WIXLIB

WHITEPAPERMAPPINGBEYONDTRUSTCAPABILITIESTO MITRE ATT&CK NAVIGATOR

Mapping BeyondTrust Capabilities To MITRE ATT&CK NavigatorCONTENTSMITRE ATT&CKTM . 1Defining the Tactics . 2How BeyondTrust Helps to Mitigate Risks Identified in MITRE ATT&CK Framework . 4TA0001 – Initial Access. 5TA0002 – Execution . 5TA0003 – Persistence . 7TA0004 – Privileged Escalation . 9TA0005 – Defense Evasion . 11TA0006 – Credential Access . 13TA0007 – Discovery . 15TA0008 – Lateral Movement. 16TA0009 – Collection .17TA0010 – Exfiltration . 18TA0011 – Command And Control . 19TA0040 – Impact . 20The Beyondtrust Privileged Access Management Platform . 21

Mapping BeyondTrust Capabilities To MITRE ATT&CK NavigatorMITRE ATT&CKTMWith the volume of cyberattacks growing every day, organizations are increasinglyrelying on third-parties to help discover, prioritize, categorize, and provide guidance toremediate threats. Once such third party is MITRE and their ATT&CKTM knowledgebase. MITRE started ATT&CK in 2013 to document common tactics, techniques, andprocedures (TTPs) that advanced persistent threats use against Windows enterprisenetworks.According to the MITRE website: MITRE ATT&CK is a globally-accessible knowledge base of adversary tacticsand techniques based on real-world observations. The ATT&CK knowledge baseis used as a foundation for the development of specific threat models andmethodologies in the private sector, in government, and in the cybersecurityproduct and service community. Open and available to any person or organization for use at no charge, the goal ofMITRE ATT&CK is to bring communities together to develop more effectivecybersecurity.BeyondTrust has mapped its PAM solutions for privileged password management,endpoint privilege management, and secure remote access into the ATT&CK frameworkby tactic and technique. With this mapping, organizations can better optimize the returnon their security investments.1

Mapping BeyondTrust Capabilities To MITRE ATT&CK NavigatorDefining the TacticsThe MITRE ATT&CK framework includes the following tactics - all definitions can befound on the MITRE website. Initial Access (TA0001) Represents the vectors adversaries use to gain aninitial foothold within a network. Execution (TA0002) Represents techniques that result in execution ofadversary-controlled code on a local or remote system. This tactic is often used inconjunction with initial access as the means of executing code once access isobtained, and lateral movement to expand access to remote systems on anetwork. Persistence (TA0003) Any access, action, or configuration change to a systemthat gives an adversary a persistent presence on that system. Adversaries willoften need to maintain access to systems through interruptions such as systemrestarts, loss of credentials, or other failures that would require a remote accesstool to restart or alternate backdoor for them to regain access. Privilege Escalation (TA0004) The result of actions that allows an adversaryto obtain a higher level of permissions on a system or network. Certain tools oractions require a higher level of privilege to work and are likely necessary at manypoints throughout an operation. Adversaries can enter a system with unprivilegedaccess and must take advantage of a system weakness to obtain localadministrator or SYSTEM/root level privileges. A user account withadministrator-like access can also be used. User accounts with permissions toaccess specific systems or perform specific functions necessary for adversaries toachieve their objective may also be considered an escalation of privilege. Defense Evasion (TA0005) Consists of techniques an adversary may use toevade detection or avoid other defenses. Sometimes these actions are the same asor variations of techniques in other categories that have the added benefit ofsubverting a particular defense or mitigation. Defense evasion may be considereda set of attributes the adversary applies to all other phases of the operation. Credential Access (TA0006) Represents techniques resulting in access to orcontrol over system, domain, or service credentials that are used within anenterprise environment. Adversaries will likely attempt to obtain legitimatecredentials from users or administrator accounts (local system administrator or2

Mapping BeyondTrust Capabilities To MITRE ATT&CK Navigatordomain users with administrator access) to use within the network. This allowsthe adversary to assume the identity of the account, with all of that account'spermissions on the system and network and makes it harder for defenders todetect the adversary. With sufficient access within a network, an adversary cancreate accounts for later use within the environment. Discovery (TA0007) Consists of techniques that allow the adversary to gainknowledge about the system and internal network. When adversaries gain accessto a new system, they must orient themselves to what they now have control ofand what benefits operating from that system give to their current objective oroverall goals during the intrusion. The operating system provides many nativetools that aid in this post-compromise information-gathering phase. Lateral Movement (TA0008) Consists of techniques that enable an adversaryto access and control remote systems on a network and could, but does notnecessarily, include execution of tools on remote systems. The lateral movementtechniques could allow an adversary to gather information from a system withoutneeding additional tools, such as a remote access tool. Collection (TA0009) Consists of techniques used to identify and gatherinformation, such as sensitive files, from a target network prior to exfiltration.This category also covers locations on a system or network where the adversarymay look for information to exfiltrate. Exfiltration (TA0010) Refers to techniques and attributes that result or aid inthe adversary removing files and information from a target network. Thiscategory also covers locations on a system or network where the adversary maylook for information to exfiltrate. Command and Control (TA0011) Represents how adversaries communicatewith systems under their control within a target network. There are many waysan adversary can establish command and control with various levels ofcovertness, depending on system configuration and network topology. Due to thewide degree of variation available to the adversary at the network level, only themost common factors were used to describe the differences in command andcontrol. There are still a great many specific techniques within the documentedmethods, largely due to how easy it is to define new protocols and use existing,legitimate protocols and network services for communication.3

Mapping BeyondTrust Capabilities To MITRE ATT&CK Navigator Impact (TA0040) The adversary is trying to manipulate, interrupt, or destroyyour systems and data. Impact consists of techniques that adversaries use todisrupt availability or compromise integrity by manipulating business andoperational processes. Techniques used for impact can include destroying ortampering with data. In some cases, business processes can look fine, but mayhave been altered to benefit the adversaries’ goals. These techniques might beused by adversaries to follow through on their end goal or to provide cover for aconfidentiality breach.How BeyondTrust Helps to Mitigate Risks Identified in MITREATT&CK FrameworkThe following tables map BeyondTrust capabilities to the techniques identified withinthe tactics categorized in MITRE ATT&CK. The BeyondTrust capability mapping isrepresented by three columns: Detect – The ability to identify or discover all or part of the Techniques relatedto an Enterprise Tactic Prevent – The ability to stop or mitigate all or part of the Techniques related toan Enterprise Tactic Respond – The ability to generate notifications or alerts in the form of email,SIEM Event, SNMP Trap, or Scheduled Report4

Mapping BeyondTrust Capabilities To MITRE ATT&CK NavigatorTA0001 – Initial AccessBeyondTrust e-by CompromiseYYYT1190Exploit Public-Facing ApplicationYYYT1133External Remote ServicesYYYT1200Hardware AdditionsYYYT1091Replication Through RemovableYYYTA0001 – Initial AccessMediaT1193Spearphishing AttachmentYYYT1192Spearphishing LinkYYYT1194Spearphishing via ServiceYYYT1195Supply Chain Compromisen/aT1199Trusted RelationshipYYYT1078Valid AccountsYYYTA0002 – ExecutionBeyondTrust eScriptYYYT1191CMSTPYYYT1059Command-Line InterfaceYYYT1223Compiled HTML FileYYYT1175Component Object Model andYYYTA0002 – ExecutionDistributed COMT1196Control Panel ItemsYYYT1173Dynamic Data ExchangeYYYT1106Execution through APIYYY5

Mapping BeyondTrust Capabilities To MITRE ATT&CK NavigatorBeyondTrust ution through Module LoadYYYT1203Exploitation for Client ExecutionYYYT1061Graphical User 168Local Job SchedulingYYYT1177LSASS cheduled TaskYYYT1064ScriptingYYYT1035Service ExecutionYYYT1218Signed Binary Proxy ExecutionYYYT1216Signed Script Proxy ExecutionYYYT1153SourceYYYT1151Space after FilenameYYYT1072Third-party SoftwareYYYT1154TrapYYYT1127Trusted Developer UtilitiesYYYT1204User ExecutionYYYT1047Windows ManagementYYYTA0002 – ExecutionInstrumentationT1028Windows Remote ManagementYYYT1220XSL Script ProcessingYYY6

Mapping BeyondTrust Capabilities To MITRE ATT&CK NavigatorTA0003 – PersistenceBeyondTrust h profile and .bashrcYYYT1015Accessibility FeaturesYYYT1098Account ManipulationYYYT1182AppCert DLLsYYYT1103AppInit DLLsYYYT1138Application ShimmingYYYT1131Authentication PackageYYYT1197BITS JobsYYYT1067BootkitYYYT1176Browser ExtensionsYYYT1042Change Default File AssociationYYYT1109Component FirmwareT1122Component Object Model HijackingYYYT1136Create AccountYYYT1038DLL Search Order HijackingYYYT1157Dylib HijackingYYYT1519EmondYYYT1133External Remote ServicesNYNT1044File System Permissions WeaknessYYYT1158Hidden Files and 83Image File Execution Optionsn/aTA0003 – Persistencen/aInjectionT1525Implant Container ImageYYYT1215Kernel Modules and ExtensionsYYY7

Mapping BeyondTrust Capabilities To MITRE ATT&CK NavigatorBeyondTrust ch AgentNYNT1160Launch DaemonNYNT1152LaunchctlYYYT1161LC LOAD DYLIB Additionn/an/an/aT1168Local Job SchedulingYYYT1162Login ItemYYYT1037Logon ScriptsYYYT1177LSASS DriverYYYT1031Modify Existing ServiceYYYT1128Netsh Helper DLLYYYT1050New ServiceYYYT1137Office Application StartupYYYT1034Path InterceptionYYYT1150Plist ModificationYYYT1205Port Knockingn/aT1013Port Monitorsn/aT1504PowerShell ProfileYYYT1163Rc.commonYYYT1164Re-opened Applicationsn/an/an/aT1108Redundant Accessn/aT1060Registry Run Keys / Startup FolderYYYT1053Scheduled TaskYYYT1180ScreensaverYYYT1101Security Support ProviderYYYT1505Server Software ComponentYYYT1058Service Registry PermissionsYYYYYYTA0003 – PersistenceWeaknessT1166Setuid and Setgid8

Mapping BeyondTrust Capabilities To MITRE ATT&CK NavigatorBeyondTrust tcut ModificationYYYT1198SIP and Trust Provider HijackingYYYT1165Startup ItemsYYYT1019System Firmwaren/aT1501Systemd ServiceYYYT1209Time ProvidersYYYT1154Trapn/an/an/aT1078Valid AccountsYYYT1100Web ShellYYYT1084Windows ManagementInstrumentation Event SubscriptionWinlogon Helper DLLYYYYYYT1004TA0003 – PersistenceTA0004 – Privileged EscalationBeyondTrust ccess Token ManipulationT1015Accessibility FeaturesYYYT1182AppCert DLLsYYYT1103AppInit DLLsYYYT1138Application ShimmingYYYT1088Bypass User Account ControlYYYT1038DLL Search Order HijackingYYYT1157Dylib HijackingYYYT1514Elevated Execution with PromptYYYT1519EmondYYYT1068Exploitation for Privilege EscalationYYYT1181Extra Window Memory InjectionTA004 – Privilege Escalationn/a9