SlideShare a Scribd company logo

MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, Endgame

MITRE - ATT&CKcon
MITRE - ATT&CKcon

This session is a practical guide for a rapid prototyping of ATT&CK-based analytics – from technique to detection.

Technology
1 of 25
Download to read offline
FROM TECHNIQUE TO DETECTION Rapid prototyping of ATT&CK-based analytics Paul Ewing @_paulewing Ross Wolf @rw_access
ATT&CK Detections? Will be powerful Will enable hunters Will transform your SOC
ATT&CK Detections? Will not be as easy as described Will not always lead to analytics Will not be a silver bullet
TIMELINE OF A SOLID ANALYTIC ATT&CK-based analytics required continual grooming as their success depends on it TIME  SUCCESS Initial Logic False Positives Fine Tune Overcompensate Profit
1. SELECT YOUR TECHNIQUE After performing gap-analysis and understanding your environment.
1. SELECT YOUR TECHNIQUE After performing gap-analysis and understanding your environment.
2. DETONATE Find scripts or commands that perform the technique. …after you detonate…be sure to leave yourself some breadcrumbs… Microsoft Windows [Version 10.0.17134.345] (c) 2018 Microsoft Corporation. All rights reserved. C:UsersRoss> C:UsersRoss>reg add hkcuEnvironment /v windir /d "cmd /K reg delete hkcuEnvironment /v windir /f && REM " The operation completed successfully. C:UsersRoss>schtasks /Run /TN MicrosoftWindowsDiskCleanupSilentCleanup /I SUCCESS: Attempted to run the scheduled task "MicrosoftWindowsDiskCleanupSilentCleanup". C:UsersRoss> The operation completed successfully. C:WINDOWSsystem32>cmd /c echo FINDMEFINDME FINDMEFINDME C:WINDOWSsystem32> https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html
3. PREP ANALYSIS First let’s create some PS functions to help us gather and parse Sysmon logs. function Get-EventProps { [cmdletbinding()] Param ( [parameter(ValueFromPipeline)] $event ) Process { $eventXml = [xml]$event.ToXML() $eventKeys = $eventXml.Event.EventData.Data $Properties = @{} For ($i=0; $i -lt $eventKeys.Count; $i++) { $Properties[$eventKeys[$i].Name] = $eventKeys[$i].'#text' } [pscustomobject]$Properties } } function Get-LatestLogs { Get-WinEvent -filterhashtable @{logname="Microsoft-Windows- Sysmon/Operational"} -MaxEvents 1000 | Get-EventProps } function Get-LatestProcesses { Get-WinEvent -filterhashtable @{logname="Microsoft-Windows- Sysmon/Operational";id=1} -MaxEvents 1000 | Get-EventProps }
3. PREP ANALYSIS Let’s store the relevant process data C:UsersRossDesktop> C:UsersRossDesktop>powershell Windows Powershell Copyright (c) 2013 Microsoft Corporation. All rights reserved. PS C:UsersRossDesktop> $processLogs = Get-LatestProcesses We need this data We got this data
4.EXPLORE DATA First, find your breadcrumbs that you left earlier. PS C:UsersRossDesktop> $processLogs | Where { $_.CommandLine -like "*FINDMEFINDME*" } ParentCommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: Description : Windows Command Processor CommandLine : cmd /c echo FINDMEFINDME CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 21:01:44.471 ProcessGuid : {2FA81719-F4B8-5BC8-0000-0010A1124F01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 5816 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01} ParentProcessId : 8760 ParentImage : C:WindowsSystem32cmd.exe
4.EXPLORE DATA Walk up the process tree to see when and how the bypass occurred. We’re looking for a transition from medium to high integrity. PS C:UsersRossDesktop> $processLogs | where { $_.ProcessGuid -eq "{2FA81719-F482-5BC8-0000-001060044C01}"} ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 21:00:50.695 ProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 8760 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
4.EXPLORE DATA Keep walking up the tree until things look normal again. We found the Schedule service running as normal. PS C:UsersRossDesktop> $processLogs | where { $_.ProcessGuid -eq "{2FA81719-DE77-5BC8-0000-001028620100}"} ParentCommandLine : C:WINDOWSsystem32services.exe Description : Host Process for Windows Services CommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=660B76B6FB802417D513ADC967C5CAF77FC2BAC6 Image : C:WindowsSystem32svchost.exe UtcTime : 2018-10-18 19:26:47.110 ProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} Company : Microsoft Corporation IntegrityLevel : System FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : NT AUTHORITYSYSTEM RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x3e7 ProcessId : 1288 LogonGuid : {2FA81719-DE75-5BC8-0000-0020E7030000} TerminalSessionId : 0 ParentProcessGuid : {2FA81719-DE75-5BC8-0000-0010C6AC0000} ParentProcessId : 632 ParentImage : C:WindowsSystem32services.exe
4.EXPLORE DATA We went too far. The task scheduler ran the SilentCleanup task, but we’re interested in the task, not the scheduler.
