
MITRE ATT&CK IMPACT Tactic IOC Detection

This is an experimental query that detects IOCs based solely on process-name and command-line analysis; it will not see renamed binaries or encoded/obfuscated command lines.

The query below maps process/command-line indicators to the techniques and sub-techniques of the MITRE ATT&CK Impact tactic.

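-- VARIABLES (Live Discover substitutes each $$name$$ into the query text before it reaches SQLite)
-- Start Search on  Date and Time        Date    -- compared directly against spj.time (Unix epoch seconds)
-- Total Hours to search                 STRING  -- used in arithmetic below; SQLite coerces a numeric string,
--                                                  a non-numeric value evaluates to 0 and yields an empty window

-- Detect MITRE ATT&CK Impact Tactic using Process and cmdline info only
--
-- Caveats for anyone tuning or relying on this hunt:
--  * Every rule matches the recorded image name and the plaintext command line with SQLite LIKE.
--    A renamed binary, or PowerShell launched with -EncodedCommand / from a script file, will not match.
--  * LIKE is case-insensitive for ASCII, and '_' is a single-character wildcard, so a pattern such as
--    '%win32_shadowcopy%' is slightly broader than the literal text (still matches the literal underscore).
--  * Rows whose Method is 'NONE' document techniques with no process/cmdline indicator; they are filtered
--    out by the final WHERE clause and exist only so the table remains a complete map of the tactic.
--  * The same indicator may appear under more than one technique (e.g. vssadmin delete shadows under
--    T1485 and T1490); such an event is reported once per matching rule.
--  * 'Refrence' is spelled as in the original so the output column name stays stable for consumers.
WITH Mitre_map (ID, Tactic, Technique, SubTechnique, Description, Method, Condition, SubCondition, Refrence) AS ( VALUES

-- Account Access Removal T1531
-- '%user % %' requires two tokens after 'user' (e.g. net user <name> <newpassword> or <name> /delete);
-- group-membership removal via 'net localgroup ... /delete' is not covered by these rows.
   ('T1531','Impact','Account Access Removal','','https://attack.mitre.org/techniques/T1531','Process_Cmd','net.exe','%user % %','https://www.windows-commandline.com/change-user-password-in-windows-command-line/'),
   ('T1531','Impact','Account Access Removal','','https://attack.mitre.org/techniques/T1531','Process_Cmd','net1.exe','%user % %','https://www.windows-commandline.com/change-user-password-in-windows-command-line/'),
   
-- Data Destruction T1485
   ('T1485','Impact','Data Destruction','','https://attack.mitre.org/techniques/T1485','Process_Cmd','sdelete.exe','%accepteula%','https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete'),
   ('T1485','Impact','Data Destruction','','https://attack.mitre.org/techniques/T1485','Process_Cmd','sdelete64.exe','%accepteula%','https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete'),
   ('T1485','Impact','Data Destruction','','https://attack.mitre.org/techniques/T1485','Process_Cmd','vssadmin.exe','%delete%shadows%','https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin'),
   ('T1485','Impact','Data Destruction','','https://attack.mitre.org/techniques/T1485','Process_Cmd','powershell.exe','%win32_shadowcopy%delete%','https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Script-to-ce858ca8'),
   ('T1485','Impact','Data Destruction','','https://attack.mitre.org/techniques/T1485','Process_Cmd','wbadmin.exe','%delete%','https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin'),
   ('T1485','Impact','Data Destruction','','https://attack.mitre.org/techniques/T1485','Process_Cmd','wbadmin.exe','%disable%','https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin'),   
   ('T1485','Impact','Data Destruction','','https://attack.mitre.org/techniques/T1485','Process_Cmd','bcdedit.exe','%delete%','https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit'),
   ('T1485','Impact','Data Destruction','','https://attack.mitre.org/techniques/T1485','Process_Cmd','bcdedit.exe','%import%','https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit'),
   -- Third-party wipers below: the original rows pointed at the sdelete documentation, which does not
   -- describe these tools. No authoritative vendor reference is recorded; verify before citing.
   ('T1485','Impact','Data Destruction','','https://attack.mitre.org/techniques/T1485','Process_Cmd','ccleaner.exe','%auto%','Third-party cleaner invoked with an unattended/auto switch - no vendor reference recorded'),
   ('T1485','Impact','Data Destruction','','https://attack.mitre.org/techniques/T1485','Process_Cmd','ccleaner.exe','%delete%','Third-party cleaner invoked with a delete switch - no vendor reference recorded'),
   ('T1485','Impact','Data Destruction','','https://attack.mitre.org/techniques/T1485','Process_Cmd','pnputil.exe','%add%rawdisk%','rawdisk can be used to delete files, seeing it added is suspect'),
   ('T1485','Impact','Data Destruction','','https://attack.mitre.org/techniques/T1485','Process_Cmd','hdderase.exe','%','Third-party disk/file wiping utility, any invocation - no vendor reference recorded'),
   ('T1485','Impact','Data Destruction','','https://attack.mitre.org/techniques/T1485','Process_Cmd','killdisk.exe','%','Third-party disk/file wiping utility, any invocation - no vendor reference recorded'),
   ('T1485','Impact','Data Destruction','','https://attack.mitre.org/techniques/T1485','Process_Cmd','eraser.exe','%','Third-party disk/file wiping utility, any invocation - no vendor reference recorded'),
   ('T1485','Impact','Data Destruction','','https://attack.mitre.org/techniques/T1485','Process_Cmd','diskwipe.exe','%','Third-party disk/file wiping utility, any invocation - no vendor reference recorded'),
   ('T1485','Impact','Data Destruction','','https://attack.mitre.org/techniques/T1485','Process_Cmd','diskpart.exe','%clean%','https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diskpart'),
   
-- Data Encrypted for Impact T1486
-- These are family-specific file names from public ransomware write-ups; they are brittle indicators.
   ('T1486','Impact','Data Encrypted for Impact','','https://attack.mitre.org/techniques/T1486','Process_Cmd','enc.exe','%','https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/'),
   ('T1486','Impact','Data Encrypted for Impact','','https://attack.mitre.org/techniques/T1486','Process_Cmd','tgytutrc%.exe', '%-i%sm%-tgytutrc%','https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/'),
   ('T1486','Impact','Data Encrypted for Impact','','https://attack.mitre.org/techniques/T1486','Process_Cmd','robinhood.exe', '%','https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-robbinhood-ransomware-stops-181-windows-services-before-encryption/'),

-- Data Manipulation-Stored Data Manipulation T1565.001
   ('T1565.001','Impact','Data Manipulation ','Stored Data Manipulation','https://attack.mitre.org/techniques/T1565/001','NONE','','',''),

-- Data Manipulation- Transmitted Data Manipulation T1565.002  
   ('T1565.002','Impact','Data Manipulation ','Transmitted Data Manipulation','https://attack.mitre.org/techniques/T1565/002','Process_Cmd','powershell.exe','%get-clipboard%set-clipboard%','https://attack.mitre.org/software/S0455/'),

-- Data Manipulation- Runtime Data Manipulation T1565.003
   ('T1565.003','Impact','Data Manipulation ','Runtime Data Manipulation','https://attack.mitre.org/techniques/T1565/003','NONE','','',''),

-- Defacement- Internal Defacement
   ('T1491.001','Impact','Defacement ','Internal Defacement','https://attack.mitre.org/techniques/T1491/001','Process_Cmd','powershell.exe','%remove-item%\web\wallpaper\windows\%','https://gallery.technet.microsoft.com/scriptcenter/Change-the-Desktop-b5b2141c'),
   ('T1491.001','Impact','Defacement ','Internal Defacement','https://attack.mitre.org/techniques/T1491/001','Process_Cmd','powershell.exe','%set-wallpaper(win10).ps1%','https://gallery.technet.microsoft.com/scriptcenter/Change-the-Desktop-b5b2141c'),

-- Defacement- External Defacement
   ('T1491.002','Impact','Defacement ','External Defacement','https://attack.mitre.org/techniques/T1491/002','NONE','','',''),

-- Disk Wipe- Disk Content Wipe
   ('T1561.001','Impact','Disk Wipe ','Disk Content Wipe','https://attack.mitre.org/techniques/T1561/001','Process_Cmd','powershell.exe','%get-disk%diskpart%format%','Powershell invoking diskpart to format drive'),
   ('T1561.001','Impact','Disk Wipe ','Disk Content Wipe','https://attack.mitre.org/techniques/T1561/001','Process_Cmd','powershell.exe','%get-disk%diskpart%clean%','Powershell invoking diskpart to clean drive'),
   ('T1561.001','Impact','Disk Wipe ','Disk Content Wipe','https://attack.mitre.org/techniques/T1561/001','Process_Cmd','powershell.exe','%diskpart%format%','https://www.seagate.com/support/kb/how-to-diskpart-eraseclean-a-drive-through-the-command-prompt-005929en/'),
   ('T1561.001','Impact','Disk Wipe ','Disk Content Wipe','https://attack.mitre.org/techniques/T1561/001','Process_Cmd','powershell.exe','%diskpart%clean%','https://www.seagate.com/support/kb/how-to-diskpart-eraseclean-a-drive-through-the-command-prompt-005929en/'),
   -- Direct diskpart rows (the original description text said "Powershell collecting disk info", which
   -- described the rows above rather than these).
   ('T1561.001','Impact','Disk Wipe ','Disk Content Wipe','https://attack.mitre.org/techniques/T1561/001','Process_Cmd','diskpart.exe','%clean%','diskpart invoked directly to clean a disk' || CHAR(10) || 'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diskpart'),
   ('T1561.001','Impact','Disk Wipe ','Disk Content Wipe','https://attack.mitre.org/techniques/T1561/001','Process_Cmd','diskpart.exe','%format%','diskpart invoked directly to format a volume' || CHAR(10) || 'https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diskpart'),
   ('T1561.001','Impact','Disk Wipe ','Disk Content Wipe','https://attack.mitre.org/techniques/T1561/001','Process_Cmd','bootsect.exe','%','https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bootsect-command-line-options'),
   ('T1561.001','Impact','Disk Wipe ','Disk Content Wipe','https://attack.mitre.org/techniques/T1561/001','Process_Cmd','bcdedit.exe','%format%','https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdedit-command-line-options'),
   ('T1561.001','Impact','Disk Wipe ','Disk Content Wipe','https://attack.mitre.org/techniques/T1561/001','Process_Cmd','bcdboot.exe','%format%','https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdboot-command-line-options-techref-di'),
   ('T1561.001','Impact','Disk Wipe ','Disk Content Wipe','https://attack.mitre.org/techniques/T1561/001','Process_Cmd','bootcfg.exe','%delete%','https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bootcfg'),

-- DiskWipe- Disk Structure Wipe
   ('T1561.002','Impact','Disk Wipe ','Disk Structure Wipe','https://attack.mitre.org/techniques/T1561/002','NONE','','',''),

-- Endpoint Denial of Service- OS Exhaustion Flood
   ('T1499.001','Impact','Endpoint Denial of Service ','OS Exhaustion Flood','https://attack.mitre.org/techniques/T1499/001','NONE','','',''),

-- Endpoint Denial of Service- Service Exhaustion Flood
   ('T1499.002','Impact','Endpoint Denial of Service ','Service Exhaustion Flood','https://attack.mitre.org/techniques/T1499/002','NONE','','',''),

-- Endpoint Denial of Service- Application Exhaustion Flood
   ('T1499.003','Impact','Endpoint Denial of Service ','Application Exhaustion Flood','https://attack.mitre.org/techniques/T1499/003','NONE','','',''),

-- Endpoint Denial of Service- Application or System Exploitation (left commented out; no indicator defined)
   --('T1499.004','Impact','Endpoint Denial of Service ','Application or System Exploitation','https://attack.mitre.org/techniques/T1499/004','NONE','','',''),

-- Firmware Corruption
-- NOTE(review): '%set%' fires on every 'bcdedit /set', including the T1490 boot-policy changes below,
-- so this row is a broad heuristic rather than a firmware-specific indicator; expect duplicates and noise.
   ('T1495','Impact','Firmware Corruption','','https://attack.mitre.org/techniques/T1495','Process_Cmd','bcdedit.exe','%set%','https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdedit-command-line-options'),

-- Inhibit System Recovery
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','vssadmin.exe','%delete%shadows%', ''),
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','vssadmin.exe','%resize%shadowstorage%', ''),
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','wmic.exe','%shadowcopy%delete%', ''),
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','wbadmin.exe','%delete%catalog%-quiet%', ''),
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','bcdedit.exe','%set%bootstatuspolicy%ignoreallfailures%', ''),
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','bcdedit.exe','%recoveryenabled%no%', ''),
   -- PreviousVersions policy values set via PowerShell or reg.exe; only catches plaintext invocations.
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','powershell.exe','%set-itemproperty%previousversions%HideBackupEntries%', 'Hide previous versions of files on backup location'),
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','powershell.exe','%set-itemproperty%previousversions%DisableRemoteRestore%', 'Prevent restoring remote previous versions'),
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','powershell.exe','%set-itemproperty%previousversions%DisableRemotePage%', 'Hide previous versions list for remote files'),
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','powershell.exe','%set-itemproperty%previousversions%DisableLocalRestore%', 'Prevent restoring local previous versions'),
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','powershell.exe','%set-itemproperty%previousversions%DisableLocalPage%', 'Hide previous versions list for local files'),
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','powershell.exe','%set-itemproperty%previousversions%DisableBackupRestore%', 'Prevent restoring previous versions from backups'),
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','reg.exe','%add%PreviousVersions%HideBackupEntries%', 'Hide previous versions of files on backup location'),
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','reg.exe','%add%PreviousVersions%DisableRemoteRestore%', 'Prevent restoring remote previous versions'),
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','reg.exe','%add%PreviousVersions%DisableRemotePage%', 'Hide previous versions list for remote files'),
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','reg.exe','%add%PreviousVersions%DisableLocalRestore%', 'Prevent restoring local previous versions'),
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','reg.exe','%add%PreviousVersions%DisableLocalPage%', 'Hide previous versions list for local files'),
   ('T1490','Impact','Inhibit System Recovery','','https://attack.mitre.org/techniques/T1490','Process_Cmd','reg.exe','%add%PreviousVersions%DisableBackupRestore%', 'Prevent restoring previous versions from backups'),

-- Network Denial of Service- Direct Network Flood
   ('T1498.001','Impact','Network Denial of Service ','Direct Network Flood','https://attack.mitre.org/techniques/T1498/001','NONE','','',''),

-- Network Denial of Service- Reflection Amplification
   ('T1498.002','Impact','Network Denial of Service ','Reflection Amplification','https://attack.mitre.org/techniques/T1498/002','NONE','','',''),

-- Resource Hijacking 
   ('T1496','Impact','Resource Hijacking','','https://attack.mitre.org/techniques/T1496','NONE','','',''),

-- Service Stop. Lots of ways of doing this; the registry-based method is still to be added.
-- 'sc stop' / 'net stop' are routine administrative actions, so these rows are expected to be noisy.
   ('T1489','Impact','Service Stop','','https://attack.mitre.org/techniques/T1489','Process_Cmd','sc.exe','%stop%',''),
   ('T1489','Impact','Service Stop','','https://attack.mitre.org/techniques/T1489','Process_Cmd','sc.exe','%config%start%=%disabled%',''),
   ('T1489','Impact','Service Stop','','https://attack.mitre.org/techniques/T1489','Process_Cmd','wmic.exe','%service%changeStartmode%Disabled%',''),
   ('T1489','Impact','Service Stop','','https://attack.mitre.org/techniques/T1489','Process_Cmd','powershell.exe','%Set-service%StartupType%Disabled%',''),
   ('T1489','Impact','Service Stop','','https://attack.mitre.org/techniques/T1489','Process_Cmd','net.exe','%stop%',''),

-- System Shutdown/Reboot
-- The first two rows match ANY process whose command line contains the word; they are deliberately
-- broad and will also catch unrelated processes that merely mention 'shutdown' or 'reboot'.
   ('T1529','Impact','System Shutdown/Reboot','','https://attack.mitre.org/techniques/T1529','Process_Cmd','%','%shutdown%',''),
   ('T1529','Impact','System Shutdown/Reboot','','https://attack.mitre.org/techniques/T1529','Process_Cmd','%','%reboot%',''),
   ('T1529','Impact','System Shutdown/Reboot','','https://attack.mitre.org/techniques/T1529','Process_Cmd','shutdown.exe','%',''),
   ('T1529','Impact','System Shutdown/Reboot','','https://attack.mitre.org/techniques/T1529','Process_Cmd','at.exe','%shutdown%',''),
   ('T1529','Impact','System Shutdown/Reboot','','https://attack.mitre.org/techniques/T1529','Process_Cmd','schtasks.exe','%create%shutdown%',''),
   ('T1529','Impact','System Shutdown/Reboot','','https://attack.mitre.org/techniques/T1529','Process_Cmd','powershell.exe','%stop-computer%',''),
   ('T1529','Impact','System Shutdown/Reboot','','https://attack.mitre.org/techniques/T1529','Process_Cmd','powershell.exe','%restart-computer%','')
)

/*****************************************************************\
| Hunt for matching IOCs using the Sophos Journal Tables (Windows) |
\*****************************************************************/
-- Utility queries (replace the SELECT below with one of these to inspect the rule table itself):
-- LIST ALL RULES  SELECT * FROM Mitre_map
-- COUNT ALL RULES SELECT CASE(Method='NONE') WHEN 1 THEN 0 ELSE COUNT(ID) END Count, ID, Tactic, Technique, SubTechnique, Description FROM Mitre_Map GROUP BY ID ORDER BY Technique ASC
--
-- Search for matching process name and cmdline indicator of compromise.
-- One output row per (process-start event, matching rule) pair.

SELECT
   -- spj.time is Unix epoch seconds; render it as ISO-style text for the analyst.
   CAST(datetime(spj.time,'unixepoch') AS TEXT) DateTime,
   CAST(map.ID AS TEXT) Mitre_ID, CAST(map.Tactic AS TEXT) Tactic, CAST(map.Technique AS TEXT) Technique, CAST(map.SubTechnique AS TEXT) SubTechnique, CAST(map.Description AS TEXT) Mitre_Description,
   -- Which rule fired: '<process pattern> + <cmdline pattern>'.
   CAST(map.condition || ' + ' || map.subcondition AS TEXT) Hunt_Rule,
   -- Resolve the account: rtrim() with "every character of the SID except '-'" strips the trailing
   -- RID, replace() then removes that prefix, leaving the RID, which is looked up as users.uid.
   CAST( (SELECT username FROM users WHERE uid = replace(spj.sid, rtrim(spj.sid, replace(spj.sid, '-', '')), '')) AS TEXT) User_Name,
   CAST(spj.processName AS TEXT) processName,
   CAST(spj.cmdline AS TEXT) CmdLine,
   CAST(spj.SophosPID AS TEXT) SophosPID,
   -- Parent lookup: the part of ParentSophosPID after ':' is treated as a Windows FILETIME
   -- (100 ns ticks since 1601-01-01); /10000000 gives seconds and -11644473600 rebases to Unix epoch,
   -- which is then matched against the parent's own journal entry time. Same rtrim/replace trick as above.
   CAST ( (SELECT spj2.processName FROM Sophos_process_journal spj2 WHERE spj2.SophosPID = spj.ParentSophosPID AND spj2.time = replace(spj.ParentSophosPID, rtrim(spj.ParentSophosPID, replace(spj.ParentSophosPID,':','')),'')/10000000-11644473600) AS TEXT) ParentProcessName,
   CAST(spj.pathname AS TEXT) Path,
   CAST(map.Refrence AS TEXT) Refrence
FROM Sophos_process_journal spj 
   -- Rule match is done in the JOIN: process-start events only (eventType = 0), then both LIKE patterns.
   JOIN Mitre_map map ON 
      spj.eventType = 0 AND 
      spj.processName LIKE map.condition AND 
      spj.cmdline LIKE map.SubCondition
WHERE 
   -- Half-open time window [start, start + hours) in epoch seconds.
   spj.time > $$Start Search on  Date and Time$$ AND 
   spj.time < $$Start Search on  Date and Time$$ + $$Total Hours to search$$*3600 AND
   -- Drop the 'NONE' placeholder rows; they carry empty patterns and are documentation only.
   map.Method = 'Process_Cmd'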