# MITRE Notes

## MITRE overview

A U.S. non-profit research organisation that grew out of MIT and focuses on advanced programmes in the defence sector. With funding from NIST it has launched many cybersecurity research and development programmes.

* Vulnerability intelligence sharing: the CVE vulnerability database
* Threat intelligence sharing: the ATT&CK knowledge base of adversary techniques
* Open-source security tools: Cuckoo, Yaraprocessor
* Related programmes: software assurance, supply-chain risk management, application security, and more

## Threat actors

APT (Advanced Persistent Threat)

## ATT&CK

Adversarial Tactics, Techniques, and Common Knowledge

![](https://i.imgur.com/zRmxGd6.png)

## TTPs

The three levels used to describe an attack:

* T, Tactics: the goal the adversary intends to achieve -> the objective of that phase, which defines the tactic and strategy
* T, Techniques: the methods carried out to achieve the phase goal -> the techniques and skills within the tactic
* P, Procedures: the software and tools the adversary uses or develops -> how the technique is actually implemented

Reference: [MITRE ATT&CK® from a red-team perspective: an introduction to ATT&CK®](https://medium.com/h1dra-security-team/%E5%BE%9E%E7%B4%85%E9%9A%8A%E8%A7%92%E5%BA%A6%E7%9C%8B-mitre-att-ck-att-ck-%E5%9F%BA%E6%9C%AC%E4%BB%8B%E7%B4%B9-d69a72b80d39)

## Techniques

### T1071.001 Application Layer Protocol: Web Protocols

This test simulates an infected host beaconing to command and control. It uses the Invoke-WebRequest cmdlet to send requests to google.com with different user agents, which mimic browsers. The test produces no visible output, but a Wireshark capture of the session shows the User-Agent string and the response.

### T1059.003 Command and Scripting Interpreter: Windows Command Shell

This test creates and executes a batch file. On execution, CMD launches to run the batch script and then closes again.

### T1055.001 Process Injection: Dynamic-Link Library Injection

This test uses PowerShell to download T1055.dll to disk. PowerShell then spawns mavinject.exe to perform process injection with T1055.dll. When the test finishes, a MessageBox with Notepad's icon is expected to appear in the taskbar. DLL injection is used because executing code from a DLL file can avoid detection by security products.
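The three tests above each leave a host-side trace in process-creation telemetry. The following is an added example (not part of the original notes or of any MITRE or Atomic Red Team code) that runs simple detection rules over constructed Sysmon-style events; the event field names, PIDs and paths are assumptions made for the sample.

```python
"""Map constructed process-creation events to the three ATT&CK techniques above."""
import re
from typing import Dict, List

# Constructed sample events shaped like Sysmon Event ID 1 (process creation).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "4100", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c C:\Temp\T1059_003_test.bat"},
    {"pid": "4120", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -c Invoke-WebRequest https://www.google.com -UserAgent 'Mozilla/5.0 test'"},
    {"pid": "4131", "image": r"C:\Windows\System32\mavinject.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"mavinject.exe 2288 /INJECTRUNNING C:\Temp\T1055.dll"},
    {"pid": "4140", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the ATT&CK technique IDs whose test behaviour this event matches."""
    image, parent = _basename(event["image"]), _basename(event["parent"])
    cmd = event["cmdline"]
    hits: List[str] = []
    # T1059.003: cmd.exe launched to run a batch script (.bat / .cmd).
    if image == "cmd.exe" and re.search(r"\.(bat|cmd)\b", cmd, re.I):
        hits.append("T1059.003")
    # T1071.001: Invoke-WebRequest (or its iwr alias) with an explicit User-Agent,
    # the host-side trace of the beaconing test; the wire view comes from Wireshark.
    if image == "powershell.exe" and re.search(r"invoke-webrequest|\biwr\b", cmd, re.I) \
            and "-useragent" in cmd.lower():
        hits.append("T1071.001")
    # T1055.001: mavinject.exe spawned by PowerShell, or run with /INJECTRUNNING.
    if image == "mavinject.exe" and (parent == "powershell.exe" or "/injectrunning" in cmd.lower()):
        hits.append("T1055.001")
    return hits

def detect(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each matched technique ID to the PIDs of the events that triggered it."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for tid in classify(ev):
            findings.setdefault(tid, []).append(ev["pid"])
    return findings

if __name__ == "__main__":
    for tid, pids in sorted(detect(SAMPLE_EVENTS).items()):
        print(f"{tid}: pids {', '.join(pids)}")
```

Point the same rules at real Sysmon or EDR exports to confirm the tests are actually visible in your telemetry; a test that leaves no matching event is a detection gap worth recording.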