The MITRE ATT&CK framework is a set of known Tactics, Techniques, and Procedures (TTPs) that have been used by adversaries to achieve their objectives. Defenders can use the framework to measure and improve their detection capabilities so they can be better prepared when for a real-world attack.
The MITRE website describes the framework in the following way:
MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.
In April, MITRE released an update for the MITRE ATT&CK framework. This update included several new 23 additional new techniques, which increased the total from 188 to 219. The previous release in January 2018 included 19 new techniques.
One of the major changes was the addition of the initial access category into the ATT&CK framework. This includes several include several TTPs including:
This release includes 23 new TTPs. The increase in quantity and speed demonstrates a commitment to expanding the usage of the framework by MITRE and contributors from the security community. We are excited that we could contribute many TTPs to this release. This included 3 new TTPs ( T1208, T1218 and T1216). Our team regular performs security assessments for Fortune 500 clients and we wanted to make sure that our top attack vectors included the ATT&CK framework. Our goal is to ensure that defenders have everything they need to understand these attacks.
Kerberoasting is an attack that can be used to escalate privileges to perform lateral movement and/or maintain persistence. An attacker that has gained access to a system which can communicate with the domain can request Kerberos tickets for the service accounts that are set up as service principal names. The Kerberos tickets can be cracked offline which provide the credentials for the service account. Often these credentials are privileged and don’t expire. This is a very stealthy attack that should be a focus for blue-teams.
The Windows operating system includes many binaries. These binaries can be used by users and system administrators as well as attackers. The usage of signed Microsoft binaries is challenging since the attacker isn’t dropping new malware on the endpoint but are instead leveraging the existing functionality to achieve their objectives. One example of this is using SyncAppvPublishingServe.exe. SyncAppvPublishingServe is a utility that enables attackers to execute PowerShell code without powershell.exe. Therefore, if a blue-team has disabled powershell.exe attackers can still utilize SyncAppvPublishingServe to execute PowerShell code on endpoints. It can also be used used to bypass more advanced controls such as Constrained Language Mode and Device Guard.
Windows also contain many scripts that be used by used by attackers malicious. Not as common as binaries, but there are still several scripts included even on a fully patched Windows 10 system. These scripts can be used to perform malicious functionality bypass application whitelisting, download and execute malicious code and/or get around command-line logging functionality.
One example of this is pubprn.vbs This script can be used to execute local or remote content using cscript. This method has been used by APT groups such as APT32.
In summary, the release increased the number of TTPs from 188 to 219. We are excited that MITRE has continued to allocate resources behind MITRE ATT&CK. At Praetorian, we use the framework to help clients understand where they should focus their efforts to improve their detection capabilities. We look forward to working with MITRE in the future and seeing the ATT&CK framework continue to grow and evolve in the future!