MITRE - ATT&CKcon, profile picture
Uploaded byMITRE - ATT&CKcon
PDF, PPTX5,528 views

MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, SpecterOps and Jose Luis Rodriguez, Student

The document discusses threat hunting methodologies, emphasizing the importance of data mapping and understanding ATT&CK data sources to improve detection of adversarial techniques. It outlines steps for effective threat hunting, including defining techniques, generating hypotheses, and validating data collection methodologies. Additionally, it highlights tools like the attack-python-client for accessing ATT&CK metadata and encourages collaboration to address gaps in data source mappings.

Embed presentation

Download as PDF, PPTX
1 / 123
2 / 123
Most read
3 / 123
4 / 123
5 / 123
6 / 123
7 / 123
8 / 123
9 / 123
10 / 123
11 / 123
12 / 123
13 / 123
14 / 123
15 / 123
16 / 123
17 / 123
18 / 123
19 / 123
20 / 123
21 / 123
22 / 123
23 / 123
24 / 123
25 / 123
26 / 123
27 / 123
28 / 123
29 / 123
30 / 123
31 / 123
32 / 123
33 / 123
34 / 123
35 / 123
36 / 123
37 / 123
38 / 123
39 / 123
40 / 123
41 / 123
42 / 123
43 / 123
44 / 123
45 / 123
46 / 123
47 / 123
48 / 123
49 / 123
50 / 123
51 / 123
52 / 123
53 / 123
54 / 123
55 / 123
56 / 123
57 / 123
58 / 123
59 / 123
60 / 123
61 / 123
62 / 123
63 / 123
64 / 123
65 / 123
66 / 123
67 / 123
68 / 123
69 / 123
70 / 123
71 / 123
72 / 123
73 / 123
74 / 123
75 / 123
76 / 123
77 / 123
78 / 123
79 / 123
80 / 123
81 / 123
82 / 123
83 / 123
84 / 123
85 / 123
86 / 123
87 / 123
88 / 123
89 / 123
90 / 123
91 / 123
92 / 123
93 / 123
94 / 123
95 / 123
96 / 123
97 / 123
98 / 123
99 / 123
100 / 123
101 / 123
102 / 123
103 / 123
104 / 123
105 / 123
106 / 123
107 / 123
108 / 123
109 / 123
110 / 123
111 / 123
112 / 123
113 / 123
114 / 123
115 / 123
116 / 123
117 / 123
118 / 123
119 / 123
120 / 123
121 / 123
122 / 123
123 / 123
Hunters ATT&CKing With The Right Data 1
@Cyb3rWard0g ● Adversary Detection Analyst @SpecterOps ● Author: ○ ThreatHunter-Playbook ○ Hunting ELK (HELK) ○ ATTACK-Python-Client ○ OSSEM (Open Source Security Event Metadata) ● Form er: Capital One - USA, Senior Threat Hunter 2https://github.com/Cyb3rWard0g
@Cyb3rPandaH ● Cyber Security Student @NOVAcommcollege ● Author: ○ Tableau-ATTCK ● Contributor: ○ ThreatHunter-Playbook, HELK, OSSEM ● Form er: UNACEM- Peru, Senior Business Intelligence Analyst 3https://github.com/Cyb3rPanda
Agenda ● Current Threat Hunting & Data Overview ● Threat Hunting & ATT&CK ● What else do I need to know about ATT&CK data sources? ● Defining a data mapping methodology ● ATT&CKing with the right data! ○ Data mapping examples 4
Threat Hunting & Data LOG IT ALL-> HUNT-> FIND EVIL- REPEAT … Right?, Maybe? 5
Threat Hunting What can be automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop HypothesisThreat Hunting 6
Threat Hunting What can be automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Threat Hunting 7 Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop Hypothesis
Threat Hunting What can be automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Threat Hunting 8 Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop Hypothesis
What can be automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Threat Hunting 9 Threat Hunting Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop Hypothesis
What can be automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Threat Hunting 10 Threat Hunting Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop Hypothesis
Data Swamps & Threat Hunting (Reality) 11
More data = More problems? ● This benefits security analysts from a data availability perspective! ● How do you prioritize collection of event logs? ● Do you know what you are collecting? ● Do you know the data you are collecting? ● Again, do you know the data you are collecting? 12
Yeah, do you know your data? But, do you know your logs? 13
Threat Hunting & ATT&C How are you doing it? 14
Threat Hunting & ATT&CK https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf 15 Threat Hunting Identify adversarial technique Develop a hypothesis
Threat Hunting & ATT&CK: Create Account 16https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf
What is a data source? “Source of information collected by a sensor or logging system that may be used to collect information relevant to identifying the action being performed, sequence of actions , or the results of those actions by an adversary .” https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf 17
Threat Hunting & ATT&CK Data SourcesHelp detect 18https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf
Threat Hunting & ATT&CK https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf Data SourcesHelp detect 19
What else do I need to kn about that? 20
Main Goals ● Expand on the current ATT&CK data sources (Extra Context) ● Help to prioritize the collection of event logs ● Define a methodology to map event logs to ATT&CK data sources ● Allow blue teamers to understand what they could use to validate the detection of specific adversarial techniques ● Allow red teamers to understand what they might look like in the environment while using specific adversarial techniques ● Learn more about event logs and ATT&CK data sources 21
Defining a data mapping methodology What worked for us! 22
Our Methodology ● Explore ATT&CK data sources ● Document event logs related to ATT&Ck data sources ● Develop a data model ● Map event logs to ATT&CK data sources ● Validate data mappings 23
Explore ATT&CK Data So What can we do with ATT&CK data sources? 24
How do I access ATT&CK Metadata? 25
ATTACK-Python-Client Github Project ● A Python module to access up to date ATT&CK content available in STIX via public TAXII server. It leverages cti -python -stix2 and cti - taxii -client python libraries developed by MITRE. ● Goals ○ Allow the integration of ATT&CK content with other platform s ○ Allow security analysts to quickly explore ATT&CK content and apply it in their daily operations ○ Explore all available ATT&CK m etadata at once ○ Learn STIX2 and TAXII Client Python libraries https://github.com/Cyb3rWard0g/ATTACK-Python-Client 26
ATTACK-Python-Client Installation ● Via PIP: pip install attackcti ● Or Straight from Source ○ git clone https://github.com/Cyb3rWard0g /ATTACK-Python-Client ○ cd ATTACK-Python-Client ○ pip install . ● Jupyter Notebooks Available ○ pip install -r requirements.txt ○ cd notebooks ○ jupyter lab https://github.com/Cyb3rWard0g/ATTACK-Python-Client 27
ATT&CK Metadata- Jupyter Notebook https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 28
ATT&CK Techniques (478) and Data Sourc ● Almost 46% of techniques have data sources defined ● Around 54% of techniques do NOT have data sources defined ● Pre-ATT&CKdata sources m aybe? ● Opportunities to collaborate and define those without data sources? https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 29
ATT&CK Techniques (478) and Data Sourc https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 30
Looking for anything to do this weekend? https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 31
ATT&CK Techniques with Data Sources (21 https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 32 Process Monitoring: 157 TechniquesFile Monitoring: 90 Techniques Process Command Line: 87 Techniques
ATT&CK Techniques with Data Sources (21 https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 33 Process Monitoring: 157 TechniquesFile Monitoring: 90 Techniques Process Command Line: 87 Techniques
ATT&CK Windows Data Sources & Platform 34https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
ATT&CK Techniques with Data Sources (21 https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 35 Process Monitoring: 157 TechniquesFile Monitoring: 90 Techniques Process Command Line: 87 Techniques
Prioritization of ATT&CK Data Sources 36 Only 19 (9%) techniques require 1 data source. 200 techniques require at least 2 data sources to analyze them … MORE CONTEXT https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
