SlideShare a Scribd company logo

Started from the Bottom: Exploiting Data Sources to Uncover ATT&CK Behaviors

J
JamieWilliams130

Presented at the SANS Threat Hunting & IR Summit 2020

Technology
1 of 66
Download to read offline
Started From the Bottom: Exploiting Data Sources to Uncover ® Behaviors Jose Rodriguez @Cyb3rPandaH Jamie Williams @jamieantisocial MITRE ATT&CK @MITREattack
Agenda ● Data sources? ● Are ATT&CK data sources sufficient for security operations? ● Any opportunities for ATT&CK data sources improvement? ● How can we enhance current data sources? ● How do these concepts apply to ATT&CK? ● Data-driven hunt experiment
Data sources?
When you hear about a new threat…. As defenders, what can we do?
Threat modeling Exploit Public- Facing Application
Threat modeling Exploit Public- Facing Application Rundll32 Service Execution Regsvr32 Windows Command Shell
Threat modeling Exploit Public- Facing Application Rundll32 Service Execution Regsvr32 Windows Command Shell Match Legitimate Name or Location Scheduled Task COR_PROFILER Windows Service Modify Registry …
Exploit Public- Facing Application Rundll32 Service Execution Regsvr32 Windows Command Shell Match Legitimate Name or Location Scheduled Task COR_PROFILER Windows Service Modify Registry Threat modeling++ …
Threat modeling++ Exploit Public- Facing Application Rundll32 Regsvr32 Service Execution Windows Command Shell Match Legitimate Name or Location Scheduled Task COR_PROFILER Windows Service Modify Registry Initial Access ImpactC2Exfil.Collection Lateral Movement Discovery Cred. Access Defense Evasion Priv. Esc.PersistenceExecution
Threat modeling++ Exploit Public- Facing Application Rundll32 Regsvr32 Service Execution Windows Command Shell Match Legitimate Name or Location Scheduled Task COR_PROFILER Windows Service Modify Registry Initial Access ImpactC2Exfil.Collection Lateral Movement Discovery Cred. Access Defense Evasion Priv. Esc.PersistenceExecution
Initial Access ImpactC2Exfil.Collection Lateral Movement Discovery Cred. Access Defense Evasion Priv. Esc.PersistenceExecution ATT&CK
Initial Access ImpactC2Exfil.Collection Lateral Movement Discovery Cred. Access Defense Evasion Priv. Esc.PersistenceExecution ATT&CK
Initial Access ImpactC2Exfil.Collection Lateral Movement Discovery Cred. Access Defense Evasion Priv. Esc.PersistenceExecution ATT&CK
Data source Source of information collected by a sensor or logging system that may be used to collect information relevant to identifying the action being performed, sequence of actions, or the results of those actions by an adversary. DLL monitoring Process monitoring Netflow Windows event logs File monitoring …
Are ATT&CK data sources sufficient for security operations?
How data sources support this process? Adversary Behavior Telemetry Data Sources Modeling Threat Actor Identifying Relevant Data
Data Sources Command ProcessProcess Port Ip Process dll Connected to Connected to Created Created Executed Loaded Sysmon 3 Network Connection Sysmon 7 Image Loaded PowerShell 4104 Script Block Logging Threat Actor Model – Data Perspective Relevant Data What data are we generating? What data are we collecting? Effective Detection Strategy Process command-line parameters Process monitoring Netflow Windows event logs File monitoring Security 4624 Successful Logon Zeek Conn Log TCP/UDP/ICMP Osquery Process_events How data sources support this process?
ATT&CK data sources mapped to sub-techniques
Any opportunities for ATT&CK data sources improvement? https://screenrant.com/lord-rings-movies-gandalf-staffs-grey-white-explained/
Some opportunities for improvement are: • Lack of context • Redundancy and overlapping • Too broad scope https://www.pinterest.com/pin/535013630705243890/
Opportunity: Lack of context More context will help to map ATT&CK data sources to event logs Sysmon 1 Process Creation Sysmon 3 Network Connection Sysmon 5 Process Terminated Sysmon 8 Create Remote Thread Sysmon 10 Process Access Process Monitoring? ?
Opportunity: Redundancy and overlapping Standardize names & account for intersections
Opportunity: Too broad scope Breaking down data sources with a broad scope
How can we enhance current ATT&CK data sources? https://lotr.fandom.com/wiki/Gandalf
Enter data modeling!! A data model is a collection of concepts for organizing data elements and standardizing how they relate to one another.
How to identify data elements and relationships? A data dictionary describes a single event log and its corresponding event field names.
Documenting event logs via data dictionaries Module dllProcess Loaded Sysmon 7 Image Loaded Field Type Description Sample Value Process Guid String Process Guid of the process that loaded the image {A98268C1-A12A-5ACD- 0000-0010E4C8B300} Process Id Integer Process ID used by the os to identify the process that loaded the image 3532 Image String File path of the process that loaded the image C:WindowsSystem32 cmd.exe Image Loaded String Full path of the image loaded C:WindowsSystem32 msvcrt.dll Description String Description of the image loaded Windows NT CRT DLL
Documenting data sources via data dictionaries Module dllProcess Loaded Process IpProcess Connected to PortProcess Connected to IpUser Connected to PortUser Connected to Sysmon 7 Image Loaded Sysmon 3 Network Connection Data fields - ProcessGuid - ProcessId - Image - ImageLoaded - Product - Description - Signed - Signature - SignatureStatus Data fields - ProcessGuid - ProcessId - Image - User - Protocol - SourceIp - SourcePort - DestinationIp - DestinationPort Sysmon 8 Create Remote Thread Data fields - SourceProcessGuid - SourceProcessId - SourceImage - TargetProcessGuid - TargetProcessId - TargetImage - StartModule - StartFunction ProcessProcess Wrote to Sysmon 11 File Create File FileProcess Created Data fields - ProcessGuid - ProcessId - Image - TargetFileName - CreationUtcTime
How do these concepts apply to ATT&CK?
Adding metadata to ATT&CK data sources Process Sysmon 1 Process Creation Sysmon 3 Network Connection Sysmon 8 Create Remote Thread Sysmon 10 Process Access Security 4688 Process Created Security 5156 Connection Permitted ProcessProcess Created ProcessUser Created IpProcess Connected To IpUser Connected To ProcessProcess Wrote To ProcessProcess Opened Process Network Connection Process Creation Process Modification Process Access Data Sources Components Relationships Event Logs
Identifying relevant data via data sources objects Sysmon 7 Image Loaded Sysmon 3 Network Connection Data fields - ProcessGuid - ProcessId - Image - ImageLoaded - Product - Description - Signed - Signature - SignatureStatus Data fields - ProcessGuid - ProcessId - Image - User - Protocol - SourceIp - SourcePort - DestinationIp - DestinationPort Sysmon 8 Create Remote Thread Data fields - SourceProcessGuid - SourceProcessId - SourceImage - TargetProcessGuid - TargetProcessId - TargetImage - StartModule - StartFunction Sysmon 11 File Create Data fields - ProcessGuid - ProcessId - Image - TargetFileName - CreationUtcTime API Auth. logs Process Module Netflow File Windows event logs
Identifying relevant data via data sources objects Sysmon 7 Image Loaded Sysmon 3 Network Connection Data fields - ProcessGuid - ProcessId - Image - ImageLoaded - Product - Description - Signed - Signature - SignatureStatus Data fields - ProcessGuid - ProcessId - Image - User - Protocol - SourceIp - SourcePort - DestinationIp - DestinationPort Sysmon 8 Create Remote Thread Data fields - SourceProcessGuid - SourceProcessId - SourceImage - TargetProcessGuid - TargetProcessId - TargetImage - StartModule - StartFunction Sysmon 11 File Create Data fields - ProcessGuid - ProcessId - Image - TargetFileName - CreationUtcTime Identify coverage and gaps ? ? API Auth. logs Process Module Netflow File Windows event logs Windows event logs
