Submit Search
Upload
Emulating an Adversary with Imperfect Intelligence
•
0 likes
•
1,239 views
A
Adam Pennington
Follow
Presented by Adam Pennington in the DEF CON 28 Red Team Village.
Read less
Read more
Technology
Report
Share
Report
Share
1 of 61
Download now
Download to read offline
Recommended
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
Adam Pennington
Becoming a Yogi on Mac ATT&CKwith OceanLotus Postures
Becoming a Yogi on Mac ATT&CKwith OceanLotus Postures
Adam Pennington
Update from the MITRE ATT&CK Team
Update from the MITRE ATT&CK Team
Adam Pennington
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Adam Pennington
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Adam Pennington
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Robert Brandel
Grc f42
Grc f42
SelectedPresentations
When Insiders ATT&CK!
When Insiders ATT&CK!
MITRE ATT&CK
Recommended
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
Adam Pennington
Becoming a Yogi on Mac ATT&CKwith OceanLotus Postures
Becoming a Yogi on Mac ATT&CKwith OceanLotus Postures
Adam Pennington
Update from the MITRE ATT&CK Team
Update from the MITRE ATT&CK Team
Adam Pennington
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Adam Pennington
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Adam Pennington
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Robert Brandel
Grc f42
Grc f42
SelectedPresentations
When Insiders ATT&CK!
When Insiders ATT&CK!
MITRE ATT&CK
State of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power Hour
Adam Pennington
MITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - November
MITRE - ATT&CKcon
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Christopher Korban
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
Christopher Korban
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
Katie Nickels
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
MITRE - ATT&CKcon
Firewall buyers-guide
Firewall buyers-guide
Andy Kwong
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Katie Nickels
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
Katie Nickels
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE - ATT&CKcon
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE - ATT&CKcon
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
JamieWilliams130
What Happens Before the Kill Chain
What Happens Before the Kill Chain
OpenDNS
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
Adam Pennington
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE - ATT&CKcon
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
MITRE - ATT&CKcon
Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...
Duo Security
The Internal Signs of Compromise
The Internal Signs of Compromise
FireEye, Inc.
ATT&CKing with Threat Intelligence
ATT&CKing with Threat Intelligence
Christopher Korban
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
ReZa AdineH
Putting the PRE into ATTACK
Putting the PRE into ATTACK
MITRE - ATT&CKcon
More Related Content
What's hot
State of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power Hour
Adam Pennington
MITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - November
MITRE - ATT&CKcon
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Christopher Korban
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
Christopher Korban
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
Katie Nickels
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
MITRE - ATT&CKcon
Firewall buyers-guide
Firewall buyers-guide
Andy Kwong
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Katie Nickels
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
Katie Nickels
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE - ATT&CKcon
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE - ATT&CKcon
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
JamieWilliams130
What Happens Before the Kill Chain
What Happens Before the Kill Chain
OpenDNS
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
Adam Pennington
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE - ATT&CKcon
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
MITRE - ATT&CKcon
Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...
Duo Security
The Internal Signs of Compromise
The Internal Signs of Compromise
FireEye, Inc.
ATT&CKing with Threat Intelligence
ATT&CKing with Threat Intelligence
Christopher Korban
What's hot
(20)
State of the ATT&CK - ATT&CKcon Power Hour
State of the ATT&CK - ATT&CKcon Power Hour
MITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - November
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Firewall buyers-guide
Firewall buyers-guide
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
What Happens Before the Kill Chain
What Happens Before the Kill Chain
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Security For The People: End-User Authentication Security on the Internet by ...
Security For The People: End-User Authentication Security on the Internet by ...
The Internal Signs of Compromise
The Internal Signs of Compromise
ATT&CKing with Threat Intelligence
ATT&CKing with Threat Intelligence
Similar to Emulating an Adversary with Imperfect Intelligence
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
ReZa AdineH
Putting the PRE into ATTACK
Putting the PRE into ATTACK
MITRE - ATT&CKcon
CyberSecurity Update Slides
CyberSecurity Update Slides
Jim Kaplan CIA CFE
State of the ATTACK
State of the ATTACK
MITRE - ATT&CKcon
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
MITRE ATT&CK
Exploring the Defender's Advantage
Exploring the Defender's Advantage
Raffael Marty
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?)
