Merge pull request #3 from carbonblack/MITRE-enrichment

Adding in MITRE enrichment

Attack_Navigator_Layer/Carbon_Black_-_Excel4_Forensics_Tips.json

@@ -0,0 +1,258 @@
+{
+	"name": "Carbon Black - Excel4 Forensics Tips",
+	"versions": {
+		"attack": "9",
+		"navigator": "4.3",
+		"layer": "4.2"
+	},
+	"domain": "enterprise-attack",
+	"description": "",
+	"filters": {
+		"platforms": [
+			"Windows"
+		]
+	},
+	"sorting": 0,
+	"layout": {
+		"layout": "side",
+		"aggregateFunction": "average",
+		"showID": false,
+		"showName": true,
+		"showAggregateScores": false,
+		"countUnscored": false
+	},
+	"hideDisabled": false,
+	"techniques": [
+		{
+			"techniqueID": "T1071",
+			"tactic": "command-and-control",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1071.001",
+			"tactic": "command-and-control",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1059",
+			"tactic": "execution",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1059.001",
+			"tactic": "execution",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1059.003",
+			"tactic": "execution",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1059.005",
+			"tactic": "execution",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1059.007",
+			"tactic": "execution",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1140",
+			"tactic": "defense-evasion",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1480",
+			"tactic": "defense-evasion",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1480.001",
+			"tactic": "defense-evasion",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1106",
+			"tactic": "execution",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1027",
+			"tactic": "defense-evasion",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1566",
+			"tactic": "initial-access",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1566.001",
+			"tactic": "initial-access",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1566.002",
+			"tactic": "initial-access",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1566.003",
+			"tactic": "initial-access",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1129",
+			"tactic": "execution",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1204",
+			"tactic": "execution",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1204.001",
+			"tactic": "execution",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1204.002",
+			"tactic": "execution",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1497",
+			"tactic": "defense-evasion",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1497",
+			"tactic": "discovery",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1497.001",
+			"tactic": "defense-evasion",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		},
+		{
+			"techniqueID": "T1497.001",
+			"tactic": "discovery",
+			"color": "#74c476",
+			"comment": "",
+			"enabled": true,
+			"metadata": [],
+			"showSubtechniques": false
+		}
+	],
+	"gradient": {
+		"colors": [
+			"#ff6666",
+			"#ffe766",
+			"#8ec843"
+		],
+		"minValue": 0,
+		"maxValue": 100
+	},
+	"legendItems": [],
+	"metadata": [],
+	"showTacticRowBackground": false,
+	"tacticRowBackground": "#dddddd",
+	"selectTechniquesAcrossTactics": true,
+	"selectSubtechniquesWithParent": false
+}

README.md

@@ -13,6 +13,7 @@ Table of Contents
 =================
    * [Carbon Black TAU Excel 4 Macro Analysis](#carbon-black-tau-excel-4-macro-analysis)
       * [Excel 4 Macro Forensics Tips](#excel-4-macro-forensics-tips)
+         * [MITRE ATT&CK Overview](#mitre-attck-overview)
          * [Execution Techniques](#execution-techniques)
          * [Obfuscation Techniques](#obfuscation-techniques)
          * [Sandboxing Detection Techniques](#sandboxing-detection-techniques)
@@ -51,41 +52,46 @@ Table of Contents
 
 ## Excel 4 Macro Forensics Tips
 
+### MITRE ATT&CK Overview
+Although this work is focusing solely on one specific Initial Access Technique ([Phishing](https://attack.mitre.org/techniques/T1566/)), below is a breakdown of the various ATT&CK techniques leveraged inside of Excel4 payloads during [User Execution: Malicious File](https://attack.mitre.org/techniques/T1204/002/)
+
+An interactive ATT&CK Navigator Layer can be found [here](https://raw.githubusercontent.com/carbonblack/excel4-tests/main/Attack_Navigator_Layer/Carbon_Black_-_Excel4_Forensics_Tips.json)
+
 ### Execution Techniques
 Below are common execution techniques leveraged by malware inside of Excel4 macro documents.
 
