MITRE - ATT&CKcon, profile picture
Uploaded byMITRE - ATT&CKcon
PDF, PPTX2,050 views

MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, Endgame

The document discusses the process of creating ATT&CK-based analytics for cybersecurity detection, emphasizing the importance of prototyping and continuous refinement. It outlines steps for performing a gap analysis, identifying techniques, and analyzing logs to detect malicious behavior while avoiding false positives. The document also highlights the need to draft and test analytical queries using PowerShell and Event Query Language to effectively identify threats.

Embed presentation

Download as PDF, PPTX
FROM TECHNIQUE TO DETECTION Rapid prototyping of ATT&CK-based analytics Paul Ewing @_paulewing Ross Wolf @rw_access
ATT&CK Detections? Will be powerful Will enable hunters Will transform your SOC
ATT&CK Detections? Will not be as easy as described Will not always lead to analytics Will not be a silver bullet
TIMELINE OF A SOLID ANALYTIC ATT&CK-based analytics required continual grooming as their success depends on it TIME  SUCCESS Initial Logic False Positives Fine Tune Overcompensate Profit
1. SELECT YOUR TECHNIQUE After performing gap-analysis and understanding your environment.
1. SELECT YOUR TECHNIQUE After performing gap-analysis and understanding your environment.
2. DETONATE Find scripts or commands that perform the technique. …after you detonate…be sure to leave yourself some breadcrumbs… Microsoft Windows [Version 10.0.17134.345] (c) 2018 Microsoft Corporation. All rights reserved. C:UsersRoss> C:UsersRoss>reg add hkcuEnvironment /v windir /d "cmd /K reg delete hkcuEnvironment /v windir /f && REM " The operation completed successfully. C:UsersRoss>schtasks /Run /TN MicrosoftWindowsDiskCleanupSilentCleanup /I SUCCESS: Attempted to run the scheduled task "MicrosoftWindowsDiskCleanupSilentCleanup". C:UsersRoss> The operation completed successfully. C:WINDOWSsystem32>cmd /c echo FINDMEFINDME FINDMEFINDME C:WINDOWSsystem32> https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html
3. PREP ANALYSIS First let’s create some PS functions to help us gather and parse Sysmon logs. function Get-EventProps { [cmdletbinding()] Param ( [parameter(ValueFromPipeline)] $event ) Process { $eventXml = [xml]$event.ToXML() $eventKeys = $eventXml.Event.EventData.Data $Properties = @{} For ($i=0; $i -lt $eventKeys.Count; $i++) { $Properties[$eventKeys[$i].Name] = $eventKeys[$i].'#text' } [pscustomobject]$Properties } } function Get-LatestLogs { Get-WinEvent -filterhashtable @{logname="Microsoft-Windows- Sysmon/Operational"} -MaxEvents 1000 | Get-EventProps } function Get-LatestProcesses { Get-WinEvent -filterhashtable @{logname="Microsoft-Windows- Sysmon/Operational";id=1} -MaxEvents 1000 | Get-EventProps }
3. PREP ANALYSIS Let’s store the relevant process data C:UsersRossDesktop> C:UsersRossDesktop>powershell Windows Powershell Copyright (c) 2013 Microsoft Corporation. All rights reserved. PS C:UsersRossDesktop> $processLogs = Get-LatestProcesses We need this data We got this data
4.EXPLORE DATA First, find your breadcrumbs that you left earlier. PS C:UsersRossDesktop> $processLogs | Where { $_.CommandLine -like "*FINDMEFINDME*" } ParentCommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: Description : Windows Command Processor CommandLine : cmd /c echo FINDMEFINDME CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 21:01:44.471 ProcessGuid : {2FA81719-F4B8-5BC8-0000-0010A1124F01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 5816 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01} ParentProcessId : 8760 ParentImage : C:WindowsSystem32cmd.exe
4.EXPLORE DATA Walk up the process tree to see when and how the bypass occurred. We’re looking for a transition from medium to high integrity. PS C:UsersRossDesktop> $processLogs | where { $_.ProcessGuid -eq "{2FA81719-F482-5BC8-0000-001060044C01}"} ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 21:00:50.695 ProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 8760 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
4.EXPLORE DATA Keep walking up the tree until things look normal again. We found the Schedule service running as normal. PS C:UsersRossDesktop> $processLogs | where { $_.ProcessGuid -eq "{2FA81719-DE77-5BC8-0000-001028620100}"} ParentCommandLine : C:WINDOWSsystem32services.exe Description : Host Process for Windows Services CommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=660B76B6FB802417D513ADC967C5CAF77FC2BAC6 Image : C:WindowsSystem32svchost.exe UtcTime : 2018-10-18 19:26:47.110 ProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} Company : Microsoft Corporation IntegrityLevel : System FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : NT AUTHORITYSYSTEM RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x3e7 ProcessId : 1288 LogonGuid : {2FA81719-DE75-5BC8-0000-0020E7030000} TerminalSessionId : 0 ParentProcessGuid : {2FA81719-DE75-5BC8-0000-0010C6AC0000} ParentProcessId : 632 ParentImage : C:WindowsSystem32services.exe
4.EXPLORE DATA We went too far. The task scheduler ran the SilentCleanup task, but we’re interested in the task, not the scheduler.
