Publicité
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf

Check these out next

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Katie Nickels
Certes webinar securing the frictionless enterprise
Certes webinar securing the frictionless enterprise
Jason Bloomberg
Product security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security Certs
LabSharegroup
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Christopher Korban
CyberSecurity Update Slides
CyberSecurity Update Slides
Jim Kaplan CIA CFE
MITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdf
ReZa AdineH
Cybersecurity Slides
Cybersecurity Slides
Jim Kaplan CIA CFE
1 sur 24

MITRE-Module 1 Slides.pdf

27 Mar 2023
Télécharger pour lire hors ligne
Présentations et discours publics

Introducing the Training and Understanding ATT&CK

ReZa AdineH
SOC & CSIRT Architect & Consultant | SIEM engineer | Threat Intelligence Expert | Author & Instructor à Freelancer
Publicité
Publicité
Publicité

Recommandé

Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Adam Pennington3K vues53 diapositives
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Robert Brandel27 vues15 diapositives
Emulating an Adversary with Imperfect IntelligenceEmulating an Adversary with Imperfect Intelligence
Emulating an Adversary with Imperfect IntelligenceAdam Pennington1.2K vues61 diapositives
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington3.7K vues54 diapositives
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKAdam Pennington499 vues32 diapositives
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington203 vues54 diapositives

Contenu connexe

Similaire à MITRE-Module 1 Slides.pdf(20)

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels6K vues
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Katie Nickels12.6K vues
Certes webinar securing the frictionless enterpriseCertes webinar securing the frictionless enterprise
Certes webinar securing the frictionless enterprise
Jason Bloomberg292 vues
Product security by Blockchain, AI and Security CertsProduct security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security Certs
LabSharegroup640 vues
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Christopher Korban1.2K vues
CyberSecurity Update SlidesCyberSecurity Update Slides
CyberSecurity Update Slides
Jim Kaplan CIA CFE286 vues
MITRE-Module 4 Slides.pdfMITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdf
ReZa AdineH9 vues
Cybersecurity SlidesCybersecurity Slides
Cybersecurity Slides
Jim Kaplan CIA CFE223 vues
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOps
IBM Security2K vues
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec554 vues
MITRE_ATTACK_Enterprise_11x17.pdfMITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdf
AisyiFree13 vues
Privacy preserving computing and secure multi-party computation ISACA AtlantaPrivacy preserving computing and secure multi-party computation ISACA Atlanta
Privacy preserving computing and secure multi-party computation ISACA Atlanta
Ulf Mattsson361 vues
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
lior mazor80 vues
Putting the PRE into ATTACKPutting the PRE into ATTACK
Putting the PRE into ATTACK
MITRE - ATT&CKcon386 vues
Cloud computing final showCloud computing final show
Cloud computing final show
ahmad abdelhafeez413 vues
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloud
Ulf Mattsson162 vues
CrowdSec - Smart Money Round deckCrowdSec - Smart Money Round deck
CrowdSec - Smart Money Round deck
CrowdSec63 vues
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?)
MITRE ATT&CK249 vues
Protecting data privacy in analytics and machine learning ISACA London UKProtecting data privacy in analytics and machine learning ISACA London UK
Protecting data privacy in analytics and machine learning ISACA London UK
Ulf Mattsson119 vues
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Cloud Security Alliance Lviv Chapter134 vues

Plus de ReZa AdineH(11)

MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdf
ReZa AdineH10 vues
MITRE-Module 5 Slides.pdfMITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdf
ReZa AdineH5 vues
MITRE-Module 3 Slides.pdfMITRE-Module 3 Slides.pdf
MITRE-Module 3 Slides.pdf
ReZa AdineH15 vues
SIEM POC Assessment.pdfSIEM POC Assessment.pdf
SIEM POC Assessment.pdf
ReZa AdineH57 vues
Cover of book Threat Intelligence for Threat Hunting;Written by Reza AdinehCover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
Cover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
ReZa AdineH232 vues
Next generation Security Operation Center; Written by Reza AdinehNext generation Security Operation Center; Written by Reza Adineh
Next generation Security Operation Center; Written by Reza Adineh
ReZa AdineH120 vues
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخدادReview on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
ReZa AdineH218 vues
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH341 vues
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
ReZa AdineH418 vues
Security monitoring log management-describe logstash,kibana,elastic slidshareSecurity monitoring log management-describe logstash,kibana,elastic slidshare
Security monitoring log management-describe logstash,kibana,elastic slidshare
ReZa AdineH633 vues
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH5.7K vues
Publicité

Dernier(20)

