MITRE ATT&CK(https://attack.mitre.org) is a pre-defined framework  that categorises existing adversary techniques. The MITRE organisation puts a lot of effort in mapping commonly seen adversarial TTPs to log sources required for detection, phase of execution and potential actor usage. To validate MITRE coverage I developed RE:TERNAL as a MITRE-based command and control framework.

A lot of blue teams currently use MITRE to validate their detection capabilities. In many cases this is still a papercase exercise: organisations will map their log sources to the MITRE model and cross-check what techniques can be theoretically be detected. This would provide an organisation with an initial overview of  detection coverage without having to actually execute and/or hire a red team. Ruben Bouman and Marcus Bakker recently released DeTTACT (https://github.com/rabobank-cdc/DeTTACT) that does this mapping automatically for you based on available log sources.

However,  technical verification of the MITRE technique coverage is still missing. Hiring a red team is often not needed to verify a single technique within a phase. To cover this aspect I developed a Command and Control framework called RE:TERNAL (https://github.com/d3vzer0/reternal-quickstart) that implements MITRE models to execute techniques on hosts within a network.

Note: The framework is very much WIP. Be careful when testing and do not deploy and/or run in a production environment yet.

Reternal uses agents installed on endpoints that communicate back to a central command and control server. The agent is written in Go and compiles to Linux, OSX and Windows binaries. Using a custom WebApp, operators can prepare so called 'recipes' that exist out of pre-defined tasks mapped to MITRE techniques and actors. The operator can schedule these recipes at specific times, issue timeouts between execution and  schedule recipes to directly and only be executed when an agent comes online for the first time.

Reternal includes several mapped techniques based on the Uber Metta project (https://github.com/uber-common/metta). The original format of Metta doesn't work anymore since I made small adjustments to the format for flexibility.

The video below displays shows a short intro how the recipe building process works.

After browsing the commands corresponding to the ATTCK technique or actor TTP, the operator can add the entire list of commands to a recipe using the corresponding button. Recipes can contain an entire flow of commands and techniques. This means you can add a techniques based on different phases in the MITRE model and execute them in the apropriate order simulating a full-scoped attack scenario.

Simply said, the mapped techniques are a combination of individual built-in tasks that are mapped to MITRE. For now, there are five default tasks that can be used to map existing techniques. These will be extended later in time to also support pivotting, keyloggers, persistence techniques etc etc. The currently implemented tasks are:

  • exec_shell: perform command on CLI/Cmd
  • make_screenshot: Uses OS API to create a screenshot
  • download_remote: Download remote file over HTTP from agent
  • get_ifaces: Returns all interfaces from host
  • read_file: Reads a file from the agent and returns it to the CnC

The mapping to MITRE can be done by creating a file on the reternal-mitre repository. These are automatically imported during setup. The format works as follows

# Redesigned format of METTA for Reternal

name: Bitsadmin Download/Exfil Examples
author: cg
description: bitsadmin download a file.
reference: http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
mitre_technique:
  id: T1011
  platform: Windows
commands:
- input: bitsadmin /transfer systemrepair /download /priority normal http://127.0.0.1/file.txt
    c:\windows\temp\file.txt
  sleep: 1
  type: exec_shell

The most important aspect the the mitre_technique.id and commands.type field. The MITRE ID should correspond to the technique your mapping relates to. The commands type should refer to one of the built-in reternal commands.

Your mapped technique will automatically be mapped to a specific actor. Next to mapping these techniques, the built-in commands can also be executed manually without having the use the MITRE model.

When a recipe has been built, you can drag and drop the specific tasks to change the order of execution. When finalized, select all the agents your recipe should run on and press the play button at the navigation bar to schedule the execution date. Your scheduled tasks/recipes are directly mapped to an embedded MITRE ATTCK navigator afterwards.

Automated API mapping to the embedded Navigator

If you're excited to test it out and contribute, be sure to check out the quickstart repository. This is my first announcement about the subject and framework but I'm hoping this will enspire others to promote validation of monitoring capalities and threat hunting within other organisations. I'll be sure to create more posts about the framework in the future about new features, ways of working and other relevant topics.

Screenshot of the included terminal