SlideShare a Scribd company logo

MITRE-Module 1 Slides.pdf

ReZa AdineH
ReZa AdineH

This document provides an overview of a training on using MITRE ATT&CK for cyber threat intelligence. It outlines five training modules that are available online and describe what is covered in each module, including introductory videos and exercises. Module 1 focuses on introducing ATT&CK and understanding how it can be applied to cyber threat intelligence.

Related slideshows

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
Certes webinar securing the frictionless enterprise
Certes webinar securing the frictionless enterpriseCertes webinar securing the frictionless enterprise
Certes webinar securing the frictionless enterprise
 
1 of 24
Download to read offline
Module 1: Introducing the Training and Understanding ATT&CK ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Using MITRE ATT&CK™ for Cyber Threat Intelligence Training Katie Nickels and Adam Pennington ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Training Overview ▪ Five modules consisting of YouTube videos and exercises are available at attack.mitre.org/training/cti ▪ Module 1: Introducing training and understanding ATT&CK A. Topic introduction (Video) ▪ Module 2: Mapping to ATT&CK from finished reporting A. Topic introduction (Video) B. Exercise 2: Mapping to ATT&CK from finished reporting (Do it yourself with materials on attack.mitre.org/training/cti) C. Going over Exercise 2 (Video) ▪ Module 3: Mapping to ATT&CK from raw data A. Topic introduction (Video) B. Exercise 3: Mapping to ATT&CK from raw data (Do it yourself with materials on attack.mitre.org/training/cti) C. Going over Exercise 3 (Video) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Training Overview ▪ Module 4: Storing and analyzing ATT&CK-mapped intel A. Topic introduction (Video) B. Exercise 4: Comparing layers in ATT&CK Navigator (Do it yourself with materials on attack.mitre.org/training/cti) C. Going over Exercise 4 (Video) ▪ Module 5: Making ATT&CK-mapped data actionable with defensive recommendations A. Topic introduction (Video) B. Exercise 5: Making defensive recommendations (Do it yourself with materials on attack.mitre.org/training/cti) C. Going over Exercise 5 and wrap-up (Video) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
Introduction to ATT&CK and Applying it to CTI ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Tough Questions for Defenders ▪ How effective are my defenses? ▪ Do I have a chance at detecting APT29? ▪ Is the data I’m collecting useful? ▪ Do I have overlapping tool coverage? ▪ Will this new product help my organization’s defenses? | 8 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15. | 9 | What is ? A knowledge base of adversary behavior ➢ Based on real-world observations ➢ Free, open, and globally accessible ➢ A common language ➢ Community-driven
The Difficult Task of Detecting TTPs Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html David Bianco’s Pyramid of Pain ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10. TTPs Tools Network/ Host Artifacts Domain Names IP Addresses Hash Values •Tough! •Challenging •Annoying •Simple •Easy •Trivial
Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Command and Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multiband Communication Multi-hop Proxy Multilayer Encryption Multi-Stage Channels Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Other Network Medium Exfiltration Over Command and Control Channel Exfiltration Over Alternative Protocol Exfiltration Over Physical Medium Scheduled Transfer Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Credential Access Discovery Network Sniffing Account Manipulation Account Discovery Bash History Application Window Discovery Brute Force Credential Dumping Browser Bookmark Discovery Credentials in Files Credentials in Registry Domain Trust Discovery Exploitation for Credential Access File and Directory Discovery Network Service Scanning Forced Authentication Network Share Discovery Hooking Password Policy Discovery Input Capture Peripheral Device Discovery Input Prompt Permission Groups Discovery Kerberoasting Process Discovery Keychain Query Registry LLMNR/NBT-NS Poisoning and Relay Remote System Discovery Security Software Discovery Password Filter DLL System Information Discovery Private Keys Securityd Memory System Network Configuration Discovery Two-Factor Authentication Interception System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Execution Persistence Privilege Escalation Defense Evasion Scheduled Task Binary