GF - ATT&CKing Your Adversaries -- Operationalizing cyber intelligence in your own environment for b

good afternoon and welcome to besides Las Vegas this is attacking your adversaries operationalizing cyber intelligence in your own environment for a better for better sleep and a safer tomorrow we'd like to thank our sponsors especially the inner circle sponsors critical stack and Valley Mail and our stellar sponsors Amazon blackberry and silence if you could please put all of your phones on silent please and at the end there'll be ten minutes of questions please make an orderly queue by the microphone thank you long title thank you reading that we're from mitre I'm here to talk about operationalizing attack specifically taking threat intelligence and applying it to improve your defenses specifically through emulating adversaries and writing detection analytics based on

emulation before we go forward we're gonna do some quick introductions hopefully to establish some credibility who I should trust us my name is Jamie I work um an engineer mitre I mostly work on adversary emulations or the right team side but I do do some detection work mostly detecting myself so a little bit purple team flavor if you're familiar with that concept this is actually my second besides first time in Vegas so this is pretty awesome previously I presented that besides DC and I'm sorry odor also engineer at mitre I tend to focus a little bit more on the cyber threat intelligence side especially within attack and do a little bit of red teaming in as well this is

also my first time not only at besides Las Vegas but really any 'besides so we're really happy to be here and talk with you guys today we both work on the core attack team as well as attack evaluations so the answer to your question is yes we do have a TAC stickers so by all means come up back to the talk and we can give you some of those if you want or talk about anything attacked so if you were here last year a couple of our colleagues Caitie nickles and john wonder presented attacking the status quo this is a really excellent talk but the main focus was cyber intelligence basically the idea of how

do you process find and digest intelligence and create an elixir on that the slides are there on that link it's like it's Katie's SlideShare I definitely check that out but if you're if I need to sell you more on that it's littered with like really awesome memes here's one of them you think that's funny the rest of the deck will be equally amazing so going forward our agenda today we're actually gonna build it on top of that so it's kind of the foundation where we're starting so Sarah's gonna give you a really good overview of intelligence not only what it is but we're to find it and how to use it the use specifically is

carving out behaviors from that intelligence so you know what this is kind of a more tangible unit of measurement when we talk about intelligence from there we're gonna talk about writing detections analytics based on those behaviors as well as emulating those behaviors and talking about the interaction between the analytics you derive as well as the emulation and how those kind of play back and forth great so we'll begin with how to find behaviors from intelligence but before we dive into that I feel like we need to define what cyber threat intelligence is so I like this definition it's sweet short gets to the point but basically it's the process of analyzing information in a way that can help

network defenders and decision makers so when we're talking about analyzing information where does that come from what kind of information are we talking about so as a cyber threat analyst a lot of people would spend their days looking at all these different resources as well as many more and going back to that definition a second ago if I was really good with PowerPoint I would have funneled these all together and basically the output of making all the connections from these different sources into that actionable item is cyber threat intelligence so all of this information can be really overwhelming hard to keep track of but fear not attack can help handy-dandy matrix man I will help us map these behaviors to

attack so what is attack in case you're not aware it's a knowledge base of adversary behavior so it's a really good place to start if you've never heard of apt 1 2 3 or a certain malware it's a great place to start and start building your defenses based on that information it's based on real-world observations so nothing in there is classified everything is open-source and publicly available references are at the bottom of each page that way you can go to that report yourself and see that information for yourself it's free open and globally accessible check it out at attack mite org and last but definitely not least it is community driven we rely heavily on

the community to help make it better whether that's adding a new group that you're researching or you know if we don't have something quite right we want to hear about that to make it better for everybody so how attack is structured is in this matrix format along the top row in blue the column headers are our tactics and you can think of this as the adversaries goal so I know they're a little hard to see but the you know adversaries goal is to gain initial access their goal later on is probably gonna be to laterally move escalate their privileges and so on within each column in the white cells that we have those are the techniques

which is how that goal is actually achieved so for example maybe an adversary their goal was to laterally move and they did that via passed the hash we can then dive a little bit deeper at the procedure level which is how that technique was actually implemented in this example here access token manipulation falls under privilege escalation and defense evasion but by getting to that procedure level of what the adversary was actually doing in that time helps differentiate which tactic that falls under all right so from here we're gonna move into the what is up behavior so this is where we're moving away from our traditional hash value signatures IPS domain names etc and moving more into this format of