T1574.012 Hijack Execution Flow: COR_PROFILER PERSISTENCE Data-driven hunt experiment
A basic detection research process 1. Research goal definition 2. Initial detection modeling 3. Adversary simulation 4. Detection model definition 5. Detection model validation 6. Documentation & communication
1. Research goal: COR_PROFILER
1. Research goal: COR_PROFILER Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Where will we find this, and more, data?
2. Initial detection modeling: COR_PROFILER Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Process Process creation User Process created Process Process created Sysmon 1 Process Creation File Windows Registry Module Data Sources module load Data Components Windows registry key modification File creation Process File created Relationships Environment Activity Event Logs Sysmon 11 File Creation Process Registry Key Value modified Sysmon 13 Registry Value Set Process dll loaded Sysmon 7 Image Loaded
3. Adversary simulation: COR_PROFILER
4. Detection model: Persistence & COR_PROFILER User Process Process File Process Registry Key Value modifies Process dll loads Before reboot After reboot Data Model creates creates creates Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Environment Activity
4. Detection model: COR_PROFILER Sysmon 13 Registry Value Set Sysmon 1 Process Creation Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Environment Activity
4. Detection model: COR_PROFILER Sysmon 13 Registry Value Set Sysmon 1 Process Creation Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Environment Activity
4. Detection model: CMD.EXE ParentProcess cmd.exe also has more child processes
4. Detection model: COR_PROFILER (Before Rebooting) cmd.exe wmic.exe wmiprvse.exe modifies modifies reg.exe creates modifies Registry Entry e0b3489da74f.dll Inprocserver32 CLSID {11111111-1111-1111-1111- 1111deadbeef} Environment Variable COR_ENABLING_PROFILING Environment Variable COR_PROFILER CLSID {11111111-1111-1111- 1111-1111deadbeef} Data Model Simulation Data creates Registry Entry e0b3489da74f.dll Inprocserver32 CLSID {11111111-1111-1111-1111- 1111deadbeef} Environment Variable COR_ENABLING_PROFILING Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Environment Activity Environment Variable COR_PROFILER CLSID {11111111-1111-1111- 1111-1111deadbeef} Registry Entry e0b3489da74f.dll Inprocserver32 CLSID {11111111-1111-1111-1111- 1111deadbeef} Environment Variable COR_PROFILER CLSID {11111111-1111-1111- 1111-1111deadbeef}
4. Detection model: COR_PROFILER (Before Rebooting) process process process modifies modifies process creates modifies Registry Entry e0b3489da74f.dll Inprocserver32 CLSID {11111111-1111-1111-1111- 1111deadbeef} Environment Variable COR_ENABLING_PROFILING Environment Variable COR_PROFILER CLSID {11111111-1111-1111-1111- 1111deadbeef} Data Model Adversary Behavior creates registry key value Inprocserver32 CLSID {XXX-XXX-XXX-XXX-XXX} registry key value COR_ENABLING_PROFILING Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Environment Activity registry key value COR_PROFILER CLSID {XXX-XXX-XXX-XXX-XXX}
4. Detection model: COR_PROFILER (Before Rebooting) Data Analytic
4. Detection model: COR_PROFILER (Before Rebooting) Data Analytic dll registered using inprocserver and CLSID COR_PROFILER environment variable configured with same CLSID
4. Detection model: COR_PROFILER (Before Rebooting) Data Analytic Results
After a nice weekend... https://wifflegif.com/tags/67564-bombur-gifs
4. Detection model: e0b3489da74f.DLL load Sysmon 7 Image Loaded Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Environment Activity
4. Detection model: e0b3489da74f.DLL load Sysmon 7 Image Loaded Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Environment Activity
4. Detection model: Persistence & COR_PROFILER Data Model Adversary Behavior Before Reboot After Reboot process process process modifies modifies process creates modifies creates registry key value Inprocserver32 CLSID {XXX-XXX-XXX-XXX-XXX} dll registry key value COR_ENABLING_PROFILING registry key value COR_PROFILER CLSID {XXX-XXX-XXX-XXX-XXX} process loads dll
4. Detection model : COR_PROFILER (After Reboot) Data Analytic
4. Detection model : COR_PROFILER (After Reboot) Data Analytic dll registered using inprocserver and CLSID COR_PROFILER environment variable configured with same CLSID dll loaded after reboot
4. Detection model : COR_PROFILER (After Rebooting) Data Analytic Results
4. Detection model : COR_PROFILER (After Rebooting) Data Analytic Results
Is that all? https://gifer.com/en/gifs/saruman
4. Detection model: Visual Studio 2019 (victim) What else does the victim process do?
4. Detection model: Persistence & COR_PROFILER Data Model Adversary Behavior Before Reboot After Reboot process process process modifies modifies process creates modifies creates registry key value Inprocserver32 CLSID {XXX-XXX-XXX-XXX-XXX} dll registry key value COR_ENABLING_PROFILING registry key value COR_PROFILER CLSID {XXX-XXX-XXX-XXX- XXX} process loads process ip Connects to process dll creates creates
4. Detection model : COR_PROFILER (After Reboot) Data Analytic
4. Detection model : COR_PROFILER (After Reboot) Data Analytic dll registered using inprocserver and CLSID COR_PROFILER environment variable configured with same CLSID dll loaded after reboot Child process of process that loaded dll Child process making a network connection
5. Detection model: Persistence & COR_PROFILER
5. Detection model: Persistence & COR_PROFILER regsvr32.exe connected to 151.101.208.133 after being spawned by a powershell.exe that loaded e0b3489da74f.dll due to COR_PROFILER environment variables set by wmiprvse.exe and reg.exe
6. Documentation and communication Before Reboot After Reboot process process process modifies modifies process creates modifies creates registry key value Inprocserver32 CLSID {XXX-XXX-XXX-XXX-XXX} dll registry key value COR_ENABLING_PROFILING registry key value COR_PROFILER CLSID {XXX-XXX-XXX-XXX- XXX} process loads process ip Connects to process dll creates creates
6. Documentation and communication Before Reboot After Reboot process process process modifies modifies process creates modifies creates registry key value Inprocserver32 CLSID {XXX-XXX-XXX-XXX-XXX} dll registry key value COR_ENABLING_PROFILING registry key value COR_PROFILER CLSID {XXX-XXX-XXX-XXX- XXX} process loads process ip Connects to process dll creates creates Behavior Context
Conclusion •Modeling data sources can provide more context •We can use this enhanced understanding of data sources and their relationships to more effectively uncover ATT&CK behaviors
Contact info and relevant links • attack.mitre.org • redcanary.com/blog/ blue-mockingbird-cryptominer/ • redcanary.com/blog/ cor_profiler-for-persistence/ • 3gstudent.github.io/ 3gstudent.github.io/ Use-CLR-to-maintain-persistence/ Jose Rodriguez @Cyb3rPandaH Jamie Williams @jamieantisocial MITRE ATT&CK @MITREattack • github.com/redcanaryco/atomic-red-team • github.com/Cyb3rWard0g/HELK • github.com/OTRF/OSSEM • github.com/OTRF/Mordor • mitre.org/sites/default/files/publications/ pr-19-3892-ttp-based-hunting.pdf

