TTP-Based Hunting
Module: Develop Hypotheses and Abstract Analytics
©2020 The MITRE Corporation. All rights reserved.
Approved for Public Release, Case 20-2268.
Module Contents
• Introduction
  ▪ Methodology Overview
  ▪ Purpose and Objectives – Full Curriculum
  ▪ Objectives – Module: Develop Hypotheses and Abstract Analytics
  ▪ Prerequisites
  ▪ Connecting this Step to the Methodology
• Hypotheses
  ▪ What is a hypothesis?
  ▪ Why is it useful to orient around hypotheses?
  ▪ Examples
• Considerations for Improving Hypotheses
• Creating Abstract Analytics
• Exercises and Example
  ▪ Researching a Technique
  ▪ Creating and refining the hypothesis and abstract analytics
TTP Hunting Methodology Overview
[Figure: diagram of the TTP-based hunting methodology steps; current focus: Develop Hypotheses and Abstract Analytics]
Purpose & Objectives – Overall Curriculum
• This curriculum is intended to provide foundational education and
training on TTP-based hunting.
• Includes 7 modules – this module covers how to develop hypotheses
and abstract analytics and should be viewed after the Methodology
Overview.
• Having completed this curriculum, participants should be capable of
executing the TTP-based hunting methodology. Specifically, they will
be able to:
▪ Define adversarial behavior of interest, and
▪ Articulate hypotheses and analytics that drive information needs, data
collection requirements, filtering, and refinement of hypotheses and
analytics.
Objectives – Module: Develop Hypotheses and Abstract Analytics
• Module Training Objectives:
▪ Having completed this module, you should be able to develop and refine hypotheses
and abstract analytics to explore hunting for evidence that indicates a malicious actor
might be present.
• Module Learning Objectives:
▪ Understand the purpose of and how to formulate hypotheses
▪ Understand the purpose of and how to develop abstract analytics
▪ Understand how behavioral invariants relate to terrain, analytic development, and
hunt effectiveness
▪ Understand the investigative process to understand a Technique with sufficient
fidelity to formulate its behavioral invariants
▪ Understand how and where to receive feedback on hunt performance and where to
focus revision efforts.
▪ Be able to develop and refine hypotheses to explore hunting for evidence that
indicates a malicious actor might be present.
Prerequisites
To successfully complete this curriculum, participants:
• Should be familiar with Windows, Splunk or ELK, networking
fundamentals, and ATT&CK® before beginning this course.
• Caveat: Participants will require an environment with
adequate sensing, data collection and storage, and an analytic
platform.
Connecting This Step to the Methodology
• We studied the behaviors adversaries exhibit
• We documented those behaviors as Tactics, Techniques and Procedures (TTPs)
▪ Based on finished reporting and / or raw analysis
▪ ATT&CK is MITRE’s repository of openly reported adversary behavior TTPs
• This step of the methodology uses that TTP insight to develop hypotheses to
test during our hunt to make claims about malicious activity in an
environment
• The hypotheses developed in this step will guide our data collection
requirements, analytic development, and hunting operations
• During Step 6 (Implement and Test Analytics) we’ll use collected data and
concrete analytics to test these hypotheses
Hypotheses
• Hypothesis Creation (with Examples)
• Behavioral Invariants
• Analytics – Research Existing Repositories
Hypotheses
• Oxford Dictionary definition: “A supposition or proposed explanation made
on the basis of limited evidence as a starting point for further investigation.”
• Hypotheses describe a suspected reason for why something is happening.
• Hypotheses must be specific, evidence-driven, and falsifiable
• Why orient around hypotheses?
  ▪ Encourages clear thinking about what to hunt for and why
  ▪ Provides focus for research, analysis and data collection
  ▪ Helps bridge from information about behavior to concrete analytics
  ▪ Establishes a scientific foundation for making claims during the hunt
• Start by choosing a behavior and develop a hypothesis around what evidence
would indicate that a malicious actor is exhibiting that behavior.
Example Hypothesis
• Behaviors observed: Burglars sometimes enter homes (Tactic) by kicking open locked
doors (Technique) to steal property (Impact/Effect)
• Hypothesis:
  ▪ Bad: If the door opens, a burglar is breaking in
    o Too vague: if the homeowner enters, they will also open the door
  ▪ Good: If the door opens while still locked, a burglar is breaking in
    o Specific: incorporates the key elements of the malicious behavior
      ❑ Will require continuous sensing of whether the door opens and whether it is locked
    o Falsifiable by evidence of "benign" opening without unlocking
      ❑ Sometimes it is false: e.g., Fire Department => False Alarm
      ❑ We would need to investigate that possibility and try to address it
  ▪ Refined Hypothesis: If the door opens while locked, but no 911 call has been made and no
fire alarm is active, then a burglar is breaking in
    o Still falsifiable, e.g., by evidence of a burglar breaking in while a 911 call happens to be in progress
    o However, less likely to be false
Example Hypothesis: Cyber
• Behavior Observed: Adversaries maintain persistence (Tactic) on a
compromised host by scheduling tasks (Technique) (e.g., malicious software
to run on startup or at a scheduled time)
• Hypothesis: If a task is scheduled, an adversary is establishing persistence
  ▪ Specific: Incorporates the key elements of the behavior
    o Will need to continuously monitor for task scheduling activity
  ▪ Falsifiable by evidence of benign task scheduling
    o Example: system administrators also schedule tasks
• Refined Hypothesis: If a task is scheduled by a non-admin user, an adversary
is persisting
  ▪ Still falsifiable, but less likely to be false
  ▪ Still evadable: an adversary holding compromised admin credentials is not a "non-admin user"; later slides refine this further
Hypothesis Creation
• Iterative process
▪ Evaluating hypothesis falsifiability exposes potential false alarm scenarios
▪ Those scenarios help refine the hypothesis to focus on the malicious use of
the Technique and how it is different from benign use
• In English, not a query syntax
▪ This facilitates reasoning and understanding at a high level of abstraction
▪ Avoids constraints of any specific syntax and enables sharing
▪ Can endure across implementation changes
• Could focus on a single Technique, or a group of related Techniques
Questions to Consider for Hypothesis Creation
• Why would an adversary exhibit this behavior?
  ▪ Insights about what they would do next
    o If they are dumping OS credentials to move laterally, look for a connection to another host
using one of those credentials
    o If they send a Spearphishing email with an attachment to gain execution, investigate the
process started by that attachment
  ▪ Help distinguish malicious from benign
    o Adversaries schedule tasks to gain execution on a remote system and move laterally
    o System administrators schedule tasks on a remote system to ensure all machines on a network
have the latest patches.
    o What might look different about those behaviors based on their different goals?
      ❑ Perhaps sys admin activity will look like a hub-and-spoke topology of connections emanating
from a sys admin box
      ❑ Whereas the adversary might create something more like a line starting from an initial access
machine until they reach their target
More Questions to Consider for Hypothesis Creation
• Which events / artifacts are common across Technique implementations?
  ▪ How can the Technique be invoked by an adversary?
    o The "Scheduled Task / Job" Technique has 5 Sub-Techniques including 2 for Windows.
    o For Windows Task Scheduling alone, there are at least 4 different interfaces (at.exe,
schtasks.exe, taskschd API, Task Scheduler GUI)
      ❑ What is common across them?
  ▪ What will the system do when this Technique is invoked?
    o Don't just think about the invocation, also consider the 2nd order consequences:
      ❑ e.g., registry modifications, DLL loads, file writes, network connections.
  ▪ Which of these activities are unavoidable, and which are optional?
    o Some are fundamental to the behavior (behavioral invariants), others can be bypassed while
still achieving the adversary's goal
    o Focus on the behavioral invariants
Questions to Consider for Hypothesis Creation
• How would the adversary's activity look different from benign usage?
  ▪ By a typical user?
    o This is often the easiest to distinguish, but should be considered
    o The system itself might exhibit potentially confusing behaviors for all users
  ▪ By a system or network administrator?
    o Have broad access and authority across the environment
    o Often make modifications to systems that can look like malicious behavior
    o Might be a tempting target for an adversary to masquerade as an admin
  ▪ By a software developer, "power user", researcher?
    o Potentially lots of unusual activity on host and in network traffic
    o Atypical software, elevated privileges, debugging activity
• Can we influence benign usage to help us distinguish it from malicious activity?
  ▪ For example, stop using encoded PowerShell for sys admin activity
Behavioral Invariants of a Technique
• Definition: Activities fundamental to a Technique that do not change by
altering the Procedural implementation of that Technique (e.g., what
tool executes it)
▪ Behavioral invariants emerge because of how the terrain is designed
▪ Software developers created the terrain and the available (un)intended
functionality – attackers must operate within that functionality
▪ If an adversary could evade the hypothesis while still executing the
Technique, it is likely the hypothesis is not focused on behavioral invariants
Finding the Behavioral Invariants
• An iterative process that includes research and hands-on investigation
• Research
▪ The behavior – why, how, and what
▪ Different implementations of the behavior (including evasively)
▪ Open-source literature and documentation from the system producer
• Hands-on activities
▪ Reverse engineer, debug, and / or black-box test the relevant software
▪ Analyze logs
▪ Develop your own implementation of the behavior
▪ Experiment (Purple Team) with a threat emulator
Questions To Ask Regarding The Technique
• Why do adversaries employ it?
• How do authorized users use it?
• How does the technique work?
• In what ways has it been implemented?
• Are there existing analytics to detect it?
• Are there existing mitigations to prevent it?
• Which Techniques tend to be used with this Technique?
  ▪ When used for malicious purposes?
  ▪ When used for benign purposes?
• What alternative Techniques could an adversary employ for this purpose?
• What are the behavioral invariants associated with this Technique?
Choose a Low Cost / Big Benefit Technique
Low Cost:
• Leverages data already collected
• Low false positives
• Low anticipated complexity
• Analytics already exist
• Well-documented
Big Benefit:
• Not already covered
• Frequently used by adversaries of interest
• High impact
Over time, we will accumulate a robust repository of successful analytics across Techniques.
You will always need to stay updated as new functionality and Techniques are created.
Analytics – Research Existing Repositories
Sigma
• https://github.com/Neo23x0/sigma/
• Generic, open signature format for log events, mapped to ATT&CK
• Implementations: the Sigma tooling includes translators for ELK, Splunk, etc.
CAR (Cyber Analytics Repository)
• https://car.mitre.org/
• Pseudocode, Splunk, EQL and Sigma syntax mapped to ATT&CK
BZAR
• https://github.com/mitre-attack/bzar
• Bro/Zeek rules mapped to ATT&CK
EQL
• https://eqllib.readthedocs.io/en/latest/analytics.html
• ATT&CK-mapped EQL (includes a converter for other schemas such as Sysmon)
Threat Hunter Playbook
• https://threathunterplaybook.com/introduction.html
• SQL-like format and Jupyter Notebooks mapped to ATT&CK
Finding Scheduled Task Behavioral Invariants: Why would an adversary Schedule a Task?
• Research: https://attack.mitre.org/techniques/T1053/ ("Scheduled Task/Job")
  ▪ Adversaries may abuse task scheduling functionality to facilitate initial or
recurring execution of malicious code
  ▪ A task can also be scheduled on a remote system, if the proper
authentication is met
    o Example: RPC and file and printer sharing in Windows environments
  ▪ Adversaries may use task scheduling to execute programs at system
startup or on a scheduled basis for persistence
  ▪ These mechanisms can also be abused to run a process under the context
of a specified account (such as one with elevated permissions/privileges)
  ▪ Tactics: Execution, Persistence, Privilege Escalation
How can the Technique be invoked by an adversary?
• ATT&CK Sub-Techniques provide a good starting point for learning more about how
adversaries implement a Technique
• For Windows:
  ▪ Scheduled Task – via graphical, programmatic or command-line interfaces
  ▪ at.exe
Researching Scheduled Task Behavioral Invariants
• Research reveals
  ▪ 4 Invocation methods: at.exe, schtasks.exe, API and GUI options
  ▪ Windows Security Event Log ID 4698 ("A scheduled task was created") is logged when a Task is Scheduled
    o Caveat: 4698 is only generated when the "Audit Other Object Access Events" subcategory is enabled; it is not on by default
• Hands-on investigation
  ▪ Run Windows Sysinternals Process Monitor (procmon)
  ▪ Debug schtasks.exe (e.g., with WinDbg)
    o Discover order of DLL loads, File Creation, Registry Modification, Log Events
  ▪ Execute in different ways, compare Event Logs
    o What changes based on execution? What stays constant?
    o What distinguishes benign from malicious use?
Using Procmon to Investigate Behavioral Invariants
• Start procmon and filter to the Task Scheduler service (it runs inside an svchost.exe instance)
  ▪ E.g., "Command Line" Contains "Schedule"
• Schedule a task through schtasks.exe
• Schedule a task through the Task Scheduler GUI
• Note that both schtasks.exe and the GUI invoke the Task Scheduler service
• The Task Scheduler service executes the same sequence of events as summarized
on the following slide
Filtered Procmon From Task Scheduler Service (abridged from thousands of original procmon records)

Create and Set Registry Keys:
RegCreateKey  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\a\t1
              Desired Access: All Access, Disposition: REG_CREATED_NEW_KEY
RegSetValue   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\a\t1\SD
              Type: REG_BINARY, Length: 180, Data: 01 00 04 80 88 00 00 00 98 00 00 00 00 00 00 00
RegSetValue   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\a\t1\Id
              Type: REG_SZ, Length: 80, Data: {2BA374AF-BD3B-458F-B7DE-71BC4FAB9347}
RegSetValue   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\a\t1\Index
              Type: REG_DWORD, Length: 4, Data: 3
RegCreateKey  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2BA374AF-BD3B-458F-B7DE-71BC4FAB9347}
              Desired Access: All Access, Disposition: REG_CREATED_NEW_KEY
RegSetValue   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2BA374AF-BD3B-458F-B7DE-71BC4FAB9347}\Path
              Type: REG_SZ, Length: 12, Data: \a\t1
RegSetValue   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2BA374AF-BD3B-458F-B7DE-71BC4FAB9347}\Hash
              Type: REG_BINARY, Length: 32, Data: 7C 29 05 DD FE 00 F1 94 53 47 13 1D 33 1A 0F 2B
RegCreateKey  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2BA374AF-BD3B-458F-B7DE-71BC4FAB9347}
              Desired Access: All Access, Disposition: REG_CREATED_NEW_KEY
RegSetValue   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2BA374AF-BD3B-458F-B7DE-71BC4FAB9347}\Author
              Type: REG_SZ, Length: 34, Data: Domain\User
RegSetValue   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2BA374AF-BD3B-458F-B7DE-71BC4FAB9347}\URI
              Type: REG_SZ, Length: 12, Data: \a\t1
RegSetValue   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2BA374AF-BD3B-458F-B7DE-71BC4FAB9347}\Triggers
              Type: REG_BINARY, Length: 256, Data: 17 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF
RegSetValue   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2BA374AF-BD3B-458F-B7DE-71BC4FAB9347}\Actions
              Type: REG_BINARY, Length: 54, Data: 03 00 0C 00 00 00 41 00 75 00 74 00 68 00 6F 00

Create Job File:
CreateFile    C:\Windows\System32\Tasks\a\t1
              Desired Access: Generic Write, Read Attributes, Maximum Allowed
WriteFile     C:\Windows\System32\Tasks\a\t1
              Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal

Note how the two artifacts are tied together: the Tree key's Id value holds the GUID that names the Tasks and Plain keys, the Tasks key's Path and URI values hold the job file's relative path (\a\t1), and the 32-byte Hash value is a hash of the job file contents.
Debugging To Find Behavioral Invariants
Stack when 4663 and 4698 fire (outermost frame first; 4663 is only present because file-system auditing with a SACL on the Tasks directory was enabled for the investigation):
1. ntdll!RtlUserThreadStart + 0x21
2. KERNEL32!BaseThreadInitThunk + 0x14
3. schtasks!_wmainCRTStartup + 0x14d
4. schtasks!wmain + 0x12f
5. schtasks!CreateScheduledTask + 0xbd
6. schtasks!CreateTaskVista + 0x73c
7. taskschd + 0x123a2
8. taskschd + 0x15224
9. taskschd + 0x12832
10. RPCRT4!NdrClientCall3 + 0xf1
11. RPCRT4!NdrClientCall3 + 0x1196
12. RPCRT4!RPCBindingSetOption
13. ntdll!NtAlpcSendWaitReceivePort + 0x12
14. Syscall
Example insights from debugging schtasks:
• taskschd.dll calls XmlLite.dll to create the XML Job File.
• taskschd.dll then calls RPCRT4!NdrClientCall3. RPCRT4 is the DLL for Remote Procedure
Calls (RPC), and it is loaded and called even for this local-only use of schtasks.
• RPCRT4!NdrClientCall3 calls ntdll!NtAlpcSendWaitReceivePort, which makes a syscall. That
call hands the request over ALPC to the Task Scheduler service, which performs both the
Registry Key creation and the Job File creation.
• Within that call, both actions occur and the 4663 and 4698 events are both triggered and logged.
Debugging requires skills not taught in this class, and exposes very low-level
insight into the behavior, requiring knowledge to interpret.
Candidate Behavioral Invariants
• File creations within the task directory
  ▪ Can be loud and lacks detail on the contents of the file
  ▪ Possible to create tasks in other directories
• Registry changes made for the new tasks
  ▪ Registry events lack detail on the nature of the scheduled task; not sufficient for detection on their own
• Network connection over RPC (port 135)
  ▪ Commonly used by other applications => False Positives
  ▪ Default Ephemeral Port 49154 (could be used by other applications, scheduled tasks
could use a different port)
• DLL loads serve as a sub-process source of information.
  ▪ Both mswsock.dll and taskschd.dll are loaded by a process scheduling remote tasks
    o Monitoring DLL loads is very loud. Monitoring both individually will likely be too much data.
Behavioral Invariant Activity Sequence
(step number by scheduling mode; "src" = scheduling host, "dest" = target host; "–" = does not occur)
Remote    Local  Activity
1         1      Process Created
2         2      DLLs loaded
3 (src)   –      mswsock.dll loaded
4 (src)   –      Network Connection to epmap port, ephemeral port provided for RPC
5 (dest)  3      Registry modified with values corresponding with Job File
6 (dest)  4      Job File Written
Result: Task Created
Behavioral Invariants: Example Summary
• Technique: Scheduled Task / Job
  ▪ Within Windows, there are 4 different invocation methods
  ▪ Each invocation is associated with a different initial process creation
  ▪ Different DLLs are loaded depending on invocation method
  ▪ Remote scheduling creates network traffic, local does not
  ✓ All invocations result in a Job File and associated Registry keys and values
    o Note: This occurs on the target machine during remote scheduling
  ▪ A behavioral invariant is the creation of a Job File and associated Registry
keys and values, regardless of how those activities are invoked
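The invariant above, turned into an analytic, as an added example that is not part of the MITRE module. It correlates constructed Sysmon-style events (EventID 1 process create, 11 file create, 12 registry key create; the host names, task names, images and command lines are assumptions) and reports a task as created only when both halves of the invariant, the job file under System32\Tasks and the TaskCache\Tree key, appear for the same task on the same host. Because the Task Scheduler service (svchost.exe) writes both artifacts, the analytic catches the schtasks.exe, GUI and API procedures alike, whereas the procedure-keyed comparison analytic only sees the schtasks.exe case.

```python
"""Invariant-based Scheduled Task analytic over constructed Sysmon-style events.

Added example, not MITRE's code. Event dicts follow Sysmon field names; the
hosts, task names, images and command lines below are constructed assumptions.
"""
from collections import defaultdict

# The two halves of the behavioral invariant from the procmon trace, compared
# case-insensitively against the event paths.
TASK_DIR = "c:\\windows\\system32\\tasks\\"
TREE_KEY = ("hklm\\software\\microsoft\\windows nt\\currentversion\\schedule"
            "\\taskcache\\tree\\")


def task_name(event):
    """Return the task path (e.g. '\\a\\t1') if the event is one half of the
    invariant, else None."""
    if event["EventID"] == 11:
        target = event["TargetFilename"]
        if target.lower().startswith(TASK_DIR):
            return "\\" + target[len(TASK_DIR):]
    elif event["EventID"] == 12 and event["EventType"] == "CreateKey":
        target = event["TargetObject"]
        if target.lower().startswith(TREE_KEY):
            return "\\" + target[len(TREE_KEY):]
    return None


def invariant_detections(events):
    """(host, task) pairs for which both the job file and the Tree key were
    created, regardless of which process asked the service to do it."""
    evidence = defaultdict(set)          # (host, task) -> {"file", "registry"}
    for e in events:
        name = task_name(e)
        if name is not None:
            kind = "file" if e["EventID"] == 11 else "registry"
            evidence[(e["Computer"], name)].add(kind)
    return sorted(k for k, kinds in evidence.items() if kinds == {"file", "registry"})


def procedure_detections(events):
    """Naive analytic keyed on one procedure (schtasks.exe starting), for comparison."""
    return sorted({(e["Computer"], e["CommandLine"]) for e in events
                   if e["EventID"] == 1 and e["Image"].lower().endswith("\\schtasks.exe")})


SVCHOST = "C:\\Windows\\System32\\svchost.exe"       # hosts the Task Scheduler service
TREE_KEY_PATH = ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule"
                 "\\TaskCache\\Tree")


def _creation(host, task, image, cmd):
    """Constructed footprint of one scheduling: the invoking process, then the
    service's registry key creation and job file write."""
    return [
        {"EventID": 1, "Computer": host, "Image": image, "CommandLine": cmd},
        {"EventID": 12, "Computer": host, "Image": SVCHOST, "EventType": "CreateKey",
         "TargetObject": TREE_KEY_PATH + task},
        {"EventID": 11, "Computer": host, "Image": SVCHOST,
         "TargetFilename": "C:\\Windows\\System32\\Tasks" + task},
    ]


EVENTS = (  # constructed sample events
    _creation("WS01", "\\a\\t1", "C:\\Windows\\System32\\schtasks.exe",
              'schtasks /create /tn "a\\t1" /tr C:\\Users\\Public\\u.exe /sc onstart')
    + _creation("WS01", "\\b\\t2", "C:\\Windows\\System32\\mmc.exe",
                "mmc.exe taskschd.msc")                    # Task Scheduler GUI
    + _creation("WS01", "\\c\\t3", "C:\\Users\\jdoe\\dropper.exe",
                "dropper.exe")                             # ITaskService API caller
    # Noise: a job file with no matching registry key, and an unrelated file write.
    + [{"EventID": 11, "Computer": "WS01", "Image": SVCHOST,
        "TargetFilename": "C:\\Windows\\System32\\Tasks\\d\\t4"},
       {"EventID": 11, "Computer": "WS01", "Image": "C:\\Windows\\explorer.exe",
        "TargetFilename": "C:\\Users\\jdoe\\notes.txt"}]
)

if __name__ == "__main__":
    print("invariant analytic:", invariant_detections(EVENTS))
    print("procedure analytic:", procedure_detections(EVENTS))
```

The noise events show the falsification check in action: a lone job file write (or a lone key) is not reported, which keeps the analytic quieter than alerting on either artifact by itself, as the Candidate Behavioral Invariants slide warns.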
Distinguishing Malicious from Benign
What do benign scheduled tasks look like?
• schtasks /query /v /fo csv > tasks.csv creates a CSV of all scheduled tasks
• Might have hundreds of benign tasks scheduled by Microsoft, AV or sys admins
• Typical benign Scheduled Tasks run as a wide variety of users such as:
  ▪ \Everyone
  ▪ BUILTIN\Administrators, Users
  ▪ NT AUTHORITY\Authenticated Users, INTERACTIVE, LOCAL SERVICE, NETWORK
SERVICE, SYSTEM
What will look different when an adversary schedules a task?
• Many benign tasks were scheduled when the system was built, adversarial use
occurs afterwards => Need to monitor for the act of scheduling
• Most benign tasks were scheduled locally, but adversaries might schedule
remotely for Lateral Movement => Look for remote task scheduling
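A baselining script for the "scheduled after the system was built" idea, as an added example that is not part of the MITRE module. The two CSV snippets are constructed stand-ins for schtasks /query /v /fo csv exports taken at build time and again during the hunt; only a few of the real export's columns are kept, and the task rows, hosts and authors are assumptions. It goes slightly beyond the slide by also flagging baseline tasks whose action changed, since an adversary can hijack an existing task instead of creating one.

```python
"""Baseline scheduled tasks from schtasks CSV exports and flag what appeared later.

Added example, not MITRE's code. The CSV text is constructed; real exports from
'schtasks /query /v /fo csv' carry many more columns than the five kept here.
"""
import csv
import io
from collections import Counter

BASELINE_CSV = r'''"HostName","TaskName","Author","Task To Run","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"WS01","\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan","Microsoft Corporation","%ProgramFiles%\Windows Defender\MpCmdRun.exe Scan -ScheduleJob","SYSTEM"
"WS01","\Corp\InventoryAgent","CORP\svc_inventory","C:\Program Files\Corp\inv.exe --report","NT AUTHORITY\NETWORK SERVICE"
'''

CURRENT_CSV = r'''"HostName","TaskName","Author","Task To Run","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"WS01","\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan","Microsoft Corporation","%ProgramFiles%\Windows Defender\MpCmdRun.exe Scan -ScheduleJob","SYSTEM"
"WS01","\Corp\InventoryAgent","CORP\svc_inventory","C:\Users\Public\inv.exe --report","NT AUTHORITY\NETWORK SERVICE"
"WS01","\a\t1","CORP\jdoe","C:\Users\Public\u.exe","SYSTEM"
'''


def load_tasks(csv_text):
    """Parse a schtasks CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def run_as_summary(rows):
    """Which principals the benign tasks run as (the variety the slide warns about)."""
    return dict(Counter(r["Run As User"] for r in rows))


def new_tasks(baseline_rows, current_rows):
    """Tasks present now that were not in the build-time baseline: the act of
    scheduling happened after the baseline was taken."""
    known = {(r["HostName"], r["TaskName"]) for r in baseline_rows}
    return [r for r in current_rows if (r["HostName"], r["TaskName"]) not in known]


def changed_tasks(baseline_rows, current_rows):
    """Baseline tasks whose action now differs (a task hijacked rather than created)."""
    actions = {(r["HostName"], r["TaskName"]): r["Task To Run"] for r in baseline_rows}
    return [r for r in current_rows
            if (r["HostName"], r["TaskName"]) in actions
            and actions[(r["HostName"], r["TaskName"])] != r["Task To Run"]]


if __name__ == "__main__":
    base, now = load_tasks(BASELINE_CSV), load_tasks(CURRENT_CSV)
    print("run-as principals in baseline:", run_as_summary(base))
    for r in new_tasks(base, now):
        print("NEW    ", r["TaskName"], "by", r["Author"], "runs as", r["Run As User"])
    for r in changed_tasks(base, now):
        print("CHANGED", r["TaskName"], "now runs", r["Task To Run"])
```

A static diff like this only tells you that a task appeared between two snapshots; it does not say who scheduled it or from where, which is why the slides move on to monitoring the act of scheduling itself.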
Considerations for Improving Hypotheses
Hypotheses and Analytics can be Decomposed
Level of Decomposition | Hypothesis | Analytic
Campaign | Adversaries are stealing my secrets | Exfiltration is detected
Tactic: Exfiltration | Adversaries are using a known ATT&CK Exfiltration Technique | T1020 OR T1030 … OR T1567 … detected
Technique: T1567 (Exfiltration Over Web Service) | Adversaries are using web services to exfil secret data | Unauthorized outbound traffic to code repository or cloud storage
Sub-Technique: T1567.001 (Exfiltration to Code Repository) | Adversaries are sending secret data to code repositories | Outbound traffic to unauthorized code repository
Drivers to Improve Hypotheses
• Discovery of false positives and/or alternative implementations from
▪ Thinking through falsification scenarios
▪ Research
▪ Experimentation
▪ Purple Teaming
▪ Operational implementation
Improving the Scheduled Task Hypothesis
• Behavior Description: Adversaries may use task scheduling to execute
programs at system startup or on a scheduled basis for persistence. These
mechanisms can also be abused to run a process under the context of a
specified account (such as one with elevated permissions/privileges)… A
task can also be scheduled on a remote system, with proper authentication
• Initial Hypothesis: If a Task is Scheduled, an adversary may be attempting
to gain Persistence, conduct remote Execution, or Escalate Privileges.
• Issues:
▪ Lacks Detail
▪ Broad
▪ Too vague to implement
• Work done here saves time later
©2020 The MITRE Corporation. All rights reserved.
Approved for Public Release, Case 20-2268.
Develop Hypotheses and Abstract Analytics
37
Refined Hypothesis: Local Scheduling
How Does a Task get Scheduled Locally in Windows?
• At least 3 interfaces
▪ From the command line with schtasks.exe or at.exe
▪ Programmatically using Windows APIs as exposed in taskschd
▪ Through the Task Scheduler Graphical User Interface (GUI)
• Windows Task Scheduler creates a Job file for each scheduled
task and updates the Registry to include that new task
• Updated Hypothesis (replacing "a Task is Scheduled" with the observable it produces): If a new Job File OR
Tasks Registry Key is created, an adversary may be attempting to gain
Persistence, conduct remote Execution or Escalate Privileges.
Refined Hypothesis: Remote Scheduling
How can a Task be Scheduled Remotely in Windows?
• With schtasks.exe /S <system> : A value that specifies the remote computer.
• With at.exe \\<computername> : Specifies a remote computer.
• Through mstask API: ITaskScheduler::SetTargetComputer
• Through GUI: Action -> Connect to Remote Computer…
• Updated Hypothesis (replacing "a Task is Scheduled" with the observable it produces): If schtasks.exe is executed with /S OR
at.exe is executed with \\<computername>, an adversary may be attempting to
gain Persistence, conduct remote Execution or Escalate Privileges.
Research Typical Benign Usage
• Administrators tend to launch schtasks locally, or from specified
admin machines
• Usage of /S but not from designated admin machine more likely to be
malicious
• Therefore, consider adding:
▪ /S AND hostname NOT IN (<admin hostnames>)
o If an adversary had compromised an admin account and was operating from
an admin host, how would this look different from benign usage?
Refined Hypothesis: Scheduling as Specified User
How can a Task be Scheduled As a Specified User in Windows?
• With schtasks.exe /ru <User> : Specifies User to run the task as.
• Through taskschd API using IPrincipal::put_UserId
• Through Task Scheduler GUI: “Change User…” dialog
• At.exe does not provide an option to specify a user
• Updated Hypothesis: If a task is scheduled to run as a different user
than the user scheduling the task an adversary may be attempting to
gain Persistence, Remote Execution or Escalate Privileges.
Creating Abstract Analytics
Examples
Future Steps
Creating an Abstract Analytic
• With a solid hypothesis, we can create an abstract analytic
• The hypothesis will be in the form of an English-language statement
that can be evaluated as true or false based on evidence
▪ If the door opens while still locked, a burglar is breaking in
• An abstract analytic is written in a mixture of English and pseudocode query syntax and represents the more detailed conditions under
which an analytic would be triggered
▪ Door:Opening AND Door_Bolt == Extended
▪ This doesn’t need to comply with a defined data model or query syntax yet
Local Scheduling Hypothesis and Abstract Analytic
• Hypothesis:
▪ If a new Job File OR Tasks Registry Key is created, an adversary may be
attempting to gain Persistence.
• Abstract Analytic
▪ English: An XML file is created in the “*Tasks” directory, or a
“*Schedule\TaskCache\Tasks” registry key is created
▪ Or, Pseudo-code: (File:create WHERE (directory == "*\Tasks")) OR
(Registry:add WHERE (key ==
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks"))
Remote Scheduling Hypothesis and Abstract Analytic
• Hypothesis:
▪ If schtasks.exe is executed with /S OR at.exe is executed with
\\<computername>, an adversary may be attempting to conduct remote
Execution.
• Abstract Analytic
▪ Process:Create WHERE ((exe == "schtasks.exe") AND (command_line ==
"*/S*")) OR ((exe == "at.exe") AND (command_line == "* \\*"))
Specified User Scheduling Hypothesis and Abstract Analytic
• Hypothesis:
▪ If a task is scheduled to run as a different user than the user scheduling
the task, an adversary may be attempting to Escalate Privileges.
• Abstract Analytic
▪ English: A task is scheduled, and the username of the scheduler is not
equal to the username the task will run as
▪ Pseudo-code: Task:Scheduled AND (Task_Author != Task_RunAs)
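The three abstract analytics from the preceding slides (local scheduling, remote scheduling, scheduling as a specified user), together with the admin-hostname exclusion from "Research Typical Benign Usage", turned into concrete checks run over constructed sample events. This is an added example, not part of the MITRE deck; the event field names, the ADMIN_HOSTS allowlist and the sample events are assumptions.

```python
import fnmatch
import re

# Hypothetical allowlist of designated admin hosts (the "hostname NOT IN" refinement).
ADMIN_HOSTS = {"ADMIN-JUMP01"}
TASKCACHE_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                 r"\CurrentVersion\Schedule\TaskCache\Tasks")

def local_scheduling(ev):
    """File:create WHERE directory == *\\Tasks, OR Registry:add under TaskCache\\Tasks."""
    return ((ev["event"] == "File:create" and fnmatch.fnmatchcase(ev["directory"], r"*\Tasks"))
            or (ev["event"] == "Registry:add" and ev["key"].startswith(TASKCACHE_KEY)))

def remote_scheduling(ev):
    """schtasks.exe with /S, or at.exe with \\\\<computername>, unless run from an admin host."""
    if ev["event"] != "Process:create":
        return False
    exe, cmd = ev["exe"].lower(), ev["command_line"]
    # "/S" must stand alone so the unrelated /SC (schedule type) switch does not match
    remote = ((exe == "schtasks.exe" and re.search(r"(?i)(^|\s)/s(\s|$)", cmd))
              or (exe == "at.exe" and re.search(r"\s\\\\\S", cmd)))
    return bool(remote) and ev["hostname"] not in ADMIN_HOSTS

def specified_user(ev):
    """Task:Scheduled AND Task_Author != Task_RunAs (Windows account names are case-insensitive)."""
    return ev["event"] == "Task:Scheduled" and ev["author"].lower() != ev["run_as"].lower()

ANALYTICS = {"local_scheduling": local_scheduling, "remote_scheduling": remote_scheduling,
             "specified_user": specified_user}

def run_analytics(events):
    """Return (analytic name, event id) for every event that triggers an analytic."""
    return [(name, ev["id"]) for ev in events for name, fn in ANALYTICS.items() if fn(ev)]

# Constructed sample events, not real telemetry; field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "event": "File:create", "directory": r"C:\Windows\System32\Tasks", "hostname": "WS01"},
    {"id": 2, "event": "Registry:add", "key": TASKCACHE_KEY + r"\{constructed-guid}", "hostname": "WS01"},
    {"id": 3, "event": "Process:create", "exe": "schtasks.exe", "hostname": "WS01",
     "command_line": "schtasks /Create /S FS01 /TN Updater /TR updater.exe"},
    {"id": 4, "event": "Process:create", "exe": "schtasks.exe", "hostname": "WS01",
     "command_line": "schtasks /Create /SC DAILY /TN Backup /TR backup.cmd"},  # benign: /SC, not /S
    {"id": 5, "event": "Process:create", "exe": "schtasks.exe", "hostname": "ADMIN-JUMP01",
     "command_line": "schtasks /Query /S FS01"},  # from a designated admin host: filtered out
    {"id": 6, "event": "Process:create", "exe": "at.exe", "hostname": "WS02",
     "command_line": r"at \\FS01 23:00 updater.exe"},
    {"id": 7, "event": "Task:Scheduled", "author": r"CORP\alice", "run_as": r"NT AUTHORITY\SYSTEM", "hostname": "WS01"},
    {"id": 8, "event": "Task:Scheduled", "author": r"CORP\alice", "run_as": r"corp\alice", "hostname": "WS01"},
]
```

Running `run_analytics(SAMPLE_EVENTS)` flags events 1, 2, 3, 6 and 7; events 4, 5 and 8 are the benign cases the refinements were meant to exclude.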
Previewing Future Steps
• In the next step (3) we’ll learn how to use the hypotheses developed in this
step to determine which data will be useful in testing those hypotheses
• As we refine our hypotheses and start finding useful data sources, we’ll be
better-positioned to write more concrete analytics (e.g., SIGMA syntax)
• Once we reach Step 6, we’ll have real data collected, indexed and available
in a specific analytic tool (e.g., ELK) and we can translate the generic
analytics into syntax appropriate to that analytics tool (e.g., Lucene syntax)
• With analytics implemented in a tool searching real data, we will test the
hypotheses developed in this step and iterate as needed to account for
nuances that emerge during implementation in an operational
environment
• This step primes us to accomplish those future steps, communicate
effectively, and interpret our analytic results
TTP Hunting Methodology Overview
[Figure: methodology step diagram, with the current step highlighted]
Hypotheses generated in this Step will be implemented as analytics which will
test those hypotheses.
Exercises
Researching a Technique
Creating and refining the hypothesis and abstract analytics
Refinement Exercise
• Rewrite the previous hypothesis taking into account some of the
topics discussed here.
• Keep in mind:
▪ Edge Cases
▪ Alternative means of execution
▪ Opportunities to reduce noise
Exercise
Identify different methods for
executing the following ATT&CK
Technique:
OS Credential Dumping
Example Answers
• SAM memory access with various
tools
• SAM dumping via registry
• Cached Credentials
• LSA Secrets
• NTDS file from Domain Controller
• GPP Files
• LSASS Memory Access
• Security Support Provider Interface
• DCSync
• PROC Filesystem (Linux)
Exercise
For the following TTP, write a hypothetical way you can detect its use.
https://attack.mitre.org/techniques/T1059/
Hints:
• Look at existing repositories
• Pay attention to variations of the technique
To test your knowledge of the material contained in these modules, please visit the
following link:
https://mitrefedramp.gov1.qualtrics.com/jfe/form/SV_exuvTV0gLzBmtmJ
Question? Contact TCHAMP@groups.mitre.org