MITRE ATT&CK Framework

PreviousNetwork Analysis Nextpost-incident

Last updated 2 years ago

MITRE ATT&CK Framework

MITRE ATT&CK Framework Stages:
- MITRE ATT&CK Navigator:
Initial access 9 techniques:
Execution technique examples:
- Administrative feature of windows, WMI service used for local and remote access to SMB and the Remote Procedure Call Service (RPCS), MITRE provides specific identification of WMI
Persistence examples:
- - EG SSH, FTP, VPN
Privilege escalation examples:
- - Obtaining valid accounts (eg via phishing)
Defense evasion:
- Ways that adversaries will work to evade or disable security defenses such as antivirus, endpoint detection and response, logging, and human analysts
- Impair defenses: disrupting operation of security tools (eg SIEM)
  - Disable of Modify Tools
  - Disable Windows Event Logging
  - HISTCONTROL (used to not log command history) which affects ~/.bash_history
  - Disable or Modify System Firewall
  - Indicator Blocking
  - Disable or Modify Cloud Firewall
- Indicator removal:
  - Deleting bash history
  - Deleting files
  - Deleting raw log files
  - Timestomping
Credential access:
- - LSASS Memory: credentials stored in memory, eg using Mimikatz
  - Monitor lsass.exe in Windows
  - Use AuditD for Linux
  - /etc/passwd /etc/shadow: dumping /etc/passwd and /etc/shadow (only accessible by root) files for password cracking
- - Hashcat can be used to attack encrupted passwords using brute force:
  - Mitigations: account lockout policies, better passwords, MFA, log monitoring
Discovery:
- Account discovery:
  - Local accounts: net user and net localgroup (windows), id and groups (MacOS), /etc/passwd using cat, string or head (Linux)
  - Domain accounts: net user /domain and net group domain (windows), dscacheutil -q group (MacOS), ldapsearch (linux)
  - Email and cloud accounts
  - Mitigations: disable the registry key to prevent administrator accounts from being enumerated, group policy can force this change network-wide
- Network service discovery
- File and directory discovery
- Lateral movement:
  - Enumerating internal remote services, eg:
    Remote Desktop Protocol (RDP)
    SMB/Windows Admin Shares
    Distributed Component Object Model
    SSH
    VNC
    Windows Remote Management (WINRM)
    Mitigating enumeration: use MFA, monitor timelines of logon activity
  - Internal spearphishing, eg using a script to email other users from a compromised systems emali client
    Scan eamil/attachments for mitigation
Collection:
- Email collection
- Audio capture
- Screen capture
- Data from local system
- Mitigations: audit, encryption, MFA, monitor api calls releated to system audio, monitor unusual processes that access microphones, API calls taking screenshots
- Data from local system mitigation: monitor for commands such as dir, find, tree, locate; monitor for excessive usage of commands in CMD and powershell related to exfiltration
Command and control:
- Application layer using protocols like http, https, dns
- Cobalt strike is an example of a C2 application
  - Mitigation: NIDS/NIPS, monitor network data flows
- Web service: legit web services may be used for C2
- Nonstandard ports: C2 typically uses ports that aren't associated with services
  - Mitigation: restrict proxies/firewall ports for outbound connections, packet inspection
Exfiltration:
- Exfil Over C2 Channel
  - Mitigation: frequency analysis
- Scheduled transfer
  - Mitigation: NIPS/NIDS
Impact:
- EG disrupting availability and intergrity
  - Account access removal:
  - Deleting or locking accounts
  - Password changes
  - Mitigation: windows log monitoring, baseline comparison
  - Defacement:
  - Delivering messaging,
  - Intimidation
  - Claiming credit for an intrusion
  - Mitigation: revert to latest backup, WAF to monitor websites, defend against SQL injection and cross site scripting
  - Data encryption (eg ransomware):
  - Mitigations: data backups, monitor specific command-line usages such as vssadmin, wbadmin, bcdedit