MITRE ATT&CK
State of the ATT&CK
State of the ATT&CK
MITRE ATT&CK
Hacking3e ppt ch11
Hacking3e ppt ch11
Skillspire LLC
Digitalstakeout Scout Overview
Digitalstakeout Scout Overview
DigitalStakeout
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the Indicator
CrowdStrike
MITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdf
ReZa AdineH
Cybersecurity Slides
Cybersecurity Slides
Jim Kaplan CIA CFE
How Zero Trust Makes the Mission Simple & Secure
How Zero Trust Makes the Mission Simple & Secure
scoopnewsgroup
Cyber 101: An introduction to privileged access management
Cyber 101: An introduction to privileged access management
seadeloitte
Crack the Code
Crack the Code
InnoTech
Cyber security fundamentals (Cantonese)
Cyber security fundamentals (Cantonese)
Cloudflare
State of the ATT&CK May 2023
State of the ATT&CK May 2023
Adam Pennington
Similar to Emulating an Adversary with Imperfect Intelligence
(20)
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
Putting the PRE into ATTACK
Putting the PRE into ATTACK
CyberSecurity Update Slides
CyberSecurity Update Slides
State of the ATTACK
State of the ATTACK
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
Exploring the Defender's Advantage
Exploring the Defender's Advantage
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?)
State of the ATT&CK
State of the ATT&CK
Hacking3e ppt ch11
Hacking3e ppt ch11
Digitalstakeout Scout Overview
Digitalstakeout Scout Overview
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the Indicator
MITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdf
Cybersecurity Slides
Cybersecurity Slides
How Zero Trust Makes the Mission Simple & Secure
How Zero Trust Makes the Mission Simple & Secure
Cyber 101: An introduction to privileged access management
Cyber 101: An introduction to privileged access management
Crack the Code
Crack the Code
Cyber security fundamentals (Cantonese)
Cyber security fundamentals (Cantonese)
State of the ATT&CK May 2023
State of the ATT&CK May 2023
Recently uploaded
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
Kalema Edgar
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
2toLead Limited
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
null - The Open Security Community
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
shyamraj55
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
null - The Open Security Community
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
BookNet Canada
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
Slibray Presentation
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
BookNet Canada
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Hyundai Motor Group
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
Mark Billinghurst
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
Pixlogix Infotech
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
Enterprise Knowledge
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
Mattias Andersson
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
BookNet Canada
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
Sinan KOZAK
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
Softradix Technologies
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
Dubai Multi Commodity Centre
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
BookNet Canada
Recently uploaded
(20)
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Emulating an Adversary with Imperfect Intelligence
1.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10.© 2020 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Emulating an Adversary with Imperfect Intelligence Adam Pennington @_whatshisface
2.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 2 System Owner/User Discovery (T1033) adamp$ whoami § Lead of MITRE ATT&CK § 12 years with MITRE § Focused on threat intel and deception § Past defender and CTI analyst § Part of ATT&CK since it was a spreadsheet with no & § 11 years at Carnegie Mellon as student and researcher § SCUBA diver certified for decompression and rebreather diving § Former live sound engineer § DEF CON attendee since DEF CON 13
3.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 3 Outline §Setting the stage on adversary emulation §Gathering and extracting intelligence §Recognizing imperfections §Filling in the gaps §Organizing our intel into a plan
4.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. © 2020 THE MITRE CORPORATION. ALL RIGHTS RESERVED. FOR INTERNAL USE ONLY. Adversary Emulation A type of red team engagement that mimics a known threat to an organization by leveraging threat intelligence to influence what actions and behaviors the red team uses.
