Key Highlights:
• MITRE ATT&CK Framework: This framework outlines tactics (why an action is done) and techniques (how an action is executed), helping defenders understand adversarial behavior. Sub-techniques further specify behaviors, and procedures explain the implementation of these actions. This structure offers insight into how adversaries operate and informs defensive measures.
• Practical Applications: By studying frameworks like MITRE ATT&CK, you can understand the known tactics of groups like APT3 and anticipate new threat actor behaviors. For example, knowing that adversaries rely on execution techniques such as Command and Scripting Interpreter (T1059) lets defenders mitigate malicious script execution through scripting interpreter controls or access restrictions.
• Active Scanning: Technique T1595 (Active Scanning) presents challenges for defenders because it involves scanning public-facing systems outside the organization’s defenses. This resembles normal traffic, making detection harder, especially without external monitoring tools.
• Typosquatting and Homoglyph Attacks: Sub-technique T1583.001 highlights how attackers use typo domains and internationalized domains (IDNs) for phishing or malware distribution. These attacks trick users into interacting with seemingly legitimate sites.
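As an added, defender-side illustration of the T1583.001 point above (this is example code, not part of the original page): a small Python checker that decodes punycode (IDN) labels, flags labels that mix Unicode scripts, and folds a constructed subset of confusable characters so look-alikes and near-miss typo domains of a constructed watchlist stand out. The watchlist, the confusable subset, the lack of a public-suffix list and the edit-distance threshold are all assumptions.

```python
import unicodedata

# Constructed watchlist of domains a defender wants to protect (placeholder values).
PROTECTED = ["paypal.com", "example.com"]

# Constructed subset of confusable characters (Cyrillic, Greek, digits) that render
# like Latin letters. Illustrative only; the Unicode confusables table is far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o", "\u0131": "i", "0": "o", "1": "l",
}


def decode_idn(hostname: str) -> str:
    """Decode punycode labels (xn--...) back to Unicode so look-alike letters are visible."""
    labels = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # keep an undecodable label as-is; the checks below still run on it
        labels.append(label)
    return ".".join(labels)


def scripts(label: str) -> set:
    """Unicode scripts (LATIN, CYRILLIC, GREEK, ...) of the letters in a label."""
    return {unicodedata.name(c, "UNKNOWN").split(" ")[0] for c in label if c.isalpha()}


def skeleton(text: str) -> str:
    """Fold confusable characters to their Latin look-alikes before comparing."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", text))


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch plain typo domains (a doubled or dropped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(hostname: str) -> str:
    """Label left of the TLD. Assumption: no public-suffix list, so 'x.co.uk' is not handled."""
    parts = hostname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def assess(hostname: str, protected=PROTECTED, max_typo_distance: int = 2) -> dict:
    """Flag mixed-script labels, homoglyph look-alikes and near-miss typo domains."""
    host = decode_idn(hostname)
    label = registrable(host)
    result = {"decoded": host, "mixed_script": len(scripts(label)) > 1,
              "homoglyph_of": None, "typosquat_of": None}
    if host in protected:
        return result  # the protected domain itself; nothing to flag
    for good in protected:
        if skeleton(host) == skeleton(good):
            result["homoglyph_of"] = good  # identical once confusables are folded
        elif 0 < levenshtein(skeleton(label), skeleton(registrable(good))) <= max_typo_distance:
            result["typosquat_of"] = good  # close but not identical: likely a typo domain
    return result
```

Feeding newly observed domains from DNS or proxy logs through assess() gives a cheap first-pass triage; hits still need a human look, since legitimate brands also register IDN variants.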
Here’s an overview of the techniques from the MITRE ATT&CK framework, categorized by tactics. This is a summarized version to give you an idea of the most relevant techniques used by adversaries, organized by their tactical goal.
1. Initial Access (TA0001)
Initial Access techniques represent the vectors adversaries use to gain an initial foothold within a network.
• Phishing (T1566)
• Drive-by Compromise (T1189)
• Exploitation for Client Execution (T1203)
• Trusted Relationship (T1199)
• External Remote Services (T1133)
• Valid Accounts (T1078)
2. Execution (TA0002)
Execution techniques represent ways attackers run malicious code within the environment.
• Command and Scripting Interpreter (T1059)
• PowerShell (T1059.001)
• Windows Command Shell (T1059.003)
• AppleScript (T1059.002)
• User Execution (T1204)
• Scheduled Task/Job (T1053)
• Exploit Public-Facing Application (T1190)
3. Persistence (TA0003)
Persistence techniques ensure adversaries maintain their foothold in a network.
• Account Manipulation (T1098)
• Create Account (T1136)
• Boot or Logon Autostart Execution (T1547)
• Scheduled Task/Job (T1053)
• DLL Search Order Hijacking (T1038)
4. Privilege Escalation (TA0004)
Privilege escalation techniques allow attackers to gain higher-level permissions.
• Exploitation for Privilege Escalation (T1068)
• Process Injection (T1055)
• Sudo and Sudo Caching (T1548.003)
• Valid Accounts (T1078)
5. Defense Evasion (TA0005)
These techniques allow adversaries to avoid detection and hide their activities.
• Obfuscated Files or Information (T1027)
• Indicator Removal on Host (T1070)
• Disable Security Tools (T1562)
• Process Hollowing (T1055.012)
• Timestomp (T1070.006)
6. Credential Access (TA0006)
Credential access techniques result in stolen account names and passwords.
• Credential Dumping (T1003)
• LSASS Memory (T1003.001)
• NTDS (T1003.003)
• Brute Force (T1110)
• Keylogging (T1056.001)
7. Discovery (TA0007)
Discovery techniques allow attackers to gain knowledge about the environment.
• System Information Discovery (T1082)
• Process Discovery (T1057)
• File and Directory Discovery (T1083)
• Network Share Discovery (T1135)
• Account Discovery (T1087)
8. Lateral Movement (TA0008)
Lateral Movement techniques allow adversaries to move through a network.
• Remote Services (T1021)
• RDP (T1021.001)
• SMB/Windows Admin Shares (T1021.002)
• Pass the Hash (T1550.002)
• Taint Shared Content (T1080)
9. Collection (TA0009)
Collection techniques are used to gather information and files from the victim network.
• Data from Local System (T1005)
• Input Capture (T1056)
• Data Staged (T1074)
• Screen Capture (T1113)
10. Exfiltration (TA0010)
Exfiltration techniques represent the methods adversaries use to steal data from a network.
• Exfiltration Over Web Service (T1567.002)
• Exfiltration Over C2 Channel (T1041)
• Scheduled Transfer (T1029)
• Data Compressed (T1560)
11. Command and Control (C2) (TA0011)
Command and Control techniques allow adversaries to communicate with and control systems in the compromised environment.
• Application Layer Protocol (T1071)
• Web Protocols (T1071.001)
• DNS (T1071.004)
• Remote Access Software (T1219)
• Ingress Tool Transfer (T1105)
12. Impact (TA0040)
Impact techniques are used to disrupt availability or compromise integrity by destroying or tampering with data.
• Data Destruction (T1485)
• Defacement (T1491)
• Disk Wipe (T1561.001)
• Ransomware (T1486)
• Service Stop (T1489)
Sub-techniques Example:
Each main technique has associated sub-techniques for more specificity. For example:
• Command and Scripting Interpreter (T1059)
• PowerShell (T1059.001)
• Bash (T1059.004)
• Python (T1059.006)
The list continues below from technique 13 onward, with additional techniques and sub-techniques from the MITRE ATT&CK framework.
13. Data Destruction (T1485)
Adversaries may destroy data in order to disrupt availability, causing damage to the target’s systems or information.
14. Defacement (T1491)
Adversaries may modify visual content on websites, applications, or systems to cause disruption or embarrassment to the target.
• Internal Defacement (T1491.001): Modifying content within an internal application or system.
• External Defacement (T1491.002): Modifying externally accessible content like websites.
15. Exploitation for Client Execution (T1203)
Exploitation of a vulnerability in client applications to execute malicious code.
• Browser Exploitation (T1203.001)
• Email Client Exploitation (T1203.002)
16. Hijack Execution Flow (T1574)
Adversaries may hijack execution flow by compromising the execution paths or control flow of a legitimate process.
• DLL Search Order Hijacking (T1574.001): Exploiting Windows’ search order for dynamic link libraries (DLLs).
• DLL Side-Loading (T1574.002): Installing malicious DLLs alongside legitimate software.
• COR_PROFILER (T1574.012): Using the COR_PROFILER environment variable to inject malicious DLLs.
17. Input Capture (T1056)
Adversaries may capture user input to steal credentials or other sensitive information.
• Keylogging (T1056.001): Monitoring keystrokes on a compromised system.
• GUI Input Capture (T1056.002): Capturing mouse clicks, screen activity, or other GUI inputs.
18. Masquerading (T1036)
Adversaries may disguise the names, paths, or signatures of files or executables to evade detection.
• Masquerading Task or Service (T1036.004): Creating or renaming scheduled tasks/services to look legitimate.
19. Modify Authentication Process (T1556)
Adversaries may modify the authentication process to enable access for themselves or other malicious actors.
• LSASS Driver Modification (T1556.002): Modifying the Local Security Authority Subsystem Service (LSASS) to dump credentials or gain unauthorized access.
20. Modify Registry (T1112)
Adversaries may modify Windows Registry settings to evade defenses, maintain persistence, or manipulate system functionality.
• Registry Run Keys / Startup Folder (T1547.001): Using registry keys to execute programs automatically during system boot or user login.
21. Process Injection (T1055)
Adversaries may inject code into the memory space of a live process to evade process-based defenses and escalate privileges.
• Process Hollowing (T1055.012): Hollowing out a legitimate process and injecting malicious code.
• DLL Injection (T1055.001): Injecting malicious code into the address space of another process by loading a malicious DLL.
22. Remote System Discovery (T1018)
Adversaries may attempt to get information about remote systems by querying for domain or network configuration settings.
23. Scheduled Task/Job (T1053)
Adversaries may use task scheduling to execute code at predefined times or intervals.
• Cron Job (T1053.003): Using Linux cron jobs for persistence or execution.
• At Job (T1053.001): Using Windows’ at command to schedule tasks.
24. Steal Application Access Token (T1528)
Adversaries may steal tokens that grant access to applications or services, allowing them to impersonate a user without needing credentials.
25. System Information Discovery (T1082)
Adversaries may gather detailed information about a system, such as its architecture and version, to help them tailor subsequent actions.
26. System Service Discovery (T1007)
Adversaries may query system services on a local or remote system to gain insight into running services that may be vulnerable.
27. Timestomp (T1070.006)
Adversaries may alter file timestamps to conceal when files were created, modified, or accessed.
28. Unsecured Credentials (T1552)
Adversaries may search for plaintext credentials or other sensitive information that is stored insecurely.
• Private Keys (T1552.004): Searching for private cryptographic keys in files.
29. User Execution (T1204)
Adversaries may rely on a user to run malicious content.
• Malicious File (T1204.002): Executing malware embedded in files opened by a user.
30. Valid Accounts (T1078)
Adversaries may steal or otherwise obtain legitimate user accounts for use in their operations.
• Domain Accounts (T1078.002): Use of domain credentials to access network resources.
31. Web Service (T1102)
Adversaries may use existing web services to infiltrate systems, exfiltrate data, or maintain communication with compromised assets.
• Dead Drop Resolver (T1102.002): Using legitimate websites or services as intermediaries for command and control.
32. Brute Force (T1110)
Adversaries may use brute force techniques to guess or crack passwords.
• Password Guessing (T1110.001)
• Password Cracking (T1110.002)
33. Clipboard Data (T1115)
Adversaries may collect data stored in the clipboard, potentially capturing sensitive information like passwords or personal information.
34. Credential Dumping (T1003)
Adversaries may attempt to dump credentials from operating system memory, software, or data stores.
• LSASS Memory (T1003.001)
• NTDS (T1003.003): Dumping credentials from Active Directory.
35. Exfiltration Over Web Service (T1567)
Adversaries may use web services to exfiltrate stolen data.
36. Indicator Removal on Host (T1070)
Adversaries may delete or tamper with system logs or other artifacts to cover their tracks.
• Clear Windows Event Logs (T1070.001)
37. Data Encrypted for Impact (T1486)
Adversaries may encrypt files or data on target systems to render them inaccessible, often as part of a ransomware attack.
38. Process Discovery (T1057)
Adversaries may enumerate running processes on a system to gain insight into what applications are running, which can inform follow-on actions such as process injection.
39. Remote File Copy (T1105)
Adversaries may copy files from an external system to a compromised system, often to stage files for exfiltration or subsequent attacks.
40. Sudo and Sudo Caching (T1548.003)
Adversaries may abuse the Linux sudo command or its caching mechanism to escalate privileges or maintain persistent elevated access.
41. System Owner/User Discovery (T1033)
Adversaries may query information about the local system owner or users, potentially to gather data for privilege escalation or lateral movement.
This list highlights many more techniques used by adversaries in the MITRE ATT&CK framework, focusing on key actions that attackers use at various stages of an attack. Each technique has associated sub-techniques, providing granular insight into adversary behavior.
42. Unsecured Credentials: Credentials in Files (T1552.001)
• Storing sensitive credentials insecurely in files.
43. Unsecured Credentials: Credentials in Cloud Storage (T1552.005)
• Credentials stored in cloud environments or services improperly.
44. Masquerading: Masquerade Task or Service (T1036.004)
• Naming tasks or services similarly to legitimate ones to avoid detection.
45. Exploit Public-Facing Application (T1190)
• Taking advantage of a vulnerability in an internet-facing application.
46. Indirect Command Execution (T1202)
• Running commands in an indirect way to avoid detection, often through other processes.
47. Security Software Discovery (T1518.001)
• Finding installed security software to evade defenses or tailor attacks.
48. Network Share Discovery (T1135)
• Enumerating shared folders and files across networked systems.
49. Create Account (T1136)
• Creating new user accounts within a compromised environment for persistence.
50. Software Deployment Tools (T1072)
• Leveraging software deployment mechanisms for malware distribution or lateral movement.
51. Command-Line Interface (T1059.003)
• Using the command-line interface to execute commands or scripts.
52. System Network Connections Discovery (T1049)
• Identifying active network connections on a target system.
53. Account Discovery (T1087)
• Collecting information on user or system accounts to plan further attacks.
54. Valid Accounts: Domain Accounts (T1078.002)
• Using stolen or compromised domain-level credentials for lateral movement.
55. System Owner/User Discovery (T1033)
• Querying system metadata to identify the owner or primary user.
56. Modify Cloud Compute Infrastructure (T1578)
• Manipulating cloud infrastructure to expand access or gain persistence.
57. Modify Registry (T1112)
• Changing Windows Registry keys and values to hide activity or maintain persistence.
58. Timestomp (T1070.006)
• Modifying file timestamps to obscure the attacker’s activity.
59. Sudo Caching (T1548.003)
• Exploiting Linux sudo caching to escalate privileges without a password prompt.
60. Clipboard Data (T1115)
• Capturing sensitive information from the clipboard, such as copied passwords.
61. Obfuscated Files or Information (T1027)
• Encoding or encrypting files to conceal malicious payloads or communications.
62. Application Layer Protocol (T1071)
• Using standard application layer protocols for command and control communications.
• Web Protocols (T1071.001)
• DNS (T1071.004)
63. Screen Capture (T1113)
• Taking screenshots of the compromised environment to collect sensitive data.
64. Remote Services: Remote Desktop Protocol (RDP) (T1021.001)
• Leveraging RDP to move laterally or maintain persistence within the network.
65. Web Service: Dead Drop Resolver (T1102.002)
• Using web services like dead-drop resolvers to relay information between attacker and compromised systems.
66. Pass the Hash (T1550.002)
• Reusing stolen hash values to authenticate without having to crack passwords.
67. Ingress Tool Transfer (T1105)
• Transferring files or malware from an external source into the target environment.
68. Credential Dumping: LSASS Memory (T1003.001)
• Dumping credentials from the LSASS process on Windows systems.
69. Scheduled Task/Job: At (Windows Task Scheduling) (T1053.001)
• Using the at command to schedule and execute tasks.
70. Registry Run Keys / Startup Folder (T1547.001)
• Modifying registry run keys or startup folders for persistence.
71. User Execution: Malicious File (T1204.002)
• Executing malicious code from files that a user opens.
72. Active Scanning (T1595)
• Actively scanning networks or applications to find vulnerabilities or open services.
73. Keylogging (T1056.001)
• Recording keystrokes to steal credentials or sensitive information.
74. Masquerading: Masquerade File Extensions (T1036.005)
• Using fake file extensions to disguise malicious files.
75. DLL Side-Loading (T1574.002)
• Loading malicious DLLs by hijacking the way legitimate programs search for DLLs.
76. Network Sniffing (T1040)
• Capturing network traffic to collect credentials or other sensitive data.
77. Lateral Tool Transfer (T1570)
• Moving tools or malware laterally between systems within the network.
78. Remote File Copy (T1105)
• Copying files from a remote system to a local system as part of an attack.
79. Process Hollowing (T1055.012)
• Hijacking legitimate processes to run malicious code by hollowing them out.
80. Exfiltration Over Web Service (T1567.002)
• Using web-based services to exfiltrate data from the compromised environment.
81. Data Encrypted for Impact (T1486)
• Encrypting sensitive data as part of ransomware or another destructive attack.
82. Exploitation for Privilege Escalation (T1068)
• Using vulnerabilities to gain elevated permissions.
83. File and Directory Discovery (T1083)
• Enumerating files and directories on a system to gather information about its structure.
84. Virtualization/Sandbox Evasion (T1497)
• Detecting and evading virtualized environments or sandboxes to avoid being analyzed.
85. System Services: Service Execution (T1569.002)
• Using Windows services to execute malicious code.
86. Scheduled Task/Job: Cron Job (T1053.003)
• Scheduling tasks using cron on Linux or Unix systems to maintain persistence.
87. Process Injection: DLL Injection (T1055.001)
• Injecting malicious code into the address space of another process via a DLL.
88. Exfiltration Over C2 Channel (T1041)
• Using command and control channels to exfiltrate data.
89. Automated Exfiltration (T1020)
• Automating the process of data exfiltration from a compromised network.
90. Data Compressed (T1560)
• Compressing data before exfiltration to reduce file size or evade detection.
91. Drive-by Compromise (T1189)
• Compromising a system when a user visits a malicious website.
92. Pass the Ticket (T1550.003)
• Reusing stolen Kerberos tickets to authenticate without needing passwords.
93. Brute Force (T1110)
• Repeatedly attempting to guess or crack passwords.
94. Data from Local System (T1005)
• Collecting data stored on a local system for exfiltration or further analysis.
95. Spearphishing Attachment (T1566.001)
• Sending targeted emails with malicious attachments.
96. Process Discovery (T1057)
• Enumerating running processes on a system to inform further actions.
97. Masquerading: Match Legitimate Name or Location (T1036.005)
• Making a malicious file or service appear to be legitimate by matching its name or path.
98. Exfiltration Over Physical Medium (T1052)
• Using physical media such as USB drives to exfiltrate data.
99. Input Capture: Credential API Hooking (T1056.004)
• Capturing credentials by hooking into legitimate API calls.
100. Replication Through Removable Media (T1091)
• Using USB drives or other removable media to propagate malware.
These techniques are part of a broader range of methods adversaries use across different stages of an attack. The MITRE ATT&CK framework covers tactics from Initial Access all the way to Impact, providing defenders with a comprehensive understanding of how adversaries operate and how to mitigate these threats.
Here are the 14 tactics in the MITRE ATT&CK framework, in the correct order:
1. Initial Access (TA0001): The methods adversaries use to get into a network.
• Example: Phishing, Exploit Public-Facing Applications
2. Execution (TA0002): The techniques adversaries use to run malicious code.
• Example: Command and Scripting Interpreter, PowerShell
3. Persistence (TA0003): How adversaries maintain their foothold in a system.
• Example: Scheduled Task/Job, Boot or Logon Autostart Execution
4. Privilege Escalation (TA0004): Techniques used to gain higher-level permissions.
• Example: Exploitation for Privilege Escalation, Process Injection
5. Defense Evasion (TA0005): Techniques to avoid detection or hide malicious activities.
• Example: Obfuscated Files or Information, Disable Security Tools
6. Credential Access (TA0006): Techniques to steal credentials like usernames and passwords.
• Example: Credential Dumping, Brute Force
7. Discovery (TA0007): Methods used to gain knowledge about the environment.
• Example: System Information Discovery, Network Service Discovery
8. Lateral Movement (TA0008): Moving through a network to access other systems.
• Example: Remote Services, Pass the Hash
9. Collection (TA0009): Techniques to gather data from a target system.
• Example: Data from Local System, Keylogging
10. Exfiltration (TA0010): Techniques for stealing data from a target network.
• Example: Exfiltration Over Web Service, Exfiltration Over C2 Channel
11. Command and Control (C2) (TA0011): How adversaries communicate with compromised systems.
• Example: Application Layer Protocol, Web Service
12. Impact (TA0040): Techniques used to disrupt availability or destroy data.
• Example: Data Destruction, Ransomware
13. Resource Development (TA0042): Techniques used by adversaries to establish resources they need for operations, such as infrastructure and tools.
• Example: Acquire Infrastructure, Compromise Accounts
14. Reconnaissance (TA0043): Techniques adversaries use to gather information on their target before launching an attack.
• Example: Active Scanning, Search Open Technical Databases
These tactics represent the different goals adversaries pursue during an attack, and each tactic has a set of associated techniques and sub-techniques that explain how attackers accomplish their objectives.