Emulating an Adversary with Imperfect Intelligence

© 2020 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10.© 2020 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10.
Emulating an Adversary
with Imperfect Intelligence
Adam Pennington
@_whatshisface

© 2020 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 20-00841-10.
2
System Owner/User Discovery (T1033)
adamp$ whoami
§ Lead of MITRE ATT&CK
§ 12 years with MITRE
§ Focused on threat intel and deception
§ Past defender and CTI analyst
§ Part of ATT&CK since it was a spreadsheet with no &
§ 11 years at Carnegie Mellon as student and researcher
§ SCUBA diver certified for decompression and rebreather diving
§ Former live sound engineer
§ DEF CON attendee since DEF CON 13

3
Outline
§Setting the stage on adversary emulation
§Gathering and extracting intelligence
§Recognizing imperfections
§Filling in the gaps
§Organizing our intel into a plan

© 2020 THE MITRE CORPORATION. ALL RIGHTS RESERVED. FOR INTERNAL USE ONLY.
Adversary Emulation
A type of red team engagement that
mimics a known threat to an
organization by leveraging threat
intelligence to influence what actions
and behaviors the red team uses.

5
What’s Different About Adversary Emulation?
Driven by threat intelligence
Scoped to activity like known threat
Likely follows a constructed scenario
Gives idea of how defenses might fare against adversary

6
New Challenges Introduced by Emulation
Need for intel
Lack of intel in a form we can use
Lack of intel on chosen adversary
Need to turn intel into a workable scenario

Our Adversary Emulation Process
| 7 |
Gather
threat intel
Extract
techniques
Analyze &
organize
Develop
tools
Emulate
the
adversary
Today’s Focus

| 8 |
Choose an Adversary and Gather Threat Intelligence
• Identify the adversary you want to emulate
• Consider who is targeting you and gaps you’re trying to assess
• Gather data about that adversary
• Look for post-exploit information
• Consider their tools, associated groups, and campaigns
• Think about the time frame
Gather
threat
intel
Extract
techniques
Analyze &
organize
Develop
tools
Emulate
the
adversary

9
Identify the Adversary You Want to Emulate
§ I’m going to leverage ATT&CK, but you don’t have to
§ Other options
§ Your own internal groups tracking
§ Commercial threat intel providers
§ Open source reports

