Fantastic Red-Team Attacks and How to Find Them

Black Hat USA 2019

Presented by: Casey Smith (@infosecsmith2), Ross Wolf
Date: Thursday August 08, 2019
Time: 14:30 - 15:20
Location: South Seas ABE

Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example is Trusted Developer Utilities, which can be readily available on standard user endpoints, not just developer workstations, and which allow code execution. Also, XSL script processing can be used as an attack vector, as a number of trusted utilities can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well; these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and a lack of understanding of environmental norms, make reliable detection of these events near impossible.

This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.

Additionally, we introduce and demonstrate the open-sourced Event Query Language (EQL) for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event-agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy-to-craft analytics that catch adversarial behavior most commonly missed in organizations today.
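The abstract's central point is that the interesting behavior is not one event but a sequence of events, keyed by something like a process id and separated by arbitrary nuisance events. The following is an added example, not code from the talk or from the EQL project: a small pure-Python matcher in the spirit of an EQL `sequence by` analytic. It arms on a process-start event for one of the trusted .NET binaries named above (InstallUtil, Regsvcs, AddInProcess) and fires when the same pid later makes an outbound network connection within a window, ignoring unrelated events in between. The event dictionaries, their field names (`ts`, `type`, `pid`, `image`, `dest`), the sample paths and the 60-second window are all constructed assumptions for the demonstration, not any vendor's schema.

```python
"""
Sequence-style detection over an endpoint event stream (added example).

Links a process start for a watched .NET binary to a later network
connection from the same pid, in the spirit of EQL's `sequence by` clause.
All events, field names and the time window below are constructed for the
demo and are not a real product schema.
"""

# Trusted .NET default binaries named in the abstract; compared against the
# lower-cased file name of the started image.
WATCHED_DOTNET_BINARIES = {"installutil.exe", "regsvcs.exe", "addinprocess.exe"}

# Assumed maximum seconds between the two steps of the sequence.
MAX_SPAN_SECONDS = 60


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_sequences(events, max_span=MAX_SPAN_SECONDS):
    """Return matches as a list of (process_event, network_event) tuples.

    `events` is an iterable of dicts sorted by 'ts' (seconds). Each dict has
    'type' ('process' or 'network') and 'pid'; process events carry 'image',
    network events carry 'dest'. State is keyed by pid: the first step arms
    the pid, the second step fires if it arrives within `max_span` seconds.
    Events for other pids in between are simply skipped, so the two steps may
    be separated by any number of nuisance events.
    """
    pending = {}   # pid -> arming process event
    matches = []
    for ev in events:
        if ev["type"] == "process":
            if image_name(ev["image"]) in WATCHED_DOTNET_BINARIES:
                pending[ev["pid"]] = ev          # arm (or re-arm) this pid
            else:
                pending.pop(ev["pid"], None)     # pid reused by another image
        elif ev["type"] == "network":
            start = pending.get(ev["pid"])
            if start is None:
                continue                         # nothing armed for this pid
            if ev["ts"] - start["ts"] <= max_span:
                matches.append((start, ev))
            del pending[ev["pid"]]               # one network event closes the sequence
    return matches


def describe(match):
    """Render one match as a short analyst-facing string."""
    start, net = match
    return (f"pid {start['pid']}: {image_name(start['image'])} started at t={start['ts']} "
            f"then connected to {net['dest']} at t={net['ts']}")


# Constructed sample event stream (not captured telemetry). The pid-4120
# sequence is interleaved with unrelated events; pid 4150 connects outside
# the window and should not match.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "process", "pid": 4100, "image": r"C:\Windows\System32\svchost.exe"},
    {"ts": 105, "type": "process", "pid": 4120,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"},
    {"ts": 106, "type": "network", "pid": 4100, "dest": "10.0.0.5:445"},      # nuisance, other pid
    {"ts": 110, "type": "process", "pid": 4130, "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": 130, "type": "network", "pid": 4120, "dest": "203.0.113.7:443"},   # completes sequence
    {"ts": 200, "type": "process", "pid": 4150,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"},
    {"ts": 300, "type": "network", "pid": 4150, "dest": "203.0.113.7:443"},   # 100 s later: outside window
]

if __name__ == "__main__":
    for m in find_sequences(SAMPLE_EVENTS):
        print(describe(m))
```

Keying state by pid is what lets the analytic tolerate the nuisance events the abstract mentions; widening `max_span` (for example to 200 seconds) would also surface the RegSvcs case, which is the usual tuning trade-off between missed sequences and false positives.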

Casey Smith

Casey Smith leads research and testing efforts at Red Canary, continually working to understand and evaluate the limits of defensive systems. He led the development of Atomic Red Team, an open-source testing platform that security teams can use to assess detection coverage. His background includes security analysis, threat research, penetration testing, and incident response.

Ross Wolf

Ross Wolf is a researcher at Endgame where he creates solutions to simplify detecting adversarial behavior in endpoint data. Prior to Endgame, Ross was an engineer at MITRE where he led projects that automated blue team processes by creating graphs of process activity and grouping related alerts. He was recently co-granted a patent for CALDERA, a project which automated post-compromise adversary emulation. Ross also contributed to ATT&CK and the Cyber Analytics Repository.

