Command Artifacts

What are they?

Artifacts are a way to track the indicators left behind in a target environment automatically. These can be things like dropped files, network activity, process creation, and modifications to a system. Artifacts are broken out into three main pieces:

  • Base Artifact - Name and description of the base category of an artifact such as "File Create", "Process Create", etc.

  • Artifact Template - A template of how to turn a specific command into a specific artifact instance such as sh -c [shell command here].

  • Artifact Instance - A specific instance of an artifact in an operation, such as a Process Create artifact for Task 5 with the values "sh -c whoami" and "whoami".

Where are they?

Command artifacts are viewable right below the command MITRE ATT&CK mappings:

In the above screenshot there are a few important pieces to notice.

  • The Base Artifact refers to the general type of artifact.

  • The Artifact field refers to the general format of the artifact that's created. In this instance, executing the shell command creates an artifact of sh -c followed by the supplied value.

  • The Replace String indicates the string in the Artifact string to replace when the command is executed.

  • The Linked Parameter can be used to tie this specific artifact template to the value of a specific command parameter. If this is left blank, then the entire set of parameters supplied to the command is substituted instead.

Example Walkthrough

Take the above screenshot for the shell command as an example, where you issue the command shell whoami. There is no linked parameter, so the entire set of parameters is used. The Replace String of * in sh -c * will be replaced with our parameter, so the final artifact will be sh -c whoami.

As another example, consider the artifact template for Upload:

An upload command will look like: upload {"remote_path": "/users/its-a-feature/Desktop/evil.bin", "file_id": 5}. This artifact template is tied to a specific parameter (remote_path), so only that parameter's value will be used.

A File Create artifact will be created that takes the remote_path value and replaces all instances of the Replace String (*) in the Artifact with that value. In this case the Artifact is just *, so the result is the value itself, and we end up with an artifact of /users/its-a-feature/Desktop/evil.bin. If this were the shell example, with no linked parameter called out, the entire JSON argument string would have been substituted instead.
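The substitution rule described in the two walkthroughs above, written out as an added example (this is not Mythic's own code and does not use its API; the ArtifactTemplate dataclass, render_artifact and record_artifacts are illustrative names chosen here). It covers both cases the text describes: a template with a Linked Parameter takes only that parameter's value, and a template without one takes the whole parameter set, which for JSON arguments means the whole JSON string. Running it over the two commands from the walkthrough reproduces the artifacts the text arrives at, which is a useful check when writing templates for a new command, since a template whose Replace String never appears in the Artifact string silently produces the same artifact for every task.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Parameters arrive either as a raw string ("whoami") or as parsed JSON
# arguments ({"remote_path": ..., "file_id": 5}).
Params = Union[str, Dict[str, object]]


@dataclass(frozen=True)
class ArtifactTemplate:
    """Illustrative model of the fields shown in the artifact UI (hypothetical)."""
    base_artifact: str              # e.g. "Process Create", "File Create"
    artifact: str                   # e.g. "sh -c *"
    replace_string: str = "*"       # token in `artifact` that gets substituted
    linked_parameter: Optional[str] = None  # None = use the whole parameter set


@dataclass(frozen=True)
class ArtifactInstance:
    task_id: int
    base_artifact: str
    artifact: str


def render_artifact(template: ArtifactTemplate, params: Params) -> str:
    """Turn one template plus one command's parameters into an artifact string."""
    if template.replace_string == "" or template.replace_string not in template.artifact:
        # Nothing would be substituted: every task would yield the same artifact,
        # which is almost always a template authoring mistake, so fail loudly.
        raise ValueError(
            f"replace string {template.replace_string!r} not found in "
            f"artifact template {template.artifact!r}"
        )

    if template.linked_parameter is not None:
        # Linked parameter: only that parameter's value is used.
        if not isinstance(params, dict):
            raise ValueError("linked parameter requires JSON (dict) parameters")
        if template.linked_parameter not in params:
            raise KeyError(f"parameter {template.linked_parameter!r} not supplied")
        value = str(params[template.linked_parameter])
    else:
        # No linked parameter: the entire parameter set is substituted. For
        # JSON arguments that is the whole JSON string, as the text describes.
        value = params if isinstance(params, str) else json.dumps(params)

    # "replaces all instances of the Replace String"
    return template.artifact.replace(template.replace_string, value)


def record_artifacts(
    task_id: int, templates: List[ArtifactTemplate], params: Params
) -> List[ArtifactInstance]:
    """Produce the artifact instances a single task leaves behind."""
    return [
        ArtifactInstance(task_id, t.base_artifact, render_artifact(t, params))
        for t in templates
    ]


# Templates matching the two walkthrough examples (values from the text).
SHELL_TEMPLATE = ArtifactTemplate("Process Create", "sh -c *")
UPLOAD_TEMPLATE = ArtifactTemplate("File Create", "*", linked_parameter="remote_path")

# Constructed sample parameters taken from the walkthrough.
SHELL_PARAMS: Params = "whoami"
UPLOAD_PARAMS: Params = {"remote_path": "/users/its-a-feature/Desktop/evil.bin", "file_id": 5}


if __name__ == "__main__":
    for inst in record_artifacts(5, [SHELL_TEMPLATE], SHELL_PARAMS):
        print(inst)   # Process Create / sh -c whoami
    for inst in record_artifacts(6, [UPLOAD_TEMPLATE], UPLOAD_PARAMS):
        print(inst)   # File Create / /users/its-a-feature/Desktop/evil.bin
```

Passing the upload's JSON arguments to the shell template (no linked parameter) shows the fallback behaviour the text warns about: the artifact becomes sh -c followed by the full JSON string, not by remote_path alone.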
