Embed Size (px)
Citation preview
MITRE ATT&CK®: APT29 Techniques Mapped to Mitigations and Data Sources
ABOUT THIS DIAGRAM
Resources
attack.mitre.org • Access ATT&CK technical information
• Contribute to ATT&CK
• Follow our blog
• Watch ATT&CK presentations
ATT&CK provides a framework for defenders to enhance their posture against specific adversaries. To use ATT&CK in this way, find an adversary group you’re interested in and identify the techniques that they are known to use. For each technique, pull up the technique page to see how that adversary uses the technique, as well as how you can potentially mitigate and detect it.
This chart helps visualize the results. Here, we have the techniques that APT29 is known to use in the middle column. We linked each technique on the left to potential means of mitigation and on the right to data sources that defenders can use to potentially detect the technique. Defenders can look at this chart either to see how their current mitigations and data sources stack up to APT29, or as a roadmap to plan how they can architect their defenses.
For more information, you can read about APT29, or other groups, on the ATT&CK website: attack.mitre.org.
GET STARTED WITH ATT&CK
LEGENDAPT28APT29Both
Comparing APT28 to APT29
Finding Gaps in Defense
LEGENDLow PriorityHigh Priority
AppleScriptApplication Deployment
Software
Distributed ComponentObject Model
Exploitation ofRemote Services
Logon ScriptsPass the HashPass the Ticket
Remote Desktop ProtocolRemote File CopyRemote Services
Replication ThroughRemovable MediaShared WebrootSSH Hijacking
Taint Shared ContentThird-party Software
Windows Admin SharesWindows Remote
Management
Commonly Used PortCommunication Through
Removable MediaConnection Proxy
Custom Command andControl Protocol
Custom CryptographicProtocol
Data EncodingData ObfuscationDomain Fronting
Domain GenerationAlgorithms
Fallback ChannelsMultiband Communication
Multi-hop ProxyMultilayer EncryptionMulti-Stage Channels
Port KnockingRemote Access Tools
Remote File CopyStandard Application Layer
Protocol
Standard CryptographicProtocol
Standard Non-ApplicationLayer Protocol
Uncommonly Used PortWeb Service
Automated ExfiltrationData Compressed
Data EncryptedData Transfer Size Limits
Exfiltration Over OtherNetwork Medium
Exfiltration Over Commandand Control Channel
Exfiltration Over AlternativeProtocol
Exfiltration OverPhysical Medium
Scheduled Transfer
Data DestructionData Encrypted for Impact
DefacementDisk Content WipeDisk Structure Wipe
Endpoint Denial of ServiceFirmware Corruption
Inhibit System RecoveryNetwork Denial of Service
Resource HijackingRuntime Data Manipulation
Service StopStored Data Manipulation
Transmitted DataManipulation
Audio CaptureAutomated Collection
Clipboard DataData from Information
RepositoriesData from Local System
Data from NetworkShared Drive
Data from Removable MediaData Staged
Email CollectionInput Capture
Man in the BrowserScreen CaptureVideo Capture
Drive-by CompromiseExploit Public-Facing
ApplicationExternal Remote Services
Hardware AdditionsReplication ThroughRemovable Media
Spearphishing AttachmentSpearphishing Link
Spearphishing via ServiceSupply Chain Compromise
Trusted RelationshipValid Accounts
AppleScriptCMSTP
Command-Line InterfaceCompiled HTML FileControl Panel Items
Dynamic Data ExchangeExecution through API
Execution throughModule Load
Exploitation forClient Execution
Graphical User InterfaceInstallUtil
MshtaPowerShell
Regsvcs/RegasmRegsvr32Rundll32Scripting
Service ExecutionSigned Binary
Proxy Execution
Signed ScriptProxy Execution
SourceSpace after FilenameThird-party Software
Trusted Developer Utilities
DLL Search Order HijackingImage File Execution Options Injection
Plist ModificationValid Accounts
Accessibility FeaturesAppCert DLLsAppInit DLLs
Application ShimmingDylib Hijacking
File System Permissions WeaknessHooking
Launch DaemonNew Service
Path InterceptionPort Monitors
Service Registry Permissions WeaknessSetuid and Setgid
Startup ItemsWeb Shell
.bash_profile and .bashrcAccount Manipulation
Authentication PackageBITS Jobs
BootkitBrowser Extensions
Change DefaultFile Association
Component Firmware
BITS JobsClear Command History
CMSTPCode Signing
Compiled HTML FileComponent Firmware
Component Object ModelHijacking
Control Panel ItemsDCShadow
Deobfuscate/Decode Filesor Information
Disabling Security ToolsDLL Side-Loading
Execution GuardrailsExploitation for
Defense EvasionFile Deletion
File PermissionsModification
File System Logical OffsetsGatekeeper Bypass
Group Policy ModificationHidden Files and Directories
Hidden Users
Exploitation forPrivilege EscalationSID-History Injection
SudoSudo Caching
Scheduled Task Binary Padding Network SniffingLaunchctl
Local Job SchedulingLSASS Driver
Trap
Access Token ManipulationBypass User Account Control
Extra Window Memory InjectionProcess Injection
Account ManipulationBash HistoryBrute Force
Credential DumpingCredentials in Files
Credentials in RegistryExploitation for
Credential AccessForced Authentication
HookingInput CaptureInput PromptKerberoasting
KeychainLLMNR/NBT-NS Poisoning
and RelayPassword Filter DLL
Private KeysSecurityd Memory
Two-Factor AuthenticationInterception
Account DiscoveryApplication Window
Discovery
Browser BookmarkDiscovery
Domain Trust DiscoveryFile and Directory DiscoveryNetwork Service ScanningNetwork Share Discovery
Password Policy DiscoveryPeripheral Device Discovery
Permission Groups DiscoveryProcess DiscoveryQuery Discovery
Remote System DiscoverySecurity Software Discovery
System InformationDiscovery
System NetworkConfiguration Discovery
System NetworkConnections Discovery
System Owner/UserDiscovery
System Service DiscoverySystem Time DiscoveryVirtualization/Sandbox
Evasion
EnterpriseFramework
To help cyber defenders gain a common understanding of the threats they face, MITRE developed the ATT&CK framework. It’s a globally-accessible knowledge base of adversary tactics and techniques based on real world observations and open source research contributed by the cyber community.
