Fantastic Red-Team Attacks and How to Find Them

Black Hat talk (video via YouTube)


Classroom Contents


  1. Intro
  2. What is Atomic Red Team?
  3. Example Atomic technique (YAML attack definition)
  4. Easy to automate; chain tests together
  5. Frequently missed MITRE ATT&CK techniques often leverage built-in native OS tools
  6. Prepare for actual incidents
  7. Atomic Red Team may help organizations prepare
  8. Event Query Language (EQL)
  9. Event queries: filter a single event type with a where clause
  10. Sequences: match multiple events in order
      - Shared properties with the by syntax
      - Timeouts with maxspan (for example, maxspan=5m)
      - Statefully expire sequences with an until condition
  11. Data pipes: perform data stacking while hunting
      - Process results by filtering, counting and removing duplicates
  12. Setting the stage: Windows endpoint with Sysmon installed, real background noise
      - Mixed data set, with true and false positives
  13. Investigative process
  14. Guiding questions
      - Is the path unexpected?
  15. explicate parvuli: what descendants were spawned from the interactive PowerShell console?
  16. nota vocatio
  17. DBGSRV: a fantastic red-team attack. Think of this tool as giving you what is functionally equivalent to:
      - Reverse TCP connection
      - Process hollowing
      - Whitelist evasion
  18. DBGSRV: reverse TCP connection
  19. EQL Analytics Library
  20. Identifying true positives
      - Build a baseline of your environment
      - What do you find multiple times?
  21. Pitfalls of behavioral detection
      - False positives from administrators and background software
      - Lack of context to improve detections
  22. DIY red and blue team: install and configure Microsoft Sysmon on a Windows endpoint
  23. Conclusion
      - Understand what data sources you have
      - Focus on commonly seen behaviors
      - Practice on small known sets, then scale up
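Chapters 10, 11, 15 and 18 describe EQL features (sequences joined with by, a maxspan timeout, an until expiry, data-stacking pipes) and the detection the talk builds around them: dbgsrv.exe spawned from an interactive PowerShell console and then making an outbound connection. The block below is an added example, not code from the talk, the EQL project or Atomic Red Team. It implements a minimal sequence matcher with those semantics in plain Python and runs it over a handful of constructed Sysmon-style events. Field names (unique_pid, unique_ppid, process_name, destination_port), the timestamps, and the EQL query quoted in the docstring are assumptions made for illustration; the matcher also simplifies real EQL by tracking only one in-flight candidate per join key.

```python
from collections import Counter

# Constructed Sysmon-style events, not a real capture, already sorted by time.
# Field names mirror the endpoint schema EQL used (an assumption here);
# timestamps are seconds for readability.
EVENTS = [
    {"event_type": "process", "subtype": "create", "unique_pid": 100, "unique_ppid": 1,
     "process_name": "powershell.exe", "timestamp": 0},
    {"event_type": "process", "subtype": "create", "unique_pid": 101, "unique_ppid": 100,
     "process_name": "dbgsrv.exe", "timestamp": 10},
    {"event_type": "process", "subtype": "create", "unique_pid": 104, "unique_ppid": 100,
     "process_name": "whoami.exe", "timestamp": 20},
    {"event_type": "network", "unique_pid": 101, "destination_address": "203.0.113.5",
     "destination_port": 4444, "timestamp": 40},                       # true positive
    {"event_type": "process", "subtype": "create", "unique_pid": 102, "unique_ppid": 100,
     "process_name": "dbgsrv.exe", "timestamp": 50},
    {"event_type": "process", "subtype": "terminate", "unique_pid": 102, "timestamp": 60},
    {"event_type": "network", "unique_pid": 102, "destination_address": "203.0.113.5",
     "destination_port": 4444, "timestamp": 70},                       # after until: dropped
    {"event_type": "process", "subtype": "create", "unique_pid": 103, "unique_ppid": 100,
     "process_name": "dbgsrv.exe", "timestamp": 100},
    {"event_type": "network", "unique_pid": 103, "destination_address": "203.0.113.5",
     "destination_port": 4444, "timestamp": 500},                      # past maxspan: dropped
]


def sequence(events, stages, by, maxspan, until=None):
    """Match the `stages` predicates in order, joined on the `by` field, within
    `maxspan` seconds; a partial match is discarded when `until` fires.
    Simplification versus real EQL: one in-flight candidate per join key."""
    pending = {}   # join key -> (next stage index, start time, events matched so far)
    matches = []
    for ev in events:
        key = ev.get(by)
        if key is None:
            continue
        if until is not None and until(ev):
            pending.pop(key, None)          # statefully expire the sequence
            continue
        if key in pending:
            idx, start, matched = pending[key]
            if ev["timestamp"] - start > maxspan:
                del pending[key]            # maxspan timeout; may restart below
            elif stages[idx](ev):
                matched = matched + [ev]
                if idx + 1 == len(stages):
                    matches.append(matched)
                    del pending[key]
                else:
                    pending[key] = (idx + 1, start, matched)
                continue
        if key not in pending and stages[0](ev):
            if len(stages) == 1:
                matches.append([ev])
            else:
                pending[key] = (1, ev["timestamp"], [ev])
    return matches


def find_dbgsrv_reverse_tcp(events, maxspan=300):
    """Python rendering of an EQL sequence of the following shape (syntax and
    field names are an assumption, not copied from the talk):
        sequence by unique_pid with maxspan=5m
          [process where subtype.create and process_name == "dbgsrv.exe"]
          [network where true]
        until [process where subtype.terminate]
    """
    def dbgsrv_start(e):
        return (e["event_type"] == "process" and e.get("subtype") == "create"
                and e.get("process_name", "").lower() == "dbgsrv.exe")

    def any_network(e):
        return e["event_type"] == "network"

    def terminated(e):
        return e["event_type"] == "process" and e.get("subtype") == "terminate"

    return sequence(events, [dbgsrv_start, any_network], by="unique_pid",
                    maxspan=maxspan, until=terminated)


def descendants(events, root_pid):
    """explicate parvuli: every process spawned, transitively, under root_pid."""
    children = {}
    for ev in events:
        if ev["event_type"] == "process" and ev.get("subtype") == "create" and "unique_ppid" in ev:
            children.setdefault(ev["unique_ppid"], []).append(ev["unique_pid"])
    found, stack = set(), [root_pid]
    while stack:
        for child in children.get(stack.pop(), []):
            if child not in found:
                found.add(child)
                stack.append(child)
    return found


def stack_field(events, field):
    """Data pipe `| count <field>`: stack values so the rare ones stand out."""
    return Counter(ev[field] for ev in events if field in ev)
```

With the default five-minute maxspan only pid 101 matches: pid 102 is expired by the terminate event before its connection, and pid 103 connects 400 seconds after it started. Loosening maxspan to 1000 seconds brings 103 back but still not 102, which is the difference between a timeout and an until condition. Stacking process_name over the same events shows dbgsrv.exe three times against one each for the others, the kind of repeated behaviour the talk suggests baselining before calling it a true positive.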
