MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...MITRE - ATT&CKcon
Unit 42 researches threat activity and publishes detailed reports on attack campaigns launched by these adversaries. One of these adversaries, known as Sofacy, has been carrying out attack campaigns on high profile targets for many years and has continued into 2018.
To understand how to defend against these threats, an analyst has to read our reports, process them and mentally map them to their defenses. In most cases we expect readers just "block" all of the indicators we include in the report and assume they are covered. Last year we started using ATT&CK to codify the techniques we observed, linking those techniques to indicator patterns and encoding them into STIX 2 objects, with the goal of creating something that a defender can use to answer the question: "How am I defending against this adversary?" We call these documents, "Adversary Playbooks" as they contain our best approximation of how the adversary launches their attacks.
This talk describes the concept of Adversary Playbooks, as well as provides an overview of the attack campaigns Unit 42 has attributed to the Sofacy group in 2018. It uses the discussed attacks to show how these playbooks are constructed and explain some of the challenges of incorporating ATT&CK and STIX 2 together for this purpose.
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE - ATT&CKcon
The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner.
VERIS has been the base analysis framework for supporting the Verizon Data Breach Investigations Report (DBIR) since its inception. However, as organizations work to interpret the richness of information present on the DBIR to a more tactical level, the Threat Action Varieties available on VERIS fail to capture the detail present on the incidents recorded.
This talk presents the Verizon Common Attack Framework (VCAF), an effort from the Security Data Science team and the DBIR team in Verizon to expand and map the ATT&CK framework in alignment with the DBIR Threat Action Varieties to provide this much-sought level of granularity in recording and analyzing recorded breaches.
Additionally, this talk describes possible outcomes when this data is available and organized as such. Examples include applying DBIR-inspired attack vector analytics upon ATT&CK layer information, effectively identifying optimal control choke points on the attack graphs according to specific industries covered by the DBIR.
What you need to know about ExPetr ransomwareKaspersky
On Thursday, 29 June, Kaspersky Lab teamed up with Comae Technologies to present an emergency webinar for businesses to help them understand and defend against the Petya/ExPetr ransomware. The malware has affected companies in a range of industry sectors across the world, with Ukraine, Russia and number of Western European countries most affected.
Juan Andres Guerrero-Saade, senior security researcher in Kaspersky Lab’s Global Research and Analysis Team, will be joined by Matt Suiche from Comae Technologies to present the very latest information on the ransomware’s attack vectors, the infection process and how it spreads through company networks. They will provide mitigation guidance and explain the actions organizations need to take to secure their computers and networks against this threat.
More technical details regarding this threat: https://kas.pr/cf6w
Advice on how to protect your files: https://kas.pr/s8dp
https://kas.pr/2nvh
https://kas.pr/yg72
And how to you can protect yourself with our free tool: https://go.kaspersky.com/Anti-ransomware-tool_soc.html?utm_source=smm_yt&utm_medium=ww_yt_o_0516
Helping Small Companies Leverage CTI with an Open Source Threat MappingMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour December 2020
By Valentina Palacín, Sr. Cyber Threat Intelligence Analyst
No one can deny the tremendous impact that ATT&CK had on the cybersecurity industry, nor the usefulness of having a good Threat Library at your disposal. But the question Valentina gets asked over and over by people from small companies is always the same: “How could I leverage threat intelligence using ATT&CK with limited time and resources?” And so far, there hasn't been a good answer. That’s why she decided to come up with the Threat Mapping Catalogue (TMC), a tool that combines the power of the mappings already available in the ATT&CK website, TRAM and the ATT&CK Navigator, to better process, consume and incorporate new mappings while organizing them around different categories.
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...MITRE - ATT&CKcon
Unit 42 researches threat activity and publishes detailed reports on attack campaigns launched by these adversaries. One of these adversaries, known as Sofacy, has been carrying out attack campaigns on high profile targets for many years and has continued into 2018.
To understand how to defend against these threats, an analyst has to read our reports, process them and mentally map them to their defenses. In most cases we expect readers just "block" all of the indicators we include in the report and assume they are covered. Last year we started using ATT&CK to codify the techniques we observed, linking those techniques to indicator patterns and encoding them into STIX 2 objects, with the goal of creating something that a defender can use to answer the question: "How am I defending against this adversary?" We call these documents, "Adversary Playbooks" as they contain our best approximation of how the adversary launches their attacks.
This talk describes the concept of Adversary Playbooks, as well as provides an overview of the attack campaigns Unit 42 has attributed to the Sofacy group in 2018. It uses the discussed attacks to show how these playbooks are constructed and explain some of the challenges of incorporating ATT&CK and STIX 2 together for this purpose.
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE - ATT&CKcon
The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner.
VERIS has been the base analysis framework for supporting the Verizon Data Breach Investigations Report (DBIR) since its inception. However, as organizations work to interpret the richness of information present on the DBIR to a more tactical level, the Threat Action Varieties available on VERIS fail to capture the detail present on the incidents recorded.
This talk presents the Verizon Common Attack Framework (VCAF), an effort from the Security Data Science team and the DBIR team in Verizon to expand and map the ATT&CK framework in alignment with the DBIR Threat Action Varieties to provide this much-sought level of granularity in recording and analyzing recorded breaches.
Additionally, this talk describes possible outcomes when this data is available and organized as such. Examples include applying DBIR-inspired attack vector analytics upon ATT&CK layer information, effectively identifying optimal control choke points on the attack graphs according to specific industries covered by the DBIR.
What you need to know about ExPetr ransomwareKaspersky
On Thursday, 29 June, Kaspersky Lab teamed up with Comae Technologies to present an emergency webinar for businesses to help them understand and defend against the Petya/ExPetr ransomware. The malware has affected companies in a range of industry sectors across the world, with Ukraine, Russia and number of Western European countries most affected.
Juan Andres Guerrero-Saade, senior security researcher in Kaspersky Lab’s Global Research and Analysis Team, will be joined by Matt Suiche from Comae Technologies to present the very latest information on the ransomware’s attack vectors, the infection process and how it spreads through company networks. They will provide mitigation guidance and explain the actions organizations need to take to secure their computers and networks against this threat.
More technical details regarding this threat: https://kas.pr/cf6w
Advice on how to protect your files: https://kas.pr/s8dp
https://kas.pr/2nvh
https://kas.pr/yg72
And how to you can protect yourself with our free tool: https://go.kaspersky.com/Anti-ransomware-tool_soc.html?utm_source=smm_yt&utm_medium=ww_yt_o_0516
Helping Small Companies Leverage CTI with an Open Source Threat MappingMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour December 2020
By Valentina Palacín, Sr. Cyber Threat Intelligence Analyst
No one can deny the tremendous impact that ATT&CK had on the cybersecurity industry, nor the usefulness of having a good Threat Library at your disposal. But the question Valentina gets asked over and over by people from small companies is always the same: “How could I leverage threat intelligence using ATT&CK with limited time and resources?” And so far, there hasn't been a good answer. That’s why she decided to come up with the Threat Mapping Catalogue (TMC), a tool that combines the power of the mappings already available in the ATT&CK website, TRAM and the ATT&CK Navigator, to better process, consume and incorporate new mappings while organizing them around different categories.
For #Redpill2017, The most offensive security conference in Thailand.
This slide talks about the weak point of endpoint protection such as Antivirus, User Account Control, AppLocker.
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Mauricio Velazco
Demo 1: https://www.youtube.com/watch?v=cpnrCkj1308
Demo 2: https://www.youtube.com/watch?v=JmtjtiI3-fc
Demo 2 1/2: https://www.youtube.com/watch?v=KRdNbYbJSiI
Demo 3: https://www.youtube.com/watch?v=6gB-upKXTZ4
Automated adversary simulation is often perceived as a hard, dangerous and complicated program to implement and run. Fear no longer, our methodology and tooling will let you test and measure your defenses throughout your production environment to test not only your detection rule’s resilience but the whole event pipeline as well as your team’s response procedures. In this talk, we’ll share with the audience the open source tools we built and the methodology we use that will allow them to hit the ground running at nearly no cost.
Oran Brill, Microsoft
Tomer Teller, Microsoft
How often did you find yourself analyzing a security alert only to find out you had already hunted similar alerts in the past? This Déjà vu happens quite often to cybersecurity analysts who work in a SOC. What if we told you that most security alerts can be assigned with a confidence score automatically, letting you, the analyst, focus on the most serious alerts? In this talk, we will present tools and techniques to automate human cybersecurity analyst by leveraging knowledge of past incidents, current security posture and a dash of crowdsourcing. Under the hood, we generate a ”tailor-made” hunting graph based on diverse data sources and security know-how which enables us to extract meaningful insights. By applying custom logic, aggregations and data science we will illustrate how to uncover patterns within the insights and assign a confidence score with appropriate reasoning to the alert, automatically.
Christiaan F Beek, McAfee
Jay Rosenberg, Intezer Labs
The Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, 10 Days of Rain attacks are all believed to originate from North Korea. But how can they be attributed with certainty? And what connection does a DDoS and disk wiping attack from July 4 2009, have with WannaCry, one of the largest cyber-attacks in the history of the cyber-sphere?
We have conducted a comparative research over more than 10 years of malware and tools being used by North Korean adversaries. The results were intriguing and we will share our discoveries but also hunt tactics during our talk. We discovered new links between campaigns and were able to group malware families towards actor groups and discovere interesting patterns.
OSCP Exam Preparation Documents.
In This document, we download one vulnerable machine VM image and start analysis on the machine and get root privileged.
Automatiza las detecciones de amenazas y evita falsos positivosImma Valls Bernaus
Eliminar los puntos ciegos significa que tienes suficiente contexto. ¿Pero, puedes obtener información importante de ese contexto cuándo lo necesitas? Aprende a detectar amenazas mientras evitas el ruido de falsos positivos, con el motor de detección de Elastic Security. Verás cómo automatizar la detección de amenazas mediante correlaciones y Machine Learning, con ejemplos reales de cada uno.
Alban Diquet, Data Theorem
Thomas Sileo, Data Theorem
Over the last two years, we've received and analyzed more than three million SSL validation failure reports from more than a thousand of iOS and Android apps available on the Stores, and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS.
We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings.
First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are.
Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found.
Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.
The Offensive Security Certified Professional (OSCP) is one of the most technical and most challenging certifications for information security professionals.
For More information please contact us : https://www.infosectrain.com/
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunk
Splunk products provide a flexible and fast security intelligence platform that makes security personnel and processes more efficient by providing quick and flexible access to all of the data and information needed to detect, investigate and remediate threats. This presentation will discuss best practices for building out or enhancing an analytics based security strategy and how Splunk products can make people, process, and technology work better together.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
For #Redpill2017, The most offensive security conference in Thailand.
This slide talks about the weak point of endpoint protection such as Antivirus, User Account Control, AppLocker.
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Mauricio Velazco
Demo 1: https://www.youtube.com/watch?v=cpnrCkj1308
Demo 2: https://www.youtube.com/watch?v=JmtjtiI3-fc
Demo 2 1/2: https://www.youtube.com/watch?v=KRdNbYbJSiI
Demo 3: https://www.youtube.com/watch?v=6gB-upKXTZ4
Automated adversary simulation is often perceived as a hard, dangerous and complicated program to implement and run. Fear no longer, our methodology and tooling will let you test and measure your defenses throughout your production environment to test not only your detection rule’s resilience but the whole event pipeline as well as your team’s response procedures. In this talk, we’ll share with the audience the open source tools we built and the methodology we use that will allow them to hit the ground running at nearly no cost.
