ATT&CK Updates- Defensive ATT&CK
- 1. Defensive ATT&CK Updates
Lex Crumpton
ATT&CK Defensive Lead
@LexOnTheHunt
©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 22-00706-26
- 2. Who am I
• Lead Cybersecurity Engineer
• Former Exploitation Developer…turned blue…never looked back
• Manage some things:
• Digital Forensics Teams
• Threat Hunting Teams
• Detection Teams
• My Canine Child
• My Chaotic Workaholic Lifestyle :)
- 3. What is Defensive ATT&CK?
• Mitigations
• Data Sources:Components
• Detections
• Cyber Analytic Repository (CAR)
- 4. 2021
ID | Data Source | Data Component | Detections
DS0017 | Command | Command Execution | Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS), such as procdump -ma lsass.exe lsass_dump
DS0009 | Process | OS API Execution | Monitor for API calls that may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).
DS0009 | Process | Process Access | Monitor for unexpected processes interacting with LSASS.exe. Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of compromise.
DS0009 | Process | Process Creation | Monitor newly executed processes that may be indicative of credential dumping, such as procdump.
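The data components in the 2021 table map directly onto detection logic. The block below is an added example, not MITRE or ATT&CK code: it runs the Command Execution, Process Creation and Process Access checks over constructed Sysmon-style ProcessCreate (Event ID 1) and ProcessAccess (Event ID 10) records. The allowlist of processes expected to open LSASS, the comsvcs.dll MiniDump command-line pattern (an extra case beyond the table's procdump example), and the PROCESS_VM_READ access-mask check are assumptions to tune per environment. OS API Execution is left out because it needs an API-level sensor rather than these log records.

```python
"""Detection logic for LSASS memory credential dumping (added example, not
MITRE/ATT&CK code). Records are constructed Sysmon-style dictionaries."""
import re

# PROCESS_VM_READ (0x0010) is needed to read another process's memory, so its
# presence in GrantedAccess is the signal here; masks seen from dumpers such as
# 0x1010 and 0x1FFFFF all include it. (Assumption: tune the mask per environment.)
PROCESS_VM_READ = 0x0010

# Processes that legitimately open lsass.exe on a typical host (placeholder
# allowlist, an assumption; build yours from a baseline of your own fleet).
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Command-line patterns: the table's procdump -ma lsass.exe case, plus the
# rundll32 comsvcs.dll MiniDump variant (assumed extra case).
CMDLINE_PATTERNS = [
    re.compile(r"procdump(64)?(\.exe)?\s+.*-ma\s+lsass(\.exe)?", re.I),
    re.compile(r"comsvcs(\.dll)?[ ,]+MiniDump", re.I),
]

# Image names whose mere execution is worth an alert (assumed list).
DUMPER_IMAGES = {"procdump.exe", "procdump64.exe", "mimikatz.exe"}


def detect_command_execution(rec):
    """DS0017 Command Execution: dumper command lines in ProcessCreate events."""
    if rec.get("EventID") != 1:
        return None
    cmd = rec.get("CommandLine", "")
    for pat in CMDLINE_PATTERNS:
        if pat.search(cmd):
            return f"command_execution: {cmd}"
    return None


def detect_process_creation(rec):
    """DS0009 Process Creation: newly executed known dumper binaries."""
    if rec.get("EventID") != 1:
        return None
    image = rec.get("Image", "").lower().rsplit("\\", 1)[-1]
    if image in DUMPER_IMAGES:
        return f"process_creation: {rec.get('Image')}"
    return None


def detect_process_access(rec):
    """DS0009 Process Access: non-allowlisted process opening lsass.exe with
    read rights (ProcessAccess event, Sysmon Event ID 10)."""
    if rec.get("EventID") != 10:
        return None
    if not rec.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = rec.get("SourceImage", "").lower()
    if source in LSASS_ACCESS_ALLOWLIST:
        return None
    granted = int(rec.get("GrantedAccess", "0x0"), 16)
    if granted & PROCESS_VM_READ:
        return f"process_access: {rec.get('SourceImage')} -> lsass.exe ({hex(granted)})"
    return None


DETECTORS = (detect_command_execution, detect_process_creation, detect_process_access)


def run_detections(records):
    """Apply every detector to every record; return the list of alert strings."""
    alerts = []
    for rec in records:
        for detector in DETECTORS:
            hit = detector(rec)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"EventID": 1, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -ma lsass.exe lsass_dump"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\mimi.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\temp\notes.txt"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_RECORDS):
        print(alert)
```

The allowlisted csrss.exe access and the taskmgr.exe query without PROCESS_VM_READ produce no alert, which is the point of checking the access mask rather than every handle to LSASS; everything else in the sample fires one of the three detectors.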
- 5. 2022
COMING SOON
- 8. Looking towards the future…
• Detections: 2022
• Cyber Analytic Repository