Padding Launchctl Access Token Manipulation Local Job Scheduling Bypass User Account Control LSASS Driver Extra Window Memory Injection Trap Process Injection AppleScript DLL Search Order Hijacking CMSTP Image File Execution Options Injection Command-Line Interface Plist Modification Compiled HTML File Valid Accounts Control Panel Items Accessibility Features BITS Jobs Dynamic Data Exchange AppCert DLLs Clear Command History Execution through API AppInit DLLs CMSTP Execution through Module Load Application Shimming Code Signing Dylib Hijacking Compiled HTML File Exploitation for Client Execution File System Permissions Weakness Component Firmware Hooking Component Object Model Hijacking Graphical User Interface Launch Daemon InstallUtil New Service Control Panel Items Mshta Path Interception DCShadow PowerShell Port Monitors Deobfuscate/Decode Files or Information Regsvcs/Regasm Service Registry Permissions Weakness Regsvr32 Setuid and Setgid Disabling Security Tools Rundll32 Startup Items DLL Side-Loading Scripting Web Shell Execution Guardrails Service Execution .bash_profile and .bashrc Exploitation for Privilege Escalation Exploitation for Defense Evasion Signed Binary Proxy Execution Account Manipulation Authentication Package SID-History Injection File Deletion Signed Script Proxy Execution BITS Jobs Sudo File Permissions Modification Bootkit Sudo Caching Source Browser Extensions File System Logical Offsets Space after Filename Change Default File Association Gatekeeper Bypass Third-party Software Group Policy Modification Trusted Developer Utilities Component Firmware Hidden Files and Directories User Execution Component Object Model Hijacking Hidden Users Windows Management Instrumentation Hidden Window Create Account HISTCONTROL Windows Remote Management External Remote Services Indicator Blocking Hidden Files and Directories Indicator Removal from Tools XSL Script Processing Hypervisor Kernel Modules and Extensions Indicator Removal on Host Indirect Command Execution Launch Agent Install Root Certificate LC_LOAD_DYLIB Addition InstallUtil Login Item Launchctl Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Breaking Down ATT&CK Tactics: the adversary’s technical goals Techniques: how the goals are achieved Procedures: Specific technique implementation ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Technique: Spearphishing Attachment ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Technique: Spearphishing Attachment ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Technique: Spearphishing Attachment ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Technique: Spearphishing Attachment ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Group: APT29 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Group: APT29 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Group: APT29 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
ATT&CK Use Cases Threat Intelligence processes = search Process:Create reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe") cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"") reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname) output reg_and_cmd Detection Adversary Emulation Assessment and Engineering ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15. Use ATT&CK for Adversary Emulation and Red Teaming The best defense is a well-tested defense. ATT&CK provides a common adversary behavior framework based on threat intelligence that red teams can use to emulate specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and processes—and then fix them. Legend Low Priority High Priority Finding Gaps in Defense Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions W eakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Of fsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Network Share Discovery Network Snif fing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multiband Communication Multi-hop Proxy Multilayer Encryption Multi-Stage Channels Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Other Network Medium Exfiltration Over Command and Control Channel Exfiltration Over Alternative Protocol Exfiltration Over Physical Medium Scheduled Transfer Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trusted Developer Utilities DLL Search Order Hijacking Image File Execution Options Injection Plist Modification Valid Accounts Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Dylib Hijacking File System Permissions Weakness Hooking Launch Daemon New Service Path Interception Port Monitors Service Registry Permissions