SlideShare ist ein Scribd-Unternehmen logo

MITRE-Module 3 Slides.pdf

ReZa AdineH
ReZa AdineH

This document discusses mapping raw cyber threat data to the ATT&CK framework. It describes finding behaviors in raw data, researching the behaviors, translating them to ATT&CK tactics, and identifying the relevant ATT&CK techniques. The process includes comparing mappings to other analysts and understanding different types of techniques. An exercise demonstrates mapping behaviors from command line executions and malware analysis to ATT&CK.

Präsentationen & Vorträge
1 von 23
Downloaden Sie, um offline zu lesen
Module 3: Mapping to ATT&CK from Raw Data
Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
Mapping to ATT&CK from Raw Data ▪ So far, working from intel where activity has already been analyzed ▪ Analysis of techniques/behaviors directly from source data – Likely more information available at the procedure level – Not reinterpreting another analyst’s prose – Greater knowledge/expertise required to interpret intent/tactic ▪ Broad set of possible data can contain behaviors – Shell commands, malware, forensic disk images, packets ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Mapping to ATT&CK 0. Understand ATT&CK 1. Find the behavior 2. Research the behavior 3. Translate the behavior into a tactic 4. Figure out what technique applies to the behavior 5. Compare your results to other analysts ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
ipconfig /all sc.exe ln334656-pc create .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx Commands captured by Sysmon being run interactively via cmd.exe 10.2.13.44:32123 -> 128.29.32.4:443 128.29.32.4:443 -> 10.2.13.44:32123 Flows from malware in a sandbox HKLMSoftwareMicrosoftWindowsCurrentVersionRun HKLMSoftwareMicrosoftNetsh New reg keys during an incident 1. Find the Behavior ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior ▪ Can be similar to analysis of finished reporting for raw data ▪ May require expertise in the specific data type – Network, forensics, malware, Windows cmd line, etc ▪ May require multiple data sources, more context – Additional questions to responders/analysts ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – Can make some educated guesses, but not enough context File analysis: When recycler.exe is executed, it gives the following output: C:recycler.exe RAR 3.70 Copyright (c) 1993-2007 Alexander Roshal 22 May 2007 Shareware version Type RAR -? for help – Aha! Based on the analysis we can Google the flags to RAR and determine that it is being used to compress and encrypt the file ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
2. Research the Behavior .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx And the file being compressed/encrypted is a Visio diagram, probably exfiltration ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
3. Translate the Behavior into a Tactic ipconfig /all – Specific procedure only mapped to System Network Configuration Discovery – System Network Configuration Discovery -> Discovery ✅ – Seen being run via Sysmon -> Execution .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – We figured out researching this that “vsdx” is Visio data – Moderate confidence Exfiltration, commands around this could make clearer – Seen being run via Sysmon -> Execution ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Figure Out What Technique Applies ▪ Similar to working with finished reporting we may jump straight here – Procedure may map directly to Technique/Tactic – May have enough experience to compress steps ipconfig /all – Specific procedure in System Network Configuration Discovery (T1016) – Also Command-Line Interface (T1059) .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – We figured out researching this that “a –hp” compresses/encrypts – Appears to be Data Compressed (T1002) and Data Encrypted (T1022) – Also Command-Line Interface (T1059) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Concurrent Techniques ▪ Don’t just think of what’s happening – think of how it’s happening ▪ Certain tactics commonly have concurrent techniques: – Execution – Defense Evasion – Collection ▪ Examples: – Data Compressed + Data Encrypted (2x Exfiltration) – Spearphishing Attachment + User Execution (Initial Access + Execution) – Data from Local System + Email Collection (2x Collection) – Process Discovery + Command-Line Interface (Discovery + Execution) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
4. Different Types of Techniques ▪ Not all techniques are created equal! – Credit to Red Canary: https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/ ▪ Some are specific – Rundll32 – Netsh Helper DLL ▪ Some are broad – Scripting – Obfuscated Files or Information ▪ Some capture “how” the behavior occurs – Masquerading – Data Transfer Size Limits – Automated Collection ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