Oran Brill, Microsoft
Tomer Teller, Microsoft
How often did you find yourself analyzing a security alert only to find out you had already hunted similar alerts in the past? This Déjà vu happens quite often to cybersecurity analysts who work in a SOC. What if we told you that most security alerts can be assigned with a confidence score automatically, letting you, the analyst, focus on the most serious alerts? In this talk, we will present tools and techniques to automate human cybersecurity analyst by leveraging knowledge of past incidents, current security posture and a dash of crowdsourcing. Under the hood, we generate a ”tailor-made” hunting graph based on diverse data sources and security know-how which enables us to extract meaningful insights. By applying custom logic, aggregations and data science we will illustrate how to uncover patterns within the insights and assign a confidence score with appropriate reasoning to the alert, automatically.
Christiaan F Beek, McAfee
Jay Rosenberg, Intezer Labs
The Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, 10 Days of Rain attacks are all believed to originate from North Korea. But how can they be attributed with certainty? And what connection does a DDoS and disk wiping attack from July 4 2009, have with WannaCry, one of the largest cyber-attacks in the history of the cyber-sphere?
We have conducted a comparative research over more than 10 years of malware and tools being used by North Korean adversaries. The results were intriguing and we will share our discoveries but also hunt tactics during our talk. We discovered new links between campaigns and were able to group malware families towards actor groups and discovere interesting patterns.
OSCP Exam Preparation Documents.
In This document, we download one vulnerable machine VM image and start analysis on the machine and get root privileged.
Automatiza las detecciones de amenazas y evita falsos positivosImma Valls Bernaus
Eliminar los puntos ciegos significa que tienes suficiente contexto. ¿Pero, puedes obtener información importante de ese contexto cuándo lo necesitas? Aprende a detectar amenazas mientras evitas el ruido de falsos positivos, con el motor de detección de Elastic Security. Verás cómo automatizar la detección de amenazas mediante correlaciones y Machine Learning, con ejemplos reales de cada uno.
Alban Diquet, Data Theorem
Thomas Sileo, Data Theorem
Over the last two years, we've received and analyzed more than three million SSL validation failure reports from more than a thousand of iOS and Android apps available on the Stores, and used all around the world. From mobile banking to music apps, each report was triggered because an unknown or unexpected certificate was being served to the app, preventing it from establishing a secure connection to its server via SSL/TLS.
We've analyzed each of these reports to understand what caused the SSL connection to fail, and then grouped similar failures into various classes of SSL incidents. Throughout this presentation, we will describe the analysis we've made and present our findings.
First, we will provide a high-level overview of where, how, and why SSL incidents are occurring across the world for iOS and Android users, and describe the various classes of incidents we've detected. Some of these types of incidents, such as corporate devices performing traffic inspection, are well-known and understood, although we will provide new insights into how widespread they are.
Then, we will take a closer look at a few notable incidents we detected, which have been caused by unexpected, or even suspicious actors. We will describe our investigations and what we found.
Lastly, we will provide real-world solutions on how to protect apps against traffic interception and attacks, as a mobile developer.
The Offensive Security Certified Professional (OSCP) is one of the most technical and most challenging certifications for information security professionals.
For More information please contact us : https://www.infosectrain.com/
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunk
Splunk products provide a flexible and fast security intelligence platform that makes security personnel and processes more efficient by providing quick and flexible access to all of the data and information needed to detect, investigate and remediate threats. This presentation will discuss best practices for building out or enhancing an analytics based security strategy and how Splunk products can make people, process, and technology work better together.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
EuroBSDcon 2017 System Performance Analysis MethodologiesBrendan Gregg
keynote by Brendan Gregg. "Traditional performance monitoring makes do with vendor-supplied metrics, often involving interpretation and inference, and with numerous blind spots. Much in the field of systems performance is still living in the past: documentation, procedures, and analysis GUIs built upon the same old metrics. Modern BSD has advanced tracers and PMC tools, providing virtually endless metrics to aid performance analysis. It's time we really used them, but the problem becomes which metrics to use, and how to navigate them quickly to locate the root cause of problems.
There's a new way to approach performance analysis that can guide you through the metrics. Instead of starting with traditional metrics and figuring out their use, you start with the questions you want answered then look for metrics to answer them. Methodologies can provide these questions, as well as a starting point for analysis and guidance for locating the root cause. They also pose questions that the existing metrics may not yet answer, which may be critical in solving the toughest problems. System methodologies include the USE method, workload characterization, drill-down analysis, off-CPU analysis, chain graphs, and more.
This talk will discuss various system performance issues, and the methodologies, tools, and processes used to solve them. Many methodologies will be discussed, from the production proven to the cutting edge, along with recommendations for their implementation on BSD systems. In general, you will learn to think differently about analyzing your systems, and make better use of the modern tools that BSD provides."
A quickfire rundown of concise tips designed to make your daily life with Docker better! There will be something for Docker users of all experience levels.
HKG18-TR14 - Postmortem Debugging with CoresightLinaro
Session ID: HKG18-TR14
Session Name: HKG18-TR14 - Postmortem Debugging with Coresight
Speaker: Leo Yan
Track: Training
★ Session Summary ★
For most cases we can easily debug with kernel's oops dumping info, but sometimes we need to know more information for program execution flow before the issue happens. So we can rely on two tracing methods to reproduce the program execution flow, one method is using software tracing which is kernel's pstore method; another method is to rely on Coresight hardware tracing, this method also can avoid extra workload introduced by tracing itself. Coresight has provided two mechanisms for Postmortem debugging, one method is Coresight CPU debug module so we can extract CPU program counter info, this is quite straightforward to debug CPU lockup issue; Another is Coresight panic kdump, we connect kernel kdump mechanism to extract Coresight tracing data so we can reproduce the last execution flow before panic (even hang issue with some tweaking in kernel). This session wants to go through these topics and demonstrate the debugging tools on 96boards Hikey in 25 minutes session.
