JUST RELEASED: ATT&CK for Industrial Control Systems

TECHNIQUES

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

Replication Through Removable Media

Spearphishing Attachment

Spearphishing Link

Spearphishing via Service

Supply Chain Compromise

Trusted Relationship

Command-Line Interface

Compiled HTML File

Component Object Model and Distributed COM

Control Panel Items

Dynamic Data Exchange

Execution through API

Execution through Module Load

Exploitation for Client Execution

Graphical User Interface

Local Job Scheduling

Service Execution

Signed Binary Proxy Execution

Signed Script Proxy Execution

Space after Filename

Third-party Software

Trusted Developer Utilities

Windows Management Instrumentation

Windows Remote Management

XSL Script Processing

.bash_profile and .bashrc

Accessibility Features

Account Manipulation

Application Shimming

Authentication Package

Browser Extensions

Change Default File Association

Component Firmware

Component Object Model Hijacking

DLL Search Order Hijacking

Dylib Hijacking

External Remote Services

File System Permissions Weakness

Hidden Files and Directories

Image File Execution Options Injection

Implant Container Image

Kernel Modules and Extensions

LC_LOAD_DYLIB Addition

Local Job Scheduling

Modify Existing Service

Netsh Helper DLL

Office Application Startup

Path Interception

Plist Modification

PowerShell Profile

Re-opened Applications

Redundant Access

Registry Run Keys / Startup Folder

Security Support Provider

Server Software Component

Service Registry Permissions Weakness

Setuid and Setgid

Shortcut Modification

SIP and Trust Provider Hijacking

System Firmware

Systemd Service

Windows Management Instrumentation Event Subscription

Winlogon Helper DLL

Privilege Escalation

Access Token Manipulation

Accessibility Features

Application Shimming

Bypass User Account Control

DLL Search Order Hijacking

Dylib Hijacking

Elevated Execution with Prompt

Exploitation for Privilege Escalation

Extra Window Memory Injection

File System Permissions Weakness

Image File Execution Options Injection

Parent PID Spoofing

Path Interception

Plist Modification

PowerShell Profile

Process Injection

Service Registry Permissions Weakness

Setuid and Setgid

SID-History Injection

Defense Evasion

Access Token Manipulation

Application Access Token

Bypass User Account Control

Clear Command History

Compile After Delivery

Compiled HTML File

Component Firmware

Component Object Model Hijacking

Connection Proxy

Control Panel Items

Deobfuscate/Decode Files or Information

Disabling Security Tools

DLL Search Order Hijacking

DLL Side-Loading

Execution Guardrails

Exploitation for Defense Evasion

Extra Window Memory Injection

File and Directory Permissions Modification

File System Logical Offsets

Gatekeeper Bypass

Group Policy Modification

Hidden Files and Directories

Image File Execution Options Injection

Indicator Blocking

Indicator Removal from Tools

Indicator Removal on Host

Indirect Command Execution

Install Root Certificate

LC_MAIN Hijacking

Modify Registry

Network Share Connection Removal

NTFS File Attributes

Obfuscated Files or Information

Parent PID Spoofing

Plist Modification

Process Doppelgänging

Process Hollowing

Process Injection

Redundant Access

Revert Cloud Instance

Signed Binary Proxy Execution

Signed Script Proxy Execution

SIP and Trust Provider Hijacking

Software Packing

Space after Filename

Template Injection

Trusted Developer Utilities

Unused/Unsupported Cloud Regions

Virtualization/Sandbox Evasion

Web Session Cookie

XSL Script Processing

Credential Access

Account Manipulation

Cloud Instance Metadata API

Credential Dumping

Credentials from Web Browsers

Credentials in Files

Credentials in Registry

Exploitation for Credential Access

Forced Authentication

LLMNR/NBT-NS Poisoning and Relay

Network Sniffing

Password Filter DLL

Securityd Memory

Steal Application Access Token

Steal Web Session Cookie

Two-Factor Authentication Interception

Account Discovery

Application Window Discovery

Browser Bookmark Discovery

Cloud Service Dashboard

Cloud Service Discovery

Domain Trust Discovery

File and Directory Discovery

Network Service Scanning

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery

Process Discovery

Remote System Discovery

Security Software Discovery

Software Discovery

System Information Discovery

System Network Configuration Discovery

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Application Access Token

Application Deployment Software

Component Object Model and Distributed COM

Exploitation of Remote Services

Internal Spearphishing

Pass the Ticket

Remote Desktop Protocol

Remote File Copy

Remote Services

Replication Through Removable Media

Taint Shared Content

Third-party Software

Web Session Cookie

Windows Admin Shares

Windows Remote Management

Automated Collection

Data from Cloud Storage Object

Data from Information Repositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Email Collection

Man in the Browser

Command and Control

Commonly Used Port

Communication Through Removable Media

Connection Proxy

Custom Command and Control Protocol

Custom Cryptographic Protocol

Data Obfuscation

Domain Fronting

Domain Generation Algorithms

Fallback Channels

Multi-hop Proxy

Multi-Stage Channels

Multiband Communication

Multilayer Encryption

Remote Access Tools

Remote File Copy

Standard Application Layer Protocol

Standard Cryptographic Protocol

Standard Non-Application Layer Protocol

Uncommonly Used Port

Automated Exfiltration

Data Compressed

Data Transfer Size Limits

Exfiltration Over Alternative Protocol

Exfiltration Over Command and Control Channel

Exfiltration Over Other Network Medium

Exfiltration Over Physical Medium

Scheduled Transfer

Transfer Data to Cloud Account

Account Access Removal

Data Destruction

Data Encrypted for Impact

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

Firmware Corruption

Inhibit System Recovery

Network Denial of Service

Resource Hijacking

Runtime Data Manipulation

Stored Data Manipulation

System Shutdown/Reboot

Transmitted Data Manipulation

Data from Network Shared Drive

Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration.

Adversaries may search network shares on computers they have compromised to find files of interest. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

ID: T1039

Tactic: Collection

Platform: Linux, macOS, Windows

System Requirements: Privileges to access network shared drive

Data Sources: File monitoring, Process monitoring, Process command-line parameters

Version: 1.0

Created: 31 May 2017

Last Modified: 17 October 2018

Procedure Examples

Name	Description
BADNEWS	When it first starts, BADNEWS crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.^[1]
BRONZE BUTLER	BRONZE BUTLER has exfiltrated files stolen from file shares.^[5]
CosmicDuke	CosmicDuke steals user files from network shared drives with file extensions and keywords that match a predefined list.^[2]
menuPass	menuPass has collected data from remote systems by mounting network shares with `net use` and using Robocopy to transfer data.^[3]
Sowbug	Sowbug extracted Word documents from a file server on a victim network.^[4]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References