5. Compare Your Results to Other Analysts ▪ Same caveats about hedging biases ▪ May need a broader set of skills/experience to work with types of data Analyst 1 Analyst 2 • Packets • Malware/Reversing • Windows command line • Windows Events • Disk forensics • macOS/Linux ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Pros/cons of Mapping from the Two Different Sources Step Raw Finished Find the behavior Nearly everything may be a behavior (not all ATT&CK) May be buried amongst prose, IOCs, etc Research the behavior May need to look at multiple sources, data types. May also be a known procedure May have more info/context, may also have lost detail in writing Translate the behavior into a tactic Have to map to adversary intent, need domain knowledge/expertise Often intent has been postulated by report author Figure out what technique applies to the behavior May have a procedure that maps straight to technique, or may require deep understanding to understand how accomplished May be as simple as a text match to description/procedure, or may be too vague to tell Compare your results to other analysts May need multiple analysts to cover all data sources More likely in a form where other analysts needed for coverage/hedge against bias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Exercise 3: Working with raw data ▪ You’re going to be examining two tickets from a simulated incident ▪ Ticket 473822 – Series of commands interactively executed via cmd.exe on an end system ▪ Ticket 473845 – Pieces of a malware analysis of the primary RAT used in the incident ▪ Both tickets are at https://attack.mitre.org/training/cti under Exercise 3 ▪ Use whatever to record your results or download and edit ▪ Identify as many behaviors as possible ▪ Annotate the behaviors that are ATT&CK techniques ▪ Please pause. We suggest giving yourself 25 minutes for this exercise. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Exercise Questions ▪ What questions would you have asked of your incident responders? ▪ What was easier/harder than working with finished reporting? ▪ What other types of data do you commonly encounter with behaviors? ▪ Did you notice any behaviors that you couldn’t find a technique for? ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Going Over Exercise 3 (Ticket 473822) ipconfig /all arp -a echo %USERDOMAIN%%USERNAME% tasklist /v sc query systeminfo net group "Domain Admins" /domain net user /domain net group "Domain Controllers" /domain netsh advfirewall show allprofiles netstat -ano System Network Configuration Discovery (T1016) System Network Configuration Discovery (T1016) System Owner / User Discovery (T1033) Process Discovery (T1057) System Service Discovery (T1007) All are Execution - Command-Line Interface (T1059) System Information Discovery (T1082) Permission Groups Discovery (T1069) Account Discovery (T1087) Remote System Discovery (T1018) System Network Configuration Discovery (T1016) System Network Connections Discovery (T1049) Discovery ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Going Over Exercise 3 (Ticket 473845) C2 protocol is base64 encoded commands over https. The RAT beacons every 30 seconds requesting a command. UPLOAD file (upload a file server->client) DOWNLOAD file (download a file client->server) SHELL command (runs a command via cmd.exe) PSHELL command (runs a command via powershell.exe) EXEC path (executes a PE at the path given via CreateProcess) SLEEP n (skips n beacons) 10.1.1.1:24123 -> 129.83.44.12:443 129.83.44.12:443 -> 10.1.1.1:24123 Copy C:winspoo1.exe -> C:WindowsSystem32winspool.exe HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunwinspool REG_SZ "C:WindowsSystem32winspool.exe" Execution - Command-Line Interface (T1059) Execution - Powershell (T1086) Execution - Execution through API (T1106) Command and Control - Commonly Used Port (T1043) Command and Control - Data Encoding (T1132) Command and Control - Standard Application Layer Protocol (T1071) Defense Evasion - Masquerading (T1036) Persistence - Registry Run Keys (T1060) Command and Control – Remote File Copy (T1105) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
From Raw Data to Finished Reporting with ATT&CK ▪ We’ve talked about augmenting reports with ATT&CK and analyzing data with ATT&CK, possibly in parallel with analysis for reporting ▪ If you are creating reporting with ATT&CK techniques, we recommend keeping the techniques with the related procedures for context – Allows other analysts to examine the mapping for themselves – Allows much easier capture of how a technique was done ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Finished Reporting Examples During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all1’ via the Windows command shell2. 1. Discovery – System Network Configuration Discovery (T1016) 2. Execution – Command-Line Interface (T1059) System Network Configuration Discovery (T1016) and Command-Line Interface (T1059) - During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all’ via the Windows command shell. Instead of Appendix C – ATT&CK Techniques ▪ System Network Configuration Discovery ▪ Command-Line Interface ▪ Hardware Additions ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
End of Module 3 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.