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/hkg18/hkg18-tr14/
Presentation: http://connect.linaro.org.s3.amazonaws.com/hkg18/presentations/hkg18-tr14.pdf
Video: http://connect.linaro.org.s3.amazonaws.com/hkg18/videos/hkg18-tr14.mp4
---------------------------------------------------
★ Event Details ★
Linaro Connect Hong Kong 2018 (HKG18)
19-23 March 2018
Regal Airport Hotel Hong Kong
---------------------------------------------------
Keyword: Training
'http://www.linaro.org'
'http://connect.linaro.org'
---------------------------------------------------
Follow us on Social Media
https://www.facebook.com/LinaroOrg
https://www.youtube.com/user/linaroorg?sub_confirmation=1
https://www.linkedin.com/company/1026961
My old security advisories on HMI/SCADA and industrial software released betw...Luigi Auriemma
PDF with all my old security advisories on HMI/SCADA and industrial software released between 2010 and 2012:
Wonderware, GE, ABB, Rockwell, 3S, Siemens, Indusoft, and many others.
The post release technologies of Crysis 3 (Slides Only) - Stewart NeedhamStewart Needham
For AAA games now there is a consumer expectation that the developer has a post release strategy. This strategy goes beyond just DLC content. Users expect to receive bug fixes, balancing updates, gamemode variations and constant tuning of the game experience. So how can you architect your game technology to facilitate all of this? Stewart explains the unique patching system developed for Crysis 3 Multiplayer which allowed the team to hot-patch pretty much any asset or data used by the game. He also details the supporting telemetry, server and testing infrastructure required to support this along with some interesting lessons learned.
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryMITRE ATT&CK
From ATT&CKcon 4.0
By Adam Ostrich and Jesse Brown, Red Canary
"Endpoint Detection & Response (EDR) telemetry offers defenders a powerful tool for catching threats. However, understanding how to validate ATT&CK technique coverage using EDR telemetry can be a challenge. As Detection Validation Engineers at a Managed Detection & Response (MDR) provider that ingests nearly a petabyte of endpoint telemetry every day, we’re in the unique and necessary position to analyze this telemetry at scale and validate its efficacy against common adversary tradecraft.
After providing a brief introduction to EDR telemetry, we’ll discuss how to break ATT&CK techniques down to individual data components, perform functional tests, analyze the ways that specific actions translate to telemetry records, and compare this analysis across different EDR sensors. We’ll discuss the tooling we’ve built to assist us in running these tests and analyzing the resulting telemetry, and we’ll explain how security teams can improve their own functional testing efforts by creating an automated validation workflow. Finally, we’ll describe how this approach has enabled us to more effectively understand and use EDR telemetry, highlighting where this telemetry excels and fails at detecting ATT&CK techniques."
SAP strikes back Your SAP server now counter attacks.Dmitry Iudin
In this presentation, we will demonstrate how attackers can compromise all SAP clients and gain private information from their machines by using the SAP server.
Managing Large-scale Networks with Triggerjathanism
Trigger was designed to increase the speed and efficiency of managing network configuration while reducing human error, and is the bread and butter of how we manage the large-scale network at AOL. In this talk I intend to cover the problems we solved using Python to manage our network infrastructure, especially how each network vendor does things distinctly differently, and about the code and API that makes Trigger tick using detailed examples.
Given at SCaLE 11x, Los Angeles, CA
Video: http://www.youtube.com/watch?v=7zZ9980X_bs
Similar to MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, Endgame (20)
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour January 2021
By Valentine Mairet, Security Researcher, McAfee
The MITRE ATT&CK framework is the industry standard to dissect cyberattacks into used techniques. At McAfee, all attack information is disseminated into different categories, including ATT&CK techniques. What results from this exercise is an extensive repository of techniques used in cyberattacks that goes back many years. Much can be learned from looking at historical attack data, but how can we piece all this information together to identify new relationships between threats and attacks? In her recent efforts, Valentine has embraced analyzing ATT&CK data in graphical representations. One lesson learned is that it is not just about merely mapping out attacks and techniques used into graphs, but the strength lies in applying different algorithms to answer specific questions. In this presentation, Valentine will showcase the results and techniques obtained from her research journey using graph and graph algorithms.
From MITRE ATT&CKcon Power Hour January 2021
By Adam Pennington, ATT&CK Lead, MITRE
Adam leads ATT&CK at The MITRE Corporation and collected much of the intelligence leveraged in creating ATT&CK’s initial techniques. He has spent much of his 12 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon’s Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering as well as the 2017 Alumni Service Award from Carnegie Mellon University. Adam has presented and published in a number of venues including FIRST CTI, USENIX Security and ACM Transactions on Information and System Security.
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour January 2021
By Gert-Jan Bruggink, Defensive Specialist, FalconForce
Adversaries are humans as well. They have objectives, deadlines and resources for programming.
In a sense, very similar to corporations grounded in the economics of effort vs time vs results. Now understanding techniques is one thing, taking it a step further and understanding what the economic impact is of using certain techniques is another. Developing tools takes time. For example, developing a custom process injection module might take days or weeks to develop, where using an open source tool could prevent extensive development costs incurred.
This talk explores the economic considerations for defending against techniques used by adversaries. It explores fundamental considerations all referenced to MITRE’s ATT&CK framework. The objective of this talk is to inspire defensive strategies designed to impact cost incurred by adversaries to perform compromises.
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...MITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour January 2021
By Daniel Wyleczuk-Stern, Senior Security Engineer, Snowflake
Cyber security is inherently a function of risk management. Risk management is the identification, evaluation, and prioritization of risks followed by the effort to reduce those risks in a coordinated and economical manner (thanks wikipedia!). In this talk, Daniel will be going over some strategies for measuring and prioritizing your cyber risks using MITRE ATT&CK. He'll discuss some lessons learned in atomic testing of techniques vs attack chaining as well as what to measure and how to make decisions with that data.
