{"id":733,"date":"2020-09-16T12:54:00","date_gmt":"2020-09-16T12:54:00","guid":{"rendered":"http:\/\/blog.susp.io\/?p=733"},"modified":"2022-12-21T06:55:01","modified_gmt":"2022-12-21T06:55:01","slug":"mitre-attack","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/","title":{"rendered":"MITRE ATT&#038;CK: The Most Comprehensive Behavior Database"},"content":{"rendered":"\n<p>ANY.RUN community analyses an average of 6000 files and websites every day. That means that researchers submit 42,000 potentially malicious resources every week, 168,000 every month. And we are just one service. The variety and the sheer number of attack groups and malicious tools today are incredible.<br><\/p>\n\n\n\n<p>Danger can come in so many shapes and forms that absolutely nobody \u2014 not even the most prepared and well equipped of cybersecurity teams \u2014 can categorize and learn the behavior of each threat. That\u2019s a problem. We all know the most effective way of protecting against an attack: learning the threat\u2019s behavior.<br><\/p>\n\n\n\n<p>Enter the ATT&amp;CK framework by MITRE. It came up with ATT&amp;CK all the way back in 2003 to help the cybersecurity industry overcome the seemingly impossible challenge of learning the behavior of hundreds of malware samples. Since then, the framework became a staple in cybersecurity.&nbsp;<br><\/p>\n\n\n\n<p>MITRE created a common classification for malicious behaviors and the most comprehensive database of adverse techniques on the planet. So, let\u2019s talk about the MITRE ATT&amp;CK framework and why you, as a malware hunter, should start using it today.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is the Mitre ATT&amp;CK Framework?<\/h2>\n\n\n\n<p>MITRE ATT&amp;CK is a constantly updated database of adversary tactics and techniques. 
The framework looks like a spreadsheet with columns corresponding to attack stages, from initial access to impact, and rows corresponding to techniques.<br><\/p>\n\n\n\n<p>Each technique is a description of malware behavior derived from real-world recordings of previous attacks: the information in the MITRE framework represents years of experience and observations, collected, categorized, and described in a single place. Researchers can readily apply the knowledge gained by studying the MITRE ATT&amp;CK table since it reflects real-world malware behavior.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to use MITRE ATT&amp;CK to benefit the cybersecurity of your organization?<\/h2>\n\n\n\n<p>There are many ways to use the framework. These are some of the most common:&nbsp;<br><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Behavioral analytics: when executing, a malicious program generates files, establishes connections, and alters processes. These actions are traceable and can help identify an ongoing attack, aid during analysis, or inform a cybersecurity strategy to protect against known malware strains. 
With MITRE ATT&amp;CK, researchers can study the behavior of any known malware, which is greatly beneficial.&nbsp;<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Attack group identification: MITRE ATT&amp;CK connects techniques with attack groups. Some attack groups focus on particular industries, so analysts can identify the threats that pose the most danger to their business, depending on the field, and develop custom-tailored defenses and response strategies.&nbsp;<\/li><\/ul>\n\n\n\n<ul class=\"wp-block-list\"><li>Defense evaluation: by learning which malware is likely to attack their business and what processes it is going to spawn, analysts can evaluate how effective their countermeasures will be without putting themselves into any kind of danger.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">How to Use the MITRE ATT&amp;CK Framework in ANY.RUN?<\/h2>\n\n\n\n<p>MITRE ATT&amp;CK makes it much easier to understand how a particular malware sample functions. In ANY.RUN, you can bring up the ATT&amp;CK matrix for any given sample to study its behavior.<br><\/p>\n\n\n\n<p>What\u2019s more, you can click on any technique to bring up a detailed explanation.<br><\/p>\n\n\n\n<p>Let\u2019s say we are analyzing one of the most active malware strains out there \u2014 <a href=\"https:\/\/any.run\/malware-trends\/agenttesla\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Agent Tesla<\/a>.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/mitre1-1-1-1024x525.png\" alt=\"mitre attack\" class=\"wp-image-770\"\/><\/figure>\n\n\n\n<p>Clicking on the \u201cATT&amp;CK Matrix\u201d button will bring up the framework.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/mitre2-1024x528.png\" alt=\"mitre attack\" 
class=\"wp-image-769\"\/><\/figure>\n\n\n\n<p>Here, you will be able to see the documented techniques associated with this malware.<br><\/p>\n\n\n\n<p>Clicking on a technique will bring up the expanded description, process ID, and name. You can go even further by clicking on the indicator: this will bring up additional details, such as registry keys and the command-line input.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/mitre3-1024x793.png\" alt=\"Mitre attack \" class=\"wp-image-771\"\/><\/figure>\n\n\n\n<p>The arrows at the bottom switch between events if there was more than one of them.<br><\/p>\n\n\n\n<p>But what if you want to see all techniques, not just those related to a particular sample? That\u2019s easy enough: just use the \u201cShow all tactics\u201d checkbox at the top-right of the screen.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/mitre4-1024x527.png\" alt=\"mitre attack\" class=\"wp-image-772\"\/><\/figure>\n\n\n\n<p>Techniques related to the reviewed malware will be highlighted on the screen.<br><\/p>\n\n\n\n<p>You can also search for other malware that uses the same attack techniques as the sample you were viewing.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/mitre5-1-1-1024x523.png\" alt=\"public submissions\" class=\"wp-image-773\"\/><\/figure>\n\n\n\n<p>To do so, just copy and paste the MITRE ID into the ATT&amp;CK field on the <a href=\"https:\/\/app.any.run\/submissions\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-house&amp;utm_content=mitre_attack\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">public submissions<\/a> page. 
