Slides presented by Adam Pennington for a Symantec webinar on "Defending Against Targeted Ransomware with MITRE ATT&CK"

1. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
Defending Against Targeted
Ransomware with MITRE ATT&CK™
| 1 |
Adam Pennington @_whatshisface
MITRE ATT&CK @MITREattack

2. Questions You Might Have on Ransomware/GoGaLocker
▪ How can I adapt my defenses to threats like these?
▪ Do I have a chance at detecting GoGaLocker?
▪ Is the data I’m collecting useful against these actors?
| 2 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7

3. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 3 |
What is
?
A knowledge base of
adversary behavior
➢ Based on real-world observations
➢ Free, open, and globally accessible
➢ A common language
➢ Community-driven

4. The Difficult Task of Detecting TTPs
Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
David Bianco’s Pyramid of Pain
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7

5. Breaking Down ATT&CK
Tactics: the adversary’s technical goals
Techniques:howthegoalsare
achieved
Procedures: Specific technique implementation
| 5 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7

6. Technique: Data Encrypted for Impact
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 6 |

7. Technique: Data Encrypted for Impact
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 7 |

8. Technique: Data Encrypted for Impact
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 8 |

9. Technique: Data Encrypted for Impact
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 9 |

10. Software: LockerGoga
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 10 |

11. Software: LockerGoga
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 11 |

12. Software: LockerGoga
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 12 |

13. ATT&CK Use Cases
| 13 |
Threat Intelligence
processes = search Process:Create
reg = filter processes where (exe == "reg.exe" and parent_exe
== "cmd.exe")
cmd = filter processes where (exe == "cmd.exe" and
parent_exe != "explorer.exe"")
reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and
reg.hostname == cmd.hostname)
output reg_and_cmd
Detection
Adversary Emulation
Assessment and Engineering
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
Use ATT&CK for Adversary Emulation and Red Teaming
The best defense is a well-tested defense. ATT&CK provides a common adversary
behavior framework based on threat intelligence that red teams can use to emulate
specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and
processes—and then fix them.
Legend
Low Priority
High Priority
Finding Gaps in Defense
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
AppleScript
Application Deployment
Software
Distributed Component
Object Model
Exploitation of
Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through
Removable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote
Management
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and
Control Protocol
Custom Cryptographic
Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation
Algorithms
Fallback Channels
Multiband Communication
Multi-hop Proxy
Multilayer Encryption
Multi-Stage Channels
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer
Protocol
Standard Cryptographic
Protocol
Standard Non-Application
Layer Protocol
Uncommonly Used Port
Web Service
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Other
Network Medium
Exfiltration Over Command
and Control Channel
Exfiltration Over Alternative
Protocol
Exfiltration Over
Physical Medium
Scheduled Transfer
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data
Manipulation
Audio Capture
Automated Collection
Clipboard Data
Data from Information
Repositories
Data from Local System
Data from Network
Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Drive-by Compromise
Exploit Public-Facing
Application
External Remote Services
Hardware Additions
Replication Through
Removable Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through
Module Load
Exploitation for
Client Execution
Graphical User Interface
InstallUtil
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scripting
Service Execution
Signed Binary
Proxy Execution
Signed Script
Proxy Execution
Source
Space after Filename
Third-party Software
Trusted Developer Utilities
DLL Search Order Hijacking
Image File Execution Options Injection
Plist Modification
Valid Accounts
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Dylib Hijacking
File System Permissions Weakness
Hooking
Launch Daemon
New Service
Path Interception
Port Monitors
Service Registry Permissions Weakness
Setuid and Setgid
Startup Items
Web Shell
.bash_profile and .bashrc
Account Manipulation
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default
File Association
Component Firmware
BITS Jobs
Clear Command History
CMSTP
Code Signing
Compiled HTML File
Component Firmware
Component Object Model
Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files
or Information
Disabling Security Tools
DLL Side-Loading
Execution Guardrails
Exploitation for
Defense Evasion
File Deletion