DIB-DIBATE-SCRIPT (1).pdfDIB-DIBATE-SCRIPT (1).pdf
DIB-DIBATE-SCRIPT (1).pdf
JohnChristianAgustin2 vues
Messages and Audience.pdfMessages and Audience.pdf
Messages and Audience.pdf
JohnChristianAgustin3 vues
professional-writing.pptxprofessional-writing.pptx
professional-writing.pptx
LilibethLalamoro1 vue
total_internal_reflectiontotal_internal_reflection
total_internal_reflection
SanchitTech1 vue
【本科生、研究生】美国印第安纳大学布鲁明顿分校毕业证文凭购买指南【本科生、研究生】美国印第安纳大学布鲁明顿分校毕业证文凭购买指南
【本科生、研究生】美国印第安纳大学布鲁明顿分校毕业证文凭购买指南
foxupud4 vues
BATAAN COVID'S VACCINATION PROGRAM.pdfBATAAN COVID'S VACCINATION PROGRAM.pdf
BATAAN COVID'S VACCINATION PROGRAM.pdf
JohnChristianAgustin4 vues
【本科生、研究生】美国天主教大学毕业证文凭购买指南【本科生、研究生】美国天主教大学毕业证文凭购买指南
【本科生、研究生】美国天主教大学毕业证文凭购买指南
foxupud3 vues
Destructive Political Polarisation in the Context of Digital Communication – ...Destructive Political Polarisation in the Context of Digital Communication – ...
Destructive Political Polarisation in the Context of Digital Communication – ...
KatharinaEsau14 vues
3-5ds_puppet_show_rubric_0.docx3-5ds_puppet_show_rubric_0.docx
3-5ds_puppet_show_rubric_0.docx
ZyraMilkyArauctoSiso1 vue
11.1_Katleen Bell-Bonjean.pdf11.1_Katleen Bell-Bonjean.pdf
11.1_Katleen Bell-Bonjean.pdf
Katleen Bell-Bonjean2 vues
IKWUEZE UCHENNA HUMPHREY.pptxIKWUEZE UCHENNA HUMPHREY.pptx
IKWUEZE UCHENNA HUMPHREY.pptx
UchennaIkwueze20 vue
ZXANGER MANAGEMENT.pptxZXANGER MANAGEMENT.pptx
ZXANGER MANAGEMENT.pptx
Anuoluwapo113 vues
System-Modelling-for-Requirements-Analysis-II-09052023-072823am.pptxSystem-Modelling-for-Requirements-Analysis-II-09052023-072823am.pptx
System-Modelling-for-Requirements-Analysis-II-09052023-072823am.pptx
YasirShaikh341 vue
Guided Film Analysis.pdfGuided Film Analysis.pdf
Guided Film Analysis.pdf
JohnChristianAgustin2 vues
The Cornerstone of Media - ABS CBN Reporter (Jervis Manahan).pdfThe Cornerstone of Media - ABS CBN Reporter (Jervis Manahan).pdf
The Cornerstone of Media - ABS CBN Reporter (Jervis Manahan).pdf
JohnChristianAgustin2 vues
【本科生、研究生】德国开姆尼茨工业大学毕业证文凭购买指南【本科生、研究生】德国开姆尼茨工业大学毕业证文凭购买指南
【本科生、研究生】德国开姆尼茨工业大学毕业证文凭购买指南
foxupud3 vues
Logistics - Marine and Airlien Traffic.pptxLogistics - Marine and Airlien Traffic.pptx
Logistics - Marine and Airlien Traffic.pptx
DiuLin42 vues
Introduction to Film.pdfIntroduction to Film.pdf
Introduction to Film.pdf
JohnChristianAgustin2 vues
Study Designs in Epidemiology-Ahmed Mandil-2.pptStudy Designs in Epidemiology-Ahmed Mandil-2.ppt
Study Designs in Epidemiology-Ahmed Mandil-2.ppt
LawalBelloDanchadi1 vue
Reflective Essay.pdfReflective Essay.pdf
Reflective Essay.pdf
JohnChristianAgustin3 vues

