├── .github
    └── workflows
    │   ├── build.yml
    │   └── delete-preview.yml
├── .gitignore
├── CONTRIBUTING.md
├── LICENSE
├── Makefile
├── README.md
├── docs
    ├── _static
    │   ├── 1atm_capability_abstraction.png
    │   ├── 1pyramid_breakdown_pt1.png
    │   ├── 1pyramid_breakdown_pt2_revised.png
    │   ├── Summit_the_Pyramid_12.11.2024.png
    │   ├── adfind_analytic.png
    │   ├── adfind_example.png
    │   ├── adfind_improved.png
    │   ├── analysis_archive_chain.png
    │   ├── analysis_archive_tech.png
    │   ├── analysis_domain.png
    │   ├── analysis_filedir.png
    │   ├── analysis_lsass.png
    │   ├── archive-collected-data-flow.png
    │   ├── atm_tests.png
    │   ├── capability_abstraction_specterops.png
    │   ├── context_archive.png
    │   ├── context_categories.png
    │   ├── context_domain.png
    │   ├── context_flow_chart.png
    │   ├── context_lsass.png
    │   ├── css
    │   │   └── ctid.css
    │   ├── ctid_logo_white.png
    │   ├── d3_credentialdumping_basic.png
    │   ├── d3_credentialdumping_grantedaccess.png
    │   ├── d3_credentialdumping_targetimage.png
    │   ├── d3_passwordguessing_basic.png
    │   ├── d3_passwordguessing_errorcode.png
    │   ├── d3_scheduledtasks_4698.png
    │   ├── d3_scheduledtasks_4698filter.png
    │   ├── d3_scheduledtasks_basic.png
    │   ├── d3_scheduledtasks_filename.png
    │   ├── deep_dive_filedir.png
    │   ├── deepdive_domain.png
    │   ├── deepdive_lsass.png
    │   ├── detectioncomponents_hash.png
    │   ├── detectioncomponents_registry.png
    │   ├── detectionselection_credentialdumping_accurate.png
    │   ├── detectionselection_precise.png
    │   ├── domain_account_discovery_flow.png
    │   ├── eid4698.png
    │   ├── enabling_audit_object_access.png
    │   ├── event_robustness_table_revised.png
    │   ├── favicon.ico
    │   ├── file-directory-discovery-flow.png
    │   ├── flowchart_updated.png
    │   ├── funneloffidelity.png
    │   ├── js
    │   │   └── ctid.js
    │   ├── lsass-memory-flow.png
    │   ├── new_service_capability_abstraction.png
    │   ├── peripheral.png
    │   ├── pipes_2Dmodel_09122023_revised.png
    │   ├── pipes_collectionsource_08022023.PNG
    │   ├── pipes_condition.png
    │   ├── pipes_level1_07052023.png
    │   ├── pyramid_breakdown_revised.png
    │   ├── pyramid_of_pain.png
    │   ├── robustdetection_analyticoptions.png
    │   ├── robustdetection_eventplacement.png
    │   ├── robustnessscore_credentialdumping.png
    │   ├── robustnessscore_scheduledtasks.png
    │   ├── scheduled_task_capability_abstraction.png
    │   ├── scheduled_task_capability_abstraction_markedup.png
    │   ├── scoringanalytic_filter.png
    │   ├── scoringanalytic_finalscore.png
    │   ├── splunkquery_sourceuser.png
    │   ├── summit_level1_revised.png
    │   ├── summit_level5_revised.PNG
    │   ├── summitingmodel_hostbased_blank.png
    │   ├── summitingmodel_network_blank.png
    │   ├── sysmon_eventid11_schtasks.png
    │   ├── sysmon_reg_create_scheduled_task.png
    │   ├── technique.png
    │   ├── techniquemapping_http.png
    │   ├── techniquemapping_lsass.png
    │   ├── techniquemapping_rpc.png
    │   ├── techniquemapping_scheduledtasks.png
    │   ├── techniquemapping_webdav_endpoint.png
    │   ├── techniquemapping_webdav_network.png
    │   └── tie_scheduledtasks.png
    ├── _templates
    │   ├── footer.html
    │   ├── header.html
    │   ├── layout.html
    │   ├── searchbox.html
    │   └── source-buttons.html
    ├── analytics
    │   ├── ScoredAnalytics_05062025.csv
    │   ├── ScoredAnalytics_12062024.csv
    │   ├── access_token_manipulation.rst
    │   ├── adfind.rst
    │   ├── amsi_evasion.rst
    │   ├── analytic.rst.template
    │   ├── archive_collected_data.rst
    │   ├── bloodhound.rst
    │   ├── domain_account_discovery.rst
    │   ├── executable_download_webdav.rst
    │   ├── file_creation_date.rst
    │   ├── file_directory_discovery.rst
    │   ├── index.rst
    │   ├── link_download_webdav.rst
    │   ├── lsass_memory.rst
    │   ├── remote_registry.rst
    │   ├── service_registry_permissions_weakness_check.rst
    │   ├── task_scheduling.rst
    │   └── zeek_dce_rpc.rst
    ├── chaining.rst
    ├── changelog.rst
    ├── combiningobservables.rst
    ├── conf.py
    ├── context.rst
    ├── definitions.rst
    ├── detection-components.rst
    ├── detection-diagram.rst
    ├── examplemappings.rst
    ├── extra
    │   └── .gitignore
    ├── index.rst
    ├── introduction.rst
    ├── levels
    │   ├── adversary_tool.rst
    │   ├── application.rst
    │   ├── ephemeral.rst
    │   ├── header.rst
    │   ├── implementations.rst
    │   ├── index.rst
    │   ├── kernel-mode.rst
    │   ├── payload.rst
    │   ├── preexisting_tool.rst
    │   ├── quicklevels.rst
    │   ├── technique.rst
    │   └── user-mode.rst
    ├── overview.rst
    ├── robustdetection.rst
    └── scoringanalytic.rst
├── poetry.lock
└── pyproject.toml


/.github/workflows/build.yml:
--------------------------------------------------------------------------------
 1 | name: Build
 2 | 
 3 | on:
 4 |   push:
 5 |     branches: [main]
 6 |   pull_request:
 7 | 
 8 | permissions:
 9 |   contents: read
10 |   pages: write
11 |   id-token: write
12 |   pull-requests: write
13 | 
14 | jobs:
15 |   docs:
16 |     runs-on: ubuntu-latest
17 | 
18 |     steps:
19 |       - uses: actions/checkout@v4
20 |       - uses: actions/setup-python@v4
21 |         with:
22 |           python-version: '3.10'
23 |       - name: Update APT
24 |         run: sudo apt update
25 |       - name: Install Poetry
26 |         run: curl -sSL https://install.python-poetry.org/ | python -
27 |       - name: Add Poetry to PATH
28 |         run: echo "$HOME/.poetry/bin" >> $GITHUB_PATH
29 |       - name: Install dependencies
30 |         run: poetry install
31 |       - name: Build HTML docs
32 |         run: poetry run sphinx-build -M dirhtml docs docs/_build -W --keep-going
33 |       - name: Upload HTML docs
34 |         uses: actions/upload-artifact@v4
35 |         with:
36 |           name: summiting_the_pyramid_docs_html
37 |           path: docs/_build/dirhtml/
38 |                 
39 |   github_pages:
40 |     # This job only runs when committing or merging to main branch.
41 |     if: github.ref_name == 'main'
42 |     needs: docs
43 |     runs-on: ubuntu-latest
44 |     environment:
45 |       name: github-pages
46 |       url: ${{ steps.deployment.outputs.page_url }}
47 | 
48 |     steps:
49 |     - name: Setup Pages
50 |       uses: actions/configure-pages@v5
51 |     - name: Download HTML docs
52 |       uses: actions/download-artifact@v4
53 |       with:
54 |         name: summiting_the_pyramid_docs_html
55 |         path: docs
56 |     - name: Upload artifact
57 |       uses: actions/upload-pages-artifact@v3
58 |       with:
59 |         path: ./docs
60 |     - name: Deploy to GitHub Pages
61 |       id: deployment
62 |       uses: actions/deploy-pages@v4
63 | 


--------------------------------------------------------------------------------
/.github/workflows/delete-preview.yml:
--------------------------------------------------------------------------------
 1 | name: Delete Preview Build
 2 | 
 3 | on:
 4 |   pull_request:
 5 |     types: [closed]
 6 | 
 7 | permissions:
 8 |   contents: read
 9 |   id-token: write
10 |   pages: write
11 |   pull-requests: write
12 | 
13 | jobs:
14 |   azure_blob:
15 |     runs-on: ubuntu-latest
16 |     env:
17 |       AZURE_STORAGE_ACCOUNT: ctidflow
18 |       AZURE_STORAGE_SAS_TOKEN: ${{ secrets.AZURE_SAS_TOKEN }}
19 |       BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
20 |     steps:
21 |       - name: Install Azure CLI
22 |         run: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
23 |       - name: Delete old blobs
24 |         run: az storage blob delete-batch -s '$web' --pattern "$BRANCH_NAME/*"
25 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | # Byte-compiled / optimized / DLL files
  2 | __pycache__/
  3 | *.py[cod]
  4 | *$py.class
  5 | 
  6 | # C extensions
  7 | *.so
  8 | 
  9 | # Distribution / packaging
 10 | .Python
 11 | build/
 12 | develop-eggs/
 13 | dist/
 14 | downloads/
 15 | eggs/
 16 | .eggs/
 17 | lib/
 18 | lib64/
 19 | parts/
 20 | sdist/
 21 | var/
 22 | wheels/
 23 | pip-wheel-metadata/
 24 | share/python-wheels/
 25 | *.egg-info/
 26 | .installed.cfg
 27 | *.egg
 28 | MANIFEST
 29 | 
 30 | # PyInstaller
 31 | #  Usually these files are written by a python script from a template
 32 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
 33 | *.manifest
 34 | *.spec
 35 | 
 36 | # Installer logs
 37 | pip-log.txt
 38 | pip-delete-this-directory.txt
 39 | 
 40 | # Unit test / coverage reports
 41 | htmlcov/
 42 | .tox/
 43 | .nox/
 44 | .coverage
 45 | .coverage.*
 46 | .cache
 47 | nosetests.xml
 48 | coverage.xml
 49 | *.cover
 50 | *.py,cover
 51 | .hypothesis/
 52 | .pytest_cache/
 53 | 
 54 | # Translations
 55 | *.mo
 56 | *.pot
 57 | 
 58 | # Django stuff:
 59 | *.log
 60 | local_settings.py
 61 | db.sqlite3
 62 | db.sqlite3-journal
 63 | 
 64 | # Flask stuff:
 65 | instance/
 66 | .webassets-cache
 67 | 
 68 | #MacOS
 69 | .DS_Store
 70 | 
 71 | # Scrapy stuff:
 72 | .scrapy
 73 | 
 74 | # Sphinx documentation
 75 | docs/_build/
 76 | 
 77 | # PyBuilder
 78 | target/
 79 | 
 80 | # Jupyter Notebook
 81 | .ipynb_checkpoints
 82 | 
 83 | # PyCharm
 84 | .idea/
 85 | 
 86 | # IPython
 87 | profile_default/
 88 | ipython_config.py
 89 | 
 90 | # pyenv
 91 | .python-version
 92 | 
 93 | # pipenv
 94 | #   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
 95 | #   However, in case of collaboration, if having platform-specific dependencies or dependencies
 96 | #   having no cross-platform support, pipenv may install dependencies that don't work, or not
 97 | #   install all needed dependencies.
 98 | #Pipfile.lock
 99 | 
100 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow
101 | __pypackages__/
102 | 
103 | # Celery stuff
104 | celerybeat-schedule
105 | celerybeat.pid
106 | 
107 | # SageMath parsed files
108 | *.sage.py
109 | 
110 | # Environments
111 | .env
112 | .venv
113 | env/
114 | venv/
115 | ENV/
116 | env.bak/
117 | venv.bak/
118 | 
119 | # Spyder project settings
120 | .spyderproject
121 | .spyproject
122 | 
123 | # Rope project settings
124 | .ropeproject
125 | 
126 | # mkdocs documentation
127 | /site
128 | 
129 | # mypy
130 | .mypy_cache/
131 | .dmypy.json
132 | dmypy.json
133 | 
134 | # Pyre type checker
135 | .pyre/
136 | 
137 | #VSCode
138 | .vscode/
139 | 
140 | # Virtualenv
141 | stp_github_venv/
142 | 
143 | # Makefile
144 | Makefile
145 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contribute
 2 | 
 3 | ## How to contribute
 4 | 
 5 | Thanks for contributing to Summiting the Pyramid!
 6 | 
 7 | You are welcome to comment on issues, open new issues, and open pull requests.
 8 | 
 9 | Pull requests should target the **main** branch of the repository.
10 | 
11 | Also, if you contribute any source code, we need you to agree to the following Developer's Certificate of
12 | Origin below.
13 | 
14 | ## Reporting Issues
15 | 
16 | * Describe (in detail) what should have happened. Include any supporting information that may be helpful in
17 |   resolving the issue.
18 | 
19 | * Be sure to include any steps to replicate the issue.
20 | 
21 | ### Developer's Certificate of Origin v1.1
22 | 
23 | ```
24 | By making a contribution to this project, I certify that:
25 | 
26 | (a) The contribution was created in whole or in part by me and I
27 |  have the right to submit it under the open source license
28 |  indicated in the file; or
29 | 
30 | (b) The contribution is based upon previous work that, to the best
31 |  of my knowledge, is covered under an appropriate open source
32 |  license and I have the right under that license to submit that
33 |  work with modifications, whether created in whole or in part
34 |  by me, under the same open source license (unless I am
35 |  permitted to submit under a different license), as indicated
36 |  in the file; or
37 | 
38 | (c) The contribution was provided directly to me by some other
39 |  person who certified (a), (b) or (c) and I have not modified
40 |  it.
41 | 
42 | (d) I understand and agree that this project and the contribution
43 |  are public and that a record of the contribution (including all
44 |  personal information I submit with it, including my sign-off) is
45 |  maintained indefinitely and may be redistributed consistent with
46 |  this project or the open source license(s) involved.
47 | ```
48 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | #
 2 | # See `make help` for a list of all available commands.
 3 | #
 4 | 
 5 | SOURCEDIR = docs/
 6 | BUILDDIR = docs/_build/
 7 | .DEFAULT_GOAL := help
 8 | 
 9 | .PHONY: help
10 | help:
11 | 	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' | sort
12 | 
13 | .PHONY: clean
14 | clean: ## Clean build artifacts and generated files
15 | 	find . -name '*.pyc' -delete
16 | 	find . -name '__pycache__' -type d -delete
17 | 
18 | .PHONY: docs
19 | docs: ## Build Sphinx HTML documentation
20 | 	sphinx-build -M dirhtml "$(SOURCEDIR)" "$(BUILDDIR)"
21 | 
22 | .PHONY: docs-server
23 | docs-server: ## Run Sphinx build server
24 | 	sphinx-autobuild -b dirhtml -a "$(SOURCEDIR)" "$(BUILDDIR)"
25 | 
26 | 
27 | .PHONY: docs-pdf
28 | docs-pdf: ## Build Sphinx PDF documentation
29 | 	poetry export --dev --without-hashes -f requirements.txt -o docs/requirements.txt
30 | 	docker run --rm -v "$(PWD)/docs":/docs sphinxdoc/sphinx-latexpdf:4.3.1 \
31 | 			bash -c "pip install -r requirements.txt && sphinx-build -M latexpdf /docs /docs/_build"
32 | 	rm docs/requirements.txt
33 | 
34 | .PHONY: test
35 | test: ## Run tests
36 | 	pytest --cov=src/ --cov-report=term-missing
37 | 
38 | 
39 | .PHONY: test-ci
40 | test-ci: ## Run tests (with XML coverage report)
41 | 	pytest --cov=src/ --cov-report=xml
42 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | [![build](https://github.com/center-for-threat-informed-defense/summiting-the-pyramid/actions/workflows/build.yml/badge.svg)](https://github.com/center-for-threat-informed-defense/summiting-the-pyramid/actions/workflows/build.yml)
 2 | 
 3 | <!--
 4 | When updating README.md, take a look at overview.rst and consider if you should
 5 | make the same updates there.
 6 | -->
 7 | 
 8 | # Summiting the Pyramid
 9 | 
10 | Summiting the Pyramid is a research project focused on engineering cyber analytics to
11 | make adversary evasion more difficult. This project is created and maintained by the
12 | [MITRE Center for Threat-Informed Defense](https://ctid.mitre.org/) in futherance of our
13 | mission to advance the start of the art and and the state of the practice in
14 | threat-informed defense globally. The project is funded by our [research
15 | participants](https://ctid.mitre.org/projects/summiting-the-pyramid/#participants-section).
16 | 
17 | **Table Of Contents:**
18 | 
19 | - [Getting Started](#getting-started)
20 | - [Getting Involved](#getting-involved)
21 | - [Questions and Feedback](#questions-and-feedback)
22 | - [How Do I Contribute?](#how-do-i-contribute)
23 | - [Notice](#notice)
24 | 
25 | ## Getting Started
26 | 
27 | To get started, read the project website. It provides an overview of the goals and
28 | methodologies, defines all the key terms, and contains highly detailed examples.
29 | 
30 | | Resource                                                                                       | Description                                                   |
31 | | ---------------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
32 | | [Project Website](https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/) | Complete documentation for the Summiting the Pyramid project. |
33 | | [Analytics Spreadsheet](docs/analytics/ScoredAnalytics_12062024.csv)                           | A summary of the analytics scored by the project team.        |
34 | 
35 | 
36 | ## Getting Involved
37 | 
38 | There are several ways that you can get involved with this project and help advance
39 | threat-informed defense:
40 | 
41 | - **Review the project model and methodology and tell us what you think.** We welcome
42 |   your feedback on any aspect of the project: from high-level concepts to low-level
43 |   technical details.
44 | - **Create your own analytics and observables.** We encourage you to use the methodology
45 |   to work through analytics or observables and send your results to
46 |   [SigmaHQ](https://github.com/SigmaHQ/sigma) that we can make them available to the
47 |   entire community.
48 | 
49 | ## Questions and Feedback
50 | 
51 | Please submit GitHub issues for any technical questions/concerns or contact
52 | ctid@mitre.org directly for more general inquiries.
53 | 
54 | Also see the guidance for contributors if are you interested in contributing or simply
55 | reporting issues.
56 | 
57 | ## How Do I Contribute?
58 | 
59 | We welcome your feedback and contributions to hel∑
60 | 
61 | ## Notice
62 | 
63 | © 2023, 2024, 2025 MITRE. Approved for public release. Document number(s) CT0078,
64 | CT0128, 25-1550.
65 | 
66 | Licensed under the Apache License, Version 2.0 (the "License"); you may not use this
67 | file except in compliance with the License. You may obtain a copy of the License at
68 | 
69 | http://www.apache.org/licenses/LICENSE-2.0
70 | 
71 | Unless required by applicable law or agreed to in writing, software distributed under
72 | the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
73 | KIND, either express or implied. See the License for the specific language governing
74 | permissions and limitations under the License.
75 | 
76 | This project makes use of ATT&CK®
77 | 
78 | [ATT&CK Terms of Use](https://attack.mitre.org/resources/terms-of-use/)
79 | 


--------------------------------------------------------------------------------
/docs/_static/1atm_capability_abstraction.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/1atm_capability_abstraction.png


--------------------------------------------------------------------------------
/docs/_static/1pyramid_breakdown_pt1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/1pyramid_breakdown_pt1.png


--------------------------------------------------------------------------------
/docs/_static/1pyramid_breakdown_pt2_revised.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/1pyramid_breakdown_pt2_revised.png


--------------------------------------------------------------------------------
/docs/_static/Summit_the_Pyramid_12.11.2024.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/Summit_the_Pyramid_12.11.2024.png


--------------------------------------------------------------------------------
/docs/_static/adfind_analytic.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/adfind_analytic.png


--------------------------------------------------------------------------------
/docs/_static/adfind_example.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/adfind_example.png


--------------------------------------------------------------------------------
/docs/_static/adfind_improved.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/adfind_improved.png


--------------------------------------------------------------------------------
/docs/_static/analysis_archive_chain.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/analysis_archive_chain.png


--------------------------------------------------------------------------------
/docs/_static/analysis_archive_tech.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/analysis_archive_tech.png


--------------------------------------------------------------------------------
/docs/_static/analysis_domain.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/analysis_domain.png


--------------------------------------------------------------------------------
/docs/_static/analysis_filedir.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/analysis_filedir.png


--------------------------------------------------------------------------------
/docs/_static/analysis_lsass.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/analysis_lsass.png


--------------------------------------------------------------------------------
/docs/_static/archive-collected-data-flow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/archive-collected-data-flow.png


--------------------------------------------------------------------------------
/docs/_static/atm_tests.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/atm_tests.png


--------------------------------------------------------------------------------
/docs/_static/capability_abstraction_specterops.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/capability_abstraction_specterops.png


--------------------------------------------------------------------------------
/docs/_static/context_archive.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/context_archive.png


--------------------------------------------------------------------------------
/docs/_static/context_categories.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/context_categories.png


--------------------------------------------------------------------------------
/docs/_static/context_domain.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/context_domain.png


--------------------------------------------------------------------------------
/docs/_static/context_flow_chart.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/context_flow_chart.png


--------------------------------------------------------------------------------
/docs/_static/context_lsass.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/context_lsass.png


--------------------------------------------------------------------------------
/docs/_static/ctid_logo_white.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/ctid_logo_white.png


--------------------------------------------------------------------------------
/docs/_static/d3_credentialdumping_basic.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/d3_credentialdumping_basic.png


--------------------------------------------------------------------------------
/docs/_static/d3_credentialdumping_grantedaccess.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/d3_credentialdumping_grantedaccess.png


--------------------------------------------------------------------------------
/docs/_static/d3_credentialdumping_targetimage.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/d3_credentialdumping_targetimage.png


--------------------------------------------------------------------------------
/docs/_static/d3_passwordguessing_basic.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/d3_passwordguessing_basic.png


--------------------------------------------------------------------------------
/docs/_static/d3_passwordguessing_errorcode.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/d3_passwordguessing_errorcode.png


--------------------------------------------------------------------------------
/docs/_static/d3_scheduledtasks_4698.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/d3_scheduledtasks_4698.png


--------------------------------------------------------------------------------
/docs/_static/d3_scheduledtasks_4698filter.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/d3_scheduledtasks_4698filter.png


--------------------------------------------------------------------------------
/docs/_static/d3_scheduledtasks_basic.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/d3_scheduledtasks_basic.png


--------------------------------------------------------------------------------
/docs/_static/d3_scheduledtasks_filename.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/d3_scheduledtasks_filename.png


--------------------------------------------------------------------------------
/docs/_static/deep_dive_filedir.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/deep_dive_filedir.png


--------------------------------------------------------------------------------
/docs/_static/deepdive_domain.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/deepdive_domain.png


--------------------------------------------------------------------------------
/docs/_static/deepdive_lsass.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/deepdive_lsass.png


--------------------------------------------------------------------------------
/docs/_static/detectioncomponents_hash.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/detectioncomponents_hash.png


--------------------------------------------------------------------------------
/docs/_static/detectioncomponents_registry.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/detectioncomponents_registry.png


--------------------------------------------------------------------------------
/docs/_static/detectionselection_credentialdumping_accurate.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/detectionselection_credentialdumping_accurate.png


--------------------------------------------------------------------------------
/docs/_static/detectionselection_precise.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/detectionselection_precise.png


--------------------------------------------------------------------------------
/docs/_static/domain_account_discovery_flow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/domain_account_discovery_flow.png


--------------------------------------------------------------------------------
/docs/_static/eid4698.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/eid4698.png


--------------------------------------------------------------------------------
/docs/_static/enabling_audit_object_access.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/enabling_audit_object_access.png


--------------------------------------------------------------------------------
/docs/_static/event_robustness_table_revised.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/event_robustness_table_revised.png


--------------------------------------------------------------------------------
/docs/_static/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/favicon.ico


--------------------------------------------------------------------------------
/docs/_static/file-directory-discovery-flow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/file-directory-discovery-flow.png


--------------------------------------------------------------------------------
/docs/_static/flowchart_updated.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/flowchart_updated.png


--------------------------------------------------------------------------------
/docs/_static/funneloffidelity.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/funneloffidelity.png