Used by organizations around the world, ATT&CK provides a shared understanding of adversary tactics, techniques and procedures and how to detect, prevent, and/or mitigate them.
ATT&CK is open and available to any person or organization for use at no charge.
For more than 60 years, MITRE has worked in the public interest. Through our public-private partnerships and federally funded R&D centers, we work across government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation.
attackevals.mitre.org MITRE ATT&CK Evaluations
The best defense is a well-tested defense. ATT&CK provides a common adversary behavior framework based on threat intelligence that red teams can use to emulate specific threats. This helps cyber defenders find gaps in visibility, defensive tools, and processes—and then fix them.
Cyber threat intelligence comes from many sources, including knowledge of past incidents, commercial threat feeds, information-sharing groups, government threat-sharing programs, and more. ATT&CK gives analysts a common language to communicate across reports and organizations, providing a way to structure, compare, and analyze threat intelligence.
Use ATT&CK for Cyber Threat Intelligence
ATT&CK includes resources designed to help cyber defenders develop analytics that detect the techniques used by an adversary. Based on threat intelligence included in ATT&CK or provided by analysts, cyber defenders can create a comprehensive set of analytics to detect threats.
Use ATT&CK to Build Your Defensive Platform
Aligning your Defenses to Adversaries with ATT&CK
Use ATT&CK for Adversary Emulation and Red Teaming
Active Directory Configuration
Antivirus/Antimalware
Application Isolation and Sandboxing
Audit
Code Signing
Disable or Remove Feature or Program
Execution Prevention
Exploit Protection
Filter Network Traffic
Limit Access to Resource Over Network
Network Intrusion Prevention
Network Segmentation
Operating System Configuration
Password Policies
Privileged Account Management
Restrict Web-Based Content
SSL/TLS Inspection
Update SoftwareUser Account Control
User Account Management
User Training
Anti-virus
Authentication logs
Binary file metadata
Detonation chamber
DLL monitoring
DNS records
Email gateway
Environment variable
File monitoring
Host network interface
Loaded DLLs
Mail server
Malware reverse engineering
Netflow/Enclave netflow
Network intrusion detection system
Network protocol analysis
Packet capture
PowerShell logs
Process command-line parameters
Process monitoring
Process use of network
SSL/TLS inspection
System calls
Web proxy
Windows event logs
Windows Registry
WMI Objects
MITIGATIONS APT29 TECHNIQUES DATA SOURCES
Mitigate It! Detect It!
