Threat-Based Adversary Emulation with MITRE ATT&CK

1. ©2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19. ATT&CKing the Status Quo: Threat- Based Adversary Emulation with MITRE ATT&CK™ Katie Nickels Cody Thomas SANS Threat Hunting & Incident Response Summit September 6, 2018 | 1 |

2. How we define threat hunting | 2 | “Human act of looking for badness that is not yet detected successfully.” -Sergio Caltagirone Problem: I need a threat to hunt for! Solution: Create one by emulating real adversaries. © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

3. Tough questions for defenders ▪ How do I organize threat hunting? ▪ How do I know that my hunting techniques will work? ▪ Do I have a chance at detecting APT28? ▪ Is the data I’m collecting useful? ▪ Do I have overlapping tool coverage? ▪ Will this *shiny new* product from vendor XYZ help my organization’s defenses? | 3 | © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

4. The difficult task of detecting TTPs Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html David Bianco’s Pyramid of Pain | 4 | Also applies to red teamers! © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

5. | 5 | What is ? A knowledge base of adversary behavior ➢ Based on real-world observations ➢ Free, open, and globally accessible ➢ A common language ➢ Community-driven © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

6. Zooming in on the Adversary Lifecycle | 6 | Recon Weaponize Deliver Exploit Control Execute Maintain Enterprise Mobile ATT&CK © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

7. Hardware Additions Scheduled Task Binary Padding Credentials in Registry Browser Bookmark Discovery Exploitation of Remote Services Data from Information Repositories Exfiltration Over Physical Medium Remote Access Tools Trusted Relationship LSASS Driver Extra Window Memory Injection Exploitation for Credential Access Port Knocking Supply Chain Compromise Local Job Scheduling Access Token Manipulation Network Share Discovery Distributed Component Object Model Video Capture Exfiltration Over Command and Control Channel Multi-hop Proxy Trap Bypass User Account Control Forced Authentication Audio Capture Domain Fronting Spearphishing Attachment Launchctl Process Injection Hooking Peripheral Device Discovery Remote File Copy Automated Collection Data Encoding Signed Binary Proxy Execution Image File Execution Options Injection Password Filter DLL Pass the Ticket Clipboard Data Data Encrypted Remote File Copy Exploit Public-Facing Application Plist Modification LLMNR/NBT-NS Poisoning File and Directory Discovery Replication Through Removable Media Email Collection Automated Exfiltration Multi-Stage Channels User Execution Valid Accounts Screen Capture Exfiltration Over Other Network Medium Web Service Replication Through Removable Media Exploitation for Client Execution DLL Search Order Hijacking Private Keys Permission Groups Discovery Windows Admin Shares Data Staged Standard Non-Application Layer Protocol AppCert DLLs Signed Script Proxy Execution Keychain Pass the Hash Input Capture Exfiltration Over Alternative Protocol Spearphishing via Service CMSTP Hooking Input Prompt Process Discovery Third-party Software Data from Network Shared DriveDynamic Data Exchange Startup Items DCShadow Bash History System Network Connections Discovery Shared Webroot Data Transfer Size Limits Connection Proxy Spearphishing Link Mshta Launch Daemon Port Knocking Two-Factor Authentication Interception Logon Scripts Data from Local System Multilayer Encryption Drive-by Compromise AppleScript Dylib Hijacking Indirect Command Execution System Owner/User Discovery Windows Remote Management Man in the Browser Data Compressed Standard Application Layer ProtocolValid Accounts Source Application Shimming Data from Removable Media Scheduled Transfer Space after Filename AppInit DLLs BITS Jobs Replication Through Removable Media System Network Configuration Discovery Application Deployment Software Commonly Used Port Execution through Module Load Web Shell Control Panel Items Standard Cryptographic Protocol Service Registry Permissions Weakness CMSTP Input Capture Application Window Discovery SSH Hijacking AppleScript Custom Cryptographic Protocol Regsvcs/Regasm New Service Process Doppelgänging Network Sniffing InstallUtil File System Permissions Weakness Mshta Credential Dumping Password Policy Discovery Taint Shared Content Regsvr32 Path Interception Hidden Files and Directories Kerberoasting Remote Desktop Protocol Data Obfuscation Execution through API Accessibility Features Securityd Memory System Time Discovery Custom Command and Control ProtocolPowerShell Port Monitors Space after Filename Brute Force Account Discovery Remote Services Rundll32 Kernel Modules and Extensions Sudo Caching LC_MAIN Hijacking Account Manipulation System Information Discovery Communication Through Removable Media Third-party Software SID-History Injection HISTCONTROL Credentials in Files Scripting Port Knocking Sudo Hidden Users Security Software DiscoveryGraphical User Interface SIP and Trust Provider Hijacking Setuid and Setgid Clear Command History Multiband Communication Command-Line Interface Exploitation for Privilege Escalation Gatekeeper Bypass Network Service ScanningScreensaver Hidden Window Fallback Channels Service Execution Browser Extensions Deobfuscate/Decode Files or Information Remote System Discovery Uncommonly Used Port Windows Remote Management Re-opened Applications Rc.common Trusted Developer Query Registry | 7 | Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command & Control What is ATT&CK, really? Tactics: the adversary’s technical goals Techniques:howthegoalsare achieved Procedures – Specific technique implementation © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