--------------------------------------------------------------------------------
/docs/_static/js/ctid.js:
--------------------------------------------------------------------------------
 1 | const firstSection = document.querySelector("#main section:first-child");
 2 | const firstHeader = firstSection.querySelector("h1, h2, h3, h4, h5, h6");
 3 | 
 4 | /**
 5 |  * Add smooth scroll to page when user clicks on an anchor
 6 |  * This helps enable the active TOC highlight
 7 |  */
 8 | document.querySelectorAll('a[href^="#"]').forEach((anchor) => {
 9 |     anchor.addEventListener("click", function (e) {
10 |         e.preventDefault();
11 |         const href = this.getAttribute("href");
12 |         let el;
13 |         if (href === "#") {
14 |             // Sphinx does this annoying thing where the first TOC entry doesn't
15 |             // have the correct anchor, it's just #.
16 |             el = firstSection;
17 |         } else {
18 |             el = document.querySelector(this.getAttribute("href"));
19 |         }
20 |         el.scrollIntoView({ behavior: "smooth" });
21 |     });
22 | });
23 | 
24 | // Get all headings within the post content section
25 | const headings = document.querySelectorAll("section[id] h1, section[id] h2, section[id] h3, section[id] h4, section[id] h5, section[id] h6");
26 | const navLinks = document.querySelectorAll(".page-toc li a");
27 | 
28 | // Add an event listener listening for scroll
29 | if (navLinks.length > 0) {
30 |     window.addEventListener("scroll", navHighlighter);
31 | }
32 | 
33 | /**
34 |  * On scroll, determine the current heading that is closest to the top of the viewport (but still
35 |  * underneath the navbar) and make it active.
36 |  */
37 | function navHighlighter() {
38 |     // Get current scroll position
39 |     const targetY = + document.querySelector("header").offsetHeight;
40 | 
41 |     let closestEl = null;
42 |     let closestDist = 999999;
43 | 
44 |     // Find the closest heading that is in the viewport (if any).
45 |     for (const heading of headings) {
46 |         const rect = heading.getBoundingClientRect();
47 |         if (rect.top > window.innerHeight) {
48 |             // This element is off screen;
49 |             continue;
50 |         }
51 | 
52 |         // Look for the heading who's midpoint is closest to the target coordinate.
53 |         const yMidpoint = rect.top + rect.height / 2;
54 |         const dist = yMidpoint - targetY;
55 |         if (dist > 0 && dist < closestDist) {
56 |             closestDist = dist;
57 |             closestEl = heading;
58 |         }
59 |     }
60 | 
61 |     // If you found a heading and it matches a navlink, then make that navlink the
62 |     // current active link.
63 |     if (closestEl) {
64 |         let sectionId = closestEl.parentNode.id;
65 |         console.log(firstHeader);
66 |         console.log(closestEl);
67 |         if (closestEl === firstHeader) {
68 |             // Sphinx does this annoying thing where the first TOC entry doesn't
69 |             // have the correct anchor, it's just #.
70 |             console.log("top condition");
71 |             navLinks.forEach(nl => nl.classList.remove("active"));
72 |             navLinks[0].classList.add("active");
73 |         } else {
74 |             console.log("bottom condition");
75 |             for (const navLink of navLinks) {
76 |                 if (navLink.hash === `#${sectionId}`) {
77 |                     navLinks.forEach(nl => nl.classList.remove("active"));
78 |                     navLink.classList.add("active");
79 |                     break;
80 |                 }
81 |             }
82 |         }
83 |     }
84 | }
85 | 


--------------------------------------------------------------------------------
/docs/_static/lsass-memory-flow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/lsass-memory-flow.png


--------------------------------------------------------------------------------
/docs/_static/new_service_capability_abstraction.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/new_service_capability_abstraction.png


--------------------------------------------------------------------------------
/docs/_static/peripheral.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/peripheral.png


--------------------------------------------------------------------------------
/docs/_static/pipes_2Dmodel_09122023_revised.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/pipes_2Dmodel_09122023_revised.png


--------------------------------------------------------------------------------
/docs/_static/pipes_collectionsource_08022023.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/pipes_collectionsource_08022023.PNG


--------------------------------------------------------------------------------
/docs/_static/pipes_condition.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/pipes_condition.png


--------------------------------------------------------------------------------
/docs/_static/pipes_level1_07052023.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/pipes_level1_07052023.png


--------------------------------------------------------------------------------
/docs/_static/pyramid_breakdown_revised.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/pyramid_breakdown_revised.png


--------------------------------------------------------------------------------
/docs/_static/pyramid_of_pain.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/pyramid_of_pain.png


--------------------------------------------------------------------------------
/docs/_static/robustdetection_analyticoptions.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/robustdetection_analyticoptions.png


--------------------------------------------------------------------------------
/docs/_static/robustdetection_eventplacement.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/robustdetection_eventplacement.png


--------------------------------------------------------------------------------
/docs/_static/robustnessscore_credentialdumping.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/robustnessscore_credentialdumping.png


--------------------------------------------------------------------------------
/docs/_static/robustnessscore_scheduledtasks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/robustnessscore_scheduledtasks.png


--------------------------------------------------------------------------------
/docs/_static/scheduled_task_capability_abstraction.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/scheduled_task_capability_abstraction.png


--------------------------------------------------------------------------------
/docs/_static/scheduled_task_capability_abstraction_markedup.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/scheduled_task_capability_abstraction_markedup.png


--------------------------------------------------------------------------------
/docs/_static/scoringanalytic_filter.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/scoringanalytic_filter.png


--------------------------------------------------------------------------------
/docs/_static/scoringanalytic_finalscore.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/scoringanalytic_finalscore.png


--------------------------------------------------------------------------------
/docs/_static/splunkquery_sourceuser.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/splunkquery_sourceuser.png


--------------------------------------------------------------------------------
/docs/_static/summit_level1_revised.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/summit_level1_revised.png


--------------------------------------------------------------------------------
/docs/_static/summit_level5_revised.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/summit_level5_revised.PNG


--------------------------------------------------------------------------------
/docs/_static/summitingmodel_hostbased_blank.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/summitingmodel_hostbased_blank.png


--------------------------------------------------------------------------------
/docs/_static/summitingmodel_network_blank.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/summitingmodel_network_blank.png


--------------------------------------------------------------------------------
/docs/_static/sysmon_eventid11_schtasks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/sysmon_eventid11_schtasks.png


--------------------------------------------------------------------------------
/docs/_static/sysmon_reg_create_scheduled_task.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/sysmon_reg_create_scheduled_task.png


--------------------------------------------------------------------------------
/docs/_static/technique.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/technique.png


--------------------------------------------------------------------------------
/docs/_static/techniquemapping_http.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/techniquemapping_http.png


--------------------------------------------------------------------------------
/docs/_static/techniquemapping_lsass.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/techniquemapping_lsass.png


--------------------------------------------------------------------------------
/docs/_static/techniquemapping_rpc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/techniquemapping_rpc.png


--------------------------------------------------------------------------------
/docs/_static/techniquemapping_scheduledtasks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/techniquemapping_scheduledtasks.png


--------------------------------------------------------------------------------
/docs/_static/techniquemapping_webdav_endpoint.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/techniquemapping_webdav_endpoint.png


--------------------------------------------------------------------------------
/docs/_static/techniquemapping_webdav_network.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/techniquemapping_webdav_network.png


--------------------------------------------------------------------------------
/docs/_static/tie_scheduledtasks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/center-for-threat-informed-defense/summiting-the-pyramid/ff74aff93c74fb72ba3bfe58b2636f3e2c6398ee/docs/_static/tie_scheduledtasks.png


--------------------------------------------------------------------------------
/docs/_templates/footer.html:
--------------------------------------------------------------------------------
  1 | <footer>
  2 |   {%- if (theme_prev_next_buttons_location == 'bottom' or
  3 |   theme_prev_next_buttons_location == 'both') and (next or prev) %} {#-
  4 |   Translators: This is an ARIA section label for the footer section of the page.
  5 |   -#}
  6 |   <div class="rst-footer-buttons" role="navigation" aria-label="{{ _('Footer') }}">
  7 |     {%- if prev %}
  8 |     <a href="{{ prev.link|e }}" class="btn btn-neutral float-left" title="{{ prev.title|striptags|e }}" accesskey="p"
  9 |       rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> {{
 10 |       _('Previous') }}</a>
 11 |     {%- endif %} {%- if next %}
 12 |     <a href="{{ next.link|e }}" class="btn btn-neutral float-right" title="{{ next.title|striptags|e }}" accesskey="n"
 13 |       rel="next">{{ _('Next') }}
 14 |       <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
 15 |     {%- endif %}
 16 |   </div>
 17 |   {%- endif %}
 18 | 
 19 |   <hr />
 20 | 
 21 |   <div role="contentinfo">
 22 |     {%- block contentinfo %}
 23 |     <div class="row">
 24 |       <div class="col-md-6">
 25 |         <h3>The Center for Threat-Informed Defense</h3>
 26 |         <p>
 27 |           The
 28 |           <a href="https://ctid.mitre.org/" target="_blank">Center
 29 |             for Threat-Informed Defense</a>
 30 |           is a non-profit, privately funded research and development
 31 |           organization. Our mission is to advance the state of the art and the
 32 |           state of the practice in threat-informed defense globally.
 33 |         </p>
 34 |         <div class="footer-row">
 35 |           {%- if theme_logo and theme_logo != 'None' %}
 36 |           <a href="https://ctid.mitre.org/" target="_blank" {% if
 37 |             theme_logo_alt %}title="{{ theme_logo_alt|e }}" {% endif %} class="logo navbar-brand">
 38 |             <img src="{{ pathto('_static/' + theme_logo, 1) }}" {%- if theme_logo_width %}
 39 |               width="{{ theme_logo_width|e }}" {% endif %} {%- if theme_logo_height %}
 40 |               height="{{ theme_logo_height|e }}" {% endif %} {%- if theme_logo_alt %} alt="{{ theme_logo_alt|e }}" {%
 41 |               endif %} {%- if theme_logo_title %} title="{{ theme_logo_title|e }}" {% endif %} class="logo-img" />
 42 |           </a>
 43 |           {% endif %}
 44 |           <div class="social-links">
 45 |             <a href="mailto:ctid@mitre.org" aria-label="email ctid"
 46 |               class="email">
 47 |               <i class="fas fa-2x fa-envelope"></i>
 48 |             </a>
 49 |             <a href="https://www.linkedin.com/showcase/center-for-threat-informed-defense/" target="blank"
 50 |               aria-label="ctid on linkedin" class="linkedin">
 51 |               <i class="fab fa-2x fa-linkedin"></i>
 52 |             </a>
 53 |             <a href="https://www.youtube.com/playlist?list=PLALq3Th79NnpUkRy8TUYVBKvysCp9xwNh" target="blank"
 54 |               class="youtube" aria-label="mitre ctid youtube">
 55 |               <i class="fab fa-2x fa-youtube"></i>
 56 |             </a>
 57 |             <a href="https://github.com/center-for-threat-informed-defense/" target="blank" class="github"
 58 |               aria-label="ctid github">
 59 |               <i class="fab fa-2x fa-github"></i>
 60 |             </a>
 61 |           </div>
 62 |         </div>
 63 |       </div>
 64 |       {% if theme_footer_links %}
 65 |       <div class="col-md-6">
 66 |         <h4>Related Sites</h4>
 67 |         <div class="external-links">
 68 |           {% for link in theme_footer_links.split(',') %} {% set
 69 |           link_text=link.split("|")[0] %} {% set link_url=link.split("|")[1] %}
 70 |           <a class="link" href="{{ link_url }}" target="_blank">{{ link_text }}</a>
 71 |           {% endfor %}
 72 |         </div>
 73 |         <p>
 74 |           {%- if show_copyright %} &#169; {{ copyright_years }} MITRE.
 75 |           Approved for public release. Document number(s) {{ prs_numbers }}. {%-
 76 |           endif %} {%- if build_id and build_url %}
 77 |           <span class="build">
 78 |             {#- Translators: Build is a noun, not a verb -#} {%- trans %}Build{%
 79 |             endtrans -%}
 80 |             <a href="{{ build_url }}">{{ build_id }}</a>.
 81 |           </span>
 82 |           {%- elif commit %}
 83 |           <span class="commit">
 84 |             {#- Translators: the phrase "revision" comes from Git, referring to
 85 |             a commit #} {%- trans %}Revision{% endtrans %}
 86 |             <code>{{ commit }}</code>.
 87 |           </span>
 88 |           {%- endif %} {%- if last_updated %}
 89 |           <span class="lastupdated">
 90 |             {%- trans last_updated=last_updated|e %}Last updated on {{
 91 |             last_updated }}.{% endtrans %}
 92 |           </span>
 93 |           {%- endif -%}
 94 |         </p>
 95 |         {% endif %}
 96 |       </div>
 97 |     </div>
 98 |     {%- endblock %}
 99 |   </div>
100 | 
101 |   {%- block extrafooter %} {% endblock %}
102 | </footer>
103 | 


--------------------------------------------------------------------------------
/docs/_templates/header.html:
--------------------------------------------------------------------------------
 1 | <header class="container-fluid bg-primary sticky-top">
 2 |   <a class="btn btn-sm btn-light skip-to-content-link" href="#main">{{ _('Skip to content') }}</a>
 3 |   <div class="container-fluid container">
 4 |     <div class="navbar navbar-expand-lg navbar-dark font-weight-bold">
 5 |       {%- if theme_project_name %}
 6 |       <a class="logo" href="{{pathto(master_doc)}}">
 7 |         <h1>{{theme_project_name}}
 8 |           <span class="version">
 9 |             {{version}}
10 |           </span>
11 |         </h1>
12 |       </a>
13 |       {% endif %} {%- if theme_logo and theme_logo != 'None' %}
14 |       <a href="https://ctid.mitre.org/" target="_blank" {% if theme_logo_alt %}title="{{ theme_logo_alt|e }}" {% endif
15 |         %} class="navbar-brand d-none d-lg-block">
16 |         <img src="{{ pathto('_static/' + theme_logo, 1) }}" {%- if theme_logo_width %} width="{{ theme_logo_width|e }}"
17 |           {% endif %} {%- if theme_logo_height %} height="{{ theme_logo_height|e }}" {% endif %} {%- if theme_logo_alt
18 |           %} alt="{{ theme_logo_alt|e }}" {% endif %} {%- if theme_logo_title %} title="{{ theme_logo_title|e }}" {%
19 |           endif %} class="logo-img" />
20 |       </a>
21 |       {% endif %}
22 | 
23 |       <button class="navbar-toggler btn btn-primary d-lg-none" type="button" data-toggle="collapse"
24 |         data-target="#collapseSidebar" aria-expanded="false" aria-controls="collapseExample">
25 |         <span class="navbar-toggler-icon"></span>
26 |         <span class="sr-only">{{ _('menu') }}</span>
27 |       </button>
28 |     </div>
29 |   </div>
30 | </header>


--------------------------------------------------------------------------------
/docs/_templates/layout.html:
--------------------------------------------------------------------------------
  1 | {%- set url_root = pathto('', 1) -%} {%- if url_root == '#' %}{% set url_root =
  2 | '' %}{% endif -%} {%- if not embedded and docstitle %} {%- set titlesuffix = "
  3 | &mdash; "|safe + docstitle|e -%} {%- else %} {%- set titlesuffix = "" -%} {%-
  4 | endif -%} {%- set hidetoc = '' %} {%- if meta is defined and meta %} {%- if
  5 | 'hidetoc' in meta.keys() %} {%- set hidetoc = meta.get('hidetoc') %} {%- endif
  6 | %} {%- endif %} {%- set sphinx_version_info = sphinx_version.split('.') |
  7 | map('int') | list -%}
  8 | <!DOCTYPE html>
  9 | <html class="no-js" {% if language is not none %}lang="{{ language }}" {% endif %}
 10 |   data-content_root="{{ content_root }}">
 11 | 
 12 | <head>
 13 |   <meta charset="utf-8" />
 14 |   {%- if metatags %} {{ metatags }} {%- endif %}
 15 |   <meta name="viewport" content="width=device-width, initial-scale=1.0" />
 16 |   {% block htmltitle %}
 17 |   <title>{{ title|striptags|e }}{{ titlesuffix }}</title>
 18 |   {% endblock %} {%- if favicon_url %}
 19 |   <link rel="shortcut icon" href="{{ favicon_url }}" />
 20 |   {%- endif %} {#- Include our own stylesheets -#} {%- if
 21 |   sphinx_version_info[0]
 22 |   < 4 %} <link rel="stylesheet" type="text/css" href="{{ pathto('_static/' + style, 1) }}" />
 23 |   {%- endif %}
 24 |   <link href="//fonts.googleapis.com/css2?family=Oswald:wght@200..700&display=swap" rel="stylesheet" />
 25 | 
 26 |   <link rel="stylesheet" type="text/css" href="{{ pathto('_static/dist/fontawesome.css', 1) }}" />
 27 |   {#- Include stylesheets from sphinx (e.g. user custom css #} {%- for css in
 28 |   css_files %} {#- Block pygments css; we are manually including ours in
 29 |   theme.css instead #} {%- if css not in ["_static/pygments.css"] %} {%- if
 30 |   css|attr("filename") %} {{ css_tag(css) }} {%- else %}
 31 |   <link rel="stylesheet" href="{{ pathto(css, 1)|e }}" type="text/css" />
 32 |   {%- endif %} {%- endif %} {%- endfor %} {%- block linktags %} {%- if
 33 |   hasdoc('about') %}
 34 |   <link rel="author" title="{{ _('About these documents') }}" href="{{ pathto('about') }}" />
 35 |   {%- endif %} {%- if hasdoc('genindex') %}
 36 |   <link rel="index" title="{{ _('Index') }}" href="{{ pathto('genindex') }}" />
 37 |   {%- endif %} {%- if hasdoc('search') %}
 38 |   <link rel="search" title="{{ _('Search') }}" href="{{ pathto('search') }}" />
 39 |   {%- endif %} {%- if hasdoc('copyright') %}
 40 |   <link rel="copyright" title="{{ _('Copyright') }}" href="{{ pathto('copyright') }}" />
 41 |   {%- endif %}
 42 |   <link rel="top" title="{{ docstitle|e }}" href="{{ pathto(pagename) }}" />
 43 |   {%- if parents %}
 44 |   <link rel="up" title="{{ parents[-1].title|striptags|e }}" href="{{ parents[-1].link|e }}" />
 45 |   {%- endif %} {%- if next %}
 46 |   <link rel="next" title="{{ next.title|striptags|e }}" href="{{ next.link|e }}" />
 47 |   {%- endif %} {%- if prev %}
 48 |   <link rel="prev" title="{{ prev.title|striptags|e }}" href="{{ prev.link|e }}" />
 49 |   {%- endif %} {% endblock -%} {%- block extrahead %}{% endblock -%}
 50 | </head>
 51 | 
 52 | <body>
 53 |   <script type="text/javascript" src="{{ pathto('_static/dist/blocking.js', 1) }}"></script>
 54 |   {%- include "header.html" %}
 55 |   <div class="container-fluid container">
 56 |     <div class="row">
 57 |       <aside class="col-12 col-lg-3 sidebar-container">
 58 |         <div id="collapseSidebar" class="collapse sticky-top d-lg-block pt-5 pr-lg-2">
 59 |           {%- for sidebartemplate in sidebars %} {%- include sidebartemplate
 60 |           %} {%- endfor %}
 61 |           <div class="d-lg-none border-bottom">
 62 |             {# Bottom border for mobile (above content, needs to be expanded.)
 63 |             #}
 64 |           </div>
 65 |         </div>
 66 |       </aside>
 67 |       <div class="col-12 col-lg-9 pt-5">
 68 |         <header class="row align-items-baseline">
 69 |           <div class="col">{% include "breadcrumbs.html" %}</div>
 70 |           <div class="col-sm-12 col-lg-auto mt-3 mt-lg-3">
 71 |             <noscript>
 72 |               <p>
 73 |                 {{ _('JavaScript is required to toggle light/dark mode.') }}.
 74 |               </p>
 75 |             </noscript>
 76 |             <button id="wagtail-theme" class="btn btn-sm btn-light text-decoration-none" type="button">
 77 |               <span class="dark-only"><i class="fas fa-sun"></i> {{ _('Light mode') }}</span>
 78 |               <span class="light-only"><i class="fas fa-moon"></i> {{ _('Dark mode') }}</span>
 79 |             </button>
 80 |             {%- if pagename != "search" -%} {% include "source-buttons.html"
 81 |             %} {% endif %}
 82 |           </div>
 83 |         </header>
 84 |         <div class="row">
 85 |           <div class="col-12">
 86 |             <hr class="w-100 my-4" />
 87 |           </div>
 88 |         </div>
 89 |         <div class="row">
 90 |           <div class="col-12 col-lg-9 order-last order-lg-first rst-content">
 91 |             <main role="main" id="main">
 92 |               {%- block body %} {% endblock -%}
 93 |             </main>
 94 |             {% include "pager.html" %}
 95 |           </div>
 96 |           {% if display_toc and not hidetoc %}
 97 |           <nav class="col-12 col-lg-3 pb-4 d-none d-lg-block">
 98 |             <div class="sticky-top toc page-toc" aria-labelledby="page-toc-heading">
 99 |               <p class="font-weight-bold" id="page-toc-heading">
100 |                 On This Page
101 |               </p>
102 |               {{ toc }}
103 |             </div>
104 |           </nav>
105 |           {% endif %}
106 |         </div>
107 |       </div>
108 |     </div>
109 |   </div>
110 |   <footer class="container-fluid bg-primary text-light">
111 |     <div class="container">{% include "footer.html" %}</div>
112 |   </footer>
113 | 
114 |   {%- if not embedded %} {#- Sphinx >=1.8.0 has this as an external js file.
115 |   Sphinx 4.0 includes in in script_files #} {%- if sphinx_version_info[0] < 4 %} <script id="documentation_options"
116 |     data-url_root="{{ url_root }}" src="{{ pathto('_static/documentation_options.js', 1) }}">
117 |     </script>
118 |     {%- endif -%} {%- for scriptfile in script_files %} {{ js_tag(scriptfile) }}
119 |     {%- endfor %}
120 |     <script type="text/javascript" src="{{ pathto('_static/dist/theme.js', 1) }}"></script>
121 |     <script type="text/javascript" src="{{ pathto('_static/dist/vendor.js', 1) }}"></script>
122 |     {%- endif %} {%- block search %}
123 |     <script type="text/javascript" src="{{ pathto('_static/searchtools.js', 1) }}"></script>
124 |     <script type="text/javascript" src="{{ pathto('_static/language_data.js', 1) }}"></script>
125 |     <script type="text/javascript">
126 |       document.addEventListener("DOMContentLoaded", function () {
127 |         Search.loadIndex("{{ pathto('searchindex.js', 1) }}");
128 |       });
129 |     </script>
130 |     <script type="text/javascript" id="searchindexloader"></script>
131 |     {% endblock -%} {%- block scripts2 %}{% endblock -%} {%- block footer %}{%
132 |     endblock -%} {%- block footer2 %}{% endblock -%}
133 |     {% if googleanalytics_id %}
134 |     <!-- google analytics information -->
135 |     <script async="" src="https://www.googletagmanager.com/gtag/js?id={{googleanalytics_id}}"></script>
136 |     <script>
137 |       window.dataLayer = window.dataLayer || [];
138 |       function gtag() { dataLayer.push(arguments); }
139 |       gtag('js', new Date());
140 |       gtag('config', '{{googleanalytics_id}}', {
141 |         'anonymize_ip': false,
142 |       });
143 |     </script>
144 |     {% endif %}
145 | </body>
146 | 
147 | </html>
148 | 


--------------------------------------------------------------------------------
/docs/_templates/searchbox.html:
--------------------------------------------------------------------------------
 1 | {%- if builder != "singlehtml" %}
 2 | <div id="searchbox" class="searchbox mb-6 px-1" role="search">
 3 |     <form id="search-form" action="{{ pathto('search') }}" autocomplete="off" method="get" role="search">
 4 |         <div class="input-group">
 5 |             <div class="input-group-prepend">
 6 |                 <div class="input-group-text border-right-0 bg-white py-3 pl-3 pr-2"><span class="fas fa-search"></span>
 7 |                 </div>
 8 |             </div>
 9 |             <input class="form-control py-3 pr-3 pl-1 h-100 border-left-0" type="search" name="q"
10 |                 placeholder="Search docs" aria-label="Search docs" id="searchinput" />
11 |         </div>
12 |         <input type="hidden" name="check_keywords" value="yes" />
13 |         <input type="hidden" name="area" value="default" />
14 |     </form>
15 | </div>
16 | {%- endif %}
17 | 


--------------------------------------------------------------------------------
/docs/_templates/source-buttons.html:
--------------------------------------------------------------------------------
 1 | {%- if show_source and has_source and sourcename %}
 2 | <a
 3 |   class="btn btn-sm btn-light text-decoration-none"
 4 |   href="{{ pathto('_sources/' + sourcename, true)|e }}"
 5 |   rel="nofollow"
 6 | >
 7 |   <span class="btn-icon"><span class="fas fa-code"></span></span>
 8 |   <span class="btn-text">View source</span>
 9 | </a>
10 | {%- endif %}
11 | 