-Techniques | Description | Malicious Usage |
----------- | ----------- | --------------- |
-`EXEC` | starts a process | Often used to execution second stage payload |
-`UNREGISTER` | Unregisters a previously registered dynamic link library | Unregister DLL after malicious activity is complete. | 
-`REGISTER` | Registers the specified dynamic link library | Write payload to memory | 
-`CALL` | use DLL functions directly in worksheets | Use functions within dlls like ShellExecute, URLDownloadToFile | 
-`FOPEN` | Opens a file into memory | creates malicious file | 
-`FWRITE` | Writes text to a file | Write to malicious file | 
-`FCLOSE` | Closes the specified file | Closes malicious file | 
-`FREADLIN` | Reads characters from a file | Reads payload within file |
-
-### Obfuscation Techniques
-Common Evasion or Obfuscation techniques often used by malware inside of Excel4 macro documents.
-
-Techniques | Description | Malicious Usage |
----------- | ----------- | --------------- |
-`Download via DCONN` | Pulls data from external data source | download additional excel4 macro content |
-`CHAR` | returns a character when given a valid character code | obfuscates payloads and macro functions |
-`MID` | extracts a given number of characters from the middle of a supplied text string | obfuscates payloads and macro functions |
-`FORMULA` | Enters a formula in the active cell or in a reference. | dynamically builds payload as a function.  |
-`CODE` | Returns the numeric code for a given character  | Obfuscates payload and macro functions |
-`HEX2DEC` | Converts a hexadecimal number to decimal | Obfuscates payload and macro functions |
+Techniques | Description | Malicious Usage | MITRE ATT&CK Mapping |
+---------- | ----------- | --------------- | -------------------- |
+`EXEC` | Starts a process | Often used to execution second stage payload | [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/) / [Signed Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/) |
+`UNREGISTER` | Unregisters a previously registered dynamic link library | Unregister DLL after malicious activity is complete | [Shared Modules](https://attack.mitre.org/techniques/T1129/) |
+`REGISTER` | Registers the specified dynamic link library | Write payload to memory | [Shared Modules](https://attack.mitre.org/techniques/T1129/) |
+`CALL` | Use DLL functions directly in worksheets | Use functions within dlls like ShellExecute, URLDownloadToFile | [Native API](https://attack.mitre.org/techniques/T1106/) |
+`FOPEN` | Opens a file into memory | Creates malicious file | [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/) |
+`FWRITE` | Writes text to a file | Write to malicious file | [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/) |
+`FCLOSE` | Closes the specified file | Closes malicious file | [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/) |
+`FREADLIN` | Reads characters from a file | Reads payload within file | [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/) |
+
+### (De)Obfuscation Techniques
+Obfuscation/Deobfuscation techniques often used by malware inside of Excel4 macro documents. Payloads are almost always deobfuscated, dynamically, once the document is executed by a victim.
+
+Techniques | Description | Malicious Usage | MITRE ATT&CK Mapping |
+---------- | ----------- | --------------- | -------------------- |
+`Download via DCONN` | Pulls data from external data source | Download additional Excel4 macro content | [Application Layer Protocol](https://attack.mitre.org/techniques/T1071/) |
+`CHAR` | Returns a character when given a valid character code | Obfuscates payloads and macro functions | [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/) / [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140/)   |
+`MID` | Extracts a given number of characters from the middle of a supplied text string | Obfuscates payloads and macro functions | [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/) / [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140/)  |
+`FORMULA` | Enters a formula in the active cell or in a reference | Dynamically builds payload as a function | [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/) / [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140/)  |
+`CODE` | Returns the numeric code for a given character  | Obfuscates payload and macro functions | [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/) / [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140/)  |
+`HEX2DEC` | Converts a hexadecimal number to decimal | Obfuscates payload and macro functions | [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/) / [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140/) |
 
 ### Sandboxing Detection Techniques
-Techniques used to check document execution environment
-
-Function | Description | Malicious Usage |
----------- | ----------- | --------------- |
-`GET.WORKSPACE` | Returns information about the workspace | Used to detect various information about windows environment to evade dynamic detonation |
-`GET.DOCUMENT` | Returns information about a sheet in a workbook | Used to gather information about the running document to detect dynamic detonation. |
-`GET.WINDOW` | Returns information about a window | Used to get information about the Excel window to detect dynamic detonation | 
-`GET.WORKBOOK` | Returns information about a workbook | Used to gather information about the running document to detect dynamic detonation. 
+Techniques used to check document execution environment in an effort to perform Defense Evasion.
+
+Function | Description | Malicious Usage | MITRE ATT&CK Mapping |
+-------- | ----------- | --------------- | -------------------- |
+`GET.WORKSPACE` | Returns information about the workspace | Used to detect various information about windows environment to evade dynamic detonation | [Virtualization/Sandbox Evasion: System Checks](https://attack.mitre.org/techniques/T1497/001/) |
+`GET.DOCUMENT` | Returns information about a sheet in a workbook | Used to gather information about the running document to detect dynamic detonation | [Virtualization/Sandbox Evasion: System Checks](https://attack.mitre.org/techniques/T1497/001/) |
+`GET.WINDOW` | Returns information about a window | Used to get information about the Excel window to detect dynamic detonation | [Virtualization/Sandbox Evasion: System Checks](https://attack.mitre.org/techniques/T1497/001/) |
+`GET.WORKBOOK` | Returns information about a workbook | Used to gather information about the running document to detect dynamic detonation | [Virtualization/Sandbox Evasion: System Checks](https://attack.mitre.org/techniques/T1497/001/) | 
 
 ## Test Samples