Level 4: Core to Some Implementations of (Sub-)Technique
Description: Observables associated with low-variance behaviors of the (Sub-)Technique, unavoidable without a substantially different implementation
Analytics which are core to some implementations of a technique or sub-technique look at the behaviors an adversary will demonstrate during an attack. These are defined as low-variance behaviors: those which cannot be avoided without changing the implementation. Multiple implementations may point to the same low-variance behavior, allowing a defender to create a robust analytic.
Note
These observables may change if the definition of the Technique is modified in a new version of ATT&CK.
Observables
| Sub-Technique/Technique | Observables | Low Variance Behavior |
|---|---|---|
| Modify Authentication Process (T1556) | AttributeLDAPDisplayName: msDS-KeyCredentialLink | AttributeLDAPDisplayName is similar to a registry key, as it could be an arbitrary value or one of several built-in "special" values. msDS-KeyCredentialLink is a special value used by the system for authentication [1] |
| Indicator Removal: File Deletion (T1070.004) | Event ID 524, Provider Name: Microsoft-Windows-Backup | While this is an event robustness category, the utilization of this event is indicative of this technique. |
| OS Credential Dumping: LSASS Memory (T1003.001) | TargetImage = lsass.exe, GrantedAccess: 0x1010 OR 0x1410 | There are multiple access masks which can be used. This analytic covers two of those access masks. Any access mask that includes the right bits is essentially a wildcard [2] |
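As an added example that is not part of this page or its project's code, the three observables in the table above are written out as analytics and run over a handful of constructed sample events. The flat-dictionary event schema, the field names the table does not itself show (Provider, SourceImage, ObjectDN), and all sample values are assumptions for illustration. The last row's remark about "the right bits" is shown beside the exact-mask analytic: a bit-mask variant that requires only PROCESS_VM_READ (0x0010) in GrantedAccess also catches a handle whose mask the exact list does not name.

```python
# Added example (not code from this page or its project): the Level 4
# observables from the table, expressed as analytics over constructed events.
# The event schema, extra field names and all sample values are assumptions.

# Sysmon Event ID 10 (ProcessAccess) access-right bits relevant to the LSASS row.
PROCESS_VM_READ = 0x0010                    # read another process's memory
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# The two exact masks named in the table: 0x1010 and 0x1410.
LSASS_EXACT_MASKS = {
    PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ,                               # 0x1010
    PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,   # 0x1410
}

# Constructed sample events (assumed schema: one flat dict per event).
SAMPLE_EVENTS = [
    # 0: Security 5136, directory object modified, attribute msDS-KeyCredentialLink
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 5136,
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "ObjectDN": "CN=WS01,OU=Workstations,DC=example,DC=local"},
    # 1: Security 5136 on an ordinary attribute (should not match)
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 5136,
     "AttributeLDAPDisplayName": "description",
     "ObjectDN": "CN=WS02,OU=Workstations,DC=example,DC=local"},
    # 2: Microsoft-Windows-Backup Event ID 524
    {"Provider": "Microsoft-Windows-Backup", "EventID": 524},
    # 3: Sysmon 10, handle to lsass.exe with one of the table's masks
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 10,
     "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # 4: Sysmon 10, a different mask that still carries PROCESS_VM_READ
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 10,
     "SourceImage": r"C:\Users\Public\other.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # 5: Sysmon 10, query-only handle without PROCESS_VM_READ (should not match)
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 10,
     "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]


def is_key_credential_link_change(event):
    """Row 1: directory object modified (Security 5136) on msDS-KeyCredentialLink."""
    return (event.get("EventID") == 5136
            and event.get("AttributeLDAPDisplayName") == "msDS-KeyCredentialLink")


def is_backup_catalog_event(event):
    """Row 2: Event ID 524 from the Microsoft-Windows-Backup provider."""
    return (event.get("Provider") == "Microsoft-Windows-Backup"
            and event.get("EventID") == 524)


def _lsass_handle_mask(event):
    """Sysmon 10 whose TargetImage file name is lsass.exe; returns the mask or None."""
    if event.get("EventID") != 10:
        return None
    target = event.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    if target != "lsass.exe":
        return None
    return int(event.get("GrantedAccess", "0x0"), 16)


def is_lsass_access_exact(event):
    """Row 3 as written: GrantedAccess is exactly 0x1010 or 0x1410."""
    mask = _lsass_handle_mask(event)
    return mask is not None and mask in LSASS_EXACT_MASKS


def is_lsass_access_by_bits(event):
    """Row 3's remark in code: any mask containing PROCESS_VM_READ matches,
    so a mask the exact list does not name is no longer a way around it."""
    mask = _lsass_handle_mask(event)
    return mask is not None and (mask & PROCESS_VM_READ) != 0


ANALYTICS = {
    "T1556 msDS-KeyCredentialLink": is_key_credential_link_change,
    "T1070.004 Backup 524": is_backup_catalog_event,
    "T1003.001 LSASS exact mask": is_lsass_access_exact,
    "T1003.001 LSASS VM_READ bit": is_lsass_access_by_bits,
}


def run_analytics(events):
    """Return {analytic name: [indices of events that matched]}."""
    return {name: [i for i, e in enumerate(events) if check(e)]
            for name, check in ANALYTICS.items()}


if __name__ == "__main__":
    for name, hits in run_analytics(SAMPLE_EVENTS).items():
        print(f"{name:32s} -> events {hits}")
```

Running the block shows the exact-mask analytic matching only event 3, while the bit-mask variant also matches event 4; event 5, which never asks for memory-read access, matches neither. In a real deployment the TargetImage comparison should be against the full path rather than the file name, and GrantedAccess arrives as a hex string exactly as Sysmon emits it.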
References: