Mapping 'Compromised Insider' Use Case to the MITRE ATT&CK Techniques & Data Source

If this is one of your use cases, Cyberseer would work with you to ensure your environment has the right data sources in place to provide visibility of the MITRE ATT&CK techniques listed below.

Compromised Insider Use Case

View this use case mapped against each tactic to reveal the relevant MITRE ATT&CK techniques and data sources:

Initial Access
Execution
Privilege Escalation
Credential Access
Discovery
Lateral Movement
Exfiltration

Initial Access

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network.

DATA SOURCES

  • Application Log Content
  • File Creation
  • Network Connection Creation
  • Network Traffic Content
  • Network Traffic Flow
  • Process Creation
  • Logon Session Creation
  • User Account Authentication

MITRE ATT&CK Techniques

  • T1566 Phishing
  • T1078 Valid Accounts

Execution

Execution consists of techniques that result in adversary-controlled code running on a local or remote system.

DATA SOURCES

  • Application Log Content
  • Command Execution
  • Container Creation
  • Container Start
  • File Creation
  • File Modification
  • Image Creation
  • Instance Creation
  • Instance Start
  • Module Load
  • Network Connection Creation
  • Network Traffic Content
  • Process Creation
  • Scheduled Job Creation
  • Script Execution

MITRE ATT&CK Techniques

  • T1059 Command and Scripting Interpreter
  • T1053 Scheduled Task/Job
  • T1204 User Execution
  • T1047 Windows Management Instrumentation

Privilege Escalation

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network.

DATA SOURCES

  • Active Directory Object Modification
  • Command Execution
  • Container Creation
  • File Creation
  • File Metadata
  • File Modification
  • Module Load
  • OS API Execution
  • Process Access
  • Process Creation
  • Process Metadata
  • Scheduled Job Creation
  • User Account Metadata
  • WMI Creation
  • Windows Registry Key

MITRE ATT&CK Techniques

  • T1134 Access Token Manipulation
  • T1068 Exploitation for Privilege Escalation
  • T1055 Process Injection
  • T1053 Scheduled Task/Job
  • T1078 Valid Accounts

Credential Access

Credential Access consists of techniques for stealing credentials like account names and passwords.

DATA SOURCES

  • Application Log Content
  • User Account Authentication
  • Active Directory Object Access
  • Command Execution
  • File Access
  • Network Traffic Content
  • Network Traffic Flow
  • OS API Execution
  • Process Access
  • Process Creation
  • Windows Registry Key Access

MITRE ATT&CK Techniques

  • T1110 Brute Force
  • T1555 Credentials from Password Stores
  • T1557 Man-in-the-Middle
  • T1003 OS Credential Dumping
  • T1558 Steal or Forge Kerberos Tickets

Discovery

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network.

DATA SOURCES

  • Asset logon and access
  • Authentication and access management
  • VPN and zero-trust network access
  • Application Activity
  • Privileged access management and activity
  • File monitoring
  • Remote logon activity
  • DLP alerts
  • Web activity

MITRE ATT&CK Techniques

  • T1087 Account Discovery
  • T1135 Network Share Discovery
  • T1040 Network Sniffing
  • T1057 Process Discovery
  • T1518 Software Discovery

Lateral Movement

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network.

DATA SOURCES

  • Command Execution
  • File Access
  • Firewall Enumeration
  • Firewall Metadata
  • OS API Execution
  • Process Creation
  • User Account Metadata

MITRE ATT&CK Techniques

  • T1534 Internal Spearphishing
  • T1563 Remote Service Session Hijacking
  • T1021 Remote Services

Exfiltration

Exfiltration consists of techniques that adversaries may use to steal data from your network.

DATA SOURCES

  • Cloud Storage Creation
  • Cloud Storage Modification
  • Command Execution
  • File Access
  • Network Connection Creation
  • Network Traffic Content
  • Network Traffic Flow
  • Script Execution
  • Snapshot Creation
  • Snapshot Modification

MITRE ATT&CK Techniques

  • T1048 Exfiltration Over Alternative Protocol
  • T1041 Exfiltration Over C2 Channel
  • T1052 Exfiltration Over Physical Medium
  • T1567 Exfiltration Over Web Service
  • T1537 Transfer Data to Cloud Account