Recommended

Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeologyenigma0x3
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Alphorm.com Formation Microsoft 365 (MS-500) Administrateur Sécurité : Protec...
Alphorm.com Formation Microsoft 365 (MS-500) Administrateur Sécurité : Protec...Alphorm.com Formation Microsoft 365 (MS-500) Administrateur Sécurité : Protec...
Alphorm.com Formation Microsoft 365 (MS-500) Administrateur Sécurité : Protec...Alphorm
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss PreventionReza Kopaee
 

Recommended

Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeologyenigma0x3
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Alphorm.com Formation Microsoft 365 (MS-500) Administrateur Sécurité : Protec...
Alphorm.com Formation Microsoft 365 (MS-500) Administrateur Sécurité : Protec...Alphorm.com Formation Microsoft 365 (MS-500) Administrateur Sécurité : Protec...
Alphorm.com Formation Microsoft 365 (MS-500) Administrateur Sécurité : Protec...Alphorm
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss PreventionReza Kopaee
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Shariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz Abdeen
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Microsoft 365 and Microsoft Cloud App Security
Microsoft 365 and Microsoft Cloud App SecurityMicrosoft 365 and Microsoft Cloud App Security
Microsoft 365 and Microsoft Cloud App SecurityAlbert Hoitingh
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Frode Hommedal
 