Prioritization of ATT&CK Data Sources (Top 37https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
Document Event Logs What event logs are related to ATT&CK data sources 38
Windows Technique: Credential In Registry T1214 Windows Registry Process Monitoring Process Command-Line Parameters 39
Windows Security 4688- Process Creation T1214 Windows Registry Process Monitoring Process Command-Line Parameters 40 Windows Security
Windows Security 4689- Process Termination T1214 Windows Registry Process Monitoring Process Command-Line Parameters 41 Windows Security
Windows Sysmon 1- Process Create T1214 Windows Registry Process Monitoring Process Command-Line Parameters 42 Windows Sysmon
Windows Sysmon 10- Process Accessed T1214 Windows Registry Process Monitoring Process Command-Line Parameters 43 Windows Sysmon
Data Dictionaries 44 Windows Sysmon https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf
Another reason why I should document my https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf 45
Develop A Data Model 46 Defining data objects and their relationships
What is a data model? ● A data model basically determines the structure of data and the relationships identified among each other. ● MITRE Data Model: ○ Strongly inspired by CybOX, is an organization of the objects that m ay be m onitored from a host-based or network-based perspective. https://car.m itre.org/wiki/Data_Model ● STIX™ Version 2.0. Part 4: Cyber Observable Objects ○ http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part4-cyber- observable-objects.htm l 47
Data Model Levels https://www.1keydata.com/datawarehousing/data-modeling-levels.html 48 Conceptual Model Design Logical Model Design Physical Model Design
Data Modeling & Cyber Threat Intelligence https://oasis-open.github.io/cti-stix-visualization/?url=https://raw.githubusercontent.com/oasis-open/cti- documentation/master/examples/example_json/threat-actor-leveraging-attack-patterns-and-malware.json 49
Data Modeling & Cyber Threat Intelligence https://oasis-open.github.io/cti-documentation/examples/threat-actor-leveraging-attack-patterns-and-malware 50
What about data modeling and security eve 51 Process IPFile
What about data modeling and security eve 52 Process IPconnected_toFile created
What about data modeling and security eve 53 Process IPconnected_toFile created process_name process_command_line process_guid file_name file_directory process_guid dst_ip src_ip process_guid
What about data modeling and security eve 54 Process IPconnected_toFile created process_name process_command_line process_guid file_name file_directory process_guid dst_ip src_ip process_guid
Sysmon Data Model After Documentation 55https://github.com/Cyb3rWard0g/presentations/blob/master/SANS_THIR_2018.pdf
Windows Technique: Credential In Registry T1214 Windows Registry Process Monitoring Process Command-Line Parameters 56
Windows Technique: Credential In Registry T1214 Windows Registry Process Monitoring Process Command-Line Parameters 57 Process Creation Process Termination Process Write To Process Process Access
ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 58 Process Creation Process Termination Process Write To Process Process Access Process Processcreated
ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 59 Process Creation Process Termination Process Write To Process Process Access Process User Processcreated terminated Process
ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 60 Process Creation Process Termination Process Write To Process Process Access Process Process Process Process created wrote_to User terminated Process
ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 61 Process Creation Process Termination Process Write To Process Process Access Process Process Process Process Process Process created wrote_to accessed User terminated Process
ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 62 Registry Creation Registry Deletion Registry Modification Registry Access Process Registrycreated
ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 63 Registry Creation Registry Deletion Registry Modification Registry Access Process Process Registrycreated deleted Registry
ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 64 Registry Creation Registry Deletion Registry Modification Registry Access Process Process Process Registrycreated modified deleted Registry Registry
ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 65 Registry Creation Registry Deletion Registry Modification Registry Access Process Process Process Process Registrycreated modified accessed deleted Registry Registry Registry
ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 66 Registry Creation Registry Deletion Registry Modification Registry Access Process User User User Registrycreated modified accessed deleted Registry Registry Registry
Map Event Logs To ATT&CK Data Sources Blue Teamer: What you have VS what you need! Red Teamer: What you might look like! 67
ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 68
ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 69 Process Creation Process created Process Process Write To Process Process wrote_to Process Process Access Process accessed Process Process Termination user terminated Process
ATT&CK Data Sources & Event Logs T1214 Windows Registry Process Monitoring Process Command-Line Parameters 70 Process Creation Process created Process Process Termination user terminated Process Write To Process Process Process Process Access Process Process Security 4688 Sysmon 1 Process wrote_to accessed
ATT&CK Data Sources & Event Logs T1214 Windows Registry Process Monitoring Process Command-Line Parameters 71 Process Creation Process created Process Process Write To Process Process Process Process Access Process Process Security 4688 Sysmon 1 Security 4689 Sysmon 5 Process Termination user terminated Process wrote_to accessed
ATT&CK Data Sources & Event Logs T1214 Windows Registry Process Monitoring Process Command-Line Parameters 72 Process Creation Process created Process Process Write To Process Process Process Process Access Process Process Security 4688 Sysmon 1 Security 4689 Sysmon 5 Sysmon 8 Process Termination user terminated Process wrote_to accessed
ATT&CK Data Sources & Event Logs T1214 Windows Registry Process Monitoring Process Command-Line Parameters 73 Process Creation Process created Process Process Write To Process Process Process Process Access Process Process Security 4688 Sysmon 1 Security 4689 Sysmon 5 Sysmon 8 Sysmon 10 Process Termination user terminated Process wrote_to accessed
Prioritization of ATT&CK Data Sources (Top 74https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
File& Process Monitoring (66 Techniques) 68 Process Monitoring File Monitoring 75 Process Creation Security 4688 Sysmon 1 Process Termination Process Write To Process Process Access File Creation File Access Request File Deletion Request File Access File Deletion Security 4689 Sysmon 5 Sysmon 8 Sysmon 10 Sysmon 11 Security 4656 Security 4663
File& Process Monitoring (Technique variat 68 Process Monitoring File Monitoring 76 Process Creation Security 4688 Sysmon 1 Process Termination Process Write To Process Process Access File Creation File Access Request File Deletion Request File Access File Deletion Security 4689 Sysmon 5 Sysmon 8 Sysmon 10 Sysmon 11 Security 4656 Security 4663
From an ATT&CK Data Sources to Event Lo 77
Where do I get this information? 78 ● Data Dictionaries ○ Windows (Security, Sysmon, etc) ○ Carbon Black Logs ● Data Models ○ Relationships ● ATT&CK Data Sources ○ Definitions & Data Mapping ● Common Information Model https://github.com/Cyb3rWard0g/OSSEM
Hunters ATT&CKing with the right data! Threat Hunting Operations 79
Threat Hunting Approach 80 Identify technique(s) Define Technique Variation Generate Hypothesis Simulate Technique Variation Identify Recommended Data Sources Define Data Analytics Validate Detection Perform Data Quality Assessment Execute Hunt Hunter Notes / Report
