
A Detailed Tutorial on Building Your First ATT&CK Procedure


Note: The attack procedure built in this post may not work on every macOS version or in every situation. There are many factors that can block scripts from running at boot time, and you should always test against your target operating system.

The MITRE ATT&CK framework is a universally accepted knowledge base of tactics, techniques and procedures designed to organize and display how adversaries attack real-world assets. Blue teams use ATT&CK to better understand the multitude of new (and old) attacks and map them to their internal tools and systems. Red teams can use ATT&CK as a type of playbook, using specific "plays" (combinations of TTPs) to test their systems, and the results can be easily communicated to the rest of the security team.

Digging into some terminology:

  • A tactic is what an attacker hopes to achieve.
  • A technique is how an attacker plans to achieve or execute the tactic.
  • A procedure is a specific implementation of the technique.

Sound confusing? Let's walk through an example:

An attacker may execute a Collection tactic to steal data from a computer, selecting the Clipboard Data (T1115) technique and executing the Get-Clipboard PowerShell cmdlet as the procedure to complete the action.

ATT&CK helps defenders in a variety of ways:

  • It offers a common language to discuss tactics, techniques and procedures.
  • It provides a dynamic kill chain for blue team members to detect and respond against.
  • It offers resources related to threat groups and the behaviors they use in the wild.

For those on the offensive side, the ATT&CK matrix offers another quite remarkable benefit: it acts as a classification system for organizing your attacks into distinct kill chains.

Offensive operators, including those in cyber operations and red teams alike, spend their time crafting exploits, coding implants and researching ways to conduct post-compromise actions without getting caught. In a constant game of cat and mouse, an offensive operator needs to remain one step ahead at all times and, therefore, must build (and rebuild) procedures constantly.

In this post, we'll walk through how an offensive operator uses ATT&CK. We will start with a goal, something to accomplish, and then set out to define it as a tactic, select the best-fitting technique and finally pivot into building a single procedure to use in a live attack.

Step 0: The Attack Scenario

I'm an offensive operator. Previously, I wrote a nice Python-based implant that easily drops onto target systems and gives me Remote Code Execution (RCE). When my agent, let's call it "Boomer," is installed, it beacons back to my command-and-control (C2) server, where I can send it instructions. I now need to devise a new instruction (procedure) to ensure Boomer stays on the infected computer – specifically when the computer reboots.

When a computer reboots, any non-system services and processes shut down and do not reopen when the computer starts back up. This stops implants like Boomer in their tracks – unless action is taken to ensure they restart when the computer does.

As a Python agent, Boomer is coded to execute Python code as attacks using the Python 3 interpreter installed by default on my target operating system, macOS.

Some attackers send instructions directly to the shell interpreter through utilities such as Bash or ZSH, but defenders have improved their detections for these over the years. So I'll need to write my procedure in the Python programming language so it can execute through the interpreter on the infected machine.

Boomer accepts a Python expression – even a large one – and pipes it through the built-in exec() function, which interprets and executes dynamic Python code.

It looks like this:

Step 1: Selecting the tactic

With Boomer deployed remotely and waiting for an instruction, I first need to select my tactic.

With my goal in hand – which is to maintain my foothold on the infected computer – I head to attack.mitre.org to see if any tactics align.

Looking at the Enterprise tactics, I see Reconnaissance, Resource Development, Initial Access, Execution, Persistence…there it is. Persistence sounds exactly like what I'm trying to do!

Clicking into the tactic, I confirm my hunch by reading MITRE's description:

The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

Perfect. This is the one. Time to pick a technique.

Step 2: Selecting the technique

Scrolling down the page for the Persistence tactic (https://attack.mitre.org/tactics/TA0003/), I see a variety of rows with a T* prefix. These are the technique identifiers under the tactic.

Two in particular catch my eye: T1547 (Boot or Logon Autostart Execution) and T1037 (Boot or Logon Initialization Scripts).

T1547 is described as:

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

And T1037 is:

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on the operating system and whether applied locally or remotely.

Hm. Either could work for me, as they're both designed to relaunch an arbitrary program (like Boomer) after a computer boots up. Because Boomer is a Python script, I figure I can probably hook into the script technique a little more easily, so I decide on T1037.

Under this technique, I see a series of sub-techniques, or categories, denoted with the .000 syntax. Now, while all of these sub-techniques should be considered, my eye is drawn to .002: Logon Script (Mac) because it specifically mentions the operating system Boomer is currently running on.

Scanning the description of T1037.002, I read:

Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike Startup Items, a login hook executes as the elevated root user.

Perfect. This will do just fine.

Step 3: Researching the options

At this point, I've identified the Persistence tactic and technique T1037.002 as my preferred behavior to execute. For any technique, there could be dozens – if not thousands – of variations. This is what makes being a defender so hard. As the offensive operator, to be successful I only need to select one variation the defense is blind to, while defenders need to catch all of my attacks to beat me.

Picking a variation means hitting the internet for some research.

Let's start on the ATT&CK website itself. Clicking into the technique (https://attack.mitre.org/techniques/T1037/002/), I can see the defense is being trained to detect procedures under this technique in this manner:

Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running processes for actions that could be indicative of abnormal programs or executables running upon logon.

Okay, good to know.

Heading to every hacker's best friend, Google, I type the following:

"macos logon script python"

This leads me to a Stack Overflow post (https://stackoverflow.com/questions/29338066/run-python-script-at-os-x-startup) recommending I create a PLIST file and place it in one of the following locations:

  • /System/Library/LaunchAgents
  • /System/Library/LaunchDaemons
  • /Users/<username>/Library/LaunchAgents

A PLIST file is simply a property list file: on macOS, a configuration file for a specific application or service.

The answer has 12 upvotes and seems well supported, so I bookmark the page and move on to the next step: writing the code.

Step 4: Writing the code

Based on my research in the previous step, I need to do two things to build my attack:

  • Write a PLIST property file that starts Boomer.
  • Place the property file in the correct location on disk.

My research says to put my new PLIST property file in one of three locations on disk. I figure I can find an example PLIST file there to work from, so I navigate to those locations on my own laptop and open a few PLIST files.

I find a small example that looks promising: com.jetbrains.toolbox.plist.

Opening this, I see:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.jetbrains.toolbox</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/JetBrains Toolbox.app/Contents/MacOS/jetbrains-toolbox</string>
    </array>
</dict>
</plist>

It looks like the Label should equal the name of my PLIST file and the ProgramArguments should be the path to the Python interpreter followed by the script location. I adjust the values to the following, which match my own laptop.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <!-- the original file name is not given in the post; placeholder label -->
    <string>com.example.boomer</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/python3</string>
        <string>/Users/privateducky/Downloads/boomer.py</string>
    </array>
</dict>
</plist>

Next, I stage the PLIST file in my laptop's /Users/privateducky/Library/LaunchAgents directory in order to try it out.

I make sure the paths defined in the PLIST are correct. Then, instead of infecting my laptop with a Boomer agent, I drop an ad-hoc Python script called boomer.py into my laptop's Downloads directory to test with:

import time

# Stand-in for the real agent: stay alive and print a heartbeat once a second
while True:
    print('boomer here')
    time.sleep(1)

Rebooting my laptop, I run a process check to see if my ad-hoc Boomer process is active:

[Screenshot: process listing showing the ad-hoc Boomer process running after reboot]
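The defender's side of the plist layout used above, as an added example that is not code from the original post: following the ATT&CK detection guidance quoted in Step 3, this check reviews a LaunchAgent or LaunchDaemon plist and flags the two traits of the procedure built here, a ProgramArguments entry that runs a script interpreter rather than a signed application binary, and a script that lives in a user-writable location such as Downloads. The sample plists, their labels and their paths are constructed for this example.

```python
import plistlib
from pathlib import Path

# Constructed sample modelled on the Label + ProgramArguments layout above
# (label and paths are made up for this example).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/python3</string>
        <string>/Users/barry/Downloads/updater.py</string>
    </array>
</dict>
</plist>
"""

# Constructed benign sample: a vendor agent launched from its app bundle.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.vendor.agent",
    "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/agent"],
})

# Interpreters whose presence in ProgramArguments deserves a closer look.
INTERPRETERS = ("python", "python3", "sh", "bash", "zsh", "osascript")
# Prefixes of locations an ordinary user can write to (heuristic, not exhaustive).
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")


def review_launch_agent(data: bytes) -> list:
    """Return a list of findings (empty means nothing suspicious) for one plist."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "<no label>")
    args = plist.get("ProgramArguments") or []
    if not args and "Program" in plist:
        args = [plist["Program"]]
    if not args:
        return [f"{label}: no Program or ProgramArguments, nothing is launched"]
    findings = []
    exe = Path(args[0]).name
    if exe in INTERPRETERS or exe.startswith("python"):
        findings.append(f"{label}: launches interpreter {exe!r} instead of an app binary")
    for arg in args[1:]:
        if arg.startswith(USER_WRITABLE):
            findings.append(f"{label}: script {arg!r} lives in a user-writable path")
    return findings
```

Point review_launch_agent at the bytes of each file under the three LaunchAgents/LaunchDaemons directories listed in Step 3 to triage them the same way.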


Step 5: Launching the attack

With a working procedure in hand, I'm ready to send it to my live Boomer agent running on the infected remote computer.

Since I'm planning on using Python's built-in exec() function, I need to make sure my instruction is a valid Python string.

It looks a little messy, but this one-liner should do the trick (assuming the username of the active user is barry and Boomer is located in the Downloads directory of the remote machine):


With the command ready, I send the procedure (instruction) to Boomer and sit back comfortably, knowing that every time the infected machine is rebooted, Boomer will live on.

In this post, we learned how to take a goal and convert it into an executable procedure categorized by MITRE ATT&CK.

From here, we can continue building procedures to assemble an end-to-end mission, or we can save our procedure into an indexed database so we can repeat it in the future. In the latter case, there are a number of popular online repositories built toward standardizing attack procedures in a repeatable way. There's the Atomic Red Team (https://github.com/redcanaryco/atomic-red-team) project as well as the Community repository (https://github.com/preludeorg/community), both of which index procedures in YML format for reuse in future missions.

Happy building!

About the Author: David Hunt is the CTO of Prelude Research Inc. There, he leads a team supporting a cutting-edge autonomous red team platform. Prior to this work, David built CALDERA, an open-source adversary emulation framework, while working as a Principal Cyber Security Engineer for MITRE. David has spent 15 years working as a security consultant for the U.S. Government, including full-time roles at major cyber security companies such as FireEye.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
