Level 4: Core to Some Implementations of (Sub-)Technique
Description: Observables associated with low-variance behaviors of the (sub-)technique, unavoidable without a substantially different implementation.
Analytics that are core to some implementations of a technique or sub-technique look at the behaviors an adversary will demonstrate during an attack. These behaviors are defined as low variance behaviors—those which cannot be avoided by the implementation. Multiple implementations may point to the same low variance behavior, allowing a defender to create a robust analytic.
Note
These observables may change if the definition of the technique is modified in a new version of ATT&CK.
Observables
| Sub-Technique/Technique | Observables | Low Variance Behavior |
|---|---|---|
| Modify Authentication Process (T1556) | AttributeLDAPDisplayName: msDS-KeyCredentialLink | AttributeLDAPDisplayName is similar to a registry key, as it could be an arbitrary value or one of several built-in “special” values. msDS-KeyCredentialLink is a special value used by the system for authentication. [1] |
| OS Credential Dumping: LSASS Memory (T1003.001) | TargetImage = lsass.exe; GrantedAccess: 0x1010 OR 0x1410 | There are multiple access masks that can be used. This analytic covers two of those access masks. Anything that has the right bits is essentially a wildcard. [2] |
| Scheduled Task/Job: At (T1053.002), remote | Event 5145: Relative Target Name = atsvc; Sysmon 18: PipeName = atsvc; RPC Network Protocol: Endpoint = atsvc, RPCOperation = NetrJobAdd | Remote access to the Windows At Service is achieved via the named pipe “atsvc”. [3] |
| Modify Registry (T1112), remote | Event 5145: Relative Target Name = winreg; Sysmon 18: PipeName = winreg; RPC Network Protocol: Endpoint = winreg, RPCOperation = BaseRegCreateKey OR BaseRegSetValue | Remote access to the Windows Registry is achieved via the named pipe “winreg”. [4] |
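The four observables in the table, run as analytics over constructed sample events. This is an added example, not code from the original page or from the project that maintains it; the event dictionaries are constructed telemetry whose field names follow the Sysmon and Windows Security Log XML element names (`TargetImage`, `GrantedAccess`, `RelativeTargetName`, `PipeName`, `AttributeLDAPDisplayName`), and the assumption that `AttributeLDAPDisplayName` is read from Security Event 5136 ("A directory service object was modified") is mine, not the table's. The LSASS analytic is reproduced exactly (the two masks 0x1010 and 0x1410) and, as a generalization of the table's remark that "anything that has the right bits is essentially a wildcard", a second mode matches any mask that includes PROCESS_VM_READ, the right a memory read cannot do without.

```python
"""Level 4 observables from the table, applied to constructed sample events."""
from typing import Dict, List

# Documented Windows process access rights; the two GrantedAccess masks in the
# table decompose into these bits:
#   0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION
#   0x1410 = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
LSASS_MASKS = {0x1010, 0x1410}  # the two masks the table's analytic covers


def _mask(value) -> int:
    """Sysmon writes GrantedAccess as a hex string ("0x1010"); accept an int too."""
    return value if isinstance(value, int) else int(str(value), 16)


def _basename(path: str) -> str:
    """Last path component, lower-cased, so C:\\Windows\\System32\\lsass.exe -> lsass.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lsass_memory_access(event: dict, exact: bool = True) -> bool:
    """T1003.001: Sysmon Event 10 (ProcessAccess) with TargetImage lsass.exe.

    exact=True  -> GrantedAccess is exactly 0x1010 or 0x1410 (the table's analytic).
    exact=False -> any mask that includes PROCESS_VM_READ (the broader reading
                   of "anything that has the right bits"; added generalization).
    """
    if event.get("EventID") != 10 or _basename(event.get("TargetImage", "")) != "lsass.exe":
        return False
    granted = _mask(event.get("GrantedAccess", 0))
    return granted in LSASS_MASKS if exact else bool(granted & PROCESS_VM_READ)


def remote_named_pipe(event: dict, pipe: str) -> bool:
    """Event 5145 (RelativeTargetName) or Sysmon Event 18 (PipeName) naming `pipe`.

    Sysmon prefixes pipe names with a backslash ("\\atsvc"); 5145 does not.
    """
    if event.get("EventID") == 5145:
        name = event.get("RelativeTargetName", "")
    elif event.get("EventID") == 18:
        name = event.get("PipeName", "")
    else:
        return False
    return name.lstrip("\\").lower() == pipe.lower()


def key_credential_link_modified(event: dict) -> bool:
    """T1556: AttributeLDAPDisplayName = msDS-KeyCredentialLink.

    Assumption (not stated in the table): the attribute name is taken from
    Security Event 5136, "A directory service object was modified".
    """
    return (event.get("EventID") == 5136
            and event.get("AttributeLDAPDisplayName", "").lower() == "msds-keycredentiallink")


def classify(event: dict) -> List[str]:
    """Return the (sub-)technique IDs from the table whose observable this event matches."""
    hits: List[str] = []
    if key_credential_link_modified(event):
        hits.append("T1556")
    if lsass_memory_access(event):
        hits.append("T1003.001")
    if remote_named_pipe(event, "atsvc"):
        hits.append("T1053.002")
    if remote_named_pipe(event, "winreg"):
        hits.append("T1112")
    return hits


def run_analytics(events) -> Dict[str, int]:
    """Count matching events per (sub-)technique ID."""
    counts: Dict[str, int] = {}
    for ev in events:
        for tid in classify(ev):
            counts[tid] = counts.get(tid, 0) + 1
    return counts


# Constructed sample events (not real telemetry). Paths and addresses are invented.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": "C:\\Temp\\tool.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1400"},   # no VM_READ bit
    {"EventID": 10, "SourceImage": "C:\\Temp\\tool.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff"}, # full access: not one of the two masks
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "atsvc", "IpAddress": "10.0.0.5"},
    {"EventID": 18, "PipeName": "\\winreg", "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 18, "PipeName": "\\lsarpc", "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 5136, "ObjectClass": "computer", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "ObjectClass": "user", "AttributeLDAPDisplayName": "description"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventID"], classify(ev))
    print(run_analytics(SAMPLE_EVENTS))
```

The third sample event (GrantedAccess 0x1fffff) shows the difference between the two LSASS modes: the table's exact analytic does not match it, while the bit-based mode does, because the mask includes PROCESS_VM_READ. Which mode to deploy is a precision trade-off the table leaves to the defender; the exact masks are quieter, the bit check is harder to sidestep by requesting a different mask.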
References: