©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6.
ATT&CKing Your Adversaries
Operationalizing cyber intelligence in your own environment for
better sleep and a safer tomorrow
Introductions
▪ Jamie Williams (@jamieantisocial)
  ▪ Cyber adversarial engineer
  ▪ Adversary emulation + behavior detection research
▪ Sarah Yoder (@sarah__yoder)
  ▪ Cyber security engineer
  ▪ Cyber threat intelligence + red teaming
▪ ATT&CK & ATT&CK Evaluations (@MITREattack)
If You Were at 2018 BSidesLV
ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK™
Slides available at https://www.slideshare.net/KatieNickels/bsideslv-2018-katie-nickels-and-john-wunder-attcking-the-status-quo
Agenda
▪ Intelligence
▪ Behaviors
▪ Detections
▪ Emulations
Intelligence to Behaviors
What is Cyber Threat Intelligence?
"Cyber threat intelligence (CTI) is the process of analyzing information about adversaries, as well as the output of that analysis, in a way that can be applied to help network defenders and decisionmakers"
https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/using-attck-to-advance-cyber-threat
Where Does It Come From?
▪ Internal Reporting
▪ Open Source
▪ Finished Reporting
▪ Indicators
All this information can become overwhelming! But fear not, ATT&CK can help!
▪ Knowledge base of adversary behaviors
▪ Threat-informed defense
▪ Based on real-world observations
▪ References to publicly reported intelligence
▪ Free, open, and globally accessible: attack.mitre.org
▪ Community contribution driven: attack@mitre.org, @MITREattack
ATT&CK Structure
▪ Tactics: the adversary's technical goals (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact, …)
▪ Techniques: how the goals are achieved
▪ Procedures: specific technique implementations
What is a Behavior?
▪ More than hash values, signatures, IPs, etc.
▪ Think ATT&CK structure
  ▪ Tactic (Why)
  ▪ Technique (How)
  ▪ Procedure (What)
Finding Behaviors in Finished Reporting
https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging
Mapping the Behaviors to ATT&CK
1. Start with the Tactic: the SynAck behaviors in the report fall under Defense Evasion, Discovery, and Impact
2. Move onto Techniques:
  ▪ Defense Evasion | Obfuscated Files or Information (T1027) (two separate behaviors)
  ▪ Defense Evasion | Execution Guardrails (T1480)
  ▪ Defense Evasion | Virtualization/Sandbox Evasion (T1497)
  ▪ Discovery | File and Directory Discovery (T1083)
  ▪ Discovery | Process Discovery (T1057)
  ▪ Discovery | System Service Discovery (T1007)
  ▪ Impact | Data Encrypted for Impact (T1486)
https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging
SynAck (S0242)
https://attack.mitre.org/software/S0242/
Behaviors to Detections
Understanding the Behavior
▪ Stages of a behavior
  1. Prerequisites – What does execution require?
  2. Mechanics – What does execution involve?
  3. Artifacts – What does execution leave behind?
▪ Critical when considering detection
▪ Example event artifacts: Driver loaded, Image loaded, Process creation, ProcessAccess, CreateRemoteThread, Network connection, FileCreate, RegistryEvent
Let's Pick One Behavior to Focus On
https://attack.mitre.org/software/S0242/
Understanding Process Doppelgänging
▪ Originally presented at Black Hat Europe 2017
▪ Based on deprecated transactional NTFS (TxF)
▪ Loads and executes arbitrary code in a legitimate process
▪ Avoids typical process injection/hollowing mechanics and AV scans (no disk writes)
▪ Uses an undocumented process creation API (Zw/NtCreateProcessEx) to execute from a memory section rather than from disk
https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
Understanding Process Doppelgänging (steps)
1. Transact – overwrite the legitimate target file with the malicious file inside an NTFS transaction
2. Load – load the target file (the transacted, malicious content)
3. Rollback – undo the write from step 1; the legitimate file on disk is untouched
4. Animate – execute the file loaded in step 2
Changes are only visible within the transaction.
Understanding Process Doppelgänging (detection guidance from ATT&CK T1186)
▪ Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory.
▪ Scan file objects reported during the PsSetCreateProcessNotifyRoutine, which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. Also consider comparing file objects loaded in memory to the corresponding file on disk.
▪ Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.
https://attack.mitre.org/techniques/T1186
Data sources for the T1186 detection guidance: API Monitoring, Process Monitoring, File Monitoring
Detections to Emulations
Emulating Process Doppelgänging
▪ PoC available from Ruben Boonen (@FuzzySec)
  ▪ github.com/FuzzySecurity/PowerShell-Suite
  ▪ Start-Eidolon.ps1
▪ Windows API (T1106) via PowerShell (T1086)
Emulating Process Doppelgänging
Start-Eidolon -Target Calc.exe -Mimikatz -Verbose
Detecting Emulation – Sysmon
Detecting Emulation – ETW
https://www.countercept.com/blog/detecting-malicious-use-of-net-part-1
https://github.com/fireeye/pywintrace
Detecting Emulation – ProcMon
Detecting Emulation – Windows Event
▪ Security Event Log ID 4985 - The state of a transaction has changed
Detecting Emulation – Wrap up
▪ Data sources that observed the emulation: NTFS file events (ProcMon), process creation (Sysmon), API calls (ETW), Windows Event log
▪ Be wary of costs and tradeoffs between data sources
▪ Capture and share analytic knowledge
  ▪ CAR, Sigma, EQL, etc.
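As an added example (not part of the slides and not MITRE's code), the following Python correlates the three data sources from the wrap-up (API calls, process creation, Security Event ID 4985) over constructed telemetry, applying the T1186 guidance quoted earlier: TxF calls alone are not flagged, the combination with the undocumented loader calls in one process is. The pipe-delimited record format and the attribution of Sysmon ProcessCreate events to the parent PID are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Rarely used TxF functions and undocumented loader calls named in ATT&CK T1186.
TXF_APIS = {"CreateTransaction", "CreateFileTransacted", "RollbackTransaction"}
LOADER_APIS = {"NtCreateProcessEx", "NtCreateThreadEx"}


@dataclass
class Event:
    ts: float     # seconds since capture start
    source: str   # "etw" (API Monitoring), "sysmon" (Process Monitoring), "seclog" (Windows Event log)
    pid: int      # process the event is attributed to (Sysmon ProcessCreate: the parent PID)
    kind: str     # API name, "ProcessCreate", or Security event ID such as "4985"
    detail: str = ""


def parse_line(line: str) -> Event:
    """Parse one constructed 'ts|source|pid|kind|detail' record (assumed format)."""
    ts, source, pid, kind, detail = line.split("|", 4)
    return Event(float(ts), source, int(pid), kind, detail)


@dataclass
class Finding:
    pid: int
    txf_apis: set = field(default_factory=set)
    loader_apis: set = field(default_factory=set)
    transaction_events: int = 0                      # Security Event ID 4985 hits
    created_images: list = field(default_factory=list)
    score: int = 0


def detect(lines, window: float = 10.0) -> list:
    """Group events by PID; flag PIDs whose events, within `window` seconds of
    that PID's first event, show both TxF API use and the undocumented loader.
    Event ID 4985 and a resulting ProcessCreate add corroboration to the score."""
    by_pid = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if raw:
            ev = parse_line(raw)
            by_pid[ev.pid].append(ev)

    findings = []
    for pid, events in by_pid.items():
        events.sort(key=lambda e: e.ts)
        start = events[0].ts
        f = Finding(pid=pid)
        for ev in events:
            if ev.ts - start > window:
                break
            if ev.source == "etw" and ev.kind in TXF_APIS:
                f.txf_apis.add(ev.kind)
            elif ev.source == "etw" and ev.kind in LOADER_APIS:
                f.loader_apis.add(ev.kind)
            elif ev.source == "seclog" and ev.kind == "4985":
                f.transaction_events += 1
            elif ev.source == "sysmon" and ev.kind == "ProcessCreate":
                f.created_images.append(ev.detail)
        # Core rule: TxF activity by itself is legitimate (Windows components use
        # it); the combination with Nt* loader calls in one process is what matters.
        if f.txf_apis and f.loader_apis:
            f.score = 2 + (1 if f.transaction_events else 0) + (1 if f.created_images else 0)
            findings.append(f)
    return findings


# Constructed telemetry (not real captures): PID 4242 walks transact -> load ->
# rollback -> animate; PID 999 only uses TxF and must not be flagged.
SAMPLE_LOG = """
1.00|etw|4242|CreateTransaction|
1.01|seclog|4242|4985|State=Active
1.02|etw|4242|CreateFileTransacted|C:\\Windows\\System32\\calc.exe
1.03|etw|4242|NtCreateProcessEx|FromSection
1.04|etw|4242|RollbackTransaction|
1.05|seclog|4242|4985|State=RolledBack
1.06|sysmon|4242|ProcessCreate|Image=C:\\Windows\\System32\\calc.exe ChildPid=5120
1.07|etw|4242|NtCreateThreadEx|
2.00|etw|999|CreateTransaction|
2.10|etw|999|CreateFileTransacted|C:\\Temp\\install.log
2.20|etw|999|RollbackTransaction|
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.splitlines()):
        print(f"PID {hit.pid}: score={hit.score} txf={sorted(hit.txf_apis)} "
              f"loader={sorted(hit.loader_apis)} 4985x{hit.transaction_events} "
              f"created={hit.created_images}")
```

The window and score weights are illustrative; in a real pipeline the PID join would use the ETW process ID, Sysmon ParentProcessId and the 4985 event's process fields.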
Expanding Emulation
https://github.com/mitre/caldera
CALDERA
1. Add our payload (Start-Eidolon.ps1) in payloads
2. Add a new ability
3. Add a new adversary
https://github.com/mitre/caldera
Emulate Entire Operation
https://github.com/mitre/caldera
Important Takeaways
▪ Understand adversary behaviors
  ▪ Where you can get this intel
  ▪ What (procedure) they do as well as why (tactic) and how (technique)
▪ Emulate adversary behaviors
  ▪ Vary procedures for different impressions
▪ Understand defenses and how they apply to your environment and organization
  ▪ Recognize additional opportunities based on specific procedures
  ▪ Be wary of building analytics rather than just enabling visibility (cost)
attack.mitre.org
medium.com/mitre-attack
attack@mitre.org
@MITREattack
@sarah__yoder
@jamieantisocial