-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathFileIntegrityMonitoring.yaml
387 lines (386 loc) · 16.3 KB
/
FileIntegrityMonitoring.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
version: 1
ATT&CK version: 8.2
creation date: 1/21/2021
name: File Integrity Monitoring
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: Azure
tags:
- Azure Security Center
- Azure Security Center Recommendation
- Azure Defender
- Azure Defender for Servers
- Windows
- Linux
description: >
File integrity monitoring (FIM), also known as change monitoring, examines operating system
files, Windows registries, application software, Linux system files, and more, for changes that
might indicate an attack. File Integrity Monitoring (FIM) informs you when changes occur to
sensitive areas in your resources, so you can investigate and address unauthorized activity.
techniques:
- id: T1053
name: Scheduled Task/Job
technique-scores:
- category: Detect
value: Significant
sub-techniques-scores:
- sub-techniques:
- id: T1053.001
name: At (Linux)
- id: T1053.002
name: At (Windows)
- id: T1053.003
name: Cron
- id: T1053.005
name: Scheduled Task
- id: T1053.006
name: Systemd Timers
scores:
- category: Detect
value: Partial
comments: >
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks.
This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks.
The specificity of registry keys and files used in creation or modification of these scheduled tasks may
reduce the false positive rate. This control at worst scans for changes on an hourly basis.
- id: T1098
name: Account Manipulation
technique-scores:
- category: Detect
value: Minimal
sub-techniques-scores:
- sub-techniques:
- id: T1098.004
name: SSH Authorized Keys
scores:
- category: Detect
value: Partial
comments: >
This control may detect changes to the SSH authorized keys file which may indicate establishment
of persistence. This control at worst scans for changes on an hourly basis.
- id: T1547
name: Boot or Logon Autostart Execution
technique-scores:
- category: Detect
value: Partial
sub-techniques-scores:
- sub-techniques:
- id: T1547.001
name: Registry Run Keys / Startup Folder
- id: T1547.002
name: Authentication Package
- id: T1547.003
name: Time Providers
- id: T1547.004
name: Winlogon Helper DLL
- id: T1547.005
name: Security Support Provider
- id: T1547.006
name: Kernel Modules and Extensions
- id: T1547.008
name: LSASS Driver
- id: T1547.009
name: Shortcut Modification
- id: T1547.010
name: Port Monitors
- id: T1547.012
name: Print Processors
scores:
- category: Detect
value: Partial
comments: >
This control may detect changes to the Windows registry or files that enable Boot or Logon Autostart
Execution. This control at worst scans for changes on an hourly basis.
- id: T1037
name: Boot or Logon Initialization Scripts
technique-scores:
- category: Detect
value: Partial
sub-techniques-scores:
- sub-techniques:
- id: T1037.001
name: Logon Script (Windows)
- id: T1037.003
name: Network Logon Script
scores:
- category: Detect
value: Partial
comments: >
This control may detect changes to the Windows registry upon creation or modification of logon scripts.
This control at worst scans for changes on an hourly basis.
- id: T1543
name: Create or Modify System Process
technique-scores:
- category: Detect
value: Partial
sub-techniques-scores:
- sub-techniques:
- id: T1543.002
name: Systemd Service
- id: T1543.003
name: Windows Service
scores:
- category: Detect
value: Partial
comments: >
This control may detect changes to the Windows registry upon creation or modification of Windows services.
This control may also detect changes to files used by systemd to create/modify systemd services.
The specificity of registry keys and files used in creation or modification of these scheduled tasks may
reduce the false positive rate. This control at worst scans for changes on an hourly basis.
