# Tactics, Techniques, and Procedures

_Dec 8, 2017_

This report maps Cobalt Strike's actions to MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) matrix.

## Command-Line Interface

Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks, including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes a process invocation that changes the permissions context for that execution (e.g. Scheduled Task). Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.

### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 18:13 | JOSHDEV | 356 | run: `netstat -na \| findstr "EST"` |
| 12/08 18:17 | ubuntu | | run: `ls -alh` |
| 12/08 18:17 | ubuntu | | run: `ls -alh` |
| 12/08 18:17 | ubuntu | | run: `ls -alh /tmp` |
| 12/08 18:17 | ubuntu | | run: `tar zcvf /tmp/e.tgz /repository` |
| 12/08 18:17 | ubuntu | | run: `rm /tmp/e.tgz` |
| 12/08 18:17 | ubuntu | | run: `ls -alh /tmp` |

### Mitigation

Audit and/or block command-line interpreters by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate.

### Detection Methods

Command-line interface activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight into adversaries' actions through how they use native processes or custom tools.
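As an added example (not code from the report, Cobalt Strike or MITRE), the following Python applies this detection method to process-creation records that carry the full command line. It covers the interpreter and discovery events listed above, the archive-then-delete sequence on the ubuntu host, and, going slightly beyond this section, the PowerShell execution-policy bypass check that the report's PowerShell section discusses. The record format, the parent-process baseline and the pid values in the sample are assumptions.

```python
"""Process-creation log analysis for the Command-Line Interface detection method.

Constructed record format (one per line, a simplified Sysmon/auditd style):
    timestamp|host|pid|parent_image|image|command_line
The pid is the new process's pid; parent/image are full paths.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

INTERPRETERS = {"cmd.exe", "powershell.exe", "bash", "sh"}
# Parents from which an interactive shell is normally expected (assumed baseline).
EXPECTED_PARENTS = {"explorer.exe", "sshd", "login", "gnome-terminal-server", "services.exe"}
# Discovery commands seen in this report's events, with the ATT&CK ID each maps to.
DISCOVERY = {
    "netstat": "T1049", "tasklist": "T1057", "net view": "T1135",
    "net share": "T1135", "net computers": "T1018", "net dclist": "T1018",
}
ARCHIVE_RE = re.compile(r"\btar\s+\S*[cz]\S*\s+(\S+\.(?:tgz|tar\.gz|zip))")
DELETE_RE = re.compile(r"\b(?:rm|del)\s+(?:-\S+\s+)*(\S+)")
PS_BYPASS_RE = re.compile(
    r"-(?:ex(?:ecutionpolicy)?|ep)\s+(?:bypass|unrestricted)|-enc(?:odedcommand)?\b", re.I)


def parse(line):
    """Split one record; maxsplit keeps pipes inside the command line intact."""
    ts, host, pid, parent, image, cmd = line.split("|", 5)
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host,
            "pid": int(pid), "parent": parent, "image": image, "cmd": cmd}


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(lines, window=timedelta(minutes=5)):
    """Return (host, pid, finding) tuples for the supplied records.

    Checks: interpreter spawned by an unexpected parent, discovery commands,
    PowerShell execution-policy bypass / encoded commands, and an archive that is
    created and then deleted on the same host within `window` (collection staging).
    """
    findings = []
    staged = defaultdict(dict)  # host -> {archive path: creation time}
    for ev in map(parse, lines):
        image, parent, cmd = _basename(ev["image"]), _basename(ev["parent"]), ev["cmd"]
        tag = (ev["host"], ev["pid"])
        if image in INTERPRETERS and parent not in EXPECTED_PARENTS:
            findings.append((*tag, f"T1059 interpreter {image} spawned by {parent}"))
        for token, tid in DISCOVERY.items():
            if token in cmd.lower():
                findings.append((*tag, f"{tid} discovery command: {token}"))
        if image == "powershell.exe" and PS_BYPASS_RE.search(cmd):
            findings.append((*tag, "T1086 execution policy bypass or encoded command"))
        m = ARCHIVE_RE.search(cmd)
        if m:
            staged[ev["host"]][m.group(1)] = ev["ts"]
        m = DELETE_RE.search(cmd)
        if m and m.group(1) in staged[ev["host"]]:
            age = ev["ts"] - staged[ev["host"]].pop(m.group(1))
            if age <= window:
                findings.append((*tag, f"T1005 archive {m.group(1)} staged then deleted after {age}"))
    return findings


# Constructed sample records modelled on this report's events (pids are assumed).
SAMPLE_LOG = [
    r'2017-12-08 18:13:02|JOSHDEV|2104|C:\Windows\System32\rundll32.exe|C:\Windows\System32\cmd.exe|cmd.exe /c netstat -na | findstr "EST"',
    r"2017-12-08 18:13:40|JOSHDEV|2188|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe",
    r"2017-12-08 17:55:10|WS2|3952|C:\Windows\System32\rundll32.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -NoProfile -File PowerUp.ps1",
    r"2017-12-08 18:17:11|ubuntu|7120|/usr/sbin/sshd|/bin/bash|tar zcvf /tmp/e.tgz /repository",
    r"2017-12-08 18:17:30|ubuntu|7131|/usr/sbin/sshd|/bin/bash|rm /tmp/e.tgz",
]

if __name__ == "__main__":
    for host, pid, finding in analyze(SAMPLE_LOG):
        print(f"{host}:{pid} {finding}")
```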
### Reference

- [Tactic: T1059](https://attack.mitre.org/wiki/Technique/T1059)

## Credential Dumping

Credential dumping is the process of obtaining account login and password information from the operating system and software. Credentials can be used to perform Lateral Movement and access restricted information.

Tools may dump credentials in many different ways: extracting credential hashes for offline cracking, extracting plaintext passwords, and extracting Kerberos tickets, among others. Examples of credential dumpers include pwdump7, Windows Credential Editor, Mimikatz, and gsecdump. These tools are in use by both professional security testers and adversaries.

Plaintext passwords can be obtained using tools such as Mimikatz to extract passwords stored by the Local Security Authority (LSA). If smart cards are used to authenticate to a domain using a personal identification number (PIN), then that PIN is also cached as a result and may be dumped.

DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. The action works by simulating a domain controller replication process from a remote domain controller, which may contain various pieces of information included in Active Directory such as passwords, historical hashes, and current hashes of potentially useful accounts, such as the KRBTGT account NTLM hash. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket. DCSync functionality has been included in the "lsadump" module in Mimikatz.
### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 17:57 | WS2 | 1872 | dump hashes |
| 12/08 17:57 | WS2 | 1872 | run mimikatz's `sekurlsa::logonpasswords` command |
| 12/08 18:05 | FILESERVER | 1664 | dump hashes |
| 12/08 18:05 | FILESERVER | 1664 | run mimikatz's `sekurlsa::logonpasswords` command |
| 12/08 18:07 | DC | 1204 | dump hashes |
| 12/08 18:07 | DC | 1204 | run mimikatz's `sekurlsa::logonpasswords` command |

### Mitigation

Monitor/harden access to LSASS and the SAM table with tools that allow process whitelisting. Limit credential overlap across systems to prevent lateral movement opportunities using Valid Accounts if passwords and hashes are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems.

On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.

Identify and block potentially malicious software that may be used to dump credentials by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate.

With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. It also does not protect against all forms of credential dumping.

### Detection Methods

Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective DLL Injection to reduce potential indicators of malicious activity.
NTLM hash dumpers open the Security Accounts Manager (SAM) on the local file system (`%SystemRoot%/system32/config/SAM`) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in use by adversaries may help as well.

On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.

Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, which may require additional logging features to be configured in the operating system to collect the necessary information for analysis.

### Reference

- [Tactic: T1003](https://attack.mitre.org/wiki/Technique/T1003)

## DLL Injection

DLL injection is used to run code in the context of another process by causing the other process to load and execute code. Running code in the context of another process provides adversaries many benefits, such as access to the process's memory and permissions. It also allows adversaries to mask their actions under a legitimate process. A more sophisticated kind of DLL injection, reflective DLL injection, loads code without calling the normal Windows API calls, potentially bypassing DLL load monitoring. Numerous methods of DLL injection exist on Windows, including modifying the Registry, creating remote threads, Windows hooking APIs, and DLL pre-loading.
### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 17:54 | WS2 | 3400 | log keystrokes in 2444 (x86) |
| 12/08 17:57 | WS2 | 1872 | dump hashes |
| 12/08 17:57 | WS2 | 1872 | run mimikatz's `sekurlsa::logonpasswords` command |
| 12/08 18:05 | FILESERVER | 1664 | dump hashes |
| 12/08 18:05 | FILESERVER | 1664 | run mimikatz's `sekurlsa::logonpasswords` command |
| 12/08 18:07 | DC | 1204 | dump hashes |
| 12/08 18:07 | DC | 1204 | run mimikatz's `sekurlsa::logonpasswords` command |
| 12/08 18:10 | JOSHDEV | 356 | log keystrokes in 1220 (x86) |
| 12/08 18:10 | JOSHDEV | 356 | take a screenshot in 1220/x86 |
| 12/08 18:14 | JOSHDEV | 356 | inject `windows/beacon_smb/bind_pipe` (127.0.0.1:9756) into 1220 (x86) |

### Mitigation

Mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.

Identify or block potentially malicious software that may contain DLL injection functionality by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate.

### Detection Methods

Monitoring API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as WriteProcessMemory, may be used for this technique.

Monitor processes and command-line arguments for actions that could be done before or after code injection has occurred and correlate the information with related event information.
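The following Python is an added example (not code from the report, Sysmon, Cobalt Strike or MITRE) that turns two of the report's detection methods into checks over Sysmon-style records: the Credential Dumping method (a process opening LSASS memory, Sysmon Event ID 10) and the DLL Injection method above (CreateRemoteThread into another process, Sysmon Event ID 8). The records are constructed, the allowlists are assumed baselines, and rundll32.exe as the source process is an assumption.

```python
"""Sysmon-style checks for LSASS access (Event ID 10, credential dumping) and
CreateRemoteThread injection (Event ID 8). Records are constructed dicts that
reuse Sysmon's EventData field names; allowlists are assumed baselines."""

# Process access rights that allow reading or writing another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Assumed baseline of processes that legitimately read lsass.exe memory.
LSASS_READERS_ALLOWED = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}
# Assumed baseline of processes that legitimately create threads in others.
REMOTE_THREAD_ALLOWED = {"csrss.exe", "wininit.exe", "services.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_access(ev):
    """Event ID 10: non-allowlisted process opens lsass.exe with VM_READ/VM_WRITE."""
    if _basename(ev["TargetImage"]) != "lsass.exe":
        return None
    granted = int(ev["GrantedAccess"], 16)
    if not granted & (PROCESS_VM_READ | PROCESS_VM_WRITE):
        return None  # e.g. 0x1000 (QUERY_LIMITED_INFORMATION) alone is routine
    if ev["SourceImage"].lower() in LSASS_READERS_ALLOWED:
        return None
    # An UNKNOWN frame in the call trace means the caller is not backed by a file
    # on disk, which is what reflectively loaded code looks like.
    unbacked = "UNKNOWN" in ev.get("CallTrace", "")
    return {"technique": "T1003", "source": _basename(ev["SourceImage"]),
            "granted": hex(granted), "unbacked_caller": unbacked}


def check_remote_thread(ev):
    """Event ID 8: remote thread starting in unbacked memory or at LoadLibrary."""
    source, target = _basename(ev["SourceImage"]), _basename(ev["TargetImage"])
    if source in REMOTE_THREAD_ALLOWED:
        return None
    reasons = []
    if not ev.get("StartModule"):
        reasons.append("thread starts in unbacked memory")
    if ev.get("StartFunction", "").lower().startswith("loadlibrary"):
        reasons.append("thread starts at LoadLibrary (classic DLL injection)")
    if not reasons:
        return None
    return {"technique": "T1055", "source": source, "target": target, "reasons": reasons}


def triage(events):
    """Run the check matching each record's EventID; return the findings in order."""
    checks = {10: check_process_access, 8: check_remote_thread}
    findings = []
    for ev in events:
        check = checks.get(ev["EventID"])
        result = check(ev) if check else None
        if result:
            findings.append(result)
    return findings


# Constructed sample records; the rundll32.exe source process is an assumption.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+30bc4"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c534|UNKNOWN(000000001D2E0A4B)"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Program Files\PuTTY\putty.exe",
     "StartAddress": "0x00000000027A0000", "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x00007FFB1C2E0E00",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```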
Code injection may also be performed using PowerShell with tools such as PowerSploit, so additional PowerShell monitoring may be required to cover known implementations of this behavior.

### Reference

- [Tactic: T1055](https://attack.mitre.org/wiki/Technique/T1055)

## Data from Local System

Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system, prior to Exfiltration.

Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a Command-Line Interface, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.

### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 18:17 | ubuntu | | download `/tmp/e.tgz` |

### Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to collect data from the local system, and audit and/or block them by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate.

### Detection Methods

Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

### Reference

- [Tactic: T1005](https://attack.mitre.org/wiki/Technique/T1005)

## Exploitation of Vulnerability

Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
Exploiting software vulnerabilities may allow adversaries to run a command or binary on a remote system for lateral movement, escalate a current process to a higher privilege level, or bypass security mechanisms. Exploits may also allow an adversary access to privileged accounts and credentials. One example of this is MS14-068, which can be used to forge Kerberos tickets using domain user permissions.

### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 17:57 | WS2 | 3400 | run `windows/beacon_smb/bind_pipe` (127.0.0.1:9756) via ms14-058 |

### Mitigation

Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, virtualization, and exploit prevention tools such as the Microsoft Enhanced Mitigation Experience Toolkit.

### Detection Methods

Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Software and operating system crash reports may contain useful contextual information about attempted exploits that correlate with other malicious activity. Exploited processes may exhibit behavior that is unusual for the specific process, such as spawning additional processes or reading and writing to files.

### Reference

- [Tactic: T1068](https://attack.mitre.org/wiki/Technique/T1068)

## Input Capture

Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception.
Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes, but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider.

Keylogging is likely to be used to acquire credentials for new access opportunities when Credential Dumping efforts are not effective, and may require an adversary to remain passive on a system for a period of time before an opportunity arises.

Adversaries may also install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts, or as part of the initial compromise by exploitation of the externally facing web service.

### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 17:54 | WS2 | 3400 | log keystrokes in 2444 (x86) |
| 12/08 18:10 | JOSHDEV | 356 | log keystrokes in 1220 (x86) |

### Mitigation

Identify and block potentially malicious software that may be used to acquire credentials or information from the user by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate.

In cases where this behavior is difficult to detect or mitigate, efforts can be made to lessen some of the impact that might result from an adversary acquiring credential information. It is also good practice to follow mitigation recommendations for adversary use of Valid Accounts.

### Detection Methods

Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include SetWindowsHook, GetKeyState, and GetAsyncKeyState.
Monitor the Registry and file system for such changes and detect driver installs, as well as looking for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.

Monitor the Registry for the addition of a Custom Credential Provider. Detection of compromised Valid Accounts in use by adversaries may help to catch the result of user input interception if new techniques are used.

### Reference

- [Tactic: T1056](https://attack.mitre.org/wiki/Technique/T1056)

## Network Service Scanning

Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.

### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 18:00 | WS2 | 3400 | scan ports 1-1024,3389,5000-6000 on 10.10.10.0-10.10.10.255 |

### Mitigation

Use network intrusion detection/prevention systems to detect and prevent remote service scans. Ensure that unnecessary ports and services are closed and proper network segmentation is followed to protect critical servers and devices.

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services running on remote systems, and audit and/or block them by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate.

### Detection Methods

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
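An added example (not code from the report or from Cobalt Strike) of the flow-inspection approach this detection method calls for: a port-scan detector that buckets intra-network flows per source into fixed windows and reports both vertical fan-out (many ports on one host) and horizontal fan-out (one port across many hosts), with an allowlist for the authorized scanner that the text says must be deconflicted. The flow records, the 10.10.10.x addresses, the thresholds and the window size are all assumptions.

```python
"""Flow-based port-scan detector for the Network Service Scanning detection
method. Flows are constructed (timestamp, src, dst, dst_port) tuples; the
thresholds and the authorized-scanner allowlist are assumptions to tune."""
from collections import defaultdict
from datetime import datetime, timedelta

AUTHORIZED_SCANNERS = {"10.10.10.5"}  # assumed vulnerability scanner, deconflicted
PORT_THRESHOLD = 20                   # distinct ports on one host  -> vertical scan
HOST_THRESHOLD = 10                   # distinct hosts on one port  -> horizontal scan
WINDOW = timedelta(minutes=2)


def detect_scans(flows):
    """Bucket flows per source into fixed windows and report fan-out over thresholds."""
    if not flows:
        return []
    t0 = min(ts for ts, _, _, _ in flows)
    buckets = defaultdict(list)  # (src, window index) -> [(dst, port), ...]
    for ts, src, dst, port in flows:
        if src in AUTHORIZED_SCANNERS:
            continue
        buckets[(src, (ts - t0) // WINDOW)].append((dst, port))
    findings = []
    for (src, idx), recs in sorted(buckets.items()):
        ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
        for dst, port in recs:
            ports_per_host[dst].add(port)
            hosts_per_port[port].add(dst)
        vertical = {h for h, p in ports_per_host.items() if len(p) >= PORT_THRESHOLD}
        horizontal = {p for p, h in hosts_per_port.items() if len(h) >= HOST_THRESHOLD}
        if vertical or horizontal:
            findings.append({"technique": "T1046", "src": src, "window_start": t0 + idx * WINDOW,
                             "vertical_targets": sorted(vertical),
                             "horizontal_ports": sorted(horizontal),
                             "distinct_hosts": len(ports_per_host),
                             "distinct_ports": len(hosts_per_port)})
    return findings


def constructed_flows():
    """Scaled-down version of the report's sweep of 10.10.10.0/24 (addresses assumed)."""
    base = datetime(2017, 12, 8, 18, 0, 0)
    flows = []
    # 10.10.10.20 (assumed to be WS2) probing common ports on thirty hosts ...
    for i in range(1, 31):
        for j, port in enumerate((22, 80, 135, 139, 443, 445, 3389)):
            flows.append((base + timedelta(seconds=i * 7 + j), "10.10.10.20", f"10.10.10.{i}", port))
    # ... and walking ports 1-50 on a single host
    for port in range(1, 51):
        flows.append((base + timedelta(seconds=60 + port), "10.10.10.20", "10.10.10.40", port))
    # ordinary user traffic: repeated SMB to one server and one web request
    flows += [(base + timedelta(seconds=s), "10.10.10.21", "10.10.10.40", 445) for s in range(0, 100, 10)]
    flows.append((base + timedelta(seconds=5), "10.10.10.21", "10.10.10.41", 80))
    # the authorized scanner doing a sweep of its own, suppressed by the allowlist
    for i in range(1, 31):
        flows.append((base + timedelta(seconds=i), "10.10.10.5", f"10.10.10.{i}", 445))
    return flows


if __name__ == "__main__":
    for finding in detect_scans(constructed_flows()):
        print(finding)
```

The sweep spans two windows, so the scanning source is reported once per window; the user traffic never reaches either threshold.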
Normal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used. Legitimate open port and vulnerability scanning may be conducted within the environment and will need to be deconflicted with any detection capabilities developed.

Network intrusion detection systems can also be used to identify scanning activity. Monitor for process use of the network and inspect intra-network flows to detect port scans.

### Reference

- [Tactic: T1046](https://attack.mitre.org/wiki/Technique/T1046)

## Network Share Discovery

Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

**Windows**

File sharing over a Windows network occurs over the SMB protocol. Net can be used to query a remote system for available shared drives using the `net view \\remotesystem` command. It can also be used to query shared drives on the local system using `net share`.

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.

**Mac**

On Mac, locally mounted shares can be viewed with the `df -aH` command.

### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 18:04 | WS2 | 3400 | run `net share` on fileserver.corp.acme.com |

### Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to acquire network share information, and audit and/or block them by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate.

### Detection Methods

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment.
Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

### Reference

- [Tactic: T1135](https://attack.mitre.org/wiki/Technique/T1135)

## New Service

When operating systems boot up, they can start programs or applications called services that perform background system functions. A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry.

Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.
### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 18:02 | WS2 | 3400 | run `windows/beacon_smb/bind_pipe` (`\\fileserver.corp.acme.com\pipe\status_9756`) on fileserver.corp.acme.com via Service Control Manager (PSH) |
| 12/08 18:06 | WS2 | 1872 | run `windows/beacon_smb/bind_pipe` (`\\DC\pipe\status_9756`) on DC via Service Control Manager (PSH) |
| 12/08 18:08 | WS2 | 1872 | run `windows/beacon_smb/bind_pipe` (`\\MAIL\pipe\status_9756`) on MAIL via Service Control Manager (`\\MAIL\ADMIN$\c0b6e50.exe`) |

### Mitigation

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new services.

Identify and block unnecessary system utilities or potentially malicious software that may be used to create services by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate.

### Detection Methods

Monitor service creation through changes in the Registry and common utilities using command-line invocation. New, benign services may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence. Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.

Monitor processes and command-line arguments for actions that could create services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities.
Services may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.

### Reference

- [Tactic: T1050](https://attack.mitre.org/wiki/Technique/T1050)

## Pass the Hash

Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.

Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.

### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 18:06 | WS2 | 1872 | run mimikatz's `sekurlsa::pth /user:Administrator /domain:CORP /ntlm:83414a69a47afeec7e3a37d05a81dc3b /run:"cmd.exe /c echo 70f32449cc8 > \\.\pipe\d8e195"` command |

### Mitigation

Monitor systems and domain logs for unusual credential logon activity. Prevent access to Valid Accounts. Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.

Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform Lateral Movement between systems. Ensure that built-in and created local administrator accounts have complex, unique passwords. Do not allow a domain user to be in the local administrator group on multiple systems.

### Detection Methods

Audit all logon and credential use events and review for discrepancies.
Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious.

### Reference

- [Tactic: T1075](https://attack.mitre.org/wiki/Technique/T1075)

## PowerShell

PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet, which can be used to run an executable, and the Invoke-Command cmdlet, which runs a command locally or on a remote computer.

PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

Administrator permissions are required to use PowerShell to connect to remote systems.

A number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, and PSAttack.

### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 17:55 | WS2 | 3400 | import: `C:\Users\user\Desktop\PowerSploitmaster\Privesc\PowerUp.ps1` |
| 12/08 17:56 | WS2 | 3400 | run: `Invoke-AllChecks` |
| 12/08 18:00 | WS2 | 3400 | import: `C:\Users\user\Desktop\PowerSploitmaster\Recon\PowerView.ps1` |
| 12/08 18:00 | WS2 | 3400 | run: `Find-LocalAdminAccess` |
| 12/08 18:09 | WS2 | 1872 | run `windows/beacon_smb/bind_pipe` (`\\JOSHDEV\pipe\status_9756`) on JOSHDEV via WMI |

### Mitigation

It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions.

When PowerShell is necessary, restrict PowerShell execution policy to administrators and to only execute signed scripts.
Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.

Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.

### Detection Methods

If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.

It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution. PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features. An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.

### Reference

- [Tactic: T1086](https://attack.mitre.org/wiki/Technique/T1086)

## Process Discovery

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.

**Windows**

An example command that would obtain details on processes is `tasklist` using the Tasklist utility.

**Mac and Linux**

In Mac and Linux, this is accomplished with the `ps` command.
### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 17:53 | WS2 | 3400 | list processes |
| 12/08 18:05 | FILESERVER | 1664 | list processes |
| 12/08 18:09 | JOSHDEV | 356 | list processes |
| 12/08 18:13 | JOSHDEV | 356 | list processes |

### Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate.

### Detection Methods

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

### Reference

- [Tactic: T1057](https://attack.mitre.org/wiki/Technique/T1057)

## Process Hollowing

Process hollowing occurs when a process is created in a suspended state and the process's memory is replaced with the code of a second program so that the second program runs instead of the original program. Windows and process monitoring tools believe the original process is running, whereas the actual program running is different. Process hollowing may be used similarly to DLL Injection to evade defenses and detection analysis of malicious process execution by launching adversary-controlled code under the context of a legitimate process.
### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 17:53 | WS2 | 3400 | take screenshot |
| 12/08 17:57 | WS2 | 3400 | run `windows/beacon_smb/bind_pipe` (127.0.0.1:9756) via ms14-058 |
| 12/08 17:57 | WS2 | 1872 | dump hashes |
| 12/08 17:57 | WS2 | 1872 | run mimikatz's `sekurlsa::logonpasswords` command |
| 12/08 18:00 | WS2 | 3400 | run `net computers` |
| 12/08 18:00 | WS2 | 3400 | scan ports 1-1024,3389,5000-6000 on 10.10.10.0-10.10.10.255 |
| 12/08 18:04 | WS2 | 3400 | run `net share` on fileserver.corp.acme.com |
| 12/08 18:05 | FILESERVER | 1664 | dump hashes |
| 12/08 18:05 | FILESERVER | 1664 | run mimikatz's `sekurlsa::logonpasswords` command |
| 12/08 18:05 | WS2 | 3400 | run `net dclist` |
| 12/08 18:06 | WS2 | 1872 | run mimikatz's `sekurlsa::pth /user:Administrator /domain:CORP /ntlm:83414a69a47afeec7e3a37d05a81dc3b /run:"cmd.exe /c echo 70f32449cc8 > \\.\pipe\d8e195"` command |
| 12/08 18:07 | DC | 1204 | dump hashes |
| 12/08 18:07 | DC | 1204 | run mimikatz's `sekurlsa::logonpasswords` command |
| 12/08 18:16 | JOSHDEV | 1220 | spawn x86 features to: `c:\program files\putty\putty.exe` |
| 12/08 18:16 | JOSHDEV | 1220 | SSH to 192.168.57.18:22 as devops |

### Mitigation

Mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

Although process hollowing may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions, including process hollowing, and audit and/or block it by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate.
### Detection Methods

Monitoring API calls may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior.

Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.

### Reference

- [Tactic: T1093](https://attack.mitre.org/wiki/Technique/T1093)

## Remote Services

An adversary may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 18:16 | JOSHDEV | 1220 | SSH to 192.168.57.18:22 as devops |

### Mitigation

Limit the number of accounts that may use remote services. Use multifactor authentication where possible. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs. Prevent Valid Accounts that can be used by existing services.

### Detection Methods

Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement.

### Reference

- [Tactic: T1021](https://attack.mitre.org/wiki/Technique/T1021)

## Remote System Discovery

Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.

**Windows**

Examples of tools and commands that acquire this information include "ping" or "net view" using Net.

**Mac**

Specific to Mac, the Bonjour protocol can be used to discover additional Mac-based systems within the same broadcast domain. Utilities such as "ping" and others can be used to gather information about remote systems.

**Linux**

Utilities such as "ping" and others can be used to gather information about remote systems.

### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 18:00 | WS2 | 3400 | run net computers |
| 12/08 18:05 | WS2 | 3400 | run net dclist |

### Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate.

### Detection Methods

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
### Reference

[• Tactic: T1018](https://attack.mitre.org/wiki/Technique/T1018)

-----

## Scheduled Transfer

Data exfiltration may be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability. When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.

### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 18:00 | WS2 | 3400 | sleep for 1s |

### Mitigation

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools.

### Detection Methods

Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious. Network connections to the same destination that occur at the same time of day for multiple days are suspicious.

### Reference

[• Tactic: T1029](https://attack.mitre.org/wiki/Technique/T1029)

-----

## Screen Capture

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.

**Mac**

On OSX, the native command screencapture is used to capture screenshots.
**Linux**

On Linux, there is the native command xwd.

### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 17:53 | WS2 | 3400 | take screenshot |
| 12/08 18:10 | JOSHDEV | 356 | take a screenshot in 1220/x86 |

### Mitigation

Blocking software based on screen capture functionality may be difficult, and there may be legitimate software that performs those actions. Instead, identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate.

### Detection Methods

Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.

### Reference

[• Tactic: T1113](https://attack.mitre.org/wiki/Technique/T1113)

-----

## Scripting

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts. Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike.
Metasploit, Veil, and PowerSploit are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell.

### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 17:55 | WS2 | 3400 | import: C:\Users\user\Desktop\PowerSploitmaster\Privesc\PowerUp.ps1 |
| 12/08 18:00 | WS2 | 3400 | import: C:\Users\user\Desktop\PowerSploitmaster\Recon\PowerView.ps1 |

### Mitigation

Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.

### Detection Methods

Scripting may be common on admin, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

### Reference

[• Tactic: T1064](https://attack.mitre.org/wiki/Technique/T1064)

-----

## Service Execution

Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service.
This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.

### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 18:02 | WS2 | 3400 | run windows/beacon_smb/bind_pipe (\\fileserver.corp.acme.com\pipe\status_9756) on fileserver.corp.acme.com via Service Control Manager (PSH) |
| 12/08 18:06 | WS2 | 1872 | run windows/beacon_smb/bind_pipe (\\DC\pipe\status_9756) on DC via Service Control Manager (PSH) |
| 12/08 18:08 | WS2 | 1872 | run windows/beacon_smb/bind_pipe (\\MAIL\pipe\status_9756) on MAIL via Service Control Manager (\\MAIL\ADMIN$\c0b6e50.exe) |

### Mitigation

Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level. Also ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level. Identify unnecessary system utilities or potentially malicious software that may be used to interact with Windows services, and audit and/or block them by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate.

### Detection Methods

Changes to service Registry entries and command-line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool PsExec.

### Reference

[• Tactic: T1035](https://attack.mitre.org/wiki/Technique/T1035)

-----

## Windows Admin Shares

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$.
Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over server message block (SMB) to interact with systems using remote procedure calls (RPCs), transfer files, and run transferred binaries through remote Scheduled Task, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels. The Net utility can be used to connect to Windows admin shares on remote systems using net use commands with valid credentials.

### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 18:02 | WS2 | 3400 | list files in \\fileserver.corp.acme.com\ADMIN$ |
| 12/08 18:06 | WS2 | 1872 | list files in \\DC\C$ |
| 12/08 18:08 | WS2 | 1872 | run windows/beacon_smb/bind_pipe (\\MAIL\pipe\status_9756) on MAIL via Service Control Manager (\\MAIL\ADMIN$\c0b6e50.exe) |

### Mitigation

Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group on multiple systems. Identify unnecessary system utilities or potentially malicious software that may be used to leverage SMB and the Windows admin shares, and audit and/or block them by using whitelisting tools, like AppLocker, or Software Restriction Policies where appropriate.

### Detection Methods

Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. Monitor remote login events and associated SMB activity for file transfers and remote process execution. Monitor the actions of remote users who connect to
administrative shares. Monitor for use of tools and commands to connect to remote shares, such as Net, on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.

### Reference

[• Tactic: T1077](https://attack.mitre.org/wiki/Technique/T1077)

-----

## Windows Management Instrumentation

Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135. An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement.

### Related Events

| date | host | pid | activity |
|---|---|---|---|
| 12/08 18:09 | WS2 | 1872 | run windows/beacon_smb/bind_pipe (\\JOSHDEV\pipe\status_9756) on JOSHDEV via WMI |

### Mitigation

Disabling WMI or RPCS may cause system instability and should be evaluated to assess the impact to a network. By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI. Prevent credential overlap across systems of administrator and privileged accounts.

### Detection Methods

Monitor network traffic for WMI connections; the use of WMI in environments that do not typically use WMI may be suspect. Perform process monitoring to capture command-line arguments of "wmic" and detect commands that are used to perform remote behavior.
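The detection guidance in the Remote System Discovery, Windows Admin Shares, Service Execution and Windows Management Instrumentation sections all comes down to the same two things: process command lines, and viewing events as a chain rather than in isolation. The following is an added example, not part of this report or of Cobalt Strike, of one way to implement that over process-creation records; the sample records, the rule patterns and the 30-minute correlation window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation records (not from the report; illustrative).
EVENTS = [
    {"ts": "2017-12-08 09:15:00", "host": "ADMINWS", "cmd": "net view /domain:CORP"},
    {"ts": "2017-12-08 11:00:00", "host": "ADMINWS", "cmd": "wmic os get caption"},
    {"ts": "2017-12-08 18:00:10", "host": "WS2", "cmd": "net view /domain:CORP"},
    {"ts": "2017-12-08 18:02:05", "host": "WS2",
     "cmd": "net use \\\\fileserver.corp.acme.com\\ADMIN$"},
    {"ts": "2017-12-08 18:02:40", "host": "WS2",
     "cmd": "sc \\\\fileserver.corp.acme.com create status_9756 "
            "binPath= \\\\fileserver.corp.acme.com\\ADMIN$\\c0b6e50.exe"},
    {"ts": "2017-12-08 18:09:00", "host": "WS2",
     "cmd": "wmic /node:JOSHDEV process call create notepad.exe"},
]

# Hypothetical command-line rules for the techniques mapped in this report.
RULES = [
    ("discovery", re.compile(r"\b(?:net(?:\.exe)?\s+view|ping(?:\.exe)?\s)", re.I)),
    ("admin_share", re.compile(r"\\\\[\w.-]+\\(?:ADMIN|C|IPC)\$", re.I)),
    ("wmi_remote", re.compile(r"\bwmic(?:\.exe)?\b.*/node:", re.I)),
    ("service_exec", re.compile(r"\b(?:sc(?:\.exe)?\s+\\\\|psexec)", re.I)),
]
LATERAL = {"admin_share", "wmi_remote", "service_exec"}
TARGET = re.compile(r"\\\\([\w.-]+)|/node:([\w.-]+)", re.I)  # remote host named in the command

def tag(event):
    """Names of every rule whose pattern matches the event's command line."""
    return [name for name, rx in RULES if rx.search(event["cmd"])]

def find_chains(events, window=timedelta(minutes=30)):
    """One alert per source host where a discovery command is followed, within
    `window`, by admin-share, remote-WMI or remote-service activity."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    alerts = []
    for host, evs in by_host.items():
        last_discovery, techniques, targets = None, set(), []
        for e in evs:
            t = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            tags = tag(e)
            if "discovery" in tags:
                last_discovery = t  # (re)start the correlation window
            lateral = LATERAL.intersection(tags)
            if lateral and last_discovery and t - last_discovery <= window:
                techniques |= lateral
                m = TARGET.search(e["cmd"])
                target = m and (m.group(1) or m.group(2))
                if target and target not in targets:
                    targets.append(target)
        if techniques:  # discovery alone, or lateral movement alone, does not fire
            alerts.append({"host": host, "techniques": sorted(techniques), "targets": targets})
    return alerts
```

Running `find_chains(EVENTS)` flags only WS2, with the file server and JOSHDEV as targets; the helpdesk host that ran `net view` and a local `wmic` query stays quiet.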
### Reference

[• Tactic: T1047](https://attack.mitre.org/wiki/Technique/T1047)

-----

# LICENSE

The MITRE Corporation (MITRE) hereby grants you a non-exclusive, royalty-free license to use Adversarial Tactics, Techniques and Common Knowledge (ATT&CK™) for research, development, and commercial purposes. Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. "(c) 2017 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation."

## DISCLAIMERS

MITRE does not claim ATT&CK enumerates all possibilities for the types of actions and behaviors documented as part of its adversary model and framework of techniques. Using the information contained within ATT&CK to address or cover full categories of techniques will not guarantee full defensive coverage as there may be undisclosed techniques or variations on existing techniques not documented by ATT&CK.

ALL DOCUMENTS AND THE INFORMATION CONTAINED THEREIN ARE PROVIDED ON AN "AS IS" BASIS AND THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE MITRE CORPORATION, ITS BOARD OF TRUSTEES, OFFICERS, AGENTS, AND EMPLOYEES, DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.