2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article analyzes how the ATT&CK framework can be used to improve the host-side detection capability of EDR products, summarizing the problems involved and the approaches to solving them.
I. Preface
ATT&CK has been a hot concept in the domestic security industry this year. Many organizations and vendors have published articles explaining their understanding of it, and even many Party A (customer) units have started to care about ATT&CK: they not only ask security vendors about their research in this area, but also seem to intend to use it as a dimension for measuring vendors' product capability. For a time the security community has had an atmosphere of "if you don't understand this concept, your security work has been in vain".
This phenomenon is quite normal: as a new technical concept from abroad, ATT&CK deserves study and analysis by the security industry. On the other hand, much of the current industry research and analysis of ATT&CK is one-sided or based on misunderstandings, so we present our own discussion of ATT&CK from our point of view, hoping to restore its true face, strip away the excessive "mystique", and re-examine the real value of this technology. As one family's opinion, it will certainly not be entirely objective; readers should judge its rights and wrongs for themselves as far as possible.
II. Introduction to ATT&CK
1. The ATT&CK framework
ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a knowledge base developed by the MITRE Corporation, based on real-world observations of adversary tactics and techniques.
MITRE is a non-profit R&D organization funded by the U.S. government that provides systems engineering, research and development, and information technology support to the U.S. government. It also cooperates with the National Institute of Standards and Technology (NIST) on security standards such as the CVE and CWE numbering schemes and the STIX threat intelligence format.
The MITRE ATT&CK framework systematically collects and integrates attack techniques across the entire life cycle of an attack, drawn from insight into real security incidents. It organizes the TTPs (Tactics, Techniques, Procedures) used by attackers: each tactic groups the known techniques used to achieve that tactical goal, and each technique describes in detail the specific steps and procedures by which it is carried out.
The ATT&CK model builds on the Kill Chain model proposed by Lockheed Martin, constructing a finer-grained and more easily shared knowledge model and framework. After several years of development the matrix has grown rich and has been split into PRE-ATT&CK and ATT&CK for Enterprise. PRE-ATT&CK covers the first two stages of the Kill Chain and contains tactics and techniques related to an attacker's attempts to exploit a specific target network or system; ATT&CK for Enterprise covers the last five stages of the Kill Chain.
ATT&CK for Enterprise divides a security incident into 12 tactic phases: initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact. The mapping between attack techniques and phases is shown in the following figure:
2. The capabilities of ATT&CK
The ATT&CK knowledge base serves as the basis for developing specific threat models and methodologies in government and in cybersecurity products and services. It can also be used to test whether EDR products are able to detect APT activity. It is currently used mainly in four directions: adversary emulation, evaluation and improvement of defensive capability, threat intelligence extraction and modeling, and threat assessment and analysis.
1. Adversary emulation: conduct red/blue attack-and-defense exercises based on ATT&CK to build red and blue teams.
2. Detection and analysis: based on specific "techniques", effectively enhance detection capability for the security construction of Party A (customer organizations).
3. Threat intelligence: use the ATT&CK framework to identify attack groups for security intelligence construction.
4. Evaluation and improvement: map the solution to the ATT&CK threat model, identify and bridge the gaps, and evaluate security capability.
The knowledge base integrated into ATT&CK gives the security industry a standard for collecting known TTPs and drives the optimization and improvement of security products. This article presents our exploration and thinking on using the ATT&CK framework to improve host EDR detection capability, starting from the detection and analysis of TTPs.
3. Environment for putting ATT&CK into practice
This article discusses how the ATT&CK framework can be put into practice in endpoint security products. ATT&CK gives the detection capability of endpoint security products a clear, measurable and practical standard. In the past, defenders often found themselves in an unknown and uncertain state with respect to intrusion detection; ATT&CK effectively makes up for this shortcoming, because detected attack techniques can be mapped to ATT&CK tactics, giving a clear picture of which stage of the attack the attacker has reached.
Furthermore, if endpoint security products can be given the ability to detect TTPs, this undoubtedly strengthens the core detection capability of the product, improves attack detection coverage and the accuracy of automated response, and prevents attackers from evading detection through simple transformations, because detecting TTPs means detecting according to the attacker's behavior. If attackers want to avoid detection they must change their behavior, which requires researching new techniques and attack methods and is therefore more difficult and more expensive.
All attack detection is based on feature matching between data sources and policies. To detect an attack technique, we first need to obtain the data corresponding to that technique: the traces an attacker leaves on a host or network device when attacking it. These are usually presented as various kinds of logs, which may be built-in system or application logs or log data recorded specifically for security purposes. Each technique description in MITRE ATT&CK lists the data sources corresponding to the technique, telling us in which types of data the traces left by executing that technique can be found.
4. Data source classification
By calling the STIX objects and attributes mapped to ATT&CK objects and attributes in the STIX 2.0 GitHub repository, 59 kinds of data sources were analyzed and counted.
The following figure ranks the top 10 data sources by the number of techniques each data source can detect.
5. Technique selection
Besides obtaining the data sources needed for detection, different technique points also differ in how hard they are to detect. When reproducing a scenario, some techniques only require executing system commands with publicly available tools, while others require special tools, ranging from ordinary command-line program monitoring to deep monitoring of system kernel calls and process context.
(Figure: table of the detection difficulty of attack techniques)
Different commands, and different forms of use of the same tool, can map to different techniques in different attack stages, and the technique points to detect differ accordingly. The following shows the TTPs mapped from analyzing the mimikatz tool.
III. Introduction to Sysmon
1. Sysmon
Sysmon is a free, lightweight system monitoring tool from Microsoft. It was originally developed by Sysinternals, which was later acquired by Microsoft, and it now belongs to the Sysinternals family of tools (with a Microsoft code signature). Through a system service and a driver it records details of process creation, network connections and changes to file creation time, and writes the information to the Windows event log. Security personnel often use this tool to record and analyze system process activity in order to identify malicious or abnormal activity.
After installation, Sysmon consists of two parts: a user-mode system service and a driver. The user-mode part records network data through ETW (Event Tracing for Windows) and parses the data returned by the driver into the event log; the driver collects process-related information through process, thread and module (image load) callback functions, and records file and registry access through a minifilter file-system driver and registry callback functions.
2. Reasons for choosing Sysmon
Functionally, once Sysmon is installed it remains resident and monitors system activity, recording it in the Windows event log. Compared with general-purpose detection tools, Sysmon monitors system activity in depth and records high-confidence indicators of advanced attacks, making it an excellent host intrusion detection engine for HIDS and EDR.
In terms of stability it surpasses most self-developed drivers, with complete functionality and little impact on performance. Although it is powerful, it still has many monitoring blind spots; paired with a self-developed agent, the agent can make up for those blind spots and other needs, such as self-protection and functions Sysmon cannot query.
The technique detection for ATT&CK that follows relies mainly on Sysmon monitoring; the test captures event data from the endpoint for analysis. Later I will show how to install Sysmon and how to use a custom configuration to filter out noise and capture threat characteristics.
3. Building the test environment
Run the Sysmon installer; Sysmon is used to generate the log monitoring data.
Simulate the attack environment: write batch files and run the mimikatz malicious program from memory (it can obtain plaintext passwords, golden tickets and more).
Install winlogbeat, which streams Windows event logs to our ELK storage in real time.
Open the winlogbeat.yml file to edit the types of logs it collects. After the line "- name: System", add the line "- name: Microsoft-Windows-Sysmon/Operational".
Run the winlogbeat configuration test with ".\winlogbeat.exe -c .\winlogbeat.yml -configtest -e". Once the test passes, start the service with "start-service winlogbeat".
The monitoring data captured from the system after the attack can then be used for secondary analysis and processing.
It is recommended to prioritize what you can currently see in your environment rather than picking arbitrary techniques from the matrix. For example, if you run Sysmon in your environment and collect "ProcessCreate" events, you can prioritize techniques that list "Process monitoring" or "Process command-line parameters" as data sources.
IV. Analysis process
This article mainly discusses the use of mimikatz to obtain hash credentials or to pass them on. Such techniques are monitored mainly through command-line parameter detection and monitoring of the context-sensitive calls made by the running program; we then extract their features, analyze how to effectively reduce data noise, and simulate execution of test commands in a session for verification, so as to continuously improve the effectiveness of detection in engineering practice.
The following monitors the command-line program invocation interface in real time by calling system APIs, and simulates and detects malicious attacks by matching command-line parameter features.
However, matching command-line parameter features alone, although it catches certain attacks, is also easy to bypass.
1. Analysis with Sysmon tools
With the help of tools such as SysmonView, we can fully present the attacker's behavior and the execution process of malicious programs, which helps behavior analysis and feature extraction. As the following figure shows, during the execution of mimikatz the dynamic link libraries cryptdll.dll, samlib.dll, hid.dll, WinSCard.dll, vaultcli.dll and others were loaded, and the system process lsass.exe was accessed.
However, whether these DLLs are loaded only by mimikatz, and whether there is noise, cannot be determined yet: there may be other programs that also need to load these DLL files, which needs further analysis and confirmation.
2. Analysis with a Sysmon data platform
Faced with massive log data, we need a big data platform for analysis: to understand the relationships between hosts, processes, files, network connections, drivers, registry keys, pipes and other objects, to analyze and compare them, and to filter out the smallest unique features that identify a given attack technique.
3. Analysis with Sysmon rules
After preliminary feature extraction through behavior analysis, we can match the features with Sysmon rules.
ATT&CK technique T1003 (credential dumping) can be configured and monitored with the following Sysmon rules.
Alternatively, detection can be configured through YAML rules.
Detection in the system log: the result successfully captured the relevant operation information of mimikatz.
Because the mimikatz program was run via a bat script, the following figure shows the detection rules hit for technique T1036 (masquerading/obfuscation).
Credential dumpers such as Mimikatz can be executed directly as a local binary file, or loaded and run directly in memory through PowerShell, reading data from other processes' memory. When analyzing and hunting for such programs, you can further analyze the part of the extraction process that requests specific permissions to read the LSASS process, to detect when a credential dump occurs and to distinguish Mimikatz from the common access patterns used by other programs.
The common Mimikatz GrantedAccess pattern:
These features are specific to how the current version of Mimikatz works, so they are not reliable for future updates or non-default configurations of Mimikatz.
EventCode=10
TargetImage="C:\\WINDOWS\\system32\\lsass.exe"
(GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418)
CallTrace="C:\\windows\\SYSTEM32\\ntdll.dll+*|C:\\windows\\System32\\KERNELBASE.dll+20edd|UNKNOWN(*)"
| table _time hostname user SourceImage GrantedAccess
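The same rule expressed as a detector over winlogbeat-style Sysmon Event ID 10 records, as an added example that is not part of the original article. The event shape (host.name, winlog.event_id, winlog.event_data) follows winlogbeat's output, the sample events and host names are constructed, and the call-trace glob is matched against the raw field value, so backslashes are single rather than the doubled form the search above uses for Splunk escaping.

```python
import fnmatch

# Known Mimikatz GrantedAccess masks and the call-trace shape from the search above:
# frames through ntdll/KERNELBASE, then a frame in unbacked ("UNKNOWN") memory.
SUSPICIOUS_ACCESS = {0x1410, 0x1010, 0x1438, 0x143A, 0x1418}
CALLTRACE_PATTERN = (
    r"C:\windows\SYSTEM32\ntdll.dll+*"
    r"|C:\windows\System32\KERNELBASE.dll+20edd"
    r"|UNKNOWN(*)"
)


def is_mimikatz_lsass_access(event):
    """True when an Event ID 10 record targets lsass.exe with one of the known
    access masks and a call trace that ends in unbacked memory."""
    winlog = event.get("winlog", {})
    if winlog.get("event_id") != 10:
        return False
    data = winlog.get("event_data", {})
    if not data.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    try:
        granted = int(data.get("GrantedAccess", ""), 16)  # hex string such as "0x1010"
    except ValueError:
        return False
    if granted not in SUSPICIOUS_ACCESS:
        return False
    # Case-insensitive glob match: module paths differ in case between events.
    return fnmatch.fnmatchcase(data.get("CallTrace", "").lower(), CALLTRACE_PATTERN.lower())


def scan(events):
    """Return (hostname, SourceImage, GrantedAccess) for every matching event."""
    hits = []
    for ev in events:
        if is_mimikatz_lsass_access(ev):
            d = ev["winlog"]["event_data"]
            hits.append((ev["host"]["name"], d["SourceImage"], d["GrantedAccess"]))
    return hits


def _event(host, event_id, **data):
    """Build a constructed winlogbeat-shaped record (placeholder host names)."""
    return {"host": {"name": host}, "winlog": {"event_id": event_id, "event_data": data}}


# Constructed sample events, not real captures.
SAMPLE_EVENTS = [
    # mimikatz reading lsass: known mask, trace ends in unbacked memory -> hit
    _event("ws01", 10, SourceImage=r"C:\Tools\mimikatz.exe",
           TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1010",
           CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+20edd|UNKNOWN(1E2CCC4A9A4)"),
    # ordinary service querying lsass with a benign mask -> no hit
    _event("ws01", 10, SourceImage=r"C:\Windows\System32\svchost.exe",
           TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1000",
           CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+2c38d|C:\Windows\System32\sechost.dll+1b2a"),
    # same mask as mimikatz, but every frame is backed by an on-disk module -> no hit
    _event("ws02", 10, SourceImage=r"C:\Program Files\Agent\agent.exe",
           TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1410",
           CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+20edd|C:\Program Files\Agent\agent.exe+4f10"),
    # mimikatz-like access to a process other than lsass -> not this rule's concern
    _event("ws02", 10, SourceImage=r"C:\Tools\mimikatz.exe",
           TargetImage=r"C:\Windows\explorer.exe", GrantedAccess="0x1410",
           CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+9c534|C:\Windows\System32\KERNELBASE.dll+20edd|UNKNOWN(1E2CCC4A9A4)"),
    # a different event type is ignored entirely
    _event("ws02", 1, Image=r"C:\Tools\mimikatz.exe", CommandLine="mimikatz.exe"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT possible credential dump:", hit)
```

The third sample shows why the call-trace clause matters: an access mask alone would also flag a legitimate agent, as the caveat above about non-default Mimikatz configurations cuts both ways.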
The following is the Sysmon configuration for T1003, where the credential dumping technique of the credential access tactic is mapped to finer-grained sub-techniques.
The following shows the system detecting file creation by a keylogger; detecting such abnormal behavior improves the ability to detect attacks and find more security problems on the host side.
5. SysmonHunter analysis
For simulation testing we used the Empire tool. Empire is an intranet penetration testing tool whose cross-platform characteristics resemble Metasploit; it has rich modules and interfaces, users can add their own modules and functions, and it is a good PowerShell post-exploitation platform.
The data monitored on the endpoint is processed by feature matching, and the results are pushed to the Elasticsearch database, where the data input can be viewed.
By analyzing the number of times a DLL is loaded, we analyze whether the file is loaded by normal programs.
Some DLLs are loaded only by certain programs, or must be loaded for certain operations; each must be analyzed one by one to determine whether it can be regarded as an indicator for feature engineering.
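The DLL-load frequency analysis described above, written out as an added example that is not part of the original article: it indexes Sysmon Event ID 7 (ImageLoad) records, counts how many distinct programs load each of the DLLs the SysmonView analysis attributed to mimikatz (the noise measure), and flags programs that load most of the set together. The sample events and paths are constructed.

```python
from collections import defaultdict

# DLLs observed loading during mimikatz execution in the SysmonView analysis above.
CREDENTIAL_DLLS = {"cryptdll.dll", "samlib.dll", "hid.dll", "winscard.dll", "vaultcli.dll"}


def build_load_index(events):
    """Index Event ID 7 records two ways: dll -> loader images, image -> dlls."""
    dll_loaders = defaultdict(set)
    image_dlls = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        image = ev["Image"].lower()
        dll = ev["ImageLoaded"].lower().rsplit("\\", 1)[-1]  # keep only the file name
        dll_loaders[dll].add(image)
        image_dlls[image].add(dll)
    return dll_loaders, image_dlls


def dll_noise(dll_loaders):
    """Distinct programs loading each credential DLL: 1 means a unique feature,
    more means the DLL alone is noisy and cannot serve as an indicator by itself."""
    return {d: len(dll_loaders.get(d, ())) for d in sorted(CREDENTIAL_DLLS)}


def suspicious_loaders(image_dlls, min_hits=4):
    """Images loading at least min_hits of the credential DLL set; the combination
    is the indicator, not any single DLL."""
    return sorted(img for img, dlls in image_dlls.items()
                  if len(dlls & CREDENTIAL_DLLS) >= min_hits)


def _load(image, dll):
    """Constructed Event ID 7 record (only the fields this analysis needs)."""
    return {"EventID": 7, "Image": image, "ImageLoaded": dll}


# Constructed sample events: mimikatz loads the whole set, while explorer, lsass and
# svchost each load one or two of the same DLLs for ordinary reasons.
SAMPLE_EVENTS = [
    *(_load(r"C:\Tools\mimikatz.exe", r"C:\Windows\System32\%s" % d)
      for d in ("cryptdll.dll", "samlib.dll", "hid.dll", "WinSCard.dll", "vaultcli.dll")),
    _load(r"C:\Windows\explorer.exe", r"C:\Windows\System32\hid.dll"),
    _load(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WinSCard.dll"),
    _load(r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\cryptdll.dll"),
    _load(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\hid.dll"),
    {"EventID": 1, "Image": r"C:\Tools\mimikatz.exe", "CommandLine": "mimikatz.exe"},
]


def analyze(events=SAMPLE_EVENTS, min_hits=4):
    """Return (per-DLL loader counts, images loading >= min_hits of the set)."""
    dll_loaders, image_dlls = build_load_index(events)
    return dll_noise(dll_loaders), suspicious_loaders(image_dlls, min_hits)


if __name__ == "__main__":
    noise, suspects = analyze()
    for dll, n in noise.items():
        print("%-13s loaded by %d distinct program(s)" % (dll, n))
    print("programs loading most of the set:", suspects)
```

Lowering min_hits to 2 also pulls in explorer.exe, which is the noise the text warns about: the threshold has to be tuned against the baseline of the environment's own DLL loads.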
After importing into a graph database for association analysis: blue indicates programs, red indicates calling processes, yellow represents nodes, and green represents endpoint numbers.
VI. Practical application
Combined with product detection, appropriate classification is completed through abstraction and extraction, connecting the attacker's behavior with specific detection methods. Through abstraction and extraction a general detection method is formed, so that the product can detect individual adversarial behaviors and their targets.
1. Single-point testing
Application of a testing framework
Atomic Red Team is a simple test library that every security team can run to test the detection capability of security products. It is a small, highly portable detection testing framework mapped to the MITRE ATT&CK framework, and each test is designed to map to a specific technique.
The following verifies the detection capability of EDR through the interactive testing framework.
What any attacker wants most after entering the intranet is to steal as many credentials as possible. If they can log on to other systems with those credentials, there is no need to attack by studying the remaining vulnerabilities in other assets, so obtaining host credentials has always been a must: whether in penetration testing, red-blue confrontation or network protection exercises, whoever gets the credentials wins. Therefore, the following selects credential-acquisition attacks to test the detection of the related techniques.
Shadow copy operations
Vssadmin is the command for creating and deleting shadow copies of Windows drives. A shadow copy is simply a backup: creating a shadow copy produces an exact copy of the files. For example, databases opened exclusively and files opened by operators and system activities can be backed up by creating a shadow copy with this command. Shadow copies can be used to export the SAM file and, together with the SYSKEY, obtain NTLM hashes with tools such as mimikatz. VSS shadow copies can also be used to copy ntds.dit, the database file in AD (Active Directory) that contains all information about all objects in the Active Directory domain, including the password hashes of all domain users and computer accounts.
The following shows the test results after the product's analysis based on program hash and process behavior.
Mimikatz
Mimikatz is a well-known tool written by the Frenchman Gentil Kiwi for the Windows platform. It has many functions, the most notable being the ability to obtain the plaintext password of active Windows accounts directly from the lsass.exe process. Beyond that, mimikatz can also elevate process privileges, inject into processes, read process memory, pass the hash, and so on.
The following shows the test results after the product's analysis based on program hash and process behavior.
Procdump
Procdump is a tool in the Windows (Sysinternals) toolkit; because it carries an official Microsoft signature, most antivirus software will not flag it. The memory of lsass.exe is dumped through procdump, and mimikatz.exe is then used locally to read the dump file and extract passwords.
The following shows the test results after the product's analysis based on program hash and process behavior.
Ntdsdump
Ntdsdump is a tool for extracting passwords from NTDS.dit (the Active Directory database); it can obtain all the hashes on a domain controller offline from the ntds.dit and SYSTEM files exported from the domain controller.
The following shows the test results after the product's analysis based on program hash and process behavior.
2. Scenario testing
Ransomware detection
After simulating a ransomware program, the abnormal alarm is detected by extracting behavioral features, comparing hashes, and matching against the feature library.
Finally, automated analysis determines that the host is under attack by ransomware.
VII. Continuous evolution
1. Refining the granularity of ATT&CK attack techniques
Although ATT&CK provides a systematic theoretical guide, it still cannot solve the specific technical problems of detection points and provides no method for describing the specific implementation of a technique. Some technique descriptions are still fairly general, so test coverage for detection by security products is still insufficient. At present the problem of ATT&CK's breadth has basically been solved; future development lies in increasing depth: not one test case covering one indicator, but a group of test cases verifying the depth of one indicator.
Recently, to strengthen the framework's structure, the ATT&CK organization began tuning and redesigning the whole framework, refining the granularity of attack techniques and introducing the concept of sub-techniques. A sub-technique describes a specific implementation of a technique in more detail; in the technique list you can then see the various ways in which a technique can be executed. Credential dumping is a good example.
In the credential dumping technique there are a total of nine ways to perform the operation, such as Windows SAM and cached credentials. Although the end result is similar each time, many different behaviors are concentrated in one technique. With sub-techniques, it is split into a top-level credential dumping technique with nine sub-techniques under it, describing these variations in more detail so that we understand how they apply to each platform in a specific way.
Sub-technique IDs start at .001 and increase with each new sub-technique. For example, access token manipulation remains T1134, but token impersonation/theft becomes T1134.001, create process with token becomes T1134.002, and so on.
The in-depth analysis required by sub-techniques also led to adjustments in how techniques are assigned to tactics. Some techniques that did not fit the core definition of a tactic may be removed, such as "Hidden Files and Directories" not fitting "Persistence", and a small number of techniques are deprecated, such as "Hypervisor", for which no proven use case was found. Some techniques were also demoted to sub-techniques: for example, with the addition of the "Pre-OS Boot" technique, the existing Bootkit technique was moved under it as a sub-technique.
The following is the mapping table from old techniques to new sub-techniques.
2. Attack-and-defense detection and confrontation
ATT&CK is constantly updated and upgraded, and attackers are constantly looking for more covert ways to bypass detection by traditional security tools, so defenders have to change their detection and defense methods.
Take the Sysmon detection engine we used above for intrusion detection: many people install Sysmon with the default configuration, without changing the file name, service name or driver name. Once an attacker discovers that the host is equipped with Sysmon, by analyzing the existing rules and environment and combining bypass and blocking techniques according to the specific situation, Sysmon logging can easily be broken. Defenders therefore need to hide Sysmon, otherwise TTP detection of attackers and intrusion detection will be affected.
From the perspective of TTP-based attacks, attackers' tools are now developing towards customization, modularization and fileless execution, which can bypass most traditional security protection equipment. For example, the following tool runs without any parameters and dumps the memory of lsass.exe directly.
This requires security vendors to invest in research: the more thorough the research and analysis, the harder it is for attackers to bypass. Especially for existing TTPs, research into how to match attacks precisely is, I think, the future trend, moving towards accurate detection; otherwise security analysts will be submerged in a flood of alarms from all kinds of devices. Of course this is a continuous process, constantly upgrading and evolving in the offensive-defensive confrontation.
3. Big data intelligent analysis platform
At a deeper level, what would it be like to detect only specific known attacks? A new feature, a new alarm, a new signature, one by one! Yes, this is probably the daily threat detection and analysis experienced by a security analyst. Have we considered that, through an ecosystem composed of several open source frameworks, we could enable advanced analytics to enhance threat detection, build a big data intelligent analysis platform with machine learning, and further develop analysis techniques that make predictions or recommendations based on data, in order to detect known threats, discover unknown threats through association analysis, and improve the detection rate?