an introduction to att&ck - federal aviation …...an overview of the (enterprise) mitre...

© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-3288-14.

An Introduction to ATT&CK

Andy Applebaum

ATIEC 2019

September 24th, 2019

Outline

▪ An Overview of the (Enterprise) MITRE ATT&CK framework

▪ Use Cases in 15 minutes (or less!)

– Detection

– Cyber Threat Intelligence

– Adversary Emulation

– Assessments and Enginering

| 2 |


Understanding Our Defenses Within the Perimeter

MITRE’s ATT&CK Framework

https://www.youtube.com/watch?v=0BEf6s1iu5g

| 3 |





| 4 |





| 5 |

Block attachments based on MD5

Block bad IP rangesAlert on DNS requests

Scan hosts for artifacts


ATT&CK in Context: The Pyramid of Pain

Source: David Bianco

https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

TTPs = Tactics, Techniques, and Procedures

| 6 |

Block attachments based on MD5

Block bad IP ranges

Scan hosts for artifacts

Alert on DNS requests



ATT&CK in Context: The Pyramid of Pain

Source: David Bianco


TTPs = Tactics, Techniques, and Procedures

ATT&CK™ is a globally-accessible

knowledge base of adversary tactics

and techniques, developed by MITRE

based on real-world observations of

adversaries’ operations.

attack.mitre.org

| 7 |



The ATT&CK Matrix

| 8 |

Initial Access Execution Persistence Privilege Escalation Defense Evasion CredentialAccess Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction

Exploit Public-Facing Application

Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Software

Automated Collection Communication Through Removable Media

Data Compressed Data Encrypted for Impact

Local Job Scheduling Bypass User Account Control Bash History Application WindowDiscovery

Clipboard Data Data Encrypted Defacement

External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed ComponentObject Model

Data from InformationRepositories

Connection Proxy Data Transfer Size Limits Disk Content Wipe

Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Discovery

Custom Command and Control Protocol

Exfiltration Over OtherNetwork Medium

Disk Structure Wipe

Replication Through Removable Media

AppleScript DLL Search Order Hijacking Credentials in Files Exploitation ofRemote Services

Data from Local System Endpoint Denial of Service

CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network Shared Drive

Custom Cryptographic Protocol

Exfiltration Over Commandand Control Channel

Firmware Corruption

Spearphishing Attachment Command-Line Interface Plist Modification Exploitation forCredential Access

File and Directory Discovery Logon Scripts Inhibit System Recovery

Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Protocol

Network Denial of Service

Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking

Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Physical Medium

Runtime Data Manipulation

Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain GenerationAlgorithms

Service Stop

Valid Accounts Execution through Module Load

Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation

Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Removable Media

Screen Capture Fallback Channels Transmitted Data ManipulationExploitation for

Client Execution

File System Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication

Hooking Component Object ModelHijacking

LLMNR/NBT-NS Poisoningand Relay

Remote System Discovery Shared Webroot Multi-hop Proxy

Graphical User Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer Encryption

InstallUtil New Service Control Panel Items Password Filter DLL System InformationDiscovery

Taint Shared Content Multi-Stage Channels

Mshta Path Interception DCShadow Private Keys Third-party Software Port Knocking

PowerShell Port Monitors Deobfuscate/Decode Filesor Information

Securityd Memory System Network Configuration Discovery

Windows Admin Shares Remote Access Tools

Regsvcs/Regasm Service Registry Permissions Weakness Two-Factor AuthenticationInterception

Windows RemoteManagement

Remote File Copy

Regsvr32 Setuid and Setgid Disabling Security Tools System Network Connections Discovery

Standard Application Layer ProtocolRundll32 Startup Items DLL Side-Loading

Scripting Web Shell Execution Guardrails System Owner/UserDiscovery

Standard Cryptographic ProtocolService Execution .bash_profile and .bashrc Exploitation for

Privilege EscalationExploitation for

Defense EvasionSigned Binary Proxy Execution

Account Manipulation System Service Discovery Standard Non-ApplicationLayer ProtocolAuthentication Package SID-History Injection File Deletion System Time Discovery

Signed Script Proxy Execution

BITS Jobs Sudo File Permissions Modification

Virtualization/Sandbox Evasion

Uncommonly Used Port

Bootkit Sudo Caching Web Service

Source Browser Extensions File System Logical Offsets

Space after Filename Change Default File Association

Gatekeeper Bypass

Third-party Software Group Policy Modification

Trusted Developer Utilities Component Firmware Hidden Files and Directories

User Execution Component ObjectModel Hijacking

Hidden Users

Windows Management Instrumentation

Hidden Window

Create Account HISTCONTROL

Windows Remote Management

External Remote Services Indicator Blocking

Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor

Kernel Modules and Extensions

Indicator Removal on Host

Indirect Command Execution

Launch Agent Install Root Certificate

LC_LOAD_DYLIB Addition InstallUtil

Login Item Launchctl

Logon Scripts LC_MAIN Hijacking

Modify Existing Service Masquerading

Netsh Helper DLL Modify Registry

Office Application Startup Mshta

Port Knocking Network Share ConnectionRemovalRc.common

Redundant Access NTFS File Attributes

Registry Run Keys / Startup Folder

Obfuscated Filesor Information

Re-opened Applications Port Knocking

Screensaver Process Doppelgänging

Security Support Provider Process Hollowing

Tactics – Adversary’s technical goal

Tech

niq

ues

–H

ow

go

al is

ach

ieve

d

Publicly Available

attack.mitre.org


The ATT&CK Matrix

| 9 |















Disk Structure Wipe







Firmware Corruption









Service Stop





Client Execution














Remote File Copy















Gatekeeper Bypass




Hidden Users


Hidden Window























Tech

niq

ues

–H

ow

go

al is

ach

ieve

d

Publicly Available

attack.mitre.org


Initial

AccessExecution Persistence

Privilege

Escalation

Defense

Evasion

Credential

AccessDiscovery

Lateral

MovementCollection Exfiltration

Command

and ControlImpact

The ATT&CK Matrix

| 10 |















Disk Structure Wipe







Firmware Corruption









Service Stop





Client Execution














Remote File Copy















Gatekeeper Bypass




Hidden Users


Hidden Window























Tech

niq

ues

–H

ow

go

al is

ach

ieve

d

Procedures – Specific technique implementation

Publicly Available

attack.mitre.org


The ATT&CK Matrix

| 11 |















Disk Structure Wipe







Firmware Corruption









Service Stop





Client Execution














Remote File Copy















Gatekeeper Bypass




Hidden Users


Hidden Window























Tech

niq

ues

–H

ow

go

al is

ach

ieve

d

Procedures – Specific technique implementation

Grounded in real data from cyber incidents

Decouples the problem from the solution

Focuses on describing adversary TTPs, not IoCs

Describes post-compromise adversary behaviors

Publicly Available

attack.mitre.org


Example Technique: New Service

Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. […] Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools. 1

Platform: Windows

Permissions required: Administrator, SYSTEM

Effective permissions: SYSTEM

Detection: • Monitor service creation through changes in the Registry and common utilities using command-line invocation

• …

Mitigation: • Limit privileges of user accounts and remediate Privilege Escalation vectors• …

Data sources: Windows registry, process monitoring, command-line parameters

Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …

References: 1. Microsoft. (n.d.). Services. Retrieved June 7, 2016.

| 12 |


https://attack.mitre.org/wiki/Privilege_Escalation

Not Just Techniques: Example Group (APT28)

Description: APT28 is a threat group that has been attributed to the Russian government.1 2 3 4 This group reportedly compromised the Democratic National Committee in April 2016.5

Aliases: Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127 1 2 3 4 5 6 7

Techniques: • Data Obfuscation 1

• Connection Proxy 1 8

• Standard Application Layer Protocol 1

• Remote File Copy 8 9

• Rundll32 8 9

• Indicator Removal on Host 5

• Timestomp 5

• Credential Dumping 10

• Screen Capture 10 11

• Bootkit 7 and more…

Software: CHOPSTICK, JHUHUGIT, ADVSTORESHELL, XTunnel, Mimikatz, HIDEDRV, USBStealer, CORESHELL, OLDBAIT, XAgentOSX, Komplex, Responder, Forfiles, Winexe, certutil 1 3 6

References: 1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.

…

| 13 |


MITRE’s Public ATT&CK Resources

| 14 |

Public ATT&CK Knowledge Base

attack.mitre.org

ATT&CK Navigator

Structured Content PRE- and Mobile ATT&CK

Conference Talks


MITRE’s Public ATT&CK Resources

| 15 |

attackevals.mitre.orgAdversary Emulation Plans

CALDERA: Automated

Adversary Emulation

ATT&CK Evaluations


What do people do with ATT&CK?

▪ Develop detection rules

▪ Measure their security posture

▪ Quantify their security posture

▪ Guide threat hunting efforts

▪ Evaluate/analyze defensive tools

▪ Write threat intelligence reports

▪ Ingest threat intelligence

▪ Automate intrusion response

▪ Build threat models

▪ Train blue/red teams

▪ Run red team exercises

▪ Classify malware behaviors

| 16 |


Who’s Hiring for ATT&CK?

Financial▪ SF Fed Reserve▪ Bank of America▪ JP Morgan▪ FS-ISAC▪ Experian

Tech▪ Microsoft▪ Intel▪ Airbnb▪ Verizon▪ Box

Security▪ RevSec▪ FireEye▪ AppGuard▪ CrowdStrike

Retail▪ Target▪ Best Buy▪ PepsiCo▪ Under Armour

Media▪ NBCUniversal▪ Nielsen

Defense▪ Boeing▪ Booz Allen

Others▪ General Electric▪ Deloitte▪ Pfizer▪ GSK


Who’s Contributing to ATT&CK?

