Learn an easy way to start testing your defenses across MITRE ATT&CK.
Watch an in-depth training on Atomic Red Team, a suite of small, highly portable detection tests mapped to MITRE ATT&CK.
Attendees will learn how to:
- Run a basic atomic test (Regsvr32)
- Test defenses against a chained attack
- Measure progress and impact
00:14 Presenter Introduction
00:56 Webinar Agenda
02:49 Lab 1 – Regsvr32
06:17 “This has become a fairly popular ATT&CK technique over the last year.” -Casey
06:22 “Regsvr32 is a default tool inside of Windows so it’s been with Windows since Windows XP all the way through to Windows 10” -Casey
08:47 “/i is simply a parameter to regsvr32 and this is where we actually pass the URL that we want to be executing into the system.” -Casey
14:51 Lab 1 – Questions & Answers
15:03 Question 1: How is regsvr32 different from rundll32?
15:58 “I would again drive you back to the MITRE framework. This framework has good distinctions about different techniques.” -Casey
17:29 Question 2: In any other security event logs, is there anything else within there that would trigger some kind of event that we could potentially correlate with Sysmon?
17:49 “I haven’t seen anything in any other logs at this point.” -Casey
18:15 Question 3: Is there a big difference when trying to detect this Sysmon versus EDR solutions?
19:02 “There are multiple ways to do it with both of these products.” -Mike
19:40 Lab 2 – Chain Reaction
19:45 “Rarely does a technique occur in isolation.” -Casey
21:18 “The next phase of this test would be the attack enumerates a bunch of different things in your environment.” -Casey
22:00 “The second chain the attacker is going to run is a long sequence of discovery commands. The next chain of attack would be line 21 where we can actually schedule attack tasks for example.” -Casey
25:29 “We have regsvr32 chained with a discovery chained with a persistence.” -Casey
25:50 Lab 2 – Questions & Answers
27:00 Question 1: Is the chaining technique effective over the long term?
27:05 “Depending on scale, probably not… we’re really trying to get people started and batch files are the most simple way to do that.” -Casey
27:32 Question 2: Is there too much data to store across the full stack?
28:03 “Especially with Sysmon, you either collect everything or you filter out a lot of things and collect specific tasks that you’re executing.” -Mike
29:40 Lab 3 – Measuring Progress and Impact
32:49 “If I’m hunting one endpoint at a time, I’m not being completely effective.” -Mike
35:15 “You can pop over to the trends tab, and this is now where you can begin to see over time how you’ve been progressing.” -Mike
37:00 Lab 3 – Questions and Answers
37:05 Question 1: Have we automated the metrics with a SIEM to automatically generate metrics?
37:19 “That’s going to depend on all of the different SIEM platforms. I don’t know the best way to do that for everyone all at once.” -Mike
38:24 Question 2: Have there been any analytics run against the MITRE framework?
38:39 “There probably has, but I’m not sure. That is something I will have to follow up with.” -Casey
38:53 Question 3: What are things coming down the pipe on this project?
39:00 “One of the things we have looked at is expanding our ATT&CK chains. Maybe we want to provide some ATT&CK chains that model after a particular actor.” -Casey
39:50 “We would also like to look to the community and provide feedback on things they would like to see or where we could add additional techniques.” -Casey
41:29 Question 4: Any other recommendations other than Carbon Black?
41:40 “This framework is designed to test multiple different products.” -Casey
42:04 Question 5: In terms of testing solutions, how does the heat map allow you to differentiate between the threat blocked, threat detected, and threat information available and gathered for hunting?
42:30 “You will need to build out the other sections of the spreadsheet or just use it as a way to validate.” -Mike
42:53 Question 6: Are we looking at the possibility of some techniques to show the value of disrupting chains so that the deception techniques and disruption logs detection capabilities?
43:05 “As an adversary, if you land in your environment and know your telemetry is being studied, there is certainly value in disrupting and degrading the performance of that telemetry.” -Casey
43:35 Question 7: With certain APTs focusing on certain verticals, are there cases based upon those verticals?
43:47 “We hope you would be able to build these chain reactions that are specific to your industry.” -Casey