Fileless Malware Infections
Fileless Malware InfectionsFileless Malware Infections
Fileless Malware InfectionsRamon
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Threat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the CloudThreat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the CloudBen Johnson
 
Azure Information Protection
Azure Information ProtectionAzure Information Protection
Azure Information ProtectionRobert Crane
 
MITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICSMITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICSMITRE ATT&CK
 
Microsoft Defender for Endpoint
Microsoft Defender for EndpointMicrosoft Defender for Endpoint
Microsoft Defender for EndpointCheah Eng Soon
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Kỹ thuật tìm IP Server nằm sau CloudFlare
Kỹ thuật tìm IP Server nằm sau CloudFlareKỹ thuật tìm IP Server nằm sau CloudFlare
Kỹ thuật tìm IP Server nằm sau CloudFlareVietnix Hosting
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development LifecycleRazi Rais
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE - ATT&CKcon
 
The Enterprise Guide to Building a Data Mesh - Introducing SpecMesh
The Enterprise Guide to Building a Data Mesh - Introducing SpecMeshThe Enterprise Guide to Building a Data Mesh - Introducing SpecMesh
The Enterprise Guide to Building a Data Mesh - Introducing SpecMeshIanFurlong4
 
Redis Streams plus Spark Structured Streaming
Redis Streams plus Spark Structured StreamingRedis Streams plus Spark Structured Streaming
Redis Streams plus Spark Structured StreamingDave Nielsen
 

More Related Content

What's hot

Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Shariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz Abdeen
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Microsoft 365 and Microsoft Cloud App Security
Microsoft 365 and Microsoft Cloud App SecurityMicrosoft 365 and Microsoft Cloud App Security
Microsoft 365 and Microsoft Cloud App SecurityAlbert Hoitingh
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Frode Hommedal
 
Fileless Malware Infections
Fileless Malware InfectionsFileless Malware Infections
Fileless Malware InfectionsRamon
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Threat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the CloudThreat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the CloudBen Johnson
 
Azure Information Protection
Azure Information ProtectionAzure Information Protection
Azure Information ProtectionRobert Crane
 
MITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICSMITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICSMITRE ATT&CK
 
Microsoft Defender for Endpoint
Microsoft Defender for EndpointMicrosoft Defender for Endpoint
Microsoft Defender for EndpointCheah Eng Soon
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Kỹ thuật tìm IP Server nằm sau CloudFlare
Kỹ thuật tìm IP Server nằm sau CloudFlareKỹ thuật tìm IP Server nằm sau CloudFlare
Kỹ thuật tìm IP Server nằm sau CloudFlareVietnix Hosting
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development LifecycleRazi Rais
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE - ATT&CKcon
 

What's hot (20)

Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Shariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentation
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Microsoft 365 and Microsoft Cloud App Security
Microsoft 365 and Microsoft Cloud App SecurityMicrosoft 365 and Microsoft Cloud App Security
Microsoft 365 and Microsoft Cloud App Security
 
Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)Taking the Attacker Eviction Red Pill (v2.0)
Taking the Attacker Eviction Red Pill (v2.0)
 
Fileless Malware Infections
Fileless Malware InfectionsFileless Malware Infections
Fileless Malware Infections
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Threat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the CloudThreat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the Cloud
 
Azure Information Protection
Azure Information ProtectionAzure Information Protection
Azure Information Protection
 
MITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICSMITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICS
 
Microsoft Defender for Endpoint
Microsoft Defender for EndpointMicrosoft Defender for Endpoint
Microsoft Defender for Endpoint
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Kỹ thuật tìm IP Server nằm sau CloudFlare
Kỹ thuật tìm IP Server nằm sau CloudFlareKỹ thuật tìm IP Server nằm sau CloudFlare
Kỹ thuật tìm IP Server nằm sau CloudFlare
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development Lifecycle
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
 

Similar to Started from the Bottom: Exploiting Data Sources to Uncover ATT&CK Behaviors

The Enterprise Guide to Building a Data Mesh - Introducing SpecMesh
The Enterprise Guide to Building a Data Mesh - Introducing SpecMeshThe Enterprise Guide to Building a Data Mesh - Introducing SpecMesh
The Enterprise Guide to Building a Data Mesh - Introducing SpecMeshIanFurlong4
 
Redis Streams plus Spark Structured Streaming
Redis Streams plus Spark Structured StreamingRedis Streams plus Spark Structured Streaming
Redis Streams plus Spark Structured StreamingDave Nielsen
 
“Lights Out”Configuration using Tivoli Netcool AutoDiscovery Tools
“Lights Out”Configuration using Tivoli Netcool AutoDiscovery Tools“Lights Out”Configuration using Tivoli Netcool AutoDiscovery Tools
“Lights Out”Configuration using Tivoli Netcool AutoDiscovery ToolsAntonio Rolle
 
Presentation.pdf
Presentation.pdfPresentation.pdf
Presentation.pdfSPAMVEDANT
 
Implementing a data_science_project (Python Version)_part1
Implementing a data_science_project (Python Version)_part1Implementing a data_science_project (Python Version)_part1
Implementing a data_science_project (Python Version)_part1Dr Sulaimon Afolabi
 
20090701 Climate Data Staging
20090701 Climate Data Staging20090701 Climate Data Staging
20090701 Climate Data StagingHenning Bergmeyer
 