8. Example Technique: New Service | 8 | Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. […] Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools. 1 Platform: Windows Permissions required: Administrator, SYSTEM Effective permissions: SYSTEM Detection: • Monitor service creation through changes in the Registry and common utilities using command-line invocation • … Mitigation: • Limit privileges of user accounts and remediate Privilege Escalation vectors • … Data sources: Windows registry, process monitoring, command-line parameters Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, … References: 1. Microsoft. (n.d.). Services. Retrieved June 7, 2016. © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

9. Example Group: APT28 | 9 | Description: APT28 is a threat group that has been attributed to the Russian government.1 2 3 4 This group reportedly compromised the Democratic National Committee in April 2016.5 Aliases: Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group- 4127, TG-4127 1 2 3 4 5 6 7 Techniques: • Data Obfuscation 1 • Connection Proxy 1 8 • Standard Application Layer Protocol 1 • Remote File Copy 8 9 • Rundll32 8 9 • Indicator Removal on Host 5 • Timestomp5 • Credential Dumping 10 • Screen Capture 10 11 • Bootkit 7 and more… Software: CHOPSTICK, JHUHUGIT, ADVSTORESHELL, XTunnel, Mimikatz, HIDEDRV, USBStealer, CORESHELL, OLDBAIT, XAgentOSX, Komplex, Responder, Forfiles, Winexe, certutil 1 3 6 References: 1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. … © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

10. How to use it: threat-informed defense, but for real Threat Intel Detection Adversary Emulation Hunting © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

11. What is adversary emulation? • AKA: Threat-based red teaming • Adversary emulation • Emulate the techniques of an adversary that’s most likely to target your environment • Focus on the behaviors of those techniques instead of specific implementations https://giphy.com/explore/hackerman https://tenor.com/view/hackerman-transformation-kung-fury-kung-fury-gif-7263543 © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

12. Step 1: Choose an adversary and gather threat intel ▪ Identify the adversary you want to emulate – Consider who’s targeting you and gaps you’re trying to assess ▪ Gather data about that adversary – Look for post-exploit information – Consider their tools, aliases, and campaigns – Think about the time frame Gather threat intel Extract techniques Analyze & organize Develop tools Emulate the adversary © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

