TOPIC: A little known guide of hacking tactics - ATT&CK - PART 1 (TORA TORA TORA)
OUR GUEST WILL BE:
Katie Nickels, ATT&CK Threat Intelligence Lead, MITRE
@likethecoins and @MITREattack
SPONSORS OF OUR PODCAST
NEWS-WORTHY:
Credit Freezes after Sept 21st, 2018 are FREEEEEE
Brian Krebs article
Track your luggage or Tracking YOU ?
"Do you use a Tumi bag? Registered it with Tumi's Tracer service? Your bag might not be the only thing being tracked. A reliable source we know told us that one way or another, Tumi may have lost track of the details of users who registered their bags with the service, and that whoever got a hold of it could use it for sophisticated phishing campaigns."
British Airways website hacked, 380K users affected
Tesla Model S and X cars can be REMOTELY opened
TOR Browser 0-Day
Bad Actors Sizing Up Systems Via Lightweight Recon Malware
https://threatpost.com/bad-actors-sizing-up-systems-via-lightweight-recon-malware/137364/
List of Admin and Application Whitelisting commands whose execution counts you should monitor:
SITE-WORTHY
1. BDIR - Olaf Hartong Sysmon Modular
2. BDIR - Roberto Rodriguez @Cyb3rWard0 - Threat Hunter Playbook
Guest - Katie Nickels
MITRE ATT&CK website
TOOL-WORTHY
BDIR - Sysmon View and Sysmon Shell
Guest - Katie Nickels
MITRE ATT&CK Navigator
MALWARE OF THE MONTH
EMOTET - 2 Samples
Sample 1 - Word Doc
PowerShell BASE64 blob to hide download
Use of DOS Cmd line obfuscation
Extracted to AppData\Local\Microsoft\Windows\slskey.exe (root of the folder)
Another copy with a long random name (random.exe), same hash
Also \Users\Public\203.exe in the root of the folder (never good)
Lots of .tmp files in the user's temp folder, created by slskey.exe
Typical Run Key persistence
Changed Firewall Policy for Remote Assistance (Different Log !!!)
WerFault, so something crashed, watch those logs too
Sample 2 - EXE
Deleted loader/installer upon execution
Typical Run key persistence
AppData\Local\Microsoft\Windows\random_chars.exe
2nd copy, different hash, in the ProgramData root (Duh)
3rd copy, different hash, in a ProgramData\GUID folder
Created a scheduled task whose name is a GUID
The folder GUID and the task name GUID did not match
Lesson Learned
Because our LOG-MD evals run so quickly, the malware can simply wait and do more after we are done looking
In one sample it created a task 5 mins or more after we ran LMD. The Run Key was caught, but another version stored in ProgramData created a Scheduled Task
Remember what we said on the last podcast… ENABLE Scheduled Task logging !!!
Launch Chrome BEFORE the malware eval.. Damn Google Update scheduled tasks
You might audit the C:\Windows\System32\Tasks folder for file additions
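As an added example (not from the podcast or LOG-MD), here is a small Python checker that turns the drop locations and scheduled-task quirks listed above into detection rules and runs them over constructed file and task events; the user name, GUIDs and file names other than slskey.exe and 203.exe are made up.

```python
import re
# A GUID with or without braces; Emotet named both a ProgramData folder and a scheduled task this way.
GUID = r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
GUID_RE = re.compile(rf"^{GUID}$", re.I)

# Executables dropped directly in the root of these folders, as seen in both samples.
ROOT_DROPS = {
    "users-public-root": re.compile(r"^c:\\users\\public\\[^\\]+\.exe$", re.I),
    "programdata-root": re.compile(r"^c:\\programdata\\[^\\]+\.exe$", re.I),
    "appdata-windows-root": re.compile(
        r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\windows\\[^\\]+\.exe$", re.I),
    "programdata-guid-folder": re.compile(rf"^c:\\programdata\\({GUID})\\[^\\]+\.exe$", re.I),
}

def check_file(path):
    # Names of the drop patterns this file path matches (empty list = nothing suspicious).
    return [name for name, rx in ROOT_DROPS.items() if rx.match(path)]

def check_task(name, action):
    # Flag a GUID-named task, and a task GUID that differs from the GUID folder it runs from.
    hits = []
    if GUID_RE.match(name):
        hits.append("guid-task-name")
        m = ROOT_DROPS["programdata-guid-folder"].match(action)
        if m and m.group(1).strip("{}").lower() != name.strip("{}").lower():
            hits.append("task-folder-guid-mismatch")
    return hits

def scan(events):
    # events: dicts with "type" of "file" (path) or "task" (name, action); returns (subject, hits).
    findings = []
    for ev in events:
        if ev["type"] == "file":
            subject, hits = ev["path"], check_file(ev["path"])
        else:
            subject, hits = ev["name"], check_task(ev["name"], ev["action"])
        if hits:
            findings.append((subject, hits))
    return findings

# Constructed sample events mirroring the behaviours listed above; the names and GUIDs are made up.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Microsoft\Windows\slskey.exe"},
    {"type": "file", "path": r"C:\Users\Public\203.exe"},
    {"type": "file", "path": r"C:\ProgramData\xkqtrz.exe"},
    {"type": "file", "path": r"C:\ProgramData\{11111111-2222-3333-4444-555555555555}\svc.exe"},
    {"type": "task", "name": "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}",
     "action": r"C:\ProgramData\{11111111-2222-3333-4444-555555555555}\svc.exe"},
    {"type": "file", "path": r"C:\Program Files\Google\Update\GoogleUpdate.exe"},  # benign
]
```

Feed it Sysmon file-create (Event ID 11) paths and the task names/actions from Scheduled Task logging or the Tasks folder; `scan(SAMPLE_EVENTS)` flags five of the six constructed events and leaves the Google Update binary alone.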
TOPIC OF THE DAY
A little known guide of hacking tactics - ATT&CK - PART 1 (TORA TORA TORA)
INTERVIEW WITH: Katie Nickels of MITRE ATT&CK
So what is ATT&CK all about?
What is ATT&CK?
What is the goal of the project?
Why should people care about this project?
What are the components of ATT&CK
What are you working on that is coming up?
ARTICLES:
MITRE ATT&CK 101
The Design and philosophy of ATT&CK
Cyber Analytics Repository:
CAR Exploration Tool (CARET):
Katie’s blogs on applying ATT&CK to threat intelligence: Part 1 and Part 2
Katie and her colleague John Wunder’s BSidesLV slides (YouTube video coming soon!)
Upcoming events for Katie and the team:
Katie is briefing at the FireEye Cyber Defense Summit on October 3-4
Catch a few team members attending Derbycon
ATT&CKcon is on October 23-24 (it will be live streamed if you can’t make it in person)
Follow us on Twitter @MITREattack for updates
Contribute !!!
Please contribute to ATT&CK! Email us at attack@mitre.org.
-----------------------------------------------------------------------------------------------
PART 2 - A little known guide of hacking tactics - ATT&CK - PART 2
We will discuss some new Cheat Sheets and what to do with them and why we created them, and some other info you can use