Data Mining with JDM API by Regina Wang (4/11)
Data Mining with JDM API by Regina Wang (4/11)Data Mining with JDM API by Regina Wang (4/11)
Data Mining with JDM API by Regina Wang (4/11)butest
 
Evolving your Data Access with MongoDB Stitch - Drew Di Palma
Evolving your Data Access with MongoDB Stitch - Drew Di PalmaEvolving your Data Access with MongoDB Stitch - Drew Di Palma
Evolving your Data Access with MongoDB Stitch - Drew Di PalmaMongoDB
 
MongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB
 
WPS Application Patterns
WPS Application PatternsWPS Application Patterns
WPS Application PatternsDaniel Nüst
 
Hunting malware via memory forensics
Hunting malware via memory forensicsHunting malware via memory forensics
Hunting malware via memory forensicsSriram Krishnan
 
A fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP SpainA fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP SpainChristian Martorella
 
Enterprise guide to building a Data Mesh
Enterprise guide to building a Data MeshEnterprise guide to building a Data Mesh
Enterprise guide to building a Data MeshSion Smith
 
Off-Label Data Mesh: A Prescription for Healthier Data
Off-Label Data Mesh: A Prescription for Healthier DataOff-Label Data Mesh: A Prescription for Healthier Data
Off-Label Data Mesh: A Prescription for Healthier DataHostedbyConfluent
 
Building Social Enterprise with Ruby and Salesforce
Building Social Enterprise with Ruby and SalesforceBuilding Social Enterprise with Ruby and Salesforce
Building Social Enterprise with Ruby and SalesforceRaymond Gao
 
As You Seek – How Search Enables Big Data Analytics
As You Seek – How Search Enables Big Data AnalyticsAs You Seek – How Search Enables Big Data Analytics
As You Seek – How Search Enables Big Data AnalyticsInside Analysis
 
Amundsen: From discovering to security data
Amundsen: From discovering to security dataAmundsen: From discovering to security data
Amundsen: From discovering to security datamarkgrover
 
Organizing the Data Chaos of Scientists
Organizing the Data Chaos of ScientistsOrganizing the Data Chaos of Scientists
Organizing the Data Chaos of ScientistsAndreas Schreiber
 
Redis + Structured Streaming—A Perfect Combination to Scale-Out Your Continuo...
Redis + Structured Streaming—A Perfect Combination to Scale-Out Your Continuo...Redis + Structured Streaming—A Perfect Combination to Scale-Out Your Continuo...
Redis + Structured Streaming—A Perfect Combination to Scale-Out Your Continuo...Databricks
 

Similar to Started from the Bottom: Exploiting Data Sources to Uncover ATT&CK Behaviors (20)

The Enterprise Guide to Building a Data Mesh - Introducing SpecMesh
The Enterprise Guide to Building a Data Mesh - Introducing SpecMeshThe Enterprise Guide to Building a Data Mesh - Introducing SpecMesh
The Enterprise Guide to Building a Data Mesh - Introducing SpecMesh
 
Redis Streams plus Spark Structured Streaming
Redis Streams plus Spark Structured StreamingRedis Streams plus Spark Structured Streaming
Redis Streams plus Spark Structured Streaming
 
“Lights Out”Configuration using Tivoli Netcool AutoDiscovery Tools
“Lights Out”Configuration using Tivoli Netcool AutoDiscovery Tools“Lights Out”Configuration using Tivoli Netcool AutoDiscovery Tools
“Lights Out”Configuration using Tivoli Netcool AutoDiscovery Tools
 
Presentation.pdf
Presentation.pdfPresentation.pdf
Presentation.pdf
 
Airbnb - StreamAlert
Airbnb - StreamAlertAirbnb - StreamAlert
Airbnb - StreamAlert
 
Implementing a data_science_project (Python Version)_part1
Implementing a data_science_project (Python Version)_part1Implementing a data_science_project (Python Version)_part1
Implementing a data_science_project (Python Version)_part1
 
20090701 Climate Data Staging
20090701 Climate Data Staging20090701 Climate Data Staging
20090701 Climate Data Staging
 
Data Mining with JDM API by Regina Wang (4/11)
Data Mining with JDM API by Regina Wang (4/11)Data Mining with JDM API by Regina Wang (4/11)
Data Mining with JDM API by Regina Wang (4/11)
 
Evolving your Data Access with MongoDB Stitch - Drew Di Palma
Evolving your Data Access with MongoDB Stitch - Drew Di PalmaEvolving your Data Access with MongoDB Stitch - Drew Di Palma
Evolving your Data Access with MongoDB Stitch - Drew Di Palma
 
MongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and Implications
 
WPS Application Patterns
WPS Application PatternsWPS Application Patterns
WPS Application Patterns
 
Hunting malware via memory forensics
Hunting malware via memory forensicsHunting malware via memory forensics
Hunting malware via memory forensics
 
A fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP SpainA fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP Spain
 
Enterprise guide to building a Data Mesh
Enterprise guide to building a Data MeshEnterprise guide to building a Data Mesh
Enterprise guide to building a Data Mesh
 
Off-Label Data Mesh: A Prescription for Healthier Data
Off-Label Data Mesh: A Prescription for Healthier DataOff-Label Data Mesh: A Prescription for Healthier Data
Off-Label Data Mesh: A Prescription for Healthier Data
 
Building Social Enterprise with Ruby and Salesforce
Building Social Enterprise with Ruby and SalesforceBuilding Social Enterprise with Ruby and Salesforce
Building Social Enterprise with Ruby and Salesforce
 
