My account

Warming Up. Using ATT&CK for Self Advancement


601
July 11, 2019

Introduction

Many blue teams are using MITRE ATT&CK for advancement in the maturity of their detection and response. Blue team’s arsenal of EDR tools, event logs, and triage tools are all opening up the story of what’s occurring on endpoints. However, anomalies are normal and these alerts and data sources need to be triaged to move forward with response actions or filtering. The ATT&CK project provides progressing defenders with a knowledge base and resources that can be used as tools to understand attacks and therefore the rules and methods for detection. Using ATT&CK for this personal reflection will help you advance in the world of cybersecurity.

Requirements

A lab running at least a single Windows 7 or Windows 10 host is critical to any defenders personal advancement. Moving forward without practice in a sandboxed lab environment will lead only to surface level understanding of the techniques. Using a non-sandboxed computer to test adversary techniques is not advised. I highly recommend, at a minimum, increasing the default logging settings (powershell, process command line, etc), installing and configuring sysmon, and having procmon running at all times.

How can ATT&CK Help?

Often referred by the community as a “framework” the creators of ATT&CK refer to it as a “knowledge base”. ATT&CK was created to track attacker techniques that would be used in adversary emulations. The “CK” in ATT&CK stands for “Common Knowledge”. Each tactic and technique covered in the ATT&CK knowledge base is held by MITRE as something that every defender should know.

Before you Begin

You must identify a place to keep your notes on each technique. A simple way to download every technique in a format for note taking is via the MITRE ATT&CK Navigator which has the ability to download the matrix to an xlsx format for excel. Additionally, SOC Prime provides an easy to navigate ATT&CK matrix view via the Threat Detection Marketplace which is available for free.

Attack Navigator:
https://mitre-attack.github.io/attack-navigator/enterprise/

Threat Detection Marketplace:
https://tdm.socprime.com/att-ck/

Here are some suggested notes to take:

  1. Write your own description of the technique.
  2. Keep a copy of POC code.
  3. Keep a copy of signatures written or detection ideas.
  4. Keep a copy (or link) to free & open source tools useful in investigating the technique post-compromise.
  5. Keep track of the most useful resources you’ve identified for each technique.
  6. Keep track of the experts who you found were most influential to your understanding.

General Guidance

1. Identify a Technique from the ATT&CK Matrix

The fastest and easiest method of using ATT&CK for self progression is to start diving into each technique and tactic listed in the ATT&CK matrix from left to right. This brute force approach will get you through each technique, however it may not be the most efficient to ensure that you’re maturing quickly in areas that matter the most.

Here are some realities of the ATT&CK techniques that should influence how you approach using it to guide learning:

  1. Some techniques are more difficult to comprehend and act on than others; you don’t want to get overwhelmed by complicated techniques.
  2. Some techniques are very specific and some are “broad”; I expand on this later.
  3. Some techniques are more commonly used by adversaries than others. For instance, techniques abusing .NET have become more common as blue teams have better posturing against powershell attacks.

Luckily Travis Smith from Tripwire has released a customized ATT&CK matrix based on his teaching experience that can be used to identify easier methods from more difficult. Don’t be afraid to skip and come back to a technique if you find certain techniques harder to comprehend.

Travis Smith’s Blog Post:
[https://www.tripwire.com/state-of-security/mitre-framework/using-attck-teacher/] Travis Smith’s Attack Navigator Customization:
[https://github.com/TravisFSmith/mitre_attack/tree/master/teaching]

Note: Keep in mind that as ATT&CK evolves these custom matrices may become outdated.

2. Read the ATT&CK Technique Page

Each technique listed in ATT&CK is generally more involved than the ~1,000 word summary MITRE provides. For instance, “drive by compromise” listed as the first technique in the top-left of the matrix is a very broad technique. Many methods that fit this technique exist such as targeting extensions, browser bugs, or operating system bugs. The detection and understanding of these methods can differ extremely. For instance, detecting a malicious flash file is different from detecting malicious javascript. A flash file exploit is likely contained in the SWF format and probably involves analyzing actionscript while a javascript based exploit is a plaintext file and likely targets the browser’s javascript engine.

The material MITRE provides on each ATT&CK page is a good introduction to the technique. It will generally provide you with the lingo and enough information to guide you in additional research. For many techniques reading the ATT&CK description will likely provide you with more questions than answers. This is a good thing.

