Execution Flashcards

1
Q

Execution

A

This lesson covers the second tactic in the MITRE ATT&CK framework, Execution (TA0002). Its techniques describe the ways adversaries run malicious code for a variety of purposes; at the time of writing the tactic includes 10 top-level techniques. We will be looking at the following:

Windows Management Instrumentation
User Execution (2 sub-techniques)
2
Q

Windows Management Instrumentation

A

MITRE Technique T1047

Windows Management Instrumentation (WMI) is an administration feature that facilitates the management of devices and applications in a network from a Windows system. WMI provides users with information about the status of local or remote computer systems and can be used to remotely execute code on other systems. It relies on the WMI service for local and remote access, with remote access carried over Server Message Block (SMB) and the Remote Procedure Call Service (RPCS).

WMI has a number of uses, such as lateral movement and discovery, but since we are focusing on Execution in this lesson, take a look at a few highlighted entries from the Procedure Examples table below (there are far too many to cover here!):

MITRE offers two Mitigations that can be used to prevent malicious abuse of WMI. The first is properly managing privileged accounts by only issuing them to individuals who need those privileges (think principle of least privilege!). The other is to be very restrictive about who can use WMI, limiting the number of accounts that could abuse it if they are compromised.

MITRE states that organisations should monitor for WMI usage, which we can do using System Monitor (Sysmon) from Sysinternals. We can monitor the following event IDs:

Sysmon Event ID 19 – WmiEventFilter activity detected
Sysmon Event ID 20 – WmiEventConsumer activity detected
Sysmon Event ID 21 – WmiEventConsumerToFilter activity detected

3
Q

Windows Management Instrumentation 2

A
4
Q

User Execution

A

MITRE Technique T1204

This technique covers a user interacting with a malicious URL (sub-technique 1) or a malicious file (sub-technique 2), and is very closely tied to Phishing as an Initial Access technique. By convincing a user to click a link or run an attachment using social engineering tactics (we covered these in the Phishing Analysis domain!), the adversary can achieve code execution on a system without first having initial access. Alternatively, this technique can be used from inside the network: sending phishing emails internally or uploading a malicious file to a shared drive or file sharing server, and then enticing users to click on it, running malicious code.

MITRE offers 4 Mitigations that we could use. Application whitelisting is the process of preventing any unapproved executables from running, which directly prevents malicious code execution. Network Intrusion Prevention Systems (NIPS) can identify requests to malicious or suspicious web resources and block the connection before any files are downloaded. User awareness training is a huge part of an effective information security program: end users should be trained to spot phishing emails and not interact with them (replying, clicking links or opening attachments).

5
Q

User Execution 2

A

In the Detection section we have two great recommendations for protecting against User Execution. The first is to monitor commands that are entered into processes such as CMD.exe (Windows Command Shell) and PowerShell.exe, as well as monitoring applications that are used to compress payloads and then extract them (7Zip, WinRar, and others). The second suggestion is to use an up-to-date commercial anti-virus solution that detects malicious files using different techniques such as file analysis, pattern-based detection, and reputational checks. An endpoint detection and response (EDR) solution should also be considered to monitor and report on malicious activity, providing analysts with a platform where they can investigate process activity, such as Winword.exe spawning a child process of CMD.exe (this is NOT normal activity, and indicates a malicious macro inside a Microsoft Office document that is opening a command prompt to call back to the C2 server and download additional malware).