4.EXPLORE DATA What happens when the SilentCleanup task is not abused? PS C:UsersRossDesktop> $processLogs | where { $_.CommandLine -like "*cleanmgr.exe /autoclean*" } ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 21:00:50.695 ProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 8760 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
4.EXPLORE DATA What happens when the SilentCleanup task is not abused? ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 20:59:01.667 ProcessGuid : {2FA81719-F415-5BC8-0000-0010F9F64301} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 5820 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
4.EXPLORE DATA What happens when the SilentCleanup task is not abused? ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Disk Space Cleanup Manager for Windows CommandLine : C:WINDOWSsystem32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=2EB39003998F0E518AD937DB120B87E81D5A5893 Image : C:WindowsSystem32cleanmgr.exe UtcTime : 2018-10-18 20:58:07.183 ProcessGuid : {2FA81719-F3DF-5BC8-0000-001024A93F01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 2828 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
4.EXPLORE DATA What happens when the SilentCleanup task is not abused? ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Disk Space Cleanup Manager for Windows CommandLine : C:WINDOWSsystem32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=2EB39003998F0E518AD937DB120B87E81D5A5893 Image : C:WindowsSystem32cleanmgr.exe UtcTime : 2018-10-18 20:54:13.619 ProcessGuid : {2FA81719-F2F5-5BC8-0000-001036452E01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 4864 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
5. PROTOTYPE ANALYTIC Draft an analytic in PowerShell that detects the malicious behavior without triggering on the benign behavior. PS C:UsersRossDesktop> $processLogs | where {$_.IntegrityLevel -eq "High"} –and $_.CommandLine -like "* *system32cleanmgr.exe /autoclean*" } ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 21:00:50.695 ProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 8760 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
5. PROTOTYPE ANALYTIC Draft an analytic in PowerShell. ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 20:59:01.667 ProcessGuid : {2FA81719-F415-5BC8-0000-0010F9F64301} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 5820 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
6. GO LIVE Rule looks good! Let’s write an EQL query. process where command_line == "* *system32cleanmgr.exe /autoclean*" https://www.endgame.com/blog/technical-blog/introducing-event-query-language
6. GO LIVE Results…uh oh… True or false positive? { "authentication_id": 224881, "command_line": "taskhostw.exe C:WINDOWSsystem32cleanmgr.exe /autoclean /d C:", "event_subtype_full": "creation_event", "event_type_full": "process_event", "md5": "ce95e236fc9fe2d6f16c926c75b18baf", "original_file_name": "taskhostw.exe", "parent_process_name": "svchost.exe", "parent_process_path": "C:WindowsSystem32svchost.exe", "pid": 14920, "ppid": 1700, "process_name": "taskhostw.exe", "process_path": "C:WindowsSystem32taskhostw.exe", "sha1": "2a594345fbcaad453c72bd0937cbf67fb43a74df", "signature_signer": "Microsoft Windows", "signature_status": "trusted", "timestamp_utc": "2018-10-02 16:05:32Z", ... }
6. GO LIVE Oh, this is just another benign instance of the Windows task scheduler on a different OS. { "authentication_id": 224881, "command_line": "taskhostw.exe C:WINDOWSsystem32cleanmgr.exe /autoclean /d C:", "event_subtype_full": "creation_event", "event_type_full": "process_event", "md5": "ce95e236fc9fe2d6f16c926c75b18baf", "original_file_name": "taskhostw.exe", "parent_process_name": "svchost.exe", "parent_process_path": "C:WindowsSystem32svchost.exe", "pid": 14920, "ppid": 1700, "process_name": "taskhostw.exe", "process_path": "C:WindowsSystem32taskhostw.exe", "sha1": "2a594345fbcaad453c72bd0937cbf67fb43a74df", "signature_signer": "Microsoft Windows", "signature_status": "trusted", "timestamp_utc": "2018-10-02 16:05:32Z", ... }
7. FINE TUNING Filter results, unique results, or specifically account for false positives in your environment process where command_line == "* *system32cleanmgr.exe /autoclean*” and process_path != "C:WindowsSystem32taskhostw.exe"
CONCLUSION Seems easy enough? But FPs are everywhere. Always calibrate to the software and configurations in your environment 1. Stealthy PowerShell, this module is common huh? image_load where process_name != "powershell.exe" and image_name == "System.Management.Automation.ni.dll" 2. Emails, Links, Child Browser Process? process where parent_process_name == "outlook.exe" and process_name in ("wscript.exe", "cmd.exe", "powershell.exe", ...) 3. MSHTA Network Connections, never happens? sequence by unique_pid [process where process_name == "mshta.exe"] [network where event_subtype_full == "*connection_attempt_event"] 4. Unusual Lateral Movement via SMB, shouldn’t FP? network where destination_port == 445 and pid != 4 | unique process_path
Thank You.

