{"id":1560,"date":"2020-12-02T06:48:00","date_gmt":"2020-12-02T04:48:00","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=1560"},"modified":"2026-06-08T22:18:07","modified_gmt":"2026-06-08T22:18:07","slug":"mapping-cyber-attack-italian-case","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/mapping-cyber-attack-italian-case\/","title":{"rendered":"Mapping a cyber attack \u2014 the Italian case"},"content":{"rendered":"\n<div class=\"wp-block-media-text alignwide is-stacked-on-mobile\" style=\"grid-template-columns:22% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/11\/MummySpider.png\" alt=\"\" class=\"wp-image-1528 size-full\" loading=\"lazy\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p class=\"has-text-align-justify has-tablet-text-align-justify has-mobile-text-align-justify wp-block-paragraph\">Following the previous post (<a class=\"ek-link ek-link ek-link\" href=\"https:\/\/fortgale.com\/news\/incident-response-dietro-le-quinte\/\">link<\/a>) covering the <strong>Incident Response<\/strong> activity of an actual Italian case attributable to activity known as &#8220;<strong>Big Game Hunting<\/strong>&#8221; (BGH), we focus attention on the use of the <strong>ATT&amp;CK matrix<\/strong> for defensive purposes.<\/p>\n\n\n\n<p class=\"has-text-align-justify has-tablet-text-align-justify has-mobile-text-align-justify wp-block-paragraph\">Specifically, the ATT&amp;CK matrix (<em><strong>Adversarial Tactics, Techniques &amp; Common Knowledge<\/strong><\/em>) was developed by <strong>MITRE<\/strong> with the objective of providing a tool that enables <strong>mapping of all offensive criminal activities<\/strong>. 
The matrix can be considered a more extensive tool compared to the <a href=\"https:\/\/www.lockheedmartin.com\/en-us\/capabilities\/cyber\/cyber-kill-chain.html\" class=\"ek-link\">Cyber Kill-Chain developed by Lockheed Martin<\/a>.<\/p>\n<\/div><\/div>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\">Below is the result of <strong>mapping the Threat Actor&#8217;s movements<\/strong> within the IT infrastructure of the company from the previous post. The outcome of the attack was information loss and generalised service disruption of servers and the Backup system that impacted the Company&#8217;s operations. <br>The criminals compromised the entire <strong>Active Directory<\/strong> environment, executing a <strong>DCSync<\/strong> to copy user credentials from the infrastructure, and also tampering with the entire <strong>Backup<\/strong> flow, deleting copies from the previous 12 months.<\/p>\n\n\n\n<div class=\"wp-block-media-text alignwide is-stacked-on-mobile\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/11\/parte1.png\" alt=\"\" class=\"wp-image-1589 size-full\" loading=\"lazy\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>A non-exhaustive portion of the 12 Tactics of the ATT&amp;CK matrix and the mapping of activities performed by the criminals<\/p><\/blockquote>\n\n\n\n<figure class=\"wp-block-image size-large is-style-zoooom\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/11\/part2.png\" alt=\"\" class=\"wp-image-1588\" loading=\"lazy\" \/><\/figure>\n<\/div><\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-initial-access-ta001\"><strong>Initial Access  [<a 
href=\"https:\/\/attack.mitre.org\/versions\/v7\/tactics\/TA0001\/\" class=\"ek-link\">TA0001<\/a>]<\/strong><\/h2>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\">The Threat Actor, for initial access to the infrastructure, used Malware delivery via E-Mail (<strong><em>Spearphishing Attachment<\/em><\/strong> [<a href=\"https:\/\/attack.mitre.org\/versions\/v7\/techniques\/T1566\/001\/\" class=\"ek-link\">T1566.001<\/a>]) to compromise the systems of several Company employees. With control of the operating systems of the first victims, the actor leveraged those victims' credentials to access other services and Servers on the corporate LAN (<em><strong>Valid Accounts<\/strong><\/em> [<a href=\"https:\/\/attack.mitre.org\/versions\/v7\/techniques\/T1078\/\" class=\"ek-link\">T1078<\/a>]).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-lateral-movement-ta0008\"><strong>Lateral Movement [<a href=\"https:\/\/attack.mitre.org\/versions\/v7\/tactics\/TA0008\/\" class=\"ek-link\">TA0008<\/a>]<\/strong><\/h2>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\">With the accounts obtained in phase <strong>TA0001<\/strong>, the criminals executed <strong><em>Lateral Movement<\/em><\/strong> manoeuvres to access other servers in the company&#8217;s infrastructure. 