PreviousNetwork Analysis Nextpost-incident

Last updated 2 years ago

MITRE ATT&CK Framework Stages:
- MITRE ATT&CK Navigator:
Initial access 9 techniques:
Execution technique examples:
- Administrative feature of windows, WMI service used for local and remote access to SMB and the Remote Procedure Call Service (RPCS), MITRE provides specific identification of WMI
Persistence examples:
- - EG SSH, FTP, VPN
Privilege escalation examples:
- - Obtaining valid accounts (eg via phishing)
Defense evasion:
- Ways that adversaries will work to evade or disable security defenses such as antivirus, endpoint detection and response, logging, and human analysts
- Impair defenses: disrupting operation of security tools (eg SIEM)
  - Disable of Modify Tools
  - Disable Windows Event Logging
  - HISTCONTROL (used to not log command history) which affects ~/.bash_history
  - Disable or Modify System Firewall
  - Indicator Blocking
  - Disable or Modify Cloud Firewall
- Indicator removal:
  - Deleting bash history
  - Deleting files
  - Deleting raw log files
  - Timestomping
Credential access:
- - LSASS Memory: credentials stored in memory, eg using Mimikatz
  - Monitor lsass.exe in Windows
  - Use AuditD for Linux
  - /etc/passwd /etc/shadow: dumping /etc/passwd and /etc/shadow (only accessible by root) files for password cracking
- - Hashcat can be used to attack encrupted passwords using brute force:
  - Mitigations: account lockout policies, better passwords, MFA, log monitoring
Discovery:
- Account discovery:
  - Local accounts: net user and net localgroup (windows), id and groups (MacOS), /etc/passwd using cat, string or head (Linux)
  - Domain accounts: net user /domain and net group domain (windows), dscacheutil -q group (MacOS), ldapsearch (linux)
  - Email and cloud accounts
  - Mitigations: disable the registry key to prevent administrator accounts from being enumerated, group policy can force this change network-wide
- Network service discovery
- File and directory discovery
- Lateral movement:
  - Enumerating internal remote services, eg:
    Remote Desktop Protocol (RDP)
    SMB/Windows Admin Shares
    Distributed Component Object Model
    SSH
    VNC
    Windows Remote Management (WINRM)
    Mitigating enumeration: use MFA, monitor timelines of logon activity
  - Internal spearphishing, eg using a script to email other users from a compromised systems emali client
    Scan eamil/attachments for mitigation
Collection:
- Email collection
- Audio capture
- Screen capture
- Data from local system
- Mitigations: audit, encryption, MFA, monitor api calls releated to system audio, monitor unusual processes that access microphones, API calls taking screenshots
- Data from local system mitigation: monitor for commands such as dir, find, tree, locate; monitor for excessive usage of commands in CMD and powershell related to exfiltration
Command and control:
- Application layer using protocols like http, https, dns
- Cobalt strike is an example of a C2 application
  - Mitigation: NIDS/NIPS, monitor network data flows
- Web service: legit web services may be used for C2
- Nonstandard ports: C2 typically uses ports that aren't associated with services
  - Mitigation: restrict proxies/firewall ports for outbound connections, packet inspection
Exfiltration:
- Exfil Over C2 Channel
  - Mitigation: frequency analysis
- Scheduled transfer
  - Mitigation: NIPS/NIDS
Impact:
- EG disrupting availability and intergrity
  - Account access removal:
  - Deleting or locking accounts
  - Password changes
  - Mitigation: windows log monitoring, baseline comparison
  - Defacement:
  - Delivering messaging,
  - Intimidation
  - Claiming credit for an intrusion
  - Mitigation: revert to latest backup, WAF to monitor websites, defend against SQL injection and cross site scripting
  - Data encryption (eg ransomware):
  - Mitigations: data backups, monitor specific command-line usages such as vssadmin, wbadmin, bcdedit