From 9b3e332bd8e87d95a107a36881913844e32dddc7 Mon Sep 17 00:00:00 2001
From: MARCOS SANCHEZ BAJO <100405823@alumnos.uc3m.es>
Date: Sat, 6 Nov 2021 14:49:42 +0100
Subject: [PATCH] Uploaded mitre att&ck diagram with some ideas
---
 figures/layer.json | 950 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 950 insertions(+)
 create mode 100644 figures/layer.json
diff --git a/figures/layer.json b/figures/layer.json
new file mode 100644
index 0000000..eb9efdf
--- /dev/null
+++ b/figures/layer.json
@@ -0,0 +1,950 @@ +{ + "name": "layer", + "versions": { + "attack": "10", + "navigator": "4.5.1", + "layer": "4.2" + }, + "domain": "enterprise-attack", + "description": "", + "filters": { + "platforms": [ + "Linux" + ] + }, + "sorting": 0, + "layout": { + "layout": "side", + "aggregateFunction": "average", + "showID": false, + "showName": true, + "showAggregateScores": false, + "countUnscored": false + }, + "hideDisabled": false, + "techniques": [ + { + "techniqueID": "T1098", + "tactic": "persistence", + "color": "#3182bd", + "comment": "https://github.com/pathtofile/bad-bpf#sudo-add\n\nhttps://www.youtube.com/watch?v=g6SKWT7sROQ", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1547", + "tactic": "persistence", + "color": "#e6550d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1547", + "tactic": "privilege-escalation", + "color": "#e6550d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1037", + "tactic": "persistence", + "color": "#3182bd", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1037", + "tactic": "privilege-escalation", + "color": "#3182bd", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1176", + "tactic": "persistence", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1059", + "tactic": "execution", + "color": "#e6d60d", + "comment": "We should have some kind of program deployer for the rootkit", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1554", + "tactic": "persistence", + "color": "#e6d60d", + "comment": "We can at the very least fake an account, we might be able to overwrite a program 
too(?)\n\nhttps://www.youtube.com/watch?v=g6SKWT7sROQ", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1136", + "tactic": "persistence", + "color": "#3182bd", + "comment": "We could try to modify an auth file but we would rather 'fake' its contents while being read by a process checking privileges", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1543", + "tactic": "persistence", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1543", + "tactic": "privilege-escalation", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1189", + "tactic": "initial-access", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1546", + "tactic": "privilege-escalation", + "color": "#e6d60d", + "comment": "uprobes, kprobes", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1546", + "tactic": "persistence", + "color": "#e6d60d", + "comment": "uprobes, kprobes", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1190", + "tactic": "initial-access", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1203", + "tactic": "execution", + "color": "#e6d60d", + "comment": "We might need to load a privileged ebpf without privileges. 
There exists https://github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1133", + "tactic": "persistence", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1133", + "tactic": "initial-access", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1200", + "tactic": "initial-access", + "color": "#e6550d", + "comment": "It may be fun to build a quick rubber ducky for deploying the program", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1106", + "tactic": "execution", + "color": "#e6550d", + "comment": "https://attack.mitre.org/techniques/T1106/ The part of dealing with defensive software may be applicable. https://www.youtube.com/watch?v=5zixNDolLrg Contains an example at the end", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1566", + "tactic": "initial-access", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1053", + "tactic": "execution", + "color": "#3182bd", + "comment": "Possible to modify data read from crontab or sshd. https://www.youtube.com/watch?v=5zixNDolLrg", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1053", + "tactic": "persistence", + "color": "#3182bd", + "comment": "Possible to modify data read from crontab or sshd. https://www.youtube.com/watch?v=5zixNDolLrg", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1053", + "tactic": "privilege-escalation", + "color": "#3182bd", + "comment": "Possible to modify data read from crontab or sshd. 
https://www.youtube.com/watch?v=5zixNDolLrg", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1072", + "tactic": "execution", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1072", + "tactic": "lateral-movement", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1195", + "tactic": "initial-access", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1199", + "tactic": "initial-access", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1204", + "tactic": "execution", + "color": "#e6d60d", + "comment": "We may rely on the user to start certain actions so that we can uprobe some function or kprobe syscalls", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1078", + "tactic": "defense-evasion", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1078", + "tactic": "persistence", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1078", + "tactic": "privilege-escalation", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1078", + "tactic": "initial-access", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1548", + "tactic": "privilege-escalation", + "color": "#3182bd", + "comment": "on sudo, we can fake an user having privileges", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1548", + 
"tactic": "defense-evasion", + "color": "#3182bd", + "comment": "on sudo, we can fake an user having privileges", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1087", + "tactic": "discovery", + "color": "#3182bd", + "comment": "we can read user memory when opening the /etc/passwd file", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1557", + "tactic": "credential-access", + "color": "#3182bd", + "comment": "Complete control over the network stack.", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1557", + "tactic": "collection", + "color": "#3182bd", + "comment": "Complete control over the network stack.", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1217", + "tactic": "discovery", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1110", + "tactic": "credential-access", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1555", + "tactic": "credential-access", + "color": "#e6d60d", + "comment": "Not stealing them, but hooking the user functions in charge of doing that and changing it by another fake additional user", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1140", + "tactic": "defense-evasion", + "color": "#e6550d", + "comment": "Difficult to say. 
Don't think it should be our focus either", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1611", + "tactic": "privilege-escalation", + "color": "#e6550d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1480", + "tactic": "defense-evasion", + "color": "#3182bd", + "comment": "When dealing with hooked functions and syscalls we should always check that the process we are hooking is the one we want, or otherwise we might break things (and be noisy about it)", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1212", + "tactic": "credential-access", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1211", + "tactic": "defense-evasion", + "color": "#3182bd", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1068", + "tactic": "privilege-escalation", + "color": "#e6d60d", + "comment": "https://github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490\nBut this shouldn't be our main focus", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1210", + "tactic": "lateral-movement", + "color": "#e6d60d", + "comment": "technically possible if we can first scan a host for a given vuln by sending packets crafted for that and then simulate a connection sending the paylaod. 
As seen in defcon this requires a external client which sends packets so that we can modify it (we cannot just craft them with ebpf)", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1083", + "tactic": "discovery", + "color": "#3182bd", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1222", + "tactic": "defense-evasion", + "color": "#e6d60d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1606", + "tactic": "credential-access", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1564", + "tactic": "defense-evasion", + "color": "#3182bd", + "comment": "We can hide a directory with the binaries we want via hooking getdents64\nhttps://embracethered.com/blog/posts/2021/offensive-bpf-libbpf-bpf_probe_write_user/", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1574", + "tactic": "persistence", + "color": "#e6550d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1574", + "tactic": "privilege-escalation", + "color": "#e6550d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1574", + "tactic": "defense-evasion", + "color": "#e6550d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1562", + "tactic": "defense-evasion", + "color": "#3182bd", + "comment": "We can study an specific defense (eg in the defcon rootkit they used a RASP) and see if we can reproduce that somehow", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1070", + "tactic": "defense-evasion", + "color": "#3182bd", + "comment": "We must fake the kernel buffer when someone reads it so 
that the warning messages shown during the bpf helper of writing to user space are not shown. ", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1056", + "tactic": "collection", + "color": "#e6d60d", + "comment": "i know there's a way to do it with lkm rootkits", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1056", + "tactic": "credential-access", + "color": "#e6d60d", + "comment": "i know there's a way to do it with lkm rootkits", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1534", + "tactic": "lateral-movement", + "color": "#e60d0d", + "comment": "not really smth we should focus on", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1570", + "tactic": "lateral-movement", + "color": "#e6d60d", + "comment": "We can try this if we find some host in the network with an open known service ", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1036", + "tactic": "defense-evasion", + "color": "#3182bd", + "comment": "although the techniques specified for this one on the webpage require research", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1556", + "tactic": "credential-access", + "color": "#e6d60d", + "comment": "we can hook some function of the process via uprobes and modify usr space in a favourable way, but requires some research.", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1556", + "tactic": "defense-evasion", + "color": "#e6d60d", + "comment": "we can hook some function of the process via uprobes and modify usr space in a favourable way, but requires some research.", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1556", + "tactic": "persistence", + "color": "#e6d60d", + "comment": "we can hook 
some function of the process via uprobes and modify usr space in a favourable way, but requires some research.", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1046", + "tactic": "discovery", + "color": "#e6550d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1135", + "tactic": "discovery", + "color": "#e6d60d", + "comment": "the majority of discovery is just hooking open calls and seeing what is going on in the system", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1040", + "tactic": "credential-access", + "color": "#3182bd", + "comment": "At least for a given host we can, but we might not be able to set promiscuous mode", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1040", + "tactic": "discovery", + "color": "#3182bd", + "comment": "At least for a given host we can, but we might not be able to set promiscuous mode", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1003", + "tactic": "credential-access", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1027", + "tactic": "defense-evasion", + "color": "#e60d0d", + "comment": "at least just with ebpf, if we use an userspace program additionally then we could", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1201", + "tactic": "discovery", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1069", + "tactic": "discovery", + "color": "#3182bd", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1542", + "tactic": "defense-evasion", + "color": "#e60d0d", + "comment": "requires additional non ebpf 
program", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1542", + "tactic": "persistence", + "color": "#e60d0d", + "comment": "requires additional non ebpf program", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1057", + "tactic": "discovery", + "color": "#3182bd", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1055", + "tactic": "defense-evasion", + "color": "#e6550d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1055", + "tactic": "privilege-escalation", + "color": "#e6550d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1620", + "tactic": "defense-evasion", + "color": "#e6550d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1563", + "tactic": "lateral-movement", + "color": "#3182bd", + "comment": "This is very interesting. 