▪ Alain Homewood, Insomnia Security

▪ Alan Neville, @abnev

▪ Anastasios Pingios

▪ Andrew Smith, @jakx_

▪ Barry Shteiman, Exabeam

▪ Bartosz Jerzman

▪ Bryan Lee

▪ Carlos Borges, CIP

▪ Casey Smith

▪ Christiaan Beek, @ChristiaanBeek

▪ Cody Thomas, SpecterOps

▪ Craig Aitchison

▪ Daniel Oakley

▪ Darren Spruell

▪ Dave Westgard

▪ David Ferguson, CyberSponse

▪ David Lu, Tripwire

▪ David Routin

▪ Ed Williams, Trustwave, SpiderLabs

▪ Edward Millington

▪ Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre

▪ Elia Florio, Microsoft

▪ Emily Ratliff, IBM

▪ ENDGAME

▪ Eric Kuehn, Secure Ideas

▪ Erye Hernandez, Palo Alto Networks

▪ Felipe Espósito, @Pr0teus

▪ FS-ISAC

▪ Hans Christoffer Gaardløs

▪ Itamar Mizrahi

▪ Itzik Kotler, SafeBreach

▪ Jacob Wilkin, Trustwave, SpiderLabs

▪ Jan Miller, CrowdStrike

▪ Jared Atkinson, @jaredcatkinson

▪ Jeremy Galloway

▪ John Lambert, Microsoft Threat Intelligence Center

▪ John Strand

▪ Josh Abraham

▪ Justin Warner, ICEBRG

▪ Leo Loobeek, @leoloobeek

▪ Loic Jaquemet

▪ Marc-Etienne M.Léveillé, ESET

▪ Mark Wee

▪ Matt Graeber, @mattifestation, SpecterOps

▪ Matt Kelly, @breakersall

▪ Matthew Demaske, Adaptforward

▪ Matthew Molyett, @s1air

▪ McAfee

▪ Michael Cox

▪ Mike Kemmerer

▪ Milos Stojadinovic

▪ Mnemonic

▪ Nick Carr, FireEye

▪ Nik Seetharaman, Palantir

▪ Nishan Maharjan, @loki248

▪ Oddvar Moe, @oddvarmoe

▪ Omkar Gudhate

▪ Patrick Campbell, @pjcampbe11

▪ Paul Speulstra, AECOM Global Security

Operations Center

▪ Pedro Harrison

▪ Praetorian

▪ Rahmat Nurfauzi, @infosecn1nja, PT XynexisInternational

▪ Red Canary

▪ RedHuntLabs (@redhuntlabs)

▪ Ricardo Dias

▪ Richard Gold, Digital Shadows

▪ Richie Cyrus, SpecterOps

▪ Robby Winchester, @robwinchester3

▪ Robert Falcone

▪ Romain Dumont, ESET

▪ Ryan Becwar

▪ Ryan Benson, Exabeam

▪ Scott Lundgren, @5twenty9, Carbon Black

▪ Stefan Kanthak

▪ Sudhanshu Chauhan, @Sudhanshu_C

▪ Sunny Neo

▪ Sylvain Gil, Exabeam

▪ Teodor Cimpoesu

▪ Tim MalcomVetter

▪ Tom Ueltschi @c_APT_ure

▪ Tony Lambert, Red Canary

▪ Travis Smith, Tripwire

▪ Tristan Bennett, Seamless Intelligence

▪ Valerii Marchuk, Cybersecurity Help s.r.o.

▪ Veeral Patel

▪ Vincent Le Toux

▪ Walker Johnson

▪ Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank

▪ Yonatan Gotlib, Deep Instinct

| 18 |

89 individuals + orgs contributing

to ATT&CK!


Starting Places for Using ATT&CK(in 15 minutes)

| 19 |

ATT&CK Core Use Cases

| 20 |

Threat Intelligenceprocesses = search Process:Createreg = filter processes where (exe == "reg.exe" and parent_exe== "cmd.exe")cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"")reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname)output reg_and_cmd

Detection

Adversary Emulation

Assessment and Engineering

MITRE ATT&CK™

Techniques Mapped to Data Sourc es

About This Diagram

How can I use data I already have to get started w ith ATT&CK?

MITRE

MITRE

MITRE ATT&CK™

Resources

To help cyber defenders gain a common understanding

of the threats they face, MITRE developed the ATT&CK

framework. It ’s a globally-accessible knowledge base of

adversary tact ics and t echniques based on real world

observat ions and open source research contributed by

the cyber community.

Used by organizat ions around the world, ATT&CK

provides a shared understanding of adversary tact ics,

techniques and procedures and how to detect , prevent ,

and/ or mit igate them.

ATT&CK is open and available to any person or

organizat ion for use at no charge.

For sixty years, MITRE has tackled complex problems

that challenge public saf ety, stability, and well-being.

Pioneering together with the cyber community, we’re

building a stronger, threat-informed defense for a

safer world.

ATT&CK™

EnterpriseFramework

Use ATT&CK for Cyber Threat Intelligence

Cyber threat intelligence comes from many sources, including knowledge of past incidents,

commercial threat feeds, informat ion-sharing groups, government threat -sharing programs,

and more. ATT&CK gives analysts a common language to communicate across reports and

organizat ions, providing a way to st ructure, compare, and analyze threat intelligence.

Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analyt ics that

detect the techniques used by an adversary. Based on threat intelligence included in

ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of

analyt ics to detect threats.

Use ATT&CK for Adversary Emulation and Red Teaming

The best defense is a well-tested defense. ATT&CK provides a common adversary

behavior framework based on threat intelligence that red teams can use to emulate

specific threats. This helps cyber defenders find gaps in visib ilit y, defensive tools, and

processes—and then fix them.

Get St art ed w it h ATT&CK

at tack.mit re.org

• Access ATT&CK technical informat ion

• Cont ribute to ATT&CK

• Follow our b log

• W atch ATT&CK presentat ions

@MITREat tack

Follow us on Tw it ter for the

latest news

at tackevals.mit re.org

MITRE ATT&CK Evaluat ions

Legend

APT28

APT29

Both

LegendLow Priority

High Priority

Comparing APT28 to APT29

Find ing Gaps in Defense

One way to get started using ATT&CK is to look at what data sources you're already collect ing and use that data to detect ATT&CK

techniques. On our website, we current ly have 50 dif erent data sources mapped to Enterprise ATT&CK techniques. In this diagram,

we've chosen 12 of those data sources to show the techniques each of them might be able to detect w ith the right collect ion and

analyt ics. Check out our w ebsite at attack.mitre.org for more information on how each technique can be det ected, and specific

adversary examples you can use t o start detect ing adversary behavior with ATT&CK.

You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit .ly/ ATTACK19 to

learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK content.

Initial Access

Drive-by Compromise


External Remote Services

Hardware Additions

Replication Through Removable

Media

Spearphishing Attachment

Spearphishing Link

Spearphishing via Service

Supply Chain Compromise

Trusted Relationship

Valid Accounts

Execution

AppleScript

CMSTP

Command-Line Interface

Compiled HTML File

Control Panel Items

Dynamic Data Exchange

Execution through API

Execution through Module Load

Exploitation for Client Execution

Graphical User Interface

InstallUtil

Launchctl

Local Job Scheduling

LSASS Driver

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scheduled Task

Scripting

Service Execution

Signed Binary Proxy Execution


Source

Space after Filename

Third-party Software

Trap

Trusted Developer Utilities

User Execution

Windows Management

Instrumentation


XSL Script Processing

Persistence

.bash_profile and .bashrc

Accessibility Features

Account Manipulation

AppCert DLLs

AppInit DLLs

Application Shimming

Authentication Package

BITS Jobs

Bootkit

Browser Extensions

Change Default File Association

Component Firmware

Component Object Model Hijacking

Create Account

DLL Search Order Hijacking

Dylib Hijacking


File System Permissions W eakness

Hidden Files and Directories

Hooking

Hypervisor

Image File Execution Options

Injection


Launch Agent

Launch Daemon

Launchctl

LC_LOAD_DYLIB Addition


Login Item

Logon Scripts

LSASS Driver

Modify Existing Service

Netsh Helper DLL

New Service

Office Application Startup

Path Interception

Plist Modification

Port Knocking

Port Monitors

Rc.common

Re-opened Applications

Redundant Access


Scheduled Task

Screensaver

Security Support Provider

Service Registry Permissions

Weakness

Setuid and Setgid

Shortcut Modification

SIP and Trust Provider Hijacking

Startup Items

System Firmware

Systemd Service

Time Providers

Trap

Valid Accounts

Web Shell

Windows Management

Instrumentation Event Subscription

Winlogon Helper DLL

Privilege Escalation

Access Token Manipulation


AppCert DLLs

AppInit DLLs


Bypass User Account Control


Dylib Hijacking

Exploitation for Privilege Escalation

Extra Window Memory Injection


Hooking


Injection

Launch Daemon

New Service

Path Interception

Plist Modification

Port Monitors

Process Injection

Scheduled Task


Weakness

Setuid and Setgid

SID-History Injection

Startup Items

Sudo

Sudo Caching

Valid Accounts

Web Shell

Defense Evasion


Binary Padding

BITS Jobs


Clear Command History

CMSTP

Code Signing

Compile After Delivery

Compiled HTML File

Component Firmware


Control Panel Items

DCShadow

Deobfuscate/Decode Files or

Information

Disabling Security Tools


DLL Side-Loading

Execution Guardrails

Exploitation for Defense Evasion


File Deletion

File Permissions Modification

File System Logical Of fsets

Gatekeeper Bypass

Group Policy Modification


Hidden Users

Hidden Window

HISTCONTROL


Injection

Indicator Blocking

Indicator Removal from Tools



Install Root Certificate

InstallUtil

Launchctl

LC_MAIN Hijacking

Masquerading

Modify Registry

Mshta

Network Share Connection

Removal

NTFS File Attributes

Obfuscated Files or Information

Plist Modification

Port Knocking

Process Doppelgänging

Process Hollowing

Process Injection

Redundant Access

Regsvcs/Regasm

Regsvr32

Rootkit

Rundll32

Scripting




Software Packing


Template Injection

Timestomp


Valid Accounts


Web Service


Credential Access


Bash History

Brute Force

Credential Dumping

Credentials in Files

Credentials in Registry

Exploitation for Credential Access

Forced Authentication

Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain

LLMNR/NBT -NS Poisoning and

Relay

Network Snif fing

Password Filter DLL

Private Keys

Securityd Memory

Two-Factor Authentication

Interception

Discovery

Account Discovery

Application Window Discovery

Browser Bookmark Discovery

Domain Trust Discovery

File and Directory Discovery

Network Service Scanning

Network Share Discovery

Network Snif fing

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery

Process Discovery

Query Registry

Remote System Discovery

Security Software Discovery

System Information Discovery

System Network Configuration

Discovery

System Network Connections

Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery


Lateral Movement

AppleScript

Application Deployment Software

Distributed Component Object

Model

Exploitation of Remote Services

Logon Scripts

Pass the Hash

Pass the Ticket

Remote Desktop Protocol

Remote File Copy

Remote Services


Media

Shared Webroot

SSH Hijacking

Taint Shared Content


Windows Admin Shares


Collection

Audio Capture

Automated Collection

Clipboard Data

Data from Information Repositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Command And Control