As You Seek – How Search Enables Big Data Analytics
As You Seek – How Search Enables Big Data AnalyticsAs You Seek – How Search Enables Big Data Analytics
As You Seek – How Search Enables Big Data Analytics
 
Amundsen: From discovering to security data
Amundsen: From discovering to security dataAmundsen: From discovering to security data
Amundsen: From discovering to security data
 
Organizing the Data Chaos of Scientists
Organizing the Data Chaos of ScientistsOrganizing the Data Chaos of Scientists
Organizing the Data Chaos of Scientists
 
Redis + Structured Streaming—A Perfect Combination to Scale-Out Your Continuo...
Redis + Structured Streaming—A Perfect Combination to Scale-Out Your Continuo...Redis + Structured Streaming—A Perfect Combination to Scale-Out Your Continuo...
Redis + Structured Streaming—A Perfect Combination to Scale-Out Your Continuo...
 

Recently uploaded

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 

Recently uploaded (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 

Started from the Bottom: Exploiting Data Sources to Uncover ATT&CK Behaviors

  • 1. Started From the Bottom: Exploiting Data Sources to Uncover ® Behaviors Jose Rodriguez @Cyb3rPandaH Jamie Williams @jamieantisocial MITRE ATT&CK @MITREattack
  • 2. Agenda ● Data sources? ● Are ATT&CK data sources sufficient for security operations? ● Any opportunities for ATT&CK data sources improvement? ● How can we enhance current data sources? ● How do these concepts apply to ATT&CK? ● Data-driven hunt experiment
  • 4. When you hear about a new threat…. As defenders, what can we do?
  • 5. Threat modeling Exploit Public- Facing Application
  • 6. Threat modeling Exploit Public- Facing Application Rundll32 Service Execution Regsvr32 Windows Command Shell
  • 7. Threat modeling Exploit Public- Facing Application Rundll32 Service Execution Regsvr32 Windows Command Shell Match Legitimate Name or Location Scheduled Task COR_PROFILER Windows Service Modify Registry …
  • 8. Exploit Public- Facing Application Rundll32 Service Execution Regsvr32 Windows Command Shell Match Legitimate Name or Location Scheduled Task COR_PROFILER Windows Service Modify Registry Threat modeling++ …
  • 9. Threat modeling++ Exploit Public- Facing Application Rundll32 Regsvr32 Service Execution Windows Command Shell Match Legitimate Name or Location Scheduled Task COR_PROFILER Windows Service Modify Registry Initial Access ImpactC2Exfil.Collection Lateral Movement Discovery Cred. Access Defense Evasion Priv. Esc.PersistenceExecution
  • 10. Threat modeling++ Exploit Public- Facing Application Rundll32 Regsvr32 Service Execution Windows Command Shell Match Legitimate Name or Location Scheduled Task COR_PROFILER Windows Service Modify Registry Initial Access ImpactC2Exfil.Collection Lateral Movement Discovery Cred. Access Defense Evasion Priv. Esc.PersistenceExecution
  • 14. Data source Source of information collected by a sensor or logging system that may be used to collect information relevant to identifying the action being performed, sequence of actions, or the results of those actions by an adversary. DLL monitoring Process monitoring Netflow Windows event logs File monitoring …
  • 15. Are ATT&CK data sources sufficient for security operations?
  • 16. How data sources support this process? Adversary Behavior Telemetry Data Sources Modeling Threat Actor Identifying Relevant Data
  • 17. Data Sources Command ProcessProcess Port Ip Process dll Connected to Connected to Created Created Executed Loaded Sysmon 3 Network Connection Sysmon 7 Image Loaded PowerShell 4104 Script Block Logging Threat Actor Model – Data Perspective Relevant Data What data are we generating? What data are we collecting? Effective Detection Strategy Process command-line parameters Process monitoring Netflow Windows event logs File monitoring Security 4624 Successful Logon Zeek Conn Log TCP/UDP/ICMP Osquery Process_events How data sources support this process?
  • 18. ATT&CK data sources mapped to sub-techniques
  • 19. Any opportunities for ATT&CK data sources improvement? https://screenrant.com/lord-rings-movies-gandalf-staffs-grey-white-explained/
  • 20. Some opportunities for improvement are: • Lack of context • Redundancy and overlapping • Too broad scope https://www.pinterest.com/pin/535013630705243890/
  • 21. Opportunity: Lack of context More context will help to map ATT&CK data sources to event logs Sysmon 1 Process Creation Sysmon 3 Network Connection Sysmon 5 Process Terminated Sysmon 8 Create Remote Thread Sysmon 10 Process Access Process Monitoring? ?
  • 22. Opportunity: Redundancy and overlapping Standardize names & account for intersections
  • 23. Opportunity: Too broad scope Breaking down data sources with a broad scope
  • 24. How can we enhance current ATT&CK data sources? https://lotr.fandom.com/wiki/Gandalf
  • 25. Enter data modeling!! A data model is a collection of concepts for organizing data elements and standardizing how they relate to one another.
  • 26. How to identify data elements and relationships? A data dictionary describes a single event log and its corresponding event field names.