Threat Hunting & Data 81 Identify technique(s) Define Technique Variation Generate Hypothesis Simulate Technique Variation Identify Recommended Data Sources Define Data Analytics Validate Detection Perform Data Quality Assessment Execute Hunt Hunter Notes / Report
Hunters ATT&CKing with the right data! Detecting potential “overpass-the-hash” techniques 82
Identify Technique: Pass the Hash “Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.” https://attack.mitre.org/wiki/Technique/T1075 83
Define Technique Variation: Overpass-The-Hash https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf 84 ● Authentication via Kerberos ○ Authentication Protocol based on keys and tickets ● “Upgrading a NT hash into a full Kerberos ticket” ● It requires elevated privileges (privilege::debug or SYSTEM account) ○ (Depends on how this attack is perform ed. You m ight not need)
Technical Details: Normal kerberos Authent https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it 85
Technical Details: Overpass-the-hash https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it 86
Technical Details: Mimikatz- Overpass-The-Hash https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth 87 ● mimikatz can perform the well -known operation 'Pass -The-Hash' to run a process under another credentials with NTLM (or AES128/156_HMAC) hash of the user’s password, instead of its real password. ● For this, it starts a process with a fake identity, then replaces fake information (NTLM hash of the fake password) with real information (NTLM hash of the real password). ● DEMO
Technical Details: Mimikatz- Overpass-The-Hash https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth 88
Mimikatz- pth: Security Event 4673 (Client Si 89 Field Values process_name mimikatz.exe service_name Security service_privilege SeTcbPrivilege user_name cbrown Sensitive Privileged Service Operation Process called service
Mimikatz- pth: Security Event 4673 (Client Si 90 Field Values process_name lsass.exe service_name LsaRegisterLogonProcess() service_privilege SeTcbPrivilege user_name cbrown Sensitive Privileged Service Operation Process called service
Mimikatz- pth: Security Event 4624 (Client Si 91 Field Values logon_type 9 user_name cbrown user_network_account_name pedro User Account Successful Authentication User Authenticated Host
Mimikatz- pth: Security Event 4656 (Client Si 92 Field Values process_name mimikatz.exe process_granted_access 0x1010 target_process_name lsass.exe Process Access Process Accessed Process
Mimikatz- pth: Security Event 4656 (Client Si 93 Field Values process_name mimikatz.exe process_granted_access 0x1038 target_process_name lsass.exe Process Access Process Accessed Process
Mimikatz- pth: Security Event 5158 (Client Si 94 Field Values process_name lsass.exe src_ip 0.0.0.0 src_port 50066 Process Network Local Port Bind Allow Process bound_to Port
Mimikatz- pth: Security Event 5156 (Client Si 95 Field Values process_name lsass.exe dst_ip 192.168.64.147 dst_port 88 Process Network Connection Allow Process connected_to Ip
Mimikatz- pth: Sysmon Event 3 (Client Side) 96 Field Values process_name lsass.exe dst_ip 192.168.64.147 dst_port 88 user_name SYSTEM dst_host DC-WD-001 Process Network Connection Allow Process connected_to Ip
Mimikatz- pth: Security Event 4648 (Client Si 97 Field Values user_name cbrown target_user_name pedro target_host_name DC-WD-001 user account authentication with explicit credential User authenticated host
Mimikatz- pth: Security Event 4768 (Server S 98 Field Values user_name pedro ticket_encryption_type 0x17 src_ip 192.168.64.137 Kerberos TGT Request User requested Ticket
Mimikatz- pth: Security Event 4769 (Server S 99 Field Values user_name pedro ticket_encryption_type 0x12 src_ip 192.168.64.137 service_name krbtgt Kerberos Service Ticket Request User requested Ticket
Mimikatz- pth: Security Event 4769 (Server S 100 Field Values user_name pedro ticket_encryption_type 0x12 src_ip 192.168.64.137 service_name DC-WD-001$ Kerberos Service Ticket Request User requested Ticket
Mimikatz- pth: Security Event 4624 (Server S 101 Field Values user_name pedro logon_type 3 src_ip 192.168.64.137 service_name DC-WD-001$ logon_process kerberos User Account Successful Authentication User authenticated Host
Mimikatz- pth: Security Event 5140 (Server S 102 Field Values user_name pedro share_name *C$ src_ip 192.168.64.137 Network Share Access User accessed Network share
Technical Details: Rubeus- Overpass-the-hash https://github.com/GhostPack/Rubeus 103 ● Rubeus is a C# re-implementation of some of the functionality from Benjamin Delpy’s Kekeo project ○ Kerberos structures built by hand… ○ Rubeus works nicely with execute -assembly ○ So why not use Kekeo? Because ASN.1! ■ Requires a commercial ASN.1 library to customize/rebuild the Kekeo codebase ● Author: Will Schroeder @harmj0y @SpecterOps ● DEMO
Technical Details: Rubeus- Overpass-the-hash https://github.com/GhostPack/Rubeus 104
Rubeus- ptt: Security Event 4673 (Client Side 105 Field Values process_name rubeus.exe service_privilege SeCreateGlobalPrivilege user_name cbrown Sensitive Privileged Service Operation Process called service
Rubeus- ptt: Security Event 5158 (Client Side 106 Field Values process_name rubeus.exe src_ip 0.0.0.0 src_port 50209 Process Network Local Port Bind Allow Process bound_to port
Rubeus- ptt: Security Event 5156 (Client Side 107 Field Values process_name rubeus.exe dst_ip 192.168.64.147 dst_port 88 Process Network Connection Allow Process connected_to Ip
Rubeus- ptt: Sysmon 3 (Client Side) 108 Field Values process_name rubeus.exe dst_ip 192.168.64.147 dst_port 88 user_name cbrown dst_host DC-WD-001 Process Network Connection Allow Process connected_to Ip
Rubeus- ptt: Security Event 4768 (Server Sid 109 Field Values user_name pedro ticket_encryption_type 0x17 service_name krbtgt src_ip 192.168.64.137 Kerberos TGT Request User requested Ticket
Rubeus- ptt: Security Event 4769 (Server Sid 110 Field Values user_name pedro ticket_encryption_type 0x12 service_name DC-WD-001$ src_ip 192.168.64.137 Kerberos Service Ticket Request User requested Ticket
Rubeus- ptt: Security Event 4624 (Server Sid 111 Field Values user_name pedro logon_type 3 logon_process Kerberos src_ip 192.168.64.137 User Account Successful Authentication User authenticated Host
Rubeus- ptt: Security Event 5140 (Server Sid 112 Field Values user_name pedro share_name *C$ src_ip 192.168.64.137 Network Share Access User accessed Network share
Mimikatz vs Rubeus- Kerberos Authentication 113
Mimikatz vs Rubeus- Kerberos Authentication 114
Mmmm… Who else connects to the DC via 115
Mmmm… Who else connects to the DC via 116
Mmmm… Who else connects to the DC via 117
Mmmm… Rubeus? 118
Mimikatz Data Mapping- Pass The Hash- T1075 119 T1075 Authentication Logs Process Monitoring User Account Successful Authentication Security 4624 User Account Authentication With Explicit Credentials Process Access Process Network Local Port Bind Allow Process Network Connection Allow Security 4648 Sysmon 10 Security 4656 Process Use of Network Security 5158 Security 5156 Sysmon 3 Kerberos TGT Request Kerberos Service Ticket Request Security 4768 Security 4769 Sensitive Privileged Service Operation Security 4673
Rubeus Data Mapping- Pass The Hash- T1075 120 T1075 Authentication Logs Process Monitoring User Account Successful Authentication Security 4624 User Account Authentication With Explicit Credentials Process Access Process Network Local Port Bind Allow Process Network Connection Allow Security 4648 Sysmon 10 Security 4656 Process Use of Network Security 5158 Security 5156 Sysmon 3 Kerberos TGT Request Kerberos Service Ticket Request Security 4768 Security 4769 Sensitive Privileged Service Operation Security 4673
Thank You! Muchas Grac 121
References OSSEM:https://github.com/Cyb3rWard0g/OSSEM HELK:https://github.com/Cyb3rWard0g/HELK Rubeus: https://github.com/GhostPack/Rubeus Mimikatz: https://github.com/gentilkiwi/mimikatz/wiki/module -~-sekurlsa#pth 122
THREAT HUNTING SLACK CHANNEL 123

