Fantastic Red-Team Attacks and How to Find Them

Black Hat via YouTube

Overview

Explore prevalent gaps in organizational defenses uncovered through Atomic Red Team testing in this 40-minute Black Hat conference talk. Dive into adversary behaviors spanning multiple events in an event stream, often separated by nuisance events. Learn about the Atomic Red Team framework, example YAML attacks, and frequently missed MITRE ATT&CK techniques leveraging native OS tools. Discover how to prepare for actual incidents using Event Query Language, event sequences, and data pipes for effective threat hunting. Examine a Windows endpoint with Sysmon installed, featuring mixed true and false positives. Investigate the DBGSRV tool, which provides functionality equivalent to reverse TCP connections, process hollowing, and whitelist evasion. Gain insights into identifying true positives, building environmental baselines, and understanding the pitfalls of behavioral detection. Conclude with practical steps to implement DIY Red & Blue team exercises and focus on commonly seen behaviors to improve overall security posture.

Syllabus

Intro
What is Atomic Red Team?
Example Atomic Technique YAML attack
Easy to Automate, Chain Tests Together.
Frequently Missed MITRE ATT&CK Techniques
  • Often leverage built-in native OS tools
Prepare For Actual Incidents
Atomic Red Team May Help Organizations Prepare
Event Query Language
Event Queries where
Sequences
  • Match multiple events in order
  • Shared properties with by syntax
  • Timeouts with maxspan 5m
  • Statefully expire sequences with until condition
Data Pipes
  • Perform data stacking while hunting
  • Process results by filtering, counting and removing duplicates
Setting the Stage
  • Windows endpoint with Sysmon installed
  • Real background noise
  • Mixed data set, with true & false positives
Investigative Process
Guiding Questions
  • Is the path unexpected?
  • What descendants were spawned from the interactive PowerShell console?
DBGSRV: A Fantastic Red-Team Attack
  Think of this tool as giving you what is functionally equivalent to:
  • Reverse TCP Connection
  • Process Hollowing
  • Whitelist Evasion
DBGSRV: Reverse TCP Connection
EQL Analytics Library
Identifying True Positives
  • Build a baseline of your environment
  • What do you find multiple times?
Pitfalls of Behavioral Detection
  • False positives from administrators and background software
  • Lack of context to improve detections
DIY Red & Blue Team
  • Install and configure Microsoft Sysmon on a Windows endpoint
Conclusion
  • Understand what data sources you have
  • Focus on commonly seen behaviors
  • Practice on small known sets, then scale up

Taught by

Black Hat