File Permissions
Modification
File System Logical Offsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Exploitation for
Privilege Escalation
SID-History Injection
Sudo
Sudo Caching
Scheduled Task Binary Padding Network Sniffing
Launchctl
Local Job Scheduling
LSASS Driver
Trap
Access Token Manipulation
Bypass User Account Control
Extra Window Memory Injection
Process Injection
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for
Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT-NS Poisoning
and Relay
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Account Discovery
Application Window
Discovery
Browser Bookmark
Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Discovery
Remote System Discovery
Security Software Discovery
System Information
Discovery
System Network
Configuration Discovery
System Network
Connections Discovery
System Owner/User
Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox
Evasion
Use ATT&CK for Cyber Threat Intelligence
Cyber threat intelligence comes from many sources, including knowledge of past incidents,
commercial threat feeds, information-sharing groups, government threat-sharing programs,
and more. ATT&CK gives analysts a common language to communicate across reports and
organizations, providing a way to structure, compare, and analyze threat intelligence.
Use ATT&CK to Build Your Defensive Platform
ATT&CK includes resources designed to help cyber defenders develop analytics that
detect the techniques used by an adversary. Based on threat intelligence included in
ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of
analytics to detect threats.
Get Started with ATT&CK
Legend
APT28
APT29
Both
Comparing APT28 to APT29
we've chosen 12 of those data sources to show the techniques each of them might be able to detect with the right colle
analytics. Check out our w ebsite at attack.mitre.org for more information on how each technique can be det ected, and
adversary examples you can use to start detecting adversary behavior with ATT&CK.
You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog post at bit.ly/ATT
learn how we generated this diagram, check out the code, and begin building your own diagrams from ATT&CK conten
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
ob
sta
Use ATT&CK to Build Your Defensive Platform
ATT&CK includes resources designed to help cyber defenders develop analytics that
detect the techniques used by an adversary. Based on threat intelligence included in
ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of
analytics to detect threats.
Legend
APT28
APT29
Both
Legend
Low Priority
High Priority
Comparing APT28 to APT29
Finding Gaps in Defense
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Shortcut Modification
SIP and Trust Provider Hijacking
Startup Items
System Firmware
Systemd Service
Time Providers
Trap
Valid Accounts
Web Shell
Windows Management
Instrumentation Event Subscription
Winlogon Helper DLL
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Process Injection
Redundant Access
Regsvcs/Regasm
Regsvr32
Rootkit
Rundll32
Scripting
Signed Binary Proxy Execution
Signed Script Proxy Execution
SIP and Trust Provider Hijacking
Software Packing
Space after Filename
Template Injection
Timestomp
Trusted Developer Utilities
Valid Accounts
Virtualization/Sandbox Evasion
Web Service
XSL Script Processing
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
Initial Access
Drive-by Compromise
Exploit Public-Facing Application
External Remote Services
Hardware Additions
Replication Through Removable
Media
Spearphishing Attachment
Spearphishing Link
Spearphishing via Service
Supply Chain Compromise
Trusted Relationship
Valid Accounts
Execution
AppleScript
CMSTP
Command-Line Interface
Compiled HTML File
Control Panel Items
Dynamic Data Exchange
Execution through API
Execution through Module Load
Exploitation for Client Execution
Graphical User Interface
InstallUtil
Launchctl
Local Job Scheduling
LSASS Driver
Mshta
PowerShell
Regsvcs/Regasm
Regsvr32
Rundll32
Scheduled Task
Scripting
Service Execution
Signed Binary Proxy Execution
Signed Script Proxy Execution
Source
Space after Filename
Third-party Software
Trap
Trusted Developer Utilities
User Execution
Windows Management
Instrumentation
Windows Remote Management
XSL Script Processing
Persistence
.bash_profile and .bashrc
Accessibility Features
Account Manipulation
AppCert DLLs
AppInit DLLs
Application Shimming
Authentication Package
BITS Jobs
Bootkit
Browser Extensions
Change Default File Association
Component Firmware
Component Object Model Hijacking
Create Account
DLL Search Order Hijacking
Dylib Hijacking
External Remote Services
File System Permissions W eakness
Hidden Files and Directories
Hooking
Hypervisor
Image File Execution Options
Injection
Kernel Modules and Extensions
Launch Agent
Launch Daemon
Launchctl
LC_LOAD_DYLIB Addition
Local Job Scheduling
Login Item
Logon Scripts
LSASS Driver
Modify Existing Service
Netsh Helper DLL
New Service
Office Application Startup
Path Interception
Plist Modification
Port Knocking
Port Monitors
Rc.common
Re-opened Applications