More Related Content

PDF
Cyber Threat hunting workshop
byArpan Raval
 
PDF
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
byKatie Nickels
 
PPTX
Threat hunting for Beginners
bySKMohamedKasim
 
PDF
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
byMITRE - ATT&CKcon
 
PDF
Purple Team Exercise Framework Workshop #PTEF
byJorge Orchilles
 
PDF
Introduction to red team operations
bySunny Neo
 
PPTX
ATT&CKing with Threat Intelligence
byChristopher Korban
 
PDF
Breach and attack simulation tools
byBangladesh Network Operators Group
 
Cyber Threat hunting workshop
byArpan Raval
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
byKatie Nickels
 
Threat hunting for Beginners
bySKMohamedKasim
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
byMITRE - ATT&CKcon
 
Purple Team Exercise Framework Workshop #PTEF
byJorge Orchilles
 
Introduction to red team operations
bySunny Neo
 
ATT&CKing with Threat Intelligence
byChristopher Korban
 
Breach and attack simulation tools
byBangladesh Network Operators Group
 

What's hot

PDF
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
PPTX
Leveraging MITRE ATT&CK - Speaking the Common Language
byErik Van Buggenhout
 
PDF
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
byMITRE ATT&CK
 
PPTX
MITRE ATT&CK framework
byBhushan Gurav
 
PDF
Threat Modelling - It's not just for developers
byMITRE ATT&CK
 
PDF
Red Team Framework
by👀 Joe Gray
 
PPTX
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
PDF
Introduction to MITRE ATT&CK
byArpan Raval
 
PDF
MITRE ATT&CK Framework
byn|u - The Open Security Community
 
PDF
State of the ATTACK
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
byMITRE - ATT&CKcon
 
PPTX
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
PDF
Adversary Emulation and Red Team Exercises - EDUCAUSE
byJorge Orchilles
 
PDF
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 
PPTX
Threat hunting - Every day is hunting season
byBen Boyd
 
PDF
When Insiders ATT&CK!
byMITRE ATT&CK
 
PDF
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
byMITRE ATT&CK
 
PPTX
Purple Teaming with ATT&CK - x33fcon 2018
byChristopher Korban
 
PDF
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
byMITRE - ATT&CKcon
 
PDF
ATT&CKcon Intro
byMITRE ATT&CK
 
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
Leveraging MITRE ATT&CK - Speaking the Common Language
byErik Van Buggenhout
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
byMITRE ATT&CK
 
MITRE ATT&CK framework
byBhushan Gurav
 
Threat Modelling - It's not just for developers
byMITRE ATT&CK
 
Red Team Framework
by👀 Joe Gray
 
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
Introduction to MITRE ATT&CK
byArpan Raval
 
MITRE ATT&CK Framework
byn|u - The Open Security Community
 
State of the ATTACK
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
byMITRE - ATT&CKcon
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
byJorge Orchilles
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 
Threat hunting - Every day is hunting season
byBen Boyd
 
When Insiders ATT&CK!
byMITRE ATT&CK
 
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
byMITRE ATT&CK
 
Purple Teaming with ATT&CK - x33fcon 2018
byChristopher Korban
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
byMITRE - ATT&CKcon
 
ATT&CKcon Intro
byMITRE ATT&CK
 

Similar to MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, SpecterOps and Jose Luis Rodriguez, Student

PDF
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
byElasticsearch
 
PDF
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
byMITRE - ATT&CKcon
 
PDF
Threat Hunting Procedures and Measurement Matrice
byVishal Kumar
 
PDF
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
byMITRE - ATT&CKcon
 
PDF
Automation: The Wonderful Wizard of CTI (or is it?)
byMITRE ATT&CK
 
PPTX
2022_Fal-con_CQF_Presentation_Crowdstrike.pptx
byssuser9fc96c
 
PDF
MITRE-Module 2 Slides.pdf
byReZa AdineH
 
PDF
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
byMITRE - ATT&CKcon
 
PPTX
Threat hunting and achieving security maturity
byDNIF
 
PPTX
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
byHarry McLaren
 
PPTX
How I Learned to Stop Information Sharing and Love the DIKW
bySounil Yu
 
PDF
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: attckr - A Toolkit for Analysis and Visualization of ATT...
byMITRE - ATT&CKcon
 
