Contents
Introduction
Earlier we published a study covering the results of external and internal penetration tests in 2022. Among the research topics were the top 10 most common MITRE ATT&CK® techniques and sub-techniques successfully used by our pentesters. Penetration testing is a simulated attack, so by analyzing the 10 most popular techniques and sub-techniques, we will learn how to counteract real attackers. We explain how to detect these techniques and suggest preventive measures that will make an attack much more difficult to perform, or minimize the likelihood of it hitting your organization. For convenience, all techniques and sub-techniques are grouped by tactics.
In each chapter you will find recommendations both on how to detect an attack that uses techniques or sub-techniques from our top 10 list, as well as on how to strengthen your defenses so that such incidents do not occur. In the «D3FEND matrix» This model allows you to select a cybersecurity tool for detection and response, including blocking compromised resources, strengthening your organization's defenses, and setting up baits for attackers. D3FEND is gaining momentum and actively developing. , you will find the list of functions of information security tools used to detect, prevent, and respond to incidents involving techniques from the top 10 list.
Takeaways
We reviewed the 10 MITRE ATT&CK® techniques that were successfully used by our pentesters in real projects; they are listed in Table 1.
Table 1. List of tactics and techniques
| ID | Tactic | Technique |
|---|---|---|
| T1190 | Initial Access | Exploit Public-Facing Application |
| T1059 | Execution | Command and Scripting Interpreter |
| T1098 | Persistence | Account Manipulation |
|
T1110 T1003 T1552 |
Credential Access |
Brute Force OS Credential Dumping Unsecured Credentials |
| T1087 T1083 | Discovery |
Account Discovery File and Directory Discovery |
| T1550 | Lateral Movement | Use Alternate Authentication Material |
| T1071 | Command and Control | Application Layer Protocol |
Event sources that help detect the use of these techniques:
- Operating system event log, including events related to security audits and system logins
- Network traffic
- Application event log
- Domain controller event log
To facilitate prevention and detection of attacks with the help of 10 MITRE ATT&CK techniques, the following information protection tools can be used:
- Security incident and event management (SIEM) systems
- Network traffic analysis (NTA) systems
- Web application firewalls (WAF)
- Next-generation firewalls (NGFW)
- Intrusion detection systems (IDS)
- Intrusion prevention systems (IPS)
- Endpoint detection and response (EDR) and more modern extended detection and response (XDR) solutions
It is also possible to use built-in Windows security mechanisms, such as Credential Guard, to protect against credential theft attacks.
Basic functions of cybersecurity tools that can help experts to detect attacks or be used as a preventive measure are described in chapter «D3FEND matrix». Note, however, that these functions only partially cover the needs of infosec experts. This tool is new but actively developing. Plenty of modern information protection tools have many more useful features that can more quickly identify or respond to information security incidents.
Initial Access
To gain initial access to infrastructure, pentesters most often used Exploit Public-Facing Application (T1190). This technique was used in 100% of external penetration tests.
Attacks performed with the help of this technique can be detected in:
- Application event logs.
- Operating system event log.
- Network traffic.
The use of exploits can cause errors or unsuccessful authentication attempts that will be displayed in the application event log, for example in access.log, or in the database transaction logs.
Successful exploitation of a vulnerability can be detected, for example, by running reconnaissance commands.
To detect traces of known exploits in network traffic, it is possible to use network sensors of NTA, IDS, WAF or NGFW systems. If attackers use unknown (new) exploits, the attack can be detected only if a new exploit contains fragments of old payloads
To counter attacks performed with the help of this technique:
- Implement a vulnerability and security update management process.
- Use traffic analysis systems (provided the product has network sensors that can detect exploits in traffic), advanced next-generation firewalls (NGFWs) that can detect exploits, web application firewalls (WAFs), and intrusion prevention systems (IPSs).
- Segment the organization's network by establishing a demilitarized zone (DMZ).
- Isolate applications located in the DMZ with the help of virtualization technologies.
Execution
Of all the techniques used to execute commands on compromised hosts, the most successful one involved the use of
Command and Scripting Interpreter. This technique was successful in 93% of penetration tests.
The use of Command and Scripting Interpreter can be detected by analyzing events related to:
- Running processes (Sysmon: 1 and Windows Security Log: 4688 (with enabled command-line logging); for Linux: auditd: Syscall: execve). Analyze arguments passed in script-running lines. Pay attention to the names of scripts being run; some attackers do not change the names of publicly available scripts.
- Script execution (PowerShell conveyor events): 4103; PowerShell code block events: 4104). Monitor all attempts to enable script-running functions. If such a change of system settings occurs without the involvement of administrators, check whether this activity is legitimate. Analyze the content of scripts being executed, as attackers often use popular scripts in their original form, without obfuscation.
- Library download (Sysmon: 7).
Monitor library downloads and other events related to scripting languages (for example JScript.dll or vbscript.dll).
To counter attacks performed with the help of this technique:
- Use EDR solutions to detect and analyze malicious activity at endpoints (XDR).
- Use sandboxes.
- Disable the running of unsigned scripts.
- Remove unnecessary and unused shells and interpreters.
- Allow only privileged users to run PowerShell.
Persistence
In 82% of the companies under study, pentesters successfully used Account Manipulation (T1098) to gain a foothold in the infrastructure.
The use of Account Manipulation by attackers can be detected by analyzing:
- Domain controller events. Keep track of changes to Active Directory objects of type "user" in the domain controller security logs. For this, use events with ID 5136 that have the value "user" in the Class field. To track changes in particular account attributes, specify the names of these attributes in the LDAP Display Name field.
- Windows security log events Monitor events related to changes in user accounts (4738), computer accounts (4742), adding security group users (4732, 4728, 4756), as well as events related to changes in these security groups (4735, 4737, 4755). Such changes may occur, for example, out of hours, or be performed by persons who have no reason to do so.
- Events related to script execution. Configure the collection of PowerShell script events. These events make it possible to detect the use of various cmdlets for changing accounts and their privileges.
- Process-running events. Monitor the appearance of new processes that indicate any changes in account settings. Pay attention not only to processes, but also to the arguments with which they are run (including file paths, such as ~/.ssh/authorized_keys or /etc/ssh/sshd_config).
How to prevent attacks that involve Account Manipulation:
- Implement two-factor authentication.
- Segment your network and configure an access control policy. Proper network segmentation and access restrictions will force attackers to perform a lot more operations to achieve their goals, which will increase the chances of detecting bad actors in good time and taking measures to prevent the actuation of a non-tolerable event.
- Restrict privileged accounts: these should not be used for everyday tasks. Follow the recommendations on how to work with privileged accounts.
- Monitor the privileges of regular users. For example, they must not have permissions to change accounts or account policies.
- Check the security settings of domain controllers. Limit access to unnecessary protocols and services.
- Use EDR (XDR).
Credential Access
Credential Access: OS Credential Dumping
Of all the methods aimed at stealing account data, the most successful was OS Credential Dumping. It was used in 93% of the organizations under study. Several methods can be used to dump accounts; we focus on the most frequently used ones: DCSync (93%) and LSASS Memory (68%).
Credential Access: OS Credential Dumping: DCSync
An attack that involves OS Credential Dumping: DCSync (T1003.006) can be detected by analyzing:
- Domain controller events (DC Security Log: 4662) Monitor the event log on the domain controller for replication-related requests and other actions that may be part of a DCSync attack.
- Network traffic Monitor network activity of domain controllers. If replication requests are coming from a host that is not a domain controller, find out immediately what this host is and why it is requesting replication.
Analyze the DCE/RPC protocol and look for requests with opnum = 3 (DRSGetNCChanges) that indicate the start of domain controller replication.
Preventive measures to protect against attacks involving OS Credential Dumping: DCSync:
- Control the list of accounts with the "Directory change replication" privilege and other privileges related to domain controller replication. For the list of accounts with this privilege, see the access control list (ACL).
- Make sure that all local administrator accounts have strong and unique passwords on all hosts in the network.
- Do not include users in the administrator group on any devices in the network, unless this account is closely monitored.
- Implement an EDR solution to detect and analyze malicious activity at endpoints (EDR and XDR).
- If the infrastructure uses Local Administrator Password Solution (LAPS), make sure that only administrative accounts that need it have rights to LAPS.
- Follow best practices for administering corporate infrastructure, and restrict the use of privileged accounts outside administrative security zones.
Follow the recommendations on how to organize work with privileged accounts.