5.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 5 What’s Different About Adversary Emulation? Driven by threat intelligence Scoped to activity like known threat Likely follows a constructed scenario Gives idea of how defenses might fare against adversary
6.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 6 New Challenges Introduced by Emulation Need for intel Lack of intel in a form we can use Lack of intel on chosen adversary Need to turn intel into a workable scenario
7.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Our Adversary Emulation Process | 7 | Gather threat intel Extract techniques Analyze & organize Develop tools Emulate the adversary Today’s Focus
8.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. | 8 | Choose an Adversary and Gather Threat Intelligence • Identify the adversary you want to emulate • Consider who is targeting you and gaps you’re trying to assess • Gather data about that adversary • Look for post-exploit information • Consider their tools, associated groups, and campaigns • Think about the time frame Gather threat intel Extract techniques Analyze & organize Develop tools Emulate the adversary
9.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 9 Identify the Adversary You Want to Emulate § I’m going to leverage ATT&CK, but you don’t have to § Other options § Your own internal groups tracking § Commercial threat intel providers § Open source reports
10.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact Valid Accounts Scheduled Task/Job Modify Authentication Process System Service Discovery Remote Services Data from Local System Data Obfuscation Exfiltration Over Other Network Medium Data Destruction Replication Through Removable Media Windows Management Instrumentation Valid Accounts Network Sniffing Software Deployment Tools Data from Removable Media Fallback Channels Data Encrypted for Impact Hijack Execution Flow OS Credential Dumping Application Window Discovery Application Layer Protocol Scheduled Transfer Service Stop Trusted Relationship Software Deployment Tools Boot or Logon Initialization Scripts Direct Volume Access Input Capture Replication Through Removable Media Input Capture Proxy Data Transfer Size Limits Inhibit System Recovery Supply Chain Compromise Create or Modify System Process Rootkit Brute Force System Network Configuration Discovery Data Staged Communication Through Removable Media Exfiltration Over C2 Channel Defacement Hardware Additions Shared Modules Event Triggered Execution Obfuscated Files or Information Two-Factor Authentication Interception Internal Spearphishing Screen Capture Firmware Corruption Exploit Public-Facing Application User Execution Boot or Logon Autostart Execution System Owner/User Discovery Use Alternate Authentication Material Email Collection Web Service Exfiltration Over Physical Medium Resource Hijacking Exploitation for Client Execution Account Manipulation Process Injection Exploitation for Credential Access Clipboard Data Multi-Stage Channels Network Denial of Service Phishing External Remote Services Access Token Manipulation System Network Connections Discovery Lateral Tool Transfer Automated Collection Ingress Tool Transfer Exfiltration Over Web Service Endpoint Denial of Service External Remote Services System Services Office Application Startup Group Policy Modification Steal Web Session Cookie Taint Shared Content Audio Capture Data Encoding System Shutdown/Reboot Drive-by Compromise Command and Scripting Interpreter Create Account Abuse Elevation Control Mechanism Unsecured Credentials Permission Groups Discovery Exploitation of Remote Services Video Capture Traffic Signaling Automated Exfiltration Account Access Removal Browser Extensions Exploitation for Privilege Escalation Indicator Removal on Host Credentials from Password Stores Man in the Browser Remote Access Software Exfiltration Over Alternative Protocol Disk Wipe Native API Traffic Signaling Modify Registry File and Directory Discovery Remote Service Session Hijacking Data from Information Repositories Dynamic Resolution Data Manipulation Inter-Process Communication BITS Jobs Trusted Developer Utilities Proxy Execution Steal or Forge Kerberos Tickets Non-Standard Port Transfer Data to Cloud AccountServer Software Component Peripheral Device Discovery Man-in-the-Middle Protocol Tunneling Traffic Signaling Forced Authentication Archive Collected Data Encrypted Channel Pre-OS Boot Signed Script Proxy Execution Steal Application Access Token Network Share Discovery Data from Network Shared Drive Non-Application Layer ProtocolCompromise Client Software Binary Password Policy Discovery Rogue Domain Controller Man-in-the-Middle Browser Bookmark Discovery Data from Cloud Storage ObjectImplant Container Image Indirect Command Execution Virtualization/Sandbox EvasionBITS Jobs XSL Script Processing Cloud Service Dashboard Template Injection Software Discovery File and Directory Permissions Modification Query Registry Remote System Discovery Virtualization/Sandbox Evasion Network Service Scanning Process Discovery Unused/Unsupported Cloud Regions System Information Discovery Use Alternate Authentication Material Account Discovery System Time Discovery Impair Defenses Domain Trust Discovery Hide Artifacts Cloud Service Discovery Masquerading Deobfuscate/Decode Files or Information Signed Binary Proxy Execution Exploitation for Defense Evasion Execution Guardrails Modify Cloud Compute Infrastructure Pre-OS Boot Subvert Trust Controls ATT&CK Knowledge Base Basics Tactics: the adversary’s technical goals Techniques:howthegoalsare achieved Sub-techniques: More specific techniques Procedures: Adversary technique and sub-technique implementations
11.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Group: APT29 | 11 |
12.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Group: APT29 | 12 |