4.EXPLORE DATA What happens when the SilentCleanup task is not abused? PS C:UsersRossDesktop> $processLogs | where { $_.CommandLine -like "*cleanmgr.exe /autoclean*" } ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 21:00:50.695 ProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 8760 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
4.EXPLORE DATA What happens when the SilentCleanup task is not abused? ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 20:59:01.667 ProcessGuid : {2FA81719-F415-5BC8-0000-0010F9F64301} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 5820 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
4.EXPLORE DATA What happens when the SilentCleanup task is not abused? ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Disk Space Cleanup Manager for Windows CommandLine : C:WINDOWSsystem32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=2EB39003998F0E518AD937DB120B87E81D5A5893 Image : C:WindowsSystem32cleanmgr.exe UtcTime : 2018-10-18 20:58:07.183 ProcessGuid : {2FA81719-F3DF-5BC8-0000-001024A93F01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 2828 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
4.EXPLORE DATA What happens when the SilentCleanup task is not abused? ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Disk Space Cleanup Manager for Windows CommandLine : C:WINDOWSsystem32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=2EB39003998F0E518AD937DB120B87E81D5A5893 Image : C:WindowsSystem32cleanmgr.exe UtcTime : 2018-10-18 20:54:13.619 ProcessGuid : {2FA81719-F2F5-5BC8-0000-001036452E01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 4864 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
5. PROTOTYPE ANALYTIC Draft an analytic in PowerShell that detects the malicious behavior without triggering on the benign behavior. PS C:UsersRossDesktop> $processLogs | where {$_.IntegrityLevel -eq "High"} –and $_.CommandLine -like "* *system32cleanmgr.exe /autoclean*" } ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 21:00:50.695 ProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 8760 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
5. PROTOTYPE ANALYTIC Draft an analytic in PowerShell. ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 20:59:01.667 ProcessGuid : {2FA81719-F415-5BC8-0000-0010F9F64301} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 5820 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
6. GO LIVE Rule looks good! Let’s write an EQL query. process where command_line == "* *system32cleanmgr.exe /autoclean*" https://www.endgame.com/blog/technical-blog/introducing-event-query-language
6. GO LIVE Results…uh oh… True or false positive? { "authentication_id": 224881, "command_line": "taskhostw.exe C:WINDOWSsystem32cleanmgr.exe /autoclean /d C:", "event_subtype_full": "creation_event", "event_type_full": "process_event", "md5": "ce95e236fc9fe2d6f16c926c75b18baf", "original_file_name": "taskhostw.exe", "parent_process_name": "svchost.exe", "parent_process_path": "C:WindowsSystem32svchost.exe", "pid": 14920, "ppid": 1700, "process_name": "taskhostw.exe", "process_path": "C:WindowsSystem32taskhostw.exe", "sha1": "2a594345fbcaad453c72bd0937cbf67fb43a74df", "signature_signer": "Microsoft Windows", "signature_status": "trusted", "timestamp_utc": "2018-10-02 16:05:32Z", ... }
6. GO LIVE Oh, this is just another benign instance of the Windows task scheduler on a different OS. { "authentication_id": 224881, "command_line": "taskhostw.exe C:WINDOWSsystem32cleanmgr.exe /autoclean /d C:", "event_subtype_full": "creation_event", "event_type_full": "process_event", "md5": "ce95e236fc9fe2d6f16c926c75b18baf", "original_file_name": "taskhostw.exe", "parent_process_name": "svchost.exe", "parent_process_path": "C:WindowsSystem32svchost.exe", "pid": 14920, "ppid": 1700, "process_name": "taskhostw.exe", "process_path": "C:WindowsSystem32taskhostw.exe", "sha1": "2a594345fbcaad453c72bd0937cbf67fb43a74df", "signature_signer": "Microsoft Windows", "signature_status": "trusted", "timestamp_utc": "2018-10-02 16:05:32Z", ... }
7. FINE TUNING Filter results, unique results, or specifically account for false positives in your environment process where command_line == "* *system32cleanmgr.exe /autoclean*” and process_path != "C:WindowsSystem32taskhostw.exe"
CONCLUSION Seems easy enough? But FPs are everywhere. Always calibrate to the software and configurations in your environment 1. Stealthy PowerShell, this module is common huh? image_load where process_name != "powershell.exe" and image_name == "System.Management.Automation.ni.dll" 2. Emails, Links, Child Browser Process? process where parent_process_name == "outlook.exe" and process_name in ("wscript.exe", "cmd.exe", "powershell.exe", ...) 3. MSHTA Network Connections, never happens? sequence by unique_pid [process where process_name == "mshta.exe"] [network where event_subtype_full == "*connection_attempt_event"] 4. Unusual Lateral Movement via SMB, shouldn’t FP? network where destination_port == 445 and pid != 4 | unique process_path
Thank You.