Credential Access: OS Credential Dumping: LSASS Memory
To detect an attack performed using the OS Credential Dumping: LSASS Memory sub-technique (T1003.001), it is important to analyze:
- Script execution events (PowerShell conveyor events: 4103; PowerShell code block events: 4104). Analyze PowerShell script events. Script cmdlets may include known functions from the hacker toolkit, such as Invoke-Mimikatz from the PowerSploit suite.
- Process-running and access events (Sysmon: 10 and Sysmon: 1, Windows Security Log: 4688 with enabled command-line logging). Monitor processes that request read access to LSASS.exe. The emergence of new non-system processes may indicate an attempt to capture a memory image.
Collect and analyze arguments passed in command lines. Attackers often change the names of utilities for dumping, but the parameter keys remain the same—and these patterns can be used to detect dumping attempts.
To counter attacks performed using OS Credential Dumping: LSASS Memory:
- Enable Attack Surface Reduction (ASR) rules.
- Activate Windows' built-in Credential Guard feature and include privileged domain users in the Protected Users group.
- If possible, disable or limit NTLM and the WDigest digest authentication protocol.
- Use EDR (XDR);
- For Windows Server 2012 R2 and for Windows 8.1: enable Protected Process Light.
- Make sure that the policy "Store password using reversible encryption for all users in the domain" is disabled (reversible encryption must be disabled).
Credential Access: Brute Force
Brute force was successfully used by our pentesters in all the organizations under study. Among all the brute force sub-techniques, Password Spraying (82%) and Password Guessing (75%) proved to be the most successful for brute-forcing credentials.
To learn about problems identified in password policies of major domestic companies in various economic sectors, see our analytical report «Results of Penetration Tests in 2022», section «Password policy flaws». In this report, you can also find recommendations on how to implement a password policy at your company.
The Brute Force sub-techniques Password Guessing (T1110.001) and Spraying (T1110.003) can be detected by analyzing:
- Application event logs. Monitor multiple unsuccessful authentication attempts, especially in services available at the perimeter. A large number of errors in a row from the same account indicates Password Guessing. If the users are different, but you can see the logic in the sequence of user names, or the time intervals are short and constant, then this is probably a Password Spraying attack.
- User login events (for Windows: Windows Security Log: 4625 and Kerberos Authentication Service: 4771; for Linux: /var/log/auth.log and /var/log/secure). Monitor operating system events that indicate unsuccessful login attempts. These can be events happening at individual hosts or at authentication servers, such as Kerberos ticket requests.
- Network traffic. Analyze network traffic for unsuccessful login attempts. For example, an attack related to password brute-forcing in a Windows domain can be detected by a large number of unsuccessful Kerberos authentication attempts. To automate this task, NTA systems can be used.
To counter the use of the Password Guessing and Spraying Brute Force sub-techniques:
- Implement multifactor authentication, especially for externally accessible services.
- Set requirements for password complexity and length.
Complicate password brute-forcing by blocking accounts after a certain number of unsuccessful login attempts within a certain period of time. Note, however, that this measure will only work for attacks involving the Password Guessing sub-technique.
Be aware that a very strict account-blocking policy can disrupt business processes. In this case, the system will not stop functioning, but legitimate users will not be able to access it because their accounts will be blocked
Credential Access: Unsecured Credentials
The Unsecured Credentials (T1552) technique was successfully used in 79% of the organizations under study.
To detect the use of the Unsecured Credentials technique, analyze:
- Process-running events (for Windows: Sysmon: 1 and Windows Security Log: 4688 (with enabled command-line logging); for Linux: auditd: Syscall: execve). Monitor process-running events using advanced command-line auditing. Pay attention to commands aimed at searching for credentials. They usually contain the following keywords: password, pwd, login, secure, or a combination of username and password. Usually the dir command in the standard cmd.exe command shell is used to search by name pattern in Windows. Windows uses the findstr.exe utility to search by content. In Linux, the find and grep utilities are used for these purposes, respectively.
- Script-execution events (PowerShell conveyor events: 4103; PowerShell code-block events: 4104). Collect and analyze PowerShell script events. Scrip cmdlets usually contain file search instructions, such as Get-ChildItem with name patterns containing the password, pwd, login, or secure strings, or a combination of username and password.