PDF
MITRE-Module 3 Slides.pdf
byReZa AdineH
 
PPTX
Security Analytics for Data Discovery - Closing the SIEM Gap
byEric Johansen, CISSP
 
PDF
MITRE ATT&CK Updates: Defensive ATT&CK - Lex Crumpton
byMITRE ATT&CK
 
PDF
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
PPTX
ATT&CKing Threat Management
byAndy Piazza
 
ODP
Unlock Security Insight from Machine Data
byNarudom Roongsiriwong, CISSP
 
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
byElasticsearch
 
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
byMITRE - ATT&CKcon
 
Threat Hunting Procedures and Measurement Matrice
byVishal Kumar
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
byMITRE - ATT&CKcon
 
Automation: The Wonderful Wizard of CTI (or is it?)
byMITRE ATT&CK
 
2022_Fal-con_CQF_Presentation_Crowdstrike.pptx
byssuser9fc96c
 
MITRE-Module 2 Slides.pdf
byReZa AdineH
 
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
byMITRE - ATT&CKcon
 
Threat hunting and achieving security maturity
byDNIF
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
byHarry McLaren
 
How I Learned to Stop Information Sharing and Love the DIKW
bySounil Yu
 
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: attckr - A Toolkit for Analysis and Visualization of ATT...
byMITRE - ATT&CKcon
 
MITRE-Module 3 Slides.pdf
byReZa AdineH
 
Security Analytics for Data Discovery - Closing the SIEM Gap
byEric Johansen, CISSP
 
MITRE ATT&CK Updates: Defensive ATT&CK - Lex Crumpton
byMITRE ATT&CK
 
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
ATT&CKing Threat Management
byAndy Piazza
 
Unlock Security Insight from Machine Data
byNarudom Roongsiriwong, CISSP
 

More from MITRE - ATT&CKcon

PDF
Sharpening your Threat-Hunting Program with ATTACK Framework
byMITRE - ATT&CKcon
 
PDF
From Theory to Practice: How My ATTACK Perspectives Have Changed
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
byMITRE - ATT&CKcon
 
PDF
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
byMITRE - ATT&CKcon
 
PDF
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
byMITRE - ATT&CKcon
 
PDF
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
byMITRE - ATT&CKcon
 
PDF
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
byMITRE - ATT&CKcon
 
PDF
MITRE ATTACKCon Power Hour - December
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon Power Hour - November
byMITRE - ATT&CKcon
 
PDF
What's New with ATTACK for ICS?
byMITRE - ATT&CKcon
 
PDF
ATTACKing the Cloud: Hopping Between the Matrices
byMITRE - ATT&CKcon
 
PDF
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
byMITRE - ATT&CKcon
 
PDF
What's a MITRE with your Security?
byMITRE - ATT&CKcon
 
PDF
Transforming Adversary Emulation Into a Data Analysis Question
byMITRE - ATT&CKcon
 
PDF
TA505: A Study of High End Big Game Hunting in 2020
byMITRE - ATT&CKcon
 
PDF
Putting the PRE into ATTACK
byMITRE - ATT&CKcon
 
PDF
What's New with ATTACK for Cloud?
byMITRE - ATT&CKcon
 
PDF
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
byMITRE - ATT&CKcon
 
PDF
Starting Over with Sub-Techniques
byMITRE - ATT&CKcon
 
Sharpening your Threat-Hunting Program with ATTACK Framework
byMITRE - ATT&CKcon
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
byMITRE - ATT&CKcon
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
byMITRE - ATT&CKcon
 
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
byMITRE - ATT&CKcon
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
byMITRE - ATT&CKcon
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
byMITRE - ATT&CKcon
 
MITRE ATTACKCon Power Hour - December
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon Power Hour - November
byMITRE - ATT&CKcon
 
What's New with ATTACK for ICS?
byMITRE - ATT&CKcon
 
ATTACKing the Cloud: Hopping Between the Matrices
byMITRE - ATT&CKcon
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
byMITRE - ATT&CKcon
 
What's a MITRE with your Security?
byMITRE - ATT&CKcon
 
Transforming Adversary Emulation Into a Data Analysis Question
byMITRE - ATT&CKcon
 
TA505: A Study of High End Big Game Hunting in 2020
byMITRE - ATT&CKcon
 
Putting the PRE into ATTACK
byMITRE - ATT&CKcon
 
What's New with ATTACK for Cloud?
byMITRE - ATT&CKcon
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
byMITRE - ATT&CKcon
 
Starting Over with Sub-Techniques
byMITRE - ATT&CKcon
 

Recently uploaded

PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
PDF
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PPTX
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
PPTX
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
PPTX
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PDF
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
PDF
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 

MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, SpecterOps and Jose Luis Rodriguez, Student