Commonly Used Port

Communication Through

Removable Media

Connection Proxy

Custom Command and Control

Protocol


Data Encoding

Data Obfuscation

Domain Fronting

Domain Generation Algorithms

Fallback Channels

Multi-hop Proxy

Multi-Stage Channels

Multiband Communication

Multilayer Encryption

Port Knocking

Remote Access Tools

Remote File Copy

Standard Application Layer Protocol

Standard Cryptographic Protocol

Standard Non-Application Layer

Protocol


Web Service

Exfiltration

Automated Exfiltration

Data Compressed

Data Encrypted

Data Transfer Size Limits

Exfiltration Over Alternative Protocol

Exfiltration Over Command and

Control Channel

Exfiltration Over Other Network

Medium

Exfiltration Over Physical Medium

Scheduled Transfer

Impact

Data Destruction

Data Encrypted for Impact

Defacement

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

Firmware Corruption

Inhibit System Recovery


Resource Hijacking


Service Stop

Stored Data Manipulation

Transmitted Data Manipulation

Initial Access

Drive-by Compromise



Hardware Additions


Media


Spearphishing Link




Valid Accounts

Execution

AppleScript

CMSTP


Compiled HTML File

Control Panel Items






InstallUtil

Launchctl


LSASS Driver

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scheduled Task

Scripting

Service Execution



Source



Trap


User Execution

Windows Management

Instrumentation



Persistence




AppCert DLLs

AppInit DLLs



BITS Jobs

Bootkit

Browser Extensions


Component Firmware


Create Account


Dylib Hijacking




Hooking

Hypervisor


Injection


Launch Agent

Launch Daemon

Launchctl



Login Item

Logon Scripts

LSASS Driver


Netsh Helper DLL

New Service


Path Interception

Plist Modification

Port Knocking

Port Monitors

Rc.common


Redundant Access


Scheduled Task

Screensaver



Weakness

Setuid and Setgid



Startup Items

System Firmware

Systemd Service

Time Providers

Trap

Valid Accounts

Web Shell

Windows Management


Winlogon Helper DLL




AppCert DLLs

AppInit DLLs




Dylib Hijacking




Hooking


Injection

Launch Daemon

New Service

Path Interception

Plist Modification

Port Monitors

Process Injection

Scheduled Task


Weakness

Setuid and Setgid


Startup Items

Sudo

Sudo Caching

Valid Accounts

Web Shell

Defense Evasion


Binary Padding

BITS Jobs



CMSTP

Code Signing


Compiled HTML File

Component Firmware


Control Panel Items

DCShadow


Information



DLL Side-Loading




File Deletion



Gatekeeper Bypass



Hidden Users

Hidden Window

HISTCONTROL


Injection

Indicator Blocking





InstallUtil

Launchctl

LC_MAIN Hijacking

Masquerading

Modify Registry

Mshta


Removal



Plist Modification

Port Knocking


Process Hollowing

Process Injection

Redundant Access

Regsvcs/Regasm

Regsvr32

Rootkit

Rundll32

Scripting




Software Packing


Template Injection

Timestomp


Valid Accounts


Web Service


Credential Access


Bash History

Brute Force

Credential Dumping





Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain


Relay

Network Snif fing

Password Filter DLL

Private Keys

Securityd Memory


Interception

Discovery

Account Discovery







Network Snif fing




Process Discovery

Query Registry





Discovery


Discovery





Lateral Movement

AppleScript



Model


Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services


Media

Shared Webroot

SSH Hijacking





Collection

Audio Capture


Clipboard Data





Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Command And Control

Commonly Used Port


Removable Media

Connection Proxy


Protocol


Data Encoding

Data Obfuscation

Domain Fronting


Fallback Channels

Multi-hop Proxy




Port Knocking

Remote Access Tools

Remote File Copy




Protocol


Web Service

Exfiltration


Data Compressed

Data Encrypted




Control Channel


Medium


Scheduled Transfer

Impact

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop



AppleScript

Application DeploymentSoftware

Distributed ComponentObject Model

Exploitation ofRemote Services

Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services

Replication ThroughRemovable Media

Shared Webroot

SSH Hijacking





Commonly Used Port

Communication ThroughRemovable Media

Connection Proxy

Custom Command andControl Protocol

Custom CryptographicProtocol

Data Encoding

Data Obfuscation

Domain Fronting

Domain GenerationAlgorithms

Fallback Channels


Multi-hop Proxy



Port Knocking

Remote Access Tools

Remote File Copy

Standard Application LayerProtocol

Standard CryptographicProtocol

Standard Non-ApplicationLayer Protocol


Web Service


Data Compressed

Data Encrypted




Exfiltration Over AlternativeProtocol

Exfiltration OverPhysical Medium

Scheduled Transfer

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop


Transmitted DataManipulation

Audio Capture


Clipboard Data



Data from NetworkShared Drive


Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Drive-by Compromise

Exploit Public-FacingApplication


Hardware Additions



Spearphishing Link




Valid Accounts

AppleScript

CMSTP


Compiled HTML File

Control Panel Items



Execution throughModule Load

Exploitation forClient Execution


InstallUtil

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scripting

Service Execution

Signed BinaryProxy Execution

Signed ScriptProxy Execution

Source





Image File Execution Options Injection

Plist Modification

Valid Accounts


AppCert DLLs

AppInit DLLs


Dylib Hijacking

File System Permissions Weakness

Hooking

Launch Daemon

New Service

Path Interception

Port Monitors

Service Registry Permissions Weakness

Setuid and Setgid

Startup Items

Web Shell




BITS Jobs

Bootkit

Browser Extensions

Change DefaultFile Association

Component Firmware

BITS Jobs


CMSTP

Code Signing

Compiled HTML File

Component Firmware

Component Object ModelHijacking

Control Panel Items

DCShadow

Deobfuscate/Decode Filesor Information


DLL Side-Loading


Exploitation forDefense Evasion

File Deletion

File PermissionsModification

File System Logical Offsets

Gatekeeper Bypass



Hidden Users

Exploitation forPrivilege Escalation


Sudo

Sudo Caching

Scheduled Task Binary Padding Network Sniffing

Launchctl


LSASS Driver

Trap




Process Injection


Bash History

Brute Force

Credential Dumping



Exploitation forCredential Access


Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain


Password Filter DLL

Private Keys

Securityd Memory

Two-Factor AuthenticationInterception

Account Discovery

Application WindowDiscovery

Browser BookmarkDiscovery








Process Discovery

Query Discovery



System InformationDiscovery

System NetworkConfiguration Discovery

System NetworkConnections Discovery

System Owner/UserDiscovery



Virtualization/SandboxEvasion

data loss prevention

dll monitoring

kernel driversloaded d

lls

malw

are

reve

rse e

ngin

eering

netw

ork

device lo

gs

network intrusion detection system

ssl/tls inspection

system calls

win

dow

s eve

nt lo

gs

anti-v

irus

dis

abl in

g s

ecu

rity

to

ols

explo

itatio

n f

or

clie

nt

exe

cu

tio

n

ind

icato

r re

moval fr

om

to

ols

spea

rphis

hin

g v

ia s

erv

ice

tem

pla

te inje

ction

user

execution

web s

hell

bin

ary

paddin

gco

de s

ignin

gco

ntrol p

anel i

tem

s

data

com

pre

ssed

data

encr

ypte

dfil

e d

elet

ion

grap

hica

l use

r in

terfac

e

hook

ing

indi

cato

r rem

oval

from

tool

s

lc_l

oad_

dylib

add

ition

lc_m

ain

hija

ckin

g

masq

ueradin

g

obfusc

ated fi

les

or info

rmatio

n

redundant a

ccess

rundll3

2

software packing

third-party

software

time providers

automated collection

communication through removable media

data from information repositories

exfiltration over physical medium

hardware additions

replication through removable media

authentication package

component object model hijacking

control panel items

dll search order hijacking

distributed component object modeldynamic data exchange

execution through module loadhooking

lsass driver

netsh helper dllpassword filter dllport monitorspowershellprocess injectionsip and trust provider hijacking