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Valid Accounts Scheduled Task/Job Modify Authentication Process System Service Discovery Remote Services Data from Local System Data Obfuscation Exfiltration Over Other
Network Medium
Data Destruction
Replication Through
Removable Media
Windows Management
Instrumentation
Valid Accounts Network Sniffing Software Deployment
Tools
Data from Removable
Media
Fallback Channels Data Encrypted for Impact
Hijack Execution Flow OS Credential Dumping Application Window
Discovery
Application Layer Protocol Scheduled Transfer Service Stop
Trusted Relationship Software Deployment
Tools
Boot or Logon Initialization Scripts Direct Volume Access Input Capture Replication Through
Removable Media
Input Capture Proxy Data Transfer Size Limits Inhibit System Recovery
Supply Chain Compromise Create or Modify System Process Rootkit Brute Force System Network
Configuration Discovery
Data Staged Communication Through
Removable Media
Exfiltration Over
C2 Channel
Defacement
Hardware Additions Shared Modules Event Triggered Execution Obfuscated Files or
Information
Two-Factor Authentication
Interception
Internal Spearphishing Screen Capture Firmware Corruption
Exploit Public-Facing
Application
User Execution Boot or Logon Autostart Execution System Owner/User
Discovery
Use Alternate
Authentication Material
Email Collection Web Service Exfiltration Over
Physical Medium
Resource Hijacking
Exploitation for Client
Execution
Account Manipulation Process Injection Exploitation for Credential
Access
Clipboard Data Multi-Stage Channels Network Denial of Service
Phishing External Remote Services Access Token Manipulation System Network
Connections Discovery
Lateral Tool Transfer Automated Collection Ingress Tool Transfer Exfiltration Over
Web Service
Endpoint Denial of Service
External Remote Services System Services Office Application Startup Group Policy Modification Steal Web Session Cookie Taint Shared Content Audio Capture Data Encoding System Shutdown/Reboot
Drive-by Compromise Command and Scripting
Interpreter
Create Account Abuse Elevation Control Mechanism Unsecured Credentials Permission Groups
Discovery
Exploitation of Remote
Services
Video Capture Traffic Signaling Automated Exfiltration Account Access Removal
Browser Extensions Exploitation for Privilege
Escalation
Indicator Removal on Host Credentials from
Password Stores
Man in the Browser Remote Access Software Exfiltration Over
Alternative Protocol
Disk Wipe
Native API Traffic Signaling Modify Registry File and Directory
Discovery
Remote Service Session
Hijacking
Data from
Information Repositories
Dynamic Resolution Data Manipulation
Inter-Process
Communication
BITS Jobs Trusted Developer Utilities
Proxy Execution
Steal or Forge Kerberos
Tickets
Non-Standard Port Transfer Data to
Cloud AccountServer Software
Component
Peripheral Device
Discovery
Man-in-the-Middle Protocol Tunneling
Traffic Signaling Forced Authentication Archive Collected Data Encrypted Channel
Pre-OS Boot Signed Script Proxy
Execution
Steal Application Access
Token
Network Share Discovery Data from
Network Shared Drive
Non-Application
Layer ProtocolCompromise Client
Software Binary
Password Policy Discovery
Rogue Domain Controller Man-in-the-Middle Browser Bookmark
Discovery
Data from
Cloud Storage ObjectImplant Container Image Indirect Command
Execution Virtualization/Sandbox
EvasionBITS Jobs
XSL Script Processing Cloud Service Dashboard
Template Injection Software Discovery
File and Directory
Permissions Modification
Query Registry
Remote System Discovery
Virtualization/Sandbox
Evasion
Network Service Scanning
Process Discovery
Unused/Unsupported
Cloud Regions
System Information
Discovery
Use Alternate
Authentication Material
Account Discovery
System Time Discovery
Impair Defenses Domain Trust Discovery
Hide Artifacts Cloud Service Discovery
Masquerading
Deobfuscate/Decode Files
or Information
Signed Binary Proxy
Execution
Exploitation for
Defense Evasion
Execution Guardrails
Modify Cloud Compute
Infrastructure
Pre-OS Boot
Subvert Trust Controls
ATT&CK Knowledge Base Basics
Tactics: the adversary’s technical goals
Techniques:howthegoalsare
achieved
Sub-techniques:
More specific techniques
Procedures: Adversary technique and
sub-technique implementations