- id: T1546
name: Event Triggered Execution
technique-scores:
- category: Detect
value: Partial
comments: >
The detection score for this technique was assessed as Partial because it doesn't detect
some of the sub-techniques of this technique such as Windows Management Instrumentation (WMI)
Event Subscription and Trap sub-techniques. Additionally for some sub-techniques,
this control can be noisy.
sub-techniques-scores:
- sub-techniques:
- id: T1546.001
name: Change Default File Association
- id: T1546.002
name: Screensaver
- id: T1546.004
name: .bash_profile and .bashrc
- id: T1546.007
name: Netsh Helper DLL
- id: T1546.008
name: Accessibility Features
- id: T1546.009
name: AppCert DLLs
- id: T1546.011
name: Application Shimming
- id: T1546.012
name: Image File Execution Options Injection
- id: T1546.013
name: PowerShell Profile
scores:
- category: Detect
value: Partial
comments: >
This control may detect changes to the Windows registry or files that indicate event triggered execution.
The specificity of registry keys and files used in creation or modification of these scheduled tasks may
reduce the false positive rate. This control at worst scans for changes on an hourly basis.
- sub-techniques:
- id: T1546.010
name: AppInit DLLs
- id: T1546.015
name: Component Object Model Hijacking
scores:
- category: Detect
value: Minimal
comments: >
The detection score for this group of sub-techniques is assessed as Minimal due to the
accuracy component of the score. The registry keys which are modified as a result of
these sub-techniques can change frequently or are too numerous to monitor and
therefore can result in significant amount of false positives.
- id: T1574
name: Hijack Execution Flow
technique-scores:
- category: Detect
value: Minimal
sub-techniques-scores:
- sub-techniques:
- id: T1574.006
name: LD_PRELOAD
scores:
- category: Detect
value: Partial
comments: >
This control may detect changes to the ld.so.preload file which may indicate an attempt to
hijack execution flow. This sub-technique may also be utilized through an environment
variable which this control may not detect. This control at worst scans for changes on an
hourly basis.
- id: T1137
name: Office Application Startup
technique-scores:
- category: Detect
value: Minimal
sub-techniques-scores:
- sub-techniques:
- id: T1137.002
name: Office Test
scores:
- category: Detect
value: Partial
comments: >
This control may detect changes to the Windows registry to establish persistence with the Office
Test sub-technique. The specificity of registry keys involved may reduce the false positive rate.
This control at worst scans for changes on an hourly basis.
- id: T1548
name: Abuse Elevation Control Mechanism
technique-scores:
- category: Detect
value: Minimal
sub-techniques-scores:
- sub-techniques:
- id: T1548.002
name: Bypass User Account Control
scores:
- category: Detect
value: Minimal
comments: >-
Some UAC bypass methods rely on modifying specific, user-accessible Registry settings
that can be monitored using this control. Overall, there are numerous other bypass
methods that do not result in Registry modification that this control will not be
effective in detection resulting in a low detection coverage factor.
- sub-techniques:
- id: T1548.003
name: Sudo and Sudo Caching
scores:
- category: Detect
value: Partial
comments: >
This control may detect changes to the sudoers file which may indicate privilege
escalation. This control at worst scans for changes on an hourly basis.
- id: T1556
name: Modify Authentication Process
technique-scores:
- category: Detect
value: Partial
comments: >-
This control is effective for detecting the Registry and file system artifacts that are
generated during the execution of some variations of this technique while minimizing false
positives due to the locations being monitored changing infrequently (e.g. /etc/pam.d/).
sub-techniques-scores:
- sub-techniques:
- id: T1556.002
name: Password Filter DLL
scores:
- category: Detect
value: Partial
comments: >-
The Registry key used to register a Password Filter DLL can be monitored for changes
using this control providing substantial coverage of this sub-technique. This key
should not change often and therefore false positives should be minimal. This control
at worst scans for changes on an hourly basis.
- sub-techniques:
- id: T1556.003
name: Pluggable Authentication Modules
scores:
- category: Detect
value: Partial
comments: >-
The PAM configuration and module paths (/etc/pam.d/) can be monitored for changes
using this control. The files in this path should not change often and therefore
false positives should be minimal. This control at worst scans for changes on an hourly
basis.