MITRE-Module 1 Slides.pdf

  1. Module 1: Introducing the Training and Understanding ATT&CK ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  2. Using MITRE ATT&CK™ for Cyber Threat Intelligence Training Katie Nickels and Adam Pennington ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  3. Training Overview ▪ Five modules consisting of YouTube videos and exercises are available at attack.mitre.org/training/cti ▪ Module 1: Introducing training and understanding ATT&CK A. Topic introduction (Video) ▪ Module 2: Mapping to ATT&CK from finished reporting A. Topic introduction (Video) B. Exercise 2: Mapping to ATT&CK from finished reporting (Do it yourself with materials on attack.mitre.org/training/cti) C. Going over Exercise 2 (Video) ▪ Module 3: Mapping to ATT&CK from raw data A. Topic introduction (Video) B. Exercise 3: Mapping to ATT&CK from raw data (Do it yourself with materials on attack.mitre.org/training/cti) C. Going over Exercise 3 (Video) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  4. Training Overview ▪ Module 4: Storing and analyzing ATT&CK-mapped intel A. Topic introduction (Video) B. Exercise 4: Comparing layers in ATT&CK Navigator (Do it yourself with materials on attack.mitre.org/training/cti) C. Going over Exercise 4 (Video) ▪ Module 5: Making ATT&CK-mapped data actionable with defensive recommendations A. Topic introduction (Video) B. Exercise 5: Making defensive recommendations (Do it yourself with materials on attack.mitre.org/training/cti) C. Going over Exercise 5 and wrap-up (Video) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  5. Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
  6. Introduction to ATT&CK and Applying it to CTI ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  7. Tough Questions for Defenders ▪ How effective are my defenses? ▪ Do I have a chance at detecting APT29? ▪ Is the data I’m collecting useful? ▪ Do I have overlapping tool coverage? ▪ Will this new product help my organization’s defenses? | 8 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  8. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15. | 9 | What is ? A knowledge base of adversary behavior ➢ Based on real-world observations ➢ Free, open, and globally accessible ➢ A common language ➢ Community-driven
  9. The Difficult Task of Detecting TTPs Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html David Bianco’s Pyramid of Pain ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10. TTPs Tools Network/ Host Artifacts Domain Names IP Addresses Hash Values •Tough! •Challenging •Annoying •Simple •Easy •Trivial
  10. Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Command and Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multiband Communication Multi-hop Proxy Multilayer Encryption Multi-Stage Channels Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Other Network Medium Exfiltration Over Command and Control Channel Exfiltration Over Alternative Protocol Exfiltration Over Physical Medium Scheduled Transfer Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Credential Access Discovery Network Sniffing Account Manipulation Account Discovery Bash History Application Window Discovery Brute Force Credential Dumping Browser Bookmark Discovery Credentials in Files Credentials in Registry Domain Trust Discovery Exploitation for Credential Access File and Directory Discovery Network Service Scanning Forced Authentication Network Share Discovery Hooking Password Policy Discovery Input Capture Peripheral Device Discovery Input Prompt Permission Groups Discovery Kerberoasting Process Discovery Keychain Query Registry LLMNR/NBT-NS Poisoning and Relay Remote System Discovery Security Software Discovery Password Filter DLL System Information Discovery Private Keys Securityd Memory System Network Configuration Discovery Two-Factor Authentication Interception System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Execution Persistence Privilege Escalation Defense Evasion Scheduled Task Binary Padding Launchctl Access Token Manipulation Local Job Scheduling Bypass User Account Control LSASS Driver Extra Window Memory Injection Trap Process Injection AppleScript DLL Search Order Hijacking CMSTP Image File Execution Options Injection Command-Line Interface Plist Modification Compiled HTML File Valid Accounts Control Panel Items Accessibility Features BITS Jobs Dynamic Data Exchange AppCert DLLs Clear Command History Execution through API AppInit DLLs CMSTP Execution through Module Load Application Shimming Code Signing Dylib Hijacking Compiled HTML File Exploitation for Client Execution File System Permissions Weakness Component Firmware Hooking Component Object Model Hijacking Graphical User Interface Launch Daemon InstallUtil New Service Control Panel Items Mshta Path Interception DCShadow PowerShell Port Monitors Deobfuscate/Decode Files or Information Regsvcs/Regasm Service Registry Permissions Weakness Regsvr32 Setuid and Setgid Disabling Security Tools Rundll32 Startup Items DLL Side-Loading Scripting Web Shell Execution Guardrails Service Execution .bash_profile and .bashrc Exploitation for Privilege Escalation Exploitation for Defense Evasion Signed Binary Proxy Execution Account Manipulation Authentication Package SID-History Injection File Deletion Signed Script Proxy Execution BITS Jobs Sudo File Permissions Modification Bootkit Sudo Caching Source Browser Extensions File System Logical Offsets Space after Filename Change Default File Association Gatekeeper Bypass Third-party Software Group Policy Modification Trusted Developer Utilities Component Firmware Hidden Files and Directories User Execution Component Object Model Hijacking Hidden Users Windows Management Instrumentation Hidden Window Create Account HISTCONTROL Windows Remote Management External Remote Services Indicator Blocking Hidden Files and Directories Indicator Removal from Tools XSL Script Processing Hypervisor Kernel Modules and Extensions Indicator Removal on Host Indirect Command Execution Launch Agent Install Root Certificate LC_LOAD_DYLIB Addition InstallUtil Login Item Launchctl Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Breaking Down ATT&CK Tactics: the adversary’s technical goals Techniques: how the goals are achieved Procedures: Specific technique implementation ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  11. Technique: Spearphishing Attachment ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  12. Technique: Spearphishing Attachment ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  13. Technique: Spearphishing Attachment ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  