module 1: introducing the training and … workshop...module 1: introducing the training and...

Module 1:Introducing the Training and

Understanding ATT&CK

©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.

Using MITRE ATT&CK™ for Cyber Threat Intelligence

Training

Katie Nickels and Adam Pennington


Training Overview

▪ Five modules consisting of YouTube videos and exercises are available at attack.mitre.org/training/cti

▪ Module 1: Introducing training and understanding ATT&CK

A. Topic introduction (Video)

▪ Module 2: Mapping to ATT&CK from finished reporting


B. Exercise 2: Mapping to ATT&CK from finished reporting (Do it yourself with materials on attack.mitre.org/training/cti)

C. Going over Exercise 2 (Video)

▪ Module 3: Mapping to ATT&CK from raw data


B. Exercise 3: Mapping to ATT&CK from raw data (Do it yourself with materials on attack.mitre.org/training/cti)



Training Overview

▪ Module 4: Storing and analyzing ATT&CK-mapped intel


B. Exercise 4: Comparing layers in ATT&CK Navigator (Do it yourself with materials on attack.mitre.org/training/cti)


▪ Module 5: Making ATT&CK-mapped data actionable with defensive recommendations


B. Exercise 5: Making defensive recommendations (Do it yourself with materials on attack.mitre.org/training/cti)

C. Going over Exercise 5 and wrap-up (Video)


Process of Applying ATT&CK to CTI

Understand ATT&CK

Map data to ATT&CK

Store & analyze ATT&CK-mapped

data

Make defensive recommendations

from ATT&CK-mapped data


Module 1 Module 2Module 3

Module 4 Module 5

Introduction to ATT&CK and Applying it to CTI


Tough Questions for Defenders

▪How effective are my defenses?

▪Do I have a chance at detecting APT29?

▪ Is the data I’m collecting useful?

▪Do I have overlapping tool coverage?

▪Will this new product help my organization’s defenses?

| 8 |

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.


| 9 |

What is

?A knowledge base of adversary behavior

➢ Based on real-world observations➢ Free, open, and globally accessible➢ A common language➢ Community-driven

The Difficult Task of Detecting TTPs

Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

David Bianco’s Pyramid of Pain©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10.

TTPs

Tools

Network/ Host Artifacts

Domain Names

IP Addresses

Hash Values

•Tough!

•Challenging

•Annoying

•Simple

•Easy

•Trivial

Impact

Data Destruction

Data Encrypted for Impact

Defacement

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

Firmware Corruption

Inhibit System Recovery

Network Denial of Service

Resource Hijacking

Runtime Data Manipulation

Service Stop

Stored Data Manipulation

Transmitted Data Manipulation

© 2019 The MITRE Corporation. All rights reserved. Matrix current as of May 2019.

Command and Control

Commonly Used Port

Communication Through Removable Media

Connection Proxy

Custom Command and Control Protocol

Custom Cryptographic Protocol

Data Encoding

Data Obfuscation

Domain Fronting

Domain GenerationAlgorithms

Fallback Channels

Multiband Communication

Multi-hop Proxy

Multilayer Encryption

Multi-Stage Channels

Port Knocking

Remote Access Tools

Remote File Copy

Standard Application Layer Protocol

Standard Cryptographic Protocol

Standard Non-ApplicationLayer Protocol

Uncommonly Used Port

Web Service

Exfiltration

Automated Exfiltration

Data Compressed

Data Encrypted

Data Transfer Size Limits

Exfiltration Over OtherNetwork Medium

Exfiltration Over Commandand Control Channel

Exfiltration Over Alternative Protocol

Exfiltration Over Physical Medium

Scheduled Transfer

Collection

Audio Capture

Automated Collection

Clipboard Data

Data from InformationRepositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Lateral Movement

AppleScript

Application Deployment Software

Distributed ComponentObject Model

Exploitation ofRemote Services

Logon Scripts

Pass the Hash

Pass the Ticket

Remote Desktop Protocol

Remote File Copy

Remote Services

Replication Through Removable Media

Shared Webroot

SSH Hijacking

Taint Shared Content

Third-party Software

Windows Admin Shares

Windows RemoteManagement

Credential Access Discovery

Network Sniffing

Account Manipulation Account Discovery

Bash History Application WindowDiscoveryBrute Force

Credential Dumping Browser Bookmark DiscoveryCredentials in Files

Credentials in Registry Domain Trust Discovery

Exploitation forCredential Access

File and Directory Discovery

Network Service Scanning

Forced Authentication Network Share Discovery

Hooking Password Policy Discovery

Input Capture Peripheral Device Discovery

Input Prompt Permission Groups Discovery

Kerberoasting Process Discovery

Keychain Query Registry

LLMNR/NBT-NS Poisoningand Relay

Remote System Discovery

Security Software Discovery

Password Filter DLL System InformationDiscoveryPrivate Keys

Securityd Memory System Network Configuration Discovery

Two-Factor AuthenticationInterception

System Network Connections Discovery

System Owner/UserDiscovery

System Service Discovery

System Time Discovery

Virtualization/Sandbox Evasion

Execution Persistence Privilege Escalation Defense Evasion

Scheduled Task Binary Padding

Launchctl Access Token Manipulation

Local Job Scheduling Bypass User Account Control

LSASS Driver Extra Window Memory Injection

Trap Process Injection

AppleScript DLL Search Order Hijacking

CMSTP Image File Execution Options Injection

Command-Line Interface Plist Modification

Compiled HTML File Valid Accounts

Control Panel Items Accessibility Features BITS Jobs

Dynamic Data Exchange AppCert DLLs Clear Command History

Execution through API AppInit DLLs CMSTP

Execution through Module Load

Application Shimming Code Signing

Dylib Hijacking Compiled HTML File

Exploitation for Client Execution

File System Permissions Weakness Component Firmware

Hooking Component Object ModelHijackingGraphical User Interface Launch Daemon

InstallUtil New Service Control Panel Items

Mshta Path Interception DCShadow

PowerShell Port Monitors Deobfuscate/Decode Filesor InformationRegsvcs/Regasm Service Registry Permissions Weakness

Regsvr32 Setuid and Setgid Disabling Security Tools

Rundll32 Startup Items DLL Side-Loading

Scripting Web Shell Execution Guardrails

Service Execution .bash_profile and .bashrc Exploitation for Privilege Escalation

Exploitation for Defense Evasion

Signed Binary Proxy Execution

Account Manipulation

Authentication Package SID-History Injection File Deletion

Signed Script Proxy Execution

BITS Jobs Sudo File Permissions ModificationBootkit Sudo Caching

Source Browser Extensions File System Logical Offsets

Space after Filename Change Default File Association

Gatekeeper Bypass

Third-party Software Group Policy Modification

Trusted Developer Utilities Component Firmware Hidden Files and Directories

User Execution Component ObjectModel Hijacking

Hidden Users

Windows Management Instrumentation

Hidden Window

Create Account HISTCONTROL

Windows Remote Management

External Remote Services Indicator Blocking

Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor

Kernel Modules and Extensions

Indicator Removal on Host

Indirect Command Execution

Launch Agent Install Root Certificate

LC_LOAD_DYLIB Addition InstallUtil

Login Item Launchctl

Logon Scripts LC_MAIN Hijacking

Modify Existing Service Masquerading

Netsh Helper DLL Modify Registry

Office Application Startup Mshta

Port Knocking Network Share ConnectionRemovalRc.common

Redundant Access NTFS File Attributes

Registry Run Keys / Startup Folder

Obfuscated Filesor Information

Re-opened Applications Port Knocking

Screensaver Process Doppelgänging

Security Support Provider Process Hollowing

Shortcut Modification Redundant Access

SIP and Trust ProviderHijacking

Regsvcs/Regasm

Regsvr32

System Firmware Rootkit

Systemd Service Rundll32

Time Providers Scripting

Windows Management Instrumentation Event

Subscription


Signed ScriptProxy ExecutionWinlogon Helper DLL

SIP and Trust Provider Hijacking

Software Packing

Space after Filename

Template Injection

Timestomp

Trusted Developer Utilities


Web Service

XSL Script Processing

Initial Access

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions


Spearphishing Attachment

Spearphishing Link

Spearphishing via Service

Supply Chain Compromise

Trusted Relationship

Valid Accounts

Breaking Down ATT&CK

Tactics: the adversary’s technical goals

Te

ch

niq

ue

s:

ho

w t

he

go

als

are

a

ch

iev

ed

Procedures: Specific technique implementation


Technique: Spearphishing Attachment


Group: APT29


ATT&CK Use Cases

Threat Intelligenceprocesses = search Process:Createreg = filter processes where (exe == "reg.exe" and parent_exe== "cmd.exe")cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"")reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname)output reg_and_cmd

Detection

Adversary Emulation

Assessment and Engineering


MITRE ATT&CK™

Techniques Mapped to Data Sourc es

About This Diagram

How can I use data I already have to get started w ith ATT&CK?

MITRE

MITRE

MITRE ATT&CK™

Resources

To help cyber defenders gain a common understanding

of the threats they face, MITRE developed the ATT&CK

framework. It ’s a globally-accessible knowledge base of

adversary tact ics and t echniques based on real world

observat ions and open source research contributed by

the cyber community.

Used by organizat ions around the world, ATT&CK

provides a shared understanding of adversary tact ics,

techniques and procedures and how to detect , prevent ,

and/ or mit igate them.

ATT&CK is open and available to any person or

organizat ion for use at no charge.

For sixty years, MITRE has tackled complex problems

that challenge public saf ety, stability, and well-being.

Pioneering together with the cyber community, we’re

building a stronger, threat-informed defense for a

safer world.

ATT&CK™

EnterpriseFramework

Use ATT&CK for Cyber Threat Intelligence

Cyber threat intelligence comes from many sources, including knowledge of past incidents,

commercial threat feeds, informat ion-sharing groups, government threat -sharing programs,

and more. ATT&CK gives analysts a common language to communicate across reports and

organizat ions, providing a way to st ructure, compare, and analyze threat intelligence.

Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analyt ics that

detect the techniques used by an adversary. Based on threat intelligence included in

ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of

analyt ics to detect threats.

Use ATT&CK for Adversary Emulation and Red Teaming

The best defense is a well-tested defense. ATT&CK provides a common adversary

behavior framework based on threat intelligence that red teams can use to emulate

specific threats. This helps cyber defenders find gaps in visib ilit y, defensive tools, and

processes—and then fix them.

Get St art ed w it h ATT&CK

at tack.mit re.org

• Access ATT&CK technical informat ion

• Cont ribute to ATT&CK

• Follow our b log

• W atch ATT&CK presentat ions

@MITREat tack

Follow us on Tw it ter for the

latest news

at tackevals.mit re.org

MITRE ATT&CK Evaluat ions

Legend

APT28

APT29

Both

LegendLow Priority

High Priority

Comparing APT28 to APT29

Find ing Gaps in Defense

One way to get started using ATT&CK is to look at what data sources you're already collect ing and use that data to detect ATT&CK

techniques. On our website, we current ly have 50 dif erent data sources mapped to Enterprise ATT&CK techniques. In this diagram,

we've chosen 12 of those data sources to show the techniques each of them might be able to detect w ith the right collect ion and

analyt ics. Check out our w ebsite at attack.mitre.org for more information on how each technique can be det ected, and specific

adversary examples you can use t o start detect ing adversary behavior with ATT&CK.

You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit .ly/ ATTACK19 to

learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK content.

