ReZa AdineH, profile picture
Uploaded byReZa AdineH
PDF, PPTX72 views

MITRE-Module 4 Slides.pdf

The document discusses various ways that threat intelligence data mapped to the MITRE ATT&CK framework can be stored and analyzed. It provides examples of how ATT&CK techniques have been included in security reports and notes that the community is still exploring the best methods and formats for capturing and linking ATT&CK data to other information like indicators. The goal is to be able to make defensive recommendations by analyzing stored ATT&CK-mapped intelligence.

Embed presentation

Download as PDF, PPTX
Module 4: Storing and Analyzing ATT&CK-Mapped Data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
Considerations When Storing ATT&CK-Mapped Intel ▪ Who’s consuming it? – Human or machine? – Requirements? ▪ How will you provide context? – Include full text? ▪ How detailed will it be? – Just a Technique, or a Procedure? – How will you capture that detail? (Free text?) ▪ How will you link it to other intel? – Incident, group, campaign, indicator… ▪ How will you import and export data? – Format? ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. The community is still figuring this out!
Ways to Store and Display ATT&CK-Mapped Intel ¯ _(ツ)_/¯ ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Ways to Store and Display ATT&CK-Mapped Intel Courtesy of Alexandre Dulaunoy ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Ways to Store and Display ATT&CK-Mapped Intel Courtesy of Alexandre Dulaunoy ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Ability to link to indicators and files
Ways to Express and Store ATT&CK-Mapped Intel https://www.anomali.com/blog/weekly-threat-briefing-google- spots-attacks-exploiting-ios-zero-day-flaws … ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Techniques at the end of a report
Ways to Express and Store ATT&CK-Mapped Intel https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing- operation-ghostsecret-attack-seeks-to-steal-data-worldwide/ ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Techniques at the end of a report
Ways to Express and Store ATT&CK-Mapped Intel https://www.crowdstrike.com/resources/reports/2018-crowdstrike-global- threat-report-blurring-the-lines-between-statecraft-and-tradecraft/ ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Techniques at the beginning of a report
Ways to Express and Store ATT&CK-Mapped Intel https://www.digitalshadows.com/blog-and-research/mitre-attck- and-the-mueller-gru-indictment-lessons-for-organizations/ ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Adding additional info to an ATT&CK technique
Ways to Express and Store ATT&CK-Mapped Intel https://www.recordedfuture.com/mitre-attack-framework/ ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. With timestamps
Ways to Express and Store ATT&CK-Mapped Intel https://pan-unit42.github.io/playbook_viewer/ ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Machine readable Linking techniques to indicators
Ways to Express and Store ATT&CK-Mapped Intel https://attack.mitre.org/groups/G0007/ What else could we do? https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15- is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ Credential Dumping (T1003) Full-Text Report ATT&CK Technique ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data Process of Applying ATT&CK to CTI So now we have some ATT&CK-mapped intel… What can we do with it? ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Initial Access rive by Compromise xploit ublic acing Application ardware Additions Replication Through Removable Media pearphishing Attachment pearphishing ink pearphishing via ervice upply Chain Compromise Trusted Relationship alid Accounts Execution Apple cript CM T Command ine Interface Control anel Items ynamic ata xchange xecution through A I xecution through Module oad xploitation for Client xecution raphical ser Interface Install til aunchctl ocal ob cheduling A river Mshta ower hell Regsvcs Regasm Regsvr Rundll cheduled T ask cripting ervice xecution igned inary roxy xecution igned cript roxy xecution ource pace after ilename Third party oftware Trap Trusted eveloper tilities ser xecution Windows Management Instrumentation Windows Remote Management Persistence .bash profile and .bashrc Accessibility eatures AppCert s AppInit s Application himming Authentication ackage IT obs ootkit rowser xtensions Change efault ile Association Component irmware Component b ect Model i acking Create Account earch rder i acking ylib i acking xternal Remote ervices ile ystem ermissions Weakness idden iles and irectories ooking ypervisor Image ile xecution ptions In ection ernel Modules and xtensions aunch Agent aunch aemon aunchctl C A I Addition ocal ob cheduling ogin Item ogon cripts A river Modify xisting ervice Netsh elper New ervice ffice Application tartup ath Interception list Modification ort nocking ort Monitors Rc.common Re opened Applications Redundant Access Registry Run eys tart older cheduled T ask creensaver Privilege Escalation Access T oken Manipulation Accessibility eatures AppCert s AppInit s Application himming ypass ser Account Control earch rder i acking ylib i acking xploitation for rivilege scalation xtra Window Memory In ection ile ystem ermissions Weakness ooking Image ile xecution ptions In ection aunch aemon New ervice ath Interception list Modification ort Monitors rocess In ection cheduled T ask ervice Registry ermissions Weakness etuid and etgid I istory In ection tartup Items udo udo Caching alid Accounts Web hell Defense Evasion Access T oken Manipulation inary adding IT obs ypass ser Account Control Clear Command istory CM T Code igning Component irmware Component b ect Model i acking Control anel Items C hadow eobfuscate ecode iles or Information isabling ecurity T ools earch rder i acking ide oading xploitation for efense vasion xtra Window Memory In ection ile eletion ile ystem ogical ffsets atekeeper ypass idden iles and irectories idden sers idden Window I TC NTR Image ile xecution ptions In ection Indicator locking Indicator Removal from T ools Indicator Removal on ost Indirect Command xecution Install Root Certificate Install til aunchctl C MAIN i acking Masquerading Modify Registry Mshta Network hare Connection Removal NT ile Attributes bfuscated iles or Information list Modification ort nocking rocess oppelg nging rocess ollowing rocess In ection Credential Access Account Manipulation ash istory rute orce Credential umping Credentials in iles Credentials in Registry xploitation for Credential Access orced Authentication ooking Input Capture Input rompt erberoasting eychain MNR N T N oisoning Network niffing assword ilter rivate eys Replication Through Removable Media ecurityd Memory Two actor Authentication Interception Discovery Account iscovery Application Window iscovery rowser ookmark iscovery ile and irectory iscovery Network ervice canning Network hare iscovery assword olicy iscovery eripheral evice iscovery ermission roups iscovery rocess iscovery uery Registry Remote ystem iscovery ecurity oftware iscovery ystem Information iscovery ystem Network Configuration iscovery ystem Network Connections iscovery ystem wner ser iscovery ystem ervice iscovery ystem Time iscovery Lateral Movement Apple cript Application eployment oftware istributed Component b ect Model xploitation of Remote ervices ogon cripts ass the ash ass the Ticket Remote esktop rotocol Remote ile Copy Remote ervices Replication Through Removable Media hared Webroot i acking T aint hared Content Third party oftware Windows Admin hares Windows Remote Management Collection Audio Capture Automated Collection Clipboard ata ata from Information Repositories ata from ocal ystem ata from Network hared rive ata from Removable Media ata taged mail Collection Input Capture Man in the rowser creen Capture ideo Capture Exfiltration Automated xfiltration ata Compressed ata ncrypted ata Transfer i e imits xfiltration ver Alternative rotocol xfiltration ver Command and Control Channel xfiltration ver ther Network Medium xfiltration ver hysical Medium cheduled Transfer Command And Control Commonly sed ort Communication Through Removable Media Connection roxy Custom Command and Control rotocol Custom Cryptographic rotocol ata ncoding ata bfuscation omain ronting allback Channels Multi hop roxy Multi tage Channels Multiband Communication Multilayer ncryption ort nocking Remote Access T ools Remote ile Copy tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol ncommonly sed ort Web ervice APT28 Techniques* *from open source reporting we’ve mapped Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control
Initial Access rive by Compromise xploit ublic acing Application ardware Additions Replication Through Removable Media pearphishing Attachment pearphishing ink pearphishing via ervice upply Chain Compromise Trusted Relationship alid Accounts Execution Apple cript CM T Command ine Interface Control anel Items ynamic ata xchange xecution through A I xecution through Module oad xploitation for Client xecution raphical ser Interface Install til aunchctl ocal ob cheduling A river Mshta ower hell Regsvcs Regasm Regsvr Rundll cheduled T ask cripting ervice xecution igned inary roxy xecution igned cript roxy xecution ource pace after ilename Third party oftware Trap Trusted eveloper tilities ser xecution Windows Management Instrumentation Windows Remote Management Persistence .bash profile and .bashrc Accessibility eatures AppCert s AppInit s Application himming Authentication ackage IT obs ootkit rowser xtensions Change efault ile Association Component irmware Component b ect Model i acking Create Account earch rder i acking ylib i acking xternal Remote ervices ile ystem ermissions Weakness idden iles and irectories ooking ypervisor Image ile xecution ptions In ection ernel Modules and xtensions aunch Agent aunch aemon aunchctl C A I Addition ocal ob cheduling ogin Item ogon cripts A river Modify xisting ervice Netsh elper New ervice ffice Application tartup ath Interception list Modification ort nocking ort Monitors Rc.common Re opened Applications Redundant Access Registry Run eys tart older cheduled T ask creensaver Privilege Escalation Access T oken Manipulation Accessibility eatures AppCert s AppInit s Application himming ypass ser Account Control earch rder i acking ylib i acking xploitation for rivilege scalation xtra Window Memory In ection ile ystem ermissions Weakness ooking Image ile xecution ptions In ection aunch aemon New ervice ath Interception list Modification ort Monitors rocess In ection cheduled T ask ervice Registry ermissions Weakness etuid and etgid I istory In ection tartup Items udo udo Caching alid Accounts Web hell Defense Evasion Access T oken Manipulation inary adding IT obs ypass ser Account Control Clear Command istory CM T Code igning Component irmware Component b ect Model i acking Control anel Items C hadow eobfuscate ecode iles or Information isabling ecurity T ools earch rder i acking ide oading xploitation for efense vasion xtra Window Memory In ection ile eletion ile ystem ogical ffsets atekeeper ypass idden iles and irectories idden sers idden Window I TC NTR Image ile xecution ptions In ection Indicator locking Indicator Removal from T ools Indicator Removal on ost Indirect Command xecution Install Root Certificate Install til aunchctl C MAIN i acking Masquerading Modify Registry Mshta Network hare Connection Removal NT ile Attributes bfuscated iles or Information list Modification ort nocking rocess oppelg nging rocess ollowing rocess In ection Credential Access Account Manipulation ash istory rute orce Credential umping Credentials in iles Credentials in Registry xploitation for Credential Access orced Authentication ooking Input Capture Input rompt erberoasting eychain MNR N T N oisoning Network niffing assword ilter rivate eys Replication Through Removable Media ecurityd Memory Two actor Authentication Interception Discovery Account iscovery Application Window iscovery rowser ookmark iscovery ile and irectory iscovery Network ervice canning Network hare iscovery assword olicy iscovery eripheral evice iscovery ermission roups iscovery rocess iscovery uery Registry Remote ystem iscovery ecurity oftware iscovery ystem Information iscovery ystem Network Configuration iscovery ystem Network Connections iscovery ystem wner ser iscovery ystem ervice iscovery ystem Time iscovery Lateral Movement Apple cript Application eployment oftware istributed Component b ect Model xploitation of Remote ervices ogon cripts ass the ash ass the Ticket Remote esktop rotocol Remote ile Copy Remote ervices Replication Through Removable Media hared Webroot i acking T aint hared Content Third party oftware Windows Admin hares Windows Remote Management Collection Audio Capture Automated Collection Clipboard ata ata from Information Repositories ata from ocal ystem ata from Network hared rive ata from Removable Media ata taged mail Collection Input Capture Man in the rowser creen Capture ideo Capture Exfiltration Automated xfiltration ata Compressed ata ncrypted ata Transfer i e imits xfiltration ver Alternative rotocol xfiltration ver Command and Control Channel xfiltration ver ther Network Medium xfiltration ver hysical Medium cheduled Transfer Command And Control Commonly sed ort Communication Through Removable Media Connection roxy Custom Command and Control rotocol Custom Cryptographic rotocol ata ncoding ata bfuscation omain ronting allback Channels Multi hop roxy Multi tage Channels Multiband Communication Multilayer ncryption ort nocking Remote Access T ools Remote ile Copy tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol ncommonly sed ort Web ervice APT29 Techniques Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control
Initial Access rive by Compromise xploit ublic acing Application ardware Additions Replication Through Removable Media pearphishing Attachment pearphishing ink pearphishing via ervice upply Chain Compromise Trusted Relationship alid Accounts Execution Apple cript CM T Command ine Interface Control anel Items ynamic ata xchange xecution through A I xecution through Module oad xploitation for Client xecution raphical ser Interface Install til aunchctl ocal ob cheduling A river Mshta ower hell Regsvcs Regasm Regsvr Rundll cheduled T ask cripting ervice xecution igned inary roxy xecution igned cript roxy xecution ource pace after ilename Third party oftware Trap Trusted eveloper tilities ser xecution Windows Management Instrumentation Windows Remote Management Persistence .bash profile and .bashrc Accessibility eatures AppCert s AppInit s Application himming Authentication ackage IT obs ootkit rowser xtensions Change efault ile Association Component irmware Component b ect Model i acking Create Account earch rder i acking ylib i acking xternal Remote ervices ile ystem ermissions Weakness idden iles and irectories ooking ypervisor Image ile xecution ptions In ection ernel Modules and xtensions aunch Agent aunch aemon aunchctl C A I Addition ocal ob cheduling ogin Item ogon cripts A river Modify xisting ervice Netsh elper New ervice ffice Application tartup ath Interception list Modification ort nocking ort Monitors Rc.common Re opened Applications Redundant Access Registry Run eys tart older cheduled T ask creensaver Privilege Escalation Access T oken Manipulation Accessibility eatures AppCert s AppInit s Application himming ypass ser Account Control earch rder i acking ylib i acking xploitation for rivilege scalation xtra Window Memory In ection ile ystem ermissions Weakness ooking Image ile xecution ptions In ection aunch aemon New ervice ath Interception list Modification ort Monitors rocess In ection cheduled T ask ervice Registry ermissions Weakness etuid and etgid I istory In ection tartup Items udo udo Caching alid Accounts Web hell Defense Evasion Access T oken Manipulation inary adding IT obs ypass ser Account Control Clear Command istory CM T Code igning Component irmware Component b ect Model i acking Control anel Items C hadow eobfuscate ecode iles or Information isabling ecurity T ools earch rder i acking ide oading xploitation for efense vasion xtra Window Memory In ection ile eletion ile ystem ogical ffsets atekeeper ypass idden iles and irectories idden sers idden Window I TC NTR Image ile xecution ptions In ection Indicator locking Indicator Removal from T ools Indicator Removal on ost Indirect Command xecution Install Root Certificate Install til aunchctl C MAIN i acking Masquerading Modify Registry Mshta Network hare Connection Removal NT ile Attributes bfuscated iles or Information list Modification ort nocking rocess oppelg nging rocess ollowing rocess In ection Credential Access Account Manipulation ash istory rute orce Credential umping Credentials in iles Credentials in Registry xploitation for Credential Access orced Authentication ooking Input Capture Input rompt erberoasting eychain MNR N T N oisoning Network niffing assword ilter rivate eys Replication Through Removable Media ecurityd Memory Two actor Authentication Interception Discovery Account iscovery Application Window iscovery rowser ookmark iscovery ile and irectory iscovery Network ervice canning Network hare iscovery assword olicy iscovery eripheral evice iscovery ermission roups iscovery rocess iscovery uery Registry Remote ystem iscovery ecurity oftware iscovery ystem Information iscovery ystem Network Configuration iscovery ystem Network Connections iscovery ystem wner ser iscovery ystem ervice iscovery ystem Time iscovery Lateral Movement Apple cript Application eployment oftware istributed Component b ect Model xploitation of Remote ervices ogon cripts ass the ash ass the Ticket Remote esktop rotocol Remote ile Copy Remote ervices Replication Through Removable Media hared Webroot i acking T aint hared Content Third party oftware Windows Admin hares Windows Remote Management Collection Audio Capture Automated Collection Clipboard ata ata from Information Repositories ata from ocal ystem ata from Network hared rive ata from Removable Media ata taged mail Collection Input Capture Man in the rowser creen Capture ideo Capture Exfiltration Automated xfiltration ata Compressed ata ncrypted ata Transfer i e imits xfiltration ver Alternative rotocol xfiltration ver Command and Control Channel xfiltration ver ther Network Medium xfiltration ver hysical Medium cheduled Transfer Command And Control Commonly sed ort Communication Through Removable Media Connection roxy Custom Command and Control rotocol Custom Cryptographic rotocol ata ncoding ata bfuscation omain ronting allback Channels Multi hop roxy Multi tage Channels Multiband Communication Multilayer ncryption ort nocking Remote Access T ools Remote ile Copy tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol ncommonly sed ort Web ervice Comparing APT28 and APT29 Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control Overlay known gaps APT28 APT29 Both groups
ATT&CK Navigator ▪ One option for getting started with storing and analyzing in a simple way ▪ Open source (JSON), so you can customize it ▪ Allows you you visualize data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
ATT&CK Navigator Demo Video
Exercise 4: Comparing Layers in ATT&CK Navigator ▪ Docs you will need are at attack.mitre.org/training/cti under Exercise 4 – Step-by-step instructions are in the “Comparing ayers in Navigator” – Techniques are listed in the “A T 9 and Cobalt itty techniques” 1. Open ATT&CK Navigator: http://bit.ly/attacknav 2. Enter techniques from APT39 and Cobalt Kitty/OceanLotus into separate Navigator layers with a unique score for each layer’s techniques 3. Combine the layers in Navigator to create a third layer 4. Make your third layer look pretty 5. Make a list of the techniques that overlap between the two groups ▪ Please pause. We suggest giving yourself 15 minutes for this exercise. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Initial Access rive by Compromise xploit ublic acing Application ardware Additions Replication Through Removable Media pearphishing Attachment pearphishing ink pearphishing via ervice upply Chain Compromise Trusted Relationship alid Accounts Execution Apple cript CM T Command ine Interface Compiled TM ile Control anel Items ynamic ata xchange xecution through A I xecution through Module oad xploitation for Client xecution raphical ser Interface Install til aunchctl ocal ob cheduling A river Mshta ower hell Regsvcs Regasm Regsvr Rundll cheduled Task cripting ervice xecution igned inary roxy xecution igned cript roxy xecution ource pace after ilename Third party oftware Trap Trusted eveloper tilities ser xecution Windows Management Instrumentation Windows Remote Management cript rocessing Persistence .bash profile and .bashrc Accessibility eatures Account Manipulation AppCert s AppInit s Application himming Authentication ackage IT obs ootkit rowser xtensions Change efault ile Association Component irmware Component b ect Model i acking Create Account earch rder i acking ylib i acking xternal Remote ervices ile ystem ermissions Weakness idden iles and irectories ooking ypervisor Image ile xecution ptions In ection ernel Modules and xtensions aunch Agent aunch aemon aunchctl C A I Addition ocal ob cheduling ogin Item ogon cripts A river Modify xisting ervice Netsh elper New ervice ffice Application tartup ath Interception list Modification ort nocking ort Monitors Rc.common Re opened Applications Privilege Escalation Access Token Manipulation Accessibility eatures AppCert s AppInit s Application himming ypass ser Account Control earch rder i acking ylib i acking xploitation for rivilege scalation xtra Window Memory In ection ile ystem ermissions Weakness ooking Image ile xecution ptions In ection aunch aemon New ervice ath Interception list Modification ort Monitors rocess In ection cheduled Task ervice Registry ermissions Weakness etuid and etgid I istory In ection tartup Items udo udo Caching alid Accounts Web hell Defense Evasion Access Token Manipulation inary adding IT obs ypass ser Account Control Clear Command istory CM T Code igning Compiled TM ile Component irmware Component b ect Model i acking Control anel Items C hadow eobfuscate ecode iles or Information isabling ecurity Tools earch rder i acking ide oading xploitation for efense vasion xtra Window Memory In ection ile eletion ile ermissions Modification ile ystem ogical ffsets atekeeper ypass idden iles and irectories idden sers idden Window I TC NTR Image ile xecution ptions In ection Indicator locking Indicator Removal from Tools Indicator Removal on ost Indirect Command xecution Install Root Certificate Install til aunchctl C MAIN i acking Masquerading Modify Registry Mshta Network hare Connection Removal NT ile Attributes bfuscated iles or Information Credential Access Account Manipulation ash istory rute orce Credential umping Credentials in iles Credentials in Registry xploitation for Credential Access orced Authentication ooking Input Capture Input rompt erberoasting eychain MNR N T N oisoning Network niffing assword ilter rivate eys ecurityd Memory Two actor Authentication Interception Discovery Account iscovery Application Window iscovery rowser ookmark iscovery ile and irectory iscovery Network ervice canning Network hare iscovery Network niffing assword olicy iscovery eripheral evice iscovery ermission roups iscovery rocess iscovery uery Registry Remote ystem iscovery ecurity oftware iscovery ystem Information iscovery ystem Network Configuration iscovery ystem Network Connections