More Related Content

PDF
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
byMITRE - ATT&CKcon
 
PPTX
Detection Rules Coverage
bySunny Neo
 
PDF
Security Analyst Workshop - 20200212
byFlorian Roth
 
PDF
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
byMITRE - ATT&CKcon
 
PDF
Detection and Response Roles
byFlorian Roth
 
PDF
What you need to know about ExPetr ransomware
byKaspersky
 
PDF
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
byMITRE - ATT&CKcon
 
PDF
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
byMITRE - ATT&CKcon
 
Detection Rules Coverage
bySunny Neo
 
Security Analyst Workshop - 20200212
byFlorian Roth
 
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
byMITRE - ATT&CKcon
 
Detection and Response Roles
byFlorian Roth
 
What you need to know about ExPetr ransomware
byKaspersky
 
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
byMITRE - ATT&CKcon
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
byMITRE - ATT&CKcon
 

What's hot

PDF
OSCP Preparation Guide @ Infosectrain
byInfosecTrain
 
PDF
Endpoint is not enough
bySumedt Jitpukdebodin
 
PDF
Bsides NYC 2018 - Hunting for Lateral Movement
byMauricio Velazco
 
PDF
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
byBlueHat Security Conference
 
ODT
Kioptrix 2014 5
byJayesh Patel
 
PDF
Red Team Methodology - A Naked Look
byJason Lang
 
PPT
Penetration testing, What’s this?
byDmitry Evteev
 
PDF
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
byBlueHat Security Conference
 
PDF
MITRE AttACK framework it is time you took notice_v1.0
byMichael Gough
 
PDF
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
byHacks in Taiwan (HITCON)
 
PPTX
Splunk Enterprise for Information Security Hands-On Breakout Session
bySplunk
 
PPTX
Hands on Security - Disrupting the Kill Chain Breakout Session
bySplunk
 
PPTX
【HITCON Hackathon 2017】 TrendMicro Datasets
byHacks in Taiwan (HITCON)
 
PDF
Automatiza las detecciones de amenazas y evita falsos positivos
byImma Valls Bernaus
 
PDF
Secure development in .NET with EPiServer Solita
byJoona Immonen
 
PDF
Malware collection and analysis
byChong-Kuan Chen
 
PDF
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
byBlueHat Security Conference
 
PDF
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
byMauricio Velazco
 
PDF
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
PDF
SplunkLive! Amsterdam 2015 - Analytics based security breakout
bySplunk
 
OSCP Preparation Guide @ Infosectrain
byInfosecTrain
 
Endpoint is not enough
bySumedt Jitpukdebodin
 
Bsides NYC 2018 - Hunting for Lateral Movement
byMauricio Velazco
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
byBlueHat Security Conference
 
