Atomic Red Team

Date: 2021-02-12 ID: cc9b25d5-efc9-11eb-926b-550bf0943fbb Author: Michael Haag Environment: attack_range Directory: atomic_red_team

Description

Invoked T1218.009 via AtomicRedTeam and manual execution of regasm and regsvcs.

ID	Technique	Tactic
T1218.009	Regsvcs/Regasm	Defense Evasion

The following datasets were collected during this attack simulation:

Path: /datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log
Sourcetype: XmlWinEventLog
Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
Detect Regasm Spawning a Process	`TTP`	Endpoint	T1218.009	Suspicious Regsvcs Regasm Activity, Living Off The Land, Handala Wiper, Compromised Windows Host, DarkGate Malware, Snake Keylogger
Detect Regsvcs Spawning a Process	`TTP`	Endpoint	T1218.009	Suspicious Regsvcs Regasm Activity, Living Off The Land, Compromised Windows Host
Detect Regsvcs with Network Connection	`TTP`	Endpoint	T1218.009	Suspicious Regsvcs Regasm Activity, Living Off The Land, Hellcat Ransomware
Detect Regasm with Network Connection	`TTP`	Endpoint	T1218.009	Suspicious Regsvcs Regasm Activity, Living Off The Land, Handala Wiper, Hellcat Ransomware
Detect Regsvcs with No Command Line Arguments	`TTP`	Endpoint	T1218.009	Suspicious Regsvcs Regasm Activity, Living Off The Land
Detect Regasm with no Command Line Arguments	`TTP`	Endpoint	T1218.009	Suspicious Regsvcs Regasm Activity, Living Off The Land, Handala Wiper

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1218.009/atomic_red_team/windows-sysmon.log --index attack_data

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0