iscovery ystem wner ser iscovery ystem ervice iscovery ystem Time iscovery Lateral Movement Apple cript Application eployment oftware istributed Component b ect Model xploitation of Remote ervices ogon cripts ass the ash ass the Ticket Remote esktop rotocol Remote ile Copy Remote ervices Replication Through Removable Media hared Webroot i acking Taint hared Content Third party oftware Windows Admin hares Windows Remote Management Collection Audio Capture Automated Collection Clipboard ata ata from Information Repositories ata from ocal ystem ata from Network hared rive ata from Removable Media ata taged mail Collection Input Capture Man in the rowser creen Capture ideo Capture Exfiltration Automated xfiltration ata Compressed ata ncrypted ata Transfer i e imits xfiltration ver Alternative rotocol xfiltration ver Command and Control Channel xfiltration ver ther Network Medium xfiltration ver hysical Medium cheduled Transfer Command And Control Commonly sed ort Communication Through Removable Media Connection roxy Custom Command and Control rotocol Custom Cryptographic rotocol ata ncoding ata bfuscation omain ronting allback Channels Multi hop roxy Multi tage Channels Multiband Communication Multilayer ncryption ort nocking Remote Access Tools Remote ile Copy tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol ncommonly sed ort Web ervice Initial Access rive by Compromise xploit ublic acing Application ardware Additions Replication Through Removable Media pearphishing Attachment pearphishing ink pearphishing via ervice upply Chain Compromise Trusted Relationship alid Accounts Execution Apple cript CM T Command ine Interface Compiled TM ile Control anel Items ynamic ata xchange xecution through A I xecution through Module oad xploitation for Client xecution raphical ser Interface Install til aunchctl ocal ob cheduling A river Mshta ower hell Regsvcs Regasm Regsvr Rundll cheduled Task cripting ervice xecution igned inary roxy xecution igned cript roxy xecution ource pace after ilename Third party oftware Trap Trusted eveloper tilities ser xecution Windows Management Instrumentation Windows Remote Management cript rocessing Persistence .bash profile and .bashrc Accessibility eatures Account Manipulation AppCert s AppInit s Application himming Authentication ackage IT obs ootkit rowser xtensions Change efault ile Association Component irmware Component b ect Model i acking Create Account earch rder i acking ylib i acking xternal Remote ervices ile ystem ermissions Weakness idden iles and irectories ooking ypervisor Image ile xecution ptions In ection ernel Modules and xtensions aunch Agent aunch aemon aunchctl C A I Addition ocal ob cheduling ogin Item ogon cripts A river Modify xisting ervice Netsh elper New ervice ffice Application tartup ath Interception list Modification ort nocking ort Monitors Rc.common Re opened Applications Privilege Escalation Access Token Manipulation Accessibility eatures AppCert s AppInit s Application himming ypass ser Account Control earch rder i acking ylib i acking xploitation for rivilege scalation xtra Window Memory In ection ile ystem ermissions Weakness ooking Image ile xecution ptions In ection aunch aemon New ervice ath Interception list Modification ort Monitors rocess In ection cheduled Task ervice Registry ermissions Weakness etuid and etgid I istory In ection tartup Items udo udo Caching alid Accounts Web hell Defense Evasion Access Token Manipulation inary adding IT obs ypass ser Account Control Clear Command istory CM T Code igning Compiled TM ile Component irmware Component b ect Model i acking Control anel Items C hadow eobfuscate ecode iles or Information isabling ecurity Tools earch rder i acking ide oading xploitation for efense vasion xtra Window Memory In ection ile eletion ile ermissions Modification ile ystem ogical ffsets atekeeper ypass idden iles and irectories idden sers idden Window I TC NTR Image ile xecution ptions In ection Indicator locking Indicator Removal from Tools Indicator Removal on ost Indirect Command xecution Install Root Certificate Install til aunchctl C MAIN i acking Masquerading Modify Registry Mshta Network hare Connection Removal NT ile Attributes bfuscated iles or Information Credential Access Account Manipulation ash istory rute orce Credential umping Credentials in iles Credentials in Registry xploitation for Credential Access orced Authentication ooking Input Capture Input rompt erberoasting eychain MNR N T N oisoning Network niffing assword ilter rivate eys ecurityd Memory Two actor Authentication Interception Discovery Account iscovery Application Window iscovery rowser ookmark iscovery ile and irectory iscovery Network ervice canning Network hare iscovery Network niffing assword olicy iscovery eripheral evice iscovery ermission roups iscovery rocess iscovery uery Registry Remote ystem iscovery ecurity oftware iscovery ystem Information iscovery ystem Network Configuration iscovery ystem Network Connections iscovery ystem wner ser iscovery ystem ervice iscovery ystem Time iscovery Lateral Movement Apple cript Application eployment oftware istributed Component b ect Model xploitation of Remote ervices ogon cripts ass the ash ass the Ticket Remote esktop rotocol Remote ile Copy Remote ervices Replication Through Removable Media hared Webroot i acking Taint hared Content Third party oftware Windows Admin hares Windows Remote Management Collection Audio Capture Automated Collection Clipboard ata ata from Information Repositories ata from ocal ystem ata from Network hared rive ata from Removable Media ata taged mail Collection Input Capture Man in the rowser creen Capture ideo Capture Exfiltration Automated xfiltration ata Compressed ata ncrypted ata Transfer i e imits xfiltration ver Alternative rotocol xfiltration ver Command and Control Channel xfiltration ver ther Network Medium xfiltration ver hysical Medium cheduled Transfer Command And Control Commonly sed ort Communication Through Removable Media Connection roxy Custom Command and Control rotocol Custom Cryptographic rotocol ata ncoding ata bfuscation omain ronting allback Channels Multi hop roxy Multi tage Channels Multiband Communication Multilayer ncryption ort nocking Remote Access Tools Remote ile Copy tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol ncommonly sed ort Web ervice Initial Access rive by Compromise xploit ublic acing Application ardware Additions Replication Through Removable Media pearphishing Attachment pearphishing ink pearphishing via ervice upply Chain Compromise Trusted Relationship alid Accounts Execution Apple cript CM T Command ine Interface Compiled TM ile Control anel Items ynamic ata xchange xecution through A I xecution through Module oad xploitation for Client xecution raphical ser Interface Install til aunchctl ocal ob cheduling A river Mshta ower hell Regsvcs Regasm Regsvr Rundll cheduled Task cripting ervice xecution igned inary roxy xecution igned cript roxy xecution ource pace after ilename Third party oftware Trap Trusted eveloper tilities ser xecution Windows Management Instrumentation Windows Remote Management cript rocessing Persistence .bash profile and .bashrc Accessibility eatures Account Manipulation AppCert s AppInit s Application himming Authentication ackage IT obs ootkit rowser xtensions Change efault ile Association Component irmware Component b ect Model i acking Create Account earch rder i acking ylib i acking xternal Remote ervices ile ystem ermissions Weakness idden iles and irectories ooking ypervisor Image ile xecution ptions In ection ernel Modules and xtensions aunch Agent aunch aemon aunchctl C A I Addition ocal ob cheduling ogin Item ogon cripts A river Modify xisting ervice Netsh elper New ervice ffice Application tartup ath Interception list Modification ort nocking ort Monitors Rc.common Re opened Applications Privilege Escalation Access Token Manipulation Accessibility eatures AppCert s AppInit s Application himming ypass ser Account Control earch rder i acking ylib i acking xploitation for rivilege scalation xtra Window Memory In ection ile ystem ermissions Weakness ooking Image ile xecution ptions In ection aunch aemon New ervice ath Interception list Modification ort Monitors rocess In ection cheduled Task ervice Registry ermissions Weakness etuid and etgid I istory In ection tartup Items udo udo Caching alid Accounts Web hell Defense Evasion Access Token Manipulation inary adding IT obs ypass ser Account Control Clear Command istory CM T Code igning Compiled TM ile Component irmware Component b ect Model i acking Control anel Items C hadow eobfuscate ecode iles or Information isabling ecurity Tools earch rder i acking ide oading xploitation for efense vasion xtra Window Memory In ection ile eletion ile ermissions Modification ile ystem ogical ffsets atekeeper ypass idden iles and irectories idden sers idden Window I TC NTR Image ile xecution ptions In ection Indicator locking Indicator Removal from Tools Indicator Removal on ost Indirect Command xecution Install Root Certificate Install til aunchctl C MAIN i acking Masquerading Modify Registry Mshta Network hare Connection Removal NT ile Attributes bfuscated iles or Information Credential Access Account Manipulation ash istory rute orce Credential umping Credentials in iles Credentials in Registry xploitation for Credential Access orced Authentication ooking Input Capture Input rompt erberoasting eychain MNR N T N oisoning Network niffing assword ilter rivate eys ecurityd Memory Two actor Authentication Interception Discovery Account iscovery Application Window iscovery rowser ookmark iscovery ile and irectory iscovery Network ervice canning Network hare iscovery Network niffing assword olicy iscovery eripheral evice iscovery ermission roups iscovery rocess iscovery uery Registry Remote ystem iscovery ecurity oftware iscovery ystem Information iscovery ystem Network Configuration iscovery ystem Network Connections iscovery ystem wner ser iscovery ystem ervice iscovery ystem Time iscovery Lateral Movement Apple cript Application eployment oftware istributed Component b ect Model xploitation of Remote ervices ogon cripts ass the ash ass the Ticket Remote esktop rotocol Remote ile Copy Remote ervices Replication Through Removable Media hared Webroot i acking Taint hared Content Third party oftware Windows Admin hares Windows Remote Management Collection Audio Capture Automated Collection Clipboard ata ata from Information Repositories ata from ocal ystem ata from Network hared rive ata from Removable Media ata taged mail Collection Input Capture Man in the rowser creen Capture ideo Capture Exfiltration Automated xfiltration ata Compressed ata ncrypted ata Transfer i e imits xfiltration ver Alternative rotocol xfiltration ver Command and Control Channel xfiltration ver ther Network Medium xfiltration ver hysical Medium cheduled Transfer Command And Control Commonly sed ort Communication Through Removable Media Connection roxy Custom Command and Control rotocol Custom Cryptographic rotocol ata ncoding ata bfuscation omain ronting allback Channels Multi hop roxy Multi tage Channels Multiband Communication Multilayer ncryption ort nocking Remote Access Tools Remote ile Copy tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol ncommonly sed ort Web ervice Exercise 4: Comparing Layers in ATT&CK Navigator APT39 Both groups OceanLotus ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Exercise 4: Comparing Layers in ATT&CK Navigator ▪ Here are the overlapping techniques: 1. Spearphishing Attachment 2. Spearphishing Link 3. Scheduled Task 4. Scripting 5. User Execution 6. Registry Run Keys/Startup Folder 7. Network Service Scanning ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
End of Module 4 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.

More Related Content

PDF
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
byAdam Pennington
 
PDF
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
byKatie Nickels
 
PDF
Automation: The Wonderful Wizard of CTI (or is it?)
byMITRE ATT&CK
 
PDF
MITRE-Module 1 Slides.pdf
byReZa AdineH
 
PDF
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
byRobert Brandel
 
PDF
State of the ATT&CK
byMITRE ATT&CK
 
PDF
MITRE_ATTACK_Enterprise_11x17.pdf
byAisyiFree
 
PDF
Update from the MITRE ATT&CK Team
byAdam Pennington
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
byAdam Pennington
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
byKatie Nickels
 
Automation: The Wonderful Wizard of CTI (or is it?)
byMITRE ATT&CK
 
MITRE-Module 1 Slides.pdf
byReZa AdineH
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
byRobert Brandel
 
State of the ATT&CK
byMITRE ATT&CK
 
MITRE_ATTACK_Enterprise_11x17.pdf
byAisyiFree
 
Update from the MITRE ATT&CK Team
byAdam Pennington
 

Similar to MITRE-Module 4 Slides.pdf

PDF
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
byKatie Nickels
 
PPTX
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
PDF
Threat-Based Adversary Emulation with MITRE ATT&CK
byKatie Nickels
 
PPTX
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
PDF
State of the ATTACK
byMITRE - ATT&CKcon
 
PDF
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
PDF
MITRE ATT&CKcon Power Hour - November
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CK Framework
byn|u - The Open Security Community
 
PPTX
ATT&CKing with Threat Intelligence
byChristopher Korban
 
PDF
Introduction to MITRE ATT&CK
byArpan Raval
 
PDF
MITRE-Module 2 Slides.pdf
byReZa AdineH
 
PDF
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
byMITRE ATT&CK
 
PDF
State of the ATT&CK May 2023
byAdam Pennington
 
PDF
MITRE-Module 3 Slides.pdf
byReZa AdineH
 
PDF
Getting Bear-y Cozy with PowerShell
byJamieWilliams130
 
PPTX
Defend Your Data Now with the MITRE ATT&CK Framework
byTripwire
 
PDF
Becoming a Yogi on Mac ATT&CK with OceanLotus Postures
byAdam Pennington
 
PDF
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
byAdam Pennington
 
PDF
State of the ATT&CK - ATT&CKcon Power Hour
byAdam Pennington
 
PDF
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
byMITRE - ATT&CKcon
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
byKatie Nickels
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
Threat-Based Adversary Emulation with MITRE ATT&CK
byKatie Nickels
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
State of the ATTACK
byMITRE - ATT&CKcon
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
MITRE ATT&CKcon Power Hour - November
byMITRE - ATT&CKcon
 
MITRE ATT&CK Framework
byn|u - The Open Security Community
 
ATT&CKing with Threat Intelligence
byChristopher Korban
 
Introduction to MITRE ATT&CK
byArpan Raval
 
MITRE-Module 2 Slides.pdf
byReZa AdineH
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
byMITRE ATT&CK
 
State of the ATT&CK May 2023
byAdam Pennington
 
MITRE-Module 3 Slides.pdf
byReZa AdineH
 
Getting Bear-y Cozy with PowerShell
byJamieWilliams130
 
Defend Your Data Now with the MITRE ATT&CK Framework
byTripwire
 
Becoming a Yogi on Mac ATT&CK with OceanLotus Postures
byAdam Pennington
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
byAdam Pennington
 
State of the ATT&CK - ATT&CKcon Power Hour
byAdam Pennington
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
byMITRE - ATT&CKcon
 

More from ReZa AdineH

PDF
Security operations center-SOC Presentation-مرکز عملیات امنیت
byReZa AdineH
 
PPTX
Effective Security Operation Center - present by Reza Adineh
byReZa AdineH
 
PDF
MITRE-Module 5 Slides.pdf
byReZa AdineH
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
byReZa AdineH
 
PPTX
From Zero to SOC: Designing Effective Threat Detection & Incident Response
byReZa AdineH
 
PDF
SIEM POC Assessment.pdf
byReZa AdineH
 
PPTX
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
byReZa AdineH
 
PPTX
The Evolution of SIEM- From Logs to Detection-First Intelligence.pptx
byReZa AdineH
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
byReZa AdineH
 
PDF
Security monitoring log management-describe logstash,kibana,elastic slidshare
byReZa AdineH
 
PDF
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
byReZa AdineH
 
PDF
Cover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
byReZa AdineH
 
PDF
Next generation Security Operation Center; Written by Reza Adineh
byReZa AdineH
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
byReZa AdineH
 
Effective Security Operation Center - present by Reza Adineh
byReZa AdineH
 
MITRE-Module 5 Slides.pdf
byReZa AdineH
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
byReZa AdineH
 
From Zero to SOC: Designing Effective Threat Detection & Incident Response
byReZa AdineH
 
SIEM POC Assessment.pdf
byReZa AdineH
 
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
byReZa AdineH
 
The Evolution of SIEM- From Logs to Detection-First Intelligence.pptx
byReZa AdineH
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
byReZa AdineH
 
Security monitoring log management-describe logstash,kibana,elastic slidshare
byReZa AdineH
 
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
byReZa AdineH
 
Cover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
byReZa AdineH
 
Next generation Security Operation Center; Written by Reza Adineh
byReZa AdineH
 

Recently uploaded

PDF
Digital Finance Summit 2025 - Beep by Maria Vittoria Dalla Rosa Prati
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - Vyntra by Joris Lochy
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - Inna Kostiuk and Pavlo Denysiuk
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - Jos Gheerardyn
byFinTech Belgium
 
PDF
Digital Finance Summit 2025 - Marko Koić
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - Balint Kis
byFinTech Belgium
 
PPT
2014limspresentation-141119055221-conversion-gate02.ppt
byImadAghila
 
PPTX
Digital Finance Summit 2025 - David Van der Looven
byFinTech Belgium
 
PDF
Digital Finance Summit 2025 - Joris Germonpré
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - MyProved by Xavier Laoureux
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - Cédric Nève
byFinTech Belgium
 
PPTX
How to Create a Timeline in PowerPoint|Step-by-Step Guide
byzhiqiangjiang1
 
PPTX
Digital Finance Summit 2025-Benoit van den Hove
byFinTech Belgium
 
DOCX
Top Platforms to Secure Gmail Accounts for Business Use This Year.docx
bysmmtrust service
 
PDF
HEPA (AHU) Qualification.pdf & Replacement Frequency of HEPA filter
byvinodchauhan89
 
DOCX
The Benefits of Using Old Gmail Accounts for Quick Verification.docx
bysmmtrust service
 
PPTX
How to Insert Notes in PowerPoint (Step-by-Step Guide 2025)
byTeresa Garcia
 
PPTX
WASTEWATER TREATMENT LABORATORY TRAINING.pptx
byImadAghila
 
PDF
Finale Group Project UW- Uyghur Muslims.pdf
bykarlas39
 
PPTX
2025-12-07 Moses 10 (shared slides).pptx
byDale Wells
 
Digital Finance Summit 2025 - Beep by Maria Vittoria Dalla Rosa Prati
byFinTech Belgium
 
Digital Finance Summit 2025 - Vyntra by Joris Lochy
byFinTech Belgium
 
Digital Finance Summit 2025 - Inna Kostiuk and Pavlo Denysiuk
byFinTech Belgium
 
Digital Finance Summit 2025 - Jos Gheerardyn
byFinTech Belgium
 
Digital Finance Summit 2025 - Marko Koić
byFinTech Belgium
 
Digital Finance Summit 2025 - Balint Kis
byFinTech Belgium
 
2014limspresentation-141119055221-conversion-gate02.ppt
byImadAghila
 
Digital Finance Summit 2025 - David Van der Looven
byFinTech Belgium
 
Digital Finance Summit 2025 - Joris Germonpré
byFinTech Belgium
 
Digital Finance Summit 2025 - MyProved by Xavier Laoureux
byFinTech Belgium
 
Digital Finance Summit 2025 - Cédric Nève
byFinTech Belgium
 
How to Create a Timeline in PowerPoint|Step-by-Step Guide
byzhiqiangjiang1
 
Digital Finance Summit 2025-Benoit van den Hove
byFinTech Belgium
 
Top Platforms to Secure Gmail Accounts for Business Use This Year.docx
bysmmtrust service
 
HEPA (AHU) Qualification.pdf & Replacement Frequency of HEPA filter
byvinodchauhan89
 
The Benefits of Using Old Gmail Accounts for Quick Verification.docx
bysmmtrust service
 
How to Insert Notes in PowerPoint (Step-by-Step Guide 2025)
byTeresa Garcia
 
WASTEWATER TREATMENT LABORATORY TRAINING.pptx
byImadAghila
 
Finale Group Project UW- Uyghur Muslims.pdf
bykarlas39
 
2025-12-07 Moses 10 (shared slides).pptx
byDale Wells
 

MITRE-Module 4 Slides.pdf

  • 1.
    Module 4: Storing andAnalyzing ATT&CK-Mapped Data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 2.
    Process of ApplyingATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
  • 3.
    Considerations When StoringATT&CK-Mapped Intel ▪ Who’s consuming it? – Human or machine? – Requirements? ▪ How will you provide context? – Include full text? ▪ How detailed will it be? – Just a Technique, or a Procedure? – How will you capture that detail? (Free text?) ▪ How will you link it to other intel? – Incident, group, campaign, indicator… ▪ How will you import and export data? – Format? ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. The community is still figuring this out!
  • 4.
    Ways to Storeand Display ATT&CK-Mapped Intel ¯ _(ツ)_/¯ ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 5.
    Ways to Storeand Display ATT&CK-Mapped Intel Courtesy of Alexandre Dulaunoy ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 6.
    Ways to Storeand Display ATT&CK-Mapped Intel Courtesy of Alexandre Dulaunoy ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Ability to link to indicators and files
  • 7.
    Ways to Expressand Store ATT&CK-Mapped Intel https://www.anomali.com/blog/weekly-threat-briefing-google- spots-attacks-exploiting-ios-zero-day-flaws … ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Techniques at the end of a report
  • 8.
    Ways to Expressand Store ATT&CK-Mapped Intel https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing- operation-ghostsecret-attack-seeks-to-steal-data-worldwide/ ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Techniques at the end of a report
  • 9.
    Ways to Expressand Store ATT&CK-Mapped Intel https://www.crowdstrike.com/resources/reports/2018-crowdstrike-global- threat-report-blurring-the-lines-between-statecraft-and-tradecraft/ ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Techniques at the beginning of a report
  • 10.
    Ways to Expressand Store ATT&CK-Mapped Intel https://www.digitalshadows.com/blog-and-research/mitre-attck- and-the-mueller-gru-indictment-lessons-for-organizations/ ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Adding additional info to an ATT&CK technique
  • 11.
    Ways to Expressand Store ATT&CK-Mapped Intel https://www.recordedfuture.com/mitre-attack-framework/ ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. With timestamps
  • 12.
    Ways to Expressand Store ATT&CK-Mapped Intel https://pan-unit42.github.io/playbook_viewer/ ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Machine readable Linking techniques to indicators
  • 13.
    Ways to Expressand Store ATT&CK-Mapped Intel https://attack.mitre.org/groups/G0007/ What else could we do? https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15- is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ Credential Dumping (T1003) Full-Text Report ATT&CK Technique ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 14.
    Understand ATT&CK Map data to ATT&CK Store& analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data Process of Applying ATT&CK to CTI So now we have some ATT&CK-mapped intel… What can we do with it? ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 15.
    Initial Access rive byCompromise xploit ublic acing Application ardware Additions Replication Through Removable Media pearphishing Attachment pearphishing ink pearphishing via ervice upply Chain Compromise Trusted Relationship alid Accounts Execution Apple cript CM T Command ine Interface Control anel Items ynamic ata xchange xecution through A I xecution through Module oad xploitation for Client xecution raphical ser Interface Install til aunchctl ocal ob cheduling A river Mshta ower hell Regsvcs Regasm Regsvr Rundll cheduled T ask cripting ervice xecution igned inary roxy xecution igned cript roxy xecution ource pace after ilename Third party oftware Trap Trusted eveloper tilities ser xecution Windows Management Instrumentation Windows Remote Management Persistence .bash profile and .bashrc Accessibility eatures AppCert s AppInit s Application himming Authentication ackage IT obs ootkit rowser xtensions Change efault ile Association Component irmware Component b ect Model i acking Create Account earch rder i acking ylib i acking xternal Remote ervices ile ystem ermissions Weakness idden iles and irectories ooking ypervisor Image ile xecution ptions In ection ernel Modules and xtensions aunch Agent aunch aemon aunchctl C A I Addition ocal ob cheduling ogin Item ogon cripts A river Modify xisting ervice Netsh elper New ervice ffice Application tartup ath Interception list Modification ort nocking ort Monitors Rc.common Re opened Applications Redundant Access Registry Run eys tart older cheduled T ask creensaver Privilege Escalation Access T oken Manipulation Accessibility eatures AppCert s AppInit s Application himming ypass ser Account Control earch rder i acking ylib i acking xploitation for rivilege scalation xtra Window Memory In ection ile ystem ermissions Weakness ooking Image ile xecution ptions In ection aunch aemon New ervice ath Interception list Modification ort Monitors rocess In ection cheduled T ask ervice Registry ermissions Weakness etuid and etgid I istory In ection tartup Items udo udo Caching alid Accounts Web hell Defense Evasion Access T oken Manipulation inary adding IT obs ypass ser Account Control Clear Command istory CM T Code igning Component irmware Component b ect Model i acking Control anel Items C hadow eobfuscate ecode iles or Information isabling ecurity T ools earch rder i acking ide oading xploitation for efense vasion xtra Window Memory In ection ile eletion ile ystem ogical ffsets atekeeper ypass idden iles and irectories idden sers idden Window I TC NTR Image ile xecution ptions In ection Indicator locking Indicator Removal from T ools Indicator Removal on ost Indirect Command xecution Install Root Certificate Install til aunchctl C MAIN i acking Masquerading Modify Registry Mshta Network hare Connection Removal NT ile Attributes bfuscated iles or Information list Modification ort nocking rocess oppelg nging rocess ollowing rocess In ection Credential Access Account Manipulation ash istory rute orce Credential umping Credentials in iles Credentials in Registry xploitation for Credential Access orced Authentication ooking Input Capture Input rompt erberoasting eychain MNR N T N oisoning Network niffing assword ilter rivate eys Replication Through Removable Media ecurityd Memory Two actor Authentication Interception Discovery Account iscovery Application Window iscovery rowser ookmark iscovery ile and irectory iscovery Network ervice canning Network hare iscovery assword olicy iscovery eripheral evice iscovery ermission roups iscovery rocess iscovery uery Registry Remote ystem iscovery ecurity oftware iscovery ystem Information iscovery ystem Network Configuration iscovery ystem Network Connections iscovery ystem wner ser iscovery ystem ervice iscovery ystem Time iscovery Lateral Movement Apple cript Application eployment oftware istributed Component b ect Model xploitation of Remote ervices ogon cripts ass the ash ass the Ticket Remote esktop rotocol Remote ile Copy Remote ervices Replication Through Removable Media hared Webroot i acking T aint hared Content Third party oftware Windows Admin hares Windows Remote Management Collection Audio Capture Automated Collection Clipboard ata ata from Information Repositories ata from ocal ystem ata from Network hared rive ata from Removable Media ata taged mail Collection Input Capture Man in the rowser creen Capture ideo Capture Exfiltration Automated xfiltration ata Compressed ata ncrypted ata Transfer i e imits xfiltration ver Alternative rotocol xfiltration ver Command and Control Channel xfiltration ver ther Network Medium xfiltration ver hysical Medium cheduled Transfer Command And Control Commonly sed ort Communication Through Removable Media Connection roxy Custom Command and Control rotocol Custom Cryptographic rotocol ata ncoding ata bfuscation omain ronting allback Channels Multi hop roxy Multi tage Channels Multiband Communication Multilayer ncryption ort nocking Remote Access T ools Remote ile Copy tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol ncommonly sed ort Web ervice APT28 Techniques* *from open source reporting we’ve mapped Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control
  • 16.
    Initial Access rive byCompromise xploit ublic acing Application ardware Additions Replication Through Removable Media pearphishing Attachment pearphishing ink pearphishing via ervice upply Chain Compromise Trusted Relationship alid Accounts Execution Apple cript CM T Command ine Interface Control anel Items ynamic ata xchange xecution through A I xecution through Module oad xploitation for Client xecution raphical ser Interface Install til aunchctl ocal ob cheduling A river Mshta ower hell Regsvcs Regasm Regsvr Rundll cheduled T ask cripting ervice xecution igned inary roxy xecution igned cript roxy xecution ource pace after ilename Third party oftware Trap Trusted eveloper tilities ser xecution Windows Management Instrumentation Windows Remote Management Persistence .bash profile and .bashrc Accessibility eatures AppCert s AppInit s Application himming Authentication ackage IT obs ootkit rowser xtensions Change efault ile Association Component irmware Component b ect Model i acking Create Account earch rder i acking ylib i acking xternal Remote ervices ile ystem ermissions Weakness idden iles and irectories ooking ypervisor Image ile xecution ptions In ection ernel Modules and xtensions aunch Agent aunch aemon aunchctl C A I Addition ocal ob cheduling ogin Item ogon cripts A river Modify xisting ervice Netsh elper New ervice ffice Application tartup ath Interception list Modification ort nocking ort Monitors Rc.common Re opened Applications Redundant Access Registry Run eys tart older cheduled T ask creensaver Privilege Escalation Access T oken Manipulation Accessibility eatures AppCert s AppInit s Application himming ypass ser Account Control earch rder i acking ylib i acking xploitation for rivilege scalation xtra Window Memory In ection ile ystem ermissions Weakness ooking Image ile xecution ptions In ection aunch aemon New ervice ath Interception list Modification ort Monitors rocess In ection cheduled T ask ervice Registry ermissions Weakness etuid and etgid I istory In ection tartup Items udo udo Caching alid Accounts Web hell Defense Evasion Access T oken Manipulation inary adding IT obs ypass ser Account Control Clear Command istory CM T Code igning Component irmware Component b ect Model i acking Control anel Items C hadow eobfuscate ecode iles or Information isabling ecurity T ools earch rder i acking ide oading xploitation for efense vasion xtra Window Memory In ection ile eletion ile ystem ogical ffsets atekeeper ypass idden iles and irectories idden sers idden Window I TC NTR Image ile xecution ptions In ection Indicator locking Indicator Removal from T ools Indicator Removal on ost Indirect Command xecution Install Root Certificate Install til aunchctl C MAIN i acking Masquerading Modify Registry Mshta Network hare Connection Removal NT ile Attributes bfuscated iles or Information list Modification ort nocking rocess oppelg nging rocess ollowing rocess In ection Credential Access Account Manipulation ash istory rute orce Credential umping Credentials in iles Credentials in Registry xploitation for Credential Access orced Authentication ooking Input Capture Input rompt erberoasting eychain MNR N T N oisoning Network niffing assword ilter rivate eys Replication Through Removable Media ecurityd Memory Two actor Authentication Interception Discovery Account iscovery Application Window iscovery rowser ookmark iscovery ile and irectory iscovery Network ervice canning Network hare iscovery assword olicy iscovery eripheral evice iscovery ermission roups iscovery rocess iscovery uery Registry Remote ystem iscovery ecurity oftware iscovery ystem Information iscovery ystem Network Configuration iscovery ystem Network Connections iscovery ystem wner ser iscovery ystem ervice iscovery ystem Time iscovery Lateral Movement Apple cript Application eployment oftware istributed Component b ect Model xploitation of Remote ervices ogon cripts ass the ash ass the Ticket Remote esktop rotocol Remote ile Copy Remote ervices Replication Through Removable Media hared Webroot i acking T aint hared Content Third party oftware Windows Admin hares Windows Remote Management Collection Audio Capture Automated Collection Clipboard ata ata from Information Repositories ata from ocal ystem ata from Network hared rive ata from Removable Media ata taged mail Collection Input Capture Man in the rowser creen Capture ideo Capture Exfiltration Automated xfiltration ata Compressed ata ncrypted ata Transfer i e imits xfiltration ver Alternative rotocol xfiltration ver Command and Control Channel xfiltration ver ther Network Medium xfiltration ver hysical Medium cheduled Transfer Command And Control Commonly sed ort Communication Through Removable Media Connection roxy Custom Command and Control rotocol Custom Cryptographic rotocol ata ncoding ata bfuscation omain ronting allback Channels Multi hop roxy Multi tage Channels Multiband Communication Multilayer ncryption ort nocking Remote Access T ools Remote ile Copy tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol ncommonly sed ort Web ervice APT29 Techniques Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control
  • 17.
    Initial Access rive byCompromise xploit ublic acing Application ardware Additions Replication Through Removable Media pearphishing Attachment pearphishing ink pearphishing via ervice upply Chain Compromise Trusted Relationship alid Accounts Execution Apple cript CM T Command ine Interface Control anel Items ynamic ata xchange xecution through A I xecution through Module oad xploitation for Client xecution raphical ser Interface Install til aunchctl ocal ob cheduling A river Mshta ower hell Regsvcs Regasm Regsvr Rundll cheduled T ask cripting ervice xecution igned inary roxy xecution igned cript roxy xecution ource pace after ilename Third party oftware Trap Trusted eveloper tilities ser xecution Windows Management Instrumentation Windows Remote Management Persistence .bash profile and .bashrc Accessibility eatures AppCert s AppInit s Application himming Authentication ackage IT obs ootkit rowser xtensions Change efault ile Association Component irmware Component b ect Model i acking Create Account earch rder i acking ylib i acking xternal Remote ervices ile ystem ermissions Weakness idden iles and irectories ooking ypervisor Image ile xecution ptions In ection ernel Modules and xtensions aunch Agent aunch aemon aunchctl C A I Addition ocal ob cheduling ogin Item ogon cripts A river Modify xisting ervice Netsh elper New ervice ffice Application tartup ath Interception list Modification ort nocking ort Monitors Rc.common Re opened Applications Redundant Access Registry Run eys tart older cheduled T ask creensaver Privilege Escalation Access T oken Manipulation Accessibility eatures AppCert s AppInit s Application himming ypass ser Account Control earch rder i acking ylib i acking xploitation for rivilege scalation xtra Window Memory In ection ile ystem ermissions Weakness ooking Image ile xecution ptions In ection aunch aemon New ervice ath Interception list Modification ort Monitors rocess In ection cheduled T ask ervice Registry ermissions Weakness etuid and etgid I istory In ection tartup Items udo udo Caching alid Accounts Web hell Defense Evasion Access T oken Manipulation inary adding IT obs ypass ser Account Control Clear Command istory CM T Code igning Component irmware Component b ect Model i acking Control anel Items C hadow eobfuscate ecode iles or Information isabling ecurity T ools earch rder i acking ide oading xploitation for efense vasion xtra Window Memory In ection ile eletion ile ystem ogical ffsets atekeeper ypass idden iles and irectories idden sers idden Window I TC NTR Image ile xecution ptions In ection Indicator locking Indicator Removal from T ools Indicator Removal on ost Indirect Command xecution Install Root Certificate Install til aunchctl C MAIN i acking Masquerading Modify Registry Mshta Network hare Connection Removal NT ile Attributes bfuscated iles or Information list Modification ort nocking rocess oppelg nging rocess ollowing rocess In ection Credential Access Account Manipulation ash istory rute orce Credential umping Credentials in iles Credentials in Registry xploitation for Credential Access orced Authentication ooking Input Capture Input rompt erberoasting eychain MNR N T N oisoning Network niffing assword ilter rivate eys Replication Through Removable Media ecurityd Memory Two actor Authentication Interception Discovery Account iscovery Application Window iscovery rowser ookmark iscovery ile and irectory iscovery Network ervice canning Network hare iscovery assword olicy iscovery eripheral evice iscovery ermission roups iscovery rocess iscovery uery Registry Remote ystem iscovery ecurity oftware iscovery ystem Information iscovery ystem Network Configuration iscovery ystem Network Connections iscovery ystem wner ser iscovery ystem ervice iscovery ystem Time iscovery Lateral Movement Apple cript Application eployment oftware istributed Component b ect Model xploitation of Remote ervices ogon cripts ass the ash ass the Ticket Remote esktop rotocol Remote ile Copy Remote ervices Replication Through Removable Media hared Webroot i acking T aint hared Content Third party oftware Windows Admin hares Windows Remote Management Collection Audio Capture Automated Collection Clipboard ata ata from Information Repositories ata from ocal ystem ata from Network hared rive ata from Removable Media ata taged mail Collection Input Capture Man in the rowser creen Capture ideo Capture Exfiltration Automated xfiltration ata Compressed ata ncrypted ata Transfer i e imits xfiltration ver Alternative rotocol xfiltration ver Command and Control Channel xfiltration ver ther Network Medium xfiltration ver hysical Medium cheduled Transfer Command And Control Commonly sed ort Communication Through Removable Media Connection roxy Custom Command and Control rotocol Custom Cryptographic rotocol ata ncoding ata bfuscation omain ronting allback Channels Multi hop roxy Multi tage Channels Multiband Communication Multilayer ncryption ort nocking Remote Access T ools Remote ile Copy tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol ncommonly sed ort Web ervice Comparing APT28 and APT29 Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control Overlay known gaps APT28 APT29 Both groups
  • 18.
    ATT&CK Navigator ▪ Oneoption for getting started with storing and analyzing in a simple way ▪ Open source (JSON), so you can customize it ▪ Allows you you visualize data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 19.
  • 20.
    Exercise 4: ComparingLayers in ATT&CK Navigator ▪ Docs you will need are at attack.mitre.org/training/cti under Exercise 4 – Step-by-step instructions are in the “Comparing ayers in Navigator” – Techniques are listed in the “A T 9 and Cobalt itty techniques” 1. Open ATT&CK Navigator: http://bit.ly/attacknav 2. Enter techniques from APT39 and Cobalt Kitty/OceanLotus into separate Navigator layers with a unique score for each layer’s techniques 3. Combine the layers in Navigator to create a third layer 4. Make your third layer look pretty 5. Make a list of the techniques that overlap between the two groups ▪ Please pause. We suggest giving yourself 15 minutes for this exercise. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 21.
    Initial Access rive byCompromise xploit ublic acing Application ardware Additions Replication Through Removable Media pearphishing Attachment pearphishing ink pearphishing via ervice upply Chain Compromise Trusted Relationship alid Accounts Execution Apple cript CM T Command ine Interface Compiled TM ile Control anel Items ynamic ata xchange xecution through A I xecution through Module oad xploitation for Client xecution raphical ser Interface Install til aunchctl ocal ob cheduling A river Mshta ower hell Regsvcs Regasm Regsvr Rundll cheduled Task cripting ervice xecution igned inary roxy xecution igned cript roxy xecution ource pace after ilename Third party oftware Trap Trusted eveloper tilities ser xecution Windows Management Instrumentation Windows Remote Management cript rocessing Persistence .bash profile and .bashrc Accessibility eatures Account Manipulation AppCert s AppInit s Application himming Authentication ackage IT obs ootkit rowser xtensions Change efault ile Association Component irmware Component b ect Model i acking Create Account earch rder i acking ylib i acking xternal Remote ervices ile ystem ermissions Weakness idden iles and irectories ooking ypervisor Image ile xecution ptions In ection ernel Modules and xtensions aunch Agent aunch aemon aunchctl C A I Addition ocal ob cheduling ogin Item ogon cripts A river Modify xisting ervice Netsh elper New ervice ffice Application tartup ath Interception list Modification ort nocking ort Monitors Rc.common Re opened Applications Privilege Escalation Access Token Manipulation Accessibility eatures AppCert s AppInit s Application himming ypass ser Account Control earch rder i acking ylib i acking xploitation for rivilege scalation xtra Window Memory In ection ile ystem ermissions Weakness ooking Image ile xecution ptions In ection aunch aemon New ervice ath Interception list Modification ort Monitors rocess In ection cheduled Task ervice Registry ermissions Weakness etuid and etgid I istory In ection tartup Items udo udo Caching alid Accounts Web hell Defense Evasion Access Token Manipulation inary adding IT obs ypass ser Account Control Clear Command istory CM T Code igning Compiled TM ile Component irmware Component b ect Model i acking Control anel Items C hadow eobfuscate ecode iles or Information isabling ecurity Tools earch rder i acking ide oading xploitation for efense vasion xtra Window Memory In ection ile eletion ile ermissions Modification ile ystem ogical ffsets atekeeper ypass idden iles and irectories idden sers idden Window I TC NTR Image ile xecution ptions In ection Indicator locking Indicator Removal from Tools Indicator Removal on ost Indirect Command xecution Install Root Certificate Install til aunchctl C MAIN i acking Masquerading Modify Registry Mshta Network hare Connection Removal NT ile Attributes bfuscated iles or Information Credential Access Account Manipulation ash istory rute orce Credential umping Credentials in iles Credentials in Registry xploitation for Credential Access orced Authentication ooking Input Capture Input rompt erberoasting eychain MNR N T N oisoning Network niffing assword ilter rivate eys ecurityd Memory Two actor Authentication Interception Discovery Account iscovery Application Window iscovery rowser ookmark iscovery ile and irectory iscovery Network ervice canning Network hare iscovery Network niffing assword olicy iscovery eripheral evice iscovery ermission roups iscovery rocess iscovery uery Registry Remote ystem iscovery ecurity oftware iscovery ystem Information iscovery ystem Network Configuration iscovery ystem Network Connections iscovery ystem wner ser iscovery ystem ervice iscovery ystem Time iscovery Lateral Movement Apple cript Application eployment oftware istributed Component b ect Model xploitation of Remote ervices ogon cripts ass the ash ass the Ticket Remote esktop rotocol Remote ile Copy Remote ervices Replication Through Removable Media hared Webroot i acking Taint hared Content Third party oftware Windows Admin hares Windows Remote Management Collection Audio Capture Automated Collection Clipboard ata ata from Information Repositories ata from ocal ystem ata from Network hared rive ata from Removable Media ata taged mail Collection Input Capture Man in the rowser creen Capture ideo Capture Exfiltration Automated xfiltration ata Compressed ata ncrypted ata Transfer i e imits xfiltration ver Alternative rotocol xfiltration ver Command and Control Channel xfiltration ver ther Network Medium xfiltration ver hysical Medium cheduled Transfer Command And Control Commonly sed ort Communication Through Removable Media Connection roxy Custom Command and Control rotocol Custom Cryptographic rotocol ata ncoding ata bfuscation omain ronting allback Channels Multi hop roxy Multi tage Channels Multiband Communication Multilayer ncryption ort nocking Remote Access Tools Remote ile Copy tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol ncommonly sed ort Web ervice Initial Access rive by Compromise xploit ublic acing Application ardware Additions Replication Through Removable Media pearphishing Attachment pearphishing ink pearphishing via ervice upply Chain Compromise Trusted Relationship alid Accounts Execution Apple cript CM T Command ine Interface Compiled TM ile Control anel Items ynamic ata xchange xecution through A I xecution through Module oad xploitation for Client xecution raphical ser Interface Install til aunchctl ocal ob cheduling A river Mshta ower hell Regsvcs Regasm Regsvr Rundll cheduled Task cripting ervice xecution igned inary roxy xecution igned cript roxy xecution ource pace after ilename Third party oftware Trap Trusted eveloper tilities ser xecution Windows Management Instrumentation Windows Remote Management cript rocessing Persistence .bash profile and .bashrc Accessibility eatures Account Manipulation AppCert s AppInit s Application himming Authentication ackage IT obs ootkit rowser xtensions Change efault ile Association Component irmware Component b ect Model i acking Create Account earch rder i acking ylib i acking xternal Remote ervices ile ystem ermissions Weakness idden iles and irectories ooking ypervisor Image ile xecution ptions In ection ernel Modules and xtensions aunch Agent aunch aemon aunchctl C A I Addition ocal ob cheduling ogin Item ogon cripts A river Modify xisting ervice Netsh elper New ervice ffice Application tartup ath Interception list Modification ort nocking ort Monitors Rc.common Re opened Applications Privilege Escalation Access Token Manipulation Accessibility eatures AppCert s AppInit s Application himming ypass ser Account Control earch rder i acking ylib i acking xploitation for rivilege scalation xtra Window Memory In ection ile ystem ermissions Weakness ooking Image ile xecution ptions In ection aunch aemon New ervice ath Interception list Modification ort Monitors rocess In ection cheduled Task ervice Registry ermissions Weakness etuid and etgid I istory In ection tartup Items udo udo Caching alid Accounts Web hell Defense Evasion Access Token Manipulation inary adding IT obs ypass ser Account Control Clear Command istory CM T Code igning Compiled TM ile Component irmware Component b ect Model i acking Control anel Items C hadow eobfuscate ecode iles or Information isabling ecurity Tools earch rder i acking ide oading xploitation for efense vasion xtra Window Memory In ection ile eletion ile ermissions Modification ile ystem ogical ffsets atekeeper ypass idden iles and irectories idden sers idden Window I TC NTR Image ile xecution ptions In ection Indicator locking Indicator Removal from Tools Indicator Removal on ost Indirect Command xecution Install Root Certificate Install til aunchctl C MAIN i acking Masquerading Modify Registry Mshta Network hare Connection Removal NT ile Attributes bfuscated iles or Information Credential Access Account Manipulation ash istory rute orce Credential umping Credentials in iles Credentials in Registry xploitation for Credential Access orced Authentication ooking Input Capture Input rompt erberoasting eychain MNR N T N oisoning Network niffing assword ilter rivate eys ecurityd Memory Two actor Authentication Interception Discovery Account iscovery Application Window iscovery rowser ookmark iscovery ile and irectory iscovery Network ervice canning Network hare iscovery Network niffing assword olicy iscovery eripheral evice iscovery ermission roups iscovery rocess iscovery uery Registry Remote ystem iscovery ecurity oftware iscovery ystem Information iscovery ystem Network Configuration iscovery ystem Network Connections iscovery ystem wner ser iscovery ystem ervice iscovery ystem Time iscovery Lateral Movement Apple cript Application eployment oftware istributed Component b ect Model xploitation of Remote ervices ogon cripts ass the ash ass the Ticket Remote esktop rotocol Remote ile Copy Remote ervices Replication Through Removable Media hared Webroot i acking Taint hared Content Third party oftware Windows Admin hares Windows Remote Management Collection Audio Capture Automated Collection Clipboard ata ata from Information Repositories ata from ocal ystem ata from Network hared rive ata from Removable Media ata taged mail Collection Input Capture Man in the rowser creen Capture ideo Capture Exfiltration Automated xfiltration ata Compressed ata ncrypted ata Transfer i e imits xfiltration ver Alternative rotocol xfiltration ver Command and Control Channel xfiltration ver ther Network Medium xfiltration ver hysical Medium cheduled Transfer Command And Control Commonly sed ort Communication Through Removable Media Connection roxy Custom Command and Control rotocol Custom Cryptographic rotocol ata ncoding ata bfuscation omain ronting allback Channels Multi hop roxy Multi tage Channels Multiband Communication Multilayer ncryption ort nocking Remote Access Tools Remote ile Copy tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol ncommonly sed ort Web ervice Initial Access rive by Compromise xploit ublic acing Application ardware Additions Replication Through Removable Media pearphishing Attachment pearphishing ink pearphishing via ervice upply Chain Compromise Trusted Relationship alid Accounts Execution Apple cript CM T Command ine Interface Compiled TM ile Control anel Items ynamic ata xchange xecution through A I xecution through Module oad xploitation for Client xecution raphical ser Interface Install til aunchctl ocal ob cheduling A river Mshta ower hell Regsvcs Regasm Regsvr Rundll cheduled Task cripting ervice xecution igned inary roxy xecution igned cript roxy xecution ource pace after ilename Third party oftware Trap Trusted eveloper tilities ser xecution Windows Management Instrumentation Windows Remote Management cript rocessing Persistence .bash profile and .bashrc Accessibility eatures Account Manipulation AppCert s AppInit s Application himming Authentication ackage IT obs ootkit rowser xtensions Change efault ile Association Component irmware Component b ect Model i acking Create Account earch rder i acking ylib i acking xternal Remote ervices ile ystem ermissions Weakness idden iles and irectories ooking ypervisor Image ile xecution ptions In ection ernel Modules and xtensions aunch Agent aunch aemon aunchctl C A I Addition ocal ob cheduling ogin Item ogon cripts A river Modify xisting ervice Netsh elper New ervice ffice Application tartup ath Interception list Modification ort nocking ort Monitors Rc.common Re opened Applications Privilege Escalation Access Token Manipulation Accessibility eatures AppCert s AppInit s Application himming ypass ser Account Control earch rder i acking ylib i acking xploitation for rivilege scalation xtra Window Memory In ection ile ystem ermissions Weakness ooking Image ile xecution ptions In ection aunch aemon New ervice ath Interception list Modification ort Monitors rocess In ection cheduled Task ervice Registry ermissions Weakness etuid and etgid I istory In ection tartup Items udo udo Caching alid Accounts Web hell Defense Evasion Access Token Manipulation inary adding IT obs ypass ser Account Control Clear Command istory CM T Code igning Compiled TM ile Component irmware Component b ect Model i acking Control anel Items C hadow eobfuscate ecode iles or Information isabling ecurity Tools earch rder i acking ide oading xploitation for efense vasion xtra Window Memory In ection ile eletion ile ermissions Modification ile ystem ogical ffsets atekeeper ypass idden iles and irectories idden sers idden Window I TC NTR Image ile xecution ptions In ection Indicator locking Indicator Removal from Tools Indicator Removal on ost Indirect Command xecution Install Root Certificate Install til aunchctl C MAIN i acking Masquerading Modify Registry Mshta Network hare Connection Removal NT ile Attributes bfuscated iles or Information Credential Access Account Manipulation ash istory rute orce Credential umping Credentials in iles Credentials in Registry xploitation for Credential Access orced Authentication ooking Input Capture Input rompt erberoasting eychain MNR N T N oisoning Network niffing assword ilter rivate eys ecurityd Memory Two actor Authentication Interception Discovery Account iscovery Application Window iscovery rowser ookmark iscovery ile and irectory iscovery Network ervice canning Network hare iscovery Network niffing assword olicy iscovery eripheral evice iscovery ermission roups iscovery rocess iscovery uery Registry Remote ystem iscovery ecurity oftware iscovery ystem Information iscovery ystem Network Configuration iscovery ystem Network Connections iscovery ystem wner ser iscovery ystem ervice iscovery ystem Time iscovery Lateral Movement Apple cript Application eployment oftware istributed Component b ect Model xploitation of Remote ervices ogon cripts ass the ash ass the Ticket Remote esktop rotocol Remote ile Copy Remote ervices Replication Through Removable Media hared Webroot i acking Taint hared Content Third party oftware Windows Admin hares Windows Remote Management Collection Audio Capture Automated Collection Clipboard ata ata from Information Repositories ata from ocal ystem ata from Network hared rive ata from Removable Media ata taged mail Collection Input Capture Man in the rowser creen Capture ideo Capture Exfiltration Automated xfiltration ata Compressed ata ncrypted ata Transfer i e imits xfiltration ver Alternative rotocol xfiltration ver Command and Control Channel xfiltration ver ther Network Medium xfiltration ver hysical Medium cheduled Transfer Command And Control Commonly sed ort Communication Through Removable Media Connection roxy Custom Command and Control rotocol Custom Cryptographic rotocol ata ncoding ata bfuscation omain ronting allback Channels Multi hop roxy Multi tage Channels Multiband Communication Multilayer ncryption ort nocking Remote Access Tools Remote ile Copy tandard Application ayer rotocol tandard Cryptographic rotocol tandard Non Application ayer rotocol ncommonly sed ort Web ervice Exercise 4: Comparing Layers in ATT&CK Navigator APT39 Both groups OceanLotus ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 22.
    Exercise 4: ComparingLayers in ATT&CK Navigator ▪ Here are the overlapping techniques: 1. Spearphishing Attachment 2. Spearphishing Link 3. Scheduled Task 4. Scripting 5. User Execution 6. Registry Run Keys/Startup Folder 7. Network Service Scanning ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 23.
    Process of ApplyingATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
  • 24.
    End of Module4 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.