1. Introduction
Now we want to test our defenses. This is called Purple Teaming. Learn more about it in this challenge.
Red and blue teaming are well established concepts in information security, but recent years have given rise to a new, collaborative approach – purple teaming.
2. Tasks
- Use Atomic Red Team and identify 5 gaps in the detection on your endpoint (you can also use your findings from lab4)
- Improve the detection by writing rules for these gaps.
The ATT&CK categories are free of choice, but make sure the sensor data you need is actually collected (e.g. exfiltration might not be a good choice, as we do not have network logs), so take your time to find a category that fits.
3. Solutions
RDP Bruteforce Detection (from LAB3)
(Added RDP port 3389 for better detection)
sequence with maxspan=10m
  [any where event.action like~ "logon-failed" and destination.port == 3389]
  [any where event.action like~ "logon-failed" and destination.port == 3389]
  [any where event.action like~ "logon-failed" and destination.port == 3389]
  [any where event.action like~ "logon-failed" and destination.port == 3389]
  [any where event.action like~ "logon-failed" and destination.port == 3389]
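To see how a `sequence with maxspan` rule like the one above behaves on a stream of events, here is an added Python approximation of the sequence matcher run over constructed Windows logon events (example code, not part of the lab or of Elastic; the simplified engine, the per-host join on `host.id`, and the sample events are assumptions):

```python
from datetime import datetime, timedelta

# Simplified evaluator for an EQL-style "sequence with maxspan=... by <key>".
# Stages are predicates over event dicts. A sequence completes when the stages
# match in order, every event shares the join-key value, and the last event
# falls within maxspan of the first. This approximates Elastic's sequence
# engine in order to reason about a rule; it is not a replacement for it.
def match_sequence(events, stages, maxspan, join_key):
    events = sorted(events, key=lambda e: e["@timestamp"])
    pending = {}      # join value -> partially matched stage lists
    completed = []
    for ev in events:
        key = ev.get(join_key)
        kept = []
        for partial in pending.get(key, []):
            if ev["@timestamp"] - partial[0]["@timestamp"] > maxspan:
                continue                       # maxspan exceeded: drop it
            if stages[len(partial)](ev):
                partial = partial + [ev]       # advance to the next stage
                if len(partial) == len(stages):
                    completed.append(partial)  # all stages matched
                    continue
            kept.append(partial)
        if stages[0](ev):
            kept.append([ev])                  # any stage-1 match may start a sequence
        pending[key] = kept
    return completed

# Equivalent of: any where event.action like~ "logon-failed" and destination.port == 3389
# (like~ without wildcards is just a case-insensitive string comparison)
def failed_rdp_logon(ev):
    return (str(ev.get("event.action", "")).lower() == "logon-failed"
            and ev.get("destination.port") == 3389)

RDP_BRUTEFORCE = [failed_rdp_logon] * 5   # the rule repeats this stage five times

def rdp_bruteforce_hits(events):
    # per-host join is an assumption here; the lab rule has no "by" clause
    return match_sequence(events, RDP_BRUTEFORCE, timedelta(minutes=10), "host.id")

BASE = datetime(2024, 1, 1, 12, 0, 0)   # start of the constructed timeline

def _ev(host, minute, port=3389, action="logon-failed"):
    # constructed sample event, not real telemetry
    return {"@timestamp": BASE + timedelta(minutes=minute), "host.id": host,
            "event.action": action, "destination.port": port}

SAMPLE_EVENTS = (
    [_ev("host-A", m) for m in (0, 1, 2, 3, 4)]        # five failures in four minutes
    + [_ev("host-A", 2.5, port=445)]                    # failure on another port, ignored
    + [_ev("host-B", m) for m in (0, 7, 14, 21, 28)]    # five failures spread over 28 minutes
)
```

Running `rdp_bruteforce_hits(SAMPLE_EVENTS)` yields one hit for host-A and none for host-B, which is exactly the difference the `maxspan=10m` window makes.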
Monitor local Administrators Group (from LAB3)
(Optimized for English, German and French)
sequence with maxspan=5m
  [iam where event.action == "added-user-account"]
  // one stage that accepts any of the three localized group names; chaining six
  // stages would require all three group additions to happen in order
  [iam where event.action == "added-member-to-group" and
   user.target.group.name in~ ("Administrators", "Administratoren", "Administrateurs")]
T1197 Bitsadmin Detection (from LAB4)
process where process.parent.name: ("cmd.exe","powershell.exe") and
process.name: "bitsadmin.exe" and process.args: ("/transfer", "Download", "https://*","http://*")
T1222.001 – Windows File and Directory Permissions Modification (from LAB4)
sequence
[process where process.name:("takeown.exe") and process.args in ("C:\\Windows\\System32\\sethc.exe")]
[process where process.name:("icacls.exe") and process.args in ("C:\\Windows\\System32\\sethc.exe")]
[process where process.name:("cmd.exe") and process.args:("*copy*cmd.exe*")]
T1053.002 – Alternative Hunt for Scheduled Task creation (from LAB4)
Both schtasks.exe and direct usage of a custom implementation will cause a process to load the Task Scheduler COM API (taskschd.dll), followed by an outbound network connection where both the source.port and the destination.port are equal to or greater than the RPC dynamic port range (49152 to 65535) and from the same process.entity_id, which can be translated to this EQL query:
sequence by host.id, process.entity_id with maxspan=30s
  [library where dll.pe.original_file_name : "taskschd.dll"]
  [network where network.direction == "outgoing" and destination.port >= 49152 and
   source.port >= 49152 and destination.address not in ("127.0.0.1", "::1")]
Optimized rules for Lateral Movement Detection
This hunt will check the following patterns:
- Execution of a command interpreter with a process.args keyword array related to file copy (copy, move) and a hidden file share (prefixed by a $ sign, such as c$ or admin$)
- Staging data from a shadow copy volume (often associated with credential access via staging of NTDS.dit or the Registry SAM key to access stored account password hashes)
process where event.type == "start" and
process.name: ("cmd.exe", "powershell.exe", "robocopy.exe", "xcopy.exe") and
process.args: ("copy*", "xcopy*", "move*", "cp", "mv") and   // "copy*" covers cmd.exe's built-in copy, which "xcopy*" alone would miss
process.args: ("*$*", "*HarddiskVolumeShadowCopy*")
The second hunt looks for an incoming remote network event to tcp port 445 (SMB) followed by immediate file creation or modification (can be limited to executable file extension to reduce false positives) and both events are performed by the same (process.entity_id) virtual System process.
Note:
All files copied via server message block (SMB) are represented by a file creation event by the virtual process System (always has a static process.pid value equal to 4 and represents the Windows kernel code and loaded kernel mode drivers)
sequence by host.id with maxspan=30s
[network where event.type == "start" and process.pid == 4 and destination.port == 445 and
network.direction == "incoming" and network.transport == "tcp" and
source.address != "127.0.0.1" and source.address != "::1"
] by process.entity_id
[file where event.type in ("creation", "change") and process.pid == 4] by process.entity_id
4. Further Readings
Great inspiration and useful EQL examples can be found here:
https://www.elastic.co/de/blog/hunting-for-lateral-movement-using-event-query-language