Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at tamp-ck for detection analysis amp defense

Adam Pennington
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE
ATT&CK™ for Detection, Analysis & Defense
slideshare.net/AdamPennington4/rhisac-summit-2019-adam-pennington-leveraging-mitre-attck-for-detection-analysis-defense
1. 1. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution
unlimited 19-01075-9. Leveraging MITRE ATT&CK™ for Detection, Analysis & Defense | 1 | Adam Pennington
@_whatshisface MITRE ATT&CK @MITREattack
2. 2. Poll Question: How familiar are you with MITRE ATT&CK?  I’ve never heard of it, just picked a random talk
 I’ve heard about it, never really used it  I’ve played with some tactics and techniques  I’m an ATT&CK
master ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution
unlimited 19-01075-9. | 2 |
3. 3. Agenda  ATT&CK basics  ATT&CK use cases – Cyber threat intelligence – Adversary emulation –
Detection and Analytics – Assessments and Engineering  Takeaways  Q&A/Discussion ©2019 The MITRE
Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9. | 3 |
4. 4. Tough Questions for Defenders  How effective are my defenses?  Do I have a chance at detecting APT29?
 Is the data I’m collecting useful?  Do I have overlapping tool coverage?  Will this new product help my
organization’s defenses? | 4 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public
release. Distribution unlimited 19-01075-9.
5. 5. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution
unlimited 19-01075-9. | 5 | What is ? A knowledge base of adversary behavior  Based on real-world
observations  Free, open, and globally accessible  A common language  Community-driven
6. 6. The Difficult Task of Detecting TTPs Source: David Bianco, https://detect-
respond.blogspot.com/2013/03/the-pyramid-of-pain.html David Bianco’s Pyramid of Pain ©2019 The MITRE
Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
1/15

7. 7. Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe
Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service Resource
Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation
Command and Control Commonly Used Port Communication Through Removable Media Connection Proxy
Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation
Domain Fronting Domain Generation Algorithms Fallback Channels Multiband Communication Multi-hop
Proxy Multilayer Encryption Multi-Stage Channels Port Knocking Remote Access Tools Remote File Copy
Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol
Uncommonly Used Port Web Service Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data
Transfer Size Limits Exfiltration Over Other Network Medium Exfiltration Over Command and Control Channel
Exfiltration Over Alternative Protocol Exfiltration Over Physical Medium Scheduled Transfer Collection Audio
Capture Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data
from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the
Browser Screen Capture Video Capture Lateral Movement AppleScript Application Deployment Software
Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the
Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media
Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows
Remote Management Credential Access Discovery Network Sniffing Account Manipulation Account Discovery
Bash History Application Window DiscoveryBrute Force Credential Dumping Browser Bookmark
DiscoveryCredentials in Files Credentials in Registry Domain Trust Discovery Exploitation for Credential Access
File and Directory Discovery Network Service Scanning Forced Authentication Network Share Discovery
Hooking Password Policy Discovery Input Capture Peripheral Device Discovery Input Prompt Permission Groups
Discovery Kerberoasting Process Discovery Keychain Query Registry LLMNR/NBT-NS Poisoning and Relay
Remote System Discovery Security Software Discovery Password Filter DLL System Information
DiscoveryPrivate Keys Securityd Memory System Network Configuration Discovery Two-Factor Authentication
Interception System Network Connections Discovery System Owner/User Discovery System Service Discovery
System Time Discovery Virtualization/Sandbox Evasion Execution Persistence Privilege Escalation Defense
Evasion Scheduled Task Binary Padding Launchctl Access Token Manipulation Local Job Scheduling Bypass
User Account Control LSASS Driver Extra Window Memory Injection Trap Process Injection AppleScript DLL
Search Order Hijacking CMSTP Image File Execution Options Injection Command-Line Interface Plist
Modification Compiled HTML File Valid Accounts Control Panel Items Accessibility Features BITS Jobs Dynamic
Data Exchange AppCert DLLs Clear Command History Execution through API AppInit DLLs CMSTP Execution
through Module Load Application Shimming Code Signing Dylib Hijacking Compiled HTML File Exploitation for
Client Execution File System Permissions Weakness Component Firmware Hooking Component Object Model
HijackingGraphical User Interface Launch Daemon InstallUtil New Service Control Panel Items Mshta Path
Interception DCShadow PowerShell Port Monitors Deobfuscate/Decode Files or InformationRegsvcs/Regasm
Service Registry Permissions Weakness Regsvr32 Setuid and Setgid Disabling Security Tools Rundll32 Startup
Items DLL Side-Loading Scripting Web Shell Execution Guardrails Service Execution .bash_profile and .bashrc
Exploitation for Privilege Escalation Exploitation for Defense Evasion Signed Binary Proxy Execution Account
Manipulation Authentication Package SID-History Injection File Deletion Signed Script Proxy Execution BITS
Jobs Sudo File Permissions ModificationBootkit Sudo Caching Source Browser Extensions File System Logical
Offsets Space after Filename Change Default File Association Gatekeeper Bypass Third-party Software Group
Policy Modification Trusted Developer Utilities Component Firmware Hidden Files and Directories User
Execution Component Object Model Hijacking Hidden Users Windows Management Instrumentation Hidden
Window Create Account HISTCONTROL Windows Remote Management External Remote Services Indicator
Blocking Hidden Files and Directories Indicator Removal from ToolsXSL Script Processing Hypervisor Kernel
Modules and Extensions Indicator Removal on Host Indirect Command Execution Launch Agent Install Root
Certificate LC_LOAD_DYLIB Addition InstallUtil Login Item Launchctl Initial Access Drive-by Compromise
Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through
Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain
Compromise Trusted Relationship Valid Accounts Breaking Down ATT&CK Tactics: the adversary’s technical
goals Techniques:howthegoalsare achieved | 7 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED.
Approved for public release. Distribution unlimited 19-01075-9. Procedures: Specific technique implementation
2/15