Initial Access

Drive-by Compromise



Hardware Additions

Replication Through Removable

Media


Spearphishing Link




Valid Accounts

Execution

AppleScript

CMSTP

Command-Line Interface

Compiled HTML File

Control Panel Items

Dynamic Data Exchange

Execution through API



Graphical User Interface

InstallUtil

Launchctl

Local Job Scheduling

LSASS Driver

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scheduled Task

Scripting

Service Execution



Source



Trap


User Execution

Windows Management

Instrumentation



Persistence

.bash_profile and .bashrc

Accessibility Features


AppCert DLLs

AppInit DLLs

Application Shimming

Authentication Package

BITS Jobs

Bootkit

Browser Extensions

Change Default File Association

Component Firmware

Component Object Model Hijacking

Create Account

DLL Search Order Hijacking

Dylib Hijacking


File System Permissions W eakness

Hidden Files and Directories

Hooking

Hypervisor

Image File Execution Options

Injection


Launch Agent

Launch Daemon

Launchctl

LC_LOAD_DYLIB Addition


Login Item

Logon Scripts

LSASS Driver

Modify Existing Service

Netsh Helper DLL

New Service

Office Application Startup

Path Interception

Plist Modification

Port Knocking

Port Monitors

Rc.common

Re-opened Applications

Redundant Access


Scheduled Task

Screensaver

Security Support Provider

Service Registry Permissions

Weakness

Setuid and Setgid

Shortcut Modification


Startup Items

System Firmware

Systemd Service

Time Providers

Trap

Valid Accounts

Web Shell

Windows Management

Instrumentation Event Subscription

Winlogon Helper DLL

Privilege Escalation

Access Token Manipulation


AppCert DLLs

AppInit DLLs


Bypass User Account Control


Dylib Hijacking

Exploitation for Privilege Escalation

Extra Window Memory Injection


Hooking


Injection

Launch Daemon

New Service

Path Interception

Plist Modification

Port Monitors

Process Injection

Scheduled Task


Weakness

Setuid and Setgid

SID-History Injection

Startup Items

Sudo

Sudo Caching

Valid Accounts

Web Shell

Defense Evasion


Binary Padding

BITS Jobs


Clear Command History

CMSTP

Code Signing

Compile After Delivery

Compiled HTML File

Component Firmware


Control Panel Items

DCShadow

Deobfuscate/Decode Files or

Information

Disabling Security Tools


DLL Side-Loading

Execution Guardrails



File Deletion

File Permissions Modification

File System Logical Of fsets

Gatekeeper Bypass

Group Policy Modification


Hidden Users

Hidden Window

HISTCONTROL


Injection

Indicator Blocking

Indicator Removal from Tools



Install Root Certificate

InstallUtil

Launchctl

LC_MAIN Hijacking

Masquerading

Modify Registry

Mshta

Network Share Connection

Removal

NTFS File Attributes

Obfuscated Files or Information

Plist Modification

Port Knocking

Process Doppelgänging

Process Hollowing

Process Injection

Redundant Access

Regsvcs/Regasm

Regsvr32

Rootkit

Rundll32

Scripting




Software Packing


Template Injection

Timestomp


Valid Accounts


Web Service


Credential Access


Bash History

Brute Force

Credential Dumping

Credentials in Files

Credentials in Registry

Exploitation for Credential Access

Forced Authentication

Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain

LLMNR/NBT -NS Poisoning and

Relay

Network Snif fing

Password Filter DLL

Private Keys

Securityd Memory

Two-Factor Authentication

Interception

Discovery

Account Discovery

Application Window Discovery

Browser Bookmark Discovery

Domain Trust Discovery



Network Share Discovery

Network Snif fing

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery

Process Discovery

Query Registry



System Information Discovery

System Network Configuration

Discovery

System Network Connections

Discovery

System Owner/User Discovery




Lateral Movement

AppleScript


Distributed Component Object

Model

Exploitation of Remote Services

Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services


Media

Shared Webroot

SSH Hijacking





Collection

Audio Capture


Clipboard Data

Data from Information Repositories




Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Command And Control

Commonly Used Port

Communication Through

Removable Media

Connection Proxy

Custom Command and Control

Protocol


Data Encoding

Data Obfuscation

Domain Fronting

Domain Generation Algorithms

Fallback Channels

Multi-hop Proxy




Port Knocking

Remote Access Tools

Remote File Copy



Standard Non-Application Layer

Protocol


Web Service

Exfiltration


Data Compressed

Data Encrypted



Exfiltration Over Command and

Control Channel

Exfiltration Over Other Network

Medium


Scheduled Transfer

Impact

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop



Initial Access

Drive-by Compromise



Hardware Additions


Media


Spearphishing Link




Valid Accounts

Execution

AppleScript

CMSTP


Compiled HTML File

Control Panel Items






InstallUtil

Launchctl


LSASS Driver

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scheduled Task

Scripting

Service Execution



Source



Trap


User Execution

Windows Management

Instrumentation



Persistence




AppCert DLLs

AppInit DLLs



BITS Jobs

Bootkit

Browser Extensions


Component Firmware


Create Account


Dylib Hijacking




Hooking

Hypervisor


Injection


Launch Agent

Launch Daemon

Launchctl



Login Item

Logon Scripts

LSASS Driver


Netsh Helper DLL

New Service


Path Interception

Plist Modification

Port Knocking

Port Monitors

Rc.common


Redundant Access


Scheduled Task

Screensaver



Weakness

Setuid and Setgid



Startup Items

System Firmware

Systemd Service

Time Providers

Trap

Valid Accounts

Web Shell

Windows Management


Winlogon Helper DLL




AppCert DLLs

AppInit DLLs




Dylib Hijacking




Hooking


Injection

Launch Daemon

New Service

Path Interception

Plist Modification

Port Monitors

Process Injection

Scheduled Task


Weakness

Setuid and Setgid


Startup Items

Sudo

Sudo Caching

Valid Accounts

Web Shell

Defense Evasion


Binary Padding

BITS Jobs



CMSTP

Code Signing


Compiled HTML File

Component Firmware


Control Panel Items

DCShadow


Information



DLL Side-Loading




File Deletion



Gatekeeper Bypass



Hidden Users

Hidden Window

HISTCONTROL


Injection

Indicator Blocking





InstallUtil

Launchctl

LC_MAIN Hijacking

Masquerading

Modify Registry

Mshta


Removal



Plist Modification

Port Knocking


Process Hollowing

Process Injection

Redundant Access

Regsvcs/Regasm

Regsvr32

Rootkit

Rundll32

Scripting




Software Packing


Template Injection

Timestomp


Valid Accounts


Web Service


Credential Access


Bash History

Brute Force

Credential Dumping





Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain


Relay

Network Snif fing

Password Filter DLL

Private Keys

Securityd Memory


Interception

Discovery

Account Discovery







Network Snif fing




Process Discovery

Query Registry





Discovery


Discovery





Lateral Movement

AppleScript



Model


Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services


Media

Shared Webroot

SSH Hijacking





Collection

Audio Capture


Clipboard Data





Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Command And Control

Commonly Used Port


Removable Media

Connection Proxy


Protocol


Data Encoding

Data Obfuscation

Domain Fronting


Fallback Channels

Multi-hop Proxy




Port Knocking

Remote Access Tools

Remote File Copy




Protocol


Web Service

Exfiltration


Data Compressed

Data Encrypted




Control Channel


Medium


Scheduled Transfer

Impact

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop



AppleScript

Application DeploymentSoftware



Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services

Replication ThroughRemovable Media

Shared Webroot

SSH Hijacking





Commonly Used Port

Communication ThroughRemovable Media

Connection Proxy

Custom Command andControl Protocol

Custom CryptographicProtocol

Data Encoding

Data Obfuscation

Domain Fronting


Fallback Channels


Multi-hop Proxy



Port Knocking

Remote Access Tools

Remote File Copy

Standard Application LayerProtocol

Standard CryptographicProtocol



Web Service


Data Compressed

Data Encrypted




Exfiltration Over AlternativeProtocol

Exfiltration OverPhysical Medium

Scheduled Transfer

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop


Transmitted DataManipulation

Audio Capture


Clipboard Data



Data from NetworkShared Drive


Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Drive-by Compromise

Exploit Public-FacingApplication


Hardware Additions



Spearphishing Link




Valid Accounts

AppleScript

CMSTP


Compiled HTML File

Control Panel Items



Execution throughModule Load

Exploitation forClient Execution


InstallUtil

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scripting

Service Execution

Signed BinaryProxy Execution

Signed ScriptProxy Execution

Source





Image File Execution Options Injection

Plist Modification

Valid Accounts


AppCert DLLs

AppInit DLLs


Dylib Hijacking

File System Permissions Weakness

Hooking

Launch Daemon

New Service

Path Interception

Port Monitors

Service Registry Permissions Weakness

Setuid and Setgid

Startup Items

Web Shell




BITS Jobs

Bootkit

Browser Extensions

Change DefaultFile Association

Component Firmware

BITS Jobs


CMSTP

Code Signing

Compiled HTML File

Component Firmware

Component Object ModelHijacking

Control Panel Items

DCShadow

Deobfuscate/Decode Filesor Information


DLL Side-Loading


Exploitation forDefense Evasion

File Deletion

File PermissionsModification

File System Logical Offsets

Gatekeeper Bypass



Hidden Users

Exploitation forPrivilege Escalation


Sudo

Sudo Caching

Scheduled Task Binary Padding Network Sniffing

Launchctl


LSASS Driver

Trap




Process Injection


Bash History

Brute Force

Credential Dumping





Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain


Password Filter DLL

Private Keys

Securityd Memory


Account Discovery

Application WindowDiscovery

Browser BookmarkDiscovery








Process Discovery

Query Discovery



System InformationDiscovery

System NetworkConfiguration Discovery

System NetworkConnections Discovery




Virtualization/SandboxEvasion

data loss prevention

dll monitoring

kernel driversloaded d

lls

malw

are

reve

rse e

ngin

eering

netw

ork

device lo

gs

network intrusion detection system

ssl/tls inspection

system calls

win

dow

s eve

nt lo

gs

anti-v

irus

dis

abl in

g s

ecu

rity

to

ols

explo

itatio

n f

or

clie

nt

exe

cu

tio

n

ind

icato

r re

moval fr

om

to

ols

spea

rphis

hin

g v

ia s

erv

ice

tem

pla

te inje

ction

user

execution

web s

hell

bin

ary

paddin

gco

de s

ignin

gco

ntrol p

anel i

tem

s

data

com

pre

ssed

data

encr

ypte

dfil

e d

elet

ion

grap

hica

l use

r in

terfac

e

hook

ing

indi

cato

r rem

oval

from

tool

s

lc_l

oad_

dylib

add

ition

lc_m

ain

hija

ckin

g

masq

ueradin

g

obfusc

ated fi

les

or info

rmatio

n

redundant a

ccess

rundll3

2

software packing

third-party

software

time providers

automated collection

communication through removable media

data from information repositories

exfiltration over physical medium

hardware additions

replication through removable media

authentication package

component object model hijacking

control panel items

dll search order hijacking

distributed component object modeldynamic data exchange

execution through module loadhooking

lsass driver

netsh helper dllpassword filter dllport monitorspowershellprocess injectionsip and trust provider hijacking

security support provider

time providers

xsl script processing

data encrypted for impact

disk content wipe

disk structure wipe

input capture

lsass driver

ntfs file attributes

two-factor au

thenticatio

n interception

appce

rt dlls

appin

it dlls

applica

tion sh

imm

ing

auth

entica

tion p

acka

ge

com

ponent o

bje

ct m

odel h

ijackin

g

dll s

ide-lo

adin

g

hookin

g

lsass d

rive

r

pow

ers

he

ll

reg

svr3

2

sip

and

trust p

rovid

er h

ijackin

g

se

curity

su

pp

ort p

rovid

er

tim

e p

rovi d

ers

bin

ary

pa

dd

ing

custo

m c

ryp

tog

rap

hic

pro

toco

l

fallb

ack c

hannels

lc_m

ain

hija

ckin

g

multib

and c

om

munic

ation

multila

yer

encr

yption

obfu

scate

d file

s o

r in

form

atio

n

standard

applic

atio

n la

yer

pro

toco

l

standard

cry

pto

gra

phic

pro

toco

l

dom

ain

genera

tion a

lgorith

ms

driv

e-by

com

prom

ise

endp

oint

den

ial o

f ser

vice

forc

ed a

uthe

ntic

atio

n

mul

ti-st

age

chan

nels

netw

ork

deni

al o

f ser

vice

netw

ork sn

iffing

reso

urce

hija

ckin

g

cust

om c

omm

and and c

ontrol p

roto

col

drive-b

y com

prom

ise

endpoint denial o

f service

network denial o

f service

obfuscated files or in

formatio

n

remote access tools

spearphishing attachment

standard non-application layer protocoltemplate injection

domain frontingdrive-by compromise

endpoint denial of service

install root certificate

obfuscated files or information

spearphishing link

spearphishing via service

standard cryptographic protocol

web service

applescript

application shimming

browser extensions

bypass user account control

exploitation for client execution

hypervisor

kernel modules and extensions

keychain

rootkit

account manipulation

bits jobs

cmstp

control panel items

create account

distributed component object m

odel

dynamic data exchange

file permissions m

odification

group policy modification

hookin

g

image file

exe

cutio

n o

ptio

ns in

jectio

n

indica

tor re

mova

l on h

ost

indire

ct com

mand e

xecu

tion

inhib

it system

reco

very

kerb

ero

astin

g

llmnr/n

bt-n

s p

ois

onin

g a

nd re

lay

modify

regis

try

new

serv

ice

obfu

scate

d file

s o

r info

rmatio

n

sid

-his

tory

inje

ctio

n

sip

an

d tru

st p

rovid

er h

ijackin

g

sch

ed

ule

d ta

sk

bin

ary

file

met

adat

a

MITRE ATT&CK™


About This Diagram


MITRE

MITRE

MITRE ATT&CK™

Resources









techniques and procedures and how to detect, prevent ,

and/ or mit igate them.







safer world.

