Links to all parts: Part 1. Getting Initial Access; Part 2. Execution; Part 3. Persistence; Part 4. Privilege Escalation; Part 5. Defense Evasion; Part 6. Obtaining Credential Access; Part 7. Discovery; Part 8. Lateral Movement.
This publication begins a cycle of posts devoted to describing the main techniques used by attackers at the various stages of an attack.
The material presented is a free retelling of the content of the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) matrices from The MITRE Corporation.
The author is not responsible for the possible consequences of applying the information presented, and also apologizes for any inaccuracies in some formulations and terms. By the way, this is my first attempt at publishing on Habr, so I hope for fair criticism.
Immersion in the topic will begin with the most voluminous matrix, ATT&CK Matrix for Enterprise, which describes the active and most dangerous phases of an attack on a corporate network:
- Getting initial access (Initial Access);
- Code execution (Execution);
- Gaining a foothold in the attacked system (Persistence);
- Privilege escalation (Privilege Escalation);
- Bypassing protection (Defense Evasion);
- Obtaining credentials (Credential Access);
- Reconnaissance of the environment (Discovery);
- Lateral movement across the network (Lateral Movement);
- Data collection (Collection);
- Data exfiltration (Exfiltration);
- Command and control (Command and Control).
The attacker's goal at the initial access stage is to deliver some malicious code to the system under attack and ensure that it can be further executed.
System: Windows, Linux, macOS
Rights: User
Description: The essence of the technique is that the victim opens in a browser a web resource on which the attacker has prepared in advance browser and plug-in exploits, hidden frames, or malicious Java files, which are then loaded onto the attacked system without the user's knowledge.
Security Tips: Use up-to-date browsers and plug-ins and antivirus software. Microsoft suggests using Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET). It also makes sense to consider blocking the execution of JavaScript in the browser.
System: Windows, Linux, macOS
Description: The technique involves exploiting known bugs, glitches and vulnerabilities in software that listens on open network ports (web servers, network services such as SSH and SMB2, DBMSs, etc.).
The ten most common web application vulnerabilities are published by OWASP (the OWASP Top 10).
Security Recommendations: Use firewalls, segment the network using a DMZ, follow secure software development guidelines, and avoid the weaknesses documented by OWASP and CWE. Scan the external perimeter for vulnerabilities. Monitor application logs and traffic for abnormal behaviour.
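As an added example (not part of the original article), the "monitor application logs" recommendation for a public-facing web server, applied to combined-format access logs: sources that generate a high share of error responses across many distinct paths are reported for review. The log lines, thresholds and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Combined-format lines (Apache/Nginx). Constructed for this example; documentation IPs, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2019:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2019:13:55:02 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:13:56:10 +0000] "GET /admin HTTP/1.1" 404 0 "-" "curl/7.64"
198.51.100.7 - - [10/Oct/2019:13:56:10 +0000] "GET /old HTTP/1.1" 404 0 "-" "curl/7.64"
198.51.100.7 - - [10/Oct/2019:13:56:11 +0000] "GET /test HTTP/1.1" 404 0 "-" "curl/7.64"
198.51.100.7 - - [10/Oct/2019:13:56:11 +0000] "POST /login HTTP/1.1" 500 0 "-" "curl/7.64"
192.0.2.9 - - [10/Oct/2019:13:57:00 +0000] "GET /missing HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def summarize(log_text):
    """Per-source request count, error count (status >= 400) and set of distinct paths."""
    per_ip = defaultdict(lambda: {"total": 0, "errors": 0, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than abort the whole run
        stats = per_ip[rec["ip"]]
        stats["total"] += 1
        stats["paths"].add(rec["path"])
        if rec["status"] >= 400:
            stats["errors"] += 1
    return per_ip

def flag_sources(log_text, min_requests=3, error_ratio=0.5):
    """Sources with enough traffic to judge and an error share at or above error_ratio."""
    flagged = {}
    for ip, s in summarize(log_text).items():
        if s["total"] < min_requests:
            continue  # a single broken link is not abnormal behaviour
        if s["errors"] / s["total"] >= error_ratio:
            flagged[ip] = {"requests": s["total"], "errors": s["errors"],
                           "distinct_paths": len(s["paths"])}
    return flagged
```

The thresholds are deliberately conservative; in production they should be tuned against a baseline of the site's normal error rate.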
System: Windows, Linux, macOS
Description: Hardware additions can be built into computer accessories, network equipment and computers themselves to provide intruders with initial access. Commercial and open-source products can offer embedded network connectivity, man-in-the-middle attacks for breaking encryption, keystroke injection, reading kernel memory via DMA, adding a new wireless network, etc.
Security Recommendations: Apply network access control policies, such as device certificates and 802.1X, limit DHCP to registered devices only, prohibit network communication with unregistered devices, and block the installation of external devices using host protection (Endpoint Security agents that restrict device connections).
System: Windows
Description: The technique involves executing a malicious program via the Windows autorun feature. To deceive the user, a "legitimate" file can be pre-modified or replaced and then copied onto a removable device by the attacker. The payload can also be embedded in the firmware of the removable device or planted through the program that performs the initial formatting of the media.
Security Tips: Disable autorun features in Windows. Restrict the use of removable devices at the level of the organization's security policy. Use antivirus software.
Description: Uses malware attached to phishing emails. The text of the email, as a rule, gives a plausible reason why the recipient should open the attached file.
Protection recommendations: Use network intrusion prevention systems (IPS) and antiviruses designed to scan for and remove malicious attachments in emails. Set a policy that blocks unused attachment formats. Train users in anti-phishing rules.
Description: Uses links in emails to download malware.
Security Tips: Checking URLs in email can help find links to known malicious sites. Use network intrusion prevention systems (IPS) and antiviruses. Train users in anti-phishing rules.
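An added example (not from the original article) that covers both the attachment-format policy from the Spearphishing Attachment section and the URL check from the Spearphishing Link section: a mail-gateway style screen that flags attachments whose final extension is on an assumed block list (including double extensions such as `policy.pdf.exe`) and links whose visible text names a different host than the `href` actually leads to. The message, addresses and block list are constructed for the demonstration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd"}  # assumed mail policy
HOST_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)
class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def blocked_attachments(msg):
    """Attachment names whose final extension is blocked (catches 'report.pdf.exe' too)."""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return [n for n in names if n.lower().rsplit(".", 1)[-1] in BLOCKED_EXTENSIONS]

def deceptive_links(msg):
    """Links whose visible text shows one host while the href leads to another."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    # Only judge link text that itself looks like a URL or hostname ("click here" is ignored).
    pairs = ((HOST_LIKE.match(text), text, href) for href, text in collector.links)
    return [(text, href) for m, text, href in pairs
            if m and m.group(1).lower() != (urlparse(href).hostname or "")]

def sample_message():
    """Constructed phishing-style message (not a real capture), parsed as it would arrive."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "hr@example.net", "staff@example.com", "Bonus policy"
    m.set_content("Please read the attached policy.")
    m.add_alternative('<p>Or read it at <a href="http://login.example.net/p">'
                      'https://intranet.example.com</a></p>', subtype="html")
    m.add_attachment(b"not a real program", maintype="application",
                     subtype="octet-stream", filename="policy.pdf.exe")
    return message_from_bytes(m.as_bytes(), policy=policy.default)
```

The extension check is intentionally by name only; a real gateway would also compare the declared type with the file's magic bytes and inspect archives.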
Description: In this scenario, attackers send messages through various social networking services, personal email and other services not controlled by the enterprise.
Attackers can use fake profiles on social networks, for example to send potential job offers. This allows the attacker to ask the victim questions about policies and software in the company and then push the victim into opening malicious links and attachments. Typically, the attacker makes initial contact and then sends the malicious content to the mailbox that the employee of the attacked company uses at work. If the victim is unable to launch the malicious file, the attacker can give instructions on what to do next.
Security tips: Block access to social networks, personal email services, etc. Use application whitelisting, network intrusion prevention systems (IPS) and antiviruses. Train users in anti-phishing rules.
Description: The scenario involves introducing exploits, backdoors and other hacking tools into software and computer equipment at the stage when it is supplied to the attacked company. Possible attack vectors:
- Manipulations with tools and software development environments;
- Work with source code repositories;
- Manipulations with software update and distribution mechanisms;
- Compromise and infection of OS images;
- Modification of legitimate software;
- Sale of modified or counterfeit products by a legitimate distributor;
- Interception at the stage of shipment.
Typically, attackers focus on the introduction of malicious components in the distribution channels and software updates.
Protection recommendations: Apply a supply chain risk management (SCRM) process and a software development life cycle (SDLC) management process. Use procedures for monitoring the integrity of binary software files, antivirus scanning of distributions, testing of software and updates before deployment, and physical inspection of purchased equipment, media with software distributions and accompanying documentation to detect tampering.
Description: Attackers can use organizations that have access to the infrastructure of the intended victim. Often, companies use a less secure network connection for communication with a trusted third party than the standard access from outside. Examples of trusted third parties are IT service contractors, security service providers and infrastructure contractors. The accounts used by the trusted party to access the company's network may also be compromised and used for initial access.
Protection recommendations: Segment the network and isolate critical infrastructure components that do not require broad access from outside. Manage the accounts and permissions used by parties to a trust relationship. Verify the security policies and procedures of contracting organizations that require privileged access. Monitor the activity of third-party suppliers and intermediaries.
Description: Attackers can steal the credentials of a particular user or service account using credential access techniques, or capture credentials earlier, during reconnaissance, using social engineering. Compromised credentials can be used to bypass access control systems and gain access to remote systems and external services such as VPN, OWA or remote desktop, or to gain elevated privileges in certain systems and network areas. If this scenario succeeds, attackers may forgo the use of malware to make detection harder. Attackers can also create accounts with predefined names and passwords to keep backup access in case other means fail.
Security Recommendations: Apply a password policy and follow the recommendations for designing and administering a corporate network so as to limit the use of privileged accounts at all administrative levels. Regularly audit domain and local accounts and their rights to identify those that could give an attacker broad access. Monitor account activity using SIEM systems.
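An added example (not from the original article) of the "monitor account activity" recommendation for valid accounts: two SIEM-style rules run over normalized logon events. The first reports an account whose successful logons come from several distinct source addresses within a short window (a service account suddenly used from many hosts), the second reports successful logons outside an assumed business-hours window. The event records, thresholds and hours are constructed for the demonstration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, SIEM-style normalized logon events (JSON lines); not real data.
SAMPLE_EVENTS = """\
{"ts": "2019-10-10T08:55:00", "user": "alice", "src": "10.0.1.20", "result": "success"}
{"ts": "2019-10-10T09:02:00", "user": "alice", "src": "10.0.1.20", "result": "success"}
{"ts": "2019-10-10T09:05:00", "user": "svc_backup", "src": "10.0.2.5", "result": "success"}
{"ts": "2019-10-10T09:06:00", "user": "svc_backup", "src": "10.0.9.77", "result": "success"}
{"ts": "2019-10-10T09:07:00", "user": "svc_backup", "src": "10.0.9.78", "result": "success"}
{"ts": "2019-10-10T23:40:00", "user": "bob", "src": "10.0.1.31", "result": "success"}
{"ts": "2019-10-10T23:41:00", "user": "bob", "src": "10.0.1.31", "result": "failure"}
"""

def load_events(text):
    """Parse JSON lines into event dicts with real timestamps, sorted chronologically."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])

def multi_source_logons(events, window=timedelta(minutes=10), min_sources=3):
    """Accounts with successful logons from >= min_sources distinct addresses inside one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):  # slide the window over each logon in turn
            sources = {x["src"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(sources) >= min_sources:
                findings[user] = sorted(sources)
                break
    return findings

def off_hours_logons(events, start_hour=7, end_hour=20):
    """Successful logons outside the assumed business window [start_hour, end_hour)."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if e["result"] == "success" and not start_hour <= e["ts"].hour < end_hour]
```

Both rules are starting points for a SIEM correlation search; per-account baselines (usual hosts, usual hours) cut the noise considerably compared with fixed thresholds.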
The next part describes the tactics used at the stage of code execution (Execution).