security support provider

time providers

xsl script processing

data encrypted for impact

disk content wipe

disk structure wipe

input capture

lsass driver

ntfs file attributes

two-factor au

thenticatio

n interception

appce

rt dlls

appin

it dlls

applica

tion sh

imm

ing

auth

entica

tion p

acka

ge

com

ponent o

bje

ct m

odel h

ijackin

g

dll s

ide-lo

adin

g

hookin

g

lsass d

rive

r

pow

ers

he

ll

reg

svr3

2

sip

and

trust p

rovid

er h

ijackin

g

se

curity

su

pp

ort p

rovid

er

tim

e p

rovi d

ers

bin

ary

pa

dd

ing

custo

m c

ryp

tog

rap

hic

pro

toco

l

fallb

ack c

hannels

lc_m

ain

hija

ckin

g

multib

and c

om

munic

ation

multila

yer

encr

yption

obfu

scate

d file

s o

r in

form

atio

n

standard

applic

atio

n la

yer

pro

toco

l

standard

cry

pto

gra

phic

pro

toco

l

dom

ain

genera

tion a

lgorith

ms

driv

e-by

com

prom

ise

endp

oint

den

ial o

f ser

vice

forc

ed a

uthe

ntic

atio

n

mul

ti-st

age

chan

nels

netw

ork

deni

al o

f ser

vice

netw

ork sn

iffing

reso

urce

hija

ckin

g

cust

om c

omm

and and c

ontrol p

roto

col

drive-b

y com

prom

ise

endpoint denial o

f service

network denial o

f service

obfuscated files or in

formatio

n

remote access tools

spearphishing attachment

standard non-application layer protocoltemplate injection

domain frontingdrive-by compromise

endpoint denial of service

install root certificate

obfuscated files or information

spearphishing link

spearphishing via service

standard cryptographic protocol

web service

applescript

application shimming

browser extensions

bypass user account control

exploitation for client execution

hypervisor

kernel modules and extensions

keychain

rootkit

account manipulation

bits jobs

cmstp

control panel items

create account

distributed component object m

odel

dynamic data exchange

file permissions m

odification

group policy modification

hookin

g

image file

exe

cutio

n o

ptio

ns in

jectio

n

indica

tor re

mova

l on h

ost

indire

ct com

mand e

xecu

tion

inhib

it system

reco

very

kerb

ero

astin

g

llmnr/n

bt-n

s p

ois

onin

g a

nd re

lay

modify

regis

try

new

serv

ice

obfu

scate

d file

s o

r info

rmatio

n

sid

-his

tory

inje

ctio

n

sip

an

d tru

st p

rovid

er h

ijackin

g

sch

ed

ule

d ta

sk

bin

ary

file

met

adat

a

MITRE ATT&CK™


About This Diagram


MITRE

MITRE

MITRE ATT&CK™

Resources









techniques and procedures and how to detect, prevent ,

and/ or mit igate them.







safer world.

ATT&CK™

EnterpriseFramework
















at tack.mit re.org





@MITREat tack


latest news



Legend

APT28

APT29

Both

LegendLow Priority

High Priority








You can visualize how your own data sources map to adversary behavior w ith ATT&CK. Read our blog post at bit .ly/ ATTACK19 to