Recommended

MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE - ATT&CKcon
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
Sunny Neo
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomware
Kaspersky
 
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESETMITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE - ATT&CKcon
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat MappingHelping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
MITRE - ATT&CKcon
 
Detection and Response Roles
Detection and Response RolesDetection and Response Roles
Detection and Response Roles
Florian Roth
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212
Florian Roth
 

Recommended

MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE ATT&CKcon 2018: VCAF: Expanding the ATT&CK Framework to cover VERIS Thr...
MITRE - ATT&CKcon
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
Sunny Neo
 
What you need to know about ExPetr ransomware
What you need to know about ExPetr ransomwareWhat you need to know about ExPetr ransomware
What you need to know about ExPetr ransomware
Kaspersky
 
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESETMITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
MITRE - ATT&CKcon
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat MappingHelping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
MITRE - ATT&CKcon
 
Detection and Response Roles
Detection and Response RolesDetection and Response Roles
Detection and Response Roles
Florian Roth
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212
Florian Roth
 
Endpoint is not enough
Endpoint is not enoughEndpoint is not enough
Endpoint is not enough
Sumedt Jitpukdebodin
 
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Mauricio Velazco
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
Michael Gough
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat Security Conference
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - October
MITRE - ATT&CKcon
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
Splunk Enterprise for Information Security Hands-On Breakout Session
Splunk Enterprise for Information Security Hands-On Breakout SessionSplunk Enterprise for Information Security Hands-On Breakout Session
Splunk Enterprise for Information Security Hands-On Breakout Session
Splunk
 
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
Hacks in Taiwan (HITCON)
 
Bsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementBsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral Movement
Mauricio Velazco
 
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxyBlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat Security Conference
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
Jayesh Patel
 
Hands on Security - Disrupting the Kill Chain Breakout Session
Hands on Security - Disrupting the Kill Chain Breakout SessionHands on Security - Disrupting the Kill Chain Breakout Session
Hands on Security - Disrupting the Kill Chain Breakout Session
Splunk
 
Automatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosAutomatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivos
Imma Valls Bernaus
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat Security Conference
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 
【HITCON Hackathon 2017】 TrendMicro Datasets
【HITCON Hackathon 2017】 TrendMicro Datasets【HITCON Hackathon 2017】 TrendMicro Datasets
【HITCON Hackathon 2017】 TrendMicro Datasets
Hacks in Taiwan (HITCON)
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
InfosecTrain
 
SplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakout
Splunk
 
Secure development in .NET with EPiServer Solita
Secure development in .NET with EPiServer SolitaSecure development in .NET with EPiServer Solita
Secure development in .NET with EPiServer Solita
Joona Immonen
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 

More Related Content

What's hot

Endpoint is not enough
Endpoint is not enoughEndpoint is not enough
Endpoint is not enough
Sumedt Jitpukdebodin
 
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Mauricio Velazco
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
Michael Gough
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat Security Conference
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - October
MITRE - ATT&CKcon
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
Splunk Enterprise for Information Security Hands-On Breakout Session
Splunk Enterprise for Information Security Hands-On Breakout SessionSplunk Enterprise for Information Security Hands-On Breakout Session
Splunk Enterprise for Information Security Hands-On Breakout Session
Splunk
 
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
Hacks in Taiwan (HITCON)
 
Bsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementBsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral Movement
Mauricio Velazco
 
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxyBlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat Security Conference
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
Jayesh Patel
 
Hands on Security - Disrupting the Kill Chain Breakout Session
Hands on Security - Disrupting the Kill Chain Breakout SessionHands on Security - Disrupting the Kill Chain Breakout Session
Hands on Security - Disrupting the Kill Chain Breakout Session
Splunk
 
Automatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosAutomatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivos
Imma Valls Bernaus
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat Security Conference
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 
【HITCON Hackathon 2017】 TrendMicro Datasets
【HITCON Hackathon 2017】 TrendMicro Datasets【HITCON Hackathon 2017】 TrendMicro Datasets
【HITCON Hackathon 2017】 TrendMicro Datasets
Hacks in Taiwan (HITCON)
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
InfosecTrain
 
SplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakout
Splunk
 
Secure development in .NET with EPiServer Solita
Secure development in .NET with EPiServer SolitaSecure development in .NET with EPiServer Solita
Secure development in .NET with EPiServer Solita
Joona Immonen
 

What's hot (20)

Endpoint is not enough
Endpoint is not enoughEndpoint is not enough
Endpoint is not enough
 
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
BlueHat v17 || Go Hunt: An Automated Approach for Security Alert Validation
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - October
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
Splunk Enterprise for Information Security Hands-On Breakout Session
Splunk Enterprise for Information Security Hands-On Breakout SessionSplunk Enterprise for Information Security Hands-On Breakout Session
Splunk Enterprise for Information Security Hands-On Breakout Session
 
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】
 
Bsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementBsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral Movement
 
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxyBlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
 
Hands on Security - Disrupting the Kill Chain Breakout Session
Hands on Security - Disrupting the Kill Chain Breakout SessionHands on Security - Disrupting the Kill Chain Breakout Session
Hands on Security - Disrupting the Kill Chain Breakout Session
 
Automatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosAutomatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivos
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysis
 
【HITCON Hackathon 2017】 TrendMicro Datasets
【HITCON Hackathon 2017】 TrendMicro Datasets【HITCON Hackathon 2017】 TrendMicro Datasets
【HITCON Hackathon 2017】 TrendMicro Datasets
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
SplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakoutSplunkLive! Amsterdam 2015 - Analytics based security breakout
SplunkLive! Amsterdam 2015 - Analytics based security breakout
 
Secure development in .NET with EPiServer Solita
Secure development in .NET with EPiServer SolitaSecure development in .NET with EPiServer Solita
Secure development in .NET with EPiServer Solita
 

Similar to MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, Endgame

Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
C fosspeed setup_log
C fosspeed setup_logC fosspeed setup_log
C fosspeed setup_log
Ramadan Hasibuan
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
Cyber Security Alliance
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
guest3379bd
 
EuroBSDcon 2017 System Performance Analysis Methodologies
EuroBSDcon 2017 System Performance Analysis MethodologiesEuroBSDcon 2017 System Performance Analysis Methodologies
EuroBSDcon 2017 System Performance Analysis Methodologies
Brendan Gregg
 
Adrian Mouat - Docker Tips and Tricks
Adrian Mouat - Docker Tips and Tricks Adrian Mouat - Docker Tips and Tricks
Adrian Mouat - Docker Tips and Tricks
Kevin Cross
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniques
Satpal Parmar
 
Oracle Database In-Memory Option in Action
Oracle Database In-Memory Option in ActionOracle Database In-Memory Option in Action
Oracle Database In-Memory Option in Action
Tanel Poder
 
In Memory Database In Action by Tanel Poder and Kerry Osborne
In Memory Database In Action by Tanel Poder and Kerry OsborneIn Memory Database In Action by Tanel Poder and Kerry Osborne
In Memory Database In Action by Tanel Poder and Kerry Osborne
Enkitec
 
HKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with CoresightHKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with Coresight
Linaro
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysqqlan
 
My old security advisories on HMI/SCADA and industrial software released betw...
My old security advisories on HMI/SCADA and industrial software released betw...My old security advisories on HMI/SCADA and industrial software released betw...
My old security advisories on HMI/SCADA and industrial software released betw...
Luigi Auriemma
 
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart NeedhamThe post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
Stewart Needham
 
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
YuChianWu
 
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryTidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
MITRE ATT&CK
 
