Scripts

T1037.005 Startup Items

M1022 Restrict File and Directory Permissions

M1024 Restrict Registry Permissions

Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.

T1543.001 Launch Agent

T1543.002 Systemd Service

T1543.003 Windows Service

T1543.004 Launch Daemon

M1047 Audit

M1033 Limit Software Installation

M1022 Restrict File and Directory Permissions

M1018 User Account Management

Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline. New, benign system processes may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. Command-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Monitor for changes to files associated with system-level processes.

T1484.001 Group Policy Modification

T1484.002 Domain Trust Modification

M1047 Audit

M1026 Privileged Account Management

M1018 User Account Management

It may be possible to detect domain policy modifications using Windows event logs. Group policy modifications, for example, may be logged under a variety of Windows event IDs for modifying, creating, undeleting, moving, and deleting directory service objects (Event ID 5136, 5137, 5138, 5139, 5141 respectively). Monitor for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.[8][9] This may also include monitoring for Event ID 307 which can be correlated to relevant Event ID 510 with the same Instance ID for change details. Consider monitoring for commands/cmdlets and command-line arguments that may be leveraged to modify domain policy settings.[12] Some domain policy modifications, such as changes to federation settings, are likely to be rare.[9]

M1048 Application Isolation and Sandboxing

M1038 Execution Prevention

M1026 Privileged Account Management

Monitor for the deployment of suspicious or unknown container images and pods in your environment, particularly containers running as root. Additionally, monitor for unexpected usage of syscalls such as mount (as well as resulting process activity) that may indicate an attempt to escape from a privileged container to host. In Kubernetes, monitor for cluster-level events associated with changing containers' volume configurations.

T1546.001 Change Default File Association

T1546.002 Screensaver

T1546.003 Windows Management Instrumentation Event Subscription

T1546.004 Unix Shell Configuration Modification

T1546.005 Trap

T1546.006 LC_LOAD_DYLIB Addition

T1546.007 Netsh Helper DLL

T1546.008 Accessibility Features

T1546.009 AppCert DLLs

T1546.010 AppInit DLLs

T1546.011 Application Shimming

T1546.012 Image File Execution Options Injection

T1546.013 PowerShell Profile

T1546.014 Emond

T1546.015 Component Object Model Hijacking

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Monitoring for additions or modifications of mechanisms that could be used to trigger event-based execution, especially the addition of abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network. Also look for changes that do not line up with updates, patches, or other planned administrative activity. These mechanisms may vary by OS, but are typically stored in central repositories that store configuration information such as the Windows Registry, Common Information Model (CIM), and/or specific named files, the last of which can be hashed and compared to known good values. Monitor for processes, API/System calls, and other common ways of manipulating these event repositories. Tools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques. Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement.

M1048 Application Isolation and Sandboxing

M1038 Execution Prevention

M1050 Exploit Protection

M1019 Threat Intelligence Program

M1051 Update Software

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution or evidence of Discovery. Consider monitoring for the presence or loading (ex: Sysmon Event ID 6) of known vulnerable drivers that adversaries may drop and exploit to execute code in kernel mode. Higher privileges are often necessary to perform additional actions such as some methods of OS Credential Dumping. Look for additional activity that may indicate an adversary has gained higher privileges.

T1574.001 DLL Search Order Hijacking

T1574.002 DLL Side-Loading

T1574.004 Dylib Hijacking

T1574.005 Executable Installer File Permissions Weakness

T1574.006 Dynamic Linker Hijacking

T1574.007 Path Interception by PATH Environment Variable

T1574.008 Path Interception by Search Order Hijacking

T1574.009 Path Interception by Unquoted Path

T1574.010 Services File Permissions Weakness

T1574.011 Services Registry Permissions Weakness

T1574.012 COR_PROFILER

M1013 Application Developer Guidance

M1047 Audit

M1038 Execution Prevention

M1022 Restrict File and Directory Permissions

M1044 Restrict Library Loading

M1024 Restrict Registry Permissions

M1051 Update Software

M1052 User Account Control

M1018 User Account Management

Monitor file systems for moving, renaming, replacing, or modifying DLLs. Changes in the set of DLLs that are loaded by a process (compared with past behavior) that do not correlate with known software, patches, etc., are suspicious. Monitor DLLs loaded into a process and detect DLLs that have the same file name but abnormal paths. Modifications to or creation of .manifest and .local redirection files that do not correlate with software updates are suspicious. Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data. Monitor for changes to environment variables, as well as the commands to implement these changes. Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so, abnormal process call trees). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. [12] Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.

T1055.001 Dynamic-link Library Injection

T1055.002 Portable Executable Injection

T1055.003 Thread Execution Hijacking

T1055.004 Asynchronous Procedure Call

T1055.005 Thread Local Storage

T1055.008 Ptrace System Calls

T1055.009 Proc Memory

T1055.011 Extra Window Memory Injection

T1055.012 Process Hollowing

T1055.013 Process Doppelgänging

T1055.014 VDSO Hijacking

M1040 Behavior Prevention on Endpoint

M1026 Privileged Account Management

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique. Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods. Monitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules. Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.

T1053.001 At (Linux)

T1053.002 At (Windows)

T1053.003 Cron

T1053.004 Launchd

T1053.005 Scheduled Task

T1053.006 Systemd Timers

T1053.007 Container Orchestration Job

M1047 Audit

M1028 Operating System Configuration

M1026 Privileged Account Management

M1018 User Account Management

Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

T1078.001 Default Accounts

T1078.002 Domain Accounts

T1078.003 Local Accounts

T1078.004 Cloud Accounts

M1013 Application Developer Guidance

M1027 Password Policies

M1026 Privileged Account Management

Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. [52] Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.