  • 27. Documenting event logs via data dictionaries Module dllProcess Loaded Sysmon 7 Image Loaded Field Type Description Sample Value Process Guid String Process Guid of the process that loaded the image {A98268C1-A12A-5ACD- 0000-0010E4C8B300} Process Id Integer Process ID used by the os to identify the process that loaded the image 3532 Image String File path of the process that loaded the image C:WindowsSystem32 cmd.exe Image Loaded String Full path of the image loaded C:WindowsSystem32 msvcrt.dll Description String Description of the image loaded Windows NT CRT DLL
  • 28. Documenting data sources via data dictionaries Module dllProcess Loaded Process IpProcess Connected to PortProcess Connected to IpUser Connected to PortUser Connected to Sysmon 7 Image Loaded Sysmon 3 Network Connection Data fields - ProcessGuid - ProcessId - Image - ImageLoaded - Product - Description - Signed - Signature - SignatureStatus Data fields - ProcessGuid - ProcessId - Image - User - Protocol - SourceIp - SourcePort - DestinationIp - DestinationPort Sysmon 8 Create Remote Thread Data fields - SourceProcessGuid - SourceProcessId - SourceImage - TargetProcessGuid - TargetProcessId - TargetImage - StartModule - StartFunction ProcessProcess Wrote to Sysmon 11 File Create File FileProcess Created Data fields - ProcessGuid - ProcessId - Image - TargetFileName - CreationUtcTime
  • 29. How do these concepts apply to ATT&CK?
  • 30. Adding metadata to ATT&CK data sources Process Sysmon 1 Process Creation Sysmon 3 Network Connection Sysmon 8 Create Remote Thread Sysmon 10 Process Access Security 4688 Process Created Security 5156 Connection Permitted ProcessProcess Created ProcessUser Created IpProcess Connected To IpUser Connected To ProcessProcess Wrote To ProcessProcess Opened Process Network Connection Process Creation Process Modification Process Access Data Sources Components Relationships Event Logs
  • 31. Identifying relevant data via data sources objects Sysmon 7 Image Loaded Sysmon 3 Network Connection Data fields - ProcessGuid - ProcessId - Image - ImageLoaded - Product - Description - Signed - Signature - SignatureStatus Data fields - ProcessGuid - ProcessId - Image - User - Protocol - SourceIp - SourcePort - DestinationIp - DestinationPort Sysmon 8 Create Remote Thread Data fields - SourceProcessGuid - SourceProcessId - SourceImage - TargetProcessGuid - TargetProcessId - TargetImage - StartModule - StartFunction Sysmon 11 File Create Data fields - ProcessGuid - ProcessId - Image - TargetFileName - CreationUtcTime API Auth. logs Process Module Netflow File Windows event logs
  • 32. Identifying relevant data via data sources objects Sysmon 7 Image Loaded Sysmon 3 Network Connection Data fields - ProcessGuid - ProcessId - Image - ImageLoaded - Product - Description - Signed - Signature - SignatureStatus Data fields - ProcessGuid - ProcessId - Image - User - Protocol - SourceIp - SourcePort - DestinationIp - DestinationPort Sysmon 8 Create Remote Thread Data fields - SourceProcessGuid - SourceProcessId - SourceImage - TargetProcessGuid - TargetProcessId - TargetImage - StartModule - StartFunction Sysmon 11 File Create Data fields - ProcessGuid - ProcessId - Image - TargetFileName - CreationUtcTime Identify coverage and gaps ? ? API Auth. logs Process Module Netflow File Windows event logs Windows event logs
  • 33. T1574.012 Hijack Execution Flow: COR_PROFILER PERSISTENCE Data-driven hunt experiment
  • 34. A basic detection research process 1. Research goal definition 2. Initial detection modeling 3. Adversary simulation 4. Detection model definition 5. Detection model validation 6. Documentation & communication
  • 35. 1. Research goal: COR_PROFILER
  • 36. 1. Research goal: COR_PROFILER Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Where will we find this, and more, data?
  • 37. 2. Initial detection modeling: COR_PROFILER Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Process Process creation User Process created Process Process created Sysmon 1 Process Creation File Windows Registry Module Data Sources module load Data Components Windows registry key modification File creation Process File created Relationships Environment Activity Event Logs Sysmon 11 File Creation Process Registry Key Value modified Sysmon 13 Registry Value Set Process dll loaded Sysmon 7 Image Loaded
  • 38. 3. Adversary simulation: COR_PROFILER
  • 39. 4. Detection model: Persistence & COR_PROFILER User Process Process File Process Registry Key Value modifies Process dll loads Before reboot After reboot Data Model creates creates creates Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Environment Activity
  • 40. 4. Detection model: COR_PROFILER Sysmon 13 Registry Value Set Sysmon 1 Process Creation Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Environment Activity
  • 41. 4. Detection model: COR_PROFILER Sysmon 13 Registry Value Set Sysmon 1 Process Creation Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Environment Activity
  • 42. 4. Detection model: CMD.EXE ParentProcess cmd.exe also has more child processes
