mitre-attack / car

Cyber Analytics Repository
Apache License 2.0
889 stars 300 forks

CAR-2021-01-009-T1490 New detection patterns, unit tests added #144

Closed Ptylu closed 2 years ago

Ptylu commented 2 years ago

Hello,

I propose an update for the shadow copy detection. There are 2 CARs that focus on the shadow deletion: https://car.mitre.org/analytics/CAR-2020-04-001/ and https://car.mitre.org/analytics/CAR-2021-01-009/

I modified the recent one. I think we can merge the 2 CARs to have only 1 CAR file?

ikiril01 commented 2 years ago

@Ptylu awesome! I definitely like the idea of consolidating the shadow copy analytics into a single one; just need to determine if we need to "deprecate" the old ones.

Ptylu commented 2 years ago

@ikiril01 From my point of view, I think we can reuse the Pseudocode from https://car.mitre.org/analytics/CAR-2020-04-001/. All the other information is already in https://car.mitre.org/analytics/CAR-2021-01-009/