Group: APT29
| 11 |

Group: APT29
| 12 |

Group: APT29
| 13 |

ATT&CK Use Cases
| 14 |
Threat Intelligence
processes = search Process:Create
reg = filter processes where (exe == "reg.exe" and parent_exe
== "cmd.exe")
cmd = filter processes where (exe == "cmd.exe" and
parent_exe != "explorer.exe"")
reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and
reg.hostname == cmd.hostname)
output reg_and_cmd
Detection
Adversary Emulation
Assessment and Engineering
Use ATT&CK for Adversary Emulation and Red Teaming
The best defense is a well-tested defense. ATT&CK provides a common adversary
behavior framework based on threat intelligence that red teams can use to emulate
specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and
processes—and then fix them.
Legend
Low Priority
High Priority
Finding Gaps in Defense
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions Weakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Bypass User Account Control
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
Hooking
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Side-Loading
Exploitation for Defense Evasion
File Deletion
File Permissions Modification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Users
Hidden Window
HISTCONTROL
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Software Packing
Template Injection
Timestomp
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoning and
Relay
Network Sniffing
Password Filter DLL
Private Keys
Securityd Memory
Interception
Network Share Discovery
Network Sniffing
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Windows Admin Shares
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
AppleScript
Application Deployment
Software
Distributed Component
Object Model
Exploitation of
Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote File Copy
Remote Services
Replication Through
Removable Media
Shared Webroot
SSH Hijacking
Windows Remote
Management
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and
Control Protocol
Custom Cryptographic
Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation
Algorithms
Fallback Channels
Multi-hop Proxy
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer
Protocol
Standard Cryptographic
Protocol
Standard Non-Application
Layer Protocol
Web Service
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Other
Network Medium
Exfiltration Over Command
and Control Channel
Exfiltration Over Alternative
Protocol
Exfiltration Over
Physical Medium
Scheduled Transfer
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Firmware Corruption
Resource Hijacking
Service Stop
Transmitted Data
Manipulation
Audio Capture
Automated Collection
Clipboard Data
Data from Information
Repositories
Data from Local System
Data from Network
Shared Drive
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Drive-by Compromise
Exploit Public-Facing
Application
Hardware Additions
Replication Through
Removable Media
Spearphishing Link
Valid Accounts
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Execution through
Module Load
Exploitation for
Client Execution
InstallUtil
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scripting
Service Execution
Signed Binary
Proxy Execution
Signed Script
Proxy Execution
Source
Image File Execution Options Injection
Plist Modification
Valid Accounts
Accessibility Features
AppCert DLLs
AppInit DLLs
Dylib Hijacking
Hooking
Launch Daemon
New Service
Path Interception
Port Monitors
Service Registry Permissions Weakness
Setuid and Setgid
Startup Items
Web Shell
.bash_profile and .bashrc
Account Manipulation
BITS Jobs
Bootkit
Browser Extensions
Change Default
File Association
Component Firmware
BITS Jobs
Clear Command History
CMSTP
Code Signing
Compiled HTML File
Component Firmware
Component Object Model
Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files
or Information
DLL Side-Loading
Exploitation for
Defense Evasion
File Deletion
File Permissions
Modification
Gatekeeper Bypass
Hidden Users
Exploitation for
Privilege Escalation
Sudo
Sudo Caching
Scheduled Task Binary Padding Network Sniffing
Launchctl
LSASS Driver
Trap
Access Token Manipulation
Process Injection
Bash History
Brute Force
Credential Dumping
Credentials in Files
Exploitation for
Credential Access
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoning
and Relay
Password Filter DLL
Private Keys
Securityd Memory
Interception
Account Discovery
Application Window
Discovery
Browser Bookmark
Discovery
Domain Trust Discovery
File and Directory Discovery
Process Discovery
Query Discovery
System Information
Discovery
System Network
Configuration Discovery
System Network
Connections Discovery
System Owner/User
Discovery
Virtualization/Sandbox
Evasion
Use ATT&CK for Cyber Threat Intelligence
Cyber threat intelligence comes from many sources, including knowledge of past incidents,
commercial threat feeds, information-sharing groups, government threat-sharing programs,
and more. ATT&CK gives analysts a common language to communicate across reports and
organizations, providing a way to structure, compare, and analyze threat intelligence.
Use ATT&CK to Build Your Defensive Platform
ATT&CK includes resources designed to help cyber defenders develop analytics that
detect the techniques used by an adversary. Based on threat intelligence included in
ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of
analytics to detect threats.
Get Started with ATT&CK
Legend
APT28
APT29
Both
Comparing APT28 to APT29
we've chosen 12 of those data sources to show the techniques each of them might be able to detect with the right colle
analytics. Check out our website at attack.mitre.org for more information on how each technique can be detected, and
adversary examples you can use to start detecting adversary behavior with ATT&CK.
You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit.ly/ATT
learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK conten
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
Hardware Additions
Media
Spearphishing Link
Valid Accounts
Execution
AppleScript
CMSTP
Compiled HTML File
Control Panel Items
InstallUtil
Launchctl
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Source
Trap
User Execution
Windows Management
Instrumentation
Persistence
AppCert DLLs
AppInit DLLs
BITS Jobs
Bootkit
Browser Extensions
Component Firmware
Create Account
Dylib Hijacking
Hooking
Hypervisor
Injection
Launch Agent
Launch Daemon
Launchctl
Login Item
Logon Scripts
LSASS Driver
Netsh Helper DLL
New Service
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Redundant Access
Scheduled Task
Screensaver
Weakness
Setuid and Setgid
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Winlogon Helper DLL
AppCert DLLs
AppInit DLLs
Dylib Hijacking
Hooking
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Weakness
Setuid and Setgid
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Binary Padding
BITS Jobs
CMSTP
Code Signing
Compiled HTML File
Component Firmware
Control Panel Items
DCShadow
Information
DLL Side-Loading
File Deletion
Gatekeeper Bypass
Hidden Users
Hidden Window
HISTCONTROL
Injection
Indicator Blocking
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Removal
Plist Modification
Port Knocking
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Software Packing
Template Injection
Timestomp
Valid Accounts
Web Service
Credential Access
Bash History
Brute Force
Credential Dumping
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
Relay
Network Sniffing
Password Filter DLL
Private Keys
Securityd Memory
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Network Sniffing
Process Discovery