Initial Access

Drive-by Compromise



Hardware Additions


Media


Spearphishing Link




Valid Accounts

Execution

AppleScript

CMSTP


Compiled HTML File

Control Panel Items






InstallUtil

Launchctl


LSASS Driver

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scheduled Task

Scripting

Service Execution



Source



Trap


User Execution

Windows Management

Instrumentation



Persistence




AppCert DLLs

AppInit DLLs



BITS Jobs

Bootkit

Browser Extensions


Component Firmware


Create Account


Dylib Hijacking




Hooking

Hypervisor


Injection


Launch Agent

Launch Daemon

Launchctl



Login Item

Logon Scripts

LSASS Driver


Netsh Helper DLL

New Service


Path Interception

Plist Modification

Port Knocking

Port Monitors

Rc.common


Redundant Access


Scheduled Task

Screensaver



Weakness

Setuid and Setgid



Startup Items

System Firmware

Systemd Service

Time Providers

Trap

Valid Accounts

Web Shell

Windows Management


Winlogon Helper DLL




AppCert DLLs

AppInit DLLs




Dylib Hijacking




Hooking


Injection

Launch Daemon

New Service

Path Interception

Plist Modification

Port Monitors

Process Injection

Scheduled Task


Weakness

Setuid and Setgid


Startup Items

Sudo

Sudo Caching

Valid Accounts

Web Shell

Defense Evasion


Binary Padding

BITS Jobs



CMSTP

Code Signing


Compiled HTML File

Component Firmware


Control Panel Items

DCShadow


Information



DLL Side-Loading




File Deletion



Gatekeeper Bypass



Hidden Users

Hidden Window

HISTCONTROL


Injection

Indicator Blocking





InstallUtil

Launchctl

LC_MAIN Hijacking

Masquerading

Modify Registry

Mshta


Removal



Plist Modification

Port Knocking


Process Hollowing

Process Injection

Redundant Access

Regsvcs/Regasm

Regsvr32

Rootkit

Rundll32

Scripting




Software Packing


Template Injection

Timestomp


Valid Accounts


Web Service


Credential Access


Bash History

Brute Force

Credential Dumping





Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain


Relay

Network Snif fing

Password Filter DLL

Private Keys

Securityd Memory


Interception

Discovery

Account Discovery







Network Snif fing




Process Discovery

Query Registry





Discovery


Discovery





Lateral Movement

AppleScript



Model


Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services


Media

Shared Webroot

SSH Hijacking





Collection

Audio Capture


Clipboard Data





Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Command And Control

Commonly Used Port


Removable Media

Connection Proxy


Protocol


Data Encoding

Data Obfuscation

Domain Fronting


Fallback Channels

Multi-hop Proxy




Port Knocking

Remote Access Tools

Remote File Copy




Protocol


Web Service

Exfiltration


Data Compressed

Data Encrypted




Control Channel


Medium


Scheduled Transfer

Impact

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop



Initial Access

Drive-by Compromise



Hardware Additions


Media


Spearphishing Link




Valid Accounts

Execution

AppleScript

CMSTP


Compiled HTML File

Control Panel Items






InstallUtil

Launchctl


LSASS Driver

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scheduled Task

Scripting

Service Execution



Source



Trap


User Execution

Windows Management

Instrumentation



Persistence




AppCert DLLs

AppInit DLLs



BITS Jobs

Bootkit

Browser Extensions


Component Firmware


Create Account


Dylib Hijacking




Hooking

Hypervisor


Injection


Launch Agent

Launch Daemon

Launchctl



Login Item

Logon Scripts

LSASS Driver


Netsh Helper DLL

New Service


Path Interception

Plist Modification

Port Knocking

Port Monitors

Rc.common


Redundant Access


Scheduled Task

Screensaver



Weakness

Setuid and Setgid



Startup Items

System Firmware

Systemd Service

Time Providers

Trap

Valid Accounts

Web Shell

Windows Management


Winlogon Helper DLL




AppCert DLLs

AppInit DLLs




Dylib Hijacking




Hooking


Injection

Launch Daemon

New Service

Path Interception

Plist Modification

Port Monitors

Process Injection

Scheduled Task


Weakness

Setuid and Setgid


Startup Items

Sudo

Sudo Caching

Valid Accounts

Web Shell

Defense Evasion


Binary Padding

BITS Jobs



CMSTP

Code Signing


Compiled HTML File

Component Firmware


Control Panel Items

DCShadow


Information



DLL Side-Loading




File Deletion



Gatekeeper Bypass



Hidden Users

Hidden Window

HISTCONTROL


Injection

Indicator Blocking





InstallUtil

Launchctl

LC_MAIN Hijacking

Masquerading

Modify Registry

Mshta


Removal



Plist Modification

Port Knocking


Process Hollowing

Process Injection

Redundant Access

Regsvcs/Regasm

Regsvr32

Rootkit

Rundll32

Scripting




Software Packing


Template Injection

Timestomp


Valid Accounts


Web Service


Credential Access


Bash History

Brute Force

Credential Dumping





Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain


Relay

Network Snif fing

Password Filter DLL

Private Keys

Securityd Memory


Interception

Discovery

Account Discovery







Network Snif fing




Process Discovery

Query Registry





Discovery


Discovery





Lateral Movement

AppleScript



Model


Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services


Media

Shared Webroot

SSH Hijacking





Collection

Audio Capture


Clipboard Data





Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Command And Control

Commonly Used Port


Removable Media

Connection Proxy


Protocol


Data Encoding

Data Obfuscation

Domain Fronting


Fallback Channels

Multi-hop Proxy




Port Knocking

Remote Access Tools

Remote File Copy




Protocol


Web Service

Exfiltration


Data Compressed

Data Encrypted




Control Channel


Medium


Scheduled Transfer

Impact

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop



AppleScript




Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services


Shared Webroot

SSH Hijacking





Commonly Used Port


Connection Proxy



Data Encoding

Data Obfuscation

Domain Fronting


Fallback Channels


Multi-hop Proxy



Port Knocking

Remote Access Tools

Remote File Copy





Web Service


Data Compressed

Data Encrypted






Scheduled Transfer

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop



Audio Capture


Clipboard Data





Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Drive-by Compromise



Hardware Additions



Spearphishing Link




Valid Accounts

AppleScript

CMSTP


Compiled HTML File

Control Panel Items






InstallUtil

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scripting

Service Execution



Source






Plist Modification

Valid Accounts


AppCert DLLs

AppInit DLLs


Dylib Hijacking


Hooking

Launch Daemon

New Service

Path Interception

Port Monitors


Setuid and Setgid

Startup Items

Web Shell




BITS Jobs

Bootkit

Browser Extensions


Component Firmware

BITS Jobs


CMSTP

Code Signing

Compiled HTML File

Component Firmware


Control Panel Items

DCShadow



DLL Side-Loading



File Deletion



Gatekeeper Bypass



Hidden Users



Sudo

Sudo Caching


Launchctl


LSASS Driver

Trap




Process Injection


Bash History

Brute Force

Credential Dumping





Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain


Password Filter DLL

Private Keys

Securityd Memory


Account Discovery










Process Discovery

Query Discovery











dll monitoring


lls

malw

are

reve

rse e

ngin

eering

netw

ork

device lo

gs


ssl/tls inspection

system calls

win

dow

s eve

nt lo

gs

anti-v

irus

dis

ablin

g s

ecu

rity

to

ols

explo

itatio

n for

clie

nt

executio

n

ind

icato

r re

moval fr

om

to

ols

spearp

his

hin

g v

ia s

erv

ice

tem

pla

te inje

ction

user

execution

web s

hell

bin

ary

paddin

gco

de s

ignin

gco

ntrol p

anel i

tem

s

data

com

pre

ssed

data

encr

ypte

dfil

e de

letio

ngr

aphi

cal u

ser in

terfac

e

hook

ing

indi

cato

r rem

oval

from

tool

s

lc_loa

d_dy

lib a

ddition

lc_m

ain

hija

ckin

g

masq

ueradin

g

obfusc

ated fi

les

or info

rmatio

n

redundant a

ccess

rundll3

2

software packing

third-party

software

time providers





hardware additions




control panel items




lsass driver



time providers



disk content wipe

disk structure wipe

input capture

lsass driver


two-factor authe

ntication intercep

tion

appce

rt dlls

appin

it dlls

applica

tion sh

imm

ing

auth

entica

tion p

ack

age

com

ponent o

bje

ct m

odel h

ijackin

g

dll s

ide-lo

adin

g

hookin

g

lsass d

river

pow

ers

hell

regsvr3

2

sip

an

d tru

st p

rovid

er h

ijackin

g

se

curi ty

su

pp

or t p

rovid

er

t im

e p

rovid

ers

bin

ary

padd

ing

custo

m c

rypto

gra

phic

pro

tocol

fallb

ack c

hannels

lc_m

ain

hija

ckin

g

multib

and c

om

munic

ation

multila

yer

encry

ption

obfu

scate

d file

s o

r in

form

atio

n

standard

applic

atio

n la

yer

pro

toco

l

standard

cry

pto

gra

phic

pro

toco

l

dom

ain

genera

tion a

lgorith

ms

driv

e-by

com

prom

ise

endp

oint

den

ial o

f ser

vice

forc

ed a

uthe

ntic

atio

n

mul

ti-st

age

chan

nels

netw

ork

deni

al o

f ser

vice

netw

ork

sniffing

reso

urce

hija

ckin

g

cust

om c

omm

and and c

ontrol p

roto

col

drive-b

y com

prom

ise

endpoint denial o

f service

network denial o

f service


formatio

n

remote access tools







spearphishing link



web service

applescript


browser extensions



hypervisor


keychain

rootkit


bits jobs

cmstp

control panel items

create account


odel


file permissions m

odification


hookin

g

image file

exe

cutio

n o

ptio

ns in

jectio

n

indica

tor re

mova

l on h

ost

indire

ct com

mand e

xecu

tion

inhib

it system

reco

very

kerb

ero

astin

g

llmnr/n

bt-n

s p

ois

onin

g a

nd re

lay

modify

regis

try

new

serv

ice

obfu

scate

d file

s o

r info

rmatio

n

sid

-his

tory

inje

ctio

n

sip

an

d tru

st p

rovid

er h

ijackin

g

sch

ed

ule

d ta

sk

bin

ary

file

met

adat

a

MITRE ATT&CK™


About This Diagram


MITRE

MITRE

MITRE ATT&CK™

Resources









techniques and procedures and how to detect , prevent ,

and/or mit igate them.







safer world.

ATT&CK™

EnterpriseFramework
















at tack.mit re.org





@MITREat tack


latest news



Legend

APT28

APT29

Both

LegendLow Priority

High Priority








You can visualize how your own data sources map to adversary behavior w ith ATT&CK. Read our blog post at bit .ly/ ATTACK19 to