Ibm aix technical deep dive workshop advanced administration and problem dete...
Ibm aix technical deep dive workshop advanced administration and problem dete...Ibm aix technical deep dive workshop advanced administration and problem dete...
Ibm aix technical deep dive workshop advanced administration and problem dete...
solarisyougood
 
SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.
Dmitry Iudin
 
Managing Large-scale Networks with Trigger
Managing Large-scale Networks with TriggerManaging Large-scale Networks with Trigger
Managing Large-scale Networks with Trigger
jathanism
 

Similar to MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, Endgame (20)

Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
C fosspeed setup_log
C fosspeed setup_logC fosspeed setup_log
C fosspeed setup_log
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
EuroBSDcon 2017 System Performance Analysis Methodologies
EuroBSDcon 2017 System Performance Analysis MethodologiesEuroBSDcon 2017 System Performance Analysis Methodologies
EuroBSDcon 2017 System Performance Analysis Methodologies
 
Adrian Mouat - Docker Tips and Tricks
Adrian Mouat - Docker Tips and Tricks Adrian Mouat - Docker Tips and Tricks
Adrian Mouat - Docker Tips and Tricks
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniques
 
Audit
AuditAudit
Audit
 
Oracle Database In-Memory Option in Action
Oracle Database In-Memory Option in ActionOracle Database In-Memory Option in Action
Oracle Database In-Memory Option in Action
 
In Memory Database In Action by Tanel Poder and Kerry Osborne
In Memory Database In Action by Tanel Poder and Kerry OsborneIn Memory Database In Action by Tanel Poder and Kerry Osborne
In Memory Database In Action by Tanel Poder and Kerry Osborne
 
HKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with CoresightHKG18-TR14 - Postmortem Debugging with Coresight
HKG18-TR14 - Postmortem Debugging with Coresight
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
My old security advisories on HMI/SCADA and industrial software released betw...
My old security advisories on HMI/SCADA and industrial software released betw...My old security advisories on HMI/SCADA and industrial software released betw...
My old security advisories on HMI/SCADA and industrial software released betw...
 
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart NeedhamThe post release technologies of Crysis 3 (Slides Only) - Stewart Needham
The post release technologies of Crysis 3 (Slides Only) - Stewart Needham
 
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
 
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryTidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
 
Ibm aix technical deep dive workshop advanced administration and problem dete...
Ibm aix technical deep dive workshop advanced administration and problem dete...Ibm aix technical deep dive workshop advanced administration and problem dete...
Ibm aix technical deep dive workshop advanced administration and problem dete...
 
SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.SAP strikes back Your SAP server now counter attacks.
SAP strikes back Your SAP server now counter attacks.
 
Managing Large-scale Networks with Trigger
Managing Large-scale Networks with TriggerManaging Large-scale Networks with Trigger
Managing Large-scale Networks with Trigger
 

More from MITRE - ATT&CKcon

ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
MITRE - ATT&CKcon
 
State of the ATTACK
State of the ATTACKState of the ATTACK
State of the ATTACK
MITRE - ATT&CKcon
 
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
MITRE - ATT&CKcon
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
MITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - JanuaryMITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - January
MITRE - ATT&CKcon
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
MITRE - ATT&CKcon
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK Framework
MITRE - ATT&CKcon
 
What's New with ATTACK for ICS?
What's New with ATTACK for ICS?What's New with ATTACK for ICS?
What's New with ATTACK for ICS?
MITRE - ATT&CKcon
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have ChangedFrom Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have Changed
MITRE - ATT&CKcon
 
Putting the PRE into ATTACK
Putting the PRE into ATTACKPutting the PRE into ATTACK
Putting the PRE into ATTACK
MITRE - ATT&CKcon
 
What's a MITRE with your Security?
What's a MITRE with your Security?What's a MITRE with your Security?
What's a MITRE with your Security?
MITRE - ATT&CKcon
 
ATTACKing the Cloud: Hopping Between the Matrices
ATTACKing the Cloud: Hopping Between the MatricesATTACKing the Cloud: Hopping Between the Matrices
ATTACKing the Cloud: Hopping Between the Matrices
MITRE - ATT&CKcon
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
MITRE - ATT&CKcon
 
Transforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionTransforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis Question
MITRE - ATT&CKcon
 
TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020
MITRE - ATT&CKcon
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
MITRE - ATT&CKcon
 
