mitre / cti

Cyber Threat Intelligence Repository expressed in STIX 2.0

New relationship "malware uses attack-pattern" #9

Status: Closed (khho closed this 6 years ago)

khho commented 6 years ago

In SRO id, relationship--a71256aa-a2e3-447c-ba4e-004ba4f062b2, we see the relationship "malware uses attack-pattern". Based on STIX2 standard on attack-pattern and malware, there is only the relationship "attack-pattern uses malware" available and not the other way around. Even though "relationships are not restricted to what is listed" in the standard, it would be good to clarify the reason in this case for introducing this new relationship "malware uses attack-pattern" instead of using the already available one in "attack-pattern uses malware".

saintx commented 6 years ago

This is one of many examples of how the STIX2 standard is incomplete. It is very common for Malware to use Attack Patterns that use other Malware and Tools. In this way, attack patterns (and really all TTPs) are composable. STIX is not a prescriptive but a descriptive data model.

Here's an excellent blog article detailing 10 examples of how malware can use the process injection attack pattern: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process. Note in none of these cases does the process injection use the malware.

You can also have an attack pattern "use" malware, such as when an embedded Powershell script uses an off-the-shelf dropper to install its payload. In that case, the attack pattern is to take advantage of privileged powershell execution, but the dropper itself is run of the mill, commodity malware.

Does this help?

khho commented 6 years ago

Thanks for sharing your thoughts. The STIX2 standard says that the Relationship "attack-pattern uses malware" "describes that the related Malware or Tool is used to perform the behavior identified in the Attack Pattern". This should cover the examples you have given without the need to introduce a new "malware uses attack-pattern" relationship. Please advise if there are any special considerations I may have missed. Thanks again.

saintx commented 6 years ago

If you encode both cases the same way, then you will be unable to determine whether the attack pattern uses the malware, or the malware uses the attack pattern, without subsequent analysis. Usage is not a reflexive relationship.

khho commented 6 years ago

Thanks again. I agree that usage should not be a reflexive relationship, but until now it has been unclear how and when "malware uses attack-pattern" is used.

In "relationship--a71256aa-a2e3-447c-ba4e-004ba4f062b2", the SRO looks like this: "relationship_type": "uses", "source_ref": "malware--fb575479-14ef-41e9-bfab-0b7cf10bec73", "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4", where the malware, ADVSTORESHELL, is a spying backdoor and the attack-pattern is "Modify Registry". The Relationship "attack-pattern uses malware" "describes that the related Malware or Tool is used to perform the behavior identified in the Attack Pattern". I think that the relationship "attack-pattern uses malware" in the STIX2 standard is sufficient to explain that, given a known attack-pattern "Modify Registry", there exists ADVSTORESHELL that performs the behaviour "Modify Registry".

Let me know if I'm wrong. Can you also share how you would define the Relationship, "malware uses attack-pattern"?

johnwunder commented 6 years ago

We talked about this exact topic as we were trying to figure out how to represent ATT&CK in STIX. We ended up going with this non-standard relationship because we felt the "attack-pattern uses malware" relationship implied that a key part of the attack pattern was the use of that tool or malware. What we want to say, though, is that you can use that tool in order to carry out the behavior -- but you don't necessarily have to.

So I guess as an example, I would use "attack-pattern uses malware" if I were describing a specific adversary's attack patterns and they always (or almost always) use that tool to execute that technique. On the other hand, many of these more generic attack patterns can either be carried out manually or with the tool and so that relationship didn't seem to make as much sense.

johnwunder commented 6 years ago

Going to close this, since it's been about 2 weeks with no activity.

khho commented 6 years ago

Hi John,

Thanks for giving your inputs. I was too busy for the past week as it was our festive season for the last 2 weeks.

A quick check on enterprise-attack.json and mobile-attack.json shows that there are many instances of the "malware uses attack-pattern" SRO but no instance of the "attack-pattern uses malware" SRO can be found. Do you know of any example of an attack-pattern with the SRO "attack-pattern uses malware", together with the SRO "malware uses attack-pattern" (where the malware in use in the two SROs could be different)?
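The check described in the last comment, written out as an added example (not code from the thread or from the mitre/cti repository): count the direction of every "uses" SRO in a STIX 2.0 bundle and flag those whose direction is absent from the spec's reference tables. The bundle is constructed inline; its first SRO reuses the ids quoted in the thread, the second is a made-up reverse-direction relationship with placeholder ids, and `STIX20_USES` covers only the two object types discussed here.

```python
from collections import Counter

# Subset of the "uses" pairs in the STIX 2.0 reference tables (source type ->
# target types) for the two object types in this thread. The spec permits other
# pairs; they are simply not listed, which is what the thread is about.
STIX20_USES = {"attack-pattern": {"malware", "tool"}, "malware": {"tool"}}

# Constructed bundle (not taken from enterprise-attack.json). The first SRO
# reproduces the ids quoted in the thread; the second is a made-up
# reverse-direction relationship using placeholder ids.
SAMPLE_BUNDLE = {
    "type": "bundle", "spec_version": "2.0",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "relationship", "relationship_type": "uses",
         "id": "relationship--a71256aa-a2e3-447c-ba4e-004ba4f062b2",
         "source_ref": "malware--fb575479-14ef-41e9-bfab-0b7cf10bec73",
         "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4"},
        {"type": "relationship", "relationship_type": "uses",
         "id": "relationship--00000000-0000-4000-8000-000000000001",
         "source_ref": "attack-pattern--00000000-0000-4000-8000-000000000002",
         "target_ref": "malware--00000000-0000-4000-8000-000000000003"},
    ],
}

def stix_type(ref):
    """Object type encoded in a STIX id: 'malware--<uuid>' -> 'malware'."""
    return ref.split("--", 1)[0]

def uses_sros(bundle):
    """Yield (sro, source type, target type) for every 'uses' relationship."""
    for obj in bundle.get("objects", []):
        if obj.get("type") == "relationship" and obj.get("relationship_type") == "uses":
            yield obj, stix_type(obj["source_ref"]), stix_type(obj["target_ref"])

def uses_directions(bundle):
    """Count 'uses' SROs by (source type, target type)."""
    return Counter((src, dst) for _, src, dst in uses_sros(bundle))

def non_table_uses(bundle):
    """Ids of 'uses' SROs whose direction is absent from the spec's tables."""
    return [sro["id"] for sro, src, dst in uses_sros(bundle)
            if src in STIX20_USES and dst not in STIX20_USES[src]]

if __name__ == "__main__":
    for (src, dst), n in sorted(uses_directions(SAMPLE_BUNDLE).items()):
        print(f"{src} uses {dst}: {n}")
    print("not in STIX 2.0 tables:", non_table_uses(SAMPLE_BUNDLE))
```

Pointing `SAMPLE_BUNDLE` at a `json.load` of enterprise-attack.json reproduces the count the comment describes.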