ATT&CK™

EnterpriseFramework
















at tack.mit re.org





@MITREat tack


latest news



Legend

APT28

APT29

Both

LegendLow Priority

High Priority








You can visualize how your own data sources map to adversary behavior w ith ATT&CK. Read our blog post at bit .ly/ ATTACK19 to


Initial Access

Drive-by Compromise



Hardware Additions


Media


Spearphishing Link




Valid Accounts

Execution

AppleScript

CMSTP


Compiled HTML File

Control Panel Items






InstallUtil

Launchctl


LSASS Driver

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scheduled Task

Scripting

Service Execution



Source



Trap


User Execution

Windows Management

Instrumentation



Persistence




AppCert DLLs

AppInit DLLs



BITS Jobs

Bootkit

Browser Extensions


Component Firmware


Create Account


Dylib Hijacking




Hooking

Hypervisor


Injection


Launch Agent

Launch Daemon

Launchctl



Login Item

Logon Scripts

LSASS Driver


Netsh Helper DLL

New Service


Path Interception

Plist Modification

Port Knocking

Port Monitors

Rc.common


Redundant Access


Scheduled Task

Screensaver



Weakness

Setuid and Setgid



Startup Items

System Firmware

Systemd Service

Time Providers

Trap

Valid Accounts

Web Shell

Windows Management


Winlogon Helper DLL




AppCert DLLs

AppInit DLLs




Dylib Hijacking




Hooking


Injection

Launch Daemon

New Service

Path Interception

Plist Modification

Port Monitors

Process Injection

Scheduled Task


Weakness

Setuid and Setgid


Startup Items

Sudo

Sudo Caching

Valid Accounts

Web Shell

Defense Evasion


Binary Padding

BITS Jobs



CMSTP

Code Signing


Compiled HTML File

Component Firmware


Control Panel Items

DCShadow


Information



DLL Side-Loading




File Deletion



Gatekeeper Bypass



Hidden Users

Hidden Window

HISTCONTROL


Injection

Indicator Blocking





InstallUtil

Launchctl

LC_MAIN Hijacking

Masquerading

Modify Registry

Mshta


Removal



Plist Modification

Port Knocking


Process Hollowing

Process Injection

Redundant Access

Regsvcs/Regasm

Regsvr32

Rootkit

Rundll32

Scripting




Software Packing


Template Injection

Timestomp


Valid Accounts


Web Service


Credential Access


Bash History

Brute Force

Credential Dumping





Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain


Relay

Network Snif fing

Password Filter DLL

Private Keys

Securityd Memory


Interception

Discovery

Account Discovery







Network Snif fing




Process Discovery

Query Registry





Discovery


Discovery





Lateral Movement

AppleScript



Model


Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services


Media

Shared Webroot

SSH Hijacking





Collection

Audio Capture


Clipboard Data





Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Command And Control

Commonly Used Port


Removable Media

Connection Proxy


Protocol


Data Encoding

Data Obfuscation

Domain Fronting


Fallback Channels

Multi-hop Proxy




Port Knocking

Remote Access Tools

Remote File Copy




Protocol


Web Service

Exfiltration


Data Compressed

Data Encrypted




Control Channel


Medium


Scheduled Transfer

Impact

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop



Initial Access

Drive-by Compromise



Hardware Additions


Media


Spearphishing Link




Valid Accounts

Execution

AppleScript

CMSTP


Compiled HTML File

Control Panel Items






InstallUtil

Launchctl


LSASS Driver

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scheduled Task

Scripting

Service Execution



Source



Trap


User Execution

Windows Management

Instrumentation



Persistence




AppCert DLLs

AppInit DLLs



BITS Jobs

Bootkit

Browser Extensions


Component Firmware


Create Account


Dylib Hijacking




Hooking

Hypervisor


Injection


Launch Agent

Launch Daemon

Launchctl



Login Item

Logon Scripts

LSASS Driver


Netsh Helper DLL

New Service


Path Interception

Plist Modification

Port Knocking

Port Monitors

Rc.common


Redundant Access


Scheduled Task

Screensaver



Weakness

Setuid and Setgid



Startup Items

System Firmware

Systemd Service

Time Providers

Trap

Valid Accounts

Web Shell

Windows Management


Winlogon Helper DLL




AppCert DLLs

AppInit DLLs




Dylib Hijacking




Hooking


Injection

Launch Daemon

New Service

Path Interception

Plist Modification

Port Monitors

Process Injection

Scheduled Task


Weakness

Setuid and Setgid


Startup Items

Sudo

Sudo Caching

Valid Accounts

Web Shell

Defense Evasion


Binary Padding

BITS Jobs



CMSTP

Code Signing


Compiled HTML File

Component Firmware


Control Panel Items

DCShadow


Information



DLL Side-Loading




File Deletion



Gatekeeper Bypass



Hidden Users

Hidden Window

HISTCONTROL


Injection

Indicator Blocking





InstallUtil

Launchctl

LC_MAIN Hijacking

Masquerading

Modify Registry

Mshta


Removal



Plist Modification

Port Knocking


Process Hollowing

Process Injection

Redundant Access

Regsvcs/Regasm

Regsvr32

Rootkit

Rundll32

Scripting




Software Packing


Template Injection

Timestomp


Valid Accounts


Web Service


Credential Access


Bash History

Brute Force

Credential Dumping





Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain


Relay

Network Snif fing

Password Filter DLL

Private Keys

Securityd Memory


Interception

Discovery

Account Discovery







Network Snif fing




Process Discovery

Query Registry





Discovery


Discovery





Lateral Movement

AppleScript



Model


Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services


Media

Shared Webroot

SSH Hijacking





Collection

Audio Capture


Clipboard Data





Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Command And Control

Commonly Used Port


Removable Media

Connection Proxy


Protocol


Data Encoding

Data Obfuscation

Domain Fronting


Fallback Channels

Multi-hop Proxy




Port Knocking

Remote Access Tools

Remote File Copy




Protocol


Web Service

Exfiltration


Data Compressed

Data Encrypted




Control Channel


Medium


Scheduled Transfer

Impact

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop



AppleScript




Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services


Shared Webroot

SSH Hijacking





Commonly Used Port


Connection Proxy



Data Encoding

Data Obfuscation

Domain Fronting


Fallback Channels


Multi-hop Proxy



Port Knocking

Remote Access Tools

Remote File Copy





Web Service


Data Compressed

Data Encrypted






Scheduled Transfer

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop



Audio Capture


Clipboard Data





Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Drive-by Compromise



Hardware Additions



Spearphishing Link




Valid Accounts

AppleScript

CMSTP


Compiled HTML File

Control Panel Items






InstallUtil

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scripting

Service Execution



Source






Plist Modification

Valid Accounts


AppCert DLLs

AppInit DLLs


Dylib Hijacking


Hooking

Launch Daemon

New Service

Path Interception

Port Monitors


Setuid and Setgid

Startup Items

Web Shell




BITS Jobs

Bootkit

Browser Extensions


Component Firmware

BITS Jobs


CMSTP

Code Signing

Compiled HTML File

Component Firmware


Control Panel Items

DCShadow



DLL Side-Loading



File Deletion



Gatekeeper Bypass



Hidden Users



Sudo

Sudo Caching


Launchctl


LSASS Driver

Trap




Process Injection


Bash History

Brute Force

Credential Dumping





Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain


Password Filter DLL

Private Keys

Securityd Memory


Account Discovery










Process Discovery

Query Discovery











dll monitoring


lls

malw

are

reve

rse e

ngin

eering

netw

ork

device lo

gs


ssl/tls inspection

system calls

win

dow

s eve

nt lo

gs

anti-v

irus

dis

ablin

g s

ecu

rity

to

ols

explo

itatio

n for

clie

nt

executio

n

ind

icato

r re

moval fr

om

to

ols

spearp

his

hin

g v

ia s

erv

ice

tem

pla

te inje

ction

user

execution

web s

hell

bin

ary

paddin

gco

de s

ignin

gco

ntrol p

anel i

tem

s

data

com

pre

ssed

data

encr

ypte

dfil

e de

letio

ngr

aphi

cal u

ser in

terfac

e

hook

ing

indi

cato

r rem

oval

from

tool

s

lc_loa

d_dy

lib a

ddition

lc_m

ain

hija

ckin

g

masq

ueradin

g

obfusc

ated fi

les

or info

rmatio

n

redundant a

ccess

rundll3

2

software packing

third-party

software

time providers





hardware additions




control panel items




lsass driver



time providers



disk content wipe

disk structure wipe

input capture

lsass driver


two-factor authe

ntication intercep

tion

appce

rt dlls

appin

it dlls

applica

tion sh

imm

ing

auth

entica

tion p

ack

age

com

ponent o

bje

ct m

odel h

ijackin

g

dll s

ide-lo

adin

g

hookin

g

lsass d

river

pow

ers

hell

regsvr3

2

sip

an

d tru

st p

rovid

er h

ijackin

g

se

curi ty

su

pp

or t p

rovid

er

t im

e p

rovid

ers

bin

ary

padd

ing

custo

m c

rypto

gra

phic

pro

tocol

fallb

ack c

hannels

lc_m

ain

hija

ckin

g

multib

and c

om

munic

ation

multila

yer

encry

ption

obfu

scate

d file

s o

r in

form

atio

n

standard

applic

atio

n la

yer

pro

toco

l

standard

cry

pto

gra

phic

pro

toco

l

dom

ain

genera

tion a

lgorith

ms

driv

e-by

com

prom

ise

endp

oint

den

ial o

f ser

vice

forc

ed a

uthe

ntic

atio

n

mul

ti-st

age

chan

nels

netw

ork

deni

al o

f ser

vice

netw

ork

sniffing

reso

urce

hija

ckin

g

cust

om c

omm

and and c

ontrol p

roto

col

drive-b

y com

prom

ise

endpoint denial o

f service

network denial o

f service


formatio

n

remote access tools







spearphishing link



web service

applescript


browser extensions



hypervisor


keychain

rootkit


bits jobs

cmstp

control panel items

create account


odel


file permissions m

odification


hookin

g

image file

exe

cutio

n o

ptio

ns in

jectio

n

indica

tor re

mova

l on h

ost

indire

ct com

mand e

xecu

tion

inhib

it system

reco

very

kerb

ero

astin

g

llmnr/n

bt-n

s p

ois

onin

g a

nd re

lay

modify

regis

try

new

serv

ice

obfu

scate

d file

s o

r info

rmatio

n

sid

-his

tory

inje

ctio

n

sip

an

d tru

st p

rovid

er h

ijackin

g

sch

ed

ule

d ta

sk

bin

ary

file

met

adat

a

MITRE ATT&CK™


About This Diagram


MITRE

MITRE

MITRE ATT&CK™

Resources









techniques and procedures and how to detect , prevent ,

and/or mit igate them.







safer world.

ATT&CK™

EnterpriseFramework
















at tack.mit re.org





@MITREat tack


latest news



Legend

APT28

APT29

Both

LegendLow Priority

High Priority








You can visualize how your own data sources map to adversary behavior w ith ATT&CK. Read our blog post at bit .ly/ ATTACK19 to