What's New with ATTACK for Cloud?
What's New with ATTACK for Cloud?What's New with ATTACK for Cloud?
What's New with ATTACK for Cloud?
MITRE - ATT&CKcon
 
Starting Over with Sub-Techniques
Starting Over with Sub-TechniquesStarting Over with Sub-Techniques
Starting Over with Sub-Techniques
MITRE - ATT&CKcon
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - December
MITRE - ATT&CKcon
 
MITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - NovemberMITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - November
MITRE - ATT&CKcon
 

More from MITRE - ATT&CKcon (20)

ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
 
State of the ATTACK
State of the ATTACKState of the ATTACK
State of the ATTACK
 
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
 
MITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - JanuaryMITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - January
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK Framework
 
What's New with ATTACK for ICS?
What's New with ATTACK for ICS?What's New with ATTACK for ICS?
What's New with ATTACK for ICS?
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have ChangedFrom Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have Changed
 
Putting the PRE into ATTACK
Putting the PRE into ATTACKPutting the PRE into ATTACK
Putting the PRE into ATTACK
 
What's a MITRE with your Security?
What's a MITRE with your Security?What's a MITRE with your Security?
What's a MITRE with your Security?
 
ATTACKing the Cloud: Hopping Between the Matrices
ATTACKing the Cloud: Hopping Between the MatricesATTACKing the Cloud: Hopping Between the Matrices
ATTACKing the Cloud: Hopping Between the Matrices
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
 
Transforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionTransforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis Question
 
TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
 
What's New with ATTACK for Cloud?
What's New with ATTACK for Cloud?What's New with ATTACK for Cloud?
What's New with ATTACK for Cloud?
 
Starting Over with Sub-Techniques
Starting Over with Sub-TechniquesStarting Over with Sub-Techniques
Starting Over with Sub-Techniques
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - December
 
MITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - NovemberMITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - November
 

Recently uploaded

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 

Recently uploaded (20)

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 

MITRE ATT&CKcon 2018: From Technique to Detection, Paul Ewing and Ross Wolf, Endgame