8. 8. Technique: Spearphishing Attachment ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved
for public release. Distribution unlimited 19-01075-9. | 8 |
12. 12. Group: APT29 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release.
Distribution unlimited 19-01075-9. | 12 |
15. 15. ATT&CK Use Cases | 15 | Threat Intelligence processes = search Process:Create reg = filter processes where
(exe == "reg.exe" and parent_exe == "cmd.exe") cmd = filter processes where (exe == "cmd.exe" and parent_exe
!= "explorer.exe"") reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname ==
cmd.hostname) output reg_and_cmd Detection Adversary Emulation Assessment and Engineering ©2019 The
MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
Use ATT&CK for Adversary Emulation and Red Teaming The best defense is a well-tested defense. ATT&CK
provides a common adversary behavior framework based on threat intelligence that red teams can use to emulate
specic threats. This helps cyber defenders nd gaps in visibility, defensive tools, and processes—and then x
them. Legend Low Priority High Priority Finding Gaps in Defense Spearphishing Link Spearphishing via Service
Supply Chain Compromise Trusted Relationship Valid Accounts Execution through API Execution through
Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job
Scheduling LSASS Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting
Service Execution Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename
Third-party Software Trap Trusted Developer Utilities User Execution Windows Management Instrumentation
Windows Remote Management XSL Script Processing Authentication Package BITS Jobs Bootkit Browser
Extensions Change Default File Association Component Firmware Component Object Model Hijacking Create
Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions W
eakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel
Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job
Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service
Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-
opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security
Support Provider Service Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust
Provider Hijacking Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web
Shell Windows Management Instrumentation Event Subscription Winlogon Helper DLL DLL Search Order
Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection File System
Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New Service Path
Interception Plist Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions
Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell
Code Signing Compile After Delivery Compiled HTML File Component Firmware Component Object Model
Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools
DLL Search Order Hijacking DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion Extra
Window Memory Injection File Deletion File Permissions Modification File System Logical Of fsets Gatekeeper
Bypass Group Policy Modification Hidden Files and Directories Hidden Users Hidden Window HISTCONTROL
Image File Execution Options Injection Indicator Blocking Indicator Removal from Tools Indicator Removal on
Host Indirect Command Execution Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking
Masquerading Modify Registry Mshta Network Share Connection Removal NTFS File Attributes Obfuscated Files
or Information Plist Modification Port Knocking Process Doppelgänging Process Hollowing Process Injection
Redundant Access Regsvcs/Regasm Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed
3/15

Script Proxy Execution SIP and Trust Provider Hijacking Software Packing Space after Filename Template
Injection Timestomp Trusted Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service
XSL Script Processing Exploitation for Credential Access Forced Authentication Hooking Input Capture Input
Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL
Private Keys Securityd Memory Two-Factor Authentication Interception Network Share Discovery Network Snif
fing Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery
Query Registry Remote System Discovery Security Software Discovery System Information Discovery System
Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery System
Service Discovery System Time Discovery Virtualization/Sandbox Evasion Pass the Ticket Remote Desktop
Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH
Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote Management
Data from Removable Media Data Staged Email Collection Input Capture Man in the Browser Screen Capture
Video Capture Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop
Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access
Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-
Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium Scheduled Transfer Firmware Corruption Inhibit System Recovery Network
Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation
Transmitted Data Manipulation AppleScript Application Deployment Software Distributed Component Object
Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol
Remote File Copy Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint
Shared Content Third-party Software Windows Admin Shares Windows Remote Management Commonly Used
Port Communication Through Removable Media Connection Proxy Custom Command and Control Protocol
Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain Generation
Algorithms Fallback Channels Multiband Communication Multi-hop Proxy Multilayer Encryption Multi-Stage
Channels Port Knocking Remote Access Tools Remote File Copy Standard Application Layer Protocol Standard
Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port Web Service
Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Other
Network Medium Exfiltration Over Command and Control Channel Exfiltration Over Alternative Protocol
Exfiltration Over Physical Medium Scheduled Transfer Data Destruction Data Encrypted for Impact Defacement
Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System
Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data
Manipulation Transmitted Data Manipulation Audio Capture Automated Collection Clipboard Data Data from
Information Repositories Data from Local System Data from Network Shared Drive Data from Removable Media
Data Staged Email Collection Input Capture Man in the Browser Screen Capture Video Capture Drive-by
Compromise Exploit Public-Facing Application External Remote Services Hardware Additions Replication
Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply
Chain Compromise Trusted Relationship Valid Accounts AppleScript CMSTP Command-Line Interface
Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through
Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Mshta PowerShell
Regsvcs/Regasm Regsvr32 Rundll32 Scripting Service Execution Signed Binary Proxy Execution Signed Script
Proxy Execution Source Space after Filename Third-party Software Trusted Developer Utilities DLL Search
Order Hijacking Image File Execution Options Injection Plist Modification Valid Accounts Accessibility Features
AppCert DLLs AppInit DLLs Application Shimming Dylib Hijacking File System Permissions Weakness Hooking
Launch Daemon New Service Path Interception Port Monitors Service Registry Permissions Weakness Setuid
and Setgid Startup Items Web Shell .bash_profile and .bashrc Account Manipulation Authentication Package
BITS Jobs Bootkit Browser Extensions Change Default File Association Component Firmware BITS Jobs Clear
Command History CMSTP Code Signing Compiled HTML File Component Firmware Component Object Model
Hijacking Control Panel Items DCShadow Deobfuscate/Decode Files or Information Disabling Security Tools
DLL Side-Loading Execution Guardrails Exploitation for Defense Evasion File Deletion File Permissions
Modification File System Logical Offsets Gatekeeper Bypass Group Policy Modification Hidden Files and
Directories Hidden Users Exploitation for Privilege Escalation SID-History Injection Sudo Sudo Caching
Scheduled Task Binary Padding Network Sniffing Launchctl Local Job Scheduling LSASS Driver Trap Access
4/15

