
Problem: The specific attack for a particular command line is not shown, how to find the corresponding attack on the server side when viewing logs? #3000

Open
subvert0r opened this issue Nov 29, 2024 · 1 comment

Comments

@subvert0r

I am trying to collect attack logs on an Elastic server side from a client machine that I ran atomic on (Windows 10 client), but the problem is, when viewing process creations and their command lines, it's not obvious which attack a particular command line is, meaning its GUID or at least a MITRE ID.

Is there any way that I can change atomic so it would somehow put the GUID of the attack or something related to a particular attack inside the command line of a process, for example echo or something?

@kienmarkdo
Contributor

You have encountered an issue called "mapping Sysmon logs to MITRE ATT&CK techniques" https://ieeexplore.ieee.org/document/10343783

The current easiest way that I can think of that is semi-effective at retrieving the logs associated with an atomic test is:

  1. Get the process ID of the atomic test by running the command

     Import-Csv $env:TEMP\Invoke-AtomicTest-ExecutionLog.csv | Out-GridView # Windows

     (See more in Execution Logging)

  2. In Elastic (Kibana Discover), search for all logs whose process ID or parent process ID is the same as that atomic test's PID, with the KQL query

     process.pid : <PID> OR process.parent.pid : <PID>

  3. You can confirm the correct logs by searching the field process.command_line in each log.

Here is an example of how it would look for T1486 Atomic Test 8:

  • Retrieve the PID of the atomic test (screenshot)

  • Find the command by its PID in Elastic (screenshot)
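As an added worked example (not part of this thread or of the Atomic Red Team project), the script below applies the PID-based correlation from the answer above offline: it parses a constructed Invoke-AtomicTest-ExecutionLog.csv (the column names are an assumption about the logger's output), builds the KQL query from step 2 for each test, and tags constructed process-creation events with the technique, test number and GUID they belong to, matching on either the test's own PID or the parent PID.

```python
"""Correlate Invoke-AtomicTest execution-log PIDs with process-creation events."""
import csv
import io

# Constructed sample of Invoke-AtomicTest-ExecutionLog.csv. Column names are an
# assumption about the logger's output; GUIDs and test names are placeholders.
EXECUTION_LOG_CSV = """\
Technique,Test Number,Test Name,GUID,ProcessId
T1486,8,constructed test A,00000000-0000-4000-8000-000000000001,4321
T1059.001,1,constructed test B,00000000-0000-4000-8000-000000000002,4500
"""

# Constructed process-creation events using ECS-style field names as seen in Kibana.
SAMPLE_EVENTS = [
    {"process.pid": 4321, "process.parent.pid": 1000,
     "process.command_line": "powershell.exe -Command <atomic test body>"},
    {"process.pid": 4400, "process.parent.pid": 4321,
     "process.command_line": "cmd.exe /c <child spawned by the test>"},
    {"process.pid": 5000, "process.parent.pid": 700,
     "process.command_line": "explorer.exe"},
]


def load_execution_log(csv_text):
    """Map each atomic test's PID to its technique, test number and GUID."""
    by_pid = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_pid[int(row["ProcessId"])] = {
            "technique": row["Technique"],
            "test_number": int(row["Test Number"]),
            "guid": row["GUID"],
        }
    return by_pid


def kql_for_pid(pid):
    """KQL from step 2: the test process itself plus its direct children."""
    return f"process.pid : {pid} OR process.parent.pid : {pid}"


def kql_for_test(by_pid, technique, test_number):
    """Look up the PID recorded for a technique/test number and build its query."""
    for pid, info in by_pid.items():
        if info["technique"] == technique and info["test_number"] == test_number:
            return kql_for_pid(pid)
    return None


def tag_events(events, by_pid):
    """Return (event, tag) pairs; tag is the test info or None when unrelated."""
    return [(ev, by_pid.get(ev["process.pid"]) or by_pid.get(ev["process.parent.pid"]))
            for ev in events]
```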