answering these questions of why how what so I kind of like to think of it this a little bit as if you were to write indicators on me maybe you would say I have blondish hair wearing a black t-shirt I've 3ish so those are maybe my indicators but my behavior is that I go to Starbucks every morning at 8:00 a.m. and order a coffee and put cream in that coffee so if you were writing your detection to find me in a crowd based on me wearing a black t-shirt well tomorrow if I wear a red shirt that detection is not very good anymore however if we're focusing more on that behavior of looking for something that's

getting coffee very particular amount of cream we're gonna have a you're gonna have better look so how do we find these behaviors my role on the attack team is reading finished reports like the one that you see up here and finding behaviors that will then map to attack so things I look for is generally and finished reporting like this the author's tend to say kind of like that first bullet the Trojan in this case it was a syn ACK ransomware so the Trojan office gates okay we have it told me what it was as telling me something that it's doing so that's what we're gonna build our behavior off of so I'm gonna read through this whole chunk

of text and look for anytime I see that the Trojan the malware anything like that is doing something that's generally a good indicator so from here we're gonna map that to attack I like to start with the tactic because there's currently 12 of them and so it narrows the scope of you know what this is gonna find her and everything goes back to what that adversaries goal was so I'll pick on that first one so it's off you skating code okay that's probably because it doesn't want to be found that's probably gonna fall under defense evasion I'm gonna take that methodology throughout the whole bit of text so in this one we have a lot of defense

evasion as well as a little discovery but so once we have the tactics we can move on to techniques now since I have already done the tactics again this narrows the field I can look within that particular column so in this first example defense evasion narrows down what I'm looking for cuz I realized the matrix can be a little overwhelming another thing I do at this step is I look for keywords in the text and try to just use the attack search bar to try to narrow down what I'm looking for like if you type in if you skate then you're gonna start to see that like that there's a technique called office gated files I do confirm

that by reading what that technique is but we do this through the whole bit of text that information all gets put into probably what most of you know as attack in this example we're using Cenac to do that so now that we have like a profile of something in this case Maur that we want to detect we can start looking at how we build at least at a notional level detection is based on that so we're transitioning from an index of all the behaviors that malware to writing actual detections for that so getting back actually before we continue it's probably good at least in detection to kind of add another layer of context and describing and kind of looking at a

behavior so one way I kind of look at it which is really helpful for detections is to carve out behaviors into stages so like most things in life there's a before there's a during at an actor so one way to look at our behavior is to look at prerequisites so things that are need to happen before the behavior or technique is executed the mechanics what happens when the actual behavior is excuted and then obviously artifacts at the end that residual or forensic things that are kind of left behind from the execution of the behavior so mapping that just notionally to system on event IVs some prerequisites we see things like you know drivers being loaded the

yellows been loaded things like that mechanics would see like kind of process level activity like Creek no thread Reed's etc and then residual artifacts will be things like file creation file rights or things in the registry network connections if we're talking about like a beacon or something so kind of I'll circle back to this later and map all of our stuff for actual use case but this is definitely a useful and probably interesting way to kind of look at a detection or in the context of a behavior so getting back to what's there the mapping Sara went through we can start kind of start looking at the behaviors we're dealing with and go down one by one and figure out how are we

actually going to defend it into this so it's kind of small but does anyone in the front couple rows see anything particularly interesting that they want to see in this example like if you had to start with one what would you just notionally pick I call on you guys in the front

interesting choice unfortunately I did not pick that one fun trivia effect this is actually my favorite thing in attack process doppelganger it was a great guess like but Frost doppelganger is so interesting to me and I hope to prove that to you I'm not gonna like sell you too hard on this but it's pretty interesting um so we'll walk through writing a detection for that as well as how to emulate that and let's get going so before we start anything let's understand what is that so this actual idea was presented at blackhat you're up two years ago really awesome research is you should go check out the slides in this video it's kind of small on the

bottom but will you can check that out basically the idea it's an alternative for process injection the idea is to load and execute malicious code in a separate process but really makes it interesting as it avoids the typical artifacts with process injection so there's no create remote thread and there's also no file rights disk so like things like AV scanners might miss something like this in terms of the actual mechanics of the technique well it's actually it's two-part it's actually really interesting there's two main parts the first part is is it relies on something called transactional NTFS basically the idea is this is a deprecated idea from Microsoft but it's still enabled funny enough but what

