Adversarial Tactics, Techniques and Common Knowledge (ATT&CK™) Blake Strom August 2015 Approved for Public Release; Distribution Unlimited. Case Number 15-1288 © 2015 The MITRE Corporation. All rights reserved. |2| Cyber Attack Lifecycle Recon Deliver Weaponize Control Exploit Maintain Execute Traditional CND ATT&CK Better understand tactics used by the adversary already operating within a network © 2015 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 15-1288 |3| Threat Based Modeling • Cyber threat analysis • Research • Industry reports Adversary Behavior © 2015 The MITRE Corporation. All rights reserved. ATT&CK • Adversary model • Post-access techniques • Data sources • Analytics • Prioritization Enterprise Defense Approved for Public Release; Distribution Unlimited. Case Number 15-1288 |4| Cyber Attack Lifecycle – Enhanced Persistence Privilege Escalation Credential Access Host Enumeration Defense Evasion Lateral Movement Execution Command and Control Exfiltration Threat data informed adversary model Higher fidelity on right-of-exploit, post-access phases Describes behavior sans adversary tools © 2015 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 15-1288 |5| ATT&CK Adversary Model Consists of: 1. Decomposed post-exploit phases of Cyber Attack Lifecycle 2. List of techniques available to adversaries for each phase 3. Possible methods of detection and mitigation 4. Apply documented adversary use of techniques Publically available adversary information is a problem – Not granular enough – Insufficient volume © 2015 The MITRE Corporation. All rights reserved. Image source: www.mrpotatohead.net Mr. Potato Head is a registered trademark of Hasbro Inc. Approved for Public Release; Distribution Unlimited. Case Number 15-1288 |6| Use of Public Adversary Information Publicly reported adversary group and tool coverage: – 16 groups and counting Examples: APT28, APT30, DarkHotel, Hurricane Panda, Ke3chang, Cleaver, Axiom – 30 tools and counting Examples: Mimikatz, PsExec, dsquery, Hikit, PlugX, Poison Ivy © 2015 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 15-1288 |7| Technique Details Persistence –New Service – Description: Installation of a new service. May use service name from previous or newer OS or create entirely new service name. – Platform: Windows – Permissions required: Administrator, SYSTEM – Effective permissions: SYSTEM – Use: Part of initial infection vector or used during operation to locally or remotely execute persistent malware. – Detection: Monitor new service creation. Look for out of the ordinary service names and activity that does not correlate with known-good software, patches, etc. New services may show up as outlier processes that have not been seen before when compared against historical data. – Data Sources: Windows Registry, process information © 2015 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 15-1288 |8| ATT&CK: The Tactics and Techniques Persistence Privilege Escalation Defense Evasion Legitimate Credentials Binary Accessibility Features Padding AddMonitor DLL SideDLL Search Order Hijack Loading Disabling Edit Default File Handlers Security New Service Tools Path Interception File System Scheduled Task Logical Service File Permission Offsets Weakness Process Hollowing Shortcut Modification Rootkit Web shell Bypass UAC BIOS DLL Injection Hypervisor Indicator Exploitation Rootkit blocking on of host Logon Scripts Vulnerability Indicator Master Boot removal from Record tools Indicator Mod. Exist’g removal from Service host Registry Run MasqueradKeys ing NTFS Serv. Reg. Perm. Extended Weakness Attributes Windows Mgmt Obfuscated Instr. Event Payload Subsc. Rundll32 Winlogon Helper Scripting DLL Software Packing Timestomp © 2015 The MITRE Corporation. All rights reserved. Credential Access Host Enumeration Lateral Movement Credential Dumping Credentials in Files Network Sniffing User Interaction Credential manipulation Account enumeration File system enumeration Application deployment software Exploitation of Vulnerability Logon scripts Pass the hash Pass the ticket Peer connections Remote Desktop Protocol Group permission enumeration Local network connection enumeration Local networking enumeration Operating system enumeration Owner/User enumeration Process enumeration Security software enumeration Service enumeration Window enumeration Execution Command Line File Access PowerShell Process Hollowing Registry Rundll32 Scheduled Task Service Manipulation Third Party Software Windows management instrumentation Windows remote management Remote Services Replication through removable media Shared webroot Taint shared content Windows admin shares C2 Exfiltration Commonly used port Comm through removable media Custom application layer protocol Custom encryption cipher Data obfuscation Fallback channels Multiband comm Multilayer encryption Peer connections Standard app layer protocol Standard non-app layer protocol Standard encryption cipher Uncommonly used port Automated or scripted exfiltration Data compressed Data encrypted Data size limits Data staged Exfil over C2 channel Exfil over alternate channel to C2 network Exfil over other network medium Exfil over physical medium Approved for