CISA’s Cybersecurity Advisory AA24-193A documents the SILENTSHIELD red-team operation against a Federal Civilian Executive Branch organization, illustrating a long-term, state-sponsored attack simulation and the TTPs used. AttackIQ released templates that map these behaviors to MITRE techniques for both Windows and Unix/Linux to help validate defense-in-depth and detection capabilities.
#SILENTSHIELD #AA24-193A
Keypoints
- CCE: CISA released AA24-193A detailing the SILENTSHIELD red-team operation against a Federal Civilian Executive Branch organization.
- Duration and scope: Eight-month exercise in 2023 simulating a long-term, state-sponsored adversary with both Windows and Unix/Linux playbooks.
- Initial access: Gained entry via an unpatched web server vulnerability and via phishing to reach the Windows environment.
- Defense-in-depth emphasis: AttackIQ templates help validate security controls, detections, and responses across Windows and Unix/Linux.
- Structured tactics: The assessment template covers Persistence, Privilege Escalation, Defense Evasion, Discovery, Lateral Movement, and Command & Control.
- Representative techniques: Includes Registry Run Keys, Scheduled Tasks, Windows Services, Pass-the-Ticket/Pass-the-Hash, RDP/SSH, system/file/process discovery, and the use of credential dumping tools like Mimikatz.
- Mitigation focus: Prioritize patching, run-key monitoring, and SIEM/EDR detections to identify unauthorized startup, credential abuse, and lateral movement patterns.
MITRE Techniques
- [T1053.005] Scheduled Task – ‘This scenario attempts to create a new scheduled task for persistence using the schtasks utility.’
- [T1547.001] Registry Run Keys – ‘This scenario acquires persistence by setting the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key that Windows uses to identify what applications should be run at system startup.’
- [T1543.003] Windows Service – ‘This scenario leverages the native sc command line tool to create a new service and performs a query in order to verify if the service was correctly created.’
- [T1134] Access Token Manipulation – ‘This scenario lists active access tokens that could be impersonated by another process.’
- [T1036.003] Masquerading – ‘This scenario copies powershell.exe, renames it to notepad.exe to bypass detection and executes the whoami command.’
- [T1007] System Service Discovery – ‘This scenario executes sc, Get-Service, net start or tasklist /svc commands to query all running Windows services.’
- [T1057] Process Discovery – ‘This scenario enumerates processes running on the target asset through the tasklist Windows utility.’
- [T1083] File and Directory Discovery – ‘This scenario executes the dir command to discover files and directories.’
- [T1550.003] Pass the Ticket – ‘This scenario simulates a Pass the Ticket (PtT) attack by dumping Kerberos tickets using Mimikatz and injecting them into the current session to simulate a logon.’
- [T1550.002] Pass the Hash – ‘This scenario simulates a Pass the Hash attack (PtH) using dumped credentials from Mimikatz.’
- [T1021.001] Remote Desktop Protocol – ‘This scenario attempts to move laterally within a network using the Remote Desktop Protocol (RDP) protocol.’
- [T1021.004] SSH – ‘This scenario attempts to open a remote shell and execute commands on target computers using the Secure Shell (SSH) protocol.’
- [T1053.003] Cron – ‘This scenario uses the cron utility to schedule commands for initial or recurring execution.’
- [T1070.006] Timestomp – ‘This scenario simulates the timestomp technique by creating a temporary file and modifying the file’s timestamp with a Bash script.’
- [T1222.002] Linux/Mac File and Directory Permissions Modification – ‘This scenario executes the chmod command to change permissions on a specified file or directory.’
- [T1003.007] Proc Filesystem – ‘This scenario aims to extract passwords stored in the memory of running processes on a Linux system through the /proc file system.’
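The "run-key monitoring and SIEM/EDR detections" mitigation above, worked through for four of the Windows techniques in the list (Run key, schtasks, sc create, renamed powershell.exe). This is an added example, not AttackIQ's or CISA's code: the event shape follows Sysmon Event ID 1 (process create) and ID 13 (registry value set), and the sample events are constructed, not taken from the advisory.

```python
import re

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# Rules keyed by the MITRE technique the page lists; each predicate looks at
# one Sysmon-style event (ID 1 = process create, ID 13 = registry value set).
RULES = [
    ("T1547.001", "Registry Run key written",
     lambda e: e["EventID"] == 13
     and e["TargetObject"].lower().startswith(RUN_KEY.lower())),
    ("T1053.005", "Scheduled task created with schtasks",
     lambda e: e["EventID"] == 1
     and re.search(r"\bschtasks(\.exe)?\b.*\s/create\b", e["CommandLine"], re.I)),
    ("T1543.003", "Service created with sc",
     lambda e: e["EventID"] == 1
     and re.search(r"\bsc(\.exe)?\s+create\b", e["CommandLine"], re.I)),
    ("T1036.003", "Renamed binary: OriginalFileName differs from image name",
     lambda e: e["EventID"] == 1 and bool(e.get("OriginalFileName"))
     and e["OriginalFileName"].lower() != _basename(e["Image"])),
]


def detect(events):
    """Return (technique_id, label, image) for every event matching a rule."""
    return [(tid, label, e["Image"])
            for e in events for tid, label, pred in RULES if pred(e)]


# Constructed sample telemetry (not logs from the advisory) mirroring the
# behaviours the page lists, plus two benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": RUN_KEY + r"\Updater", "Details": r"C:\Users\Public\upd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r"schtasks /create /tn Sync /tr C:\Users\Public\upd.exe /sc onlogon"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": r"sc create svc1 binPath= C:\Users\Public\upd.exe start= auto"},
    {"EventID": 1, "Image": r"C:\Users\Public\notepad.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "notepad.exe -c whoami"},  # assumed: powershell.exe copied and renamed
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe readme.txt"},  # benign: names agree
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc query wuauserv"},  # benign: query, not create
]

if __name__ == "__main__":
    for tid, label, image in detect(SAMPLE_EVENTS):
        print(f"{tid}  {label}: {image}")
```

The OriginalFileName comparison catches the copy-and-rename masquerade regardless of the chosen name, because the PE version resource travels with the file; real deployments would also baseline the Run key values so that legitimate startup entries are not reported on every scan.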
Indicators of Compromise
- [Registry/Run Key] Run Keys for startup persistence – HKLM\Software\Microsoft\Windows\CurrentVersion\Run (Windows)
- [Credential/Dumping Tool] Mimikatz – referenced in Kerberos ticket/dumping activities
- [Proc Filesystem] /proc – used to extract passwords from memory on Linux systems
- [Command/Utility References] powershell.exe, schtasks, sc, Get-Service, dir, tasklist, whoami – context: commands used in various stages of attacks
Read more: https://www.attackiq.com/2024/07/15/response-to-cisa-advisory-aa24-193a/