--------------------------------------------------------------------------------
/docs/analytics/access_token_manipulation.rst:
--------------------------------------------------------------------------------
  1 | 
  2 | ----------------------------
  3 | Access Token Abuse
  4 | ----------------------------
  5 | 
  6 | Original Analytic
  7 | ^^^^^^^^^^^^^^^^^
  8 | 
  9 | .. code-block:: yaml
 10 | 
 11 |   title: Operator Bloopers Cobalt Strike Commands
 12 |   id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
 13 |   related:
 14 |       - id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
 15 |         type: similar
 16 |   status: experimental
 17 |   description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
 18 |   references:
 19 |       - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
 20 |       - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
 21 |       - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
 22 |   author: _pete_0, TheDFIRReport
 23 |   date: 2022/05/06
 24 |   modified: 2023/01/30
 25 |   tags:
 26 |       - attack.execution
 27 |       - attack.t1059.003
 28 |   logsource:
 29 |       category: process_creation
 30 |       product: windows
 31 |   detection:
 32 |       selection_img:
 33 |           - OriginalFileName: 'Cmd.Exe'
 34 |           - Image|endswith: '\cmd.exe'
 35 |       selection_cli:
 36 |           CommandLine|startswith:
 37 |               - 'cmd '
 38 |               - 'cmd.exe'
 39 |               - 'c:\windows\system32\cmd.exe'
 40 |           CommandLine|contains:
 41 |               - 'psinject'
 42 |               - 'spawnas'
 43 |               - 'make_token'
 44 |               - 'remote-exec'
 45 |               - 'rev2self'
 46 |               - 'dcsync'
 47 |               - 'logonpasswords'
 48 |               - 'execute-assembly'
 49 |               - 'getsystem'
 50 |       condition: all of selection_*
 51 |   falsepositives:
 52 |       - Unknown
 53 |   level: high
 54 | 
 55 | Analytic Source: `SigmaHQ <https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml>`_
 56 | 
 57 | Original Analytic Scoring
 58 | ^^^^^^^^^^^^^^^^^^^^^^^^^
 59 | .. list-table::
 60 |     :widths: 20 20 20 30
 61 |     :header-rows: 1
 62 | 
 63 |     * -
 64 |       - Application (A)
 65 |       - User-Mode (U)
 66 |       - Kernel-Mode (K)
 67 |     * - Core to (Sub-) Technique (5)
 68 |       -
 69 |       -
 70 |       -
 71 |     * - Core to Part of (Sub-) Technique (4)
 72 |       -
 73 |       -
 74 |       -
 75 |     * - Core to Pre-Existing Tool or Inside Boundary (3)
 76 |       -
 77 |       -
 78 |       -
 79 |     * - Core to Adversary-Brought Tool or Outside Boundary (2)
 80 |       -
 81 |       - 
 82 |       - | EventID: 1
 83 |         | CommandLine|contains:
 84 |         |    - 'psinject'
 85 |         |    - 'spawnas'
 86 |         |    - 'make_token'
 87 |         |    - 'remote-exec'
 88 |         |    - 'rev2self'
 89 |         |    - 'dcsync'
 90 |         |    - 'logonpasswords'
 91 |         |    - 'execute-assembly'
 92 |         |    - 'getsystem'
 93 |     * - Ephemeral (1)
 94 |       -
 95 |       - 
 96 |       - | selection_img:
 97 |         |     - OriginalFileName: 'Cmd.Exe'
 98 |         |     - Image|endswith: '\\cmd.exe'
 99 |         |     CommandLine|startswith:
100 |         |         - 'cmd '
101 |         |         - 'cmd.exe'
102 |         |         - 'c:\\\\windows\\\\system32\\\\cmd.exe'
103 | 
104 | This analytic's robustness score is **1U** because it relies on commands being run from
105 | ``cmd.exe``. While some observables of the analytic score at level 2, they are ORed with
106 | level 1 making the overall analytic score at 1U. This analytic also relies on an
107 | adversary accidentally entering these commands on the victim machine since the specified
108 | arguments are typically executed on a beacon within CobaltStrike.
109 | 
110 | We can generate an analytic that scores scores higher according to the Summiting
111 | methodoogy by researching what happens on a system when a token is impersonated. The
112 | original analytic spans several different behaviors, tactics, and techniques including
113 | process injection, privilege escalation, lateral movement, access token manipulation,
114 | and credential access, so we also need to re-scope our analytic and focus on a single
115 | ATT&CK technique. We'll continue with **T1134.001 Access Token Manipulation: Token
116 | Impersonation/Theft**. We will further scope down our research, focusing on access token
117 | theft implementations that leverage Windows API calls versus command line
118 | implementations like the ``runas`` command.
119 | 
120 | Test scripts were executed to call Windows APIs commonly used by adversaries and/or
121 | tools when performing access token manipulation, as seen on the ATT&CK page [#f1]_:
122 | 
123 |   - LogonUser
124 |   - DuplicateTokenEx
125 |   - ImpersonateLogonUser
126 | 
127 | .. figure:: ../_static/atm_tests.png
128 |    :alt: Test scripts used to call Windows APIs associated with Access Token Manipulation
129 |    :align: center
130 |    :scale: 100%
131 | 
132 |    Test script used to call Windows APIs associated with Access Token
133 |    Manipulation. (Click to enlarge)
134 | 
135 | Testing confirmed that calling these APIs generated Event ID 4624 (An account has been logged on).
136 | 
137 | .. note::
138 | 
139 |     ``Audit Logon`` events must be configured in Local System or Group Policy to capture
140 |     Event ID 4624
141 | 
142 | With knowledge that event ID 4624 [#f2]_ is fired anytime an adversary performs access
143 | token manipulation, we can now begin to develop a new analytic. Simply searching for
144 | Event ID 4624 would be incredibly noisy on a production environment, therefore defenders
145 | must leverage other fields in the event to filter out false positives. Fortunately, the
146 | Summiting team has gone through this process already, submitted the improved analytic to
147 | Sigma through previous research [#f3]_, and started developing a capability abstraction
148 | map. The team is continuing the research to find better event IDs or other observables
149 | which can be correlated to access tokens specifically.
150 | 
151 | .. code-block:: yaml
152 | 
153 |   title: Potential Access Token Abuse
154 |   id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f
155 |   status: experimental
156 |   description: Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".
157 |   references:
158 |       - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation
159 |       - https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
160 |   author: Michaela Adams, Zach Mathis
161 |   date: 2022/11/06
162 |   modified: 2023/04/26
163 |   tags:
164 |       - attack.defense_evasion
165 |       - attack.privilege_escalation
166 |       - attack.t1134.001
167 |   logsource:
168 |       product: windows
169 |       service: security
170 |   detection:
171 |       selection:
172 |           EventID: 4624
173 |           LogonType: 9
174 |           LogonProcessName: 'Advapi'
175 |           AuthenticationPackageName: 'Negotiate'
176 |           ImpersonationLevel: '%%1833' # Impersonation
177 |       condition: selection
178 |   falsepositives:
179 |       - Anti-Virus
180 |   level: medium
181 | 
182 | .. figure:: ../_static/1atm_capability_abstraction.png
183 |   :alt: Capability abstraction map for API-based implementations of Access Token Manipulation: Token Impersonation and Theft
184 |   :align: center
185 |   :scale: 100%
186 | 
187 |   Capability abstraction map for API-based implementations of Access Token Manipulation:
188 |   Token Impersonation and Theft
189 | 
190 | Improved Analytic Scoring
191 | ^^^^^^^^^^^^^^^^^^^^^^^^^
192 | 
193 | .. list-table::
194 |     :widths: 20 20 30 20
195 |     :header-rows: 1
196 | 
197 |     * -
198 |       - Application (A)
199 |       - User-Mode (U)
200 |       - Kernel-Mode (K)
201 |     * - Core to (Sub-) Technique (5)
202 |       -
203 |       -
204 |       -
205 |     * - Core to Part of (Sub-) Technique (4)
206 |       -
207 |       - | EventID: 4624
208 |         | LogonType: 9
209 |         | LogonProcessName: 'Advapi'
210 |         | AuthenticationPackageName: 'Negotiate'
211 |         | ImpersonationLevel: '%%1833'
212 |       -
213 |     * - Core to Pre-Existing Tool or Inside Boudnary (3)
214 |       -
215 |       -
216 |       -
217 |     * - Core to Adversary-Brought Tool or Outside Boundary (2)
218 |       -
219 |       -
220 |       -
221 |     * - Ephemeral (1)
222 |       -
223 |       -
224 |       -
225 | 
226 | .. note::
227 | 
228 |     The behavioral analytic research for Access Token Manipulation is covered in MITRE
229 |     ATT&CK Defender's (MAD) Technique Detection Course on Access Token Manipulation.
230 | 
231 | .. rubric:: References
232 | 
233 | .. [#f1] https://attack.mitre.org/techniques/T1134/001/
234 | .. [#f2] https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624
235 | .. [#f3] https://github.com/SigmaHQ/sigma/blob/a08e1b9d45e61570d26377e8f6811d37c6a01166/rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml
236 | 


--------------------------------------------------------------------------------
/docs/analytics/adfind.rst:
--------------------------------------------------------------------------------
  1 | .. _AD Find:
  2 | 
  3 | -----------------
  4 | ADFind
  5 | -----------------
  6 | 
  7 | Original Analytic
  8 | ^^^^^^^^^^^^^^^^^
  9 | 
 10 | .. code-block:: yaml
 11 | 
 12 |   title: Suspicious AdFind Execution
 13 |   id: 75df3b17-8bcc-4565-b89b-c9898acef911
 14 |   status: experimental
 15 |   description: Detects the execution of a AdFind for Active Directory enumeration
 16 |   references:
 17 |       - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
 18 |       - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/Emulation_Plan/Phase1.md
 19 |       - https://thedfirreport.com/2020/05/08/adfind-recon/
 20 |   author: FPT.EagleEye Team, omkar72, oscd.community
 21 |   date: 2020/09/26
 22 |   modified: 2021/05/12
 23 |   tags:
 24 |       - attack.discovery
 25 |       - attack.t1018
 26 |       - attack.t1087.002
 27 |       - attack.t1482
 28 |       - attack.t1069.002
 29 |   logsource:
 30 |       product: windows
 31 |       category: process_creation
 32 |   detection:
 33 |       selection:
 34 |           CommandLine|contains:
 35 |               - 'objectcategory'
 36 |               - 'trustdmp'
 37 |               - 'dcmodes'
 38 |               - 'dclist'
 39 |               - 'computers_pwdnotreqd'
 40 |           Image|endswith: '\adfind.exe'
 41 |       condition: selection
 42 |   falsepositives:
 43 |       - Administrative activity
 44 |   level: medium
 45 | 
 46 | Analytic Source: `SigmaHQ <https://github.com/SigmaHQ/sigma/blob/30bee7204cc1b98a47635ed8e52f44fdf776c602/rules/windows/process_creation/win_susp_adfind.yml>`_
 47 | 
 48 | Original Analytic Scoring
 49 | ^^^^^^^^^^^^^^^^^^^^^^^^^
 50 | 
 51 | .. list-table::
 52 |     :widths: 20 20 20 30
 53 |     :header-rows: 1
 54 | 
 55 |     * -
 56 |       - Application (A)
 57 |       - User-Mode (U)
 58 |       - Kernel-Mode (K)
 59 |     * - Core to (Sub-) Technique (5)
 60 |       -
 61 |       -
 62 |       -
 63 |     * - Core to Part of (Sub-) Technique (4)
 64 |       -
 65 |       -
 66 |       -
 67 |     * - Core to Pre-Existing Tool or Inside Boundary (3)
 68 |       -
 69 |       -
 70 |       -
 71 |     * - Core to Adversary-Brought Tool or Outside Boundary (2)
 72 |       -
 73 |       - 
 74 |       - | EventID: 1
 75 |         | CommandLine|contains:
 76 |         |   - 'objectcategory'
 77 |         |   - 'trustdmp'
 78 |         |   - 'dcmodes'
 79 |         |   - 'dclist'
 80 |         |   - 'computers_pwdnotreqd'
 81 |     * - Ephemeral (1)
 82 |       -
 83 |       - 
 84 |       - Image|endswith: '\\adfind.exe'
 85 | 
 86 | Improved Analytic Scoring
 87 | ^^^^^^^^^^^^^^^^^^^^^^^^^
 88 | 
 89 | .. list-table::
 90 |     :widths: 20 20 20 30
 91 |     :header-rows: 1
 92 | 
 93 |     * -
 94 |       - Application (A)
 95 |       - User-Mode (U)
 96 |       - Kernel-Mode (K)
 97 |     * - Core to (Sub-) Technique (5)
 98 |       -
 99 |       -
100 |       -
101 |     * - Core to Part of (Sub-) Technique (4)
102 |       -
103 |       -
104 |       -
105 |     * - Core to Pre-Existing Tool or Inside Boundary (3)
106 |       -
107 |       -
108 |       -
109 |     * - Core to Adversary-Brought Tool or Outside Boundary (2)
110 |       -
111 |       - 
112 |       - | EventID: 1
113 |         | CommandLine|contains:
114 |         |   - 'objectcategory'
115 |         |   - 'trustdmp'
116 |         |   - 'dcmodes'
117 |         |   - 'dclist'
118 |         |   - 'computers_pwdnotreqd'
119 |         | OriginalFileName|endswith: '\\adfind.exe'
120 |     * - Ephemeral (1)
121 |       -
122 |       -
123 |       -
124 | 
125 | This analytic looks for specific command-line arguments of the ADFind tool,
126 | identified when ``Image`` ends with ``adfind.exe``. The logsource for this
127 | analytic is ``process_creation``, so it could potentially fire for Windows Event
128 | ID 4688 or Sysmon Event ID 1. This analytic references the ``Image`` field,
129 | which does not exist in Event ID 4688 but does exist in Sysmon Event ID 1.
130 | [#f1]_ Event ID 4688 has the field NewProcessName, though it could be mapped to
131 | another field name in your SIEM of choice. We proceed with the interpretation
132 | that 4688 events will not be returned, and therefore score this using Event ID
133 | 1.
134 | 
135 | Sysmon Event ID 1 is generated when Win32 API functions are called to create a
136 | new process. [#f2]_  However, instead of operating from a userland artifact, it
137 | awaits a kernel callback to notify it via the
138 | ``PsSetCreateProcessNotifyRoutineEx`` function that a new process has been
139 | created. The aforementioned routine is normally triggered by the driver any time
140 | a new process is registered with the kernel, at which point it notifies all
141 | drivers in its callback array of the new process registration. Although it is
142 | possible for the notification routine to be avoided, doing so generally requires
143 | modifying either Sysmon (to suppress the driver callback) or the driver itself
144 | (to avoid notifications of process registration ever being sent out), both of
145 | which are quite impractical. Therefore, it is a kernel-mode log source and we
146 | can place the observables in the :ref:`Kernel-Mode`.
147 | 
148 | ``Image|endswith: '\adfind.exe'`` is placed at the :ref:`Ephemeral Values`. An
149 | adversary can easily obfuscate or change the Image value by renaming the file.
150 | The command-line arguments are placed at :ref:`Adversary Brought Tool`, since
151 | the command-line arguments are specific to the ADFind tool and require modifying
152 | source code to change. Since the ``CommandLine`` and ``Image`` observables in
153 | the analytic are ANDed together, according to our Boolean logic, the entire
154 | analytic scores as a **1K**.
155 | 
156 | The robustness of this analytic can be increased by leveraging the
157 | ``OriginalFileName`` field in Sysmon Event ID 1 instead of ``Image``. It is
158 | trivial for an adversary to change the ``Image`` name ending with ``adfind.exe``
159 | to avoid detection. It is more challenging for an adversary to change the
160 | ``OriginalFileName``, since it is derived from the PE header. Changing the PE
161 | header requires either modifying values at the executable's compile time or
162 | modifying raw bytes with a hex editor, both of which are more complex for an
163 | adversary than renaming a file on a compromised system.
164 | 
165 | By instead detecting ``OriginalFileName|endswith: '\adfind.exe'``, this analytic
166 | moves up a level to **2K**.
167 | 
168 | Another approach to improve the robustness of this analytic is to drop the
169 | condition of the ``Image`` or ``OriginalFileName`` completely since the
170 | command-line arguments specified in the first clause are likely unique to the
171 | ADFind tool. Adding that second clause adds a way for an adversary to evade the
172 | analytic without decreasing accuracy.
173 | 
174 | 
175 | .. rubric:: References
176 | 
177 | .. [#f1] https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90001
178 | .. [#f2] https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
179 | 


--------------------------------------------------------------------------------
/docs/analytics/amsi_evasion.rst:
--------------------------------------------------------------------------------
  1 | :orphan:
  2 | 
  3 | ------------
  4 | AMSI Evasion
  5 | ------------
  6 | 
  7 | Original Analytic
  8 | ^^^^^^^^^^^^^^^^^
  9 | 
 10 | .. code-block:: yaml
 11 | 
 12 |   title: Removal Of AMSI Provider Registry Keys
 13 |   id: 41d1058a-aea7-4952-9293-29eaaf516465
 14 |   status: test
 15 |   description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
 16 |   references:
 17 |       - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 18 |       - https://seclists.org/fulldisclosure/2020/Mar/45
 19 |   author: frack113
 20 |   date: 2021/06/07
 21 |   modified: 2023/02/08
 22 |   tags:
 23 |       - attack.defense_evasion
 24 |       - attack.t1562.001
 25 |   logsource:
 26 |       product: windows
 27 |       category: registry_delete
 28 |   detection:
 29 |       selection:
 30 |           EventType: DeleteKey
 31 |           TargetObject|endswith:
 32 |               - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus
 33 |               - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll
 34 |       condition: selection
 35 |   falsepositives:
 36 |       - Unlikely
 37 |   level: high
 38 | 
 39 | Analytic Source: `SigmaHQ <https://github.com/SigmaHQ/sigma/blob/7f3eff58e17c1edec877cf45972726588d009940/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml>`_
 40 | 
 41 | Original Analytic Scoring
 42 | ^^^^^^^^^^^^^^^^^^^^^^^^^
 43 | 
 44 | .. list-table::
 45 |     :widths: 20 20 30 20
 46 |     :header-rows: 1
 47 | 
 48 |     * -
 49 |       - Application (A)
 50 |       - User-mode (U)
 51 |       - Kernel-mode (K)
 52 |     * - Core to (Sub-) Technique (5)
 53 |       -
 54 |       -
 55 |       -
 56 |     * - Core to Part of (Sub-) Technique (4)
 57 |       -
 58 |       -
 59 |       -
 60 |     * - Core to Pre-Existing Tool (3)
 61 |       -
 62 |       -
 63 |       -
 64 |     * - Core to Adversary-brought Tool (2)
 65 |       -
 66 |       -
 67 |       -
 68 |     * - Ephemeral (1)
 69 |       -
 70 |       -
 71 |       - |  EventType: DeleteKey
 72 |         |  TargetObject|endswith:
 73 |         |    - '{2781761E-28E0-4109-99FE-B9D127C57AFE}'
 74 |         |    - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}'
 75 | 
 76 | 
 77 | Improved Analytic Scoring
 78 | ^^^^^^^^^^^^^^^^^^^^^^^^^
 79 | 
 80 | .. list-table::
 81 |     :widths: 15 30 60
 82 |     :header-rows: 1
 83 | 
 84 |     * - Level
 85 |       - Level Name
 86 |       - Observables
 87 |     * - 7
 88 |       - Kernel
 89 |       - | TargetObject|contains:
 90 |         | - 'Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\'
 91 |     * - 6
 92 |       - System Calls
 93 |       -
 94 |     * - 5
 95 |       - OS API
 96 |       -
 97 |     * - 4
 98 |       - Application API
 99 |       -
100 |     * - 3
101 |       - Tools Outside Adversary Control
102 |       -
103 |     * - 2
104 |       - Tools Within Adversary Control
105 |       -
106 |     * - 1
107 |       - Operational/Environmental Variables
108 |       -
109 | 
110 | Research Notes and Caveats
111 | ^^^^^^^^^^^^^^^^^^^^^^^^^^
112 | The original analytic relies on the adversary removing the AMSI provider from the
113 | registry. There is a known technique to evade this analytic where an new (Fake) AMSI is
114 | registered in the directory. This moves to detect any change in the directory. This
115 | directory is “special” due to the way the OS uses it in the queuing of AMSI tasking
116 | [#f1]_ . With these modification the adversary cannot add, remove, or modify any values
117 | in this directory, detecting the activity.
118 | 
119 | .. rubric:: References
120 | 
121 | .. [#f1] https://learn.microsoft.com/en-us/windows/win32/amsi/dev-audience#register-your-provider-dll-with-amsi
122 | 


--------------------------------------------------------------------------------
/docs/analytics/analytic.rst.template:
--------------------------------------------------------------------------------
 1 | -------------------------
 2 | Insert Analytic Name Here
 3 | -------------------------
 4 | 
 5 | Original Analytic
 6 | ^^^^^^^^^^^^^^^^^
 7 | 
 8 | .. code-block:: yaml
 9 |   
10 |   title: Insert Sigma rule here
11 | 
12 | Analytic Source: `Source Name <https://foo.bar>`_
13 | 
14 | Original Analytic Scoring
15 | ^^^^^^^^^^^^^^^^^^^^^^^^^
16 | .. list-table::
17 |     :widths: 20 20 20 20
18 |     :header-rows: 1
19 | 
20 |     * - 
21 |       - Application (A)
22 |       - User-mode (U)
23 |       - Kernel-mode (K)
24 |     * - Core to (Sub-) Technique (5)
25 |       - 
26 |       - 
27 |       - 
28 |     * - Core to Part of (Sub-) Technique (4)
29 |       - 
30 |       -
31 |       -
32 |     * - Core to Pre-Existing Tool (3)
33 |       - 
34 |       - 
35 |       -
36 |     * - Core to Adversary-brought Tool (2)
37 |       - 
38 |       - 
39 |       - 
40 |     * - Ephemeral (1)
41 |       - 
42 |       - 
43 |       - 
44 | 
45 | Improved Analytic Scoring
46 | ^^^^^^^^^^^^^^^^^^^^^^^^^
47 | 
48 | .. list-table::
49 |     :widths: 20 20 30 20
50 |     :header-rows: 1
51 | 
52 |     * - 
53 |       - Application (A)
54 |       - User-mode (U)
55 |       - Kernel-mode (K)
56 |     * - Core to (Sub-) Technique (5)
57 |       - 
58 |       - 
59 |       - 
60 |     * - Core to Part of (Sub-) Technique (4)
61 |       - 
62 |       -
63 |       -
64 |     * - Core to Pre-Existing Tool (3)
65 |       - 
66 |       - 
67 |       -
68 |     * - Core to Adversary-brought Tool (2)
69 |       - 
70 |       - 
71 |       - 
72 |     * - Ephemeral (1)
73 |       - 
74 |       - 
75 |       - 
76 | 
77 | Research Notes and Caveats
78 | ^^^^^^^^^^^^^^^^^^^^^^^^^^
79 | 
80 | Make sure to change the reference number and copy/paste what is needed in there
81 | [#f1]_ .
82 | 
83 | .. rubric:: References
84 | 
85 | .. [#f1] https://mitre.org/
86 | 


--------------------------------------------------------------------------------
/docs/analytics/archive_collected_data.rst:
--------------------------------------------------------------------------------
  1 | -------------------------
  2 | Archive Collected Data
  3 | -------------------------
  4 | 
  5 | Technique Investigation
  6 | ^^^^^^^^^^^^^^^^^^^^^^^^^
  7 | 
  8 | This technique focuses on the repeated creation of compressed archive files,
  9 | such as Zip files or WinRar files, in a short amount of time. While the creation
 10 | of file archives may be a routine part of office work, it can also be indicative
 11 | of staging files for exfiltration or can be paired with encryption to become the
 12 | impact step of a ransomware attack. The behavior which identifies the
 13 | distinction between benign usage and potential malicious usage is multiple
 14 | archive events occurring in a short time frame. This indicates the use of a
 15 | script or other automated process for creating archives, which is rare enough
 16 | for normal user activity that it should minimize false positive detections. 
 17 | 
 18 | Context Flowchart Walkthrough
 19 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 20 | 
 21 | .. figure:: ../_static/archive-collected-data-flow.png
 22 |    :alt: Context Flowchart Walkthrough for Archive Collected Data Technique
 23 |    :align: center
 24 |    :scale: 100%
 25 | 
 26 |    Click to enlarge
 27 | 
 28 | This technique, which is indistinguishable from routine workflows except for
 29 | volume, falls into the chained technique category of "Performing Abnormal
 30 | Action.” The only differentiator we identified from legitimate usage was the
 31 | volume and number of these actions in a short amount of time. This means that
 32 | effective detection needs to rely on the chaining together of several individual
 33 | events into a chain for proper detection.
 34 | 
 35 | 
 36 | Technique-Level Analysis
 37 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 38 | 
 39 | .. figure:: ../_static/analysis_archive_chain.png
 40 |    :alt: Chain-Level Analysis for Archive Collected Data Technique
 41 |    :align: center
 42 |    :scale: 100%
 43 | 
 44 |    Click to enlarge
 45 | 
 46 | .. figure:: ../_static/analysis_archive_tech.png
 47 |    :alt: Technique-Level Analysis for Archive Collected Data Technique
 48 |    :align: center
 49 |    :scale: 100%
 50 | 
 51 |    Click to enlarge
 52 | 
 53 | We researched a way in which we could pair the archive creation with
 54 | exfiltration methods directly. However, we found that there is too much
 55 | variation between specific exfiltration methods used in the attack chains that
 56 | the resulting analytics would not have been very robust. Additionally, the
 57 | environments in which we we tested these analytics had an accelerated timeline
 58 | of known adversary activity because our “known bad” event logs came from
 59 | adversary emulation exercises. Actual APT activity or ransomware campaigns may
 60 | have compression and exfiltration occur out-of-order or on time-tables that we
 61 | could not accurately predict. 
 62 | 
 63 | The focus on the volume of archive creation is one behavior we identified that
 64 | was most likely to filter out the routine usage and highlight potentially
 65 | malicious behavior.
 66 | 
 67 | Original Analytic
 68 | ^^^^^^^^^^^^^^^^^^^^^^^^^
 69 | .. code-block:: yaml
 70 | 
 71 |     powershell EventCode=4104 ScriptBlockText = "*Compress-Archive*"  ScriptBlockText = "*\\Temp\\*" 
 72 |      | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
 73 |      | rename Computer as dest 
 74 |      | rename UserID as user 
 75 |      | `security_content_ctime(firstTime)` 
 76 |      | `security_content_ctime(lastTime)` 
 77 |      | `windows_archive_collected_data_via_powershell_filter`
 78 | 
 79 | 
 80 | The `original Splunk analytic
 81 | <https://research.splunk.com/endpoint/74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5/>`_
 82 | we used for comparison focuses solely on the PowerShell usage of the
 83 | “Compress-Archive” commandlet. Additionally, it only alerted on compression
 84 | operations which occurred in a “Temp” directory. This analytic does filter out
 85 | much of the benign usage with the inclusion of this directory filter. However,
 86 | this is a brittle analytic. All an adversary need do to avoid triggering this is
 87 | to compress files outside of folders named “Temp.” Also, this focus on
 88 | PowerShell compression also leaves out scenarios where an adversary uses a
 89 | standard archiving tool like WinZip or 7zip for their compression. 
 90 | 
 91 | .. list-table::
 92 |     :widths: 20 20 20 20
 93 |     :header-rows: 1
 94 | 
 95 |     * - 
 96 |       - Application (A)
 97 |       - User-mode (U)
 98 |       - Kernel-mode (K)
 99 |     * - Core to (Sub-) Technique (5)
100 |       - 
101 |       - 
102 |       - 
103 |     * - Core to Part of (Sub-) Technique (4)
104 |       - 
105 |       - 
106 |       -
107 |     * - Core to Pre-Existing Tool (3) 
108 |       -
109 |       -
110 |       - | EventCode=4104
111 |         | \'powershell\'
112 |     * - Core to Adversary-brought Tool (2)
113 |       - 
114 |       - 
115 |       - 
116 |     * - Ephemeral (1)
117 |       - 
118 |       - 
119 |       - | ScriptBlockText = "\*\\Temp\\\*
120 | 
121 | This analytic focuses only on Process Creation of a Pre-Existing Tool commonly
122 | used on the compression technique. The event code is generated from a Kernel
123 | level operation, so for the EventCode=4104 portion of the analytic scoring, we
124 | can place that in 3K.
125 | 
126 | However, the inclusion of the "Temp" directory as a way of filtering out noise
127 | is completely Ephemeral. If an adversary were to simply avoid working out of a
128 | folder titled "Temp," the malicious behavior would be filtered out as benign.
129 | 
130 | Following the Boolean logic of how these components are being combined via
131 | “AND”, the overall analytic is thus scored as a 1K.
132 | 
133 | Improved Analytic
134 | ^^^^^^^^^^^^^^^^^^^^^^^^^
135 | 
136 | .. code-block:: yaml
137 | 
138 |    ### CORRELATION
139 |    title: Multiple Archived Files
140 |    description: Detects multiple uses of archiving utilities indicative of staging activity
141 |    status: test
142 |    correlation: 
143 |       type: event_count
144 |       rules:
145 |          - archiving_utils
146 |       group-by:
147 |          - TargetObject
148 |       timespan: 10m
149 |       condition:
150 |          gte: 5
151 |    ---
152 |    ### BASE RULE
153 |    title: Archiving Data Using Common Utilties
154 |    status: test
155 |    description: An adversary may compress data that is collected prior to exfiltration using 3rd party utilities
156 |    name: archiving_utils
157 |    author: MITRE
158 |    date: 2025-03-25 
159 |    tags:
160 |        - attack.collection
161 |        - attack.t1560.001
162 |    logsource:
163 |        product: windows
164 |        category: process_creation
165 |    detection:
166 |        selection:
167 |            - OriginalFileName:
168 |                - '7z.exe'
169 |                - '7z*.exe'
170 |                - 'winzip.exe'
171 |                - 'winzip64.exe'
172 |                - 'rar.exe'
173 |            - CommandLine|contains:
174 |                - 'Compress-Archive'
175 |        condition: 1 of selection
176 |    falsepositives:
177 |        - Legitimate user activity
178 | 
179 | 
180 | .. list-table::
181 |     :widths: 20 20 30 20
182 |     :header-rows: 1
183 | 
184 |     * - 
185 |       - Application (A)
186 |       - User-mode (U)
187 |       - Kernel-mode (K)
188 |     * - Core to (Sub-) Technique (5)
189 |       - 
190 |       - 
191 |       - 
192 |     * - Core to Part of (Sub-) Technique (4)
193 |       - 
194 |       - 
195 |       -
196 |     * - Core to Pre-Existing Tool (3)
197 |       - 
198 |       -
199 |       - | EventCode=4104
200 |         | \`powershell\`
201 |         | ScriptBlockText = "\*Compress-Archive\*“
202 |         | OriginalFileName=(7z\*.exe OR \*rar.exe)
203 | 
204 | 
205 |     * - Core to Adversary-brought Tool (2)
206 |       - 
207 |       - 
208 |       - 
209 |     * - Ephemeral (1)
210 |       - 
211 |       - 
212 |       - 
213 | 
214 | The change in our analytic focused on substituting the Ephemeral string search
215 | of "Temp" with the timespan and count of Archiving Data Using Common Utilities.
216 | This elimination of the 1K analytic scoring immediately improved the analytic to
217 | a 3K, but it also introduced a far greater chance for false positives to be
218 | generated. To reduce this false positive opportunity, we focused on a number of
219 | events that would occur within a short timeframe. This eliminated the benign use
220 | case of a user who might be using archive tools on their workstation for
221 | approved business purposes. Scripting is the only common way to reach the
222 | volumes our analytic checks, and we find this to be an acceptable level of
223 | potential false positive alerts. Please note that the number of archive events
224 | and the time span may need to be adjusted for your organization.
225 | 


