Detection Template
schema: v1
enabled: true
uuid: "********-****-****-****-************" # python -c 'import uuid; print(uuid.uuid4())'
version: "1.0.0" # https://semver.org
title: "XXXX"
severity: "low | medium | high"
description: |
## Summary
WRITE A SHORT SUMMARY ABOUT THE ATTACK
HOW THE DETECTION TIRES TO CATCH IT
ANY ENRICHMENT THAT OCCURS
ANY FALSE POSITIVE MINIMIZATION STEPS
The following report contains all activities related to XXXXX.
An adversary may execute this attack by
1. XXXXX
2. XXXXX
3. XXXXX
This detection tries to catch the attack by
1. XXXXX
2. XXXXX
3. XXXXX
## Considerations
DESCRIBE WHAT HAS TO BE KEPT IN MIND BY THE RESPONDER WHEN HANDLING THE CASE
DESCRIBE ANY ASSUMPTIONS MADE DURING THE DETECTION DEVELOPMENT
## Blind Spots
DESCRIBE WHAT HAD TO BE EXCLUDED FROM THE DETECTION AND WHY
## False Positives
DESCRIBE HOW FALSE POSITIVES USUALLY OCCUR WITH THIS DETECTION
## Response Plan
### Triage
- Open a case from the alert(s)
- Determine **when** the action happened by checking the `Timestamp` field
- Determine **who** is the user responsible for the action through the `AccountName` field
- Determine **where** this action has taken place through the `DeviceName` field
- Close case, describe why and add whitelisting suggestion if you observe previously "false positive" closed cases from the same detection; either on the same machine or by the same user or both
- If none of the above applies, escalate
### Investigation
- Determine **what** has been XXXXX using the `XXXXX` field(s)
1. Check if the process chain has any unusual discrepancies
2. Check if the file is signed and by whom
3. Check the file's prevalency
4. Check the file's hash is on VirusTotal
5. If there are hits on VT, or it's not indexed, acquire the file and analyse it using the Sandbox or Malware Lab
- If none of the above steps lead to a resolution that can be considered "false positive", respond!
### Response
- Determine **why** the operation was needed by the user by
1. Checking for any support tickets or other references explaining the activity
2. Contacting the user, but keep in mind that they're user might be compromised
- Contain the threat
- Expand the investigation to other endpoints if necessary
- Expand the detection if necessary
- Whitelist if needed
references:
- "https://wiki.tillstuder.com/pages/this-is-a-dummy-link-to-the-detections-research-article"
- "https://www.221bluestreet.com/offensive-security/windows-components-object-model/com-hijacking-t1546.015"
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"
tags:
- "mitre/attack/tactics/TA0004"
- "mitre/attack/tactics/TA0003"
- "mitre/attack/techniques/T1546.015"
- "mitre/attack/datasources/DS0024"
- "mitre/defend/technique/D3-PA"
- "mitre/defend/technique/D3-FA"
- "mitre/defend/doa/ExecutableBinary"
- "mitre/defend/doa/WindowsRegistry"
- "platform/windows"
- "requester/redteam"
- "author/TillStuder"
offensive_tests:
- "********-****-****-****-************" # This UUID is a reference to the offensive procedure / unit test which causes the alert to fire. The actual content is stored in the Adversary Emulation Platform.
detection_query:
language: "Kusto"
platform: "AdvancedHunting"
scheduling: "*/5 * * * *" # https://crontab.guru/
query_variables:
- LOOKBACK-PERIOD: "5min"
- TEST-SERVER-HOSTNAME: "TillStuderPurpleBox"
object_mapping:
- user-id: "{AccountName}"
column_mapping:
- AccountName: "UserID"
data_sources:
- "mde:DeviceRegistryEvents"
output_columns: [Timestamp, DeviceName, AccountName]
output_plugin: md
query: |
// ///////////////////////////////////////////////////////////////////////////
// This is just a dummy query with some rough guidelines and handy commands for detection development/maintenance
// ///////////////////////////////////////////////////////////////////////////
let selectedEventTimestamp = datetime(2023-02-09T07:55:06.0000000Z);
search in (*)
Timestamp > ago(${LOOKBACK-PERIOD})
// Timestamp > selectedEventTimestamp
// Timestamp between ((selectedEventTimestamp - 60sec) .. (selectedEventTimestamp + 60sec))
| where * contains "${TEST-SERVER-HOSTNAME}"
// Detection Logic
// False Positive Allowlisting
// Filtering and Sorting
| sort by DeviceName, Timestamp desc
| project-reorder Timestamp, DeviceName, AccountName
// ///////////////////////////////////////////////////////////////////////////
// Handy Commands:
// | summarize percentiles(Count, 5, 50, 95)
// | evaluate autocluster()
// | evaluate basket()
// | top-hitters 25 of DeviceId
// | distinct DeviceId
// | top-nested 15 of ProcessVersionInfoOriginalFileName by count(),
// top-nested 15 of InitiatingProcessVersionInfoOriginalFileName by count(),
// top-nested 15 of InitiatingProcessParentFileName by count()
// ActionType Distribution:
// | summarize count() by ActionType
// | sort by count_
// | render piechart
// Alert Distribution over Time:
// | summarize count() by bin(Timestamp, 1d)
// | sort by count_
// | render timechart
For an example of the above template, check out: WMIC WinRM LOLBin Execution by Provider Host
For defining the severity, check out: Alert Prioritization Framework
For the response plan, check out Alert Triage
For tagging, check out these useful links/tools:
- https://attack.mitre.org/tactics/
- https://attack.mitre.org/techniques/
- https://attack.mitre.org/datasources/
- https://d3fend.mitre.org/technique/
- https://d3fend.mitre.org/dao/artifact/
- https://d3fend.mitre.org/tools/attack-extractor/
- https://d3fend.mitre.org/tools/d3fend-extractor/
- https://d3fend.mitre.org/tools/artifact-extractor/
- https://dfiq.org/questions/
Relevant Note(s):
Footnotes
-
https://github.com/FalconForceTeam/FalconForge/blob/main/docs/usecase-format.md ↩
-
https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md#rule-metadata ↩
-
https://github.com/SigmaHQ/sigma/blob/master/sigma-schema.rx.yml ↩
-
https://blog.palantir.com/alerting-and-detection-strategy-framework-52dc33722df2 ↩
-
https://medium.com/@logcraft/how-to-version-detection-rules-2367f1852aab ↩