Public Release; Distribution Unlimited. Case Number 15-1288 From local system From network resource From removable media Scheduled transfer |9| Applications Gap analysis with current defenses Prioritize detection/mitigation of heavily used techniques Information sharing Track a specific adversary’s set of techniques Simulations, exercises New technologies, research © 2015 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 15-1288 | 10 | Tactic Breakdown Persistence Privilege Escalation Credential Access Host Enumeration Defense Evasion 20 14 5 11 Lateral Movement Execution Command and Control Exfiltration 14 11 13 13 19 © 2015 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 15-1288 | 11 | Publicly Known Adversary Use Persistence Privilege Escalation Credential Access Host Enumeration Defense Evasion 20 14 5 Lateral Movement 5 Execution 4 Command and Control 3 Exfiltration 11 8 19 12 © 2015 The MITRE Corporation. All rights reserved. 14 6 11 5 13 10 13 4 Approved for Public Release; Distribution Unlimited. Case Number 15-1288 | 12 | Publically Reported Technique Use Persistence Privilege Escalation Defense Evasion Legitimate Credentials Binary Accessibility Features Padding AddMonitor DLL SideDLL Search Order Hijack Loading Disabling Edit Default File Handlers Security New Service Tools Path Interception File System Scheduled Task Logical Service File Permission Offsets Weakness Process Hollowing Shortcut Modification Rootkit Web shell Bypass UAC BIOS DLL Injection Hypervisor Indicator Exploitation Rootkit blocking on of host Logon Scripts Vulnerability Indicator Master Boot removal from Record tools Indicator Mod. Exist’g removal from Service host Registry Run MasqueradKeys ing NTFS Serv. Reg. Perm. Extended Weakness Attributes Windows Mgmt Obfuscated Instr. Event Payload Subsc. Rundll32 Winlogon Helper Scripting DLL Software Packing Timestomp © 2015 The MITRE Corporation. All rights reserved. Credential Access Host Enumeration Lateral Movement Credential Dumping Credentials in Files Network Sniffing User Interaction Credential manipulation Account enumeration File system enumeration Application deployment software Exploitation of Vulnerability Logon scripts Pass the hash Pass the ticket Peer connections Remote Desktop Protocol Group permission enumeration Local network connection enumeration Local networking enumeration Operating system enumeration Owner/User enumeration Process enumeration Security software enumeration Service enumeration Window enumeration Execution Command Line File Access PowerShell Process Hollowing Registry Rundll32 Scheduled Task Service Manipulation Third Party Software Windows management instrumentation Windows remote management Remote Services Replication through removable media Shared webroot Taint shared content Windows admin shares C2 Exfiltration Commonly used port Comm through removable media Custom application layer protocol Custom encryption cipher Data obfuscation Fallback channels Multiband comm Multilayer encryption Peer connections Standard app layer protocol Standard non-app layer protocol Standard encryption cipher Uncommonly used port Automated or scripted exfiltration Data compressed Data encrypted Data size limits Data staged Exfil over C2 channel Exfil over alternate channel to C2 network Exfil over other network medium Exfil over physical medium Approved for Public Release; Distribution Unlimited. Case Number 15-1288 From local system From network resource From removable media Scheduled transfer | 13 | Notional Defense Gaps Persistence Privilege Escalation Defense Evasion Legitimate Credentials Binary Accessibility Features Padding AddMonitor DLL SideDLL Search Order Hijack Loading Disabling Edit Default File Handlers Security New Service Tools Path Interception File System Scheduled Task Logical Service File Permission Offsets Weakness Process Hollowing Shortcut Modification Rootkit Web shell Bypass UAC BIOS DLL Injection Hypervisor Indicator Exploitation Rootkit blocking on of host Logon Scripts Vulnerability Indicator Master Boot removal from Record tools Indicator Mod. Exist’g removal from Service host Registry Run MasqueradKeys ing NTFS Serv. Reg. Perm. Extended Weakness Attributes Windows Mgmt Obfuscated Instr. Event Payload Subsc. Rundll32 Winlogon Helper Scripting DLL Software Packing Timestomp © 2015 The MITRE Corporation. All Detect rights reserved. Detect Partially Credential Access Host Enumeration Lateral Movement Credential Dumping Credentials in Files Network Sniffing User Interaction Credential manipulation Account enumeration File system enumeration Application deployment software Exploitation of Vulnerability Logon scripts Pass the hash Pass the ticket Peer connections Remote Desktop Protocol No Detect Group permission enumeration Local network connection enumeration Local networking enumeration Operating system enumeration Owner/User enumeration Process enumeration Security software enumeration Service enumeration Window enumeration Execution Command Line File Access PowerShell Process Hollowing Registry Rundll32 Scheduled Task Service Manipulation Third Party Software Windows management instrumentation Windows remote management Remote Services Replication through