Initial Access

Drive-by Compromise



Hardware Additions


Media


Spearphishing Link




Valid Accounts

Execution

AppleScript

CMSTP


Compiled HTML File

Control Panel Items






InstallUtil

Launchctl


LSASS Driver

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scheduled Task

Scripting

Service Execution



Source



Trap


User Execution

Windows Management

Instrumentation



Persistence




AppCert DLLs

AppInit DLLs



BITS Jobs

Bootkit

Browser Extensions


Component Firmware


Create Account


Dylib Hijacking




Hooking

Hypervisor


Injection


Launch Agent

Launch Daemon

Launchctl



Login Item

Logon Scripts

LSASS Driver


Netsh Helper DLL

New Service


Path Interception

Plist Modification

Port Knocking

Port Monitors

Rc.common


Redundant Access


Scheduled Task

Screensaver



Weakness

Setuid and Setgid



Startup Items

System Firmware

Systemd Service

Time Providers

Trap

Valid Accounts

Web Shell

Windows Management


Winlogon Helper DLL




AppCert DLLs

AppInit DLLs




Dylib Hijacking




Hooking


Injection

Launch Daemon

New Service

Path Interception

Plist Modification

Port Monitors

Process Injection

Scheduled Task


Weakness

Setuid and Setgid


Startup Items

Sudo

Sudo Caching

Valid Accounts

Web Shell

Defense Evasion


Binary Padding

BITS Jobs



CMSTP

Code Signing


Compiled HTML File

Component Firmware


Control Panel Items

DCShadow


Information



DLL Side-Loading




File Deletion



Gatekeeper Bypass



Hidden Users

Hidden Window

HISTCONTROL


Injection

Indicator Blocking





InstallUtil

Launchctl

LC_MAIN Hijacking

Masquerading

Modify Registry

Mshta


Removal



Plist Modification

Port Knocking


Process Hollowing

Process Injection

Redundant Access

Regsvcs/Regasm

Regsvr32

Rootkit

Rundll32

Scripting




Software Packing


Template Injection

Timestomp


Valid Accounts


Web Service


Credential Access


Bash History

Brute Force

Credential Dumping





Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain


Relay

Network Snif fing

Password Filter DLL

Private Keys

Securityd Memory


Interception

Discovery

Account Discovery







Network Snif fing




Process Discovery

Query Registry





Discovery


Discovery





Lateral Movement

AppleScript



Model


Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services


Media

Shared Webroot

SSH Hijacking





Collection

Audio Capture


Clipboard Data





Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Command And Control

Commonly Used Port


Removable Media

Connection Proxy


Protocol


Data Encoding

Data Obfuscation

Domain Fronting


Fallback Channels

Multi-hop Proxy




Port Knocking

Remote Access Tools

Remote File Copy




Protocol


Web Service

Exfiltration


Data Compressed

Data Encrypted




Control Channel


Medium


Scheduled Transfer

Impact

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop



Initial Access

Drive-by Compromise



Hardware Additions


Media


Spearphishing Link




Valid Accounts

Execution

AppleScript

CMSTP


Compiled HTML File

Control Panel Items






InstallUtil

Launchctl


LSASS Driver

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scheduled Task

Scripting

Service Execution



Source



Trap


User Execution

Windows Management

Instrumentation



Persistence




AppCert DLLs

AppInit DLLs



BITS Jobs

Bootkit

Browser Extensions


Component Firmware


Create Account


Dylib Hijacking




Hooking

Hypervisor


Injection


Launch Agent

Launch Daemon

Launchctl



Login Item

Logon Scripts

LSASS Driver


Netsh Helper DLL

New Service


Path Interception

Plist Modification

Port Knocking

Port Monitors

Rc.common


Redundant Access


Scheduled Task

Screensaver



Weakness

Setuid and Setgid



Startup Items

System Firmware

Systemd Service

Time Providers

Trap

Valid Accounts

Web Shell

Windows Management


Winlogon Helper DLL




AppCert DLLs

AppInit DLLs




Dylib Hijacking




Hooking


Injection

Launch Daemon

New Service

Path Interception

Plist Modification

Port Monitors

Process Injection

Scheduled Task


Weakness

Setuid and Setgid


Startup Items

Sudo

Sudo Caching

Valid Accounts

Web Shell

Defense Evasion


Binary Padding

BITS Jobs



CMSTP

Code Signing


Compiled HTML File

Component Firmware


Control Panel Items

DCShadow


Information



DLL Side-Loading




File Deletion



Gatekeeper Bypass



Hidden Users

Hidden Window

HISTCONTROL


Injection

Indicator Blocking





InstallUtil

Launchctl

LC_MAIN Hijacking

Masquerading

Modify Registry

Mshta


Removal



Plist Modification

Port Knocking


Process Hollowing

Process Injection

Redundant Access

Regsvcs/Regasm

Regsvr32

Rootkit

Rundll32

Scripting




Software Packing


Template Injection

Timestomp


Valid Accounts


Web Service


Credential Access


Bash History

Brute Force

Credential Dumping





Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain


Relay

Network Snif fing

Password Filter DLL

Private Keys

Securityd Memory


Interception

Discovery

Account Discovery







Network Snif fing




Process Discovery

Query Registry





Discovery


Discovery





Lateral Movement

AppleScript



Model


Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services


Media

Shared Webroot

SSH Hijacking





Collection

Audio Capture


Clipboard Data





Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Command And Control

Commonly Used Port


Removable Media

Connection Proxy


Protocol


Data Encoding

Data Obfuscation

Domain Fronting


Fallback Channels

Multi-hop Proxy




Port Knocking

Remote Access Tools

Remote File Copy




Protocol


Web Service

Exfiltration


Data Compressed

Data Encrypted




Control Channel


Medium


Scheduled Transfer

Impact

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop



AppleScript




Logon Scripts

Pass the Hash

Pass the Ticket


Remote File Copy

Remote Services


Shared Webroot

SSH Hijacking





Commonly Used Port


Connection Proxy



Data Encoding

Data Obfuscation

Domain Fronting


Fallback Channels


Multi-hop Proxy



Port Knocking

Remote Access Tools

Remote File Copy





Web Service


Data Compressed

Data Encrypted






Scheduled Transfer

Data Destruction


Defacement

Disk Content Wipe

Disk Structure Wipe


Firmware Corruption



Resource Hijacking


Service Stop



Audio Capture


Clipboard Data





Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Drive-by Compromise



Hardware Additions



Spearphishing Link




Valid Accounts

AppleScript

CMSTP


Compiled HTML File

Control Panel Items






InstallUtil

Mshta

PowerShell

Regsvcs/Regasm

Regsvr32

Rundll32

Scripting

Service Execution



Source






Plist Modification

Valid Accounts


AppCert DLLs

AppInit DLLs


Dylib Hijacking


Hooking

Launch Daemon

New Service

Path Interception

Port Monitors


Setuid and Setgid

Startup Items

Web Shell




BITS Jobs

Bootkit

Browser Extensions


Component Firmware

BITS Jobs


CMSTP

Code Signing

Compiled HTML File

Component Firmware


Control Panel Items

DCShadow



DLL Side-Loading



File Deletion



Gatekeeper Bypass



Hidden Users



Sudo

Sudo Caching


Launchctl


LSASS Driver

Trap




Process Injection


Bash History

Brute Force

Credential Dumping





Hooking

Input Capture

Input Prompt

Kerberoasting

Keychain


Password Filter DLL

Private Keys

Securityd Memory


Account Discovery










Process Discovery

Query Discovery











dll monitoring


lls

malw

are

reve

rse e

ngin

eering

netw

ork

device lo

gs


ssl/tls inspection

system calls

win

dow

s eve

nt lo

gs

anti-v

irus

dis

ab

li ng

se

curi

ty t

oo

ls

exp

loita

tio

n fo

r clie

nt exe

cution

indic

ato

r re

moval fr

om

tools

spe

arp

his

hin

g v

ia s

erv

ice

tem

pla

te inje

ction

user

execution

web s

hell

bin

ary

paddin

gco

de s

ignin

gco

ntrol p

anel i

tem

s

data

com

pre

ssed

data

encr

ypte

dfil

e de

letio

ngr

aphi

cal u

ser in

terfac

e

hook

ing

indi

cato

r rem

oval

from

tool

s

lc_l

oad_

dylib

add

ition

lc_m

ain

hija

ckin

g

masq

ueradin

g

obfusc

ated fi

les

or info

rmatio

n

redundant a

ccess

rundll3

2

software packing

third-party

software

time providers





hardware additions




control panel items




lsass driver



time providers



disk content wipe

disk structure wipe

input capture

lsass driver


two-factor authen

tication in

terceptio

n

appce

rt dlls

appin

it dlls

applica

tion sh

imm

ing

auth

entic

atio

n p

ack

age

com

ponent o

bje

ct m

odel h

ijackin

g

dll s

ide-lo

adin

g

hookin

g

lsass d

river

pow

ers

hell

regsvr3

2

sip

an

d tru

st p

rovid

er h

ijackin

g

se

curity

sup

po

rt pro

vi d

er

t im

e p

rovi d

ers

bin

ary

padd

ing

custo

m c

rypto

gra

ph

ic p

roto

col

fallb

ack c

han

nels

lc_m

ain

hija

ckin

g

multib

and c

om

munic

ation

multila

yer

encry

ption

obfu

scate

d file

s or

info

rmation

standard

applic

atio

n la

yer

pro

toco

l

standard

cry

pto

gra

phic

pro

toco

l

dom

ain

genera

tion a

lgorith

ms

driv

e-by

com

pro

mis

e

endp

oint

den

ial o

f ser

vice

forc

ed a

uthe

ntic

atio

n

mul

ti-st

age

chan

nels

netw

ork

deni

al o

f ser

vice

netw

ork sn

iffing

reso

urce

hija

ckin

g

cust

om c

omm

and and c

ontrol p

roto

col

drive-b

y com

prom

ise

endpoint denial o

f service

network denial o

f service


formatio

n

remote access tools







spearphishing link



web service

applescript


browser extensions



hypervisor


keychain

rootkit


bits jobs

cmstp

control panel items

create account


odel


file permissions m

odification


hookin

g

image file

exe

cutio

n o

ptio

ns in

jectio

n

indica

tor re

mova

l on h

ost

indire

ct com

mand e

xecu

tion

inhib

it system

reco

very

kerb

ero

astin

g

llmnr/n

bt-n

s p

ois

onin

g a

nd re

lay

modify

regis

try

new

serv

ice

obfu

sca

ted file

s o

r info

rmatio

n

sid

-his

tory

inje

ctio

n

sip

and tru

st p

rovid

er h

ijackin

g

sch

ed

ule

d ta

sk

bin

ary

file

met

adat

a

ATT&CK and CTI


Threat Intelligence – How ATT&CK Can Help

▪ Use knowledge of adversary behaviors to inform defenders

▪ Structuring threat intelligence with ATT&CK allows us to…

– Compare behaviors

▪ Groups to each other

▪ Groups over time

▪ Groups to defenses

– Communicate in a common language

| 21 |


Communicate to Defenders

CTI Analyst Defender


(T1060)THIS is what the adversary is doing! The Run key is AdobeUpdater.

Oh, we have Registry data, we can detect that!


Communicate Across the Community


CTI Consumer


(T1060)

Oh, you mean T1060!

APT1337 is using autorun

FUZZYDUCK used a Run key

Company A

Company B


Understand ATT&CK

Map data to ATT&CK


data





Module 4 Module 5

End of Module 1


Module 2:Mapping to ATT&CK from a Finished Report



Understand ATT&CK

Map data to ATT&CK


data





Module 4 Module 5

Why is it Difficult to Map CTI to ATT&CK?

▪ Requires a shift in analyst thinking

– Indicators → behaviors

▪ Volume of ATT&CK techniques

▪ “Technical” detail of some ATT&CK techniques

But it’s worthwhile because this process…▪ Forces analysts to shift to thinking about behaviors

▪ Allows them to learn about new adversary techniques

▪ Pushes them to learn the “technical” side


Process of Mapping to ATT&CK

0. Understand ATT&CK

1. Find the behavior

2. Research the behavior

3. Translate the behavior into a tactic

4. Figure out what technique applies to the behavior

5. Compare your results to other analysts

Two key sources for where you get information:

1. Finished reporting

2. Raw data



▪ You need to know what to look for before you can do this

▪ To get analysts started:

– Watch an ATT&CK presentation like Sp4rkcon

– Read the Philosophy Paper and items from our Getting Started page

– Read the Tactic descriptions

– Skim the Technique list

▪ Encourage ongoing learning and discussion

– Have analysts present a technique a week in your team training


1. Find the Behavior

▪ Different mindset from looking for indicators

▪ Look for what the adversary or software does

▪ Focus on initial compromise and post-compromise details

– Info that may not be useful for ATT&CK mapping:

▪ Static malware analysis

▪ Infrastructure registration information

▪ Industry/victim targeting information


https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html

[Tactic] | 1. [Technique] [Tactic] | 2. [Technique]

2. Research the Behavior


▪ CTI analysts may not be familiar with adversary/software behavior

▪ Encourage them to do additional research:

– Of your own team or organization (defenders/red teamers)

– Of external resources

▪ Time-consuming, but builds better analysts

▪ Understanding of core behavior helps with next steps


https://en.wikipedia.org/wiki/SOCKS



https://www.speedguide.net/port.php?port=1913?


3. Translate the Behavior into a Tactic

▪ What is the adversary trying to accomplish?

▪ Often requires domain expertise

– Finished intel can give you context


▪ Only 12 options:

– Initial Access

– Execution

– Persistence

– Privilege Escalation

– Defense Evasion

– Credential Access

– Discovery

– Lateral Movement

– Collection

– Command and Control

– Exfiltration

– Impact


▪ “When executed, the malware first establishes a SOCKS5 connection to 192.157.198.103 using TCP port 1913. … Once the connection to the server is established, the malware expects a message containing at least three bytes from the server. These first three bytes are the command identifier. The following commands are supported by the malware … “

– A connection in order to command the malware to do something → Command and Control


4. Figure Out What Technique Applies

▪ Often the toughest part

▪ Not every behavior is necessarily a technique

▪ Key strategies:

1. Look at the list of Techniques for the identified Tactic

2. Search attack.mitre.org

▪ Try key words

▪ Try “procedure”-level detail

▪ Try specific command strings



Protocol vs.

