#8 LAVAEL: Implementing MITRE TTP-Based Hunting — V Diagram Methodology

Vladyslav Diadenko
13 min read · Dec 7, 2024


This Adversary Emulation Lab is crafted based on widely accessible, documented execution plans that adhere to the MITRE Active Defense Capability Set. This comprehensive guide provides details on implementing the “7-Step TTP-Based Hunt Methodology” as outlined in MITRE’s publication.

In preparation for implementing the V diagram methodology (a 7-step process), cyber security experts are required to conduct research on interesting Advanced Persistent Threat (APT) groups. This research will aid in the development of a real-life adversary emulation plan.

Figure: TTP-based hunt methodology “V” Diagram

V Diagram Methodology

The V Diagram methodology comprises the following seven steps, designed to systematically address and mitigate cybersecurity threats:

  1. Develop and Update Malicious Activity Model — Construct and refine a model that represents malicious activities accurately.
  2. Develop Hypotheses and Abstract Analytics — Formulate hypotheses based on the model and abstract analytics to predict and detect malicious behaviors.
  3. Determine Data Requirements — Identify the specific data needed to support the hypotheses and analytics.
  4. Filter — Apply filtering techniques to refine data collection and reduce noise.
  5. Identify and Mitigate Data Collection Gaps — Identify any gaps in data collection and develop strategies to address these gaps.
  6. Implement and Test Analytics — Deploy and rigorously test the analytics to ensure they effectively identify malicious activity.
  7. Hunt: Detect Malicious Activity and Investigate — Use the developed analytics to detect malicious activities and conduct thorough investigations.

TTP Hunt/Detect using Methodology “V” Diagram

Based on the provided methodology, each step of the adversary emulation plan will be described in detail:

1. Develop a malicious activity model

The goal of Step 1 is to start recognizing indicators of both known and unknown malware, the misuse of legitimate software, and zero-day exploits that cyber attackers employ to gain an initial presence in the network. This allows operators to detect the adversary and their corresponding tactics, techniques, and procedures (TTPs). Examples of various potential malicious activities include:

  • Social Engineering
  • Phishing
  • Spear Phishing
  • Man-in-the-Middle Attacks
  • Data Encryption for Impact
  • Denial of Service (DoS)

In this lab, the example involves emulated phishing, where a user will download an attachment and run an executable. The next table captures techniques and context together, which will be used to develop a hypothesis in Step 2. If a technique is identified that is associated with another technique or malware, the malicious activity model may be updated to include additional context and/or used for further investigation or actions. Malicious activity model for custom adversary group:

You can also use Attack Flow to create a visualization:

In the first step, a Cyber Hunt plan can be created for each malicious activity based on the collected data:

  • Malicious Activity Model: T1566.001 — Phishing: Spearphishing Attachment
  • Malicious Activity Model: T1560.001 — Archive via Utility
  • Malicious Activity Model: T1204.002 — User Execution: Malicious File
  • Malicious Activity Model: T1573 — Encrypted Channel
  • Malicious Activity Model: T1059.001 — Command and Scripting Interpreter: PowerShell
  • Malicious Activity Model: T1486 — Data Encrypted for Impact

2. Develop hypotheses and abstract analytics

A hypothesis for a cyber hunt is an educated belief that an adversary will behave in a certain way, and an analytic is the method used to detect the adversary’s behavior identified in the hypothesis. For example, if the hypothesis is that an adversary will exfiltrate data by using FTP, an analytic needs to be developed to detect unusual or unauthorized FTP connections and transfers. A variety of references are provided below to assist in formulating a hypothesis and corresponding analytics:

In Step 2, we will focus on crafting both a hypothesis and an analytic. While the Cyber Analytics Repository (CAR) and MITRE ATT&CK can offer valuable insights for a cyber hunt, they should not be the sole resources for this phase. Additionally, any hypothesis derived from CAR or MITRE ATT&CK should be cross-validated with the malicious activity model created in Step 1. Building the hypothesis and analytic can be effectively achieved using MITRE’s Cyber Analytics Repository (CAR) or ATT&CK framework.

The known behaviors can be searched for in both the CAR knowledge base and MITRE ATT&CK to find an analytic that corresponds to this behavior:

T1566.001 — Phishing: Spearphishing Attachment

T1560.001 — Archive via Utility

T1204.002 — User Execution: Malicious File

T1573 — Encrypted Channel

T1059.001 — Command and Scripting Interpreter: PowerShell

T1486 — Data Encrypted for Impact

These sources can be utilized to gain a deeper understanding of these behaviors, enabling the creation of more accurate hypotheses and analytics. Potential future adversary behaviors (hypotheses) can also be identified, and abstract detection methods can be developed to uncover these behaviors in future hunts. It is important to maintain the analytic at an abstract level at this stage of the methodology to accommodate any changes that may arise later in the process.

Now that operators have either utilized an existing analytic repository such as CAR to identify an analytic and formulate a hypothesis or created a hypothesis and analytic from scratch using ATT&CK characterizations, they can extract the necessary data to implement these analytics and develop the Cyber Hunt Plan. At this stage in the plan, operators have constructed a malicious activity model and devised a hypothesis accompanied by an abstract analytic.

3. Determine data requirements

Collect and index various data types from endpoints (such as registry, file, and process data), network devices (including DNS, network, proxy, and firewall logs), and security systems (alerts and threat intelligence) to improve cyber threat hunting in near real-time. In the provided lab environment, the Elastic Agent will be installed on a Windows host. This agent provides integrations such as EDR, Network Packet Capture, System, and Windows (including Sysmon), which collectively gather Windows system, security, application, and PowerShell logs. Additionally, Logstash is configured to process FortiGate (or another firewall) syslog data, adding another layer of log collection from the firewall. This setup addresses most of the aspects outlined in the MITRE documentation for a basic lab setup and log collection within this lab environment. The ATT&CK knowledge base includes metadata to help detect and identify adversary TTPs (Tactics, Techniques, and Procedures). This section demonstrates how operators can leverage ATT&CK Data Sources to better understand the types of data relevant to a specific ATT&CK TTP.

The model is now updated with the required data for each step of threat hunting:

4. Filtering the sources of data

Operators should obtain the following information from the network owner: network maps or diagrams, configuration baselines for workstations, servers, and network devices, network baselines, vulnerability assessment results, logging configurations, Group Policy Objects (GPO), normal working hours, and details about critical assets.

Collecting data on networks results in an overwhelming volume of information. It is impractical for analysts to manually examine each event to effectively pinpoint security-related threats. To manage this challenge, cyber operators employ filtering techniques to concentrate on critical analysis areas, utilizing key elements such as time, behavior, and cyber terrain.

Time plays a crucial role in cybersecurity analysis. By examining the timing of events, analysts can identify patterns and anomalies that may indicate malicious activity. For instance, a surge in network traffic during off-peak hours could signal a potential breach. Time-based filtering helps in narrowing down the vast data to specific periods when suspicious activities are more likely to occur.

Behavior analysis involves studying the actions of users and systems to detect deviations from normal patterns. By establishing a baseline of expected behavior, cybersecurity tools can flag irregular activities that may signify threats. Behavioral analytics can detect subtle signs of insider threats, malware infections, or other security breaches that might otherwise go unnoticed.

Cyber Terrain refers to the digital landscape that includes hardware, software, networks, and data. Understanding the cyber terrain is essential for effective threat detection and response. It allows cyber operators to map out critical assets and their interconnections, providing a context for where and how attacks might occur. By focusing on high-value targets and vulnerable points within the cyber terrain, analysts can prioritize their efforts and deploy resources more efficiently.

Operators must critically assess the analytics created for the engagement to determine whether they can distinguish between nominal activity and legitimate system administrative actions.

To identify suspicious login activities, operators should first understand the typical login patterns within the network. The initial step is to consult with the network administrators to gather information on the usual login times, locations, and user accounts. This information will help establish a baseline of normal login behavior.
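The baseline-then-filter approach described above, as an added Python example that is not code from the original article: it derives each user's usual logon hours and source hosts from a history of Windows 4624-style logon records, then keeps only the new logons that deviate from that baseline (off-hours, a new host, or a user with no history at all). The user names, hosts, timestamps and the 07:00-20:00 working-hours window are constructed sample values.

```python
"""Time- and behaviour-based filtering of logon events.

Added illustration (not from the original article): build a per-user
baseline of observed logon hours and source hosts, then filter new logons
down to the ones an analyst should look at. The records are constructed
sample data in a simplified (timestamp, user, source host) shape.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history of successful logons; real data would come from
# winlog 4624 events, and the working-hours window from the network owner.
BASELINE_EVENTS = [
    ("2024-12-02T08:05:00", "alice", "WS-01"),
    ("2024-12-02T17:40:00", "alice", "WS-01"),
    ("2024-12-03T09:10:00", "alice", "WS-01"),
    ("2024-12-03T08:55:00", "bob", "WS-07"),
    ("2024-12-04T10:20:00", "bob", "WS-07"),
    ("2024-12-04T16:30:00", "bob", "WS-12"),
]


def build_baseline(events):
    """Per-user set of observed logon hours (0-23) and source hosts."""
    hours = defaultdict(set)
    hosts = defaultdict(set)
    for ts, user, host in events:
        hours[user].add(datetime.fromisoformat(ts).hour)
        hosts[user].add(host)
    return {u: {"hours": hours[u], "hosts": hosts[u]} for u in hours}


def filter_logons(events, baseline, work_hours=range(7, 20)):
    """Return (event, reasons) for logons that deviate from the baseline.

    A logon is kept for review when its hour was never seen for that user
    and also lies outside agreed working hours (time filter), when the
    source host is new for the user (behaviour filter), or when the user
    has no baseline at all.
    """
    findings = []
    for event in events:
        ts, user, host = event
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        profile = baseline.get(user)
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if hour not in profile["hours"] and hour not in work_hours:
                reasons.append(f"off-hours logon at {hour:02d}:00")
            if host not in profile["hosts"]:
                reasons.append(f"new source host {host}")
        if reasons:
            findings.append((event, reasons))
    return findings


# Constructed logons to triage against the baseline.
NEW_EVENTS = [
    ("2024-12-05T09:00:00", "alice", "WS-01"),    # within baseline: dropped
    ("2024-12-05T02:15:00", "alice", "WS-01"),    # 02:15 never seen, off-hours
    ("2024-12-05T11:00:00", "bob", "SRV-DC01"),   # new source host for bob
    ("2024-12-05T13:00:00", "mallory", "WS-01"),  # account with no history
]

if __name__ == "__main__":
    for event, why in filter_logons(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(event, "->", "; ".join(why))
```

The time filter deliberately requires both conditions (hour unseen for the user and outside working hours) so that a user who simply starts early one day is not flagged; the behaviour filter on source host is stricter because a first logon from a server is worth a look regardless of time.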

5. Identify and mitigate data collection gaps

Tools such as Suricata, Strelka, Osquery, or sandboxes can also be deployed, as described in the MITRE documentation, to analyze files. In some environments, Sysmon, when configured properly, can significantly enhance data collection.

Updated Cyber Hunt Plan for “Find and Mitigate Data Collection Gaps”:

  • Annotate available data sources and document any missing ones, recommending logging enhancements.
  • Install Sysmon with a custom configuration using sysmon-modular, or build your own configuration.
  • Ensure that the Advanced Audit Policy is configured based on recommendations.
  • Install basic Elastic Agent integrations along with EDR to capture application, system, and security data.

In a Cyber Hunt Plan, it is beneficial to include additional details about Vulnerability Assessment Results near the section on determining data requirements. These assessments offer a list of existing vulnerabilities that can highlight potential weaknesses adversaries might exploit. Understanding which systems are susceptible to certain exploits can help direct the analysis efforts during the hunt. This information is crucial for identifying and addressing data collection gaps, making the hunt more focused and effective.
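Steps 3 and 5 together, as an added Python example that is not part of the original article: the techniques from the malicious activity model are mapped to the data components they need, the mapping is compared with what the deployed sources actually ship, and each gap is turned into a recommended logging enhancement. The technique-to-component mapping is abridged from the ATT&CK data sources for those techniques and should be re-checked against the current ATT&CK release; the source inventory and the enhancement text are assumptions modelled on the lab described above.

```python
"""Data-requirement and collection-gap check for a Cyber Hunt Plan.

Added example, not from the original article. REQUIRED is an abridged
ATT&CK data-component mapping (assumption), DEPLOYED is an assumed
inventory of the lab's Elastic Agent integrations and Logstash pipeline,
and ENHANCEMENTS holds the recommendation to record for a missing component.
"""

# Step 3: data components each technique in the activity model needs (assumed).
REQUIRED = {
    "T1566.001": {"File Creation", "Network Traffic Content", "Application Log Content"},
    "T1560.001": {"Process Creation", "Command Execution", "File Creation"},
    "T1204.002": {"Process Creation", "File Creation"},
    "T1573":     {"Network Traffic Content"},
    "T1059.001": {"Process Creation", "Command Execution", "Script Execution"},
    "T1486":     {"File Modification", "Process Creation", "Command Execution"},
}

# What each deployed source ships before any enhancement (assumed inventory).
DEPLOYED = {
    "elastic-agent/system": {"Process Creation"},
    "elastic-agent/windows+sysmon": {"Process Creation", "Command Execution",
                                     "File Creation", "File Modification"},
    "elastic-agent/network-packet-capture": {"Network Traffic Content",
                                             "Network Traffic Flow"},
    "logstash/fortigate-syslog": {"Network Traffic Flow", "Network Connection Creation"},
}

# Step 5: logging enhancement to recommend for a missing component (assumed text).
ENHANCEMENTS = {
    "Script Execution": "enable PowerShell Script Block Logging (event 4104) and ship "
                        "it through the Elastic Agent Windows integration",
    "Application Log Content": "collect mail gateway and proxy logs",
}


def gap_report(required=REQUIRED, deployed=DEPLOYED):
    """Per technique: covered components, missing components, and what to add."""
    available = set().union(*deployed.values())
    report = {}
    for technique, needs in required.items():
        missing = needs - available
        report[technique] = {
            "covered": sorted(needs & available),
            "missing": sorted(missing),
            "recommend": [ENHANCEMENTS.get(m, f"add a source that provides '{m}'")
                          for m in sorted(missing)],
        }
    return report


def techniques_with_gaps(report):
    """Techniques the hunt cannot yet cover with the deployed telemetry."""
    return sorted(t for t, r in report.items() if r["missing"])


def with_enhancement(deployed, source, component):
    """Copy of the inventory after `source` starts providing `component`."""
    updated = {s: set(c) for s, c in deployed.items()}
    updated.setdefault(source, set()).add(component)
    return updated


if __name__ == "__main__":
    before = gap_report()
    for t in techniques_with_gaps(before):
        print(t, "missing", before[t]["missing"], "->", before[t]["recommend"])
    after = with_enhancement(DEPLOYED, "elastic-agent/windows+sysmon", "Script Execution")
    after = with_enhancement(after, "logstash/mail-gateway", "Application Log Content")
    print("remaining gaps:", techniques_with_gaps(gap_report(deployed=after)))
```

Run as-is, the report flags T1059.001 (no script block logging) and T1566.001 (no mail or proxy log content) as the techniques the plan cannot yet cover, and the second pass shows the gaps closed once those two sources are added; the `recommend` entries are what goes into the "Annotate available data sources" item of the plan.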

6. Implement and test analytics

This section outlines the process for operators to implement a previously developed pseudocode analytic and translate it into Kibana Query Language (KQL), Lucene, or in this case — ES|QL within Kibana. The analytic will then be tested using threat emulation to generate the necessary data for logging.

An ES|QL query will be provided for each malicious activity model:

T1566.001 — Phishing: Spearphishing Attachment

FROM logs-* metadata _id, _version, _index
| WHERE (event.code == "11")
AND process.name == "chrome.exe"
AND (file.name LIKE "*.zip:Zone.Identifier"
OR file.name LIKE "*.7z:Zone.Identifier"
OR file.name LIKE "*.rar:Zone.Identifier"
OR file.name LIKE "*.tar:Zone.Identifier"
OR file.name LIKE "*.gz:Zone.Identifier"
OR file.name LIKE "*.bz2:Zone.Identifier"
OR file.name LIKE "*.iso:Zone.Identifier"
OR file.name LIKE "*.exe:Zone.Identifier")
| KEEP @timestamp, event.code, process.entity_id, process.pid, process.name, file.name, file.hash.md5, file.hash.sha1, file.hash.sha256, _id, _version, _index

T1560.001 — Archive via Utility

FROM logs-* metadata _id, _version, _index
| WHERE event.code == "15"
AND process.name == "Explorer.EXE"
AND (file.name LIKE "*.exe:Zone.Identifier")
AND (
winlog.event_data.Contents LIKE "*.zip*" OR
winlog.event_data.Contents LIKE "*.7z*" OR
winlog.event_data.Contents LIKE "*.rar*" OR
winlog.event_data.Contents LIKE "*.tar*" OR
winlog.event_data.Contents LIKE "*.gz*" OR
winlog.event_data.Contents LIKE "*.bz2*" OR
winlog.event_data.Contents LIKE "*.iso*"
)
| KEEP event.code, @timestamp, process.name, file.name, file.hash.md5, file.hash.sha1, file.hash.sha256, _id, _version, _index

T1204.002 — User Execution: Malicious File

FROM logs-* metadata _id, _version, _index
| WHERE (event.code == "1")
AND (
process.name LIKE "*.exe"
AND (
process.name LIKE "*wallet*"
OR process.name LIKE "*bitcoin*"
)
)
AND process.parent.name == "explorer.exe"
| KEEP event.code, @timestamp, process.entity_id, process.pid, process.name, file.hash.md5, file.hash.sha1, file.hash.sha256, _id, _version, _index

T1573 — Encrypted Channel

FROM logs-* metadata _id, _version, _index
| WHERE (event.category == "process" AND event.action == "start")
AND (
process.command_line LIKE "*System.Net.Security.SslStream*"
AND process.command_line LIKE "*AuthenticateAsClient*"
AND process.command_line LIKE "*GetBytes*"
)
| KEEP event.code, @timestamp, process.entity_id, process.pid, process.name, process.command_line, _id, _version, _index

T1059.001 — Command and Scripting Interpreter: PowerShell

FROM logs-* metadata _id, _version, _index
| WHERE event.code == "4104"
AND (
powershell.file.script_block_text LIKE "*Invoke-WebRequest*"
AND powershell.file.script_block_text LIKE "*http*"
AND (
powershell.file.script_block_text LIKE "*.exe*"
OR powershell.file.script_block_text LIKE "*.py*"
OR powershell.file.script_block_text LIKE "*.ps1*"
)
)
| KEEP event.code, @timestamp, process.entity_id, process.pid, process.name, powershell.file.script_block_text, _id, _version, _index

T1486 — Data Encrypted for Impact

FROM logs-* 
| WHERE event.action == "FileCreate"
AND process.executable LIKE "*.exe"
AND file.name LIKE "*.enc"
| STATS unique_files = COUNT_DISTINCT(file.name) BY process.executable
| WHERE unique_files > 5
| SORT unique_files DESC
| RENAME unique_files AS `Files`, process.executable AS `Process Executable`
| KEEP `Process Executable`, `Files`
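The "test the analytic" part of Step 6, as an added Python example that is not code from the original article: it re-implements the matching logic of the T1566.001 and T1486 queries above and runs it over constructed ECS/Sysmon-shaped events, so the analytic can be checked against known-benign and known-suspicious samples before it is deployed in Kibana. ES|QL `LIKE` wildcards are approximated with `fnmatch`; the field names follow the ECS keys used in the queries, and every event below is constructed.

```python
"""Local re-implementation of two of the ES|QL analytics for unit testing.

Added example, not from the original article: the same conditions as the
T1566.001 and T1486 queries, expressed in Python and run over constructed
events shaped like the ECS documents the queries read. ES|QL LIKE is
case-sensitive with '*' as the wildcard, which fnmatchcase reproduces.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Same Zone.Identifier patterns as the T1566.001 query.
ARCHIVE_OR_EXE_ADS = [f"*.{ext}:Zone.Identifier"
                      for ext in ("zip", "7z", "rar", "tar", "gz", "bz2", "iso", "exe")]


def like_any(value, patterns):
    """ES|QL-style LIKE against a list of patterns."""
    return value is not None and any(fnmatchcase(value, p) for p in patterns)


def t1566_001(events):
    """Sysmon event 11 (FileCreate) where chrome.exe writes the Zone.Identifier
    stream of an archive or executable, i.e. a browser download of such a file."""
    return [e for e in events
            if e.get("event.code") == "11"
            and e.get("process.name") == "chrome.exe"
            and like_any(e.get("file.name"), ARCHIVE_OR_EXE_ADS)]


def t1486(events, threshold=5):
    """Executables that created more than `threshold` distinct *.enc files,
    mirroring STATS COUNT_DISTINCT(file.name) BY process.executable."""
    created = defaultdict(set)
    for e in events:
        if (e.get("event.action") == "FileCreate"
                and like_any(e.get("process.executable"), ["*.exe"])
                and like_any(e.get("file.name"), ["*.enc"])):
            created[e["process.executable"]].add(e["file.name"])
    rows = [(exe, len(names)) for exe, names in created.items() if len(names) > threshold]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample events (not real telemetry).
RANSOM_EXE = r"C:\Users\user\Downloads\wallet_update.exe"
SAMPLE_EVENTS = [
    # Browser download of an archive: should match T1566.001.
    {"event.code": "11", "process.name": "chrome.exe", "file.name": "wallet.zip:Zone.Identifier"},
    # Browser download of a document: same stream, excluded by extension.
    {"event.code": "11", "process.name": "chrome.exe", "file.name": "report.pdf:Zone.Identifier"},
    # Explorer writing the stream during extraction: other process, other analytic.
    {"event.code": "11", "process.name": "Explorer.EXE", "file.name": "wallet.exe:Zone.Identifier"},
    # A single .enc file from a benign editor: below the threshold.
    {"event.action": "FileCreate", "process.executable": r"C:\Windows\notepad.exe",
     "file.name": "note.enc"},
]
# Six distinct encrypted files from one executable, plus a repeat and a non-.enc write.
SAMPLE_EVENTS += [{"event.action": "FileCreate", "process.executable": RANSOM_EXE,
                   "file.name": f"doc{i}.enc"} for i in range(6)]
SAMPLE_EVENTS += [
    {"event.action": "FileCreate", "process.executable": RANSOM_EXE, "file.name": "doc0.enc"},
    {"event.action": "FileCreate", "process.executable": RANSOM_EXE, "file.name": "README.txt"},
]

if __name__ == "__main__":
    print("T1566.001 hits:", [e["file.name"] for e in t1566_001(SAMPLE_EVENTS)])
    print("T1486 rows:", t1486(SAMPLE_EVENTS))
```

The repeated `doc0.enc` write is there to confirm that the count is of distinct file names, as `COUNT_DISTINCT` gives in the query, and the `.pdf` download confirms the extension list is doing the filtering rather than the `Zone.Identifier` stream alone; the same pattern of one benign and one suspicious sample per condition is what the threat-emulation run in the lab should produce in the real index.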

7. Hunt/Detect malicious activity and investigate

In the previous steps, the adversary to model the hunt operations around was determined, and a malicious activity model was developed based on that threat. A pseudocode analytic was created to detect a specific technique used by the adversary in the malicious activity model. Available data sources and collection gaps within the system were identified. Next, the pseudocode analytic was translated into an ES|QL query for use within Kibana. Now, operators will operationalize the analytic and commence the hunting process.

Hunting is driven by a core sequence of steps. It starts with the collection of data and an understanding of malicious TTPs (Tactics, Techniques, and Procedures). This foundation allows for the efficient filtering of data to identify malicious activity. Once this activity is thoroughly understood, the organization can implement containment and eradication procedures to disrupt and impose costs on the adversary.

The lab execution and detection flow is as follows:

1. User Downloads the Attachment from the Email

The user reads the email and decides to download the attachment to the PC.

The following rule was triggered: Suspicious Archive or Executable Download via Chrome.

2. User Unzips the Archive

After the user has downloaded the zip file and attempted to extract it, the following rule was triggered: Suspicious Archive Execution via Windows Explorer.

3. User Runs the Program

After extracting the executable from the archive, the user runs the program. It simulates a crypto wallet where the user must guess the password. However, when the user clicks to unlock the “imagined wallet,” a background connection is established to the C2 server, allowing a simulated attacker to gain control via PowerShell. The following rule was triggered: Suspicious Executable Launched via Windows Explorer.

4. Connection to C2 Server is Established

As previously mentioned, after the user executes the program and starts guessing the password, a background connection is established to the C2 server. The following rule was triggered: Suspicious Encrypted C2 Channel Establishment.

5. PowerShell Web Request and Execution

After the simulated attacker gains access to PowerShell, they find some interesting data on the Desktop and download another program, disguised as a “wallet update.” The following rule was triggered: Suspicious PowerShell Web Request Execution.

6. Some Data Becomes Encrypted

Finally, after the program is downloaded, it encrypts some data in the folder. The following rule was triggered: Potential Ransomware Activity: Multiple Encrypted Files Created.

Assess Analytics and the Hunt/Emulation Process

VECTR is a platform designed to support adversary emulation and evaluate the effectiveness of cybersecurity defenses. It enables organizations to simulate attack scenarios, assess security controls, and continuously improve their defensive strategies with detailed reporting and metrics.

Additional Tools to Consider:

SigmaHQ (Sigma CLI)

SigmaHQ provides an open standard for writing detection rules in a human-readable format that can be converted to various SIEM systems using the Sigma CLI. This approach allows for standardized and flexible threat detection across different platforms.

MISP (Malware Information Sharing Platform & Threat Sharing)

MISP is an open-source platform that collects and shares threat intelligence, promoting collaboration and integration with other security tools to enhance detection and response to cyber threats.
