Reaping What They Sow - Hard Lessons Learned Emulating Threat Actors
- 1. Reaping What They Sow - Hard Lessons Learned Emulating Threat Actors Jamie Williams @jamieantisocial @MITREATTACK
- 2. > lsadump::secrets ATT&CK速 & ATT&CK Evals Padawan to some amazing people Halloween & spooky stuff
- 3. Why Emulate Adversaries? Variety of offensive assessment types, each with its own place Intelligence-driven approach provides: - Realism - Scoping - Diversity - Repeatability
- 4. Learn from Achievements Source: https://gph.is/1rQtQVc
- 5. Learn from Achievements Source: https://gph.is/1rQtQVc
- 6. Learn from Achievements Source: https://gph.is/1rQtQVc
- 7. Learn from Achievements Source: https://gph.is/1rQtQVc
- 8. But Also Mistakes Source: https://giphy.com/gifs/8jzdgXpr9Po1a Source: www.microsoft.com/security/blog/2020/06/11/blue-teams-helping-red-teams- a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation/
- 9. But Also Mistakes Source: https://giphy.com/gifs/8jzdgXpr9Po1a Source: www.microsoft.com/security/blog/2020/06/11/blue-teams-helping-red-teams- a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation/
- 10. But Also Mistakes Source: https://giphy.com/gifs/8jzdgXpr9Po1a Source: www.microsoft.com/security/blog/2020/06/11/blue-teams-helping-red-teams- a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation/
- 11. Emulation Recipe 1.Choose an adversary 2.Research 3.Develop & Execute Plan Source: https://giphy.com/gifs/8jzdgXpr9Po1a
- 12. Lesson One One Emulation to Rule them All?
- 13. Make Something Special A lot of great emulation work going on across industry Each emulation has an opportunity to capture a unique scenario / combination of behaviors Source: https://giphy.com/gifs/l0HlVWsgDwQgGz1io
- 14. Techniques Are Like Onions
- 15. Techniques Are Like Onions
- 16. Techniques Are Like Onions
- 17. Techniques Are Like Onions
- 18. Techniques Are Like Onions
- 19. Techniques Are Like Onions
- 20. Adversaries Have Layers Too
- 21. Adversaries Have Layers Too ADVSTORESHELL Cannon certutil CHOPSTICK CORESHELL DealersChoice Downdelph Forfiles Fysbis HIDEDRV JHUHUGIT Koadic Komplex LoJax Mimikatz OLDBAIT Responder USBStealer Winexe X-Agent for Android XAgentOSX XTunnel Zebrocy
- 22. Fish in the Sea Find the right adversary for you: - Relevance - Variance - Available Intelligence Source: https://gph.is/1a55Nwt
- 23. Lesson Two Know Where & How to Harvest Intelligence
- 24. Open Source Aplenty Sources: - https://redcanary.com/blog/blue-mockingbird-cryptominer/ -https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf -https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang -https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ -https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf
- 25. But Do vendors report - Routine, ordinary? - Every relevant detail? - What they dont see? Source: https://gph.is/XJ81ub
- 26. Source: https://www.virustotal.com/gui/file/2baebff87a05a40f661ba9d813154dd730948418b690fc1bf90dec8ce07c296f/details Get Your Hands Dirty
- 27. Source: https://www.virustotal.com/gui/file/2baebff87a05a40f661ba9d813154dd730948418b690fc1bf90dec8ce07c296f/details Get Your Hands Dirty T1012 T1112 T1134
- 28. Source: https://www.virustotal.com/gui/file/2baebff87a05a40f661ba9d813154dd730948418b690fc1bf90dec8ce07c296f/details Get Your Hands Dirty
- 31. Lesson Three Follow the Yellow Brick Road
- 32. You Are Not Your Adversary Ignore your preferences/ what you would do Dont fix things that arent broken Be willing to learn and try new things Source: https://giphy.com/gifs/AEMyf9Oj6MpS8
- 33. Trust Your Intelligence You have a roadmap There may be small gaps to fill, circle back/ask around Would they do this? Source: https://giphy.com/gifs/bcZ8T9ctIriAU
- 34. Important Takeaways Adversary emulation is impactful, but also a lot of fun Balance of a lot of delicate skillsets Not an exact science, so learn, share, and get better as you go Source: https://gph.is/1auqnpt