I don't like it when the day plays up a bit, whatever. OK, we are live. Everyone, thanks for coming to Indicators of Emulation: Extra Spicy Adversary Emulation. We will just get started and go at it. Really quick, next slide, please. Before I say anything, I have to do this for the lawyers and say that any opinions and anything that I say or do are just me; I'm not representing my company at all. It's in an individual capacity and not the views of my employer, not the views of his employer, period. Yeah, that goes for me as well, and previous employers. Yeah, we both have our lawyer disclaimers.

So I'm going to start with a little bit of story time. Back at BSides Chicago 2019, Matt Kelly did a really great talk called Threat Emulation: Adversary Focused Red Teams. In it, he got me thinking about how CTI can benefit red, all things red: adversary emulation, purple team, all of that. I'm working on a doctorate at Marymount University, and I decided to incorporate the thing I'm curious about into my research. After reading tons of articles and all of that, I came to the conclusion that there's really minimal information out there on the practice of CTI applied to red teaming. It seems more focused on blue team stuff, like extracting indicators of compromise, IOCs, and helping defenders defend the organization. Of course there's Atomic Red Team and all of that, but I'm talking specifically about the tradecraft of CTI. Traditionally, it's for blue and not necessarily red.

So fast forward a little bit, and I got curious about Bryson Bort and SCYTHE's marketplace. Basically, they are putting together something where people can build out capabilities for threat actors, for organizations to use. I thought, oh my God, that sounds like so much fun; I kind of want to do it. So Bryson got me in touch with Adam Mashinchi.
Adam pointed out that if you look at the threat intel reports, they have commands that are very, very detailed for Linux, but for Windows, not so much. That semester I happened to be in a malware analysis course, and I'm like, hmm, maybe I can make this my project for the year. So I decided, why not explore it a little bit further? I took it on, and I was like, eh, it'll be easy. All I have to do is enable command-line logging, and maybe some PowerShell logging as an extra thing, and it'll be really easy, not hard at all. I already know where to get all the samples; there won't be any problems. Yeah.

So I got a Windows VM, Windows 10, and I enabled all the logging for the Windows command line and PowerShell. I used Michael Gough's, let's see, Malware Archaeology, and lots of Googling to make sure I had it all right. And believe it or not, disabling all of the security on Windows 10, like, holy hell, it was a lot of work just to be able to execute malware. With the infection rates, I was expecting it would be easy to just point and click, but I was wrong. So I just want to do, oh, next slide, a couple of next slides. Back. Yes, that one. I just want to give a really brief shout out to Windows and Microsoft and say thank you so much; you've done a really good job at protecting everyone. It made it really hard for me to point and click, and it required a lot of disabling. Next slide, please.

So these are the results. What I did is I wanted to create a baseline, since it was for an actual doctoral class, so I had to have some sort of methodology behind it to be able to explain. When you look over the command-line logging it can get a little confusing, because stuff goes on, and before I introduced malware I wanted to make sure that I understood what the heck was going on first.
So I wanted to create a control that I knew was not malicious and not doing weird stuff before I introduced the craziness. There are three options. One is issuing the commands yourself, which I did. The next one was Atomic Red Team, so I installed it. Shout out to the Atomic Red Team crew: it was so easy. I just followed the instructions, and I was able to get it up and running and tested in almost no time. It was ridiculous how easy it was. And then finally there was testing malware. So I created a test malware, I call it. It's not really malware; it just pops calc, essentially. I compiled a C++ binary, and I used Sektor7's Red Team Operator malware development course to, I guess, learn how to compile a C++ binary. So that was fun. It was very benign. The code's right up there on the left-hand side; it just pops calc.

The other problem I had, if you can see on the right-hand side, was all of the no's for command-line arguments. I'm like, what the heck am I doing wrong? Why can't I figure this out? Why aren't these executing? I went to ANY.RUN, I did Hybrid Analysis, MalwareBazaar, I pulled stuff from VirusTotal. A fun story about that: someone at some place, which I won't name, I asked, hey, I'm having problems executing your samples, what am I doing wrong? I know with ANY.RUN you change the .bin to .exe, and the same here; I even used the file command and checked that it was an executable. Different things, right? And they suggested I speak to BleepingComputer. Obviously I'm not going to do that. So there are multiple repositories for malware, and I decided, you know what, I'm having such a hard time with this, I'm just going to go direct to the source. At URLhaus, the wonderful thing is that when they post fresh samples, they also include the URL. So with the new ones they posted, I honestly just went to the attacker's domain and pulled the malware myself. I was safe. Don't worry, I was safe.
Next slide, please. So these are the results of when I pulled the malware myself. I ended up getting command-line arguments, which was great, but there were still over half where I got nothing. I'm like, what is going on? Is it me? Is it the malware? What's wrong with this? Next slide, please. So I'm like, oh, there's static analysis, right? I'll just download Ghidra, and I have IDA, and I'll just futz around with it and figure it out. It was a little bit harder than that. Because it was for a class project, I didn't really have the time to sit down and learn all that anti-analysis, anti-VM, all of that defense evasion stuff, as far as how to defeat it and step through it, and do that for multiple samples at scale. I didn't have that time. I will in the future, possibly. Also, Joe Slowik, I don't know if you're familiar with him, he's like the meme master. He posted something recently where it was a guy drinking out of a cup of water, and he was like, is this how I drink water? You know, and not actually drinking from it. That's how I felt working with Ghidra and IDA and all that stuff. So I'm like, whoa, I just need to put this down for a second. Next slide, please.

So at the deeper summit in 2020, this year, Malware Archaeology himself was giving a talk, and I was able to talk to him about some of my problems. He suggested that I just use a real computer. And I'm like, what? That's crazy. I would never think to buy a cheap computer and execute it on there to bypass the VM checks. So I was like, all right, let's do this. I will fully commit to this and buy these computers. The first one I bought was dead on arrival; it did not work. The second one ended up working. Next slide, please.
So these are the results. What I did is I grabbed a sample, and I wanted to get a good idea of what the different sandboxes gave me before I did my actual analysis on a real computer. In the left-hand corner you see VirusTotal, in the upper part you see CAPE Sandbox, and at the bottom Joe Sandbox. Joe Sandbox gave more in this instance. Next slide, please. And then this is the actual manual part of it. It was about 75 pages worth of stuff that I collected from doing it manually; this is just some of it here. Some of it could be helpful. I also grabbed all the PowerShell command-line stuff that came out of executing it. Next slide, please.

So the funny thing too, as a threat intel analyst I decided to look at threat reports, and it was a Raccoon Stealer sample. I came across a Cybereason blog, because something funny happened while I was executing that one: it asked me if I wanted to install the .NET Framework. And in the threat report it said that one of the biggest complaints from criminals out there is that Raccoon Stealer has a very low success rate. I'm like, well, gee, now I know why. Basically, it would require people, at least with the version of Windows 10 that I was using, to install the .NET Framework. That's a lot more work involved. If they're like, here's an invoice, read it, and it's, oh man, I have to install this? Yeah, screw that, I'm just going to move on with my life, right? Next slide, please. Oh, you did it.

So then, Thursday of this week, I had a friend contact me. He was like, hey, I know you're doing a talk at the DEF CON villages, and if I gave you a blocked sample from my org that we don't really care about, that's junk data, would you be interested? Would you want to see what you can do with it?
This was about 24 hours prior to a previous presentation. I'm like, sure, let's see what I can come up with, and then I will share it with the world. Can I do it? Can I not do it? We'll see. So what I did: I found the sample on VirusTotal, then I loaded it into ANY.RUN, and I also loaded it into MalwareBazaar. The reason I loaded it into all these different sandboxes is that MalwareBazaar gives me some really good data. Joe Sandbox, I obviously don't have a corporate license, because I was doing this as an independent researcher. If you submit it through MalwareBazaar, you get Joe Sandbox, you get CAPE, you get a lot of good stuff to look at and pivot between when you're building out your reports. And then, of course, VMRay.

Just as a little side note, the threat intel brain in me kicked in, and I'm like, oh, I have the sample, I can make them a custom rule. So I looked at the callout for the DNS traffic and pivoted. It was, of course, Nigerian-based hosting; not saying that Nigerian hosting is potentially malicious or whatever, but I pivoted off of it and I found four additional samples that were malicious. So I created a custom YARA rule using diff and VirusTotal, and I passed that along to my contact. The next step was I looked up MITRE ATT&CK, because I'm like, okay, I know that it is HawkEye, and I know that MITRE ATT&CK kind of makes my life easy sometimes and has stuff already done for me. Lo and behold, I look at MITRE ATT&CK and no, they don't have what I need. That means I need to create it from scratch, but how do I do that? So I used a framework, and I used the MITRE ATT&CK tactics to guide my research. This is a printout from Joe Sandbox, where they map the different behaviors and TTPs of the particular malware sample that we have. Next slide, please.
So for initial access, it was an email with an .exe attachment, and the subject said invoice attached. It can also propagate through USB. As you can see on the left-hand side, you see the raw sample of the email, and it says reverse invoice. That was really funny. I decided to go to the domain in there just to see what was up with it, and that's the yellow thing on the right-hand side. And then the sender, down at the bottom, was actually a Nigerian company as well that was sending the malicious .exe. So of course I passed that along to my contact. Next slide.

So now we have execution. Of course user execution is required, and that's T1204.002, execution of a malicious file. Next slide. Now we have WMI, T1047. Since I had a very short amount of time and a lot of stuff to get through, I created a process in order to parse all of this and get it out. Basically, I go to the Joe Sandbox MITRE ATT&CK section, then I go to the Joe Sandbox-specific entry in the report, which you can see down at the bottom, the boxed thing. That's the specific entry I'm talking about. Then I check Atomic Red Team to see if there's anything related to that, such as "check if AV, antivirus, firewall program is installed." Then I Google what isn't there. Next slide, please.

When I first did this for T1047 in Atomic Red Team, I didn't find anything that matched the commands I needed, so I decided to Google, and I found something on Stack Overflow. I threw it up there, and later in the presentation, as I was doing my research, I found T1518.001. I came back and added it here. So this is a tip if you do decide to leverage this: sometimes things will be under different atomic tests, essentially. Next slide, please. The next one was Native API.
When I went to look at the specific section of Joe Sandbox, I searched and searched and couldn't really find anything beyond just the APIs that were involved with that. Then I went to Atomic Red Team, and they had something that had a command that was similar, the 4.0.30319. So I did a search in the actual Joe Sandbox report and I found a command on the command line, but there were no specifics tied to it. So this at least gives a beginning of what .exe was being used to interface with the APIs, and the APIs specifically included. Next slide, please.

So now we have persistence. Next slide. I looked at the specific area in Joe Sandbox and I found where WerFault was the culprit, and I had a hash of WerFault. I threw that into VirusTotal, and it looks like it's a legitimate service. So it's interesting; it looks like that one is being used for DLL side-loading. Next slide. Next we have privilege escalation, so the slide after that, please. So now we have DLL side-loading again. Next slide as well. And then we also have process injection. There is an Atomic Red Team test for this, and I put the command-line argument there for that. Next slide.

There was a ton of defense evasion with this particular sample of HawkEye, everything from invalid code signing to software packing to sandbox evasion to obfuscated files. Next slide, please. So what I did, previous slide please, is I tried to pick stuff out of the defense evasion that I think red teamers and blue and all of that could take advantage of, essentially. One of them was masquerading. This sample created files inside the actual user directory, so I put the location of what was being created and what it was called and all of that. There are a ton of tests for Atomic Red Team, so you can just pull the commands out of that that make sense and fit with this. Next slide, please.
The next one is Modify Registry. It stores large binary data in the registry, and I put the registry key that was changed or modified along with what it looked like. I know there's stuff that could potentially, I'm sure red teamers are like, I know what that is. Next slide, please. The next one is Hidden Files and Directories. I couldn't find an Atomic Red Team test specifically for this one, for changing Windows Explorer, but I did put the key value that was changed. Next slide, please.

So this one is my educated guess. In the detailed part of the sandbox report it says that it contains functionality to read the PEB. From a little bit of exploit dev reading, essentially you can create shellcode to walk through the PEB, the process environment block, in order to find the address of kernel32.dll. So I made an educated guess that that's what the shellcode was about. Next slide.

The next one is Credential Access. I put in here all the different files that were accessed and stolen by this particular sample, and there is an atomic test for it. Next slide. The next one is Discovery. This one queries a list of running processes, and there is an atomic test for it, or atomic commands that you can take out and put into whatever you use. The next one, Remote System Discovery: there is an atomic test available for this one as well, and it kind of tells you where to go and what's going on, what's being read and stuff like that. Next one, please. System Information Discovery: I put the registry key that was queried in there for the particular emulation, and there is an atomic test for this. Next slide. Lateral Movement. Previous slide, please. The only thing I can talk about regarding this is that it replicates via USB. Next slide. So Collection: it steals data from the local system, which is T1005.
There's also keylogging with this, and there are Atomic Red Team commands available for you to extract. Next slide, please. It also extracts and archives the collected data. My educated guess on this is that it compresses or encrypts the data prior to exfil. So that is a good behavior to include as well, and there is an Atomic Red Team test with a dependency on PowerShell. Next slide, please. It does grab your clipboard data, and there is an atomic test available. Next slide. Local Email Collection: it shows all the different files where the information was harvested, essentially, and there is an atomic test for this one. Next slide, please.

Okay, C2. Next slide. Here are the various things that were associated with C2, an encrypted channel and non-application layer protocol, and there are atomic tests available. Next slide. The thing I would recommend when you're building this out and looking up a C2 is the C2 Matrix. You can see right here the various functionalities of all of these different C2s; I think they said they were at 53 now. There's a ton. There's a Black Hat Arsenal talk on it, and Jorge Orchilles talks about it a lot, so he can definitely give you a ton of information about it. C2matrix.com. Use that to pick your C2 that matches the capabilities. Next slide.

So Exfiltration. I just took that: they exfiltrate the data compressed or encrypted. Next slide. So Impact. There really doesn't seem to be a crazy amount of impact like there would be with ransomware. You know, they steal creds, use them later, sell them. Who knows what this particular actor is doing? So now I'm going to add some extra context. Next slide, please. I looked at the YARA rules specifically in MalwareBazaar, and I saw that it was really active; it was still getting a lot of samples. So, not stale. Next slide, please.
You'll see, I went to MalwareBazaar and then pivoted out and looked at the YARA rule. Then I looked at the Joe Sandbox command line, and I saw that this particular YARA rule that was still alerting was from 2015, and they were still using the same string in the command line. So I'm like, oh, that would be really great to include in adversary emulation exercises, since it's been pretty consistent for about five years. Next slide, please. With this, the HTTP traffic doesn't have a header. Then I put, you know, some files that were written and the process tree for additional context. Next slide, please. It also dropped 11 files, and I put all the different files that were dropped in the different folders. Next slide, please. Other characteristics: it queries and connects over DNS, over HTTPS. The thing that was interesting to me is that it used port zero for listening. And then, you know, injection with CreateRemoteThread. So that sounds like something a red team would be interested in knowing that this particular thing does. Next slide, please.

So basically, I got someone's throwaway malware sample that they didn't really care about, that was blocked, and I was able to extract all that information: find out that it used Nigerian infrastructure from a Nigerian, I'm assuming, compromised company to send invoices to the particular organization, and build out a thing that they could use to test their defenses in adversary emulation exercises. This was all just from pivoting between multiple sandbox reports and some of my own analysis as well. Not all of it was from Joe Sandbox; I also included some from CAPE Sandbox, and then me just looking over the sandbox results as well. Next slide, please.

Finally, what you can do if you decide you want to move forward with this is the Purple Team Exercise Framework. Jorge Orchilles talks about this; he just released it through SCYTHE.
It's free and available to the community, and it gives you a really good framework in order to process this and move forward with a purple team exercise. Next slide, please. And Cyb3rWard0g did a blog post about tracking the hunt team. What I was thinking is that you could do the same thing for purple, and essentially track over time and present to your manager or upper management or whomever the various TTPs that you've been testing over time and your coverage with it. Or, just throwing out random ideas, you can also use it to track the kind of activity that you're getting from the various malicious items being sent to your organization. So for Nigerian infrastructure, you're like, huh, okay, so they're using these general TTPs, and here's our coverage for it, here's what we've tested. Basically the manager can just sit there over time and look at the colors change. So that would be helpful. But as a CTI analyst, I'm not a red teamer. I honestly don't know whether the commands are right or not without testing all of them, and how to go forward with this. So this is where the easy button comes in, and I'm going to hand off the presentation to my co-speaker.

Hi, everyone. My name is Hayden. I was just listening to you and thinking it was an amazing talk. Thank you for inviting me to co-present with you. So Xena was talking about cyber threat intelligence, adversary emulation, and purple teaming, and what happened is that we were both talking back and forth. I was a cyber threat intelligence analyst years ago, for six months. What I would do was copy and paste indicators such as IP addresses and domains from a report and throw them through our site. So Xena was telling me she wants to make it easy for a cyber threat intelligence analyst. I was into coding and learning Golang, so I came up with emulate.go.
Now, the problem that we identified, well, not a problem, but the concern we had with C2 tools such as PowerShell Empire or many of the others, is that they can have a steep learning curve, and you need a really deep technical understanding. They can require a lot of dependencies, and they can require a bit of setup as well, say getting a payload working or things like that. Most of them can be extremely complex, and we wanted to abstract that away and focus on the cyber threat intelligence of initial access and create it that way. So the goal was to lower the bar of entry for adversary emulation, abstract away the technicality, focus on initial access, and help people learn. Adversary emulation and purple teaming can be quite advanced, but ultimately, when you get down to it, it's attempting an attack, or building an exercise for an attack, executing it, seeing if you detected it or missed it, and then fine-tuning. That's what we were doing.

The solution was a client-server implementation. It doesn't have a command-line GUI as advanced as Metasploit or a framework like Atomic Red Team; it doesn't have any payloads or modules; it doesn't have dependencies. It is written in Go, so if you want to run the .go file you obviously have to install Go. I think it's easy to use; I made some obvious command-line arguments. It's limited to two things: running execution manually, and a list of commands. So you can say whoami, you can do a reg edit, but you have to do it manually or put it in a file. And then there's basic logging in JSON format.

So let's continue. The basic C2 infrastructure for command and control is obviously the admin sitting in the cloud, which connects to the infected machine. So I was like, okay, let's do that. But with adversary emulation, I really wanted to allow CTI analysts, or people who are learning, to also test the environment for lateral movement, or if one or more systems are infected.
So the parent proxy mode sits in the middle. It receives the commands and forwards them to the child, and that way it's sort of like a daisy chain. It just adds a little bit more complexity or functionality for testing. So again, the modes, as in any C2 tool: it has an admin interface, which runs in the cloud or pretends to be an external attacker. The parent mode proxies the commands back and forth, but you don't have to use it. The client mode receives the commands from either the admin or the parent and executes them. Pretty simple. We tried to abstract away everything and help people, or even CTI analysts, be more beneficial to an adversary emulation.

So the two types of modes I mentioned before: on the left, the normal one. You type hostname, whoami, and you can see my machine, hidden local. The list one, you just supply a file with a list of commands, and it will run through them automatically and send the results back. Nice and easy. And -log just writes JSON with the timestamp of command execution, the command that was executed or requested, and then the results. This allows you, if you're at home or in your org, when you have like 100 commands and you execute them and try the next day, to have timestamps to correlate in your detection tools.

With my tool, I wanted to add TLS. The reason is that when you're emulating an adversary, they probably don't use clear text. And I was trying to think of things that would get in the way of testing: if you have a command and control tool reaching outside your network, your IPS or something in the cloud, whichever detection tool you have, is going to trigger and alert and most probably block it. So I added some certificates, and I was playing with Go and got it working. And I sort of cheated a bit, because the idea is to abstract away some of the complexity.
I didn't want anyone to have to build their own certificates, the X.509 cert, the key, the private key, stuff like that. What I did is I included them in the files, and when you build, they're included in the executables, the binaries. And I marked it as InsecureSkipVerify, which means that it skips the verification, because TLS is meant to be tied to a domain, and obviously if you're putting it on different boxes, putting it in the cloud, you don't want to have to generate a certificate all the time. So this was just to make it easier.

Regarding encryption, if you don't know, the clear-text version is on the left, and you can see the command being recorded over the network in clear text. TLS garbles it. It's version 1.3, which I was lucky with, I guess. And then, because the tool prints to the screen in all three modes, and malware wouldn't print to the screen: it's great for learning, but not so great for emulation, and I didn't want people detecting the print to the screen, or printing to their terminal. So I wanted you to be able to silence it, and then it would just go blank and you wouldn't see anything printed to the screen. That was my thinking. I did add a pause function. In the bottom left here you can just see that it shows the options running: clear text, logging on or off. I mostly did that for script goodies, just because, why not, in addition to letting you see the options. And if you do -skip, you can skip this bit and it'll just run through automatically, so you can run it quickly.

So I recorded some demos of this. I wanted to show all the different modes, some normal ones, then the TLS demonstration, and I also wanted to show a registry edit with BLUESPAWN, which is an open-source EDR, and a scheduled task execution. So let's get to that. I will drag over here. See, I have them all in my folder, recorded and ready to go, so I didn't have any technical issues.
The thing here is it's just a host in the cloud called Ubuntu, and then I set up a lab. This is a domain controller. I have emulate and the executable on Linux, because I was moving over to the Windows file. But it's just ./emulate, the mode is admin, and then you choose the listening IP address and port. So it's just 8888. The options are on the left: you've got your TLS, none; logging, none; pause, none. And it even tells you where to connect the client to. When you run the executable, you choose client mode, and then you do client connect with the same IP address and the same port, and it should just connect nice and easily, and you don't have to worry about making sure you've done it right. Yep, it just works like that, and then you can enter whoami or hostname. Just a nice demo to show it working. Then it prints to the screen on the client side so you know it's working correctly and what results it's giving. And this is why I put silence in, so that when the client executes it doesn't get detected on printing to the screen, because that would be rather embarrassing.

The admin list mode works the same way. We do emulate, the mode is admin list, you supply the IP and port with -listen again, and my typing is really slow, and then you just do -commands with the file, so it'd be commando.txt, and we're launching it in admin list mode. On the client it's the same, but you do client list mode, and then the IP address and port. What happens is, when you run it, it should automatically execute like that. So we just ran whoami, hostname, whoami, hostname, powershell.exe, not advanced commands, just to demo and help you see the tool in motion. So that's how it works. Let me close Windows Media Player. The parent mode is pretty cool, or at least I think it's pretty cool. Here I've got Ubuntu on the left.
I've got two Windows PowerShells open, then I'm just using the admin mode, -listen on port 999, and then I'm using -mode parent, and the flags are pretty simple: -parent connect is where the parent is going to connect to, that's the admin server, and -parent listen is what port it's going to listen on. So it makes sense, nice and easy. Then emulate.exe, the mode is client, client connect connects to the parent, and it just forwards the commands through. So when you're in your org or you're learning at home, you can do more than one machine, which is pretty cool. Here I typed netstat incorrectly; that's why it doesn't quite work. And yeah, there you go.

So the basic logging format, again, is JSON. If I skip through: I've just done admin list, -listen with the IP address and port, again -commands because we're going to execute commands, and -log with the name emulog, which will create emulog.json. Simple as that. On the client you don't have to do the logging; it's only the admin interface that logs, which is more realistic. I guess I could build logging for the client if everyone demands it or if it's useful, but I thought just doing it on the admin was fine. If I skip through and cat the emulog.json file, it's pretty ugly; it's just basic JSON. But if you open it in nano, it is actually a JSON object: it's got the time, the command, and the output that it receives. That allows you to correlate between the different detection tools.

The TLS option is pretty similar; you just add -tls. As you can see here, it's emulate -mode admin -listen; I did 0.0.0.0 just to show that it can listen on multiple interfaces. But -tls is really the important key here. And on the client side you also need to put -tls, otherwise the handshake won't work: it will think SSL on one end and non-SSL on the other.
Then you run that, and I'm just using Wireshark to show that the encryption actually works; I'm not talking out of my ass. It does the Client Hello handshake and you're off to the races. So that's pretty cool. And it also works with PowerShell and that stuff after it executes and runs through. This is to show just some recon commands. Xena, or ch33r10, was giving me her research, and there was one that executed multiple recon commands. One was even the WLAN export profile, but I left it in because I thought it would be funny being in AWS; it doesn't have a Wi-Fi profile. So that's the file you add, and the log name is advance, so it will become advance.json. And then I already have it in the Windows CMD; it clicks through, it runs, and it all logs to a JSON file, even though it's quite a lot of output. Then I use jq just to see it, because it's ugly when you cat the file, because it's JSON, but if you use jq it's a little bit better formatted. You could probably clean it up a lot better, but I just made it larger for the demo, and you can see it executes CMD and then it creates the results. Close, close. All right, cool.

So in the research Xena gave me there was a reg add command, with environment, CMD, start, things like that. I wanted to show a demo where this reg add can actually be tripped by an open-source EDR called BLUESPAWN, as an example of doing something real-world. So we have it set up here: I'm listening on port 44, we're going to execute BLUESPAWN, which is the open-source EDR, to see if we can trip it or if it detects something. Then we're going to go into client mode with TLS, and as you can see I'm admin one, because I've seen where I could really execute. Then I copy and paste; I do this in PowerShell just because I felt like it. It goes through, it's reported as completing successfully, and you can see it even on the client. And when you go to BLUESPAWN, you can see the MITRE technique
T1183 and the registry edit. This was actually from awesome training I did; I did this reg edit, and they did a demo with BLUESPAWN, and I thought it would be great to show everyone how the tool can be used for adversary emulation. Now, the next one we wanted to show was Scheduled Task/Job, which is T1053 in the MITRE framework, and this was from CAPE Sandbox 32597. So it's scheduled tasks: it creates scheduled tasks that execute when someone logs on, so it's a typical persistence mechanism
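Editor's added example, not part of the talk and not code from emulate.go: Hayden describes shipping an embedded certificate and setting InsecureSkipVerify so that nobody has to generate a certificate per host. In Go that flag disables both chain and hostname verification, so the client will also accept a certificate minted by anything that sits between it and the admin server, and the commands it then executes come from whoever holds that connection. The block below shows that setting next to the alternative that keeps the same convenience: treat the one embedded certificate as the only trusted root and check the name baked into it, which needs no per-host certificates either. It mints a throwaway self-signed certificate at runtime (standing in for the one compiled into the binaries), runs real TLS 1.3 handshakes over a loopback TCP socket so it works offline, and returns the client's verdict. The name emulate.local, the function names and the five-second deadlines are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SelfSigned mints an ECDSA P-256 certificate for name, signed by its own key:
// the kind of certificate you would embed in the binaries at build time.
func SelfSigned(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // fine for a throwaway self-signed cert
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // the name the pinned client will check
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// InsecureConfig is the setting described in the talk: the client accepts
// whatever certificate it is shown, so an interposer can terminate the TLS
// session and read or rewrite the commands.
func InsecureConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS13}
}

// PinnedConfig keeps the "no per-host certificates" convenience but trusts
// exactly the embedded certificate: it is the only root, and the name baked
// into it is checked no matter which IP the admin server listens on.
func PinnedConfig(embedded tls.Certificate, name string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(embedded.Leaf)
	return &tls.Config{RootCAs: pool, ServerName: name, MinVersion: tls.VersionTLS13}
}

// Handshake runs one TLS 1.3 handshake over loopback TCP between a server
// presenting serverCert and a client using clientCfg, and returns the
// client's verdict: nil if it accepted the server, an error if it refused.
func Handshake(clientCfg *tls.Config, serverCert tls.Certificate) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	serverCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS13}
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		c.SetDeadline(time.Now().Add(5 * time.Second))
		s := tls.Server(c, serverCfg)
		_ = s.Handshake() // a client-side rejection surfaces here too; we only report the client's view
		s.Close()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cli := tls.Client(raw, clientCfg)
	defer cli.Close()
	return cli.Handshake()
}

func main() {
	embedded, _ := SelfSigned("emulate.local") // the cert compiled into the binaries (hypothetical name)
	imposter, _ := SelfSigned("emulate.local") // same name, different key: an interposing box
	fmt.Println("InsecureSkipVerify client accepts imposter:", Handshake(InsecureConfig(), imposter) == nil)
	fmt.Println("pinned client accepts embedded cert:       ", Handshake(PinnedConfig(embedded, "emulate.local"), embedded) == nil)
	fmt.Println("pinned client accepts imposter:            ", Handshake(PinnedConfig(embedded, "emulate.local"), imposter) == nil)
}
```

The pinned configuration is still a single certificate shipped inside both binaries, so the "just run it" experience Hayden wanted is unchanged; what changes is that a client will only talk to a server holding the matching private key. If the certificate is ever rotated, both binaries need rebuilding, which is the trade-off for not running a CA.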