Weakness Setuid and Setgid Startup Items Web Shell .bash_profile and .bashrc Account Manipulation Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware BITS Jobs Clear Command History CMSTP Code Signing Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion File Deletion File Permissions Modification File System Logical Offsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Exploitation for Privilege Escalation SID-History Injection Sudo Sudo Caching Scheduled Task Binary Padding Network Sniffing Launchctl Local Job Scheduling LSASS Driver Trap Access Token Manipulation Bypass User Account Control Extra Window Memory Injection Process Injection Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT-NS Poisoning and Relay Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Discovery Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Use ATT&CK for Cyber Threat Intelligence Cyber threat intelligence comes from many sources, including knowledge of past incidents, commercial threat feeds, information-sharing groups, government threat-sharing programs, and more. ATT&CK gives analysts a common language to communicate across reports and organizations, providing a way to structure, compare, and analyze threat intelligence. Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats. Get Started with ATT&CK Legend APT28 APT29 Both Comparing APT28 to APT29 analytics. Check out our w ebsite at attack.mitre.org for more information on how each technique can be det ected, and adversary examples you can use to start detecting adversary behavior with ATT&CK. You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit.ly/ATT learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK conten Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Persistence .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions W eakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Of fsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Snif fing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Persistence .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Snif fing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation ob sta Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats. Legend APT28 APT29 Both Legend Low Priority High Priority Comparing APT28 to APT29 Finding Gaps in Defense Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions W eakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Of fsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Snif fing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Persistence .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions W eakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Of fsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Snif fing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation m a l w a r e r e v e n e t work device logs network intrusion detection system ssl/tls inspection system calls w i n d o w s e v e n t l o g s ocol compromise point denial of service network denial of service obfuscated files or information remote access tools spearphishing attachment standard non-application layer protocol template injection domain fronting drive-by compromise endpoint denial of service install root certificate obfuscated files or information spearphishing link spearphishing via service standard cryptographic protocol web service applescript application shimming browser extensions bypass user account control exploitation for client execution hypervisor kernel modules and extensions keychain rootkit account manipulation bits jobs cm stp em s
ATT&CK and CTI ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Threat Intelligence – How ATT&CK Can Help ▪ Use knowledge of adversary behaviors to inform defenders ▪ Structuring threat intelligence with ATT&CK allows us to… – Compare behaviors ▪ Groups to each other ▪ Groups over time ▪ Groups to defenses – Communicate in a common language | 21 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Communicate to Defenders CTI Analyst Defender Registry Run Keys / Startup Folder (T1060) THIS is what the adversary is doing! The Run key is AdobeUpdater. Oh, we have Registry data, we can detect that! ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
Communicate Across the Community ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15. CTI Consumer Registry Run Keys / Startup Folder (T1060) Oh, you mean T1060! APT1337 is using autorun FUZZYDUCK used a Run key Company A Company B
Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
End of Module 1 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.

