Test your SecOps against MITRE ATT&CK
- Validate performance against leading threats
- Operationalize threat intelligence and reduce risk with each of your investments
- Fill out our form to get a free trial of SightGain’s platform
“SightGain actually tests your current or proposed solutions against the threats you face. The results show a ‘nutrition label’ with empiric evidence to enable fast decision making with supporting data.”
“SightGain proactively identifies gaps in your security portfolio and then enables us to evaluate the alternative investments that work the best for our context.”
“The key advantage of SightGain is all levels of the organization can actually see and measure individual Cyber Defender capabilities, skills, training, and learning progress.”
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, macOS and Linux distributions include some flavor of Unix shell, while Windows installations include the Windows Command Shell and PowerShell.
One such adversary, FIN6, has used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files. Another adversary, FIN5, scans processes on all victim systems in the environment and uses automated scripts to pull back the results.
Adversaries may bypass process- and/or signature-based defenses by proxying the execution of malicious content through signed or otherwise trusted binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have either been downloaded from Microsoft or are already native to the operating system. Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft-signed binaries that are present by default on Windows installations can be used to proxy the execution of other files or commands.
LNK files used by Lazarus Group for persistence have abused the Windows Update Client (wuauclt.exe) to execute a malicious DLL. The Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau. The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta.
Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM). Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS. An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement.
FIN8’s malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC for lateral movement as well as during and post-compromise cleanup activities.
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
One such adversary, PinchDuke, steals credentials from compromised hosts. PinchDuke’s credential-stealing functionality is believed to be based on the source code of the Pinch credential-stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources, such as the WinInet Credential Cache and Lightweight Directory Access Protocol (LDAP). Another adversary, APT28, regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.
Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as FTP. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer). Files can also be transferred using various Web Services as well as native or otherwise present tools on the victim system.
FIN7 has downloaded additional malware to execute on the victim’s machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.
More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.
InvisiMole can inject itself into another process to avoid detection including the use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure.
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system. Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to System Binary Proxy Execution, adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.
Lokibot’s second stage DLL has set a timer using “timeSetEvent” to schedule its next execution.
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Most of the strings in ADVSTORESHELL are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory.
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.
Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account.
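As an added example (not part of this page or any vendor's product), a toy triage pass over constructed Sysmon-style process-creation events that flags two of the behaviours described above: the WMI provider host spawning a command interpreter (the WMI passage) and a system utility renamed on disk (the masquerading passage). The event field names, the sample paths and the `T1047`/`T1036` labels are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
import ntpath

@dataclass(frozen=True)
class ProcEvent:
    """Sysmon-style process-creation event (field names are assumptions)."""
    image: str               # path of the new process on disk
    original_file_name: str  # OriginalFileName from the PE version resource
    parent_image: str        # path of the parent process
    command_line: str

# Windows command and script interpreters named in the page.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def basename(path: str) -> str:
    # ntpath handles Windows paths on any host; compare case-insensitively.
    return ntpath.basename(path).lower()

def wmi_spawned_interpreter(ev: ProcEvent) -> bool:
    """T1047: the WMI provider host launching a shell, as in the FIN8 tradecraft."""
    return basename(ev.parent_image) == "wmiprvse.exe" and basename(ev.image) in INTERPRETERS

def renamed_binary(ev: ProcEvent) -> bool:
    """T1036: on-disk name differs from the name compiled into the binary.
    Some legitimate installers also differ here, so tune with an allowlist."""
    ofn = ev.original_file_name.lower()
    return bool(ofn) and ofn != basename(ev.image)

def triage(events):
    """Return (technique, image, evidence) tuples for every rule that fires."""
    findings = []
    for ev in events:
        if wmi_spawned_interpreter(ev):
            findings.append(("T1047", ev.image, ev.parent_image))
        if renamed_binary(ev):
            findings.append(("T1036", ev.image, ev.original_file_name))
    return findings

# Constructed sample events, not real telemetry.
SAMPLE = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd.exe /c ipconfig"),
    ProcEvent(r"C:\Users\Public\svc.exe", "Cmd.Exe",
              r"C:\Windows\explorer.exe", "svc.exe /c dir"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
              r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Both rules are parent/child and metadata checks only; in production they would be correlated with the DCOM (135) or WinRM (5985/5986) network activity the WMI passage describes before being treated as high confidence.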
Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.
Denis replaces the nonexistent Windows DLL “msfte.dll” with its own malicious version, which is loaded by SearchIndexer.exe and SearchProtocolHost.exe.