MITRE ATT&CK Framework

Last updated 2 years ago

  • MITRE ATT&CK Framework stages: https://attack.mitre.org/matrices/enterprise/

    • MITRE ATT&CK Navigator: https://mitre-attack.github.io/attack-navigator/

  • Initial access (9 techniques):

    • Drive-by Compromise
    • Exploit Public-Facing Application
    • External Remote Services
    • Hardware Additions
    • Phishing
    • Replication Through Removable Media
    • Supply Chain Compromise
    • Trusted Relationship
    • Valid Accounts

  • Execution technique examples (https://attack.mitre.org/tactics/TA0002/):

    • Windows Management Instrumentation (WMI): an administrative feature of Windows; the WMI service is used for local and remote access over SMB and the Remote Procedure Call Service (RPCS). MITRE provides specific identification of WMI.
    • User Execution

  • Persistence examples (https://attack.mitre.org/tactics/TA0003/):

    • Boot or Logon Autostart Execution
    • External Remote Services, e.g. SSH, FTP, VPN

  • Privilege escalation examples (https://attack.mitre.org/tactics/TA0004/):

    • Valid Accounts: obtaining valid accounts (e.g. via phishing)
    • Exploitation for Privilege Escalation

  • Defense evasion (https://attack.mitre.org/tactics/TA0005/):

    • Ways that adversaries work to evade or disable security defenses such as antivirus, endpoint detection and response, logging, and human analysts
    • Impair defenses: disrupting the operation of security tools (e.g. a SIEM)
      • Disable or Modify Tools
      • Disable Windows Event Logging
      • HISTCONTROL (used to stop command history being logged), which affects ~/.bash_history
      • Disable or Modify System Firewall
      • Indicator Blocking
      • Disable or Modify Cloud Firewall
    • Indicator removal:
      • Deleting bash history
      • Deleting files
      • Deleting raw log files
      • Timestomping

  • Credential access (https://attack.mitre.org/tactics/TA0006/):

    • OS Credential Dumping:
      • LSASS Memory: credentials stored in memory, e.g. dumped using Mimikatz
        • Monitor lsass.exe in Windows
        • Use auditd for Linux
      • /etc/passwd and /etc/shadow: dumping the /etc/passwd and /etc/shadow (only accessible by root) files for password cracking
    • Brute Force:
      • Hashcat (https://hashcat.net/hashcat/) can be used to attack encrypted passwords using brute force
      • Mitigations: account lockout policies, better passwords, MFA, log monitoring

  • Discovery (https://attack.mitre.org/tactics/TA0007/):

    • Account discovery:
      • Local accounts: net user and net localgroup (Windows); id and groups (macOS); /etc/passwd using cat, strings or head (Linux)
      • Domain accounts: net user /domain and net group /domain (Windows); dscacheutil -q group (macOS); ldapsearch (Linux)
      • Email and cloud accounts
      • Mitigations: disable the registry key to prevent administrator accounts from being enumerated; group policy can force this change network-wide
    • Network service discovery
    • File and directory discovery

  • Lateral movement (https://attack.mitre.org/tactics/TA0008/):

    • Enumerating internal remote services, e.g.:
      • Remote Desktop Protocol (RDP)
      • SMB/Windows Admin Shares
      • Distributed Component Object Model (DCOM)
      • SSH
      • VNC
      • Windows Remote Management (WinRM)
      • Mitigating enumeration: use MFA, monitor timelines of logon activity
    • Internal spearphishing, e.g. using a script to email other users from a compromised system's email client
      • Mitigation: scan email and attachments

  • Collection (https://attack.mitre.org/tactics/TA0009/):

    • Email collection
    • Audio capture
    • Screen capture
    • Data from local system
    • Mitigations: audit, encryption, MFA; monitor API calls related to system audio; monitor unusual processes that access microphones; monitor API calls that take screenshots
    • Data from local system mitigation: monitor for commands such as dir, find, tree, locate; monitor for excessive usage of commands in CMD and PowerShell related to exfiltration

  • Command and control (https://attack.mitre.org/tactics/TA0011/):

    • Application layer protocol: C2 over protocols like HTTP, HTTPS, DNS
    • Cobalt Strike is an example of a C2 application
      • Mitigation: NIDS/NIPS, monitor network data flows
    • Web service: legitimate web services may be used for C2
    • Non-standard ports: C2 typically uses ports that aren't associated with services
      • Mitigation: restrict proxy/firewall ports for outbound connections, packet inspection

  • Exfiltration (https://attack.mitre.org/tactics/TA0010/):

    • Exfiltration over C2 channel
      • Mitigation: frequency analysis
    • Scheduled transfer
      • Mitigation: NIPS/NIDS

  • Impact (https://attack.mitre.org/tactics/TA0040/):

    • E.g. disrupting availability and integrity
    • Account access removal:
      • Deleting or locking accounts
      • Password changes
      • Mitigation: Windows log monitoring, baseline comparison
    • Defacement:
      • Delivering messaging
      • Intimidation
      • Claiming credit for an intrusion
      • Mitigation: revert to the latest backup, WAF to monitor websites, defend against SQL injection and cross-site scripting
    • Data encryption (e.g. ransomware):
      • Mitigations: data backups; monitor specific command-line usages such as vssadmin, wbadmin, bcdedit
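Added example (not code from the original page or from MITRE) covering the two command-line monitoring mitigations above: the Collection note about excessive dir/find/tree/locate usage, and the Impact note about vssadmin, wbadmin and bcdedit. It runs over constructed process-creation records in an assumed `timestamp|host|user|cmdline` format; the pattern list, the burst threshold of 4 and the 5-minute window are assumptions to tune against your own telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for recovery tampering (vssadmin / wbadmin / bcdedit misuse).
RECOVERY_TAMPER = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]
# Discovery commands named on the page (dir, find, tree, locate) plus net user/localgroup.
DISCOVERY = re.compile(r"^\s*(dir|find|tree|locate|net\s+(user|localgroup))\b", re.I)

def parse_event(line):
    """Parse one 'ts|host|user|cmdline' process-creation record (constructed format)."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}

def recovery_tampering(events):
    """Return (host, cmd) for each event whose command line matches a tampering pattern."""
    return [(e["host"], e["cmd"]) for e in events
            if any(p.search(e["cmd"]) for p in RECOVERY_TAMPER)]

def discovery_bursts(events, threshold=4, window=timedelta(minutes=5)):
    """Return hosts that ran at least `threshold` discovery commands within any `window`."""
    per_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if DISCOVERY.match(e["cmd"]):
            per_host[e["host"]].append(e["ts"])
    hits = set()
    for host, times in per_host.items():
        start = 0                      # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(host)
    return sorted(hits)
# Constructed sample records, not real telemetry.
SAMPLE = """2024-05-01T09:00:01|WS01|alice|dir C:\\Users\\alice\\Documents
2024-05-01T09:00:20|WS01|alice|tree C:\\ /f
2024-05-01T09:01:05|WS01|alice|net user
2024-05-01T09:01:40|WS01|alice|net localgroup administrators
2024-05-01T09:31:00|WS02|bob|dir
2024-05-01T10:15:00|WS01|alice|vssadmin.exe Delete Shadows /All /Quiet
2024-05-01T10:15:02|WS01|alice|bcdedit /set {default} recoveryenabled No
2024-05-01T10:15:05|WS01|alice|wbadmin delete catalog -quiet""".splitlines()
EVENTS = [parse_event(line) for line in SAMPLE]
```

Benign uses such as `vssadmin list shadows` are deliberately not matched, so alerting keys on the destructive sub-commands rather than on the binary name alone.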