Event Query Language
Class Central Classrooms beta
YouTube videos curated by Class Central.
Classroom Contents
Fantastic Red-Team Attacks and How to Find Them
- 1 Intro
- 2 What is Atomic Red Team?
- 3 Example Atomic Technique YAML attack
- 4 Easy to Automate, Chain Tests Together
- 5 Frequently Missed MITRE ATT&CK Techniques Often leverage built-in native OS tools
- 6 Prepare For Actual Incidents
- 7 Atomic Red Team May Help Organizations Prepare
- 8 Event Query Language
- 9 Event Queries where
- 10 Sequences
  - Match multiple events in order
  - Shared properties with by syntax
  - Timeouts with maxspan 5m
  - Statefully expire sequences with until condition
- 11 Data Pipes
  - Perform data stacking while hunting
  - Process results by filtering, counting and removing duplicates
- 12 Setting the Stage
  - Windows endpoint with Sysmon installed
  - Real background noise
  - Mixed data set, with true & false positives
- 13 Investigative Process
- 14 Guiding Questions
  - Is the path unexpected?
- 15 explicate parvuli
  - What descendants were spawned from the interactive PowerShell console?
- 16 nota vocatio
- 17 DBGSRV: A Fantastic Red-Team Attack
  - Think of this tool as giving you what is functionally equivalent to:
    - Reverse TCP Connection
    - Process Hollowing
    - Whitelist Evasion
- 18 DBGSRV: Reverse TCP Connection
- 19 EQL Analytics Library
- 20 Identifying True Positives
  - Build a baseline of your environment
  - What do you find multiple times?
- 21 Pitfalls of Behavioral Detection
  - False positives from administrators and background software
  - Lack of context to improve detections
- 22 DIY Red & Blue Team
  - Install and configure Microsoft Sysmon on a Windows endpoint
- 23 Conclusion
  - Understand what data sources you have
  - Focus on commonly seen behaviors
  - Practice on small known sets, then scale up