For these operations, sessions were established via <strong>RDP [<a href=\"https:\/\/attack.mitre.org\/versions\/v7\/techniques\/T1021\/001\/\" class=\"ek-link\">T1021.001<\/a>], SMB [<a href=\"https:\/\/attack.mitre.org\/versions\/v7\/techniques\/T1021\/002\/\" class=\"ek-link\">T1021.002<\/a>] and WinRM [<a href=\"https:\/\/attack.mitre.org\/versions\/v7\/techniques\/T1021\/006\/\" class=\"ek-link\">T1021.006<\/a>].<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-style-zoooom\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/11\/ltmv.png\" alt=\"\" class=\"wp-image-1690\" loading=\"lazy\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-privilege-escalation-ta0004\"><strong>Privilege Escalation [<a href=\"https:\/\/attack.mitre.org\/versions\/v7\/tactics\/TA0004\/\" class=\"ek-link\">TA0004<\/a>]<\/strong><\/h2>\n\n\n\n<div class=\"wp-block-media-text alignwide has-media-on-the-right\" style=\"grid-template-columns:auto 32%\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/11\/privesca-1.png\" alt=\"\" class=\"wp-image-1597 size-full\" loading=\"lazy\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p class=\"has-text-align-justify has-normal-font-size wp-block-paragraph\">The criminals, having obtained multiple accesses to various workstations and servers, initiated privilege <strong>escalation<\/strong> activities using the <strong>getsystem<\/strong> command. 
Specifically, <em>getsystem<\/em> is a command from <a href=\"https:\/\/www.offensive-security.com\/metasploit-unleashed\/meterpreter-basics\/\" class=\"ek-link\">Meterpreter<\/a> and <a href=\"https:\/\/www.cobaltstrike.com\/\" class=\"ek-link\">CobaltStrike<\/a> that performs privilege escalation by creating and starting a system service and exploiting its <em>security context<\/em>, in this case <strong>SYSTEM<\/strong>.<br>The event with <strong>ID 7045<\/strong> on the right is the Windows server event indicating service creation during the <em>escalation<\/em> activity. <br><a href=\"https:\/\/blog.cobaltstrike.com\/2014\/04\/02\/what-happens-when-i-type-getsystem\/\" class=\"ek-link\">Further details<\/a>.<\/p>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-discovery-ta0007\"><strong>Discovery [<a href=\"https:\/\/attack.mitre.org\/versions\/v7\/tactics\/TA0007\/\" class=\"ek-link\">TA0007<\/a>]<\/strong><\/h2>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\">The <strong>Discovery<\/strong> phase consists of the series of technical operations that adversaries execute to acquire information about systems and networks. These activities enable adversaries to better understand the environment in which they operate and direct attention to the most interesting systems. This often allows them to <strong>explore what is in the vicinity<\/strong> of their access point. Native operating system tools are frequently used in this post-compromise information-gathering phase.<br>Specifically, the criminals executed multiple accesses to company servers and positioned the file <strong>netscan.exe<\/strong> at the path &#8220;C:\\Users\\Public\\Downloads&#8221;, subsequently used for network scanning activities <strong>[<a href=\"https:\/\/attack.mitre.org\/versions\/v7\/techniques\/T1046\/\" class=\"ek-link\">T1046<\/a>]<\/strong>. 
Our <a href=\"https:\/\/fortgale.com\/en\/managed-soc\/\">Managed SOC<\/a> detected this reconnaissance pattern through correlation of file placement events and subsequent network enumeration behaviour.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-style-zoooom\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2020\/11\/lista.png\" alt=\"\" class=\"wp-image-1565\" loading=\"lazy\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\">The mapping of adversary TTPs against the MITRE ATT&amp;CK framework enables systematic identification of detection gaps and prioritisation of defensive controls across the intrusion lifecycle.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mapping a real Italian intrusion onto the MITRE ATT&amp;CK framework: phases, techniques, telemetry sources and lessons for SOC detection-engineering.<\/p>\n","protected":false},"author":1,"featured_media":3849,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[38,53,3128,435,158,3144,3145,232,3096,283,313,314,350],"class_list":["post-1560","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-attck","tag-bgh","tag-detection-engineering","tag-fortgale-report","tag-gootkit","tag-italian-threat-landscape","tag-kill-chain","tag-mitre","tag-mitre-attck","tag-ransomware","tag-sfile2","tag-sfile3","tag-threat"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1560","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\
/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=1560"}],"version-history":[{"count":5,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1560\/revisions"}],"predecessor-version":[{"id":9851,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/1560\/revisions\/9851"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/3849"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=1560"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=1560"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=1560"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}