this is module One lesson for attack mapping process, identifying techniques or sub techniques.
In this lesson, we have three objectives.
The first is to learn key strategies for identifying techniques and sub techniques.
We're going to go over some examples of working with these strategies with texture and actual report, as well as some of the external resources that you might use as you take a look at this.
Uh, and our overall hope is that you get out of this the ability to identify techniques and sub techniques in narrative reporting the Step four of the process we gave in less than one
this is often the hardest step in the mapping process that we gave him the first lesson.
Techniques and sub techniques are not always easy to identify. There are a lot of them in attack, and so the process we've gone through so far in the first few steps
is in order to try to make this better.
Also, some techniques may appear in attack multiple times, so this is reflected throughout attack, where an adversary may be trying to do one of a couple of different things with the particular behavior.
For example, hijack, execution flow and all of its sub techniques fall under persistence, privilege escalation and defensive Asian.
Because there are a couple different reasons why an adversary may actually use these behaviors.
Not every behavior that you're going to find in every port is necessarily a technique or sub technique and attack.
It may be not a match with the tax scope. It could be something outside of the technical space that attack lives in. It could be something more like just providing indicators compromise to an analyst, and not every behavior that could be mapped is actually a malicious activity by an adversary.
Context can be key for determining this and taking a look at what it is the adversary is trying to accomplish.
So you can take a look at, you know, tools that the adversaries using. And is it actually a hostile adversary usage? Are they trying to meet one of those tactics in attack?
It's also true that not every possible technique is documented,
so one of the goals of attack is to describe seen in the wild adversary behaviors. And so, for that reason, if if it hasn't been given to us before from threat intelligence reporting or contributed to attack. It might not be an attack
now. That said, if you are finding behaviors in reporting that are coming from actual adversaries and you're not finding them, an attack might be a great opportunity to contribute to the, uh, contribute those to us that they will be an attack in the future.
So I'm going to get into three key strategies that you can use in order to try to find the specific technique and sub technique to map to an attack.
The first is to take what you've already been doing in the previous steps and looking at the list of techniques and sub techniques for the tactic or tactics you previously identified.
So I don't get you down to a much smaller portion of attack.
Get into a little bit of just searching the attacked at Mirador website directly. We have a lot of text in there, and it may help you key in on the specific technique or sub technique that you're looking for.
Finally, if that's not working, taking a look at how attack actually is doing mapping, so we have thousands of examples in this point of adversary behavior from reports map to attack, and so just taking a look at how we're actually doing that ourselves.
Taking a look at the list of techniques and sub techniques in the tactic that you previously identified.
So as you take a look, you're going to find that attack these days actually has two levels of technique
techniques and sub techniques.
Now, some techniques are just more specific techniques. They have all of the same fields, the same properties
But we recommend that as your mapping to attack that you go down to the lowest level of detail that you're able to.
That is, if there is both a technique in a sub technique that applies, we recommend going down to the sub technique.
So take a look at the behaviors in the given tactic. It's going to give you a much smaller list of techniques and sub techniques than you have. Looking at all the tech
now, this is even more true in something like initial access or impact, where there's only a few techniques there.
But there's still quite a few there. If you're looking at something like defensive Asian
as you go through, you can take a look at details that are in the first paragraph of each other reports,
and sometimes it may not make sense to go all the way down to the sub technique at first. Sometimes it may be that it's It's fairly obvious what technique applies.
Then you need to open it up, take a look and see if there are sub techniques that actually match
other times. If something really specifically maps to a given sub technique, you may be able to go directly to that level.
It may be that you're actually working your way back up, where your first able to identify a sub technique directly and then work back up to the technique.
If that fails, if you're not finding what you're looking for in the tactic that you believe that the adversary was doing,
it might be worth looking across the entire attack website.
We have a lot of text in attack that is both describing the adversary behavior itself
as well as a number of examples where we've mapped adversary behavior already to specific techniques.
This can be things like just using your favorite search engine to search attacked at mr dot org site using control keyword searches
across different lists of techniques, looking for text in the technique name itself.
You can also take a look at procedure level details. So in a lot of cases, we may have mapped something that came from very similar text to what you're looking for from the report you have.
And it can be worth trying specific command strings. So we have a lot of example commands and attack at this point that may match up exactly what you're seeing an adversary do.
If that fails, it may be worth backing up a step
and taking a look at how we're actually mapping techniques to attack.
If you get into some of the groups and software pages, an attack or techniques and looking at procedure examples,
you can actually see some of how the attack team is taking details from reporting and mapping them to attack, and so may be helpful to just take a look at how we're doing it.
And it may be useful as a hint to take another direction forward.
So let's get into some examples of actually using some of these strategies.
So in that report that we've looked at in the previous lessons.
We had a couple of these phrases in there that we've already highlighted. So used email attachments
created scheduled task
And so these are terms that you can search and attack and you'll find directly appearing in different techniques.
So, for example, used email attachments, you'll find that directly in fishing spearfishing attachment,
which is a sub technique. 15 66.1
If you look for create scheduled task, you'll find scheduled Task Job T 10 53.
Now if you then go in and look at the sub techniques
of that technique, look at the details around. Create scheduled task.
You'll find that you can probably get all the way down to T 10 53 point oh five. So another level down
installed tools again you'll find directly in English. Tool Transfer T 11 oh five.
So you know, if I search for socks five in an attack may or may not find an appropriate matching technique.
So if, for example, I look for just socks,
um, come up right in
non application layer protocol where we describe socks as a non application layer protocol
so it is directly in the technique description itself. You also would have found it from the specific tactic that you've gotten down into.
And so again, it's a fairly direct finding.
So maybe you're just looking across technique list. So one of the things we highlighted earlier was established as a socks five connection using TCP Port 1913.
Well, so I want to see what using port might actually be an attack. We've already figured out that that's command and control.
So let's take a look at our technique list.
If I look for port, I come up with nonstandard port and port knocking. If I get into the descriptions,
this is not port knocking. Port knocking is when an adversary connects to a series of specific numbered ports, which opens a connection on the given system
now nonstandard port. On the other hand, we had already taken a look. At 1913, we've done some research. We recognized that it was not a normal port to be using
and since maps down to nonstandard port,
So from this one little phrase, we've actually been able to come up with two techniques non application layer protocol and nonstandard port.
Okay, so backing all the way back to that piece of report that we started with here
we've got this establishes the socks five connection using TCP port, where we've come up with tactics and techniques for that one little portion.
Now, for now, let's check
Take a look through the rest of this and see what techniques you're able to identify.
So please pause the video, take a look, see what you're able to find and in a minute I'll give you what my answers would be.
Okay, so, going back to the behaviors that we highlighted early in the module,
we have a successful exploitation. Were given a user system access on the machine.
This is privilege escalation, exploitation for privilege escalation.
We had that. The malware is using command dot x Z and running a specific command.
Well, the command on exit part you'll find directly in command and scripting Interpreter, Windows Command Shell
and the command that's being run is system owner user discovery.
Again, we can find a scheduled task job scheduled task
if we get into first the technique from the specific phrase and then get into the sub technique that is Windows specific.
So? Hopefully you've gotten some strategies out of this for identifying techniques and sub techniques.
We've taken a look at how we can actually apply those dig some of the information out of the attack website and some of the resources you might be able to use for doing this.
And we're giving you a little bit of practice identifying techniques and sub techniques in narrative reporting. We'll get into some more practice on doing that in a moment.