13.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Group: APT29 | 13 |
14.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. ATT&CK Use Cases | 14 | Threat Intelligence processes = search Process:Create reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe") cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"") reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname) output reg_and_cmd Detection Adversary Emulation Assessment and Engineering Use ATT&CK for Adversary Emulation and Red Teaming The best defense is a well-tested defense. ATT&CK provides a common adversary behavior framework based on threat intelligence that red teams can use to emulate specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and processes—and then fix them. Legend Low Priority High Priority Finding Gaps in Defense Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Offsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT-NS Poisoning and Relay Network Sniffing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Network Service Scanning Network Share Discovery Network Sniffing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multiband Communication Multi-hop Proxy Multilayer Encryption Multi-Stage Channels Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Other Network Medium Exfiltration Over Command and Control Channel Exfiltration Over Alternative Protocol Exfiltration Over Physical Medium Scheduled Transfer Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trusted Developer Utilities DLL Search Order Hijacking Image File Execution Options Injection Plist Modification Valid Accounts Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Dylib Hijacking File System Permissions Weakness Hooking Launch Daemon New Service Path Interception Port Monitors Service Registry Permissions Weakness Setuid and Setgid Startup Items Web Shell .bash_profile and .bashrc Account Manipulation Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware BITS Jobs Clear Command History CMSTP Code Signing Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion File Deletion File Permissions Modification File System Logical Offsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Exploitation for Privilege Escalation SID-History Injection Sudo Sudo Caching Scheduled Task Binary Padding Network Sniffing Launchctl Local Job Scheduling LSASS Driver Trap Access Token Manipulation Bypass User Account Control Extra Window Memory Injection Process Injection Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT-NS Poisoning and Relay Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Discovery Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Use ATT&CK for Cyber Threat Intelligence Cyber threat intelligence comes from many sources, including knowledge of past incidents, commercial threat feeds, information-sharing groups, government threat-sharing programs, and more. ATT&CK gives analysts a common language to communicate across reports and organizations, providing a way to structure, compare, and analyze threat intelligence. Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats. Get Started with ATT&CK Legend APT28 APT29 Both Comparing APT28 to APT29 we've chosen 12 of those data sources to show the techniques each of them might be able to detect with the right colle analytics. Check out our website at attack.mitre.org for more information on how each technique can be detected, and adversary examples you can use to start detecting adversary behavior with ATT&CK. You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit.ly/ATT learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK conten Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Persistence .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Offsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT-NS Poisoning and Relay Network Sniffing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Sniffing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Persistence .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT-NS Poisoning and Relay Network Sniffing Password Filter DLL Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Sniffing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation ob stan Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats. Legend APT28 APT29 Both Legend Low Priority High Priority Comparing APT28 to APT29 Finding Gaps in Defense Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Offsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT-NS Poisoning and Relay Network Sniffing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Sniffing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Persistence .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions Weakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions Weakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Offsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT-NS Poisoning and Relay Network Sniffing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Sniffing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation malwarerever net work device logs network intrusion detection system ssl/tls inspection system calls windowseventlogs ocol compromise point denial of service network denial of service obfuscated files or information remote access tools spearphishing attachment standard non-application layer protocoltemplate injection domain fronting drive-by compromise endpoint denial of service install root certificate obfuscated files or information spearphishing link spearphishing via service standard cryptographic protocol web service applescript application shimming browser extensions bypass user account control exploitation for client execution hypervisor kernel modules and extensions keychain rootkit account manipulation bits jobs cm stp em s