Query Registry
Discovery
Discovery
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote File Copy
Remote Services
Media
Shared Webroot
SSH Hijacking
Collection
Audio Capture
Clipboard Data
Data from Information Repositories
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Fallback Channels
Multi-hop Proxy
Port Knocking
Remote Access Tools
Remote File Copy
Protocol
Web Service
Exfiltration
Data Compressed
Data Encrypted
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Medium
Scheduled Transfer
Impact
Data Destruction
Defacement
Disk Content Wipe
Disk Structure Wipe
Firmware Corruption
Resource Hijacking
Service Stop
Initial Access
Drive-by Compromise
Hardware Additions
Media
Spearphishing Link
Valid Accounts
Execution
AppleScript
CMSTP
Compiled HTML File
Control Panel Items
InstallUtil
Launchctl
LSASS Driver
Mshta
PowerShell
Persistence
AppCert DLLs
AppInit DLLs
BITS Jobs
Bootkit
Browser Extensions
Component Firmware
Create Account
Dylib Hijacking
AppCert DLLs
AppInit DLLs
Dylib Hijacking
Hooking
Injection
Launch Daemon
New Service
Path Interception
Defense Evasion
Binary Padding
BITS Jobs
CMSTP
Code Signing
Compiled HTML File
Component Firmware
Control Panel Items
DCShadow
Information
Credential Access
Bash History
Brute Force
Credential Dumping
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
Relay
Network Sniffing
Password Filter DLL
Discovery
Account Discovery
Network Sniffing
Process Discovery
Query Registry
Lateral Movement
AppleScript
Model
Logon Scripts
Pass the Hash
Pass the Ticket
Remote File Copy
Remote Services
Media
Shared Webroot
SSH Hijacking
Collection
Audio Capture
Clipboard Data
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Removable Media
Connection Proxy
Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Fallback Channels
Multi-hop Proxy
Port Knocking
Remote Access Tools
Exfiltration
Data Compressed
Data Encrypted
Control Channel
Medium
Scheduled Transfer
Impact
Data Destruction
Defacement
Disk Content Wipe
Disk Structure Wipe
Firmware Corruption
Resource Hijacking
Service Stop
ob
stan
Use ATT&CK to Build Your Defensive Platform
ATT&CK includes resources designed to help cyber defenders develop analytics that
detect the techniques used by an adversary. Based on threat intelligence included in
ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of
analytics to detect threats.
Legend
APT28
APT29
Both
Legend
Low Priority
High Priority
Comparing APT28 to APT29
Finding Gaps in Defense
Drive-by Compromise
Hardware Additions
Media
Spearphishing Link
Valid Accounts
AppleScript
CMSTP
Compiled HTML File
Control Panel Items
InstallUtil
Launchctl
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Source
Trap
User Execution
Windows Management
Instrumentation
AppCert DLLs
AppInit DLLs
BITS Jobs
Bootkit
Browser Extensions
Component Firmware
Create Account
Dylib Hijacking
Hooking
Hypervisor
Injection
Launch Agent
Launch Daemon
Launchctl
Login Item
Logon Scripts
LSASS Driver
Netsh Helper DLL
New Service
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Redundant Access
Scheduled Task
Screensaver
Weakness
Setuid and Setgid
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Winlogon Helper DLL
AppCert DLLs
AppInit DLLs
Dylib Hijacking
Hooking
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Weakness
Setuid and Setgid
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Binary Padding
BITS Jobs
CMSTP
Code Signing
Compiled HTML File
Component Firmware
Control Panel Items
DCShadow
Information
DLL Side-Loading
File Deletion
Gatekeeper Bypass
Hidden Users
Hidden Window
HISTCONTROL
Injection
Indicator Blocking
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Removal
Plist Modification
Port Knocking
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Software Packing
Template Injection
Timestomp
Valid Accounts
Web Service
Bash History
Brute Force
Credential Dumping
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
Relay
Network Sniffing
Password Filter DLL
Private Keys
Securityd Memory
Interception
Account Discovery
Network Sniffing
Process Discovery
Query Registry
Discovery
Discovery
AppleScript
Model
Logon Scripts
Pass the Hash
Pass the Ticket
Remote File Copy
Remote Services
Media
Shared Webroot
SSH Hijacking
Audio Capture
Clipboard Data
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Commonly Used Port
Removable Media
Connection Proxy
Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Fallback Channels
Multi-hop Proxy
Port Knocking
Remote Access Tools
Remote File Copy
Protocol
Web Service
Data Compressed
Data Encrypted
Control Channel
Medium
Scheduled Transfer
Data Destruction
Defacement
Disk Content Wipe
Disk Structure Wipe
Firmware Corruption
Resource Hijacking
Service Stop
Initial Access
Drive-by Compromise
Hardware Additions
Media
Spearphishing Link
Valid Accounts
Execution
AppleScript
CMSTP
Compiled HTML File
Control Panel Items
InstallUtil
Launchctl
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Source
Trap
User Execution
Windows Management
Instrumentation
Persistence
AppCert DLLs
AppInit DLLs
BITS Jobs
Bootkit
Browser Extensions
Component Firmware
Create Account
Dylib Hijacking
Hooking
Hypervisor
Injection
Launch Agent
Launch Daemon
Launchctl
Login Item
Logon Scripts
LSASS Driver
Netsh Helper DLL
New Service
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Redundant Access
Scheduled Task
Screensaver
Weakness
Setuid and Setgid
AppCert DLLs
AppInit DLLs
Dylib Hijacking
Hooking
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Weakness
Setuid and Setgid
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Binary Padding
BITS Jobs
CMSTP
Code Signing
Compiled HTML File
Component Firmware
Control Panel Items
DCShadow
Information
DLL Side-Loading
File Deletion
Gatekeeper Bypass
Hidden Users
Hidden Window
HISTCONTROL
Injection
Indicator Blocking
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Removal
Plist Modification
Port Knocking
Process Hollowing
Credential Access
Bash History
Brute Force
Credential Dumping
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
Relay
Network Sniffing
Password Filter DLL
Private Keys
Securityd Memory
Interception
Discovery
Account Discovery
Network Sniffing
Process Discovery
Query Registry
Discovery
Discovery
Lateral Movement
AppleScript
Model
Logon Scripts
Pass the Hash
Pass the Ticket
Remote File Copy
Remote Services
Media
Shared Webroot
SSH Hijacking
Collection
Audio Capture
Clipboard Data
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Removable Media
Connection Proxy
Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Fallback Channels
Multi-hop Proxy
Port Knocking
Remote Access Tools
Remote File Copy
Protocol
Web Service
Exfiltration
Data Compressed
Data Encrypted
Control Channel
Medium
Scheduled Transfer
Impact
Data Destruction
Defacement
Disk Content Wipe
Disk Structure Wipe
Firmware Corruption
Resource Hijacking
Service Stop
malwarerever
net
work device logs
network intrusion detection system
ssl/tls inspection
system
calls
windowseventlogs
ocol
compromise
point denial of service
network denial of service
obfuscated files or information
remote access tools
spearphishing attachment
standard non-application layer protocoltemplate injection
domain fronting
drive-by compromise
endpoint denial of service
install root certificate
obfuscated files or information
spearphishing link
spearphishing via service
standard cryptographic protocol
web service
applescript
application shimming
browser extensions
bypass user account control
exploitation for client execution
hypervisor
kernel modules and extensions
keychain
rootkit
account manipulation
bits jobs
cm
stp
em
s