13. Initial Access rive y Compromise E ploit u lic acing pplication ardware dditions eplication hrough emova le edia pearphishing ttachment pearphishing ink pearphishing via ervice upply Chain Compromise rusted elationship alid ccounts ecution pple cript C Command ine nterface Control anel tems ynamic ata E change E ecution through E ecution through odule oad E ploitation for Client E ecution raphical ser nterface nstall til aunchctl ocal o cheduling river shta ower hell egsvcs egasm egsvr undll cheduled ask cripting ervice E ecution igned inary ro y E ecution igned cript ro y E ecution ource pace after ilename hird party oftware rap rusted eveloper tilities ser E ecution indows anagement nstrumentation indows emote anagement Persistence ash profile and ashrc ccessi ility eatures ppCert s pp nit s pplication himming uthentication ackage o s ootkit rowser E tensions Change efault ile ssociation Component irmware Component ect odel i acking Create ccount earch rder i acking yli i acking E ternal emote ervices ile ystem ermissions eakness idden iles and irectories ooking ypervisor mage ile E ecution ptions n ection ernel odules and E tensions aunch gent aunch aemon aunchctl C ddition ocal o cheduling ogin tem ogon cripts river odify E isting ervice etsh elper ew ervice ffice pplication tartup ath nterception list odification ort nocking Privilege scalation ccess oken anipulation ccessi ility eatures ppCert s pp nit s pplication himming ypass ser ccount Control earch rder i acking yli i acking E ploitation for rivilege Escalation E tra indow emory n ection ile ystem ermissions eakness ooking mage ile E ecution ptions n ection aunch aemon ew ervice ath nterception list odification ort onitors rocess n ection cheduled ask ervice egistry ermissions eakness etuid and etgid istory n ection tartup tems udo udo Caching alid ccounts e hell Defense vasion ccess oken anipulation inary adding o s ypass ser ccount Control Clear Command istory C Code igning Component irmware Component ect odel i acking Control anel tems C hadow eo fuscate ecode iles or nformation isa ling ecurity ools earch rder i acking ide oading E ploitation for efense Evasion E tra indow emory n ection ile eletion ile ystem ogical ffsets atekeeper ypass idden iles and irectories idden sers idden indow C mage ile E ecution ptions n ection ndicator locking ndicator emoval from ools ndicator emoval on ost ndirect Command E ecution nstall oot Certificate nstall til aunchctl C i acking asquerading odify egistry shta etwork hare Connection emoval Credential Access ccount anipulation ash istory rute orce Credential umping Credentials in iles Credentials in egistry E ploitation for Credential ccess orced uthentication ooking nput Capture nput rompt er eroasting eychain oisoning etwork niffing assword ilter rivate eys eplication hrough emova le edia ecurityd emory wo actor uthentication nterception Discovery ccount iscovery pplication indow iscovery rowser ookmark iscovery ile and irectory iscovery etwork ervice canning etwork hare iscovery assword olicy iscovery eripheral evice iscovery ermission roups iscovery rocess iscovery uery egistry emote ystem iscovery ecurity oftware iscovery ystem nformation iscovery ystem etwork Configuration iscovery ystem etwork Connections iscovery ystem wner ser iscovery ystem ervice iscovery ystem ime iscovery ateral ovement pple cript pplication eployment oftware istri uted Component ect odel E ploitation of emote ervices ogon cripts ass the ash ass the icket emote esktop rotocol emote ile Copy emote ervices eplication hrough emova le edia hared e root i acking aint hared Content hird party oftware indows dmin hares indows emote anagement Collection udio Capture utomated Collection Clip oard ata ata from nformation epositories ata from ocal ystem ata from etwork hared rive ata from emova le edia ata taged Email Collection nput Capture an in the rowser creen Capture ideo Capture filtration utomated E filtration ata Compressed ata Encrypted ata ransfer i e imits E filtration ver lternative rotocol E filtration ver Command and Control Channel E filtration ver ther etwork edium E filtration ver hysical edium cheduled ransfer Command And Control Commonly sed ort Communication hrough emova le edia Connection ro y Custom Command and Control rotocol Custom Cryptographic rotocol ata Encoding ata fuscation omain ronting all ack Channels ulti hop ro y ulti tage Channels ulti and Communication ultilayer Encryption ort nocking emote ccess ools emote ile Copy tandard pplication ayer rotocol tandard Cryptographic rotocol tandard on pplication ayer rotocol ncommonly sed ort e ervice Choosing an adversary based on gaps | 13 | Notional gaps in defenses © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