makes it really cool or way this works is kind of like database file locks basically so say Sara and I are two processes we don't want to have like fork a file or override each other so I've been able to process the ability to lock a file right to it and then unlock it so that no one else touches it that's deprecated but it still works so in the second half of this is these guys reverse-engineer the curry process API code path and they found an undocumented I that rather than calling something on disk like executing a binary on disk you can actually execute a memory section so you can kind of see hopefully see how

those two things align and could be like actually pretty interesting and if that's not super clear I spend about an hour making an animation here so hopefully this will help like make that super obvious so there's four main steps to doppelganger it all starts with a legitimate file on disk step one is to create a transaction so you create this lock to the file and you override it with your militia concept content the second is to load it so you load that file into memory so now you have this malicious content and memory under the name of its previous whatever it happened to be on disk third is rollback the transaction so like I said before you have that file

lock if you there's actually a part of NTFS transactions is the ability to like undo a change so you can undo that change which in court in terms of looking it on disk the file is back to being legitimate so AV is going to miss that but now you have this residual thing floating in memory which is actually a malicious as you can see before on that API talk final steps to animate it so you kind of separate the file on disk from the file in memory and you execute that memory section so now you have something malicious running in memory which actually doesn't point to anything on disk super interesting so going forward this is actually so what

Sara talked about for there's like tactics and techniques and procedures and attack I within each technique there's also metadata so we can check out things like you know data sources notional ways to detect or mitigate all these techniques so some jerk off cough wrote all this curated this in the Internet this is actually content from attack on how to detect doppelganger it's split into three main parts I try to make it like a little easier to read by highlighting the crucial parts but the top section is API monitoring so looking at transactional NTFS is done through API calls and they're very unique so if your API minor and you would actually see all these happening

as well as these undocumented API calls those are read pretty good indicators that this technique is going down so in terms of a data source before we move and detection this you should just think about API monitoring in terms of what you can be looking for the next thing is file monitoring so what's really interesting when a process is started there's this routine that happens if you have the ability to do this it's actually maybe a little complex but a good way to detect this would be any time a process is started check out the file that's being executed and see if it has write enabled typically you don't see when someone creates like a handle

to a file they don't enable write and execute because why would you do that those of executing something that has previously been written to is maybe a little weird in terms of moving on oh as well as this is maybe a little more complex but comparing things in memory to things on disk it takes a lot of resources but that also made me an opportunity to detect this kind of behavior so we kind of just bucket that under the data source the file monitoring and then finally this is true for most process injection process monitoring so taking a look at a process and kind of understanding is this something that that process is typically has should be

doing or typically does so an example would be like explorer.exe if that's like you know doing a lot of file i/o and making a lot of network connections and doing like LDAP queries you're probably having to have a bad day that's not shouldn't be happening and that's probably a really good indicator of some type of injection as we can bucket that under process monitoring so this kind of going forward into an actual like emulation this is kind of like we get this mindset of where we need to be looking for artifacts of the actual behavior as well as like other opportunities that don't fit into this existing model so this is actually my favorite part emulating it so you know

we've talked about it we've understand it but let's actually do something so funny enough I actually started for this presentation I started writing custom code I think I got like half an hour in before I like obviously had to run google and search something and there was I forgot the exact string I searched but there was one hit and it happened to be an already done proof of concept for this so shout out to Rubin for already doing a doppelgänger the PowerShell which is exactly what I was trying to do the source is there it's under his a PowerShell suite project the actual payload is start at Dolan the dial-in I think it's a doted term I'm not really

sure what that means but it's super cool and in terms of attack nerd so every time I see something I'm apt to attack immediately so it's windows API calls as well as PowerShell so I decided not to trust the demo gods so I pre-recorded demonstration of this before I started I'll talk about the command-line arguments so at this point I've already started a PowerShell session I've loaded the module into memory so I'm gonna run that command obviously calling the function the first argument to target is the target file that I'm going to overwrite so I'm going to overwrite kappa exe the second flag for me me cat says that actually has the embedded within the power show it has