--------------------------------------------------------------------------------
/docs/analytics/bloodhound.rst:
--------------------------------------------------------------------------------
  1 | :orphan:
  2 | 
  3 | ----------
  4 | BloodHound
  5 | ----------
  6 | 
  7 | Original Analytic
  8 | ^^^^^^^^^^^^^^^^^
  9 | 
 10 | .. list-table::
 11 |     :widths: 30 70
 12 | 
 13 |     * - Original Analytic
 14 |       - | selection_1:
 15 |         | TargetFilename|endswith:
 16 |         |   - '_BloodHound.zip'
 17 |         |   - '_computers.json'
 18 |         |   - '_containers.json'
 19 |         |   - '_domains.json'
 20 |         |   - '_gpos.json'
 21 |         |   - '_groups.json'
 22 |         |   - '_ous.json'
 23 |         |   - '_users.json'
 24 |         | selection_2:
 25 |         | TargetFilename|contains|all:
 26 |         |   - 'BloodHound'
 27 |         |   - '.zip'
 28 |     * - Improved Analytic
 29 |       - | | rex field=target_file_name ".*\\\\(?<bloodhound_format>\d{14}_.*\.zip)"?
 30 |         | | where isnotnull(bloodhound_format)
 31 | 
 32 | Analytic Source: `SigmaHQ <https://github.com/SigmaHQ/sigma/blob/27aac9763988ade9eca6ee513919691fae0e28e3/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml>`_
 33 | 
 34 | Original Analytic Scoring
 35 | ^^^^^^^^^^^^^^^^^^^^^^^^^
 36 | .. list-table::
 37 |     :widths: 15 30 60
 38 |     :header-rows: 1
 39 | 
 40 |     * - Level
 41 |       - Level Name
 42 |       - Observables
 43 |     * - 7
 44 |       - Kernel
 45 |       -
 46 |     * - 6
 47 |       - System Calls
 48 |       -
 49 |     * - 5
 50 |       - OS API
 51 |       -
 52 |     * - 4
 53 |       - Library API
 54 |       -
 55 |     * - 3
 56 |       - Tools Outside Adversary Control
 57 |       -
 58 |     * - 2
 59 |       - Tools Within Adversary Control
 60 |       -
 61 |     * - 1
 62 |       - Operational/Environmental Variables
 63 |       - | selection_1:
 64 |         | TargetFilename|endswith:
 65 |         |   - '_BloodHound.zip'
 66 |         |   - '_computers.json'
 67 |         |   - '_containers.json'
 68 |         |   - '_domains.json'
 69 |         |   - '_gpos.json'
 70 |         |   - '_groups.json'
 71 |         |   - '_ous.json'
 72 |         |   - '_users.json'
 73 |         | selection_2:
 74 |         | TargetFilename|contains|all:
 75 |         |   - 'BloodHound'
 76 |         |   - '.zip'
 77 | 
 78 | Improved Analytic Scoring
 79 | ^^^^^^^^^^^^^^^^^^^^^^^^^
 80 | .. list-table::
 81 |     :widths: 15 30 60
 82 |     :header-rows: 1
 83 | 
 84 |     * - Level
 85 |       - Level Name
 86 |       - Observables
 87 |     * - 7
 88 |       - Kernel
 89 |       -
 90 |     * - 6
 91 |       - System Calls
 92 |       -
 93 |     * - 5
 94 |       - OS API
 95 |       -
 96 |     * - 4
 97 |       - Library API
 98 |       -
 99 |     * - 3
100 |       - Tools Outside Adversary Control
101 |       -
102 |     * - 2
103 |       - Tools Within Adversary Control
104 |       - | | rex field=target_file_name ".*\\\\(?<bloodhound_format>\d{14}_.*\.zip)"?
105 |         | | where isnotnull(bloodhound_format)
106 |     * - 1
107 |       - Operational/Environmental Variables
108 |       -
109 | 
110 | Research Notes and Caveats
111 | ^^^^^^^^^^^^^^^^^^^^^^^^^^
112 | 
113 | The original analytic detects specific file names associated with the Active Directory
114 | reconaissance tool, BloodHound [#f1]_. Several of these file names can be easily changed
115 | by an adversary when executing the tool. An alternative detection method might look at
116 | the length of BloodHound's output zip file, which during testing was always 14
117 | characters long. This characteristic is more challenging for an adversary to evade,
118 | since it would require a recompilation of the tool. This improved analytic moves up a
119 | level from Operational/Environmental Variables to Tools Within Adversary Control.
120 | 
121 | .. rubric:: References
122 | .. [#f1] https://attack.mitre.org/software/S0521/
123 | 


--------------------------------------------------------------------------------
/docs/analytics/executable_download_webdav.rst:
--------------------------------------------------------------------------------
 1 | ---------------------------------------------------
 2 | Executable (EXE) File Download from a WebDAV Server
 3 | --------------------------------------------------- 
 4 | 
 5 | Original Analytic
 6 | ^^^^^^^^^^^^^^^^^
 7 | 
 8 | .. code-block:: yaml
 9 | 
10 |   title: Executable from Webdav
11 |   id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
12 |   status: test
13 |   description: 'Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/'
14 |   references:
15 |       - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
16 |       - https://github.com/OTRF/detection-hackathon-apt29
17 |   author: 'SOC Prime, Adam Swan'
18 |   date: 2020-05-01
19 |   modified: 2021-11-27
20 |   tags:
21 |       - attack.command-and-control
22 |       - attack.t1105
23 |   logsource:
24 |       product: zeek
25 |       service: http
26 |   detection:
27 |       selection_webdav:
28 |           - c-useragent|contains: 'WebDAV'
29 |           - c-uri|contains: 'webdav'
30 |       selection_executable:
31 |           - resp_mime_types|contains: 'dosexec'
32 |           - c-uri|endswith: '.exe'
33 |       condition: selection_webdav and selection_executable
34 |   falsepositives:
35 |       - Unknown
36 |   level: medium
37 | 
38 | Analytic Source: `SigmaHQ <https://github.com/SigmaHQ/sigma/blob/6048be5a7a3bf3b923fd4ee8236fed59ef7ff6a1/rules/network/zeek/zeek_http_executable_download_from_webdav.yml>`_
39 | 
40 | Original Analytic Scoring
41 | ^^^^^^^^^^^^^^^^^^^^^^^^^
42 | 
43 | .. list-table::
44 |     :widths: 20 30 30
45 |     :header-rows: 1
46 | 
47 |     * -
48 |       - Payload (P)
49 |       - Header (H)
50 |     * - Core to (Sub-) Technique (5)
51 |       -
52 |       -
53 |     * - Core to Part of (Sub-) Technique (4)
54 |       -
55 |       -
56 |     * - Core to Pre-Existing Tool or Inside Boundary (3)
57 |       -
58 |       -
59 |     * - Core to Adversary-Brought Tool or Outside Boundary (2)
60 |       -
61 |       - | c-uri|contains: 'webdav'
62 |         | c-uri|endswith: '.exe'
63 |     * - Ephemeral (1)
64 |       - | resp_mime_types|contains: 'dosexec'
65 |       - | c-useragent|contains: 'WebDAV'
66 | 
67 | This analytic detects executable access via the WebDAV6 tool, as identified
68 | through two selections. The analytic would trigger if the UserAgent and the URI
69 | contain ``webdav``, both of which are contained within the header. The analytic
70 | would also trigger if the responder's list of mime types contains ``dosexec``,
71 | which is contained in the payload, and the URI ends with ``.exe``, which is
72 | visible in the header.
73 | 
74 | The first selection scores as **1H** in its entirety. On its own,
75 | ``c-uri|contains: 'webdav'`` scores individually as a **2H**, as WebDAV is an
76 | adversary-brought tool whose URI format does not change and will always contain
77 | ``webdav``. However, it is ANDed with ``c-useragent|contains: 'WebDAV'``, which
78 | scores as a **1H**, due to the UserAgent being ephemeral and easily changed.
79 | Since the scores are ANDed, together they come out as a **1H**.
80 | 
81 | The second selection scores as a **1P**, as while ``c-uri|endswith: '.exe'``
82 | would individually score as a **2H**, due to the unchangeable nature of WebDAV's
83 | URIs, it is ANDed with ``resp_mime_types|contains: 'dosexec'``, which scores as
84 | a **1P**. This is a Zeek field that looks at the HTTP log to see if the keyword
85 | ``dosexec`` is present in the ordered vector of mime types from the responder.
86 | This keyword is ephemeral and requires visibility into the payload, making it a
87 | **1P** in total.
88 | 
89 | As the final score of the analytic is the greater of both selections, due to
90 | them not being dependent on each other through OR Boolean logic, we get a total
91 | analytic score of **1H**.
92 | 
93 | 


--------------------------------------------------------------------------------
/docs/analytics/file_creation_date.rst:
--------------------------------------------------------------------------------
  1 | ------------------------------------------
  2 | File Creation Date Changed to Another Year
  3 | ------------------------------------------
  4 | 
  5 | Original Analytic
  6 | ^^^^^^^^^^^^^^^^^
  7 | 
  8 | .. code-block:: yaml
  9 | 
 10 |     title: File Creation Date Changed to Another Year
 11 |     id: 558eebe5-f2ba-4104-b339-36f7902bcc1a
 12 |     status: test
 13 |     description: |
 14 |         Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.
 15 |         Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
 16 |     references:
 17 |         - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
 18 |     author: frack113, Florian Roth (Nextron Systems)
 19 |     date: 2022-08-12
 20 |     modified: 2022-10-25
 21 |     tags:
 22 |         - attack.t1070.006
 23 |         - attack.defense-evasion
 24 |     logsource:
 25 |         category: file_change
 26 |         product: windows
 27 |     detection:
 28 |         selection1:
 29 |             PreviousCreationUtcTime|startswith: '2022'
 30 |         filter1:
 31 |             CreationUtcTime|startswith: '2022'
 32 |         selection2:
 33 |             PreviousCreationUtcTime|startswith: '202'
 34 |         filter2:
 35 |             CreationUtcTime|startswith: '202'
 36 |         gen_filter_updates:
 37 |             - Image:
 38 |                 - 'C:\Windows\system32\ProvTool.exe'
 39 |                 - 'C:\Windows\System32\usocoreworker.exe'
 40 |                 - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
 41 |             - TargetFilename|startswith: 'C:\ProgramData\USOPrivate\UpdateStore\'
 42 |             - TargetFilename|endswith:
 43 |                 - '.tmp'
 44 |                 - '.temp'
 45 |         gen_filter_tiworker:
 46 |             Image|startswith: 'C:\WINDOWS\'
 47 |             Image|endswith: '\TiWorker.exe'
 48 |             TargetFilename|endswith: '.cab'
 49 |         condition: (( selection1 and not filter1 ) or ( selection2 and not filter2 )) and not 1 of gen_filter*
 50 |     falsepositives:
 51 |         - Changes made to or by the local NTP service
 52 |     level: high
 53 | 
 54 | Analytic Source: `SigmaHQ <https://github.com/SigmaHQ/sigma/blob/f33530e7561d98bc6f898f5a9137c3b2a7159a1b/rules/windows/file/file_change/file_change_win_2022_timestomping.yml>`_
 55 | 
 56 | Original Analytic Scoring
 57 | ^^^^^^^^^^^^^^^^^^^^^^^^^
 58 | .. list-table::
 59 |     :widths: 20 15 15 40
 60 |     :header-rows: 1
 61 | 
 62 |     * -
 63 |       - Application (A)
 64 |       - User-Mode (U)
 65 |       - Kernel-Mode (K)
 66 |     * - Core to (Sub-) Technique (5)
 67 |       -
 68 |       -
 69 |       - 
 70 |     * - Core to Part of (Sub-) Technique (4)
 71 |       -
 72 |       -
 73 |       - | Event ID: 4656
 74 |         | selection1: PreviousCreationUtcTime|startswith: '2022'
 75 |         | filter1: CreationUtcTime|startswith: '2022'
 76 |         | selection2: PreviousCreationUtcTime|startswith: '202'
 77 |         | filter2: CreationUtcTime|startswith: '202'
 78 |     * - Core to Pre-Existing Tool or Inside Boundary (3)
 79 |       -
 80 |       -
 81 |       - | Filter
 82 |         | Image:
 83 |         | - 'C:\Windows\system32\ProvTool.exe'
 84 |         | - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
 85 |     * - Core to Adversary-Brought Tool or Outside Boundary (2)
 86 |       -
 87 |       - 
 88 |       - 
 89 |     * - Ephemeral (1)
 90 |       -
 91 |       - 
 92 |       - | Filter
 93 |         | TargetFilename|startswith: 'C:\ProgramData\USOPrivate\UpdateStore\'
 94 |         | TargetFilename|endswith:
 95 |         | - '.tmp'
 96 |         | - '.temp'
 97 |         | gen_filter_tiworker:
 98 |         |   Image|startswith: 'C:\\WINDOWS\\'
 99 |         |   Image|endswith: '\\TiWorker.exe'
100 |         |   TargetFilename|endswith: '.cab'
101 | 
102 | This analytic aims to identify changes to a file creation date. We are scoring
103 | this analytic based on what it attempts to do, even though the value should be
104 | updated to reflect the correct year. Since it targets
105 | ``PreviousCreationUtcTime`` and ``CreationUtcTime``, which are both accurate
106 | fields, this observable was given a score of :ref:`Some Implementations` because
107 | it is part of the time-stomping sub-technique and will not detect all
108 | implementations. Moving on to the filters, the ``Image`` field, which is often
109 | an ephemeral value, is scored at a :ref:`Pre-Existing Tools` because it is a
110 | part of the windows core processes and is specific and defined file values
111 | within the OS. The next filters that target filenames are :ref:`Ephemeral
112 | Values` because an adversary can change them very easily. The last grouping of
113 | filters, ``gen_filter_tiworker``, is also an ephemeral value because these
114 | values are also easy to change. Without including the filter, the analytic would
115 | have a score of 4K, but once the scores are combined using Boolean logic, the
116 | total score would be a **1K**.


--------------------------------------------------------------------------------
/docs/analytics/index.rst:
--------------------------------------------------------------------------------
 1 | .. _analytics:
 2 | 
 3 | ====================
 4 | Analytics Repository
 5 | ====================
 6 | 
 7 | The following examples demonstrate how to score and improve an analytic in accordance
 8 | with the Summiting the Pyramid methodology.
 9 | 
10 | .. toctree::
11 |     :maxdepth: 1
12 | 
13 |     access_token_manipulation
14 |     adfind
15 |     archive_collected_data
16 |     domain_account_discovery
17 |     executable_download_webdav
18 |     file_creation_date
19 |     file_directory_discovery
20 |     link_download_webdav
21 |     lsass_memory
22 |     remote_registry
23 |     service_registry_permissions_weakness_check
24 |     task_scheduling
25 |     zeek_dce_rpc    
26 | 
27 | .. _Scored Analytics:
28 | 
29 | **Scored Analytics Repository:**
30 | 
31 | There is also a published CSV file that contains analytics that have been scored with
32 | the methodology: :download:`ScoredAnalytics <ScoredAnalytics_05062025.csv>`
33 | 
34 | **Score your own analytics in Sigma!** 
35 | 
36 | Sigma now has a tag to document the STP score of an analytic. `Checkout the
37 | Sigma tags appendix to learn more
38 | <https://github.com/SigmaHQ/sigma-specification/blob/main/appendix/sigma-tags-appendix.md#namespace-stp>`_.
39 | 


--------------------------------------------------------------------------------
/docs/analytics/link_download_webdav.rst:
--------------------------------------------------------------------------------
 1 | ----------------------------------------------------------
 2 | Link (LNK) File Download Containing a WebDAV UNC Hyperlink
 3 | ----------------------------------------------------------
 4 | 
 5 | Original Analytic
 6 | ^^^^^^^^^^^^^^^^^
 7 | 
 8 | .. code-block:: 
 9 | 
10 | 
11 |   alert http any any - any any
12 |   (
13 |   msg: "POLICY [ANY.RUN] A suspicious Lnk file leading to a WebDAV resource was downloaded";
14 |   flow: established, to_client; 
15 |   http.stat_code;
16 |   content:"200";
17 |   
18 |   file_data;
19 |   content: "|400 0000 01140200 00000000 0000000 00000046|";depth: 28; 
20 |   pcre: "/\x5c\x00\x5c(?:\x00 [a-z0-9\.\-\_])+\x00@/R";
21 |   classtype: policy-violation;
22 |   metadata: tag webdav, created_at 2024_03_20; 
23 |   sid: 8001397; rev: 1;
24 |   )
25 | 
26 | Analyic Source: `ANY.RUN <https://any.run/cybersecurity-blog/wp-content/uploads/2024/04/9-1.png>`_
27 | 
28 | Original Analytic Scoring
29 | ^^^^^^^^^^^^^^^^^^^^^^^^^
30 | 
31 | .. list-table::
32 |     :widths: 20 30 30
33 |     :header-rows: 1
34 | 
35 |     * -
36 |       - Payload (P)
37 |       - Header (H)
38 |     * - Core to (Sub-) Technique (5)
39 |       -
40 |       -
41 |     * - Core to Part of (Sub-) Technique (4)
42 |       - | Payload|beginswith: “4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46” and
43 |         | Regex pattern: “\x5C\x00\x5C(?:\x00[a-z0-9\.\-\_])+\x))@”
44 |       -
45 |     * - Core to Pre-Existing Tool or Inside Boundary (3)
46 |       -
47 |       -
48 |     * - Core to Adversary-Brought Tool or Outside Boundary (2)
49 |       -
50 |       - 
51 |     * - Ephemeral (1)
52 |       - 
53 |       - 
54 | 
55 | The Suricata rule looks for the 20-byte sequence ``4C 00 00 00 01 14 02 00 00 00
56 | 00 00 C0 00 00 00 00 00 00 46`` at the start of the file, and a regular
57 | expression (regex) pattern to match double-backslash ``\\`` followed by an
58 | arbitrary-length series of lowercase letters, digits, periods, dashes, and
59 | underscore characters followed by the ``@`` symbol. According to Microsoft
60 | documentation, the first 4 bytes of an LNK file must equal the hexadecimal value
61 | ``0x0000004C``, and the next 16 bytes must equal the Shell Link Class ID
62 | ``00021401-0000-0000-C000-000000000046``. [#f1]_  Therefore, the 20-byte sequence in
63 | this Suricata rule is robust enough to specifically identify LNK files, and this
64 | observable would have an analytic robustness score of :ref:`Some
65 | Implementations`. Furthermore, the regex pattern for the WebDAV UNC path is
66 | general enough to allow either an IP address or a host/domain name followed by
67 | the ``@`` symbol. The analytic robustness of the regex pattern is also
68 | :ref:`Some Implementations`. The event robustness is :ref:`Payload`, because it
69 | relies on visibility of the HTTP body section, and the overall robustness score
70 | for this rule is **4P**.
71 | 
72 | .. rubric:: References
73 | 
74 | .. [#f1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-4d0c-a68d-bf1d6cc0f943


