Mapping Detection Coverage
Jared Atkinson and Jonathan Johnson
© 2022 Specter Ops, Inc.
@jsecurity101
• Consultant @ SpecterOps
  • Detection, Threat Hunting, Compromise Assessments
• Defensive Security Researcher
  • Windows Internals, All Things Data, Reverse Engineering
• Open-Source Author/Contributor
  • Atomic Test Harnesses
  • The Defender’s Guide
  • MSRPC-To-ATT&CK
  • Windows APIs To Sysmon-Events
• Formerly Sr. Threat Researcher @ Red Canary
• Host of the Detection: Challenging Paradigms Podcast
@jaredcatkinson
• Chief Strategist @ SpecterOps
• Host of the Detection: Challenging Paradigms Podcast
• Open-Source Developer
  • PowerForensics
  • PSReflect-Functions
• Writer
  • On Detection: Tactical to Functional Series
  • https://posts.specterops.io/on-detection/home
• Formerly U.S. Air Force Hunt Team
Problem Statement
• What is the optimal way to build and evaluate detective controls?
  • It seems that consumers are hungry for this answer.
  • Vendors seem to be hand waving the solution.
  • There tends to be a feeling that detection is an art, not a science.
• Can we establish a scientific process for building and evaluating controls?
  • If so, what are the inputs to this process?
  • Are there ways to categorize differences between variations to provide more meaning?
• This leads us to two sub-questions:
  • How do I know that my sensory capability is what I think it is?
  • How do I know that my detection rule is calibrated for the full threat?
[Tool] Out-Minidump
• A PowerShell script used to generate a full-memory process minidump.
• Written by Matt Graeber (@mattifestation) in 2013.
• Based on procdump’s -ma switch, without the need for a third-party binary.
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1
Functional Analysis – Out-Minidump
• Relies on the System.Diagnostics.Process .NET class to find the LSASS PID.
  • This calls ntdll!NtQuerySystemInformation underneath.
• Uses the System.Diagnostics.Process class’s Handle property.
  • Uses kernel32!OpenProcess underneath.
• Generates a crash dump using the Windows API.
  • Leverages “Reflection” to call dbghelp!MiniDumpWriteDump.
[Tool] Sharpdump
• A C# port of PowerSploit’s Out-Minidump.
• Written by Will “harmj0y” Schroeder in 2018.
• Used to produce a minidump for a specified process.
• Default behavior is to dump LSASS.
https://github.com/GhostPack/SharpDump
Functional Analysis – Sharpdump
• Relies on the System.Diagnostics.Process .NET class to find the LSASS PID.
  • This calls ntdll!NtQuerySystemInformation underneath.
• Uses the System.Diagnostics.Process class’s Handle property.
  • Uses kernel32!OpenProcess underneath.
• Generates a crash dump using the Windows API.
  • Uses P/Invoke to call dbghelp!MiniDumpWriteDump directly.
Functionally Synonymous
[Figure: Out-Minidump.ps1 and Sharpdump]
[Concept] Synonyms
• A concept derived from Aristotle’s The Categories.
• Synonyms: two literally unique instances (tools) that can be considered equivalent at a higher level of abstraction.
  • There is an infinite number of variations that exist for any particular technique.
  • Abstraction allows for the grouping of variations at multiple levels of resolution.
• Can be used as a heuristic for similarity.
  • Can be treated similarly to “morphological distance” in comparing organisms.
  • Tools that are synonymous at higher, less abstract, levels can be considered more similar.
  • Tools that are synonymous only at lower, more abstract, levels are more different.
• Similarity is an important input for determining a sample set.
  • We cannot test the infinite set of variations, but we can test a representative sample.
  • We can use similarity metrics for determining the optimal sample.
https://posts.specterops.io/on-detection-tactical-to-functional-ceb3ad0e3809
Functional Synonyms
• Out-Minidump and Sharpdump are literally different tools.
  • They have different cryptographic hash values.
  • One is written in PowerShell and the other in C#.
• When we analyze the functions they call, we realize they are the same:
  • ntdll!NtQuerySystemInformation
  • kernel32!OpenProcess
  • dbghelp!MiniDumpWriteDump
• This means the differences are relatively superficial.
  • These changes should only affect signatures targeted specifically towards tool idiosyncrasies.
[Tool] Dumpert
• LSASS memory dumper using direct system calls.
• Written by the team at Outflank (@OutflankNL) in 2019.
• Replaces high-level Win32 function calls with syscalls.
  • This creates evasion opportunities when used against certain “naïve” EDR sensors.
https://github.com/outflanknl/Dumpert
Functional Analysis – Dumpert
• Enumerates processes to determine the process identifier for LSASS.
  • Uses the NtQuerySystemInformation-related system call.
• Opens a PROCESS_VM_READ handle to LSASS.
  • Makes the NtOpenProcess-related system call.
• Generates a crash dump of the LSASS process.
  • Calls the dbghelp!MiniDumpWriteDump function.
Discovering Operations
[Figure slides: Discovering Operations]
Operational/Procedural Synonyms
• Dumpert makes different function calls than Out-Minidump.
  • These tools are not functionally synonymous.
• However, both tools perform the same operations in the same order.
  • These are operationally or procedurally synonymous.
• We can say that operational synonyms are less similar than functional synonyms.
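The levels of synonymy the last few slides describe (literal, functional, operational/procedural, technique) can be made concrete as a small model. The Python below is an added example written for this page; it is not code from the deck, from SpecterOps or from any of the tools named. The `Tool`, `identity_at`, `synonym_level`, `similarity` and `representative_sample` names are chosen here, the `source` strings are constructed placeholders standing in for the real file contents, and the function chains are the ones the deck's functional analyses give for Out-Minidump, Sharpdump and Dumpert. It goes one step beyond the slides by turning the similarity heuristic into a sample selector: one tool per equivalence class at a chosen resolution.

```python
"""Added example (not from the deck): comparing tools at several levels of abstraction.

Two literally different tools (distinct hashes, distinct languages) can be synonyms at
the functional, operational or technique level; the first level at which they agree is
a usable similarity heuristic, and grouping by it yields a representative sample.
"""
from dataclasses import dataclass
import hashlib

# Levels of resolution, most specific first.
LEVELS = ("literal", "functional", "operational", "technique")


@dataclass(frozen=True)
class Tool:
    name: str
    source: str                   # the literal artifact (constructed placeholder text here)
    procedure: tuple              # ordered (operation, function) pairs from a functional analysis
    technique: str = "T1003.001"  # ATT&CK sub-technique: OS Credential Dumping: LSASS Memory

    def identity_at(self, level: str):
        """Return the tool's identity at a given level of abstraction."""
        if level == "literal":
            return hashlib.sha256(self.source.encode()).hexdigest()
        if level == "functional":
            return tuple(fn for _, fn in self.procedure)
        if level == "operational":
            return tuple(op for op, _ in self.procedure)
        if level == "technique":
            return self.technique
        raise ValueError(f"unknown level: {level}")


def synonym_level(a: Tool, b: Tool):
    """Most specific level at which a and b are synonymous, or None if unrelated."""
    for level in LEVELS:
        if a.identity_at(level) == b.identity_at(level):
            return level
    return None


def similarity(a: Tool, b: Tool) -> int:
    """Morphological-distance style score: literal=4, functional=3, operational=2,
    technique=1, unrelated=0. Higher means the tools agree at a finer resolution."""
    level = synonym_level(a, b)
    return 0 if level is None else len(LEVELS) - LEVELS.index(level)


def representative_sample(tools, level: str):
    """One tool per equivalence class at `level`: the smallest sample that still
    exercises every distinct variation visible at that resolution."""
    classes = {}
    for tool in tools:
        classes.setdefault(tool.identity_at(level), tool)
    return list(classes.values())


# Function chains as given in the deck's functional analyses.
OUT_MINIDUMP = Tool("Out-Minidump", "<constructed: PowerShell source>", (
    ("Process Enumerate", "ntdll!NtQuerySystemInformation"),
    ("Process Access", "kernel32!OpenProcess"),
    ("Process Read", "dbghelp!MiniDumpWriteDump"),
))
SHARPDUMP = Tool("Sharpdump", "<constructed: C# source>", OUT_MINIDUMP.procedure)
DUMPERT = Tool("Dumpert", "<constructed: C source>", (
    ("Process Enumerate", "syscall!NtQuerySystemInformation"),
    ("Process Access", "syscall!NtOpenProcess"),
    ("Process Read", "dbghelp!MiniDumpWriteDump"),
))

if __name__ == "__main__":
    tools = [OUT_MINIDUMP, SHARPDUMP, DUMPERT]
    print("Out-Minidump vs Sharpdump:", synonym_level(OUT_MINIDUMP, SHARPDUMP))  # functional
    print("Out-Minidump vs Dumpert:  ", synonym_level(OUT_MINIDUMP, DUMPERT))    # operational
    for level in LEVELS:
        print(f"{level:<12} sample: {[t.name for t in representative_sample(tools, level)]}")
```

Run stand-alone, the script reports that Out-Minidump and Sharpdump first agree at the functional level while Out-Minidump and Dumpert first agree at the operational level, and that a sample chosen at functional resolution needs two tools where one chosen at operational resolution needs only one.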
Function Call Stack – Process Access
[Figure: call stack diagram]
Perception
• We perceive at the operational level (or we at least act as if this is true):
  • Sysmon 1 – Process Create
  • Windows Security 4688 – Process Create
  • Sysmon 10 – Process Access
  • Windows Security 4697 – Service Creation
  • MDE DeviceRegistryEvent – Registry Key Creation
• Attackers act via functions:
  • Out-Minidump calls kernel32!OpenProcess
  • Dumpert calls syscall!NtOpenProcess
• If there is a discrepancy between what we think we can see and what we actually see, then an opportunity for evasion exists.
  • This is exactly what Dumpert takes advantage of.
How Should We Test
• Telemetry Coverage
  • Operational
  • All functional variations that can implement an operation.
    • Process Read: 8 functional variations
  • Question to answer: Was telemetry generated for this operation?
• Detection Coverage
  • Procedural
  • All procedural variations of a (sub-)technique.
  • Questions to answer:
    • Did my detection fire when the technique was executed?
    • At what point and why?
    • Did it capture multiple variations?
    • What % coverage do we have?
Public Testing Solutions
• Atomic Red Team:
  • Started by Red Canary.
  • Meant to test security products.
  • Tests typically differ by tool rather than by operation.
• Atomic Test Harnesses:
  • Started by Matt Graeber at Red Canary.
  • Allows for more granular control over “what” is being tested and “how” to perform operations.
  • Allows for the selection of different functional variations when implementing an operation.
Operation – Process Access (6 Variations)
[Figure: functional variations of the Process Access operation]
Process Access Test Harness (Lab)
Purpose: Identify the telemetry generated for the Process Access operation.
Steps:
1. Navigate to https://gist.github.com/jaredcatkinson/9c7a1af2261a752432230a4148ecfe02 and download the script.
2. Open PowerShell as Administrator.
3. In PowerShell, run:
   1. Import-Module ProcessAccess.ps1
   2. Invoke-ProcessAccess -Variant Kernel32!OpenProcess
Questions:
1. What telemetry do you see with Sysmon, MDE, or other sensors?
2. (Bonus) If you were to change the target process, does the generated telemetry change?
Operation – Process Read (8 Variations)
[Figure: functional variations of the Process Read operation]
Process Read Test Harness
• Intentional testing
  • Knowing what I am testing and how I am testing it.
Process Read Test Harness (Lab)
Purpose: Identify the telemetry generated for the Process Read operation.
Steps:
1. Navigate to https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.ps1 and download the script.
2. Open PowerShell as Administrator.
3. In PowerShell, run:
   1. Import-Module DumpLSASS.ps1
   2. Invoke-ATHDumpLSASS -Variant Kernel32!ReadProcessMemory
Questions:
1. What telemetry do you see with Sysmon, MDE, and other sensors?
2. (Bonus) We don’t have control over detections here, but try running this and the other supported variants somewhere that you do have detections, to identify gaps.
Atomic Red Team T1003.001
[Figure: Atomic Red Team T1003.001 test listing]
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md
Testing Differences
• Atomic Red Team (LSASS Memory):
  • 12 total tool variations
  • 2 of 8 Process Read functional variations:
    • dbghelp!MiniDumpWriteDump and kernel32!ReadProcessMemory
    • 10 tools use MiniDumpWriteDump
  • 4 functional variations:
    • (3) kernel32!CreateToolhelp32Snapshot -> kernel32!OpenProcess -> dbghelp!MiniDumpWriteDump
    • (6) ntdll!NtQuerySystemInformation -> kernel32!OpenProcess -> dbghelp!MiniDumpWriteDump
    • (2) ntdll!NtQuerySystemInformation -> kernel32!OpenProcess -> kernel32!ReadProcessMemory
    • (1) syscall!ZwQuerySystemInformation -> syscall!ZwOpenProcess -> dbghelp!MiniDumpWriteDump
• Atomic Test Harness (Process Read):
  • 6 of 8 functional variations
  • Currently doesn’t support system calls
• Know what you’re testing and how those tests are being performed.
Calculating Functional Variations
• Attackers care about the operational outcome.
• Functional choice provides options:
  • Process Enumerate – 21 functional options
  • Process Access – 7 functional options
  • Process Read – 8 functional options
• Functional variations can be derived by multiplying the functional options of each operation in a procedure:
  • PE x PA x PR = 21 x 7 x 8 = 1,176
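The "How Should We Test", "Testing Differences" and "Calculating Functional Variations" slides together describe a coverage calculation: multiply the functional options of each operation to get the size of the variation space, then count how many distinct functional chains a test set actually exercises. The Python below is an added example written for this page, not code from the deck or from Atomic Red Team. It uses the deck's 21 x 7 x 8 procedure; only the function names the deck itself mentions are listed by name, the remaining options are labelled placeholders so the counts match; the `ART_TESTS` list is constructed from the deck's (3)/(6)/(2)/(1) breakdown of the Atomic Red Team T1003.001 tests; the function names `coverage`, `untested_functions`, `validate` and `total_variations` are chosen here.

```python
"""Added example (not from the deck): functional-variation coverage of a test set.

Answers the deck's "what % coverage do we have?" question for the
Process Enumerate -> Process Access -> Process Read procedure, and lists the
functional options no test touched (the places an operational-level sensor may be
blind to a functional variation it has never been checked against).
"""
from collections import Counter


def options(named, total, label):
    """Pad the functions the deck names with placeholders up to `total` options."""
    pads = [f"<placeholder {label} option {i}>" for i in range(len(named) + 1, total + 1)]
    return list(named) + pads


# Ordered operations of the procedure and their functional options (counts from the deck).
PROCEDURE = {
    "Process Enumerate": options(["kernel32!CreateToolhelp32Snapshot",
                                  "ntdll!NtQuerySystemInformation",
                                  "syscall!ZwQuerySystemInformation"], 21, "enumerate"),
    "Process Access": options(["kernel32!OpenProcess",
                               "syscall!ZwOpenProcess"], 7, "access"),
    "Process Read": options(["dbghelp!MiniDumpWriteDump",
                             "kernel32!ReadProcessMemory"], 8, "read"),
}

# Constructed test set: one entry per tool, mirroring the deck's (3)/(6)/(2)/(1) breakdown.
ART_TESTS = (
    [("kernel32!CreateToolhelp32Snapshot", "kernel32!OpenProcess", "dbghelp!MiniDumpWriteDump")] * 3
    + [("ntdll!NtQuerySystemInformation", "kernel32!OpenProcess", "dbghelp!MiniDumpWriteDump")] * 6
    + [("ntdll!NtQuerySystemInformation", "kernel32!OpenProcess", "kernel32!ReadProcessMemory")] * 2
    + [("syscall!ZwQuerySystemInformation", "syscall!ZwOpenProcess", "dbghelp!MiniDumpWriteDump")] * 1
)


def total_variations(procedure):
    """PE x PA x PR: product of the functional options of each operation."""
    n = 1
    for opts in procedure.values():
        n *= len(opts)
    return n


def validate(procedure, chain):
    """A chain must name one valid functional option per operation, in order."""
    ops = list(procedure)
    if len(chain) != len(ops):
        raise ValueError(f"chain {chain} has {len(chain)} steps, procedure has {len(ops)}")
    for op, fn in zip(ops, chain):
        if fn not in procedure[op]:
            raise ValueError(f"{fn!r} is not a functional option of {op!r}")


def coverage(procedure, tests):
    """Distinct functional variations exercised, overall % coverage, and per operation
    how many of its functional options at least one test touched."""
    for chain in tests:
        validate(procedure, chain)
    distinct = Counter(tests)          # chain -> number of tools using it
    total = total_variations(procedure)
    per_op = {}
    for i, op in enumerate(procedure):
        touched = {chain[i] for chain in distinct}
        per_op[op] = (len(touched), len(procedure[op]))
    return {
        "tools": len(tests),
        "functional_variations_tested": len(distinct),
        "total_functional_variations": total,
        "percent": 100.0 * len(distinct) / total,
        "per_operation": per_op,
    }


def untested_functions(procedure, tests):
    """Per operation, the functional options no test exercised."""
    gaps = {}
    for i, op in enumerate(procedure):
        touched = {chain[i] for chain in tests}
        gaps[op] = [fn for fn in procedure[op] if fn not in touched]
    return gaps


if __name__ == "__main__":
    report = coverage(PROCEDURE, ART_TESTS)
    print(f"{report['tools']} tools exercise {report['functional_variations_tested']} of "
          f"{report['total_functional_variations']} functional variations "
          f"({report['percent']:.2f}%)")
    for op, (got, of) in report["per_operation"].items():
        print(f"  {op}: {got} of {of} functional options")
```

With the deck's numbers this reproduces the "Testing Differences" slide: 12 tools collapse to 4 distinct functional variations out of 1,176, and Process Read is covered for 2 of its 8 functional options. The `validate` step matters in practice: a test catalogue that names a function outside the option list for its operation is a bookkeeping error that would otherwise silently inflate coverage.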
AV Comparatives
[Figure: AV-Comparatives LSASS test results]
https://www.av-comparatives.org/wp-content/uploads/2022/09/avc_sp_lsass_ms_2022.pdf
LSASS Memory Operation Graph
[Figure: LSASS Memory operation graph]
https://posts.specterops.io/on-detection-tactical-to-functional-fef1e09d3174
The Power of Categorization
• As Eleanor Rosch said, “one purpose of categorization is to reduce the infinite differences among stimuli to behaviorally and cognitively usable proportions.”
• We can’t comprehend an infinite number of variations.
  • So long as we treat the problem as infinite, we can never make progress.
  • 1/∞ ≈ 0, 10/∞ ≈ 0, 100/∞ ≈ 0, 1,000,000/∞ ≈ 0
• Categorization by abstraction allows us to ignore insignificant differences, in order to reduce the infinite to the finite:
  • Literal – ∞
  • Function – 39,333
  • Procedural – 4
  • Sub-Technical – 1

 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 

Mapping Detection Coverage

Functional Analysis – Out-Minidump
• Relies on the System.Diagnostics.Process .NET class to find the LSASS PID.
  • This calls ntdll!NtQuerySystemInformation underneath.
• Uses the System.Diagnostics.Process class’s Handle property.
  • Uses kernel32!OpenProcess underneath.
• Generates a crash dump using the Windows API.
  • Leverages “Reflection” to call dbghelp!MiniDumpWriteDump.
6
[Tool] Sharpdump
• A C# port of PowerSploit’s Out-Minidump.
• Written by Will “harmj0y” Schroeder in 2018.
• Used to produce a minidump for a specified process.
• Default behavior is to dump LSASS.
7
https://github.com/GhostPack/SharpDump
Functional Analysis – Sharpdump
• Relies on the System.Diagnostics.Process .NET class to find the LSASS PID.
  • This calls ntdll!NtQuerySystemInformation underneath.
• Uses the System.Diagnostics.Process class’s Handle property.
  • Uses kernel32!OpenProcess underneath.
• Generates a crash dump using the Windows API.
  • Uses P/Invoke to call dbghelp!MiniDumpWriteDump directly.
8
Functionally Synonymous
[Figure: Out-Minidump.ps1 and Sharpdump shown side by side as functional synonyms]
9
[Concept] Synonyms
• A concept derived from Aristotle’s The Categories.
• Synonyms – two literally unique instances (tools) that can be considered equivalent at a higher level of abstraction.
• There is an infinite number of variations that exist for any particular technique.
  • Abstraction allows for the grouping of variations at multiple levels of resolution.
• Can be used as a heuristic for similarity.
  • Can be treated similarly to “morphological distance” in comparing organisms.
  • Tools that are synonymous at higher, less abstract, levels can be considered more similar.
  • Tools that are synonymous only at lower, more abstract, levels are more different.
• Similarity is an important input for determining a sample set.
  • We cannot test the infinite set of variations, but we can test a representative sample.
  • We can use similarity metrics for determining the optimal sample.
10
https://posts.specterops.io/on-detection-tactical-to-functional-ceb3ad0e3809
Functional Synonyms
• Out-Minidump and Sharpdump are literally different tools.
  • They have different cryptographic hash values.
  • One is written in PowerShell and the other in C#.
• When we analyze the functions they call, we realize they are the same.
  • ntdll!NtQuerySystemInformation
  • kernel32!OpenProcess
  • dbghelp!MiniDumpWriteDump
• This means the differences are relatively superficial.
  • These changes should only affect signatures targeted specifically towards tool idiosyncrasies.
11
[Tool] Dumpert
• LSASS memory dumper using direct system calls.
• Written by the team at Outflank (@OutflankNL) in 2019.
• Replaces high level Win32 function calls with Syscalls.
  • This creates evasion opportunities when used against certain “naïve” EDR sensors.
12
https://github.com/outflanknl/Dumpert
Functional Analysis – Dumpert
• Enumerates processes to determine the process identifier for LSASS.
  • Uses the NtQuerySystemInformation related system call.
• Opens a PROCESS_VM_READ handle to LSASS.
  • Makes the NtOpenProcess related system call.
• Generates a crash dump of the LSASS process.
  • Calls the dbghelp!MiniDumpWriteDump function.
13
Operational/Procedural Synonyms
• Dumpert makes different function calls than Out-Minidump.
  • These tools are not functionally synonymous.
• However, both tools perform the same operations in the same order.
  • These are operationally or procedurally synonymous.
• We can say that operational synonyms are less similar than functional synonyms.
16
Function Call Stack – Process Access
[Figure: function call stack for the Process Access operation]
17
Perception
• We perceive at the operational level (or we at least act as if this is true):
  • Sysmon 1 – Process Create
  • Windows Security 4688 – Process Create
  • Sysmon 10 – Process Access
  • Windows Security 4697 – Service Creation
  • MDE DeviceRegistryEvent – Registry Key Creation
• Attackers act via Functions
  • Out-Minidump calls kernel32!OpenProcess
  • Dumpert calls syscall!NtOpenProcess
• If there is a discrepancy between what we think we can see and what we actually see, then an opportunity for evasion exists.
  • This is exactly what Dumpert takes advantage of.
18
How Should We Test
• Telemetry Coverage
  • Operational
    • All functional variations that can implement an operation.
    • Process Read: 8 functional variations
  • Question to answer: Was telemetry generated for this operation?
• Detection Coverage
  • Procedural
    • All procedural variations of a (sub-)technique.
  • Question(s) to answer:
    • Did my detection fire when the technique was executed?
    • At what point and why?
    • Did it capture multiple variations?
    • What % coverage do we have?
19
Public Testing Solutions
• Atomic Red Team:
  • Started by Red Canary.
  • Meant to test security products.
  • Tests typically differ based on a tool vs. operation.
• Atomic Test Harnesses:
  • Started by Matt Graeber at Red Canary.
  • Allows for more granular control over “what” is being tested and “how” to perform operations.
  • Allows for the selection of different functional variations when implementing an operation.
20
Operation – Process Access (6 Variations)
[Figure: the 6 functional variations of the Process Access operation]
21
Process Access Test Harness (Lab)
Purpose: Identify the telemetry generated for the Process Access operation.
Steps:
1. Navigate to https://gist.github.com/jaredcatkinson/9c7a1af2261a752432230a4148ecfe02 and download the script.
2. Open PowerShell as Administrator.
3. In PowerShell, run:
   1. Import-Module ProcessAccess.ps1
   2. Invoke-ProcessAccess -Variant Kernel32!OpenProcess
Questions:
1. What telemetry do you see with Sysmon, MDE, or other sensors?
2. (Bonus) If you were to change the target process, does the generated telemetry change?
22
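The telemetry this lab asks about is, for Sysmon, Event ID 10 (ProcessAccess), which reports the source image, the target image and the access mask that was granted. The check below is an added example, not part of the slides or of the harness: it runs a detection over a few constructed records shaped like Event ID 10 fields and flags any handle to lsass.exe that carries PROCESS_VM_READ, the right the Process Read operation needs (slide 13 notes Dumpert asks for exactly that right). The sample records, the source paths and the `syscall_variant.exe` name are all constructed for illustration. Sysmon's ProcessAccess event is produced from a kernel-side object callback rather than from a user-mode hook, so whether the handle was requested via kernel32!OpenProcess or a direct system call does not change whether this record appears; the perception gap slide 18 warns about applies to sensors that observe only the user-mode function.

```python
"""Flag Sysmon Event ID 10 (ProcessAccess) records that open LSASS with read access."""

# Process access rights from winnt.h.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Constructed sample records in the shape of Sysmon Event ID 10 fields; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 10,
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF"},   # harness run via kernel32!OpenProcess, full access
    {"EventID": 10,
     "SourceImage": r"C:\Lab\syscall_variant.exe",   # hypothetical direct-syscall variant
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x0010"},     # PROCESS_VM_READ only
    {"EventID": 10,
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000"},     # PROCESS_QUERY_LIMITED_INFORMATION: no memory read
    {"EventID": 10,
     "SourceImage": r"C:\Windows\System32\notepad.exe",
     "TargetImage": r"C:\Windows\System32\explorer.exe",
     "GrantedAccess": "0x1FFFFF"},   # full access, but the target is not LSASS
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe"},   # a different event type, ignored
]


def parse_access_mask(value: str) -> int:
    """Sysmon renders GrantedAccess as a hex string such as 0x1FFFFF."""
    return int(value, 16)


def is_lsass_memory_read(event: dict) -> bool:
    """True for a ProcessAccess record whose target is lsass.exe and whose granted
    access includes PROCESS_VM_READ."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    return bool(parse_access_mask(event["GrantedAccess"]) & PROCESS_VM_READ)


def find_lsass_memory_reads(events) -> list:
    """Source images that obtained a readable handle to LSASS, in event order."""
    return [e["SourceImage"] for e in events if is_lsass_memory_read(e)]


if __name__ == "__main__":
    for source in find_lsass_memory_reads(SAMPLE_EVENTS):
        print("LSASS memory read handle from:", source)
```

The mask test is deliberately on the single PROCESS_VM_READ bit rather than on the full 0x1FFFFF value: a tool that requests only the right it needs, as Dumpert does, would slip past a rule that looks for the all-access mask alone.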
Operation – Process Read (8 Variations)
[Figure: the 8 functional variations of the Process Read operation]
23
Process Read Test Harness
• Intentional testing
  • Knowing what I am testing and how I am testing it.
24
Process Read Test Harness (Lab)
Purpose: Identify the telemetry generated for the Process Read operation.
Steps:
1. Navigate to https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.ps1 and download the script.
2. Open PowerShell as Administrator.
3. In PowerShell, run:
   1. Import-Module DumpLSASS.ps1
   2. Invoke-ATHDumpLSASS -Variant Kernel32!ReadProcessMemory
Questions:
1. What telemetry do you see with Sysmon, MDE, and other sensors?
2. (Bonus) We don’t have control over detections here, but try running this and the other supported variants somewhere that you do have detections, to identify gaps.
25
Atomic Red Team T1003.001
26
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md
Testing Differences
• Atomic Red Team (LSASS Memory):
  • 12 total tool variations
  • 2 of 8 Process Read functional variations:
    • Dbghelp!MiniDumpWriteDump and Kernel32!ReadProcessMemory
    • 10 tools use MiniDumpWriteDump
  • 4 functional variations
    • (3) kernel32!CreateToolhelp32Snapshot -> kernel32!OpenProcess -> dbghelp!MiniDumpWriteDump
    • (6) ntdll!NtQuerySystemInformation -> kernel32!OpenProcess -> dbghelp!MiniDumpWriteDump
    • (2) ntdll!NtQuerySystemInformation -> kernel32!OpenProcess -> kernel32!ReadProcessMemory
    • (1) syscall!ZwQuerySystemInformation -> syscall!ZwOpenProcess -> dbghelp!MiniDumpWriteDump
• Atomic Test Harness (Process Read):
  • 6 of 8 functional variations
  • Currently doesn’t support system calls
• Know what you’re testing and how those tests are being performed.
27
Calculating Functional Variations
• Attackers care about the Operational outcome.
• Functional choice provides options
  • Process Enumerate – 21 Functional Options
  • Process Access – 7 Functional Options
  • Process Read – 8 Functional Options
• Functional Variations can be derived by multiplying the Functional Options of each Operation in a Procedure.
  • PE x PA x PR = 21 x 7 x 8 = 1,176
28
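The arithmetic of slide 28 and the tally of slide 27, carried through as an added example that is not part of the deck: it computes the 1,176 functional variations from the per-operation option counts, groups the twelve Atomic Red Team T1003.001 tests by the function chain they exercise, and answers slide 19's two coverage questions from those figures, the procedural "what % coverage do we have" against the full product space, and the operational "which functions per operation have we exercised" against each operation's option count. The per-chain tool counts are the ones printed on slide 27; the first chain is written with the API's actual spelling, CreateToolhelp32Snapshot.

```python
"""Functional-variation arithmetic (slide 28) and test-coverage tally (slide 27)."""
from math import prod

# Functional options per operation, as counted on slide 28.
FUNCTIONAL_OPTIONS = {"Process Enumerate": 21, "Process Access": 7, "Process Read": 8}
OPERATION_ORDER = ("Process Enumerate", "Process Access", "Process Read")

# Atomic Red Team T1003.001 tests grouped by the function chain they exercise,
# with the number of tools per chain taken from slide 27.
ART_CHAINS = {
    ("kernel32!CreateToolhelp32Snapshot", "kernel32!OpenProcess", "dbghelp!MiniDumpWriteDump"): 3,
    ("ntdll!NtQuerySystemInformation", "kernel32!OpenProcess", "dbghelp!MiniDumpWriteDump"): 6,
    ("ntdll!NtQuerySystemInformation", "kernel32!OpenProcess", "kernel32!ReadProcessMemory"): 2,
    ("syscall!ZwQuerySystemInformation", "syscall!ZwOpenProcess", "dbghelp!MiniDumpWriteDump"): 1,
}


def count_functional_variations(options: dict) -> int:
    """PE x PA x PR: one function chosen per operation, every combination counted once."""
    return prod(options.values())


def coverage_percent(tested: int, total: int) -> float:
    return round(100.0 * tested / total, 2)


def procedural_coverage(chains: dict, options: dict) -> dict:
    """Distinct chains tested against the full product space (the Detection Coverage question)."""
    total = count_functional_variations(options)
    return {
        "tools": sum(chains.values()),
        "distinct_chains": len(chains),
        "total_variations": total,
        "percent": coverage_percent(len(chains), total),
    }


def operational_coverage(chains: dict, options: dict) -> dict:
    """Distinct functions exercised per operation (the Telemetry Coverage question).
    Returns {operation: (functions_tested, functions_available, percent)}."""
    result = {}
    for position, operation in enumerate(OPERATION_ORDER):
        functions = {chain[position] for chain in chains}
        result[operation] = (len(functions), options[operation],
                             coverage_percent(len(functions), options[operation]))
    return result


if __name__ == "__main__":
    print("functional variations:", count_functional_variations(FUNCTIONAL_OPTIONS))
    print("Atomic Red Team, procedural:", procedural_coverage(ART_CHAINS, FUNCTIONAL_OPTIONS))
    for op, (tested, available, pct) in operational_coverage(ART_CHAINS, FUNCTIONAL_OPTIONS).items():
        print(f"  {op}: {tested} of {available} functions ({pct}%)")
    print("Atomic Test Harness, Process Read:", coverage_percent(6, 8), "%")
```

Twelve tools collapse to four distinct chains, which is roughly a third of one percent of the product space; per operation the same tests touch 3 of 21 enumeration functions, 2 of 7 access functions and 2 of 8 read functions, against the harness's 6 of 8 for Process Read. The number of tools run says little about coverage; the number of distinct function chains does.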
LSASS Memory Operation Graph
[Figure: LSASS Memory operation graph]
30
https://posts.specterops.io/on-detection-tactical-to-functional-fef1e09d3174
The Power of Categorization
• As Eleanor Rosch said, “one purpose of categorization is to reduce the infinite differences among stimuli to behaviorally and cognitively usable proportions.”
• We can’t comprehend an infinite number of variations.
  • So long as we treat the problem as infinite, we can never make progress.
  • 1/∞ ≈ 0, 10/∞ ≈ 0, 100/∞ ≈ 0, 1,000,000/∞ ≈ 0
• Categorization of abstraction allows us to ignore insignificant differences, in order to reduce the infinite to the finite:
  • Literal – ∞
  • Function – 39,333
  • Procedural – 4
  • Sub-Technical – 1
31