Empfohlen

MITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdf
ReZa AdineH
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
Adam Pennington
 
MITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdfMITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdf
ReZa AdineH
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
Adam Pennington
 
Effective Data Erasure and Anti Forensics Techniques
Effective Data Erasure and Anti Forensics TechniquesEffective Data Erasure and Anti Forensics Techniques
Effective Data Erasure and Anti Forensics Techniques
ijtsrd
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?)
MITRE ATT&CK
 
Irm 5-malicious networkbehaviour
Irm 5-malicious networkbehaviourIrm 5-malicious networkbehaviour
Irm 5-malicious networkbehaviour
Kasper de Waard
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gpos
Priyanka Aash
 

Empfohlen

MITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdf
ReZa AdineH
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
Adam Pennington
 
MITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdfMITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdf
ReZa AdineH
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
Adam Pennington
 
Effective Data Erasure and Anti Forensics Techniques
Effective Data Erasure and Anti Forensics TechniquesEffective Data Erasure and Anti Forensics Techniques
Effective Data Erasure and Anti Forensics Techniques
ijtsrd
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?)
MITRE ATT&CK
 
Irm 5-malicious networkbehaviour
Irm 5-malicious networkbehaviourIrm 5-malicious networkbehaviour
Irm 5-malicious networkbehaviour
Kasper de Waard
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gpos
Priyanka Aash
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
Rod Soto
 
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxDisaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
duketjoy27252
 
Protect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationProtect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/Reputation
Pa Al
 
Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2
Cysinfo Cyber Security Community
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
Katie Nickels
 
Data in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonData in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathon
Cisco DevNet
 
IRJET- Ethical Hacking
IRJET- Ethical HackingIRJET- Ethical Hacking
IRJET- Ethical Hacking
IRJET Journal
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)
Dinis Cruz
 
CompTIA Cybersecurity Analyst Certification Tips and Tricks
CompTIA Cybersecurity Analyst Certification Tips and TricksCompTIA Cybersecurity Analyst Certification Tips and Tricks
CompTIA Cybersecurity Analyst Certification Tips and Tricks
Joseph Holbrook, Chief Learning Officer (CLO)
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Robert Brandel
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdf
MarceloCunha571649
 
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
NetworkCollaborators
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
Lalit Garg
 
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagenullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
n|u - The Open Security Community
 
MITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfMITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdf
ReZa AdineH
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Adam Pennington
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
APNIC
 
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET Journal
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit framework
PawanKesharwani
 
Experiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data AccessExperiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data Access
Precisely
 
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
ReZa AdineH
 
SIEM POC Assessment.pdf
SIEM POC Assessment.pdfSIEM POC Assessment.pdf
SIEM POC Assessment.pdf
ReZa AdineH
 

Weitere ähnliche Inhalte

Ähnlich wie MITRE-Module 3 Slides.pdf

SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
Rod Soto
 
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxDisaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
duketjoy27252
 

Ähnlich wie MITRE-Module 3 Slides.pdf (20)

SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxDisaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
 
Protect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/ReputationProtect the data - Cyber security - Breaches - Brand/Reputation
Protect the data - Cyber security - Breaches - Brand/Reputation
 
Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2Advanced malware analysis training session3 botnet analysis part2
Advanced malware analysis training session3 botnet analysis part2
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
 
Data in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathonData in Motion - tech-intro-for-paris-hackathon
Data in Motion - tech-intro-for-paris-hackathon
 
IRJET- Ethical Hacking
IRJET- Ethical HackingIRJET- Ethical Hacking
IRJET- Ethical Hacking
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)
 
CompTIA Cybersecurity Analyst Certification Tips and Tricks
CompTIA Cybersecurity Analyst Certification Tips and TricksCompTIA Cybersecurity Analyst Certification Tips and Tricks
CompTIA Cybersecurity Analyst Certification Tips and Tricks
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
 
technical-information-gathering-slides.pdf
technical-information-gathering-slides.pdftechnical-information-gathering-slides.pdf
technical-information-gathering-slides.pdf
 
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
Cisco Connect 2018 Malaysia - Secure data center-building a secure zero-trus...
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagenullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
 
MITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfMITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdf
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 
IRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit FrameworkIRJET- A Study on Penetration Testing using Metasploit Framework
IRJET- A Study on Penetration Testing using Metasploit Framework
 
