01:43 Presenter Introduction
02:25 Tools We’ll Be Using
- MITRE’s ATT&CK Framework
- Cb Response
- Red Canary’s Atomic Red Team
03:08 Webinar Agenda
06:05 “It takes all the MITRE techniques and puts them into a nice visual representation.” -Jimmy
08:40 The UAC Bypass Techniques We Will Review
09:02 “These binaries have a special attribute to them so that when they execute, they’re actually allowed to auto-elevate their permissions.” -Jimmy
11:48 “Without admin rights, you can modify this key to then get to this token.” -Jimmy
17:54 “The researcher that discovered this had opened this binary up in IDA and noticed that it took a kick off elevation command line parameter and that is what actually does that auto elevation and allows the UAC bypass.” -Jimmy
19:00 Using Tools Effectively
19:14 “I can’t stress enough how important it is to use tools like PowerShell Empire.” -Jimmy
21:26 “Once you have completed your hunt, there should be an output. You should have something that says I hunted for this thing, and now I am going to automate it going forward.” -Adam
23:45 Testing Atomically
25:03 “Testing is critical in pretty much every aspect of your security program. If you don’t test it, you don’t know it works.” -Adam
25:18 “The idea of the Atomic Red Team is to enable rapid, iterative testing enabling you to grow your security program and build efficacy.” -Adam
26:36 “One of the ways we can use this is that we have this index we create dynamically when new tests are contributed.” -Adam
27:06 The Testing Cycle
28:50 “At the end of the day, this is not a ‘one and done.’ This is a ‘continue to test so I can iterate through this.’ I continue building out my detection and build out the rest of my security program.” -Adam
32:42 “Looking for encoded commands is a great way to find boatloads of evil.” -Adam
33:10 Encoded PowerShell Video
34:00 “Don’t test on things you aren’t authorized to test on.” -Adam
35:15 Atomic PowerShell
35:22 “Going through the Atomic Red Team, there’s a lot of PowerShell tests.” -Adam
37:42 Privilege Escalation
39:02 Scheduled Tasks
40:05 “You don’t have to catch everything the actor does, you just have to catch them once.” -Adam
40:30 Service Creation
40:33 “Modifying existing services is another thing that PowerUp does to escalate their privileges.” -Adam
43:35 Always Be Testing
43:45 “Follow your ABTs: Always Be Testing.” -Adam
43:49 “It’s one of those things that you will always be testing and always be tuning because the security landscape is always changing.” -Adam
44:28 Questions and Answers
44:43 Question 1: How do I pick where to start?
45:17 “I think you start where you have the best tooling and visibility available to you.” -Adam
47:46 Question 2: What other key indicators are you focusing on if you are hunting privilege escalation?
48:39 “Scoping it around user behavior is also a really interesting one that leads to a lot of really good threat hunting outcomes.” -Adam
51:05 Question 3: Have you actually seen a UAC bypass that works when credentials aren’t required to be entered? And what kind of indicators would you be looking for around a lssas and limerick type attack?
51:59 “We see samples all the time that reuse these publicly available UAC bypasses.” -Jimmy
52:10 “At the end of the day, you should be looking at untrusted processes and things you’ve never seen before touching lsass.” -Jimmy
54:19 Question 4: What kind of metrics would you report up to management to justify for this type of program or to advocate for building more hunting into your processes?
55:02 “Dedicating some percentage of your analyst’s time to searching for well-known documented behaviors should be a gimme.” -Adam
57:36 Question 5: Where and when do you draw the line between threat hunting and incident response procedures when you’re performing atomic testing and hunting engagement?
58:40 “It’s pretty black and white in the sense of that’s normal, that’s not normal. I think overlaying that with the behaviors that you would’ve expected to see is going to lead you down that path of ‘we should probably call people or get the lawyers involved’ or whatever your incident response process is.” -Jimmy
59:58 Question 6: Have we seen technology vendors building signatures to match atomic tests?
01:00:34 “I have actually seen live threat actors pulling artifacts from GitHub Repos.” -Jimmy