Token Manipulation Bypass User Account Control Extra Window Memory Injection Process Injection Account
Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry
Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting
Keychain LLMNR/NBT-NS Poisoning and Relay Password Filter DLL Private Keys Securityd Memory Two-
Factor Authentication Interception Account Discovery Application Window Discovery Browser Bookmark
Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share
Discovery Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process
Discovery Query Discovery Remote System Discovery Security Software Discovery System Information Discovery
System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery
System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Use ATT&CK for Cyber Threat
Intelligence Cyber threat intelligence comes from many sources, including knowledge of past incidents,
commercial threat feeds, information-sharing groups, government threat-sharing programs, and more. ATT&CK
gives analysts a common language to communicate across reports and organizations, providing a way to
structure, compare, and analyze threat intelligence. Use ATT&CK to Build Your Defensive Platform ATT&CK
includes resources designed to help cyber defenders develop analytics that detect the techniques used by an
adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create
a comprehensive set of analytics to detect threats. Get Started with ATT&CK Legend APT28 APT29 Both
Comparing APT28 to APT29 analytics. Check out our w ebsite at attack.mitre.org for more information on how
each technique can be det ected, and adversary examples you can use to start detecting adversary behavior with
ATT&CK. You can visualize how your own data sources map to adversary behavior with ATT&CK. Read our blog
post at bit.ly/ATT learn how we generated this diagram, check out the code, and begin building your own
diagrams from ATT&CK conten Initial Access Drive-by Compromise Exploit Public-Facing Application External
Remote Services Hardware Additions Replication Through Removable Media Spearphishing Attachment
Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted Relationship Valid Accounts
Execution AppleScript CMSTP Command-Line Interface Compiled HTML File Control Panel Items Dynamic
Data Exchange Execution through API Execution through Module Load Exploitation for Client Execution
Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS Driver Mshta PowerShell
Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution Signed Binary Proxy Execution
Signed Script Proxy Execution Source Space after Filename Third-party Software Trap Trusted Developer
Utilities User Execution Windows Management Instrumentation Windows Remote Management XSL Script
Processing Persistence .bash_profile and .bashrc Accessibility Features Account Manipulation AppCert DLLs
AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change
Default File Association Component Firmware Component Object Model Hijacking Create Account DLL Search
Order Hijacking Dylib Hijacking External Remote Services File System Permissions W eakness Hidden Files and
Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch
Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts
LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path
Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant
Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service
Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking
Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows
Management Instrumentation Event Subscription Winlogon Helper DLL Privilege Escalation Access Token
Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account
Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window
Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch
Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task
Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo
Caching Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs
Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled
HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow
Deobfuscate/Decode Files or Information Disabling Security Tools DLL Search Order Hijacking DLL Side-
Loading Execution Guardrails Exploitation for Defense Evasion Extra Window Memory Injection File Deletion
File Permissions Modification File System Logical Of fsets Gatekeeper Bypass Group Policy Modification Hidden
5/15

Files and Directories Hidden Users Hidden Window HISTCONTROL Image File Execution Options Injection
Indicator Blocking Indicator Removal from Tools Indicator Removal on Host Indirect Command Execution
Install Root Certificate InstallUtil Launchctl LC_MAIN Hijacking Masquerading Modify Registry Mshta Network
Share Connection Removal NTFS File Attributes Obfuscated Files or Information Plist Modification Port
Knocking Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm
Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and
Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted
Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing
Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files
Credentials in Registry Exploitation for Credential Access Forced Authentication Hooking Input Capture Input
Prompt Kerberoasting Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL
Private Keys Securityd Memory Two-Factor Authentication Interception Discovery Account Discovery
Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and Directory
Discovery Network Service Scanning Network Share Discovery Network Snif fing Password Policy Discovery
Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote System
Discovery Security Software Discovery System Information Discovery System Network Configuration Discovery
System Network Connections Discovery System Owner/User Discovery System Service Discovery System Time
Discovery Virtualization/Sandbox Evasion Lateral Movement AppleScript Application Deployment Software
Distributed Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the
Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media
Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows
Remote Management Collection Audio Capture Automated Collection Clipboard Data Data from Information
Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged
Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command And Control
Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and
Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain
Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication
Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy Standard Application Layer
Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol Uncommonly Used Port
Web Service Exfiltration Automated Exfiltration Data Compressed Data Encrypted Data Transfer Size Limits
Exfiltration Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other
Network Medium Exfiltration Over Physical Medium Scheduled Transfer Impact Data Destruction Data
Encrypted for Impact Defacement Disk Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware
Corruption Inhibit System Recovery Network Denial of Service Resource Hijacking Runtime Data Manipulation
Service Stop Stored Data Manipulation Transmitted Data Manipulation Initial Access Drive-by Compromise
Exploit Public-Facing Application External Remote Services Hardware Additions Replication Through
Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain
Compromise Trusted Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface
Compiled HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through
Module Load Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job
Scheduling LSASS Driver Mshta PowerShell Persistence .bash_profile and .bashrc Accessibility Features Account
Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit
Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking
Create Account DLL Search Order Hijacking Dylib Hijacking Privilege Escalation Access Token Manipulation
Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account Control DLL
Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window Memory Injection
File System Permissions W eakness Hooking Image File Execution Options Injection Launch Daemon New
Service Path Interception Defense Evasion Access Token Manipulation Binary Padding BITS Jobs Bypass User
Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled HTML File
Component Firmware Component Object Model Hijacking Control Panel Items DCShadow Deobfuscate/Decode
Files or Information Disabling Security Tools DLL Search Order Hijacking Credential Access Account
Manipulation Bash History Brute Force Credential Dumping Credentials in Files Credentials in Registry
Exploitation for Credential Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting
6/15

Keychain LLMNR/NBT -NS Poisoning and Relay Network Snif fing Password Filter DLL Discovery Account
Discovery Application Window Discovery Browser Bookmark Discovery Domain Trust Discovery File and
Directory Discovery Network Service Scanning Network Share Discovery Network Snif fing Password Policy
Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query Registry Remote
System Discovery Security Software Discovery System Information Discovery Lateral Movement AppleScript
Application Deployment Software Distributed Component Object Model Exploitation of Remote Services Logon
Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy Remote Services Replication
Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content Third-party Software Windows
Admin Shares Collection Audio Capture Automated Collection Clipboard Data Data from Information
Repositories Data from Local System Data from Network Shared Drive Data from Removable Media Data Staged
Email Collection Input Capture Man in the Browser Screen Capture Video Capture Command And Control
Commonly Used Port Communication Through Removable Media Connection Proxy Custom Command and
Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation Domain Fronting Domain
Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels Multiband Communication
Multilayer Encryption Port Knocking Remote Access Tools Exfiltration Automated Exfiltration Data Compressed
Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over Command and
Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium Scheduled
Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk Structure
Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of Service
Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data
Manipulation ob sta Use ATT&CK to Build Your Defensive Platform ATT&CK includes resources designed to help
cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence
included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to
detect threats. Legend APT28 APT29 Both Legend Low Priority High Priority Comparing APT28 to APT29
Finding Gaps in Defense Exploit Public-Facing Application External Remote Services Hardware Additions
Replication Through Removable Media Spearphishing Attachment Spearphishing Link Spearphishing via Service
Supply Chain Compromise Trusted Relationship Valid Accounts CMSTP Command-Line Interface Compiled
HTML File Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load
Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS
Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution
Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software
Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote
Management XSL Script Processing Accessibility Features Account Manipulation AppCert DLLs AppInit DLLs
Application Shimming Authentication Package BITS Jobs Bootkit Browser Extensions Change Default File
Association Component Firmware Component Object Model Hijacking Create Account DLL Search Order
Hijacking Dylib Hijacking External Remote Services File System Permissions W eakness Hidden Files and
Directories Hooking Hypervisor Image File Execution Options Injection Kernel Modules and Extensions Launch
Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job Scheduling Login Item Logon Scripts
LSASS Driver Modify Existing Service Netsh Helper DLL New Service Office Application Startup Path
Interception Plist Modification Port Knocking Port Monitors Rc.common Re-opened Applications Redundant
Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security Support Provider Service
Registry Permissions Weakness Setuid and Setgid Shortcut Modification SIP and Trust Provider Hijacking
Startup Items System Firmware Systemd Service Time Providers Trap Valid Accounts Web Shell Windows
Management Instrumentation Event Subscription Winlogon Helper DLL Accessibility Features AppCert DLLs
AppInit DLLs Application Shimming Bypass User Account Control DLL Search Order Hijacking Dylib Hijacking
Exploitation for Privilege Escalation Extra Window Memory Injection File System Permissions W eakness
Hooking Image File Execution Options Injection Launch Daemon New Service Path Interception Plist
Modification Port Monitors Process Injection Scheduled Task Service Registry Permissions Weakness Setuid and
Setgid SID-History Injection Startup Items Sudo Sudo Caching Valid Accounts Web Shell Binary Padding BITS
Jobs Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery
Compiled HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow
7/15