14. Technique: Spearphishing Attachment ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  15. Group: APT29 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  16. Group: APT29 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  17. Group: APT29 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  18. ATT&CK Use Cases Threat Intelligence processes = search Process:Create reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe") cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"") reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname) output reg_and_cmd Detection Adversary Emulation Assessment and Engineering ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15. Use ATT&CK for Adversary Emulation and Red Teaming The best defense is a well-tested defense. ATT&CK provides a common adversary behavior framework based on threat intelligence that red teams can use to emulate specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and processes—and then fix them. Legend Low Priority High Priority Finding Gaps in Defense Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions W eakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Of fsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Network Share Discovery Network Snif fing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multiband Communication Multi-hop Proxy Multilayer Encryption Multi-Stage Channels Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Other Network Medium Exfiltration Over Command and Control Channel Exfiltration Over Alternative Protocol Exfiltration Over Physical Medium Scheduled Transfer Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trusted Developer Utilities DLL Search Order Hijacking Image File Execution Options Injection Plist Modification Valid Accounts Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Dylib Hijacking File System Permissions Weakness Hooking Launch Daemon New Service Path Interception Port Monitors Service Registry Permissions Weakness Setuid and Setgid Startup Items Web Shell .bash_profile and .bashrc Account Manipulation Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware BITS Jobs Clear Command History CMSTP Code Signing Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion File Deletion File Permissions Modification File System Logical Offsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Exploitation for Privilege Escalation SID-History Injection Sudo Sudo Caching Scheduled Task Binary Padding Network Sniffing Launchctl Local Job Scheduling LSASS Driver Trap Access Token Manipulation Bypass User Account Control Extra Window Memory Injection Process Injection Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT-NS Poisoning and Relay Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Discovery Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Use ATT&CK for Cyber Threat Intelligence Cyber threat intelligence comes from many sources, including knowledge of past incidents, commercial threat feeds, information-sharing groups, government threat-sharing programs, and more. ATT&CK gives analysts a common language to communicate across reports and organizations, providing a way to structure, compare, and analyze threat intelligence. Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats. Get Started with ATT&CK Legend APT28 APT29 Both Comparing APT28 to APT29 analytics. Check out our w ebsite at attack.mitre.org for more information on how each technique can be det ected, and adversary examples you can use to start detecting adversary behavior with ATT&CK. You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit.ly/ATT learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK conten Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Persistence .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions W eakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Of fsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Snif fing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Persistence .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Snif fing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation ob sta Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats. Legend APT28 APT29 Both Legend Low Priority High Priority Comparing APT28 to APT29 Finding Gaps in Defense Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions W eakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Of fsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Snif fing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Persistence .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions W eakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Of fsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Snif fing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation m a l w a r e r e v e n e t work device logs network intrusion detection system ssl/tls inspection system calls w i n d o w s e v e n t l o g s ocol compromise point denial of service network denial of service obfuscated files or information remote access tools spearphishing attachment standard non-application layer protocol template injection domain fronting drive-by compromise endpoint denial of service install root certificate obfuscated files or information spearphishing link spearphishing via service standard cryptographic protocol web service applescript application shimming browser extensions bypass user account control exploitation for client execution hypervisor kernel modules and extensions keychain rootkit account manipulation bits jobs cm stp em s
  19. ATT&CK and CTI ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  20. Threat Intelligence – How ATT&CK Can Help ▪ Use knowledge of adversary behaviors to inform defenders ▪ Structuring threat intelligence with ATT&CK allows us to… – Compare behaviors ▪ Groups to each other ▪ Groups over time ▪ Groups to defenses – Communicate in a common language | 21 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  21. Communicate to Defenders CTI Analyst Defender Registry Run Keys / Startup Folder (T1060) THIS is what the adversary is doing! The Run key is AdobeUpdater. Oh, we have Registry data, we can detect that! ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  22. Communicate Across the Community ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15. CTI Consumer Registry Run Keys / Startup Folder (T1060) Oh, you mean T1060! APT1337 is using autorun FUZZYDUCK used a Run key Company A Company B
  23. Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
  24. End of Module 1 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Publicité