Level 2: Core to Adversary-Brought Tool

Description: Observables associated with tools that an adversary brings into the environment to accomplish an attack.

Tools an adversary brings to an attack give the adversary the flexibility to configure the tool and change its implementation to meet their specific needs. Malware and tools whose observables fall at this level include AdFind, Cobalt Strike, and others the adversary can modify or configure to accomplish their goal.

Why are adversary-brought tools placed here?

These tools give adversaries the flexibility to evade detection by modifying the tool before deploying it to the target system. For example, if an analytic keys on a tool-specific configuration, the adversary can change the source code and evade that detection [1]. While this requires the adversary to know how to change the tool's configuration without breaking its functionality, having the application code itself gives them that flexibility.

Examples: Command-line arguments, tool-specific configurations, metadata, binaries

Observables

Columns: Category | Observables | Generating Activity | Evade Behavior

Command-line arguments
  Observables: CommandLine (Sysmon); ParentCommandLine (Sysmon)
  Generating Activity: Arguments are built into the tool to select among its functions; they are passed by another tool or script, or typed by a user in an interactive session.
  Evade Behavior: Rename the arguments within the tool, which requires access to the code base and a recompile.

Process creation
  Observables: OriginalFileName (Sysmon)
  Generating Activity: The original file name is embedded in the tool's PE version-information resource, so Sysmon reports it at process creation even if the file on disk has been renamed.
  Evade Behavior: The adversary has to edit the version-information resource with the new name and recompile (or patch) the tool.

Tool-specific configurations
  Observables: Integrity level (Sysmon)
  Generating Activity: The settings chosen for setting up and using the tool (NIST's definition of tool configuration [2]); Sysmon records the integrity level the process was started with.
  Evade Behavior: Change the setting within the tool, which requires permission to reconfigure the tool.

Metadata
  Observables: none listed
  Generating Activity: Generated when a file is modified, including its deletion [3].
  Evade Behavior: Recompile the tool.

Binaries
  Observables: none listed
  Generating Activity: Provided as prebuilt programs that can be installed without compiling source code [4].
  Evade Behavior: Use a different binary, edit the binary directly, or recompile the source code with different options.
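The table contrasts observables that survive an on-disk rename (OriginalFileName, tool switches) with the evade behaviour that defeats them (rebuilding the tool). The following is an added example, not code from the Summiting the Pyramid page: it runs two Level 2 analytics over three constructed, Sysmon-shaped Event ID 1 records. The events, the AdFind-style switch set and the two-switch threshold are assumptions chosen for illustration.

```python
"""Level 2 analytics over constructed Sysmon Event ID 1 (process creation) records.

Added example, not part of the Summiting the Pyramid page. The three events,
the AdFind-style switch set and the rule thresholds are assumptions chosen
to illustrate the observables in the table above.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def event_xml(image, original, cmdline, parent_cmdline, integrity):
    """Build a minimal Sysmon-shaped Event ID 1 record (constructed test input)."""
    fields = {"Image": image, "OriginalFileName": original, "CommandLine": cmdline,
              "ParentCommandLine": parent_cmdline, "IntegrityLevel": integrity}
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>1</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


def parse_event(xml_text):
    """Return the EventData fields of a Sysmon event as a dict keyed by Name."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "")
            for d in root.iterfind(".//e:EventData/e:Data", NS)}


# Constructed sample events.
SAMPLE_EVENTS = [
    # 1. AdFind dropped as svc.exe: the file name changed on disk, but the
    #    OriginalFileName (from the PE version resource) and its switches did not.
    event_xml(r"C:\Windows\Temp\svc.exe", "AdFind.exe",
              r'svc.exe -f "(objectcategory=person)" -default',
              r'"C:\Windows\System32\cmd.exe"', "High"),
    # 2. Benign editor launch for comparison.
    event_xml(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
              r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
              r"C:\Windows\explorer.exe", "Medium"),
    # 3. Same tool rebuilt from source with a new OriginalFileName and a renamed
    #    switch: the Level 2 evade behaviour from the table. Neither rule fires.
    event_xml(r"C:\Windows\Temp\svc.exe", "svc.exe",
              r'svc.exe --query "(objectcategory=person)"',
              r'"C:\Windows\System32\cmd.exe"', "High"),
]


def basename(path):
    """Lower-cased final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_renamed_binary(ev):
    """OriginalFileName survives a rename on disk; Sysmon logs '-' when absent."""
    orig = ev.get("OriginalFileName", "-")
    return orig not in ("", "-") and basename(ev["Image"]) != orig.lower()


# Assumed AdFind switches used for illustration; tune to the tool's real option set.
ADFIND_SWITCHES = {"-f", "-default", "-sc", "-gcb", "-subnets"}


def rule_tool_arguments(ev, switches=ADFIND_SWITCHES, min_hits=2):
    """Flag a command line carrying min_hits or more of a tool's known switches."""
    tokens = {t.lower() for t in ev.get("CommandLine", "").split()}
    return len(tokens & switches) >= min_hits


RULES = {"renamed_binary": rule_renamed_binary, "tool_arguments": rule_tool_arguments}


def analyze(xml_events):
    """Run every rule over every event; return (Image, IntegrityLevel, hits) per event."""
    results = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        hits = [name for name, rule in RULES.items() if rule(ev)]
        results.append((ev["Image"], ev.get("IntegrityLevel", "-"), hits))
    return results


if __name__ == "__main__":
    for image, integrity, hits in analyze(SAMPLE_EVENTS):
        print(f"{image} [{integrity}] -> {hits or 'no findings'}")
```

Event 1 trips both rules, event 2 trips neither, and event 3 shows the cost of the evasion the table describes: the adversary had to change the version resource and the switch names in source and rebuild, not merely rename the file.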

References

[1] https://posts.specterops.io/capability-abstraction-fbeaeeb26384
[2] https://csrc.nist.gov/glossary/term/tool_configuration
[3] https://www.techtarget.com/whatis/definition/metadata
[4] https://www.computerhope.com/jargon/b/binaries.htm