Explore Python for MITRE ATT&CK execution

June 16, 2021 by Howard Poston

MITRE ATT&CK: Execution

The MITRE ATT&CK framework breaks the cyberattack lifecycle into a set of “tactics” or goals that an attacker may need to achieve during their attack. Some of these goals are “mandatory,” but many are optional.

Achieving code execution is an example of an “optional” but common goal in the cyberattack lifecycle. The ability to run malicious code on a target system provides an attacker with a foothold and a range of options for carrying out their objective.

Introduction to user execution

An attacker can achieve execution on a target system in a variety of different ways. One technique is to trick, convince or coerce the user into running the attacker’s code.

Malicious links

The use of malicious links is an example of a trickery-based approach to achieving user-aided execution. Phishing emails commonly contain malicious links that point to phishing pages or compromised pages containing malware. If the user clicks on the link, their computer may be infected with malware or the attacker will attempt to steal their login credentials or other sensitive information.

Spearphishing links with Python

One application of Python for achieving execution is to use it as a web server and as a script embedded in an HTML webpage.

[Code sample shown as an image in the original article: Python web server for spearphishing links]

The code above (available on Github) shows an example of using Python to implement a simple web server. The server accepts GET requests and looks for query-string parameters named “user” and “password” appended to the URL.

It then extracts and prints the username and password and performs a 300 redirect to another site. This could be used to hide the existence of the phishing site by ensuring that the user ends up at their desired destination.

[Code sample shown as an image in the original article: Brython login page that submits to the server above]

This code sample is a web page designed to work with the Python server above. It implements a simple user authentication page that could be dressed up to look like a login page for a real service.

This code uses Brython to allow Python to be used as a script within an HTML page. If the user clicks the login button, their credentials are sent to the server formatted as the query parameters the server expects.

This example uses Brython to allow Python to be used at both ends of the HTTP connection. However, it would be more common to use Python as the web server and JavaScript in the HTML. Regardless, the code makes it possible to build a web server and web page that could steal user credentials if users were directed to it by a malicious link.
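From the defender's side, the server described above leaves a distinctive trace: a GET request whose query string carries a username and password, answered with a redirect to the site the victim expected. The following script, an added example that is not code from the article or its GitHub repository, scores access-log lines for that pattern. The log lines, the parameter-name lists and the scoring weights are constructed for the demo and are assumptions to tune per environment.

```python
# Added example, not code from the article or its GitHub repository.
# Scans web server / proxy access log lines for the pattern the article's
# server relies on: credentials carried as URL query parameters on a GET,
# often followed by a 3xx redirect to the site the victim expected.
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jun/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [16/Jun/2021:10:02:17 +0000] "GET /login?user=alice&password=Summer2021 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Jun/2021:10:03:44 +0000] "GET /search?q=password+reset HTTP/1.1" 200 800 "-" "Mozilla/5.0"
10.0.0.7 - - [16/Jun/2021:10:04:01 +0000] "POST /api/session HTTP/1.1" 200 120 "-" "curl/7.68.0"
10.0.0.11 - - [16/Jun/2021:10:05:30 +0000] "GET /verify?username=bob&pwd=hunter2 HTTP/1.1" 200 430 "-" "Mozilla/5.0"
"""

# Parameter names worth flagging: a starting list (assumption), extend per environment.
IDENTITY_PARAMS = {"user", "username", "login", "email"}
SECRET_PARAMS = {"password", "pass", "pwd", "passwd"}

# Only the fields needed for scoring are captured; the rest of the line is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict with ip, ts, method, target, status for one combined-format line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def score_request(rec):
    """Return (score, reasons); higher means closer to the credentials-in-URL pattern."""
    parts = urlsplit(rec["target"])
    # Only parameter names matter here; values are never logged or compared.
    names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    score, reasons = 0, []
    secrets = names & SECRET_PARAMS
    identities = names & IDENTITY_PARAMS
    if secrets:
        score += 2
        reasons.append("secret-like parameter in URL: " + ",".join(sorted(secrets)))
    if identities:
        score += 1
        reasons.append("identity parameter in URL: " + ",".join(sorted(identities)))
    # A redirect right after the credential-bearing request matches the article's server.
    if score and 300 <= rec["status"] < 400:
        score += 1
        reasons.append("answered with redirect (%d)" % rec["status"])
    return score, reasons


def find_credential_leaks(log_text, threshold=2):
    """Return the requests whose score reaches the threshold, oldest first."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        score, reasons = score_request(rec)
        if score >= threshold:
            findings.append({"ip": rec["ip"], "path": urlsplit(rec["target"]).path,
                             "status": rec["status"], "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_credential_leaks(SAMPLE_LOG):
        print(finding)
```

The threshold of 2 means a secret-like parameter alone is enough to flag a line, while an identity parameter alone (common on legitimate sites) is not; the redirect only raises the score of a request that already looked suspicious. Because the scoring reads parameter names only, the script can run over production logs without copying the captured passwords anywhere.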

Introduction to scheduled task/job

Task scheduling is another method by which an attacker could achieve code execution on a target system. If the attacker can edit files or run certain system commands, they could set the system up to execute more general commands at a later date.

Scheduled execution

Most operating systems have support for scheduled execution, such as Linux’s cron or schtasks in Windows. Scheduled tasks can achieve multiple goals, including gaining initial execution and persistence and helping to break up the flow of the attack, making the attack chain more difficult for incident responders to reconstruct.

Scheduled execution with Python

Python can interact with the task scheduling functionality built into operating systems.

[Code sample shown as an image in the original article: Python script that schedules itself with schtasks]

The code sample above (available here) uses the Windows schtasks command to schedule a security scan. The task runs the program, enabling it to perform malicious functionality and then schedule itself to run again at a random point in the future. This helps to break up any patterns that could be used to identify the script, such as running at the same time every day or at regular intervals.
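The self-rescheduling behaviour described above still leaves evidence in the task list itself: a task that launches a script interpreter from a user-writable directory and exists only as a one-time job. The audit script below is an added example, not code from the article or its GitHub repository. It parses CSV in the shape of `schtasks /query /fo CSV /v` output; the sample rows are constructed, and the column names used (`TaskName`, `Task To Run`, `Schedule Type`) are an assumption to check against real output on the host.

```python
# Added example, not code from the article or its GitHub repository.
# Audits scheduled tasks (CSV shaped like `schtasks /query /fo CSV /v`) for the
# pattern the article describes: a script interpreter, run from a user-writable
# location, registered as a one-time task that is re-created on each run.
import csv
import io
import re

# Interpreters whose presence in a task command deserves a look (assumption, extend as needed).
INTERPRETERS = {"python", "pythonw", "powershell", "pwsh", "wscript", "cscript", "cmd", "mshta"}
# Directories a standard user can normally write to (assumption, extend as needed).
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Users\\Public|Temp|ProgramData)\\", re.IGNORECASE)

# Constructed sample; column names follow the verbose schtasks layout as assumed here.
SAMPLE_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type","Start Time","Start Date"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly","01:00:00","1/1/2020"
"WS01","\Security Scan","Ready","WS01\alice","C:\Users\alice\AppData\Local\Programs\Python\Python39\pythonw.exe C:\Users\alice\AppData\Roaming\scan.py","WS01\alice","One Time Only","14:37:00","6/16/2021"
"WS01","\Backup Nightly","Ready","WS01\Administrator","""C:\Program Files\Backup\backup.exe"" /full","SYSTEM","Daily","02:00:00","1/1/2021"
"WS01","\Updater","Ready","WS01\bob","cmd.exe /c C:\ProgramData\upd\run.bat","WS01\bob","Hourly","00:00:00","3/3/2021"
'''


def command_parts(task_to_run):
    """Split 'Task To Run' into (executable, arguments); a quoted executable path is kept whole."""
    s = task_to_run.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    exe, _, args = s.partition(" ")
    return exe, args


def exe_name(path):
    """Lower-case file name of an executable path without its .exe suffix."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def assess_task(row):
    """Return (score, reasons) for one task row; higher is more suspicious."""
    exe, args = command_parts(row["Task To Run"])
    name = exe_name(exe)
    score, reasons = 0, []
    if name in INTERPRETERS:
        score += 1
        reasons.append("runs a script interpreter (%s)" % name)
    if USER_WRITABLE.search(exe) or USER_WRITABLE.search(args):
        score += 1
        reasons.append("command references a user-writable location")
    # A one-off task only adds weight when something above already looked odd:
    # the article's script re-creates itself as a new one-time task at a random future time.
    if score and row["Schedule Type"].lower().startswith("one time"):
        score += 1
        reasons.append("one-time task (may be re-created on every run)")
    return score, reasons


def audit_schtasks_csv(text, threshold=2):
    """Return the tasks whose score reaches the threshold, in file order."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        score, reasons = assess_task(row)
        if score >= threshold:
            findings.append({"task": row["TaskName"], "command": row["Task To Run"],
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_schtasks_csv(SAMPLE_CSV):
        print(finding)
```

On a live Windows host the CSV text would come from `subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"], capture_output=True, text=True).stdout`; the sample here stands in for that so the script runs anywhere. Pairing the audit with Windows event logging for task creation (so that the repeated create-and-delete cycle shows up as a series of events rather than a single task) closes the gap the random scheduling is meant to open.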

Python and penetration testing

A penetration tester can use a variety of different means to gain execution on a target system, and Python can contribute to many of them. The examples here show how Python can be used as part of a phishing campaign or to exploit an operating system’s built-in task scheduling functionality to achieve execution and persistence.

Sources

MITRE ATT&CK, MITRE
Brython, Brython
Python for Cybersecurity, Github


Howard Poston is a cybersecurity researcher with a background in blockchain, cryptography and malware analysis. He has a master's degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity research and development at Sandia National Labs. He currently works as a freelance consultant providing training and content creation for cyber and blockchain security.
