Security Toolbox Forensics & Analysis Resources 27 - itnett/FTD02H-N GitHub Wiki

Here’s a comprehensive list of tools mapped to various stages of the MITRE ATT&CK framework. This mapping shows how different tools can be used throughout an investigation for each technique identified in the framework.


1. Initial Access (TA0001)

  • Exploitation of Public-Facing Applications (T1190):

    • Tool: Nmap (Scanning for vulnerabilities on public-facing applications)
    • Tool: Burp Suite (Testing and exploiting web vulnerabilities)
  • Drive-by Compromise (T1189):

    • Tool: ZAP (Web vulnerability scanner)

2. Execution (TA0002)

  • Command and Scripting Interpreter (T1059):

    • Tool: PowerShell Empire (Post-exploitation tool for Windows scripting and control)
    • Tool: Metasploit (Command execution and exploitation framework)
  • Exploitation for Client Execution (T1203):

    • Tool: Exploit Pack (Exploit vulnerability discovery and weaponization)

3. Persistence (TA0003)

  • Account Manipulation (T1098):

    • Tool: BloodHound (Maps Active Directory relationships and privilege paths, including those created by account manipulation)
    • Tool: Mimikatz (Credential and token extraction for persistence)
  • Boot or Logon Autostart Execution (T1547):

    • Tool: Autoruns (Windows persistence via autostart programs and scripts)

4. Privilege Escalation (TA0004)

  • Exploitation for Privilege Escalation (T1068):

    • Tool: WinPwnage (Privilege escalation tool targeting Windows)
  • Access Token Manipulation (T1134):

    • Tool: Incognito (Access token manipulation in Windows)

5. Defense Evasion (TA0005)

  • Obfuscated Files or Information (T1027):

    • Tool: Veil (Payload obfuscation and evasion)
    • Tool: Hyperion (PE crypter for obfuscation)
  • Indicator Removal on Host (T1070):

    • Tool: CCleaner (Clearing logs and temporary files)
    • Tool: LogCleaner (Remove log artifacts on Windows and Linux)

6. Credential Access (TA0006)

  • Credential Dumping (T1003):

    • Tool: Mimikatz (Extracting credentials from Windows)
    • Tool: LaZagne (Dumping credentials from browsers, Wi-Fi, databases)
  • Brute Force (T1110):

    • Tool: Hydra (Password brute forcing)

7. Discovery (TA0007)

  • Network Service Scanning (T1046):

    • Tool: Nmap (Port and service scanning)
    • Tool: Masscan (High-speed network scanner)
  • System Information Discovery (T1082):

    • Tool: SystemInfo (Built-in Windows tool; collects system details)
    • Tool: osquery (SQL-powered endpoint visibility)

8. Lateral Movement (TA0008)

  • Remote Services (T1021):

    • Tool: PsExec (Remote service execution)
    • Tool: CrackMapExec (Lateral movement within Windows networks)
  • Exploitation of Remote Services (T1210):

    • Tool: Metasploit (Exploiting services)

9. Collection (TA0009)

  • Data Staged (T1074):

    • Tool: Wireshark (Network data collection and inspection)
    • Tool: tcpdump (CLI packet capture and analysis)

10. Command and Control (TA0011)

  • Application Layer Protocol (T1071):

    • Tool: Cobalt Strike (Red team C2 framework)
    • Tool: Empire (C2 framework for post-exploitation)
  • Non-Standard Port (T1571):

    • Tool: Suricata (Intrusion detection for unusual port usage)

11. Exfiltration (TA0010)

  • Automated Exfiltration (T1020):

    • Tool: rclone (File transfer automation)
  • Data Compressed (T1002):

    • Tool: 7-Zip (File compression before exfiltration)

12. Impact (TA0040)

  • Data Encrypted for Impact (T1486):

    • Tool: GPG (Encrypting files to disrupt access)
  • Service Stop (T1489):

    • Tool: SC (Service Control) (Built-in Windows tool; stops Windows services for disruption)
    • Tool: KillDisk (Wipe and disable services for disruption)

Additional Tools

  • Threat Intelligence and Detection:

    • Splunk (SIEM and detection)
    • MISP (Malware Information Sharing Platform)

Forensic and Incident Response Tools

  • Memory Forensics (T1003, T1046, T1071)

    • Tool: Volatility (Memory forensics framework)
    • Tool: Rekall (Memory forensics framework)
  • Disk Forensics (T1070)

    • Tool: The Sleuth Kit (TSK) (Low-level forensic analysis)
    • Tool: Autopsy (GUI for The Sleuth Kit, used for disk forensic analysis)
  • Live Response (T1070, T1105)

    • Tool: GRR Rapid Response (Live forensics and incident response)
    • Tool: Velociraptor (Endpoint visibility and live response)

Digital Artifact Collection and Evidence Preservation

  • Artifact Collection (T1003, T1070, T1105)

    • Tool: Log2Timeline (plaso) (Creating forensic timelines from digital evidence)
    • Tool: Bulk Extractor (Forensic tool that scans disks and images for digital artifacts)

Network Forensics

  • Network Traffic Analysis (T1040)

    • Tool: Wireshark (Packet capture and network traffic analysis)
    • Tool: Zeek (formerly Bro) (Network analysis and monitoring framework)
  • Protocol Analysis (T1071.001)

    • Tool: tcpdump (Command-line packet capture tool)
    • Tool: Suricata (IDS/IPS for network protocol analysis)

Malware Analysis

  • Static Malware Analysis (T1071, T1105)

    • Tool: Binwalk (Firmware analysis and binary inspection)
    • Tool: Ghidra (Reverse engineering tool developed by NSA)
  • Dynamic Malware Analysis (T1105)

    • Tool: Cuckoo Sandbox (Automated malware analysis in sandbox environments)
    • Tool: Hybrid Analysis (Online service for dynamic malware analysis)

Web and URL Analysis

  • URL Reputation Checking (T1071)

    • Tool: VirusTotal (Multi-engine URL and file reputation service)
    • Tool: URLhaus (Check for known malicious URLs)
  • Webpage Snapshot and Inspection (T1071.001)

    • Tool: URL2PNG (Take a snapshot of a webpage for analysis)
    • Tool: Wayback Machine (Check for historical versions of a website)

Threat Intelligence Sharing and Collaboration

  • Threat Intelligence Platforms (T1071.001)

    • Tool: MISP (Malware Information Sharing Platform) (Platform for sharing threat intel and IOCs)
    • Tool: Open Threat Exchange (OTX) (Threat intelligence platform)

Exfiltration and Data Loss Prevention (DLP)

  • File Monitoring and Detection (T1074)

    • Tool: osquery (Monitor file and system state)
    • Tool: Splunk (Log monitoring and anomaly detection)
  • Data Compression Detection (T1002)

    • Tool: 7-Zip (Used for file compression, often by attackers)

Case Workflow Example Using These Tools

  1. Detection: Network anomalies are flagged by Suricata or Zeek, indicating possible exfiltration attempts or command-and-control communication on non-standard ports (MITRE ATT&CK T1571). URLs and IP addresses are captured for further investigation.

  2. URL/Domain Investigation: The URLs and IPs are analyzed in VirusTotal and URLhaus to check whether they are associated with known malware campaigns (MITRE ATT&CK T1071).

  3. Webpage Analysis: URL2PNG or the Wayback Machine is used to gather snapshots of the page at different times to determine whether the site has been compromised (MITRE ATT&CK T1071.001).

  4. Malware Analysis: If the site is distributing a malicious binary, it can be submitted to Hybrid Analysis or Cuckoo Sandbox to get a dynamic behavior analysis and see how it interacts with the operating system (MITRE ATT&CK T1105).

  5. Network Inspection: Wireshark or tcpdump captures and inspects network traffic to show how the malware communicates with the C2 server (MITRE ATT&CK T1071).

  6. Memory and Disk Forensics: Volatility (memory dumps) or Autopsy (disk images) is used to analyze residual artifacts (MITRE ATT&CK T1070).

  7. Threat Intelligence: Any new indicators (IPs, hashes, domains) are shared in MISP or OTX for the broader community to be aware of the new threat (MITRE ATT&CK T1020).
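The first, second and last steps of this workflow (Suricata flags non-standard port usage, indicators are pulled out for reputation checks, then shared as MISP attributes) can be scripted. The following is an added example written for this page, not code from the wiki or from the Suricata or MISP projects; the EVE JSON lines, the expected-port table and the hostname update-check.example are constructed for the example.

```python
import json

# Ports on which each Suricata-identified application protocol is expected
# in this environment (an assumption for the example; tune per network).
EXPECTED_PORTS = {"http": {80, 8080}, "tls": {443, 8443}, "dns": {53}, "ssh": {22}}

# Constructed EVE JSON lines in the shape Suricata writes to eve.json
# (flow and http events carry app_proto, dest_ip and dest_port).
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","dest_port":443,"app_proto":"tls"}
{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":4444,"app_proto":"http"}
{"timestamp":"2024-05-01T10:00:09.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":4444,"app_proto":"http","http":{"hostname":"update-check.example","url":"/gate.php"}}
{"timestamp":"2024-05-01T10:01:00.000000+0000","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"198.51.100.2","dest_port":53,"app_proto":"dns"}
"""

def parse_eve(text):
    """Yield one dict per non-empty EVE line; skip lines that are not valid JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated write during log rotation; keep triaging

def nonstandard_port_hits(records):
    """Return records whose app_proto runs on a port outside EXPECTED_PORTS (T1571)."""
    hits = []
    for rec in records:
        proto, port = rec.get("app_proto"), rec.get("dest_port")
        if proto in EXPECTED_PORTS and port not in EXPECTED_PORTS[proto]:
            hits.append(rec)
    return hits

def indicators_from_hits(hits):
    """Collect destination IPs, hostnames and URLs from flagged records as
    (MISP attribute type, value) pairs for the reputation and sharing steps."""
    attrs = set()
    for rec in hits:
        attrs.add(("ip-dst", rec["dest_ip"]))
        http = rec.get("http", {})
        if "hostname" in http:
            attrs.add(("hostname", http["hostname"]))
            attrs.add(("url", f'http://{http["hostname"]}:{rec["dest_port"]}{http.get("url", "/")}'))
    return sorted(attrs)

def triage(text=SAMPLE_EVE):
    """Run the detection over EVE text; return (flagged records, indicators)."""
    hits = nonstandard_port_hits(parse_eve(text))
    return hits, indicators_from_hits(hits)

if __name__ == "__main__":
    for kind, value in triage()[1]:
        print(f"{kind}: {value}")
```

The indicator pairs use MISP's attribute type names (ip-dst, hostname, url), so they can be submitted to a MISP event directly.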


By mapping these tools to each MITRE ATT&CK tactic and technique, you ensure a structured, comprehensive approach to identifying and mitigating cyber threats across various phases of an attack.