In this presentation, Jared Atkinson and Jonathan Johnson discuss a problem many security professionals face today: how exactly do I know that my detection will actually detect the thing I want it to detect? They discuss the importance of testing telemetry coverage, and of using abstraction to build a representative sample set of Atomic tests that validates detection coverage.
Scripts used in the presentation can be found below:
Process Access: https://gist.github.com/jaredcatkinson/9c7a1af2261a752432230a4148ecfe02
Process Read: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.ps1
5. [Tool] Out-Minidump
• A PowerShell script used to generate a full-memory minidump of a process.
• Written by Matt Graeber (@mattifestation) in 2013.
• Based on procdump's -ma switch, without the need for a 3rd party binary.
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1
7. [Tool] Sharpdump
• A C# port of PowerSploit’s Out-Minidump.
• Written by Will “harmj0y” Schroeder in 2018.
• Used to produce a minidump for a specified process.
• Default behavior is to dump LSASS.
https://github.com/GhostPack/SharpDump
10. [Concept] Synonyms
• A concept derived from Aristotle's The Categories.
• Synonyms - two literally distinct instances (tools) that are equivalent at some higher level of abstraction.
• There is an effectively infinite number of variations of any particular technique.
• Abstraction allows the variations to be grouped at multiple levels of resolution.
• Can be used as a heuristic for similarity.
• Can be treated similarly to "morphological distance" when comparing organisms.
• Tools that are synonymous at higher-resolution (less abstract) levels can be considered more similar.
• Tools that are synonymous only at lower-resolution (more abstract) levels are more different.
• Similarity is an important input for determining a sample set.
• We cannot test the infinite set of variations, but we can test a representative sample.
• We can use similarity metrics to determine the optimal sample.
https://posts.specterops.io/on-detection-tactical-to-functional-ceb3ad0e3809
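The similarity heuristic on this slide can be made concrete. The Python below is an added example written for this page, not code from the presentation or from the linked post: it borrows the level names (literal, functional, operation, procedure, technique) from that post, but the choice of levels, the constructed descriptions of each tool (the operation and functional chains are illustrative simplifications, not an audit of each tool's source) and the scoring are this example's own assumptions. It computes the least abstract level at which two tools are synonyms, turns that into a distance, and then picks one representative per equivalence class at a chosen resolution, which is the "representative sample" the slide argues for.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Abstraction ladder, least abstract first. Level names follow the
# "Tactical to Functional" post linked above; which levels to use, and the
# tool descriptions below, are this example's own modelling choices.
LEVELS: Tuple[str, ...] = ("literal", "functional", "operation", "procedure", "technique")


@dataclass(frozen=True)
class Tool:
    name: str
    levels: Tuple[str, ...]  # one description per entry in LEVELS, same order

    def at(self, level: str) -> str:
        return self.levels[LEVELS.index(level)]


def synonym_level(a: Tool, b: Tool) -> Optional[str]:
    """Least abstract level at which a and b are synonyms.

    Synonymy at a level requires agreement at that level and at every more
    abstract level above it. None means they are not even the same technique.
    """
    found = None
    for level in reversed(LEVELS):  # walk from most abstract downwards
        if a.at(level) != b.at(level):
            break
        found = level
    return found


def distance(a: Tool, b: Tool) -> int:
    """Morphological-distance style score: 0 = the same literal tool,
    len(LEVELS) = nothing in common at any level."""
    level = synonym_level(a, b)
    return len(LEVELS) if level is None else LEVELS.index(level)


def equivalence_key(tool: Tool, resolution: str) -> Tuple[str, ...]:
    """The part of a tool's description visible at `resolution` and above."""
    return tool.levels[LEVELS.index(resolution):]


def representative_sample(tools: List[Tool], resolution: str) -> List[str]:
    """One tool per equivalence class at the chosen resolution. Testing this
    sample exercises every variation a sensor could tell apart at that level;
    everything else in the (unbounded) variation set is a synonym of a chosen tool."""
    chosen: Dict[Tuple[str, ...], str] = {}
    for tool in tools:
        chosen.setdefault(equivalence_key(tool, resolution), tool.name)
    return sorted(chosen.values())


# Constructed descriptions of the LSASS dumpers on the slides plus two more
# T1003.001 variations. Operation and functional chains are illustrative
# simplifications written for this example, not a reading of each tool's source.
TECH = "T1003.001 OS Credential Dumping: LSASS Memory"
DUMP_PROC = "write a full LSASS minidump to disk for offline parsing"
DUMP_OPS = "Process Access -> Process Read -> File Write"
API_CHAIN = "OpenProcess -> MiniDumpWriteDump -> WriteFile"

OUT_MINIDUMP = Tool("Out-Minidump", ("Out-Minidump.ps1 (PowerShell)", API_CHAIN, DUMP_OPS, DUMP_PROC, TECH))
SHARPDUMP = Tool("SharpDump", ("SharpDump.exe (C#)", API_CHAIN, DUMP_OPS, DUMP_PROC, TECH))
PROCDUMP = Tool("ProcDump -ma", ("procdump.exe -ma lsass.exe (native)", API_CHAIN, DUMP_OPS, DUMP_PROC, TECH))
DUMPERT = Tool("Dumpert", ("Dumpert.exe (C, direct syscalls)",
                           "NtOpenProcess -> NtReadVirtualMemory -> NtWriteFile as direct syscalls (assumed)",
                           DUMP_OPS, DUMP_PROC, TECH))
MIMIKATZ = Tool("mimikatz sekurlsa", ("mimikatz.exe sekurlsa::logonpasswords",
                                      "OpenProcess -> ReadProcessMemory",
                                      "Process Access -> Process Read",
                                      "parse credentials out of LSASS memory in place", TECH))
TOOLS = [OUT_MINIDUMP, SHARPDUMP, PROCDUMP, DUMPERT, MIMIKATZ]


if __name__ == "__main__":
    for a in TOOLS:
        for b in TOOLS:
            if a.name < b.name:
                print(f"{a.name:18} vs {b.name:18} synonyms at {synonym_level(a, b)} (distance {distance(a, b)})")
    for res in LEVELS:
        print(f"sample at {res:9} resolution: {representative_sample(TOOLS, res)}")
```

Run as written, the script shows Out-Minidump and SharpDump as synonyms at the functional level (distance 1), Out-Minidump and Dumpert only at the operation level (distance 2), and Out-Minidump and mimikatz only at the technique level (distance 4). The sample shrinks as the resolution coarsens: five tools at the literal level, three at the functional level, two at the operation level, one at the technique level. The resolution to sample at is whichever level your telemetry actually distinguishes; a sensor that only sees the operation (a handle to LSASS with read access) gains nothing from testing three functionally distinct tools that all perform it.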
12. [Tool] Dumpert
• LSASS memory dumper using direct system calls.
• Written by the team at Outflank (@OutflankNL) in 2019.
• Replaces the high-level Win32 API calls (and the ntdll.dll stubs beneath them) with direct system calls, so the calls never pass through user-mode hooks.
• This creates evasion opportunities against "naïve" EDR sensors that depend on user-mode API hooking for their visibility.
https://github.com/outflanknl/Dumpert
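To see why direct syscalls matter for telemetry coverage rather than for a single detection rule, the Python below is an added example written for this page, not code from the presentation or from Dumpert. It runs two toy sensor models over three constructed Sysmon Event ID 10 (ProcessAccess) style records (every path, offset, GUID-free field and access mask is made up for the example). The first model stands in for a user-mode hooking sensor: it only observes the handle open when the call stack passed through ntdll.dll, which a direct syscall never does. The second stands in for kernel-side handle telemetry, where the handle is granted in the kernel regardless of how user mode asked for it. Both models are simplifications made for this example, not a description of any particular product.

```python
from typing import Dict, List

# Access-mask bit from the Win32 PROCESS_* constants: the right every memory
# dumper needs on its LSASS handle, whichever API it uses to exercise it.
PROCESS_VM_READ = 0x0010

# Constructed Sysmon Event ID 10 style records in a key/value layout. Every
# value is made up for this example; none is a capture of the tools on the
# slides. Record 1 stands in for an API-based dumper (Out-Minidump / SharpDump
# style), record 2 for a direct-syscall dumper (Dumpert style), record 3 for
# routine access that carries no read right.
SAMPLE_EVENTS = """\
SourceImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d0a4|C:\\Windows\\System32\\KERNELBASE.dll+2a04f|C:\\Windows\\System32\\dbghelp.dll+5e2c1

SourceImage: C:\\Users\\victim\\Desktop\\dumper.exe
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\\Users\\victim\\Desktop\\dumper.exe+1a2f|C:\\Users\\victim\\Desktop\\dumper.exe+10c3|C:\\Windows\\System32\\KERNEL32.DLL+17bd4

SourceImage: C:\\Windows\\System32\\svchost.exe
TargetImage: C:\\Windows\\system32\\lsass.exe
GrantedAccess: 0x1000
CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d0a4|C:\\Windows\\System32\\KERNELBASE.dll+2a04f
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the text into one dict per blank-line-separated record."""
    events = []
    for block in text.strip().split("\n\n"):
        event: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            event[key] = value
        events.append(event)
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def targets_lsass_memory(event: Dict[str, str]) -> bool:
    """A handle to lsass.exe whose granted mask includes PROCESS_VM_READ."""
    granted = int(event["GrantedAccess"], 16)
    return basename(event["TargetImage"]) == "lsass.exe" and bool(granted & PROCESS_VM_READ)


def hooked_api_sensor(event: Dict[str, str]) -> bool:
    """Toy model of a user-mode hooking sensor. Its hook sits in ntdll's exported
    stubs, so it only sees the open when the call flowed through ntdll, which
    appears as ntdll.dll in the innermost (first) call-stack frame. A direct
    syscall executes the syscall instruction inside the caller's own image and
    never reaches the hook. Modelling assumption made for this example."""
    innermost = event["CallTrace"].split("|")[0]
    return targets_lsass_memory(event) and "ntdll.dll" in innermost.lower()


def kernel_handle_sensor(event: Dict[str, str]) -> bool:
    """Toy model of kernel-side handle telemetry (object callbacks, the kind of
    source Sysmon's ProcessAccess event is built on). The handle is granted in
    the kernel however user mode asked for it, so the call stack is irrelevant."""
    return targets_lsass_memory(event)


def evaluate(text: str) -> Dict[str, List[str]]:
    """Run both sensor models over the records and return, per model, the
    source image names that tripped it."""
    events = parse_events(text)
    return {
        "hooked_api_sensor": [basename(e["SourceImage"]) for e in events if hooked_api_sensor(e)],
        "kernel_handle_sensor": [basename(e["SourceImage"]) for e in events if kernel_handle_sensor(e)],
    }


if __name__ == "__main__":
    for sensor, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{sensor}: {hits}")
```

The hooked-API model flags only the PowerShell record; the kernel-side model flags both dumpers and ignores the 0x1000 (query-only) access. This is the coverage question the presentation poses: Out-Minidump and SharpDump are functional synonyms, so a test built from either one says nothing about Dumpert if the sensor under test lives in user mode, whereas telemetry keyed on the Process Access operation itself (the kind the Process Access and Process Read harness scripts linked at the top of this page exercise) sees all three as the same operation.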