On Friday the Australian Federal Government detailed sustained ‘copy-paste’ threats on government and business throughout the country. According to the Government: “‘Copy-paste compromises’ is derived from … heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source.”
The Australian Cyber Security Centre (ACSC) has detailed more than 50 techniques (TIDs) that attackers have used in the campaign against Australian entities, mapped to the MITRE ATT&CK Framework.
We’ve built our cloud-native endpoint security platform with our customers’ standardization on MITRE in mind. It’s our goal to arm security professionals with all the context they need, right where they need it. We’ve infused MITRE ATT&CK directly into our cloud console to ease identification of nation-state threats via:
- Behavioral EDR tactic, technique, and procedure (TTP) correlation
- Embedded MITRE Technique ID tagging
- Out-of-the-box MITRE ATT&CK threat feed
- Continuous and unbiased recording of endpoint telemetry, including fileless attack techniques
Understanding, detecting and preventing attacker behaviors are all critical components of the MITRE ATT&CK framework and of VMware Carbon Black’s approach to cybersecurity. The TIDs revealed by the ACSC should be a critical area of focus for cybersecurity teams in the wake of these ongoing attacks.
It’s long been our position, particularly when it comes to sophisticated, well-resourced threats, that traditional security measures do very little, if anything at all, to prevent and detect specific attacker behaviors. A security solution that focuses on specific techniques and behaviors can provide insight into cyberattacks that involve more than just malicious files.
Shortly after learning about the attacks, the VMware Carbon Black Threat Analysis Unit (TAU) took a look at the various TIDs revealed in the ACSC report. At a high level, what they found is that the alleged nation-state launching these attacks often leveraged multiple behaviors to circumvent traditional security mechanisms. This is a trend we’ve noticed for quite some time, and it is not limited to this latest situation in Australia.
The Australian government has said the attackers are exploiting known weaknesses in code, sending phishing emails and using links to fake login sites. They are also attempting to gain credentials, move laterally, obfuscate files, escalate privileges and circumvent multi-factor authentication, among other techniques. A more detailed list appears below.
TAU’s initial look at the attacks indicates that approximately 85% of the TIDs used in this attack target endpoints and end users directly. For those TIDs, the VMware Carbon Black Cloud (specifically Enterprise EDR) has existing detections for the tactics documented. A list of each TID, its tactic, the associated threat feed, and notes on the tactic appears below:
TIDs with Existing Detections as Part of the VMware Carbon Black Cloud
| TID | Tactic | Threat Feed in VMware Carbon Black Cloud | TID Notes via MITRE |
|---|---|---|---|
| T1002 | Exfiltration – Data Compressed | ATT&CK Framework | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib. |
| T1003 | Credential Access | AMSI Threat Intelligence | Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information. |
| T1005 | Data Collection from Local System | AMSI Threat Intelligence | Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration. Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a Command-Line Interface, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system. |
| T1018 | Remote System Discovery | AMSI Threat Intelligence | Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems. |
| T1027 | Defense Evasion – Obfuscated Files or Information | AMSI Threat Intelligence | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user’s action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. Adversaries may also use compressed or archived scripts, such as JavaScript. |
| T1028 | Execution, Lateral Movement – Windows Remote Management | AMSI Threat Intelligence | Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell. |
| T1032 | Command And Control – Standard Cryptographic Protocol | Bit9EndpointVisibility | Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files. |
| T1038 | Persistence, Privilege Escalation, Defense Evasion – DLL Search Order Hijacking | AMSI Threat Intelligence | Windows systems use a common method to look for required DLLs to load into a program. Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence. Adversaries may perform DLL preloading, also called binary planting attacks, by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. Adversaries may use this behavior to cause the program to load a malicious DLL. |
| T1043 | Command And Control – Commonly Used Port | AMSI Threat Intelligence | Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as TCP:80 (HTTP), TCP:443 (HTTPS), TCP:25 (SMTP) and TCP/UDP:53 (DNS). |
| T1046 | Discovery – Network Service Scanning | Carbon Black Endpoint Suspicious Indicators | Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. Within cloud environments, adversaries may attempt to discover services running on other cloud hosts or cloud services enabled within the environment. Additionally, if the cloud environment is connected to an on-premises environment, adversaries may be able to identify services running on non-cloud systems. |
| T1048 | Exfiltration – Exfiltration Over Alternative Protocol | Carbon Black Endpoint Visibility | Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different channels could include Internet Web services such as cloud storage. |
| T1053 | Execution, Persistence, Privilege Escalation – Scheduled Task | AMSI Threat Intelligence | Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically requires being a member of the Administrators group on the remote system. [1] An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account. |
| T1056 | Collection, Credential Access – Input Capture | AMSI Threat Intelligence | Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception. Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes, but other methods exist to target information for specific purposes, such as performing a UAC prompt or wrapping the Windows default credential provider. |
| T1059 | Execution – Command-Line Interface | Carbon Black Advanced Threats | Command-line interfaces provide a way of interacting with computer systems and are a common feature across many types of operating system platforms. [1] One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task). Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation. |
| T1064 | Defense Evasion, Execution – Scripting | AMSI Threat Intelligence | Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts. Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution to software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or on the user accepting to activate them. |
| T1068 | Privilege Escalation – Exploitation for Privilege Escalation | Carbon Black Advanced Threats | Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform Privilege Escalation to include use of software exploitation to circumvent those restrictions. |
| T1069 | Discovery – Permission Groups Discovery | AMSI Threat Intelligence | Adversaries may attempt to find local system or domain-level groups and permissions settings. |
| T1074 | Collection – Data Staged | Carbon Black Advanced Threats | Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Data Compressed or Data Encrypted. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. |
| T1077 | Lateral Movement – Windows Admin Shares | Carbon Black Advanced Threats | Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over server message block (SMB) to interact with systems using remote procedure calls (RPCs), transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels. |
| T1078 | Defense Evasion, Persistence, Privilege Escalation, Initial Access – Valid Accounts | Carbon Black Advanced Threats | Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. Accounts that an adversary may use can fall into three categories: default, local, and domain accounts. Default accounts are those that are built into an OS such as the Guest or Administrator account on Windows systems or default factory/provider set accounts on other types of systems, software, or devices. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services. |
| T1079 | Command And Control – Multilayer Encryption | Carbon Black Community | An adversary performs C2 communications using multiple layers of encryption, typically (but not exclusively) tunneling a custom encryption scheme within a protocol encryption scheme such as HTTPS or SMTPS. |
| T1083 | Discovery – File and Directory Discovery | ATT&CK Framework | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. |
| T1090 | Command And Control, Defense Evasion – Connection Proxy | Carbon Black Advanced Threats | Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. [1] Adversaries use these types of proxies to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. |
| T1087 | Discovery – Account Discovery | AMSI Threat Intelligence | Adversaries may attempt to get a listing of local system or domain accounts. |
| T1099 | Defense Evasion – Timestomp | Carbon Black Endpoint Suspicious Indicators | Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name Masquerading to hide malware and tools. |
| T1100 | Persistence, Privilege Escalation – Web Shell | Carbon Black Endpoint Suspicious Indicators | A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). |
| T1102 | Command And Control, Defense Evasion – Web Service | Carbon Black Endpoint Suspicious Indicators | Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system. These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. |
| T1105 | Command And Control, Lateral Movement – Remote File Copy | Carbon Black Advanced Threats | Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol. |
| T1106 | Execution – Execution through API | AMSI Threat Intelligence | Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters. |
| T1107 | Defense Evasion – File Deletion | Carbon Black Advanced Threats | Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. |
| T1108 | Defense Evasion, Persistence – Redundant Access | Carbon Black Endpoint Visibility | Adversaries may use more than one remote access tool with varying command and control protocols or credentialed access to remote services so they can maintain access if an access mechanism is detected or mitigated. If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary’s tools and access, then the adversary will be able to retain access to the network. Adversaries may also attempt to gain access to Valid Accounts to use External Remote Services such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network. Adversaries may also retain access through cloud-based infrastructure and applications. |
| T1110 | Credential Access – Brute Force | ATT&CK Framework | Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained. Credential Dumping is used to obtain password hashes; this may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network. Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization’s login failure policies. |
| T1111 | Credential Access – Two-Factor Authentication Interception | Carbon Black Community | Use of two- or multifactor authentication is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. Adversaries may target authentication mechanisms, such as smart cards, to gain access to systems, services, and network resources. If a smart card is used for two-factor authentication (2FA), then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. |
| T1114 | Collection – Email Collection | AMSI Threat Intelligence | Adversaries may target user email to collect sensitive information from a target. Files containing email data can be acquired from a user’s system, such as Outlook storage or cache files .pst and .ost. Adversaries may leverage a user’s credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services or Office 365 to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific key words. |
| T1135 | Discovery – Network Share Discovery | Carbon Black Endpoint Visibility | Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. |
| T1137 | Persistence – Office Application Startup | Carbon Black Advanced Threats | Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started. |
| T1140 | Defense Evasion – Deobfuscate/Decode Files or Information | AMSI Threat Intelligence | Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting, PowerShell, or by using utilities present on the system. |
| T1187 | Credential Access – Forced Authentication | Carbon Black Endpoint Visibility | The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources. Web Distributed Authoring and Versioning (WebDAV) is typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. |
| T1188 | Command And Control – Multi-hop Proxy | Carbon Black Community | To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. |
| T1190 | Initial Access – Exploit Public-Facing Application | Carbon Black Advanced Threats | The use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services. [3] Depending on the flaw being exploited this may include Exploitation for Defense Evasion. |
| T1192 | Initial Access – Spearphishing Link | Carbon Black Advanced Threats | Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. |
| T1193 | Initial Access – Spearphishing Attachment | Carbon Black Advanced Threats | Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. |
| T1203 | Execution – Exploitation for Client Execution | Carbon Black Advanced Threats | Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly use to do work, so they are a useful target for exploit research and development because of their high utility. |
| T1204 | Execution – User Execution | Carbon Black Advanced Threats | An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. |
| T1482 | Discovery – Domain Trust Discovery | AMSI Threat Intelligence | Adversaries may attempt to gather information on domain trust relationships that may be used to identify Lateral Movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts. |
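As an added illustration of the MITRE Technique ID tagging and TTP correlation the post describes (example code written for this page, not VMware Carbon Black's own detection content), the following Python maps constructed process-creation telemetry to TIDs from the table above and reports which of the listed TIDs a team has actually observed. The rule patterns, event field names and sample events are assumptions; the TID catalogue is taken from the table.

```python
"""Tag endpoint process telemetry with MITRE ATT&CK technique IDs (TIDs).

Added example: a minimal behavioural rule set that maps process-creation
events to TIDs from the ACSC list above and summarises catalogue coverage.
The rules, field names and sample events are constructed for illustration
and are not VMware Carbon Black's detection content.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# TIDs from the table above (techniques with existing detections per the post).
CATALOG: Set[str] = set("""
T1002 T1003 T1005 T1018 T1027 T1028 T1032 T1038 T1043 T1046 T1048 T1053
T1056 T1059 T1064 T1068 T1069 T1074 T1077 T1078 T1079 T1083 T1087 T1090
T1099 T1100 T1102 T1105 T1106 T1107 T1108 T1110 T1111 T1114 T1135 T1137
T1140 T1187 T1188 T1190 T1192 T1193 T1203 T1204 T1482
""".split())


@dataclass(frozen=True)
class Rule:
    tid: str
    name: str
    pattern: "re.Pattern[str]"  # searched in "<image basename> <command line>"


def _r(tid: str, name: str, regex: str) -> Rule:
    return Rule(tid, name, re.compile(regex, re.IGNORECASE))


# Behavioural rules keyed to tooling the MITRE notes above mention (schtasks,
# WinRM/PowerShell remoting, 7zip/RAR, DEL/SDelete, ADMIN$/C$/IPC$ shares,
# net.exe enumeration, Nltest). Assumed patterns, not a vendor rule set.
RULES: List[Rule] = [
    _r("T1053", "Scheduled Task", r"\bschtasks(\.exe)?\b.*\s/create\b"),
    _r("T1028", "Windows Remote Management",
       r"\b(winrs|winrm)(\.exe|\.cmd)?\b|\b(invoke-command|enter-pssession)\b.*\s-computername\b"),
    _r("T1002", "Data Compressed", r'\b(7z|7za|rar|winrar)(\.exe)?"?\s+a\s'),
    _r("T1107", "File Deletion", r"\bsdelete(64)?(\.exe)?\b|\bcmd(\.exe)?\b.*\s(del|erase)\s"),
    _r("T1077", "Windows Admin Shares", r"\bnet1?(\.exe)?\s+use\s+\\\\\S+\\(c|admin|ipc)\$"),
    _r("T1482", "Domain Trust Discovery", r"\bnltest(\.exe)?\b.*/domain_trusts\b"),
    _r("T1087", "Account Discovery", r"\bnet1?(\.exe)?\s+user\b"),
    _r("T1069", "Permission Groups Discovery", r"\bnet1?(\.exe)?\s+(localgroup|group)\b"),
    _r("T1135", "Network Share Discovery", r"\bnet1?(\.exe)?\s+(view|share)\b"),
]


def tag_event(event: Dict[str, str]) -> List[str]:
    """Return the sorted TIDs whose rule matches one process-creation event."""
    text = f"{ntpath.basename(event['image'])} {event.get('cmdline', '')}"
    return sorted({rule.tid for rule in RULES if rule.pattern.search(text)})


def observed_tids(events: Iterable[Dict[str, str]]) -> Set[str]:
    """Catalogue TIDs seen at least once in the telemetry."""
    seen: Set[str] = set()
    for event in events:
        seen.update(tag_event(event))
    return seen & CATALOG


def coverage_report(events: Iterable[Dict[str, str]]) -> Dict[str, object]:
    """Summarise observed versus not-yet-observed catalogue TIDs for a hunt."""
    seen = observed_tids(list(events))
    return {
        "observed": sorted(seen),
        "not_observed": sorted(CATALOG - seen),
        "observed_ratio": round(len(seen) / len(CATALOG), 3),
    }


# Constructed sample telemetry (not real data); cmdline is the full command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "alice", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr C:\ProgramData\updater.exe /sc onlogon'},
    {"host": "ws01", "user": "alice", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net.exe use \\fs01\ADMIN$"},
    {"host": "ws01", "user": "alice", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" a C:\Users\Public\out.7z C:\Finance\Reports'},
    {"host": "ws01", "user": "alice", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest.exe /domain_trusts"},
    {"host": "ws01", "user": "alice", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\Users\Public\out.7z"},
    {"host": "ws01", "user": "alice", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Invoke-Command -ComputerName srv02 -ScriptBlock {hostname}"},
    {"host": "ws01", "user": "alice", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net.exe group "Domain Admins" /domain'},
    {"host": "ws02", "user": "bob", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\bob\notes.txt"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["host"], ntpath.basename(event["image"]), tag_event(event))
    print(coverage_report(SAMPLE_EVENTS))
```

Run as a script it prints one line per event with its TIDs and then the coverage summary; in practice the rule set would be far larger and the events would come from the EDR's process telemetry rather than an inline list.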