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour December 2020
By Jacob Benjamin, Principal Industrial Consultant Dragos, INL, & University of Idaho
Design Basis Threat (DBT) is concept introduced by the Nuclear Regulatory Commission (NRC). It is a profile of the type, composition, and capabilities of an adversary. DBT is the key input nuclear power plants use for the design of systems against acts of radiological sabotage and theft of special nuclear material. The NRC expects its licensees, nuclear power plants, to demonstrate that they can defend against the DBT. Currently, cyber is included in DBTs simply as a prescribed list of IT centric security controls. Using MITRE’s ATT&CK framework, Cyber DBTs can be created that are specific to the facility, its material, or adversary activities.
Sharpening your Threat-Hunting Program with ATTACK FrameworkMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour December 2020
By Hieu Tran, Threat Detection Team Lead FPT Cybersecurity Division
No matter how sophisticated and thorough your security precautions may be, you cannot assume your security measures are impenetrable. This is why you need a threat hunting program in place. But how can we implement a proper threat hunting program and run it efficiently? In this talk, we will uncover how to sharpen your threat hunting strategy by leveraging ATT&CK. Ultimately, we’ll be demonstrating how effectively employing the hunting methodology in the real-world battlefield, fighting against well-known cyber espionage actors who strongly focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.
From MITRE ATT&CKcon Power Hour December 2020
By Otis Alexander, Principal Cybersecurity Engineer, MITRE
Otis Alexander is a Principal Cyber Security Engineer at the MITRE Corporation and has worked in the areas of security engineering and research, analytic development, and adversary modeling and emulation. Otis is a co-creator of ATT&CK for ICS and has been leading the project since its inception. He also leads an effort to bring MITRE ATT&CK Evaluations to ICS security vendors providing anomaly and threat detection solutions. He advocates for network and host visibility in operational technology environments to increase the situational awareness of defenders.
From Theory to Practice: How My ATTACK Perspectives Have ChangedMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour December 2020
By Katie Nickels, Director of Intelligence, Red Canary
Good analysts (and good human beings) change their minds based on new information. In this presentation, Katie will share how her perspectives on ATT&CK have changed since moving from ATT&CK team member to ATT&CK end-user. She will discuss how her ideas about coverage, procedures, and detection creation have evolved and why those perspectives matter. Katie will also share practical examples from observed threats to help explain the nuances of her perspectives. Attendees should expect to leave this presentation with a better understanding of how to handle challenges they’re likely to face when navigating their own ATT&CK journey.
From MITRE ATT&CKcon Power Hour November 2020
By:
Jamie Williams, Lead Cyber Adversarial Engineer, MITRE
Mike Hartley, Lead Cybersecurity Engineer, MITRE
In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020 Jamie Williams and Mike Hartley from MITRE discuss the process for merging PRE-ATT&CK and adding two new tactics to Enterprise ATT&CK – Reconnaissance and Resource Development.
From MITRE ATT&CKcon Power Hour November 2020
By Matt Snyder, Senior Threat Analytics Engineer, VMware
The market for Security products is flooded with vendors offering all sorts of solutions, and organizations are spending a record amount of money defending their environments. Nevertheless, an increasing number of breaches are reported each year, resulting in organizations spending millions of dollars to remediate them. The Security industry responds with more products, all offering to stop the next breach, and the cycle continues. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Matt discusses what VMware is doing internally to address this fundamental flaw in the Security industry and how they are leveraging the MITRE ATT&CK framework to reshape how we think about security.
From MITRE ATT&CKcon Power Hour November 2020
By Anthony Randazzo, Global Response Lead, Expel
The team at Expel has been migrating to the cloud for the last 10 years, but as usual, security has lagged behind. Which means we don't have a comprehensive detection and response framework for cloud like we do with the Enterprise ATT&CK matrix. Cloud has evolved into a complex beast as technologies and concepts – like Infrastructure As Code, Containers, Kubernetes and so forth – have emerged. These new attack surfaces have been added that introduce additional challenges to detection and response in our cloud environments. We don't know what we don't know about attack life cycles in the cloud. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Anthony shares some interesting lessons learned so far when it comes to finding bad guys in the cloud.
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour November 2020
By Allie Mellen, Security Strategist, Office of the CSO, Cybereason
In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, Allie discusses how the Cybereason research team uses both MITRE ATT&CK and MITRE ATT&CK for Mobile to map and communicate new malware to the larger security community. Teams use the MITRE ATT&CK framework to share techniques, tactics, and procedures with their team and the community at large. This knowledge base has been incredibly beneficial for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. Many of these uses have centered around traditional endpoints like laptops and workstations. However, the MITRE ATT&CK team has also created a cutting-edge portion of their framework: MITRE ATT&CK for Mobile.
One of the most recent pieces of malware they have found is EventBot, a mobile banking trojan that targets Android devices and the financial services applications on them, including popular apps like Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more. In this talk, learn about this specific attack, intended targets, a timeline of the attack, and the MITRE ATT&CK for Mobile mapping. Learn why the Cybereason team map to MITRE ATT&CK and MITRE ATT&CK for Mobile and what benefits it has given them and their interactions with the community.
Transforming Adversary Emulation Into a Data Analysis QuestionMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour October 2020
By Matan Hart, Co-Founder & CEO Cymptom @machosec
Adversary emulation is commonly used to validate security controls and is considered one of the most popular use-cases for the ATT&CK framework. However, emulating adversary TTPs on production environments is often very limited in testing scope and frequency, and such practice may cause unwanted business disruption. In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Hart presents a different approach to testing controls against ATT&CK. He demonstrates how it is possible to provide data-based methods to evaluate the exploitability of ATT&CK techniques by gathering information from the network, endpoint, and services; this unique approach does not emulate any sort of malicious action, thus reducing the potential of causing business disruption to the minimum. Hart also outlines a new open-source guideline based on ATT&CK mitigations, that security teams can use to assess their security posture non-intrusively and at scale.