--------------------------------------------------------------------------------
/docs/analytics/lsass_memory.rst:
--------------------------------------------------------------------------------
  1 | -------------------------
  2 | LSASS Memory
  3 | -------------------------
  4 | 
  5 | This technique focuses on the malicious use of dumping credential materials
  6 | stored in the Local Security Authority Subsystem Service (LSASS). While this
  7 | technique focuses on how an adversary can use LSASS process memory to access
  8 | credentials, there are also valid use cases where a legitimate user, such as an
  9 | admin, may need to access LSASS memory in an identical manner.
 10 | 
 11 | Through our investigation of the technique and its various implementations, we
 12 | found that there are a few robust mechanisms in which we can potentially
 13 | differentiate benign use cases from malicious ones. One method is to focus on
 14 | the 'GrantedAccess' mask field value found in Sysmon Event ID 10 (Process
 15 | Access), which can differ based on the implementation method and other
 16 | parameters present when LSASS is accessed.  Other potential methods include
 17 | monitoring access or modifications to associated Registry keys.
 18 | 
 19 | 
 20 | Context Flowchart Walkthrough
 21 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 22 | 
 23 | .. figure:: ../_static/lsass-memory-flow.png
 24 |    :alt: Context Flowchart Walkthrough for LSASS Memory Subtechnique
 25 |    :align: center
 26 |    :scale: 100%
 27 | 
 28 |    Click to enlarge
 29 | 
 30 | Focusing on the ambiguous nature of this technique (ex: implementations
 31 | utilizing native tools and not known adversary tooling) and walking through the
 32 | flowchart, we can categorize this technique as having “Identifiable
 33 | Modifications and Artifacts”, as we saw through the identification of the
 34 | 'GrantedAccess” mask value as a differentiator during our technique
 35 | investigation.  Consequently, we see that this technique can utilize
 36 | Technique-Level Context in our resulting improved analytic.
 37 | 
 38 | 
 39 | Technique-Level Analysis
 40 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 41 | 
 42 | .. figure:: ../_static/analysis_lsass.png
 43 |    :alt: Technique-Level Analysis for LSASS Memory Subtechnique
 44 |    :align: center
 45 |    :scale: 100%
 46 | 
 47 |    Click to enlarge
 48 | 
 49 | Based on the investigative research we did on the LSASS memory sub-technique, we
 50 | identified a key event artifact within Sysmon Event ID 10 that we can use to
 51 | identify probably malicious intent. The GrantedAccess mask value is a
 52 | low-variance behavior that serves as an effective differentiator between
 53 | malicious and benign behavior, and given the value which corresponds to certain
 54 | requested permissions, we can incorporate it into an analytic in order to
 55 | maintain robustness while also helping to reduce false positives.
 56 | 
 57 | 
 58 | Original Analytic
 59 | ^^^^^^^^^^^^^^^^^^^^^^^^^
 60 | 
 61 | CAR-2019-04-004: Credential Dumping via Mimikatz:
 62 | https://car.mitre.org/analytics/CAR-2019-04-004/
 63 | 
 64 | .. code-block:: yaml
 65 |   
 66 |   index=__your_sysmon_data__ EventCode=10
 67 |   TargetImage="C:\\WINDOWS\\system32\\lsass.exe"
 68 |   (GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)
 69 |   CallTrace="C:\\windows\\SYSTEM32\\ntdll.dll+*|C:\\windows\\System32\\KERNELBASE.dll+20edd|UNKNOWN(*)"
 70 |   | table _time hostname user SourceImage GrantedAccess
 71 | 
 72 | The above analytic looks for instances where processes are requesting certain
 73 | permissions to read parts of LSASS in order to detect potential credential
 74 | dumping. The components of this analytic are tuned to implementations utilizing
 75 | Mimikatz, which while effective, may weed out other potential malicious
 76 | activity.  
 77 | 
 78 | .. list-table::
 79 |     :widths: 20 20 20 20
 80 |     :header-rows: 1
 81 | 
 82 |     * - 
 83 |       - Application (A)
 84 |       - User-mode (U)
 85 |       - Kernel-mode (K)
 86 |     * - Core to (Sub-) Technique (5)
 87 |       - 
 88 |       - 
 89 |       - 
 90 |     * - Core to Part of (Sub-) Technique (4)
 91 |       - 
 92 |       - | TargetImage="\*lsass.exe"
 93 |         | GrantedAccess=0x1410 or 0x1010 or 0x143a or 0x1418
 94 | 
 95 |       -
 96 |     * - Core to Pre-Existing Tool (3)
 97 |       - 
 98 |       - 
 99 |       -
100 |     * - Core to Adversary-brought Tool (2)
101 |       - 
102 |       - | CallTrace="C:\\windows\\SYSTEM32\\ntdll.dll+\* 
103 |         | | C:\\windows\\System32\\KERNELBASE.dll+20edd
104 |         | | UNKNOWN(*)"
105 |       - 
106 |     * - Ephemeral (1)
107 |       - 
108 |       - 
109 |       - 
110 | 
111 | Sysmon Event ID is triggered via a user-mode API, and so is scored at the 'U'
112 | level.  From our research, we know that the GrantedAccess mask value can be used
113 | as a good differentiator for identifying probable malicious intent, and so that
114 | component is scored as a 4U. Utilizing the CallTrace value is a viable method to
115 | reduce false positives by honing in on the function residing at the specified
116 | virtual address. 
117 | 
118 | Because this function is specific to a default configuration of a version of
119 | Mimikatz, we score it at a 2U.
120 | 
121 | Following the Boolean logic of how these components are being combined via
122 | “AND”, the overall analytic is thus scored as a 2U.
123 | 
124 | 
125 | Improved Analytic
126 | ^^^^^^^^^^^^^^^^^^^^^^^^^
127 | 
128 | .. list-table::
129 |     :widths: 20 20 30 20
130 |     :header-rows: 1
131 | 
132 |     * - 
133 |       - Application (A)
134 |       - User-mode (U)
135 |       - Kernel-mode (K)
136 |     * - Core to (Sub-) Technique (5)
137 |       - 
138 |       - 
139 |       - 
140 |     * - Core to Part of (Sub-) Technique (4)
141 |       - 
142 |       - | TargetImage="\*lsass.exe"
143 |         | GrantedAccess=0x1410 or 0x1010
144 | 
145 |       -
146 |     * - Core to Pre-Existing Tool (3)
147 |       - 
148 |       - | **Filter:** NOT SourceUser=NT Authority/System
149 |       -
150 |     * - Core to Adversary-brought Tool (2)
151 |       - 
152 |       - 
153 |       - 
154 |     * - Ephemeral (1)
155 |       - 
156 |       - 
157 |       - 
158 | 
159 | Starting from the original analytic, we removed the CallTrace value that focused
160 | on more narrow implementations involving Mimikatz. After conducting some field
161 | testing on the GrantedAccess mask values in our environment, we found that a
162 | large majority of the benign uses of lsass.exe are made using the 0x1fffff
163 | access mask, while the 0x1010 and 0x1410 are far less common. These masks allow
164 | us to dramatically lower our false positives while retaining visibility for
165 | multiple implementations of LSASS memory access. Additional malicious
166 | GrantedAccess masks could be added to make the detection more accurate in
167 | capturing more implementations based on what is expected within the environment.
168 | Since this is not a Level 5: Core to Sub-Technique or Technique, it will not
169 | capture all malicious events, and can be put in the Level 4 category.
170 | 
171 | While this analytic was much better in terms of accuracy and resistance to
172 | adversary evasion over time, there is still potential for false positives that
173 | we can try to address. From analysis in our own testing environment, we were
174 | able to discern that an individual users accessing LSASS is probably more
175 | indicative of malicious behavior than other system-associated accounts, and thus
176 | could be a way to reduce some false positives. The SourceUser field is managed
177 | by the organization and specific to the environment, making it a Level 3: Core
178 | to Pre-Existing Tools or Inside Boundary. Additionally, the value ``NT
179 | AUTHORITY\SYSTEM`` is a specific value that is known to run mostly benign
180 | activities throughout the system. While this introduces another means for the
181 | adversary to potentially hide (by acting as one of those “trusted” users), we
182 | made the determination that filtering on user was more beneficial in terms of
183 | reducing false positives than it would be harmful to robustness. 
184 | 
185 | With all this considered and combined, our final analytic scoring comes out to a
186 | 3U with the use of a filter.
187 | 
188 | 


--------------------------------------------------------------------------------
/docs/analytics/remote_registry.rst:
--------------------------------------------------------------------------------
  1 | --------------------------------------------
  2 | Remote Registry Management Using Reg Utility
  3 | --------------------------------------------
  4 | 
  5 | Original Analytic
  6 | ^^^^^^^^^^^^^^^^^
  7 | 
  8 | .. code-block:: yaml
  9 | 
 10 |     title: Remote Registry Management Using Reg Utility
 11 |     id: 68fcba0d-73a5-475e-a915-e8b4c576827e
 12 |     status: test
 13 |     description: Remote registry management using REG utility from non-admin workstation
 14 |     references:
 15 |         - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 16 |     author: Teymur Kheirkhabarov, oscd.community
 17 |     date: 2019-10-22
 18 |     modified: 2023-12-15
 19 |     tags:
 20 |         - attack.credential-access
 21 |         - attack.defense-evasion
 22 |         - attack.discovery
 23 |         - attack.s0075
 24 |         - attack.t1012
 25 |         - attack.t1112
 26 |         - attack.t1552.002
 27 |     logsource:
 28 |         product: windows
 29 |         service: security
 30 |     detection:
 31 |         selection:
 32 |             EventID: 5145
 33 |             RelativeTargetName|contains: '\winreg'
 34 |         filter_main:
 35 |             IpAddress|expand: '%Admins_Workstations%'
 36 |         condition: selection and not filter_main
 37 |     falsepositives:
 38 |         - Legitimate usage of remote registry management by administrator
 39 |     level: medium
 40 | 
 41 | Analytic Source: `SigmaHQ <https://github.com/SigmaHQ/sigma/blob/f33530e7561d98bc6f898f5a9137c3b2a7159a1b/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml>`_
 42 | 
 43 | Original Host-Based Analytic Scoring
 44 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 45 | .. list-table::
 46 |     :widths: 20 20 20 30
 47 |     :header-rows: 1
 48 | 
 49 |     * -
 50 |       - Application (A)
 51 |       - User-Mode (U)
 52 |       - Kernel-Mode (K)
 53 |     * - Core to (Sub-) Technique (5)
 54 |       -
 55 |       -
 56 |       -
 57 |     * - Core to Part of (Sub-) Technique (4)
 58 |       -
 59 |       -
 60 |       - | Event ID: 5145
 61 |         | RelativeTargetName|contains: '\\winreg'
 62 |     * - Core to Pre-Existing Tool or Inside Boundary (3)
 63 |       -
 64 |       -
 65 |       -
 66 |     * - Core to Adversary-Brought Tool or Outside Boundary (2)
 67 |       -
 68 |       - 
 69 |       - 
 70 |     * - Ephemeral (1)
 71 |       -
 72 |       - 
 73 |       - | Filter: IpAddress|expand: '%Admins_Workstations%'
 74 | 
 75 | Improved Analytic Scoring #1
 76 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 77 | .. list-table::
 78 |     :widths: 20 20 20 30
 79 |     :header-rows: 1
 80 | 
 81 |     * -
 82 |       - Application (A)
 83 |       - User-Mode (U)
 84 |       - Kernel-Mode (K)
 85 |     * - Core to (Sub-) Technique (5)
 86 |       -
 87 |       -
 88 |       -
 89 |     * - Core to Part of (Sub-) Technique (4)
 90 |       -
 91 |       -
 92 |       - | Event ID: 5145
 93 |         | RelativeTargetName|contains: 'winreg'
 94 |     * - Core to Pre-Existing Tool or Inside Boundary (3)
 95 |       -
 96 |       -
 97 |       - | Filter: SubjectUserName|expand: '%Admins_Workstations%'
 98 |     * - Core to Adversary-Brought Tool or Outside Boundary (2)
 99 |       -
100 |       - 
101 |       - 
102 |     * - Ephemeral (1)
103 |       -
104 |       - 
105 |       - 
106 | 
107 | This analytic specifically looks at Event ID 5145, which generates every time a
108 | network share object is accessed. At a glance, this can look like Sysmon 18, but
109 | when access is requested for the network share itself the field appears as
110 | ``\``. [#f1]_ Event ID 5145 was given a score of :ref:`Kernel-Mode` due to the
111 | level of permission needed at the kernel level to access network share objects.
112 | This analytic is looking for any remote access to the registry and is filtering
113 | on the remote source, giving it a score of :ref:`Some Implementations`, making
114 | the total score for this observable a **4K**. 
115 | 
116 | The initial score for the filter was a **1K** because it would be easy for an
117 | adversary to change or spoof the IP address the filter is targeting.
118 | Additionally, IPs can be shared and frequently change from user to user within
119 | an internal network, making the filter not accurate. When the Boolean logic is
120 | used to combine the scores, **we get a total analytic score of 1K**.
121 | 
122 | However, the score can be improved in two ways. First, the filter target can be
123 | improved by using ``SubjectUserName`` instead of ``IpAddress``. By using a
124 | username instead of an ephemeral IP address, the filter now targets a field that
125 | calls an specific ID set and managed by the enterprise. The filter score
126 | increases to a 3K, which then increases the overall analytic score to a **3K**
127 | as well.
128 | 
129 | Additionally, the ``RelativeTargetName`` value can remove the use of “\”.
130 | According to Microsoft documentation, if access is requested to the share
131 | itself, then the value of RelativeTargetName would equal ``\``, rather than
132 | contain a slash pre-pended to the pipe name. To ensure the analytic is working
133 | properly, the slash should be removed from the ``RelativeTargetName``.
134 | 
135 | Original Network Traffic Analytic Scoring
136 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
137 | 
138 | .. list-table::
139 |     :widths: 20 30 30
140 |     :header-rows: 1
141 | 
142 |     * -
143 |       - Payload (P)
144 |       - Header (H)
145 |     * - Core to (Sub-) Technique (5)
146 |       -
147 |       -
148 |     * - Core to Part of (Sub-) Technique (4)
149 |       - 
150 |       - | **Zeek Log: dce_rpc.log**
151 |         | named_pipe: winreg
152 |         | **Zeek Log: smb_files.log**
153 |         | - path: \*\\IPC$
154 |         | - name: winreg
155 |     * - Core to Pre-Existing Tool or Inside Boundary (3)
156 |       -
157 |       - | Filter: SubjectUserName|expand: '%Admins_Workstations%'
158 |     * - Core to Adversary-Brought Tool or Outside Boundary (2)
159 |       -
160 |       - 
161 |     * - Ephemeral (1)
162 |       - 
163 |       - 
164 | 
165 | The network analytic shown above is the network equivalent of the host-based
166 | analytic, which simply detects remote access to the registry via the Windows
167 | Remote Registry Protocol via the named pipe ``winreg``. However, simply
168 | detecting the named pipe is very broadly scoped and would not necessarily
169 | indicate that a user or adversary is attempting to modify the registry by
170 | creating new keys or setting new values. It is possible to create a more
171 | detailed detection analytic by leveraging other fields within Zeek's dce_rpc.log
172 | and identifying the specific RPC operations observed within the network traffic.
173 | 
174 | Improved Analytic Scoring #2
175 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
176 | 
177 | .. list-table::
178 |     :widths: 20 30 30
179 |     :header-rows: 1
180 | 
181 |     * -
182 |       - Payload (P)
183 |       - Header (H)
184 |     * - Core to (Sub-) Technique (5)
185 |       -
186 |       -
187 |     * - Core to Part of (Sub-) Technique (4)
188 |       - 
189 |       - | **Zeek Log: dce_rpc.log**
190 |         | endpoint: winreg
191 |         | operation:
192 |         | - BaseRegCreateKey
193 |         | - BaseRegSetValue
194 |     * - Core to Pre-Existing Tool or Inside Boundary (3)
195 |       -
196 |       - | Filter: SubjectUserName|expand: '%Admins_Workstations%'
197 |     * - Core to Adversary-Brought Tool or Outside Boundary (2)
198 |       -
199 |       - 
200 |     * - Ephemeral (1)
201 |       - 
202 |       - 
203 | 
204 | .. rubric:: References
205 | 
206 | .. [#f1] https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5145


--------------------------------------------------------------------------------
/docs/analytics/service_registry_permissions_weakness_check.rst:
--------------------------------------------------------------------------------
  1 | -------------------------------------------
  2 | Service Registry Permissions Weakness Check
  3 | -------------------------------------------
  4 | 
  5 | Original Analytic
  6 | ^^^^^^^^^^^^^^^^^
  7 | 
  8 | .. code-block:: yaml
  9 | 
 10 |   title: Service Registry Permissions Weakness Check
 11 |   id: 95afc12e-3cbb-40c3-9340-84a032e596a3
 12 |   status: test
 13 |   description: |
 14 |       Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
 15 |       Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
 16 |       Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
 17 |   references:
 18 |       - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
 19 |       - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2
 20 |   author: frack113
 21 |   date: 2021/12/30
 22 |   tags:
 23 |       - attack.persistence
 24 |       - attack.t1574.011
 25 |   logsource:
 26 |       product: windows
 27 |       category: ps_script
 28 |       definition: 'Requirements: Script Block Logging must be enabled'
 29 |   detection:
 30 |       selection:
 31 |           ScriptBlockText|contains|all:
 32 |               - 'get-acl'
 33 |               - 'REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\'
 34 |       condition: selection
 35 |   falsepositives:
 36 |       - Legitimate administrative script
 37 |   level: medium
 38 | 
 39 | Analytic Source: `SigmaHQ <https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml>`_
 40 | 
 41 | Original Analytic Scoring
 42 | ^^^^^^^^^^^^^^^^^^^^^^^^^
 43 | .. list-table::
 44 |     :widths: 20 30 20 20
 45 |     :header-rows: 1
 46 | 
 47 |     * -
 48 |       - Application (A)
 49 |       - User-mode (U)
 50 |       - Kernel-mode (K)
 51 |     * - Core to (Sub-) Technique (5)
 52 |       -
 53 |       -
 54 |       -
 55 |     * - Core to Part of (Sub-) Technique (4)
 56 |       -
 57 |       -
 58 |       -
 59 |     * - Core to Pre-Existing Tool (3)
 60 |       -
 61 |       -
 62 |       -
 63 |     * - Core to Adversary-brought Tool (2)
 64 |       - | EventID: 4104
 65 |         | ScriptBlockText|contains|all:
 66 |         | - 'get-acl'
 67 |         | - 'REGISTRY::HKLM\\SYSTEM\\CurrentControlSet\\Services\\'
 68 |       -
 69 |       -
 70 |     * - Ephemeral (1)
 71 |       -
 72 |       -
 73 |       -
 74 | 
 75 | Improved Analytic Scoring
 76 | ^^^^^^^^^^^^^^^^^^^^^^^^^
 77 | 
 78 | .. list-table::
 79 |     :widths: 20 20 20 30
 80 |     :header-rows: 1
 81 | 
 82 |     * -
 83 |       - Application (A)
 84 |       - User-mode (U)
 85 |       - Kernel-mode (K)
 86 |     * - Core to (Sub-) Technique (5)
 87 |       -
 88 |       -
 89 |       - | EventID: 4663​
 90 |         | TargetObject: “\*SYSTEM\\CurrentControlSet\\Services\\\*”
 91 |     * - Core to Part of (Sub-) Technique (4)
 92 |       -
 93 |       -
 94 |       -
 95 |     * - Core to Pre-Existing Tool (3)
 96 |       -
 97 |       -
 98 |       -
 99 |     * - Core to Adversary-brought Tool (2)
100 |       -
101 |       -
102 |       -
103 |     * - Ephemeral (1)
104 |       -
105 |       -
106 |       -
107 | 
108 | This analytic uses the Windows PowerShell logging Event ID 4104 and detects on specific
109 | values in the ScriptBlockText field [#f1]_. While the specified registry key is core to
110 | the subtechnique [#f2]_, the actual observable is the string representation of that
111 | registry key inside the script text. It is relatively easy for an attacker to obfuscate
112 | keywords or values in a PowerShell script. For example, the cmdlet ``get-acl`` is
113 | defined and included in the Microsoft.PowerShell.Security module, but equivalent
114 | functionality can be accomplished with a renamed or custom cmdlet that doesn't require
115 | ``get-acl`` exist in the script text. The registry key string can be obfuscated in other
116 | ways [#f3]_, several of which are shown below. Since the adversary can modify their
117 | tools and associated scripts before deployment to evade this analytic, it is **2A**.
118 | 
119 | .. code-block::
120 | 
121 |   # Let's start with a simple example:
122 |   function Invoke-Malware {
123 |     Write-Host 'Malware!';
124 |   }
125 | 
126 |   # Simple signature: if script contains “Write-Host 'Malware'” → Malicious
127 |   # Simple bypass:
128 |   function Invoke-Malware {
129 |     Write-Host "Malware!";
130 |   }
131 | 
132 |   # Simple signature: if re.findall(“Write-Host .Malware.”, script) → Malicious
133 |   # Simple bypass:
134 |   function Invoke-Malware {
135 |     Write-Host (“Mal” + “ware!”);
136 |   }
137 | 
138 |   # Let's start being a little more sophisticated (just a bit):
139 |   function Invoke-NotMalware {
140 |     $malware_base64 = "V3JpdGUtSG9zdCAiTWFsd2FyZSEi";
141 |     $malware = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($malware_base64));
142 |     IEX ($malware);
143 |   }
144 | 
145 |   # Simple signature:
146 |   # if script contains “V3JpdGUtSG9zdCAiTWFsd2FyZSEi” → Malicious
147 |   # Simple bypass:
148 |   function Invoke-NotMalware {
149 |     $malware_base64 = "VwByAGkAdABlAC0ASABvAHMAdAAgACIATQBhAGwAdwBhAHIAZQAhACIA";
150 |     $malware = [System.Text.Encoding]::UNICODE.GetString([System.Convert]::FromBase64String($malware_base64));
151 |     IEX ($malware);
152 |   }
153 | 
154 |   # Security solutions are able to emulate base64 decoding
155 |   # So malware authors move to algorithm based obfuscation such as XOR:
156 |   $key = 0x64
157 |   $encodedMalware = "M2QWZA1kEGQBZElkLGQLZBdkEGREZEZkKWQFZAhkE2QFZBZkAWRFZEZk";
158 |   $bytes = [Convert]::FromBase64String($encodedMalware)
159 |   $decodedBytes = foreach ($byte in $bytes) {$byte -bxor $key}
160 |   $decodedMalware = [System.Text.Encoding]::Unicode.GetString($decodedBytes)
161 |   IEX ($decodedMalware)
162 | 
163 | A more robust way of detecting the original behavior involves setting a Security Access
164 | Control List (SACL) on the registry key. Setting a SACL on the registry key enables
165 | using a kernel-mode data source to detect the ``get-acl`` behavior of a script without
166 | looking at the contents of the script itself. Once the SACL is set and configured, an
167 | EventID 4663 will be generated whenever an attempt is made to access the registry key.
168 | 
169 | .. note::
170 | 
171 |     SACLs have configuration options which can change the accuracy of an analytic. One
172 |     configuration option is to log the "Full Control" set of activity and get a complete
173 |     view of registry key activity, and then query those results for when the registry
174 |     key is read (when the ``AccessMask`` field has the corresponding value
175 |     ``READ_CONTROL`` [#f4]_). However, this approach could generate a large amount of
176 |     benign noise. As an alternative, the SACL can be configured to generate an event
177 |     only when the key is read.
178 | 
179 | .. rubric:: References
180 | 
181 | .. [#f1] https://github.com/OTRF/OSSEM-DD/blob/5e16ccfe548c8c0249430247a99e213636b2a5a5/windows/etw-providers/Microsoft-Windows-PowerShell/events/event-4104_v1.yml#L22
182 | .. [#f2] https://attack.mitre.org/techniques/T1574/011/
183 | .. [#f3] https://i.blackhat.com/briefings/asia/2018/asia-18-Tal-Liberman-Documenting-the-Undocumented-The-Rise-and-Fall-of-AMSI.pdf
184 | .. [#f4] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/5ee8db78-5f0e-47b2-aba7-8447ff454e3b
185 | 


--------------------------------------------------------------------------------
/docs/analytics/zeek_dce_rpc.rst:
--------------------------------------------------------------------------------
  1 | ---------------------------------
  2 | Zeek DCE-RPC MITRE BZAR Execution
  3 | ---------------------------------
  4 | 
  5 | Original Analytic
  6 | ^^^^^^^^^^^^^^^^^
  7 | 
  8 | .. code-block:: yaml
  9 | 
 10 |   title: MITRE BZAR Indicators for Execution
 11 |     id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
 12 |     status: test
 13 |     description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
 14 |     references:
 15 |         - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
 16 |     author: '@neu5ron, SOC Prime'
 17 |     date: 2020-03-19
 18 |     modified: 2021-11-27
 19 |     tags:
 20 |         - attack.execution
 21 |         - attack.t1047
 22 |         - attack.t1053.002
 23 |         - attack.t1569.002
 24 |     logsource:
 25 |         product: zeek
 26 |         service: dce_rpc
 27 |     detection:
 28 |         op1:
 29 |             endpoint: 'JobAdd'
 30 |             operation: 'atsvc'
 31 |         op2:
 32 |             endpoint: 'ITaskSchedulerService'
 33 |             operation: 'SchRpcEnableTask'
 34 |         op3:
 35 |             endpoint: 'ITaskSchedulerService'
 36 |             operation: 'SchRpcRegisterTask'
 37 |         op4:
 38 |             endpoint: 'ITaskSchedulerService'
 39 |             operation: 'SchRpcRun'
 40 |         op5:
 41 |             endpoint: 'IWbemServices'
 42 |             operation: 'ExecMethod'
 43 |         op6:
 44 |             endpoint: 'IWbemServices'
 45 |             operation: 'ExecMethodAsync'
 46 |         op7:
 47 |             endpoint: 'svcctl'
 48 |             operation: 'CreateServiceA'
 49 |         op8:
 50 |             endpoint: 'svcctl'
 51 |             operation: 'CreateServiceW'
 52 |         op9:
 53 |             endpoint: 'svcctl'
 54 |             operation: 'StartServiceA'
 55 |         op10:
 56 |             endpoint: 'svcctl'
 57 |             operation: 'StartServiceW'
 58 |         condition: 1 of op*
 59 |     falsepositives:
 60 |         - Windows administrator tasks or troubleshooting
 61 |         - Windows management scripts or software
 62 |     level: medium  
 63 | 
 64 | Analytic Source: `SigmaHQ <https://github.com/SigmaHQ/sigma/blob/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml>`_
 65 | 
 66 | Original Analytic Scoring
 67 | ^^^^^^^^^^^^^^^^^^^^^^^^^
 68 | 
 69 | .. list-table::
 70 |     :widths: 20 30 30
 71 |     :header-rows: 1
 72 | 
 73 |     * -
 74 |       - Payload (P)
 75 |       - Header (H)
 76 |     * - Core to (Sub-) Technique (5)
 77 |       -
 78 |       - 
 79 |     * - Core to Part of (Sub-) Technique (4)
 80 |       - 
 81 |       - | **Zeek Log: dce_rpc.log**
 82 |         | T1053.002
 83 |         | endpoint: atsvc
 84 |         | operation: NetrJobAdd
 85 |         |
 86 |         | T1053.005
 87 |         | endpoint: ITaskScheduler
 88 |         | operation:
 89 |         | - SchRpcRegisterTask
 90 |         | - SchRpcEnableTask
 91 |         | - SchRpcRun 
 92 |         | 
 93 |         | T1047 
 94 |         | endpoint: IWbemServices 
 95 |         | operation:
 96 |         | - ExecMethod 
 97 |         | - ExecMethodAsync
 98 |         | 
 99 |         | T1569.002
100 |         | endpoint: svcctl 
101 |         | operation:
102 |         | - CreateServiceA
103 |         | - CreateServiceW 
104 |         | - StartServiceA
105 |         | - StartServiceW 
106 |     * - Core to Pre-Existing Tool or Inside Boundary (3)
107 |       -
108 |       -
109 |     * - Core to Adversary-Brought Tool or Outside Boundary (2)
110 |       -
111 |       - 
112 |     * - Ephemeral (1)
113 |       - 
114 |       - 
115 | 
116 | This Sigma detection analytic is based on `MITRE's BZAR scripts for Zeek
117 | <https://github.com/mitre-attack/bzar>`_. It is an aggregation of remote
118 | execution techniques leveraging various Windows system services via the RPC
119 | protocol. Using Zeek's dce_rpc.log, this analytic looks at the endpoint field
120 | within the log to identify the Windows At Service Remote Protocol (``atsvc``) ,
121 | Windows Task Scheduler Service Remote Protocol (``ITaskScheduler``),  Windows
122 | Management Instrumentation (WMI) Remote Protocol (``IWbemServices``), [#f1]_
123 | and Windows Service Control Manager Remote Protocol (``svcctl``). [#f2]_  This
124 | analytic then looks at the operation field to identify certain operations within
125 | each Windows service associated with remote execution.
126 | 
127 | The Sigma detection analytic could benefit from a couple of improvements:
128 | 
129 | * For `T1053.002 <https://attack.mitre.org/techniques/T1053/002/>`_, the Sigma
130 |   analytic contains an error where the values for endpoint and operation are
131 |   transposed. According to the original detection analytic in MITRE's BZAR,
132 |   [#f3]_  the endpoint should be ``atsvc``, and the operation should be
133 |   ``JobAdd``. Interestingly, digging a little deeper, the full name of the
134 |   operation should be ``NetrJobAdd``, which is the string value defined in
135 |   Zeek's ``DCE_RPC::operations table``. [#f4]_  It appears that both the Sigma
136 |   analytic and the original BZAR scripts contain errors that should be
137 |   corrected.
138 | * For `T1569.002 <https://attack.mitre.org/techniques/T1569/002/>`_, the Sigma
139 |   analytic contains four operations related to creating or starting a service:
140 |   ``CreateServiceA``, ``CreateServiceW``, ``StartServiceA``, ``StartServiceW``.
141 |   The original release of MITRE's BZAR in 2019 contained only these four
142 |   operations, but it was updated in 2020 to include two more operations:
143 |   ``CreateServiceWOW64A`` and ``CreateServiceWOW64W``. Digging a little deeper,
144 |   Microsoft more recently updated the Windows Service Control Manager Remote
145 |   Protocol and added one more relevant operation: ``CreateWowService``. It
146 |   appears that both the Sigma analytic and the BZAR scripts should be updated to
147 |   reflect the current state.
148 | 
149 | Improved Analytic Scoring
150 | ^^^^^^^^^^^^^^^^^^^^^^^^^
151 | 
152 | .. list-table::
153 |     :widths: 20 30 30
154 |     :header-rows: 1
155 | 
156 |     * -
157 |       - Payload (P)
158 |       - Header (H)
159 |     * - Core to (Sub-) Technique (5)
160 |       -
161 |       - 
162 |     * - Core to Part of (Sub-) Technique (4)
163 |       - 
164 |       - | **Zeek Log: dce_rpc.log**
165 |         | T1053.002
166 |         | endpoint: atsvc
167 |         | operation: NetrJobAdd
168 |         |
169 |         | T1053.005
170 |         | endpoint: ITaskScheduler
171 |         | operation:
172 |         | - SchRpcRegisterTask
173 |         | - SchRpcEnableTask
174 |         | - SchRpcRun 
175 |         | 
176 |         | T1047 
177 |         | endpoint: IWbemServices 
178 |         | operation:
179 |         | - ExecMethod 
180 |         | - ExecMethodAsync
181 |         | 
182 |         | T1569.002
183 |         | endpoint: svcctl 
184 |         | operation:
185 |         | - CreateWowService*
186 |         | - CreateService*
187 |         | - StartService* 
188 |     * - Core to Pre-Existing Tool or Inside Boundary (3)
189 |       -
190 |       -
191 |     * - Core to Adversary-Brought Tool or Outside Boundary (2)
192 |       -
193 |       - 
194 |     * - Ephemeral (1)
195 |       - 
196 |       - 
197 | 
198 | 
199 | .. rubric:: References
200 | 
201 | .. [#f1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wmi/c476597d-4c76-47e7-a2a4-a564fe4bf814
202 | .. [#f2] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f
203 | .. [#f3] https://github.com/mitre-attack/bzar?tab=readme-ov-file#45-indicators-for-attck-execution
204 | .. [#f4] https://docs.zeek.org/en/current/scripts/base/protocols/dce-rpc/consts.zeek.html#id-DCE_RPC::operations
205 | 