14. Initial Access rive y Compromise E ploit u lic acing pplication ardware dditions eplication hrough emova le edia pearphishing ttachment pearphishing ink pearphishing via ervice upply Chain Compromise rusted elationship alid ccounts ecution pple cript C Command ine nterface Control anel tems ynamic ata E change E ecution through E ecution through odule oad E ploitation for Client E ecution raphical ser nterface nstall til aunchctl ocal o cheduling river shta ower hell egsvcs egasm egsvr undll cheduled ask cripting ervice E ecution igned inary ro y E ecution igned cript ro y E ecution ource pace after ilename hird party oftware rap rusted eveloper tilities ser E ecution indows anagement nstrumentation indows emote anagement Persistence ash profile and ashrc ccessi ility eatures ppCert s pp nit s pplication himming uthentication ackage o s ootkit rowser E tensions Change efault ile ssociation Component irmware Component ect odel i acking Create ccount earch rder i acking yli i acking E ternal emote ervices ile ystem ermissions eakness idden iles and irectories ooking ypervisor mage ile E ecution ptions n ection ernel odules and E tensions aunch gent aunch aemon aunchctl C ddition ocal o cheduling ogin tem ogon cripts river odify E isting ervice etsh elper ew ervice ffice pplication tartup ath nterception list odification ort nocking Privilege scalation ccess oken anipulation ccessi ility eatures ppCert s pp nit s pplication himming ypass ser ccount Control earch rder i acking yli i acking E ploitation for rivilege Escalation E tra indow emory n ection ile ystem ermissions eakness ooking mage ile E ecution ptions n ection aunch aemon ew ervice ath nterception list odification ort onitors rocess n ection cheduled ask ervice egistry ermissions eakness etuid and etgid istory n ection tartup tems udo udo Caching alid ccounts e hell Defense vasion ccess oken anipulation inary adding o s ypass ser ccount Control Clear Command istory C Code igning Component irmware Component ect odel i acking Control anel tems C hadow eo fuscate ecode iles or nformation isa ling ecurity ools earch rder i acking ide oading E ploitation for efense Evasion E tra indow emory n ection ile eletion ile ystem ogical ffsets atekeeper ypass idden iles and irectories idden sers idden indow C mage ile E ecution ptions n ection ndicator locking ndicator emoval from ools ndicator emoval on ost ndirect Command E ecution nstall oot Certificate nstall til aunchctl C i acking asquerading odify egistry shta etwork hare Connection emoval Credential Access ccount anipulation ash istory rute orce Credential umping Credentials in iles Credentials in egistry E ploitation for Credential ccess orced uthentication ooking nput Capture nput rompt er eroasting eychain oisoning etwork niffing assword ilter rivate eys eplication hrough emova le edia ecurityd emory wo actor uthentication nterception Discovery ccount iscovery pplication indow iscovery rowser ookmark iscovery ile and irectory iscovery etwork ervice canning etwork hare iscovery assword olicy iscovery eripheral evice iscovery ermission roups iscovery rocess iscovery uery egistry emote ystem iscovery ecurity oftware iscovery ystem nformation iscovery ystem etwork Configuration iscovery ystem etwork Connections iscovery ystem wner ser iscovery ystem ervice iscovery ystem ime iscovery ateral ovement pple cript pplication eployment oftware istri uted Component ect odel E ploitation of emote ervices ogon cripts ass the ash ass the icket emote esktop rotocol emote ile Copy emote ervices eplication hrough emova le edia hared e root i acking aint hared Content hird party oftware indows dmin hares indows emote anagement Collection udio Capture utomated Collection Clip oard ata ata from nformation epositories ata from ocal ystem ata from etwork hared rive ata from emova le edia ata taged Email Collection nput Capture an in the rowser creen Capture ideo Capture filtration utomated E filtration ata Compressed ata Encrypted ata ransfer i e imits E filtration ver lternative rotocol E filtration ver Command and Control Channel E filtration ver ther etwork edium E filtration ver hysical edium cheduled ransfer Command And Control Commonly sed ort Communication hrough emova le edia Connection ro y Custom Command and Control rotocol Custom Cryptographic rotocol ata Encoding ata fuscation omain ronting all ack Channels ulti hop ro y ulti tage Channels ulti and Communication ultilayer Encryption ort nocking emote ccess ools emote ile Copy tandard pplication ayer rotocol tandard Cryptographic rotocol tandard on pplication ayer rotocol ncommonly sed ort e ervice Choosing an adversary based on gaps | 14 | APT29 techniques (based only on open source reporting) © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