  • 1. FROM TECHNIQUE TO DETECTION Rapid prototyping of ATT&CK-based analytics Paul Ewing @_paulewing Ross Wolf @rw_access
  • 2. ATT&CK Detections? Will be powerful Will enable hunters Will transform your SOC
  • 3. ATT&CK Detections? Will not be as easy as described Will not always lead to analytics Will not be a silver bullet
  • 4. TIMELINE OF A SOLID ANALYTIC ATT&CK-based analytics required continual grooming as their success depends on it TIME  SUCCESS Initial Logic False Positives Fine Tune Overcompensate Profit
  • 5. 1. SELECT YOUR TECHNIQUE After performing gap-analysis and understanding your environment.
  • 6. 1. SELECT YOUR TECHNIQUE After performing gap-analysis and understanding your environment.
  • 7. 2. DETONATE Find scripts or commands that perform the technique. …after you detonate…be sure to leave yourself some breadcrumbs… Microsoft Windows [Version 10.0.17134.345] (c) 2018 Microsoft Corporation. All rights reserved. C:UsersRoss> C:UsersRoss>reg add hkcuEnvironment /v windir /d "cmd /K reg delete hkcuEnvironment /v windir /f && REM " The operation completed successfully. C:UsersRoss>schtasks /Run /TN MicrosoftWindowsDiskCleanupSilentCleanup /I SUCCESS: Attempted to run the scheduled task "MicrosoftWindowsDiskCleanupSilentCleanup". C:UsersRoss> The operation completed successfully. C:WINDOWSsystem32>cmd /c echo FINDMEFINDME FINDMEFINDME C:WINDOWSsystem32> https://tyranidslair.blogspot.com/2017/05/exploiting-environment-variables-in.html
  • 8. 3. PREP ANALYSIS First let’s create some PS functions to help us gather and parse Sysmon logs. function Get-EventProps { [cmdletbinding()] Param ( [parameter(ValueFromPipeline)] $event ) Process { $eventXml = [xml]$event.ToXML() $eventKeys = $eventXml.Event.EventData.Data $Properties = @{} For ($i=0; $i -lt $eventKeys.Count; $i++) { $Properties[$eventKeys[$i].Name] = $eventKeys[$i].'#text' } [pscustomobject]$Properties } } function Get-LatestLogs { Get-WinEvent -filterhashtable @{logname="Microsoft-Windows- Sysmon/Operational"} -MaxEvents 1000 | Get-EventProps } function Get-LatestProcesses { Get-WinEvent -filterhashtable @{logname="Microsoft-Windows- Sysmon/Operational";id=1} -MaxEvents 1000 | Get-EventProps }
  • 9. 3. PREP ANALYSIS Let’s store the relevant process data C:UsersRossDesktop> C:UsersRossDesktop>powershell Windows Powershell Copyright (c) 2013 Microsoft Corporation. All rights reserved. PS C:UsersRossDesktop> $processLogs = Get-LatestProcesses We need this data We got this data
  • 10. 4.EXPLORE DATA First, find your breadcrumbs that you left earlier. PS C:UsersRossDesktop> $processLogs | Where { $_.CommandLine -like "*FINDMEFINDME*" } ParentCommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: Description : Windows Command Processor CommandLine : cmd /c echo FINDMEFINDME CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 21:01:44.471 ProcessGuid : {2FA81719-F4B8-5BC8-0000-0010A1124F01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 5816 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01} ParentProcessId : 8760 ParentImage : C:WindowsSystem32cmd.exe
  • 11. 4.EXPLORE DATA Walk up the process tree to see when and how the bypass occurred. We’re looking for a transition from medium to high integrity. PS C:UsersRossDesktop> $processLogs | where { $_.ProcessGuid -eq "{2FA81719-F482-5BC8-0000-001060044C01}"} ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 21:00:50.695 ProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 8760 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
  • 12. 4.EXPLORE DATA Keep walking up the tree until things look normal again. We found the Schedule service running as normal. PS C:UsersRossDesktop> $processLogs | where { $_.ProcessGuid -eq "{2FA81719-DE77-5BC8-0000-001028620100}"} ParentCommandLine : C:WINDOWSsystem32services.exe Description : Host Process for Windows Services CommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=660B76B6FB802417D513ADC967C5CAF77FC2BAC6 Image : C:WindowsSystem32svchost.exe UtcTime : 2018-10-18 19:26:47.110 ProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} Company : Microsoft Corporation IntegrityLevel : System FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : NT AUTHORITYSYSTEM RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x3e7 ProcessId : 1288 LogonGuid : {2FA81719-DE75-5BC8-0000-0020E7030000} TerminalSessionId : 0 ParentProcessGuid : {2FA81719-DE75-5BC8-0000-0010C6AC0000} ParentProcessId : 632 ParentImage : C:WindowsSystem32services.exe
  • 13. 4.EXPLORE DATA We went too far. The task scheduler ran the SilentCleanup task, but we’re interested in the task, not the scheduler.
  • 14. 4.EXPLORE DATA What happens when the SilentCleanup task is not abused? PS C:UsersRossDesktop> $processLogs | where { $_.CommandLine -like "*cleanmgr.exe /autoclean*" } ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 21:00:50.695 ProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 8760 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
  • 15. 4.EXPLORE DATA What happens when the SilentCleanup task is not abused? ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 20:59:01.667 ProcessGuid : {2FA81719-F415-5BC8-0000-0010F9F64301} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 5820 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