How to counter the Unsecured Credentials technique: to minimize the odds of this technique being successfully used, regularly search for files containing passwords and educate users on how to store confidential information. Control access to file shares: certain folders should be accessible only to specific persons. Do not allow the storage of passwords in files.
Discovery
The File and Directory Discovery (T1083) technique was successfully used in all companies, and Account Discovery in 96% of projects.
Attempts to detect this technique will generate a large number of false positives, as rules will be triggered by legitimate activity. To reduce the number of false positives, we recommend paying attention to the overall situation in the infrastructure, rather than to a specific event related to the Discovery tactic. Attackers will not only search for files or study account privileges, but also trigger other events in security logs. Therefore, if there are no other suspicious events, but a file can be accessed, do not raise the alarm.
Pay attention to how often similar events occur, because, in general, these actions constitute legitimate activity and may be caused by administrator actions or legitimate scripts.
Discovery: File and Directory Discovery
The use of the File and Directory Discovery technique can be detected by analyzing:
- Process-running events (for Windows: Sysmon: 1, Windows Security Log: 4688 (with enabled command-line logging); for Linux: auditd: Syscall: execve).
Monitor process-running events using advanced command-line auditing. Pay attention to commands aimed at listing files and directories.
Usually the dir command of the standard cmd.exe command shell is used to list directories and search for files and folders in Windows. In Linux, the ls and find utilities are used for these purposes, respectively.
- Script-execution events (PowerShell conveyor events: 4103; PowerShell code-block events: 4104). Collect and analyze PowerShell script events. When analyzing cmdlets in the script, you may come across instructions to search for files, such as Get-ChildItem.
The Discovery: File and Directory Discovery technique is related to the Credential Access: Unsecured Credentials technique. As with Credential Access, attackers using this technique often target credentials stored in user files. Therefore, the detection recommendations and preventive measures for these two techniques are similar.
File and Directory Discovery prevention:
Such attacks are difficult to prevent because they rely on legitimate features of the operating system. To minimize the chances of a successful attack, we recommend not to store or transmit sensitive information in cleartext. Use encryption for this purpose.
Discovery: Account Discovery
The use of the Account Discovery: Domain Account (T1087.002), Local Account (T1087.001) sub-technique can be detected by analyzing:
- Process-running events (for Windows: Sysmon: 1, Windows Security Log: 4688 (with enabled command-line logging); for Linux: auditd: Syscall: execve). Monitor commands aimed at listing or collecting information about users and groups.
- Script-execution events (PowerShell conveyor events: 4103; PowerShell code-block events: 4104). Collect and analyze PowerShell script events. Script cmdlets may contain user listing and searching instructions, such as Get-ADUser.
Prevention of the Account Discovery: Domain Account, Local Account sub-technique:
Such attacks are difficult to prevent because they rely on the use of legitimate features of the operating system.
A pinpoint recommendation that can complicate the attack:
If the EnumerateAdministrators setting is enabled in the Windows registry, attackers can obtain the list of local administrators by calling the UAC dialog. Disable this setting so that attackers cannot exploit this method to obtain the list of local administrators. The parameter is stored at the path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ EnumerateAdministrators.
Lateral Movement
Use Alternate Authentication Material was the most efficient Lateral Movement technique used by pentesters to move inside the network perimeter. This is because it is not always possible to find a password in cleartext; if the password is strong, nor is it easy to recover it from the hash, while getting the hash itself or TGT or TGS is simpler.
Lateral Movement: Use Alternate Authentication Material: Pass the Hash
The use of the Use Alternate Authentication Material: Pass the Hash sub-technique (T1550.002) can be detected in:
- Domain controller security log (Windows event: 4768 and 4769). Monitor new TGT and TGS requests. In combination with the specific system login session (ID 4624 with Logon Type = 9) and LSASS process memory access (Sysmon ID 10), the 4768 and 4769 Windows events may indicate a bypass of the password hash acquisition stage, and instead point to an attempt to perform a Pass the Hash attack for Kerberos (OverPass the Hash attack).
- Log of system audit login events (Windows event 4624). Monitor user authentication attempts. Login attempts in conjunction with other suspicious activity may indicate that the infrastructure has been compromised.
