Please enable JavaScript.

Coggle requires JavaScript to display documents.

Mittre Attack Techniques - Coggle Diagram

- - - - It is the Volume Shadow Copy Service main component, coordinating "provider" and "writer" routines to allow making copies of files while locked by the system or applications, including transactional processing where all or none of a transaction must succeed.
        Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, if no shadow volumes exist the message "No items found that satisfy the query." will be displayed. If shadow volumes are present, it will delete them without printing output to the screen. This is because the /quiet parameter was passed which also suppresses the y/n confirmation prompt. Shadow copies can only be created on Windows server or Windows 8.
      - Commands
        
        cmd.exe /c vssadmin delete shadows /all /quiet
      - Mitigation
        
        The command line parameter—vssadmin.exe Delete Shadows—offers us a great opportunity to detect ransomware.
        
        procedures for taking regular data backups that can be used to restore organizational data.[28] Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.
        
        technical controls to prevent the disabling of services or deletion of files involved in system recovery.
        
        process monitoring to monitor the execution and command line parameters of binaries involved in inhibiting system recovery, such as vssadmin, wbadmin, and bcdedit. The Windows event logs, ex. Event ID 524 indicating a system catalog was deleted, may contain entries associated with suspicious activity.
        
        Monitor the status of services involved in system recovery. Monitor the registry for changes associated with system recovery features (ex: the creation of HKEY_CURRENT_USER\Software\Policies\Microsoft\PreviousVersions\DisableLocalPage).
    - - Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. You can write WMI scripts or applications to automate administrative tasks on remote computers but WMI also supplies management data to other parts of the operating system and products, for example System Center Operations Manager, formerly Microsoft Operations Manager (MOM), or Windows Remote Management (WinRM).
        The large-scale aim of the system is to consolidate the management of devices and applications across corporate networks, and so WMI can be used to do the following:
        Gather statuses of computers
        Configure computer settings (security, system properties, permissions, etc.)
        Run applications or execute code
        Turn on, or turn off, error logging
        All of these functions are accessed via a combination of PowerShell and the WMI command-line interface (WMIC). As you can see, the uses of WMI are varied, and the system can be used to monitor and change a huge variety of settings across a computer network.
      - Mitigation
        
        Detection of Wmic.exe with command line shadowcopy delete
      - MaliscUse
        
        Deletes Windows Volume Shadow Copies via WMI.
        This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Shadow copies can only be created on Windows server or Windows 8.
        wmic.exe shadowcopy delete
        
        Delete Volume Shadow Copies via WMI with PowerShell
        Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil. Executes Get-WMIObject. Shadow copies can only be created on Windows server or Windows 8, so upon execution there may be no output displayed.
        Get-WmiObject Win32Shadowcopy | ForEach-Object {$.Delete();}
    - - MalUses
        
        Deletes Windows Backup Catalog.
        This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, "The backup catalog has been successfully deleted." will be displayed in the PowerShell session.
        wbadmin delete catalog -quiet
        
        BackupCatalog
        
        Windows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog. The catalog is stored in the same place that you store your backups at the path: <StorageLocation>\WindowsImageBackup\<ComputerBackedUp>\Catalog.
        use a backup wizard located in the control panel.
        
        wbadmin Delete systemstatebackup
        Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled.
        wbadmin delete systemstatebackup -keepVersions:0
      - The wbadmin.exe utility is a command line utility built into Windows, since Windows Vista/Server 2008. The command is used to back up and restore operating systems, drive volumes, files, folders and applications from a command-line interface (CLI). The wbadmin utility saves the image backup in a WindowsImageBackup folder on the target drive. To perform all the backup tasks, an individual must have the appropriate permissions, such as being a member of the backup operators or administrator group.
      - Mitigation
    - - MalUse
        
        Disables repair by the Windows Recovery Console on boot.
        This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, "The operation completed successfully." will be displayed in the powershell session.
        used to disable automatic Windows recovery features by modifying boot configuration data
      - Commands
        
        Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        bcdedit.exe /set {default} recoveryenabled no
        
        Cleanup Commands:
        bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures >nul 2>&1
        bcdedit.exe /set {default} recoveryenabled yes >nul 2>&1
      - Boot Configuration Data Editor (Bcdedit.exe) is used to make changes to the Boot Configuration Data (BCD)
        Configuration Data (BCD) Store that controls how the operating system starts in Microsoft Vista and Windows Server 2008. BCD Store also contains the configuration for boot parameters for your system.
    - - MalUse
        
        Deletes backup files in a manner similar to Ryuk ransomware. Upon exection, many "access is denied" messages will appear as the commands try to delete files from around the system.
      - Command
        
        del /s /f /q c:*.VHD c:*.bac c:*.bak c:*.wbcat c:*.bkf c:\Backup. c:\backup. c:*.set c:*.win c:*.dsk
- - - - The following section describes some of the ways in which the abuse of the techniques we just discussed can be detected, with a few insights into some of the implementations Countercept used when facing with this threat.
        