  • 16. 4.EXPLORE DATA What happens when the SilentCleanup task is not abused? ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Disk Space Cleanup Manager for Windows CommandLine : C:WINDOWSsystem32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=2EB39003998F0E518AD937DB120B87E81D5A5893 Image : C:WindowsSystem32cleanmgr.exe UtcTime : 2018-10-18 20:58:07.183 ProcessGuid : {2FA81719-F3DF-5BC8-0000-001024A93F01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 2828 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
  • 17. 4.EXPLORE DATA What happens when the SilentCleanup task is not abused? ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Disk Space Cleanup Manager for Windows CommandLine : C:WINDOWSsystem32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=2EB39003998F0E518AD937DB120B87E81D5A5893 Image : C:WindowsSystem32cleanmgr.exe UtcTime : 2018-10-18 20:54:13.619 ProcessGuid : {2FA81719-F2F5-5BC8-0000-001036452E01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 4864 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
  • 18. 5. PROTOTYPE ANALYTIC Draft an analytic in PowerShell that detects the malicious behavior without triggering on the benign behavior. PS C:UsersRossDesktop> $processLogs | where {$_.IntegrityLevel -eq "High"} –and $_.CommandLine -like "* *system32cleanmgr.exe /autoclean*" } ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 21:00:50.695 ProcessGuid : {2FA81719-F482-5BC8-0000-001060044C01} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 8760 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
  • 19. 5. PROTOTYPE ANALYTIC Draft an analytic in PowerShell. ParentCommandLine : c:windowssystem32svchost.exe -k netsvcs -p -s Schedule Description : Windows Command Processor CommandLine : cmd /K reg delete hkcuEnvironment /v windir /f && REM system32cleanmgr.exe /autoclean /d C: CurrentDirectory : C:WINDOWSsystem32 Hashes : SHA1=3CE71813199ABAE99348F61F0CAA34E2574F831C Image : C:WindowsSystem32cmd.exe UtcTime : 2018-10-18 20:59:01.667 ProcessGuid : {2FA81719-F415-5BC8-0000-0010F9F64301} Company : Microsoft Corporation IntegrityLevel : High FileVersion : 10.0.17134.1 (WinBuild.160101.0800) User : RWOLF-WIN10-VMRoss RuleName : Product : Microsoft® Windows® Operating System LogonId : 0x21ba58 ProcessId : 5820 LogonGuid : {2FA81719-E8A7-5BC8-0000-002058BA2100} TerminalSessionId : 1 ParentProcessGuid : {2FA81719-DE77-5BC8-0000-001028620100} ParentProcessId : 1288 ParentImage : C:WindowsSystem32svchost.exe
  • 20. 6. GO LIVE Rule looks good! Let’s write an EQL query. process where command_line == "* *system32cleanmgr.exe /autoclean*" https://www.endgame.com/blog/technical-blog/introducing-event-query-language
  • 21. 6. GO LIVE Results…uh oh… True or false positive? { "authentication_id": 224881, "command_line": "taskhostw.exe C:WINDOWSsystem32cleanmgr.exe /autoclean /d C:", "event_subtype_full": "creation_event", "event_type_full": "process_event", "md5": "ce95e236fc9fe2d6f16c926c75b18baf", "original_file_name": "taskhostw.exe", "parent_process_name": "svchost.exe", "parent_process_path": "C:WindowsSystem32svchost.exe", "pid": 14920, "ppid": 1700, "process_name": "taskhostw.exe", "process_path": "C:WindowsSystem32taskhostw.exe", "sha1": "2a594345fbcaad453c72bd0937cbf67fb43a74df", "signature_signer": "Microsoft Windows", "signature_status": "trusted", "timestamp_utc": "2018-10-02 16:05:32Z", ... }
  • 22. 6. GO LIVE Oh, this is just another benign instance of the Windows task scheduler on a different OS. { "authentication_id": 224881, "command_line": "taskhostw.exe C:WINDOWSsystem32cleanmgr.exe /autoclean /d C:", "event_subtype_full": "creation_event", "event_type_full": "process_event", "md5": "ce95e236fc9fe2d6f16c926c75b18baf", "original_file_name": "taskhostw.exe", "parent_process_name": "svchost.exe", "parent_process_path": "C:WindowsSystem32svchost.exe", "pid": 14920, "ppid": 1700, "process_name": "taskhostw.exe", "process_path": "C:WindowsSystem32taskhostw.exe", "sha1": "2a594345fbcaad453c72bd0937cbf67fb43a74df", "signature_signer": "Microsoft Windows", "signature_status": "trusted", "timestamp_utc": "2018-10-02 16:05:32Z", ... }
  • 23. 7. FINE TUNING Filter results, unique results, or specifically account for false positives in your environment process where command_line == "* *system32cleanmgr.exe /autoclean*” and process_path != "C:WindowsSystem32taskhostw.exe"
  • 24. CONCLUSION Seems easy enough? But FPs are everywhere. Always calibrate to the software and configurations in your environment 1. Stealthy PowerShell, this module is common huh? image_load where process_name != "powershell.exe" and image_name == "System.Management.Automation.ni.dll" 2. Emails, Links, Child Browser Process? process where parent_process_name == "outlook.exe" and process_name in ("wscript.exe", "cmd.exe", "powershell.exe", ...) 3. MSHTA Network Connections, never happens? sequence by unique_pid [process where process_name == "mshta.exe"] [network where event_subtype_full == "*connection_attempt_event"] 4. Unusual Lateral Movement via SMB, shouldn’t FP? network where destination_port == 445 and pid != 4 | unique process_path