Joined by Anton Ovrutsky of SumoLogic Threat Labs, Mike Haag and Paul Michaud to tour Anton’s latest project, the ‘Constructing Defense’ course. Learn about the construction of a multi-cloud lab from the ground up, the execution of real-world TTPs, and detection strategies using a SIEM platform.

It makes sense that defenders’ visibility into cloud environments can be a bit…well, cloudy. We gathered a team of experts to help you clear things up. In the latest installment of our Detection Series, Red Canary’s own Thomas Gardner and Justin Schoenfeld joined MITRE’s Casey Knerr and Atomic Red Team Maintainer Jose Hernandez for an in-depth discussion of the most prevalent cloud techniques.

Contributor zaicurity added this new test that runs a cmdlet explicitly via PowerShell v2. This is a tactic sometimes seen in adversary TTPs and is known as a PowerShell downgrade attack, intended to subvert some of PowerShell’s newer security features (like better transcription, deep script block logging, and more).

This test from contributor thomasxm is an emulation of a particularly stealthy implementation of UUID injection written in C. The code can be stored in UUID forms on the heap and converted back to binary via UuidFromStringA at runtime. Custom implementations of UuidToString and UuidFromString are used to avoid static signatures, making for a more challenging detection.

In another test from thomasxm, NtCreateFile is called via API hashing and dynamic syscall resolution. A new file is created in the user’s temp folder, a common location for droppers. Adversaries typically obfuscated and dynamically resolve API functions to conceal malicious functionality and impair defensive analysis.

Contributor prashanthpulisetti added the second test to this technique. In this test, an encrypted file transfer is simulated to a free temporary FTP server. Adversaries typically exfiltrate sensitive data over FTP and other alternate protocols because they are external to an existing command and control channel or are easier to obfuscate.