Knocking Process Doppelgänging Process Hollowing Process Injection Redundant Access Regsvcs/Regasm
Regsvr32 Rootkit Rundll32 Scripting Signed Binary Proxy Execution Signed Script Proxy Execution SIP and
Trust Provider Hijacking Software Packing Space after Filename Template Injection Timestomp Trusted
Developer Utilities Valid Accounts Virtualization/Sandbox Evasion Web Service XSL Script Processing Bash
History Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential
Access Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS
Poisoning and Relay Network Snif fing Password Filter DLL Private Keys Securityd Memory Two-Factor
Authentication Interception Application Window Discovery Browser Bookmark Discovery Domain Trust
Discovery File and Directory Discovery Network Service Scanning Network Share Discovery Network Snif fing
Password Policy Discovery Peripheral Device Discovery Permission Groups Discovery Process Discovery Query
Registry Remote System Discovery Security Software Discovery System Information Discovery System Network
Configuration Discovery System Network Connections Discovery System Owner/User Discovery System Service
Discovery System Time Discovery Virtualization/Sandbox Evasion Application Deployment Software Distributed
Component Object Model Exploitation of Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote
Desktop Protocol Remote File Copy Remote Services Replication Through Removable Media Shared Webroot
SSH Hijacking Taint Shared Content Third-party Software Windows Admin Shares Windows Remote
Management Automated Collection Clipboard Data Data from Information Repositories Data from Local System
Data from Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man
in the Browser Screen Capture Video Capture Communication Through Removable Media Connection Proxy
Custom Command and Control Protocol Custom Cryptographic Protocol Data Encoding Data Obfuscation
Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop Proxy Multi-Stage Channels
Multiband Communication Multilayer Encryption Port Knocking Remote Access Tools Remote File Copy
Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-Application Layer Protocol
Uncommonly Used Port Web Service Data Compressed Data Encrypted Data Transfer Size Limits Exfiltration
Over Alternative Protocol Exfiltration Over Command and Control Channel Exfiltration Over Other Network
Medium Exfiltration Over Physical Medium Scheduled Transfer Data Encrypted for Impact Defacement Disk
Content Wipe Disk Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery
Network Denial of Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data
Manipulation Transmitted Data Manipulation Initial Access Drive-by Compromise Exploit Public-Facing
Application External Remote Services Hardware Additions Replication Through Removable Media
Spearphishing Attachment Spearphishing Link Spearphishing via Service Supply Chain Compromise Trusted
Relationship Valid Accounts Execution AppleScript CMSTP Command-Line Interface Compiled HTML File
Control Panel Items Dynamic Data Exchange Execution through API Execution through Module Load
Exploitation for Client Execution Graphical User Interface InstallUtil Launchctl Local Job Scheduling LSASS
Driver Mshta PowerShell Regsvcs/Regasm Regsvr32 Rundll32 Scheduled Task Scripting Service Execution
Signed Binary Proxy Execution Signed Script Proxy Execution Source Space after Filename Third-party Software
Trap Trusted Developer Utilities User Execution Windows Management Instrumentation Windows Remote
Management XSL Script Processing Persistence .bash_profile and .bashrc Accessibility Features Account
Manipulation AppCert DLLs AppInit DLLs Application Shimming Authentication Package BITS Jobs Bootkit
Browser Extensions Change Default File Association Component Firmware Component Object Model Hijacking
Create Account DLL Search Order Hijacking Dylib Hijacking External Remote Services File System Permissions
W eakness Hidden Files and Directories Hooking Hypervisor Image File Execution Options Injection Kernel
Modules and Extensions Launch Agent Launch Daemon Launchctl LC_LOAD_DYLIB Addition Local Job
Scheduling Login Item Logon Scripts LSASS Driver Modify Existing Service Netsh Helper DLL New Service
Office Application Startup Path Interception Plist Modification Port Knocking Port Monitors Rc.common Re-
opened Applications Redundant Access Registry Run Keys / Startup Folder Scheduled Task Screensaver Security
Support Provider Service Registry Permissions Weakness Setuid and Setgid Privilege Escalation Access Token
Manipulation Accessibility Features AppCert DLLs AppInit DLLs Application Shimming Bypass User Account
8/15