If we have a running telnet connection for example, we may be able to modify the sent contents ", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1018", + "tactic": "discovery", + "color": "#3182bd", + "comment": "Passive scanning as seen in defcon, or research some other way", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1014", + "tactic": "defense-evasion", + "color": "#3182bd", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1505", + "tactic": "persistence", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1518", + "tactic": "discovery", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1539", + "tactic": "credential-access", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1558", + "tactic": "credential-access", + "color": "#e6550d", + "comment": "looks possible but needs research", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1553", + "tactic": "defense-evasion", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1082", + "tactic": "discovery", + "color": "#e6550d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1614", + "tactic": "discovery", + "color": "#e6550d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1016", + "tactic": "discovery", + "color": "#3182bd", + "comment": "we can control the network stack and infer data from there", + "enabled": true, + "metadata": [], + "showSubtechniques": false + 
}, + { + "techniqueID": "T1049", + "tactic": "discovery", + "color": "#3182bd", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1033", + "tactic": "discovery", + "color": "#3182bd", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1205", + "tactic": "defense-evasion", + "color": "#3182bd", + "comment": "The rootkit can filter packets and check if a specific magic string has been received, to which we react. We need to build a remote client for communication. C&C", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1205", + "tactic": "persistence", + "color": "#3182bd", + "comment": "The rootkit can filter packets and check if a specific magic string has been received, to which we react. We need to build a remote client for communication. C&C", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1205", + "tactic": "command-and-control", + "color": "#3182bd", + "comment": "The rootkit can filter packets and check if a specific magic string has been received, to which we react. We need to build a remote client for communication. 
C&C", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1111", + "tactic": "credential-access", + "color": "#e6550d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1552", + "tactic": "credential-access", + "color": "#e60d0d", + "comment": "", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1497", + "tactic": "defense-evasion", + "color": "#e6d60d", + "comment": "Escaping th eebpf virtual machine and go to kernel CVE-2021-3490, CVE-2021-3489", + "enabled": true, + "metadata": [], + "showSubtechniques": false + }, + { + "techniqueID": "T1497", + "tactic": "discovery", + "color": "#e6d60d", + "comment": "Escaping th eebpf virtual machine and go to kernel CVE-2021-3490, CVE-2021-3489", + "enabled": true, + "metadata": [], + "showSubtechniques": false + } + ], + "gradient": { + "colors": [ + "#ff6666", + "#ffe766", + "#8ec843" + ], + "minValue": 0, + "maxValue": 100 + }, + "legendItems": [ + { + "label": "Not applicable", + "color": "#e60d0d" + }, + { + "label": "Needs research / don't know if applicable", + "color": "#e6550d" + }, + { + "label": "Applicable / some hints on how to do it", + "color": "#e6d60d" + }, + { + "label": "Applicable and very interesting to do it", + "color": "#00ffff" + } + ], + "metadata": [], + "showTacticRowBackground": false, + "tacticRowBackground": "#dddddd", + "selectTechniquesAcrossTactics": true, + "selectSubtechniquesWithParent": false +} \ No newline at end of file