In the third and final part of a three part series, Tim Bandos, Digital Guardian's VP of Cybersecurity, describes how to best leverage MITRE's Attack Framework for threat hunting.
In the third and final chapter of our ‘Threat Hunting with MITRE’s ATT&CK Framework’ series, I’d like to focus on some of the more critical threat signatures that can be used for hunting retroactively in your environment. These particular techniques I’d consider to be higher fidelity and should ultimately be constructed into alarms for immediate response. However, looking back in time is highly recommended to ensure nothing has been missed if these haven’t been in place for detection.
Macro Execution & Command Obfuscation
This particular attack spans across five MITRE detection techniques within three separate phases. At DG, we incorporate the MITRE phases as a Tag within the rule. Analysts have the option of triaging by Tag or by Alarm Name. Personally, seeing an alarm named ‘Obfuscated Files or Information,' which is one of the MITRE techniques, just visually looks weird to me. So we decided to modify them a bit with the naming convention in the alarms (ie. ATP – Command Obfuscation)
The process tree below shows a string of malicious behavior derived from a malicious email attachment that was opened within Outlook.exe. Once the attachment was clicked, a macro was executed which spawned cmd.exe and powershell.exe.
Looking at the obfuscated command that generated the alarm… clearly not legitimate. So how do we proactively detect, and even better yet prevent this in the future? Creating signatures for this particular technique is highly advised and will yield almost zero false positives. I’ve included the detection below.
ATP – Command Obfuscation
Note: The term ‘matches’ as the Operator is regex.
ATP – Macro Execution
Note: This will detect macro execution via WMI
To take it a step further, we can pull back some additional forensics such as the file that is being executed ‘nomo.txt’ within the ProgramData directory to see how this piece of malware operates.
The file above shows entrenched malicious code that is being called via wscript. Additionally, the persistence mechanism for this malware runs off a scheduled job every three hours.
Regsvr32 Bypassing AppLocker Restrictions
The windows feature AppLocker was initially introduced to allow admins the ability to prevent execution of executables, scripts, etc, but it didn’t last long for attackers to weaponize a vulnerability that was discovered in order to bypass. Allow me to introduce you to Regsvr32. Regsvr32 is a legitimate command line program that is used to register/unregister .dll files into the registry. Unfortunately, arbitrary code can be executed via this utility through .sct files, either local or remote, which ultimately bypasses AppLocker’s pre-defined rules. Alerting on this activity is critical because it’s either an adversary or some lame penetration tester. Below is an example of this activity occurring.
ATP - Regsvr32 AppLocker Bypass Local
ATP - Microsoft HTA Abuse Activity
And there you have it. I hope this blogpost series has armed you with some additional intel to hit the ground running so you can be the ultimate savior of your organization’s network from those who clearly have zero ethical bounds. I know it can be difficult conducting threat hunting on a day to day basis. Typically security folks are required to wear every hat in their closet but carving out the time to do this as much as possible is imperative and may even one day assist in beefing up your budget if you discover something really juicy! MITRE’s ATT&CK framework lends an extremely helpful hand in mapping out where to spend your focus with great examples from prior threat actor campaigns and malware sample references.
As Yoda would say, “Patience you must have... smaller in number are we, but larger in mind” ...May the threat hunting forces be with you …