For example, NTLM and LogonType 3 verification is suspicious because the system is accessed without a graphical shell. In this case, make sure that this is not a typical infrastructure event, because sometimes major networks have systems that use outdated authentication mechanisms.
To counter attacks involving the Use Alternate Authentication Material: Pass the Hash sub-technique:
Install security updates KB2871997 for Windows 7 and higher versions (a pinpoint recommendation). This update restricts default access for accounts from the local administrator group.
It is impossible to completely prevent attacks using this technique because of the operating system architecture, but you can minimize the odds of such attacks being performed and make them more difficult to carry out: for this, limit the use of privileged accounts. For example, domain administrator account should only be used when working with domain controller and single services where such privileges are required.
Lateral Movement: Use Alternate Authentication Material: Pass the Ticket
The use of the Use Alternate Authentication Material: Pass the Ticket (T1550.003) sub-technique can be detected in:
- Kerberos authentication audit log (Windows event 4769). Monitor new TGT and TGS tickets used by a host that did not use them before. This may be a sign of an attack if this host does not proxy traffic.
If, after a double krbtgt password reset, the event 4769 with code 0x1F is registered on the domain controller, this may indicate an attempt to use a stolen or fake ticket.
- Log of system audit login events. Monitor user authentication attempts. Login attempts in conjunction with other suspicious activity may indicate that the infrastructure has been compromised,
- Process-running events. Events that trigger Kerberos ticket manipulation utilities (for example, Rubeus or klist) may indicate that a Pass the Ticket attack is being prepared.
- Network traffic. If a host did not request a Kerberos ticket but uses one, it may be a sign of a Pass the Ticket attack. To automate the search of such attacks, an NTA system can be used.
To counter attacks involving the Use Alternate Authentication Material: Pass the Ticket sub-technique:
It is impossible to fully prevent attacks involving this technique because of specific features of the operating system, but you can minimize the odds of such attacks. Periodically reset the password for the krbtgt account. Change the password, run replication, and then change the password again. This algorithm will help if attackers managed to steal credentials but did not continue the attack for some reason, or if attackers have been in the infrastructure for a long time. Follow best practices for administering corporate infrastructure, and restrict the use of privileged accounts outside administrative security zones.
Command and Control
Our pentesters successfully used the Application Layer Protocol: Web Protocols (T1071) sub-technique in 93% of companies.
Attacks performed with the help of this method can be detected by analyzing:
- Network traffic.
It is necessary to analyze protocols and packets for anomalies, and use protection tools that detect patterns consistent with known attacker tools, even if the traffic is encrypted.
To detect such attacks, Intrusion Detection Systems (IDS) or Network Traffic Analysis (NTA) systems can be used.
Attacks can be prevented by using:
- An intrusion prevention system (IPS)
- Extended detection and response systems (XDR)
- A next-generation firewall (NGFW)
D3FEND matrix
The D3FEND matrix is a convenient tool for selecting the necessary functions of information protection tools. The D3FEND model is related to the MITRE ATT&CK, which makes it much easier to choose the necessary measures.
The developers of this methodology distinguished five defensive tactics Cyberattack response. : Detect, Harden, Deceive, Evict, Isolate. Each tactic has its own set of techniques. For example, the Evict tactic includes two techniques: Credential Eviction and Process Eviction. Specific functions of information protection tools are listed under the techniques (see the Table below). The list of functions is not full, but the tool is actively developing.
We marked on the matrix the functions of protection tools needed to prevent, detect, or respond to attacks using 10 techniques from the MITRE ATT&CK matrix that were the most efficient in penetration tests.
Note that these measures are the required minimum, and modern information protection tools have a much broader functionality, which helps to detect and respond to attacks faster.
Conclusion
The ability to detect and prevent attacks performed using the top 10 most common MITRE ATT&CK® techniques will increase the efficiency of your defense systems and help you to detect more attacks. For this, it is vital to analyze operating system event logs, network traffic, application event logs, and domain controller event logs; and to use modern security tools that facilitate data collection and issue timely alerts about attacker actions.
As our report shows, by changing your approach to meeting regulatory requirements, you can build a full-fledged system of protection against real attacks, instead of just formally complying with these requirements. This new approach will not only raise the maturity of your information security processes, but also make your company's security system truly effective.
Get in touch
will contact you shortly