Kioptrix 2014 5
byJayesh Patel
 
Red Team Methodology - A Naked Look
byJason Lang
 
Penetration testing, What’s this?
byDmitry Evteev
 
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
byBlueHat Security Conference
 
MITRE AttACK framework it is time you took notice_v1.0
byMichael Gough
 
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
byHacks in Taiwan (HITCON)
 
Splunk Enterprise for Information Security Hands-On Breakout Session
bySplunk
 
Hands on Security - Disrupting the Kill Chain Breakout Session
bySplunk
 
【HITCON Hackathon 2017】 TrendMicro Datasets
byHacks in Taiwan (HITCON)
 
Automatiza las detecciones de amenazas y evita falsos positivos
byImma Valls Bernaus
 
Secure development in .NET with EPiServer Solita
byJoona Immonen
 
Malware collection and analysis
byChong-Kuan Chen
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
byBlueHat Security Conference
 
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
byMauricio Velazco
 
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
SplunkLive! Amsterdam 2015 - Analytics based security breakout
bySplunk
 

Similar to MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, Endgame

PPTX
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
byJared Greenhill
 
PDF
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
byMichael Gough
 
PPT
Intrusion Discovery on Windows
bydkaya
 
PDF
Windows Threat Hunting
byGIBIN JOHN
 
PPTX
Catching fileless attacks
byBalaji Rajasekaran
 
PPTX
Windows Incident Response CheatSheet.pptx
byalphaa2test
 
PDF
Sysinternals utilities : a brief introduction to
byAkshay koshti
 
PDF
Malware hunting with the sysinternals tools
byAli Asad Sahu
 
PPTX
Anomalies Detection: Windows OS - Part 1
byRhydham Joshi
 
PPTX
Anomalies Detection: Windows OS - Part 1
byRhydham Joshi
 
PDF
Hunting fileless malware
byOlha Pasko
 
PPTX
Adversary tactics config mgmt-&-logs-oh-my
byJesse Moore
 
DOCX
Computer Forensics Report - FRS301 - FPT University
byDuc Lai Trung Minh
 
PPTX
Windows Live Forensics 101
byArpan Raval
 
PDF
BSidesPGH 2019
byBrianGardiner12
 
PDF
Logs, Logs, Logs - What you need to know to catch a thief
byMichael Gough
 
PDF
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
byNoNameCon
 
PDF
Olha Pasko - Hunting fileless malware [workshop]
byNoNameCon
 
PDF
Clean up
byBrandon Near
 
PPTX
Apparatus finding bad(malware)
byJohn Read
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
byJared Greenhill
 
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
byMichael Gough
 
Intrusion Discovery on Windows
bydkaya
 
Windows Threat Hunting
byGIBIN JOHN
 
Catching fileless attacks
byBalaji Rajasekaran
 
Windows Incident Response CheatSheet.pptx
byalphaa2test
 
Sysinternals utilities : a brief introduction to
byAkshay koshti
 
Malware hunting with the sysinternals tools
byAli Asad Sahu
 
Anomalies Detection: Windows OS - Part 1
byRhydham Joshi
 
Anomalies Detection: Windows OS - Part 1
byRhydham Joshi
 
Hunting fileless malware
byOlha Pasko
 
Adversary tactics config mgmt-&-logs-oh-my
byJesse Moore
 
Computer Forensics Report - FRS301 - FPT University
byDuc Lai Trung Minh
 
Windows Live Forensics 101
byArpan Raval
 
BSidesPGH 2019
byBrianGardiner12
 
Logs, Logs, Logs - What you need to know to catch a thief
byMichael Gough
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
byNoNameCon
 
Olha Pasko - Hunting fileless malware [workshop]
byNoNameCon
 
Clean up
byBrandon Near
 
Apparatus finding bad(malware)
byJohn Read
 

More from MITRE - ATT&CKcon

PDF
Sharpening your Threat-Hunting Program with ATTACK Framework
byMITRE - ATT&CKcon
 
PDF
From Theory to Practice: How My ATTACK Perspectives Have Changed
byMITRE - ATT&CKcon
 
