Collection Flashcards

1
Q

Collection

A

This lesson is going to cover the ninth stage in the MITRE ATT&CK framework, Collection. These techniques describe the ways adversaries identify important files or information, collect them, and prepare them for data exfiltration. At the time of writing, Collection includes 16 top-level techniques. We will be looking at the following:

Email Collection
Audio Capture
Screen Capture
Data From Local System

2
Q

Email Collection

A

MITRE Technique T1114

Collecting emails from a target system is attractive to an adversary: these emails could give an insight into business operations, provide a list of valid internal email addresses for future spear-phishing attacks or for sale on underground markets, include attachments containing sensitive data, and much more. When considering email collection there are three sub-techniques that we need to consider:

Local Email Collection – Attackers may target emails on the local system to identify and collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files typically stored in C:\Users\Documents\Outlook Files or C:\Users\AppData\Local\Microsoft\Outlook.
Remote Email Collection – Attackers may specifically target and pivot to an Exchange server or Office 365 to collect sensitive information. Using valid credentials, the actor can interact directly with the Exchange server to poll information from within a network. The attack doesn’t always have to occur from within a network, as internet-facing Exchange services or Office 365 can be accessed to read, send, save and delete emails.
Email Forwarding Rule – Adversaries may set up email forwarding rules to collect sensitive information. Any emails sent to a user are silently auto-forwarded to an attacker-owned email address, presenting a data leak that continues to give the adversary access to email messages even after they have lost access to the network. This could result in sensitive data exposure, which could also be used for social engineering and spear-phishing attacks in the future.
Using multi-factor authentication (MFA) can prevent access to an account where a malicious actor has discovered the valid username and password combination. Although there are ways MFA can be bypassed, it adds more work for the adversary and gives us more time to catch them. We could also consider encrypting our emails or sensitive documents and only sharing the decryption key with trusted parties via alternative communication methods. Finally, enterprise-grade email solutions may have functionality to audit auto-forwarding rules, check whether any have been created to send mail to non-domain mailboxes, and generate an alert or report for further investigation.

In regard to detecting this activity, we have a number of options to choose from. Unusual processes accessing an email server or application could suggest an adversary is attempting to connect, and a user who works from 9 AM to 5 PM logging in at 1:30 AM on a Saturday and opening their email application is very unusual and potentially a sign of malicious activity. Also monitor for unusual PowerShell, WMI, and CMD commands being executed from a user’s account.

4
Q

Audio Capture

A

MITRE Technique T1123

An attacker can utilise peripheral devices such as plugged-in microphones, headsets or webcams to collect audio from users who are interacting with the system. Recording system audio can also capture conversations held over Voice over IP (VoIP) applications such as Skype, Webex, and Teams.

APT37 has been documented using audio capture software known as SOUNDWAVE to record microphone input from an infected system. The Bandook malware has modules that allow it to capture audio, as do Cobian RAT, Attor, and Cadelspy.

It is not possible to completely mitigate this technique because using system audio is practically a necessity. Focusing on detection, we can monitor API calls related to audio capture, but this would generate a high volume of false positives because such calls are often legitimate activity. Process monitoring should be conducted to identify any unusual processes that are attempting to access the microphone on a system, along with file creation that is likely audio-related.

6
Q

Screen Capture

A

MITRE Technique T1133

Taking screen captures from the system can help to gather information over a long period of time, and this technique will typically be deployed soon after a system has been compromised, giving it a good chance of collecting valuable information or of building up a profile of the user’s day-to-day habits. Taking a screenshot can also be achieved through native utilities or API calls such as CopyFromScreen, xwd, or screencapture (this isn’t standard behaviour, so we can monitor for these commands!).

The first entry in the Procedure Examples table for this technique is the well-known Agent Tesla remote access trojan (RAT). This tool has the ability to take screenshots at regular intervals, which could disclose information from open documents or web browsing activity. APT28 and APT39 have been known to collect screenshots during their cyber operations as an information collection technique. Aria-body, a malicious program, also has the ability to capture screenshots.

Mitigating these actions isn’t feasible as screen capture can be used for legitimate purposes, so instead we should focus on detection. We can monitor for unusual API calls related to taking screenshots, but this could still generate a large number of false positives. We should find ways to link this with other activity to reduce the number of false positives and build a stronger detection capability.

8
Q

Data From Local System

A

MITRE Technique T1005

Attackers may search through any attached local or networked drives to find files of interest and sensitive data prior to Exfiltration. This can be anything from local databases to coding projects, sensitive documents to users’ files. Identifying such files can be achieved using an interpreter such as CMD on Windows systems, making use of commands such as find, tree, locate, and dir. Alternatively, attackers can make use of tools that perform Automated Collection on the local system.

The Procedure Examples table for this technique has a lot of generic entries because almost every threat actor is going to want to identify and exfiltrate interesting files from a compromised system. We can see that APT28 has previously exfiltrated internal documents from systems under their control and used Forfiles to prepare files for exfiltration. GravityRAT (a remote access trojan) is known to steal files with specific file extensions that are widely used within businesses and enterprises. The same goes for Inception, which looks for files with specific extensions and sends them back to the attacker.

It’s hard to differentiate between legitimate and malicious activity because it won’t immediately look any different from expected user activity accessing and changing user-generated files on their systems. To detect this activity we should monitor for excessive usage of commands in CMD and PowerShell that may represent a malicious actor preparing files for exfiltration.
