Eviction - THM
Last updated
Sunny is a SOC analyst at E-corp, which manufactures rare earth metals for government and non-government clients. She receives a classified intelligence report that informs her that an APT group (APT28) might be trying to attack organizations similar to E-corp. To act on this intelligence, she must use the MITRE ATT&CK Navigator to identify the TTPs used by the APT group, to ensure it has not already intruded into the network, and to stop it if it has.
1.1. What is a technique used by the APT to both perform recon and gain initial access?
The MITRE ATT&CK Navigator layer highlighting APT28's TTPs looks like this:
Under the Reconnaissance tactic column, the 'Phishing for Information' technique has its 'Spearphishing Link' sub-technique highlighted, so the APT uses spearphishing links to perform reconnaissance.
According to the MITRE ATT&CK framework, spearphishing with a link (sub-technique T1566.002) is a specific variant of spearphishing. In this method, adversaries send emails containing malicious links instead of attachments. These links are designed to download malware or exploit vulnerabilities when clicked by the recipient.
In the context of reconnaissance (tactic TA0043), adversaries use spearphishing links to gather information about their targets. This can involve social engineering techniques to pose as a trusted source, encouraging the target to click the link. Once clicked, the link may lead to a compromised website or prompt the user to download malicious files, thereby gaining access to the victim's system.
Spearphishing Link
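How Sunny's Navigator step can be reproduced from an exported layer file, as an added example that is not part of the room or this writeup: it reads the JSON a Navigator export produces, groups techniques by tactic, and finds the technique name that appears under both reconnaissance and initial access. The layer contents and the NAMES lookup are constructed here; a real export carries technique IDs only.

```python
import json
from collections import defaultdict

# Constructed sample ATT&CK Navigator layer: same "techniques" array shape as a real
# export from the Navigator UI, but NOT APT28's actual layer; technique IDs are real.
SAMPLE_LAYER = json.dumps({
    "name": "constructed sample layer",
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1598.003", "tactic": "reconnaissance", "score": 1},
        {"techniqueID": "T1566.002", "tactic": "initial-access", "score": 1},
        {"techniqueID": "T1586.002", "tactic": "resource-development", "score": 1},
        {"techniqueID": "T1204.002", "tactic": "execution", "score": 1},
        {"techniqueID": "T1547.001", "tactic": "persistence", "score": 1},
        {"techniqueID": "T1547.001", "tactic": "privilege-escalation", "score": 1},
        {"techniqueID": "T1040", "tactic": "discovery", "score": 0},  # score 0 = not used
    ],
})

# Hand-built subset of ATT&CK technique names; a layer export carries IDs only.
NAMES = {
    "T1598.003": "Spearphishing Link", "T1566.002": "Spearphishing Link",
    "T1586.002": "Email Accounts", "T1204.002": "Malicious File",
    "T1547.001": "Registry Run Keys / Startup Folder", "T1040": "Network Sniffing",
}

def techniques_by_tactic(layer_text):
    """Map tactic -> sorted technique IDs, keeping only entries scored above 0."""
    by_tactic = defaultdict(set)
    for entry in json.loads(layer_text)["techniques"]:
        if entry.get("score", 0) > 0:
            by_tactic[entry["tactic"]].add(entry["techniqueID"])
    return {tactic: sorted(ids) for tactic, ids in by_tactic.items()}

def shared_names(layer_text, *tactics):
    """Technique names present under every listed tactic. Matching is by name, not
    ID, because the same name can carry a different ID per tactic (Spearphishing
    Link is T1598.003 under reconnaissance and T1566.002 under initial access)."""
    by_tactic = techniques_by_tactic(layer_text)
    name_sets = [{NAMES.get(t, t) for t in by_tactic.get(tac, [])} for tac in tactics]
    return set.intersection(*name_sets) if name_sets else set()

if __name__ == "__main__":
    for tactic, ids in techniques_by_tactic(SAMPLE_LAYER).items():
        print(f"{tactic:22} {', '.join(NAMES.get(i, i) for i in ids)}")
    print("recon AND initial access:",
          shared_names(SAMPLE_LAYER, "reconnaissance", "initial-access"))
```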
1.2. Sunny identified that the APT might have moved forward from the recon phase. Which accounts might the APT compromise while developing resources?
From the navigator, we can see that Email Accounts is highlighted as the APT's sub-technique for Resource Development.
MITRE ATT&CK's sub-technique T1586.002, "Compromise Accounts: Email Accounts," involves adversaries compromising email accounts to further their operations. These compromised accounts can be used for activities such as phishing, sending spam, or acquiring infrastructure like domains. Methods to compromise email accounts include phishing for credentials, purchasing credentials from third-party sites, brute forcing, or paying insiders for access.
Email accounts
1.3. E-corp has found that the APT might have gained initial access using social engineering to make the user execute code for the threat actor. Sunny wants to identify if the APT was also successful in execution. What two techniques of user execution should Sunny look out for? (Answer format: <technique 1> and <technique 2>)
MITRE ATT&CK's sub-technique T1204.001, "User Execution: Malicious Link," involves adversaries tricking users into clicking on malicious links, often through social engineering, leading to code execution or further exploitation. Sub-technique T1204.002, "User Execution: Malicious File," involves adversaries deceiving users into opening malicious files, typically delivered via spearphishing attachments, to execute harmful code. Both techniques rely heavily on user interaction to initiate the attack.
Malicious file and malicious link
1.4. If the above technique was successful, which scripting interpreters should Sunny search for to identify successful execution? (Answer format: <technique 1> and <technique 2>)
MITRE ATT&CK's sub-technique T1059.001, "Command and Scripting Interpreter: PowerShell," involves adversaries using PowerShell to execute commands and scripts, often for tasks like discovery and code execution. Sub-technique T1059.003, "Command and Scripting Interpreter: Windows Command Shell," involves adversaries leveraging the Windows Command Shell to run commands and scripts, enabling them to interact with the system and perform various malicious activities. Both techniques exploit built-in scripting environments to facilitate their operations.
Powershell and Windows Command shell
1.5. While looking at the scripting interpreters identified in Q4, Sunny found some obfuscated scripts that changed the registry. Assuming these changes are for maintaining persistence, which registry keys should Sunny observe to track these changes?
MITRE ATT&CK's sub-technique T1547.001, "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder," involves adversaries achieving persistence by adding programs to startup folders or referencing them with Registry run keys. This ensures the programs are executed automatically when a user logs in, running with the user's permissions. This method allows adversaries to maintain access and potentially elevate privileges on compromised systems.
Registry run keys
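One way to turn the Run key guidance into a check over endpoint telemetry, as an added example that is not part of the room or this writeup: it triages Sysmon Event ID 13 (registry value set) records, keeps every write under CurrentVersion\Run or RunOnce, and flags the ones where the value points at a user-writable path or the writer is a scripting host, which is the pattern the obfuscated scripts from 1.5 would leave. The events, paths and SID are constructed.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent, value set) records in the field
# layout a SIEM would show after parsing; not telemetry from the room.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "Details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\sunny\\AppData\\Roaming\\upd.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Setup",
     "Details": "C:\\Users\\sunny\\AppData\\Local\\Temp\\setup.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Run and RunOnce under CurrentVersion, in either the machine or a user hive.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Locations a standard user can write to: a common home for dropped payloads.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE)
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")

def triage_run_key_writes(events):
    """Return (event, reasons) for every EID 13 write to a Run/RunOnce key. An empty
    reasons list means a Run key write with nothing else odd about it."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
            continue
        reasons = []
        if USER_WRITABLE.search(ev.get("Details", "")):
            reasons.append("value points to a user-writable path")
        if ev.get("Image", "").lower().endswith(SCRIPT_HOSTS):
            reasons.append("written by a scripting host")
        findings.append((ev, reasons))
    return findings

def suspicious_run_key_writes(events):
    """Only the Run key writes that have at least one reason to look closer."""
    return [(ev, reasons) for ev, reasons in triage_run_key_writes(events) if reasons]

if __name__ == "__main__":
    for ev, reasons in suspicious_run_key_writes(SAMPLE_EVENTS):
        print(ev["TargetObject"], "->", ev["Details"], "|", "; ".join(reasons))
```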
1.6. Sunny identified that the APT executes system binaries to evade defences. Which system binary's execution should Sunny scrutinize for proxy execution?
MITRE ATT&CK's sub-technique T1218.011, "System Binary Proxy Execution: Rundll32," involves adversaries abusing the rundll32.exe utility to execute malicious code. By using rundll32.exe, adversaries can proxy the execution of DLLs and scripts, often bypassing security defenses that may not monitor this trusted binary. This technique allows for the execution of malicious payloads while evading detection.
Rundll32
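A check for the rundll32 proxy-execution pattern over process-creation telemetry, as an added example that is not part of the room or this writeup: it parses the module argument out of each rundll32 command line from Sysmon Event ID 1 records and flags launches with no module, a module outside the Windows directory, or an Office or scripting-host parent. The events and paths are constructed, and the parent list is an assumption tuned for this sample.

```python
import re

# Constructed Sysmon Event ID 1 (process create) records; not telemetry from the room.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\sunny\\AppData\\Local\\Temp\\inv.dll\",Start"},
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "rundll32.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
]

# rundll32 itself (optionally quoted, with or without a path) followed by its arguments.
RUNDLL = re.compile(r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s*(?P<rest>.*)$', re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^[A-Z]:\\Windows\\", re.IGNORECASE)
# Parents that rarely have a legitimate reason to spawn rundll32 directly (assumption).
ODD_PARENTS = ("winword.exe", "excel.exe", "outlook.exe", "powershell.exe", "cmd.exe", "wscript.exe")

def module_argument(cmdline):
    """The module (DLL) path rundll32 was asked to load, or None if absent."""
    m = RUNDLL.match(cmdline)
    if not m or not m.group("rest").strip():
        return None
    rest = m.group("rest").lstrip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return re.split(r"[,\s]", rest, maxsplit=1)[0]

def triage_rundll32(events):
    """(event, reasons) for each rundll32 launch; empty reasons = looks routine."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\rundll32.exe"):
            continue
        reasons, module = [], module_argument(ev.get("CommandLine", ""))
        if module is None:
            reasons.append("no module argument")
        elif not WINDOWS_DIR.match(module):
            reasons.append("module outside the Windows directory")  # relative paths count too
        if ev.get("ParentImage", "").lower().endswith(ODD_PARENTS):
            reasons.append("spawned by an Office app or scripting host")
        findings.append((ev, reasons))
    return findings
```

Launches with an empty reasons list are the routine shell32/control-panel style invocations that make up most rundll32 activity; the ones with reasons are where Sunny's review time goes.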
1.7. Sunny identified tcpdump on one of the compromised hosts. Assuming this was placed there by the threat actor, which technique might the APT be using here for discovery?
MITRE ATT&CK's technique T1040, "Network Sniffing," involves adversaries passively capturing network traffic to gather information about an environment, including authentication credentials and other sensitive data. This can be achieved by placing a network interface into promiscuous mode or using span ports to capture a larger amount of data. Network sniffing can reveal configuration details, such as running services and IP addresses, which can be used for further attacks.
Network sniffing
1.8. It looks like the APT achieved lateral movement by exploiting remote services. Which remote services should Sunny observe to identify APT activity traces?
MITRE ATT&CK's sub-technique T1021.002, "Remote Services: SMB/Windows Admin Shares," involves adversaries using valid accounts to interact with remote network shares via the Server Message Block (SMB) protocol. This allows them to perform actions as the logged-on user, such as transferring files, executing binaries, and moving laterally within a network. SMB is commonly used for file and printer sharing on Windows networks, and adversaries can exploit it to gain unauthorized access and control.
SMB/Windows Admin shares
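One way to hunt for the SMB admin-share traces Sunny is told to look for, as an added example that is not part of the room or this writeup: it takes Windows Security Event 5140 (network share accessed) records collected from several hosts, keeps only ADMIN$ and drive-letter shares, and groups them by source address and account so that one source fanning out to many hosts stands out. Hostnames, addresses and accounts are constructed.

```python
import re
from collections import defaultdict

# Constructed Windows Security Event 5140 (network share object accessed) records as
# collected from several hosts; not telemetry from the room.
SAMPLE_EVENTS = [
    {"EventID": 5140, "Computer": "WS01.ecorp.local", "SubjectUserName": "sunny",
     "IpAddress": "10.10.5.23", "ShareName": "\\\\*\\Users"},
    {"EventID": 5140, "Computer": "WS01.ecorp.local", "SubjectUserName": "svc_backup",
     "IpAddress": "10.10.5.200", "ShareName": "\\\\*\\ADMIN$"},
    {"EventID": 5140, "Computer": "WS02.ecorp.local", "SubjectUserName": "svc_backup",
     "IpAddress": "10.10.5.200", "ShareName": "\\\\*\\C$"},
    {"EventID": 5140, "Computer": "FS01.ecorp.local", "SubjectUserName": "svc_backup",
     "IpAddress": "10.10.5.200", "ShareName": "\\\\*\\IPC$"},
    {"EventID": 5140, "Computer": "FS01.ecorp.local", "SubjectUserName": "jdoe",
     "IpAddress": "10.10.5.41", "ShareName": "\\\\*\\ADMIN$"},
    {"EventID": 4624, "Computer": "FS01.ecorp.local", "SubjectUserName": "jdoe",
     "IpAddress": "10.10.5.41"},  # different event, ignored
]

# ADMIN$ and drive shares (C$, D$, ...). IPC$ is left out: it is touched by almost
# every SMB session and would drown the signal.
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(ADMIN\$|[A-Z]\$)$", re.IGNORECASE)

def admin_share_sessions(events):
    """Group admin-share accesses by (source IP, user) -> sorted list of hosts reached."""
    sessions = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 5140 or not ADMIN_SHARE.match(ev.get("ShareName", "")):
            continue
        sessions[(ev["IpAddress"], ev["SubjectUserName"])].add(ev["Computer"])
    return {src: sorted(hosts) for src, hosts in sessions.items()}

def lateral_movement_candidates(events, min_hosts=2):
    """Sources that reached admin shares on at least min_hosts distinct hosts:
    the fan-out pattern lateral movement over SMB leaves behind."""
    return {src: hosts for src, hosts in admin_share_sessions(events).items()
            if len(hosts) >= min_hosts}

if __name__ == "__main__":
    for (ip, user), hosts in lateral_movement_candidates(SAMPLE_EVENTS).items():
        print(f"{user}@{ip} reached admin shares on: {', '.join(hosts)}")
```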
1.9. It looked like the primary goal of the APT was to steal intellectual property from E-corp's information repositories. Which information repository can be the likely target of the APT?
MITRE ATT&CK's sub-technique T1213.002, "Data from Information Repositories: SharePoint," involves adversaries leveraging SharePoint repositories to mine valuable information. SharePoint often contains critical data such as network diagrams, system documentation, and credentials, which can help adversaries understand the internal structure and functionality of the target network. By accessing and extracting this information, adversaries can further their objectives and plan subsequent attacks.
Sharepoint
1.10. Although the APT had collected the data, it could not connect to the C2 for data exfiltration. To thwart any attempts to do that, what types of proxy might the APT use? (Answer format: <technique 1> and <technique 2>)
MITRE ATT&CK's sub-technique T1090.002, "Proxy: External Proxy," involves adversaries using external proxies to relay network communications, masking the destination of command and control (C2) traffic and avoiding direct connections to their infrastructure. Sub-technique T1090.003, "Proxy: Multi-hop Proxy," involves chaining multiple proxies together to further obscure the source of malicious traffic, making it difficult for defenders to trace the origin. Both techniques enhance the adversaries' ability to evade detection and maintain persistent access.
External proxy and multi-hop proxy