Redundant Access
Registry Run Keys / Startup Folder
Scheduled Task
Screensaver
Security Support Provider
Service Registry Permissions
Weakness
Setuid and Setgid
Privilege Escalation
Access Token Manipulation
Accessibility Features
AppCert DLLs
AppInit DLLs
Application Shimming
Bypass User Account Control
DLL Search Order Hijacking
Dylib Hijacking
Exploitation for Privilege Escalation
Extra Window Memory Injection
File System Permissions W eakness
Hooking
Image File Execution Options
Injection
Launch Daemon
New Service
Path Interception
Plist Modification
Port Monitors
Process Injection
Scheduled Task
Service Registry Permissions
Weakness
Setuid and Setgid
SID-History Injection
Startup Items
Sudo
Sudo Caching
Valid Accounts
Web Shell
Defense Evasion
Access Token Manipulation
Binary Padding
BITS Jobs
Bypass User Account Control
Clear Command History
CMSTP
Code Signing
Compile After Delivery
Compiled HTML File
Component Firmware
Component Object Model Hijacking
Control Panel Items
DCShadow
Deobfuscate/Decode Files or
Information
Disabling Security Tools
DLL Search Order Hijacking
DLL Side-Loading
Execution Guardrails
Exploitation for Defense Evasion
Extra Window Memory Injection
File Deletion
File Permissions Modification
File System Logical Of fsets
Gatekeeper Bypass
Group Policy Modification
Hidden Files and Directories
Hidden Users
Hidden Window
HISTCONTROL
Image File Execution Options
Injection
Indicator Blocking
Indicator Removal from Tools
Indicator Removal on Host
Indirect Command Execution
Install Root Certificate
InstallUtil
Launchctl
LC_MAIN Hijacking
Masquerading
Modify Registry
Mshta
Network Share Connection
Removal
NTFS File Attributes
Obfuscated Files or Information
Plist Modification
Port Knocking
Process Doppelgänging
Process Hollowing
Credential Access
Account Manipulation
Bash History
Brute Force
Credential Dumping
Credentials in Files
Credentials in Registry
Exploitation for Credential Access
Forced Authentication
Hooking
Input Capture
Input Prompt
Kerberoasting
Keychain
LLMNR/NBT -NS Poisoning and
Relay
Network Snif fing
Password Filter DLL
Private Keys
Securityd Memory
Two-Factor Authentication
Interception
Discovery
Account Discovery
Application Window Discovery
Browser Bookmark Discovery
Domain Trust Discovery
File and Directory Discovery
Network Service Scanning
Network Share Discovery
Network Snif fing
Password Policy Discovery
Peripheral Device Discovery
Permission Groups Discovery
Process Discovery
Query Registry
Remote System Discovery
Security Software Discovery
System Information Discovery
System Network Configuration
Discovery
System Network Connections
Discovery
System Owner/User Discovery
System Service Discovery
System Time Discovery
Virtualization/Sandbox Evasion
Lateral Movement
AppleScript
Application Deployment Software
Distributed Component Object
Model
Exploitation of Remote Services
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable
Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Collection
Audio Capture
Automated Collection
Clipboard Data
Data from Information Repositories
Data from Local System
Data from Network Shared Drive
Data from Removable Media
Data Staged
Email Collection
Input Capture
Man in the Browser
Screen Capture
Video Capture
Command And Control
Commonly Used Port
Communication Through
Removable Media
Connection Proxy
Custom Command and Control
Protocol
Custom Cryptographic Protocol
Data Encoding
Data Obfuscation
Domain Fronting
Domain Generation Algorithms
Fallback Channels
Multi-hop Proxy
Multi-Stage Channels
Multiband Communication
Multilayer Encryption
Port Knocking
Remote Access Tools
Remote File Copy
Standard Application Layer Protocol
Standard Cryptographic Protocol
Standard Non-Application Layer
Protocol
Uncommonly Used Port
Web Service
Exfiltration
Automated Exfiltration
Data Compressed
Data Encrypted
Data Transfer Size Limits
Exfiltration Over Alternative Protocol
Exfiltration Over Command and
Control Channel
Exfiltration Over Other Network
Medium
Exfiltration Over Physical Medium
Scheduled Transfer
Impact
Data Destruction
Data Encrypted for Impact
Defacement
Disk Content Wipe
Disk Structure Wipe
Endpoint Denial of Service
Firmware Corruption
Inhibit System Recovery
Network Denial of Service
Resource Hijacking
Runtime Data Manipulation
Service Stop
Stored Data Manipulation
Transmitted Data Manipulation
malwarereve
net
work device logs
network intrusion detection system
ssl/tls inspection
system
calls
windowseventlogs
ocol
compromise
point denial of service
network denial of service
obfuscated files or information
remote access tools
spearphishing attachment
standard non-application layer protocoltemplate injection
domain fronting
drive-by compromise
endpoint denial of service
install root certificate
obfuscated files or information
spearphishing link
spearphishing via service
standard cryptographic protocol
web service
applescript
application shimming
browser extensions
bypass user account control
exploitation for client execution
hypervisor
kernel modules and extensions
keychain
rootkit
account manipulation
bits jobs
cm
stp
em
s