TA505: A Study of High End Big Game Hunting in 2020MITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour October 2020
By Brandon Levene, Head of Applied Intelligence Google, @seraphimdomain
Opportunistically targeted ransomware deployments, aka Big Game Hunting (BGH), have caused a distinct disruption in the mechanics of monetizing crimeware compromises. This strategy has become the “end game” for the majority of organized cybercrime organizations, and one effect of this shift is the increased emphasis on enterprise-level targets. In this talk from the MITRE ATT&CKCon Power Hour session on October 9, 2020, Levene walks us through research about how a specific BGH threat actor pursues entry points, gains its foothold, pivots, and deploys payloads to maximize their financial gains with minimal effort - and infrastructure! You’ll walk away with an understanding of the latest BGH TTPs seen in enterprise environments, and how they map to the ATT&CK framework so you can build this research into your threat detection strategy and enhance your defenses.
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour October 2020
By:
Aunshul Rege, Associate Professor, Temple University, @prof_rege
Rachel Bleiman, PhD Student/NSF Graduate Research Assistant, Temple University, @rab1928
This presentation from the MITRE ATT&CKcon Power Hour session on October 9, 2020, explores the application of the MITRE ATT&CK® and PRE-ATT&CK matrices in cybercrime education and research. Specifically, Rege and Bleiman demonstrate the mapping of the PRE-ATT&CK matrix to social engineering case studies as an experiential learning project in an upper-level cybercrime liberal arts course. It thus allows students to understand the alignment process of threat intelligence to the PRE-ATT&CK framework and also learn about its usefulness/limitations. The talk also discusses the mapping of the ATT&CK matrix, tactics, techniques, software, and groups for two cybercrime datasets created by collating publicly disclosed incidents: (i) critical infrastructure ransomware (CIRW) incidents, and (ii) social engineering (SE) incidents. For the CIRW dataset, 39% of the strains mapped onto the ATT&CK software. For the SE dataset, 49% of the groups and 65% of the techniques map on to the MITRE framework. This helps the researchers identify the framework's usefulness/limitations and also helps our datasets connect to richer information that may not otherwise be available in the publicly disclosed incidents.
From MITRE ATT&CKcon Power Hour October 2020
By Jen Burns, Lead Cybersecurity Engineer, MITRE, @snarejen
Jen Burns is a Lead Cybersecurity Engineer at MITRE and the Lead for MITRE ATT&CK® for Cloud. She’s also a red team developer and lead for ATT&CK Evaluations, using her skills in software engineering and adversary emulation. Previously, she was a tech lead at HubSpot on the Infrastructure Security team where she focused on red teaming and building detections in the cloud environment. This presentation is from the MITRE ATT&CKcon Power Hour session held on October 9, 2020.
From MITRE ATT&CKcon Power Hour - October
By Brian Donohue, Security Evangelist, Red Canary, @thebriandonohue
In early 2018, Red Canary adopted MITRE ATT&CK as the common language that they would use to categorize threats, measure detection coverage, and communicate about malicious behaviors. In the intervening years, they’ve relied on the framework to develop open source tools like Atomic Red Team and help security teams prioritize their defensive efforts with blogs and our annual Threat Detection Report.
In early 2020, MITRE announced that ATT&CK would be expanding its original taxonomy of tactics and techniques to include sub-techniques. In the months that followed MITRE's announcement, Red Canary’s research, intelligence, and detection engineering teams painstakingly remapped their library of thousands of behavioral analytics to sub-techniques. In doing so, they improved their correlational logic, experimented with the idea of conditional technique mapping, and, unfortunately, rendered the 2020 Threat Detection Report out-of-date.
In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Brian discusses how refactoring for sub-techniques offered us the opportunity to apply all the lessons learned in more than two years of operationalizing ATT&CK. He also explores how Red Canary has remodeled its ATT&CK mapping to allow for added flexibility and human input and shows what happens when the Red Canary applied their new sub-technique mappings to the 2020 Threat Detection Report.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
3. ATT&CK Detections?
Will not be as easy as described
Will not always lead to analytics
Will not be a silver bullet
4. TIMELINE OF A
SOLID ANALYTIC
ATT&CK-based analytics
required continual
grooming as their success
depends on it
TIME
SUCCESS
Initial Logic
False Positives
Fine Tune
Overcompensate
Profit
7. 2. DETONATE
Find scripts or commands
that perform the technique.
…after you detonate…be sure to leave yourself some breadcrumbs…
Microsoft Windows [Version 10.0.17134.345]
(c) 2018 Microsoft Corporation. All rights reserved.
C:UsersRoss>
C:UsersRoss>reg add hkcuEnvironment /v windir /d "cmd /K reg delete
hkcuEnvironment /v windir /f && REM "
The operation completed successfully.
C:UsersRoss>schtasks /Run /TN MicrosoftWindowsDiskCleanupSilentCleanup /I
SUCCESS: Attempted to run the scheduled task
"MicrosoftWindowsDiskCleanupSilentCleanup".
C:UsersRoss>
The operation completed successfully.
