atc-project / atc-mitigation
Actionable analytics designed to combat threats based on MITRE's ATT&CK.
License: Apache License 2.0
From Readme:
CIS benchmarks: the best description of hardening strategies (for some OSes), but with no mapping to MITRE ATT&CK. Once they implement this mapping, we will integrate their analytics into the project.
This has been done for the Top 20 CIS Controls under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License:
Sample:

| CIS Control | CIS Sub-Control | Asset Type | Security Function | Title | Description | Mitigation ID | Mitigation Name | Mitigation Description | Technique ID | Technique Name | Technique Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | 1.6 | Devices | Respond | Address Unauthorized Assets | Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner. | M1034 | Limit Hardware Installation | Block users or groups from installing or using unapproved hardware on systems, including USB devices. | T1200 | Hardware Additions | Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by APT groups are scarce, many penetration testers leverage hardware additions for initial access. Commercial and open source products are leveraged with capabilities such as passive network tapping, man-in-the-middle encryption breaking, keystroke injection, kernel memory reading via DMA, adding new wireless access to an existing network, and others. |
| | | | | | | | | | T1091 | Replication Through Removable Media | Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself. |
| | 2.6 | | | Address unapproved software | Ensure that unauthorized software is either removed or the inventory is updated in a timely manner. | M1042 | Disable or Remove Feature or Program | Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. | T1191 | CMSTP | The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands. Similar to Regsvr32 / "Squiblydoo", CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. This execution may also bypass AppLocker and other whitelisting defenses since CMSTP.exe is a legitimate, signed Microsoft application. CMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. |
| | | | | | | | | | T1092 | Communication Through Removable Media | Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access. |
| | | | | | | | | | T1175 | Component Object Model and Distributed COM | Adversaries may use the Windows Component Object Model (COM) and Distributed Component Object Model (DCOM) for local code execution or to execute on remote systems as part of lateral movement. COM is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). DCOM is transparent middleware that extends the functionality of Component Object Model (COM) beyond a local computer using remote procedure call (RPC) technology. Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. By default, only Administrators may remotely activate and launch COM objects through DCOM. Adversaries may abuse COM for local command and/or payload execution. Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and VBScript. Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task, fileless download/execution, and other adversary behaviors such as Privilege Escalation and Persistence. Adversaries may use DCOM for lateral movement. Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications as well as other Windows objects that contain insecure methods. DCOM can also execute macros in existing documents and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application, bypassing the need for a malicious document. |
| | | | | | | | | | T1173 | Dynamic Data Exchange | Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution. |
| | | | | | | | | | T1519 | Emond | Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on predictable event triggers. Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place. The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the Launch Daemon configuration file at /System/Library/LaunchDaemons/com.apple.emond.plist. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system startup or user authentication. Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the Launch Daemon service. |
| | | | | | | | | | T1052 | Exfiltration Over Physical Medium | In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems. |
| | | | | | | | | | T1210 | Exploitation of Remote Services | Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources. There are several well-known vulnerabilities that exist in common services such as SMB and RDP as well as applications that may be used within internal networks such as MySQL and web server services. Depending on the permissions level of the vulnerable remote service an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well. |
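To work with a mapping in this layout programmatically, here is an added example (not code from the atc-mitigation project) that parses a markdown table in the twelve-column order above, fills in the cells that technique-only rows inherit from the sub-control row above them, and inverts the mapping so a defender can ask which CIS sub-control and ATT&CK mitigation cover a given technique. The table it parses is a constructed, shortened excerpt of the sample; the column names are assumptions chosen for this example.

```python
"""Parse and index a CIS-to-ATT&CK mapping table in the README's layout.
Technique-only rows leave their first nine cells blank and inherit them from
the nearest row above that names a sub-control (flattened merged cells)."""
from collections import defaultdict

COLUMNS = ["cis_control", "cis_sub_control", "asset_type", "security_function",
           "title", "description", "mitigation_id", "mitigation_name",
           "mitigation_description", "technique_id", "technique_name",
           "technique_description"]
PARENT = COLUMNS[:9]  # cells a technique-only row inherits from the row above

# Constructed excerpt in the README's 12-column order; descriptions shortened.
SAMPLE_TABLE = """
| CIS Control | CIS Sub-Control | Asset Type | Security Function | Title | Description | Mitigation ID | Mitigation Name | Mitigation Description | Technique ID | Technique Name | Technique Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | 1.6 | Devices | Respond | Address Unauthorized Assets | Remove or quarantine unauthorized assets | M1034 | Limit Hardware Installation | Block unapproved hardware such as USB devices | T1200 | Hardware Additions | Adversaries may introduce hardware into a network |
| | | | | | | | | | T1091 | Replication Through Removable Media | Adversaries may copy malware to removable media |
| 2 | 2.6 | | | Address unapproved software | Remove unauthorized software | M1042 | Disable or Remove Feature or Program | Remove or deny access to unnecessary software | T1191 | CMSTP | CMSTP.exe may be abused to run malicious INF files |
| | | | | | | | | | T1092 | Communication Through Removable Media | C2 relayed over removable media |
| | | | | | | | | | T1519 | Emond | Rules in /etc/emond.d/rules/ run on defined events |
"""


def parse_mapping(text):
    """Return one dict per technique row, with inherited cells filled in."""
    rows, carried = [], {}
    for line in text.splitlines():
        s = line.strip()
        if not (s.startswith("|") and s.endswith("|")):
            continue  # not a table row
        cells = [c.strip() for c in s[1:-1].split("|")]
        # skip malformed rows, the header row and the markdown separator row
        if len(cells) != len(COLUMNS) or cells[0] == "CIS Control" \
                or all(set(c) <= set("-:") for c in cells):
            continue
        row = dict(zip(COLUMNS, cells))
        if all(row[c] == "" for c in PARENT):
            row.update({c: carried.get(c, "") for c in PARENT})  # inherit
        else:
            carried = {c: row[c] for c in PARENT}  # a new sub-control starts here
        rows.append(row)
    return rows


def techniques_for_sub_control(rows, sub_control):
    """ATT&CK technique ids a CIS sub-control is mapped to, in table order."""
    return [r["technique_id"] for r in rows if r["cis_sub_control"] == sub_control]


def controls_for_technique(rows):
    """Invert the mapping: technique id -> {(sub-control, mitigation id)}."""
    index = defaultdict(set)
    for r in rows:
        index[r["technique_id"]].add((r["cis_sub_control"], r["mitigation_id"]))
    return dict(index)
```

Note that a blank cell in a row that names a sub-control (the empty Asset Type of 2.6) stays blank rather than inheriting from 1.6; only fully blank parent cells are treated as merged.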