Black Hat Arsenal presentation introducing the Automated Collection and Enrichment (ACE) platform, a suite of tools that lets threat hunters collect data from many endpoints in a network and automatically enrich that data.
2. Overview
● Concept
● Setup
○ System Requirements
○ Architecture
○ System Management
● Collection
● Automation
● Enrichment
● Data Export
● Future
3. What is ACE
● An open source solution that enables agentless threat hunting in an environment
● Allows for scanning of remote Windows and macOS/Linux systems
○ Only requires Local Admin access
○ macOS requires SSH enabled for a “sudoer” account
● Can perform host scans or be scheduled for routine use in an enterprise
4. Why ACE?
● As consultants performing Compromise Assessments, we rarely have the authority or ability to alter a customer’s environment to support assessment operations
● No external dependencies and no agent to install
● Executes solely in memory, with nothing written to disk
● JSON-formatted output allows for easy ingestion into the SIEM of choice
● It’s free!
5. Architecture Overview
[Diagram: the Management System sends scan tasking to ACE; ACE scans the target systems in the Target Network, which download the script and return results; ACE outputs the enriched data.]
6. ACE Architecture
● Web Server
○ Initiates scan activity
○ Hosts scanning scripts
○ Receives host data
● Enrichments
○ Enriches scan data
○ Outputs data from ACE
● ACE Management
○ Hosts users/computers/creds
○ Backend management of ACE
● Management System
○ Performs tasking
7. System Management
● Users - Internal ACE system accounts
○ Create, Enumerate, Remove, Update
● Credentials - Credentials to target systems
○ Add, Enumerate
● Scripts - Scans being run on remote systems
○ Add, Enumerate
● Computers - Computers in target environment
○ AD & Computer List Discovery
9. Automation
● Architecture of ACE allows for easy configuration and use
● Schedule scans
○ Time in future
○ Repeat Scan ‘x’ times at ‘y’ interval
○ Can specify desired scripts/computers per scan
● Takes care of the collection process behind the scenes
○ Tasking and script execution
○ Upload of completed scan data
11. Collection
● Scripts
○ Windows - PowerShell (PS v2 compatible)
○ macOS/Linux - Python (2.7 with no dependencies)
● Downloaded from the Web Server and executed in memory on the target
● Results uploaded to the Web Server via HTTPS POST requests
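The collection path above, as an added example that is not ACE's own script: a stdlib-only collector in the style of the macOS/Linux scanning scripts. It enumerates processes with ps, hashes each executable it can read, emits one flat JSON object per line, and POSTs the body back to the web server without touching the target's disk. The function names, the field layout (host.*, process.*) and the upload URL are assumptions made for this example; the ps output in the test is constructed.

```python
# Added example, not code from the ACE project. Runs on Python 2.7 or 3 with
# no third-party dependencies, matching the constraint on ACE's macOS/Linux scripts.
import hashlib
import json
import platform
import socket
import subprocess
import time

try:  # Python 3
    from urllib.request import Request, urlopen
except ImportError:  # Python 2.7
    from urllib2 import Request, urlopen


def flatten(record, parent="", sep="."):
    """Flatten nested dicts into dotted keys so every output line is one flat JSON object."""
    out = {}
    for key, value in record.items():
        name = parent + sep + key if parent else key
        if isinstance(value, dict):
            out.update(flatten(value, name, sep))
        else:
            out[name] = value
    return out


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, or None when it cannot be read (permissions, kernel threads, missing path)."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as handle:
            for block in iter(lambda: handle.read(chunk_size), b""):
                digest.update(block)
    except (IOError, OSError):
        return None
    return digest.hexdigest()


def parse_ps(text):
    """Parse 'ps -A -o pid=,ppid=,user=,comm=' output; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 3)  # command may itself contain spaces
        if len(parts) != 4:
            continue
        pid, ppid, user, command = parts
        try:
            pid, ppid = int(pid), int(ppid)
        except ValueError:
            continue
        records.append({"pid": pid, "ppid": ppid, "user": user, "command": command})
    return records


def collect_processes():
    """Run ps (present on both macOS and Linux) and hash each executable that is a readable path."""
    output = subprocess.check_output(["ps", "-A", "-o", "pid=,ppid=,user=,comm="])
    if not isinstance(output, str):
        output = output.decode("utf-8", "replace")
    records = parse_ps(output)
    for record in records:
        # macOS ps reports a full path in comm; Linux reports a bare name, which open() cannot resolve.
        command = record["command"]
        record["sha256"] = sha256_file(command) if command.startswith("/") else None
    return records


def to_ndjson(records, host):
    """Serialize records as flat JSON, one object per line, each tagged with host metadata."""
    lines = []
    for record in records:
        flat = flatten({"host": host, "process": record})
        lines.append(json.dumps(flat, sort_keys=True, separators=(",", ":")))
    return "\n".join(lines) + ("\n" if lines else "")


def host_metadata():
    return {"name": socket.gethostname(), "os": platform.system(), "collected_at": int(time.time())}


def upload(url, body):
    """POST the NDJSON body to the web server over HTTPS (the URL is an assumption of this example)."""
    request = Request(url, data=body.encode("utf-8"), headers={"Content-Type": "application/x-ndjson"})
    return urlopen(request, timeout=30).getcode()


if __name__ == "__main__":
    body = to_ndjson(collect_processes(), host_metadata())
    print(body)  # or: upload("https://ace-webserver.example/upload", body)
```

Keeping parse_ps separate from the subprocess call is what makes the collector testable offline; the same split between "gather" and "serialize" is what lets the server side treat every host's upload identically.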
13. Enrichment
● RabbitMQ messaging system used for enrichment
○ Queues and exchanges used to manage the data
○ Uses AMQP 0.9.1 messaging protocol
● Currently supports enrichment via the VirusTotal public API
● Allows for easy additional custom enrichments
○ Currently all written in C#; however, RabbitMQ client libraries exist for Python, Java, Ruby, PHP, JavaScript, Go, Elixir, Objective-C, Swift, and Spring AMQP
16. Data Export
● Enriched data can currently be exported from ACE two ways
○ Pulled from a RabbitMQ queue straight into a SIEM (such as ELK)
■ Logstash’s rabbitmq input plugin can consume the queue
○ Written out to flat files
● All data is formatted as flat JSON, one object per line
○ Easily can import into SIEM of choice for analysis
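The enrichment and export steps above, as an added example that is not ACE's own code (ACE's enrichments are written in C#). It takes the flat one-object-per-line JSON produced by collection, looks up each process hash, caches verdicts so a hash seen on many hosts is queried once, throttles lookups to a per-minute quota, and writes the enriched records back out as flat JSON for either the flat-file export or a SIEM. In ACE the records arrive from a RabbitMQ queue; here they come from a constructed in-memory string so the block runs offline, and the VirusTotal call is replaced by a constructed lookup table. The class and function names, the enrichment.vt.* field names, and the quota value are assumptions of this example.

```python
# Added example, not code from the ACE project. Constructed input and a
# constructed stand-in for the VirusTotal file-report lookup.
import json
import time


class RateLimiter:
    """Spaces calls so that no more than per_minute are made per minute; clock/sleep are injectable."""

    def __init__(self, per_minute, clock=time.time, sleep=time.sleep):
        self.interval = 60.0 / per_minute
        self.clock, self.sleep = clock, sleep
        self.next_allowed = 0.0

    def wait(self):
        now = self.clock()
        if now < self.next_allowed:
            self.sleep(self.next_allowed - now)
            now = self.next_allowed
        self.next_allowed = now + self.interval


# Constructed stand-in for file-report responses (assumption, not real VirusTotal data).
# The first key is the SHA-256 of empty input; the second is a made-up "bad" hash.
CONSTRUCTED_VT = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": {"positives": 0, "total": 60},
    "a" * 64: {"positives": 43, "total": 61},
}


def vt_lookup_constructed(sha256):
    """Returns a report dict or None when the hash is unknown, mirroring a 'not found' API answer."""
    return CONSTRUCTED_VT.get(sha256)


class Enricher:
    def __init__(self, lookup, limiter):
        self.lookup, self.limiter = lookup, limiter
        self.cache = {}      # sha256 -> report or None
        self.lookups = 0     # how many real lookups were spent

    def verdict(self, sha256):
        if sha256 not in self.cache:
            self.limiter.wait()
            self.lookups += 1
            self.cache[sha256] = self.lookup(sha256)
        return self.cache[sha256]

    def enrich(self, record):
        """Return a copy of the flat record with enrichment.vt.* keys added; never nests values."""
        out = dict(record)
        sha256 = record.get("process.sha256")
        if not sha256:
            out["enrichment.vt.status"] = "no_hash"
            return out
        report = self.verdict(sha256)
        if report is None:
            out["enrichment.vt.status"] = "not_found"
            return out
        out["enrichment.vt.status"] = "found"
        out["enrichment.vt.positives"] = report["positives"]
        out["enrichment.vt.total"] = report["total"]
        out["enrichment.vt.suspicious"] = report["positives"] > 0
        return out


def parse_ndjson(text):
    """One JSON object per line; blank and malformed lines are dropped rather than aborting the batch."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        try:
            records.append(json.loads(raw))
        except ValueError:
            continue
    return records


def enrich_ndjson(text, enricher):
    """Consume flat NDJSON, enrich every record, and emit flat NDJSON ready for a flat file or SIEM."""
    lines = [json.dumps(enricher.enrich(r), sort_keys=True, separators=(",", ":"))
             for r in parse_ndjson(text)]
    return "\n".join(lines) + ("\n" if lines else "")


# Constructed scan output: two hosts sharing one hash, an empty-file hash, a record
# without a hash (unreadable executable), and a hash the lookup has never seen.
SAMPLE_SCAN = "\n".join([
    json.dumps({"host.name": "ws01", "process.pid": 412, "process.sha256": "a" * 64}),
    json.dumps({"host.name": "ws02", "process.pid": 777, "process.sha256": "a" * 64}),
    json.dumps({"host.name": "ws01", "process.pid": 1, "process.sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}),
    json.dumps({"host.name": "ws01", "process.pid": 2, "process.sha256": None}),
    json.dumps({"host.name": "ws03", "process.pid": 9, "process.sha256": "b" * 64}),
    "this line is not json",
]) + "\n"

if __name__ == "__main__":
    worker = Enricher(vt_lookup_constructed, RateLimiter(per_minute=4))
    print(enrich_ndjson(SAMPLE_SCAN, worker))
```

To run this against a real queue, the body of enrich_ndjson becomes the callback passed to pika's channel.basic_consume, with each message enriched and republished to the output exchange; the cache and limiter are what keep a sweep of a few thousand hosts from burning the public API quota on the same system binaries over and over.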
17. Future Enhancements
● Simplified Deployment - 4 Aug
● Sweep Tracking - ~2 months
● Additional Scanning Scripts - Ongoing
○ Add wider Linux/Unix support
○ Additional Windows scripts
● Additional Protocol Support - Ongoing
● Additional Enrichments - Ongoing
○ IP Reputation
● Web GUI - TBD