15. Initial Access rive y Compromise E ploit u lic acing pplication ardware dditions eplication hrough emova le edia pearphishing ttachment pearphishing ink pearphishing via ervice upply Chain Compromise rusted elationship alid ccounts ecution pple cript C Command ine nterface Control anel tems ynamic ata E change E ecution through E ecution through odule oad E ploitation for Client E ecution raphical ser nterface nstall til aunchctl ocal o cheduling river shta ower hell egsvcs egasm egsvr undll cheduled ask cripting ervice E ecution igned inary ro y E ecution igned cript ro y E ecution ource pace after ilename hird party oftware rap rusted eveloper tilities ser E ecution indows anagement nstrumentation indows emote anagement Persistence ash profile and ashrc ccessi ility eatures ppCert s pp nit s pplication himming uthentication ackage o s ootkit rowser E tensions Change efault ile ssociation Component irmware Component ect odel i acking Create ccount earch rder i acking yli i acking E ternal emote ervices ile ystem ermissions eakness idden iles and irectories ooking ypervisor mage ile E ecution ptions n ection ernel odules and E tensions aunch gent aunch aemon aunchctl C ddition ocal o cheduling ogin tem ogon cripts river odify E isting ervice etsh elper ew ervice ffice pplication tartup ath nterception list odification ort nocking Privilege scalation ccess oken anipulation ccessi ility eatures ppCert s pp nit s pplication himming ypass ser ccount Control earch rder i acking yli i acking E ploitation for rivilege Escalation E tra indow emory n ection ile ystem ermissions eakness ooking mage ile E ecution ptions n ection aunch aemon ew ervice ath nterception list odification ort onitors rocess n ection cheduled ask ervice egistry ermissions eakness etuid and etgid istory n ection tartup tems udo udo Caching alid ccounts e hell Defense vasion ccess oken anipulation inary adding o s ypass ser ccount Control Clear Command istory C Code igning Component irmware Component ect odel i acking Control anel tems C hadow eo fuscate ecode iles or nformation isa ling ecurity ools earch rder i acking ide oading E ploitation for efense Evasion E tra indow emory n ection ile eletion ile ystem ogical ffsets atekeeper ypass idden iles and irectories idden sers idden indow C mage ile E ecution ptions n ection ndicator locking ndicator emoval from ools ndicator emoval on ost ndirect Command E ecution nstall oot Certificate nstall til aunchctl C i acking asquerading odify egistry shta etwork hare Connection emoval Credential Access ccount anipulation ash istory rute orce Credential umping Credentials in iles Credentials in egistry E ploitation for Credential ccess orced uthentication ooking nput Capture nput rompt er eroasting eychain oisoning etwork niffing assword ilter rivate eys eplication hrough emova le edia ecurityd emory wo actor uthentication nterception Discovery ccount iscovery pplication indow iscovery rowser ookmark iscovery ile and irectory iscovery etwork ervice canning etwork hare iscovery assword olicy iscovery eripheral evice iscovery ermission roups iscovery rocess iscovery uery egistry emote ystem iscovery ecurity oftware iscovery ystem nformation iscovery ystem etwork Configuration iscovery ystem etwork Connections iscovery ystem wner ser iscovery ystem ervice iscovery ystem ime iscovery ateral ovement pple cript pplication eployment oftware istri uted Component ect odel E ploitation of emote ervices ogon cripts ass the ash ass the icket emote esktop rotocol emote ile Copy emote ervices eplication hrough emova le edia hared e root i acking aint hared Content hird party oftware indows dmin hares indows emote anagement Collection udio Capture utomated Collection Clip oard ata ata from nformation epositories ata from ocal ystem ata from etwork hared rive ata from emova le edia ata taged Email Collection nput Capture an in the rowser creen Capture ideo Capture filtration utomated E filtration ata Compressed ata Encrypted ata ransfer i e imits E filtration ver lternative rotocol E filtration ver Command and Control Channel E filtration ver ther etwork edium E filtration ver hysical edium cheduled ransfer Command And Control Commonly sed ort Communication hrough emova le edia Connection ro y Custom Command and Control rotocol Custom Cryptographic rotocol ata Encoding ata fuscation omain ronting all ack Channels ulti hop ro y ulti tage Channels ulti and Communication ultilayer Encryption ort nocking emote ccess ools emote ile Copy tandard pplication ayer rotocol tandard Cryptographic rotocol tandard on pplication ayer rotocol ncommonly sed ort e ervice Choosing an adversary based on gaps | 15 | Purple = APT29 techniques that can test our gaps © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

16. Step 2: Extract ATT&CK techniques from reports ▪ Look for behaviors ▪ Store the info in a structured way ▪ Have the threat intel originator do it ▪ Start at the tactic level ▪ Use ATT&CK website examples ▪ Work as a team Gather threat intel Extract techniques Analyze & organize Develop tools Emulate the adversary © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

17. How to extract ATT&CK techniques © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19. https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html T1068 - Exploitation for Privilege Escalation T1059 - Command-Line Interface T1033 - System Owner/User Discovery T1053 - Scheduled Task T1065 - Uncommonly Used Port T1095 - Standard Non-Application Layer Protocol T1104 - Multi-Stage Channels