15
Choosing an Adversary Based on Gaps
APT28 techniques
from ATT&CK
(based only on open
source reporting)
Diagram using ATT&CK Navigator: https://bit.ly/attacknav

16
Notional gaps
in defenses

17
Green = APT28
techniques that can
test our gaps

18
Choosing an Adversary Based on Who is Targeting You
• Work with your threat intel team – many ways to prioritize
• Adversary who targets you regularly
• Adversary who has targeted others like you
• Adversary who rarely targets but has a high skill level

19
Turla / Snake / Venomous Bear

20
Gather Data About Your Chosen Adversary

| 21 |
Extract Techniques from Reports
• Look for behaviors
• Identify the adversary tactic
• Move from tactic to technique/sub-technique
• Work as a team
• Free training on how to do this at: https://attack.mitre.org/training/cti
Gather
threat
intel
Extract
techniques
Analyze &
organize
Develop
tools
Emulate the
adversary

Mapping ATT&CK Techniques
| 22 |
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-
and-strong-an-analysis-of-royalcli-and-royaldns/
Windows Command Shell (T1059.003)
Registry Run Keys / Startup Folder (T1574.001)
Windows Command Shell (T1059.003)
Process Discovery (T1057)
Remote System Discovery (T1018)
System Network Connections Discovery (T1049)
System Information Discovery (T1082)
System Network Configuration Discovery (T1016)
OS Credential Dumping (T1003)
Pass the Ticket (T1550.003)
Keylogging (T1056.001)
Email Collection (T1114)