Port

→ 2 techniques?



“the malware first establishes a SOCKS5 connection”



“establishes a SOCKS5 connection to

192.157.198.103 using TCP port 1913”

“CTRL+ F” FTW


Rinse and Repeat

https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html

Privilege Escalation | 3. Exploitation for Privilege Escalation (T1068)Execution | 4. Command-Line Interface (T1059)

Discovery | 5. System Owner/User Discovery (T1033)

Persistence – | 6. Scheduled Task (T1053)

Command and Control | 1. Standard Non-Application Layer Protocol (T1095)Command and Control |

2. Uncommonly Used Port (T1065)

Exercise 2: Cybereason Cobalt Kitty Report

▪ Analyze a threat report to find the Enterprise ATT&CK techniques

– 22 highlighted techniques in the Cybereason Cobalt Kitty report

▪ Choose a PDF from attack.mitre.org/training/cti under Exercise 2

– Choose your own adventure: start with “highlights only” or “tactic hints”

▪ Use the PDF or a text document/piece of paper to record your results

▪ Write down the ATT&CK tactic and technique you think applies to each highlight

▪ Tips:

– Do keyword searches of our website: https://attack.mitre.org

– Remember that you don’t have to be perfect

– Use this as a chance to dive into ATT&CK

▪ Please pause. We suggest giving yourself 30 minutes for this exercise.


https://attack.mitre.org/

Exercise 2 Optional Bonus Step:Compare your results to other analysts

▪ Step 5 of the process: Compare your results to other analysts

▪ Helps hedge against analyst biases

– More likely to identify techniques you’ve previously identified

Analyst 1 Analyst 2

https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

Command-Line Interface (T1059)

System Owner/User Discovery (T1033)

Scheduled Task (T1053)

Uncommonly Used Port (T1065)

Multi-Stage Channels (T1104)

Exploitation for Privilege Escalation (T1068)

Command-Line Interface (T1059)

Scheduled Task (T1053)

Uncommonly Used Port (T1065)

Custom Command and Control Protocol (T1094)Standard Non-Application Layer Protocol (T1095)

Discuss why it’s different


Finishing Exercise 2 (Optional Bonus Step)

▪ Now, compare your answers to another analyst’s answers

▪ Compare what you each had for each technique answer

– Discuss where there are differences – why did you have different answers?

– It’s okay to disagree!

▪ Please pause. We suggest giving yourself 10 minutes for this part of the exercise. If you do not have other analysts to discuss your answers with, you may advance to the next portion.


Going Over the Exercise – Cybereason Report

▪ Think about:

– What were the easiest & hardest techniques to identify?

– How did you identify each technique?

– What challenges did you have? How did you address them?


Cybereason Cobalt Kitty Report

1. Two types of payloads were found in the spear-phishing emails … link to a malicious site

– Initial Access - Spearphishing Link (T1192)

2. Two types of payloads were found in the spear-phishing emails … Word documents

– Initial Access - Spearphishing Attachment (T1193)

3. Two types of payloads were found in the spear-phishing emails … Word documents with malicious macros

– Defense Evasion/Execution – Scripting (T1064)

4. Two types of payloads were found in the spear-phishing emails

– Execution – User Execution (T1204)


https://cybr.ly/cobaltkitty


5.

– Execution - Command-Line Interface (T1059)

6. The two scheduled tasks are created on infected Windows

– Execution/Persistence - Scheduled Task (T1053)

7. schtasks /create /sc MINUTE /tn "Windows Error Reporting" /tr"mshta.exe about:'<script language=\"vbscript\“…

– Execution/Defense Evasion - Mshta (T1170)

8. That downloads and executes an additional payload from the same server

– Command and Control - Remote File Copy (T1105)




9.

– Execution - PowerShell (T1086)

10. it will pass an obfuscated and XOR’ed PowerShell payload to cmd.exe

– Defense Evasion - Obfuscated Files or Information (T1027)

11. The attackers used trivial but effective persistence techniques .. Those techniques consist of: Windows Registry Autorun

– Persistence - Registry Run Keys / Startup Folder (T1060)

12. the attackers used NTFS Alternate Data Stream to hide their payloads

– Defense Evasion - NTFS File Attributes (T1096)




13 & 14. The attackers created and/or modified Windows Services

– Persistence – New Service (T1050)

– Persistence – Modify Existing Service (T1031)

15 & 16. The attackers used a malicious Outlook backdoor macro … edited a specific registry value to create persistence

– Persistence – Office Application Startup (T1137)

– Defense Evasion – Modify Registry (T1112)

17. The attackers used different techniques and protocols to communicate with the C&C servers … HTTP

– Command and Control - Standard Application Layer Protocol (T1071)




18. :80 (in traffic from compromised machine to C&C server)

– Command and Control - Commonly Used Port (T1043)

19 & 20. The attackers downloaded COM scriptlets using regsvr32.exe

– Command and Control - Remote File Copy (T1105)

– Execution - Regsvr32 (T1117)

21. binary was renamed “kb-10233.exe”, masquerading as a Windows update

– Defense Evasion - Masquerading (T1036)

22. network scanning against entire ranges…looking for open ports…

– Discovery - Network Service Scanning (T1046)



Optional Exercise 2 Bonus Report

▪ If you’d like more practice mapping finished reporting to ATT&CK, work through the FireEye APT39 report in the same manner. The PDF is available at attack.mitre.org/training/cti under Exercise 2. (No tactic hints option this time!)

▪ Answers are provided in a separate PDF.


Skipping Steps in the Process

Once you’re experienced, you maybe able to skip steps

…but this increases your bias

…and it won’t work every time







Sometimes

we jump

directly here



Understand ATT&CK

Map data to ATT&CK


data





Module 4 Module 5

End of Module 2

Module 3:Mapping to ATT&CK from Raw Data


Understand ATT&CK

Map data to ATT&CK


data





Module 4 Module 5

Mapping to ATT&CK from Raw Data

▪ So far, working from intel where activity has already been analyzed

▪ Analysis of techniques/behaviors directly from source data

– Likely more information available at the procedure level

– Not reinterpreting another analyst’s prose

– Greater knowledge/expertise required to interpret intent/tactic

▪ Broad set of possible data can contain behaviors

– Shell commands, malware, forensic disk images, packets


Process of Mapping to ATT&CK








ipconfig /all

sc.exe \\ln334656-pc create

.\recycler.exe a -hpfGzq5yKw C:\$Recycle.Bin\old

C:\$Recycle.Bin\Shockwave_network.vsdxCommands captured by Sysmon being run interactively via cmd.exe

10.2.13.44:32123 -> 128.29.32.4:443

128.29.32.4:443 -> 10.2.13.44:32123

Flows from malware in a sandbox

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Netsh

New reg keys during an incident




▪ Can be similar to analysis of finished reporting for raw data

▪ May require expertise in the specific data type

– Network, forensics, malware, Windows cmd line, etc

▪ May require multiple data sources, more context

– Additional questions to responders/analysts




C:\$Recycle.Bin\Shockwave_network.vsdx

– Can make some educated guesses, but not enough context

File analysis:

When recycler.exe is executed, it gives the following output:

C:\recycler.exe

RAR 3.70 Copyright (c) 1993-2007 Alexander Roshal 22 May 2007

Shareware version Type RAR -? for help

– Aha! Based on the analysis we can Google the flags to RAR and determine that it is being used to compress and encrypt the file





And the file being compressed/encrypted is a Visio diagram, probably exfiltration



ipconfig /all

– Specific procedure only mapped to System Network Configuration Discovery

– System Network Configuration Discovery -> Discovery✅

– Seen being run via Sysmon -> Execution



– We figured out researching this that “vsdx” is Visio data

– Moderate confidence Exfiltration, commands around this could make clearer

– Seen being run via Sysmon -> Execution



▪ Similar to working with finished reporting we may jump straight here

– Procedure may map directly to Technique/Tactic

– May have enough experience to compress steps

ipconfig /all

– Specific procedure in System Network Configuration Discovery (T1016)

– Also Command-Line Interface (T1059)



– We figured out researching this that “a –hp” compresses/encrypts

– Appears to be Data Compressed (T1002) and Data Encrypted (T1022)

– Also Command-Line Interface (T1059)


4. Concurrent Techniques

▪ Don’t just think of what’s happening – think of how it’s happening

▪ Certain tactics commonly have concurrent techniques:

– Execution

– Defense Evasion

– Collection

▪ Examples:

– Data Compressed + Data Encrypted (2x Exfiltration)

– Spearphishing Attachment + User Execution (Initial Access + Execution)

– Data from Local System + Email Collection (2x Collection)

– Process Discovery + Command-Line Interface (Discovery + Execution)


4. Different Types of Techniques

▪ Not all techniques are created equal!

– Credit to Red Canary: https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/

▪ Some are specific

– Rundll32

– Netsh Helper DLL

▪ Some are broad

– Scripting

– Obfuscated Files or Information

▪ Some capture “how” the behavior occurs

– Masquerading

– Data Transfer Size Limits

– Automated Collection©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.

https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/

5. Compare Your Results to Other Analysts

▪ Same caveats about hedging biases

▪ May need a broader set of skills/experience to work with types of data

Analyst 1 Analyst 2

• Packets

• Malware/Reversing

• Windows command line

• Windows Events

• Disk forensics

• macOS/Linux


Pros/cons of Mapping from the Two Different Sources

Step Raw Finished

Find the behavior Nearly everything may be a

behavior (not all ATT&CK)

May be buried amongst prose, IOCs, etc

Research the behavior May need to look at multiple

sources, data types. May also

be a known procedure

May have more info/context, may also

have lost detail in writing

Translate the behavior into a

tactic

Have to map to adversary

intent, need domain

knowledge/expertise

Often intent has been postulated by report

author

Figure out what technique

applies to the behavior

May have a procedure that

maps straight to technique, or

may require deep

understanding to understand

how accomplished

May be as simple as a text match to

description/procedure, or may be too

vague to tell

Compare your results to other

analysts

May need multiple analysts to

cover all data sources

More likely in a form where other analysts

needed for coverage/hedge against bias


Exercise 3: Working with raw data

▪ You’re going to be examining two tickets from a simulated incident

▪ Ticket 473822

– Series of commands interactively executed via cmd.exe on an end system

▪ Ticket 473845

– Pieces of a malware analysis of the primary RAT used in the incident

▪ Both tickets are at https://attack.mitre.org/training/cti under Exercise 3

▪ Use whatever to record your results or download and edit

▪ Identify as many behaviors as possible

▪ Annotate the behaviors that are ATT&CK techniques

▪ Please pause. We suggest giving yourself 25 minutes for this exercise.©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.

Exercise Questions

▪ What questions would you have asked of your incident responders?

▪ What was easier/harder than working with finished reporting?

▪ What other types of data do you commonly encounter with behaviors?

▪ Did you notice any behaviors that you couldn’t find a technique for?


Going Over Exercise 3 (Ticket 473822)

ipconfig /all

arp -a

echo %USERDOMAIN%\%USERNAME%

tasklist /v

sc query

systeminfo

net group "Domain Admins" /domain

net user /domain

net group "Domain Controllers" /domain

netsh advfirewall show allprofiles

netstat -ano

System Network Configuration Discovery (T1016)


System Owner / User Discovery (T1033)

Process Discovery (T1057)

System Service Discovery (T1007)

All are Execution - Command-Line Interface (T1059)

System Information Discovery (T1082)

Permission Groups Discovery (T1069)

Account Discovery (T1087)

Remote System Discovery (T1018)


System Network Connections Discovery (T1049)

Dis

co

very


Going Over Exercise 3 (Ticket 473845)

C2 protocol is base64 encoded commands over https. The RAT beacons every

30 seconds requesting a command.

UPLOAD file (upload a file server->client)

DOWNLOAD file (download a file client->server)

SHELL command (runs a command via cmd.exe)

PSHELL command (runs a command via powershell.exe)

EXEC path (executes a PE at the path given via CreateProcess)

SLEEP n (skips n beacons)

10.1.1.1:24123 -> 129.83.44.12:443

129.83.44.12:443 -> 10.1.1.1:24123

Copy C:\winspoo1.exe -> C:\Windows\System32\winspool.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winspool

REG_SZ "C:\Windows\System32\winspool.exe"

Execution - Command-Line Interface (T1059)

Execution - Powershell (T1086)

Execution - Execution through API (T1106)

Command and Control - Commonly Used Port (T1043)

Command and Control - Data Encoding (T1132)

Command and Control - Standard Application Layer Protocol (T1071)

Defense Evasion - Masquerading (T1036)

Persistence - Registry Run Keys (T1060)

Command and Control – Remote File Copy (T1105)


From Raw Data to Finished Reporting with ATT&CK

▪ We’ve talked about augmenting reports with ATT&CK and analyzing data with ATT&CK, possibly in parallel with analysis for reporting

▪ If you are creating reporting with ATT&CK techniques, we recommend keeping the techniques with the related procedures for context

– Allows other analysts to examine the mapping for themselves

– Allows much easier capture of how a technique was done


Finished Reporting Examples

During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all1’ via the Windows command shell2.