Control DLL Search Order Hijacking Dylib Hijacking Exploitation for Privilege Escalation Extra Window
Memory Injection File System Permissions W eakness Hooking Image File Execution Options Injection Launch
Daemon New Service Path Interception Plist Modification Port Monitors Process Injection Scheduled Task
Service Registry Permissions Weakness Setuid and Setgid SID-History Injection Startup Items Sudo Sudo
Caching Valid Accounts Web Shell Defense Evasion Access Token Manipulation Binary Padding BITS Jobs
Bypass User Account Control Clear Command History CMSTP Code Signing Compile After Delivery Compiled
HTML File Component Firmware Component Object Model Hijacking Control Panel Items DCShadow
Knocking Process Doppelgänging Process Hollowing Credential Access Account Manipulation Bash History
Brute Force Credential Dumping Credentials in Files Credentials in Registry Exploitation for Credential Access
Forced Authentication Hooking Input Capture Input Prompt Kerberoasting Keychain LLMNR/NBT -NS
Poisoning and Relay Network Snif fing Password Filter DLL Private Keys Securityd Memory Two-Factor
Authentication Interception Discovery Account Discovery Application Window Discovery Browser Bookmark
Discovery Domain Trust Discovery File and Directory Discovery Network Service Scanning Network Share
Discovery Network Snif fing Password Policy Discovery Peripheral Device Discovery Permission Groups
Discovery Process Discovery Query Registry Remote System Discovery Security Software Discovery System
Information Discovery System Network Configuration Discovery System Network Connections Discovery System
Owner/User Discovery System Service Discovery System Time Discovery Virtualization/Sandbox Evasion Lateral
Movement AppleScript Application Deployment Software Distributed Component Object Model Exploitation of
Remote Services Logon Scripts Pass the Hash Pass the Ticket Remote Desktop Protocol Remote File Copy
Remote Services Replication Through Removable Media Shared Webroot SSH Hijacking Taint Shared Content
Third-party Software Windows Admin Shares Windows Remote Management Collection Audio Capture
Automated Collection Clipboard Data Data from Information Repositories Data from Local System Data from
Network Shared Drive Data from Removable Media Data Staged Email Collection Input Capture Man in the
Browser Screen Capture Video Capture Command And Control Commonly Used Port Communication Through
Removable Media Connection Proxy Custom Command and Control Protocol Custom Cryptographic Protocol
Data Encoding Data Obfuscation Domain Fronting Domain Generation Algorithms Fallback Channels Multi-hop
Proxy Multi-Stage Channels Multiband Communication Multilayer Encryption Port Knocking Remote Access
Tools Remote File Copy Standard Application Layer Protocol Standard Cryptographic Protocol Standard Non-
Application Layer Protocol Uncommonly Used Port Web Service Exfiltration Automated Exfiltration Data
Compressed Data Encrypted Data Transfer Size Limits Exfiltration Over Alternative Protocol Exfiltration Over
Command and Control Channel Exfiltration Over Other Network Medium Exfiltration Over Physical Medium
Scheduled Transfer Impact Data Destruction Data Encrypted for Impact Defacement Disk Content Wipe Disk
Structure Wipe Endpoint Denial of Service Firmware Corruption Inhibit System Recovery Network Denial of
Service Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted
Data Manipulation malwarereve net work device logs network intrusion detection system ssl/tls inspection
system calls windowseventlogs ocol compromise point denial of service network denial of service obfuscated files
or information remote access tools spearphishing attachment standard non-application layer protocoltemplate
injection domain fronting drive-by compromise endpoint denial of service install root certificate obfuscated files
or information spearphishing link spearphishing via service standard cryptographic protocol web service
applescript application shimming browser extensions bypass user account control exploitation for client
execution hypervisor kernel modules and extensions keychain rootkit account manipulation bits jobs cm stp em s
16. 16. Poll Question: What use case is most important to you?  Threat intelligence  Detection  Adversary
Emulation  Assessment and Engineering ©2019 The MITRE Corporation. ALL RIGHTS RESERVED.
Approved for public release. Distribution unlimited 19-01075-9. | 16 |
17. 17. Threat Intelligence | 17 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public
9/15

18. 18. Communicate to Defenders | 11 | CTI Analyst Defender Registry Run Keys / Startup Folder (T1060) THIS is
what the adversary is doing! The Run key is AdobeUpdater. Oh, we have Registry data, we can detect that! ©2019
The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-
01075-9.
19. 19. Communicate Across the Community ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved
for public release. Distribution unlimited 19-01075-9. | 12 | CTI Consumer Registry Run Keys / Startup Folder
(T1060) Oh, you mean T1060! APT1337 is using autorun FUZZYDUCK used a Run key Company A Company B
20. 20. APT28 Techniques* | 20 | *from open source reporting we’ve mapped Initial Access Execution Persistence
Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration
Command and Control ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release.
Distribution unlimited 19-01075-9.
21. 21. APT29 Techniques | 21 | Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential
Access Discovery Lateral Movement Collection Exfiltration Command and Control ©2019 The MITRE
22. 22. Comparing APT28 and APT29 | 22 | Initial Access Execution Persistence Privilege Escalation Defense
Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control APT28
APT29 Both groups Prioritize! ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public
23. 23. Comparing APT28 and APT29 | 23 | Initial Access Execution Persistence Privilege Escalation Defense
Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control Overlay
known gaps APT28 APT29 Both groups ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved
for public release. Distribution unlimited 19-01075-9.
24. 24. Mapping ATT&CK Techniques https://www.nccgroup.trust/us/about-us/newsroom-and-
events/blog/2018/march/apt15-is-alive- and-strong-an-analysis-of-royalcli-and-royaldns/ Scripting (T1064)
Registry Run Keys / Startup Folder (T1060) Command-Line Interface (T1059) Process Discovery (T1057)
Remote System Discovery (T1018) System Network Connections Discovery (T1049) System Information
Discovery (T1082) System Network Configuration Discovery (T1016) Credential Dumping (T1003) Pass the
Ticket (T1097)Input Capture (T1056) Email Collection (T1114) | 24 | ©2019 The MITRE Corporation. ALL
RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
25. 25. Adversary Emulation | 25 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public
26. 26. Communicate Between Red and Blue | 11 | Red Team Blue Team I just used a Scheduled Task (T1053) to gain
Persistence. We just detected the red team performing T1053! ©2019 The MITRE Corporation. ALL RIGHTS
RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
27. 27. Maturing your red teams APT3 Adversary Emulation Field Manual | 27 | Category Built-in Windows Cobalt
Strike Metasploit Description Discovery T1082 ver shell ver Get the Windows OS version that's T1082 set shell
set get_env.rb Print all of the environment variables T1033 whoami /all /fo list shell whoami /all /fo list getuid
Get current user information, SID, domain, groups the user belongs to, T1082 net config workstation net config
server shell net config workstation Get computer name, username, OS software version, domain information,
T1016 ipconfig /all shell ipconfig ipconfig post/windows/gather/en Get information about the domain, network
adapters, DNS / WSUS T1082 systeminfo [/s COMPNAME] [/u DOMAINuser] [/p password] systemprofiler tool
if no access yet (victim browses to website) sysinfo, run winenum, get_env.rb Displays detailed configuration
information about a computer and its operating system, including T1012 reg query
"HKEY_LOCAL_MACHINESY STEMCurrentControlSetContr olTerminal Server" /v fDenyTSConnections shell
reg query "HKEY_LOCAL_MACHIN ESYSTEMCurrentContro lSetControlTerminal Server" /v reg queryval -k
"HKEY_LOCAL_MACH INESYSTEMCurrentC ontrolSetControlTermi nal Server" -v Check for the current
registry value for terminal services, if it's 0, then terminal services are enabled. If it's 1, then they're disabled
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited
19-01075-9.
10/15