--------------------------------------------------------------------------------
/docs/chaining.rst:
--------------------------------------------------------------------------------
 1 | .. _Chaining Analytics:
 2 | 
 3 | Chaining Analytics
 4 | =====================
 5 | 
 6 | **Understand the Differences Between “Loose” and “Direct” Correlation**
 7 | 
 8 | There are two ways we can define the relationship between analytics we would
 9 | like to chain together. If we have CTI reporting of a specific adversary or
10 | campaign that uses a specific set of activities, then a direct correlation is
11 | appropriate. If we are looking at a trend from multiple adversaries or campaigns
12 | with some common activities seen, then that is a loose correlation. 
13 | 
14 |   
15 | Direct Correlation 
16 | ---------------------
17 | Direct correlation is used when there is a clear focus on a specific campaign,
18 | adversary, or tool. The most effective direct correlation analytics involve
19 | actions that are dependent on one another. For example, an adversary performs an
20 | initial action, and a subsequent action relies on the success of the first.
21 | These dependent actions may originate from different data sources or occur in
22 | different parts of the network, but their interdependence is key to establishing
23 | a direct correlation. This method is straightforward, as the analytics are
24 | chained together in a sequence where all actions must occur for the correlation
25 | to be valid.
26 | 
27 | **Example:**
28 | 
29 | Let's assume we have reporting that an adversary uses three commands together to
30 | accomplish a singular task, and the use of those commands individually would not
31 | achieve the same goal. This is a case of a direct correlation and we want all
32 | conditions to be met before triggering an alert. 
33 | 
34 | 
35 |  Analytic1 AND Analytic2 AND Analytic3
36 | 
37 | All three analytics need to be triggered for this to create a alert. 
38 | 
39 |   
40 | Loose Correlation 
41 | ---------------------
42 | Loose correlation is applied when there is only a general idea of the
43 | adversary's behavior, rather than precise knowledge of the specific actions they
44 | will take. A good example of this is discovery activity, which occurs frequently
45 | on networks and can be difficult to distinguish as either normal behavior or
46 | adversary activity. For instance, system information discovery may be observed
47 | across multiple systems, while remote file share discovery may occur on a
48 | different set of systems. Individually, these actions may appear benign, but
49 | when multiple techniques converge on a single system or user, they begin to form
50 | a pattern that suggests adversary activity.
51 | 
52 | **Example:**
53 | 
54 | Now let's assume we see several commands that are used to achieve an action by
55 | the adversary, but that action can be achieved with a few different options. We
56 | consider that a loose correlation. Our detection analytic will include all of
57 | the known combinations, but we set a threshold where we need to see *n*
58 | conditions met for an alert to trigger. This threshold reduces false positives
59 | while still capturing the activity.  
60 | 
61 |  Analytic1 OR Analytic2 OR Analytic3 
62 | 
63 |  Distinct_Count (Analytic_ID) by Host 
64 | 
65 |  Where Distinct_count >=2 
66 | 
67 | We are looking at three activities and counting the number of alerts that go
68 | off. Importantly this is a distinct count meaning that even if Analytic1 goes
69 | off 10 times it is only counted once. Then we set a threshold where if 2 or more
70 | go off, an alert is triggered.
71 | 
72 | Importantly, loose correlation does not account for the order in which actions
73 | occur, making it less complex to implement compared to methods that rely on
74 | strict sequencing.
75 | 
76 | While some implementations attempt to enforce strict sequencing, we have found
77 | that this approach can be challenging to implement effectively. The complexity
78 | and cost of such implementations often outweigh the benefits, and adoption of
79 | these types of analytics have been limited in practice. Loose correlation, by
80 | contrast, offers a more practical and scalable solution, allowing organizations
81 | to adapt thresholds and analytics to their specific environments while
82 | maintaining a balance between detection accuracy and operational feasibility.
83 | 


--------------------------------------------------------------------------------
/docs/changelog.rst:
--------------------------------------------------------------------------------
 1 | Changelog
 2 | =========
 3 | 
 4 | Version History
 5 | ---------------
 6 | 
 7 | 3.0 -- May 8th, 2025
 8 | 
 9 |     This release includes our "Ambiguous Techniques" research, which defines
10 |     what makes a technique ambiguous, identifies examples of ambiguous
11 |     techniques in MITRE ATT&CK, and contributes new best practices for building
12 |     robust detections for ambiguous techniques.
13 | 
14 | 2.0 -- December 17th, 2024
15 | 
16 |     This major update defines "robustness" in the context of detection
17 |     engineering, how to quantify robustness and how to improve it in your
18 |     existing detections. This release also adds new elements to the STP model
19 |     for scoring network detections.
20 | 
21 | 1.0 -- September 14th, 2023
22 | 
23 |     The initial release of Summiting the pyramid includes the model,
24 |     methodology, definitions, and worked examples.
25 | 
26 | 
27 | Acknowledgements
28 | ----------------
29 | 
30 | The Summiting the Pyramid project team includes:
31 | 
32 | * Michaela Adams
33 | * Roman Daszczyszak
34 | * Michael Esposito
35 | * Antonia Feffer
36 | * Mark Fernandez
37 | * Steve Luke
38 | * Robert Schull
39 | * Sean Sweeney
40 | * Ross Weisman
41 | * Olivia Williams
42 | 
43 | The Ambiguous Techniques project team includes:
44 | 
45 | * Antonia Feffer
46 | * Devon Ellis
47 | * Kayla Kraines
48 | * Robert Schull
49 | * Robert Shovan
50 | * Sean Sweeney
51 | 
52 | Additional thanks for contributing time, resources, and technical review:
53 | 
54 | * Robleh Esa
55 | * August Moore
56 | * Roberto Rodriguez
57 | * SpecterOps
58 | * UltimateWindowsSecurity
59 | 


--------------------------------------------------------------------------------
/docs/combiningobservables.rst:
--------------------------------------------------------------------------------
 1 | .. _combiningobservables:
 2 | 
 3 | Combining Observables
 4 | =====================
 5 | 
 6 | Understanding Resistance to Adversary Change Over Time
 7 | ------------------------------------------------------
 8 | 
 9 | The Summiting model provides a relative score for the difficulty an attacker
10 | would have in evading a candidate analytic when executing a given technique.
11 | This score is determined by the lowest level that an analytic contains that
12 | could be evaded by an adversary and lead to a successful attack. Thus, the
13 | highest level (5) requires the adversary to make a costly change to their TTPs,
14 | whereas the lowest level (1) requires only quick and inexpensive changes.
15 | 
16 | Evaluating Robustness
17 | ---------------------
18 | 
19 | Let **R(X)** be the Summiting Level for a given analytic.
20 | 
21 | If the analytic contains a single observable O, then the following rule applies:
22 | 
23 | * **R(X) → R(O)** – That is, the robustness of the analytic evaluates to the
24 |     robustness of the observable.
25 | 
26 | If the analytic contains multiple observables A & B, then the following Boolean
27 | logic applies:
28 | 
29 | * **R(A AND B) → MIN(R(A), R(B))** – With the boolean operator "AND", the
30 |   adversary only needs to evade either A or B, which makes the robustness equal
31 |   to the lesser of the two observables.
32 | * **R((A AND B) | A) → R(B)** - The level of A and B predicated on observing A
33 |   is equivalent to the level of B, since observing A is a given in this context.
34 | * **R(A OR B) → MAX(R(A), R(B))** - With the Boolean operator “OR”, the
35 |   adversary needs to evade both A and B, which makes the score equal to the
36 |   greater of the two observables. Note a special case where two observables at
37 |   Level 4 happen to cover all possible implementations, then that would raise
38 |   the Boolean OR expression to Level 5.
39 | * **R(NOT A) → R(A)** - The level of NOT A would be equivalent to the robustness
40 |   level of the observable A itself, since the detection focus is still at A's
41 |   level.
42 | 
43 | However, if the analytic has a filter and Boolean logic, the following Boolean
44 | logic applies:
45 | 
46 | * **R(A) and NOT(FILTER C AND FILTER D) → R(A) AND (NOT(FILTER C) OR NOT(FILTER
47 |   D))** – The Boolean logic of the filter, more specifically the NOT clause,
48 |   flips the operators within the filter itself. For this reason, a NOT AND would
49 |   turn into an OR.
50 | * **R(A OR B) → MAX(R(A), R(B))** - With the Boolean operator “OR”, the
51 |   adversary needs to evade both A and B, which makes the score equal to the
52 |   greater of the two observables. Note a special case where two observables at
53 |   Level 4 happen to cover all possible implementations, then that would raise
54 |   the Boolean OR expression to Level 5.
55 | * **R(NOT A) → R(A)** - The level of NOT A would be equivalent to the robustness
56 |   level of the observable A itself, since the detection focus is still at A's
57 |   level.
58 | 


--------------------------------------------------------------------------------
/docs/conf.py:
--------------------------------------------------------------------------------
  1 | # Configuration file for the Sphinx documentation builder.
  2 | #
  3 | # This file only contains a selection of the most common options. For a full
  4 | # list see the documentation:
  5 | # https://www.sphinx-doc.org/en/master/usage/configuration.html
  6 | 
  7 | # -- Path setup --------------------------------------------------------------
  8 | 
  9 | # If extensions (or modules to document with autodoc) are in another directory,
 10 | # add these directories to sys.path here. If the directory is relative to the
 11 | # documentation root, use os.path.abspath to make it absolute, like shown here.
 12 | #
 13 | # import os
 14 | # import sys
 15 | # sys.path.insert(0, os.path.abspath('.'))
 16 | from slugify import slugify
 17 | 
 18 | # -- Project information -----------------------------------------------------
 19 | 
 20 | project = "Summiting the Pyramid"
 21 | slug = slugify(project)
 22 | googleanalytics_id = (
 23 |     "G-Q5598Z1TB7"  # find google analytics id from old analytics_id variable
 24 | )
 25 | 
 26 | author = "Center for Threat-Informed Defense"
 27 | copyright_years = "2023, 2024, 2025"
 28 | prs_numbers = "CT0078, CT0128, 25-1550"
 29 | 
 30 | # The full version, including alpha/beta/rc tags
 31 | version = "v3.0.0"
 32 | release = version
 33 | 
 34 | 
 35 | # -- General configuration ---------------------------------------------------
 36 | 
 37 | # Add any Sphinx extension module names here, as strings. They can be
 38 | # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 39 | # ones.
 40 | extensions = [
 41 |     "sphinx_wagtail_theme",
 42 | ]
 43 | 
 44 | # Add any paths that contain templates here, relative to this directory.
 45 | templates_path = ["_templates"]
 46 | 
 47 | # List of patterns, relative to source directory, that match files and
 48 | # directories to ignore when looking for source files.
 49 | # This pattern also affects html_static_path and html_extra_path.
 50 | exclude_patterns = ["_build", "Thumbs.db", ".DS_Store"]
 51 | 
 52 | rst_prolog = f"""
 53 | .. |copyright_years| replace:: {copyright_years}
 54 | .. |prs_numbers| replace:: {prs_numbers}
 55 | """
 56 | 
 57 | # -- Options for HTML output -------------------------------------------------
 58 | 
 59 | # The theme to use for HTML and HTML Help pages.  See the documentation for
 60 | # a list of builtin themes.
 61 | #
 62 | html_theme = "sphinx_wagtail_theme"
 63 | html_static_path = ["_static"]
 64 | html_extra_path = ["extra"]
 65 | html_favicon = "_static/favicon.ico"
 66 | html_logo = "_static/ctid_logo_white.png"
 67 | html_css_files = [
 68 |     "css/ctid.css",
 69 | ]
 70 | html_js_files = [
 71 |     "js/ctid.js",
 72 | ]
 73 | html_copy_source = False
 74 | html_show_sourcelink = False
 75 | html_show_sphinx = False
 76 | html_use_smartypants = False
 77 | html_context = {
 78 |     "copyright_years": copyright_years,
 79 |     "prs_numbers": prs_numbers,
 80 |     "googleanalytics_id": googleanalytics_id,
 81 | }
 82 | 
 83 | footer_links = [
 84 |     [
 85 |         "Measure Maximize and Mature Threat-Informed Defense",
 86 |         "https://ctid.mitre.org/projects/measure-maximize-and-mature-threat-informed-defense-m3tid/",
 87 |     ],
 88 |     [
 89 |         "Sensor Mappings To ATT&CK",
 90 |         "https://ctid.mitre.org/projects/sensor-mappings-to-attack/",
 91 |     ],
 92 | ]
 93 | 
 94 | html_theme_options = {
 95 |     "logo": "ctid_logo_white.png",
 96 |     "logo_alt": "The Center for Threat-Informed Defense",
 97 |     "logo_width": 250,
 98 |     "project_name": "Summiting The Pyramid",
 99 |     "footer_links": ",".join(
100 |         [f"{link[0]}|{link[1]}?utm_source={slug}" for link in footer_links]
101 |     ),
102 | }
103 | 


--------------------------------------------------------------------------------
/docs/context.rst:
--------------------------------------------------------------------------------
  1 | .. _Context:
  2 | 
  3 | ==============================================================
  4 | Context to Determine Intent
  5 | ==============================================================
  6 | 
  7 | Our research on ambiguous techniques led us to classify three different types of
  8 | context that a defender may need in order to distill an actor's intent:
  9 | peripheral-level, chain-level, and technique-level. These contexts provide
 10 | needed information surround the usage of a technique, which is critical for
 11 | determining intent. 
 12 | 
 13 | -----------------------------------------------------
 14 | Peripheral-Level Context
 15 | -----------------------------------------------------
 16 | .. figure:: ./_static/peripheral.png
 17 |    :alt: Peripheral-Level Context
 18 |    :align: center
 19 |    :scale: 25%
 20 | 
 21 | Peripheral-Level Context can be understood as an "outside-looking-in"
 22 | perspective. This category focuses on external information that is most valuable
 23 | for defending against potential attacks targeting your network.
 24 | 
 25 | Many of the techniques within this category are associated with pre-compromise
 26 | activities, such as those in the Reconnaissance tactic. As a result, the
 27 | detections generated in this category are primarily proactive in nature, rather
 28 | than traditional queries that can be directly implemented in a Security
 29 | Information and Event Management (SIEM) system. Instead, these detections
 30 | emphasize cyber threat intelligence on emerging threats to your network,
 31 | industry, or sector. This approach supports the development of both
 32 | behavior-based and signature-based defenses, enabling organizations to better
 33 | anticipate and mitigate risks before they materialize.
 34 | 
 35 | 
 36 | ------------------------------------------------------
 37 | Chain-Level Context
 38 | ------------------------------------------------------
 39 | 
 40 | .. figure:: ./_static/analysis_archive_chain.png
 41 |    :alt: Chain-Level Context
 42 |    :align: center
 43 |    :scale: 100%
 44 | 
 45 |    Click to enlarge
 46 | 
 47 | Chain-level context focuses on observing co-occurring techniques—those that
 48 | occur before, after, or concurrently with a specific technique of interest—in
 49 | order to establish intent. We examined chain-level context techniques by
 50 | leveraging data from our repository of Attack Flows and our Adversary Emulation
 51 | Library. 
 52 | 
 53 | Using Archiving Collected Data as an example, we examined infamous breaches and
 54 | mapped out the activities occurring immediately before, after, or concurrent to
 55 | the technique to identify patterns and trends. We used a color-coded system
 56 | based on tactics, which helped highlight trends more effectively. For example,
 57 | one notable trend we observed was the frequent occurrence of Exfiltration (seen
 58 | above in brown) immediately following the archiving of collected data. This
 59 | trend informed our understanding of the attack chains and what activity we could
 60 | anticipate seeing around Archiving Collected Data that would point to it being
 61 | employed with malicious intent.
 62 | 
 63 | The determination of malicious intent in this context relied on analyzing
 64 | historical attack chains and recurring patterns. One consideration during this
 65 | process was the length of the attack chain. In most cases, the analytics we
 66 | developed focused on chaining together two techniques. While it is possible to
 67 | chain together more techniques, there is a trade-off between chain length and
 68 | the accuracy and precision of the analysis. Longer chains may exclude relevant
 69 | activity that would otherwise be captured, so finding an optimal balance between
 70 | chain length, the number of techniques linked, and the desired level of accuracy
 71 | and precision is critical.
 72 | 
 73 | ------------------------------------------------------
 74 | Technique-Level Context
 75 | ------------------------------------------------------
 76 | 
 77 | .. figure:: ./_static/technique.png
 78 |    :alt: Technique-Level Context
 79 |    :align: center
 80 |    :scale: 100%
 81 | 
 82 |    Click to enlarge
 83 | 
 84 | Technique-level context focuses on artifacts related to the detection of a
 85 | single technique. To determine technique-level context, we distill the detection
 86 | criteria into four general categories: **Who, What, When, & Where**. 
 87 | 
 88 | ------------------------------
 89 | 
 90 | **Who:** Authentication and privileges, examining who is operating within the
 91 | network, the privileges they are using, and how they are attempting to access
 92 | resources. It provides insight into user behavior and access patterns.
 93 | 
 94 | **What:** Traditional event artifacts, such as flags, commands, specific
 95 | registry keys, API calls, and other concrete artifacts that can be extracted
 96 | from event codes or event IDs. 
 97 | 
 98 | **When:** Analyzes access patterns, including the frequency of activity and
 99 | whether operations are occurring outside of typical or expected hours. It helps
100 | identify anomalies in the timing of activity that may indicate malicious intent.
101 | 
102 | **Where:** Examines the key terrain within a network. This includes monitoring
103 | critical files, locations, or systems, as well as examining network connections.
104 | By establishing a baseline, organizations can detect abnormal connections or
105 | flows, such as new connections being initiated or unexpected destinations being
106 | accessed.
107 | 
108 | ------------------------------
109 | 
110 | By organizing detection criteria into these categories, we provide a structured
111 | approach to developing detection analytics and identifying technique-level
112 | differentiators. This framework enables defenders to focus on key aspects of
113 | network activity - authentication, artifacts, timing, and terrain - while
114 | leveraging baseline data and behavioral analysis to detect anomalies and
115 | differentiate between benign and malicious behavior.
116 | 
117 | --------------------------------------
118 | How to Use Context to Determine Intent
119 | --------------------------------------
120 | .. figure:: ./_static/context_flow_chart.png
121 |    :alt: Contextual Requirements Flowchart
122 |    :align: center
123 |    :scale: 100%
124 | 
125 |    Click to enlarge
126 | 
127 | The flowchart represents the progression of activities during an incident, and
128 | which type of context to use as a defender. The flow starts from the onset of
129 | the attack behavior and moves toward behavioral specifics. The legend at the
130 | bottom-left highlights the different contexts, with gray representing not enough
131 | information to make a determination. We have broken the flowchart into 5 stages: 
132 | 
133 | 1. Attack:
134 |     * Pre-Compromise Activities: Actions that occur before the adversary has
135 |       breached the network, e.g. Reconnaissance.
136 |     * Post-Compromise Activities: Actions that occur after an adversary has
137 |       gained access into the network, e.g. Inital Access
138 | 2. Tool Usage:
139 |     * Adversary-brought Tools: software brought in by an adversary to accomplish
140 |       an attack, and used in a way that clearly indicates malicious intent, e.g.
141 |       Mimikatz
142 |     * Pre-existing Tools: software or functionality that existed on the system
143 |       pre-compromise, and used in a way that does not indicate malicious intent,
144 |       e.g. PowerShell
145 | 3. Operation Types:
146 |     * Non-Standard Operation: Involves actions that deviate from intended usage
147 |       of a tool in an identifiable manner, which would be presumed to be
148 |       malicious.
149 |     * Standard Operation: Includes intended user activities, either by
150 |       legitimate users or adversaries
151 | 4. User Access:
152 |     * Non-Legitimate User Access: Includes actions by adversaries meant to
153 |       directly manipulate systems or deceive legitimate users.
154 |     * Legitimate User Access: Includes actions by legitimate users or
155 |       adversaries using stolen credentials or tokens.
156 | 5. Behavioral Outcomes:
157 |     * Identifiable Modifications/Artifacts: Detectable changes in systems or
158 |       behaviors that could indicate malicious activity, e.g. Scheduled Task
159 |     * Indistinguishable Usage: Actions that mimic normal user behavior without
160 |       identifiable modifications, e.g. LSASS Memory Access
161 |     * Performing Expected Actions: Legitimate activity aligned with normal
162 |       behavior expectations, e.g. Valid Accounts.
163 |     * Performing Abnormal Actions: Deviations from expected behavior, which may
164 |       indicate malicious activity, e.g. Archive Collected Data.
165 | 


