Studying Adversarial Tactics, Techniques & Common Knowledge (ATT&CK). Enterprise Tactics. Part 1

Links to all parts:
Part 1. Initial Access
Part 2. Execution
Part 3. Persistence
Part 4. Privilege Escalation
Part 5. Defense Evasion
Part 6. Credential Access
Part 7. Discovery
Part 8. Lateral Movement
Part 9. Collection
Part 10. Exfiltration
Part 11. Command and Control

Initial Access


This post opens a series describing the main techniques attackers use at the various stages of an attack.
The material is a loose retelling of the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) matrices published by MITRE:



The author is not responsible for any consequences of applying the information presented, and apologizes for any inaccuracies in some of the wording and terms. By the way, this is my first attempt at publishing on Habr, so I hope for fair criticism.

We start with the largest matrix, the ATT&CK Matrix for Enterprise, which describes the most active and most dangerous phases of an attack on a corporate network:
- Initial Access;
- Execution;
- Persistence;
- Privilege Escalation;
- Defense Evasion;
- Credential Access;
- Discovery;
- Lateral Movement;
- Collection;
- Exfiltration;
- Command and Control.

The attacker's goal at the initial access stage is to deliver malicious code to the target system and ensure that it can subsequently be executed.

Drive-by Compromise (drive-by download)


System: Windows, Linux, macOS
Permissions: User
Description: The technique consists of the user opening, in a browser, a web resource on which the attacker has placed browser and plugin exploits, hidden frames, or malicious Java files that are then delivered to the system.

Security Tips: Use up-to-date browsers and plugins, and use anti-virus software. Microsoft recommends Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET). It is also worth considering whether blocking JavaScript execution in the browser is appropriate.

Exploit Public-Facing Application


System: Windows, Linux, macOS
Description: The technique involves exploiting known bugs, glitches and vulnerabilities in software that exposes open network ports (web servers, SSH and SMB2 services, database servers, etc.). The top 10 web application vulnerabilities are published by OWASP.

Security Recommendations: Use firewalls and network segmentation with a DMZ, follow secure software development guidance, and avoid the weaknesses documented by OWASP and CWE. Scan the external perimeter for vulnerabilities. Monitor application logs and traffic for abnormal behaviour.
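As an added illustration of the last recommendation (example code written for this edit, not from the original article or from MITRE), a small Python detector that reads web server access logs in the common log format and flags source addresses whose requests are mostly 4xx errors across several distinct paths, which is what perimeter probing usually looks like in application logs. The log lines and thresholds are constructed for the demo.

```python
import re
from collections import defaultdict

# Common log format: host, ident, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one ordinary visitor and one source that requests
# several non-existent paths in quick succession (scanner-like behaviour).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2019:13:55:40 +0000] "GET /about HTTP/1.1" 200 1024
198.51.100.9 - - [10/Oct/2019:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 162
198.51.100.9 - - [10/Oct/2019:13:56:01 +0000] "GET /backup/ HTTP/1.1" 404 162
198.51.100.9 - - [10/Oct/2019:13:56:02 +0000] "GET /old/ HTTP/1.1" 404 162
198.51.100.9 - - [10/Oct/2019:13:56:02 +0000] "GET /config/ HTTP/1.1" 404 162
198.51.100.9 - - [10/Oct/2019:13:56:03 +0000] "GET /index.html HTTP/1.1" 200 2326
"""


def parse_log(text):
    """Yield one dict per line that matches the common log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def find_scanning_sources(text, min_requests=4, min_error_ratio=0.5):
    """Return {ip: (requests, error_ratio, distinct_error_paths)} for sources
    whose share of 4xx responses is at least min_error_ratio over at least
    min_requests requests. Many 4xx answers across many different paths is a
    typical sign of perimeter probing rather than ordinary browsing."""
    totals = defaultdict(int)
    errors = defaultdict(int)
    error_paths = defaultdict(set)
    for rec in parse_log(text):
        totals[rec["ip"]] += 1
        if 400 <= rec["status"] < 500:
            errors[rec["ip"]] += 1
            error_paths[rec["ip"]].add(rec["path"])
    flagged = {}
    for ip, total in totals.items():
        ratio = errors[ip] / total
        if total >= min_requests and ratio >= min_error_ratio:
            flagged[ip] = (total, round(ratio, 2), len(error_paths[ip]))
    return flagged
```

In production the same logic would run over a sliding time window so that a slow, patient probe is also noticed.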

Hardware implants (Hardware Additions)


System: Windows, Linux, macOS
Description: Hardware implants can be built into computer accessories, network equipment, and computers themselves to give attackers initial access. Commercial and open-source products of this kind can provide embedded network connectivity, man-in-the-middle attacks for breaking encryption, keystroke injection, reading kernel memory via DMA, adding a new wireless network, etc.

Protection recommendations: Apply network access control policies such as device certificates and the 802.1X standard, limit DHCP to registered devices only, block network communication with unregistered devices, and block the installation of external devices using host protection (Endpoint Security agents that restrict device connections).

Replication through Removable Media


System: Windows
Description: The technique involves executing a malicious program via the Windows autorun feature. To deceive the user, a "legitimate" file can be modified or replaced beforehand and then copied onto a removable device by the attacker. The payload can also be implemented in the removable device's firmware or in the software used to initially format the media.

Security Tips: Disable autorun in Windows. Restrict the use of removable devices through the organization's security policy. Use anti-virus software.

Spearphishing Attachment


Description: Malware attached to phishing emails. The text of the email usually gives a plausible reason why the recipient should open the attached file.

Protection recommendations: Use network intrusion prevention systems (IPS) and anti-virus products designed to scan and remove malicious attachments in email. Set a policy that blocks unused attachment formats. Anti-phishing user training.

Spearphishing Link


Description: Links to download malware are sent in emails.

Security Tips: Checking the URLs in email can help find links to known malicious sites. Use network intrusion prevention systems (IPS) and anti-virus products. Anti-phishing user training.
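An added Python example (not part of the original article) of the URL check the recommendation mentions: it parses an email, collects every link in the HTML body, and reports links whose host is on a blocklist or whose visible text names a different host than the href actually points to. The blocklist entry and the message are constructed placeholders, not real indicators.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKLIST = {"bad.example.net"}  # constructed placeholder, not a real indicator
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[A-Za-z]{2,}(/\S*)?")  # text that looks like a URL


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_links(raw_message, blocklist=BLOCKLIST):
    """Return (href, reason) findings: blocklisted hosts, and visible text naming another host."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in collector.links:
            host = (urlparse(href).hostname or "").lower()
            if host in blocklist:
                findings.append((href, "host on blocklist"))
            if URL_LIKE.fullmatch(text):
                shown = urlparse(text if "://" in text else "http://" + text).hostname
                if shown and shown.lower() != host:
                    findings.append((href, f"text shows {shown} but links to {host}"))
    return findings


# Constructed sample: the visible text imitates the corporate portal, the href does not.
SAMPLE_EMAIL = """\
Subject: Action required
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your details at
<a href="http://bad.example.net/login">https://portal.corp.example.com</a>
or read the <a href="https://intranet.corp.example.com/policy">policy</a>.</p></body></html>
"""
```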

Spearphishing via Service


Description: In this scenario the attackers send messages through social networks, personal email and other services that the enterprise does not control.
Attackers can use fake profiles on social networks, for example to send potential job offers. This gives them a pretext to ask the targeted employee questions about the company's policies and software, and then to push the victim into opening malicious links and attachments. Typically the attacker makes initial contact first and then sends the malicious content to the email address the employee uses at work. If the victim is unable to launch the malicious file, the attacker can give them instructions on what to do next.

Protection recommendations: Block access to social networks, personal email services, etc. Use application whitelisting, network intrusion prevention systems (IPS) and anti-virus products. Anti-phishing user training.

Supply Chain Compromise


Description: The scenario involves inserting exploits, backdoors and other hacking tools into software and computer equipment while they are being delivered to the target company. Possible attack vectors:
- Manipulation of development tools and environments;
- Manipulation of source code repositories;
- Manipulation of software update and distribution mechanisms;
- Compromise and infection of OS images;
- Modification of legitimate software;
- Sale of modified or counterfeit products by a legitimate distributor;
- Interception during shipment.
Typically, attackers focus on inserting malicious components into distribution channels and software updates.

Protection recommendations: Apply a supply chain risk management (SCRM) process and a managed software development life cycle (SDLC). Use procedures for monitoring the integrity of binary software files, anti-virus scanning of distributions, testing of software and updates before deployment, and physical inspection of purchased equipment, software distribution media and accompanying documentation to detect tampering.
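An added Python example (not from the original article) of the binary integrity monitoring the recommendations mention: a SHA-256 manifest is taken from a release tree at build time and later compared against the deployed tree to report modified, added and removed files. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 16):
    """SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its digest.
    Taken at build time and stored out of band, this is the trusted baseline."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, trusted):
    """Compare the tree under root with the trusted manifest and report
    files that were modified, added or removed since the baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in trusted if k in current and current[k] != trusted[k]),
        "added": sorted(k for k in current if k not in trusted),
        "removed": sorted(k for k in trusted if k not in current),
    }


def demo():
    """Constructed scenario: baseline a release, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF legitimate build")
        (root / "README").write_text("release 1.0\n")
        trusted = build_manifest(root)  # would normally be signed and shipped separately
        (root / "bin" / "app").write_bytes(b"\x7fELF legitimate build + extra code")
        (root / "bin" / "extra.so").write_bytes(b"file not present in the baseline")
        (root / "README").unlink()
        return verify_manifest(root, trusted)


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as its storage: keep it signed and separate from the distribution it describes, otherwise whoever modifies the files can update the digests too.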

Trusted Relationships


Description: Attackers can make use of organizations that have access to the intended victim's infrastructure. Companies often use a less secure network connection for a trusted third party than for standard external access. Examples of trusted third parties are IT service contractors, security service providers and infrastructure contractors. The accounts the trusted party uses to access the company's network may also be compromised and used for initial access.

Protection recommendations: Network segmentation and isolation of critical infrastructure components that do not require broad access from outside. Management of the accounts and permissions used by parties to a trust relationship. Review of the security policies and procedures of contracted organizations that require privileged access. Monitoring of the activity of third-party suppliers and intermediaries.

Valid Accounts


Description: Attackers can steal the credentials of a specific user or service account using credential access techniques, or capture credentials during reconnaissance using social engineering. Compromised credentials can be used to bypass access control and gain access to remote systems and external services such as VPN, OWA or remote desktop, or to gain elevated privileges in particular systems and network segments. If this scenario succeeds, attackers may do without malware altogether to make detection harder. Attackers can also create accounts with predefined names and passwords to keep backup access in case other means fail.

Security Recommendations: Apply a password policy and follow guidance for designing and administering the corporate network so that the use of privileged accounts is limited at every administrative tier. Regularly audit domain and local accounts and their rights to identify those that could give an attacker broad access. Monitor account activity with SIEM systems.
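An added Python example (not part of the original article) of the kind of SIEM correlation the recommendations call for: over constructed authentication events it reports accounts that logged in from several source addresses within a short window, and logins using a just-created account, which is how the backup accounts described above would show up. The event format and thresholds are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in a simple SIEM-style text format: timestamp, event name, key=value pairs.
# 'alice' is used from three networks within minutes; a fresh account logs in right after creation.
SAMPLE_EVENTS = """\
2019-10-10T08:01:12Z LOGIN_OK user=alice src=10.0.0.5
2019-10-10T08:03:40Z LOGIN_OK user=alice src=198.51.100.23
2019-10-10T08:04:02Z LOGIN_OK user=alice src=203.0.113.8
2019-10-10T09:15:00Z ACCOUNT_CREATED user=svc-backup2 by=bob
2019-10-10T09:16:30Z LOGIN_OK user=svc-backup2 src=203.0.113.8
2019-10-10T10:00:00Z LOGIN_OK user=bob src=10.0.0.9
"""


def parse_events(text):
    """Parse 'timestamp EVENT key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        rec = dict(kv.split("=", 1) for kv in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rec["event"] = event
        events.append(rec)
    return events


def logins_from_many_sources(events, max_sources=2, window=timedelta(minutes=10)):
    """Accounts whose successful logins came from more than max_sources addresses within any window."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_OK":
            by_user[e["user"]].append((e["ts"], e["src"]))
    alerts = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            srcs = {src for ts, src in logins[i:] if ts - start <= window}
            if len(srcs) > max_sources:
                alerts[user] = sorted(srcs)
                break
    return alerts


def new_account_logins(events, grace=timedelta(hours=1)):
    """Logins with an account within grace of its creation: check them against a change ticket."""
    created = {e["user"]: e["ts"] for e in events if e["event"] == "ACCOUNT_CREATED"}
    return [(e["user"], e["src"]) for e in events
            if e["event"] == "LOGIN_OK" and e["user"] in created
            and timedelta(0) <= e["ts"] - created[e["user"]] <= grace]
```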

The next part describes the techniques used at the code execution stage (Execution).