Accessibility Features (T1546.008)
Bypass User Access Control (T1548.002)
Domain Fronting (T1090.004)
Exploitation for Client Execution (T1203)
Malicious File (T1204.002)
Multi-hop Proxy (T1090.003)
Non-Application Layer Protocol (T1095)
Obfuscated Files or Information (T1027)
Pass the Ticket (T1550.003)
PowerShell (T1059.001)
Rundll32 (T1218.011)
Scheduled Task (T1053.005)
Shortcut Modification (T1547.009)
Software Packing (T1027.002)
Spearphishing Attachment (T1566.001)
Spearphishing Link (T1566.002)
Windows Management Instrumentation (T1047)
Windows Management Instrumentation Event Subscription (T1546.003)
Accessibility Features (T1546.008)
Bypass User Access Control (T1548.002)
Domain Fronting (T1090.004)
Exploitation for Client Execution (T1203)
Malicious File (T1204.002)
Multi-hop Proxy (T1090.003)
Non-Application Layer Protocol (T1095)
Obfuscated Files or Information (T1027)
Pass the Ticket (T1550.003)
PowerShell (T1059.001)
Rundll32 (T1218.011)
Scheduled Task (T1053.005)
Shortcut Modification (T1547.009)
Software Packing (T1027.002)
Spearphishing Attachment (T1566.001)
Spearphishing Link (T1566.002)
Windows Management Instrumentation (T1047)
Windows Management Instrumentation Event Subscription (T1546.003)
MITRE ATT&CK®
Enterprise Frameworkattack.mitre.org
© 2020 MITRE. Matrix current as of October 2020
Initial Access9 techniques
Defense Evasion34 techniques
Execution10 techniques
Persistence18 techniques
Privilege Escalation12 techniques
Credential Access14 techniques
Discovery24 techniques
Lateral Movement9 techniques
Collection16 techniques
Command and Control16 techniques
Exfiltration9 techniques
Impact13 techniques
Modify Authentication Process System Service DiscoveryScheduled Task/Job
Direct Volume AccessRootkitObfuscated Files orInformation
Input CaptureOS Credential Dumping Application Window
DiscoverySystem NetworkConfiguration Discovery
Communication ThroughRemovable Media
System Owner/UserDiscoverySystem NetworkConnections Discovery
Exfiltration OverWeb Service
Use AlternateAuthentication Material
Permission GroupsDiscoveryFile and DirectoryDiscovery
Exploitation of RemoteServicesRemote Service SessionHijacking
Data from InformationRepositories
Peripheral DeviceDiscovery
Browser BookmarkDiscoveryVirtualization/SandboxEvasion
Brute ForceTwo-Factor AuthenticationInterception
Indicator Removal on HostExploitation for PrivilegeEscalation Modify Registry
Trusted Developer UtilitiesProxy ExecutionTraffic Signaling
Pre-OS Boot Network Share DiscoveryPassword Policy Discovery
Exfiltration Over OtherNetwork Medium
Exfiltration OverC2 ChannelExfiltration OverPhysical Medium
Scheduled TransferData Transfer Size Limits
Data from NetworkShared Drive
Non-Application LayerProtocol
Data from CloudStorage Object
Man-in-the-MiddleArchive Collected Data
Protocol TunnelingEncrypted Channel
Compromise ClientSoftware BinaryImplant Container Image
Rogue Domain Controller
Signed Script ProxyExecution
BITS JobsXSL Script ProcessingTemplate Injection
Impair DefensesHide ArtifactsMasquerading
Pre-OS BootSubvert Trust Controls
Indirect CommandExecution
Forced Authentication
Steal or Forge KerberosTickets
Man-in-the-Middle
Steal Application AccessToken
File and DirectoryPermissions ModificationVirtualization/SandboxEvasionUnused/UnsupportedCloud RegionsUse AlternateAuthentication Material
Deobfuscate/Decode Filesor InformationSigned Binary ProxyExecution
Execution GuardrailsModify Cloud ComputeInfrastructure
Exploitation for DefenseEvasion
Valid Accounts Network SniffingWindows ManagementInstrumentation
Valid AccountsReplication ThroughRemovable Media
Software DeploymentTools
Exploitation for ClientExecution
Exploitation for CredentialAccess
Hijack Execution Flow
Process InjectionAccess Token ManipulationGroup Policy Modification
Lateral Tool TransferTaint Shared Content
Abuse Elevation Control MechanismCredentials fromPassword Stores
Transfer Data toCloud Account
Exfiltration OverAlternative Protocol
Steal Web Session CookieUnsecured Credentials
Account ManipulationExternal Remote ServicesOffice Application StartupSystem Services
Command and ScriptingInterpreter
Create Account
PhishingExternal Remote ServicesDrive-by Compromise
Has sub-techniques
Browser ExtensionsTraffic SignalingNative APIBITS Jobs Non-Standard PortInter-Process
Communication Server SoftwareComponent
Boot or Logon Initialization ScriptsCreate or Modify System Process
Event Triggered Execution
Trusted RelationshipSupply Chain CompromiseHardware Additions
Boot or Logon Autostart ExecutionClipboard DataAutomated CollectionAudio CaptureVideo CaptureMan in the Browser
Email Collection
Dynamic Resolution
Multi-Stage ChannelsIngress Tool TransferData EncodingTraffic Signaling Automated ExfiltrationRemote Access Software
Web ServiceShared Modules
Remote ServicesSoftware DeploymentTools
Data from Local System
Application Layer ProtocolFallback ChannelsData Obfuscation
Data from RemovableMedia
Replication ThroughRemovable MediaInternal Spearphishing
Input Capture ProxyData StagedScreen Capture
Network Denial of ServiceEndpoint Denial of ServiceSystem Shutdown/RebootAccount Access RemovalDisk Wipe
Resource Hijacking
Data Manipulation
Service StopData Encrypted for ImpactData Destruction
Inhibit System RecoveryDefacementFirmware Corruption
User ExecutionExploit Public-FacingApplication
Cloud Service DashboardSoftware DiscoveryQuery RegistryRemote System Discovery
System InformationDiscoveryAccount DiscoverySystem Time DiscoveryDomain Trust DiscoveryCloud Service Discovery
Network Service ScanningProcess Discovery
