farouq7assan0o/Threat-Intelligence-Analysis-MITRE-ATT-CK-Mapping

GitHub: farouq7assan0o/Threat-Intelligence-Analysis-MITRE-ATT-CK-Mapping

Stars: 0 | Forks: 0

# Threat Intelligence Analysis and MITRE ATT&CK Mapping

**Author:** Farouq Hassan

**Focus areas:** Threat intelligence, MITRE ATT&CK, OSINT analysis, impact scoring, malware analysis

**Topics covered:**

* APT29 (NOBELIUM) campaign analysis
* Lumma Stealer malware analysis

# Part 1 — APT29 (NOBELIUM) Campaign Analysis

📄 Source:

## 1️⃣ Campaign Evolution

APT29 shows a shift in its initial-access technique:

### 2020 campaign

* **Supply chain compromise**
* Target: SolarWinds Orion
* Technique: T1195.002

### 2021 campaign

* **Email spearphishing**
* Platform: USAID via Constant Contact
* Technique: T1566.002

This reflects a deliberate adaptation of the initial-access vector. (page 1)

## 2️⃣ Behaviour Chain Summary

| Phase | Observed behaviour |
| -------------------- | -------------------------------- |
| Initial Access | Supply chain compromise or spearphishing |
| Execution | PowerShell-based execution |
| Persistence | Scheduled tasks, backdoors |
| Privilege Escalation | Credential/token abuse |
| Defense Evasion | Obfuscation |
| Discovery | Account enumeration |
| Lateral Movement | Remote services |
| Command & Control | HTTP/S web-based |
| Collection | Email + directory data |
| Exfiltration | Over the C2 channel |

(page 1)

## 3️⃣ ATT&CK Technique Impact Scoring

📄 Source:

Impact scoring model:

* High = 90
* Medium = 60
* Low = 30

| Technique ID | Name | Impact |
| ------------ | -------------------------- | ----------- |
| T1195.002 | Supply Chain Compromise | High (90) |
| T1566.002 | Spearphishing Link | Medium (60) |
| T1204.002 | User Execution | Medium (60) |
| T1059.001 | PowerShell | Medium (60) |
| T1053.005 | Scheduled Task | Medium (60) |
| T1550.001 | Access Token Abuse | High (90) |
| T1071.001 | Web C2 | Medium (60) |
| T1027 | Obfuscation | Medium (60) |
| T1087 | Account Discovery | Low (30) |
| T1041 | Exfiltration over C2 | Medium (60) |
| T1114 | Email Collection | Medium (60) |
| T1003.001 | LSASS Credential Dumping | High (90) |

(page 2)

## 4️⃣ Full ATT&CK Navigator JSON (appendix of the original document)

The full JSON layer for ATT&CK Navigator:

```
{
  "name": "NOBELIUM / APT29 – OSINT TTP mapping (impact-scored)",
  "version": "4.5",
  "domain": "enterprise-attack",
  "description": "OSINT-based ATT&CK technique mapping with impact-based scoring: High=90, Med=60, Low=30.",
  "filters": { "platforms": [ "Windows", "Linux", "macOS", "Azure AD", "Office 365" ] },
  "sorting": 0,
  "layout": { "layout": "side", "showName": true, "showID": true },
  "techniques": [
    { "techniqueID": "T1195.002", "score": 90, "color": "#ff4d4d", "comment": "SolarWinds Orion supply-chain compromise." },
    { "techniqueID": "T1566.002", "score": 60, "color": "#ffb84d", "comment": "USAID/Constant Contact spearphishing links." },
    { "techniqueID": "T1204.002", "score": 60, "color": "#ffb84d", "comment": "User execution of malicious payload." },
    { "techniqueID": "T1059.001", "score": 60, "color": "#ffb84d", "comment": "PowerShell execution for staging." },
    { "techniqueID": "T1053.005", "score": 60, "color": "#ffb84d", "comment": "Scheduled Task persistence." },
    { "techniqueID": "T1550.001", "score": 90, "color": "#ff4d4d", "comment": "Access token and identity abuse." },
    { "techniqueID": "T1071.001", "score": 60, "color": "#ffb84d", "comment": "Web-based command and control." },
    { "techniqueID": "T1027",     "score": 60, "color": "#ffb84d", "comment": "Payload obfuscation." },
    { "techniqueID": "T1087",     "score": 30, "color": "#fff176", "comment": "Account discovery." },
    { "techniqueID": "T1041",     "score": 60, "color": "#ffb84d", "comment": "Exfiltration over C2 channel." },
    { "techniqueID": "T1114",     "score": 60, "color": "#ffb84d", "comment": "Email collection." },
    { "techniqueID": "T1003.001", "score": 90, "color": "#ff4d4d", "comment": "LSASS credential dumping." }
  ],
  "legendItems": [
    { "label": "High impact (90)",   "color": "#ff4d4d" },
    { "label": "Medium impact (60)", "color": "#ffb84d" },
    { "label": "Low impact (30)",    "color": "#fff176" }
  ]
}
```

(full JSON on pages 3–4)

# Part 2 — Lumma Stealer Malware Analysis

📄 Source:

## 1️⃣ Malware Overview

Lumma Stealer is an information-stealing malware that targets:

* Credentials
* Browser data
* Cryptocurrency wallets

Common delivery methods:

* Phishing emails
* Malvertising
* Cracked software installers

(page 1)

## 2️⃣ Delivery, Execution, Persistence

### Delivery

* Malicious email attachments or links

### Execution

* PowerShell
* Native Windows APIs

### Persistence

* Scheduled tasks
* Registry Run keys

(page 1)

## 3️⃣ Indicators of Compromise

| Type | Indicator |
| -------- | --------------------------------------------------- |
| File | Randomly named `.exe` in `%AppData%` |
| Network | HTTP POST to hard-coded IP addresses |
| Registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run |

(page 1)

## 4️⃣ ATT&CK Mapping (JSON excerpt)

📄 Source:

```
{
  "name": "Lumma Stealer ATT&CK Mapping",
  "version": "4.5",
  "domain": "enterprise-attack",
  "techniques": [
    { "techniqueID": "T1566.001", "score": 9, "comment": "Malspam delivery" },
    { "techniqueID": "T1204.002", "score": 8, "comment": "User execution" },
    { "techniqueID": "T1059.001", "score": 7, "comment": "PowerShell execution" },
    { "techniqueID": "T1053.005", "score": 8, "comment": "Scheduled task persistence" },
    { "techniqueID": "T1027",     "score": 6, "comment": "Obfuscation" },
    { "techniqueID": "T1555",     "score": 9, "comment": "Credential harvesting" },
    { "techniqueID": "T1005",     "score": 7, "comment": "Local data collection" },
    { "techniqueID": "T1071.001", "score": 8, "comment": "HTTP C2" },
    { "techniqueID": "T1041",     "score": 9, "comment": "Exfiltration over C2" }
  ]
}
```

## 5️⃣ Defensive Recommendations

From page 4:

* Improve email filtering
* Restrict PowerShell execution
* Monitor outbound traffic
* Implement application allow-listing

# Comparative Analysis — APT29 vs Lumma

| Category | APT29 | Lumma Stealer |
| ---------------- | ---------------------------- | ---------------------------- |
| Actor Type | Nation-state | Cybercrime malware |
| Initial Access | Supply-chain / Spearphishing | Malspam / Phishing |
| Credential Abuse | Access token abuse | Browser/password store theft |
| C2 | Web-based HTTP/S | HTTP POST to hard-coded IPs |
| Impact | Strategic espionage | Credential/data theft |

# Skills Demonstrated

* OSINT threat intelligence analysis
* MITRE ATT&CK mapping
* Impact scoring methodology
* ATT&CK Navigator JSON construction
* Malware behaviour analysis
* IOC identification
* Defensive control recommendations
* Cross-campaign comparison

# Security Value

This session demonstrates:

* Structured threat actor analysis
* Behaviour chain modelling
* Mapping real campaigns to ATT&CK
* Turning intelligence into defensive recommendations
* Linking threat intelligence with blue team strategy
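As an added example (not part of the original repository), the Python below builds a Navigator layer from the impact model in Part 1 (High=90, Medium=60, Low=30, with the colours of the page's APT29 layer) and, for the comparative analysis, lists the techniques that appear in both the APT29 and Lumma mappings. Because the two layers on the page use different score scales (90/60/30 versus 0–10), the overlap is computed on technique IDs only.

```python
import json

# Impact model and colours taken from the README's APT29 Navigator layer.
IMPACT = {"High": (90, "#ff4d4d"), "Medium": (60, "#ffb84d"), "Low": (30, "#fff176")}

# Technique lists copied from the two mappings on the page.
APT29 = [
    ("T1195.002", "High",   "SolarWinds Orion supply-chain compromise."),
    ("T1566.002", "Medium", "USAID/Constant Contact spearphishing links."),
    ("T1204.002", "Medium", "User execution of malicious payload."),
    ("T1059.001", "Medium", "PowerShell execution for staging."),
    ("T1053.005", "Medium", "Scheduled Task persistence."),
    ("T1550.001", "High",   "Access token and identity abuse."),
    ("T1071.001", "Medium", "Web-based command and control."),
    ("T1027",     "Medium", "Payload obfuscation."),
    ("T1087",     "Low",    "Account discovery."),
    ("T1041",     "Medium", "Exfiltration over C2 channel."),
    ("T1114",     "Medium", "Email collection."),
    ("T1003.001", "High",   "LSASS credential dumping."),
]
LUMMA = ["T1566.001", "T1204.002", "T1059.001", "T1053.005", "T1027",
         "T1555", "T1005", "T1071.001", "T1041"]


def build_layer(name, techniques, description=""):
    """Return an ATT&CK Navigator v4.5 layer dict scored with the page's impact model."""
    entries = []
    for tid, level, comment in techniques:
        score, color = IMPACT[level]  # KeyError on an unknown level is intentional
        entries.append({"techniqueID": tid, "score": score, "color": color, "comment": comment})
    return {
        "name": name, "version": "4.5", "domain": "enterprise-attack",
        "description": description,
        "techniques": entries,
        "legendItems": [{"label": f"{lvl} impact ({s})", "color": c}
                        for lvl, (s, c) in IMPACT.items()],
    }


def shared_techniques(layer, other_ids):
    """Technique IDs present in both mappings, highest APT29 impact first."""
    ids = set(other_ids)
    hits = [t for t in layer["techniques"] if t["techniqueID"] in ids]
    return [t["techniqueID"] for t in sorted(hits, key=lambda t: -t["score"])]


if __name__ == "__main__":
    layer = build_layer("NOBELIUM / APT29 – impact-scored", APT29)
    print(json.dumps(layer, indent=2))
    print("Techniques shared with Lumma:", shared_techniques(layer, LUMMA))
```

The shared list is where one detection (for example, PowerShell logging or scheduled-task auditing) covers both the nation-state and the commodity threat.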