Hello, NorthSec. Welcome to this talk, the last talk of the day: Full Circle Detection, From Hunting to Actionable Detection. I hope that you enjoyed your day, and I also hope that you will join us for the panel on detection engineering right after this talk.

We'll start with a little bit about me. My name is Mathieu Saulnier. I'm a Senior Manager, Incident Response at Syntax Systems. I'm also a core mentor for the DEF CON Blue Team Village. I specialize in threat hunting and adversary detection. I love to give talks, and I've had the honor to do so at DerbyCon, Blue Team Village, NorthSec (this is my second year), SecTor, a few BSides, and very soon I'll also be at the SANS DFIR Summit. You can find me, or follow me, on Twitter if you're interested, at ScoobyMTL. Now let's jump into the subject, because we have a lot of things to cover today.

So here is the process that we're going to go through today. This is what I call Full Circle Detection, and it starts with the idea of what you want to detect. After that you will need to generate those events. You will need to build your detection. You should share your detection with the community, because sharing is caring. Then we're going to go into how you can do some continuous testing of your new and shiny detection. After that we're going to talk about building incident response playbooks. And finally, how you can train your analysts. So without further ado, we'll jump right into the subject. This is a small slide, so it gives me time to drink water unnoticed.

So we'll start with the idea, or, when we do threat hunting, what we call the hypothesis. There are a ton of places where you can get ideas for detection. There is of course the MITRE ATT&CK framework; that's one of the good places to start. But other than that, for narrower things or newer things that come out, there's Twitter, which is my favorite place to look because it's so dynamic.
As long as you follow the right people, you'll have information on detection ideas coming pretty much daily. There are also communities like Slack: the BloodHound Slack, and for those who've seen my other talk, this is the only time I will mention BloodHound in this talk, but it's not only a great tool, it's also a great community. There's also the threat hunting Slack, and of course a lot of communities have now moved to Discord: there's the TrustedSec Discord, the Black Hills InfoSec Discord, the Blue Team Village Discord, and of course now also the NorthSec Discord, which I hope we'll use to share things for our community as well. Some people prefer to read InfoSec news sites such as The Hacker News or BleepingComputer; that's also a good source. I mean, anything really, but again my favorite is Twitter.

So for this talk I'm going to take one example. Our idea will be a blog post from MDSec called A Fresh Outlook on Mail Based Persistence. If you haven't read this article, here's the link. It is a great article by Dominic Chell, and the TL;DR for this article is that, as a user, you can create a macro or persistence via email, or via Outlook I should say, and then when you receive an email with some specific keywords, some actions will be performed via VB script. That's what we're going to use. So here's how it looks: this is the VbaProject.OTM file, and here's the sample code that we used in our testing. Well, actually, sorry, it's not only from our testing, it's also in the article; this is a copy from the article. As you can see, just a little bit below the middle here, you see InStr: if the subject of the email is MDSEC, then you'll pop a box, let's say "active planet", and you will also pop calc. In our test it actually bypassed our EDR, and we did see the message box and calc pop. In the article, at the bottom, they also talk about detection. So there are two key things that you need to look for to detect this method.
The first one is monitoring for the creation or modification of the file VbaProject.OTM in AppData\Microsoft\Outlook, and by doing this research, or testing this thing, I noticed that there's a slight mistake in the MDSec blog post, because the Roaming part is actually included in %APPDATA%. I contacted them; they said thank you, but last time I checked it was still not modified. So that's another reason why you should always test your things and not just blindly apply what other people assume. This is Sysmon Event ID 11. We can also monitor for change or creation events to this registry key here, which is Outlook\Security. Depending on the Level, it is activated or almost disabled, so you can run the macro without any user warning or input. You can look for that in Sysmon; for us, our EDR adds these events as well, so we could locate those events right in our EDR when we performed our test.

So when you do your hunting you will not always find the events that you're looking for, and in fact we actually hope that we don't find the events that we're looking for, because that would mean that we are probably compromised. So how can you generate these events at will? Well, there's a framework called Atomic Red Team, and this is the URL that will allow you to do just that, because it's also not practical to run these things manually over and over again to test everything. So we're going to use that framework, and if you like what you see here about Atomic Red Team, there's a workshop tomorrow, and I think there are still seats, so you can register if you want to learn more. But let's jump into this: this is how to build an Atomic Red Team test. This is a test that existed before; as you can see, it's a YAML file and it has a few fields, but the most interesting ones, I believe, are the last ones, in the executor: the command. This one here says that we're going to add a registry key, and then the value that we want to add.
Then in the cleanup command we can delete the registry key that we just created. So we're going to use that as the skeleton to build a detection for our own technique. Of course we changed the ATT&CK ID at the top, but again I'm going to go straight to the command part. Here we are adding a registry key of type DWORD with the value 4, and you can see that just below the command line. And we're also going to create, if the file does not exist, sorry, if the directory does not exist, the Microsoft\Outlook directory, and then we're going to echo "Atomic Red Team test" into the file VbaProject.OTM. This will of course create a file that cannot be run, but here we're not really interested in creating a real C2; we're just creating the behavior of that file being created or modified. And then our cleanup command, because we don't want to leave these things here: we're going to delete our registry key, and we're going to delete our OTM file as well. These Atomic Red Team tests should usually be run on non-production servers or dedicated servers for testing, so that's something important to note. So as you can see it's very easy: you start from a skeleton, you just put in the command that you would run in cmd or in PowerShell, and your test is built. So this one is for, yeah, I think I put them together now in one go; that was just the VB, the OTM portion of it. Now once you have this and you can successfully detect your action, you will need to convert that hunting that you just did into a detection.
We're going to follow Google's "hunt once" mantra, meaning that we don't want to do our hunt every day, every week or every month; we want the hunt to be performed automatically, and we want to create either an alert, a dashboard or a report. An alert is a ticket, but here you need to know that not all detections are alert worthy, and here, for those who are a bit of a Marvel geek, we have Thor: worthy. I hope you get the reference. This is also the step where we will refine and optimize the query, because, in a large environment at least, it's not really the job of the threat hunter to come up with the perfect query and the most efficient query. You might have some specialists to build more performant queries as well, and this is the step where you would do that.

Now once you have your detection built, it's time to share it with the community, and again there's an open source project for that called Sigma. This is where you can share your detection logic. And I can hear some people say, "oh, but I cannot share this, it is intellectual property," and this is where I think you are wrong. This is not your intellectual property; if anything, it's MDSec's intellectual property in this case, because they actually provided the detection methodology for you. So the only thing that you're doing is helping other corporations that don't have the same security team, or the same power in their security team, to do what you guys are doing. So by sharing with the community you are actually helping some companies that rely on Sigma to detect some threat actors. And there's maybe just one thing: you can share the exclusions as well. If your detection triggers on things that are normal, for example in Windows, you can include that there, because this is generic. But if it's more about your own organization, for example if your security product triggered the detection and you whitelisted it, that you might
not want to share, because now you're kind of telling people what security product you're using. So that's where I draw the line: the generic things, what happens at the OS level, you should share the exclusions; on the other hand, you should keep anything that is more private, or intellectual property, or call it as you will, private.

Creating a Sigma rule is not very different from creating an ART test. On the left here we have an existing Sigma rule, which is to test the application startup in Office, and I edited that and made my own signature. As you can see it's almost similar, and what's interesting here is the detection part, of course. We see that we are selecting our registry key, and we are looking for what it contains, or the modification of it. These tests, and same thing for the ART test, I mean, this took me like five minutes to build, and I think that the hardest part was to actually figure out how to build the ID, and I had to read the documentation for that. And you know, we don't really read the documentation, right? Why spend five minutes reading the documentation when we can develop for six hours? Here's a bigger view of the same rule, because I'm just used to presenting on big screens, but now I think you can read it. Again, we're going to look at the second part here, which is the file creation. So again, on the left you have the detection that was there for SafetyKatz, and on the right you have our rule, and we're looking for the creation or modification of our VbaProject.OTM file. Again, maybe two minutes building this: changing the name, changing the description and all the things. And I pushed those two rules to Sigma, and also that ART script to Atomic Red Team; they were both accepted. So today, if you're using ART or if you're using Sigma, you actually have this built in right now, so you would detect this technique, and you can test if your defense actually detects when those things are created. This is again a closer look at
the same rule, and here is a little bit of a pro tip: when you've built a Sigma rule, you can use uncoder.io to convert your Sigma rule into a search string for your SIEM. So here you see the Elastic equivalent of what we have, so it's kind of funny to see that 23 lines of code are converted into a very short, one-sentence thing, but that's a little bit how the animal works; there are a lot of things that go around it. You can see also on the top here that you can look for other SIEMs as well, like Splunk, QRadar, ArcSight is in there, you can look at ElastAlert and a lot of other formats. So it's very useful to convert and make sure that everything works, and you can try this in your own path; you can adjust, of course. Here you can test this string on your SIEM, and you need to adjust the fields sometimes, because you might not call it file.path in your environment.

Now that you have a way to test and a way to detect, it's time to make sure that your full detection pipeline is working properly. So we want to make sure that once an event happens on the host, it creates the ticket, or it shows in the report or in the dashboard. So one thing that you should do is run your Atomic Red Team tests often. The easiest way to do that is to use scheduled tasks on Windows or cron jobs on Linux systems; if you are more advanced you can use Docker and CI/CD pipelines that you would run every night or something like that. You should also put the source system or systems in your allow or ignore list, because you don't want to create tickets for your analysts; nobody wants to close hundreds of tickets every morning for each detection. And you should also send that to a test queue, and not to the real incident queue or the live queue. And yeah, the last thing is that you also need something that will validate that those tickets were created.

Now the incident response playbook. So just to make sure that we are all talking about the same thing: for me an incident response playbook is a step by step for your SOC analyst; in this case we're
talking about a business email compromise incident response playbook, or BEC. Right now I know of two open source frameworks that help you build incident response playbooks. There's the RE&CT project that you can find on GitHub at this address. It's built by the same people who run the OSCD project, which built detections, pushed Atomic Red Team tests and pushed Sigma rules as well, so very close to what I'm presenting here today. Awesome job by these guys, by the way. They made building blocks, pretty much, so they are more at the procedure level. So they would tell you, for example, if you want to get a pcap: at the process level you'd say "get pcap"; at the procedure level you'd say how to get a pcap in product X, how to get a pcap in product B. There will also be, very soon, released in July at the SANS DFIR Summit, our own playbook, the Syntax playbook, and it's more at the process level. It's built on draw.io, which is an open source version or equivalent of Visio, and we also have a wiki and text pages. Yeah, process level, I said that, and we put the procedures more in the micro plays, and we call them micro plays, so very little things. So again, what you're going to see in this project is more the big steps, like "get the pcap", but you won't get how to get the pcap in your specific product; that you can look up in RE&CT, and we're actually talking about maybe merging the two projects together at some point.

Now you've put a lot of effort into building all of that; you now need to train your analysts, because it's not because one of your team members has become an expert in this type of C2 thing that everyone in your SOC is now an expert also. We know that in the SOC there's a lot of rotation of employees: people get promoted, they get in, they get out, so you usually have a big movement in most SOCs. So it's important that the training is easy to consume. I really like to do a video and a PowerPoint to support that, but of course when
you're in an incident, you don't really have time to go through a video in order to understand the attack. So you also need some type of information within the wiki that you can quickly grab and quickly understand what's happening. But the video is very good for new employees, or when you release a new detection.

As a little bonus, you can start automating when you are here. You can use SOAR, security orchestration, automation and response, and there are again two open source SOARs that I know of: one is called Shuffle, the other one is WALKOFF, by our friends at the NSA. And the type of things that you can start automating, the easiest one, is probably a VirusTotal API call. I think in all the SOCs that I know, one of the first things they do when they receive a file hash, an IP address, a file name, is that they go to VirusTotal and they search for it. You can automate that; you can have that information pulled and already ready in your ticket, and just see everything, and you don't need to do that thing all over again every time. For IP addresses, GreyNoise, which is kind of a reverse threat intel feed, is also something very interesting, and for anything email related, Spamhaus is a good place to start as well.

So with that, it concludes my talk. They told me I was not able to do the talk in 25 minutes, and here I am sitting at 22 minutes, so I think challenge accepted and challenge complete, if you will. And so this picture is a little bit what I feel represents how we, the defenders, can actually stand up to the red team. If we unite we are bigger; we far outnumber them, and yet in most cases I feel that we are always trying to catch up with them, because they share a lot together, all the tools, the methodology; they share a lot more than the defenders do. So this is my call to you to share more things with other blue teamers. Again, my name is Mathieu Saulnier, you can find me on Twitter at ScoobyMTL. I
hope you have enjoyed the talk. I hope that if you are interested in this subject you'll join the workshop tomorrow, and also that you'll join us in a few minutes for the live panel. Thank you very much and have a great day.
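As an added example (not the speaker's code, and not the Sigma rules or the Atomic Red Team test mentioned in the talk), here is the two-part detection logic the talk describes, VbaProject.OTM creation under %APPDATA%\Microsoft\Outlook and changes to the Outlook\Security\Level value, written in Python and run over constructed Sysmon-style records (Event ID 11 FileCreate and Event ID 13 RegistryEvent SetValue). It also applies the continuous-testing advice from the talk: findings from the hosts that run the scheduled Atomic tests are routed to a test queue instead of the live incident queue. The sample events, the hostname art-runner01, the severity mapping and the reading of the Level values (1 = run all macros without a prompt) are assumptions made for this example; only the field names follow Sysmon's own.

```python
import re
from dataclasses import dataclass

# Suffixes compared case-insensitively, like Sigma's `endswith` modifier.
OTM_SUFFIX = r"\microsoft\outlook\vbaproject.otm"
LEVEL_SUFFIX = r"\outlook\security\level"

# Assumed meaning of Outlook's Trust Center "Level" DWORD. Value 1 lets the
# VbaProject.OTM macro run with no user prompt, which the technique needs.
MACRO_LEVELS = {
    1: "Enable all macros (no prompt)",
    2: "Notifications for digitally signed macros only",
    3: "Notifications for all macros",
    4: "Disable all macros without notification",
}

# Assumed hostnames of the systems that run the scheduled Atomic tests.
TEST_HOSTS = {"art-runner01"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    host: str
    queue: str      # "incident" for real hosts, "test" for the ART runners
    evidence: str


def parse_dword(details: str):
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000001)'; return the int or None."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]{8})\)", details.strip())
    return int(m.group(1), 16) if m else None


def detect_otm_creation(ev):
    """Sysmon EID 11: any process creating/overwriting VbaProject.OTM."""
    if ev.get("EventID") != 11:
        return None
    if not ev.get("TargetFilename", "").lower().endswith(OTM_SUFFIX):
        return None
    return ("Outlook VbaProject.OTM created or modified", "high",
            f"{ev['Image']} wrote {ev['TargetFilename']}")


def detect_security_level(ev):
    """Sysmon EID 13: the Outlook macro security Level value being set."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    if not ev.get("TargetObject", "").lower().endswith(LEVEL_SUFFIX):
        return None
    level = parse_dword(ev.get("Details", ""))
    meaning = MACRO_LEVELS.get(level, "unknown value")
    severity = "high" if level == 1 else "medium"  # assumed mapping
    return ("Outlook macro security level changed", severity,
            f"{ev['Image']} set Level={level} ({meaning}) on {ev['TargetObject']}")


RULES = (detect_otm_creation, detect_security_level)


def run_detections(events, test_hosts=TEST_HOSTS):
    """Apply every rule to every event; route test-host hits to the test queue."""
    findings = []
    for ev in events:
        host = ev.get("Computer", "?")
        queue = "test" if host in test_hosts else "incident"
        for rule in RULES:
            hit = rule(ev)
            if hit:
                name, severity, evidence = hit
                findings.append(Finding(name, severity, host, queue, evidence))
    return findings


# Constructed sample telemetry (not real logs). A fake SID stands in for HKCU.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "ws-alice", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    {"EventID": 13, "EventType": "SetValue", "Computer": "ws-alice",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Software\Microsoft\Office\16.0\Outlook\Security\Level",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 11, "Computer": "ws-alice",  # benign Outlook write, no hit
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\alice@example.com.xml"},
    {"EventID": 11, "Computer": "art-runner01", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\art\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    {"EventID": 13, "EventType": "SetValue", "Computer": "ws-bob",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Software\Microsoft\Office\16.0\Outlook\Security\Level",
     "Details": "DWORD (0x00000003)"},
    {"EventID": 13, "EventType": "SetValue", "Computer": "ws-bob",  # unrelated key, no hit
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SID + r"\Software\Microsoft\Office\16.0\Outlook\Preferences\NewmailDesktopAlerts",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.queue}] {f.severity:6} {f.host:13} {f.rule}: {f.evidence}")
```

The OTM rule deliberately does not filter on the writing process: Outlook itself saves the file when a user edits macros, so the exclusion the talk mentions sharing (a benign parent such as OUTLOOK.EXE) is a tuning decision for your environment, not something the generic rule should bake in. In a real pipeline the `queue` field is what keeps the nightly Atomic run out of the analysts' live incident queue while still proving the rule fired.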