18. How to extract ATT&CK techniques https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017- evolution_of_pirpi.pdf T1069 - Permission Groups Discovery T1049 - System Network Connections Discovery T1018 - Remote System Discovery T1107 - File Deletion T1057 - Process Discovery T1034 - Path Interception © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

19. Step 3: Analyze and organize techniques and intel ▪ stablish the adversary’s goal ▪ Consider adversary M.O. ▪ Think about the why, what, and how – In ATT&CK: Tactic, Technique, Procedure Gather threat intel Extract techniques Analyze & organize Develop tools Emulate the adversary © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

20. https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html They are extremely proficient at lateral movement … and typically do not reuse command and control infrastructure Analyze intel for adversary M.O. https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/ Buckeye seems to target file and print servers, which makes it likely the group is looking to steal documents The rarsfx archive is created 5-6 months before this attack … used the same rarsfx archive with other payloads before this attack. © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

21. Organize intel into technique flow ▪ Provide order to techniques – Not going to be perfect – Techniques have their own required ordering – Feeds the emulation plan | 21 | © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

22. Organize technique flow into plan phases ▪ This is the hardest part of the puzzle ▪ No plan will be perfect, so approximate where needed ▪ This isn’t a replay of an incident - variation is OK © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

23. ▪ What are the COTS / Open Source tools available? – Can you exhibit the right behaviors with these tools? – Can you extend or modify them? ▪ Do you need to develop something specific? – Delivery mechanisms, Command and Control, Capabilities ▪ Create payloads “inspired by” the adversary’s tradecraft – Modify IoCs and behaviors if possible – Obfuscate with purpose, NOT all the things – “over-o fuscation” is itself suspicious! Step 4: Develop tools to emulate behaviors Gather threat intel Extract techniques Analyze & organize Develop tools Emulate the adversary © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

24. What is behavioral emulation for TTPs? ▪ Performing adversary techniques with variations – dversary created “C:aos.exe” for Priv Esc via path interception ▪ You intercept any service path that runs under higher privileges – dversary used “PSExec” for ateral ovement ▪ ou do it manually with “sc.exe” or via ower hell – dversary runs “whoami” for iscovery ▪ You do it with environment variables “% E %% E E%” © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

25. Defining your toolset ▪ Don’t limit yourself to a single environment or tool – Python, PowerShell, Command-Line, Custom Binary, etc ▪ Do stay within the behavior boundaries © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

26. Create an Adversary Emulation Field Manual ▪ Provides multiple implementations across toolsets ▪ Provides offensive command-line examples ▪ Create this as you go, and use for reference later T1069 - Permission Groups Discovery net localgroup net group /domain wmic group [and more…] © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

27. Step 5: Emulate the adversary ▪ Set up infrastructure and test – Set up C2 servers & redirector, buy domains, test, install ▪ Emulate the adversary! – Follow the adversary M.O. – “ omain dmin” most likely isn’t your goal – eep the “speed of the adversary” in mind ▪ Low and slow vs smash and grab Gather threat intel Extract techniques Analyze & organize Develop tools Emulate the adversary © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

28. In summary… ▪ Test your hunting capabilities with adversary emulation ▪ Use threat intelligence to drive your emulation ▪ Move toward a threat-based defense | 28 | © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

29. Links ▪ ATT&CK – https://attack.mitre.org – github.com/mitre/cti – cti-taxii.mitre.org ▪ ATT&CK Navigator – https://github.com/mitre/attack-navigator – https://mitre.github.io/attack-navigator/enterprise/ ▪ Adversary Emulation Plans – https://attack.mitre.org/wiki/Adversary_Emulation_Plans ▪ CALDERA: Automated Adversary Emulation – https://github.com/mitre/caldera ▪ Cyber Analytic Repository (CAR) – https://car.mitre.org © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

30. | 30 | @likethecoins attack.mitre.org attack@mitre.org @MITREattack Katie Nickels Cody Thomas @its_a_feature_ © 2018 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-1528-19.

Threat-Based Adversary Emulation with MITRE ATT&CK

Threat-Based Adversary Emulation with MITRE ATT&CK

Recommended

More Related Content

What's hot

What's hot(20)

Similar to Threat-Based Adversary Emulation with MITRE ATT&CK

Similar to Threat-Based Adversary Emulation with MITRE ATT&CK(20)

Recently uploaded

Recently uploaded(20)

Threat-Based Adversary Emulation with MITRE ATT&CK