23
Structure Your Collected Intel
Turla techniques
from ATT&CK
(based only on open
source reporting)

| 24 |
Analyze and Organize Techniques and Intel
• Establish the adversary’s goal
• Examine gaps between access and goal
• Fill in the gaps you have
• Organize intel into technique flow
• Organize technique flow into phases
Gather
threat intel
Extract
techniques
Analyze
&
organize
Develop
tools
Emulate
the
adversary

25
Establish an Adversary’s Goal(s)
https://securelist.com/the-epic-turla-operation/65545/
https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf

26
Examine Gaps Between Access and Goal
Why are there gaps?
• Open source intel likely doesn’t paint a complete adversary picture
• Biases and lack of visibility of adversary activity
• Group intel in ATT&CK subject to these biases and we add our own
• Biases from what we map and how we map it
• Understanding these is important for knowing where gaps likely are

Open Source Biases: Visibility Bias
Visible
Disk
Forensics
Network
Flows
Process
Execution
Powershell
Registry
Monitoring
Decoded
C2
Not Seen
27

Open Source Biases: Novelty Bias
Another APT1337
Report
APT1338
Report!!!
28

Open Source Biases: Availability Bias
All Possible
Behaviors
Familiar
Behaviors
29

Open Source Biases: Victim Bias
Victim 4
Victim 5Victim 3
Victim 2
Victim 1
30

Open Source Biases: Production Bias
Operation Snakepit
APT1337 Report
Operation Brown Fox
APT1338 Report
Ducks in the Wild
FUZZYDUCK Report
Source 1 Source 2
31

Security
Vendors
92%
Press
Reports
5%
Publicly-
available
Government
Reports
3%
ATT&CK Biases: Sources We Select
From reports used
for technique examples
in ATT&CK Groups
32

ATT&CK Biases: Availability Bias
All Possible
Techniques
Techniques
We
Remember
33

ATT&CK Biases: Novelty Bias
Yet another
FUZZYDUCK
using Powershell
report
APT1337
Using
Transmitted
Data
Manipulation
34

35
Other ATT&CK Group Caveats
§Reports from different time periods combined
§ Reporting frequently doesn’t say when activity happened
§ Single reports often only show a small range of activity
§Groups only include behaviors directly tied to actor activity
§ Doesn’t include the behaviors of software adversaries use
§Reporting doesn’t always agree on attribution

How Can We Deal With These Limitations?
| 24|
• Know that they exist
• Once you know them, you can better
determine where your gaps likely are
• Account for the gaps they create as
you build your adversary plan
Tenor.com

37
Identifying Possible Gaps for a Specific Adversary
Turla techniques
from ATT&CK
(based only on open
source reporting)

38
Missing Dependencies
Turla techniques
from ATT&CK
(based only on open
source reporting)
Finding related techniques: https://medium.com/mitre-attack/finding-related-att-ck-techniques-f1a4e8dfe2b6

39
Missing Dependencies
Turla techniques
from ATT&CK
(based only on open
source reporting)
Finding related techniques: https://medium.com/mitre-attack/finding-related-att-ck-techniques-f1a4e8dfe2b6

40
Unusually Sparse Tactics
Turla techniques
from ATT&CK
(based only on open
source reporting)
Note: Turla is older than cloud storage

| 41 |
Gather
threat intel
Extract
techniques
Analyze
&
organize
Develop
tools
Emulate
the
adversary

42
Techniques for Filling in Gaps
Add techniques from software
Fill in missing dependencies
Examine peer adversaries
Look at common techniques

Adding Techniques from Software – Turla Software
43
Arp
Carbon
certutil
ComRAT
Empire
Epic
Gazer
Kazuar
LightNeuron
Mimikatz
Mosquito
nbtstat
Net
netstat
PowerStallion
PsExec
Reg
Systeminfo
Tasklist
Uroburos

Turla Software – Utilities
44
Arp
Carbon
certutil
ComRAT
Empire
Epic
Gazer
Kazuar
LightNeuron
Mimikatz
Mosquito
nbtstat
Net
netstat
PowerStallion
PsExec
Reg
Systeminfo
Tasklist
Uroburos