Things to think about:
As you read the ATT&CK Technique Page you should keep the following in mind:

  1. What nouns are vague to me?
    a. I.E What is “Actionscript”.
  2. How many adversaries are listed as using this technique?
    a. Generally, the more adversaries are listed the more common and easy to abuse the technique may be.
  3. How specific is this technique?
    a. Some techniques are very specific that they may not involve as much additional research as a broad technique.
  4. What offensive tools are listed as being associated with this technique and are they open source or available for testing?

3. Study Resources (Research)

For each Technique there are an abundance of resources located at the bottom of the page. Generally, the resources will cover reporting on when adversaries used the technique in the past. These resources may or may not get into the technical details of the technique. The best resource which may be listed under the technique will generally be the original offensive research report or blog post.

Things to think about:
As you read the resources you should keep the following in mind:

  1. What nouns are vague to me?
    a. I.E What is “Actionscript”.
  2. Do the authors of this publication have github pages, blog posts, a twitter account, etc.
  3. What offensive tools are listed as being associated with this technique and are they open source or available for testing?
  4. Is there POC Code available?
  5. What prevention and detection mechanisms are brought forward by the researcher? Do they specifically call out the technique?
  6. What tools or techniques are available to detect this technique post-compromise?
  7. Have I covered all aspects of this technique? Are there additional methods of this technique that I haven’t covered?

4. Additional Resources (Research)

As ATT&CK is a common knowledge base, many resources exist from researchers that are not necessarily tied to ATT&CK. The resources may aggregate specific technique examples, identify specific detections, and publish offensive technique research.

Here are a few of my favorite resources that cover adversary techniques in ATT&CK and many link to additional resources:
Living of the Land Binaries and Scripts Project:
https://github.com/LOLBAS-Project/LOLBAS
Sean Metcalf’s Website & Blog:
https://adsecurity.org/
Roberto Rodriguez’s Threat-Hunter Playbook:
https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
SANS’ Posters:
https://digital-forensics.sans.org/community/posters
Casey Smith’s Blog:
http://subt0x11.blogspot.com/
Adam Hexacorn’s Blog:
http://www.hexacorn.com/blog/

Luckily for us, many of these techniques have also been explained by security researchers at conferences over the years. Here are a few classics:

Defending against PowerShell Attacks – Lee Holmes

Abusing Windows Management Instrumentation – Matt Graeber

Designing Active Directory DACL Backdoors – Andy Robbins and Will Schroeder

Things to think about:
See Step 3.

5. Conducting an Emulation (Emulate)

Note: Do not download emulation tools unless you own the network or have explicit permission. Emulation tools often flag by Anti-Virus and may contain exploits.

Emulating a technique in a sandboxed lab is great. Proof of Concept (POC) code provides defenders with a window into mastering the understanding of an attack. Many free emulation scripts and POC code exist and these toolsets provide a window into the technique in the form of boiled down code. Simply executing the code and watching the result is not enough. An attempt should be made to walk through the POC line-by-line to understand the technique. In addition, logs captured natively by the operating system, sysmon, and procmon should be reviewed. In some instances, capturing additional telemetry with tools such as wireshark, debuggers, API monitors, memory dumps, etc may be beneficial. In addition running forensics tools post emulation (such as those made available by Eric Zimmerman) may be beneficial depending on the technique.

Writing and testing the detection of that technique is another great way to understand the attack and the limitations and context of alerting on that event. Today, many rules are shared via SIGMA an open source signature format for SIEMs.

SOC Prime provides the Threat Detection Marketplace which consists of both emulations and rules for most of the techniques in ATT&CK. You can create an account for free and gain access to many rules for free(https://tdm.socprime.com/login/).

Some techniques can be incredibly difficult to understand or replicate without advanced training and experience. It is normal, even after conducting an emulation, understanding, or even writing your own code; to not completely understand what is happening. If you’ve made it this far and have lingering questions, reaching out to mentors or researchers directly may be useful.

Things to think about:
As you read the resources you should keep the following in mind:

  1. Can I change / alter the POC to bypass detection?
  2. Are there additional POCs available that fit in this technique but use a different method?

Limitations

Time
The time from discovery or request for a new technique to be published to the technique being published can take several months. Alternatives like following researchers on twitter is a great way to get ahead of the game. However, separating signal from noise with the deluge of information that is shared can be a daunting task.

Depth
Not all topics applicable to cybersecurity are covered by ATT&CK techniques. For instance, one is probably not going to learn about the intricacies of use-after-free based exploits. Looking at other frameworks and knowledge bases such as the MITRE’s Common Weaknesses Enumeration can assist here.

Adam Swan

Adam Swan

Senior Threat Hunting Engineer at SOC Prime
Adam Swan

Latest posts by Adam Swan (see all)

Related Posts