This function is useful for learning how attackers use any given technique across different malware strains.<br><\/p>\n\n\n\n<p>There are a few ways to use the search function. Netwalker ransomware uses the \u201cVisual C# command-line compiler\u201d. By filtering with the corresponding MITRE ATT&amp;CK ID, we can find a particular malware type.<br><\/p>\n\n\n\n<p>Or, if we are looking at Masslogger, we notice a technique called \u201cEmail collection\u201d, with the MITRE ID T1114. If we search with this ID, we can find other malware that can steal sensitive information from emails.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>The MITRE ATT&amp;CK framework is one of the most robust tools in the arsenal of a cybersecurity professional. It can be used to learn about the behavior of countless malware strains and can help incorporate that knowledge into the defenses of a business.&nbsp;<br><\/p>\n\n\n\n<p>The framework is also a great way for beginner malware hunters to learn about malware behavior: it provides context and allows searching for malware with the same functions and techniques.<br><\/p>\n\n\n\n<p>Hopefully, this article gave you an idea of how to use MITRE ATT&amp;CK in conjunction with <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-house&amp;utm_content=mitre_attack\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">ANY.RUN<\/a> public submissions. Together, these two tools allow researchers of any experience level to quickly and efficiently find particular malware samples, or learn about new strains with similar behavior or capabilities.<br><\/p>\n\n\n\n<p>If you haven\u2019t used MITRE ATT&amp;CK before, make sure you give it a try!&nbsp;<br><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ANY.RUN community analyses an average of 6000 files and websites every day. 
That means that researchers submit 42,000 potentially malicious resources every week, 168,000 every month. And we are just one service. The variety and the sheer number of attack groups and malicious tools today are incredible. Danger can come in so many shapes and [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":3145,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,8],"tags":[34,40,41],"class_list":["post-733","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-instructions","category-malware-analysis","tag-malware-analysis","tag-malware-behavior","tag-mitre-attck"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Using MITRE ATT&amp;CK - ANY.RUN Blog<\/title>\n<meta name=\"description\" content=\"MITRE ATT&amp;CK is a database of adversary tactics and techniques of malware attacks. Let&#039;s look at how to use it and how it can be useful for analysis.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"MITRE ATT&#038;CK: The Most Comprehensive Behavior Database\",\"datePublished\":\"2020-09-16T12:54:00+00:00\",\"dateModified\":\"2022-12-21T06:55:01+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/\"},\"wordCount\":952,\"commentCount\":3,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"malware analysis\",\"malware behavior\",\"MITRE ATT&amp;CK\"],\"articleSection\":[\"Instructions on ANY.RUN\",\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/\",\"name\":\"Using MITRE ATT&CK - ANY.RUN Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2020-09-16T12:54:00+00:00\",\"dateModified\":\"2022-12-21T06:55:01+00:00\",\"description\":\"MITRE ATT&CK is a database of adversary tactics and techniques of malware attacks. 
Let's look at how to use it and how it can be useful for analysis.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Guest Posts\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/guest-posts\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"MITRE ATT&#038;CK: The Most Comprehensive Behavior Database\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Using MITRE ATT&CK - ANY.RUN Blog","description":"MITRE ATT&CK is a database of adversary tactics and techniques of malware attacks. Let's look at how to use it and how it can be useful for analysis.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"MITRE ATT&#038;CK: The Most Comprehensive Behavior Database","datePublished":"2020-09-16T12:54:00+00:00","dateModified":"2022-12-21T06:55:01+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/"},"wordCount":952,"commentCount":3,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["malware analysis","malware behavior","MITRE ATT&amp;CK"],"articleSection":["Instructions on ANY.RUN","Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/","url":"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/","name":"Using MITRE ATT&CK - ANY.RUN Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2020-09-16T12:54:00+00:00","dateModified":"2022-12-21T06:55:01+00:00","description":"MITRE ATT&CK is a database of adversary tactics and techniques of malware attacks. 
Let's look at how to use it and how it can be useful for analysis.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Guest Posts","item":"https:\/\/any.run\/cybersecurity-blog\/category\/guest-posts\/"},{"@type":"ListItem","position":3,"name":"MITRE ATT&#038;CK: The Most Comprehensive Behavior Database"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/733"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=733"}],"version-history":[{"count":1,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/733\/revisions"}],"predecessor-version":[{"id":3807,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/733\/revisions\/3807"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/3145"}],"wp:a
ttachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=733"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}