- id: T1003
name: OS Credential Dumping
technique-scores:
- category: Detect
value: Minimal
comments: >-
Most credential dumping operations do not require modifying resources that can be detected
by this control (i.e. Registry and File system) and therefore its coverage is minimal.
sub-techniques-scores:
- sub-techniques:
- id: T1003.001
name: LSASS Memory
scores:
- category: Detect
value: Partial
comments: >-
This control can be used to detect the Windows Security Support Provider (SSP) DLLs
variation of this sub-technique by monitoring the Registry keys used to register these
DLLs. These keys should change infrequently and therefore false positives should be
minimal.
- id: T1222
name: File and Directory Permissions Modification
technique-scores:
- category: Detect
value: Partial
sub-techniques-scores:
- sub-techniques:
- id: T1222.001
name: Windows File and Directory Permissions Modification
- id: T1222.002
name: Linux and Mac File and Directory Permissions Modification
scores:
- category: Detect
value: Partial
comments: >-
This control can detect changes to the permissions of Windows and Linux files and can
be used to detect modifications to sensitive directories and files that shouldn't
change frequently. This control at worst scans for changes on an hourly basis.
- id: T1562
name: Impair Defenses
technique-scores:
- category: Detect
value: Minimal
comments: Due to low detection coverage, this technique is scored as minimal.
sub-techniques-scores:
- sub-techniques:
- id: T1562.001
name: Disable or Modify Tools
scores:
- category: Detect
value: Minimal
comments: >-
This control can be used to monitor Registry keys related to security software or
event logging processes that can detect when an adversary attempts to disable these
tools via modifying or deleting Registry keys. A majority of the cited procedure
examples for this sub-technique are related to killing security processes rather than
modifying the Registry, and therefore the detection coverage for this control is low.
- sub-techniques:
- id: T1562.004
name: Disable or Modify System Firewall
- id: T1562.006
name: Indicator Blocking
scores:
- category: Detect
value: Minimal
comments: >-
There are numerous ways depending on the operating system that these sub-techniques
can be accomplished. Monitoring the Windows Registry is one way depending on the
procedure chosen to implement the sub-technique and therefore the overall coverage is
low.
- id: T1553
name: Subvert Trust Controls
technique-scores:
- category: Detect
value: Partial
comments: >-
This control can be used to detect a subset of this technique's sub-techniques while
minimizing the false positive rate.
sub-techniques-scores:
- sub-techniques:
- id: T1553.003
name: SIP and Trust Provider Hijacking
scores:
- category: Detect
value: Partial
comments: >-
This control can detect modifications made to the Registry keys used to register
Windows Subject Interface Packages (SIPs). Because this sub-technique can be
accomplished without modifying the Registry via DLL Search Order Hijacking, it has
been scored as Partial. The related Registry keys should not change often and therefore
the false positive rate should be minimal. This control at worst scans for changes on an
hourly basis.
- sub-techniques:
- id: T1553.004
name: Install Root Certificate
scores:
- category: Detect
value: Partial
comments: >-
This control can be used to detect when the system root certificates has changed by
detecting the corresponding Registry or File system modifications that occur as a
result. These root certificates should not change often and therefore the false
positive rate is minimal. This control at worst scans for changes on an hourly basis.
comments: >
The techniques included in this mapping result in Windows Registry or file system artifacts
being created or modified which can be detected by this control.
The detection score for most techniques included in this mapping was scored as Significant and
where there are exceptions, comments have been provided. This Significant score assessment was
due to the following factors: Coverage - (High) The control was able to detect most of the
sub-techniques, references and procedure examples of the mapped techniques. Accuracy - (High)
Although this control does not include built-in intelligence to minimize the false positive rate,
the specific artifacts generated by the techniques in this mapping do not change frequently and
therefore the potential for a high false-positive is reduced. Temporal - (Medium) This control at
worst scans for changes on an hourly basis.
references:
- 'https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring'