More Related Content Similar to RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detection, Analysis & Defense (20) More from Adam Pennington (7) RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detection, Analysis & Defense1. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
Leveraging MITRE ATT&CK™ for
Detection, Analysis & Defense
| 1 |
Adam Pennington @_whatshisface
MITRE ATT&CK @MITREattack
2. Poll Question: How familiar are you with MITRE ATT&CK?
I’ve never heard of it, just picked a random talk
I’ve heard about it, never really used it
I’ve played with some tactics and techniques
I’m an ATT&CK master
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
| 2 |
3. Agenda
ATT&CK basics
ATT&CK use cases
– Cyber threat intelligence
– Adversary emulation
– Detection and Analytics
– Assessments and Engineering
Takeaways
Q&A/Discussion
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
| 3 |
4. Tough Questions for Defenders
How effective are my defenses?
Do I have a chance at detecting APT29?
Is the data I’m collecting useful?
Do I have overlapping tool coverage?
Will this new product help my organization’s defenses?
| 4 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
5. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
| 5 |
What is
?
A knowledge base of
adversary behavior
Based on real-world observations
Free, open, and globally accessible
A common language
Community-driven
6. The Difficult Task of Detecting TTPs
Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
David Bianco’s Pyramid of Pain
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
7. Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data
Manipulation
Command and Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and
Control Protocol
Custom Cryptographic
Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation
Algorithms
Fallback Channels
Multiband Communication
Multi-hop Proxy
Multilayer Encryption
Multi-Stage Channels
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer
Protocol
Standard Cryptographic
Protocol
Standard Non-Application
Layer Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Other
Network Medium
Exfiltration Over Command
and Control Channel
Exfiltration Over Alternative
Protocol
Exfiltration Over
Physical Medium
Scheduled Transfer
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information
Repositories
Data from Local System
Data from Network
Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Lateral Movement
AppleScript
Application Deployment
Software
Distributed Component
Object Model
Exploitation of
Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through
Removable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote
Management
Credential Access Discovery
Network Sniffing
Account Manipulation Account Discovery
Bash History Application Window
DiscoveryBrute Force
Credential Dumping Browser Bookmark
DiscoveryCredentials in Files
Credentials in Registry Domain Trust Discovery
Exploitation for
Credential Access
File and Directory Discovery
Network Service Scanning
Forced Authentication Network Share Discovery
Hooking Password Policy Discovery
Input Capture Peripheral Device Discovery
Input Prompt Permission Groups Discovery
Kerberoasting Process Discovery
Keychain Query Registry
LLMNR/NBT-NS Poisoning
and Relay
Remote System Discovery
Security Software Discovery
Password Filter DLL System Information
DiscoveryPrivate Keys
Securityd Memory System Network
Configuration Discovery
Two-Factor Authentication
Interception
System Network
Connections Discovery
System Owner/User
Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox
Evasion
Execution Persistence Privilege Escalation Defense Evasion
Scheduled Task Binary Padding
Launchctl Access Token Manipulation
Local Job Scheduling Bypass User Account Control
LSASS Driver Extra Window Memory Injection
Trap Process Injection
AppleScript DLL Search Order Hijacking
CMSTP Image File Execution Options Injection
Command-Line Interface Plist Modification
Compiled HTML File Valid Accounts
Control Panel Items Accessibility Features BITS Jobs
Dynamic Data Exchange AppCert DLLs Clear Command History
Execution through API AppInit DLLs CMSTP
Execution through
Module Load
Application Shimming Code Signing
Dylib Hijacking Compiled HTML File
Exploitation for
Client Execution
File System Permissions Weakness Component Firmware
Hooking Component Object Model
HijackingGraphical User Interface Launch Daemon
InstallUtil New Service Control Panel Items
Mshta Path Interception DCShadow
PowerShell Port Monitors Deobfuscate/Decode Files
or InformationRegsvcs/Regasm Service Registry Permissions Weakness
Regsvr32 Setuid and Setgid Disabling Security Tools
Rundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails
Service Execution .bash_profile and .bashrc Exploitation for
Privilege Escalation
Exploitation for
Defense Evasion
Signed Binary
Proxy Execution
Account Manipulation
Authentication Package SID-History Injection File Deletion
Signed Script
Proxy Execution
BITS Jobs Sudo File Permissions
ModificationBootkit Sudo Caching
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default
File Association
Gatekeeper Bypass
Third-party Software Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component Object
Model Hijacking
Hidden Users
Windows Management
Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote
Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removal
from ToolsXSL Script Processing Hypervisor
Kernel Modules
and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Initial Access
Drive-by Compromise
Exploit Public-Facing
Application
External Remote Services
Hardware Additions
Replication Through
Removable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Breaking Down ATT&CK
Tactics: the adversary’s technical goals
Techniques:howthegoalsare
achieved
| 7 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
Procedures: Specific technique implementation
12. Group: APT29
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
| 12 |
13. Group: APT29
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
| 13 |
14. Group: APT29
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
| 14 |
15. ATT&CK Use Cases
| 15 |
Threat Intelligence
processes = search Process:Create
reg = filter processes where (exe == "reg.exe" and parent_exe
== "cmd.exe")
cmd = filter processes where (exe == "cmd.exe" and
parent_exe != "explorer.exe"")
reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and
reg.hostname == cmd.hostname)
output reg_and_cmd
Detection
Adversary Emulation
Assessment and Engineering
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
Use ATT&CK for Adversary Emulation and Red Teaming
The best defense is a well-tested defense. ATT&CK provides a common adversary
behavior framework based on threat intelligence that red teams can use to emulate
specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and
processes—and then fix them.
Legend
Low Priority
High Priority
Finding Gaps in Defense
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
AppleScript
Application Deployment
Software
Distributed Component
Object Model
Exploitation of
Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through
Removable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote
Management
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and
Control Protocol
Custom Cryptographic
Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation
Algorithms
Fallback Channels
Multiband Communication
Multi-hop Proxy
Multilayer Encryption
Multi-Stage Channels
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer
Protocol
Standard Cryptographic
Protocol
Standard Non-Application
Layer Protocol
Uncommonly Used Port
Web Service
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Other
Network Medium
Exfiltration Over Command
and Control Channel
Exfiltration Over Alternative
Protocol
Exfiltration Over
Physical Medium
Scheduled Transfer
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data
Manipulation
Audio Capture
Automated Collection
Clipboard Data
Data from Information
Repositories
Data from Local System
Data from Network
Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Drive-by Compromise
Exploit Public-Facing
Application
External Remote Services
Hardware Additions
Replication Through
Removable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through
Module Load
Exploitation for
Client Execution
Graphical User Interface
InstallUtil
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scripting
Service Execution
Signed Binary
Proxy Execution
Signed Script
Proxy Execution
Source
Space after Filename
Third-party Software
Trusted Developer Utilities
DLL Search Order Hijacking
Image File Execution Options Injection
Plist Modification
Valid Accounts
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Dylib Hijacking
File System Permissions Weakness
Hooking
Launch Daemon
New Service
Path Interception
Port Monitors
Service Registry Permissions Weakness
Setuid and Setgid
Startup Items
Web Shell
.bash_profile and .bashrc
Account Manipulation
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default
File Association
Component Firmware
BITS Jobs
Clear Command History
CMSTP
Code Signing
Compiled HTML File
Component Firmware
Component Object Model
Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files
or Information
Disabling Security Tools
DLL Side-Loading
Execution Guardrails
Exploitation for
Defense Evasion
File Deletion
File Permissions
Modification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Exploitation for
Privilege Escalation
SID-History Injection
Sudo
Sudo Caching
Scheduled Task Binary Padding Network Sniffing
Launchctl
Local Job Scheduling
LSASS Driver
Trap
Access Token Manipulation
Bypass User Account Control
Extra Window Memory Injection
Process Injection
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for
Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoning
and Relay
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Account Discovery
Application Window
Discovery
Browser Bookmark
Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Discovery
Remote System Discovery
Security Software Discovery
System Information
Discovery
System Network
Configuration Discovery
System Network
Connections Discovery
System Owner/User
Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox
Evasion
Use ATT&CK for Cyber Threat Intelligence
Cyber threat intelligence comes from many sources, including knowledge of past incidents,
commercial threat feeds, information-sharing groups, government threat-sharing programs,
and more. ATT&CK gives analysts a common language to communicate across reports and
organizations, providing a way to structure, compare, and analyze threat intelligence.
Use ATT&CK to Build Your Defensive Platform
ATT&CK includes resources designed to help cyber defenders develop analytics that
detect the techniques used by an adversary. Based on threat intelligence included in
ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of
analytics to detect threats.
Get Started with ATT&CK
Legend
APT28
APT29
Both
Comparing APT28 to APT29
analytics. Check out our w ebsite at attack.mitre.org for more information on how each technique can be det ected, and
adversary examples you can use to start detecting adversary behavior with ATT&CK.
You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit.ly/ATT
learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK conten
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
ob
sta
Use ATT&CK to Build Your Defensive Platform
ATT&CK includes resources designed to help cyber defenders develop analytics that
detect the techniques used by an adversary. Based on threat intelligence included in
ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of
analytics to detect threats.
Legend
APT28
APT29
Both
Legend
Low Priority
High Priority
Comparing APT28 to APT29
Finding Gaps in Defense
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
malwarereve
net
work device logs
network intrusion detection system
ssl/tls inspection
system
calls
windowseventlogs
ocol
compromise
point denial of service
network denial of service
obfuscated files or information
remote access tools
spearphishing attachment
standard non-application layer protocoltemplate injection
domain fronting
drive-by compromise
endpoint denial of service
install root certificate
obfuscated files or information
spearphishing link
spearphishing via service
standard cryptographic protocol
web service
applescript
application shimming
browser extensions
bypass user account control
exploitation for client execution
hypervisor
kernel modules and extensions
keychain
rootkit
account manipulation
bits jobs
cm
stp
em
s
16. Poll Question: What use case is most important to you?
Threat intelligence
Detection
Adversary Emulation
Assessment and Engineering
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
| 16 |
17. Threat Intelligence
| 17 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
18. Communicate to Defenders
| 11 |
CTI
Analyst Defender
Registry Run Keys
/ Startup Folder
(T1060)
THIS is what the
adversary is doing!
The Run key is
AdobeUpdater.
Oh, we have
Registry data, we
can detect that!
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
19. Communicate Across the Community
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
| 12 |
CTI Consumer
Registry Run Keys
/ Startup Folder
(T1060)
Oh, you
mean T1060!
APT1337 is
using autorun
FUZZYDUCK
used a Run key
Company
A
Company
B
20. APT28 Techniques*
| 20 |
*from open source
reporting we’ve mapped
Initial
Access
Execution Persistence
Privilege
Escalation
Defense
Evasion
Credential
Access
Discovery
Lateral
Movement
Collection Exfiltration
Command
and Control
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
21. APT29 Techniques
| 21 |
Initial
Access
Execution Persistence
Privilege
Escalation
Defense
Evasion
Credential
Access
Discovery
Lateral
Movement
Collection Exfiltration
Command
and Control
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
22. Comparing APT28 and APT29
| 22 |
Initial
Access
Execution Persistence
Privilege
Escalation
Defense
Evasion
Credential
Access
Discovery
Lateral
Movement
Collection Exfiltration
Command
and Control
APT28
APT29
Both groups Prioritize!
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
23. Comparing APT28 and APT29
| 23 |
Initial
Access
Execution Persistence
Privilege
Escalation
Defense
Evasion
Credential
Access
Discovery
Lateral
Movement
Collection Exfiltration
Command
and Control
Overlay known gaps
APT28
APT29
Both groups
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
25. Adversary Emulation
| 25 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
26. Communicate Between Red and Blue
| 11 |
Red
Team
Blue
Team
I just used a
Scheduled Task
(T1053) to gain
Persistence.
We just detected
the red team
performing T1053!
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
27. Maturing your red teams
APT3 Adversary Emulation Field Manual
| 27 |
Category Built-in Windows Cobalt Strike Metasploit Description
Discovery
T1082 ver shell ver Get the Windows OS version that's
T1082 set shell set get_env.rb Print all of the environment variables
T1033 whoami /all /fo list shell whoami /all /fo list getuid
Get current user information, SID,
domain, groups the user belongs to,
T1082
net config workstation
net config server
shell net config
workstation
Get computer name, username, OS
software version, domain information,
T1016 ipconfig /all shell ipconfig
ipconfig
post/windows/gather/en
Get information about the domain,
network adapters, DNS / WSUS
T1082
systeminfo [/s COMPNAME]
[/u DOMAINuser] [/p
password]
systemprofiler tool if no
access yet (victim
browses to website)
sysinfo, run winenum,
get_env.rb
Displays detailed configuration
information about a computer and its
operating system, including
T1012
reg query
"HKEY_LOCAL_MACHINESY
STEMCurrentControlSetContr
olTerminal Server" /v
fDenyTSConnections
shell reg query
"HKEY_LOCAL_MACHIN
ESYSTEMCurrentContro
lSetControlTerminal
Server" /v
reg queryval -k
"HKEY_LOCAL_MACH
INESYSTEMCurrentC
ontrolSetControlTermi
nal Server" -v
Check for the current registry value
for terminal services, if it's 0, then
terminal services are enabled. If it's
1, then they're disabled
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
28. Develop intentional adversary emulation plans
Develop your own adversary emulation plan
Choose an adversary that is important to you
Use ATT&CK to communicate findings and drive defenders to improve
More info on developing plans:
– ATT&CK Evaluations Methodology: https://attackevals.mitre.org/methodology/round1/scope.html
– Threat-based Purple Teaming with ATT&CK: https://www.youtube.com/watch?v=OYEP-
YAKIn0&index=3&list=PL7ZDZo2Xu332XUiwFHB5X-tXfqIwVkg5l&t=0s
– ATT&CKing the Status Quo: Threat-Based Adversary Emulation with MITRE ATT&CK:
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536260992.pdf
| 28 |
Gather
threat intel
Extract
techniques
Analyze &
organize
Develop
tools
Emulate the
adversary
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
29. Detection
| 29 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
30. How ATT&CK Can Help
ATT&CK helps you with detection by…
– Forcing you to think about post-exploit activity
– Orienting you towards detecting the top of the Pyramid of Pain
– Giving you a framework to organize your detections
Building out an ATT&CK-Based detection program…
– Borrow from others
– Develop a data strategy
– Develop a detection strategy
– Write your own analytics
| 30 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
31. Borrowing from others
There’s a large community of people doing ATT&CK for detection
– What analytics are they running and finding valuable?
– Which of those can you run based on data you already have?
Look at existing repositories, or talk to partner organizations
– Cyber Analytics Repository (CAR): https://car.mitre.org/
– Endgame EQL Analytics Library:
https://eqllib.readthedocs.io/en/latest/analytics.html
– Sigma: https://github.com/Neo23x0/sigma
With analytics organized around ATT&CK, you know what you’re targeting
| 31 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
32. CAR Analytic: Access Permission Modification
| 32 |
https://car.mitre.org/analytics/CAR-2019-07-001
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
33. CAR Analytic: Access Permission Modification
| 33 |
https://car.mitre.org/analytics/CAR-2019-07-001
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
34. CAR Analytic: Access Permission Modification
| 34 |
https://car.mitre.org/analytics/CAR-2019-07-001
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
Recently added to CAR:
Splunk, Sigma, and EQL
Implementations
35. CAR Analytic: Access Permission Modification
| 35 |
https://car.mitre.org/analytics/CAR-2019-07-001
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
36. Sigma Analytic: “Suspicious WMI execution”
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
| 36 |
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_wmi_execution.yml
37. Sigma Analytic: “Suspicious WMI execution”
Convert to your query language
Conversion of “Suspicious WMI execution” to ElasticSearch Query
Strings with Winlogbeat ingested data:
user$ sigmac --target es-qs -c tools/config/winlogbeat.yml
rules/windows/process_creation/win_susp_wmi_execution.yml
(winlog.event_data.Image.keyword:(*wmic.exe) AND
winlog.event_data.CommandLine.keyword:(*/NODE:*process call
create * OR * path AntiVirusProduct get * OR * path
FirewallProduct get * OR * shadowcopy delete *))
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
| 37 |
38. Developing a Data Strategy
Develop a data strategy
– What data sources are needed by the analytics you want to run?
– Host-based data is useful, but consider network data too (e.g. Bro/Zeek)
Example data sources associated with ATT&CK techniques:
– Windows registry
– Process monitoring
– Command-line parameters
– Network intrusion detection system
– and more…
| 38 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
39. Developing a Data Strategy
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
| 39 |
40. Developing a Detection Strategy
Assess your detection coverage across ATT&CK
– Consider starting with one tactic and expanding from there
– Choose a “coverage rating” that works for you:
1-5 based on quality or number of detections
Low, Medium, High based on confidence you would detect that behavior
Remember you’ll never get to 100% or “perfect” coverage!
| 40 |
Credit: Kyle Rainey and Red
Canary
https://redcanary.com/blog/
avoiding-common-attack-pitfalls/
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
41. Developing a Detection Strategy
| 41 |
ATT&CK Navigator
https://github.com/mitre-attack/attack-navigator
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
42. Creating your own analytics
Look at the gaps in your detection that you can’t fill with existing content
– Or, look at incident data, red team successes, etc.
Leverage information in ATT&CK procedures
Use behavior driven development (BDD) for detection
| 42 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
43. Leveraging Information in ATT&CK Procedures
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
| 43 |
• Could leverage directly as a search string in your SIEM
• Would require “Process command-line parameters”
• Where safe, can emulate the attack and see what’s generated
44. Analytic Development Workflow Based on BDD
Execute
the attack
Write
search to
detect
malicious
behavior
Revise to
filter out
false
positives
Ensure
search
detects
malicious
behavior
Repeat
with a
different
procedure
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
| 44 |
Based on Dan North’s Behavior Driven Development (BDD)
45. Other Sources for Procedures to Test
References in ATT&CK Procedure Examples
Atomic Red Team
– https://atomicredteam.io/
Your own intelligence reporting
Creative red teaming
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
| 45 |
46. Assessments and Engineering
| 46 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
47. How ATT&CK Can Help
ATT&CK helps you with security engineering by…
– Giving you a common language for detection, CTI, and adversary emulation
– Increasing awareness of where you may need to accept risk
Building out an ATT&CK-Based security engineering process…
– Track what you’re doing now
– Base decisions on what and how you want to improve
– Understand where defenses are sufficient, where progress is being made,
and where risk may need to be accepted
| 47 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
48. Track What You’re Doing Now
Interview your detection/ops team, CTI team, and red team
– CTI: What threats do we face and which techniques should we prioritize?
– Detection: What techniques can we cover, and which can’t we?
– Red: What have we validated?
Examine your tools, documentation, and analytics
– Tools: Which data sources can we collect?
– Documentation: Do policies and procedures help us with techniques?
– Analytics: What techniques can it detect? How much procedure coverage?
Look at how your overall ATT&CK technique coverage fares
– Are there gaps in either detection or validation?
| 48 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
49. Track What You’re Doing Now
| 49 |
Legend
High Confidence of Detection
Some Confidence of Detection
Low Confidence of Detection
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
50. Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction
Exploit Public-Facing
Application
Launchctl Access Token Manipulation Account Manipulation Account Discovery ApplicationDeployment
Software
Automated Collection CommunicationThrough
Removable Media
Data Compressed Data Encrypted for Impact
Local Job Scheduling Bypass User Account Control Bash History ApplicationWindow
Discovery
Clipboard Data Data Encrypted Defacement
External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed Component
Object Model
Data from Information
Repositories
Connection Proxy Data Transfer Size Limits Disk Content Wipe
Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark
Discovery
Custom Command and
Control Protocol
ExfiltrationOver Other
Network Medium
Disk StructureWipe
ReplicationThrough
Removable Media
AppleScript DLL Search Order Hijacking Credentials in Files Exploitationof
Remote Services
Data from Local System Endpoint Denial of Service
CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network
Shared Drive
Custom Cryptographic
Protocol
ExfiltrationOver Command
and Control Channel
Firmware Corruption
Spearphishing Attachment Command-LineInterface Plist Modification Exploitationfor
Credential Access
File and Directory Discovery Logon Scripts Inhibit System Recovery
Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding ExfiltrationOver Alternative
Protocol
Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking
Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting ExfiltrationOver
Physical Medium
Runtime Data Manipulation
Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain Generation
Algorithms
Service Stop
Valid Accounts Execution through
Module Load
ApplicationShimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation
Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery ReplicationThrough
Removable Media
Screen Capture Fallback Channels Transmitted Data
ManipulationExploitationfor
Client Execution
File System Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication
Hooking Component Object Model
Hijacking
LLMNR/NBT-NS Poisoning
and Relay
Remote System Discovery Shared Webroot Multi-hopProxy
GraphicalUser Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer Encryption
InstallUtil New Service Control Panel Items Password Filter DLL System Information
Discovery
Taint Shared Content Multi-Stage Channels
Mshta Path Interception DCShadow Private Keys Third-partySoftware Port Knocking
PowerShell Port Monitors Deobfuscate/Decode Files
or Information
Securityd Memory System Network
Configuration Discovery
Windows Admin Shares Remote Access Tools
Regsvcs/Regasm Service Registry Permissions Weakness Two-Factor Authentication
Interception
Windows Remote
Management
Remote File Copy
Regsvr32 Setuid and Setgid Disabling Security Tools System Network
Connections Discovery
Standard ApplicationLayer
ProtocolRundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails System Owner/User
Discovery
Standard Cryptographic
ProtocolService Execution .bash_profile and .bashrc Exploitationfor
PrivilegeEscalation
Exploitationfor
Defense EvasionSigned Binary
Proxy Execution
Account Manipulation System Service Discovery Standard Non-Application
Layer ProtocolAuthenticationPackage SID-History Injection File Deletion System Time Discovery
Signed Script
Proxy Execution
BITS Jobs Sudo File Permissions
Modification
Virtualization/Sandbox
Evasion
Uncommonly Used Port
Bootkit Sudo Caching Web Service
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default
File Association
Gatekeeper Bypass
Third-partySoftware Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component Object
Model Hijacking
Hidden Users
Windows Management
Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote
Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removal
from ToolsXSL Script Processing Hypervisor
Kernel Modules
and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network Share Connection
RemovalRc.common
Redundant Access NTFS File Attributes
Registry Run
Keys / Startup Folder
Obfuscated Files
or Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Shortcut Modification Redundant Access
SIP and Trust Provider
Hijacking
Regsvcs/Regasm
Regsvr32
Decide Where To Improve
Legend
High Confidence of Detection
Some Confidence of Detection
Low Confidence of Detection
© 2019 The MITRE Corporation. All rights reserved.
Prioritized Technique
Focus on Exploit Public-Facing Application and Data
Content Wipe as they can have significant impact to
operations
Command-Line Interface, Credential
Dumping, and Standard Application
Layer Protocol are popular techniques and
can give a big return on investment
Startup Items, InstallUtil, and System Time Discovery are used
by threat actors most relevant to your network
Existing logs can be used to detect Remote File Copy and
Data From Removable Media, making analytic development
easier
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
51. Be Intentional About Improvements
Think about the best way to mitigate each gap
– Maybe it’s a new detection or data source
– Maybe it’s a mitigation, new group policy, or new user training
– Maybe the gap shouldn’t be closed, and risk should be accepted
Validate any changes using adversary emulation
| 51 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
52. Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Drive-by Compromise Scheduled Task Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data Destruction
Exploit Public-Facing
Application
Launchctl Access Token Manipulation Account Manipulation Account Discovery ApplicationDeployment
Software
Automated Collection CommunicationThrough
Removable Media
Data Compressed Data Encrypted for Impact
Local Job Scheduling Bypass User Account Control Bash History ApplicationWindow
Discovery
Clipboard Data Data Encrypted Defacement
External Remote Services LSASS Driver Extra Window Memory Injection Brute Force Distributed Component
Object Model
Data from Information
Repositories
Connection Proxy Data Transfer Size Limits Disk Content Wipe
Hardware Additions Trap Process Injection Credential Dumping Browser Bookmark
Discovery
Custom Command and
Control Protocol
ExfiltrationOver Other
Network Medium
Disk StructureWipe
ReplicationThrough
Removable Media
AppleScript DLL Search Order Hijacking Credentials in Files Exploitationof
Remote Services
Data from Local System Endpoint Denial of Service
CMSTP Image File Execution Options Injection Credentials in Registry Domain Trust Discovery Data from Network
Shared Drive
Custom Cryptographic
Protocol
ExfiltrationOver Command
and Control Channel
Firmware Corruption
Spearphishing Attachment Command-LineInterface Plist Modification Exploitationfor
Credential Access
File and Directory Discovery Logon Scripts Inhibit System Recovery
Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data from Removable Media Data Encoding ExfiltrationOver Alternative
Protocol
Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking
Supply Chain Compromise Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote Desktop Protocol Email Collection Domain Fronting ExfiltrationOver
Physical Medium
Runtime Data Manipulation
Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral Device Discovery Remote File Copy Input Capture Domain Generation
Algorithms
Service Stop
Valid Accounts Execution through
Module Load
ApplicationShimming Code Signing Input Prompt Permission Groups Discovery Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation
Dylib Hijacking Compiled HTML File Kerberoasting Process Discovery ReplicationThrough
Removable Media
Screen Capture Fallback Channels Transmitted Data
ManipulationExploitationfor
Client Execution
File System Permissions Weakness Component Firmware Keychain Query Registry Video Capture Multiband Communication
Hooking Component Object Model
Hijacking
LLMNR/NBT-NS Poisoning
and Relay
Remote System Discovery Shared Webroot Multi-hopProxy
GraphicalUser Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer Encryption
InstallUtil New Service Control Panel Items Password Filter DLL System Information
Discovery
Taint Shared Content Multi-Stage Channels
Mshta Path Interception DCShadow Private Keys Third-partySoftware Port Knocking
PowerShell Port Monitors Deobfuscate/Decode Files
or Information
Securityd Memory System Network
Configuration Discovery
Windows Admin Shares Remote Access Tools
Regsvcs/Regasm Service Registry Permissions Weakness Two-Factor Authentication
Interception
Windows Remote
Management
Remote File Copy
Regsvr32 Setuid and Setgid Disabling Security Tools System Network
Connections Discovery
Standard ApplicationLayer
ProtocolRundll32 Startup Items DLL Side-Loading
Scripting Web Shell Execution Guardrails System Owner/User
Discovery
Standard Cryptographic
ProtocolService Execution .bash_profile and .bashrc Exploitationfor
PrivilegeEscalation
Exploitationfor
Defense EvasionSigned Binary
Proxy Execution
Account Manipulation System Service Discovery Standard Non-Application
Layer ProtocolAuthenticationPackage SID-History Injection File Deletion System Time Discovery
Signed Script
Proxy Execution
BITS Jobs Sudo File Permissions
Modification
Virtualization/Sandbox
Evasion
Uncommonly Used Port
Bootkit Sudo Caching Web Service
Source Browser Extensions File System Logical Offsets
Space after Filename Change Default
File Association
Gatekeeper Bypass
Third-partySoftware Group Policy Modification
Trusted Developer Utilities Component Firmware Hidden Files and Directories
User Execution Component Object
Model Hijacking
Hidden Users
Windows Management
Instrumentation
Hidden Window
Create Account HISTCONTROL
Windows Remote
Management
External Remote Services Indicator Blocking
Hidden Files and Directories Indicator Removal
from ToolsXSL Script Processing Hypervisor
Kernel Modules
and Extensions
Indicator Removal on Host
Indirect Command Execution
Launch Agent Install Root Certificate
LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl
Logon Scripts LC_MAIN Hijacking
Modify Existing Service Masquerading
Netsh Helper DLL Modify Registry
Office Application Startup Mshta
Port Knocking Network Share Connection
RemovalRc.common
Redundant Access NTFS File Attributes
Registry Run
Keys / Startup Folder
Obfuscated Files
or Information
Re-opened Applications Port Knocking
Screensaver Process Doppelgänging
Security Support Provider Process Hollowing
Shortcut Modification Redundant Access
SIP and Trust Provider
Hijacking
Regsvcs/Regasm
Regsvr32
Be Intentional About Improvements
Legend
High Confidence of Detection
Some Confidence of Detection
Low Confidence of Detection
© 2019 The MITRE Corporation. All rights reserved.
Prioritized Technique
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
We’ll tackle Spearphishing Attachment and
Spearphishing Link via new user training
Supply Chain Compromise and Component Firmware
are beyond our capability and resources to stop or detect,
so we’ll accept the risk
None of our existing tools have visibility into
Command-Line Interface so we’ll need to
obtain something new
53. Takeaways
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
| 53 |
Organize, compare, and communicate
your threat intelligence
Move your red team towards adversary
emulation and purple teaming
Orient your detections towards
behaviors and the top of the Pyramid
Assess your current stance and
engineer improvements
Can help you