Level 2: Core to Adversary-Brought Tool or Outside Boundary

Description: Observables associated with tools that are brought in by an adversary to accomplish an attack.

Tools that an adversary brings to an attack give the adversary the flexibility to configure the tool and change its implementation to meet their specific needs. Malware and tools that might fall under these observables include ADFind, CobaltStrike, and other software the adversary can modify or configure to accomplish their goal.

Why are adversary-brought tools placed here?

These tools give adversaries flexibility to evade detection by modifying the tool before deploying it to the target system. For example, if an analytic detects certain tool-specific configurations, an adversary can change the source code and evade that detection. [1] While this requires the adversary to have the knowledge to change the tool's configuration without changing its functionality, the availability of the application code itself gives the adversary flexibility to evade detection.

Examples: Command-line arguments, tool-specific configurations, metadata, binaries

Observables

| Category | Observables | Generating Activity | Evade Behavior |
|---|---|---|---|
| Command-Line Arguments | CommandLine (Sysmon), ParentCommandLine (Sysmon) | Built into the tool to identify different functionalities; called by a tool or script, or by an interactive session with a user. | Rename arguments within the tool, which requires access to the code base and a recompile. |
| Process Creation | OriginalFileName (Sysmon) | Filename is embedded in the PE header of a tool. | User would have to edit the PE header with the updated name and recompile the tool. |
| Tool-Specific Configurations | Integrity level (Sysmon) | A recommendation for setting up and using tools that support processing of information. [2] | Change the setting within the tool; requires permissions to reconfigure the tool. |
| Metadata | | Created when a file is modified, including its deletion. [3] | Recompile the tool. |
| Binaries | | Offered by programs that allow a program to be installed without having to compile source code. [4] | Use a different binary, edit the binary directly, or recompile the source code with different options. |
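As an added example (not part of the original page or the Summiting the Pyramid project), the Python script below makes the "Why are adversary-brought tools placed here?" argument and the table's Evade Behavior column concrete: it runs a few detection rules over Sysmon-style process-creation fields and shows which rules survive a rename on disk and which survive a recompile. The tool name ToolX, its -listusers argument, the svc.exe rename and the three events are constructed for this example; only the field names (Image, OriginalFileName, CommandLine, ParentCommandLine, IntegrityLevel) are Sysmon's.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    """Subset of Sysmon Event ID 1 (process creation) fields named in the table."""
    image: str                # Image: path of the executable on disk
    original_file_name: str   # OriginalFileName: name stored in the PE version resource
    command_line: str         # CommandLine
    parent_command_line: str  # ParentCommandLine
    integrity_level: str      # IntegrityLevel


# Hypothetical tool and argument name, constructed for this example.
TOOL_ORIGINAL_NAME = "toolx.exe"
TOOL_ARG = re.compile(r"(?:^|\s)-listusers(?:\s|$)", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def rule_image_name(ev: ProcessCreate) -> bool:
    """Matches the name on disk only; defeated by a simple rename."""
    return basename(ev.image) == TOOL_ORIGINAL_NAME


def rule_original_file_name(ev: ProcessCreate) -> bool:
    """Matches the PE-header name; defeated only by editing the header and recompiling."""
    return ev.original_file_name.lower() == TOOL_ORIGINAL_NAME


def rule_command_line(ev: ProcessCreate) -> bool:
    """Matches a tool-specific argument; defeated only by renaming it in source and recompiling."""
    return TOOL_ARG.search(ev.command_line) is not None


def rule_name_mismatch(ev: ProcessCreate) -> bool:
    """Name on disk differs from the PE-header name: a renamed but not recompiled binary."""
    return basename(ev.image) != ev.original_file_name.lower()


RULES = {
    "image_name": rule_image_name,
    "original_file_name": rule_original_file_name,
    "command_line": rule_command_line,
    "name_mismatch": rule_name_mismatch,
}


def evaluate(ev: ProcessCreate) -> dict:
    """Return, for one event, which rules fire."""
    return {name: fn(ev) for name, fn in RULES.items()}


# Three constructed events: the tool as shipped, the same binary renamed on disk,
# and a recompiled build with a new PE-header name and a renamed argument.
SAMPLE_EVENTS = {
    "unmodified": ProcessCreate(
        image=r"C:\Users\alice\Downloads\ToolX.exe",
        original_file_name="ToolX.exe",
        command_line="ToolX.exe -listusers",
        parent_command_line=r"C:\Windows\System32\cmd.exe",
        integrity_level="Medium",
    ),
    "renamed_on_disk": ProcessCreate(
        image=r"C:\Windows\Temp\svc.exe",
        original_file_name="ToolX.exe",
        command_line="svc.exe -listusers",
        parent_command_line=r"C:\Windows\System32\cmd.exe",
        integrity_level="Medium",
    ),
    "recompiled": ProcessCreate(
        image=r"C:\Windows\Temp\svc.exe",
        original_file_name="svc.exe",
        command_line="svc.exe -lu",
        parent_command_line=r"C:\Windows\System32\cmd.exe",
        integrity_level="Medium",
    ),
}


def coverage_report() -> dict:
    """Map each sample event to the set of rule names that fire on it."""
    return {label: {n for n, hit in evaluate(ev).items() if hit}
            for label, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, fired in coverage_report().items():
        print(f"{label:16s} -> {sorted(fired) or 'no rule fires'}")
```

The report shows the layering the table describes: a rename on disk defeats the image-name rule but leaves OriginalFileName and the command-line argument intact (and the name mismatch itself becomes a signal), while a recompile with an edited PE header and renamed argument defeats every rule keyed to the tool's own artifacts, which is why these observables sit at Level 2 rather than higher.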

References

[1] https://posts.specterops.io/capability-abstraction-fbeaeeb26384
[2] https://csrc.nist.gov/glossary/term/tool_configuration
[3] https://www.techtarget.com/whatis/definition/metadata
[4] https://www.computerhope.com/jargon/b/binaries.htm