How Traffic Analysis Systems Detect Hacker Tactics by MITRE ATT&CK, Part 4



In previous posts (first, second and third parts), we examined the techniques of seven MITRE ATT&CK tactics:

  • initial access;
  • execution;
  • persistence;
  • privilege escalation;
  • defense evasion;
  • credential access;
  • discovery.

We also showed how our NTA solution can be used to recognize suspicious activity in network traffic. In this post we show how our technology handles lateral movement and collection techniques.

Lateral movement (movement within the perimeter)


Attackers use lateral movement techniques to gain access to and control of remote systems on the network, install malware on them, and gradually expand their presence in the infrastructure. Their main goal is to identify the network's administrators, their workstations, key assets and data, so as ultimately to gain full control over the infrastructure.
Below are the nine lateral movement techniques that can be detected by analyzing traffic.

1. T1175: Component Object Model and Distributed COM


Using COM or DCOM to execute code on local or remote systems while moving through the network.

What PT Network Attack Discovery (PT NAD) does: when DCOM is used to reach remote systems, the calls travel over MSRPC and are therefore visible in traffic. PT NAD detects the suspicious DCOM calls that attackers typically use to advance through the network.

2. T1210: Exploitation of Remote Services


Exploiting vulnerabilities in network services to move through the network.

What PT NAD does: it detects exploitation of common vulnerabilities, among them vulnerabilities in SMB (MS17-010) and the Print System Remote Protocol (MS-RPRN), in the Redis DBMS, and in the rConfig network device configuration system.

3. T1075: Pass the Hash


A method of authenticating as a user without knowing the cleartext password. Attackers skip the standard authentication steps that require the password and go straight to the part of the exchange that uses the password hash (NTLM). The hashes are obtained beforehand using credential access techniques.

What PT NAD does: it detects various network-level signs of the Mimikatz tool, which attackers use for overpass the hash (an extension of pass the hash in which the NTLM hash is used to obtain a Kerberos ticket).

4. T1097: Pass the Ticket


A method of authenticating to a system with Kerberos tickets, without access to the account password. Attackers can use it as the first step of lateral movement to a remote system.

What PT NAD does: it detects the preparatory stage of pass the ticket by revealing the transfer of files containing exported Kerberos tickets (for example, .kirbi files written by Mimikatz) over the network.
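A file carrying an exported ticket is recognizable by its content, not only by its name, which matters because an attacker can rename ticket.kirbi to anything. The following script is an added example, not PT NAD's rule logic: it classifies a transferred file body as a DER-encoded KRB-CRED message (the .kirbi format, [APPLICATION 22] with pvno 5 and msg-type 22) or as an MIT credential cache (ccache, header byte 0x05 followed by version 3 or 4). The sample byte strings are constructed for the example; the minimal KRB-CRED shell has empty tickets and enc-part fields, where a real export would carry a full Ticket and EncKrbCredPart.

```python
# Added example (not PT NAD code): identify exported Kerberos tickets in file
# contents carried over the network, independent of file name.
# Formats checked:
#   * KRB-CRED (the .kirbi format Mimikatz writes): DER, [APPLICATION 22],
#     containing pvno = 5 and msg-type = 22 (RFC 4120, section 5.8.1).
#   * MIT credential cache (ccache): starts with 0x05 and a version byte 3 or 4.
# The sample byte strings at the bottom are constructed for this example.

from typing import Iterator, Optional, Tuple


def der_tlv(buf: bytes, off: int) -> Tuple[int, int, int]:
    """Parse one DER tag-length-value starting at `off`.

    Returns (tag, value_start, value_end). Handles one-byte tags and
    short/long-form lengths; raises ValueError on truncated or odd input.
    """
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[off]
    first = buf[off + 1]
    pos = off + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, pos, pos + length


def der_children(buf: bytes, start: int, end: int) -> Iterator[Tuple[int, int, int]]:
    """Yield (tag, value_start, value_end) for each TLV inside buf[start:end]."""
    off = start
    while off < end:
        tag, vstart, vend = der_tlv(buf, off)
        yield tag, vstart, vend
        off = vend


def is_krb_cred(data: bytes) -> bool:
    """True if `data` is a DER KRB-CRED message: [APPLICATION 22] SEQUENCE
    whose [0] pvno is 5 and whose [1] msg-type is 22."""
    try:
        tag, vs, ve = der_tlv(data, 0)
        if tag != 0x76:               # [APPLICATION 22], constructed
            return False
        seq_tag, ss, se = der_tlv(data, vs)
        if seq_tag != 0x30:           # SEQUENCE
            return False
        fields = {}
        for ctag, cs, ce in der_children(data, ss, se):
            if ctag in (0xA0, 0xA1):  # explicit tags [0] pvno and [1] msg-type
                itag, istart, iend = der_tlv(data, cs)
                if itag != 0x02:      # INTEGER
                    return False
                fields[ctag] = int.from_bytes(data[istart:iend], "big")
        return fields.get(0xA0) == 5 and fields.get(0xA1) == 22
    except ValueError:
        return False


def is_ccache(data: bytes) -> bool:
    """True if `data` starts with an MIT ccache file header (format version 3 or 4)."""
    return len(data) >= 2 and data[0] == 0x05 and data[1] in (0x03, 0x04)


def classify_ticket_file(data: bytes) -> Optional[str]:
    """Return a label for a Kerberos ticket container, or None if it is not one."""
    if is_krb_cred(data):
        return "KRB-CRED (.kirbi)"
    if is_ccache(data):
        return "MIT ccache"
    return None


# Constructed samples. The KRB-CRED is a minimal shell: pvno 5, msg-type 22,
# empty tickets and enc-part. A real .kirbi carries a full Ticket and EncKrbCredPart.
SAMPLE_KIRBI = bytes.fromhex("7614" "3012" "a003020105" "a103020116" "a2023000" "a3023000")
SAMPLE_CCACHE = b"\x05\x04\x00\x0c\x00\x01\x00\x08" + b"\x00" * 8
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n"

if __name__ == "__main__":
    for name, blob in [("ticket.kirbi", SAMPLE_KIRBI), ("krb5cc_1000", SAMPLE_CCACHE), ("logo.png", SAMPLE_PNG)]:
        print(f"{name}: {classify_ticket_file(blob)}")
```

Tickets are often moved as base64 text rather than raw bytes; decode such blobs before handing them to classify_ticket_file. A truncated or tampered structure (wrong msg-type, length running past the buffer) is rejected rather than raising, so the check is safe to run over every transferred file.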

5. T1076: Remote Desktop Protocol


A technique by which attackers access a remote system over the Remote Desktop Protocol (RDP), provided RDP is enabled on the network and the attackers hold credentials of a user allowed to connect to that computer.

What PT NAD does: PT NAD lets you filter all stored sessions by protocol (for example, RDP) and examine each suspicious one. This is useful both in incident investigation and in proactive threat hunting.

6. T1021: Remote Services


Using valid accounts to log in to a service designed to accept remote connections, such as Telnet, SSH or VNC. The attacker can then act on the remote system as the logged-in user.

What PT NAD does: it automatically detects VNC connections and the activity of the EvilVNC trojan, which covertly installs a VNC server on the victim's host and starts it automatically. To verify that SSH and Telnet connections are legitimate, PT NAD users can filter all sessions over those protocols and examine each suspicious one.

7. T1072: Third-party Software


A technique in which attackers gain access to network administration software (third-party tools and software deployment systems) and use it to run malicious code. Examples of such software: SCCM, VNC, HBSS, Altiris. Having gained access to such a system, the adversary can run code remotely on every host managed by the deployment, monitoring or administration system.

What PT NAD does: it automatically detects the operation of such software on the network. For example, rules fire on VNC connections and on the activity of the EvilVNC trojan described under T1021, which covertly installs a VNC server on the victim's host and starts it automatically.

8. T1077: Windows Admin Shares


Using hidden network shares that are accessible only to administrators, for example C$, ADMIN$ and IPC$. They allow files to be copied to and from the remote system and other administrative actions to be performed.

What PT NAD does: a detection example.

PT NAD detected remote command execution through the Service Control Manager (SCM). The SCM RPC interface is reached through the svcctl named pipe on the IPC$ share, so this is possible only with access to the Windows administrative shares.



Detection of the T1077 technique: Windows Admin Shares

Opening the session shows that the rule for the Impacket tool fired. Impacket uses network access to the C$ share to retrieve the results of command execution.



Session card showing files downloaded from the administrative network share
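The chain behind that finding can be stated as a correlation over SMB events from one client to one server: a tree connect to IPC$ and an open of the svcctl named pipe (SCM over MSRPC), followed shortly by a read or write on an administrative share that carries the command output (Impacket's smbexec.py uses the C$ share and a file named __output by default). The script below is an added example, not PT NAD's rule set; the event records and their field names are constructed for it, as a simplified stand-in for what an NTA sensor extracts from SMB2 traffic. It also shows the check a practitioner wants beside the rule: an allowlist of hosts that legitimately use administrative shares (backup or deployment servers), so that a plain C$ copy without any SCM activity is reported at lower severity or not at all.

```python
# Added example (not PT NAD's rules): correlate SMB events into the pattern of
# remote execution via the Service Control Manager (SCM). SCM is reached over
# MSRPC through the svcctl named pipe on IPC$, and the output of the executed
# command comes back through an administrative share (Impacket's smbexec.py
# defaults to C$ and a file named __output). Event records below are constructed
# for this example; the field names are this script's own.

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

ADMIN_SHARES = {"C$", "ADMIN$"}
SCM_PIPE = "svcctl"


@dataclass
class Finding:
    src: str
    dst: str
    technique: str
    severity: str
    evidence: List[str] = field(default_factory=list)


def detect(events: List[Dict], window: float = 60.0,
           admin_hosts: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Raise findings per (client, server) pair.

    high:   svcctl pipe opened, then a file read or written on an administrative
            share within `window` seconds (SCM-based remote execution pattern).
    medium: administrative share used by a host not listed in `admin_hosts`.
    """
    by_pair: Dict[Tuple[str, str], List[Dict]] = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev)

    findings: List[Finding] = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        pipe_ts: Optional[float] = None
        admin_connects: List[str] = []
        exec_evidence: List[str] = []
        for ev in evs:
            op = ev["op"]
            if op == "tree_connect" and ev["share"].upper() in ADMIN_SHARES:
                admin_connects.append(f"tree connect to {ev['share']} at {ev['ts']}")
            elif op == "pipe_open" and ev["name"].lower() == SCM_PIPE:
                pipe_ts = ev["ts"]
            elif op in ("file_read", "file_write") and ev["share"].upper() in ADMIN_SHARES:
                if pipe_ts is not None and 0 <= ev["ts"] - pipe_ts <= window:
                    exec_evidence.append(
                        f"{op} {ev['share']}{ev['path']} {ev['ts'] - pipe_ts:.1f}s after svcctl open")
        if exec_evidence:
            findings.append(Finding(src, dst, "T1077 + remote execution via SCM", "high",
                                    admin_connects + [f"svcctl pipe opened at {pipe_ts}"] + exec_evidence))
        elif admin_connects and src not in admin_hosts:
            findings.append(Finding(src, dst, "T1077 administrative share access", "medium", admin_connects))
    return findings


# Constructed sample: one smbexec-style chain, one backup host copying from C$
# without touching SCM, and one ordinary user reading a normal share.
SAMPLE_EVENTS = [
    {"ts": 100.0, "src": "10.0.5.17", "dst": "10.0.1.20", "op": "tree_connect", "share": "IPC$"},
    {"ts": 100.2, "src": "10.0.5.17", "dst": "10.0.1.20", "op": "pipe_open", "name": "svcctl"},
    {"ts": 100.9, "src": "10.0.5.17", "dst": "10.0.1.20", "op": "tree_connect", "share": "C$"},
    {"ts": 101.5, "src": "10.0.5.17", "dst": "10.0.1.20", "op": "file_read", "share": "C$", "path": "\\__output"},
    {"ts": 200.0, "src": "10.0.9.5", "dst": "10.0.1.20", "op": "tree_connect", "share": "C$"},
    {"ts": 200.4, "src": "10.0.9.5", "dst": "10.0.1.20", "op": "file_read", "share": "C$",
     "path": "\\Users\\alice\\report.docx"},
    {"ts": 300.0, "src": "10.0.5.30", "dst": "10.0.1.21", "op": "tree_connect", "share": "Finance"},
    {"ts": 300.2, "src": "10.0.5.30", "dst": "10.0.1.21", "op": "file_read", "share": "Finance", "path": "\\Q1.xlsx"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, admin_hosts=frozenset({"10.0.9.5"})):
        print(f"[{f.severity}] {f.src} -> {f.dst}: {f.technique}")
        for line in f.evidence:
            print("   ", line)
```

The high-severity rule keys on the sequence (svcctl, then admin-share file activity) rather than on the file name, because the output file name is a tool default that is trivially changed; the allowlist only suppresses the medium-severity share-access finding, never the execution chain.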

9. T1028: Windows Remote Management


Using the Windows service and protocol (WinRM) that lets a user interact with remote systems.

What PT NAD does: it sees network connections established over Windows Remote Management (WS-Management over HTTP or HTTPS, by default on TCP ports 5985 and 5986). Such sessions are detected automatically by rules.

Data collection


Attackers use collection techniques to gather the information they then plan to steal using exfiltration techniques. Typical data sources include various kinds of drives, browsers, audio, video and email.

Traffic analysis can reveal the use of two collection techniques on the network.

1. T1039: Data from Network Shared Drive


Collecting data from remote systems via shared network drives.

What PT NAD does: a detection example.

File transfers from network drives are visible in traffic, and file transfer sessions can be examined in detail in PT NAD.

Let's test the hypothesis that the attackers used T1039 and gained access to the file server of the company's finance department. To do this, we filter all sessions by the IP address of the file server and find among them the connections in which files were downloaded. Opening the card of one such session, we see that the file TopSecretReport_2020 was downloaded.



After downloading the file and examining it, we know exactly what information the attackers managed to take.

2. T1185: Man in the Browser


A technique in which an attacker exploits a vulnerability in the victim's browser to alter web content and intercept information. For example, the attacker injects software into the browser that can intercept cookies, HTTP sessions and client SSL certificates, and then uses the browser to authenticate to the intranet and reach it.

What PT NAD does: it automatically detects man-in-the-browser attacks based on the injection of malicious scripts into downloaded web pages. PT NAD detects such attacks in two ways: by compromised certificates previously used in such attacks, and by the characteristic network activity of malware that injects code into the browser (for example, Zeus).

Instead of a conclusion


We remind you that the full mapping of PT NAD to the MITRE ATT&CK matrix is published on Habr.

In the following articles we will cover other attacker tactics and techniques and how the PT Network Attack Discovery NTA system helps to identify them. Stay with us!

Authors:

  • Anton Kutepov, Specialist, PT Expert Security Center Positive Technologies
  • Natalia Kazankova, Product Marketer, Positive Technologies