15.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 15 Choosing an Adversary Based on Gaps APT28 techniques from ATT&CK (based only on open source reporting) Diagram using ATT&CK Navigator: https://bit.ly/attacknav
16.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 16 Choosing an Adversary Based on Gaps Notional gaps in defenses
17.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 17 Choosing an Adversary Based on Gaps Green = APT28 techniques that can test our gaps
18.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 18 Choosing an Adversary Based on Who is Targeting You • Work with your threat intel team – many ways to prioritize • Adversary who targets you regularly • Adversary who has targeted others like you • Adversary who rarely targets but has a high skill level
19.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 19 Turla / Snake / Venomous Bear
20.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 20 Gather Data About Your Chosen Adversary
21.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. | 21 | Extract Techniques from Reports • Look for behaviors • Identify the adversary tactic • Move from tactic to technique/sub-technique • Work as a team • Free training on how to do this at: https://attack.mitre.org/training/cti Gather threat intel Extract techniques Analyze & organize Develop tools Emulate the adversary
22.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Mapping ATT&CK Techniques | 22 | https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive- and-strong-an-analysis-of-royalcli-and-royaldns/ Windows Command Shell (T1059.003) Registry Run Keys / Startup Folder (T1574.001) Windows Command Shell (T1059.003) Process Discovery (T1057) Remote System Discovery (T1018) System Network Connections Discovery (T1049) System Information Discovery (T1082) System Network Configuration Discovery (T1016) OS Credential Dumping (T1003) Pass the Ticket (T1550.003) Keylogging (T1056.001) Email Collection (T1114)
23.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 23 Structure Your Collected Intel Turla techniques from ATT&CK (based only on open source reporting)
24.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. | 24 | Analyze and Organize Techniques and Intel • Establish the adversary’s goal • Examine gaps between access and goal • Fill in the gaps you have • Organize intel into technique flow • Organize technique flow into phases Gather threat intel Extract techniques Analyze & organize Develop tools Emulate the adversary
25.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 25 Establish an Adversary’s Goal(s) https://securelist.com/the-epic-turla-operation/65545/ https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
26.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 26 Examine Gaps Between Access and Goal Why are there gaps? • Open source intel likely doesn’t paint a complete adversary picture • Biases and lack of visibility of adversary activity • Group intel in ATT&CK subject to these biases and we add our own • Biases from what we map and how we map it • Understanding these is important for knowing where gaps likely are
27.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Open Source Biases: Visibility Bias Visible Disk Forensics Network Flows Process Execution Powershell Registry Monitoring Decoded C2 Not Seen 27
28.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Open Source Biases: Novelty Bias Another APT1337 Report APT1338 Report!!! 28
29.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Open Source Biases: Availability Bias All Possible Behaviors Familiar Behaviors 29
30.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Open Source Biases: Victim Bias Victim 4 Victim 5Victim 3 Victim 2 Victim 1 30
31.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Open Source Biases: Production Bias Operation Snakepit APT1337 Report Operation Brown Fox APT1338 Report Ducks in the Wild FUZZYDUCK Report Source 1 Source 2 31
32.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Security Vendors 92% Press Reports 5% Publicly- available Government Reports 3% ATT&CK Biases: Sources We Select From reports used for technique examples in ATT&CK Groups 32
33.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. ATT&CK Biases: Availability Bias All Possible Techniques Techniques We Remember 33
34.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. ATT&CK Biases: Novelty Bias Yet another FUZZYDUCK using Powershell report APT1337 Using Transmitted Data Manipulation 34
35.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 35 Other ATT&CK Group Caveats §Reports from different time periods combined § Reporting frequently doesn’t say when activity happened § Single reports often only show a small range of activity §Groups only include behaviors directly tied to actor activity § Doesn’t include the behaviors of software adversaries use §Reporting doesn’t always agree on attribution
36.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. How Can We Deal With These Limitations? | 24| • Know that they exist • Once you know them, you can better determine where your gaps likely are • Account for the gaps they create as you build your adversary plan Tenor.com
37.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 37 Identifying Possible Gaps for a Specific Adversary Turla techniques from ATT&CK (based only on open source reporting)
38.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 38 Missing Dependencies Turla techniques from ATT&CK (based only on open source reporting) Finding related techniques: https://medium.com/mitre-attack/finding-related-att-ck-techniques-f1a4e8dfe2b6
39.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 39 Missing Dependencies Turla techniques from ATT&CK (based only on open source reporting) Finding related techniques: https://medium.com/mitre-attack/finding-related-att-ck-techniques-f1a4e8dfe2b6
