Joshua Abraham, Praetorian – Enterprise Security Weekly #135

    Josh Abraham is in studio! He is a Staff Engineer at Praetorian, and he is going to talk about the MITRE ATT&CK framework for defenders! Why Praetorian Benchmarks to MITRE ATT&CK: https://p16.praetorian.com/blog/why-praetorian-benchmarks-to-mitre-attack Full Show Notes: Visit https://securityweekly.com/esw for all the latest episodes!
The post Joshua Abraham, Praetorian – Enterprise Security Weekly #135 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/0ZoANLrPCGA/

Invoke-ATTACKAPI – A PowerShell Script To Interact With The MITRE ATT&CK Framework Via Its Own API

A PowerShell script to interact with the MITRE ATT&CK Framework via its own API in order to gather information about techniques, tactics, groups, software and references provided by the MITRE ATT&CK Team @MITREattack.

Goals

- Provide an easy way to interact with the MITRE ATT&CK Framework via its own API and PowerShell to the community.
- Expedite the acquisition of data from ATT&CK when preparing for a Hunting Campaign.
- Learn PowerShell Dynamic Parameters :)

Getting Started

Requirements: PowerShell version 3+

Installing / Importing:

    git clone https://github.com/Cyb3rWard0g/Invoke-ATTACKAPI.git
    cd Invoke-ATTACKAPI
    Import-Module .\Invoke-ATTACKAPI.ps1

Importing the module prints the ATT&CK API banner and then:

    V.0.9[BETA] Adversarial Tactics, Techniques & Common Knowledge API
    [*] Author: Roberto Rodriguez @Cyb3rWard0g
    [++] Pulling MITRE ATT&CK Data

Examples

This query matches all techniques:

    Invoke-ATTACKAPI -Category -Technique

    ID                  : {T1001}
    Bypass              : {}
    Contributor         : {}
    Requires System     : {}
    Data Source         : {Packet capture, Process use of network, Process monitoring, Network protocol analysis}
    Description         : {Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, commingling legitimate traffic with C2 communications traffic, or using a non-standard data encoding system, such as a modified Base64 encoding for the message body of an HTTP request.}
    Mitigation          : {Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]}
    Tactic              : Command and Control
    Analytic Details    : {Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[[CiteRef::University of Birmingham C2]]}
    TechniqueName       : {Data Obfuscation}
    FullText            : Technique/T1001
    Link Text           : {[[Technique/T1001|Data Obfuscation]]}
    Reference           : {University of Birmingham C2, FireEye APT28, Axiom, FireEye APT30…}
    Platform            : {Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP…}
    Name                : {Data Obfuscation}
    CAPEC ID            : {}
    Requires Permission : {}
    URL                 : https://attack.mitre.org/wiki/Technique/T1001

    …

    ID                  : {T1068}
    Bypass              : {Anti-virus, System access controls}
    Contributor         : {John Lambert, Microsoft Threat Intelligence Center}
    Requires System     : {Unpatched software or otherwise vulnerable target. Depending on the target and goal, the system and exploitable service may need to be remotely accessible from the internal network. In the case of privilege escalation, the adversary likely already has user permissions on the target system.}
    Data Source         : {Windows Error Reporting, File monitoring, Process monitoring}
    Description         : {Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Exploiting software vulnerabilities may allow adversaries to run a command or binary on a remote system for lateral movement, escalate a current process to a higher privilege level, or bypass security mechanisms. Exploits may also allow an adversary access to privileged accounts and credentials. One example of this is MS14-068, which can be used to forge Kerberos tickets using domain user permissions.[[CiteRef::Technet MS14-068]][[CiteRef::ADSecurity Detecting Forged Tickets]]}
    Mitigation          : {Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, virtualization, and exploit prevention tools such as the Microsoft Enhanced Mitigation Experience Toolkit.[[CiteRef::SRD EMET]]}
    Tactic              : {Credential Access, Defense Evasion, Lateral Movement, Privilege Escalation}
    Analytic Details    : {Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Software and operating system crash reports may contain useful contextual information about attempted exploits that correlate with other malicious activity. Exploited processes may exhibit behavior that is unusual for the specific process, such as spawning additional processes or reading and writing to files.}
    TechniqueName       : {Exploitation of Vulnerability}
    FullText            : Technique/T1068
    Link Text           : {[[Technique/T1068|Exploitation of Vulnerability]]}
    Reference           : {ADSecurity Detecting Forged Tickets, Bitdefender APT28 Dec 2015, ESET Sednit July 2015, ESET Sednit Part 1…}
    Platform            : {Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP…}
    Name                : {Exploitation of Vulnerability}
    CAPEC ID            : {69}
    Requires Permission : {User, Administrator, SYSTEM}
    URL                 : https://attack.mitre.org/wiki/Technique/T1068

This query matches the Technique page with ID T1014:

    Invoke-ATTACKAPI -Category -Technique -ID T1014

    ID                  : {T1014}
    Bypass              : {Anti-virus, File monitoring, Host intrusion prevention systems, Process whitelisting…}
    Contributor         : {}
    Requires System     : {}
    Data Source         : {BIOS, MBR, System calls}
    Description         : {Rootkits are programs that hide the existence of malware by intercepting and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a [[Technique/T1062|Hypervisor]], Master Boot Record, or the [[Technique/T1019|System Firmware]].[[CiteRef::Wikipedia Rootkit]] Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.}
    Mitigation          : {Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]}
    Tactic              : Defense Evasion
    Analytic Details    : {Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR.[[CiteRef::Wikipedia Rootkit]]}
    TechniqueName       : {Rootkit}
    FullText            : Technique/T1014
    Link Text           : {[[Technique/T1014|Rootkit]]}
    Reference           : {Wikipedia Rootkit, Beechey 2010, Windows Commands JPCERT, NSA MS AppLocker…}
    Platform            : {Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP…}
    Name                : {Rootkit}
    CAPEC ID            : {}
    Requires Permission : {Administrator, SYSTEM}
    URL                 : https://attack.mitre.org/wiki/Technique/T1014

This query matches all groups that use a specific piece of software (in this case Cobalt Strike). The -Tool value takes the form "Software: " followed by the software name:

    Invoke-ATTACKAPI -Category -Group -Tool 'Software: Cobalt Strike'

    Tool          : {Software: Cobalt Strike, Software: KOMPROGO, Software: WINDSHIELD, Software: SOUNDBITE…}
    Alias         : {APT32, OceanLotus Group}
    ID            : {G0050}
    URL           : https://attack.mitre.org/wiki/Group/G0050
    TechniqueName : {Scheduled Task, Regsvr32, PowerShell, Custom Command and Control Protocol…}
    FullText      : Group/G0050
    Reference     : {FireEye APT32 May 2017, GitHub Malleable C2, GitHub Invoke-Obfuscation}
    Link Text     : {[[Group/G0050|APT32]]}
    Name          : {APT32}
    Description   : {[[Group/G0050|APT32]] is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists. The group's operations are aligned with Vietnamese state interests.[[CiteRef::FireEye APT32 May 2017]]}
    TechniqueID   : {Technique/T1053, Technique/T1117, Technique/T1086, Technique/T1094…}
    Display Title : Group: APT32, OceanLotus Group

[BETA] Exporting custom results to a CSV:

    Invoke-ATTACKAPI -Category -Technique |
        Where-Object -Property ID -GE "T1134" |
        Select-Object @{Name="Name"; Expression={$_.Name -join ","}},
            @{Name="Tactic"; Expression={$_.Tactic -join ","}},
            @{Name="ID"; Expression={$_.ID -join ","}},
            @{Name="Description"; Expression={$_.Description -join ","}},
            @{Name="Analytic details"; Expression={$_.'Analytic Details' -join ","}},
            @{Name="Data Source"; Expression={$_.'Data Source' -join ","}} |
        Export-Csv F:\wardog\scripts\demo6.csv -NoTypeInformation

Showing an up to date ATT&CK Matrix for Enterprise (Format-Table cuts the output at the console width, so only the first seven of the ten selected columns appear below):

    Invoke-ATTACKAPI -Matrix |
        Select-Object Persistence, 'Privilege Escalation', 'Defense Evasion', 'Credential Access', Discovery,
            'Lateral Movement', Execution, Collection, Exfiltration, 'Command and Control' |
        Format-Table

    Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution
    ----------- | -------------------- | --------------- | ----------------- | --------- | ---------------- | ---------
    .bash_profile and .bashrc | Access Token Manipulation | Access Token Manipulation | Account Manipulation | Account Discovery | AppleScript | AppleScript
    Accessibility Features | Accessibility Features | Binary Padding | Bash History | Application Window Discovery | Application Deployment Software | Application Shimming
    AppInit DLLs | AppInit DLLs | Bypass User Account Control | Brute Force | File and Directory Discovery | Exploitation of Vulnerability | Command-Line Interface
    Application Shimming | Application Shimming | Clear Command History | Create Account | Network Service Scanning | Logon Scripts | Execution through API
    Authentication Package | Bypass User Account Control | Code Signing | Credential Dumping | Network Share Discovery | Pass the Hash | Execution through Mod…
    Bootkit | DLL Injection | Component Firmware | Credentials in Files | Peripheral Device Discovery | Pass the Ticket | Graphical User Interface
    Change Default File Association | DLL Search Order Hijacking | Component Object Model Hijacking | Exploitation of Vulnerability | Permission Groups Discovery | Remote Desktop Protocol | InstallUtil
    Component Firmware | Dylib Hijacking | Deobfuscate/Decode Files or Information | Input Capture | Process Discovery | Remote File Copy | Launchctl
    Component Object Model Hijacking | Exploitation of Vulnerability | Disabling Security Tools | Input Prompt | Query Registry | Remote Services | PowerShell
    Cron Job | File System Permissions Weakness | DLL Injection | Keychain | Remote System Discovery | Replication Through Removable Media | Process Hollowing
    DLL Search Order Hijacking | Launch Daemon | DLL Search Order Hijacking | Network Sniffing | Security Software Discovery | Shared Webroot | Regsvcs/Regasm
    Dylib Hijacking | Local Port Monitor | DLL Side-Loading | Private Keys | System Information Discovery | Taint Shared Content | Regsvr32
    External Remote Services | New Service | Exploitation of Vulnerability | Securityd Memory | System Network Configuration Discovery | Third-party Software | Rundll32
    File System Permissions Weakness | Path Interception | File Deletion | Two-Factor Authentication Interception | System Network Connections Discovery | Windows Admin Shares | Scheduled Task
    Hidden Files and Directories | Plist Modification | File System Logical Offsets |  | System Owner/User Discovery | Windows Remote Management | Scripting
    Hypervisor | Scheduled Task | Gatekeeper Bypass |  | System Service Discovery |  | Service Execution
    Launch Agent | Service Registry Permissions Weakness | Hidden Files and Directories |  | System Time Discovery |  | Source
    Launch Daemon | Setuid and Setgid | Hidden Users |  |  |  | Space after Filename
    Launchctl | Startup Items | Hidden Window |  |  |  | Third-party Software
    LC_LOAD_DYLIB Addition | Sudo | HISTCONTROL |  |  |  | Trap
    Local Port Monitor | Valid Accounts | Indicator Blocking |  |  |  | Trusted Developer Uti…
    Login Item | Web Shell | Indicator Removal from Tools |  |  |  | Windows Management In…
    Logon Scripts |  | Indicator Removal on Host |  |  |  | Windows Remote Manage…
    Modify Existing Service |  | Install Root Certificate |  |  |  |
    Netsh Helper DLL |  | InstallUtil |  |  |  |
    New Service |  | Launchctl |  |  |  |
    Office Application Startup |  | LC_MAIN Hijacking |  |  |  |
    Path Interception |  | Masquerading |  |  |  |
    Plist Modification |  | Modify Registry |  |  |  |
    Rc.common |  | Network Share Connection Removal |  |  |  |
    Redundant Access |  | NTFS Extended Attributes |  |  |  |
    Registry Run Keys / Start Folder |  | Obfuscated Files or Information |  |  |  |
    Re-opened Applications |  | Plist Modification |  |  |  |
    Scheduled Task |  | Process Hollowing |  |  |  |
    Security Support Provider |  | Redundant Access |  |  |  |
    Service Registry Permissions Weakness |  | Regsvcs/Regasm |  |  |  |
    Shortcut Modification |  | Regsvr32 |  |  |  |
    Startup Items |  | Rootkit |  |  |  |
    System Firmware |  | Rundll32 |  |  |  |
    Trap |  | Scripting |  |  |  |
    Valid Accounts |  | Software Packing |  |  |  |
    Web Shell |  | Space after Filename |  |  |  |
    Windows Management Instrumentation Event Subscription |  | Timestomp |  |  |  |
    Winlogon Helper DLL |  | Trusted Developer Utilities |  |  |  |
     |  | Valid Accounts |  |  |  |

Getting an up to date ATT&CK Matrix for Enterprise and exporting it to a CSV file:

    Invoke-ATTACKAPI -Matrix |
        Select-Object Persistence, 'Privilege Escalation', 'Defense Evasion', 'Credential Access', Discovery,
            'Lateral Movement', Execution, Collection, Exfiltration, 'Command and Control' |
        Export-Csv C:\wardog\scripts\matrix.csv -NoTypeInformation

Showing an up to date table of Groups/APTs with the techniques and tools attributed to them:

    Invoke-ATTACKAPI -Attribution | Format-Table

    Group | Group Alias | Group ID | Tactic | TechniqueName | TechniqueID | Tool
    ----- | ----------- | -------- | ------ | ------------- | ----------- | ----
    admin@338 | admin@338 | G0018 | Discovery | System Time Discovery | Technique/T1124 | Software: Net, net.exe
    admin@338 | admin@338 | G0018 | Defense Evasion | Network Share Connection Removal | Technique/T1126 | Software: Net, net.exe
    admin@338 | admin@338 | G0018 | Command and Control | Commonly Used Port | Technique/T1043 | Software: LOWBALL
    admin@338 | admin@338 | G0018 | {Command and Control, Lateral Movement} | Remote File Copy | Technique/T1105 | Software: LOWBALL
    admin@338 | admin@338 | G0018 | Discovery | System Network Connections Discovery | Technique/T1049 | Software: netstat, netstat.exe
    admin@338 | admin@338 | G0018 | Discovery | System Information Discovery | Technique/T1082 | Software: BUBBLEWRAP, Backdoor.APT…
    admin@338 | admin@338 | G0018 | Discovery | Account Discovery | Technique/T1087 |
    admin@338 | admin@338 | G0018 | Execution | Command-Line Interface | Technique/T1059 |
    admin@338 | admin@338 | G0018 | Discovery | System Service Discovery | Technique/T1007 |
    admin@338 | admin@338 | G0018 | Defense Evasion | Masquerading | Technique/T1036 |
    admin@338 | admin@338 | G0018 | Discovery | Remote System Discovery | Technique/T1018 | Software: Net, net.exe
    admin@338 | admin@338 | G0018 | Discovery | System Network Connections Discovery | Technique/T1049 | Software: Net, net.exe
    admin@338 | admin@338 | G0018 | Lateral Movement | Windows Admin Shares | Technique/T1077 | Software: Net, net.exe
    admin@338 | admin@338 | G0018 | {Defense Evasion, Privilege Escalation} | DLL Injection | Technique/T1055 | Software: PoisonIvy, Poison Ivy
    admin@338 | admin@338 | G0018 | Discovery | System Service Discovery | Technique/T1007 | Software: Net, net.exe
    admin@338 | admin@338 | G0018 | Discovery | Account Discovery | Technique/T1087 | Software: Net, net.exe
    admin@338 | admin@338 | G0018 | Command and Control | Standard Non-Application Layer Protocol | Technique/T1095 | Software: BUBBLEWRAP, Backdoor.APT…
    admin@338 | admin@338 | G0018 | Discovery | System Information Discovery | Technique/T1082 | Software: Systeminfo, systeminfo.exe
    admin@338 | admin@338 | G0018 | Credential Access | Create Account | Technique/T1136 | Software: Net, net.exe
    admin@338 | admin@338 | G0018 | Discovery | Permission Groups Discovery | Technique/T1069 |
    admin@338 | admin@338 | G0018 | Discovery | Network Share Discovery | Technique/T1135 | Software: Net, net.exe
    admin@338 | admin@338 | G0018 | Command and Control | Web Service | Technique/T1102 | Software: LOWBALL
    admin@338 | admin@338 | G0018 | Execution | Service Execution | Technique/T1035 | Software: Net, net.exe
    admin@338 | admin@338 | G0018 | Discovery | File and Directory Discovery | Technique/T1083 |
    admin@338 | admin@338 | G0018 | Discovery | Permission Groups Discovery | Technique/T1069 | Software: Net, net.exe
    admin@338 | admin@338 | G0018 | Discovery | System Network Connections Discovery | Technique/T1049 |
    admin@338 | admin@338 | G0018 | Discovery | System Information Discovery | Technique/T1082 |
    admin@338 | admin@338 | G0018 | Command and Control | Standard Application Layer Protocol | Technique/T1071 | Software: LOWBALL
    admin@338 | admin@338 | G0018 | Command and Control | Standard Cryptographic Protocol | Technique/T1032 | Software: PoisonIvy, Poison Ivy
    admin@338 | admin@338 | G0018 | {Collection, Credential Access} | Input Capture | Technique/T1056 | Software: PoisonIvy, Poison Ivy
    admin@338 | admin@338 | G0018 | Command and Control | Standard Application Layer Protocol | Technique/T1071 | Software: BUBBLEWRAP, Backdoor.APT…
    admin@338 | admin@338 | G0018 | Discovery | System Network Configuration Discovery | Technique/T1016 | Software: ipconfig, ipconfig.exe
    admin@338 | admin@338 | G0018 | Discovery | System Network Configuration Discovery | Technique/T1016 |
    APT1 | {APT1, Comment Crew, Comment Group, Comment Panda} | G0006 | Collection | Data from Local System | Technique/T1005 |
    APT1 | {APT1, Comment Crew, Comment Group, Comment Panda} | G0006 | Execution | Service Execution | Technique/T1035 | Software: xCmd
    APT1 | {APT1, Comment Crew, Comment Group, Comment Panda} | G0006 | Lateral Movement | Pass the Hash | Technique/T1075 | Software: Pass-The-Hash Toolkit
    APT1 | {APT1, Comment Crew, Comment Group, Comment Panda} | G0006 | Execution | Service Execution | Technique/T1035 | Software: Net, net.exe
    APT1 | {APT1, Comment Crew, Comment Group, Comment Panda} | G0006 | Discovery | Remote System Discovery | Technique/T1018 | Software: Net, net.exe
    APT1 | {APT1, Comment Crew, Comment Group, Comment Panda} | G0006 | Collection | Email Collection | Technique/T1114 |
    APT1 | {APT1, Comment Crew, Comment Group, Comment Panda} | G0006 | Lateral Movement | Pass the Hash | Technique/T1075 |

Showing an up to date table of the techniques and tools attributed to a Group/APT with Group ID G0046 (FIN7):

    Invoke-ATTACKAPI -Attribution | Where-Object -Property 'Group ID' -EQ 'G0046' | Format-Table

    Group | Group Alias | Group ID | Tactic | TechniqueName | TechniqueID | Tool | Description
    ----- | ----------- | -------- | ------ | ------------- | ----------- | ---- | -----------
    FIN7 | FIN7 | G0046 | Discovery | Process Discovery | Technique/T1057 | Software: HALFBAKED | {[[Software/S0151|HALFBAKED]] can obtain information about running processes on the victim.[[CiteRef::Fir…
    FIN7 | FIN7 | G0046 | Persistence | Registry Run Keys / Start Folder | Technique/T1060 |  | {[[Group/G0046|FIN7]] malware has created a Registry Run key pointing to its malicious LNK file to establ…
    FIN7 | FIN7 | G0046 | Discovery | Query Registry | Technique/T1012 | Software: POWERSOURCE, DNSMessenger | {[[Software/S0145|POWERSOURCE]] queries Registry keys in preparation for setting Run keys to achieve pers…
    FIN7 | FIN7 | G0046 | Persistence | Registry Run Keys / Start Folder | Technique/T1060 | Software: POWERSOURCE, DNSMessenger | {[[Software/S0145|POWERSOURCE]] achieves persistence by setting a Registry Run key, with the path dependi…
    FIN7 | FIN7 | G0046 | {Command and Control, Lateral Movement} | Remote File Copy | Technique/T1105 | Software: POWERSOURCE, DNSMessenger | {[[Software/S0145|POWERSOURCE]] has been observed being used to download [[Software/S0146|TEXTMATE]] and …
    FIN7 | FIN7 | G0046 | {Execution, Persistence, Privilege Escalation} | Application Shimming | Technique/T1138 |  | {[[Group/G0046|FIN7]] has used application shim databases for persistence.[[CiteRef::FireEye FIN7 Shim Da…
    FIN7 | FIN7 | G0046 | {Execution, Persistence, Privilege Escalation} | Scheduled Task | Technique/T1053 |  | {[[Group/G0046|FIN7]] malware has created scheduled tasks to establish persistence.[[CiteRef::FireEye FIN…
    FIN7 | FIN7 | G0046 | Command and Control | Standard Application Layer Protocol | Technique/T1071 | Software: Carbanak, Anunak | {The [[Software/S0030|Carbanak]] malware communicates to its command server using HTTP with an encrypted …
    FIN7 | FIN7 | G0046 | Collection | Screen Capture | Technique/T1113 | Software: HALFBAKED | {[[Software/S0151|HALFBAKED]] can obtain screenshots from the victim.[[CiteRef::FireEye FIN7 April 2017]]}
    FIN7 | FIN7 | G0046 | Command and Control | Standard Application Layer Protocol | Technique/T1071 | Software: POWERSOURCE, DNSMessenger | {[[Software/S0145|POWERSOURCE]] uses DNS TXT records for C2.[[CiteRef::FireEye FIN7 March 2017]][[CiteRef…
    FIN7 | FIN7 | G0046 | Execution | Windows Management Instrumentation | Technique/T1047 | Software: HALFBAKED | {[[Software/S0151|HALFBAKED]] can use WMI queries to gather system information.[[CiteRef::FireEye FIN7 Ap…
    FIN7 | FIN7 | G0046 | Command and Control | Standard Application Layer Protocol | Technique/T1071 | Software: TEXTMATE, DNSMessenger | {[[Software/S0146|TEXTMATE]] uses DNS TXT records for C2.[[CiteRef::FireEye FIN7 March 2017]]}
    FIN7 | FIN7 | G0046 | Discovery | System Information Discovery | Technique/T1082 | Software: HALFBAKED | {[[Software/S0151|HALFBAKED]] can obtain information about the OS, processor, and BIOS.[[CiteRef::FireEye…
    FIN7 | FIN7 | G0046 | {Collection, Credential Access} | Input Capture | Technique/T1056 | Software: Carbanak, Anunak | {[[Software/S0030|Carbanak]] contains keylogger functionality.[[CiteRef::Kaspersky Carbanak]]}
    FIN7 | FIN7 | G0046 | Command and Control | Standard Cryptographic Protocol | Technique/T1032 | Software: Carbanak, Anunak | {[[Software/S0030|Carbanak]] encrypts the message body of HTTP traffic with RC2 and Base64 encoding.[[Cit…
    FIN7 | FIN7 | G0046 | Execution | PowerShell | Technique/T1086 | Software: HALFBAKED | {[[Software/S0151|HALFBAKED]] can execute PowerShell scripts.[[CiteRef::FireEye FIN7 April 2017]]}
    FIN7 | FIN7 | G0046 | {Command and Control, Lateral Movement} | Remote File Copy | Technique/T1105 |  | {[[Group/G0046|FIN7]] uses a PowerShell script to launch shellcode that retrieves an additional payload.[…
    FIN7 | FIN7 | G0046 | Execution | PowerShell | Technique/T1086 | Software: POWERSOURCE, DNSMessenger | {[[Software/S0145|POWERSOURCE]] is a PowerShell backdoor.[[CiteRef::FireEye FIN7 March 2017]][[CiteRef::C…
    FIN7 | FIN7 | G0046 | Execution | PowerShell | Technique/T1086 |  | {[[Group/G0046|FIN7]] uses a PowerShell script to launch shellcode that retrieves an additional payload.[…
    FIN7 | FIN7 | G0046 | Defense Evasion | Masquerading | Technique/T1036 |  | {[[Group/G0046|FIN7]] has created a scheduled task named "AdobeFlashSync" to establish persistence.[[Cite…
    FIN7 | FIN7 | G0046 | Defense Evasion | Obfuscated Files or Information | Technique/T1027 | Software: POWERSOURCE, DNSMessenger | {If the victim is using PowerShell 3.0 or later, [[Software/S0145|POWERSOURCE]] writes its decoded payloa…
    FIN7 | FIN7 | G0046 | Defense Evasion | File Deletion | Technique/T1107 | Software: HALFBAKED | {[[Software/S0151|HALFBAKED]] can delete a specified file.[[CiteRef::FireEye FIN7 April 2017]]}
    FIN7 | FIN7 | G0046 | Execution | Command-Line Interface | Technique/T1059 | Software: TEXTMATE, DNSMessenger | {[[Software/S0146|TEXTMATE]] executes cmd.exe to provide a reverse shell to attackers.[[CiteRef::FireEye…

Getting an up to date table of Groups/APTs with the techniques and tools attributed to them and exporting it to a CSV file:

    Invoke-ATTACKAPI -Attribution |
        Select-Object Group, 'Group Alias', 'Group ID', Tactic, TechniqueName, TechniqueID, Tool,
            @{Name='Description'; Expression={$_.Description}}, 'Data Source' |
        Export-Csv -NoTypeInformation C:\Documents\ATTACK_Attribution.csv

Showing an up to date table with all the valuable information from the MITRE ATT&CK DB at once:

    Invoke-ATTACKAPI -All | Format-Table

    Tactic | TechniqueName | TechniqueID | Group | Group Alias | Group ID | Tool
    ------ | ------------- | ----------- | ----- | ----------- | -------- | ----
    Collection | Screen Capture | Technique/T1113 | APT28 | {APT28, Sednit, Sofacy, Pawn Storm…} | G0007 |
    Collection | Screen Capture | Technique/T1113 | APT28 | {APT28, Sednit, Sofacy, Pawn Storm…} | G0007 | Software: XAgentOSX
    Collection | Data from Local System | Technique/T1005 | APT1 | {APT1, Comment Crew, Comment Group, Comment Panda} | G0006 |
    Collection | Screen Capture | Technique/T1113 | Cleaver | {Cleaver, TG-2889, Threat Group 2889} | G0003 | Software: TinyZBot
    Collection | Screen Capture | Technique/T1113 | APT32 | {APT32, OceanLotus Group} | G0050 | Software: Cobalt Strike
    Collection | Screen Capture | Technique/T1113 | APT29 | {APT29, The Dukes, Cozy Bear} | G0016 | Software: CosmicDuke, TinyBaron,…
    Collection | Data Staged | Technique/T1074 | APT30 | APT30 | G0013 | Software: SPACESHIP
    Collection | Data from Local System | Technique/T1005 | Ke3chang | Ke3chang | G0004 |
    Collection | Data from Local System | Technique/T1005 | Lazarus Group | {Lazarus Group, HIDDEN COBRA, Guardians of Peace} | G0032 |
    Collection | Data from Local System | Technique/T1005 | APT29 | {APT29, The Dukes, Cozy Bear} | G0016 | Software: CosmicDuke, TinyBaron,…
    Collection | Data from Local System | Technique/T1005 | APT29 | {APT29, The Dukes, Cozy Bear} | G0016 | Software: PinchDuke
    Collection | Data from Local System | Technique/T1005 | APT30 | APT30 | G0013 | Software: FLASHFLOOD
    Collection | Screen Capture | Technique/T1113 | RTM | RTM | G0048 | Software: RTM
    Collection | Screen Capture | Technique/T1113 | MONSOON | {MONSOON, Operation Hangover} | G0042 | Software: BADNEWS
    Collection | Screen Capture | Technique/T1113 | menuPass | {menuPass, Stone Panda, APT10, Red Apollo…} | G0045 | Software: RedLeaves, BUGJUICE
    Collection | Email Collection | Technique/T1114 | APT29 | {APT29, The Dukes, Cozy Bear} | G0016 | Software: SeaDuke, SeaDaddy, Sea…
    Collection | Email Collection | Technique/T1114 | APT1 | {APT1, Comment Crew, Comment Group, Comment Panda} | G0006 |
    Collection | Screen Capture | Technique/T1113 | Sandworm Team | {Sandworm Team, Quedagh} | G0034 | Software: BlackEnergy, Black Energy
    Collection | Screen Capture | Technique/T1113 | FIN7 | FIN7 | G0046 | Software: HALFBAKED
    Collection | Screen Capture | Technique/T1113 | Dust Storm | Dust Storm | G0031 | Software: ZLib
    Collection | Screen Capture | Technique/T1113 | Dragonfly | {Dragonfly, Energetic Bear} | G0035 | Software: Trojan.Karagany
    Collection | Screen Capture | Technique/T1113 | menuPass | {menuPass, Stone Panda, APT10, Red Apollo…} | G0045 | Software: EvilGrab
    Collection | Screen Capture | Technique/T1113 | Group5 | Group5 | G0043 |
    Collection | Screen Capture | Technique/T1113 | Gamaredon Group | Gamaredon Group | G0047 | Software: Pteranodon
    Collection | Data Staged | Technique/T1074 | APT30 | APT30 | G0013 | Software: FLASHFLOOD

Getting an up to date table with all the valuable information from the MITRE ATT&CK DB at once and exporting it to a CSV file:

    Invoke-ATTACKAPI -All |
        Select-Object @{Name='Tactic'; Expression={$_.tactic -join ','}},
            @{Name='TechniqueName'; Expression={$_.techniquename -join ','}},
            techniqueID, group,
            @{Name='Group Alias'; Expression={$_.'Group alias' -join ','}},
            'Group ID',
            @{Name='Tool'; Expression={$_.Tool -join ','}},
            @{Name='Description'; Expression={$_.Description -join ','}},
            @{Name='Data Source'; Expression={$_.'Data Source' -join ','}},
            @{Name='Bypass'; Expression={$_.Bypass -join ','}},
            @{Name='Analytic Details'; Expression={$_.'Analytic Details' -join ','}},
            @{Name='Mitigation'; Expression={$_.Mitigation -join ','}},
            @{Name='Platform'; Expression={$_.Platform -join ','}},
            @{Name='Requires Permission'; Expression={$_.'Requires Permission' -join ','}},
            @{Name='Requires System'; Expression={$_.'Requires System' -join ','}},
            @{Name='CAPEC ID'; Expression={$_.'CAPEC ID' -join ','}},
            @{Name='Contributor'; Expression={$_.Contributor -join ','}},
            @{Name='URL'; Expression={$_.URL -join ','}} |
        Export-Csv -NoTypeInformation C:\\Downloads\ATTACK_ALL.csv

Author

Roberto Rodriguez @Cyb3rWard0g

Download Invoke-ATTACKAPI
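As an added example (not part of the Invoke-ATTACKAPI README or project), the following PowerShell builds on the -Attribution output to do the hunting-campaign preparation the Goals section describes: it ranks which ATT&CK data sources observe the most of a group's attributed techniques and lists the techniques none of your current telemetry covers. It assumes the module has been imported and that -Attribution rows expose the 'Group ID', TechniqueID, TechniqueName and 'Data Source' properties shown above; the $collected list and the Get-GroupDataSourceCoverage function name are constructed for this example.

```powershell
# Added example (not from the Invoke-ATTACKAPI README). Assumes the module
# is imported and that -Attribution rows carry 'Group ID', TechniqueID,
# TechniqueName and 'Data Source' (the properties shown in the README output).
Import-Module .\Invoke-ATTACKAPI.ps1

# Telemetry this environment already collects: a constructed placeholder list,
# spelled the way ATT&CK names its data sources.
$collected = @('Process monitoring', 'Process command-line parameters',
               'Windows Registry', 'DNS records')

function Get-GroupDataSourceCoverage {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [string[]]$CollectedSources = @()
    )

    # -Attribution yields one row per (technique, software) pair, so a technique
    # used by three tools appears three times; keep one row per TechniqueID.
    $rows = Invoke-ATTACKAPI -Attribution |
        Where-Object -Property 'Group ID' -EQ $GroupId |
        Sort-Object -Property TechniqueID -Unique

    # Count how many of the group's techniques each data source can observe.
    # 'Data Source' is a list per technique; ForEach-Object flattens it.
    $coverage = $rows |
        ForEach-Object { $_.'Data Source' } |
        Where-Object { $_ } |
        Group-Object |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Name, Count

    # Techniques whose listed data sources do not intersect what we collect:
    # these are the gaps a hunting campaign cannot see with current telemetry.
    $gaps = $rows | Where-Object {
        $sources = @($_.'Data Source')
        -not ($sources | Where-Object { $CollectedSources -contains $_ })
    } | Select-Object -Property TechniqueID, TechniqueName,
        @{ Name = 'Data Source'; Expression = { $_.'Data Source' -join ', ' } }

    [pscustomobject]@{
        GroupId  = $GroupId
        Coverage = $coverage   # data source -> number of techniques it observes
        Gaps     = $gaps       # techniques with no collected data source
    }
}

# FIN7 (G0046) is the group the README's Where-Object example filters on.
$result = Get-GroupDataSourceCoverage -GroupId 'G0046' -CollectedSources $collected
$result.Coverage | Format-Table -AutoSize
$result.Gaps | Format-Table -AutoSize
```

Feed the Coverage table to whoever prioritises log onboarding, and treat every row in Gaps as a technique your detections cannot currently claim to cover for that group.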

Link: http://feedproxy.google.com/~r/PentestTools/~3/VroojUrU_bw/invoke-attackapi-powershell-script-to.html

APT, MITRE, DoD, and Panera – Hack Naked News #167

This week, Drupal vulnerabilities, APT detection, DoD bug bounties, new DNS services and breaches galore from Under Armour, Saks, Lord and Taylor, and Panera! Jason Wood from Paladin Security joins us for expert commentary so stay tuned to this episode of Hack Naked News! News Drupal Issues Highly Critical Patch: Over 1M Sites Vulnerable – Drupal released […]
The post APT, MITRE, DoD, and Panera – Hack Naked News #167 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/Pkso__wYSeI/