removable media Shared webroot Taint shared content Windows admin shares C2 Exfiltration Commonly used port Comm through removable media Custom application layer protocol Custom encryption cipher Data obfuscation Fallback channels Multiband comm Multilayer encryption Peer connections Standard app layer protocol Standard non-app layer protocol Standard encryption cipher Uncommonly used port Automated or scripted exfiltration Data compressed Data encrypted Data size limits Data staged Exfil over C2 channel Exfil over alternate channel to C2 network Exfil over other network medium Exfil over physical medium Approved for Public Release; Distribution Unlimited. Case Number 15-1288 From local system From network resource From removable media Scheduled transfer | 14 | Adversary Visibility at the Perimeter Persistence Privilege Escalation Defense Evasion Legitimate Credentials Binary Accessibility Features Padding AddMonitor DLL SideDLL Search Order Hijack Loading Disabling Edit Default File Handlers Security New Service Tools Path Interception File System Scheduled Task Logical Service File Permission Offsets Weakness Process Hollowing Shortcut Modification Rootkit Web shell Bypass UAC BIOS DLL Injection Hypervisor Indicator Exploitation Rootkit blocking on of host Logon Scripts Vulnerability Indicator Master Boot removal from Record tools Indicator Mod. Exist’g removal from Service host Registry Run MasqueradKeys ing NTFS Serv. Reg. Perm. Extended Weakness Attributes Windows Mgmt Obfuscated Instr. Event Payload Subsc. Rundll32 Winlogon Helper Scripting DLL Software Packing Timestomp Credential Access Host Enumeration Lateral Movement Credential Dumping Credentials in Files Network Sniffing User Interaction Credential manipulation Account enumeration File system enumeration Application deployment software Exploitation of Vulnerability Logon scripts Pass the hash Pass the ticket Peer connections Remote Desktop Protocol © 2015 The MITRE Corporation. rights reserved. No Visibility Full Visibility PartiallyAllVisibility Group permission enumeration Local network connection enumeration Local networking enumeration Operating system enumeration Owner/User enumeration Process enumeration Security software enumeration Service enumeration Window enumeration Execution Command Line File Access PowerShell Process Hollowing Registry Rundll32 Scheduled Task Service Manipulation Third Party Software Windows management instrumentation Windows remote management Remote Services Replication through removable media Shared webroot Taint shared content Windows admin shares C2 Exfiltration Commonly used port Comm through removable media Custom application layer protocol Custom encryption cipher Data obfuscation Fallback channels Multiband comm Multilayer encryption Peer connections Standard app layer protocol Standard non-app layer protocol Standard encryption cipher Uncommonly used port Automated or scripted exfiltration Data compressed Data encrypted Data size limits Data staged Exfil over C2 channel Exfil over alternate channel to C2 network Exfil over other network medium Exfil over physical medium Approved for Public Release; Distribution Unlimited. Case Number 15-1288 From local system From network resource From removable media Scheduled transfer | 15 | Adversary Visibility at the Perimeter Adversary has the most latitude for variation at the network level Firewall, IDS/IPS, netflow, proxy, mail gateway, WCF, SSL MitM, protocol decoders, anomaly detection etc… All partial solutions Don’t add up to a complete one Often require specific prior knowledge – IPs, domains, malware changed easily Sector, organization specific infrastructure Frequently modify tools Use legitimate channels Better coverage with host sensing Visibility Partially ©Full 2015 The MITRE Corporation. All Visibility rights reserved. No Visibility Defense Evasion Legit. Cred. Binary Padding DLL SideLoading Disabling Security Tools File System Logical Offsets Process Hollowing Rootkit Bypass UAC DLL Injection Indicator blocking on host Indicator removal from tools Indicator removal from host Masquerading NTFS Extended Attributes Obfuscated Payload Rundll32 Scripting Software Packing Timestomp C2 Exfiltration Commonly used port Comm through removable media Custom application layer protocol Custom encryption cipher Data obfuscation Fallback channels Multiband comm Multilayer encryption Peer connections Standard app layer protocol Standard non-app layer protocol Standard encryption cipher Uncommonly used port Automated or scripted exfiltration Data compressed Data encrypted Data size limits Data staged Exfil over C2 channel Exfil over alternate channel to C2 network Exfil over other network medium Exfil over physical medium Approved for Public Release; Distribution Unlimited. Case Number 15-1288 From local system From network resource From removable media Scheduled transfer | 16 | Public Website – attack.mitre.org © 2015 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 15-1288 | 17 | Questions? More information: attack.mitre.org Questions and contributions: [email protected] Twitter: @MITREattack © 2015 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 15-1288
© Copyright 2024 Paperzz