Penetration testing using metasploit framework
Penetration testing using metasploit frameworkPenetration testing using metasploit framework
Penetration testing using metasploit framework
 
Experiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data AccessExperiences in Mainframe-to-Splunk Big Data Access
Experiences in Mainframe-to-Splunk Big Data Access
 

Mehr von ReZa AdineH

Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخدادReview on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
ReZa AdineH
 
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
ReZa AdineH
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 

Mehr von ReZa AdineH (9)

MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
 
SIEM POC Assessment.pdf
SIEM POC Assessment.pdfSIEM POC Assessment.pdf
SIEM POC Assessment.pdf
 
Cover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
Cover of book Threat Intelligence for Threat Hunting;Written by Reza AdinehCover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
Cover of book Threat Intelligence for Threat Hunting;Written by Reza Adineh
 
Next generation Security Operation Center; Written by Reza Adineh
Next generation Security Operation Center; Written by Reza AdinehNext generation Security Operation Center; Written by Reza Adineh
Next generation Security Operation Center; Written by Reza Adineh
 
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخدادReview on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
 
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
علت ناکامی بسیاری از پروژههای مرکزعملیاتامنیت چیست ؟
 
Security monitoring log management-describe logstash,kibana,elastic slidshare
Security monitoring log management-describe logstash,kibana,elastic slidshareSecurity monitoring log management-describe logstash,kibana,elastic slidshare
Security monitoring log management-describe logstash,kibana,elastic slidshare
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 

Kürzlich hochgeladen

BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
Delhi Call girls
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
Kayode Fayemi
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
Sheetaleventcompany
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
Delhi Call girls
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
raffaeleoman
 

Kürzlich hochgeladen (20)

BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 93 Noida Escorts >༒8448380779 Escort Service
 
Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)Introduction to Prompt Engineering (Focusing on ChatGPT)
Introduction to Prompt Engineering (Focusing on ChatGPT)
 
If this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New NigeriaIf this Giant Must Walk: A Manifesto for a New Nigeria
If this Giant Must Walk: A Manifesto for a New Nigeria
 
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
No Advance 8868886958 Chandigarh Call Girls , Indian Call Girls For Full Nigh...
 
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docxANCHORING SCRIPT FOR A CULTURAL EVENT.docx
ANCHORING SCRIPT FOR A CULTURAL EVENT.docx
 
Presentation on Engagement in Book Clubs
Presentation on Engagement in Book ClubsPresentation on Engagement in Book Clubs
Presentation on Engagement in Book Clubs
 
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdfThe workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
The workplace ecosystem of the future 24.4.2024 Fabritius_share ii.pdf
 
Mathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptxMathematics of Finance Presentation.pptx
Mathematics of Finance Presentation.pptx
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
 
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, YardstickSaaStr Workshop Wednesday w/ Lucas Price, Yardstick
SaaStr Workshop Wednesday w/ Lucas Price, Yardstick
 
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
Re-membering the Bard: Revisiting The Compleat Wrks of Wllm Shkspr (Abridged)...
 
Air breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animalsAir breathing and respiratory adaptations in diver animals
Air breathing and respiratory adaptations in diver animals
 
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara ServicesVVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
VVIP Call Girls Nalasopara : 9892124323, Call Girls in Nalasopara Services
 
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
 
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptxMohammad_Alnahdi_Oral_Presentation_Assignment.pptx
Mohammad_Alnahdi_Oral_Presentation_Assignment.pptx
 
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night EnjoyCall Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
Call Girl Number in Khar Mumbai📲 9892124323 💞 Full Night Enjoy
 
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptxChiulli_Aurora_Oman_Raffaele_Beowulf.pptx
Chiulli_Aurora_Oman_Raffaele_Beowulf.pptx
 
Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510Thirunelveli call girls Tamil escorts 7877702510
Thirunelveli call girls Tamil escorts 7877702510
 
George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024George Lever - eCommerce Day Chile 2024
George Lever - eCommerce Day Chile 2024
 

