Using MITRE ATT&CK When Researching Attacker Behavior in a Post-Compromise World


MITRE ATT&CK is arguably one of the best assets available to security professionals who want to dive into the intricacies of detecting and preventing adversary behaviors. Why is that? It is a knowledge base of known adversarial behaviors, overlaid with attacker TTPs and where each sits in the kill chain. ATT&CK is actively updated and evolves as new techniques are discovered. Here within TAU we live and breathe MITRE ATT&CK and benefit from its awesome work, so thank you MITRE!

We can leverage MITRE ATT&CK as the foundational knowledge base to pull from when researching attackers’ behaviors in a post-compromise world. But what would a specific attack look like when executed in your own testbed, mapped directly to a MITRE ATT&CK technique ID? This is where the folks over at Red Canary have done an awesome job of putting together a framework to test your detection capabilities as nicely organized unit tests. What if you want to know whether you have the visibility to detect something like a privilege escalation via the CMSTP COM provider? You can head over to the T1191 atomic test and execute, observe, create detection rules, repeat.

(Example CMSTP COM UAC Bypass observed in the wild)

Through this applied detection research you might notice that CMSTP.exe is what the industry has coined a “LOLBin”: a binary that ships with Windows, is signed by Microsoft, and can proxy code execution on behalf of another process. You might also notice that the binary has never executed in your environment, so why even let your shiny new detection technique get exercised? Let’s just minimize this attack vector altogether.

Recently, Carbon Black ran an internal hack-a-thon and I decided to have some fun with Red Canary’s Atomic Red Team and Cb Defense prevention rules; I internally dubbed this tool “Atomic Blue Team”. The idea is to automatically parse the atomic YAMLs, bucket the attack vectors into adversary techniques, and automatically create prevention rules in Cb Defense that stop the atomic executors from completing successfully. If you have never dug into the atomic YAMLs, there is a common set of data you can leverage. At a high level I started out by parsing only the atomic tests I was studying for this hack-a-thon project: Windows. After that I broke the tests down by their executors, so the buckets look something like command-interpreters, lolbins, and dev_tools. After finding the eligible test cases I then mapped the behaviors observed in each atomic test to the prevention capabilities provided natively in Cb Defense via our policy automation APIs(
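The bucketing step described above, as an added example that is not the post’s own code: a constructed sample in the shape of Atomic Red Team’s technique YAML (as loaded by yaml.safe_load) is filtered to Windows tests, the executables in each executor command are matched against the command-interpreter, lolbin and dev-tool buckets, and a suggested rule line is emitted in the same wording the post shows. The bucket contents and the output dict are assumptions of this example, not the Cb Defense policy format.

```python
import re

# Constructed sample shaped like Atomic Red Team's atomics/T*/T*.yaml files
# after yaml.safe_load(); real files load into the same structure.
ATOMICS = [
    {"attack_technique": "T1191", "display_name": "CMSTP",
     "atomic_tests": [
         {"name": "CMSTP Executing Remote Scriptlet",
          "supported_platforms": ["windows"],
          "executor": {"name": "command_prompt",
                       "command": "cmstp.exe /s #{inf_file_path}"}}]},
    {"attack_technique": "T1127", "display_name": "Trusted Developer Utilities",
     "atomic_tests": [
         {"name": "MSBuild Bypass Using Inline Tasks",
          "supported_platforms": ["windows"],
          "executor": {"name": "command_prompt",
                       "command": "msbuild.exe #{filename}"}},
         {"name": "Linux-only placeholder", "supported_platforms": ["linux"],
          "executor": {"name": "sh", "command": "echo skipped"}}]},
]
# Executor buckets the post describes, filled with the binaries its rules name.
BUCKETS = {
    "command_interpreter": {"cmd", "powershell"},
    "lolbins": {"cmstp", "rundll32", "regsvr32", "certutil", "pcalua", "forfiles"},
    "dev_tools": {"csc", "installutil", "msbuild", "regasm"},
}
EXE_RE = re.compile(r"(?i)\b([a-z0-9_]+)\.exe\b")  # executable names in a command

def bucket_for(binary):
    # Return the bucket a binary belongs to, or None if it is not of interest.
    for bucket, names in BUCKETS.items():
        if binary.lower() in names:
            return bucket
    return None

def eligible_tests(atomics, platform="windows"):
    # Yield (technique_id, test) for every test that runs on the given platform.
    for technique in atomics:
        for test in technique["atomic_tests"]:
            if platform in test.get("supported_platforms", []):
                yield technique["attack_technique"], test

def suggest_rules(atomics):
    # Map each eligible test's executor command to a suggested prevention rule.
    rules = []
    for tid, test in eligible_tests(atomics):
        for binary in EXE_RE.findall(test["executor"]["command"]):
            bucket = bucket_for(binary)
            if bucket is None:
                continue  # not a bucketed binary; nothing to suggest
            rules.append({"technique": tid, "test": test["name"], "bucket": bucket,
                          "binary": binary.lower(),
                          "rule": f"{binary.lower()} is being used to execute code"})
    return rules
```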

So what does this end up looking like for Windows eligible test cases? Awesome question:

(some of the suggested rules generated by this project)

Generating LOL Bin Rules

cmstp is being used to execute code
Indicator for command_interpreter attempting to make netconns
rundll32 wants to invoke cmd-interp
Indicator for command_interpreter attempting to make netconns
regsvr32 want to make a netconn
regsvr32 is loading sketchy stuff too!
Indicator for command_interpreter attempting to make netconns
certutil wants to make a netconn
pcalua is being used to execute code
forfiles is being used to execute code

Generating Dev Tools Rules

csc is being used to compile/execute payloads
installutil is being used to execute code
MSbuild is being used to execute code
csc is being used to compile/execute payloads
regasm is being used to execute code


Example of what a subset of the policy looks like in Cb Defense:

This is such a great showing of security unit testing in a red vs. blue context. Oftentimes we nerd out on the intricacies of our payloads, delivery mechanisms, command & control infrastructure, etc., but with machine-readable attacker TTP definitions we can quickly iterate on various detection and prevention techniques without having to take the time to exercise the entire kill chain.

So is this proof-of-concept rule generation meant to block all the things? Of course not; it is meant to showcase the power of unit testing when applied to red vs. blue. When evaluating security products, be sure to look not only at the immediate features in front of you but also at the flexibility of the tooling. Are you able to talk to an API to automatically put in new detection/prevention rules? Can you automatically take remediation actions when certain behaviors are observed on an endpoint?

We have come a long way in the cyber security testing space and have much more progress to make, but I truly believe this type of automated testing is the future of cyber security detection, prevention, and resiliency.

Parts of this code base have been open-sourced here:

Happy Hunting




The post Using MITRE ATT&CK When Researching Attacker Behavior in a Post-Compromise World appeared first on Carbon Black.