28. 28. Develop intentional adversary emulation plans  Develop your own adversary emulation plan  Choose an
adversary that is important to you  Use ATT&CK to communicate findings and drive defenders to improve 
More info on developing plans: – ATT&CK Evaluations Methodology:
https://attackevals.mitre.org/methodology/round1/scope.html – Threat-based Purple Teaming with ATT&CK:
https://www.youtube.com/watch?v=OYEP- YAKIn0&index=3&list=PL7ZDZo2Xu332XUiwFHB5X-
tXfqIwVkg5l&t=0s – ATT&CKing the Status Quo: Threat-Based Adversary Emulation with MITRE ATT&CK:
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536260992.pdf | 28 | Gather
threat intel Extract techniques Analyze & organize Develop tools Emulate the adversary ©2019 The MITRE
29. 29. Detection | 29 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release.
30. 30. How ATT&CK Can Help  ATT&CK helps you with detection by… – Forcing you to think about post-exploit
activity – Orienting you towards detecting the top of the Pyramid of Pain – Giving you a framework to organize
your detections  Building out an ATT&CK-Based detection program… – Borrow from others – Develop a data
strategy – Develop a detection strategy – Write your own analytics | 30 | ©2019 The MITRE Corporation. ALL
RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
31. 31. Borrowing from others  There’s a large community of people doing ATT&CK for detection – What analytics
are they running and finding valuable? – Which of those can you run based on data you already have?  Look at
existing repositories, or talk to partner organizations – Cyber Analytics Repository (CAR): https://car.mitre.org/
– Endgame EQL Analytics Library: https://eqllib.readthedocs.io/en/latest/analytics.html – Sigma:
https://github.com/Neo23x0/sigma  With analytics organized around ATT&CK, you know what you’re
targeting | 31 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release.
32. 32. CAR Analytic: Access Permission Modification | 32 | https://car.mitre.org/analytics/CAR-2019-07-001
19-01075-9.
19-01075-9.
19-01075-9. Recently added to CAR: Splunk, Sigma, and EQL Implementations
19-01075-9.
36. 36. Sigma Analytic: “Suspicious WMI execution” ©2019 The MITRE Corporation. ALL RIGHTS RESERVED.
Approved for public release. Distribution unlimited 19-01075-9. | 36 |
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_wmi_execution.yml
37. 37. Sigma Analytic: “Suspicious WMI execution”  Convert to your query language  Conversion of “Suspicious
WMI execution” to ElasticSearch Query Strings with Winlogbeat ingested data: user$ sigmac --target es-qs -c
tools/config/winlogbeat.yml rules/windows/process_creation/win_susp_wmi_execution.yml
(winlog.event_data.Image.keyword:(*wmic.exe) AND winlog.event_data.CommandLine.keyword:
(*/NODE:*process call create * OR * path AntiVirusProduct get * OR * path FirewallProduct get * OR *
shadowcopy delete *)) ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release.
38. 38. Developing a Data Strategy  Develop a data strategy – What data sources are needed by the analytics you
want to run? – Host-based data is useful, but consider network data too (e.g. Bro/Zeek)  Example data sources
associated with ATT&CK techniques: – Windows registry – Process monitoring – Command-line parameters –
Network intrusion detection system – and more… | 38 | ©2019 The MITRE Corporation. ALL RIGHTS
39. 39. Developing a Data Strategy ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public
release. Distribution unlimited 19-01075-9. | 39 |
11/15

40. 40. Developing a Detection Strategy  Assess your detection coverage across ATT&CK – Consider starting with
one tactic and expanding from there – Choose a “coverage rating” that works for you:  1-5 based on quality or
number of detections  Low, Medium, High based on confidence you would detect that behavior  Remember
you’ll never get to 100% or “perfect” coverage! | 40 | Credit: Kyle Rainey and Red Canary
https://redcanary.com/blog/ avoiding-common-attack-pitfalls/ ©2019 The MITRE Corporation. ALL RIGHTS
41. 41. Developing a Detection Strategy | 41 | ATT&CK Navigator https://github.com/mitre-attack/attack-navigator
19-01075-9.
42. 42. Creating your own analytics  Look at the gaps in your detection that you can’t fill with existing content – Or,
look at incident data, red team successes, etc.  Leverage information in ATT&CK procedures  Use behavior
driven development (BDD) for detection | 42 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED.
Approved for public release. Distribution unlimited 19-01075-9.
43. 43. Leveraging Information in ATT&CK Procedures ©2019 The MITRE Corporation. ALL RIGHTS RESERVED.
Approved for public release. Distribution unlimited 19-01075-9. | 43 | • Could leverage directly as a search string
in your SIEM • Would require “Process command-line parameters” • Where safe, can emulate the attack and see
what’s generated
44. 44. Analytic Development Workflow Based on BDD Execute the attack Write search to detect malicious behavior
Revise to filter out false positives Ensure search detects malicious behavior Repeat with a different procedure
19-01075-9. | 44 | Based on Dan North’s Behavior Driven Development (BDD)
45. 45. Other Sources for Procedures to Test  References in ATT&CK Procedure Examples  Atomic Red Team –
https://atomicredteam.io/  Your own intelligence reporting  Creative red teaming ©2019 The MITRE
Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9. | 45 |
46. 46. Assessments and Engineering | 46 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved
for public release. Distribution unlimited 19-01075-9.
47. 47. How ATT&CK Can Help  ATT&CK helps you with security engineering by… – Giving you a common
language for detection, CTI, and adversary emulation – Increasing awareness of where you may need to accept
risk  Building out an ATT&CK-Based security engineering process… – Track what you’re doing now – Base
decisions on what and how you want to improve – Understand where defenses are sufficient, where progress is
being made, and where risk may need to be accepted | 47 | ©2019 The MITRE Corporation. ALL RIGHTS
48. 48. Track What You’re Doing Now  Interview your detection/ops team, CTI team, and red team – CTI: What
threats do we face and which techniques should we prioritize? – Detection: What techniques can we cover, and
which can’t we? – Red: What have we validated?  Examine your tools, documentation, and analytics – Tools:
Which data sources can we collect? – Documentation: Do policies and procedures help us with techniques? –
Analytics: What techniques can it detect? How much procedure coverage?  Look at how your overall ATT&CK
technique coverage fares – Are there gaps in either detection or validation? | 48 | ©2019 The MITRE
49. 49. Track What You’re Doing Now | 49 | Legend High Confidence of Detection Some Confidence of Detection
Low Confidence of Detection ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public
50. 50. Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery
Lateral Movement Collection Command and Control Exfiltration Impact Drive-by Compromise Scheduled Task
Binary Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data
Destruction Exploit Public-Facing Application Launchctl Access Token Manipulation Account Manipulation
Account Discovery ApplicationDeployment Software Automated Collection CommunicationThrough Removable
Media Data Compressed Data Encrypted for Impact Local Job Scheduling Bypass User Account Control Bash
History ApplicationWindow Discovery Clipboard Data Data Encrypted Defacement External Remote Services
LSASS Driver Extra Window Memory Injection Brute Force Distributed Component Object Model Data from
Information Repositories Connection Proxy Data Transfer Size Limits Disk Content Wipe Hardware Additions
Trap Process Injection Credential Dumping Browser Bookmark Discovery Custom Command and Control
Protocol ExfiltrationOver Other Network Medium Disk StructureWipe ReplicationThrough Removable Media
12/15

