Hello, everyone. In this presentation, we will be demonstrating a tool we developed, Tenacity, that can be used to emulate attack techniques from the Persistence tactic. My name is Herschel. I am a senior threat researcher at Qualys. My research interests lie at the intersection of cyber security and algorithms. In the past, I worked on problems related to password security, phishing detection and CAPTCHA solving. So that is all about me. Now I request my colleague, Arthur, to introduce himself and to present our tool. So over to Arthur.

Hi, I am Arthur. I work as a threat researcher at Qualys. I am an engineer. I like to build and break things. Sometimes I also do bug hunting and have been recognized by Google, Microsoft and Twitter. Another thing that really excites me is reverse engineering and writing mobile malware. You can reach out to me at a tool.bio.ly.

For today's presentation, we will start by giving a basic overview of the attack lifecycle and why persistence plays an important role in it. We will also explain why we developed an adversary emulation tool specific to the persistence techniques. Subsequently, we will describe the Tenacity framework in more detail and go through the design of the framework. The major part of the talk will be spent demonstrating our tool, where we will emulate techniques on the Windows and Linux operating systems. Finally, we will share our plans for the tool release and the new features that we are planning.

The slide shows the MITRE ATT&CK lifecycle, just to give a basic overview of the MITRE ATT&CK framework for those who are not aware of it. MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. There are around 14 tactics and more than 500 techniques in this knowledge base. As shown in the slide, MITRE has mapped those tactics to different phases in the attack chain.
The techniques from the Persistence tactic are mostly executed at the early stage of an attack lifecycle. Persistence consists of techniques that adversaries use to maintain their foothold on systems across restarts. So it is one of the most sought-after techniques of an attacker. According to recent reports, three of the top ten techniques used by adversaries are from the Persistence tactic. Hence, we believe that techniques from Persistence should be paid the most attention to.

Let's look at some of the techniques from the Persistence category used by real-world adversaries. We have also listed the attack groups using these techniques. T1543, Create or Modify System Process: adversaries can create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. In the case of Scheduled Task, adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. This can be done in multiple ways, such as using the at command, cron or systemd timers. Adversaries may create an account to maintain access to victim systems; this can be either a local account, or a global, domain or cloud account as well. In Boot or Logon Autostart Execution, adversaries may configure system settings to automatically execute a program during system boot or logon. We will be emulating some of these techniques as part of the demo.

The architecture of our tool is shown in the current slide. It has four main components: the framework, the knowledge base, the set of modules and the utility functions. The tool is written in Python. Users interact with the framework through a sequence of commands. The knowledge base is mostly derived from the MITRE ATT&CK database. It contains the list of techniques and meta information about each technique, such as the platforms and data sources. It also contains info about the threat actors that are using these techniques.
We have a module for each technique, which makes use of the helper functions to run the emulation. Each module is a collection of different procedures, where a procedure is a specific group of commands which attackers execute. This architecture of our tool makes adding support for new techniques or tests quite easy. If we look at the features of the framework, the framework is integrated with MITRE ATT&CK, and users can filter the techniques using groups, platforms or data sources. So they can also filter using different threat actors. After a user runs a specific procedure, the tool also monitors the corresponding event logs. This feature aids users in detecting attack techniques. The result of the emulation can also be exported in different formats for future use.

We are on a Linux platform and we are going to demonstrate the features of this tool and its basic usage. We will also be emulating some of the Linux techniques. As it's a Python tool, let's start by running the Python module. To get the basic help usage of the tool and to know the different commands that the tool has, we can run the help command. This will list all the available commands that the tool has. We will be going in depth about each of the commands. First, let's list all the modules that we have. To do that, we can use the list command. We can see that it lists all the available modules, and the modules are named using the TID, that is, the technique ID, and the technique name. This contains modules for Linux, macOS and Windows. In this case, as we are only going to run emulation for Linux, we can use the filter command to filter out just the Linux techniques. To know more about the filter command, we can use help filter. This lists the usage for filter; we can see there are three options for filter. One is that we can filter using platforms, and we can filter using groups.
For example, suppose we want to know all the TIDs, all the techniques used by APT3; we can use this command to filter those out. Or we can also filter using data sources. In this case, as we need just the Linux techniques, we can run filter. We are going to filter using platforms, which is Linux. As we can see, it has filtered down to just the Linux techniques.

Let's start by emulating one of the techniques. We can start by emulating T1136.001, which is Create Account: Local Account. To use this module, we can do use T1136.001, that is, use and the technique ID for the module. We can see that it's now using the module, and we can also notice that the prompt has been changed to the technique ID for that module. Each module is divided into multiple procedures. Some modules can contain multiple procedures, while some can contain only a single procedure. To see all the procedures that a module has, we can run show procedures. It will list the procedures that a module has. In this case, in the case of Create Account, we have a single procedure. It's for creating a new user using the useradd command. We can see that the procedure has been numbered zero. This table represents the different arguments and their default values. We can set any of the values for the different arguments. First we want to use this specific procedure. So we can set the procedure value with the procedure ID, that's zero here. Okay, so we have updated the procedure. Now, if we want to change the value for any of the arguments, for example, if we want to set the username to some other value, we can do that using the set command: set username. So it is done by set, the argument name and the value that we want to set that argument to. We can see that the username has been successfully updated to our value.
Now, there is another command called show selections, which will just list the procedures that we have currently selected. In this case, we have just selected one procedure, so that will list the procedure that we have. Now, if we want to run this emulation for this technique, we can do that using the run command. We can see that it is running the module for Create Account and it's creating a new user account using useradd. It will also generate a log. If we check the log, we can see that it's using the module Create Account. Then it uses the procedure for creation of a new user account using useradd, and the specific command that it runs is this. It lists the command that it runs, and we can see that it has successfully created a user with username tenacity_test. Now let's verify whether the user is created or not. We can just cat /etc/passwd and grep it. We can see that the new user has been created with username tenacity_test.

Now, if we want to restore the system to its original state, that is, the state before the run command, we can do that using our cleanup command. In this case, what cleanup does is delete the created user tenacity_test. We can just check the logs. We can see that it ran the cleanup command: it used userdel to delete this username. We can see that it has successfully deleted that user. This cleanup command comes in handy when we have to restore the system to its original state so that it doesn't mess up some configurations or cause any issues. We can exit from this prompt using the exit command. Now we are out of this prompt. Let's try to emulate another Linux technique. We can filter using platforms Linux.
Now for this case, let's try to run emulation for T1053, which is Scheduled Task/Job. We can use the module with use T1053. It's currently using this module, Scheduled Task. We can also see that the prompt has been changed to T1053, so we are inside that module. Now, to see what procedures we have for this specific module, we can run show procedures. In this case, we have a total of three procedures. The first one uses the at command to create a scheduled task, the second uses the cron utility, and the third one uses systemd timers. In this case, suppose we have to set the script name to something else or change any of the arguments; we have to first select the procedure. In this case, the procedure here would be one. We can do that using set procedure one. It has selected that procedure. Now we can change the script name using set and the argument name, in this case script name, and the value that we want to set it to. We can see that it has successfully set the script name to tenacity_cron.

Now, if we want to run this module: in this case, as we have three procedures, suppose instead of just running a single procedure, we want to run multiple procedures. We can do that using set procedure and the procedure values separated by commas. But in this case, let's run all of the procedures. We can do that using set procedure all. It will successfully select all of the procedures. If we want to see the procedures that it has selected, we can do that using show selections. We can see that it has successfully selected all of the procedures. Now we can run all the procedures using the run command. It has run the module Scheduled Task/Job with all available procedures, that is, the three procedures. Now let's check the log. We can see that it selected the module T1053 Scheduled Task.
Then it ran this command, which is for creating a scheduled task using at. It successfully completed that; then it created a cron job. It created a file in /etc/cron.daily. That's successfully created. Then it ran the systemd-run command to create a systemd timer. Now let's check if this has been created successfully. We can see that the tenacity_cron file has been created in /etc/cron.daily. We can also see that tenacity_at_log.log has been created. This is for the at command. As we can see here, it creates a log in the /tmp folder. We can see it has successfully created that log file. Now, if we're done with the emulation, we can exit this prompt using the exit command. Now we are out of the prompt.

Suppose we are done with all our emulations and we want to export the result. We provide multiple options to export the result. One of them is using Excel. We can do that using the export command. Now we can see that it has created a new file, report.xlsx. We can open it up. It has the TID, the name of the TID, description and platform. It also contains the procedures that we ran. In this case, Create Account contains a single procedure and Scheduled Task contains multiple procedures, which are at, cron and systemd timers.

Now let's similarly emulate techniques from the Persistence tactic on the Windows platform. Note that our framework Tenacity requires admin privileges for execution. Suppose that we are interested in executing only those techniques that are employed by a specific threat actor. To list the techniques employed by a specific threat actor, we can use the filter command. The syntax of the command is filter followed by the groups keyword and the name of the threat actor that we are interested in. Let's take the example of Leafminer.
According to the MITRE ATT&CK knowledge base, Leafminer uses one technique in which it tried to create a local user account on the system. Let's emulate one procedure from this technique. In order to select this technique, we have to use the use command. The syntax of the command is use followed by the technique ID; in this case, it is T1136.001. After the execution of the use command, the command prompt has changed to the selected technique ID. A selected technique can contain multiple procedures. In order to look at the procedures available within a given technique ID, we can use the show procedures command. Within this technique ID, there are two different procedures available for emulation. In the first procedure, the tool uses the net user add command for creating a local user account, and it uses the default arguments of username and password given in table 1. The second procedure uses the PowerShell cmdlet New-LocalUser and uses the default values for the arguments username and password as listed in table 2. Let's say that we want to emulate procedure 0. In order to select the procedure for emulation, we need to use the set procedures command. In order to verify which procedures we have selected for emulation, we can also use the show selections command. We have selected procedure 0 for our emulation.

Now we have selected a technique and we have chosen a procedure for emulation. Now we can execute the run command. After execution of the run command, the detailed output is available in the tenacity.log file. This log file shows what the different commands were that were executed as part of the run module. As mentioned in our presentation, our framework has been integrated with the Windows event log. So if a new user account is created and the auditing for User Account Management is enabled, then an event with ID 4720 gets logged in the Windows Security log. On this system, the auditing for User Account Management was not enabled.
So our tool enables the auditing for User Account Management using the auditpol command, and then it executes the net user command to create a local user account. After executing this command, we filter the Windows Security log using the Get-EventLog PowerShell cmdlet, and we make sure that we only extract the most recent events. This Get-EventLog has been provided with the event ID and the timestamp for filtering purposes. Once we extract that log, we store it in the tenacity.log file, and you can see the details about the event with ID 4720. Once the Windows Security logs are parsed and the events are extracted and stored in tenacity.log, we perform the cleanup activity. Since a user account was created, we delete it using the net user delete command, and since the auditing for User Account Management was not enabled prior, we reset it back and change its setting to No Auditing. Now, let's say we want to emulate a procedure from some other technique. We can type the exit command to exit from the currently selected module.

We saw an example where we filter techniques by a threat actor name, but we can also filter techniques by MITRE data sources. Let's say that we want to filter techniques by the data source category Service. We can use filter; data sources is a keyword, and we can use service. There are a few techniques that involve Service as a data source. Let's pick one technique, which is Create or Modify System Process: Windows Service, for emulation. Again, we select this technique using the use command. Once we select the technique, we can use the show procedures command to get a list of the procedures available under this technique. This technique has two procedures. The first procedure creates a service using the sc command and the second procedure creates a service using the New-Service PowerShell cmdlet. Let's pick the first procedure for emulation. In order to choose a procedure for emulation, we use the set procedures command.
And now, since we have picked procedure zero for emulation, we can execute the run command. Again, once this run command has been executed, we can refer to the tenacity.log file for more detailed output. As you can see, we are enabling auditing for Security System Extension, because when a new service gets created, an event with ID 4697 gets logged in the Windows Security log. Since the auditing for this category was not enabled previously, our tool uses the auditpol command to enable auditing for Security System Extension. Then it creates a service with the arguments provided in the table, and then it starts the service. After the service is created and it has been started, we analyze the Windows Security log using the Get-EventLog cmdlet, where we filter the Windows Security log using the event ID of interest, in this case 4697, and we also provide the timestamp as a filtering criterion so that we get only the most recent events. Once we find an event with ID 4697, we extract that event from the Windows Security log and we store it back in our tenacity.log file. Once the event has been logged to tenacity.log, we perform a series of cleanup activities. First we stop the service, then we delete it, and then we disable the auditing for Security System Extension. So we try to get the system back to its original state.

Let's run emulation for one more technique. We will use the Scheduled Task technique. In order to see the procedures that are available within the Scheduled Task technique, we can use the show procedures command. Again, there are two different procedures available with this technique. The first procedure uses the schtasks command for creating a scheduled task, and the second procedure uses a PowerShell command for creating a scheduled task. Let's select the first procedure for our emulation. We would type set procedures followed by the procedure ID, which is zero.
Once we have selected a procedure for emulation, we can execute it through the run command. Once the procedure has been executed, we can refer to the tenacity.log file for detailed execution output. Again, we are enabling the auditing for Other Object Access Events, because when a new scheduled task gets created, an event with ID 4698 gets logged in the Windows Security log. If the auditing for Other Object Access Events is not enabled, this event ID won't be available in the Windows Security log. So we enable this category using the auditpol command, and then we create a scheduled task using the schtasks command. After executing this command, we filter our events using the event ID of interest and the timestamp. After extracting the event with ID 4698, we store it back in the tenacity.log file along with other details. Finally, we perform cleanup activities: we delete the created scheduled task and then we reset the auditing to its original form. Now, if you want to run emulation for some other technique, exit from this module and choose the technique of your choice.

The development of our tool is still in progress, and we are planning to release our tool as soon as it is ready. Currently, our framework has been integrated with the Windows Security log, but in the future we are also planning to integrate our framework with other popular log sources such as Sysmon. Our framework currently supports techniques from the Persistence tactic, but it can be extended to other tactics as well. We are also working on making the usability of our tool better by adding more logging and exporting options. So thank you for joining us, and if you have any questions, we would be happy to answer them. Thank you.
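The detection half of the three Windows demos (check that the audit subcategory is on, then pull the event IDs 4720, 4697 and 4698 from the Security log since a recorded timestamp) is shown below as an added example; it is not the Tenacity tool's code and does not create any account, service or task. It reads only. It uses Get-WinEvent instead of the Get-EventLog cmdlet mentioned in the talk, because Get-EventLog does not exist in PowerShell 7. It assumes an elevated PowerShell session on Windows; the event-ID-to-technique mapping, the function names and the 30-minute look-back are this example's own choices.

```powershell
# Added example, not part of the Tenacity tool. Assumes an elevated PowerShell
# session on Windows (reading the Security log and running auditpol both need it).

# Security event IDs cited in the talk, mapped to the persistence technique each one
# evidences and to the auditpol subcategory that must be enabled for it to be written.
$PersistenceEvents = @{
    4720 = @{ Technique = 'T1136.001 Create Account: Local Account';                   Subcategory = 'User Account Management' }
    4697 = @{ Technique = 'T1543.003 Create or Modify System Process: Windows Service'; Subcategory = 'Security System Extension' }
    4698 = @{ Technique = 'T1053.005 Scheduled Task/Job: Scheduled Task';              Subcategory = 'Other Object Access Events' }
}

function Get-AuditSetting {
    # Returns the current setting ('Success and Failure', 'No Auditing', ...) for one
    # auditpol subcategory. auditpol prints a table; keep the row that names the
    # subcategory and strip the name, which leaves the setting text.
    param([Parameter(Mandatory)][string]$Subcategory)
    $pattern = '^\s*' + [regex]::Escape($Subcategory) + '\s+'
    $row = auditpol /get /subcategory:"$Subcategory" 2>$null | Where-Object { $_ -match $pattern }
    if (-not $row) { return 'Unknown' }
    return ($row -replace $pattern, '').Trim()
}

function Test-AuditCoverage {
    # For every event ID of interest, report whether the subcategory that produces it is
    # actually audited. A 'No Auditing' row means the matching detection is blind, which is
    # exactly the situation the talk hits before it turns auditing on.
    foreach ($id in ($PersistenceEvents.Keys | Sort-Object)) {
        $sub = $PersistenceEvents[$id].Subcategory
        [pscustomobject]@{
            EventId     = $id
            Subcategory = $sub
            Setting     = Get-AuditSetting -Subcategory $sub
            Technique   = $PersistenceEvents[$id].Technique
        }
    }
}

function Find-PersistenceEvents {
    # Pull only the events of interest written after $Since (the same ID-plus-timestamp
    # filter the talk applies) and tag each one with the technique it maps to.
    param([Parameter(Mandatory)][datetime]$Since)
    $filter = @{
        LogName   = 'Security'
        Id        = @($PersistenceEvents.Keys)
        StartTime = $Since
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as empty.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Technique   = $PersistenceEvents[$e.Id].Technique
            Summary     = ($e.Message -split "`r?`n")[0]
        }
    }
}

# Usage: confirm coverage first, then look back over the last 30 minutes.
Test-AuditCoverage | Format-Table -AutoSize
Find-PersistenceEvents -Since (Get-Date).AddMinutes(-30) | Format-Table -AutoSize
```

Run Test-AuditCoverage before an emulation and again after cleanup: the talk's tool resets the subcategory to No Auditing when it was off beforehand, so a host that looked covered during the run can be blind again afterwards. The subcategory names are the English ones auditpol prints; on a localized Windows build they differ, and the coverage check would then report Unknown rather than the real setting.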