  • 1.
  • 2.
    @Cyb3rWard0g ● Adversary DetectionAnalyst @SpecterOps ● Author: ○ ThreatHunter-Playbook ○ Hunting ELK (HELK) ○ ATTACK-Python-Client ○ OSSEM (Open Source Security Event Metadata) ● Form er: Capital One - USA, Senior Threat Hunter 2https://github.com/Cyb3rWard0g
  • 3.
    @Cyb3rPandaH ● Cyber SecurityStudent @NOVAcommcollege ● Author: ○ Tableau-ATTCK ● Contributor: ○ ThreatHunter-Playbook, HELK, OSSEM ● Form er: UNACEM- Peru, Senior Business Intelligence Analyst 3https://github.com/Cyb3rPanda
  • 4.
    Agenda ● Current ThreatHunting & Data Overview ● Threat Hunting & ATT&CK ● What else do I need to know about ATT&CK data sources? ● Defining a data mapping methodology ● ATT&CKing with the right data! ○ Data mapping examples 4
  • 5.
    Threat Hunting &Data LOG IT ALL-> HUNT-> FIND EVIL- REPEAT … Right?, Maybe? 5
  • 6.
    Threat Hunting What canbe automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop HypothesisThreat Hunting 6
  • 7.
    Threat Hunting What canbe automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Threat Hunting 7 Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop Hypothesis
  • 8.
    Threat Hunting What canbe automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Threat Hunting 8 Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop Hypothesis
  • 9.
    What can be automated? -Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Threat Hunting 9 Threat Hunting Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop Hypothesis
  • 10.
    What can be automated? -Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Threat Hunting 10 Threat Hunting Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop Hypothesis
  • 11.
    Data Swamps &Threat Hunting (Reality) 11
  • 12.
    More data =More problems? ● This benefits security analysts from a data availability perspective! ● How do you prioritize collection of event logs? ● Do you know what you are collecting? ● Do you know the data you are collecting? ● Again, do you know the data you are collecting? 12
  • 13.
    Yeah, do youknow your data? But, do you know your logs? 13
  • 14.
    Threat Hunting &ATT&C How are you doing it? 14
  • 15.
    Threat Hunting &ATT&CK https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf 15 Threat Hunting Identify adversarial technique Develop a hypothesis
  • 16.
    Threat Hunting &ATT&CK: Create Account 16https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf
  • 17.
    What is adata source? “Source of information collected by a sensor or logging system that may be used to collect information relevant to identifying the action being performed, sequence of actions , or the results of those actions by an adversary .” https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf 17
  • 18.
    Threat Hunting &ATT&CK Data SourcesHelp detect 18https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf
  • 19.
    Threat Hunting &ATT&CK https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf Data SourcesHelp detect 19
  • 20.
    What else doI need to kn about that? 20
  • 21.
    Main Goals ● Expandon the current ATT&CK data sources (Extra Context) ● Help to prioritize the collection of event logs ● Define a methodology to map event logs to ATT&CK data sources ● Allow blue teamers to understand what they could use to validate the detection of specific adversarial techniques ● Allow red teamers to understand what they might look like in the environment while using specific adversarial techniques ● Learn more about event logs and ATT&CK data sources 21
  • 22.
    Defining a datamapping methodology What worked for us! 22
  • 23.
    Our Methodology ● ExploreATT&CK data sources ● Document event logs related to ATT&Ck data sources ● Develop a data model ● Map event logs to ATT&CK data sources ● Validate data mappings 23
  • 24.
    Explore ATT&CK DataSo What can we do with ATT&CK data sources? 24
  • 25.
    How do Iaccess ATT&CK Metadata? 25
  • 26.
    ATTACK-Python-Client Github Project ●A Python module to access up to date ATT&CK content available in STIX via public TAXII server. It leverages cti -python -stix2 and cti - taxii -client python libraries developed by MITRE. ● Goals ○ Allow the integration of ATT&CK content with other platform s ○ Allow security analysts to quickly explore ATT&CK content and apply it in their daily operations ○ Explore all available ATT&CK m etadata at once ○ Learn STIX2 and TAXII Client Python libraries https://github.com/Cyb3rWard0g/ATTACK-Python-Client 26
  • 27.
    ATTACK-Python-Client Installation ● ViaPIP: pip install attackcti ● Or Straight from Source ○ git clone https://github.com/Cyb3rWard0g /ATTACK-Python-Client ○ cd ATTACK-Python-Client ○ pip install . ● Jupyter Notebooks Available ○ pip install -r requirements.txt ○ cd notebooks ○ jupyter lab https://github.com/Cyb3rWard0g/ATTACK-Python-Client 27
  • 28.
    ATT&CK Metadata- JupyterNotebook https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 28
  • 29.
    ATT&CK Techniques (478)and Data Sourc ● Almost 46% of techniques have data sources defined ● Around 54% of techniques do NOT have data sources defined ● Pre-ATT&CKdata sources m aybe? ● Opportunities to collaborate and define those without data sources? https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 29
  • 30.
    ATT&CK Techniques (478)and Data Sourc https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 30
  • 31.
    Looking for anythingto do this weekend? https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 31
  • 32.
    ATT&CK Techniques withData Sources (21 https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 32 Process Monitoring: 157 TechniquesFile Monitoring: 90 Techniques Process Command Line: 87 Techniques
  • 33.
    ATT&CK Techniques withData Sources (21 https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 33 Process Monitoring: 157 TechniquesFile Monitoring: 90 Techniques Process Command Line: 87 Techniques
  • 34.
    ATT&CK Windows DataSources & Platform 34https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
  • 35.
    ATT&CK Techniques withData Sources (21 https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 35 Process Monitoring: 157 TechniquesFile Monitoring: 90 Techniques Process Command Line: 87 Techniques
  • 36.
    Prioritization of ATT&CKData Sources 36 Only 19 (9%) techniques require 1 data source. 200 techniques require at least 2 data sources to analyze them … MORE CONTEXT https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
  • 37.
    Prioritization of ATT&CKData Sources (Top 37https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
  • 38.
    Document Event Logs Whatevent logs are related to ATT&CK data sources 38
  • 39.
    Windows Technique: CredentialIn Registry T1214 Windows Registry Process Monitoring Process Command-Line Parameters 39
  • 40.
    Windows Security 4688-Process Creation T1214 Windows Registry Process Monitoring Process Command-Line Parameters 40 Windows Security
  • 41.
    Windows Security 4689-Process Termination T1214 Windows Registry Process Monitoring Process Command-Line Parameters 41 Windows Security
  • 42.
    Windows Sysmon 1-Process Create T1214 Windows Registry Process Monitoring Process Command-Line Parameters 42 Windows Sysmon
  • 43.
    Windows Sysmon 10-Process Accessed T1214 Windows Registry Process Monitoring Process Command-Line Parameters 43 Windows Sysmon
  • 44.
  • 45.
    Another reason whyI should document my https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf 45
  • 46.
    Develop A DataModel 46 Defining data objects and their relationships
  • 47.