1. Discovery – System Network Configuration Discovery (T1016)

2. Execution – Command-Line Interface (T1059)

System Network Configuration Discovery (T1016) and Command-Line Interface (T1059) - During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all’ via the Windows command shell.

Instead of

Appendix C – ATT&CK Techniques

▪ System Network Configuration Discovery

▪ Command-Line Interface

▪ Hardware Additions©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.


Understand ATT&CK

Map data to ATT&CK


data





Module 4 Module 5

End of Module 3


Module 4:Storing and Analyzing ATT&CK-Mapped Data



Understand ATT&CK

Map data to ATT&CK


data





Module 4 Module 5

Considerations When Storing ATT&CK-Mapped Intel

▪ Who’s consuming it?

– Human or machine?

– Requirements?

▪ How will you provide context?

– Include full text?

▪ How detailed will it be?

– Just a Technique, or a Procedure?

– How will you capture that detail? (Free text?)

▪ How will you link it to other intel?

– Incident, group, campaign, indicator…

▪ How will you import and export data?

– Format?©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.

The community is still

figuring this out!

Ways to Store and Display ATT&CK-Mapped Intel

¯\_(ツ)_/¯



Courtesy of Alexandre Dulaunoy



Courtesy of Alexandre Dulaunoy


Ability to link to indicators

and files

Ways to Express and Store ATT&CK-Mapped Intel

https://www.anomali.com/blog/weekly-threat-briefing-google-spots-attacks-exploiting-ios-zero-day-flaws

…


Techniques at the

end of a report


https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/


Techniques at the end of a report


https://www.crowdstrike.com/resources/reports/2018-crowdstrike-global-threat-report-blurring-the-lines-between-statecraft-and-tradecraft/


Techniques at the

beginning of a report


https://www.digitalshadows.com/blog-and-research/mitre-attck-and-the-mueller-gru-indictment-lessons-for-organizations/


Adding additional

info to an ATT&CK

technique


https://www.recordedfuture.com/mitre-attack-framework/


With

timestamps


https://pan-unit42.github.io/playbook_viewer/©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.

Machine readable

Linking techniques to indicators


https://attack.mitre.org/groups/G0007/

What else could we do?

https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

Credential Dumping

(T1003)

Full-Text Report ATT&CK Technique


Understand ATT&CK

Map data to ATT&CK


data




So now we have some ATT&CK-mapped intel…

What can we do with it?


Initial Access

rive by Compromise

xploit ublic acingApplication

ardware Additions


pearphishing Attachment

pearphishing ink

pearphishing via ervice

upply Chain Compromise


alid Accounts

Execution

Apple cript

CM T

Command ine Interface

Control anel Items

ynamic ata xchange

xecution through A I

xecution through Module oad xploitation for Client xecution

raphical ser Interface

Install til

aunchctl

ocal ob cheduling

A river

Mshta

ower hell

Regsvcs Regasm

Regsvr

Rundll

cheduled Task

cripting

ervice xecution

igned inary roxy xecution igned cript roxy xecution

ource

pace after ilename

Third party oftware

Trap

Trusted eveloper tilities

ser xecution

Windows ManagementInstrumentationWindows RemoteManagement

Persistence

.bash profile and .bashrc

Accessibility eatures

AppCert s

AppInit s

Application himming

Authentication ackage

IT obs

ootkit

rowser xtensions

Change efault ileAssociation

Component irmware

Component b ect Model i acking

Create Account

earch rder i acking

ylib i acking

xternal Remote ervices

ile ystem ermissionsWeakness

idden iles and irectories

ooking

ypervisor

Image ile xecution ptionsIn ection ernel Modules and xtensions

aunch Agent

aunch aemon

aunchctl

C A I Addition

ocal ob cheduling

ogin Item

ogon cripts

A river

Modify xisting ervice

Netsh elper

New ervice

ffice Application tartup

ath Interception

list Modification

ort nocking

ort Monitors

Rc.common

Re opened Applications

Redundant Access

Registry Run eys tart older

cheduled Task

creensaver

ecurity upport rovider

ervice Registry ermissionsWeakness

hortcut Modification

I and Trust rovider i acking

tartup Items

ystem irmware

Time roviders

Trap

alid Accounts

Web hell

Windows ManagementInstrumentation vent ubscription

Winlogon elper




AppCert s

AppInit s

Application himming

ypass ser Account Control

earch rder i acking

ylib i acking

xploitation for rivilege scalation xtra Window MemoryIn ection ile ystem ermissionsWeakness

ooking

Image ile xecution ptionsIn ection

aunch aemon

New ervice

ath Interception

list Modification

ort Monitors

rocess In ection

cheduled Task


etuid and etgid

I istory In ection

tartup Items

udo

udo Caching

alid Accounts

Web hell

Defense Evasion


inary adding

IT obs


Clear Command istory

CM T

Code igning

Component irmware


Control anel Items

C hadow

eobfuscate ecode iles orInformation

isabling ecurity Tools

earch rder i acking

ide oading

xploitation for efense vasion xtra Window MemoryIn ection

ile eletion

ile ystem ogical ffsets

atekeeper ypass


idden sers

idden Window

I TC NTR


Indicator locking


Indicator Removal on ost

Indirect Command xecution


Install til

aunchctl

C MAIN i acking

Masquerading

Modify Registry

Mshta

Network hare ConnectionRemoval

NT ile Attributes

bfuscated iles orInformation

list Modification

ort nocking

rocess oppelg nging

rocess ollowing

rocess In ection

Redundant Access

Regsvcs Regasm

Regsvr

Rootkit

Rundll

cripting

igned inary roxy xecution igned cript roxy xecution I and Trust rovider i acking

oftware acking

pace after ilename

Timestomp


alid Accounts

Web ervice

Credential Access


ash istory

rute orce

Credential umping

Credentials in iles


xploitation for CredentialAccess

orced Authentication

ooking

Input Capture

Input rompt

erberoasting

eychain

MNR N T N oisoning

Network niffing

assword ilter

rivate eys


ecurityd Memory

Two actor AuthenticationInterception

Discovery

Account iscovery

Application Window iscovery

rowser ookmark iscovery

ile and irectory iscovery

Network ervice canning

Network hare iscovery

assword olicy iscovery

eripheral evice iscovery

ermission roups iscovery

rocess iscovery

uery Registry

Remote ystem iscovery

ecurity oftware iscovery

ystem Information iscovery

ystem NetworkConfiguration iscovery ystem Network Connections iscovery ystem wner ser iscovery

ystem ervice iscovery

ystem Time iscovery

Lateral Movement

Apple cript

Application eployment oftware istributed Component b ect Model xploitation of Remote ervices

ogon cripts

ass the ash

ass the Ticket

Remote esktop rotocol

Remote ile Copy

Remote ervices


hared Webroot

i acking

Taint hared Content

Third party oftware

Windows Admin hares


Collection

Audio Capture


Clipboard ata

ata from InformationRepositories

ata from ocal ystem

ata from Network hared rive

ata from Removable Media

ata taged

mail Collection

Input Capture

Man in the rowser

creen Capture

ideo Capture

Exfiltration

Automated xfiltration

ata Compressed

ata ncrypted

ata Transfer i e imits

xfiltration ver Alternative rotocol xfiltration ver Commandand Control Channel xfiltration ver therNetwork Medium xfiltration ver hysicalMedium

