

Fantastic Red-Team Attacks and How to Find Them

Black Hat via YouTube

Overview

This course covers prevalent gaps in organizational defenses and how to identify them using Atomic Red Team. Students will learn about Atomic Red Team, frequently missed MITRE ATT&CK techniques (many of which leverage built-in native OS tools), the Event Query Language (EQL) with its sequence and data-pipe features, an investigative process for separating true from false positives, and the Microsoft DBGSRV debugging tool (dbgsrv.exe) used as a worked example of a fantastic red-team attack. The course aims to teach skills in automating tests, analyzing event sequences, and preparing for actual incidents. The intended audience includes cybersecurity professionals interested in red teaming, threat hunting, and improving incident response capabilities.

Syllabus

Intro
What is Atomic Red Team?
Example Atomic Technique YAML attack
Easy to Automate, Chain Tests Together.
Frequently Missed MITRE ATT&CK Techniques
• Often leverage built-in native OS tools
Prepare For Actual Incidents
Atomic Red Team May Help Organizations Prepare
Event Query Language
Event Queries where
Sequences
• Match multiple events in order
• Join on shared properties with the by syntax
• Timeouts with maxspan 5m
• Statefully expire sequences with an until condition
Data Pipes
• Perform data stacking while hunting
• Process results by filtering, counting and removing duplicates
Setting the Stage
• Windows endpoint with Sysmon installed
• Real background noise
• Mixed data set, with true & false positives
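As an added example (not the speakers' code and not the EQL library itself), the following Python models the sequence semantics described above: two stages matched in order, joined by pid, with a 5-minute maxspan and an until condition on process exit, followed by unique and count data pipes for stacking. The events are constructed Sysmon-like records (Event ID 1 process create, 3 network connect, 5 process terminate); the field names and the one-pending-sequence-per-key simplification are assumptions of this example.

```python
"""Simplified model of an EQL sequence (by / maxspan / until) and two data pipes.

Added example, not the talk's code and not the EQL library; it mimics the
semantics the slides describe on a constructed set of Sysmon-like events.
"""
from collections import Counter
from datetime import datetime, timedelta

T0 = datetime(2019, 8, 7, 10, 0, 0)  # arbitrary start time for the constructed data


def _ev(minutes, **fields):
    """Build one constructed event `minutes` after T0."""
    fields["ts"] = T0 + timedelta(minutes=minutes)
    return fields


# Constructed data set: one true positive plus cases the sequence must reject.
EVENTS = [
    _ev(0, type="process", pid=100, image="powershell.exe",
        cmd="powershell -nop -w hidden -enc SQBFAFgA"),        # suspicious launch...
    _ev(1, type="network", pid=100, image="powershell.exe",
        dst="203.0.113.5", dport=4444),                          # ...then a C2-like connection
    _ev(2, type="process", pid=200, image="powershell.exe",
        cmd="powershell Get-Process"),                           # admin one-liner
    _ev(3, type="terminate", pid=200, image="powershell.exe"),   # exits before any connection
    _ev(4, type="network", pid=200, image="svchost.exe",
        dst="198.51.100.7", dport=8080),                         # pid reused by another process
    _ev(5, type="process", pid=300, image="powershell.exe",
        cmd="powershell -File backup.ps1"),                      # scheduled script
    _ev(6, type="process", pid=400, image="cmd.exe", cmd="cmd /c dir"),
    _ev(7, type="network", pid=400, image="cmd.exe",
        dst="198.51.100.8", dport=4444),                         # first stage never matched
    _ev(11, type="network", pid=300, image="powershell.exe",
        dst="203.0.113.9", dport=4444),                          # 6 min later: outside maxspan
]


def sequence(events, stages, by, maxspan=None, until=None):
    """Return lists of events matching `stages` in order, joined on field `by`.

    Simplification: one pending sequence per join key (real EQL can track
    several). Unrelated events are ignored rather than breaking the sequence.
    """
    pending = {}   # join key -> (next stage index, events matched so far, start time)
    matches = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev.get(by)
        if key is None:
            continue
        if until is not None and until(ev):       # statefully expire this key
            pending.pop(key, None)
            continue
        state = pending.get(key)
        if state is not None and maxspan is not None and ev["ts"] - state[2] > maxspan:
            pending.pop(key)                         # window closed: forget it
            state = None
        if state is None:
            if stages[0](ev):
                if len(stages) == 1:
                    matches.append([ev])
                else:
                    pending[key] = (1, [ev], ev["ts"])
            continue
        idx, seen, start = state
        if stages[idx](ev):
            seen = seen + [ev]
            if idx + 1 == len(stages):
                matches.append(seen)
                pending.pop(key)
            else:
                pending[key] = (idx + 1, seen, start)
    return matches


def pipe_unique(rows, field):
    """`| unique field`: keep the first row for each distinct value."""
    seen, out = set(), []
    for r in rows:
        if r[field] not in seen:
            seen.add(r[field])
            out.append(r)
    return out


def pipe_count(rows, field):
    """`| count field`: data stacking, how often each value occurs."""
    return Counter(r[field] for r in rows)


def hunt():
    """PowerShell launch followed within 5 minutes by a non-web outbound connection."""
    stages = [
        lambda e: e["type"] == "process" and e["image"] == "powershell.exe",
        lambda e: e["type"] == "network" and e["dport"] not in (80, 443),
    ]
    return sequence(EVENTS, stages, by="pid",
                    maxspan=timedelta(minutes=5),
                    until=lambda e: e["type"] == "terminate")


if __name__ == "__main__":
    for seq in hunt():
        print("match:", [(e["ts"].time().isoformat(), e["type"], e["pid"]) for e in seq])
    network = [e for e in EVENTS if e["type"] == "network"]
    print("stacked ports:", dict(pipe_count(network, "dport")))
    print("unique destinations:", [e["dst"] for e in pipe_unique(network, "dst")])
```

Only pid 100 survives: pid 200 is expired by the until condition before its pid is reused, pid 300 connects outside the maxspan, and cmd.exe never satisfies the first stage. Stacking destination ports over the raw network events (4444 three times, 8080 once) is the kind of count that tells a hunter where to look next.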
Investigative Process
Guiding Questions
• Is the path unexpected?
• What descendants were spawned from the interactive PowerShell console?
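As an added example (not the speakers' code), the following Python answers the two guiding questions over constructed Sysmon Event ID 1 (process create) records: it walks the process tree to list every descendant of an interactive PowerShell console and flags any that run from an unexpected path. The records, the definition of "interactive" (powershell.exe started by explorer.exe) and the list of expected directories are assumptions chosen for this example.

```python
"""Descendants of an interactive PowerShell console, plus an unexpected-path check.

Added example, not the talk's code. Records and heuristics are constructed.
"""
from collections import defaultdict

# Constructed process-create records (Sysmon Event ID 1 fields, trimmed).
PROCESSES = [
    {"pid": 1000, "ppid": 800,  "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 1200, "ppid": 1000, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell.exe"},                                    # user-launched console
    {"pid": 1300, "ppid": 1200, "image": "C:\\Windows\\System32\\whoami.exe", "cmd": "whoami /all"},
    {"pid": 1400, "ppid": 1200, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "cmd /c start update.exe"},
    {"pid": 1500, "ppid": 1400, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "cmd": "update.exe"},                                        # grandchild from a temp dir
    {"pid": 2000, "ppid": 4,    "image": "C:\\Windows\\System32\\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"pid": 2100, "ppid": 2000, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell -File C:\\Scripts\\inventory.ps1"},       # non-interactive background noise
    {"pid": 2200, "ppid": 2100, "image": "C:\\Windows\\System32\\whoami.exe", "cmd": "whoami"},
]

# Assumption for the example: executables are expected under these directories.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")


def name(image):
    """File name of an image path, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


def interactive_consoles(records):
    """Assumption: a console is interactive when powershell.exe is spawned by explorer.exe."""
    index = {r["pid"]: r for r in records}
    return [r for r in records
            if name(r["image"]) == "powershell.exe"
            and r["ppid"] in index
            and name(index[r["ppid"]]["image"]) == "explorer.exe"]


def descendants(records, root_pid):
    """Every process below root_pid in the parent/child tree (children, grandchildren, ...)."""
    children = defaultdict(list)
    for r in records:
        children[r["ppid"]].append(r)
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        for child in children[pid]:
            out.append(child)
            stack.append(child["pid"])
    return out


def unexpected_path(image):
    """Guiding question 1: does the image live outside the expected directories?"""
    return not image.lower().startswith(EXPECTED_DIRS)


def triage(records):
    """Guiding question 2: what did each interactive console spawn, and from where?"""
    findings = []
    for console in interactive_consoles(records):
        for d in descendants(records, console["pid"]):
            findings.append({"console": console["pid"], "pid": d["pid"],
                             "name": name(d["image"]), "cmd": d["cmd"],
                             "unexpected_path": unexpected_path(d["image"])})
    return findings


if __name__ == "__main__":
    for f in triage(PROCESSES):
        flag = "UNEXPECTED PATH" if f["unexpected_path"] else "expected path"
        print(f"console {f['console']} -> pid {f['pid']} {f['name']}: {f['cmd']!r} ({flag})")
```

The svchost-spawned PowerShell (pid 2100) and its whoami child are left out because they are not interactive; of the three descendants of the real console, only update.exe in a user's Temp directory is flagged, which is the answer a hunter wants before reading every command line.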
DBGSRV: A Fantastic Red-Team Attack
Think of this tool as giving you what is functionally equivalent to
• Reverse TCP Connection
• Process Hollowing
• Whitelist Evasion
DBGSRV: Reverse TCP Connection
EQL Analytics Library
Identifying True Positives
• Build a baseline of your environment
• What do you find multiple times?
Pitfalls of Behavioral Detection
• False positives from administrators and background software
• Lack of context to improve detections
DIY Red & Blue team - Install and configure Microsoft Sysmon on a Windows endpoint
Conclusion
• Understand what data sources you have
• Focus on commonly seen behaviors
• Practice on small known sets, then scale up

Taught by

Black Hat