    What is adata model? ● A data model basically determines the structure of data and the relationships identified among each other. ● MITRE Data Model: ○ Strongly inspired by CybOX, is an organization of the objects that m ay be m onitored from a host-based or network-based perspective. https://car.m itre.org/wiki/Data_Model ● STIX™ Version 2.0. Part 4: Cyber Observable Objects ○ http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part4-cyber- observable-objects.htm l 47
  • 48.
    Data Model Levels https://www.1keydata.com/datawarehousing/data-modeling-levels.html48 Conceptual Model Design Logical Model Design Physical Model Design
  • 49.
    Data Modeling &Cyber Threat Intelligence https://oasis-open.github.io/cti-stix-visualization/?url=https://raw.githubusercontent.com/oasis-open/cti- documentation/master/examples/example_json/threat-actor-leveraging-attack-patterns-and-malware.json 49
  • 50.
    Data Modeling &Cyber Threat Intelligence https://oasis-open.github.io/cti-documentation/examples/threat-actor-leveraging-attack-patterns-and-malware 50
  • 51.
    What about datamodeling and security eve 51 Process IPFile
  • 52.
    What about datamodeling and security eve 52 Process IPconnected_toFile created
  • 53.
    What about datamodeling and security eve 53 Process IPconnected_toFile created process_name process_command_line process_guid file_name file_directory process_guid dst_ip src_ip process_guid
  • 54.
    What about datamodeling and security eve 54 Process IPconnected_toFile created process_name process_command_line process_guid file_name file_directory process_guid dst_ip src_ip process_guid
  • 55.
    Sysmon Data ModelAfter Documentation 55https://github.com/Cyb3rWard0g/presentations/blob/master/SANS_THIR_2018.pdf
  • 56.
    Windows Technique: CredentialIn Registry T1214 Windows Registry Process Monitoring Process Command-Line Parameters 56
  • 57.
    Windows Technique: CredentialIn Registry T1214 Windows Registry Process Monitoring Process Command-Line Parameters 57 Process Creation Process Termination Process Write To Process Process Access
  • 58.
    ATT&CK Data Sources& Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 58 Process Creation Process Termination Process Write To Process Process Access Process Processcreated
  • 59.
    ATT&CK Data Sources& Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 59 Process Creation Process Termination Process Write To Process Process Access Process User Processcreated terminated Process
  • 60.
    ATT&CK Data Sources& Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 60 Process Creation Process Termination Process Write To Process Process Access Process Process Process Process created wrote_to User terminated Process
  • 61.
    ATT&CK Data Sources& Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 61 Process Creation Process Termination Process Write To Process Process Access Process Process Process Process Process Process created wrote_to accessed User terminated Process
  • 62.
    ATT&CK Data Sources& Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 62 Registry Creation Registry Deletion Registry Modification Registry Access Process Registrycreated
  • 63.
    ATT&CK Data Sources& Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 63 Registry Creation Registry Deletion Registry Modification Registry Access Process Process Registrycreated deleted Registry
  • 64.
    ATT&CK Data Sources& Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 64 Registry Creation Registry Deletion Registry Modification Registry Access Process Process Process Registrycreated modified deleted Registry Registry
  • 65.
    ATT&CK Data Sources& Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 65 Registry Creation Registry Deletion Registry Modification Registry Access Process Process Process Process Registrycreated modified accessed deleted Registry Registry Registry
  • 66.
    ATT&CK Data Sources& Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 66 Registry Creation Registry Deletion Registry Modification Registry Access Process User User User Registrycreated modified accessed deleted Registry Registry Registry
  • 67.
    Map Event LogsTo ATT&CK Data Sources Blue Teamer: What you have VS what you need! Red Teamer: What you might look like! 67
  • 68.
    ATT&CK Data Sources& Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 68
  • 69.
    ATT&CK Data Sources& Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 69 Process Creation Process created Process Process Write To Process Process wrote_to Process Process Access Process accessed Process Process Termination user terminated Process
  • 70.
    ATT&CK Data Sources& Event Logs T1214 Windows Registry Process Monitoring Process Command-Line Parameters 70 Process Creation Process created Process Process Termination user terminated Process Write To Process Process Process Process Access Process Process Security 4688 Sysmon 1 Process wrote_to accessed
  • 71.
    ATT&CK Data Sources& Event Logs T1214 Windows Registry Process Monitoring Process Command-Line Parameters 71 Process Creation Process created Process Process Write To Process Process Process Process Access Process Process Security 4688 Sysmon 1 Security 4689 Sysmon 5 Process Termination user terminated Process wrote_to accessed
  • 72.
    ATT&CK Data Sources& Event Logs T1214 Windows Registry Process Monitoring Process Command-Line Parameters 72 Process Creation Process created Process Process Write To Process Process Process Process Access Process Process Security 4688 Sysmon 1 Security 4689 Sysmon 5 Sysmon 8 Process Termination user terminated Process wrote_to accessed
  • 73.
    ATT&CK Data Sources& Event Logs T1214 Windows Registry Process Monitoring Process Command-Line Parameters 73 Process Creation Process created Process Process Write To Process Process Process Process Access Process Process Security 4688 Sysmon 1 Security 4689 Sysmon 5 Sysmon 8 Sysmon 10 Process Termination user terminated Process wrote_to accessed
  • 74.
    Prioritization of ATT&CKData Sources (Top 74https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
  • 75.
    File& Process Monitoring(66 Techniques) 68 Process Monitoring File Monitoring 75 Process Creation Security 4688 Sysmon 1 Process Termination Process Write To Process Process Access File Creation File Access Request File Deletion Request File Access File Deletion Security 4689 Sysmon 5 Sysmon 8 Sysmon 10 Sysmon 11 Security 4656 Security 4663
  • 76.
    File& Process Monitoring(Technique variat 68 Process Monitoring File Monitoring 76 Process Creation Security 4688 Sysmon 1 Process Termination Process Write To Process Process Access File Creation File Access Request File Deletion Request File Access File Deletion Security 4689 Sysmon 5 Sysmon 8 Sysmon 10 Sysmon 11 Security 4656 Security 4663
  • 77.
    From an ATT&CKData Sources to Event Lo 77
  • 78.
    Where do Iget this information? 78 ● Data Dictionaries ○ Windows (Security, Sysmon, etc) ○ Carbon Black Logs ● Data Models ○ Relationships ● ATT&CK Data Sources ○ Definitions & Data Mapping ● Common Information Model https://github.com/Cyb3rWard0g/OSSEM
  • 79.
    Hunters ATT&CKing with theright data! Threat Hunting Operations 79
  • 80.
    Threat Hunting Approach 80 Identifytechnique(s) Define Technique Variation Generate Hypothesis Simulate Technique Variation Identify Recommended Data Sources Define Data Analytics Validate Detection Perform Data Quality Assessment Execute Hunt Hunter Notes / Report
  • 81.
    Threat Hunting &Data 81 Identify technique(s) Define Technique Variation Generate Hypothesis Simulate Technique Variation Identify Recommended Data Sources Define Data Analytics Validate Detection Perform Data Quality Assessment Execute Hunt Hunter Notes / Report
  • 82.
    Hunters ATT&CKing with theright data! Detecting potential “overpass-the-hash” techniques 82
