Level 3: Core to Pre-Existing Tools
Description: Observables associated with a tool or functionality that existed on the system before the compromise, may be managed by the defending organization, and is difficult for an adversary to modify.
Why are tools split between adversary-brought and pre-existing?
Pre-existing tools give adversaries less flexibility than tools they bring with them, because the adversary has to work with whatever functionality the tool already exposes. The configurations, command-line arguments, and other observables at this level therefore stay consistent with what the tool itself makes available.
Since the adversary cannot change the capability itself and it is managed by the organization, distinguishing adversary use from benign use is much harder. This gives an adversary an opportunity to blend into the computing environment, also known as a Living off the Land (LotL) attack [1][2]. Analytics built on native tool observables will likely need to be combined with observables from other levels, or will require further research into the low-variance behaviors of abusing these tools as described by MITRE ATT&CK techniques.
Examples: Signatures, command-line arguments, tool-specific configurations, metadata, binaries
Note
These observables may change as pre-existing tools present in the environment change.
Observables

Category | Observables | Generating Activity | Evade Behavior |
---|---|---|---|
Command-line arguments | CommandLine (Sysmon); Process Command Line (EID); ParentCommandLine (Sysmon) | Built into the tool to identify different functionalities; invoked by a tool or script, or by an interactive session with a user | Change to a tool or configuration that has different command-line arguments |
Process creation | OriginalFileName (Sysmon) | Filename is embedded in the PE header of the tool | Use a tool with a different filename, or edit the PE header |
Signatures | Signature (Sysmon); SignatureStatus (Sysmon); link_target (Sysmon) | | |
Tool-specific configurations | Integrity level (Sysmon); Mandatory Label (EID); Token elevation type (EID); Access level (EID); File path outside adversary control | A recommendation for setting up and using tools that support processing of information [3] | Pivot to another tool or raise permissions to avoid alerts on a specific configuration |
User Session | Login Type (EID); Login successful (EID) | A user logs on to a profile or application [4] | Log on to an application or as a user with a different logon type [5] |
Authentication | Auth service (CAR); Decision reason (CAR); Method (CAR) | | |
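The following is an added example, not part of the original page or of the Summiting the Pyramid project, showing how several Level 3 observables from the table are stacked in one analytic so that evading one observable (renaming the binary, editing the PE header, running elevated) moves another off its baseline. The records are constructed, the tool name `admintool.exe` and its baseline are hypothetical, and the signature fields are assumed to have been joined from the Sysmon image-load event onto the process-creation event.

```python
# Constructed Sysmon-style records (not real telemetry). Each dict carries the
# field names from the observables table; Signature fields are assumed to have
# been joined from the image-load event onto the process-creation event.
SAMPLE_EVENTS = [
    # 1: the managed tool run as deployed; every Level 3 observable is as expected.
    {"Image": r"C:\Program Files\Example\admintool.exe", "OriginalFileName": "admintool.exe",
     "CommandLine": "admintool.exe /list", "SignatureStatus": "Valid", "IntegrityLevel": "Medium"},
    # 2: the same binary copied under a new name and run elevated
    #    (table rows "Use a tool with a different filename" and "raise permissions").
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "admintool.exe",
     "CommandLine": "svc.exe /export", "SignatureStatus": "Valid", "IntegrityLevel": "System"},
    # 3: PE header edited so OriginalFileName matches the new name
    #    (table row "edit PE header"); the edit breaks the Authenticode signature.
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "svc.exe",
     "CommandLine": "svc.exe /export", "SignatureStatus": "Unavailable", "IntegrityLevel": "Medium"},
]

# Hypothetical baseline for one pre-existing, organization-managed tool, keyed by
# its PE-header name. A real baseline comes from the defender's own inventory.
BASELINE = {"admintool.exe": {"IntegrityLevel": {"Medium", "High"}}}


def evaluate(event: dict) -> list[str]:
    """Return the Level 3 findings for one record (an empty list is not proof of benign use)."""
    findings = []
    image_name = event["Image"].rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    # "Process creation" row: OriginalFileName lives in the PE header, so it
    # survives a rename on disk and exposes the different-filename evasion.
    if original and original != image_name:
        findings.append(f"rename: on disk as {image_name}, PE header says {original}")
    # "Signatures" row: altering the header to hide the name invalidates the
    # signature, so evading one observable moves another off its baseline.
    if event.get("SignatureStatus") != "Valid":
        findings.append(f"signature: {event.get('SignatureStatus', 'missing')}")
    # "Tool-specific configurations" row: the managed tool has a known integrity
    # level; running it elevated to reach more functionality stands out here.
    baseline = BASELINE.get(original)
    if baseline and event.get("IntegrityLevel") not in baseline["IntegrityLevel"]:
        findings.append(f"integrity: {event.get('IntegrityLevel')} outside baseline")
    return findings


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map each record's index to its findings; records with none are kept for
    pairing with observables from other levels, as the text above recommends."""
    return {i: evaluate(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for i, f in triage(SAMPLE_EVENTS).items():
        print(i, f or "no Level 3 finding")
```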
References