        Events Logs
        Stand Alone Tools and Scripts
        Sigma Rules
        
        Apart from the event logs, to follow along with some of the examples we recommend installing the following tools:
        Sysmon (SwiftOnSecurity's config will serve us well here) EID 12
        Sysinternal's Autoruns
  - - - malware will often create a task that looks for certain preconditions to launch, downloads new malicious code on a schedule, or uses scheduled tasks as a way to always remain in memory. I've seen malware hunters struggle to find out how the malicious code "keeps re-infecting their clean system." Answer: Check the Task Scheduler.
    - - There are a few steps you can take, and they're not hard -- you just have to be aware of them. First, you can look for unexpected, hidden job files. You can use Windows Explorer, Attrib.exe, or DIR /ah to search for hidden files, but an even easier way is to use Sysinternals Autoruns. Autoruns lets you zero straight in on all scheduled tasks, whether they're hidden or not.
      - Unfortunately, if you've never looked around to see what jobs normally run on your systems (and it can be dozens to hundreds enabled by Microsoft or legitimate software), figuring out what is nasty versus nice can take some time. Here's where it pays just to be aware of this attack vector because you don't want to look at every job file all the time. Heck, that will drive you crazy. But you can be sure to look for suspicious job files whenever you're doing a malware investigation.
- - - - Encrypt all files with a large speed rate, ransomware only uses this encryption mechanism with AES algorithm and stores the keys for each file on disk. Decryption can be done simply through opening this file with the keys and decrypt files .
  - - - Encryption is done through ransomware (Client) generating a RSA key pair, ransomware encrypts all files with a public key and send private one to the attacker server. This encryption technique is quite slow as it takes a long time to encrypt large files. Also victim and server both need to be connected to the internet for the private key to be received causing several scenarios where the encryption will not be initiated or private key is lost and there no possibility for decryption.
  - - - Implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data.[48] Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. Consider enabling versioning in cloud environments to maintain backup copies of storage objects.[49]
    - - detection of static properties. Through Extracting all the APIs that are called before any encryptionAPI is called. This is determined by checking for the keyword‘‘crypt”. If not found it'll continue extracting all APIs which will be fed into a trained learning algorithm that will decide the maliciousness based on the sequence of imported APIs.
- - - - Grant Full Access to folder for Everyone
        Invokes the command line similar to that used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone. icacls "C:*" /grant Everyone:F /T /C /Q
        icacls "#{path}" /grant Everyone:F /T /C /Q
      - cacls - Grant permission to specified user or group recursively
        Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control. If "Access is denied" is displayed it may be because the file or folder doesn't exit. Run the prereq command to create it. Upon successfull execution, "Successfully processed 3 files" will be displayed.
        icacls.exe #{file_or_folder} /grant #{user_or_group}:F
    - - Detection
  - - - attrib - hide file
        Attackers leverage an existing Windows binary, attrib.exe, to mark specific files or folder as hidden by using specific flags so that the victim does not see the file.
        attrib.exe +h #{file_or_folder}\attrib.txt
      - Remove read-only attribute
        Removes the read-only attribute from a file or folder using the attrib.exe command. Upon execution, no output will be displayed. Open the file in File Explorer > Right Click - Prperties and observe that the Read Only checkbox is empty.
        attrib.exe -r #{file_or_folder}*.* /s
  - - - Take ownership using takeown utility
        Modifies the filesystem permissions of the specified file or folder to take ownership of the object. Upon execution, "SUCCESS" will be displayed for the folder and each file inside of it.
        takeown.exe /f #{file_folder_to_own} /r
- - - - Malware through Host scans the local network as well as randomly generated IP addresses for unpatched and vulnerable systems.
    - - Malwares can spread not only to other machines in the same network, but also across the Internet. As we have seen with wannaCry which does a massive scanning on Internet IP addresses to find and infect other vulnerable computers.
  - - - Unless encryption keys are symmetrical and hard coded within the ransomware itself, most ransomware will contact C&C (Command & Control) servers through the multiple proxy servers to exchange public encryption keys.
    - - Detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture are essential for the attacker to shape the follow-on behaviors
    - - Ransomware will often install or instruct the victim to install anonymity software such as Tor Browser for the victim to transfer a particular amount of cryptocurrency to the attacker’s wallet in exchange for the private key required for decryption.