--------------------------------------------------------------------------------
/docs/detection-components.rst:
--------------------------------------------------------------------------------
  1 | .. _Components:
  2 | 
  3 | Components of a Robust Detection
  4 | ================================
  5 | 
  6 | A :ref:`robust detection<Robust Detection>` is one that is accurate and
  7 | resistant to adversary evasion over time.  But what does that look like when we
  8 | are building out a detection?
  9 | 
 10 | Let's first establish some key terms that will help us distinguish the types of
 11 | alerts a defender will see within their environment:
 12 | 
 13 | * True positive: An alert for a malicious event
 14 | * False positive: An alert for a benign event
 15 | * True negative: Benign event that does not alert
 16 | * False negative: Malicious event that does not alert
 17 | 
 18 | Malicious activity or benign activity will be categorized as one of these four
 19 | alert categories and will help defenders analyze the quality and effectiveness
 20 | of their alerts.
 21 | 
 22 | Accurate Detection
 23 | ------------------
 24 | 
 25 | An :ref:`accurate detection<Accuracy>` combines the traditional detection
 26 | metrics of precision and recall. When we are building an accurate detection, we
 27 | want to build a detection which has low false positives and low false negatives.
 28 | Therefore, defenders must find the balance.
 29 | 
 30 | A detection with low false positives does not alert on much benign activity,
 31 | making it great for detecting on specific, malicious activity.
 32 | 
 33 | Let's think of detecting malicious Scheduled Task activity. Many actors use
 34 | their own tools to schedule tasks and maintain persistence within their
 35 | environment. One of those tools is Shamoon. If we wanted to build a detection
 36 | analytic against Shamoon that has a low false positive rate, we could use a hash
 37 | value to detect on the specific use of this malicious activity within our
 38 | environment. The use of this hash value creates a low false positive rate
 39 | because it is highly unlikely that we will capture benign activity within this
 40 | detection.
 41 | 
 42 | .. figure:: _static/detectioncomponents_hash.png
 43 |    :alt: Precise detection using hash value
 44 |    :align: center
 45 |    :scale: 100%
 46 | 
 47 |    A hash value creates a low false positive rate, but it does not provide good
 48 |    false negative rate or resistance to adversary evasion over time.
 49 | 
 50 | A detection which has a low false negative rate is one that has a high
 51 | probabilty of detecting malicious events. Visualizing this in terms of a
 52 | technique or a specific topic of coverage in a detection, an analytic would
 53 | catch all malicious activity. So, the selection area of an analytic could be
 54 | very large.
 55 | 
 56 | The ATT&CK page identifies many malicious technique implementations of Scheduled
 57 | Task activities. A Scheduled Task analytic that has low false negative rate will
 58 | capture many of those documented malicious implementations. For example, when a
 59 | task is scheduled, it creates a new registry key. Because this would occur
 60 | across all implementations of scheduled tasks, an analytic that detects the
 61 | creation of a registry key within the task scheduler would be considered an
 62 | accurate detection. This detection could also be resistant to adversary evasion
 63 | over time, since this activity occurs across all implementations of a technique
 64 | and cannot be avoided.
 65 | 
 66 | .. figure:: _static/detectioncomponents_registry.png
 67 |    :alt: Accurate detection using registry key value
 68 |    :align: center
 69 |    :scale: 100%
 70 | 
 71 |    A registry key detection for scheduled tasks provides a low false negative
 72 |    rate and is resistant to adversary evasion over time. However, it raises the
 73 |    false positive rate.
 74 | 
 75 | When building an accurate detection, defenders must find the balance between
 76 | false positive and false negative rates.
 77 | 
 78 | Accurate vs. Resistance
 79 | -----------------------
 80 | 
 81 | There is usually a trade-off between the false positive and false negative rate
 82 | that occurs when creating an accurate detection. When an analyst creates a
 83 | detection that has a low false positive rate, it might be too specific to
 84 | account for other malicious implementations of a technique, making the detection
 85 | more susceptible to missing other malicious activity. On the other hand, an
 86 | analytic that captures all malicious activity is more susceptible to capturing
 87 | benign activity as well, raising the false positive rate. This puts more work on
 88 | the analyst to triage alerts. Let's refer to our detection of scheduled tasks.
 89 | Since registry key creation occurs across all implementations, it will also
 90 | alert on benign activity. For example, if a Windows application schedules an
 91 | update to run, our detection analytic will alert, generating a false positive.
 92 | It is possible to create detections that have a low false positive and low false
 93 | negative rate, but it is not possible for all techniques. When building
 94 | detections, an analyst must weigh what is most important for them and the risks
 95 | associated with favoring false positive or false negative rates.
 96 | 
 97 | There is also a second component to a robust detection: resistance to adversary
 98 | evasion over time. This ensures that detections created, regardless of current
 99 | or future implementations, can remain effective. Resistance to adversary evasion
100 | over time more closely aligns with having a low false negative rate. As a
101 | defender builds a detection that uses observables associated with techniques
102 | (Levels 4 and 5), it covers multiple or all implementations and is more
103 | difficult for the adversary to evade. Once a defender's detection is at the top
104 | of the pyramid, the most likely way an adversary will evade detection is through
105 | changing their technique entirely. Because of this, false negative rate and
106 | resistance to adversary evasion over time are closely aligned. However,
107 | exclusions which are built to lower the false positive rate can also be built to
108 | be resistant to adversary evasion. The observables chosen to filter out benign
109 | activity can be built in a way that is difficult for adversaries to manipulate,
110 | making it more difficult for adversaries to hide in exclusions.
111 | 
112 | The Summiting the Pyramid robustness matrix can help a defender map an analytic
113 | to their resistance to adversary evasion over time. Want to know how to score
114 | your detection analytics for accuracy and resistance to adversary evasion?
115 | :ref:`Read our guidance  on scoring detection analytics<scoring analytic>`.
116 | 
117 | Determining Sufficient Context
118 | -------------------------------
119 | 
120 | Context plays a critical role in developing robust analytics for ambiguous
121 | techniques, as it helps differentiate between malicious and benign behaviors
122 | that share overlapping observables. Without sufficient context, analytics risk
123 | generating excessive false positives, which can render them ineffective and
124 | burdensome for defenders. The Ambiguous Techniques framework emphasizes the need
125 | to incorporate situational awareness via :ref:`context<Context>` to accurately
126 | infer intent and distinguish malicious activity, while maintaining robustness to
127 | ensure operational feasibility.
128 | 
129 | .. figure:: _static/context_categories.png
130 |    :alt: Overview of Context Categories
131 |    :align: center
132 | 
133 | By integrating context into analytic development, defenders can improve
134 | detection accuracy, reduce false positives, and make informed decisions.
135 | Maintaining robustness involves balancing precision with operational
136 | feasibility, ensuring analytics remain effective in diverse environments.
137 | 
138 | Bringing It All Together Through Robust Detection
139 | -------------------------------------------------
140 | 
141 | A robust detection is what we look to achieve in our detection environment.
142 | While this might not be possible for all detections, it is important to know how
143 | to measure the accuracy and resistance to adversary evasion over time for the
144 | detection, find balance between them, and fill the gaps within your detection
145 | environment with additional logging or detections.
146 | 
147 | Want to know how to bring this all together? :ref:`Read our guidance  that
148 | outlines the steps needed to create a robust detection<Build Robust Detection>`.
149 | 


--------------------------------------------------------------------------------
/docs/extra/.gitignore:
--------------------------------------------------------------------------------
1 | *
2 | !.gitignore
3 | 


--------------------------------------------------------------------------------
/docs/index.rst:
--------------------------------------------------------------------------------
 1 | Summiting the Pyramid |version|
 2 | ===============================
 3 | 
 4 | .. figure:: _static/Summit_the_Pyramid_12.11.2024.png
 5 |    :alt: Summiting the Pyramid, Leveling Up Your Analytics
 6 |    :align: center
 7 | 
 8 | Summiting the Pyramid is a research project focused on engineering cyber analytics to
 9 | make adversary evasion more difficult. This project is created and maintained by the
10 | `MITRE Center for Threat-Informed Defense <https://ctid.mitre.org/>`__ in futherance of
11 | our mission to advance the state of the art and the state of the practice in
12 | threat-informed defense globally.
13 | 
14 | .. important::
15 |     **What's New In V3:**
16 | 
17 |     In version 3.0, we updated and improved the project in the following ways!
18 | 
19 |     * Defined a framework for deriving :ref:`malicious intent <Intent
20 |       Definition>` for :ref:`ambiguous techniques<AT Definition>`.
21 |     * Identified a method to employ co-occuring techniques to support
22 |       :ref:`chained analytic development<Chaining Analytics>`.
23 |     * Developed a :ref:`context-based methodology<Context>` for deriving
24 |       malicious intent when engineering robust analytics with lower false
25 |       positive rates.
26 | 
27 | 
28 | .. toctree::
29 |     :maxdepth: 2
30 |     :caption: Contents
31 | 
32 |     overview
33 |     introduction
34 |     definitions
35 |     levels/index
36 |     combiningobservables
37 |     context
38 |     chaining
39 |     examplemappings
40 |     scoringanalytic
41 |     analytics/index
42 |     detection-components
43 |     robustdetection
44 |     detection-diagram
45 |     changelog
46 | 
47 | Notice
48 | ------
49 | 
50 | © |copyright_years| MITRE. Approved for public release. Document number(s)
51 | |prs_numbers|.
52 | 
53 | Licensed under the Apache License, Version 2.0 (the "License"); you may not use this
54 | file except in compliance with the License. You may obtain a copy of the License at
55 | http://www.apache.org/licenses/LICENSE-2.0
56 | 
57 | Unless required by applicable law or agreed to in writing, software distributed under
58 | the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
59 | KIND, either express or implied. See the License for the specific language governing
60 | permissions and limitations under the License.
61 | 
62 | This project makes use of ATT&CK®: `ATT&CK Terms of Use
63 | <https://attack.mitre.org/resources/terms-of-use/>`__
64 | 


--------------------------------------------------------------------------------
/docs/levels/adversary_tool.rst:
--------------------------------------------------------------------------------
 1 | .. _Adversary Brought Tool:
 2 | 
 3 | -----------------------------------------------------------
 4 | Level 2: Core to Adversary-Brought Tool or Outside Boundary 
 5 | -----------------------------------------------------------
 6 | 
 7 | **Description**: Observables associated with tools that are brought in by an
 8 | adversary to accomplish an attack.
 9 | 
10 | Tools that are brought by an adversary for an attack provide the adversary the
11 | flexibility to configure the tool and change the tool's implementations to meet
12 | their specific needs. Malware and tools that might fall under these observables
13 | include ADFind, CobaltStrike, and others that the adversary can modify or
14 | configure to accomplish their goal.
15 | 
16 | **Why are adversary-brought tools placed here?**
17 | 
18 | These tools give adversaries flexibility to evade detection by modifying the
19 | tool before deployment to the target system. For example, if an analytic
20 | detection is identifying certain tool-specific configurations, an adversary can
21 | change the source code and evade that detection. [#f1]_ While this requires
22 | knowledge on the adversary to change the tool configuration without changing the
23 | functionality, it gives an adversary flexibility to evade detection through the
24 | availability of application code itself.
25 | 
26 | **Examples**: Command-line arguments, tool-specific configurations, metadata,
27 | binaries
28 | 
29 | Observables
30 | ^^^^^^^^^^^
31 | +-------------------------------+-----------------------------------+----------------------------------+--------------------------------+
32 | | Category                      | Observables                       |   Generating Activity            |           Evade Behavior       |
33 | +===============================+===================================+==================================+================================+
34 | | Command-Line Arguments        |  | CommandLine (Sysmon)           | Built into the tool to identify  | Rename arguments within tool,  |
35 | |                               |  | ParentCommandLine (Sysmon)     | different functionalities, be    | which requires access to code  |
36 | |                               |                                   | called by a tool or script, or be| base. Need for recompile.      |
37 | |                               |                                   | called by an interactive session |                                |
38 | |                               |                                   | with a user.                     |                                |
39 | +-------------------------------+-----------------------------------+----------------------------------+--------------------------------+
40 | | Process Creation              |  | OriginalFileName (Sysmon)      | Filename is embedded into        | User would have to edit the PE |
41 | |                               |                                   | the PE header of a tool.         | header with the updated name   |
42 | |                               |                                   |                                  | and recompile the tool.        |
43 | +-------------------------------+-----------------------------------+----------------------------------+--------------------------------+
44 | | Tool-Specific Configurations  |  | Integrity level (Sysmon)       | A recommendation for setting     | Change setting within tool,    |
45 | |                               |                                   | up and using tools that          | requires permissions to        |
46 | |                               |                                   | support processing of            | reconfigure tool.              |
47 | |                               |                                   | information. [#f2]_              |                                |
48 | +-------------------------------+-----------------------------------+----------------------------------+--------------------------------+
49 | | Metadata                      |  |                                | Created when a file is modified, | Recompile the tool.            |
50 | |                               |                                   | including its deletion. [#f3]_   |                                |
51 | +-------------------------------+-----------------------------------+----------------------------------+--------------------------------+
52 | | Binaries                      |  |                                | Offered by programs that allow   | Utilize different binary,      |
53 | |                               |                                   | a program to be installed without| edit binary directly, or       |
54 | |                               |                                   | having to compile source code.   | recompile source code with     |
55 | |                               |                                   | [#f4]_                           | different options.             |
56 | +-------------------------------+-----------------------------------+----------------------------------+--------------------------------+
57 | 
58 | .. rubric:: References
59 | 
60 | .. [#f1] https://posts.specterops.io/capability-abstraction-fbeaeeb26384
61 | .. [#f2] https://csrc.nist.gov/glossary/term/tool_configuration
62 | .. [#f3] https://www.techtarget.com/whatis/definition/metadata
63 | .. [#f4] https://www.computerhope.com/jargon/b/binaries.htm
64 | 


--------------------------------------------------------------------------------
/docs/levels/application.rst:
--------------------------------------------------------------------------------
 1 | .. _Application:
 2 | 
 3 | ---------------------
 4 | Column A: Application
 5 | ---------------------
 6 | 
 7 | **Description**: Observables associated with the use of applications available
 8 | to defenders before adversary use and difficult for the adversary to modify.
 9 | 
10 | The Application event robustness category groups observables that are collected
11 | closest to applications and are potentially modifiable by the user. For example,
12 | Windows provides developers the opportunity to create service providers for
13 | tools and applications, which can be used to create detection analytics. Other
14 | frameworks can be implemented by a user for needs within their environment.
15 | While users might need to download and configure application sensor data, these
16 | data are available to the defender before an adversary conducts their attack.
17 | 
18 | Observables
19 | ^^^^^^^^^^^
20 | +-------------------------------+-----------------------------------------------------------------------+
21 | | Category                      | Observables                                                           |
22 | +===============================+=======================================================================+
23 | | Scheduled Jobs                |  | Event ID 4698 (Task creation)                                      |
24 | |                               |  | Event ID 4699 (Task deletion)                                      |
25 | |                               |  | Event ID 4700 (Task enabled)                                       |
26 | |                               |  | Event ID 4701 (Task disabled)                                      |
27 | |                               |  | Event ID 4702 (Task updated)                                       |
28 | +-------------------------------+-----------------------------------------------------------------------+
29 | | MSI Installer                 |  | Event ID 1040 (Generic Service Resource Availability) [#f1]_       |
30 | |                               |  | Event ID 1042 (Generic Service Resource Availability) [#f2]_       |
31 | |                               |  | Event ID 1033 (Windows Installer Application Installation) [#f3]_  |
32 | +-------------------------------+-----------------------------------------------------------------------+
33 | | Windows Backup                |  | Event ID 524 (The System Catalog has been deleted) [#f4]_          |
34 | +-------------------------------+-----------------------------------------------------------------------+
35 | | Powershell                    |  | Event ID 4104 (Creating Scriptblock text) [#f5]_                   |
36 | +-------------------------------+-----------------------------------------------------------------------+
37 | | File                          |  | Yara Rules [#f6]_                                                  |
38 | +-------------------------------+-----------------------------------------------------------------------+
39 | 
40 | **Useful resources:**
41 | 
42 | * Roberto Rodriguez's `API - To - Event
43 |   <https://docs.google.com/spreadsheets/d/1Y3MHsgDWj_xH4qrqIMs4kYJq1FSuqv4LqIrcX24L10A/edit#gid=0>`_
44 | * Jonny Johnson's `TelemetrySource
45 |   <https://docs.google.com/spreadsheets/d/1d7hPRktxzYWmYtfLFaU_vMBKX2z98bci0fssTYyofdo/edit#gid=0>`_
46 | * UltimateWindowsSecurity `Event ID Glossary
47 |   <https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx?i=j>`_
48 | 
49 | .. rubric:: References
50 | 
51 | .. [#f1] https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc773449%28v=ws.10%29
52 | .. [#f2] https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc773487%28v=ws.10%29
53 | .. [#f3] https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735566%28v=ws.10%29
54 | .. [#f4] https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc734301%28v=ws.10%29
55 | .. [#f5] https://www.myeventlog.com/search/show/980
56 | .. [#f6] https://yara.readthedocs.io/en/stable/writingmodules.html
57 | 


--------------------------------------------------------------------------------
/docs/levels/ephemeral.rst:
--------------------------------------------------------------------------------
 1 | .. _Ephemeral Values:
 2 | 
 3 | -------------------------
 4 | Level 1: Ephemeral Values
 5 | -------------------------
 6 | 
 7 | **Description**: Observables that are trivial for an adversary to change, or
 8 | that change even without adversary intervention.
 9 | 
10 | Ephemeral values capture the context of what is currently happening to a user,
11 | process, or system. These observables include process IDs, hash values, domain
12 | names, filenames, and others. While these observables offer high :ref:`accuracy
13 | <Accuracy>`, they are often easy to evade.
14 | 
15 | **Why are these observables the lowest level?**
16 | 
17 | These observables cannot be relied on to identify adversary behavior. These
18 | indicators take minimal effort for an adversary to change [#f1]_. A new hash
19 | value can be created if one bit is changed in a file. A filename can be
20 | obfuscated within an image. When building out analytics, these observables will
21 | mostly capture values that point to the context of a certain application, user,
22 | or process. While these observables can detect known malicious applications or
23 | processes, they will not detect anything new, nor will they detect if the
24 | adversary decides to change an operational or environmental variable to evade
25 | detection. To ensure detection in-depth, these observables should be combined
26 | with observables from other levels.
27 | 
28 | **Examples**: Hash values, IP addresses, protocol-specific ports, file names,
29 | domain names, processes, user oriented observables, others
30 | 
31 | Observables
32 | ^^^^^^^^^^^
33 | +-------------------------------+-----------------------------------+--------------------------------+--------------------------------+
34 | | Category                      | Observables                       |   Generating Activity          | Evade Behavior                 |
35 | +===============================+===================================+================================+================================+
36 | | Hash Values                   |  | Hashes (Sysmon)                | Passing a file or object       | Change one bit in a file and   |
37 | |                               |                                   | through a mathmatical formula  | regenerate the hash.           |
38 | |                               |                                   | to create a unique identifying |                                |
39 | |                               |                                   | number.                        |                                |
40 | +-------------------------------+-----------------------------------+--------------------------------+--------------------------------+
41 | | IP Address                    |  | SourceIp (Sysmon)              | Assigned by ISP. [#f2]_        | Connect to a different ISP,    |
42 | |                               |  | DestinationIp (Sysmon)         |                                | restart the router or modem, or|
43 | |                               |                                   |                                | utilize a VPN.                 |
44 | +-------------------------------+-----------------------------------+--------------------------------+--------------------------------+
45 | | Protocol-Specific Ports       |  | DestinationPort (Sysmon)       | Ports are standardized across  | Change port configuration      |
46 | |                               |  | SourcePort (Sysmon)            | network devices, [#f3]_ while  | settings in the code or        |
47 | |                               |                                   | others aren't associated       | computer.                      |
48 | |                               |                                   | with a protocol standard.      |                                |
49 | +-------------------------------+-----------------------------------+--------------------------------+--------------------------------+
50 | | Filenames                     |  | Image (Sysmon)                 | Created by the user to identify| Filename can be changed by the |
51 | |                               |  | Parent image (Sysmon)          | a file.                        | user or can be obfuscated in   |
52 | |                               |  | CurrentDirectory (Sysmon)      |                                | code deployment.               |
53 | |                               |  | Extension (Sysmon)             |                                |                                |
54 | |                               |  | TargetFilename (Sysmon)        |                                |                                |
55 | +-------------------------------+-----------------------------------+--------------------------------+--------------------------------+
56 | | Domain Names                  |  | SourceHostname (Sysmon)        | Reigster the domain name with  | Map tools or website           |
57 | |                               |  | DestinationHostname (Sysmon)   | the registrar. [#f4]_          | to a different domain name.    |
58 | +-------------------------------+-----------------------------------+--------------------------------+--------------------------------+
59 | | Processes                     |  | ProcessGuid (Sysmon)           | New processes create a child   | Operating System Kernel creates|
60 | |                               |  | ProcessId (Sysmon)             | process. The parent and child  | a new process and associated   |
61 | |                               |  | Parent process GUID (Sysmon)   | processes are each assigned a  | metadata.                      |
62 | |                               |  | Subject SID (EID)              | PID. [#f5]_                    |                                |
63 | |                               |  | Target SID (EID)               |                                |                                |
64 | |                               |  | New Process ID (EID)           |                                |                                |
65 | |                               |  | Creator Process ID (WEID)      |                                |                                |
66 | +-------------------------------+-----------------------------------+--------------------------------+--------------------------------+
67 | | Pipes                         |  | Pipe Names (Sysmon)            | A pipe server or user specifies| Change the name of the pipe.   |
68 | |                               |                                   | a name for a pipe when it calls|                                |
69 | |                               |                                   | CreateNamedPipe functon. [#f6]_|                                |
70 | +-------------------------------+-----------------------------------+--------------------------------+--------------------------------+
71 | 
72 | .. rubric:: References
73 | 
74 | .. [#f1] http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
75 | .. [#f2] https://usa.kaspersky.com/resource-center/definitions/what-is-an-ip-address
76 | .. [#f3] https://www.cloudflare.com/learning/network-layer/what-is-a-computer-port/
77 | .. [#f4] https://www.codecademy.com/resources/blog/what-is-a-domain-name/#domain-name-registrars-and-registries
78 | .. [#f5] https://www.tutorialspoint.com/inter_process_communication/inter_process_communication_process_creation_termination.htm
79 | .. [#f6] https://learn.microsoft.com/en-us/windows/win32/ipc/pipe-names
80 | 


--------------------------------------------------------------------------------
/docs/levels/header.rst:
--------------------------------------------------------------------------------
 1 | .. _Header:
 2 | 
 3 | ---------------------------
 4 | Column H: Header Visibility
 5 | ---------------------------
 6 | 
 7 | **Description**: Observables associated with the relevant network protocol
 8 | header.
 9 | 
10 | The Header Visibility event robustness category groups observables that are
11 | transmitted as part of the network protocol header. For most network protocols,
12 | even encryption protocols like Internet Protocol Security (IPSEC) and Transport
13 | Layer Security (TLS), the header section of the protocol must be transmitted in
14 | plain text, while only the data payload would be encrypted or obfuscated. For
15 | example, with IPSEC (OSI Layer 3), the IP header would be visible in plain text,
16 | but the IP payload would be encrypted. With TLS (OSI Layer 4), the TCP header
17 | would be visible in plain text, but the TCP payload would be encrypted. With RPC
18 | (OSI Layer 7), the RPC header would be visible in plain text, but the RPC
19 | payload could be encrypted. Observables associated with the network protocol
20 | header, and therefore not affected by payload encryption or obfuscation, are
21 | more robust.
22 | 
23 | Observables
24 | ^^^^^^^^^^^
25 | +-------------------------------+-----------------------------------------------------------------------------------------+
26 | | Category                      | Observable Fields                                                                       |
27 | +===============================+=========================================================================================+
28 | | Named Pipe Access             | | Zeek Log: dce_rpc.log [#f1]_                                                          |
29 | |                               | | - named_pipe                                                                          |
30 | |                               | | Zeek Log: smb_files.log [#f1]_                                                        |
31 | |                               | | - path: \*\IPC$                                                                       |
32 | +-------------------------------+-----------------------------------------------------------------------------------------+
33 | | Network Share Access          | | Zeek Log: smb_files.log                                                               |
34 | |                               | | - path                                                                                |
35 | |                               | | Zeek Log: smb_mapping.log [#f1]_                                                      |
36 | |                               | | - path                                                                                |
37 | +-------------------------------+-----------------------------------------------------------------------------------------+
38 | | Network Traffic Connection    | | Zeek Log: conn.log [#f1]_                                                             |
39 | |                               | | - id$orig_h                                                                           |
40 | |                               | | - id$orig_p                                                                           |
41 | |                               | | - id$resp_h                                                                           |
42 | |                               | | - id$resp_p                                                                           |
43 | |                               | | - proto                                                                               |
44 | |                               | | - service                                                                             |
45 | |                               | | - duration                                                                            |
46 | +-------------------------------+-----------------------------------------------------------------------------------------+
47 | | Network Traffic Flow          | | Zeek Log: conn.log [#f1]_                                                             |
48 | |                               | | - id$orig_h                                                                           |
49 | |                               | | - id$orig_p                                                                           |
50 | |                               | | - id$resp_h                                                                           |
51 | |                               | | - id$resp_p                                                                           |
52 | |                               | | - proto                                                                               |
53 | |                               | | - service                                                                             |
54 | |                               | | - duration                                                                            |
55 | +-------------------------------+-----------------------------------------------------------------------------------------+
56 | | Scheduled Job Creation        | | Zeek Log: dce_rpc.log                                                                 |
57 | | (Remote)                      | | - endpoint: ITaskScheduler                                                            |
58 | |                               | | - operation: SchRpcRegisterTask, SchRpcEnableTask, SchRpcRun                          |
59 | +-------------------------------+-----------------------------------------------------------------------------------------+
60 | | Service Creation (Remote)     | | Zeek Log: dce_rpc.log                                                                 |
61 | |                               | | - endpoint: ITaskScheduler                                                            |
62 | |                               | | - operation: CreateWowService, CreateService, StartService                            |
63 | +-------------------------------+-----------------------------------------------------------------------------------------+
64 | | WMI                           | | Zeek Log: dce_rpc.log                                                                 |
65 | |                               | | - endpoint: IWbemServices                                                             |
66 | |                               | | - operation: ExecMethod, ExecMethodAsync                                              |
67 | +-------------------------------+-----------------------------------------------------------------------------------------+
68 | | Windows Registry Key Access   | | Zeek Log: dce_rpc.log                                                                 |
69 | | (Remote)                      | | - endpoint: winreg                                                                    |
70 | |                               | | - operation: BaseRegOpenKey                                                           |
71 | +-------------------------------+-----------------------------------------------------------------------------------------+
72 | | Windows Registry Key Creation | | Zeek Log: dce_rpc.log                                                                 |
73 | | (Remote)                      | | - endpoint: winreg                                                                    |
74 | |                               | | - operation: BaseRegCreateKey                                                         |
75 | +-------------------------------+-----------------------------------------------------------------------------------------+
76 | | Windows Registry Key Deletion | | Zeek Log: dce_rpc.log                                                                 |
77 | | (Remote)                      | | - endpoint: winreg                                                                    |
78 | |                               | | - operation: BaseRegDeleteKey, BaseRegDeleteValue                                     |
79 | +-------------------------------+-----------------------------------------------------------------------------------------+
80 | | Windows Registry Key          | | Zeek Log: dce_rpc.log                                                                 |
81 | | Modification (Remote)         | | - endpoint: winreg                                                                    |
82 | |                               | | - operation: BaseRegSetValue                                                          |
83 | +-------------------------------+-----------------------------------------------------------------------------------------+
84 | 
85 | .. rubric:: References
86 | 
87 | .. [#f1] https://docs.zeek.org/en/current/script-reference/log-files.html#network-protocols