AppleScript DLL Search Order Hijacking Credentials in Files Exploitationof Remote Services Data from Local
System Endpoint Denial of Service CMSTP Image File Execution Options Injection Credentials in Registry
Domain Trust Discovery Data from Network Shared Drive Custom Cryptographic Protocol ExfiltrationOver
Command and Control Channel Firmware Corruption Spearphishing Attachment Command-LineInterface Plist
Modification Exploitationfor Credential Access File and Directory Discovery Logon Scripts Inhibit System
Recovery Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data
from Removable Media Data Encoding ExfiltrationOver Alternative Protocol Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network
Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking Supply Chain Compromise
Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote
Desktop Protocol Email Collection Domain Fronting ExfiltrationOver Physical Medium Runtime Data
Manipulation Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral
Device Discovery Remote File Copy Input Capture Domain Generation Algorithms Service Stop Valid Accounts
Execution through Module Load ApplicationShimming Code Signing Input Prompt Permission Groups Discovery
Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation Dylib Hijacking Compiled
HTML File Kerberoasting Process Discovery ReplicationThrough Removable Media Screen Capture Fallback
Channels Transmitted Data ManipulationExploitationfor Client Execution File System Permissions Weakness
Component Firmware Keychain Query Registry Video Capture Multiband Communication Hooking Component
Object Model Hijacking LLMNR/NBT-NS Poisoning and Relay Remote System Discovery Shared Webroot Multi-
hopProxy GraphicalUser Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer
Encryption InstallUtil New Service Control Panel Items Password Filter DLL System Information Discovery Taint
Shared Content Multi-Stage Channels Mshta Path Interception DCShadow Private Keys Third-partySoftware
Port Knocking PowerShell Port Monitors Deobfuscate/Decode Files or Information Securityd Memory System
Network Configuration Discovery Windows Admin Shares Remote Access Tools Regsvcs/Regasm Service
Registry Permissions Weakness Two-Factor Authentication Interception Windows Remote Management Remote
File Copy Regsvr32 Setuid and Setgid Disabling Security Tools System Network Connections Discovery Standard
ApplicationLayer ProtocolRundll32 Startup Items DLL Side-Loading Scripting Web Shell Execution Guardrails
System Owner/User Discovery Standard Cryptographic ProtocolService Execution .bash_profile and .bashrc
Exploitationfor PrivilegeEscalation Exploitationfor Defense EvasionSigned Binary Proxy Execution Account
Manipulation System Service Discovery Standard Non-Application Layer ProtocolAuthenticationPackage SID-
History Injection File Deletion System Time Discovery Signed Script Proxy Execution BITS Jobs Sudo File
Permissions Modification Virtualization/Sandbox Evasion Uncommonly Used Port Bootkit Sudo Caching Web
Service Source Browser Extensions File System Logical Offsets Space after Filename Change Default File
Association Gatekeeper Bypass Third-partySoftware Group Policy Modification Trusted Developer Utilities
Component Firmware Hidden Files and Directories User Execution Component Object Model Hijacking Hidden
Users Windows Management Instrumentation Hidden Window Create Account HISTCONTROL Windows
Remote Management External Remote Services Indicator Blocking Hidden Files and Directories Indicator
Removal from ToolsXSL Script Processing Hypervisor Kernel Modules and Extensions Indicator Removal on
Host Indirect Command Execution Launch Agent Install Root Certificate LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl Logon Scripts LC_MAIN Hijacking Modify Existing Service Masquerading Netsh Helper
DLL Modify Registry Office Application Startup Mshta Port Knocking Network Share Connection
RemovalRc.common Redundant Access NTFS File Attributes Registry Run Keys / Startup Folder Obfuscated
Files or Information Re-opened Applications Port Knocking Screensaver Process Doppelgänging Security
Support Provider Process Hollowing Shortcut Modification Redundant Access SIP and Trust Provider Hijacking
Regsvcs/Regasm Regsvr32 Decide Where To Improve Legend High Confidence of Detection Some Confidence of
Detection Low Confidence of Detection © 2019 The MITRE Corporation. All rights reserved. Prioritized
Technique Focus on Exploit Public-Facing Application and Data Content Wipe as they can have significant
impact to operations Command-Line Interface, Credential Dumping, and Standard Application Layer Protocol
are popular techniques and can give a big return on investment Startup Items, InstallUtil, and System Time
Discovery are used by threat actors most relevant to your network Existing logs can be used to detect Remote File
Copy and Data From Removable Media, making analytic development easier ©2019 The MITRE Corporation.
ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-9.
13/15