  • 83.
    Identify Technique: Passthe Hash “Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.” https://attack.mitre.org/wiki/Technique/T1075 83
  • 84.
    Define Technique Variation:Overpass-The-Hash https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf 84 ● Authentication via Kerberos ○ Authentication Protocol based on keys and tickets ● “Upgrading a NT hash into a full Kerberos ticket” ● It requires elevated privileges (privilege::debug or SYSTEM account) ○ (Depends on how this attack is perform ed. You m ight not need)
  • 85.
    Technical Details: Normalkerberos Authent https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it 85
  • 86.
  • 87.
    Technical Details: Mimikatz-Overpass-The-Hash https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth 87 ● mimikatz can perform the well -known operation 'Pass -The-Hash' to run a process under another credentials with NTLM (or AES128/156_HMAC) hash of the user’s password, instead of its real password. ● For this, it starts a process with a fake identity, then replaces fake information (NTLM hash of the fake password) with real information (NTLM hash of the real password). ● DEMO
  • 88.
    Technical Details: Mimikatz-Overpass-The-Hash https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth 88
  • 89.
    Mimikatz- pth: SecurityEvent 4673 (Client Si 89 Field Values process_name mimikatz.exe service_name Security service_privilege SeTcbPrivilege user_name cbrown Sensitive Privileged Service Operation Process called service
  • 90.
    Mimikatz- pth: SecurityEvent 4673 (Client Si 90 Field Values process_name lsass.exe service_name LsaRegisterLogonProcess() service_privilege SeTcbPrivilege user_name cbrown Sensitive Privileged Service Operation Process called service
  • 91.
    Mimikatz- pth: SecurityEvent 4624 (Client Si 91 Field Values logon_type 9 user_name cbrown user_network_account_name pedro User Account Successful Authentication User Authenticated Host
  • 92.
    Mimikatz- pth: SecurityEvent 4656 (Client Si 92 Field Values process_name mimikatz.exe process_granted_access 0x1010 target_process_name lsass.exe Process Access Process Accessed Process
  • 93.
    Mimikatz- pth: SecurityEvent 4656 (Client Si 93 Field Values process_name mimikatz.exe process_granted_access 0x1038 target_process_name lsass.exe Process Access Process Accessed Process
  • 94.
    Mimikatz- pth: SecurityEvent 5158 (Client Si 94 Field Values process_name lsass.exe src_ip 0.0.0.0 src_port 50066 Process Network Local Port Bind Allow Process bound_to Port
  • 95.
    Mimikatz- pth: SecurityEvent 5156 (Client Si 95 Field Values process_name lsass.exe dst_ip 192.168.64.147 dst_port 88 Process Network Connection Allow Process connected_to Ip
  • 96.
    Mimikatz- pth: SysmonEvent 3 (Client Side) 96 Field Values process_name lsass.exe dst_ip 192.168.64.147 dst_port 88 user_name SYSTEM dst_host DC-WD-001 Process Network Connection Allow Process connected_to Ip
  • 97.
    Mimikatz- pth: SecurityEvent 4648 (Client Si 97 Field Values user_name cbrown target_user_name pedro target_host_name DC-WD-001 user account authentication with explicit credential User authenticated host
  • 98.
    Mimikatz- pth: SecurityEvent 4768 (Server S 98 Field Values user_name pedro ticket_encryption_type 0x17 src_ip 192.168.64.137 Kerberos TGT Request User requested Ticket
  • 99.
    Mimikatz- pth: SecurityEvent 4769 (Server S 99 Field Values user_name pedro ticket_encryption_type 0x12 src_ip 192.168.64.137 service_name krbtgt Kerberos Service Ticket Request User requested Ticket
  • 100.
    Mimikatz- pth: SecurityEvent 4769 (Server S 100 Field Values user_name pedro ticket_encryption_type 0x12 src_ip 192.168.64.137 service_name DC-WD-001$ Kerberos Service Ticket Request User requested Ticket
  • 101.
    Mimikatz- pth: SecurityEvent 4624 (Server S 101 Field Values user_name pedro logon_type 3 src_ip 192.168.64.137 service_name DC-WD-001$ logon_process kerberos User Account Successful Authentication User authenticated Host
  • 102.
    Mimikatz- pth: SecurityEvent 5140 (Server S 102 Field Values user_name pedro share_name *C$ src_ip 192.168.64.137 Network Share Access User accessed Network share
  • 103.
    Technical Details: Rubeus-Overpass-the-hash https://github.com/GhostPack/Rubeus 103 ● Rubeus is a C# re-implementation of some of the functionality from Benjamin Delpy’s Kekeo project ○ Kerberos structures built by hand… ○ Rubeus works nicely with execute -assembly ○ So why not use Kekeo? Because ASN.1! ■ Requires a commercial ASN.1 library to customize/rebuild the Kekeo codebase ● Author: Will Schroeder @harmj0y @SpecterOps ● DEMO
  • 104.
    Technical Details: Rubeus-Overpass-the-hash https://github.com/GhostPack/Rubeus 104
  • 105.
    Rubeus- ptt: SecurityEvent 4673 (Client Side 105 Field Values process_name rubeus.exe service_privilege SeCreateGlobalPrivilege user_name cbrown Sensitive Privileged Service Operation Process called service
  • 106.
    Rubeus- ptt: SecurityEvent 5158 (Client Side 106 Field Values process_name rubeus.exe src_ip 0.0.0.0 src_port 50209 Process Network Local Port Bind Allow Process bound_to port
  • 107.
    Rubeus- ptt: SecurityEvent 5156 (Client Side 107 Field Values process_name rubeus.exe dst_ip 192.168.64.147 dst_port 88 Process Network Connection Allow Process connected_to Ip
  • 108.
    Rubeus- ptt: Sysmon3 (Client Side) 108 Field Values process_name rubeus.exe dst_ip 192.168.64.147 dst_port 88 user_name cbrown dst_host DC-WD-001 Process Network Connection Allow Process connected_to Ip
  • 109.
    Rubeus- ptt: SecurityEvent 4768 (Server Sid 109 Field Values user_name pedro ticket_encryption_type 0x17 service_name krbtgt src_ip 192.168.64.137 Kerberos TGT Request User requested Ticket
  • 110.
    Rubeus- ptt: SecurityEvent 4769 (Server Sid 110 Field Values user_name pedro ticket_encryption_type 0x12 service_name DC-WD-001$ src_ip 192.168.64.137 Kerberos Service Ticket Request User requested Ticket
  • 111.
    Rubeus- ptt: SecurityEvent 4624 (Server Sid 111 Field Values user_name pedro logon_type 3 logon_process Kerberos src_ip 192.168.64.137 User Account Successful Authentication User authenticated Host
  • 112.
    Rubeus- ptt: SecurityEvent 5140 (Server Sid 112 Field Values user_name pedro share_name *C$ src_ip 192.168.64.137 Network Share Access User accessed Network share
  • 113.
    Mimikatz vs Rubeus-Kerberos Authentication 113
  • 114.
    Mimikatz vs Rubeus-Kerberos Authentication 114
  • 115.
    Mmmm… Who elseconnects to the DC via 115
  • 116.
    Mmmm… Who elseconnects to the DC via 116
  • 117.
    Mmmm… Who elseconnects to the DC via 117
  • 118.
  • 119.
    Mimikatz Data Mapping-Pass The Hash- T1075 119 T1075 Authentication Logs Process Monitoring User Account Successful Authentication Security 4624 User Account Authentication With Explicit Credentials Process Access Process Network Local Port Bind Allow Process Network Connection Allow Security 4648 Sysmon 10 Security 4656 Process Use of Network Security 5158 Security 5156 Sysmon 3 Kerberos TGT Request Kerberos Service Ticket Request Security 4768 Security 4769 Sensitive Privileged Service Operation Security 4673
  • 120.
    Rubeus Data Mapping-Pass The Hash- T1075 120 T1075 Authentication Logs Process Monitoring User Account Successful Authentication Security 4624 User Account Authentication With Explicit Credentials Process Access Process Network Local Port Bind Allow Process Network Connection Allow Security 4648 Sysmon 10 Security 4656 Process Use of Network Security 5158 Security 5156 Sysmon 3 Kerberos TGT Request Kerberos Service Ticket Request Security 4768 Security 4769 Sensitive Privileged Service Operation Security 4673
  • 121.
  • 122.
  • 123.