atc-project / atc-mitigation

Actionable analytics designed to combat threats based on MITRE's ATT&CK.
Apache License 2.0

Mapping to CIS benchmarks #1

Open 2xyo opened 3 years ago

2xyo commented 3 years ago

From Readme:

CIS benchmarks — best description of hardening strategies (for some OSes), but no mapping to MITRE ATT&CK. Once they implement this mapping, we will integrate their analytics into the project

It's done for the TOP 20 CIS Controls under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License:

Sample:

Columns of the mapping: CIS Control, CIS Sub-Control, Asset Type, Security Function, Title, Description, Mitigation ID, Mitigation Name, Mitigation Description, Technique ID, Technique Name, Technique Description.

CIS Control: 1
CIS Sub-Control: 1,6
Asset Type: Devices
Security Function: Respond
Title: Address Unauthorized Assets
Description: Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
Mitigation: M1034 Limit Hardware Installation. Block users or groups from installing or using unapproved hardware on systems, including USB devices.

Technique: T1200 Hardware Additions
Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by APT groups are scarce, many penetration testers leverage hardware additions for initial access. Commercial and open source products are leveraged with capabilities such as passive network tapping, man-in-the-middle encryption breaking, keystroke injection, kernel memory reading via DMA, adding new wireless access to an existing network, and others.

Technique: T1091 Replication Through Removable Media
Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.

CIS Sub-Control: 2,6
Title: Address unapproved software
Description: Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
Mitigation: M1042 Disable or Remove Feature or Program. Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Technique: T1191 CMSTP
The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.

Adversaries may supply CMSTP.exe with INF files infected with malicious commands. Similar to Regsvr32 / "Squiblydoo", CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. This execution may also bypass AppLocker and other whitelisting defenses since CMSTP.exe is a legitimate, signed Microsoft application.

CMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface.

Technique: T1092 Communication Through Removable Media
Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

Technique: T1175 Component Object Model and Distributed COM
Adversaries may use the Windows Component Object Model (COM) and Distributed Component Object Model (DCOM) for local code execution or to execute on remote systems as part of lateral movement.

COM is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). DCOM is transparent middleware that extends the functionality of Component Object Model (COM) beyond a local computer using remote procedure call (RPC) technology.

Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. By default, only Administrators may remotely activate and launch COM objects through DCOM.

Adversaries may abuse COM for local command and/or payload execution. Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and VBScript. Specific COM objects also exist to directly perform functions beyond code execution, such as creating a Scheduled Task, fileless download/execution, and other adversary behaviors such as Privilege Escalation and Persistence.

Adversaries may use DCOM for lateral movement. Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications as well as other Windows objects that contain insecure methods. DCOM can also execute macros in existing documents and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application, bypassing the need for a malicious document.

Technique: T1173 Dynamic Data Exchange
Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys.

Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands, directly or through embedded files, and used to deliver execution via phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.

Technique: T1519 Emond
Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on predictable event triggers. Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place. The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the Launch Daemon configuration file at /System/Library/LaunchDaemons/com.apple.emond.plist.

Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication. Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the Launch Daemon service.

Technique: T1052 Exfiltration Over Physical Medium
In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

Technique: T1210 Exploitation of Remote Services
Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

There are several well-known vulnerabilities that exist in common services such as SMB and RDP as well as applications that may be used within internal networks such as MySQL and web server services.

Depending on the permissions level of the vulnerable remote service an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well.
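An added parser for the mapping export quoted above (example code written for this page, not code from the atc-mitigation project or from CIS). It assumes the twelve columns appear in the order of the header row, that sub-control ids use the comma-decimal form seen in the sample ("1,6"), and that a row with a blank CIS Sub-Control is a continuation row carrying only the technique columns; the TSV input is constructed from the sample rows with descriptions shortened. It then builds the inverse index a defender actually wants: which CIS sub-control and ATT&CK mitigation address a given technique.

```python
import csv
from io import StringIO

COLUMNS = ["cis_control", "cis_subcontrol", "asset_type", "security_function",
           "title", "description", "mitigation_id", "mitigation_name",
           "mitigation_description", "technique_id", "technique_name",
           "technique_description"]
CONTROL_COLS, TECHNIQUE_COLS = COLUMNS[:9], COLUMNS[9:]

# Constructed TSV export mirroring the rows quoted in the issue (descriptions
# shortened). Continuation rows carry only the three technique columns.
SAMPLE_TSV = (
    "1\t1,6\tDevices\tRespond\tAddress Unauthorized Assets\tRemove or inventory "
    "unauthorized assets.\tM1034\tLimit Hardware Installation\tBlock unapproved "
    "hardware.\tT1200\tHardware Additions\tHardware added as an access vector.\n"
    "\t\t\t\t\t\t\t\t\tT1091\tReplication Through Removable Media\tMalware on "
    "removable media.\n"
    "\t2,6\t\t\tAddress unapproved software\tRemove or inventory unauthorized "
    "software.\tM1042\tDisable or Remove Feature or Program\tRemove unneeded "
    "software.\tT1191\tCMSTP\tCMSTP.exe abused via a malicious INF.\n"
    "\t\t\t\t\t\t\t\t\tT1173\tDynamic Data Exchange\tDDE used from Office docs.\n"
)

def parse_mapping(tsv_text):
    """One dict per technique row, with merged (blank) cells resolved.
    A blank CIS Sub-Control marks a continuation row that inherits the previous
    control/mitigation columns; a new sub-control inherits nothing (blind
    forward-fill would label 2.6 'Devices') and derives a blank CIS Control."""
    records, current = [], None
    for row in csv.reader(StringIO(tsv_text), delimiter="\t"):
        if not any(c.strip() for c in row):
            continue
        row = (row + [""] * len(COLUMNS))[:len(COLUMNS)]  # pad short rows
        f = dict(zip(COLUMNS, (c.strip() for c in row)))
        if f["cis_subcontrol"]:
            # the spreadsheet locale wrote 1.6 as "1,6"; normalise to dotted form
            f["cis_subcontrol"] = f["cis_subcontrol"].replace(",", ".")
            f["cis_control"] = f["cis_control"] or f["cis_subcontrol"].split(".")[0]
            current = {k: f[k] for k in CONTROL_COLS}
        elif current is None:
            raise ValueError("continuation row before any sub-control row")
        records.append({**current, **{k: f[k] for k in TECHNIQUE_COLS}})
    return records

def technique_index(records):
    """ATT&CK technique id -> list of (CIS sub-control, mitigation id) covering it."""
    index = {}
    for r in records:
        index.setdefault(r["technique_id"], []).append((r["cis_subcontrol"], r["mitigation_id"]))
    return index
```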
yugoslavskiy commented 3 years ago

That's awesome! Thank you for the information! We will develop a backlog and start gradually moving it to the atc-mitigation project (: Would you like to give us a hand with the development?