--------------------------------------------------------------------------------
/docs/levels/implementations.rst:
--------------------------------------------------------------------------------
 1 | .. _Some Implementations:
 2 | 
 3 | --------------------------------------------------------
 4 | Level 4: Core to Some Implementations of (Sub-)Technique
 5 | --------------------------------------------------------
 6 | 
 7 | **Description**: Observables associated with low-variance behaviors of the
 8 | (sub-)technique, unavoidable without a substantially different implementation.
 9 | 
10 | Analytics that are core to some implementations of a technique or sub-technique
11 | look at the behaviors an adversary will demonstrate during an attack. These
12 | behaviors are defined as low variance behaviors—those which cannot be avoided by
13 | the implementation. Multiple implementations may point to the same low variance
14 | behavior, allowing a defender to create a robust analytic.
15 | 
16 | .. note::
17 | 
18 |     These observables may change if the definition of the technique is modified in a
19 |     new version of ATT&CK.
20 | 
21 | Observables
22 | ^^^^^^^^^^^
23 | +-------------------------------+---------------------------------------------------+--------------------------------------+
24 | | Sub-Technique/Technique       | Observables                                       | Low Variance Behavior                |
25 | +===============================+===================================================+======================================+
26 | | Modify Authentication         |  AttributeLDAPDisplayName: msDS-KeyCredentialLink | AttritubuteLDAPDisplayName is        |
27 | | Process (T1556)               |                                                   | similar to a registry key, as it     |
28 | |                               |                                                   | could be an arbitrary value or one of|
29 | |                               |                                                   | several built-in "special" values.   |
30 | |                               |                                                   | msDS-KeyCredentialLink is a special  |
31 | |                               |                                                   | value used by the system for         |
32 | |                               |                                                   | authentication. [#f1]_               |
33 | +-------------------------------+---------------------------------------------------+--------------------------------------+
34 | |  OS Credential Dumping:       |  TargetImage = lsass.exe                          | There are multiple access masks      |
35 | |  LSASS Memory (T1003.001)     |  GrantedAccess: 0x1010 OR 0x1410                  | that can be used. This analytic      |
36 | |                               |                                                   | covers two of those access masks.    |
37 | |                               |                                                   | Anything that has the right bits     |
38 | |                               |                                                   | is essentially a wildcard. [#f2]_    |
39 | +-------------------------------+---------------------------------------------------+--------------------------------------+
40 | | Scheduled Task/Job: At        | Event 5145: Relative Target Name = atsvc          | Remote access to the Windows At      |
41 | | (T1053.002) - Remote          | Sysmon 18: PipeName = \atsvc                      | Service is achieved via the named    |
42 | |                               | RPC Network Protocol                              | pipe "atsvc". [#f3]_                 |
43 | |                               | - Endpoint: atsvc                                 |                                      |
44 | |                               | - RPCOperation: NetrJobAdd                        |                                      |  
45 | +-------------------------------+---------------------------------------------------+--------------------------------------+
46 | | Modify Registry (T1112)       | Event 5145: Relative Target Name = winreg         | Remote access to the Windows Registry|
47 | | Remote                        | Sysmon 18: PipeName = \winreg                     | is achieved via the named pipe       |
48 | |                               | RPC Network Protocol                              | "winreg". [#f4]_                     |
49 | |                               | - Endpoint: winreg                                |                                      |
50 | |                               | - RPCOperation: BaseRegCreateKey OR               |                                      |  
51 | |                               | BaseRegSetValue                                   |                                      | 
52 | +-------------------------------+---------------------------------------------------+--------------------------------------+
53 | 
54 | .. rubric:: References:
55 | 
56 | .. [#f1] https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/
57 | .. [#f2] https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
58 | .. [#f3] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
59 | .. [#f4] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
60 | 


--------------------------------------------------------------------------------
/docs/levels/index.rst:
--------------------------------------------------------------------------------
 1 | .. _Summiting Levels:
 2 | 
 3 | ===================
 4 | Summiting Levels
 5 | ===================
 6 | 
 7 | Our model defines five levels of analytic robustness and three columns of event
 8 | robustness. (See: :doc:`../definitions`) This section goes into deeper detail about how the
 9 | levels and columns are defined and how to map observables onto our model.
10 | 
11 | **Levels: Analytic Robustness Categories**
12 | 
13 | There are five levels that represent how difficult it is for an adversary to evade an
14 | observable.
15 | 
16 | .. toctree::
17 |     :maxdepth: 1
18 | 
19 |     technique
20 |     implementations
21 |     preexisting_tool
22 |     adversary_tool
23 |     ephemeral
24 | 
25 | .. _Host-Based Columns:
26 | 
27 | **Columns: Host-Based Event Robustness Columns**
28 | 
29 | There are three columns that represent where event data originates within the OS.
30 | 
31 | .. toctree::
32 |     :maxdepth: 1
33 | 
34 |     application
35 |     user-mode
36 |     kernel-mode
37 | 
38 | .. _Network Traffic Columns:
39 | 
40 | **Columns: Network Traffic Robustness Columns**
41 | 
42 | There are two columns that represent visibility into network traffic.
43 | 
44 | .. toctree::
45 |     :maxdepth: 1
46 | 
47 |     payload
48 |     header
49 | 
50 | For a quick search of an observable, please utilize the observables page.
51 | 
52 | .. toctree::
53 |     :maxdepth: 1
54 | 
55 |     quicklevels
56 | 


--------------------------------------------------------------------------------
/docs/levels/kernel-mode.rst:
--------------------------------------------------------------------------------
 1 | .. _Kernel-Mode:
 2 | 
 3 | ---------------------
 4 | Column K: Kernel-Mode
 5 | ---------------------
 6 | 
 7 | **Description**: Interfacing directly with ring 0 in the OS. Observables are in
 8 | kernel mode.
 9 | 
10 | As defined by Microsoft, the kernel “implements the core functionality that
11 | everything else in the operating system depends upon.” [#f1]_ This is the heart
12 | of the operating system, as it provides the services for everything, including
13 | managing threads, conflicts and errors, and system memory. [#f2]_ Some of the
14 | kernel library support routines available start with Ke within the Windows
15 | Operating System. Defenders can monitor kernel activity through observables
16 | including registry modification, some event IDs, and network protocols. Kernel
17 | observables are usually the hardest to evade and represent the most robust
18 | events and fields in the framework.
19 | 
20 | Observables
21 | ^^^^^^^^^^^
22 | +-------------------------------+-----------------------------------------------------------------------------------------+
23 | | Category                      | Observable Fields                                                                       |
24 | +===============================+=========================================================================================+
25 | | Process                       | | Event ID 4688 (Process creation)                                                      |
26 | |                               | | Event ID 4689 (Process exited)                                                        |
27 | |                               | | Sysmon ID 1 (Process creation)                                                        |
28 | |                               | | Sysmon ID 8 (Create remote thread)                                                    |
29 | +-------------------------------+-----------------------------------------------------------------------------------------+
30 | | File                          | | Event ID 4663 (Attempt was made to access object)                                     |
31 | +-------------------------------+-----------------------------------------------------------------------------------------+
32 | | Registry Keys                 | | Event ID 4656 (Handle to object requested)                                            |
33 | |                               | | Sysmon ID 12 (Registry object added/deleted)                                          |
34 | |                               | | Event ID 4660 (Object deleted)                                                        |
35 | |                               | | Event ID 4657 (Registry value modified)                                               |
36 | +-------------------------------+-----------------------------------------------------------------------------------------+
37 | | Objects                       | | Event ID 5136 (A directory service object was modified)                               |
38 | +-------------------------------+-----------------------------------------------------------------------------------------+
39 | | Named Pipes                   | | Sysmon ID 17 (Pipe created)                                                           |
40 | |                               | | Sysmon ID 18 (Pipe connected)                                                         |  
41 | |                               | | Event ID 5145 (A network share object was checked to see whether client can be        |
42 | |                               |  granted desired access)                                                                |
43 | +-------------------------------+-----------------------------------------------------------------------------------------+
44 | | Network                       | | Sysmon ID 3 (Network connection detected)                                             |
45 | |                               | | Event ID 5156 (The Windows Filtering Platform has allowed a connection)               |
46 | |                               | | Event ID 5157 (The Windows Filtering Platform has blocked a connection)               |
47 | +-------------------------------+-----------------------------------------------------------------------------------------+
48 | 
49 | 
50 | **Useful resources:**
51 | 
52 | * Roberto Rodriguez's `API - To - Event
53 |   <https://docs.google.com/spreadsheets/d/1Y3MHsgDWj_xH4qrqIMs4kYJq1FSuqv4LqIrcX24L10A/edit#gid=0>`_
54 | * Jonny Johnson's `TelemetrySource
55 |   <https://docs.google.com/spreadsheets/d/1d7hPRktxzYWmYtfLFaU_vMBKX2z98bci0fssTYyofdo/edit#gid=0>`_
56 | * UltimateWindowsSecurity `Event ID Glossary
57 |   <https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx?i=j>`_
58 | 
59 | .. rubric:: References
60 | 
61 | .. [#f1] https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/windows-kernel-mode-kernel-library
62 | .. [#f2] https://www.techtarget.com/searchdatacenter/definition/kernel
63 | 


--------------------------------------------------------------------------------
/docs/levels/payload.rst:
--------------------------------------------------------------------------------
 1 | .. _Payload:
 2 | 
 3 | ----------------------------
 4 | Column P: Payload Visibility
 5 | ----------------------------
 6 | 
 7 | **Description**: Observables are associated with the relevant network protocol
 8 | payload, and sensor visibility into the payload is necessary for detection.
 9 | 
10 | The Payload Visibility event robustness category groups observables that are
11 | transmitted within the network protocol payload. For some network protocols,
12 | sensor visibility into the data payload may be obscured via encryption or
13 | obfuscation applied by the adversary or via encryption applied by the intrinsic
14 | behavior of the operating system, service, or application. Observables
15 | associated with network protocol payload or relying on full, plain-text
16 | visibility into the payload are less robust.
17 | 
18 | Observables
19 | ^^^^^^^^^^^
20 | +-------------------------------+-----------------------------------------------------------------------------------------+
21 | | Category                      | Observable Fields                                                                       |
22 | +===============================+=========================================================================================+
23 | | Network Traffic Content       | Examples include (but are not limited to):                                              |
24 | |                               |                                                                                         |
25 | |                               | * Zeek Event: dce_rpc_request_stub [#f1]_                                               |
26 | |                               | * Zeek Event: http_entity_data [#f2]_                                                   |
27 | |                               | * Suricata rules allow access to the protocol payload. [#f3]_                           |
28 | +-------------------------------+-----------------------------------------------------------------------------------------+
29 | 
30 | .. rubric:: References
31 | 
32 | .. [#f1] https://docs.zeek.org/en/current/script-reference/proto-analyzers.html#id-dce_rpc_request_stub
33 | .. [#f2] https://docs.zeek.org/en/current/script-reference/proto-analyzers.html#id-http_entity_data
34 | .. [#f3] https://docs.suricata.io/en/latest/rules/index.html#suricata-rules
35 | 


--------------------------------------------------------------------------------
/docs/levels/quicklevels.rst:
--------------------------------------------------------------------------------
 1 | Observables Quick Search
 2 | ========================
 3 | 
 4 | .. list-table:: Analytic Robustness Categories
 5 |    :widths: 25 75
 6 |    :header-rows: 1
 7 | 
 8 |    * - Level Name
 9 |      - Observables
10 |    * - 5: Core to Sub-Technique or Technique
11 |      - TargetObject = “HKLM\SOFTWARE\Microsoft\Windows NT\
12 |        CurrentVersion\Schedule\TaskCache\Tree” OR “HKLM\
13 |        SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Schedule\TaskCache” (T1053)
14 |    * - 4: Core to Some Implementations of (Sub-)Technique
15 |      - AttributeLDAPDisplayName: msDS-KeyCredentialLink (T1556)
16 |    * - 3: Core to Pre-Existing Tools
17 |      - signer (CAR), signature_valid (CAR), mime_type (CAR), link_target (CAR),
18 |        command line (Sysmon), parent command line (Sysmon), process command line
19 |        (Windows EID), command_line (CAR), parent_command_line (CAR), integrity
20 |        level (Sysmon), mandatory label (Windows EID), token elevation type
21 |        (Windows EID), original file name (Sysmon), access_level (CAR),
22 |        integrity_level (CAR), login_type (CAR), login_successful (CAR),
23 |        auth_service (CAR), decision_reason (CAR), method (CAR)
24 |    * - 2: Core to Adversary-Brought Tools
25 |      - Command line (Sysmon), integrity level (Sysmon), parent command line
26 |        (Sysmon)
27 |    * - 1: Ephemeral Values
28 |      - Hashes (Sysmon), md5_hash (CAR), sha1_hash (CAR), sha256_hash (CAR),
29 |        target_address (CAR), dest_ip (CAR), src_ip (CAR), dest_port (CAR),
30 |        src_port (CAR), image (Sysmon), parent image (Sysmon), current directory
31 |        (Sysmon), extension (CAR), file_name (CAR), file_path (CAR), image_path
32 |        (CAR), current_working_directory (CAR), exe (CAR), parent_exe (CAR),
33 |        app_name (CAR), auth_target (CAR), fqdn (CAR), ad_domain (CAR),
34 |        target_ad_domain (CAR), process GUID (Sysmon), process ID (Sysmon),
35 |        parent process GUID (Sysmon), parent process ID (Sysmon), Subject SID
36 |        (Windows), target SID (Windows EID), new process ID (Windows EID),
37 |        creator process ID (Windows EID), pid (CAR), ppid (CAR), user (Sysmon),
38 |        logon GUID (Sysmon), logon ID (Sysmon), subject name (Windows EID),
39 |        subject domain (Windows EID), subject logon ID (Windows EID), target
40 |        domain (Windows EID), target logon ID (Windows EID), new process name
41 |        (Windows EID), creator process name (Windows EID), gid (CAR), group
42 |        (CAR), owner_uid (CAR), owner (CAR), user (CAR), uid (CAR), guid (CAR),
43 |        hostname (CAR), target_guid (CAR), target_uid (CAR), target_user (CAR),
44 |        target_user_role (CAR), target_user_type (CAR), target_name (CAR),
45 |        target_pid (CAR), login_id (CAR), user_agent (CAR), user_role (CAR),
46 |        contents (CAR), creation_time (CAR), mode (CAR), previous_creation_time
47 |        (CAR), env_vars (CAR), data (CAR), new_content (CAR), value (CAR),
48 |        response_time
49 | 
50 | 
51 | .. list-table:: Event Robustness Categories
52 |    :widths: 30 70
53 |    :header-rows: 1
54 | 
55 |    * - Column Name
56 |      - Sensor Data Observables
57 |    * - Application (A)
58 |      - Event ID 4698, Event ID 4699, Event ID 4700, Event ID 4701, Event ID
59 |        4702, Event ID 1040, Event ID 1042, Event ID 1033
60 |    * - User-Mode (U)
61 |      - Sysmon ID 1, Sysmon ID 5, Sysmon ID 2, Sysmon ID 10, Sysmon ID 11, Sysmon
62 |        ID 15, Sysmon ID 23, Sysmon ID 6, Sysmon ID 13, Sysmon ID 14, Sysmon ID
63 |        17, Event ID 7045
64 |    * - Kernel-Mode (K)
65 |      - Event ID 4688, Event ID 4689, Sysmon ID 8, Event ID 4663, Event ID 4656,
66 |        Sysmon ID 12, Event ID 4660, Event ID 4657, Event ID 5136


--------------------------------------------------------------------------------
/docs/levels/technique.rst:
--------------------------------------------------------------------------------
 1 | .. _Technique:
 2 | 
 3 | -------------------------------------------
 4 | Level 5: Core to Sub-Technique or Technique
 5 | -------------------------------------------
 6 | 
 7 | **Description**: Observables associated with “chokepoints” or “invariant
 8 | behaviors” of the (sub-)technique, unavoidable by any implementation.
 9 | 
10 | Some ATT&CK techniques produce artifacts that are the same across all
11 | implementations of that behavior. These artifacts are considered invariant
12 | behaviors, i.e., an essential part of any implementation of the behavior. While
13 | identifying these invariant behaviors requires research into all possible
14 | implementations of a technique and the observables that are produced, it
15 | provides the defender the most robust analytic option, as it forces the
16 | adversary to switch to an entirely different technique.
17 | 
18 | .. note::
19 | 
20 |     These observables may change if the definition of the technique is modified in a
21 |     new version of ATT&CK.
22 | 
23 | Observables
24 | ^^^^^^^^^^^
25 | +---------------------------+----------------------------------------------------------+---------------------------------------+
26 | | Sub-Technique/Technique   | Observables                                              | Invariant Behavior                    |
27 | +===========================+==========================================================+=======================================+
28 | |  Scheduled Tasks (T1053)  |  TargetObject = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\ |  The registry key value is generated  |
29 | |                           |  CurrentVersion\\Schedule\\TaskCache\\Tree" OR "HKLM\\   |  whenever a new task is created,      |
30 | |                           |  SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\       |  regardless of implementation. [#f1]_ |
31 | |                           |  Schedule\\TaskCache"                                    |                                       |
32 | +---------------------------+----------------------------------------------------------+---------------------------------------+
33 | |  OS Credential Dumping:   |  RPC Network Protocol                                    | DRSReplicaSync triggers replication   |
34 | |  DCSync (T1003.006)       |  - Endpoint (aka, Interface) = drsuapi [#f2]_            | from another Domain Controller. [#f3]_|
35 | |                           |  - Operation (aka, Method) = DRSReplicaSync OR           | DRSGetNCChanges replicates updates    |
36 | |                           |  DRSGetNCChanges                                         | from a naming context (NC) on another |
37 | |                           |                                                          | server. [#f4]_                        | 
38 | +---------------------------+----------------------------------------------------------+---------------------------------------+
39 | 
40 | .. rubric:: References
41 | 
42 | .. [#f1] https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
43 | .. [#f2] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47
44 | .. [#f3] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/25c71d91-051f-4c26-977f-a70892f29b00 
45 | .. [#f4] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/b63730ac-614c-431c-9501-28d6aca91894
46 | 


--------------------------------------------------------------------------------
/docs/levels/user-mode.rst:
--------------------------------------------------------------------------------
 1 | .. _User-Mode:
 2 | 
 3 | -------------------
 4 | Column U: User-Mode
 5 | -------------------
 6 | 
 7 | **Description**: Observables associated with user-mode OS activity.
 8 | 
 9 | The OS kernel (ring 0) is typically invoked using C wrapper functions running in
10 | user mode (ring 3). In Windows, these system wrapper functions usually start
11 | with Nt or Zw. [#f1]_ .  In other operating systems, these C wrapper functions
12 | are usually included in libc. In either case, the wrapper functions switch into
13 | kernel mode using a predefined calling convention such as setting specific
14 | register flags and calling a certain interrupt. The attacker may bypass these
15 | wrapper functions by writing their own code to switch to kernel mode.
16 | 
17 | Observables
18 | ^^^^^^^^^^^
19 | +-------------------------------+--------------------------------------------------------------------------------+
20 | | Category                      | Observables                                                                    |
21 | +===============================+================================================================================+
22 | | Process                       | | Sysmon ID 5 (Process termination)                                            |
23 | |                               | | Sysmon ID 10 (Process access)                                                |
24 | |                               | | Event ID 7045 (New service installed)                                        |
25 | +-------------------------------+--------------------------------------------------------------------------------+
26 | | File                          | | Sysmon ID 2 (File creation time changed)                                     |
27 | |                               | | Sysmon ID 11 (File create)                                                   |
28 | |                               | | Sysmon ID 15 (File create stream hash)                                       |
29 | |                               | | Sysmon ID 23 (File deletion)                                                 |
30 | +-------------------------------+--------------------------------------------------------------------------------+
31 | | Driver                        | | Sysmon ID 6 (Driver loaded)                                                  |
32 | +-------------------------------+--------------------------------------------------------------------------------+
33 | | Registry Key                  | | Sysmon ID 13 (Registry value set)                                            |
34 | |                               | | Sysmon ID 14 (Registry object renamed)                                       |
35 | +-------------------------------+--------------------------------------------------------------------------------+
36 | 
37 | **Useful resources:**
38 | 
39 | * Roberto Rodriguez's `API - To - Event
40 |   <https://docs.google.com/spreadsheets/d/1Y3MHsgDWj_xH4qrqIMs4kYJq1FSuqv4LqIrcX24L10A/edit#gid=0>`_
41 | * Jonny Johnson's `TelemetrySource
42 |   <https://docs.google.com/spreadsheets/d/1d7hPRktxzYWmYtfLFaU_vMBKX2z98bci0fssTYyofdo/edit#gid=0>`_
43 | * UltimateWindowsSecurity `Event ID Glossary
44 |   <https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx?i=j>`_
45 | 
46 | .. rubric:: References
47 | 
48 | .. [#f1] https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/using-nt-and-zw-versions-of-the-native-system-services-routines
49 | 


--------------------------------------------------------------------------------
/docs/overview.rst:
--------------------------------------------------------------------------------
 1 | Overview
 2 | ========
 3 | 
 4 | ..
 5 |   Whenever you update overview.rst, also look at README.md and consider whether
 6 |   you should make a corresponding update there.
 7 | 
 8 | .. epigraph::
 9 | 
10 |    The entire point of detecting indicators is to respond to them, and once you can
11 |    respond to them quickly enough, you have denied the adversary the use of those
12 |    indicators when they are attacking you. Not all indicators are created equal, though,
13 |    and some of them are far more valuable than others.
14 | 
15 |    -- David Bianco, `The Pyramid of Pain <https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html>`__
16 | 
17 | The `Pyramid of Pain
18 | <https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html>`__ depicts the
19 | relationship between different categories of threat indicators and the adversary's
20 | ability to evade detections based on those indicators. Summiting the Pyramid builds on
21 | this conceptual foundation with a rigorous analysis of how to engineer analytics to
22 | increase robustness and make adversary evasion as costly as possible.
23 | 
24 | .. figure:: _static/event_robustness_table_revised.png
25 |    :alt: Breaking down the Pyramid of Pain
26 |    :align: center
27 | 
28 | The Summiting the Pyramid methodology is based on a two-dimensional model. The rows
29 | represent indicator categories (similar to the Pyramid of Pain), and columns represent
30 | the data sources for detection analytics. Observables can be mapped onto locations
31 | within the grid, which visually represents the difficulty and cost for adversaries to
32 | avoid creating that observable. A defender can use this model to analyze existing
33 | analytics for robustness and evadeability, as well as to engineer new and improved
34 | analytics.
35 | 
36 | For example, a defender can utilize an analytic that alerts if a certain hash is
37 | detected. An adversary can easily evade detection by recompiling their tools with a
38 | one-byte difference. This is visually represented by placing the observable on the first
39 | row:
40 | 
41 | .. figure:: _static/summit_level1_revised.png
42 |    :alt: Hash value at level 1: Ephemeral values
43 |    :align: center
44 | 
45 | The analytic can be improved by using observables that are in higher level groups (i.e.
46 | moving up the grid) or more reliable data sources (i.e. moving to the right). Moving up
47 | reflects the selection of indicators that are more costly for the adversary to change.
48 | Moving right reflects the use of data sources that are harder for the attacker to
49 | manipulate. Taken together, these lead to analytics that are more difficult and
50 | expensive to evade:
51 | 
52 | .. figure:: _static/summit_level5_revised.PNG
53 |    :alt: Event ID at level 5: Core to Technique
54 |    :align: center
55 | 
56 | This project includes a complete toolkit for defenders to start analyzing and improving
57 | detection analytics: a model for evasiveness, a methodology for mappings detection
58 | analytics onto that model, and many worked examples of mapping real-world analytics.
59 | 
60 | Want to learn more? Hear some of the project creators talk more about Summiting the Pyramid at ShmooCon 2024!
61 | 
62 | .. raw:: html
63 | 
64 |    <embed>
65 |       <iframe width="560" height="315" src="https://www.youtube.com/embed/B86QP361t8E?si=jxhS8XmJe_ihARj7" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
66 |    </embed>
67 | 
68 | 
69 | 


--------------------------------------------------------------------------------
/pyproject.toml:
--------------------------------------------------------------------------------
 1 | [tool.poetry]
 2 | name = "summiting-the-pyramid"
 3 | version = "3.0.0"
 4 | description = ""
 5 | authors = [
 6 |     "Ross Weisman <rpweisman@mitre.org>",
 7 |     "Roman Daszczyszak <romand@mitre.org>",
 8 | ]
 9 | license = "Apache"
10 | package-mode = false
11 | 
12 | [tool.poetry.dependencies]
13 | python = "^3.8"
14 | python-slugify = "^8.0.4"
15 | 
16 | [tool.poetry.group.dev.dependencies]
17 | black = "^22.3.0"
18 | bumpver = "^2022.1119"
19 | pytest = "^7.1.2"
20 | pytest-cov = "2.11.1"
21 | Sphinx = "^6.2.0"
22 | sphinx-autobuild = "^2021.3.14"
23 | sphinx-wagtail-theme = "^6.5.0"
24 | 
25 | [build-system]
26 | requires = ["poetry-core>=1.0.0"]
27 | build-backend = "poetry.core.masonry.api"
28 | 
29 | [tool.bumpver]
30 | current_version = "v0.0.36"
31 | version_pattern = "vMAJOR.MINOR.PATCH"
32 | commit_message = "Bump version {old_version} -> {new_version}"
33 | commit = true
34 | tag = true
35 | 
36 | [tool.bumpver.file_patterns]
37 | # pep440_version does not have the "v" prefix
38 | "pyproject.toml" = ['version = "{pep440_version}"']
39 | "docs/conf.py" = ['version = "{version}"']
40 | 


--------------------------------------------------------------------------------