cheduled Transfer

Command And Control

Commonly sed ort


Connection roxy

Custom Command andControl rotocolCustom Cryptographic rotocol

ata ncoding

ata bfuscation

omain ronting

allback Channels

Multi hop roxy

Multi tage Channels


Multilayer ncryption

ort nocking

Remote Access Tools

Remote ile Copy

tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol

ncommonly sed ort

Web ervice

APT28 Techniques*

*from open source reporting we’ve mapped

Initial

AccessExecution Persistence

Privilege

Escalation

Defense

Evasion

Credential

AccessDiscovery

Lateral

MovementCollection Exfiltration

Command

and Control

Initial Access

rive by Compromise


ardware Additions



pearphishing ink




alid Accounts

Execution

Apple cript

CM T


Control anel Items

ynamic ata xchange




Install til

aunchctl

ocal ob cheduling

A river

Mshta

ower hell

Regsvcs Regasm

Regsvr

Rundll

cheduled Task

cripting

ervice xecution


ource

pace after ilename

Third party oftware

Trap


ser xecution


Persistence



AppCert s

AppInit s

Application himming


IT obs

ootkit

rowser xtensions


Component irmware


Create Account

earch rder i acking

ylib i acking




ooking

ypervisor


aunch Agent

aunch aemon

aunchctl

C A I Addition

ocal ob cheduling

ogin Item

ogon cripts

A river


Netsh elper

New ervice


ath Interception

list Modification

ort nocking

ort Monitors

Rc.common


Redundant Access


cheduled Task

creensaver





tartup Items

ystem irmware

Time roviders

Trap

alid Accounts

Web hell


Winlogon elper




AppCert s

AppInit s

Application himming


earch rder i acking

ylib i acking


ooking


aunch aemon

New ervice

ath Interception

list Modification

ort Monitors

rocess In ection

cheduled Task


etuid and etgid

I istory In ection

tartup Items

udo

udo Caching

alid Accounts

Web hell

Defense Evasion


inary adding

IT obs



CM T

Code igning

Component irmware


Control anel Items

C hadow



earch rder i acking

ide oading


ile eletion


atekeeper ypass


idden sers

idden Window

I TC NTR


Indicator locking





Install til

aunchctl

C MAIN i acking

Masquerading

Modify Registry

Mshta


NT ile Attributes


list Modification

ort nocking

rocess oppelg nging

rocess ollowing

rocess In ection

Redundant Access

Regsvcs Regasm

Regsvr

Rootkit

Rundll

cripting


oftware acking

pace after ilename

Timestomp


alid Accounts

Web ervice

Credential Access


ash istory

rute orce

Credential umping

Credentials in iles




ooking

Input Capture

Input rompt

erberoasting

eychain

MNR N T N oisoning

Network niffing

assword ilter

rivate eys


ecurityd Memory


Discovery

Account iscovery









rocess iscovery

uery Registry






ystem Time iscovery

Lateral Movement

Apple cript


ogon cripts

ass the ash

ass the Ticket


Remote ile Copy

Remote ervices


hared Webroot

i acking

Taint hared Content

Third party oftware

Windows Admin hares


Collection

Audio Capture


Clipboard ata


ata from ocal ystem



ata taged

mail Collection

Input Capture

Man in the rowser

creen Capture

ideo Capture

Exfiltration


ata Compressed

ata ncrypted



cheduled Transfer

Command And Control

Commonly sed ort


Connection roxy


ata ncoding

ata bfuscation

omain ronting

allback Channels

Multi hop roxy

Multi tage Channels



ort nocking

Remote Access Tools

Remote ile Copy


ncommonly sed ort

Web ervice

APT29 Techniques

Initial


Privilege

Escalation

Defense

Evasion

Credential

AccessDiscovery

Lateral


Command

and Control

Initial Access

rive by Compromise


ardware Additions



pearphishing ink




alid Accounts

Execution

Apple cript

CM T


Control anel Items

ynamic ata xchange




Install til

aunchctl

ocal ob cheduling

A river

Mshta

ower hell

Regsvcs Regasm

Regsvr

Rundll

cheduled Task

cripting

ervice xecution


ource

pace after ilename

Third party oftware

Trap


ser xecution


Persistence



AppCert s

AppInit s

Application himming


IT obs

ootkit

rowser xtensions


Component irmware


Create Account

earch rder i acking

ylib i acking




ooking

ypervisor


aunch Agent

aunch aemon

aunchctl

C A I Addition

ocal ob cheduling

ogin Item

ogon cripts

A river


Netsh elper

New ervice


ath Interception

list Modification

ort nocking

ort Monitors

Rc.common


Redundant Access


cheduled Task

creensaver





tartup Items

ystem irmware

Time roviders

Trap

alid Accounts

Web hell


Winlogon elper




AppCert s

AppInit s

Application himming


earch rder i acking

ylib i acking


ooking


aunch aemon

New ervice

ath Interception

list Modification

ort Monitors

rocess In ection

cheduled Task


etuid and etgid

I istory In ection

tartup Items

udo

udo Caching

alid Accounts

Web hell

Defense Evasion


inary adding

IT obs



CM T

Code igning

Component irmware


Control anel Items

C hadow



earch rder i acking

ide oading


ile eletion


atekeeper ypass


idden sers

idden Window

I TC NTR


Indicator locking





Install til

aunchctl

C MAIN i acking

Masquerading

Modify Registry

Mshta


NT ile Attributes


list Modification

ort nocking

rocess oppelg nging

rocess ollowing

rocess In ection

Redundant Access

Regsvcs Regasm

Regsvr

Rootkit

Rundll

cripting


oftware acking

pace after ilename

Timestomp


alid Accounts

Web ervice

Credential Access


ash istory

rute orce

Credential umping

Credentials in iles




ooking

Input Capture

Input rompt

erberoasting

eychain

MNR N T N oisoning

Network niffing

assword ilter

rivate eys


ecurityd Memory


Discovery

Account iscovery









rocess iscovery

uery Registry






ystem Time iscovery

Lateral Movement

Apple cript


ogon cripts

ass the ash

ass the Ticket


Remote ile Copy

Remote ervices


hared Webroot

i acking

Taint hared Content

Third party oftware

Windows Admin hares


Collection

Audio Capture


Clipboard ata


ata from ocal ystem



ata taged

mail Collection

Input Capture

Man in the rowser

creen Capture

ideo Capture

Exfiltration


ata Compressed

ata ncrypted



cheduled Transfer

Command And Control

Commonly sed ort


Connection roxy


ata ncoding

ata bfuscation

omain ronting

allback Channels

Multi hop roxy

Multi tage Channels



ort nocking

Remote Access Tools

Remote ile Copy


ncommonly sed ort

Web ervice

Comparing APT28 and APT29

Initial


Privilege

Escalation

Defense

Evasion

Credential

AccessDiscovery

Lateral


Command

and Control

Overlay known gaps

APT28

APT29

Both groups

ATT&CK Navigator

▪ One option for getting started with storing and analyzing in a simple way

▪ Open source (JSON), so you can customize it

▪ Allows you you visualize data


ATT&CK Navigator Demo Video

Exercise 4: Comparing Layers in ATT&CK Navigator

▪ Docs you will need are at attack.mitre.org/training/cti under Exercise 4

– Step-by-step instructions are in the “Comparing ayers in Navigator”

– Techniques are listed in the “A T 9 and Cobalt itty techniques”

1. Open ATT&CK Navigator: http://bit.ly/attacknav

2. Enter techniques from APT39 and Cobalt Kitty/OceanLotus into separate Navigator layers with a unique score for each layer’s techniques

3. Combine the layers in Navigator to create a third layer

4. Make your third layer look pretty

5. Make a list of the techniques that overlap between the two groups

▪ Please pause. We suggest giving yourself 15 minutes for this exercise.


Initial Access

rive by Compromise


ardware Additions



pearphishing ink




alid Accounts

Execution

Apple cript

CM T


Compiled TM ile

Control anel Items

ynamic ata xchange




Install til

aunchctl

ocal ob cheduling

A river

Mshta

ower hell

Regsvcs Regasm

Regsvr

Rundll

cheduled Task

cripting

ervice xecution


ource

pace after ilename

Third party oftware

Trap


ser xecution


cript rocessing

Persistence




AppCert s

AppInit s

Application himming


IT obs

ootkit

rowser xtensions


Component irmware


Create Account

earch rder i acking

ylib i acking




ooking

ypervisor


aunch Agent

aunch aemon

aunchctl

C A I Addition

ocal ob cheduling

ogin Item

ogon cripts

A river


Netsh elper

New ervice


ath Interception

list Modification

ort nocking

ort Monitors

Rc.common


Redundant Access

Registry Run eys tartup older

cheduled Task

creensaver



etuid and etgid



tartup Items

ystem irmware

Time roviders

Trap

alid Accounts

Web hell


Winlogon elper




AppCert s

AppInit s

Application himming


earch rder i acking

ylib i acking


ooking


aunch aemon

New ervice

ath Interception

list Modification

ort Monitors

rocess In ection

cheduled Task


etuid and etgid

I istory In ection

tartup Items

udo

udo Caching

alid Accounts

Web hell

Defense Evasion


inary adding

IT obs



CM T

Code igning

Compiled TM ile

Component irmware


Control anel Items

C hadow



earch rder i acking

ide oading


ile eletion

ile ermissions Modification


atekeeper ypass


idden sers

idden Window

I TC NTR


Indicator locking





Install til

aunchctl

C MAIN i acking

Masquerading

Modify Registry

Mshta


NT ile Attributes


list Modification

ort nocking

rocess oppelg nging

rocess ollowing

rocess In ection

Redundant Access

Regsvcs Regasm

Regsvr

Rootkit

Rundll

cripting


oftware acking

pace after ilename

Template In ection

Timestomp


alid Accounts

Web ervice

cript rocessing

Credential Access


ash istory

rute orce

Credential umping

Credentials in iles




ooking

Input Capture

Input rompt

erberoasting

eychain

MNR N T N oisoning

Network niffing

assword ilter

rivate eys

ecurityd Memory


Discovery

Account iscovery






Network niffing




rocess iscovery

uery Registry






ystem Time iscovery

Lateral Movement

Apple cript


ogon cripts

ass the ash

ass the Ticket


Remote ile Copy

Remote ervices


hared Webroot

i acking

Taint hared Content

Third party oftware

Windows Admin hares


Collection

Audio Capture


Clipboard ata


ata from ocal ystem



ata taged

mail Collection

Input Capture

Man in the rowser

creen Capture

ideo Capture

Exfiltration


ata Compressed

ata ncrypted



cheduled Transfer

Command And Control

Commonly sed ort


Connection roxy


ata ncoding

ata bfuscation

omain ronting

allback Channels

Multi hop roxy

Multi tage Channels



ort nocking

Remote Access Tools

Remote ile Copy


ncommonly sed ort

Web ervice

Initial Access

rive by Compromise


ardware Additions



pearphishing ink




alid Accounts

Execution

Apple cript

CM T


Compiled TM ile

Control anel Items

ynamic ata xchange




Install til

aunchctl

ocal ob cheduling

A river

Mshta

ower hell

Regsvcs Regasm

Regsvr

Rundll

cheduled Task

cripting

ervice xecution


ource

pace after ilename

Third party oftware

Trap


ser xecution


cript rocessing

Persistence




AppCert s

AppInit s

Application himming


IT obs

ootkit

rowser xtensions


Component irmware


Create Account

earch rder i acking

ylib i acking




ooking

ypervisor


aunch Agent

aunch aemon

aunchctl

C A I Addition

ocal ob cheduling

ogin Item

ogon cripts

A river


Netsh elper

New ervice


ath Interception

list Modification

ort nocking

ort Monitors

Rc.common


Redundant Access


cheduled Task

creensaver



etuid and etgid



tartup Items

ystem irmware

Time roviders

Trap

alid Accounts

Web hell


Winlogon elper




AppCert s

AppInit s

Application himming


earch rder i acking

ylib i acking


ooking


aunch aemon

New ervice

ath Interception

list Modification

ort Monitors

rocess In ection

cheduled Task


etuid and etgid

I istory In ection

tartup Items

udo

udo Caching

alid Accounts

Web hell

Defense Evasion


inary adding

IT obs



CM T

Code igning

Compiled TM ile

Component irmware


Control anel Items

C hadow



earch rder i acking

ide oading


ile eletion



atekeeper ypass


idden sers

idden Window

I TC NTR


Indicator locking





Install til

aunchctl

C MAIN i acking

Masquerading

Modify Registry

Mshta


NT ile Attributes


list Modification

ort nocking

rocess oppelg nging

rocess ollowing

rocess In ection

Redundant Access

Regsvcs Regasm

Regsvr

Rootkit

Rundll

cripting


oftware acking

pace after ilename

Template In ection

Timestomp


alid Accounts

Web ervice

cript rocessing

Credential Access


ash istory

rute orce

Credential umping

Credentials in iles




ooking

Input Capture

Input rompt

erberoasting

eychain

MNR N T N oisoning

Network niffing

assword ilter

rivate eys

ecurityd Memory


Discovery

Account iscovery






Network niffing




rocess iscovery

uery Registry






ystem Time iscovery

Lateral Movement

Apple cript


ogon cripts

ass the ash

ass the Ticket


Remote ile Copy

Remote ervices


hared Webroot

i acking

Taint hared Content

Third party oftware

Windows Admin hares


Collection

Audio Capture


Clipboard ata


ata from ocal ystem



ata taged

mail Collection

Input Capture

Man in the rowser

creen Capture

ideo Capture

Exfiltration


ata Compressed

ata ncrypted



cheduled Transfer

Command And Control

Commonly sed ort


Connection roxy


ata ncoding

ata bfuscation

omain ronting

allback Channels

Multi hop roxy

Multi tage Channels



ort nocking

Remote Access Tools

Remote ile Copy


ncommonly sed ort

Web ervice

Initial Access

rive by Compromise


ardware Additions



pearphishing ink




alid Accounts

Execution

Apple cript

CM T


Compiled TM ile

Control anel Items

ynamic ata xchange




Install til

aunchctl

ocal ob cheduling

A river

Mshta

ower hell

Regsvcs Regasm

Regsvr

Rundll

cheduled Task

cripting

ervice xecution


ource

pace after ilename

Third party oftware

Trap


ser xecution


cript rocessing

Persistence




AppCert s

AppInit s

Application himming


IT obs

ootkit

rowser xtensions


Component irmware


Create Account

earch rder i acking

ylib i acking




ooking

ypervisor


aunch Agent

aunch aemon

aunchctl

C A I Addition

ocal ob cheduling

ogin Item

ogon cripts

A river


Netsh elper

New ervice


ath Interception

list Modification

ort nocking

ort Monitors

Rc.common


Redundant Access


cheduled Task

creensaver



etuid and etgid



tartup Items

ystem irmware

Time roviders

Trap

alid Accounts

Web hell


Winlogon elper




AppCert s

AppInit s

Application himming


earch rder i acking

ylib i acking


ooking


aunch aemon

New ervice

ath Interception

list Modification

ort Monitors

rocess In ection

cheduled Task


etuid and etgid

I istory In ection

tartup Items

udo

udo Caching

alid Accounts

Web hell

Defense Evasion


inary adding

IT obs



CM T

Code igning

Compiled TM ile

Component irmware


Control anel Items

C hadow



earch rder i acking

ide oading


ile eletion



atekeeper ypass


idden sers

idden Window

I TC NTR


Indicator locking





Install til

aunchctl

C MAIN i acking

Masquerading

Modify Registry

Mshta


NT ile Attributes


list Modification

ort nocking

rocess oppelg nging

rocess ollowing

rocess In ection

Redundant Access

Regsvcs Regasm

Regsvr

Rootkit

Rundll

cripting


oftware acking

pace after ilename

Template In ection

Timestomp


alid Accounts

Web ervice

cript rocessing

Credential Access


ash istory

rute orce

Credential umping

Credentials in iles




ooking

Input Capture

Input rompt

erberoasting

eychain

MNR N T N oisoning

Network niffing

assword ilter

rivate eys

ecurityd Memory


Discovery

Account iscovery






Network niffing




rocess iscovery

uery Registry






ystem Time iscovery

Lateral Movement

Apple cript


ogon cripts

ass the ash

ass the Ticket


Remote ile Copy

Remote ervices


hared Webroot

i acking

Taint hared Content

Third party oftware

Windows Admin hares


Collection

Audio Capture


Clipboard ata


ata from ocal ystem



ata taged

mail Collection

Input Capture

Man in the rowser

creen Capture

ideo Capture

Exfiltration


ata Compressed

ata ncrypted



cheduled Transfer

Command And Control

Commonly sed ort


Connection roxy


ata ncoding

ata bfuscation

omain ronting

allback Channels

Multi hop roxy

Multi tage Channels



ort nocking

Remote Access Tools

Remote ile Copy


ncommonly sed ort

Web ervice


APT39

Both groups

OceanLotus



▪ Here are the overlapping techniques:

1. Spearphishing Attachment

2. Spearphishing Link

3. Scheduled Task

4. Scripting

5. User Execution

6. Registry Run Keys/Startup Folder

7. Network Service Scanning



Understand ATT&CK

Map data to ATT&CK


data





Module 4 Module 5

End of Module 4


Module 5:Making Defensive Recommendations from

ATT&CK-Mapped Data



Understand ATT&CK

Map data to ATT&CK


data





Module 4 Module 5

Applying Technique Intelligence to Defense

▪ We’ve now seen a few ways to identify techniques seen in the wild

– Extracted from finished reporting

– Extracted from raw/incident data

– Leveraging data already mapped by ATT&CK team

▪ Can identify techniques used by multiple groups we care about

– May be our highest priority starting point

▪ How do we make that intelligence actionable?


