
Using MITRE ATT&CK™ for Cyber Threat Intelligence Training
Module 1: Introducing the Training and Understanding ATT&CK
Katie Nickels and Adam Pennington
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.


Training Overview
▪ Five modules consisting of YouTube videos and exercises are available at
attack.mitre.org/training/cti
▪ Module 1: Introducing training and understanding ATT&CK
A. Topic introduction (Video)
▪ Module 2: Mapping to ATT&CK from finished reporting
A. Topic introduction (Video)
B. Exercise 2: Mapping to ATT&CK from finished reporting
(Do it yourself with materials on attack.mitre.org/training/cti)
C. Going over Exercise 2 (Video)
▪ Module 3: Mapping to ATT&CK from raw data
A. Topic introduction (Video)
B. Exercise 3: Mapping to ATT&CK from raw data
(Do it yourself with materials on attack.mitre.org/training/cti)
C. Going over Exercise 3 (Video)
▪ Module 4: Storing and analyzing ATT&CK-mapped intel
A. Topic introduction (Video)
B. Exercise 4: Comparing layers in ATT&CK Navigator
(Do it yourself with materials on attack.mitre.org/training/cti)
C. Going over Exercise 4 (Video)
▪ Module 5: Making ATT&CK-mapped data actionable with defensive recommendations
A. Topic introduction (Video)
B. Exercise 5: Making defensive recommendations
(Do it yourself with materials on attack.mitre.org/training/cti)
C. Going over Exercise 5 and wrap-up (Video)

Process of Applying ATT&CK to CTI

Understand ATT&CK (Module 1) → Map data to ATT&CK (Modules 2 and 3) → Store & analyze ATT&CK-mapped data (Module 4) → Make defensive recommendations from ATT&CK-mapped data (Module 5)

Introduction to ATT&CK and Applying it to CTI


Tough Questions for Defenders

▪ How effective are my defenses?
▪ Do I have a chance at detecting APT29?
▪ Is the data I’m collecting useful?
▪ Do I have overlapping tool coverage?
▪ Will this new product help my organization’s defenses?


What is ATT&CK?

A knowledge base of adversary behavior
➢ Based on real-world observations
➢ Free, open, and globally accessible
➢ A common language
➢ Community-driven

The Difficult Task of Detecting TTPs

David Bianco’s Pyramid of Pain, from the top of the pyramid down (each label rates how much pain the adversary suffers when defenders detect and act on that indicator type):
TTPs: Tough!
Tools: Challenging
Network/Host Artifacts: Annoying
Domain Names: Simple
IP Addresses: Easy
Hash Values: Trivial
Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html


Breaking Down ATT&CK

Tactics: the adversary’s technical goals
Techniques: how the goals are achieved
Procedures: specific technique implementation

[Figure: the ATT&CK Enterprise matrix, one column per tactic: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Each cell under a tactic is a technique (for example, Spearphishing Attachment under Initial Access).]
Technique: Spearphishing Attachment

Group: APT29

ATT&CK Use Cases

[Figure: MITRE’s “Get Started with ATT&CK” poster, laid over the ATT&CK Enterprise matrix (tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). The slide labels four use cases: Threat Intelligence, Detection, Adversary Emulation, and Assessment and Engineering. The poster text recoverable from the slide follows.]

Use ATT&CK for Cyber Threat Intelligence
Cyber threat intelligence comes from many sources, including knowledge of past incidents, commercial threat feeds, information-sharing groups, government threat-sharing programs, and more. ATT&CK gives analysts a common language to communicate across reports and organizations, providing a way to structure, compare, and analyze threat intelligence.

Use ATT&CK to Build Your Defensive Platform
ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats. Check out our website at attack.mitre.org for more information on how each technique can be detected, and adversary examples you can use to start detecting adversary behavior with ATT&CK.

Example analytic pseudocode printed on the poster:

processes = search Process:Create
reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe")
cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe")
reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname)
output reg_and_cmd

Use ATT&CK for Adversary Emulation and Red Teaming
The best defense is a well-tested defense. ATT&CK provides a common adversary behavior framework based on threat intelligence that red teams can use to emulate specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and processes—and then fix them.

Assessment and Engineering
You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit.ly/ATT [URL truncated in source] to learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK content.

Example matrix layers shown on the poster:
Finding Gaps in Defense (legend: Low Priority, High Priority)
Comparing APT28 to APT29 (legend: APT28, APT29, Both)
Valid Accounts InstallUtil Change Default File Association File System Permissions W eakness Component Object Model Hijacking Input Prompt Permission Groups Discovery
Media
Man in the Browser Multi-hop Proxy Runtime Data Manipulation External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Discovery Distributed Component Data from Information Connection Proxy Data Transfer Size Limits Disk Content Wipe
XSL Script Processing
Launchctl Component Firmware Hooking Control Panel Items Kerberoasting Process Discovery Shared W ebroot Screen Capture Multi-Stage Channels Service Stop Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark Object Model Repositories Custom Command and Exfiltration Over Other Disk Structure Wipe
Local Job Scheduling Component Object Model Hijacking
Image File Execution Options
Injection
DCShadow

Deobfuscate/Decode Files or
Keychain

LLMNR/NBT -NS Poisoning and


Query Registry SSH Hijacking Video Capture Multiband Communication Stored Data Manipulation Replication Through
Removable Media
AppleScript
CMSTP
DLL Search Order Hijacking
Image File Execution Options Injection
Credentials in Files
Credentials in Registry
Discovery
Domain Trust Discovery
Exploitation of
Remote Services
Data from Local System
Data from Network
Control Protocol
Custom Cryptographic
Network Medium
Exfiltration Over Command de
Endpoint Denial of Service
Firmware Corruption

rk
LSASS Driver Create Account Launch Daemon Remote System Discovery Taint Shared Content Multilayer Encryption Transmitted Data Manipulation
Information Relay

ction
Mshta DLL Search Order Hijacking New Service Disabling Security Tools Network Snif fing Security Software Discovery Third-party Software Port Knocking
Spearphishing Attachment Command-Line Interface Plist Modification Exploitation for File and Directory Discovery Logon Scripts Shared Drive Protocol and Control Channel Inhibit System Recovery

o
Spearphishing Link Compiled HTML File Valid Accounts Credential Access Network Service Scanning Pass the Hash Data from Removable Media Data Encoding Exfiltration Over Alternative Network Denial of Service
inje
PowerShell Dylib Hijacking Path Interception DLL Search Order Hijacking Password Filter DLL System Information Discovery Windows Admin Shares Remote Access Tools

Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Obfuscation Protocol Resource Hijacking

plate
Data Staged
w
System Network Configuration
Regsvcs/Regasm External Remote Services Plist Modification DLL Side-Loading Private Keys Windows Remote Management Remote File Copy
Discovery
System Network Connections Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting Exfiltration Over Runtime Data Manipulation

tem ATT&CK
Regsvr32 File System Permissions W eakness Port Monitors Execution Guardrails Securityd Memory Standard Application Layer Protocol

e
Use olto Build Your Defensive Platform
Physical Medium

t
Discovery
Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain Generation Service Stop

ne
Two-Factor Authentication
Rundll32 Hidden Files and Directories Process Injection Exploitation for Defense Evasion System Owner/User Discovery Standard Cryptographic Protocol

otoc
Algorithms

rev
Interception
Standard Non-Application Layer
Valid Accounts Execution through Application Shimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation
Scheduled Task Hooking Scheduled Task Extra Window Memory Injection System Service Discovery
Module Load

r pr
Protocol Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery Replication Through Screen Capture Fallback Channels Transmitted Data
Service Registry Permissions
Scripting Hypervisor File Deletion System Time Discovery Uncommonly Used Port
File System Permissions Weakness Component Firmware Keychain Query Discovery Removable Media Video Capture Multiband Communication Manipulation

laye
Weakness Exploitation for
Image File Execution Options
Service Execution
Injection
Setuid and Setgid File Permissions Modification Virtualization/Sandbox Evasion Web Service Client Execution Hooking Component Object Model LLMNR/NBT-NS Poisoning Remote System Discovery Shared Webroot Multi-hop Proxy
n includ es resources
atio ent

are
Hijacking
A TT&CK
Graphical User Interface
d esig ned t o help cyb er d efend ers d evelop analyt ics t hat
Launch Daemon and Relay Security Software Discovery SSH Hijacking Multilayer Encryption
Signed Binary Proxy Execution Kernel Modules and Extensions SID-History Injection File System Logical Of fsets

plic ob
InstallUtil New Service Control Panel Items Password Filter DLL Taint Shared Content Multi-Stage Channels
hm
Signed Script Proxy Execution Launch Agent Startup Items Gatekeeper Bypass
System Information

-apd et ect t he taechniq tac


Source Launch Daemon Sudo Group Policy Modification Mshta Path Interception DCShadow Private Keys Discovery Third-party Software Port Knocking

o n PowerShell
t ues used b y an ad versary. Based on t hreat int ellig ence includ ed in
Port Monitors Deobfuscate/Decode Files Securityd Memory System Network Windows Admin Shares Remote Access Tools

malw
Space after Filename Launchctl Sudo Caching Hidden Files and Directories

Third-party Software LC_LOAD_DYLIB Addition Valid Accounts Hidden Users

r d n i ng
Regsvcs/Regasm
s
Service Registry Permissions Weakness or Information Two-Factor Authentication Configuration Discovery Windows Remote Remote File Copy

da hish or p rovid ool b y analyst s, cyb er d efend ers can creat e a com p rehensive set of
Regsvr32 Setuid and Setgid Disabling Security Tools Interception System Network Management Standard Application Layer

stan A TT&CK ted


Trap Local Job Scheduling Web Shell Hidden Window

Low Priority
arp
Rundll32 Startup Items DLL Side-Loading Connections Discovery Protocol
ss
Trusted Developer Utilities Login Item HISTCONTROL

Legend
spe cceect t hreat
Image File Execution Options Scripting Web Shell Execution Guardrails System Owner/User Standard Cryptographic
User Execution Logon Scripts

High Priority Discovery Protocol


Injection
Windows Management
Instrumentation
LSASS Driver Indicator Blocking
analyt ics t otedaet
Service Execution
n s.
.bash_profile and .bashrc
Account Manipulation
Exploitation for
Privilege Escalation
Exploitation for
Defense Evasion System Service Discovery

atio
Signed Binary Standard Non-Application
Windows Remote Management Modify Existing Service Indicator Removal from Tools

o
Proxy Execution Authentication Package SID-History Injection File Deletion System Time Discovery Layer Protocol

re m rm
XSL Script Processing Netsh Helper DLL Indicator Removal on Host
Signed Script
Initial Access BITS Jobs
Execution Persistence Sudo File
Privilege Escalation PermissionsDefense Evasion Credential Access Virtualization/Sandbox
Discovery Lateral Movement Collection Command And Control Uncommonly Used Port
Exfiltration Impact
New Service Indirect Command Execution Proxy Execution
f o Bootkit Sudo Caching ModificationAccess Token Manipulation Evasion Web Service

r in
Drive-by Compromise AppleScript .bash_profile and .bashrc Access Token Manipulation Account Manipulation Account Discovery AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction

ce
Office Application Startup Install Root Certificate
Source Browser
CMSTP Extensions File System LogicalBinary Offsets Communication Through

so
Exploit Public-Facing Application Accessibility Features Accessibility Features Padding Bash History Application Window Discovery Application Deployment Software Automated Collection Data Compressed Data Encrypted for Impact

rv i
Removable Media
Path Interception InstallUtil Space after Filename
External Remote Services Change Default
Command-Line Interface Account Manipulation AppCert DLLs Gatekeeper Bypass BITS Jobs Brute Force Browser Bookmark Discovery
Distributed Component Object
Clipboard Data Connection Proxy Data Encrypted Defacement

file
Model

se
Plist Modification Launchctl Third-party Software
Hardware Additions
FileCompiled
Association
HTML File AppCert DLLs AppInit DLLs Group Policy Modification
Bypass User Account Control Credential Dumping Domain Trust Discovery Exploitation of Remote Services Data from Information Repositories
Custom Command and Control
Data Transfer Size Limits Disk Content Wipe

Find ing Ga p s in Defense


Protocol

Port Knocking LC_MAIN Hijacking

e d
Trusted Developer Utilities
Replication

f
Through Removable

o
Component
Control Panel Firmware
Items AppInit DLLs Application Hidden
Shimming Files and Directories
Clear Command History Credentials in Files File and Directory Discovery Logon Scripts Data from Local System Custom Cryptographic Protocol Exfiltration Over Alternative Protocol Disk Structure Wipe

c at
Media

l ice
Hidden UsersCMSTP Exfiltration Over Command and

ni a
Port Monitors Masquerading Spearphishing Attachment Dynamic Data Exchange Application Shimming Bypass User Account Control Credentials in Registry Network Service Scanning Pass the Hash Data from Network Shared Drive Data Encoding Endpoint Denial of Service
Control Channel

f us
Exfiltration Over Other Network

e rv
Rc.common Modify Registry Spearphishing Link Execution through API Authentication Package DLL Search Order Hijacking Code Signing Exploitation for Credential Access Network Share Discovery Pass the Ticket Data from Removable Media Data Obfuscation Firmware Corruption

de
Medium

ob
Spearphishing via Service Execution through Module Load BITS Jobs Dylib Hijacking Compile After Delivery Forced Authentication Network Snif fing Remote Desktop Protocol Data Staged Domain Fronting Exfiltration Over Physical Medium Inhibit System Recovery
Re-opened Applications Mshta

Redundant Access
Network Share Connection
Removal

o rk ofs
Supply Chain Compromise Exploitation for Client Execution Bootkit Exploitation for Privilege Escalation Compiled HTML File Hooking Password Policy Discovery Remote File Copy Email Collection Domain Generation Algorithms Scheduled Transfer Network Denial of Service

tw ial ise
Trusted Relationship Graphical User Interface Browser Extensions Extra Window Memory Injection Component Firmware Input Capture Peripheral Device Discovery Remote Services Input Capture Fallback Channels Resource Hijacking
Registry Run Keys / Startup Folder NTFS File Attributes

ne
Replication Through Removable

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Valid Accounts InstallUtil Change Default File Association File System Permissions W eakness Component Object Model Hijacking Input Prompt Permission Groups Discovery Man in the Browser Multi-hop Proxy Runtime Data Manipulation

en om
Media
Scheduled Task Obfuscated Files or Information
Launchctl Component Firmware Hooking Control Panel Items Kerberoasting Process Discovery Shared W ebroot Screen Capture Multi-Stage Channels Service Stop

td pr
Screensaver Plist Modification
Image File Execution Options
Local Job Scheduling Component Object Model Hijacking DCShadow Keychain Query Registry SSH Hijacking Video Capture Multiband Communication Stored Data Manipulation

ol
Injection
Security Support Provider Port Knocking

in m LSASS Driver Create Account Launch Daemon


Deobfuscate/Decode Files or LLMNR/NBT -NS Poisoning and
Remote System Discovery Taint Shared Content Multilayer Encryption Transmitted Data Manipulation

po
Information Relay

co oc
Service Registry Permissions
Process Doppelgänging
Weakness Mshta DLL Search Order Hijacking New Service Disabling Security Tools Network Snif fing Security Software Discovery Third-party Software Port Knocking

Setuid and Setgid Process Hollowing


PowerShell Dylib Hijacking Path Interception DLL Search Order Hijacking Password Filter DLL System Information Discovery Windows Admin Shares Remote Access Tools
ATT&CK and CTI

©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
| 21 |

Threat Intelligence – How ATT&CK Can Help

▪ Use knowledge of adversary behaviors to inform defenders

▪ Structuring threat intelligence with ATT&CK allows us to…


– Compare behaviors
▪ Groups to each other
▪ Groups over time
▪ Groups to defenses
– Communicate in a common language

Communicate to Defenders

CTI Analyst: “THIS is what the adversary is doing! The Run key is AdobeUpdater.”
→ Registry Run Keys / Startup Folder (T1060) →
Defender: “Oh, we have Registry data, we can detect that!”
Communicate Across the Community

Company A: “APT1337 is using autorun”
Company B: “FUZZYDUCK used a Run key”
→ Registry Run Keys / Startup Folder (T1060) →
CTI Consumer: “Oh, you mean T1060!”
Process of Applying ATT&CK to CTI

Understand ATT&CK (Module 1) → Map data to ATT&CK (Modules 2 and 3) → Store & analyze ATT&CK-mapped data (Module 4) → Make defensive recommendations from ATT&CK-mapped data (Module 5)
End of Module 1

Module 2:
Mapping to ATT&CK from a Finished Report

Process of Applying ATT&CK to CTI

Understand ATT&CK (Module 1) → Map data to ATT&CK (Modules 2 and 3) → Store & analyze ATT&CK-mapped data (Module 4) → Make defensive recommendations from ATT&CK-mapped data (Module 5)
Why is it Difficult to Map CTI to ATT&CK?
▪ Requires a shift in analyst thinking
– Indicators → behaviors
▪ Volume of ATT&CK techniques
▪ “Technical” detail of some ATT&CK techniques

But it’s worthwhile because this process…
▪ Forces analysts to shift to thinking about behaviors
▪ Allows them to learn about new adversary techniques
▪ Pushes them to learn the “technical” side
Process of Mapping to ATT&CK

0. Understand ATT&CK
1. Find the behavior
2. Research the behavior
3. Translate the behavior into a tactic
4. Figure out what technique applies to the behavior
5. Compare your results to other analysts

Two key sources for where you get information:
1. Finished reporting
2. Raw data
0. Understand ATT&CK
▪ You need to know what to look for before you can do this
▪ To get analysts started:
– Watch an ATT&CK presentation like Sp4rkcon
– Read the Philosophy Paper and items from our Getting Started page
– Read the Tactic descriptions
– Skim the Technique list
▪ Encourage ongoing learning and discussion
– Have analysts present a technique a week in your team training

1. Find the Behavior
▪ Different mindset from looking for indicators
▪ Look for what the adversary or software does
▪ Focus on initial compromise and post-compromise details
– Info that may not be useful for ATT&CK mapping:
▪ Static malware analysis
▪ Infrastructure registration information
▪ Industry/victim targeting information
1. Find the Behavior

[Tactic] | 1. [Technique]
[Tactic] | 2. [Technique]

https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
2. Research the Behavior
▪ CTI analysts may not be familiar with adversary/software behavior
▪ Encourage them to do additional research:
– Of your own team or organization (defenders/red teamers)
– Of external resources
▪ Time-consuming, but builds better analysts
▪ Understanding of core behavior helps with next steps

2. Research the Behavior

https://en.wikipedia.org/wiki/SOCKS

2. Research the Behavior

? https://www.speedguide.net/port.php?port=1913

3. Translate the Behavior into a Tactic
▪ What is the adversary trying to accomplish?
▪ Often requires domain expertise
– Finished intel can give you context
▪ Only 12 options:
– Initial Access
– Execution
– Persistence
– Privilege Escalation
– Defense Evasion
– Credential Access
– Discovery
– Lateral Movement
– Collection
– Command and Control
– Exfiltration
– Impact
3. Translate the Behavior into a Tactic

▪ “When executed, the malware first establishes a SOCKS5
connection to 192.157.198.103 using TCP port 1913. … Once
the connection to the server is established, the malware
expects a message containing at least three bytes from the
server. These first three bytes are the command identifier. The
following commands are supported by the malware … ”
– A connection in order to command the malware to do something
→ Command and Control
4. Figure Out What Technique Applies
▪ Often the toughest part
▪ Not every behavior is necessarily a technique
▪ Key strategies:
1. Look at the list of Techniques for the identified Tactic
2. Search attack.mitre.org
▪ Try key words
▪ Try “procedure”-level detail
▪ Try specific command strings

4. Figure Out What Technique Applies

Protocol vs. Port → 2 techniques?

4. Figure Out What Technique Applies

“the malware first establishes a SOCKS5 connection”

4. Figure Out What Technique Applies

“establishes a SOCKS5 connection to 192.157.198.103 using TCP port 1913”

“CTRL+F” FTW
Rinse and Repeat

Command and Control | 1. Standard Non-Application Layer Protocol (T1095)
Command and Control | 2. Uncommonly Used Port (T1065)
Privilege Escalation | 3. Exploitation for Privilege Escalation (T1068)
Execution | 4. Command-Line Interface (T1059)
Discovery | 5. System Owner/User Discovery (T1033)
Persistence | 6. Scheduled Task (T1053)

https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
Exercise 2: Cybereason Cobalt Kitty Report
▪ Analyze a threat report to find the Enterprise ATT&CK techniques
– 22 highlighted techniques in the Cybereason Cobalt Kitty report
▪ Choose a PDF from attack.mitre.org/training/cti under Exercise 2
– Choose your own adventure: start with “highlights only” or “tactic hints”
▪ Use the PDF or a text document/piece of paper to record your results
▪ Write down the ATT&CK tactic and technique you think applies to each
highlight
▪ Tips:
– Do keyword searches of our website: https://attack.mitre.org
– Remember that you don’t have to be perfect
– Use this as a chance to dive into ATT&CK
▪ Please pause. We suggest giving yourself 30 minutes for this exercise.
Exercise 2 Optional Bonus Step:
Compare your results to other analysts
▪ Step 5 of the process: Compare your results to other analysts
▪ Helps hedge against analyst biases
– More likely to identify techniques you’ve previously identified

Analyst 1                                        | Analyst 2
Exploitation for Privilege Escalation (T1068)    |
Command-Line Interface (T1059)                   | Command-Line Interface (T1059)
System Owner/User Discovery (T1033)              |
Scheduled Task (T1053)                           | Scheduled Task (T1053)
Standard Non-Application Layer Protocol (T1095)  | Custom Command and Control Protocol (T1094)
Uncommonly Used Port (T1065)                     | Uncommonly Used Port (T1065)
                                                 | Multi-Stage Channels (T1104)

Discuss why it’s different

https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
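The two strategies from step 4 (list the techniques under the tactic chosen in step 3, then search with the report's own words) and the side-by-side comparison from step 5 can be run against a small local catalogue. The following is an added example written for this training, not MITRE's code and not the attack.mitre.org search: the catalogue is a constructed subset of the techniques named in these slides, and the search keywords attached to each technique are my own choice, so treat its hits as candidates for the analyst to confirm, exactly as the slides say not every behavior is a technique.

```python
"""Map a described behavior to candidate ATT&CK techniques and compare two
analysts' results.  Added example; the catalogue is a constructed subset of the
techniques in this deck and the keywords are constructed search terms."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

TACTICS = ("Initial Access", "Execution", "Persistence", "Privilege Escalation",
           "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
           "Collection", "Command and Control", "Exfiltration", "Impact")


@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    tactics: Tuple[str, ...]   # a technique can sit under more than one tactic
    keywords: Tuple[str, ...]  # constructed, lower-case search terms


CATALOGUE: List[Technique] = [
    Technique("T1059", "Command-Line Interface", ("Execution",),
              ("cmd.exe", "command line", "command-line", "shell")),
    Technique("T1053", "Scheduled Task", ("Execution", "Persistence", "Privilege Escalation"),
              ("schtasks", "scheduled task", "at.exe")),
    Technique("T1068", "Exploitation for Privilege Escalation", ("Privilege Escalation",),
              ("exploit", "vulnerability", "escalat")),
    Technique("T1033", "System Owner/User Discovery", ("Discovery",),
              ("whoami", "current user", "logged-on user")),
    Technique("T1095", "Standard Non-Application Layer Protocol", ("Command and Control",),
              ("socks", "raw tcp", "udp", "icmp")),
    Technique("T1065", "Uncommonly Used Port", ("Command and Control",),
              ("port", "non-standard port")),
    Technique("T1094", "Custom Command and Control Protocol", ("Command and Control",),
              ("custom protocol", "command identifier")),
    Technique("T1104", "Multi-Stage Channels", ("Command and Control",),
              ("second stage", "multi-stage", "additional payload")),
    Technique("T1071", "Standard Application Layer Protocol", ("Command and Control",),
              ("http", "dns", "smtp")),
]


def techniques_for_tactic(tactic: str) -> List[str]:
    """Strategy 1: the techniques filed under the tactic picked in step 3."""
    if tactic not in TACTICS:
        raise ValueError(f"unknown tactic: {tactic!r}")
    return [t.tid for t in CATALOGUE if tactic in t.tactics]


def _matches(keyword: str, haystack: str) -> bool:
    # Match only at a word start, so "port" fires on "port 1913" but not on "supported".
    return re.search(r"\b" + re.escape(keyword), haystack) is not None


def search(text: str, tactic: Optional[str] = None) -> Dict[str, List[str]]:
    """Strategy 2: keyword search with the report's own wording, optionally limited
    to one tactic.  Returns {technique id: [keywords that hit]}, most hits first."""
    if tactic is not None and tactic not in TACTICS:
        raise ValueError(f"unknown tactic: {tactic!r}")
    haystack = text.lower()
    hits: Dict[str, List[str]] = {}
    for t in CATALOGUE:
        if tactic is not None and tactic not in t.tactics:
            continue
        matched = [k for k in t.keywords if _matches(k, haystack)]
        if matched:
            hits[t.tid] = matched
    return dict(sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def compare(analyst_a: Iterable[str], analyst_b: Iterable[str]) -> Dict[str, Set[str]]:
    """Step 5: lay two analysts' technique lists side by side.  The differences are
    the discussion agenda, not a score; both readings of the SOCKS channel below
    are defensible."""
    a, b = set(analyst_a), set(analyst_b)
    return {"agreed": a & b, "only_a": a - b, "only_b": b - a}


if __name__ == "__main__":
    # The Operation DoubleTap quote used in the slides
    QUOTE = ("When executed, the malware first establishes a SOCKS5 connection to "
             "192.157.198.103 using TCP port 1913. Once the connection to the server is "
             "established, the malware expects a message containing at least three bytes "
             "from the server. These first three bytes are the command identifier.")
    print("Command and Control:", techniques_for_tactic("Command and Control"))
    print("Hits:", search(QUOTE, tactic="Command and Control"))
    # Technique lists from the "Compare your results to other analysts" slide
    analyst_1 = ["T1068", "T1059", "T1033", "T1053", "T1095", "T1065"]
    analyst_2 = ["T1059", "T1053", "T1094", "T1065", "T1104"]
    for label, tids in compare(analyst_1, analyst_2).items():
        print(f"{label}: {sorted(tids)}")
```

Run on the DoubleTap quote, the search surfaces T1095 (from "SOCKS5"), T1065 (from "port 1913") and T1094 (from "command identifier"), which is precisely the split between the two analysts on the slide: whether the three-byte command identifier makes this a custom protocol or the SOCKS5 wrapper makes it a standard non-application layer one.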
Finishing Exercise 2 (Optional Bonus Step)
▪ Now, compare your answers to another analyst’s answers
▪ Compare what you each had for each technique answer
– Discuss where there are differences – why did you have different answers?
– It’s okay to disagree!
▪ Please pause. We suggest giving yourself 10 minutes for this part of the
exercise. If you do not have other analysts to discuss your answers with,
you may advance to the next portion.

Going Over the Exercise – Cybereason Report
▪ Think about:
– What were the easiest & hardest techniques to identify?
– How did you identify each technique?
– What challenges did you have? How did you address them?

Cybereason Cobalt Kitty Report

1. Two types of payloads were found in the spear-phishing emails … link to
a malicious site
– Initial Access - Spearphishing Link (T1192)
2. Two types of payloads were found in the spear-phishing emails … Word
documents
– Initial Access - Spearphishing Attachment (T1193)
3. Two types of payloads were found in the spear-phishing emails … Word
documents with malicious macros
– Defense Evasion/Execution – Scripting (T1064)
4. Two types of payloads were found in the spear-phishing emails
– Execution – User Execution (T1204)
https://cybr.ly/cobaltkitty
Cybereason Cobalt Kitty Report

5.
– Execution - Command-Line Interface (T1059)
6. The two scheduled tasks are created on infected Windows
– Execution/Persistence - Scheduled Task (T1053)
7. schtasks /create /sc MINUTE /tn "Windows Error Reporting" /tr
"mshta.exe about:'<script language=\"vbscript\"…
– Execution/Defense Evasion - Mshta (T1170)
8. That downloads and executes an additional payload from the same
server
– Command and Control - Remote File Copy (T1105)
https://cybr.ly/cobaltkitty
Cybereason Cobalt Kitty Report

9.
– Execution - PowerShell (T1086)
10. it will pass an obfuscated and XOR’ed PowerShell payload to cmd.exe
– Defense Evasion - Obfuscated Files or Information (T1027)
11. The attackers used trivial but effective persistence techniques … Those
techniques consist of: Windows Registry Autorun
– Persistence - Registry Run Keys / Startup Folder (T1060)
12. the attackers used NTFS Alternate Data Stream to hide their payloads
– Defense Evasion - NTFS File Attributes (T1096)

https://cybr.ly/cobaltkitty
Cybereason Cobalt Kitty Report

13 & 14. The attackers created and/or modified Windows Services
– Persistence – New Service (T1050)
– Persistence – Modify Existing Service (T1031)
15 & 16. The attackers used a malicious Outlook backdoor macro … edited
a specific registry value to create persistence
– Persistence – Office Application Startup (T1137)
– Defense Evasion – Modify Registry (T1112)
17. The attackers used different techniques and protocols to communicate
with the C&C servers … HTTP
– Command and Control - Standard Application Layer Protocol (T1071)

https://cybr.ly/cobaltkitty
Cybereason Cobalt Kitty Report

18. :80 (in traffic from compromised machine to C&C server)
– Command and Control - Commonly Used Port (T1043)
19 & 20. The attackers downloaded COM scriptlets using regsvr32.exe
– Command and Control - Remote File Copy (T1105)
– Execution - Regsvr32 (T1117)
21. binary was renamed “kb-10233.exe”, masquerading as a Windows
update
– Defense Evasion - Masquerading (T1036)
22. network scanning against entire ranges…looking for open ports…
– Discovery - Network Service Scanning (T1046)

https://cybr.ly/cobaltkitty
Optional Exercise 2 Bonus Report
▪ If you’d like more practice mapping finished reporting to ATT&CK, work
through the FireEye APT39 report in the same manner. The PDF is
available at attack.mitre.org/training/cti under Exercise 2. (No tactic hints
option this time!)
▪ Answers are provided in a separate PDF.

Skipping Steps in the Process
Once you’re experienced, you may be able to skip steps
…but this increases your bias
…and it won’t work every time

0. Understand ATT&CK
1. Find the behavior
2. Research the behavior
3. Translate the behavior into a tactic
4. Figure out what technique applies to the behavior ← Sometimes we jump directly here
5. Compare your results to other analysts
Process of Applying ATT&CK to CTI

Understand ATT&CK (Module 1) → Map data to ATT&CK (Modules 2 and 3) → Store & analyze ATT&CK-mapped data (Module 4) → Make defensive recommendations from ATT&CK-mapped data (Module 5)
End of Module 2
Module 3:
Mapping to ATT&CK from Raw Data
Process of Applying ATT&CK to CTI

Understand ATT&CK (Module 1) → Map data to ATT&CK (Modules 2 and 3) → Store & analyze ATT&CK-mapped data (Module 4) → Make defensive recommendations from ATT&CK-mapped data (Module 5)
Mapping to ATT&CK from Raw Data
▪ So far, working from intel where activity has already been analyzed
▪ Analysis of techniques/behaviors directly from source data
– Likely more information available at the procedure level
– Not reinterpreting another analyst’s prose
– Greater knowledge/expertise required to interpret intent/tactic
▪ Broad set of possible data can contain behaviors
– Shell commands, malware, forensic disk images, packets
Process of Mapping to ATT&CK

0. Understand ATT&CK
1. Find the behavior
2. Research the behavior
3. Translate the behavior into a tactic
4. Figure out what technique applies to the behavior
5. Compare your results to other analysts

1. Find the Behavior

ipconfig /all
sc.exe \\ln334656-pc create
.\recycler.exe a -hpfGzq5yKw C:\$Recycle.Bin\old C:\$Recycle.Bin\Shockwave_network.vsdx
Commands captured by Sysmon being run interactively via cmd.exe

10.2.13.44:32123 -> 128.29.32.4:443
128.29.32.4:443 -> 10.2.13.44:32123
Flows from malware in a sandbox

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Netsh
New reg keys during an incident
2. Research the Behavior
▪ Can be similar to analysis of finished reporting for raw data
▪ May require expertise in the specific data type
– Network, forensics, malware, Windows cmd line, etc.
▪ May require multiple data sources, more context
– Additional questions to responders/analysts
2. Research the Behavior
.\recycler.exe a -hpfGzq5yKw C:\$Recycle.Bin\old C:\$Recycle.Bin\Shockwave_network.vsdx
– Can make some educated guesses, but not enough context

File analysis:
When recycler.exe is executed, it gives the following output:

C:\recycler.exe
RAR 3.70 Copyright (c) 1993-2007 Alexander Roshal 22 May 2007
Shareware version Type RAR -? for help

– Aha! Based on the analysis we can Google the flags to RAR and
determine that it is being used to compress and encrypt the file
2. Research the Behavior
.\recycler.exe a -hpfGzq5yKw C:\$Recycle.Bin\old C:\$Recycle.Bin\Shockwave_network.vsdx

And the file being compressed/encrypted is a Visio diagram, probably exfiltration
3. Translate the Behavior into a Tactic
ipconfig /all
– Specific procedure only mapped to System Network Configuration Discovery
– System Network Configuration Discovery -> Discovery ✅
– Seen being run via Sysmon -> Execution

.\recycler.exe a -hpfGzq5yKw C:\$Recycle.Bin\old C:\$Recycle.Bin\Shockwave_network.vsdx
– We figured out researching this that “vsdx” is Visio data
– Moderate confidence Exfiltration; the commands around this could make it clearer
– Seen being run via Sysmon -> Execution
4. Figure Out What Technique Applies
▪ Similar to working with finished reporting, we may jump straight here
– Procedure may map directly to Technique/Tactic
– May have enough experience to compress steps
ipconfig /all
– Specific procedure in System Network Configuration Discovery (T1016)
– Also Command-Line Interface (T1059)
.\recycler.exe a -hpfGzq5yKw C:\$Recycle.Bin\old C:\$Recycle.Bin\Shockwave_network.vsdx
– We figured out researching this that “a -hp” compresses/encrypts
– Appears to be Data Compressed (T1002) and Data Encrypted (T1022)
– Also Command-Line Interface (T1059)
4. Concurrent Techniques

▪ Don’t just think of what’s happening – think of how it’s happening
▪ Certain tactics commonly have concurrent techniques:
– Execution
– Defense Evasion
– Collection
▪ Examples:
– Data Compressed + Data Encrypted (2x Exfiltration)
– Spearphishing Attachment + User Execution (Initial Access + Execution)
– Data from Local System + Email Collection (2x Collection)
– Process Discovery + Command-Line Interface (Discovery + Execution)
4. Different Types of Techniques

▪ Not all techniques are created equal!
– Credit to Red Canary: https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/
▪ Some are specific
– Rundll32
– Netsh Helper DLL
▪ Some are broad
– Scripting
– Obfuscated Files or Information
▪ Some capture “how” the behavior occurs
– Masquerading
– Data Transfer Size Limits
– Automated Collection
5. Compare Your Results to Other Analysts
▪ Same caveats about hedging biases
▪ May need a broader set of skills/experience to work with types of data

Analyst 1
• Packets
• Malware/Reversing
• Windows command line

Analyst 2
• Windows Events
• Disk forensics
• macOS/Linux
Pros/cons of Mapping from the Two Different Sources
Find the behavior
– Raw: Nearly everything may be a behavior (not all ATT&CK)
– Finished: May be buried amongst prose, IOCs, etc.
Research the behavior
– Raw: May need to look at multiple sources, data types. May also be a known procedure
– Finished: May have more info/context, may also have lost detail in writing
Translate the behavior into a tactic
– Raw: Have to map to adversary intent, need domain knowledge/expertise
– Finished: Often intent has been postulated by report author
Figure out what technique applies to the behavior
– Raw: May have a procedure that maps straight to technique, or may require deep understanding of how it was accomplished
– Finished: May be as simple as a text match to description/procedure, or may be too vague to tell
Compare your results to other analysts
– Raw: May need multiple analysts to cover all data sources
– Finished: More likely in a form where other analysts are needed for coverage/hedging against bias
Exercise 3: Working with raw data
▪ You’re going to be examining two tickets from a simulated incident
▪ Ticket 473822
– Series of commands interactively executed via cmd.exe on an end system
▪ Ticket 473845
– Pieces of a malware analysis of the primary RAT used in the incident
▪ Both tickets are at https://attack.mitre.org/training/cti under Exercise 3
▪ Use whatever you like to record your results, or download and edit the tickets
▪ Identify as many behaviors as possible
▪ Annotate the behaviors that are ATT&CK techniques
▪ Please pause. We suggest giving yourself 25 minutes for this exercise.
Exercise Questions

▪ What questions would you have asked of your incident responders?
▪ What was easier/harder than working with finished reporting?
▪ What other types of data do you commonly encounter with behaviors?
▪ Did you notice any behaviors that you couldn’t find a technique for?
Going Over Exercise 3 (Ticket 473822)
ipconfig /all -> System Network Configuration Discovery (T1016)
arp -a -> System Network Configuration Discovery (T1016)
echo %USERDOMAIN%\%USERNAME% -> System Owner/User Discovery (T1033)
tasklist /v -> Process Discovery (T1057)
sc query -> System Service Discovery (T1007)
systeminfo -> System Information Discovery (T1082)
net group "Domain Admins" /domain -> Permission Groups Discovery (T1069)
net user /domain -> Account Discovery (T1087)
net group "Domain Controllers" /domain -> Remote System Discovery (T1018)
netsh advfirewall show allprofiles -> System Network Configuration Discovery (T1016)
netstat -ano -> System Network Connections Discovery (T1049)
All of the above are Discovery techniques, and all are also Execution - Command-Line Interface (T1059)
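The answer key above, and the concurrent-technique point from the earlier slides, can be turned into detection logic that runs over command-line telemetry. The following is an added example, not code from the MITRE training materials: the rules reproduce the slide's mappings (with the technique IDs the 2019 deck uses) plus the RAR "a -hp" case from the Research the Behavior slides, and the Sysmon-style lines at the bottom are constructed sample input, not data from the exercise tickets. The rules deliberately match the argument shape rather than the executable name, since the RAR binary in the ticket had been renamed to recycler.exe.

```python
"""Map command lines captured by Sysmon to ATT&CK techniques (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tactic: str
    name: str
    tid: str


CMDLINE_INTERFACE = Technique("Execution", "Command-Line Interface", "T1059")

# (regex over the command line, technique).  Rules match the argument shape,
# not the executable name: a renamed binary (recycler.exe) proves nothing by itself.
RULES: list[tuple[str, Technique]] = [
    (r"^ipconfig\b", Technique("Discovery", "System Network Configuration Discovery", "T1016")),
    (r"^arp\s+-a\b", Technique("Discovery", "System Network Configuration Discovery", "T1016")),
    (r"^echo\s+%USERDOMAIN%\\%USERNAME%", Technique("Discovery", "System Owner/User Discovery", "T1033")),
    (r"^tasklist\b", Technique("Discovery", "Process Discovery", "T1057")),
    (r"^sc(\.exe)?\s+query\b", Technique("Discovery", "System Service Discovery", "T1007")),
    (r"^systeminfo\b", Technique("Discovery", "System Information Discovery", "T1082")),
    (r'^net\s+group\s+"Domain Admins"', Technique("Discovery", "Permission Groups Discovery", "T1069")),
    (r"^net\s+user\s+/domain\b", Technique("Discovery", "Account Discovery", "T1087")),
    (r'^net\s+group\s+"Domain Controllers"', Technique("Discovery", "Remote System Discovery", "T1018")),
    (r"^netsh\s+advfirewall\s+show\b", Technique("Discovery", "System Network Configuration Discovery", "T1016")),
    (r"^netstat\b", Technique("Discovery", "System Network Connections Discovery", "T1049")),
    # RAR syntax: "a" adds files to an archive (compression); the -p<pw> / -hp<pw>
    # switches encrypt it (-hp also encrypts the archive headers).  One command
    # line therefore evidences two concurrent techniques.
    (r"^\S+\s+a\s+\S", Technique("Exfiltration", "Data Compressed", "T1002")),
    (r"\s-h?p\S*", Technique("Exfiltration", "Data Encrypted", "T1022")),
]


def map_command(cmdline: str, interactive_cmd: bool = True) -> list[Technique]:
    """Return every technique one command line evidences.

    interactive_cmd=True means the parent process was cmd.exe, so Command-Line
    Interface (T1059) applies concurrently to whatever else the command does,
    exactly as the slide notes for every command in Ticket 473822.
    """
    found: list[Technique] = []
    for pattern, tech in RULES:
        if re.search(pattern, cmdline.strip(), re.IGNORECASE) and tech not in found:
            found.append(tech)
    if interactive_cmd:
        found.append(CMDLINE_INTERFACE)
    return found


# Constructed Sysmon-style (Event ID 1) records: the field names follow Sysmon,
# the lines themselves are made up for this example.
SYSMON_RE = re.compile(r"CommandLine:\s*(?P<cmd>.*?)\s+ParentImage:\s*(?P<parent>\S+)")

SAMPLE_SYSMON = r"""
CommandLine: ipconfig /all ParentImage: C:\Windows\System32\cmd.exe
CommandLine: net group "Domain Admins" /domain ParentImage: C:\Windows\System32\cmd.exe
CommandLine: .\recycler.exe a -hpfGzq5yKw C:\$Recycle.Bin\old C:\$Recycle.Bin\Shockwave_network.vsdx ParentImage: C:\Windows\System32\cmd.exe
CommandLine: notepad.exe report.txt ParentImage: C:\Windows\explorer.exe
"""


def map_log(sysmon_text: str) -> list[tuple[str, list[str]]]:
    """Parse the records and return (command line, [technique IDs]) per record.

    A process started by something other than cmd.exe is still mapped for its
    own behaviour but does not get T1059 (that would be a different Execution
    technique, which the parent image alone does not tell us).
    """
    results = []
    for line in sysmon_text.splitlines():
        m = SYSMON_RE.search(line)
        if not m:
            continue
        interactive = m["parent"].lower().endswith("cmd.exe")
        results.append((m["cmd"], [t.tid for t in map_command(m["cmd"], interactive)]))
    return results


if __name__ == "__main__":
    for cmd, ids in map_log(SAMPLE_SYSMON):
        print(f"{cmd!r:90} -> {', '.join(ids) or '(no technique mapped)'}")
```

Running it prints one line per record; the notepad launch from explorer.exe comes back with no technique, which is the "nearly everything may be a behavior (not all ATT&CK)" case from the pros/cons table.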
Going Over Exercise 3 (Ticket 473845)
C2 protocol is base64 encoded commands over https. The RAT beacons every 30 seconds requesting a command.
– Command and Control - Data Encoding (T1132)
– Command and Control - Standard Application Layer Protocol (T1071)

UPLOAD file (upload a file server->client)
DOWNLOAD file (download a file client->server)
– Command and Control - Remote File Copy (T1105)
SHELL command (runs a command via cmd.exe)
– Execution - Command-Line Interface (T1059)
PSHELL command (runs a command via powershell.exe)
– Execution - PowerShell (T1086)
EXEC path (executes a PE at the path given via CreateProcess)
– Execution - Execution through API (T1106)
SLEEP n (skips n beacons)

10.1.1.1:24123 -> 129.83.44.12:443
129.83.44.12:443 -> 10.1.1.1:24123
– Command and Control - Commonly Used Port (T1043)

Copy C:\winspoo1.exe -> C:\Windows\System32\winspool.exe
– Defense Evasion - Masquerading (T1036)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winspool REG_SZ "C:\Windows\System32\winspool.exe"
– Persistence - Registry Run Keys (T1060)
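The Ticket 473845 walkthrough describes a protocol (base64 commands over HTTPS, a 30-second beacon, a small verb set) rather than single commands, so the research step looks different from the cmd.exe ticket. The following added example, which is not part of the MITRE training materials, works through that kind of sandbox data: it assumes the sandbox recorded the HTTPS bodies after TLS termination so the base64 payloads are visible, decodes them, maps the verbs to the techniques the slide gives, and measures the beacon interval. The transcript is constructed for this example (timestamps, bodies and arguments are made up); the verb table and the flow endpoints are the ones on the slide. It also handles the SLEEP n edge case: one SLEEP stretches a single gap to (n+1) intervals, which is why the interval is taken as a median rather than a mean.

```python
"""Analyze a RAT beacon transcript of the kind described for Ticket 473845 (added example)."""
from __future__ import annotations

import base64
import binascii
import statistics

# RAT command verbs -> ATT&CK technique IDs, as mapped on the slide.
VERB_TECHNIQUES = {
    "UPLOAD": ["T1105"],    # Remote File Copy (server -> client)
    "DOWNLOAD": ["T1105"],  # Remote File Copy (client -> server)
    "SHELL": ["T1059"],     # Command-Line Interface
    "PSHELL": ["T1086"],    # PowerShell
    "EXEC": ["T1106"],      # Execution through API (CreateProcess)
    "SLEEP": [],            # skips n beacons: no technique, but it distorts timing
}

# Flow from the slide: client 10.1.1.1:24123 <-> server 129.83.44.12:443 over HTTPS.
C2_FLOW = {"src": "10.1.1.1", "sport": 24123, "dst": "129.83.44.12", "dport": 443, "scheme": "https"}


def encode_command(cmd: str) -> str:
    """Encode a command the way the RAT does; used only to build the constructed sample."""
    return base64.b64encode(cmd.encode()).decode()


# Constructed transcript: (seconds since capture start, direction, body).
# ">" is client -> server (the beacon, empty body); "<" is the server's reply.
TRANSCRIPT = [
    (0, ">", ""), (0, "<", encode_command("SHELL ipconfig /all")),
    (30, ">", ""), (30, "<", encode_command("SLEEP 2")),   # the next two beacons are skipped
    (120, ">", ""), (120, "<", encode_command(r"DOWNLOAD C:\$Recycle.Bin\Shockwave_network.vsdx")),
    (150, ">", ""), (150, "<", encode_command("PSHELL Get-Process")),
    (180, ">", ""), (180, "<", encode_command(r"EXEC C:\Windows\System32\winspool.exe")),
    (210, ">", ""), (210, "<", encode_command(r"UPLOAD C:\Windows\System32\winspool.exe")),
]


def decode_command(body: str) -> tuple[str, str]:
    """Decode one base64 body into (VERB, argument); ValueError if it is not base64 text."""
    try:
        text = base64.b64decode(body, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a base64 command: {body!r}") from exc
    verb, _, arg = text.partition(" ")
    return verb.upper(), arg


def beacon_interval(transcript) -> float:
    """Median gap between client beacons.  A SLEEP n reply turns one gap into
    (n+1) intervals, so the mean would overstate the real beacon period."""
    times = [t for t, direction, _ in transcript if direction == ">"]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return statistics.median(gaps)


def analyze(transcript, flow=C2_FLOW) -> dict:
    """Return the beacon interval, the decoded commands and the techniques they evidence."""
    techniques = set()
    if flow["dport"] in (80, 443):
        techniques.add("T1043")              # Commonly Used Port
    if flow["scheme"] in ("http", "https"):
        techniques.add("T1071")              # Standard Application Layer Protocol
    commands = []
    for _, direction, body in transcript:
        if direction != "<" or not body:
            continue
        verb, arg = decode_command(body)     # a successful decode is the evidence for
        techniques.add("T1132")              # Data Encoding
        ids = VERB_TECHNIQUES.get(verb, [])
        techniques.update(ids)
        commands.append((verb, arg, ids))
    return {
        "beacon_interval_s": beacon_interval(transcript),
        "commands": commands,
        "techniques": sorted(techniques),
    }


if __name__ == "__main__":
    result = analyze(TRANSCRIPT)
    print("beacon every", result["beacon_interval_s"], "s")
    for verb, arg, ids in result["commands"]:
        print(f"  {verb:<9}{arg:<48}{', '.join(ids) or '-'}")
    print("techniques:", ", ".join(result["techniques"]))
```

On the constructed transcript the gaps are 30, 90, 30, 30 and 30 seconds; the median recovers the 30-second beacon while the mean (42 s) would not, which matters if the interval is going to be recorded as part of the procedure.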
From Raw Data to Finished Reporting with ATT&CK
▪ We’ve talked about augmenting reports with ATT&CK and analyzing data with ATT&CK, possibly in parallel with analysis for reporting
▪ If you are creating reporting with ATT&CK techniques, we recommend keeping the techniques with the related procedures for context
– Allows other analysts to examine the mapping for themselves
– Allows much easier capture of how a technique was done
Finished Reporting Examples
During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all’[1] via the Windows command shell[2].
1. Discovery – System Network Configuration Discovery (T1016)
2. Execution – Command-Line Interface (T1059)

System Network Configuration Discovery (T1016) and Command-Line Interface (T1059) - During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all’ via the Windows command shell.

Instead of:
Appendix C – ATT&CK Techniques
▪ System Network Configuration Discovery
▪ Command-Line Interface
▪ Hardware Additions
Process of Applying ATT&CK to CTI

Understand ATT&CK (Module 1) -> Map data to ATT&CK (Module 2, Module 3) -> Store & analyze ATT&CK-mapped data (Module 4) -> Make defensive recommendations from ATT&CK-mapped data (Module 5)
End of Module 3

Module 4:
Storing and Analyzing ATT&CK-Mapped Data

Considerations When Storing ATT&CK-Mapped Intel
▪ Who’s consuming it?
– Human or machine?
– Requirements?
▪ How will you provide context?
– Include full text?
▪ How detailed will it be?
– Just a Technique, or a Procedure?
– How will you capture that detail? (Free text?)
▪ How will you link it to other intel?
– Incident, group, campaign, indicator…
▪ How will you import and export data?
– Format?
The community is still figuring this out!
Ways to Store and Display ATT&CK-Mapped Intel

¯\_(ツ)_/¯

Ways to Store and Display ATT&CK-Mapped Intel

Courtesy of Alexandre Dulaunoy
Ways to Store and Display ATT&CK-Mapped Intel

Courtesy of Alexandre Dulaunoy
Ability to link to indicators and files
Ways to Express and Store ATT&CK-Mapped Intel

Techniques at the end of a report
https://www.anomali.com/blog/weekly-threat-briefing-google-spots-attacks-exploiting-ios-zero-day-flaws
Ways to Express and Store ATT&CK-Mapped Intel

Techniques at the end of a report
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/
Ways to Express and Store ATT&CK-Mapped Intel

Techniques at the beginning of a report
https://www.crowdstrike.com/resources/reports/2018-crowdstrike-global-threat-report-blurring-the-lines-between-statecraft-and-tradecraft/
Ways to Express and Store ATT&CK-Mapped Intel

Adding additional info to an ATT&CK technique
https://www.digitalshadows.com/blog-and-research/mitre-attck-and-the-mueller-gru-indictment-lessons-for-organizations/
Ways to Express and Store ATT&CK-Mapped Intel

With timestamps
https://www.recordedfuture.com/mitre-attack-framework/
Ways to Express and Store ATT&CK-Mapped Intel

Machine readable
Linking techniques to indicators
https://pan-unit42.github.io/playbook_viewer/
Ways to Express and Store ATT&CK-Mapped Intel

https://attack.mitre.org/groups/G0007/

What else could we do?
Full-Text Report -> ATT&CK Technique: Credential Dumping (T1003)
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
Process of Applying ATT&CK to CTI

So now we have some ATT&CK-mapped intel…
Understand ATT&CK -> Map data to ATT&CK -> Store & analyze ATT&CK-mapped data -> Make defensive recommendations from ATT&CK-mapped data
What can we do with it?
APT28 Techniques*
[Figure: ATT&CK Enterprise matrix (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control) with APT28’s techniques highlighted; the highlighted technique names did not survive extraction and are omitted here]
*from open source reporting we’ve mapped
APT29 Techniques
[Figure: the same ATT&CK Enterprise matrix with APT29’s techniques highlighted; the highlighted technique names did not survive extraction and are omitted here]
Comparing APT28 and APT29
[Figure: the APT28 and APT29 matrices overlaid on one ATT&CK Enterprise matrix, with one colour for APT28, one for APT29 and one for techniques used by both groups; annotation: “Overlay known gaps”]
ATT&CK Navigator
▪ One option for getting started with storing and analyzing in a simple way
▪ Open source (JSON), so you can customize it
▪ Allows you to visualize data
ATT&CK Navigator Demo Video
Exercise 4: Comparing Layers in ATT&CK Navigator
▪ Docs you will need are at attack.mitre.org/training/cti under Exercise 4
– Step-by-step instructions are in the “Comparing Layers in Navigator” document
– Techniques are listed in the “APT39 and Cobalt Kitty techniques” document
1. Open ATT&CK Navigator: http://bit.ly/attacknav
2. Enter techniques from APT39 and Cobalt Kitty/OceanLotus into separate Navigator layers with a unique score for each layer’s techniques
3. Combine the layers in Navigator to create a third layer
4. Make your third layer look pretty
5. Make a list of the techniques that overlap between the two groups
▪ Please pause. We suggest giving yourself 15 minutes for this exercise.
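The storage questions on the earlier slides (who consumes it, how much context, how to link and export) and the Navigator exercise steps fit together: a record that keeps the technique next to its procedure and source, as the "From Raw Data to Finished Reporting" slide recommends, can be exported straight into Navigator layers. The following is an added example, not code from the MITRE training materials or from the Navigator project. It stores mapped intel as such records, builds one layer per group with a distinct score, combines them into a third layer, and lists the overlap (steps 2 to 5 of the exercise, done in code so the result can be checked). The two technique sets are constructed stand-ins for the APT39 and Cobalt Kitty lists in the exercise materials (group A reuses the Exercise 3 ticket findings, group B is invented). The layer keys techniqueID, score, color, comment and gradient are the ones Navigator's layer format uses; the "version": "2.2" and "domain": "mitre-enterprise" values are those of that era and are assumptions to check against your Navigator instance.

```python
"""Store ATT&CK-mapped intel with its procedures and export it as Navigator layers (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class MappedProcedure:
    """One technique mapping kept together with the procedure that justifies it."""
    technique_id: str
    technique_name: str
    tactic: str
    procedure: str    # what was actually observed, so other analysts can re-check the mapping
    source: str       # ticket or report the mapping came from
    confidence: str   # high / moderate / low, as the analyst judged it


# Constructed sample records.  Group A reuses the Exercise 3 ticket findings from the
# slides; group B is invented to stand in for a second group's reporting.
GROUP_A = [
    MappedProcedure("T1016", "System Network Configuration Discovery", "Discovery", "ipconfig /all", "Ticket 473822", "high"),
    MappedProcedure("T1059", "Command-Line Interface", "Execution", "commands run interactively via cmd.exe", "Ticket 473822", "high"),
    MappedProcedure("T1071", "Standard Application Layer Protocol", "Command and Control", "base64 commands over HTTPS, 30 s beacon", "Ticket 473845", "high"),
    MappedProcedure("T1105", "Remote File Copy", "Command and Control", "UPLOAD/DOWNLOAD RAT commands", "Ticket 473845", "high"),
    MappedProcedure("T1036", "Masquerading", "Defense Evasion", r"winspoo1.exe copied to C:\Windows\System32\winspool.exe", "Ticket 473845", "high"),
    MappedProcedure("T1060", "Registry Run Keys", "Persistence", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winspool", "Ticket 473845", "high"),
]
GROUP_B = [
    MappedProcedure("T1059", "Command-Line Interface", "Execution", "tool launched from cmd.exe", "Report B-1", "high"),
    MappedProcedure("T1086", "PowerShell", "Execution", "encoded PowerShell one-liner", "Report B-1", "moderate"),
    MappedProcedure("T1071", "Standard Application Layer Protocol", "Command and Control", "HTTP C2 channel", "Report B-2", "high"),
    MappedProcedure("T1105", "Remote File Copy", "Command and Control", "second stage fetched over the C2 channel", "Report B-2", "moderate"),
    MappedProcedure("T1003", "Credential Dumping", "Credential Access", "LSASS memory read", "Report B-2", "high"),
]


def to_navigator_layer(name: str, records: list[MappedProcedure], score: int, color: str) -> dict:
    """Build a Navigator layer; each technique's comment carries its procedures and sources."""
    techniques: dict[str, dict] = {}
    for r in records:
        entry = techniques.setdefault(
            r.technique_id,
            {"techniqueID": r.technique_id, "score": score, "color": color, "comment": ""},
        )
        note = f"[{r.source}, {r.confidence}] {r.procedure}"
        entry["comment"] = f"{entry['comment']}; {note}" if entry["comment"] else note
    return {
        "name": name,
        "version": "2.2",              # assumed layer-format version
        "domain": "mitre-enterprise",  # assumed domain string for that version
        "description": f"{len(records)} procedures from {len({r.source for r in records})} sources",
        "techniques": sorted(techniques.values(), key=lambda t: t["techniqueID"]),
    }


def combine_layers(name: str, *layers: dict) -> dict:
    """Equivalent of Navigator's 'create layer from other layers' with score expression a+b:
    with scores 1 and 2, a technique scores 1 if only in A, 2 if only in B, 3 if in both."""
    scores: dict[str, int] = {}
    for layer in layers:
        for t in layer["techniques"]:
            scores[t["techniqueID"]] = scores.get(t["techniqueID"], 0) + t["score"]
    return {
        "name": name,
        "version": "2.2",
        "domain": "mitre-enterprise",
        "techniques": [{"techniqueID": tid, "score": s} for tid, s in sorted(scores.items())],
        # exercise step 4: a gradient so the three score values get distinct colours
        "gradient": {"colors": ["#ffe766", "#66b1ff", "#ff6666"], "minValue": 1, "maxValue": 3},
    }


def technique_ids(layer: dict) -> set[str]:
    return {t["techniqueID"] for t in layer["techniques"]}


def overlapping_techniques(layer_a: dict, layer_b: dict) -> list[str]:
    """Exercise step 5: techniques present in both layers."""
    return sorted(technique_ids(layer_a) & technique_ids(layer_b))


def run_exercise() -> dict:
    """Steps 2 to 5, returning the layers and the overlap list for inspection or saving."""
    layer_a = to_navigator_layer("Group A", GROUP_A, score=1, color="#ffe766")
    layer_b = to_navigator_layer("Group B", GROUP_B, score=2, color="#66b1ff")
    combined = combine_layers("Group A + Group B", layer_a, layer_b)
    return {"a": layer_a, "b": layer_b, "combined": combined,
            "overlap": overlapping_techniques(layer_a, layer_b)}


if __name__ == "__main__":
    out = run_exercise()
    for key in ("a", "b", "combined"):
        with open(f"layer_{key}.json", "w") as fh:   # load these into Navigator as existing layers
            json.dump(out[key], fh, indent=2)
    print("overlap:", ", ".join(out["overlap"]))
```

The comment field is what answers the "how will you provide context?" question: because the record kept the procedure, source and confidence, the layer exported to a human-facing tool still shows why each cell is coloured, and the same records can be serialised as-is for a machine consumer.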


Exercise 4: Comparing Layers in ATT&CK Navigator
[Figure: ATT&CK Navigator matrix with the APT39 and OceanLotus layers overlaid; legend: APT39, OceanLotus, Both groups]
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Exercise 4: Comparing Layers in ATT&CK Navigator
▪ Here are the overlapping techniques:
1. Spearphishing Attachment
2. Spearphishing Link
3. Scheduled Task
4. Scripting
5. User Execution
6. Registry Run Keys/Startup Folder
7. Network Service Scanning

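The overlap above is what Navigator shows when two group layers are combined. As an added example (not code from the training or from the Navigator project), the block below reads two layers in the Navigator JSON shape, lists the techniques both contain, and builds a combined layer whose score counts how many groups use each technique. The two layers are constructed samples that reuse technique IDs appearing elsewhere in this deck; they are not the groups' real profiles.

```python
"""Compare two ATT&CK Navigator layers and list the techniques both contain.

Added example for Exercise 4; not code from the training or from the
Navigator project. Sample layers are constructed.
"""
import json
from typing import Dict, List, Set

# Constructed sample layers in the Navigator layer JSON shape:
# name, domain, and techniques[] of {techniqueID, score}.
LAYER_A = json.dumps({
    "name": "Group A (constructed)",
    "domain": "mitre-enterprise",
    "techniques": [
        {"techniqueID": "T1204", "score": 1},  # User Execution
        {"techniqueID": "T1053", "score": 1},  # Scheduled Task
        {"techniqueID": "T1035", "score": 1},  # Service Execution
        {"techniqueID": "T1047", "score": 1},  # Windows Management Instrumentation
    ],
})
LAYER_B = json.dumps({
    "name": "Group B (constructed)",
    "domain": "mitre-enterprise",
    "techniques": [
        {"techniqueID": "T1204", "score": 1},
        {"techniqueID": "T1053", "score": 1},
        {"techniqueID": "T1072", "score": 1},  # Third-party Software
        {"techniqueID": "T1020", "score": 1},  # Automated Exfiltration
    ],
})


def technique_ids(layer_json: str) -> Set[str]:
    """Technique IDs a layer actually marks: enabled, with a positive score.
    Navigator layers may carry disabled or zero-scored cells; skip those."""
    layer = json.loads(layer_json)
    return {
        t["techniqueID"]
        for t in layer.get("techniques", [])
        if t.get("enabled", True) and t.get("score", 1) > 0
    }


def overlapping_techniques(layer_a: str, layer_b: str) -> List[str]:
    """Techniques both groups use: the highest-priority starting point."""
    return sorted(technique_ids(layer_a) & technique_ids(layer_b))


def combined_layer(layer_a: str, layer_b: str, name: str) -> str:
    """Build a layer whose score is the number of groups using each technique,
    mirroring Navigator's 'a + b' layer expression. Score 2 is the overlap."""
    ids_a, ids_b = technique_ids(layer_a), technique_ids(layer_b)
    techniques = [
        {"techniqueID": tid, "score": int(tid in ids_a) + int(tid in ids_b)}
        for tid in sorted(ids_a | ids_b)
    ]
    return json.dumps(
        {"name": name, "domain": "mitre-enterprise", "techniques": techniques},
        indent=2,
    )


def technique_scores(layer_json: str) -> Dict[str, int]:
    """Map techniqueID -> score for a layer (handy for checking a combined layer)."""
    layer = json.loads(layer_json)
    return {t["techniqueID"]: t.get("score", 0) for t in layer["techniques"]}


if __name__ == "__main__":
    print("Both groups:", overlapping_techniques(LAYER_A, LAYER_B))
    print(combined_layer(LAYER_A, LAYER_B, "A + B"))
```

The combined layer can be loaded into Navigator with a two-colour gradient so that score-2 cells stand out as the shared techniques.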
Process of Applying ATT&CK to CTI: Understand ATT&CK (Module 1) → Map data to ATT&CK (Modules 2 and 3) → Store & analyze ATT&CK-mapped data (Module 4) → Make defensive recommendations from ATT&CK-mapped data (Module 5)

End of Module 4

Module 5:
Making Defensive Recommendations from
ATT&CK-Mapped Data

Process of Applying ATT&CK to CTI: Understand ATT&CK (Module 1) → Map data to ATT&CK (Modules 2 and 3) → Store & analyze ATT&CK-mapped data (Module 4) → Make defensive recommendations from ATT&CK-mapped data (Module 5)

Applying Technique Intelligence to Defense
▪ We’ve now seen a few ways to identify techniques seen in the wild
– Extracted from finished reporting
– Extracted from raw/incident data
– Leveraging data already mapped by ATT&CK team
▪ Can identify techniques used by multiple groups we care about
– May be our highest priority starting point

▪ How do we make that intelligence actionable?

Process for Making Recommendations from Techniques

0. Determine priority techniques


1. Research how techniques are being used
2. Research defensive options related to technique
3. Research organizational capability/constraints
4. Determine what tradeoffs are for org on specific options
5. Make recommendations

0. Determine Priority Techniques

▪ There are multiple ways to prioritize; today we focus on leveraging CTI

1. Data sources: what data do you have already?


2. Threat intelligence: what are your adversaries doing?
3. Tools: what can your current tools cover?
4. Red team: what can you see red teamers doing?

0. Determine Priority Techniques

▪ Threat intelligence: what are your adversaries doing?


1. Spearphishing Attachment
2. Spearphishing Link
3. Scheduled Task
4. Scripting
5. User Execution
6. Registry Run Keys/Startup Folder
7. Network Service Scanning

1. Research How Techniques Are Being Used
▪ What specific procedures are being used for a given technique?
– Important that our defensive response overlaps with activity

From the APT39 Report


FireEye Intelligence has observed APT39 leverage spear phishing emails
with malicious attachments and/or hyperlinks typically resulting in a
POWBAT infection
– Execution – User Execution (T1204)
From the Cobalt Kitty Report
Two types of payloads were found in the spear-phishing emails
– Execution – User Execution (T1204)

1. Research How Techniques Are Being Used

2. Research Defensive Options Related to Technique

▪ Many sources provide defensive information indexed to ATT&CK


– ATT&CK
▪ Data Sources
▪ Detections
▪ Mitigations
▪ Research linked to from Technique pages
– MITRE Cyber Analytics Repository (CAR)
– Roberto Rodriguez's ThreatHunter-Playbook
– Atomic Threat Coverage
▪ Supplement with your own research

2. Research Defensive Options Related to Technique

[Figure: Windows ATT&CK Logging Cheat Sheet (Win 7 - Win 2012), mapping techniques such as Service Execution (T1035), User Execution (T1204), Windows Management Instrumentation (T1047), Third-party Software (T1072), Windows Remote Management (T1028), LSASS Driver (T1177), Scheduled Task (T1053) and Automated Exfiltration (T1020) to Windows event IDs (4688, 4657, 7045, 7040, 4663, 5156, 5140/5145) and ATT&CK data sources]
https://www.malwarearchaeology.com/s/Windows-ATTCK_Logging-Cheat-Sheet_ver_Sept_2018.pdf

▪ Further research shows that for Windows to generate event 4688, multiple GPO changes are required and it is very noisy
▪ Similar information can be gathered via Sysmon with better filtering

2. Research Defensive Options Related to Technique
▪ ATT&CK:
– https://attack.mitre.org
▪ Cyber Analytics Repository:
– https://car.mitre.org/
▪ Threat Hunter Playbook
– https://github.com/hunters-forge/ThreatHunter-Playbook
▪ Windows ATT&CK Logging Cheatsheet
– https://www.malwarearchaeology.com/cheat-sheets

2. Research Defensive Options Related to Technique
▪ User training
▪ Application whitelisting
▪ Block unknown files in transit
▪ NIPS
▪ File detonation systems
▪ Monitor command-line arguments
– Windows Event Log 4688
– Sysmon
▪ Anti-Virus
▪ Endpoint sensing

3. Research Organizational Capabilities/Constraints

▪ What data sources, defenses, mitigations are already collected/in place?


– Some options may be inexpensive/simple
– Possibly new analytics on existing sources
▪ What products are already deployed that may have add’l capabilities?
– E.g. able to gather new data sources/implement new mitigations
▪ Is there anything about the organization that may preclude responses?
– E.g. user constraints/usage patterns

3. Research Organizational Capabilities/Constraints

▪ Notional Capabilities
– Windows Events already collected to SIEM (but not process info)
– Evaluating application whitelisting tools
– Highly technical workforce
– Already have an email file detonation appliance
– Already have anti-virus on all endpoints
▪ Notional Constraints
– SIEM at close to license limit, increase would be prohibitive
– Large portion of user population developers, run arbitrary binaries
– Files in transit usually encrypted passing by NIPS

4. Determine What Tradeoffs Are for Org on Specific Options

▪ How do each of the identified options fit into your org?

▪ Example Positives
– Leveraging existing strengths/tools/data sources
– Close fit with specific threat
▪ Example Negatives
– Cost not commensurate with risk averted
– Poor cultural fit with organization

▪ Highly dependent on your specific organization

4. Determine What Tradeoffs Are for Org on Specific Options

Defensive option: Increase user training around clicking on attachments
  Example pros: Covers most common use case; technical workforce likely will make good sensors
  Example cons: Time investment by all users; training fatigue

Defensive option: Enforcement of application whitelisting
  Example pros: Already examining whitelisting solution; most binaries of concern never seen before
  Example cons: Developer population heavily impacted if prevented from running arbitrary binaries. High support cost.

Defensive option: Monitor command-line arguments / create analytic
  Example pros: Collecting events already, already feeding into a SIEM
  Example cons: Volume of logs from processes likely unacceptable license cost.

Defensive option: Anti-Virus
  Example pros: Already in place
  Example cons: Limited signature coverage

Defensive option: Install endpoint detection and response (EDR) product
  Example pros: Possibly best visibility without greatly increasing log volumes
  Example cons: No existing tool; prohibitively expensive

Defensive option: Email Detonation Appliance
  Example pros: Already in place
  Example cons: May not have full visibility into inbound email

5. Make Recommendations

▪ Could be technical, policy, or risk acceptance


▪ Could be for management, SOC, IT, all of the above
▪ Some potential recommendation types:
– Technical
▪ Collect new data sources
▪ Write a detection/analytic from existing data
▪ Change a config/engineering changes
▪ New tool
– Policy changes
▪ Technical/human
– Accept risk
▪ Some things are undetectable/unmitigable or not worth the tradeoff

5. Make Recommendations
[Figure: ATT&CK Enterprise matrix annotated with the example organization's decisions; legend: High Confidence of Detection, Some Confidence of Detection, Low Confidence of Detection, Prioritized Technique]
Annotations on the matrix:
– None of our existing tools have visibility into Windows Management Instrumentation, so we'll need to obtain something new
– We'll tackle Spearphishing Attachment and Spearphishing Link via new user training
– Supply Chain Compromise and Component Firmware are beyond our capability and resources to stop or detect, so we'll accept the risk
5. Make Recommendations (Example)
1. New user training around not clicking on attachments
– Policy change matched with a technical workforce
2. Continued use of AV
– No additional cost
3. Increase coverage of email detonation
– Taking advantage of existing tools

Exercise 5: Defensive Recommendations
Worksheet in attack.mitre.org/training/cti under Exercise 5
“Making Defensive Recommendations Guided Exercise”

Download the worksheet and work through recommendation process

0. Determine priority techniques


1. Research how techniques are being used
2. Research defensive options related to technique
3. Research organizational capability/constraints
4. Determine what tradeoffs are for org on specific options
5. Make recommendations

▪ Please pause. We suggest giving yourself 15 minutes for this exercise.


Going Over the Exercise
▪ What resources were helpful to you finding defensive options?
▪ What kind of recommendations did you end up making?
▪ Did you consider doing nothing or accepting risk?
▪ Were there any options that were completely inappropriate for you?

0. Determine Priority Techniques

▪ Threat intelligence: what are your adversaries doing?


1. Spearphishing Attachment
2. Spearphishing Link
3. Scheduled Task
4. Scripting
5. User Execution
6. Registry Run Keys/Startup Folder
7. Network Service Scanning

1. Research How Techniques Are Being Used
From the Cobalt Kitty Report

Within a Word Macro


2. Research Defensive Options Related to Technique

3. Research Organizational Capabilities/Constraints

▪ For this exercise, assume that you have Windows Event Log Collection
going to a SIEM, but no ability to collect process execution logging.

4. Determine What Tradeoffs Are for Org on Specific Options

Defensive option: Monitor scheduled task creation from common utilities using command-line invocation
  Pros: Would allow us to collect detailed information on how the task was added.
  Cons: Organization has no ability to collect process execution logging.

Defensive option: Configure event logging for scheduled task creation and changes
  Pros: Fits well into existing Windows Event Log collection system; would be simple to implement enterprise wide.
  Cons: Increases collected log volumes.

Defensive option: Sysinternals Autoruns may also be used
  Pros: Would collect on other persistence techniques as well. Tool is free.
  Cons: Not currently installed; would need to be added to all systems along with data collection and analytics of results.

Defensive option: Monitor processes and command-line arguments
  Pros: Would allow us to collect detailed information on how the task was added.
  Cons: Organization has no ability to collect process execution logging.

5. Make Recommendations
Given the limitations and sources we pointed at, likely answers similar to:

▪ Enable the "Microsoft-Windows-TaskScheduler/Operational" log within the event logging service, and create analytics around Event ID 106 (Scheduled task registered) and Event ID 140 (Scheduled task updated)

Possibly

▪ Use Autoruns to watch for changes that could be attempts at persistence
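As an added example of the analytic recommended above (not material from the training), the block below parses Event ID 106 and 140 records from the TaskScheduler/Operational log in their Windows event XML form and flags registrations or updates that fall outside a baseline of OS task paths and service accounts. The events are constructed samples, and the EventData field names (TaskName, UserContext, UserName) are assumed to match the live log.

```python
"""Baseline analytic over Microsoft-Windows-TaskScheduler/Operational events.

Added example, not part of the training deck. Sample events are constructed;
EventData field names are assumed to match the live log.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Tasks under these paths are registered/updated constantly by the OS itself;
# an analyst would extend this baseline from their own environment's data.
BASELINE_PREFIXES = ("\\Microsoft\\Windows\\",)
BASELINE_USERS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE"}


def _event(event_id: int, computer: str, task: str, user: str) -> str:
    """Build a constructed event in the Windows event XML schema."""
    user_field = "UserContext" if event_id == 106 else "UserName"
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-TaskScheduler"/>
    <EventID>{event_id}</EventID>
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="TaskName">{task}</Data>
    <Data Name="{user_field}">{user}</Data>
  </EventData>
</Event>"""


# Constructed sample log: two OS maintenance events and two worth a look.
SAMPLE_EVENTS: List[str] = [
    _event(106, "WS01", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "NT AUTHORITY\\SYSTEM"),
    _event(106, "WS01", "\\Updater", "CORP\\jdoe"),  # new task outside the OS tree
    _event(140, "WS02", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "NT AUTHORITY\\SYSTEM"),
    _event(140, "WS02", "\\Microsoft\\Windows\\Foo", "CORP\\jdoe"),  # user editing an OS path
]


def parse_event(xml_text: str) -> Dict[str, str]:
    """Pull event ID, host, task path and acting user out of one event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "event_id": system.findtext("e:EventID", namespaces=NS),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "task": data.get("TaskName", ""),
        # 106 records the registering user as UserContext, 140 as UserName
        "user": data.get("UserContext") or data.get("UserName", ""),
    }


def is_suspicious(ev: Dict[str, str]) -> bool:
    """Only an OS task path touched by a service account is baseline noise."""
    in_baseline_path = ev["task"].startswith(BASELINE_PREFIXES)
    by_baseline_user = ev["user"].upper() in {u.upper() for u in BASELINE_USERS}
    return not (in_baseline_path and by_baseline_user)


def find_suspicious(events: List[str]) -> List[Dict[str, str]]:
    """Return parsed 106/140 events that fall outside the baseline."""
    hits = []
    for xml_text in events:
        ev = parse_event(xml_text)
        if ev["event_id"] in ("106", "140") and is_suspicious(ev):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"{hit['computer']} EID {hit['event_id']}: {hit['task']} by {hit['user']}")
```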

In Closing: Understand ATT&CK (Module 1) → Map data to ATT&CK (Modules 2 and 3) → Store & analyze ATT&CK-mapped data (Module 4) → Make defensive recommendations from ATT&CK-mapped data (Module 5)

https://attack.mitre.org
attack@mitre.org
@MITREattack

Katie Nickels Adam Pennington


@likethecoins @_whatshisface

End of Module 5