Initial Access

Drive-by Compromise



Hardware Additions


Media


Spearphishing Link




Valid Accounts

Execution

AppleScript

CMSTP


Compiled HTML File

Control Panel Items






InstallUtil

Launchctl


LSASS Driver

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scheduled Task

Scripting

Service Execution



Source



Trap


User Execution

Windows Management

Instrumentation



Persistence




AppCert DLLs

AppInit DLLs



BITS Jobs

Bootkit

Browser Extensions


Component Firmware


Create Account


Dylib Hijacking




Hooking

Hypervisor


Injection


Launch Agent

Launch Daemon

Launchctl



Login Item

Logon Scripts

LSASS Driver


Netsh Helper DLL

New Service


Path Interception

Plist Modification

Port Knocking

Port Monitors

Rc.common


Redundant Access


Scheduled Task

Screensaver



Weakness

Setuid and Setgid



Startup Items

System Firmware

Systemd Service

Time Providers

Trap

Valid Accounts

Web Shell

Windows Management


Winlogon Helper DLL




AppCert DLLs

AppInit DLLs




Dylib Hijacking




Hooking


Injection

Launch Daemon

New Service

Path Interception

Plist Modification

Port Monitors

Process Injection

Scheduled Task


Weakness

Setuid and Setgid


Startup Items

Sudo

Sudo Caching

Valid Accounts

Web Shell

Defense Evasion


Binary Padding

BITS Jobs



CMSTP

Code Signing


Compiled HTML File

Component Firmware


Control Panel Items

DCShadow


Information



DLL Side-Loading




File Deletion



Gatekeeper Bypass



Hidden Users

Hidden Window

HISTCONTROL


Injection

Indicator Blocking





InstallUtil

Launchctl

LC_MAIN Hijacking

Masquerading

Modify Registry

Mshta


Removal



Plist Modification

Port Knocking


Process Hollowing

Process Injection

Redundant Access

Regsvcs/Regasm

Regsvr32

Rootkit

Rundll32

Scripting




Software Packing


Template Injection

Timestomp


Valid Accounts


Web Service


Credential Access


Bash History

Brute Force

Credential Dumping





Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain


Relay

Network Snif fing

Password Filter DLL

Private Keys

Securityd Memory


Interception

Discovery

Account Discovery







Network Snif fing




Process Discovery

Query Registry





Discovery


Discovery





Lateral Movement

AppleScript



Model


Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services


Media

Shared Webroot

SSH Hijacking





Collection

Audio Capture


Clipboard Data





Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Command And Control

Commonly Used Port


Removable Media

Connection Proxy


Protocol


Data Encoding

Data Obfuscation

Domain Fronting


Fallback Channels

Multi-hop Proxy




Port Knocking

Remote Access Tools

Remote File Copy




Protocol


Web Service

Exfiltration


Data Compressed

Data Encrypted




Control Channel


Medium


Scheduled Transfer

Impact

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop



Initial Access

Drive-by Compromise



Hardware Additions


Media


Spearphishing Link




Valid Accounts

Execution

AppleScript

CMSTP


Compiled HTML File

Control Panel Items






InstallUtil

Launchctl


LSASS Driver

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scheduled Task

Scripting

Service Execution



Source



Trap


User Execution

Windows Management

Instrumentation



Persistence




AppCert DLLs

AppInit DLLs



BITS Jobs

Bootkit

Browser Extensions


Component Firmware


Create Account


Dylib Hijacking




Hooking

Hypervisor


Injection


Launch Agent

Launch Daemon

Launchctl



Login Item

Logon Scripts

LSASS Driver


Netsh Helper DLL

New Service


Path Interception

Plist Modification

Port Knocking

Port Monitors

Rc.common


Redundant Access


Scheduled Task

Screensaver



Weakness

Setuid and Setgid



Startup Items

System Firmware

Systemd Service

Time Providers

Trap

Valid Accounts

Web Shell

Windows Management


Winlogon Helper DLL




AppCert DLLs

AppInit DLLs




Dylib Hijacking




Hooking


Injection

Launch Daemon

New Service

Path Interception

Plist Modification

Port Monitors

Process Injection

Scheduled Task


Weakness

Setuid and Setgid


Startup Items

Sudo

Sudo Caching

Valid Accounts

Web Shell

Defense Evasion


Binary Padding

BITS Jobs



CMSTP

Code Signing


Compiled HTML File

Component Firmware


Control Panel Items

DCShadow


Information



DLL Side-Loading




File Deletion



Gatekeeper Bypass



Hidden Users

Hidden Window

HISTCONTROL


Injection

Indicator Blocking





InstallUtil

Launchctl

LC_MAIN Hijacking

Masquerading

Modify Registry

Mshta


Removal



Plist Modification

Port Knocking


Process Hollowing

Process Injection

Redundant Access

Regsvcs/Regasm

Regsvr32

Rootkit

Rundll32

Scripting




Software Packing


Template Injection

Timestomp


Valid Accounts


Web Service


Credential Access


Bash History

Brute Force

Credential Dumping





Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain


Relay

Network Snif fing

Password Filter DLL

Private Keys

Securityd Memory


Interception

Discovery

Account Discovery







Network Snif fing




Process Discovery

Query Registry





Discovery


Discovery





Lateral Movement

AppleScript



Model


Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services


Media

Shared Webroot

SSH Hijacking





Collection

Audio Capture


Clipboard Data





Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Command And Control

Commonly Used Port


Removable Media

Connection Proxy


Protocol


Data Encoding

Data Obfuscation

Domain Fronting


Fallback Channels

Multi-hop Proxy




Port Knocking

Remote Access Tools

Remote File Copy




Protocol


Web Service

Exfiltration


Data Compressed

Data Encrypted




Control Channel


Medium


Scheduled Transfer

Impact

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop



AppleScript




Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services


Shared Webroot

SSH Hijacking





Commonly Used Port


Connection Proxy



Data Encoding

Data Obfuscation

Domain Fronting


Fallback Channels


Multi-hop Proxy



Port Knocking

Remote Access Tools

Remote File Copy





Web Service


Data Compressed

Data Encrypted






Scheduled Transfer

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop



Audio Capture


Clipboard Data





Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Drive-by Compromise



Hardware Additions



Spearphishing Link




Valid Accounts

AppleScript

CMSTP


Compiled HTML File

Control Panel Items






InstallUtil

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scripting

Service Execution



Source






Plist Modification

Valid Accounts


AppCert DLLs

AppInit DLLs


Dylib Hijacking


Hooking

Launch Daemon

New Service

Path Interception

Port Monitors


Setuid and Setgid

Startup Items

Web Shell




BITS Jobs

Bootkit

Browser Extensions


Component Firmware

BITS Jobs


CMSTP

Code Signing

Compiled HTML File

Component Firmware


Control Panel Items

DCShadow



DLL Side-Loading



File Deletion



Gatekeeper Bypass



Hidden Users



Sudo

Sudo Caching


Launchctl


LSASS Driver

Trap




Process Injection


Bash History

Brute Force

Credential Dumping





Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain


Password Filter DLL

Private Keys

Securityd Memory


Account Discovery










Process Discovery

Query Discovery











dll monitoring


lls

malw

are

reve

rse e

ngin

eering

netw

ork

device lo

gs


ssl/tls inspection

system calls

win

dow

s eve

nt lo

gs

anti-v

irus

dis

ab

li ng

se

curi

ty t

oo

ls

exp

loita

tio

n fo

r clie

nt exe

cution

indic

ato

r re

moval fr

om

tools

spe

arp

his

hin

g v

ia s

erv

ice

tem

pla

te inje

ction

user

execution

web s

hell

bin

ary

paddin

gco

de s

ignin

gco

ntrol p

anel i

tem

s

data

com

pre

ssed

data

encr

ypte

dfil

e de

letio

ngr

aphi

cal u

ser in

terfac

e

hook

ing

indi

cato

r rem

oval

from

tool

s

lc_l

oad_

dylib

add

ition

lc_m

ain

hija

ckin

g

masq

ueradin

g

obfusc

ated fi

les

or info

rmatio

n

redundant a

ccess

rundll3

2

software packing

third-party

software

time providers





hardware additions




control panel items




lsass driver



time providers



disk content wipe

disk structure wipe

input capture

lsass driver


two-factor authen

tication in

terceptio

n

appce

rt dlls

appin

it dlls

applica

tion sh

imm

ing

auth

entic

atio

n p

ack

age

com

ponent o

bje

ct m

odel h

ijackin

g

dll s

ide-lo

adin

g

hookin

g

lsass d

river

pow

ers

hell

regsvr3

2

sip

an

d tru

st p

rovid

er h

ijackin

g

se

curity

sup

po

rt pro

vi d

er

t im

e p

rovi d

ers

bin

ary

padd

ing

custo

m c

rypto

gra

ph

ic p

roto

col

fallb

ack c

han

nels

lc_m

ain

hija

ckin

g

multib

and c

om

munic

ation

multila

yer

encry

ption

obfu

scate

d file

s or

info

rmation

standard

applic

atio

n la

yer

pro

toco

l

standard

cry

pto

gra

phic

pro

toco

l

dom

ain

genera

tion a

lgorith

ms

driv

e-by

com

pro

mis

e

endp

oint

den

ial o

f ser

vice

forc

ed a

uthe

ntic

atio

n

mul

ti-st

age

chan

nels

netw

ork

deni

al o

f ser

vice

netw

ork sn

iffing

reso

urce

hija

ckin

g

cust

om c

omm

and and c

ontrol p

roto

col

drive-b

y com

prom

ise

endpoint denial o

f service

network denial o

f service


formatio

n

remote access tools







spearphishing link



web service

applescript


browser extensions



hypervisor


keychain

rootkit


bits jobs

cmstp

control panel items

create account


odel


file permissions m

odification


hookin

g

image file

exe

cutio

n o

ptio

ns in

jectio

n

indica

tor re

mova

l on h

ost

indire

ct com

mand e

xecu

tion

inhib

it system

reco

very

kerb

ero

astin

g

llmnr/n

bt-n

s p

ois

onin

g a

nd re

lay

modify

regis

try

new

serv

ice

obfu

sca

ted file

s o

r info

rmatio

n

sid

-his

tory

inje

ctio

n

sip

and tru

st p

rovid

er h

ijackin

g

sch

ed

ule

d ta

sk

bin

ary

file

met

adat

a


Getting Started with Detection: Developing Analytics

1 Identify techniques to detect

Write code for detection using existing data

Assign a name, store, and test the analytic

| 21 |

3

2


Resources for Developing Analytics

▪ There’s a large community of people doing ATT&CK for detection

– What analytics are they running and finding valuable?

– Which of those can you run based on data you already have?

▪ Look at existing repositories, or talk to partner organizations

– Cyber Analytics Repository: https://car.mitre.org/

– Endgame EQL Analytics Library: https://eqllib.readthedocs.io/en/latest/analytics.html

– Sigma: https://github.com/Neo23x0/sigma

▪ For more info, check out the ATT&CK blog on detection:

– https://medium.com/mitre-attack/getting-started-with-attack-detection-a8e49e4960d0

| 22 |


https://car.mitre.org/

https://eqllib.readthedocs.io/en/latest/analytics.html

https://github.com/Neo23x0/sigma

https://medium.com/mitre-attack/getting-started-with-attack-detection-a8e49e4960d0

rive by Co pro ise

ploit bli a ingAppli ation

ard are Additions

epli ation T ro g e ovable edia

pearp is ing Atta ent

pearp is ing in

pearp is ing via ervi e

pply C ain Co pro ise

Tr sted elations ip

alid A o nts

Apple ript

C T

Co and ine nter a e

Control anel te s

yna i ata ange

e tion t ro g A

e tion t ro g od le oad ploitation or Client e tion

rap i al ser nter a e

nstall til

a n tl

o al ob ed ling

A river

s ta

o er ell

egsv s egas

egsvr

ndll

ed led Tas

ripting

ervi e e tion

igned inary ro y e tion igned ript ro y e tion

o r e

pa e a ter ilena e

T ird party o t are

Trap

Tr sted eveloper tilities

ser e tion

indo s anage ent nstr entation indo s e ote anage ent

.bas pro ile and .bas r

A essibility eat res

AppCert s

App nit s

Appli ation i ing

A t enti ation a age

T obs

oot it

ro ser tensions

C ange e a lt ileAsso iation

Co ponent ir are

Co ponent b e t odel i a ing

Create A o nt

ear rder i a ing

ylib i a ing

ternal e ote ervi es

ile yste er issions ea ness

idden iles and ire tories

oo ing

ypervisor

age ile e tion ptions n e tionKernel od les and tensions

a n Agent

a n ae on

a n tl

C A Addition

o al ob ed ling

ogin te

ogon ripts

A river

odi y isting ervi e

ets elper

e ervi e

i e Appli ation tart p

at nter eption

list odi i ation

ort Kno ing

ort onitors

. o on

e opened Appli ations

ed ndant A ess

egistry n Keys tart older

ed led Tas

reensaver

e rity pport rovider

ervi e egistry er issions ea ness

ort t odi i ation

and Tr st rovider i a ing

tart p te s

yste ir are

Ti e roviders

Trap

alid A o nts

eb ell

indo s anage ent nstr entation vent bs ription

inlogon elper

A ess To en anip lation


AppCert s

App nit s

Appli ation i ing

ypass ser A o nt Control

ear rder i a ing

ylib i a ing

ploitation or rivilege s alation tra indo e ory n e tion ile yste er issions ea ness

oo ing

age ile e tion ptions n e tion

a n ae on

e ervi e

at nter eption

list odi i ation

ort onitors

ro ess n e tion

ed led Tas


et id and etgid

istory n e tion

tart p te s

do

do Ca ing

alid A o nts

eb ell


inary adding

T obs


Clear Co and istory

C T

Code igning

Co ponent ir are


Control anel te s

C ado

eob s ate e ode iles or n or ation

isabling e rity Tools

ear rder i a ing

ide oading

ploitation or e ense vasion tra indo e ory n e tion

ile eletion

ile yste ogi al sets

ate eeper ypass


idden sers

idden indo

TC T


ndi ator lo ing

ndi ator e oval ro Tools

ndi ator e oval on ost

ndire t Co and e tion

nstall oot Certi i ate

nstall til

a n tl

C A i a ing

as erading

odi y egistry

s ta

et or are Conne tion e oval

T ile Attrib tes

b s ated iles or n or ation

list odi i ation

ort Kno ing

ro ess oppelg nging

ro ess ollo ing

ro ess n e tion

ed ndant A ess

egsv s egas

egsvr

oot it

ndll

ripting

igned inary ro y e tion igned ript ro y e tion and Tr st rovider i a ing

o t are a ing

pa e a ter ilena e

Ti esto p


alid A o nts

eb ervi e

A o nt anip lation

as istory

r te or e

Credential ping

Credentials in iles

Credentials in egistry

ploitation or CredentialA ess

or ed A t enti ation

oo ing

np t Capt re

np t ro pt

Kerberoasting

Key ain

T oisoning

et or ni ing

ass ord ilter

rivate Keys


e rityd e ory

T o a tor A t enti ation nter eption

A o nt is overy

Appli ation indo is overy

ro ser oo ar is overy

ile and ire tory is overy

et or ervi e anning

et or are is overy

ass ord oli y is overy

erip eral evi e is overy

er ission ro ps is overy

ro ess is overy

ery egistry

e ote yste is overy

e rity o t are is overy

yste n or ation is overy

yste et or Con ig ration is overy yste et or Conne tions is overy yste ner ser is overy

yste ervi e is overy

yste Ti e is overy

Apple ript

Appli ation eploy ent o t are istrib ted Co ponent b e t odel ploitation o e ote ervi es

