ASSETS- Service Execution (T1035)
Version 1.0
ATT&CK Technique: Service Execution (T1035)
Important note:
- This playbook is different from other MITRE ATT&CK™ Hunt playbooks in that it is executed from an Asset record, not a Hunt record.
What this playbook hunts for:
- Registered services on an endpoint whose service filepath points at a known-malicious executable
How the playbook works:
- Uses PowerShell and WMI through WinRM to query the host's registered services and hash each service's executable.
- The MD5 hash of each service executable is checked against VirusTotal.
- The SIEM is queried for executions of any file whose MD5 hash was identified as malicious in the previous step.
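The first step above, as an added example that is not the playbook's own code: a script run over WinRM that enumerates registered services via WMI/CIM, recovers each service's executable from its PathName (which may be quoted, unquoted, carry arguments, or use %SystemRoot%) and returns the service name, file name and MD5 hash. $TargetHost is an assumed parameter supplied by the caller.

```powershell
# Added example, not the playbook's own code. $TargetHost is an assumption.
param([Parameter(Mandatory)][string]$TargetHost)

$serviceHashes = Invoke-Command -ComputerName $TargetHost -ScriptBlock {
    # Win32_Service.PathName is a command line, not a bare path:
    #   "C:\Program Files\Vendor\svc.exe" -config x
    #   C:\Windows\system32\svchost.exe -k netsvcs
    #   %SystemRoot%\system32\spoolsv.exe
    function Get-ServiceExecutablePath([string]$PathName) {
        $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
        if ($p.StartsWith('"')) {
            $end = $p.IndexOf('"', 1)
            if ($end -gt 0) { return $p.Substring(1, $end - 1) }
            return $p.Trim('"')
        }
        # Unquoted: take everything up to the first ".exe" token so that
        # unquoted paths containing spaces are still recovered whole.
        $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
        if ($m.Success) { return $m.Groups[1].Value }
        return ($p -split '\s+')[0]
    }

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $exe = Get-ServiceExecutablePath $_.PathName
            $md5 = $null
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $md5 = (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash
            }
            [pscustomobject]@{
                ServiceName = $_.Name
                State       = $_.State
                FileName    = $exe
                MD5         = $md5   # $null: binary not found on disk
            }
        }
}

# Full table for the analyst; the unique hash list is what the next step
# submits to VirusTotal. A service whose binary is missing is itself worth a look.
$serviceHashes | Sort-Object ServiceName | Format-Table -AutoSize
$serviceHashes | Where-Object MD5 | Select-Object -ExpandProperty MD5 -Unique
```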
What results are expected:
- Service name, file name, and MD5 hash of any identified malicious file
- Name, process ID, and path of any process with a matching MD5
- Command line arguments for the matching process execution
- Execution time
- Hostname of the computer where the file was executed
- User account that was used to execute the file
Common follow-on actions:
- Acquire forensic image
- Sandbox file
- Get running processes
- Get network connections
- Quarantine host
What inputs are necessary:
- SIEM
- WinRM (or another tool capable of running PowerShell scripts) enabled on the target host
- VirusTotal API
- Logs: Sysmon Event ID 1: Process creation
- Hunt start time
What subroutine playbooks are needed:
- Create and Link Alerts from Hunt (Host-based)
What configurations are needed:
- Sysmon logging enabled
False Positive Potential: Low
- False positives should be limited to files that VirusTotal has also mistakenly classified as malicious