the me me cats binary so I'm going to double gang calc with me me cats then it's demonstration so obviously enable veracity so you can see all the output it's kind of what's happening here that's me putzing on the command line and run it you see all the output true so that looks good there's some really great output here you can see like memory addresses and stuff so in case you want to go and frenzy look at this popped up screen there's our mimi caps the icon is calc so we fold the windows true tray things so awesome just to confirm that it worked the way I thought cross Explorer look at the process tree

to make sure it makes sense as we scroll down I find my Explorer for my user obsession there's a seem be the power show and then coming off that power show we see this idle process which is identified as his calculator so it looks like the emulation worked so we do have mini cats running in memory as calc is super neat so now that we understand we've confirmed it worked let's see what actually happened on disk in terms of detection so I use detection lab for this as well as some tools I had labeled everything she should be able to replicate this if you want so the first thing I started with system on this is actually spunk I pumped it to a

system on index I looked around for a little bit didn't actually see anything that was like really interesting besides this one process great so you can see that PowerShell process find calc see so it's not necessarily incriminating but I maybe I was digging through the fields and trying to find something that was interesting the only thing I found that was someone interesting was the hash I was wondering if that was like an illegitimate hash so I took it to fires total nope it's not it wasn't identified as anything malicious it actually preserved the hash and the signature of legit calc so that's actually I mean it's not useless but it's like not indicative of something malicious but it's something

that we can definitely put in our back pocket and look at later is like part of a bigger detection strategy so this is sis upon moving on to the next thing counter step is really excellent blog on detecting malicious net usage so the link is there they actually put out a POC for detecting API calls through net it's actually built on top of the fire I PI win trace project so those two links are on the right there so I did was I was able to take that POC from counter cept and kind of a massage it a little bit for this use case so that's a that's the output it's tiny it's actually a lot

but when highlight is if you dig through it you're able to actually see the the eye calls that are associated with doppelganger and all that process create I intentionally left it small because it is really hard to look at and it's actually this methodology is really hard to scale so kind of keep that in mind this is actually really indicative of emotion behavior but deploying this over 50,000 hosts or even two would be really hard to do but it's something that we can definitely keep in our back pocket and consider later third pokémon pretty straightforward sysinternals so I took that into the range set it up launched it I was able to find the powerful

process and went through the trace from that interesting point here is you able to see the file event so you're seeing a powershell you know right to cow and then you see that that second line is like create a lock so i'm assuming that's the transactional NTFS so it locks the file it does some reads and writes it creates a file mapping which i think is it loading into memory and then it the last the third and fourth and bottom is it like unlocking the file so as you see it look kind of like rolls back that transaction on releases the file and then the last two is it creating a thread and a process based on

calc so this in itself isn't inherently malicious but like I said it's kind of a higher level view that utw is a little more accessible data and paired with some other things you can kind of start paying this full picture final thing did I actually expect this but I did see it in the tweet one time I don't have you tweeted it because they deleted view the tweet to their entire account but if you're watching this wherever you are thank you so there is a security event in the windows event rich cache or whatever for transaction changes it's a 4985 event it's actually not super descriptive the title is the state of a transaction has changed which is kind of

not useless but not super explicit I guess but interesting facts here was there's two of them so I'm assuming the transaction start and end and in my case I didn't put a there's no sleep in the emulation so happened within a second each other which is kind of neat I guess and within the metadata of the event there's really nothing interesting there I couldn't figure out what a lot of those fields meant like the new state isn't documented anywhere it's just kind of a value but what's useful here is you're able to see the process information so you're able to see that power show actually spawned this event which I went back through the other

events system that were the same event ID and the only er things doing this was trusted install our svchost.exe on this would be is something outside of like a whitelist is doing a transaction because these transactions are deprecated things that typically you know Microsoft isn't probably probably isn't doing on their in anymore and probably isn't super common on a system so rolling all of that all that like I said before going back to those three stages for prerequisites we kind of look at those that all that output from prom on so all those file events the rights those would be the prerequisites for the doppelganger or the starting of the process in terms the actual mechanics

there's two parts here you can see the system on events so the powershell spawning the cow as well as the data provided from BTW the event tracer from windows so all those api calls and then finally the residual things that are left behind you're going to look at those windows event ids the 4985 i'm kind of set like I said before mapping it to the structure it really gives you a good perspective on what you're dealing with and you can kind of start putting together like a notional approach to defend actually defending this so in this case there's probably a million ways to do this the my approach that I could just kind of thought of was

