ATT&CK for Cyber Threat Intelligence Training — Module 3: Mapping to ATT&CK from raw data
In this course we have the opportunity not only to study what ATT&CK is but also to test ourselves through practical exercises.
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK has two parts: ATT&CK for Enterprise, which covers behavior against enterprise IT networks and cloud, also ATT&CK for Mobile, which focuses on behavior against mobile devices.
We are going to use the ATT&CK for Enterprise matrix:
This exercise requires an effort of moving from indicators to behaviors and trying to reconstruct what techniques and tactics are used by the adversaries.
To solve the exercise we are going to use the method shown in the videos, which is based on 6 steps:
This is all the info that we receive to start our mapping process:
The data we have come from the ticket of an incident. We notice that the description of this ticket is cmd.exe commands via Pineapple RAT. That’s an important info to keep in mind because:
cmd.exe or simply cmd is a command shell based on the MS-DOS operating system that enables a user to interact directly with the operating system.
Then we know that the commands that we are going to analyze are collected by Sysmon. What is Sysmon?
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.
Now that we have a general overview and have also read the data e all the general information, we can start!
Fist command executed:
- ipconfig /all
The first question in our analysis process is to understand what the command is for and why it is executed. What does the attacker want to get out of this info?
ipconfig /all shows the description of each network connection along with additional information such as your physical (MAC) address, DHCP connections, Lease times, as well as in-depth IPv6 information.
ipconfig /all output in Windows XP. Source: WikipediaNext phase is research the behaviour:
After seeing how that command has been used by some threat actors, we can link to the command ipconfig /all , the following tactic: Discovery -System Network Configuration Discovery (T1016)
2. arp -a
What is this command used for?
ARP stands for “Address Resolution Protocol” is a protocol for mapping an IP address to a physical MAC address on a local area network.ARP is a program used by a computer system to find another computer’s MAC address based on its IP address.
It is interesting to consider why the attacker wants to know the MAC Address? What can it be used for?
MAC addresses are used only for communication between devices directly connected to each other or connected to the same “Local Area Network” LAN. IP addresses are used to make communication possible between devices that are not on the same LAN.
Specifically, the arp -a command is used to display the ARP table for a particular IP address. It also shows all the entries of the ARP cache or table.
So what is the purpose of ARP tables?
The ARP table is used to maintain a correlation between each MAC address and its corresponding IP address.
We now know what the arp command is for, and we have guessed that the attacker wants to know details about the machines’ network configuration. So doing a search of possible tactics we expect to find: the use of discovery and in particular discovery of the network configuration. Technique used: Discovery — System Network Configuration Discovery (T1016)
3. echo %USERDOMAIN%\%USERNAME%
What is this command used for?
It’s used to to check the Current Login Account on User Workstations.
So now the attacker is trying to get information about the user of that device. If we copy and search for the command on the MITRE ATT&CK site we get no results. What could be a similar command? Probably whoami is the command that comes closest and also gives the most information about the users of a device.
Technique used:Discovery — System Owner / User Discovery (T1033)
Ding,ding! We found what technique was used!
4.tasklist /v
What is this command used for?
This command displays a list of processes running on a local or remote computer Specifically tasklist /v provides detailed information about the running tasks.
So the adversary, after making a discovery about the network configuration, tries to figure out what common software/applications are running on the systems within the network.Technique used:Discovery — Process Discovery (T1057)
5.sc query
What is this command used for?
It’s a command that it’s used to see what services are installed on a computer and find out which ones are active.
Thus, the process of discovery by the adversary continues, trying to figure out what services are active on the machine.Technique used: Discovery — System Service Discovery (T1007)
6. systeminfo
What is this command used for?
This command is used to display detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties (such as RAM, disk space, and network cards).
We can definitely say we see a pattern in the commands executed by the attacker; he is trying to acquire as much information about the machine as possible.Technique used: Discovery — System Information Discovery (T1082)
7.net group “Domain Admins” /domain
8.net user /domain
9.net group “Domain Controllers” /domain
These 3 commands are similar but have different and very specific goals.
net user /domain is used to display user account information, specifically, /domain is used to indicate that the action is performed on the domain controller.
What’s the difference between “Domain Admins” and “Domain Controllers?
net group “Domain Admins” /domain will displays the local administrators group on current domain controller.
net group “Domain Controllers” /domain will query Domain Controllers Computers.
Domain Admins have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group.
Domain controllers restrict access to domain resources by authenticating user identity through login credentials, and by preventing unauthorized access to those resources. Domain controllers apply security policies to requests for access to domain resources. For example, in a Windows AD domain, the domain controller draws authentication information for user accounts from AD.
Domain controllers are most commonly used in Windows Active Directory (AD) domains but are also used with other types of identity management systems.
What is Active Directory?
Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done. The purpose of Active Directory is to enable organizations to keep their network secure and organized without having to use up excessive IT resources.
After this activity of researching how commands and operations work, we begin to understand why it is critical for the attacker to acquire this information. One possible strategy the attacker wants to adopt is to discover and understand the environment before moving laterally, after gaining an initial foothold on a domain controller.
Techniques used:
net group “Domain Admins” /domain Discovery — Permission Groups Discovery (T1069)
net user /domain Discovery — Account Discovery (T1087) Execution — Command-Line Interface (T1059)
net group “Domain Controllers” /domain Discovery — Remote System Discovery (T1018)
10.netsh advfirewall show allprofiles
What is this command used for?
This command is used to see if the firewall is enabled for all profiles.
Having information about the firewall is very important to an attacker. The firewall plays a key function in protecting against security attacks. In fact, the firewall analyzes incoming and outgoing network traffic and, based on predetermined rules, creates a barrier to block viruses and attackers.Technique used: Discovery — System Network Configuration Discovery (T1016)
11.netstat -ano
What is this command used for?
The netstat -ano command lists the number of all open ports and active connections in numerical form and along with the process ID.
This is the last command executed by the attacker, which along with the other commands is linked to a discovery on the network.Technique used: Discovery — System Network Connections Discovery (T1049)
We can also add to our analysis that all commands are executed according to the Command and Scripting Interpreter T1059 technique.
Recap of all discovery techniques used and analyzed in this case using ATT&CK Navigator:
