Explore Python for MITRE ATT&CK execution
MITRE ATT&CK: Execution
The MITRE ATT&CK framework breaks the cyberattack lifecycle into a set of “tactics” or goals that an attacker may need to achieve during their attack. Some of these goals are “mandatory,” but many are optional.
Achieving code execution is an example of an “optional” but common goal in the cyberattack lifecycle. The ability to run malicious code on a target system provides an attacker with a foothold and a range of options for carrying out their objective.
Introduction to user execution
An attacker can achieve execution on a target system in a variety of different ways. One technique is to trick, convince or coerce the user into running the attacker’s code.
The use of malicious links is an example of a trickery-based approach to achieving user-aided execution. Phishing emails commonly contain malicious links that point to phishing pages or compromised pages containing malware. If the user clicks on the link, their computer may be infected with malware or the attacker will attempt to steal their login credentials or other sensitive information.
Spearphishing links with Python
One application of Python for achieving execution is to use it as a web server and as a script embedded in an HTML webpage.
The code above (available on Github) shows an example of using Python to implement a simple web server. The code accepts GET requests and looks for HTTP queries named “user” and “password” appended to the URL.
It then extracts and prints the username and password and performs a 300 redirect to another site. This could be used to hide the existence of the phishing site by ensuring that the user ends up at their desired destination.
This code sample is a web page designed to work with the Python server above. It implements a simple user authentication page that could be dressed up to look like a login page for a real service.
This code uses Brython to allow Python to be used as a script within an HTML page. If the user clicks the login button, their credentials are sent to the server formatted as the queries that they expect.
Introduction to scheduled task/job
Task scheduling is another method by which an attacker could achieve code execution on a target system. If the attacker can edit files or run certain system commands, they could set the system up to execute more general commands at a later date.
Most operating systems have support for scheduled execution, such as Linux’s cron or schtasks in Windows. Scheduled tasks can achieve multiple goals, including gaining initial execution and persistence and helping to break up the flow of the attack, making the attack chain more difficult for incident responders to reconstruct.
Scheduled execution with Python
Python can interact with the task scheduling functionality built into operating systems.
The code sample above (available here) uses the Windows schtasks command to schedule a security scan. The task runs the program, enabling it to perform malicious functionality and then schedule itself to run again at a random point in the future. This helps to break up any patterns that could be used to identify the script, such as running at the same time every day or at regular intervals.
Python and penetration testing
A penetration tester can use a variety of different means to gain execution on a target system, and Python can contribute to many of them. The examples here show how Python can be used as part of a phishing campaign or to exploit OS’s built-in task scheduling functionality to achieve execution and persistence.
MITRE ATT&CK, MITRE
Python for Cybersecurity, Github