Preparing for Known Russia-based Cyberthreats Using MITRE ATT&CK and AttackIQ

To prepare for a potential cyberattack from Russia-based actors, you can begin by testing your security controls against known adversary tactics. The vast majority of cyberattacks use tactics and techniques that have been employed in the past. This blog walks you through key known tactics and techniques, and highlights scenarios in the AttackIQ Security Optimization Platform that you can use today to test your defenses and improve your cybersecurity readiness.

As the conflict in Ukraine escalates and the risk of potential cyberattacks continues against U.S. and allied interests, the justifiable temptation is to focus on new threat reporting. Every week, it seems, a new zero-day exploit is disclosed, a new malware family is identified, or a new threat actor is discovered. As the attacks hit the news, defenders immediately feel the pressure from their leadership to answer a single question: “are we covered?” 

While you need to answer that specific question, you can also tell your leadership that when attackers conduct a cyberattack, they use a range of known tactics, techniques, and procedures that already exist. Recall that in the SolarWinds breach, the Russian government first used a novel supply-chain-enabled attack to break past the victims’ perimeter defenses, but once inside the victims’ networks, the attacker used known tactics that had long been in existence to move laterally. In its alert following the intrusion, CISA used the MITRE ATT&CK framework to describe the adversary’s behavior. And with the known behaviors described in MITRE ATT&CK, we can test our defensive shields today.

In light of the unfolding contingency in Ukraine, today we are going to review a handful of common techniques associated with both state-sponsored and cybercriminal actors believed to be operating out of Russia. By focusing your defenses on these known threat behaviors, you can significantly improve your security program by testing your technologies, exercising your teams, and making adjustments as required.

Using the MITRE ATT&CK Knowledge Base, we’re going to look at three techniques that have been broadly adopted by multiple actors and can be used as the foundation for larger detection efforts that will increase your security program performance in chunks, rather than focusing on single actors and single techniques. The techniques we focus on in this blog are:

  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

We highlight threat groups that use each technique. Following our discussion of the techniques, we then turn to scenarios in the AttackIQ Security Optimization Platform that you can run against your security controls to emulate the adversary and test your total security program performance.

T1059.001 Command and Scripting Interpreter: PowerShell 

Used By: APT28, APT29, Cobalt Group, Dragonfly 2.0, Indrik Spider, Nomadic Octopus, Sandworm Team, TEMP.Veles, Turla, Wizard Spider

Microsoft PowerShell is a native framework for Windows systems whose built-in capabilities allow for easy interactions with all components of the operating system and make it a compelling tool for system administrators and threat actors alike. This ATT&CK technique is broad and covers all ranges of usage, from simple downloaders to full-featured, memory-resident backdoors. Identifying malicious usage of PowerShell can detect and prevent many of the additional ATT&CK techniques the scripts facilitate. Because PowerShell is versatile, so must be our detection efforts.

 Evaluating coverage for PowerShell can be focused on: 

  1. The Script or Command’s Code: Atomic detection of common malicious patterns or obfuscation techniques can help distinguish illegitimate scripts from the ones leveraged by system admins.
    • Recommended Scenarios in the AttackIQ Security Optimization Platform:
      • Download 2021-06 PowerView.ps1 to Memory | Save 2021-06 PowerView.ps1 to File System: PowerView is a component of PowerShell Empire that performs network and Windows domain enumeration and exploitation using PowerShell. These two scenarios will test the ability of both your network and endpoint security controls to identify commonly used malicious content. PowerShell Empire has been used by Turla, Wizard Spider, and Indrik Spider.
      • Execute Emotet 2020-07 Encoded PowerShell Script to Download and Execute Emulated Malware: To make anti-virus detection more difficult, threat actors commonly obfuscate the PowerShell scripts to limit static identification. This scenario uses an obfuscated variant of an Emotet campaign. The obfuscation techniques used in this example are used by many different actor sets. Emotet is used by Wizard Spider. 
  2. An Initial Execution Point: How was the PowerShell script executed? Office Documents executing PowerShell from macros may indicate delivery of a malicious document. Scripts being executed from temporary directories or chained from VBS scripts can be suspicious. Setting the PowerShell execution policy to only allow signed scripts can prevent illegitimate scripts from starting.
    • Recommended Scenarios in the AttackIQ Security Optimization Platform: 
      • Initial Access using Office Documents: Macro-enabled Office Documents are one of the most common delivery mechanisms for an initial stage PowerShell downloader. This scenario emulates this behavior by dropping and executing a Microsoft Word file that uses macros to execute a PowerShell command to remotely download a secondary payload. Example used in Emotet delivery by Wizard Spider. 
      • Persistence Through WMI: This scenario mimics malware utilizing a WMI persistence mechanism to ultimately execute a PowerShell script via a VBScript that was initially launched as a WMI Event Consumer. Legitimate PowerShell scripts are unlikely to be executed in this manner. Technique used by Turla.
  3. Overall PowerShell Behavior: PowerShell still needs to interact with the host to retrieve information or make modifications. The files being accessed, the registry settings being modified, and the web requests originating with PowerShell user-agents are all potential markers for nefarious behavior.
    • Recommended Scenarios in the AttackIQ Security Optimization Platform: 
      • Cobalt Strike Named Pipe Impersonation: A common technique leveraged in Cobalt Strike or Metasploit attacks is to use named pipes and service executions to elevate privileges by impersonating tokens. This scenario creates a named pipe listener using PowerShell. This technique is used by many actors with Cobalt Strike. 
      • Dump OS Passwords: Mimikatz has a PowerShell variant that facilitates harvesting and collecting system credentials. This scenario executes an obfuscated variant with low anti-virus detection. Mimikatz has been used by: APT28, APT29, Carbanak, Dragonfly, Indrik Spider, TEMP.Veles, Turla, and Wizard Spider.
      • Email Collection Script: Threat actors harvest email archive files looking for credentials or intellectual property that can be ransomed. The scenario uses PowerShell scripts to search and find files of interest. Similar technique used by: Carbanak 
      • Stop Windows Defender via Encoded PowerShell Script: Actors will look to disable security tools including Windows Defender to reduce the likelihood their future actions can be detected or prevented. Windows Defender is disabled in this scenario using an obfuscated PowerShell script. Technique was utilized by Wizard Spider with Conti. 
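
The three coverage angles above (script content, execution point, behavior) can be checked against process-creation telemetry. The following is an added example, not AttackIQ's or the original post's code; the event field names (parent_image, image, command_line) and the sample events are assumptions constructed for illustration.

```python
import base64
import re

SUSPECT_PARENTS = {
    "winword.exe": "office-parent", "excel.exe": "office-parent",
    "powerpnt.exe": "office-parent", "outlook.exe": "office-parent",
    "wscript.exe": "script-host-parent", "cscript.exe": "script-host-parent",
}
TEMP_PATH = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp)\\", re.I)
FLAG_AND_VALUE = re.compile(r"(?:^|\s)[-/](\w+)\s+([A-Za-z0-9+/=]{8,})")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (or a prefix such as -e/-enc, or -ec)."""
    for flag, blob in FLAG_AND_VALUE.findall(cmdline):
        flag = flag.lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                # The argument is base64 over UTF-16LE text.
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except ValueError:  # not valid base64 or not valid UTF-16LE
                return None
    return None

def analyze(event):
    """Return (finding, detail) pairs for one process-creation event."""
    if basename(event["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return []
    findings = []
    parent = basename(event["parent_image"])
    if parent in SUSPECT_PARENTS:
        findings.append((SUSPECT_PARENTS[parent], parent))
    if TEMP_PATH.search(event["command_line"]):
        findings.append(("script-in-temp", event["command_line"]))
    decoded = decode_encoded_command(event["command_line"])
    if decoded is not None:
        findings.append(("encoded-command", decoded))
    return findings

# Constructed sample events (not real telemetry); the encoded payload is a harmless echo.
BLOB = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "image": PS,
     "command_line": f"powershell.exe -NoProfile -w hidden -enc {BLOB}"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": r"powershell.exe -File C:\Scripts\Get-Inventory.ps1"},
]
```

Decoding the argument before matching lets content rules run on the script text itself instead of on the base64 wrapper.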

T1059.003 Command and Scripting Interpreter: Windows Command Shell 

Used By: APT28, APT29, Carbanak, Cobalt Group, Dragonfly 2.0, Gamaredon Group, Indrik Spider, Nomadic Octopus, Sandworm Team, Turla, Wizard Spider

 The Windows Command Shell is the default system command prompt and is commonly utilized by threat actors to execute both native system commands and their own custom binaries. The ATT&CK technique includes interactive sessions and batch files that allow for sequences of commands to be executed in serial. 

Preventing use of the Windows Command Shell is impossible: it’s a core component of the Windows operating system and is ubiquitously leveraged by users and system administrators everywhere. Detection and prevention primarily focus on two components:

  1. Binaries Being Executed: Code signing requirements can help prevent non-native binaries from being run, but that won’t stop actors from living off the land and using the included system commands and utilities. Your detection of malicious activity would center around the order of the commands being executed and the parent/grand-parent relationship of the processes. As an example, a web server process shouldn’t commonly be executing discovery and collection commands; that would be indicative of a web shell.
    • Recommended Scenarios in the AttackIQ Security Optimization Platform 
      • Code Signing Script: Actors will attempt to self-sign binaries to bypass controls restricting execution to signed binaries. This scenario uses a batch script to execute an AttackIQ self-signed binary that should be prevented if the appropriate Windows Defender Application Control (WDAC) policies are configured. Similar techniques have been leveraged by: APT29, Wizard Spider
  2. Command Line Arguments: The arguments being passed to the binaries can help identify binaries masquerading as other binaries or common arguments used by actors during reconnaissance efforts. Looking for mismatched binaries and arguments will help identify when actors have renamed a system utility. Identifying common commands used to delay execution, like pinging localhost between other commands, can identify malicious batch processes that need to wait before their next steps.
    • Recommended Scenarios in the AttackIQ Security Optimization Platform: 
      • Masquerading Script: This scenario renames a malicious binary to use the filename of a legitimate Windows executable like svchost.exe or services.exe. The newly renamed malicious binary will still reside in the non-standard directory, and detection can be based on those legitimate file names being executed in suspicious directories. Similar technique used by: APT28, APT29
      • Remote System Discovery Script: The scenario executes multiple net view commands in sequence to identify remote hosts. The command line arguments being passed can be indicative of common profiling actions taken by threat actors. Additional review of the parent process executing those commands may find a backdoor as the parent process. Similar execution of those commands used by: Turla
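
The lineage and argument checks described in this section, as an added example rather than code from AttackIQ or the original post. The event fields, the web server and discovery command lists, the burst threshold, and the sample events (including updater.exe) are assumptions constructed for illustration.

```python
import re
from collections import Counter

WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe"}  # assumed list; extend per estate
DISCOVERY = re.compile(r"\b(?:net1?\s+view|whoami|ipconfig|systeminfo)\b", re.I)
PING_DELAY = re.compile(r"\bping\b[^&|]*\b(?:127\.0\.0\.1|localhost)\b", re.I)
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "services.exe"}  # names from the masquerading scenario

def split_path(path):
    directory, _, name = path.lower().rpartition("\\")
    return directory, name

def analyze(event):
    """Return finding tags for one process-creation event."""
    findings = []
    directory, name = split_path(event["image"])
    parent = split_path(event["parent_image"])[1]
    if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        findings.append("masquerading")  # system file name, non-standard directory
    if name == "cmd.exe":
        if parent in WEB_SERVERS and DISCOVERY.search(event["command_line"]):
            findings.append("web-server-discovery")  # possible web shell
        if PING_DELAY.search(event["command_line"]):
            findings.append("ping-delay")  # localhost ping used as a sleep
    return findings

def discovery_bursts(events, threshold=3):
    """Parent PIDs that launched at least `threshold` discovery commands."""
    counts = Counter(e["parent_pid"] for e in events if DISCOVERY.search(e["command_line"]))
    return sorted(pid for pid, n in counts.items() if n >= threshold)

def ev(pid, parent, image, cmd):
    return {"parent_pid": pid, "parent_image": parent, "image": image, "command_line": cmd}

CMD = r"C:\Windows\System32\cmd.exe"
UNKNOWN = r"C:\Users\Public\updater.exe"  # hypothetical unrecognized parent
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ev(700, r"C:\Windows\System32\inetsrv\w3wp.exe", CMD, "cmd.exe /c whoami"),
    ev(812, UNKNOWN, CMD, "cmd.exe /c net view"),
    ev(812, UNKNOWN, CMD, r"cmd.exe /c net view \\FILESRV01"),
    ev(812, UNKNOWN, CMD, "cmd.exe /c net view /domain"),
    ev(812, UNKNOWN, CMD, "cmd.exe /c ping -n 10 127.0.0.1 > nul & next.bat"),
    ev(4, r"C:\Windows\explorer.exe", r"C:\Users\Public\svchost.exe", "svchost.exe"),
    ev(4, r"C:\Windows\explorer.exe", CMD, "cmd.exe /c dir"),
]
```

Grouping by parent PID is what surfaces the parent worth reviewing: a single net view is routine, while several from one unrecognized parent is the pattern the discovery scenario produces.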

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Used By: APT28, APT29, Carbanak, Cobalt Group, Dragonfly 2.0, Gamaredon Group, Turla, Wizard Spider 

Once initial access has been achieved, one of the most common methods actors use to ensure persistence following a reboot is to utilize Registry Run Keys or the Startup folder. There are many keys in the Windows Registry that allow for items to be executed at startup or user logon. Identifying when these registry keys are modified or when files are placed in the Startup directory is key to finding actors who wish to remain in your network. There are plenty of legitimate uses for these keys, so scrutiny needs to be applied to where the binary is located and the file names being used.

Files being executed at startup that live in a Temp directory or have a random temporary name would be suspicious. Looking for outliers in asset inventories can help find unique entries limited to a small number of hosts in your enterprise compared to the standard entries. 

  • Recommended Scenarios in the AttackIQ Security Optimization Platform: 
    • Persistence Through Registry Run and RunOnce Keys: The scenario uses both the Run and RunOnce registry keys to have a malicious VBS script executed. The paths used attempt to masquerade as legitimate content but are executed out of the %TEMP% directory. Registry keys utilized by: APT28, APT29, Dragonfly 2.0, Gamaredon Group, Sandworm Team, Turla, Wizard Spider
    • Persistence Through Startup Folder: A configurable scenario that accepts a user-supplied directory indicating which persistence folder will be utilized. A binary file is copied to that startup directory. Technique utilized by: APT28, APT29, Carbanak, Turla
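
The Run key review described above (entries launching from a Temp directory, and outliers present on only a few hosts), as an added example that is not part of the original post or AttackIQ's product. The inventory layout, host names, value names and the max_hosts threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

TEMP_PATH = re.compile(r"%temp%|%tmp%|\\appdata\\local\\temp\\|\\windows\\temp\\", re.I)

def normalize(command):
    """Lower-case and mask the per-user profile so entries compare across hosts."""
    return re.sub(r"c:\\users\\[^\\]+", r"c:\\users\\<user>", command.lower())

def audit(inventory, max_hosts=1):
    """inventory: {host: [(key, value_name, command), ...]}.
    Returns sorted (host, value_name, reasons) for entries that merit review."""
    hosts_by_entry = defaultdict(set)
    for host, entries in inventory.items():
        for _key, name, command in entries:
            hosts_by_entry[(name.lower(), normalize(command))].add(host)
    results = []
    for host, entries in inventory.items():
        for _key, name, command in entries:
            reasons = []
            if TEMP_PATH.search(command):
                reasons.append("runs-from-temp")
            if len(hosts_by_entry[(name.lower(), normalize(command))]) <= max_hosts:
                reasons.append("rare-in-fleet")
            if reasons:
                results.append((host, name, reasons))
    return sorted(results)

RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUNONCE_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
STANDARD = (RUN_HKLM, "CorpAgent", r"C:\Program Files\CorpAgent\agent.exe")
# Constructed inventory (not real data): one standard entry everywhere, one per-user
# tool on two hosts, and one script launched from %TEMP% on a single host.
SAMPLE_INVENTORY = {
    "WS-001": [STANDARD],
    "WS-002": [STANDARD, (RUNONCE_HKCU, "UpdateCheck", r"wscript.exe %TEMP%\UpdateCheck.vbs")],
    "WS-003": [STANDARD, (RUN_HKCU, "Notes", r"C:\Users\alice\AppData\Local\Notes\notes.exe")],
    "WS-004": [STANDARD, (RUN_HKCU, "Notes", r"C:\Users\bob\AppData\Local\Notes\notes.exe")],
}

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(row)
```

Masking the profile directory keeps a per-user install of the same tool from being counted as a separate rare entry on every host.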

In summary, while all three of these techniques seem basic and obvious, the important take-away is how many actors rely on them to be successful. Defenders need to ensure their foundation is solid and that means testing against these basic building blocks to validate that their detection pipelines work. Building up coverage for these common techniques will not only detect more varied threat actors but help augment detection of other techniques as PowerShell and Windows Command Shell facilitate the execution of the tools that lead to those future stages. 

The MITRE ATT&CK Knowledge Base has general mitigations for each of the three techniques on their individual pages. It is important to digest those details and understand how they can apply to your defenses. We can only tackle the advanced and unique techniques when we first feel comfortable that we have the ground floor covered. That’s part of the benefit of conducting continuous testing using scenarios aligned to the MITRE ATT&CK framework.