14. How Can I Use ATT&CK?
▪ Use knowledge of adversary behavior to help track behaviors
– Intelligence already shared within ATT&CK Groups/Software
– Map additional intelligence into ATT&CK
▪ Leverage known behaviors to help inform defenses
– Detections/Mitigations/Data Sources contained within Techniques
– External resources mapped to ATT&CK
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 14 |

15. Leveraging ATT&CK’s Version of GoGaLocker
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 15 |

16. Visualizing LockerGoga Techniques from ATT&CK
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 16 |
= Technique in ATT&CK LockerGoga Page

17. Map Additional Intelligence to ATT&CK
▪ ATT&CK Groups/Software is limited to free/public CTI
▪ Not enough resources to map every published report
▪ Identify behaviors
– What text is describing adversary activity?
▪ Identify the Tactic
– What is the adversary trying to do?
▪ Move onto Techniques
– How is the adversary accomplishing that goal?
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 17 |

18. Mapping Techniques from Symantec’s Report
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 18 |
T1481- Data Encrypted for Impact
T1064- Scripting
T1089- Disabling
Security Tools
T1086- Powershell
T1003- Credential Dumping
T1116- Code Signing
T1077- Windows Admin Shares
T1021- Remote Services

19. Techniques Associated with GoGaLocker Activity
▪ Execution - Execution through API (T1106)
▪ Execution - Powershell (T1086)
▪ Execution - Scripting (T1064)
▪ Execution - Windows Management Instrumentation (T1047)
▪ Defense Evasion - Code Signing (T1116)
▪ Defense Evasion - Disabling Security Tools (T1089)
▪ Credential Access - Credential Dumping (T1003)
▪ Lateral Movement - Remote File Copy (T1105)
▪ Lateral Movement - Remote Services (T1021)
▪ Lateral Movement - Windows Admin Shares (T1077)
▪ Command and Control - Uncommonly Used Port (T1065)
▪ Command and Control - Multistage Channels (T1103)
▪ Impact - Data Encrypted for Impact (T1481)
▪ Impact - Disk Structure Wipe (T1487)
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 19 |
Mapped from “Targeted Ransomware: An ISTR Report”

20. Additional Techniques from Symantec’s Report
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 20 |
= Technique in ATT&CK LockerGoga Page
= Technique added from GoGaLocker reporting

21. How Do I Use All This to Defend Myself?
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 21 |
Determine
priority
techniques
Research
defensive
options
Determine
tradeoffs
on specific
options
Implement
defenses

22. Determine Priority Techniques
Many ways to prioritize, focused on leveraging GoGaLocker CTI
1. Threat intelligence: what are your adversaries doing?
2. Data sources: what data do you have already?
3. Tools: what can your current tools cover?
4. Red team: what can you see red teamers doing?
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 22 |

23. Determine Priority Techniques
Threat intelligence: what are your adversaries doing?
▪ Execution - Execution through API (T1106)
▪ Execution - Powershell (T1086)
▪ Execution - Scripting (T1064)
▪ Execution - Windows Management Instrumentation (T1047)
▪ Defense Evasion - Code Signing (T1116)
▪ …
▪ Command and Control - Multistage Channels (T1103)
▪ Impact - Data Encrypted for Impact (T1481)
▪ Impact - Disk Structure Wipe (T1487)
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 23 |

24. Research Defensive Options Related to Technique
▪ Many sources provide defensive information indexed to ATT&CK
– ATT&CK
▪ Data Sources/Detections/Mitigations/Research referenced on Techniques
– Other defensive repositories mapped to ATT&CK
▪ Cyber Analytics Repository: https://car.mitre.org/
▪ EQL Analytics Library: https://eqllib.readthedocs.io/en/latest/analytics.html
▪ Threat Hunter Playbook: https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
▪ Sigma: https://github.com/Neo23x0/sigma
▪ Atomic Threat Coverage: https://github.com/krakow2600/atomic-threat-coverage
▪ Supplement with your own research
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 24 |

25. Research Defensive Options Related to T1481
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 25 |

26. Research Defensive Options Related to T1481
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 26 |

27. Research Defensive Options Related to T1481
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 27 |

28. Research Defensive Options Related to T1481
▪ Mitigate
– Data backup
▪ Detect
– Process monitoring
– File creation/modification monitoring
– Kernel driver monitoring
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 28 |

29. Determine Tradeoffs on Specific Options
▪ Do existing tools/products already implement a mitigation?
– May be necessary to reconfigure to counter specific threat
▪ Are you already collecting the right data sources to detect?
– Analytics in existing repositories may be available
▪ Are any options simply infeasible for your organization?
– E.g., have too high a false positive rate, budget impossibility
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 29 |

30. Implement Defenses and Repeat
▪ Report identified 14 Techniques related to GoGaLocker activity
– ATT&CK maps 30 more techniques to other targeted ransomware
▪ Note: Not all Techniques may be feasible to detect/mitigate
– May be too closely aligned with normal behaviors
– Related data sources may still be worth collecting
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 30 |

31. Takeaways
▪ Targeted ransomware is a growing threat to enterprises
– While total number of victims are small, the impact is high
▪ ATT&CK is a free, open, and globally accessible resource that
can help organize defenses against ransomware…and more
– Track and understand adversary behaviors
– Identify defensive options through resources mapped to ATT&CK
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7
| 31 |

32. | 31 |
https://attack.mitre.org
attack@mitre.org
@MITREattack
Adam Pennington
@_whatshisface
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-7