
Automated, Collection, and Enrichment (ACE)


Black Hat Arsenal presentation introducing the Automated Collection and Enrichment (ACE) platform, a suite of tools that lets threat hunters collect data from many endpoints in a network and automatically enrich it.

Published in: Technology


  1. Automated Collection & Enrichment (ACE)
     Jared Atkinson & Robby Winchester
  2. Overview
     ● Concept
     ● Setup
       ○ System Requirements
       ○ Architecture
       ○ System Management
     ● Collection
     ● Automation
     ● Enrichment
     ● Data Export
     ● Future
  3. What is ACE
     ● An open source solution that enables agentless threat hunting in an environment
     ● Allows for scanning of remote Windows and macOS/Linux systems
       ○ Only requires Local Admin access
       ○ macOS requires SSH enabled for a “sudoer” account
     ● Can perform host scans or be scheduled for routine use in an enterprise
  4. Why ACE?
     ● As consultants performing Compromise Assessments, we rarely have the authority or ability to alter a customer’s environment to support assessment operations
     ● No external dependencies or agent to install
     ● Executes solely in memory with nothing being written to disk
     ● JSON formatted output allows for easy ingestion into the SIEM of choice
     ● It’s free!
  5. Architecture Overview
     [Diagram: components ACE, Management System, Target Network; labelled flows: Scan Tasking, Scan to Target Systems, Download Script & Return Results, Enriched Data]
  6. ACE Architecture
     ● Enrichments - enriches scan data; outputs data from ACE
     ● ACE Management - hosts users/computers/creds; backend management of ACE
     ● Web Server - initiates scan activity; hosts scanning scripts; receives host data
     ● Management System - performs tasking
  7. System Management
     ● Users - Internal ACE system accounts
       ○ Create, Enumerate, Remove, Update
     ● Credentials - Credentials to target systems
       ○ Add, Enumerate
     ● Scripts - Scans being run on remote systems
       ○ Add, Enumerate
     ● Computers - Computers in target environment
       ○ AD & Computer List Discovery
  8. System Management
     [Diagram: components Web Server, Enrichments, ACE Management, Management System; labelled flows: Add/Remove ACE Objects, ACE information (Users/Credentials/Computers), Discovery]
  9. Automation
     ● The architecture of ACE allows for easy configuration and use
     ● Schedule scans
       ○ Time in future
       ○ Repeat scan ‘x’ times at ‘y’ interval
       ○ Can specify desired scripts/computers per scan
     ● Takes care of the collection process behind the scenes
       ○ Tasking and script execution
       ○ Upload of completed scan data
  10. Automation
     [Diagram: components Web Server, Enrichments, ACE Management, Management System; labelled flows: Download Scripts, Scheduling, Results, Relay Tasking, Access ACE Information for Scan]
  11. Collection
     ● Scripts
       ○ Windows - PowerShell (PS v2 compatible)
       ○ macOS/Linux - Python (2.7 with no dependencies)
     ● Downloaded and executed from the Web Server
     ● Results uploaded to the web server via HTTPS POST requests
  12. Collection
     [Diagram: components Web Server, Enrichments, ACE Management, Management System; labelled flows: Download Scripts, Scan Taskings, Results, Relay Tasking, Access ACE Information for Scan]
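What a collection script of the kind slide 11 describes actually produces is easiest to see in code. The block below is an added illustration, not one of ACE's own scripts: it inventories a directory tree, hashes each regular file, serialises the records as flat JSON (one object per line) and builds the HTTPS POST that would carry them back to the web server. It is Python 3 standard library only, whereas ACE's scripts target Python 2.7 and PowerShell v2; the record field names, the `file_inventory` script identifier, the `/results` endpoint and the sample files are all assumptions.

```python
"""ACE-style file inventory collector (added example, not ACE's own script)."""
import hashlib
import json
import os
import socket
import tempfile
import urllib.request

# Hash in fixed-size chunks so a large binary is never read into memory at once.
CHUNK = 64 * 1024


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def collect_files(root, hostname=None):
    """Return one flat dict per regular file under root (assumed field layout)."""
    hostname = hostname or socket.gethostname()
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip it rather than abort the scan
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and devices so hashing cannot stall on them
            records.append({
                "hostname": hostname,
                "script": "file_inventory",  # assumed script identifier
                "path": path,
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": sha256_file(path),
            })
    return records


def to_jsonl(records):
    """Flat JSON, one object per line: the shape ACE exports for SIEM ingestion."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in records)


def build_upload_request(url, jsonl):
    """Build (but do not send) the HTTPS POST returning results to the web server.

    The endpoint path and content type are assumptions; the deck only states that
    results travel back over HTTPS POST.
    """
    body = jsonl.encode("utf-8")
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-ndjson"},
    )


def demo():
    """Run the collector over a constructed temp directory; return (records, request)."""
    root = tempfile.mkdtemp(prefix="ace_demo_")
    with open(os.path.join(root, "hello.txt"), "w") as fh:
        fh.write("hello")  # constructed sample content
    os.mkdir(os.path.join(root, "sub"))
    open(os.path.join(root, "sub", "empty.bin"), "wb").close()
    records = collect_files(root, hostname="host-01.example")
    req = build_upload_request("https://ace-web.example/results", to_jsonl(records))
    return records, req


if __name__ == "__main__":
    recs, request = demo()
    print(to_jsonl(recs), end="")
    print("would POST", request.full_url, "with", len(request.data), "bytes")
```

The request is built but never sent, so the script runs offline; in a real deployment `urllib.request.urlopen(req)` would deliver it, and the web server's TLS certificate should be validated rather than disabled, since the results contain hostnames and file paths from every scanned endpoint.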
  13. Enrichment
     ● RabbitMQ messaging system used for enrichment
       ○ Queues and exchanges used to manage the data
       ○ Uses the AMQP 0.9.1 messaging protocol
     ● Currently supports VirusTotal enrichment via the public API
     ● Allows for easy additional custom enrichments
       ○ Currently all written in C#; however, RabbitMQ clients exist for Python, Java, Ruby, PHP, JavaScript, Go, Elixir, Objective-C, Swift, and Spring AMQP
  14. Enrichment
     [Diagram: components Web Server, Enrichments, ACE Management, Management System; labelled flows: Scan Results, Scan Results for Enrichment, Enriched Data]
  15. RabbitMQ Enrichment Process
     [Diagram: queues Pre_Hash, File, SIEM; ACE Exchange (X); VirusTotal Hash Match (C), FileWriter (C), SIEM (P), ACE Web Server (C/P); C, P and X mark consumer, producer and exchange roles]
  16. Data Export
     ● Enriched data can currently be exported from ACE in two ways
       ○ Pulled from a RabbitMQ queue straight into a SIEM (such as ELK)
         ■ Logstash can map to a RabbitMQ input
       ○ Written out to flat files
     ● All data is formatted as flat JSON, one object per line
       ○ Easily imported into the SIEM of choice for analysis
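The enrichment topology on slides 13 and 15 and the two export paths on slide 16 can be modelled end to end without a broker. The block below is an added example, not ACE's C# enrichment code: scan records are published to a `Pre_Hash` queue, a hash-match consumer enriches each one and publishes the result to an `ACE` fan-out exchange bound to a `File` queue (drained by a FileWriter) and a `SIEM` queue (what Logstash would read from a RabbitMQ input). Plain `queue.Queue` objects stand in for RabbitMQ so it runs offline, the reputation table is a constructed stand-in for the VirusTotal public API, and the record fields, queue names and sample hashes are all assumptions.

```python
"""In-memory model of ACE's RabbitMQ enrichment pipeline (added example)."""
import json
import queue
import tempfile

# Constructed reputation table standing in for a VirusTotal hash lookup.
KNOWN_HASHES = {
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":
        {"positives": 0, "total": 60},
    "00000000000000000000000000000000000000000000000000000000deadbeef":
        {"positives": 42, "total": 60},  # constructed "bad" hash
}

# Constructed scan output in ACE's flat one-object-per-line shape (field names assumed).
SCAN_RECORDS = [
    {"hostname": "host-01.example", "path": "/usr/share/hello.txt",
     "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"},
    {"hostname": "host-02.example", "path": "/tmp/dropper.bin",
     "sha256": "00000000000000000000000000000000000000000000000000000000deadbeef"},
    {"hostname": "host-03.example", "path": "/opt/internal/tool",
     "sha256": "f" * 64},  # never seen by the lookup: stays unknown, not "clean"
]


class Exchange:
    """Fan-out exchange: every bound queue receives a copy of each message."""

    def __init__(self):
        self.bindings = []

    def bind(self, q):
        self.bindings.append(q)

    def publish(self, message):
        for q in self.bindings:
            q.put(message)


def lookup_hash(sha256, table=KNOWN_HASHES):
    """Stand-in for the VirusTotal public-API call; distinguishes unknown from clean."""
    hit = table.get(sha256.lower())
    if hit is None:
        return {"vt_known": False, "vt_positives": None, "vt_total": None}
    return {"vt_known": True, "vt_positives": hit["positives"], "vt_total": hit["total"]}


def _drain(q):
    """Yield messages until the queue is empty (a blocking consumer in a real broker)."""
    while True:
        try:
            yield q.get_nowait()
        except queue.Empty:
            return


def hash_match_consumer(pre_hash, exchange, table=KNOWN_HASHES):
    """Consume Pre_Hash, enrich each record, publish it to the ACE exchange."""
    count = 0
    for raw in _drain(pre_hash):
        record = json.loads(raw)
        record.update(lookup_hash(record.get("sha256", ""), table))
        exchange.publish(json.dumps(record, sort_keys=True))
        count += 1
    return count


def file_writer_consumer(file_q, path):
    """FileWriter: append enriched records to a flat JSONL file; return lines written."""
    n = 0
    with open(path, "a") as fh:
        for msg in _drain(file_q):
            fh.write(msg + "\n")
            n += 1
    return n


def siem_consumer(siem_q):
    """Return the records a SIEM reading the SIEM queue would ingest."""
    return [json.loads(msg) for msg in _drain(siem_q)]


def flagged_hosts(enriched):
    """Hosts with at least one positive detection: the hunter's first pivot."""
    return sorted({r["hostname"] for r in enriched if r["vt_known"] and r["vt_positives"]})


def run_pipeline(records, out_path=None):
    """Wire queues and exchange as on the slide; return (siem_records, lines_written, path)."""
    out_path = out_path or tempfile.NamedTemporaryFile(suffix=".jsonl", delete=False).name
    pre_hash, file_q, siem_q = queue.Queue(), queue.Queue(), queue.Queue()
    ace_exchange = Exchange()
    ace_exchange.bind(file_q)
    ace_exchange.bind(siem_q)
    for r in records:  # the web server acting as producer
        pre_hash.put(json.dumps(r))
    hash_match_consumer(pre_hash, ace_exchange)
    written = file_writer_consumer(file_q, out_path)
    return siem_consumer(siem_q), written, out_path


if __name__ == "__main__":
    siem, written, path = run_pipeline(SCAN_RECORDS)
    print(written, "records written to", path)
    print("flagged hosts:", flagged_hosts(siem))
```

The fan-out exchange is what makes both export paths of slide 16 cheap: one published message reaches the file queue and the SIEM queue without the enrichment code knowing who consumes it. Keeping `vt_known` separate from `vt_positives` matters for hunting, since a hash the public API has never seen (host-03 above) is unknown, not clean, and should not be filtered out alongside hashes that scored zero.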
  17. Future Enhancements
     ● Simplified Deployment - 4 Aug
     ● Sweep Tracking - ~2 months
     ● Additional Scanning Scripts - Ongoing
       ○ Add wider Linux/Unix support
       ○ Additional Windows scripts
     ● Additional Protocol Support - Ongoing
     ● Additional Enrichments - Ongoing
       ○ IP Reputation
     ● Web GUI - TBD