Turla Software – Public Tools
45
Arp
Carbon
certutil
ComRAT
Empire
Epic
Gazer
Kazuar
LightNeuron
Mimikatz
Mosquito
nbtstat
Net
netstat
PowerStallion
PsExec
Reg
Systeminfo
Tasklist
Uroburos

Turla Software – Possibly Unique to Turla
46
Arp
Carbon
certutil
ComRAT
Empire
Epic
Gazer
Kazuar
LightNeuron
Mimikatz
Mosquito
nbtstat
Net
netstat
PowerStallion
PsExec
Reg
Systeminfo
Tasklist
Uroburos

Turla Software – Possibly Unique to Turla
47

Turla Techniques Plus Turla Software
48
Blue = Turla
Red = Turla SW
Green = Both

Fill in Missing Dependencies
49
Blue = Turla
Red = Turla SW
Green = Both

50
Blue = Turla
Red = Turla SW
Green = Both

51
Turla + Software + Dependencies

52
Examine Peer Adversaries – APT28 + APT29
Other Russia attributed groups
focused on data theft
Green = Techniques used by both

Look at Common Techniques
53
1. Process Injection
2. Scheduled Task
3. Windows Admin Shares
4. PowerShell
5. Remote File Copy
6. Masquerading
7. Scripting
8. DLL Search Order Hijacking
9. Domain Trust Discovery
10.Disabling Security Tools
1. Security Software Discovery
2. Obfuscated Files or Info
3. Process Injection
4. System Info Discovery
5. Process Discovery
6. Software Packing
7. DLL Side-Loading
8. Data Encrypted
9. Execution through API
10.Standard Crypto Protocol

| 54 |
Gather
threat intel
Extract
techniques
Analyze
&
organize
Develop
tools
Emulate
the
adversary

Turla Compiled Technique Profile
55
Turla + Software + Dependencies

56
Organize Intel into Technique Flow
Initial Access
• Spearphishing Attachment
• Spearphishing Link
• Drive-by Compromise
Execution
• PowerShell
• Malicious File
• Malicious Link
Defense Evasion
• Deobfuscate Files or Info
• Hidden File System
• Code Signing
Discovery
• File and Dir Discovery
• Peripheral Dev Discovery
• System Info Discovery
Credential Access
• OS Credential Dumping
• Creds from PW Stores
Persistence
• Shortcut Modification
• Winlogon Helper DLL
• Screensaver
• PowerShell Profile
Lateral Movement
• Lateral Tool Transfer
• SMB/Win Admin SharesPrivilege Escalation
• Create Process w/ Token
• COM Hijacking
• DLL Injection
Collection
• Data from Remov. Media
• Remote Email Collection
• Data from Info Repos
Exfiltration
• Exfil to Cloud Storage
• Exfil over C2 Channel

57
Organize Technique Flow into Plan Phases
Initial
Access
Execution
Defense
Evasion
Discovery
Credential
Access
Persistence
Lateral
Movement
Privilege
Escalation
Collection
Exfiltration
Reconnaissance
Resource
Development
Phase 1 Phase 2 Phase 3

Tool up and Emulate
| 58 |
Develop Tools
• Will COTS/FOSS work?
• Need custom dev?
• Payloads inspired by APT
Emulate
• Setup infra and test
• Emulate the adversary!
• Follow the adversary MO
• Think about your goal
• Think about pacing
Gather
threat
intel
Extract
techniques
Analyze &
organize
Develop
tools
Emulate
the
adversary

59
In Closing
Pick your adversary to emulate wisely
The intel on your adversary isn’t perfect
You can still emulate an adversary with imperfect intel

60
ATT&CK Adversary Emulation Resources
§ ATT&CK Navigator
§ Live Version: http://bit.ly/attacknav
§ Source: https://github.com/mitre-attack/attack-navigator
§ ATT&CK: https://attack.mitre.org/
§ APT3 Emulation plan: https://attack.mitre.org/resources/adversary-emulation-plans/
§ APT29 Emulation plan: https://github.com/mitre-attack/attack-arsenal
§ CALDERA: https://github.com/mitre/caldera

https://attack.mitre.org
attack@mitre.org
@mitreattack
Adam Pennington
@_whatshisface

Emulating an Adversary with Imperfect Intelligence

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Emulating an Adversary with Imperfect Intelligence

Similar to Emulating an Adversary with Imperfect Intelligence (20)

Recently uploaded

Recently uploaded (20)

Emulating an Adversary with Imperfect Intelligence