40.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 40 Unusually Sparse Tactics Turla techniques from ATT&CK (based only on open source reporting) Note: Turla is older than cloud storage
41.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. | 41 | Analyze and Organize Techniques and Intel • Establish the adversary’s goal • Examine gaps between access and goal • Fill in the gaps you have • Organize intel into technique flow • Organize technique flow into phases Gather threat intel Extract techniques Analyze & organize Develop tools Emulate the adversary
42.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 42 Techniques for Filling in Gaps Add techniques from software Fill in missing dependencies Examine peer adversaries Look at common techniques
43.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Adding Techniques from Software – Turla Software 43 Arp Carbon certutil ComRAT Empire Epic Gazer Kazuar LightNeuron Mimikatz Mosquito nbtstat Net netstat PowerStallion PsExec Reg Systeminfo Tasklist Uroburos
44.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Turla Software – Utilities 44 Arp Carbon certutil ComRAT Empire Epic Gazer Kazuar LightNeuron Mimikatz Mosquito nbtstat Net netstat PowerStallion PsExec Reg Systeminfo Tasklist Uroburos
45.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Turla Software – Public Tools 45 Arp Carbon certutil ComRAT Empire Epic Gazer Kazuar LightNeuron Mimikatz Mosquito nbtstat Net netstat PowerStallion PsExec Reg Systeminfo Tasklist Uroburos
46.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Turla Software – Possibly Unique to Turla 46 Arp Carbon certutil ComRAT Empire Epic Gazer Kazuar LightNeuron Mimikatz Mosquito nbtstat Net netstat PowerStallion PsExec Reg Systeminfo Tasklist Uroburos
47.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Turla Software – Possibly Unique to Turla 47
48.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Turla Techniques Plus Turla Software 48 Blue = Turla Red = Turla SW Green = Both
49.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Fill in Missing Dependencies 49 Blue = Turla Red = Turla SW Green = Both
50.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Fill in Missing Dependencies 50 Blue = Turla Red = Turla SW Green = Both
51.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Fill in Missing Dependencies 51 Turla + Software + Dependencies
52.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 52 Examine Peer Adversaries – APT28 + APT29 Other Russia attributed groups focused on data theft Green = Techniques used by both
53.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Look at Common Techniques 53 1. Process Injection 2. Scheduled Task 3. Windows Admin Shares 4. PowerShell 5. Remote File Copy 6. Masquerading 7. Scripting 8. DLL Search Order Hijacking 9. Domain Trust Discovery 10.Disabling Security Tools 1. Security Software Discovery 2. Obfuscated Files or Info 3. Process Injection 4. System Info Discovery 5. Process Discovery 6. Software Packing 7. DLL Side-Loading 8. Data Encrypted 9. Execution through API 10.Standard Crypto Protocol
54.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. | 54 | Analyze and Organize Techniques and Intel • Establish the adversary’s goal • Examine gaps between access and goal • Fill in the gaps you have • Organize intel into technique flow • Organize technique flow into phases Gather threat intel Extract techniques Analyze & organize Develop tools Emulate the adversary
55.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Turla Compiled Technique Profile 55 Turla + Software + Dependencies
56.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 56 Organize Intel into Technique Flow Initial Access • Spearphishing Attachment • Spearphishing Link • Drive-by Compromise Execution • PowerShell • Malicious File • Malicious Link Defense Evasion • Deobfuscate Files or Info • Hidden File System • Code Signing Discovery • File and Dir Discovery • Peripheral Dev Discovery • System Info Discovery Credential Access • OS Credential Dumping • Creds from PW Stores Persistence • Shortcut Modification • Winlogon Helper DLL • Screensaver • PowerShell Profile Lateral Movement • Lateral Tool Transfer • SMB/Win Admin SharesPrivilege Escalation • Create Process w/ Token • COM Hijacking • DLL Injection Collection • Data from Remov. Media • Remote Email Collection • Data from Info Repos Exfiltration • Exfil to Cloud Storage • Exfil over C2 Channel
57.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 57 Organize Technique Flow into Plan Phases Initial Access Execution Defense Evasion Discovery Credential Access Persistence Lateral Movement Privilege Escalation Collection Exfiltration Reconnaissance Resource Development Phase 1 Phase 2 Phase 3
58.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. Tool up and Emulate | 58 | Develop Tools • Will COTS/FOSS work? • Need custom dev? • Payloads inspired by APT Emulate • Setup infra and test • Emulate the adversary! • Follow the adversary MO • Think about your goal • Think about pacing Gather threat intel Extract techniques Analyze & organize Develop tools Emulate the adversary
59.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 59 In Closing Pick your adversary to emulate wisely The intel on your adversary isn’t perfect You can still emulate an adversary with imperfect intel
60.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. 60 ATT&CK Adversary Emulation Resources § ATT&CK Navigator § Live Version: http://bit.ly/attacknav § Source: https://github.com/mitre-attack/attack-navigator § ATT&CK: https://attack.mitre.org/ § APT3 Emulation plan: https://attack.mitre.org/resources/adversary-emulation-plans/ § APT29 Emulation plan: https://github.com/mitre-attack/attack-arsenal § CALDERA: https://github.com/mitre/caldera
61.
© 2020 THE
MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10. https://attack.mitre.org attack@mitre.org @mitreattack Adam Pennington @_whatshisface
Download now