ogon ripts

ass t e as

ass t e Ti et

e ote es top roto ol

e ote ile Copy

e ote ervi es


ared ebroot

i a ing

Taint ared Content

T ird party o t are

indo s Ad in ares

indo s e ote anage ent

A dio Capt re

A to ated Colle tion

Clipboard ata

ata ro n or ation epositories

ata ro o al yste

ata ro et or ared rive

ata ro e ovable edia

ata taged

ail Colle tion

np t Capt re

an in t e ro ser

reen Capt re

ideo Capt re

A to ated iltration

ata Co pressed

ata n rypted

ata Trans er i e i its

iltration ver Alternative roto ol iltration ver Co andand Control C annel iltration ver t er et or edi iltration ver ysi al edi

ed led Trans er

Co only sed ort

Co ni ation T ro g e ovable edia

Conne tion ro y

C sto Co and andControl roto olC sto Cryptograp i roto ol

ata n oding

ata b s ation

o ain ronting

allba C annels

lti op ro y

lti tage C annels

ltiband Co ni ation

ltilayer n ryption

ort Kno ing

e ote A ess Tools

e ote ile Copy

tandard Appli ation ayer roto ol tandard Cryptograp i roto ol tandard on Appli ation ayer roto ol

n o only sed ort

eb ervi e

Threat Intelligence: APT28 Techniques*

*from open source p w ’ pp

Initial


Privilege

Escalation

Defense

Evasion

Credential

AccessDiscovery

Lateral


Command

and Control

| 23 |


rive by Co pro ise


ard are Additions



pearp is ing in



Tr sted elations ip

alid A o nts

Apple ript

C T

Co and ine nter a e

Control anel te s

yna i ata ange

e tion t ro g A



nstall til

a n tl

o al ob ed ling

A river

s ta

o er ell

egsv s egas

egsvr

ndll

ed led Tas

ripting

ervi e e tion


o r e

pa e a ter ilena e

T ird party o t are

Trap


ser e tion




AppCert s

App nit s

Appli ation i ing


T obs

oot it

ro ser tensions


Co ponent ir are


Create A o nt

ear rder i a ing

ylib i a ing




oo ing

ypervisor


a n Agent

a n ae on

a n tl

C A Addition

o al ob ed ling

ogin te

ogon ripts

A river

odi y isting ervi e

ets elper

e ervi e


at nter eption

list odi i ation

ort Kno ing

ort onitors

. o on


ed ndant A ess


ed led Tas

reensaver



ort t odi i ation


tart p te s

yste ir are

Ti e roviders

Trap

alid A o nts

eb ell


inlogon elper



AppCert s

App nit s

Appli ation i ing


ear rder i a ing

ylib i a ing


oo ing


a n ae on

e ervi e

at nter eption

list odi i ation

ort onitors

ro ess n e tion

ed led Tas


et id and etgid

istory n e tion

tart p te s

do

do Ca ing

alid A o nts

eb ell


inary adding

T obs


Clear Co and istory

C T

Code igning

Co ponent ir are


Control anel te s

C ado



ear rder i a ing

ide oading


ile eletion


ate eeper ypass


idden sers

idden indo

TC T


ndi ator lo ing





nstall til

a n tl

C A i a ing

as erading

odi y egistry

s ta


T ile Attrib tes


list odi i ation

ort Kno ing

ro ess oppelg nging

ro ess ollo ing

ro ess n e tion

ed ndant A ess

egsv s egas

egsvr

oot it

ndll

ripting


o t are a ing

pa e a ter ilena e

Ti esto p


alid A o nts

eb ervi e

A o nt anip lation

as istory

r te or e

Credential ping

Credentials in iles




oo ing

np t Capt re

np t ro pt

Kerberoasting

Key ain

T oisoning

et or ni ing

ass ord ilter

rivate Keys


e rityd e ory


A o nt is overy




et or ervi e anning

et or are is overy




ro ess is overy

ery egistry

e ote yste is overy





yste Ti e is overy

Apple ript


ogon ripts

ass t e as

ass t e Ti et


e ote ile Copy

e ote ervi es


ared ebroot

i a ing

Taint ared Content

T ird party o t are

indo s Ad in ares


A dio Capt re


Clipboard ata


ata ro o al yste



ata taged

ail Colle tion

np t Capt re

an in t e ro ser

reen Capt re

ideo Capt re

A to ated iltration

ata Co pressed

ata n rypted



ed led Trans er

Co only sed ort


Conne tion ro y


ata n oding

ata b s ation

o ain ronting

allba C annels

lti op ro y

lti tage C annels

ltiband Co ni ation

ltilayer n ryption

ort Kno ing

e ote A ess Tools

e ote ile Copy


n o only sed ort

eb ervi e

APT29 Techniques

Initial


Privilege

Escalation

Defense

Evasion

Credential

AccessDiscovery

Lateral


Command

and Control

| 24 |


rive by Co pro ise


ard are Additions



pearp is ing in



Tr sted elations ip

alid A o nts

Apple ript

C T

Co and ine nter a e

Control anel te s

yna i ata ange

e tion t ro g A



nstall til

a n tl

o al ob ed ling

A river

s ta

o er ell

egsv s egas

egsvr

ndll

ed led Tas

ripting

ervi e e tion


o r e

pa e a ter ilena e

T ird party o t are

Trap


ser e tion




AppCert s

App nit s

Appli ation i ing


T obs

oot it

ro ser tensions


Co ponent ir are


Create A o nt

ear rder i a ing

ylib i a ing




oo ing

ypervisor


a n Agent

a n ae on

a n tl

C A Addition

o al ob ed ling

ogin te

ogon ripts

A river

odi y isting ervi e

ets elper

e ervi e


at nter eption

list odi i ation

ort Kno ing

ort onitors

. o on


ed ndant A ess


ed led Tas

reensaver



ort t odi i ation


tart p te s

yste ir are

Ti e roviders

Trap

alid A o nts

eb ell


inlogon elper



AppCert s

App nit s

Appli ation i ing


ear rder i a ing

ylib i a ing


oo ing


a n ae on

e ervi e

at nter eption

list odi i ation

ort onitors

ro ess n e tion

ed led Tas


et id and etgid

istory n e tion

tart p te s

do

do Ca ing

alid A o nts

eb ell


inary adding

T obs


Clear Co and istory

C T

Code igning

Co ponent ir are


Control anel te s

C ado



ear rder i a ing

ide oading


ile eletion


ate eeper ypass


idden sers

idden indo

TC T


ndi ator lo ing





nstall til

a n tl

C A i a ing

as erading

odi y egistry

s ta


T ile Attrib tes


list odi i ation

ort Kno ing

ro ess oppelg nging

ro ess ollo ing

ro ess n e tion

ed ndant A ess

egsv s egas

egsvr

oot it

ndll

ripting


o t are a ing

pa e a ter ilena e

Ti esto p


alid A o nts

eb ervi e

A o nt anip lation

as istory

r te or e

Credential ping

Credentials in iles




oo ing

np t Capt re

np t ro pt

Kerberoasting

Key ain

T oisoning

et or ni ing

ass ord ilter

rivate Keys


e rityd e ory


A o nt is overy




et or ervi e anning

et or are is overy




ro ess is overy

ery egistry

e ote yste is overy





yste Ti e is overy

Apple ript


ogon ripts

ass t e as

ass t e Ti et


e ote ile Copy

e ote ervi es


ared ebroot

i a ing

Taint ared Content

T ird party o t are

indo s Ad in ares


A dio Capt re


Clipboard ata


ata ro o al yste



ata taged

ail Colle tion

np t Capt re

an in t e ro ser

reen Capt re

ideo Capt re

A to ated iltration

ata Co pressed

ata n rypted



ed led Trans er

Co only sed ort


Conne tion ro y


ata n oding

ata b s ation

o ain ronting

allba C annels

lti op ro y

lti tage C annels

ltiband Co ni ation

ltilayer n ryption

ort Kno ing

e ote A ess Tools

e ote ile Copy


n o only sed ort

eb ervi e

Comparing APT28 and APT29

Initial


Privilege

Escalation

Defense

Evasion

Credential

AccessDiscovery

Lateral


Command

and Control

APT28

APT29

Both groups

| 25 |


rive by Co pro ise


ard are Additions



pearp is ing in



Tr sted elations ip

alid A o nts

Apple ript

C T

Co and ine nter a e

Control anel te s

yna i ata ange

e tion t ro g A



nstall til

a n tl

o al ob ed ling

A river

s ta

o er ell

egsv s egas

egsvr

ndll

ed led Tas

ripting

ervi e e tion


o r e

pa e a ter ilena e

T ird party o t are

Trap


ser e tion




AppCert s

App nit s

Appli ation i ing


T obs

oot it

ro ser tensions


Co ponent ir are


Create A o nt

ear rder i a ing

ylib i a ing




oo ing

ypervisor


a n Agent

a n ae on

a n tl

C A Addition

o al ob ed ling

ogin te

ogon ripts

A river

odi y isting ervi e

ets elper

e ervi e


at nter eption

list odi i ation

ort Kno ing

ort onitors

. o on


ed ndant A ess


ed led Tas

reensaver



ort t odi i ation


tart p te s

yste ir are

Ti e roviders

Trap

alid A o nts

eb ell


inlogon elper



AppCert s

App nit s

Appli ation i ing


ear rder i a ing

ylib i a ing


oo ing


a n ae on

e ervi e

at nter eption

list odi i ation

ort onitors

ro ess n e tion

ed led Tas


et id and etgid

istory n e tion

tart p te s

do

do Ca ing

alid A o nts

eb ell


inary adding

T obs


Clear Co and istory

C T

Code igning

Co ponent ir are


Control anel te s

C ado



ear rder i a ing

ide oading


ile eletion


ate eeper ypass


idden sers

idden indo

TC T


ndi ator lo ing





nstall til

a n tl

C A i a ing

as erading

odi y egistry

s ta


T ile Attrib tes


list odi i ation

ort Kno ing

ro ess oppelg nging

ro ess ollo ing

ro ess n e tion

ed ndant A ess

egsv s egas

egsvr

oot it

ndll

ripting


o t are a ing

pa e a ter ilena e

Ti esto p


alid A o nts

eb ervi e

A o nt anip lation

as istory

r te or e

Credential ping

Credentials in iles




oo ing

np t Capt re

np t ro pt

Kerberoasting

Key ain

T oisoning

et or ni ing

ass ord ilter

rivate Keys


e rityd e ory


A o nt is overy




et or ervi e anning

et or are is overy




ro ess is overy

ery egistry

e ote yste is overy





yste Ti e is overy

Apple ript


ogon ripts

ass t e as

ass t e Ti et


e ote ile Copy

e ote ervi es


ared ebroot

i a ing

Taint ared Content

T ird party o t are