MITRE-Module 3 Slides.pdf

  • 1. Module 3: Mapping to ATT&CK from Raw Data
  • 2. Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
  • 3. Mapping to ATT&CK from Raw Data ▪ So far, working from intel where activity has already been analyzed ▪ Analysis of techniques/behaviors directly from source data – Likely more information available at the procedure level – Not reinterpreting another analyst’s prose – Greater knowledge/expertise required to interpret intent/tactic ▪ Broad set of possible data can contain behaviors – Shell commands, malware, forensic disk images, packets ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 4. Process of Mapping to ATT&CK 0. Understand ATT&CK 1. Find the behavior 2. Research the behavior 3. Translate the behavior into a tactic 4. Figure out what technique applies to the behavior 5. Compare your results to other analysts ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 5. ipconfig /all sc.exe ln334656-pc create .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx Commands captured by Sysmon being run interactively via cmd.exe 10.2.13.44:32123 -> 128.29.32.4:443 128.29.32.4:443 -> 10.2.13.44:32123 Flows from malware in a sandbox HKLMSoftwareMicrosoftWindowsCurrentVersionRun HKLMSoftwareMicrosoftNetsh New reg keys during an incident 1. Find the Behavior ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 6. 2. Research the Behavior ▪ Can be similar to analysis of finished reporting for raw data ▪ May require expertise in the specific data type – Network, forensics, malware, Windows cmd line, etc ▪ May require multiple data sources, more context – Additional questions to responders/analysts ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 7. 2. Research the Behavior ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 8. 2. Research the Behavior .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – Can make some educated guesses, but not enough context File analysis: When recycler.exe is executed, it gives the following output: C:recycler.exe RAR 3.70 Copyright (c) 1993-2007 Alexander Roshal 22 May 2007 Shareware version Type RAR -? for help – Aha! Based on the analysis we can Google the flags to RAR and determine that it is being used to compress and encrypt the file ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 9. 2. Research the Behavior .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx And the file being compressed/encrypted is a Visio diagram, probably exfiltration ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 10. 3. Translate the Behavior into a Tactic ipconfig /all – Specific procedure only mapped to System Network Configuration Discovery – System Network Configuration Discovery -> Discovery ✅ – Seen being run via Sysmon -> Execution .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – We figured out researching this that “vsdx” is Visio data – Moderate confidence Exfiltration, commands around this could make clearer – Seen being run via Sysmon -> Execution ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 11. 4. Figure Out What Technique Applies ▪ Similar to working with finished reporting we may jump straight here – Procedure may map directly to Technique/Tactic – May have enough experience to compress steps ipconfig /all – Specific procedure in System Network Configuration Discovery (T1016) – Also Command-Line Interface (T1059) .recycler.exe a -hpfGzq5yKw C:$Recycle.Binold C:$Recycle.BinShockwave_network.vsdx – We figured out researching this that “a –hp” compresses/encrypts – Appears to be Data Compressed (T1002) and Data Encrypted (T1022) – Also Command-Line Interface (T1059) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 12. 4. Concurrent Techniques ▪ Don’t just think of what’s happening – think of how it’s happening ▪ Certain tactics commonly have concurrent techniques: – Execution – Defense Evasion – Collection ▪ Examples: – Data Compressed + Data Encrypted (2x Exfiltration) – Spearphishing Attachment + User Execution (Initial Access + Execution) – Data from Local System + Email Collection (2x Collection) – Process Discovery + Command-Line Interface (Discovery + Execution) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 13. 4. Different Types of Techniques ▪ Not all techniques are created equal! – Credit to Red Canary: https://www.redcanary.com/blog/avoiding-common-attack-pitfalls/ ▪ Some are specific – Rundll32 – Netsh Helper DLL ▪ Some are broad – Scripting – Obfuscated Files or Information ▪ Some capture “how” the behavior occurs – Masquerading – Data Transfer Size Limits – Automated Collection ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 14. 