51. 51. Be Intentional About Improvements  Think about the best way to mitigate each gap – Maybe it’s a new
detection or data source – Maybe it’s a mitigation, new group policy, or new user training – Maybe the gap
shouldn’t be closed, and risk should be accepted  Validate any changes using adversary emulation | 51 | ©2019
01075-9.
52. 52. Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral
Movement Collection Command and Control Exfiltration Impact Drive-by Compromise Scheduled Task Binary
Padding Network Sniffing AppleScript Audio Capture Commonly Used Port Automated Exfiltration Data
Destruction Exploit Public-Facing Application Launchctl Access Token Manipulation Account Manipulation
Account Discovery ApplicationDeployment Software Automated Collection CommunicationThrough Removable
Media Data Compressed Data Encrypted for Impact Local Job Scheduling Bypass User Account Control Bash
History ApplicationWindow Discovery Clipboard Data Data Encrypted Defacement External Remote Services
LSASS Driver Extra Window Memory Injection Brute Force Distributed Component Object Model Data from
Information Repositories Connection Proxy Data Transfer Size Limits Disk Content Wipe Hardware Additions
Trap Process Injection Credential Dumping Browser Bookmark Discovery Custom Command and Control
Protocol ExfiltrationOver Other Network Medium Disk StructureWipe ReplicationThrough Removable Media
AppleScript DLL Search Order Hijacking Credentials in Files Exploitationof Remote Services Data from Local
System Endpoint Denial of Service CMSTP Image File Execution Options Injection Credentials in Registry
Domain Trust Discovery Data from Network Shared Drive Custom Cryptographic Protocol ExfiltrationOver
Command and Control Channel Firmware Corruption Spearphishing Attachment Command-LineInterface Plist
Modification Exploitationfor Credential Access File and Directory Discovery Logon Scripts Inhibit System
Recovery Spearphishing Link Compiled HTML File Valid Accounts Network Service Scanning Pass the Hash Data
from Removable Media Data Encoding ExfiltrationOver Alternative Protocol Network Denial of Service
Spearphishing via Service Control Panel Items Accessibility Features BITS Jobs Forced Authentication Network
Share Discovery Pass the Ticket Data Staged Data Obfuscation Resource Hijacking Supply Chain Compromise
Dynamic Data Exchange AppCert DLLs Clear Command History Hooking Password Policy Discovery Remote
Desktop Protocol Email Collection Domain Fronting ExfiltrationOver Physical Medium Runtime Data
Manipulation Trusted Relationship Execution through API AppInit DLLs CMSTP Input Capture Peripheral
Device Discovery Remote File Copy Input Capture Domain Generation Algorithms Service Stop Valid Accounts
Execution through Module Load ApplicationShimming Code Signing Input Prompt Permission Groups Discovery
Remote Services Man in the Browser Scheduled Transfer Stored Data Manipulation Dylib Hijacking Compiled
HTML File Kerberoasting Process Discovery ReplicationThrough Removable Media Screen Capture Fallback
Channels Transmitted Data ManipulationExploitationfor Client Execution File System Permissions Weakness
Component Firmware Keychain Query Registry Video Capture Multiband Communication Hooking Component
Object Model Hijacking LLMNR/NBT-NS Poisoning and Relay Remote System Discovery Shared Webroot Multi-
hopProxy GraphicalUser Interface Launch Daemon Security Software Discovery SSH Hijacking Multilayer
Encryption InstallUtil New Service Control Panel Items Password Filter DLL System Information Discovery Taint
Shared Content Multi-Stage Channels Mshta Path Interception DCShadow Private Keys Third-partySoftware
Port Knocking PowerShell Port Monitors Deobfuscate/Decode Files or Information Securityd Memory System
Network Configuration Discovery Windows Admin Shares Remote Access Tools Regsvcs/Regasm Service
Registry Permissions Weakness Two-Factor Authentication Interception Windows Remote Management Remote
File Copy Regsvr32 Setuid and Setgid Disabling Security Tools System Network Connections Discovery Standard
ApplicationLayer ProtocolRundll32 Startup Items DLL Side-Loading Scripting Web Shell Execution Guardrails
System Owner/User Discovery Standard Cryptographic ProtocolService Execution .bash_profile and .bashrc
Exploitationfor PrivilegeEscalation Exploitationfor Defense EvasionSigned Binary Proxy Execution Account
Manipulation System Service Discovery Standard Non-Application Layer ProtocolAuthenticationPackage SID-
History Injection File Deletion System Time Discovery Signed Script Proxy Execution BITS Jobs Sudo File
Permissions Modification Virtualization/Sandbox Evasion Uncommonly Used Port Bootkit Sudo Caching Web
Service Source Browser Extensions File System Logical Offsets Space after Filename Change Default File
Association Gatekeeper Bypass Third-partySoftware Group Policy Modification Trusted Developer Utilities
Component Firmware Hidden Files and Directories User Execution Component Object Model Hijacking Hidden
Users Windows Management Instrumentation Hidden Window Create Account HISTCONTROL Windows
Remote Management External Remote Services Indicator Blocking Hidden Files and Directories Indicator
14/15

Removal from ToolsXSL Script Processing Hypervisor Kernel Modules and Extensions Indicator Removal on
Host Indirect Command Execution Launch Agent Install Root Certificate LC_LOAD_DYLIB Addition InstallUtil
Login Item Launchctl Logon Scripts LC_MAIN Hijacking Modify Existing Service Masquerading Netsh Helper
DLL Modify Registry Office Application Startup Mshta Port Knocking Network Share Connection
RemovalRc.common Redundant Access NTFS File Attributes Registry Run Keys / Startup Folder Obfuscated
Files or Information Re-opened Applications Port Knocking Screensaver Process Doppelgänging Security
Support Provider Process Hollowing Shortcut Modification Redundant Access SIP and Trust Provider Hijacking
Regsvcs/Regasm Regsvr32 Be Intentional About Improvements Legend High Confidence of Detection Some
Confidence of Detection Low Confidence of Detection © 2019 The MITRE Corporation. All rights reserved.
Prioritized Technique ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release.
Distribution unlimited 19-01075-9. We’ll tackle Spearphishing Attachment and Spearphishing Link via new user
training Supply Chain Compromise and Component Firmware are beyond our capability and resources to stop or
detect, so we’ll accept the risk None of our existing tools have visibility into Command-Line Interface so we’ll
need to obtain something new
53. 53. Takeaways ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release.
Distribution unlimited 19-01075-9. | 53 | Organize, compare, and communicate your threat intelligence Move
your red team towards adversary emulation and purple teaming Orient your detections towards behaviors and
the top of the Pyramid Assess your current stance and engineer improvements Can help you
54. 54. | 31 | https://attack.mitre.org attack@mitre.org @MITREattack Adam Pennington @_whatshisface ©2019
01075-9.
15/15

Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at tamp-ck for detection analysis amp defense

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at tamp-ck for detection analysis amp defense

Ähnlich wie Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at tamp-ck for detection analysis amp defense (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at tamp-ck for detection analysis amp defense