looking at starting with a Windows Event log so saying anytime you see this event ID with something that is like a user lying process like CMD or PowerShell or it's not like trust installer or SVC host fire an alert on that and then start working backwards so you see you get that alert and you say hey you know through this process create a transaction that's weird immediately go to system on and see the parent-child relationship so see what spawned off from that and then from there you know maybe a etw is kind of hard to scale but enable it just on those two processes and say hey you know what are these two guys doing or three

or whatever how many that lineage looks like enable everything there so you get really good introspection and if you want to confirm that like this is actually adopt looking take a look at the file events and say hey is anyone in this process tree actually been doing writes and you can actually like I said those transaction data is actually in proc Mon she able to kind of correlate and paint that full picture so this is actually a really big point on why you actually emulate and behaviors instead of just write protections because you're able to see like the trade-offs as well as like the additional artifacts that you didn't necessarily consider when you're just understanding the technique

a big point also is once you've done all this and you have like a rip something really solid don't keep you between your ears share write it down there's some really great places to do this minor we actually have our own internal it's called the cyber analytic repository it's on github basically it's an index of a bunch of analytics for how to detect behaviors and attack we're always looking for contributions so if you if it's this technique or something else submit it there as well as there's some really other great products if you've heard of like Sigma or in-game zqw or eql and there's other like OS query there's great places to kind of document this

and not just get it written down but share with the community get feedback and kind of build the industry and practice and tied entirely great so just to expand a little bit on everything Jamie just touched on we also wanted to point out another resource if you're interested in emulating techniques or whole operations yourself would be called Dara I don't know if anybody in this room was able to attend their training yesterday but they went very in-depth with how to do this I'm gonna do it in a minute but basically for this the start you know you don't want a payload I use the same one but in this tool you just add the payload to the

payloads folder pretty straightforward we then create a new ability that references that payload and in this example I added a new adversary to then reference that ability so as you can see there we go that I ran it the file snaps the same because it was just detecting or like it just was telling me that it ran it I could then go through all the steps that Jamie went through to actually detect all the artifacts of that that script but what is particularly interesting to me with caldera is that you can actually emulate an entire operation so I took this from their default noisy neighbor operation but you can apply it to in this example maybe

the syn/ack tower at large or you know any apt group or really whatever you want so as you can see in this operation it goes through lateral movement discovery execution all of that you can customize to what you're hoping to emulate so with that okay so yeah we kind of blew that through that really quickly so I have a lot of time for like questions and comments and discussions of you guys want but to kind of summarize what we talked about today three main points first one is understanding your adversaries not just where to get information about these adversaries but what they're doing so not a lot of times you see a lot of focus on indicators

which is useful and has its pre-act practice but in terms of like really we had we preach in kind of like very often push this idea of threat inform defense like sarah mentioned earlier understand your adversaries and apply that to everything you do defensively so whether you're buying something installing something said to your configuration be use the justification for that action to point to a specific thing adversaries do that makes that you know whatever that move makes sense and like Sarah said before when you're looking at this intelligence don't just look at indicators look at the what hows and whys and the tak really helps build that framework and structure for documenting and understanding all these different

portions secondly emulate behaviors so like it showed understanding behavior is one thing and like really understanding like how it works and what how it could be done but emulating will uncover more information like things that you didn't expect or like typically there's more than one noise can attack scat ass to skin a cat there's also many ways to execute a technique so like Sarah said before there's very different procedures for any given behavior or technique so you really want to get a pretty good wider scope of the different breadth of many different ways you can execute something and finally apply emulations to your environment you know whatever you have in your environment needed to near defenses specifically to what you

have so you may have more or less than things that we document online or other people are talking about so you definitely want to understand and make best use of whatever resources you have available for you so we're going to leave this slide up this is our contact information so attack is on that first URL we have a blog medium site where we do some interesting articles about various other use cases of attack as well as there's our email and our Twitter if you want to obviously send us something or contribute something to attack like this sarah said before i think the running number is 70% of the content in the last year was from

contributions of the community so we definitely appreciate all the adoption from the community as well as everything you guys do to help improve and maintain attack so yeah like I said we got through that really quick we had probably a little too much coffee this morning but if we have any questions we can flip back through slides talk about attack in general and we have stickers so if anyone's interested definitely come up and we can give you a couple stickers and business cards or whatnot otherwise thank you for your time and awesome