Wednesday, October 5, 2022

Tools, Tools Everywhere!

How do we get from hunting and detecting Tools (and IOCs) to actually detecting TTPs, and preferably the big one: TACTICS?

From MITRE ATT&CK: detection for Account Discovery: Domain Account



Let's look at the definitions first (I've borrowed them from Ryan Stillion's blog post on TTPs).


Tactics

Merriam-Webster:

    "the science and art of disposing and maneuvering forces in combat" 

    "the art or skill of employing available means to accomplish an end"


Techniques

Merriam-Webster:

    "a way of doing something by using special knowledge or skill"

    "the way that a person performs basic physical movements or skills"



I'm a practical guy, so I like to find Tactics by asking whether "this is a means to an end", and then forming a rough idea of whether that end is detectable.


TI Report to Tactics


Let's grab the latest TheDFIRReport (from 2022-09-16, BumbleBee: Round Two) and see if we can find any Tactics.

Shoutout to TheDFIRReport for a great job and for sharing their work!


Let's take a few findings from the report and see if we can find Tactics:


Finding:

C:\Windows\system32\cmd.exe /C net group "domain admins" /domain

Proposed Tactic:

Querying a domain controller for the members of the "Domain Admins" group


Finding:

C:\Windows\system32\cmd.exe /C nltest /dclist:

Proposed Tactic:

Querying a domain controller for the list of all domain controllers in the domain


Finding:

C:\Windows\system32\cmd.exe /C af.exe -f "objectcategory=computer" > ad_computers.txt

Proposed Tactic:

Querying a domain controller for all computer objects in the domain


Finding:

C:\programdata\procdump64.exe -accepteula -ma lsass.exe C:\programdata\lsass.dmp

Proposed Tactic:

Obtaining credentials by reading the memory of the lsass.exe process


Finding:

net  localgroup Administrators sql_admin /ADD

Proposed Tactic:

Adding a user to the local Administrators group


Finding:

A remote service was created on one of the workstations in order to dump lsass

Proposed Tactic:

Executing code by creating and running a service on a remote host
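
To make the findings-to-Tactics mapping above concrete, here is an added example (my own prototype, not code from the original post or from TheDFIRReport): a small Python classifier that tags process-creation events (Sysmon Event ID 1 / Security 4688) and service-install events (System 7045) with the proposed Tactics. The point is that none of the rules key on the executable name, so the renamed AdFind (af.exe) and the ProcDump binary are caught by what the command does, not by what it is called. The host names, the event dictionary shape and the service ImagePath are constructed assumptions (the report does not give the service's ImagePath); whether the service was created remotely would need correlation with a network logon on the same host, which this example does not do.

```python
"""Prototype: classify Windows event records into the Tactics proposed in the
post, without depending on tool names.  Added example, not from the post."""
import re
from dataclasses import dataclass

# Each rule is (Tactic label, regex).  The regexes describe what the command
# does (group queried, LDAP filter used, lsass memory written to a .dmp file),
# never the image name, so renamed binaries still match.
RULES = [
    ("Query DC for members of the Domain Admins group",
     re.compile(r'\bnet1?(\.exe)?\s+group\s+"?domain\s+admins"?\s+/domain\b', re.I)),
    ("Query DC for the list of domain controllers",
     re.compile(r'\bnltest(\.exe)?\s+/dclist\b', re.I)),
    ("Query DC for all computer objects (LDAP filter)",
     re.compile(r'objectcategory\s*=\s*computer', re.I)),
    ("Obtain credentials by reading lsass.exe memory",
     re.compile(r'(\s-ma\s+lsass(\.exe)?\b)|(\blsass(\.exe)?\b.*\.dmp\b)', re.I)),
    ("Add a user to the local Administrators group",
     re.compile(r'\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b', re.I)),
]

SERVICE_TACTIC = "Execute code through a newly installed service"


@dataclass
class Detection:
    host: str
    tactic: str
    evidence: str


def classify_command_line(cmdline):
    """Return the Tactic labels whose rule matches the full command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def classify_event(ev):
    """Map one event record to zero or more Detections."""
    found = []
    if ev["event_id"] in (1, 4688):            # process creation
        for tactic in classify_command_line(ev["CommandLine"]):
            found.append(Detection(ev["host"], tactic, ev["CommandLine"]))
    elif ev["event_id"] == 7045:               # a service was installed
        path = ev["ImagePath"]
        found.append(Detection(ev["host"], SERVICE_TACTIC, path))
        # The service's command line is classified like any other command line,
        # so a service installed to dump lsass yields both Tactics.
        for tactic in classify_command_line(path):
            found.append(Detection(ev["host"], tactic, path))
    return found


def run(events):
    return [d for ev in events for d in classify_event(ev)]


def summarize(events):
    """Tactic -> set of hosts where it was seen; the level a hunt should start at."""
    by_tactic = {}
    for d in run(events):
        by_tactic.setdefault(d.tactic, set()).add(d.host)
    return by_tactic


# Constructed sample events.  Command lines mirror the report's findings; host
# names and the 7045 ImagePath are invented for the example.
SAMPLE_EVENTS = [
    {"host": "WKS01", "event_id": 1,
     "CommandLine": 'C:\\Windows\\system32\\cmd.exe /C net group "domain admins" /domain'},
    {"host": "WKS01", "event_id": 1,
     "CommandLine": "C:\\Windows\\system32\\cmd.exe /C nltest /dclist:"},
    {"host": "WKS01", "event_id": 1,
     "CommandLine": 'C:\\Windows\\system32\\cmd.exe /C af.exe -f "objectcategory=computer" > ad_computers.txt'},
    {"host": "WKS02", "event_id": 1,
     "CommandLine": "C:\\programdata\\procdump64.exe -accepteula -ma lsass.exe C:\\programdata\\lsass.dmp"},
    {"host": "SQL01", "event_id": 1,
     "CommandLine": "net  localgroup Administrators sql_admin /ADD"},
    {"host": "WKS02", "event_id": 7045,
     "ImagePath": "C:\\programdata\\procdump64.exe -accepteula -ma lsass.exe C:\\programdata\\lsass.dmp"},
    # Benign noise: the same built-in tools used for something else.
    {"host": "WKS03", "event_id": 1, "CommandLine": "C:\\Windows\\system32\\net.exe use"},
    {"host": "WKS03", "event_id": 1, "CommandLine": "C:\\Windows\\system32\\nltest.exe /sc_query:CORP"},
]

if __name__ == "__main__":
    for tactic, hosts in summarize(SAMPLE_EVENTS).items():
        print(f"{tactic}: {sorted(hosts)}")
```

The two noise events show the difference from tool-based hunting: net.exe and nltest.exe appear in them, yet no Tactic fires, while af.exe fires on the LDAP filter alone.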


NO More TOOLS?

So we have (hopefully) been able to derive some Tactics from the findings in a threat intel report, TheDFIRReport's BumbleBee: Round Two.

By rewriting the findings as Tactics, I hope to write detections at a much higher level than Tools and, once and for all, leave the hunt for new tools behind me (at least in theory).

The reasoning behind that was explained in my last blog post, "Tactics, the killer of YOLO Command lines?", where the Pyramid of Pain and the DML model were discussed.


If anyone has comments on my Tactics, please let me know. Otherwise I will look into building detections for these in my next blog post.

References:

TheDFIRReport: BumbleBee: Round Two 

Ryan Stillions: on TTPs 

Net group command 

Net command 

Adfind usage 

Procdump

Malforsec: Tactics, the killer of YOLO Command lines?

Mitre Att&ck: Account Discovery:Domain Account