PDF
MITRE ATTACKCon Power Hour - December
byMITRE - ATT&CKcon
 
PDF
State of the ATTACK
byMITRE - ATT&CKcon
 
PDF
What's New with ATTACK for ICS?
byMITRE - ATT&CKcon
 
PDF
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon Power Hour - November
byMITRE - ATT&CKcon
 
PDF
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
byMITRE - ATT&CKcon
 
PDF
ATTACKing the Cloud: Hopping Between the Matrices
byMITRE - ATT&CKcon
 
PDF
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
byMITRE - ATT&CKcon
 
PDF
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
byMITRE - ATT&CKcon
 
PDF
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
byMITRE - ATT&CKcon
 
PDF
Putting the PRE into ATTACK
byMITRE - ATT&CKcon
 
PDF
What's New with ATTACK for Cloud?
byMITRE - ATT&CKcon
 
PDF
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
byMITRE - ATT&CKcon
 
PDF
Transforming Adversary Emulation Into a Data Analysis Question
byMITRE - ATT&CKcon
 
PDF
TA505: A Study of High End Big Game Hunting in 2020
byMITRE - ATT&CKcon
 
PDF
What's a MITRE with your Security?
byMITRE - ATT&CKcon
 
PDF
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
byMITRE - ATT&CKcon
 
PDF
Starting Over with Sub-Techniques
byMITRE - ATT&CKcon
 
Sharpening your Threat-Hunting Program with ATTACK Framework
byMITRE - ATT&CKcon
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
byMITRE - ATT&CKcon
 
MITRE ATTACKCon Power Hour - December
byMITRE - ATT&CKcon
 
State of the ATTACK
byMITRE - ATT&CKcon
 
What's New with ATTACK for ICS?
byMITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon Power Hour - November
byMITRE - ATT&CKcon
 
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
byMITRE - ATT&CKcon
 
ATTACKing the Cloud: Hopping Between the Matrices
byMITRE - ATT&CKcon
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
byMITRE - ATT&CKcon
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
byMITRE - ATT&CKcon
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
byMITRE - ATT&CKcon
 
Putting the PRE into ATTACK
byMITRE - ATT&CKcon
 
What's New with ATTACK for Cloud?
byMITRE - ATT&CKcon
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
byMITRE - ATT&CKcon
 
Transforming Adversary Emulation Into a Data Analysis Question
byMITRE - ATT&CKcon
 
TA505: A Study of High End Big Game Hunting in 2020
byMITRE - ATT&CKcon
 
What's a MITRE with your Security?
byMITRE - ATT&CKcon
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
byMITRE - ATT&CKcon
 
Starting Over with Sub-Techniques
byMITRE - ATT&CKcon
 

Recently uploaded

PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
The year in review - MarvelClient in 2025
bypanagenda
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
API-First Architecture in Financial Systems
bycyy111112
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 

MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, Endgame

  • 1.
    FROM TECHNIQUE TO DETECTION Rapidprototyping of ATT&CK-based analytics Paul Ewing @_paulewing Ross Wolf @rw_access
  • 2.
    ATT&CK Detections? Will bepowerful Will enable hunters Will transform your SOC
  • 3.
    ATT&CK Detections? Will notbe as easy as described Will not always lead to analytics Will not be a silver bullet
  • 4.
    TIMELINE OF A SOLIDANALYTIC ATT&CK-based analytics required continual grooming as their success depends on it TIME  SUCCESS Initial Logic False Positives Fine Tune Overcompensate Profit
  • 5.
    1. SELECT YOUR TECHNIQUE Afterperforming gap-analysis and understanding your environment.
  • 6.
    1. SELECT YOUR TECHNIQUE Afterperforming gap-analysis and understanding your environment.
  • 7.
    2. DETONATE Find scriptsor commands that perform the technique. …after you detonate…be sure to leave yourself some breadcrumbs… Microsoft Windows [Version 10.0.17134.345] (c) 2018 Microsoft Corporation. All rights reserved. C:UsersRoss> C:UsersRoss>reg add hkcuEnvironment /v windir /d "cmd /K reg delete hkcuEnvironment /v windir /f && REM " The operation completed successfully. C:UsersRoss>schtasks /Run /TN MicrosoftWindowsDiskCleanupSilentCleanup /I SUCCESS: Attempted to run the scheduled task "MicrosoftWindowsDiskCleanupSilentCleanup". C:UsersRoss> The operation completed successfully. C:WINDOWSsystem32>cmd /c echo FINDMEFINDME FINDMEFINDME C:WINDOWSsystem32> https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html
  • 8.
    3. PREP ANALYSIS First let’screate some PS functions to help us gather and parse Sysmon logs. function Get-EventProps { [cmdletbinding()] Param ( [parameter(ValueFromPipeline)] $event ) Process { $eventXml = [xml]$event.ToXML() $eventKeys = $eventXml.Event.EventData.Data $Properties = @{} For ($i=0; $i -lt $eventKeys.Count; $i++) { $Properties[$eventKeys[$i].Name] = $eventKeys[$i].'#text' } [pscustomobject]$Properties } } function Get-LatestLogs { Get-WinEvent -filterhashtable @{logname="Microsoft-Windows- Sysmon/Operational"} -MaxEvents 1000 | Get-EventProps } function Get-LatestProcesses { Get-WinEvent -filterhashtable @{logname="Microsoft-Windows- Sysmon/Operational";id=1} -MaxEvents 1000 | Get-EventProps }
  • 9.
    3. PREP ANALYSIS Let’s storethe relevant process data C:UsersRossDesktop> C:UsersRossDesktop>powershell Windows Powershell Copyright (c) 2013 Microsoft Corporation. All rights reserved. PS C:UsersRossDesktop> $processLogs = Get-LatestProcesses We need this data We got this data
  • 10.
    4.EXPLORE DATA First, find your breadcrumbsthat you left earlier. PS C:UsersRossDesktop> $processLogs | Where { $_.CommandLine -like "*FINDMEFINDME*" } ParentCommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: Description : Windows Command Processor CommandLine : cmd /c echo FINDMEFINDME CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 21:01:44.471 ProcessGuid : {2FA81719-F4B8-5BC8-0000-0010A1124F01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 5816 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01} ParentProcessId : 8760 ParentImage : C:WindowsSystem32cmd.exe
  • 11.
    4.EXPLORE DATA Walk up theprocess tree to see when and how the bypass occurred. We’re looking for a transition from medium to high integrity. PS C:UsersRossDesktop> $processLogs | where { $_.ProcessGuid -eq "{2FA81719-F482-5BC8-0000-001060044C01}"} ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 21:00:50.695 ProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 8760 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
  • 12.
    4.EXPLORE DATA Keep walking upthe tree until things look normal again. We found the Schedule service running as normal. PS C:UsersRossDesktop> $processLogs | where { $_.ProcessGuid -eq "{2FA81719-DE77-5BC8-0000-001028620100}"} ParentCommandLine : C:WINDOWSsystem32services.exe Description : Host Process for Windows Services CommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=660B76B6FB802417D513ADC967C5CAF77FC2BAC6 Image : C:WindowsSystem32svchost.exe UtcTime : 2018-10-18 19:26:47.110 ProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} Company : Microsoft Corporation IntegrityLevel : System FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : NT AUTHORITYSYSTEM RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x3e7 ProcessId : 1288 LogonGuid : {2FA81719-DE75-5BC8-0000-0020E7030000} TerminalSessionId : 0 ParentProcessGuid : {2FA81719-DE75-5BC8-0000-0010C6AC0000} ParentProcessId : 632 ParentImage : C:WindowsSystem32services.exe
  • 13.
    4.EXPLORE DATA We went toofar. The task scheduler ran the SilentCleanup task, but we’re interested in the task, not the scheduler.
  • 14.
    4.EXPLORE DATA What happens whenthe SilentCleanup task is not abused? PS C:UsersRossDesktop> $processLogs | where { $_.CommandLine -like "*cleanmgr.exe /autoclean*" } ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 21:00:50.695 ProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 8760 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
