Utilising MITRE ATT&CK to Detect Techniques Used by Advanced Persistent Threat Actors

Fraser Dumayne
Published in Adarma Tech Blog
7 min read · Feb 13, 2020

Introduction

The current political landscape is a chaotic one, with news nearly every day of both real-world and cyber attacks; the two are increasingly becoming one and the same as attackers take advantage of vulnerabilities in physical infrastructure. Recent real-world events have only elevated these geopolitical tensions, and word often spreads about the possibility of the target state retaliating against the attacker using its cyber capabilities in a bid to escalate the conflict. The groups behind such operations are often referred to as Advanced Persistent Threats (APTs): they are typically nation-state backed, well funded, and target their victims over long periods of time.

Threat modelling has become increasingly significant as attacks on infrastructure and important organisations have become more frequent around the world. The purpose of this blog is to guide you through one example of threat hunting using MITRE ATT&CK and a number of other tools. It should be mentioned that there are many ways to build your own threat model and there is no one-size-fits-all model for every type of attacker; this is just one example.

Analysing Selected APTs

The best way to create a reliable defence is first to research your potential attackers and understand which techniques they use. MITRE ATT&CK maintains a large list of groups, and each group's page lists the techniques MITRE has attributed to it; these can, in turn, be used to shape your defences. For this blog post I wanted to focus on the biggest APTs, so I searched the MITRE ATT&CK Groups page, selected some groups that were of interest to me, and compiled a list. Once this list was finalised, I translated it into a visual representation of the groups' techniques using another tool called DeTT&CT, whose group mode generates a JSON layer file that ATT&CK Navigator can load to render a heat map. The following image shows DeTT&CT in action in a Docker container; all that was required was the list of groups.

[Screenshot] Example DeTT&CT usage, running in Docker

The resulting output can be seen in the image below in ATT&CK Navigator. It shows significant use of PowerShell, Scripting, Obfuscated Files or Information, and Credential Dumping across all groups, and a heavy concentration in the Discovery, Execution, Command and Control, and Defense Evasion tactics. Now that we have this data on the most common techniques used by the chosen APTs, we can fine-tune our defences by searching example data sets for evidence of those techniques.

[Screenshot] ATT&CK Navigator output for the selected APTs

Technique 1 — Credential Dumping

The first technique we're going to look into is Credential Dumping (T1003 in ATT&CK), as it is one of the more frequent ones, not only across the selected APTs but across all threat actors. OilRig (AKA APT34) in particular have been known to use tools such as Mimikatz to obtain the credentials of accounts on a system. To begin searching for these attacks we need to log into Splunk (other SIEM tools are available) and ingest the data set downloaded from Mordor; Splunk should do the rest.

If you're unfamiliar with Splunk: go to Settings > Add Data > Upload > Select File (upload the JSON file from Mordor), ensure the sourcetype is set to "_json" on the next page, and on the Input Settings page create a new index for the events, leaving the other settings at their defaults.

You should be able to see the events if you click 'Start Searching'. Now we want to narrow the search to isolate any possible attacks. After a bit of research I found several ways of tracking down such attacks and created a Splunk search to find suspicious events:

index="mordor" source="covenant_mimikatz_logonpasswords_2019-12-05033226.json" sourcetype="_json" TargetImage="C:\\Windows\\system32\\lsass.exe" EventID=10

The key part of this search is EventID=10. In this data set the events come from Sysmon, where Event ID 10 is 'Process Access': one process opening a handle to another. (Do not confuse it with Event ID 10 in other Windows logs; check the channel field if your index mixes sources.) If an attacker attempts to retrieve credentials with Mimikatz, they will typically open the Local Security Authority Subsystem Service (LSASS) process once they have administrative privileges, because LSASS holds credential material in memory. We can therefore look for events whose TargetImage is lsass.exe. Sysmon also records the access mask that was requested (GrantedAccess) and the call stack of the requesting process (CallTrace); legitimate software does open lsass, so in a real environment these fields, together with an allow-list of known source images, are what separate a dump attempt from background noise. The above search should return the event shown below. As you can see, there is an unknown script being run from host IT001.shire.com with a target image of lsass.exe:

[Screenshot] Potential credential dumping event
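The Splunk search above matches on TargetImage alone. The following Python is an added example, not code from the original post or from the Mordor project: it applies the same Sysmon Event ID 10 logic to a few constructed events in the Mordor JSON shape and adds the two refinements a practitioner would want, the GrantedAccess masks that dumping tools request and an allow-list of processes that legitimately open lsass. The allow-list entries, host names and call traces are assumptions for illustration and need tuning to your own estate.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) events for lsass.exe access.

Added example (not from the original post or from Mordor). Field names
follow the Mordor JSON export of Sysmon events; all events are constructed.
"""
import json

# Access masks commonly requested against lsass by credential-dumping tools.
# 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION (Mimikatz sekurlsa)
# 0x1410 adds PROCESS_QUERY_LIMITED_INFORMATION; 0x1FFFFF = PROCESS_ALL_ACCESS
SUSPICIOUS_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Assumption: processes that routinely open lsass on a typical host. Compare
# full lower-cased paths, never bare file names, or a renamed tool slips through.
KNOWN_GOOD_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def load_events(ndjson_text):
    """Mordor ships one JSON object per line; skip blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def detect_lsass_access(events):
    """Return the events that look like a credential dump against lsass.exe."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:  # Sysmon ProcessAccess only
            continue
        if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            continue
        source = ev.get("SourceImage", "")
        if source.lower() in KNOWN_GOOD_SOURCES:
            continue
        try:
            mask = int(ev.get("GrantedAccess", "0x0"), 16)  # logged as "0x1010"
        except ValueError:
            mask = 0
        reasons = []
        if mask in SUSPICIOUS_MASKS:
            reasons.append(f"granted access {mask:#x}")
        # Sysmon writes UNKNOWN(...) for stack frames in memory not backed by a
        # module on disk, which is typical of reflectively loaded tooling.
        if "UNKNOWN(" in ev.get("CallTrace", ""):
            reasons.append("unbacked module in call trace")
        if reasons:
            hits.append({"host": ev.get("Hostname"), "source": source, "reasons": reasons})
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Defender reading lsass: routine on most hosts, suppressed by the allow-list
        "EventID": 10, "Hostname": "WKSTN01.example.local",
        "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+2bcd2",
    },
    {   # Process access to something other than lsass: ignored
        "EventID": 10, "Hostname": "WKSTN01.example.local",
        "SourceImage": r"C:\Windows\explorer.exe",
        "TargetImage": r"C:\Windows\system32\notepad.exe", "GrantedAccess": "0x1fffff",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534",
    },
    {   # PowerShell opening lsass with the Mimikatz mask from unbacked memory
        "EventID": 10, "Hostname": "WKSTN02.example.local",
        "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|UNKNOWN(00000000033D0A6F)",
    },
    {   # Sysmon Event ID 1 (process create) mentioning lsass: wrong event type
        "EventID": 1, "Hostname": "WKSTN02.example.local",
        "Image": r"C:\Windows\system32\lsass.exe", "CommandLine": "lsass.exe",
    },
]
SAMPLE_NDJSON = "\n".join(json.dumps(ev) for ev in SAMPLE_EVENTS)

if __name__ == "__main__":
    for hit in detect_lsass_access(load_events(SAMPLE_NDJSON)):
        print(f"{hit['host']}: {hit['source']} -> lsass.exe ({', '.join(hit['reasons'])})")
```

Only the PowerShell event survives: the Defender read is dropped by the allow-list even though its mask is on the suspicious list, and the Event ID 1 record is skipped before any field is inspected. The same three conditions translate directly into SPL (GrantedAccess IN (...), NOT SourceImage IN (...), CallTrace="*UNKNOWN(*").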

Technique 2 — PowerShell

The second technique we're going to look at is PowerShell, which is an Execution technique. OilRig has also been known to use this technique in the wild, running PowerShell commands from scripts to decode file contents (as noted on MITRE ATT&CK). We can follow our previous methodology to get the data we need, this time using the PowerShell data set from Mordor. Once again this should be ingested into Splunk so we can isolate potential attacks. The following search was able to isolate the event:

index="mordor" source="empire_invoke_psexec_2019-05-18210652.json" sourcetype="_json" level=Warning task="Execute a Remote Command" source_name="Microsoft-Windows-PowerShell"

The above search is very simple and in a real-world situation could generate a number of false alarms, but we're only practising! The first part of the search keeps only events at the Warning level. For Microsoft-Windows-PowerShell event 4104 (script block logging) this is more meaningful than a generic severity: PowerShell raises the level from Verbose to Warning when the script block contains strings from its built-in list of suspicious content. It is not a guarantee, though; an attacker can avoid tripping that list, and blocks logged at Verbose may not be collected at all. The second part matches the task 'Execute a Remote Command', which is simply the task category under which 4104 events are recorded; despite the name it does not mean the command arrived over remoting. Finally, we filter on the source name to ensure we are looking only at PowerShell events. The final event we get is:

[Screenshot] Suspicious PowerShell execution

However, after a bit more research I discovered that some events contained an encoded string, all of them sent by the user named 'pgustavo'. These messages included the following string under the message field:

powershell.exe -noP -sta -w 1 -enc

The key flags in the above command line are '-w 1', which sets the window style to hidden (1 is Hidden, 0 Normal, 2 Minimized and 3 Maximized), and '-enc', short for -EncodedCommand, which means the rest of the string is Base64 rather than a readable script. The other two are '-noP' (-NoProfile, skip the user's profile scripts) and '-sta' (run in a single-threaded apartment). Note that the Base64 is encoding, not encryption: -EncodedCommand expects the Base64 of the script's UTF-16LE bytes, so in CyberChef 'From Base64' followed by 'Decode text' with UTF-16LE recovers the plaintext (a plain Base64 decode alone shows a null byte between every character). I plugged the strings in and downloaded the results as a file. The output for one of the strings looked like this:

[Screenshot] Decoded output of one of the strings

After a quick comparison, this output and the message from the earlier event match, suggesting that the event discovered earlier was the source of the attack. The final step is to update our previous search to isolate these encoded commands as well as possible, so that future occurrences can be found (if this were a real-world environment). Only minor changes are needed:

index="mordor" source="empire_invoke_psexec_2019-05-18210652.json" message="*powershell.exe*-enc*"
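To tie the two searches in this section together, here is an added Python example (mine, not the post's or Mordor's) that applies both filters to constructed 4104-style events: the Warning-level check from the first search and the encoded-command check from the second. It also performs the CyberChef step in code, decoding the -enc argument as Base64 of UTF-16LE, and it recognises the abbreviations powershell.exe accepts (-e, -ec, -enc and -EncodedCommand all select the same switch; -w 1 and -WindowStyle Hidden are equivalent), which the literal "*-enc*" wildcard would miss. The Hostname and user fields on the sample events, and the sample script itself, are assumptions.

```python
"""Triage PowerShell events and decode -EncodedCommand payloads.

Added example (not from the original post or from Mordor). The level, task,
source_name and message fields follow the post's Splunk search; the Hostname
and user fields and every event below are constructed.
"""
import base64
import re

ENCODED_PARAM = "encodedcommand"
WINDOW_PARAM = "windowstyle"
HIDDEN_VALUES = {"1", "hidden"}  # -WindowStyle takes the enum name or its number


def _is_switch(token, parameter):
    """powershell.exe accepts any unambiguous prefix of a parameter name, so -e,
    -ec, -enc and -EncodedCommand all mean EncodedCommand (and -w WindowStyle)."""
    return token.startswith("-") and len(token) > 1 and parameter.startswith(token[1:].lower())


def decode_encoded_command(b64):
    """-EncodedCommand carries Base64 of the script's UTF-16LE bytes."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def analyse_command_line(cmdline):
    """Pick the hidden-window and encoded-command switches out of a command line."""
    tokens = cmdline.split()
    info = {"hidden_window": False, "encoded": False, "script": None}
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if _is_switch(tok, WINDOW_PARAM) and nxt.lower() in HIDDEN_VALUES:
            info["hidden_window"] = True
        elif _is_switch(tok, ENCODED_PARAM) and nxt:
            info["encoded"] = True
            try:
                info["script"] = decode_encoded_command(nxt)
            except (ValueError, UnicodeDecodeError):
                info["script"] = None  # malformed payload, still worth a look
    return info


def triage_powershell_events(events):
    """Combine the post's two searches: PowerShell's own Warning-level script
    block detection, plus any message that launches powershell with -enc."""
    findings = []
    for ev in events:
        reasons, script = [], None
        if (ev.get("source_name") == "Microsoft-Windows-PowerShell"
                and ev.get("task") == "Execute a Remote Command"
                and ev.get("level") == "Warning"):
            reasons.append("script block flagged Warning by PowerShell")
        launch = re.search(r"powershell(?:\.exe)?\s.*", ev.get("message", ""), re.I | re.S)
        if launch:
            info = analyse_command_line(launch.group(0))
            if info["encoded"]:
                reasons.append("encoded command")
                script = info["script"]
                if info["hidden_window"]:
                    reasons.append("hidden window")
        if reasons:
            findings.append({"host": ev.get("Hostname"), "user": ev.get("user"),
                             "reasons": reasons, "script": script})
    return findings


# Constructed stand-in for the stager, encoded the way powershell.exe expects.
SCRIPT = "Write-Host 'constructed sample payload'"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {   # PowerShell's built-in suspicious-content check raised this 4104 to Warning
        "Hostname": "IT001.example.local", "user": "pgustavo",
        "source_name": "Microsoft-Windows-PowerShell", "level": "Warning",
        "task": "Execute a Remote Command",
        "message": "Creating Scriptblock text (1 of 1):\n" + SCRIPT,
    },
    {   # Hidden, encoded launch logged at Information: slips past level=Warning
        "Hostname": "IT001.example.local", "user": "pgustavo",
        "source_name": "Microsoft-Windows-PowerShell", "level": "Information",
        "task": "Execute a Remote Command",
        "message": f"powershell.exe -noP -sta -w 1 -enc {ENCODED}",
    },
    {   # Routine script launch with a readable command line: nothing to flag
        "Hostname": "IT002.example.local", "user": "svc_inventory",
        "source_name": "Microsoft-Windows-PowerShell", "level": "Information",
        "task": "Execute a Remote Command",
        "message": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    },
]

if __name__ == "__main__":
    for f in triage_powershell_events(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']}: {', '.join(f['reasons'])}")
        if f["script"]:
            print("  decoded:", f["script"])
```

The second sample event is the important one: it is logged at Information, so the level=Warning search never sees it, but the encoded, hidden launch is caught by inspecting the command line instead. In production you would feed the decoded script back through the same suspicious-content checks rather than stop at "encoded".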

Conclusion

And there you have it! Now we are completely safe from all of our attackers (joking). Of course, this is only one way of defending against attackers, and only a small portion of techniques were covered with very simple searches, but researching these aspects is nevertheless crucial to a strong defence. Additionally, in a real-world situation you would need to collect the logs yourself (Sysmon and PowerShell script block logging on your endpoints, forwarded to your SIEM) rather than use these pre-recorded data sets, but this method is great for honing your threat hunting skills and improving your understanding of the various threats out there.

Resources

  • MITRE ATT&CK — Knowledge base of adversary tactics and techniques, widely used for threat modelling; covers groups (APTs), techniques, tactics, data sources, etc.
  • Mordor — A project that provides a number of pre-recorded JSON data sets of security events captured while simulating specific techniques, all mapped to MITRE ATT&CK. In this blog I used the Credential Dumping data set and the PowerShell data set.
  • ATT&CK Navigator — Tool for creating heat maps based on MITRE ATT&CK. It can load the JSON layer files created by DeTT&CT.
  • DeTT&CT — Used to generate Navigator layer files from various inputs. In this blog the group function was used to generate a heat map from a select few APTs and their techniques.
  • CyberChef — Used to decode the Base64/UTF-16LE PowerShell strings. This tool has a tonne of options for decoding and encoding.
  • Splunk Enterprise — Popular SIEM tool used here for ingesting data and searching for specific events. Not strictly required if you are following along, but hugely useful!