More Related Content

MITRE-Module 1 Slides.pdf

  • 1. Module 1: Introducing the Training and Understanding ATT&CK ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 2. Using MITRE ATT&CK™ for Cyber Threat Intelligence Training Katie Nickels and Adam Pennington ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 3. Training Overview ▪ Five modules consisting of YouTube videos and exercises are available at attack.mitre.org/training/cti ▪ Module 1: Introducing training and understanding ATT&CK A. Topic introduction (Video) ▪ Module 2: Mapping to ATT&CK from finished reporting A. Topic introduction (Video) B. Exercise 2: Mapping to ATT&CK from finished reporting (Do it yourself with materials on attack.mitre.org/training/cti) C. Going over Exercise 2 (Video) ▪ Module 3: Mapping to ATT&CK from raw data A. Topic introduction (Video) B. Exercise 3: Mapping to ATT&CK from raw data (Do it yourself with materials on attack.mitre.org/training/cti) C. Going over Exercise 3 (Video) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 4. Training Overview ▪ Module 4: Storing and analyzing ATT&CK-mapped intel A. Topic introduction (Video) B. Exercise 4: Comparing layers in ATT&CK Navigator (Do it yourself with materials on attack.mitre.org/training/cti) C. Going over Exercise 4 (Video) ▪ Module 5: Making ATT&CK-mapped data actionable with defensive recommendations A. Topic introduction (Video) B. Exercise 5: Making defensive recommendations (Do it yourself with materials on attack.mitre.org/training/cti) C. Going over Exercise 5 and wrap-up (Video) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 5. Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
  • 6. Introduction to ATT&CK and Applying it to CTI ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 7. Tough Questions for Defenders ▪ How effective are my defenses? ▪ Do I have a chance at detecting APT29? ▪ Is the data I’m collecting useful? ▪ Do I have overlapping tool coverage? ▪ Will this new product help my organization’s defenses? | 8 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  • 8. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15. | 9 | What is ? A knowledge base of adversary behavior ➢ Based on real-world observations ➢ Free, open, and globally accessible ➢ A common language ➢ Community-driven
  • 9. The Difficult Task of Detecting TTPs Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html David Bianco’s Pyramid of Pain ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-10. TTPs Tools Network/ Host Artifacts Domain Names IP Addresses Hash Values •Tough! •Challenging •Annoying •Simple •Easy •Trivial
  • 10. Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Command and Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multiband Communication Multi-hop Proxy Multilayer Encryption Multi-Stage Channels Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Other Network Medium Exfiltration Over Command and Control Channel Exfiltration Over Alternative Protocol Exfiltration Over Physical Medium Scheduled Transfer Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Credential Access Discovery Network Sniffing Account Manipulation Account Discovery Bash History Application Window Discovery Brute Force Credential Dumping Browser Bookmark Discovery Credentials in Files Credentials in Registry Domain Trust Discovery Exploitation for Credential Access File and Directory Discovery Network Service Scanning Forced Authentication Network Share Discovery Hooking Password Policy Discovery Input Capture Peripheral Device Discovery Input Prompt Permission Groups Discovery Kerberoasting Process Discovery Keychain Query Registry LLMNR/NBT-NS Poisoning and Relay Remote System Discovery Security Software Discovery Password Filter DLL System Information Discovery Private Keys Securityd Memory System Network Configuration Discovery Two-Factor Authentication Interception System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Execution Persistence Privilege Escalation Defense Evasion Scheduled Task Binary Padding Launchctl Access Token Manipulation Local Job Scheduling Bypass User Account Control LSASS Driver Extra Window Memory Injection Trap Process Injection AppleScript DLL Search Order Hijacking CMSTP Image File Execution Options Injection Command-Line Interface Plist Modification Compiled HTML File Valid Accounts Control Panel Items Accessibility Features BITS Jobs Dynamic Data Exchange AppCert DLLs Clear Command History Execution through API AppInit DLLs CMSTP Execution through Module Load Application Shimming Code Signing Dylib Hijacking Compiled HTML File Exploitation for Client Execution File System Permissions Weakness Component Firmware Hooking Component Object Model Hijacking Graphical User Interface Launch Daemon InstallUtil New Service Control Panel Items Mshta Path Interception DCShadow PowerShell Port Monitors Deobfuscate/Decode Files or Information Regsvcs/Regasm Service Registry Permissions Weakness Regsvr32 Setuid and Setgid Disabling Security Tools Rundll32 Startup Items DLL Side-Loading Scripting Web Shell Execution Guardrails Service Execution .bash_profile and .bashrc Exploitation for Privilege Escalation Exploitation for Defense Evasion Signed Binary Proxy Execution Account Manipulation Authentication Package SID-History Injection File Deletion Signed Script Proxy Execution BITS Jobs Sudo File Permissions Modification Bootkit Sudo Caching Source Browser Extensions File System Logical Offsets Space after Filename Change Default File Association Gatekeeper Bypass Third-party Software Group Policy Modification Trusted Developer Utilities Component Firmware Hidden Files and Directories User Execution Component Object Model Hijacking Hidden Users Windows Management Instrumentation Hidden Window Create Account HISTCONTROL Windows Remote Management External Remote Services Indicator Blocking Hidden Files and Directories Indicator Removal from Tools XSL Script Processing Hypervisor Kernel Modules and Extensions Indicator Removal on Host Indirect Command Execution Launch Agent Install Root Certificate LC_LOAD_DYLIB Addition InstallUtil Login Item Launchctl Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Breaking Down ATT&CK Tactics: the adversary’s technical goals Techniques: how the goals are achieved Procedures: Specific technique implementation ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  • 11. Technique: Spearphishing Attachment ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  • 12. Technique: Spearphishing Attachment ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  • 13. Technique: Spearphishing Attachment ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  • 14. Technique: Spearphishing Attachment ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  • 15. Group: APT29 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  • 16. Group: APT29 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  • 17. Group: APT29 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  • 18. ATT&CK Use Cases Threat Intelligence processes = search Process:Create reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe") cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"") reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname) output reg_and_cmd Detection Adversary Emulation Assessment and Engineering ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15. Use ATT&CK for Adversary Emulation and Red Teaming The best defense is a well-tested defense. ATT&CK provides a common adversary behavior framework based on threat intelligence that red teams can use to emulate specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and processes—and then fix them. Legend Low Priority High Priority Finding Gaps in Defense Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions W eakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Of fsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Network Share Discovery Network Snif fing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multiband Communication Multi-hop Proxy Multilayer Encryption Multi-Stage Channels Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Other Network Medium Exfiltration Over Command and Control Channel Exfiltration Over Alternative Protocol Exfiltration Over Physical Medium Scheduled Transfer Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trusted Developer Utilities DLL Search Order Hijacking Image File Execution Options Injection Plist Modification Valid Accounts Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Dylib Hijacking File System Permissions Weakness Hooking Launch Daemon New Service Path Interception Port Monitors Service Registry Permissions Weakness Setuid and Setgid Startup Items Web Shell .bash_profile and .bashrc Account Manipulation Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware BITS Jobs Clear Command History CMSTP Code Signing Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion File Deletion File Permissions Modification File System Logical Offsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Exploitation for Privilege Escalation SID-History Injection Sudo Sudo Caching Scheduled Task Binary Padding Network Sniffing Launchctl Local Job Scheduling LSASS Driver Trap Access Token Manipulation Bypass User Account Control Extra Window Memory Injection Process Injection Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT-NS Poisoning and Relay Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Discovery Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Use ATT&CK for Cyber Threat Intelligence Cyber threat intelligence comes from many sources, including knowledge of past incidents, commercial threat feeds, information-sharing groups, government threat-sharing programs, and more. ATT&CK gives analysts a common language to communicate across reports and organizations, providing a way to structure, compare, and analyze threat intelligence. Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats. Get Started with ATT&CK Legend APT28 APT29 Both Comparing APT28 to APT29 analytics. Check out our w ebsite at attack.mitre.org for more information on how each technique can be det ected, and adversary examples you can use to start detecting adversary behavior with ATT&CK. You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit.ly/ATT learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK conten Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Persistence .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions W eakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Of fsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Snif fing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Persistence .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Snif fing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation ob sta Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats. Legend APT28 APT29 Both Legend Low Priority High Priority Comparing APT28 to APT29 Finding Gaps in Defense Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions W eakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Of fsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Snif fing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation Initial Access Drive-by Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script Processing Persistence .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions W eakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service Registry Permissions Weakness Setuid and Setgid Privilege Escalation Access Token Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion File Permissions Modification File System Logical Of fsets Gatekeeper Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL Private Keys Securityd Memory Two-Factor Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Snif fing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Lateral Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command And Control Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation m a l w a r e r e v e n e t work device logs network intrusion detection system ssl/tls inspection system calls w i n d o w s e v e n t l o g s ocol compromise point denial of service network denial of service obfuscated files or information remote access tools spearphishing attachment standard non-application layer protocol template injection domain fronting drive-by compromise endpoint denial of service install root certificate obfuscated files or information spearphishing link spearphishing via service standard cryptographic protocol web service applescript application shimming browser extensions bypass user account control exploitation for client execution hypervisor kernel modules and extensions keychain rootkit account manipulation bits jobs cm stp em s
  • 19. ATT&CK and CTI ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 20. Threat Intelligence – How ATT&CK Can Help ▪ Use knowledge of adversary behaviors to inform defenders ▪ Structuring threat intelligence with ATT&CK allows us to… – Compare behaviors ▪ Groups to each other ▪ Groups over time ▪ Groups to defenses – Communicate in a common language | 21 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 21. Communicate to Defenders CTI Analyst Defender Registry Run Keys / Startup Folder (T1060) THIS is what the adversary is doing! The Run key is AdobeUpdater. Oh, we have Registry data, we can detect that! ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15.
  • 22. Communicate Across the Community ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-15. CTI Consumer Registry Run Keys / Startup Folder (T1060) Oh, you mean T1060! APT1337 is using autorun FUZZYDUCK used a Run key Company A Company B
  • 23. Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
  • 24. End of Module 1 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.