  • 15.
    4.EXPLORE DATA What happens whenthe SilentCleanup task is not abused? ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 20:59:01.667 ProcessGuid : {2FA81719-F415-5BC8-0000-0010F9F64301} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 5820 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
  • 16.
    4.EXPLORE DATA What happens whenthe SilentCleanup task is not abused? ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Disk Space Cleanup Manager for Windows CommandLine : C:WINDOWSsystem32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=2EB39003998F0E518AD937DB120B87E81D5A5893 Image : C:WindowsSystem32cleanmgr.exe UtcTime : 2018-10-18 20:58:07.183 ProcessGuid : {2FA81719-F3DF-5BC8-0000-001024A93F01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 2828 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
  • 17.
    4.EXPLORE DATA What happens whenthe SilentCleanup task is not abused? ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Disk Space Cleanup Manager for Windows CommandLine : C:WINDOWSsystem32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=2EB39003998F0E518AD937DB120B87E81D5A5893 Image : C:WindowsSystem32cleanmgr.exe UtcTime : 2018-10-18 20:54:13.619 ProcessGuid : {2FA81719-F2F5-5BC8-0000-001036452E01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 4864 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
  • 18.
    5. PROTOTYPE ANALYTIC Draft ananalytic in PowerShell that detects the malicious behavior without triggering on the benign behavior. PS C:UsersRossDesktop> $processLogs | where {$_.IntegrityLevel -eq "High"} –and $_.CommandLine -like "* *system32cleanmgr.exe /autoclean*" } ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 21:00:50.695 ProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 8760 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
  • 19.
    5. PROTOTYPE ANALYTIC Draft ananalytic in PowerShell. ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 20:59:01.667 ProcessGuid : {2FA81719-F415-5BC8-0000-0010F9F64301} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 5820 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
  • 20.
    6. GO LIVE Rulelooks good! Let’s write an EQL query. process where command_line == "* *system32cleanmgr.exe /autoclean*" https://www.endgame.com/blog/technical-blog/introducing-event-query-language
  • 21.
    6. GO LIVE Results…uhoh… True or false positive? { "authentication_id": 224881, "command_line": "taskhostw.exe C:WINDOWSsystem32cleanmgr.exe /autoclean /d C:", "event_subtype_full": "creation_event", "event_type_full": "process_event", "md5": "ce95e236fc9fe2d6f16c926c75b18baf", "original_file_name": "taskhostw.exe", "parent_process_name": "svchost.exe", "parent_process_path": "C:WindowsSystem32svchost.exe", "pid": 14920, "ppid": 1700, "process_name": "taskhostw.exe", "process_path": "C:WindowsSystem32taskhostw.exe", "sha1": "2a594345fbcaad453c72bd0937cbf67fb43a74df", "signature_signer": "Microsoft Windows", "signature_status": "trusted", "timestamp_utc": "2018-10-02 16:05:32Z", ... }
  • 22.
    6. GO LIVE Oh,this is just another benign instance of the Windows task scheduler on a different OS. { "authentication_id": 224881, "command_line": "taskhostw.exe C:WINDOWSsystem32cleanmgr.exe /autoclean /d C:", "event_subtype_full": "creation_event", "event_type_full": "process_event", "md5": "ce95e236fc9fe2d6f16c926c75b18baf", "original_file_name": "taskhostw.exe", "parent_process_name": "svchost.exe", "parent_process_path": "C:WindowsSystem32svchost.exe", "pid": 14920, "ppid": 1700, "process_name": "taskhostw.exe", "process_path": "C:WindowsSystem32taskhostw.exe", "sha1": "2a594345fbcaad453c72bd0937cbf67fb43a74df", "signature_signer": "Microsoft Windows", "signature_status": "trusted", "timestamp_utc": "2018-10-02 16:05:32Z", ... }
  • 23.
    7. FINE TUNING Filterresults, unique results, or specifically account for false positives in your environment process where command_line == "* *system32cleanmgr.exe /autoclean*” and process_path != "C:WindowsSystem32taskhostw.exe"
  • 24.
    CONCLUSION Seems easy enough? ButFPs are everywhere. Always calibrate to the software and configurations in your environment 1. Stealthy PowerShell, this module is common huh? image_load where process_name != "powershell.exe" and image_name == "System.Management.Automation.ni.dll" 2. Emails, Links, Child Browser Process? process where parent_process_name == "outlook.exe" and process_name in ("wscript.exe", "cmd.exe", "powershell.exe", ...) 3. MSHTA Network Connections, never happens? sequence by unique_pid [process where process_name == "mshta.exe"] [network where event_subtype_full == "*connection_attempt_event"] 4. Unusual Lateral Movement via SMB, shouldn’t FP? network where destination_port == 445 and pid != 4 | unique process_path
  • 25.