C:WINDOWSsystem32>cmd /c echo FINDMEFINDME
FINDMEFINDME
C:WINDOWSsystem32>
https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html
8. 3. PREP
ANALYSIS
First let’s create some PS
functions to help us gather
and parse Sysmon logs.
function Get-EventProps {
[cmdletbinding()]
Param (
[parameter(ValueFromPipeline)]
$event
)
Process {
$eventXml = [xml]$event.ToXML()
$eventKeys = $eventXml.Event.EventData.Data
$Properties = @{}
For ($i=0; $i -lt $eventKeys.Count; $i++) {
$Properties[$eventKeys[$i].Name] = $eventKeys[$i].'#text'
}
[pscustomobject]$Properties
}
}
function Get-LatestLogs {
Get-WinEvent -filterhashtable @{logname="Microsoft-Windows-
Sysmon/Operational"} -MaxEvents 1000 | Get-EventProps
}
function Get-LatestProcesses {
Get-WinEvent -filterhashtable @{logname="Microsoft-Windows-
Sysmon/Operational";id=1} -MaxEvents 1000 | Get-EventProps
}
9. 3. PREP
ANALYSIS
Let’s store the relevant
process data
C:UsersRossDesktop>
C:UsersRossDesktop>powershell
Windows Powershell
Copyright (c) 2013 Microsoft Corporation. All rights reserved.
PS C:UsersRossDesktop> $processLogs = Get-LatestProcesses
We need this data
We got this data
10. 4.EXPLORE
DATA
First, find your
breadcrumbs that you left
earlier.
PS C:UsersRossDesktop> $processLogs | Where { $_.CommandLine -like
"*FINDMEFINDME*" }
ParentCommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM
system32cleanmgr.exe /autoclean /d C:
Description : Windows Command Processor
CommandLine : cmd /c echo FINDMEFINDME
CurrentDirectory : C:WINDOWSsystem32
Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C
Image : C:WindowsSystem32cmd.exe
UtcTime : 2018-10-18 21:01:44.471
ProcessGuid : {2FA81719-F4B8-5BC8-0000-0010A1124F01}
Company : Microsoft Corporation
IntegrityLevel : High
FileVersion : 10.0.17134.1 (WinBuild.160101.0800)
User : RWOLF-WIN10-VMRoss
RuleName :
Product : Microsoft® Windows® Operating System
LogonId : 0x21ba58
ProcessId : 5816
LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100}
TerminalSessionId : 1
ParentProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01}
ParentProcessId : 8760
ParentImage : C:WindowsSystem32cmd.exe
11. 4.EXPLORE
DATA
Walk up the process tree
to see when and how the
bypass occurred.
We’re looking for a
transition from medium to
high integrity.
PS C:UsersRossDesktop> $processLogs | where { $_.ProcessGuid -eq
"{2FA81719-F482-5BC8-0000-001060044C01}"}
ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule
Description : Windows Command Processor
CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM
system32cleanmgr.exe /autoclean /d C:
CurrentDirectory : C:WINDOWSsystem32
Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C
Image : C:WindowsSystem32cmd.exe
UtcTime : 2018-10-18 21:00:50.695
ProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01}
Company : Microsoft Corporation
IntegrityLevel : High
FileVersion : 10.0.17134.1 (WinBuild.160101.0800)
User : RWOLF-WIN10-VMRoss
RuleName :
Product : Microsoft® Windows® Operating System
LogonId : 0x21ba58
ProcessId : 8760
LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100}
TerminalSessionId : 1
ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100}
ParentProcessId : 1288
ParentImage : C:WindowsSystem32svchost.exe
12. 4.EXPLORE
DATA
Keep walking up the tree
until things look normal
again. We found the
Schedule service running
as normal.
PS C:UsersRossDesktop> $processLogs | where { $_.ProcessGuid -eq
"{2FA81719-DE77-5BC8-0000-001028620100}"}
ParentCommandLine : C:WINDOWSsystem32services.exe
Description : Host Process for Windows Services
CommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule
CurrentDirectory : C:WINDOWSsystem32
Hashes : SHA1=660B76B6FB802417D513ADC967C5CAF77FC2BAC6
Image : C:WindowsSystem32svchost.exe
UtcTime : 2018-10-18 19:26:47.110
ProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100}
Company : Microsoft Corporation
IntegrityLevel : System
FileVersion : 10.0.17134.1 (WinBuild.160101.0800)
User : NT AUTHORITYSYSTEM
RuleName :
Product : Microsoft® Windows® Operating System
LogonId : 0x3e7
ProcessId : 1288
LogonGuid : {2FA81719-DE75-5BC8-0000-0020E7030000}
TerminalSessionId : 0
ParentProcessGuid : {2FA81719-DE75-5BC8-0000-0010C6AC0000}
ParentProcessId : 632
ParentImage : C:WindowsSystem32services.exe
13. 4.EXPLORE
DATA
We went too far. The task
scheduler ran the
SilentCleanup task, but
we’re interested in the
task, not the scheduler.
14. 4.EXPLORE
DATA
What happens when the
SilentCleanup task is not
abused?
PS C:UsersRossDesktop> $processLogs | where { $_.CommandLine -like
"*cleanmgr.exe /autoclean*" }
ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule
Description : Windows Command Processor
CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM
system32cleanmgr.exe /autoclean /d C:
CurrentDirectory : C:WINDOWSsystem32
Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C
Image : C:WindowsSystem32cmd.exe
UtcTime : 2018-10-18 21:00:50.695
ProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01}
Company : Microsoft Corporation
IntegrityLevel : High
FileVersion : 10.0.17134.1 (WinBuild.160101.0800)
User : RWOLF-WIN10-VMRoss
RuleName :
Product : Microsoft® Windows® Operating System
LogonId : 0x21ba58
ProcessId : 8760
LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100}
TerminalSessionId : 1
ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100}
ParentProcessId : 1288
ParentImage : C:WindowsSystem32svchost.exe
15. 4.EXPLORE
DATA
What happens when the
SilentCleanup task is not
abused?
ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule
Description : Windows Command Processor
CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM
system32cleanmgr.exe /autoclean /d C:
CurrentDirectory : C:WINDOWSsystem32
Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C
Image : C:WindowsSystem32cmd.exe
UtcTime : 2018-10-18 20:59:01.667
ProcessGuid : {2FA81719-F415-5BC8-0000-0010F9F64301}
Company : Microsoft Corporation
IntegrityLevel : High
FileVersion : 10.0.17134.1 (WinBuild.160101.0800)
User : RWOLF-WIN10-VMRoss
RuleName :
Product : Microsoft® Windows® Operating System
LogonId : 0x21ba58
ProcessId : 5820
LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100}
TerminalSessionId : 1
ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100}
ParentProcessId : 1288
ParentImage : C:WindowsSystem32svchost.exe
16. 4.EXPLORE
DATA
What happens when the
SilentCleanup task is not
abused?
ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule
Description : Disk Space Cleanup Manager for Windows
CommandLine : C:WINDOWSsystem32cleanmgr.exe /autoclean /d C:
CurrentDirectory : C:WINDOWSsystem32
Hashes : SHA1=2EB39003998F0E518AD937DB120B87E81D5A5893
Image : C:WindowsSystem32cleanmgr.exe
UtcTime : 2018-10-18 20:58:07.183
ProcessGuid : {2FA81719-F3DF-5BC8-0000-001024A93F01}
Company : Microsoft Corporation
IntegrityLevel : High
FileVersion : 10.0.17134.1 (WinBuild.160101.0800)
User : RWOLF-WIN10-VMRoss
RuleName :
Product : Microsoft® Windows® Operating System
LogonId : 0x21ba58
ProcessId : 2828
LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100}
TerminalSessionId : 1
ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100}
ParentProcessId : 1288
ParentImage : C:WindowsSystem32svchost.exe
17. 4.EXPLORE
DATA
What happens when the
SilentCleanup task is not
abused?
ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule
Description : Disk Space Cleanup Manager for Windows
CommandLine : C:WINDOWSsystem32cleanmgr.exe /autoclean /d C:
CurrentDirectory : C:WINDOWSsystem32
Hashes : SHA1=2EB39003998F0E518AD937DB120B87E81D5A5893
Image : C:WindowsSystem32cleanmgr.exe
UtcTime : 2018-10-18 20:54:13.619
ProcessGuid : {2FA81719-F2F5-5BC8-0000-001036452E01}
Company : Microsoft Corporation
IntegrityLevel : High
FileVersion : 10.0.17134.1 (WinBuild.160101.0800)
User : RWOLF-WIN10-VMRoss
RuleName :
Product : Microsoft® Windows® Operating System
LogonId : 0x21ba58
ProcessId : 4864
LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100}
TerminalSessionId : 1
ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100}
ParentProcessId : 1288
ParentImage : C:WindowsSystem32svchost.exe
18. 5. PROTOTYPE
ANALYTIC
Draft an analytic in
PowerShell that detects
the malicious behavior
without triggering on the
benign behavior.
PS C:UsersRossDesktop> $processLogs | where {$_.IntegrityLevel -eq "High"}
–and $_.CommandLine -like "* *system32cleanmgr.exe /autoclean*" }
ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule
Description : Windows Command Processor
CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM
system32cleanmgr.exe /autoclean /d C:
CurrentDirectory : C:WINDOWSsystem32
Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C
Image : C:WindowsSystem32cmd.exe
UtcTime : 2018-10-18 21:00:50.695
ProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01}
Company : Microsoft Corporation
IntegrityLevel : High
FileVersion : 10.0.17134.1 (WinBuild.160101.0800)
User : RWOLF-WIN10-VMRoss
RuleName :
Product : Microsoft® Windows® Operating System
LogonId : 0x21ba58
ProcessId : 8760
LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100}
TerminalSessionId : 1
ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100}
ParentProcessId : 1288
ParentImage : C:WindowsSystem32svchost.exe
20. 6. GO LIVE
Rule looks good!
Let’s write an EQL query.
process where
command_line == "* *system32cleanmgr.exe /autoclean*"
https://www.endgame.com/blog/technical-blog/introducing-event-query-language
22. 6. GO LIVE
Oh, this is just another
benign instance of the
Windows task scheduler
on a different OS.
{
"authentication_id": 224881,
"command_line": "taskhostw.exe C:WINDOWSsystem32cleanmgr.exe
/autoclean /d C:",
"event_subtype_full": "creation_event",
"event_type_full": "process_event",
"md5": "ce95e236fc9fe2d6f16c926c75b18baf",
"original_file_name": "taskhostw.exe",
"parent_process_name": "svchost.exe",
"parent_process_path": "C:WindowsSystem32svchost.exe",
"pid": 14920,
"ppid": 1700,
"process_name": "taskhostw.exe",
"process_path": "C:WindowsSystem32taskhostw.exe",
"sha1": "2a594345fbcaad453c72bd0937cbf67fb43a74df",
"signature_signer": "Microsoft Windows",
"signature_status": "trusted",
"timestamp_utc": "2018-10-02 16:05:32Z",
...
}
23. 7. FINE TUNING
Filter results, unique
results, or specifically
account for false positives
in your environment
process where
command_line == "* *system32cleanmgr.exe /autoclean*”
and process_path != "C:WindowsSystem32taskhostw.exe"
24. CONCLUSION
Seems easy enough?
But FPs are everywhere.
Always calibrate to the
software and configurations
in your environment
1. Stealthy PowerShell, this module is common huh?
image_load where process_name != "powershell.exe" and
image_name == "System.Management.Automation.ni.dll"
2. Emails, Links, Child Browser Process?
process where
parent_process_name == "outlook.exe" and
process_name in ("wscript.exe", "cmd.exe",
"powershell.exe", ...)
3. MSHTA Network Connections, never happens?
sequence by unique_pid
[process where process_name == "mshta.exe"]
[network where event_subtype_full == "*connection_attempt_event"]
4. Unusual Lateral Movement via SMB, shouldn’t FP?
network where destination_port == 445 and pid != 4
| unique process_path