Process for Making Recommendations from Techniques

0. Determine priority techniques

1. Research how techniques are being used

2. Research defensive options related to technique

3. Research organizational capability/constraints

4. Determine what tradeoffs are for org on specific options

5. Make recommendations


0. Determine Priority Techniques

▪ Multiple ways to prioritize, today focused on leveraging CTI

1. Data sources: what data do you have already?

2. Threat intelligence: what are your adversaries doing?

3. Tools: what can your current tools cover?

4. Red team: what can you see red teamers doing?



▪ Threat intelligence: what are your adversaries doing?



3. Scheduled Task

4. Scripting

5. User Execution




1. Research How Techniques Are Being Used

▪ What specific procedures are being used for a given technique?

– Important that our defensive response overlaps with activity

From the APT39 Report

FireEye Intelligence has observed APT39 leverage spear phishing emails with malicious attachments and/or hyperlinks typically resulting in a POWBAT infection


From the Cobalt Kitty Report

Two types of payloads were found in the spear-phishing emails



2. Research Defensive Options Related to Technique

▪ Many sources provide defensive information indexed to ATT&CK

– ATT&CK

▪ Data Sources

▪ Detections

▪ Mitigations

▪ Research linked to from Technique pages

– MITRE Cyber Analytics Repository (CAR)

– Roberto Rodrigue ’s ThreatHunter-Playbook

– Atomic Threat Coverage

▪ Supplement with your own research



▪ Further research shows that for Windows to generate event 4688 multiple GPO changes are required and it is very noisy

▪ Similar information can be gathered via Sysmon with better filtering

Sept 2018 ver 1.0 MalwareArchaeology.com Page 11 of 15

WINDOWS ATT&CK LOGGING CHEAT SHEET - Win 7 - Win 2012

Execution Service Execution T1035 4688 Process CMD Line

4688 Process Execution

4657 Windows Registry

7045 New Service

7040 Service Change

Execution User Execution T1204 4688 Process CMD Line


Anti-virus

Execution Windows Management Instrumentation

T1047 4688 Process CMD Line


4624 Authentication logs

Netflow/Enclave netflow

Execution,Lateral Movement Third-party Software

T1072 4688 Process Execution

5156 Windows Firewall

4663 File monitoring

4657 Windows Registry

Binary file metadata

Third-party application logs

Execution,Lateral Movement Windows Remote Management

T1028 4688 Process CMD Line



5140/5145 Net Shares


4624 Authentication logs

Netflow/Enclave netflow

Execution,Persistence LSASS Driver T1177 4688 Process Execution


DLL monitoring

Loaded DLLs Sysmon - ID 6 Kernel drivers

API monitoring

Execution,Persistence,Privilege Escalation

Scheduled Task T1053 4688 Process CMD Line



Windows event logs

Exfiltration Automated Exfiltration


4688 Process CMD Line



Exfiltration Data Compressed T1002 4688 Process Execution


4663 File Monitoring


IDS/IPS DLP Binary file metadata

Exfiltration Data Encrypted T1022 4688 Process Execution



Binary file metadata

IDS/IPS DLP Network protocol analysis

Exfiltration Data Transfer Size Limits

T1030 5156 Windows Firewall


Packet capture Netflow/Enclave netflow

Exfiltration Exfiltration Over Alternative Protocol



Packet capture Netflow/Enclave netflow

Network protocol analysis

User interface

Exfiltration Exfiltration Over Command and Control Channel



LMD - SRUM User interface

Exfiltration Exfiltration Over Other Network Medium




User interface

https://www.malwarearchaeology.com/s/Windows-ATTCK_Logging-Cheat-Sheet_ver_Sept_2018.pdf



▪ ATT&CK:

– https://attack.mitre.org

▪ Cyber Analytics Repository:

– https://car.mitre.org/

▪ Threat Hunter Playbook

– https://github.com/hunters-forge/ThreatHunter-Playbook

▪ Windows ATT&CK Logging Cheatsheet

– https://www.malwarearchaeology.com/cheat-sheets


https://attack.mitre.org/

https://car.mitre.org/

https://github.com/hunters-forge/ThreatHunter-Playbook

https://www.malwarearchaeology.com/cheat-sheets


▪ User training

▪ Application whitelisting

▪ Block unknown files in transit

▪ NIPS

▪ File detonation systems

▪ Monitor command-line arguments

– Windows Event Log 4688

– Sysmon

▪ Anti-Virus

▪ Endpoint sensing


3. Research Organizational Capabilities/Constraints

▪ What data sources, defenses, mitigations are already collected/in place?

– Some options may be inexpensive/simple

– Possibly new analytics on existing sources

▪ What products are already deployed that may have add’l capabilities?

– E.g. able to gather new data sources/implement new mitigations

▪ Is there anything about the organization that may preclude responses?

– E.g. user constraints/usage patterns



▪ Notional Capabilities

– Windows Events already collected to SIEM (but not process info)

– Evaluating application whitelisting tools

– Highly technical workforce

– Already have an email file detonation appliance

– Already have anti-virus on all endpoints

▪ Notional Constraints

– SIEM at close to license limit, increase would be prohibitive

– Large portion of user population developers, run arbitrary binaries

– Files in transit usually encrypted passing by NIPS


4. Determine What Tradeoffs Are for Org on Specific Options

▪ How do each of the identified options fit into your org?

▪ Example Positives

– Leveraging existing strengths/tools/data sources

– Close fit with specific threat

▪ Example Negatives

– Cost not commiserate with risk averted

– Poor cultural fit with organization

▪ Highly dependent on your specific organization



Defensive option Example Pros Example Cons

Increase user training around clicking on attachments

Covers most common use case, technical workforce likely will make good sensors

Time investment by all users, training fatigue

Enforcement of application whitelisting

Already examining whitelisting solution, most binaries of concern never seen before

Developer population heavily impacted if prevented from running arbitrary binaries. High support cost.

Monitor command-line arguments/create analytic

Collecting events already, already feeding into a SIEM

Volume of logs from processes likely unacceptable license cost.

Anti-Virus Already in place Limited signature coverage

Install endpoint detection and response (EDR) product

Possibly best visibility without greatly increasing log volumes

No existing tool, prohibitively expensive

Email Detonation Appliance Already in place May not have full visibility into inbound email


5. Make Recommendations

▪ Could be technical, policy, or risk acceptance

▪ Could be for management, SOC, IT, all of the above

▪ Some potential recommendation types:

– Technical

▪ Collect new data sources

▪ Write a detection/analytic from existing data

▪ Change a config/engineering changes

▪ New tool

– Policy changes

▪ Technical/human

– Accept risk

▪ Some things are undetectable/unmitigable or not worth the tradeoff


Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact

Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction


Launchctl Access Token Manipulation Account Manipulation Account Discovery Application Deployment Software

Automated Collection Communication Through Removable Media

Data Compressed Data Encrypted for Impact

Local Job Scheduling Bypass User Account Control Bash History Application WindowDiscovery

Clipboard Data Data Encrypted Defacement

External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed ComponentObject Model


Connection Proxy Data Transfer Size Limits Disk Content Wipe

Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Discovery

Custom Command and Control Protocol


Disk Structure Wipe


AppleScript DLL Search Order Hijacking Credentials in Files Exploitation ofRemote Services

Data from Local System Endpoint Denial of Service

CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network Shared Drive



Firmware Corruption

Spearphishing Attachment Command-Line Interface Plist Modification Exploitation forCredential Access

File and Directory Discovery Logon Scripts Inhibit System Recovery

Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Protocol


Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking

Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Physical Medium


Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain GenerationAlgorithms

Service Stop

Valid Accounts Execution through Module Load

Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation

Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Removable Media

Screen Capture Fallback Channels Transmitted Data ManipulationExploitation for

Client Execution

File System Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication

Hooking Component Object ModelHijacking


Remote System Discovery Shared Webroot Multi-hop Proxy

Graphical User Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer Encryption

InstallUtil New Service Control Panel Items Password Filter DLL System InformationDiscovery

Taint Shared Content Multi-Stage Channels

Mshta Path Interception DCShadow Private Keys Third-party Software Port Knocking

PowerShell Port Monitors Deobfuscate/Decode Filesor Information

Securityd Memory System Network Configuration Discovery

Windows Admin Shares Remote Access Tools

Regsvcs/Regasm Service Registry Permissions Weakness Two-Factor AuthenticationInterception


Remote File Copy

Regsvr32 Setuid and Setgid Disabling Security Tools System Network Connections Discovery

Standard Application Layer ProtocolRundll32 Startup Items DLL Side-Loading

Scripting Web Shell Execution Guardrails System Owner/UserDiscovery

Standard Cryptographic ProtocolService Execution .bash_profile and .bashrc Exploitation for

Privilege EscalationExploitation for

Defense EvasionSigned Binary Proxy Execution

Account Manipulation System Service Discovery Standard Non-ApplicationLayer ProtocolAuthentication Package SID-History Injection File Deletion System Time Discovery


BITS Jobs Sudo File Permissions Modification



Bootkit Sudo Caching Web Service

Source Browser Extensions File System Logical Offsets

Space after Filename Change Default File Association

Gatekeeper Bypass

Third-party Software Group Policy Modification

Trusted Developer Utilities Component Firmware Hidden Files and Directories

User Execution Component ObjectModel Hijacking

Hidden Users

Windows Management Instrumentation

Hidden Window

Create Account HISTCONTROL


External Remote Services Indicator Blocking

Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor




Launch Agent Install Root Certificate

LC_LOAD_DYLIB Addition InstallUtil

Login Item Launchctl

Logon Scripts LC_MAIN Hijacking

Modify Existing Service Masquerading

Netsh Helper DLL Modify Registry

Office Application Startup Mshta

Port Knocking Network Share ConnectionRemovalRc.common

Redundant Access NTFS File Attributes


Obfuscated Filesor Information

Re-opened Applications Port Knocking

Screensaver Process Doppelgänging

Security Support Provider Process Hollowing

Shortcut Modification Redundant Access

SIP and Trust ProviderHijacking

Regsvcs/Regasm

Regsvr32

System Firmware Rootkit


LegendHigh Confidence of Detection

Some Confidence of DetectionLow Confidence of DetectionPrioritized Technique

We’ll tackle Spearphishing Attachment and

Spearphishing Link via new user training

Supply Chain Compromise and Component Firmware

are beyond our capability and resources to stop or detect,

so we’ll accept the risk

None of our existing tools have visibility into

Command-Line Interface so we’ll need to

obtain something new


5. Make Recommendations (Example)

1. New user training around not clicking on attachments

– Policy changed matched with a technical workforce

2. Continued use of AV

– No additional cost

3. Increase coverage of email detonation

– Taking advantage of existing tools


Exercise 5: Defensive Recommendations

Worksheet in attack.mitre.org/training/cti under Exercise 5

“Making Defensive Recommendations Guided Exercise”

Download the worksheet and work through recommendation process

0. Determine priority techniques

1. Research how techniques are being used

2. Research defensive options related to technique

3. Research organizational capability/constraints

4. Determine what tradeoffs are for org on specific options

5. Make recommendations

▪ Please pause. We suggest giving yourself 15 minutes for this exercise.©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.

Going Over the Exercise

▪ What resources were helpful to you finding defensive options?

▪ What kind of recommendations did you end up making?

▪ Did you consider doing nothing or accepting risk?

▪ Were there any options that were completely inappropriate for you?



▪ Threat intelligence: what are your adversaries doing?



3. Scheduled Task

4. Scripting

5. User Execution





From the Cobalt Kitty Report


Within a Word Macro


▪ For this exercise, assume that you have Windows Event Log Collection going to a SIEM, but no ability to collect process execution logging.



Defensive option Pros Cons

Monitor scheduled task creation from common utilities using command-line invocation

Would allow us to collect detailed information on how task added.

Organization has no ability to collect process execution logging.

Configure event logging for scheduled task creation and changes

Fits well into existing Windows Event Log collection system, would be simple to implement enterprise wide.

Increases collected log volumes.

Sysinternals Autoruns may also be used

Would collect on other persistence techniques as well. Tool is free.

Not currently installed, would need to be added to all systems along with data collection and analytics of results.

Monitor processes and command-line arguments

Would allow us to collect detailed information on how task added.

Organization has no ability to collect process execution logging.



Given the limitations and sources we pointed at, likely answers similar to:

▪ Enable "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service, and create analytics around Event ID 106 - Scheduled task registered, and Event ID 140 - Scheduled task updated

Possibly

▪ Use Autoruns to watch for changes that could be attempts at persistence


In Closing

Understand ATT&CK

Map data to ATT&CK


data





Module 4 Module 5

https://[email protected]@MITREattack

Adam Pennington@_whatshisface

Katie Nickels@likethecoins


End of Module 5


module 1: introducing the training and … workshop...module 1: introducing the training and...

Documents