indo s Ad in ares


A dio Capt re


Clipboard ata


ata ro o al yste



ata taged

ail Colle tion

np t Capt re

an in t e ro ser

reen Capt re

ideo Capt re

A to ated iltration

ata Co pressed

ata n rypted



ed led Trans er

Co only sed ort


Conne tion ro y


ata n oding

ata b s ation

o ain ronting

allba C annels

lti op ro y

lti tage C annels

ltiband Co ni ation

ltilayer n ryption

ort Kno ing

e ote A ess Tools

e ote ile Copy


n o only sed ort

eb ervi e

Comparing APT28 and APT29

Initial


Privilege

Escalation

Defense

Evasion

Credential

AccessDiscovery

Lateral


Command

and Control

Focus on shared techniques APT28

APT29

Both groups

| 26 |


Tips for Using ATT&CK for Threat Intelligence

1. Choose a threat group relevant to your organization

2. Map their techniques to ATT&CK

– Or use existing mappings:

https://attack.mitre.org/groups/

https://pan-unit42.github.io/playbook_viewer/

3. Prioritize writing detections for those techniques

Then…

▪ Map many groups, focus on frequently seen techniques across groups

▪ For more info:

– https://medium.com/mitre-attack/getting-started-with-attack-cti-4eb205be4b2f

| 27 |


https://attack.mitre.org/groups/

https://pan-unit42.github.io/playbook_viewer/

https://medium.com/mitre-attack/getting-started-with-attack-cti-4eb205be4b2f

Adversary Emulation: How ATT&CK Can Help

▪ Focus your red team to emulate specific relevant adversaries

– Shows what your network looks like to real threats!

▪ ATT&CK can help you with adversary emulation and red teaming by…

– Focusing on known adversary behaviors

– Describing low-level TTP details that can be emulated

– Providing a common language to express tests and results

▪ Building out an ATT&CK-based adversary emulation program…

1. Try open source or commercial tools to get your feet wet

2. Track and mature what your red team is doing

3. Develop intentional adversary emulation plans based on CTI and detection

| 28 |


Getting Started: Using Open Source Tools

▪ No red team? No problem!

▪ Defenders can try out red teaming tools to get your feet wet

– Atomic Red Team: https://github.com/redcanaryco/atomic-red-team

– Red Team Automation: https://github.com/endgameinc/RTA

– CALDERA: https://github.com/mitre/caldera

| 29 |


https://github.com/redcanaryco/atomic-red-team

https://github.com/endgameinc/RTA

https://github.com/mitre/caldera

Bringing it Together: Gaps and Assessments

| 30 |

LegendHigh Confidence of DetectionSome Confidence of DetectionLow Confidence of Detection



| 31 |


We have some confidence we would detect Automated Exfiltration if executed

We have low confidence we would detect Data Encrypted if executed

We have high confidence we would detect Scheduled Transfer if executed



| 32 |


Communicate capabilities with a common reference

Inform tooling purchases for biggest ROI

Identify data sources needed for detection

Knowledge of my detection gaps allows

me to…

Develop analytics targeting high-impact gaps


1. Look at the data sources you’re collecting

Tips For Understanding Your Coverage

| 33 |

Windows Admin Shareshttps://attack.mitre.org/techniques/T1077/

Apple ript

C T

Co and ine nter a e

Co piled T ile

Control anel te s


nstall til

a n tl

s ta

o er ell

egsv s egas

egsvr

ndll

ed led Tas

ripting

ervi e e tion

igned inary ro y e tion

igned ript ro y e tion

o r e

Trap

ser e tion

indo s anage ent nstr entation


ript ro essing


Appli ation i ing

C ange e a lt ile Asso iation

Create A o nt

ear rder i a ing



Kernel od les and tensions

a n tl

C A Addition

odi y isting ervi e

e ervi e


list odi i ation

ed led Tas

reensaver


et id and etgid

ort t odi i ation

yste d ervi e

Trap


Appli ation i ing


ear rder i a ing


e ervi e

list odi i ation

ed led Tas


et id and etgid

do Ca ing



C T

Co pile A ter elivery

Co piled T ile

Control anel te s



ear rder i a ing

ile eletion

ile er issions odi i ation


ndi ator lo ing




nstall til

a n tl

odi y egistry

s ta


T ile Attrib tes


list odi i ation

egsv s egas

egsvr

ndll

ripting

igned inary ro y e tion

igned ript ro y e tion

Ti esto p

irt ali ation andbo vasion

ript ro essing

as istory

Credential ping

Credentials in iles


np t ro pt

A o nt is overy



o ain Tr st is overy


et or ervi e anning

et or are is overy



ro ess is overy

ery egistry

e ote yste is overy



yste et or Con ig ration is overy yste et or Conne tions is overy

yste ner ser is overy


yste Ti e is overy

irt ali ation andbo vasion

Apple ript

indo s Ad in ares



ata ro o al yste



ata taged

ata Co pressed

ata n rypted

p

ata estr tion

ata n rypted or pa t

is Content ipe

n ibit yste e overy

ervi e top



2. Map your analytics to ATT&CK techniques they might detect


| 34 |



2. Map your analytics to ATT&CK techniques they might detect

3. Map your tools to ATT&CK

– Read documentation

– Ask the vendor!

4. Find reports of prior activity

– What have you caught?

– What did you find a post-mortem?

5. Talk to your teams!

– Ask your red teams their favorite TTPs

– Ask your hunters what they struggle with

– Ask your IR team what they’ve seen


| 35 |


Following Up On Gaps: Prioritized Remediation


© 2019 The MITRE Corporation. All rights reserved.















Disk Structure Wipe







Firmware Corruption









Service Stop





Client Execution














Remote File Copy















Gatekeeper Bypass




Hidden Users


Hidden Window






















Shortcut Modification Redundant Access

SIP and Trust ProviderHijacking

Regsvcs/Regasm

Regsvr32

System Firmware Rootkit
















Disk Structure Wipe







Firmware Corruption









Service Stop





Client Execution














Remote File Copy















Gatekeeper Bypass




Hidden Users


Hidden Window
























Regsvcs/Regasm

Regsvr32


Prioritizing Remediations: Examples



Prioritized Technique
















Disk Structure Wipe







Firmware Corruption









Service Stop





Client Execution














Remote File Copy















Gatekeeper Bypass




Hidden Users


Hidden Window
























Regsvcs/Regasm

Regsvr32






Focus on Exploit Public-Facing Application and Data Content Wipeas they can have significant impact to operations
















Disk Structure Wipe







Firmware Corruption









Service Stop





Client Execution














Remote File Copy















Gatekeeper Bypass




Hidden Users


Hidden Window
























Regsvcs/Regasm

Regsvr32






Command-Line Interface, Credential Dumping, and Standard Application Layer Protocol are popular techniques and can give the biggest

return on investment
















Disk Structure Wipe







Firmware Corruption









Service Stop





Client Execution














Remote File Copy















Gatekeeper Bypass




Hidden Users


Hidden Window
























Regsvcs/Regasm

Regsvr32






Startup Items, InstallUtil, and System Time Discovery are used by threat actors most relevant to your network
















Disk Structure Wipe







Firmware Corruption









Service Stop





Client Execution














Remote File Copy















Gatekeeper Bypass




Hidden Users


Hidden Window
























Regsvcs/Regasm

Regsvr32






Existing logs can be used to detect Remote File Copy and Data From Removable Media, making analytic development easier


Remediating Gaps: Tips for Prioritization

1. Small lists of techniques are great for short-term wins

2. Follow one of two paradigms:

– A technique or two across tactics, or

– Many techniques in one tactic

3. Focus on techniques that are immediately relevant

– Are they used by relevant threat actors?

– Are they popular or frequently occurring?

– Are they easy to execute and do they enable more techniques?

– Are the necessary logs readily accessible?

| 42 |


Closing Thoughts

| 43 |

Long-Term Integration

Tune or Acquire New

Defenses

Assess Defensive Coverage

Identify High Priority

Gaps

| 44 |

Assessments and

Engineering

Adversary Emulation Exercises

• Threat intelligence• Sightings data• Relevant threat models

• Writing detections• ATT&CK evaluations• Public resources


Links and Contact

▪ Andy Applebaum

– [email protected]

– @andyplayse4

▪ ATT&CK

– https://attack.mitre.org

– @MITREattack

– [email protected]

▪ Data + Code

– https://github.com/mitre/cti (STIX data)

– https://github.com/mitre-attack (code)

▪ CALDERA

– https://github.com/mitre/caldera

▪ ATT&CK-based Product Evals

– https://attackevals.mitre.org/

▪ ATT&CKcon

– https://www.mitre.org/attackcon

▪ Blog

– https://medium.com/mitre-attack

| 45 |


mailto:[email protected]

https://attack.mitre.org/

mailto:[email protected]

https://github.com/mitre/cti

https://github.com/mitre-attack

https://github.com/mitre/caldera

https://attackevals.mitre.org/

https://www.mitre.org/attackcon

https://medium.com/mitre-attack

an introduction to att&ck - federal aviation …...an overview of the (enterprise) mitre...

Documents