5. Compare Your Results to Other Analysts ▪ Same caveats about hedging biases ▪ May need a broader set of skills/experience to work with types of data Analyst 1 Analyst 2 • Packets • Malware/Reversing • Windows command line • Windows Events • Disk forensics • macOS/Linux ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 15. Pros/cons of Mapping from the Two Different Sources Step Raw Finished Find the behavior Nearly everything may be a behavior (not all ATT&CK) May be buried amongst prose, IOCs, etc Research the behavior May need to look at multiple sources, data types. May also be a known procedure May have more info/context, may also have lost detail in writing Translate the behavior into a tactic Have to map to adversary intent, need domain knowledge/expertise Often intent has been postulated by report author Figure out what technique applies to the behavior May have a procedure that maps straight to technique, or may require deep understanding to understand how accomplished May be as simple as a text match to description/procedure, or may be too vague to tell Compare your results to other analysts May need multiple analysts to cover all data sources More likely in a form where other analysts needed for coverage/hedge against bias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 16. Exercise 3: Working with raw data ▪ You’re going to be examining two tickets from a simulated incident ▪ Ticket 473822 – Series of commands interactively executed via cmd.exe on an end system ▪ Ticket 473845 – Pieces of a malware analysis of the primary RAT used in the incident ▪ Both tickets are at https://attack.mitre.org/training/cti under Exercise 3 ▪ Use whatever to record your results or download and edit ▪ Identify as many behaviors as possible ▪ Annotate the behaviors that are ATT&CK techniques ▪ Please pause. We suggest giving yourself 25 minutes for this exercise. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 17. Exercise Questions ▪ What questions would you have asked of your incident responders? ▪ What was easier/harder than working with finished reporting? ▪ What other types of data do you commonly encounter with behaviors? ▪ Did you notice any behaviors that you couldn’t find a technique for? ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 18. Going Over Exercise 3 (Ticket 473822) ipconfig /all arp -a echo %USERDOMAIN%%USERNAME% tasklist /v sc query systeminfo net group "Domain Admins" /domain net user /domain net group "Domain Controllers" /domain netsh advfirewall show allprofiles netstat -ano System Network Configuration Discovery (T1016) System Network Configuration Discovery (T1016) System Owner / User Discovery (T1033) Process Discovery (T1057) System Service Discovery (T1007) All are Execution - Command-Line Interface (T1059) System Information Discovery (T1082) Permission Groups Discovery (T1069) Account Discovery (T1087) Remote System Discovery (T1018) System Network Configuration Discovery (T1016) System Network Connections Discovery (T1049) Discovery ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 19. Going Over Exercise 3 (Ticket 473845) C2 protocol is base64 encoded commands over https. The RAT beacons every 30 seconds requesting a command. UPLOAD file (upload a file server->client) DOWNLOAD file (download a file client->server) SHELL command (runs a command via cmd.exe) PSHELL command (runs a command via powershell.exe) EXEC path (executes a PE at the path given via CreateProcess) SLEEP n (skips n beacons) 10.1.1.1:24123 -> 129.83.44.12:443 129.83.44.12:443 -> 10.1.1.1:24123 Copy C:winspoo1.exe -> C:WindowsSystem32winspool.exe HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunwinspool REG_SZ "C:WindowsSystem32winspool.exe" Execution - Command-Line Interface (T1059) Execution - Powershell (T1086) Execution - Execution through API (T1106) Command and Control - Commonly Used Port (T1043) Command and Control - Data Encoding (T1132) Command and Control - Standard Application Layer Protocol (T1071) Defense Evasion - Masquerading (T1036) Persistence - Registry Run Keys (T1060) Command and Control – Remote File Copy (T1105) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 20. From Raw Data to Finished Reporting with ATT&CK ▪ We’ve talked about augmenting reports with ATT&CK and analyzing data with ATT&CK, possibly in parallel with analysis for reporting ▪ If you are creating reporting with ATT&CK techniques, we recommend keeping the techniques with the related procedures for context – Allows other analysts to examine the mapping for themselves – Allows much easier capture of how a technique was done ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 21. Finished Reporting Examples During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all1’ via the Windows command shell2. 1. Discovery – System Network Configuration Discovery (T1016) 2. Execution – Command-Line Interface (T1059) System Network Configuration Discovery (T1016) and Command-Line Interface (T1059) - During operation Tangerine Yellow, the actors used Pineapple RAT to execute ‘ipconfig /all’ via the Windows command shell. Instead of Appendix C – ATT&CK Techniques ▪ System Network Configuration Discovery ▪ Command-Line Interface ▪ Hardware Additions ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.
  • 22. Process of Applying ATT&CK to CTI Understand ATT&CK Map data to ATT&CK Store & analyze ATT&CK-mapped data Make defensive recommendations from ATT&CK- mapped data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15. Module 1 Module 2 Module 3 Module 4 Module 5
  • 23. End of Module 3 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 19-01075-15.