Atomic Red Team

Date: 2020-11-18 ID: cc9b25fe-efc9-11eb-926b-550bf0943fbb Author: Patrick Bareiss Environment: attack_range Directory: atomic_red_team

Description

Generation of Atomic Red Team technique T1548.002

ID	Technique	Tactic
T1548.002	Bypass User Account Control	Defense Evasion, Privilege Escalation

The following datasets were collected during this attack simulation:

Path: /datasets/attack_techniques/T1548.002/atomic_red_team/dism_pswa_4688_windows-security.log
Sourcetype: XmlWinEventLog
Source: XmlWinEventLog:Security

Path: /datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log
Sourcetype: XmlWinEventLog
Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
Eventvwr UAC Bypass	`TTP`	Endpoint	T1548.002	Windows Defense Evasion Tactics, IcedID, Living Off The Land, Windows Registry Abuse, ValleyRAT
Disabling Remote User Account Control	`TTP`	Endpoint	T1548.002	Windows Defense Evasion Tactics, Suspicious Windows Registry Activities, Remcos, Windows Registry Abuse, Azorult, AgentTesla
FodHelper UAC Bypass	`TTP`	Endpoint	T1112, T1548.002	IcedID, ValleyRAT, Compromised Windows Host, Windows Defense Evasion Tactics
Windows DISM Install PowerShell Web Access	`TTP`	Endpoint	T1548.002	CISA AA24-241A

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1548.002/atomic_red_team/dism_pswa_4688_windows-security.log --index attack_data

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0