  • 43. 4. Detection model: COR_PROFILER (Before Rebooting) cmd.exe wmic.exe wmiprvse.exe modifies modifies reg.exe creates modifies Registry Entry e0b3489da74f.dll Inprocserver32 CLSID {11111111-1111-1111-1111- 1111deadbeef} Environment Variable COR_ENABLING_PROFILING Environment Variable COR_PROFILER CLSID {11111111-1111-1111- 1111-1111deadbeef} Data Model Simulation Data creates Registry Entry e0b3489da74f.dll Inprocserver32 CLSID {11111111-1111-1111-1111- 1111deadbeef} Environment Variable COR_ENABLING_PROFILING Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Environment Activity Environment Variable COR_PROFILER CLSID {11111111-1111-1111- 1111-1111deadbeef} Registry Entry e0b3489da74f.dll Inprocserver32 CLSID {11111111-1111-1111-1111- 1111deadbeef} Environment Variable COR_PROFILER CLSID {11111111-1111-1111- 1111-1111deadbeef}
  • 44. 4. Detection model: COR_PROFILER (Before Rebooting) process process process modifies modifies process creates modifies Registry Entry e0b3489da74f.dll Inprocserver32 CLSID {11111111-1111-1111-1111- 1111deadbeef} Environment Variable COR_ENABLING_PROFILING Environment Variable COR_PROFILER CLSID {11111111-1111-1111-1111- 1111deadbeef} Data Model Adversary Behavior creates registry key value Inprocserver32 CLSID {XXX-XXX-XXX-XXX-XXX} registry key value COR_ENABLING_PROFILING Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Environment Activity registry key value COR_PROFILER CLSID {XXX-XXX-XXX-XXX-XXX}
  • 45. 4. Detection model: COR_PROFILER (Before Rebooting) Data Analytic
  • 46. 4. Detection model: COR_PROFILER (Before Rebooting) Data Analytic dll registered using inprocserver and CLSID COR_PROFILER environment variable configured with same CLSID
  • 47. 4. Detection model: COR_PROFILER (Before Rebooting) Data Analytic Results
  • 48. After a nice weekend... https://wifflegif.com/tags/67564-bombur-gifs
  • 49. 4. Detection model: e0b3489da74f.DLL load Sysmon 7 Image Loaded Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Environment Activity
  • 50. 4. Detection model: e0b3489da74f.DLL load Sysmon 7 Image Loaded Creation of malicious dll Use of wmic.exe Modification of the registry to set environment variable Load of dll through .NET processes Environment Activity
  • 51. 4. Detection model: Persistence & COR_PROFILER Data Model Adversary Behavior Before Reboot After Reboot process process process modifies modifies process creates modifies creates registry key value Inprocserver32 CLSID {XXX-XXX-XXX-XXX-XXX} dll registry key value COR_ENABLING_PROFILING registry key value COR_PROFILER CLSID {XXX-XXX-XXX-XXX-XXX} process loads dll
  • 52. 4. Detection model : COR_PROFILER (After Reboot) Data Analytic
  • 53. 4. Detection model : COR_PROFILER (After Reboot) Data Analytic dll registered using inprocserver and CLSID COR_PROFILER environment variable configured with same CLSID dll loaded after reboot
  • 54. 4. Detection model : COR_PROFILER (After Rebooting) Data Analytic Results
  • 55. 4. Detection model : COR_PROFILER (After Rebooting) Data Analytic Results
  • 57. 4. Detection model: Visual Studio 2019 (victim) What else does the victim process do?
  • 58. 4. Detection model: Persistence & COR_PROFILER Data Model Adversary Behavior Before Reboot After Reboot process process process modifies modifies process creates modifies creates registry key value Inprocserver32 CLSID {XXX-XXX-XXX-XXX-XXX} dll registry key value COR_ENABLING_PROFILING registry key value COR_PROFILER CLSID {XXX-XXX-XXX-XXX- XXX} process loads process ip Connects to process dll creates creates
  • 59. 4. Detection model : COR_PROFILER (After Reboot) Data Analytic
  • 60. 4. Detection model : COR_PROFILER (After Reboot) Data Analytic dll registered using inprocserver and CLSID COR_PROFILER environment variable configured with same CLSID dll loaded after reboot Child process of process that loaded dll Child process making a network connection
  • 61. 5. Detection model: Persistence & COR_PROFILER
  • 62. 5. Detection model: Persistence & COR_PROFILER regsvr32.exe connected to 151.101.208.133 after being spawned by a powershell.exe that loaded e0b3489da74f.dll due to COR_PROFILER environment variables set by wmiprvse.exe and reg.exe
  • 63. 6. Documentation and communication Before Reboot After Reboot process process process modifies modifies process creates modifies creates registry key value Inprocserver32 CLSID {XXX-XXX-XXX-XXX-XXX} dll registry key value COR_ENABLING_PROFILING registry key value COR_PROFILER CLSID {XXX-XXX-XXX-XXX- XXX} process loads process ip Connects to process dll creates creates
  • 64. 6. Documentation and communication Before Reboot After Reboot process process process modifies modifies process creates modifies creates registry key value Inprocserver32 CLSID {XXX-XXX-XXX-XXX-XXX} dll registry key value COR_ENABLING_PROFILING registry key value COR_PROFILER CLSID {XXX-XXX-XXX-XXX- XXX} process loads process ip Connects to process dll creates creates Behavior Context
  • 65. Conclusion •Modeling data sources can provide more context •We can use this enhanced understanding of data sources and their relationships to more effectively uncover ATT&CK behaviors
  • 66. Contact info and relevant links • attack.mitre.org • redcanary.com/blog/ blue-mockingbird-cryptominer/ • redcanary.com/blog/ cor_profiler-for-persistence/ • 3gstudent.github.io/ 3gstudent.github.io/ Use-CLR-to-maintain-persistence/ Jose Rodriguez @Cyb3rPandaH Jamie Williams @jamieantisocial MITRE ATT&CK @MITREattack • github.com/redcanaryco/atomic-red-team • github.com/Cyb3rWard0g/HELK • github.com/OTRF/OSSEM • github.com/OTRF/Mordor • mitre.org/sites/default/files/publications/ pr-19-3892-ttp-based-hunting.pdf