# ATT&CKing FIN7
### The Value of Using Frameworks for Threat Intelligence
#### Regina Elwell, FireEye
#### Katie Nickels, MITRE
-----
## Agenda
§ Why Should We Use Frameworks for Threat Intelligence?
– Introduction to MITRE ATT&CK™
– Introduction to the Attack Lifecycle
– How ATT&CK and the Attack Lifecycle Complement Each Other
§ Introduction to FIN7
§ FIN7 Targeted Lifecycle Overview
§ FIN7 Deep Dive
-----
## Why Use a Framework to Organize Threat Intel?
Regardless of which one you choose, it can help you…
§ Identify where you have gaps in knowledge
§ Compare adversaries to each other
§ Compare adversary behavior to defenses
-----
## Introduction to MITRE ATT&CK™
A knowledge base of adversary behavior
§ Based on real-world observations
§ Free, open, globally accessible, and community-driven
§ A common language

[Figure: the ATT&CK family laid over a kill-chain-style sequence (Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain): PRE-ATT&CK covers the pre-exploitation phases, Enterprise ATT&CK the post-exploitation phases, and Mobile ATT&CK the mobile platforms.]
-----
## Enterprise ATT&CK
[Figure: the Enterprise ATT&CK matrix, one column per tactic: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control. Each column lists the techniques under that tactic; the individual technique cells did not survive extraction and are not reproduced here.]
-----
## Breaking Down Enterprise ATT&CK
§ Tactics: the adversary's technical goals (the column headings of the matrix)
§ Techniques: how a tactic is achieved (the entries under each column)
§ Procedures: specific technique implementations
-----
## The Targeted Attack Lifecycle
[Figure: the FireEye/Mandiant Targeted Attack Lifecycle: Initial Reconnaissance, Initial Compromise, Establish Foothold, Escalate Privileges, Internal Reconnaissance, Move Laterally, Maintain Presence, Complete Mission.]
-----
## How ATT&CK and the Attack Lifecycle are Complementary
[Figure: Enterprise ATT&CK tactics overlaid on the lifecycle phases. Persistence recurs at several phases, and Defense Evasion, Credential Access, and Command & Control apply across the whole lifecycle rather than to a single phase.]
-----
## FIN7
Introduction
§ Active since late 2015
§ Financially motivated
§ Primary objective: point-of-sale compromise
§ Mainly use spearphishing for malware distribution
§ Limited use of exploits, and no known use of zero-day exploits
§ Blend of publicly available and unique or altered tools
-----
## FIN7 Targeted Attack Lifecycle
Tools observed across the lifecycle (the slide's per-phase column layout did not survive extraction, so the tools are listed without their phase):
§ Meterpreter
§ PowerAdmin Exec (PAExec)
§ CARBANAK
§ BABYMETAL
§ Terminal Services (RDP)
§ ANTAK
§ SIMPLECRED
§ Cobalt Strike Beacon
§ Batch scripts
§ PILLOWMINT
§ DRIFTPIN
§ Custom network scanners
§ OFFTRACK
§ Weaponized MS Word documents with:
– Malicious VBA macros
– Embedded encrypted VBScript objects (VBE)
– Embedded LNK files which load malicious VBScript
§ HALFBAKED
§ Metasploit
§ SUPERSOFT
§ BELLHOP
§ Mimikatz
§ POWERPIPE
§ POWERSOURCE
§ TEXTMATE
§ BATELEUR
§ BIRDDOG
-----
## Spearphishing
§ Targeted spearphishing with customized lures (T1193: Spearphishing Attachment)
– Weaponized Word documents with malicious VBA macros (T1064: Scripting)
– LNK files used to launch VBA code embedded within the document contents
– Embedded OLE objects containing malware (T1173: Dynamic Data Exchange)
§ Social engineering to encourage the recipient to act (T1204: User Execution)
-----
## Spearphishing: Mitigation and Detection
§ User training
– Even if they click, will they report?
– Don't rely on this alone
§ Tools: email filtering and application whitelisting
§ Use GPO to block execution of macros in documents from the Internet
§ Create analytics on suspicious execution chains to detect macros
– Example: winword.exe spawning cmd.exe, wscript.exe, or powershell.exe
-----
## HALFBAKED
§ The HALFBAKED malware has several components:
– A dropper contained in a VBA macro, which writes the installer and backdoor to the infected system (T1064: Scripting)
– A VBScript installer, which installs the backdoor as a persistent service (T1050: New Service)
– A VBScript backdoor with typical capabilities:
  § Reverse shell (T1059: Command-Line Interface)
  § Execute shell commands
  § Upload and download files (T1105: Remote File Copy)
  § Uses Windows Management Instrumentation (WMI) to collect reconnaissance details (T1047: Windows Management Instrumentation)
-----
## HALFBAKED: Detection and Mitigation
§ Implement a least-privilege model for domain users
– Ensure domain users are not in the local Administrators group
§ Monitor service creation through command-line invocation and look for low-frequency services in your environment
§ Monitor network traffic for WMI connections and capture the command-line arguments of "wmic"
– Look for anomalies in systems using WMI
-----
## BELLHOP
§ BELLHOP is a JavaScript-based backdoor interpreted by the native Windows Script Host (WSH)
– The BELLHOP dropper gathers basic host information (T1082: System Information Discovery), downloads a base64-encoded blob of JavaScript to disk, and sets up persistence in three ways:
  § Creating a Run key in the Registry (T1060: Registry Run Keys)
  § Creating a RunOnce key in the Registry
  § Creating a persistent named scheduled task (T1053: Scheduled Task)
– BELLHOP communicates over HTTP and HTTPS, primarily with benign sites such as Google Docs and Pastebin (T1071: Standard Application Layer Protocol)
-----
## BELLHOP: Mitigation and Detection
§ Monitor for ver, systeminfo, and dir executed from the command line
– Create a detection that chains these with other discovery commands
§ Monitor for Registry Run keys that do not correlate with known software
§ Limit privileges of user accounts so that only authorized admins can create scheduled tasks on remote systems
§ Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" log
– Example BELLHOP scheduled task name: SysChecks
-----
## POWERSOURCE & TEXTMATE
§ POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage (T1027: Obfuscated Files or Information)
– Installed in the registry (T1060: Registry Run Keys) or in Alternate Data Streams (T1096: NTFS File Attributes)
– Uses DNS TXT requests (port 53) for command and control (T1071: Standard Application Layer Protocol; T1043: Commonly Used Port)
§ TEXTMATE has been observed being downloaded via POWERSOURCE
– Second-stage "file-less" payload that runs in memory via PowerShell (T1086: PowerShell)
– Implements a reverse shell driven by DNS TXT (port 53) commands (T1059: Command-Line Interface; T1071: Standard Application Layer Protocol)
-----
## POWERSOURCE & TEXTMATE: Mitigation and Detection
§ Force web traffic through a proxy
– Including DNS traffic: do not allow endpoints to resolve Internet names directly, so that every external lookup passes through a resolver you log
§ Flag and analyze commands containing indicators of obfuscation and known suspicious syntax, such as uninterpreted escape characters like ^ and "
§ Restrict the PowerShell execution policy to administrators and to signed scripts only
– Caveat: the execution policy is a safety feature, not a security boundary (it is bypassed with -ExecutionPolicy Bypass or by piping script text into powershell.exe); pair it with script block logging and application whitelisting
-----
## PowerAdmin Exec (PAExec)
§ PowerAdmin Exec (PAExec)
– Functionally similar to Sysinternals PsExec; PAExec supports execution of remote commands (T1035: Service Execution)
– Most forensic artifacts are created on the source, not the target
-----
## PAExec: Mitigation and Detection
§ Look for unusual file names such as "logsXXX.exe" (unique to FIN7)
§ Monitor for unusual executables running from "C:\Windows\Temp\"
§ If you have technology capable of it, look at the binaries' version information for:
– CompanyName: Power Admin LLC
– FileDescription: PAExec Application
– InternalName: PAExec
– OriginalFilename: PAExec.exe
-----
## PILLOWMINT
§ PILLOWMINT is a point-of-sale malware tool used to scrape track 1 and track 2 payment card data from memory
– Scraped payment card data is encrypted and stored in the registry, and also written as plaintext to a file (T1074: Data Staged)
– Contains additional backdoor capabilities, including:
  § Running processes
  § Downloading and executing files (T1105: Remote File Copy)
  § Downloading and injecting DLLs (T1055: Process Injection)
– Communicates with a command and control (C2) server over HTTP using AES-encrypted messages (T1071: Standard Application Layer Protocol; T1032: Standard Cryptographic Protocol)
-----
## PILLOWMINT: Mitigation and Detection
§ Implement point-to-point encryption and tokenization
§ Use data loss prevention software
§ Look
for registry keys:
– HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\server
– HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\comman
– HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\PDSK21_
§ Look for output files in the directory %WINDIR%\system32\sysvols\
-----
## Using Structured Threat Intelligence
[Figure (notional): FIN7 and FIN8 techniques overlaid on the ATT&CK matrix against defensive gaps, with the techniques used by both groups called out.]
-----
## Conclusion
§ Frameworks are useful for organizing threat intel, regardless of which one you choose
§ Choose a framework based on your use case, and consider combining them for analysis
§ FIN7 has been successful because they use social engineering and well-disguised lures
§ FIN7 continues to be successful because they are constantly adapting and evolving to evade detection
§ For the best chance of detecting FIN7, look across their attack lifecycle and the ATT&CK techniques they use
-----
## Additional Resources
§ Visit https://attack.mitre.org for more information on ATT&CK
– FIN7: https://attack.mitre.org/wiki/Group/G0046
– Contact us: attack@mitre.org
§ More information on FIN7:
– On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
– Tracking a Cyber Crime Group: FIN7 at a Glance https://www.fireeye.com/blog/executive-perspective/2018/08/tracking-a-cyber-crime-group-fin7-at-a-glance.html
-----
## Questions?
-----
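The conclusion's advice to look across the lifecycle, as an added worked example that is not part of the original slides or of either author's tooling: four of the deck's detection ideas (winword.exe spawning a script host, an executable with the logsXXX.exe name running from C:\Windows\Temp, a low-frequency service install, and long-label DNS TXT beaconing) written as rules over constructed event records, with the hits rolled up per host so that a machine tripping techniques from several lifecycle phases floats to the top. The record schema, the sample events and host names, the thresholds, and the extension of the Office-parent rule beyond winword.exe to excel.exe and powerpnt.exe are all assumptions, not from the deck.

```python
# Added example (not from the original slides): four of the deck's FIN7
# analytics as rules over constructed event records, rolled up per host.
# The schema, sample events, thresholds and the Office-parent list beyond
# winword.exe are all assumptions invented for illustration.
import hashlib
import re
from collections import defaultdict

# Constructed telemetry; field names only loosely mirror Sysmon EID 1
# (process create), System EID 7045 (service install) and a DNS query log.
EVENTS = [
    # Spearphishing slide: winword.exe spawning a script host
    {"type": "process", "host": "POS-07",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe"},
    # Benign: Explorer launching Word
    {"type": "process", "host": "HR-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    # PAExec slide: FIN7-style logsXXX.exe running from C:\Windows\Temp
    {"type": "process", "host": "POS-07", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\Temp\logs1234.exe"},
    # HALFBAKED slide: one odd VBScript service on one host vs. an agent on 40
    {"type": "service", "host": "POS-07", "service": "WinSrv32", "path": r"C:\Windows\Temp\srv.vbs"},
    *[{"type": "service", "host": f"WS-{i:02d}", "service": "LegitAgentSvc",
       "path": r"C:\Program Files\Agent\agent.exe"} for i in range(40)],
    # POWERSOURCE slide: 25 long-label TXT queries to one zone from POS-07
    *[{"type": "dns", "host": "POS-07", "qtype": "TXT",
       "qname": hashlib.sha1(str(i).encode()).hexdigest()[:32] + ".c2.example.net"}
      for i in range(25)],
    {"type": "dns", "host": "HR-02", "qtype": "TXT", "qname": "_dmarc.example.com"},
]

# The deck names winword.exe; the other Office binaries are a generalization.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
TEMP_EXE = re.compile(r"^c:\\windows\\temp\\[^\\]+\.exe$", re.I)
FIN7_PAEXEC_NAME = re.compile(r"^logs\d+\.exe$", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_office_script(ev):
    """Spearphishing slide, T1204/T1064: Office parent spawning a shell or script host."""
    if (ev["type"] == "process" and basename(ev["parent"]) in OFFICE_PARENTS
            and basename(ev["image"]) in SCRIPT_CHILDREN):
        return f"T1204/T1064 {basename(ev['parent'])} spawned {basename(ev['image'])}"

def rule_temp_exe(ev):
    """PAExec slide, T1035: executable run from C:\\Windows\\Temp; notes the FIN7 name pattern."""
    if ev["type"] == "process" and TEMP_EXE.match(ev["image"]):
        name = basename(ev["image"])
        why = "FIN7 logsXXX.exe pattern" if FIN7_PAEXEC_NAME.match(name) else "exe in Windows\\Temp"
        return f"T1035 {why}: {name}"

def rule_rare_services(events, max_hosts=2):
    """HALFBAKED slide, T1050: service names installed on few hosts (threshold assumed)."""
    hosts_by_service = defaultdict(set)
    for ev in events:
        if ev["type"] == "service":
            hosts_by_service[ev["service"]].add(ev["host"])
    return [(h, f"T1050 rare service '{svc}' (seen on {len(hosts)} host(s))")
            for svc, hosts in hosts_by_service.items() if len(hosts) <= max_hosts
            for h in sorted(hosts)]

def rule_txt_beaconing(events, min_queries=20, min_label_len=24):
    """POWERSOURCE slide, T1071: many long-label TXT queries to one zone (thresholds assumed)."""
    label_lens = defaultdict(list)  # (host, zone) -> lengths of the first label
    for ev in events:
        if ev["type"] == "dns" and ev["qtype"] == "TXT":
            labels = ev["qname"].split(".")
            label_lens[(ev["host"], ".".join(labels[-2:]))].append(len(labels[0]))
    return [(host, f"T1071 {len(lens)} TXT queries to {zone}, mean label {sum(lens) / len(lens):.0f} chars")
            for (host, zone), lens in label_lens.items()
            if len(lens) >= min_queries and sum(lens) / len(lens) >= min_label_len]

def detect(events):
    """Run every rule; return {host: [finding, ...]} (each finding starts with its technique tag)."""
    findings = defaultdict(list)
    for ev in events:
        for rule in (rule_office_script, rule_temp_exe):
            hit = rule(ev)
            if hit:
                findings[ev["host"]].append(hit)
    for host, hit in rule_rare_services(events) + rule_txt_beaconing(events):
        findings[host].append(hit)
    return dict(findings)

def techniques(findings, host):
    """Distinct technique tags a host tripped: the cross-lifecycle roll-up the conclusion asks for."""
    return {hit.split()[0] for hit in findings.get(host, [])}

def rank_hosts(findings):
    return sorted(findings, key=lambda h: (-len(techniques(findings, h)), h))

if __name__ == "__main__":
    found = detect(EVENTS)
    for host in rank_hosts(found):
        print(host, sorted(techniques(found, host)), *found[host], sep="\n  ")
```

Run as a script, the block lists POS-07 with four technique tags (initial execution, lateral movement tooling, persistence, and C2) and nothing for HR-02, whose Word launch and DMARC lookup are ordinary. Any one of these rules is noisy on its own in a real environment; the per-host roll-up is what turns them into a FIN7-shaped signal, which is the point of looking across the lifecycle rather than at isolated techniques.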