Adversary Tactics - Tradecraft Analysis

Course Summary
Knowledgeable detection engineers and red team operators know that while there are many effective products, all of them have gaps that can be exploited by a sophisticated adversary. A mature security program must continuously test and enhance product detection configurations to have an effective response capability. Unfortunately, such programs often run into a number of limitations, most stemming from a lack of understanding of the:
- Attack technique itself
- Telemetry used for each detection
- Effectiveness of the detection
The result is often blind spots in detection and response capabilities, an ineffective detection strategy, and a false sense of security in the organization's ability to respond to advanced threat actors.
When simulating sophisticated attacks, red team operators need to truly understand how a given technique works, the telemetry and artifacts it generates, and the strategies and biases a defender might apply to detect it. How organizations may respond to attackers is crucial in red team attack planning, technique selection, and evasion.
In Adversary Tactics: Tradecraft Analysis, we present and apply a general tradecraft analysis methodology for offensive TTPs, focused on Windows components. We discuss Windows attack techniques and learn to deconstruct how they work under the hood. For each technique, we identify the layers of telemetry sources and learn to recognize potential detection choke points. The course culminates with participants creating their own evasion and detection strategy for a technique.
You will be able to use the knowledge gained both to turn your telemetry into robust detection coverage across your organization and to truly assess the efficacy of that coverage. Whether you are a red team operator or a detection engineer, you will come away with a comprehensive understanding of several attack chains. Red team operators will learn an approach to analyzing their own tools, gain a better understanding of which techniques to select to evade detection, and be able to explain to defenders why an evasion succeeded. Detection engineers will learn how to craft a strategy for robust detections that better detect families of attacks.
Course Syllabus
Day 1:
- Attack and Detection Strategies
- Native PsExec Overview
- Tradecraft Analysis Process
- Capability Identification
- Capability Deconstruction
- IPC Mechanisms
Day 2:
- Securable Objects
- Identifying Choke Points
- Telemetry Source Identification
- How EDR Tools Work
- Organic Logging
- SACLs
- Function Hooking
- Kernel Callback Functions
- ETW
Day 3:
- Operationalizing Telemetry
- Understanding Attacker Controlled Fields
- Operationalizing Detection Research
- Operationalizing Evasion Research
- Understanding the Triage, Investigation, and Remediation Process
- Evading the Response Process
- Documentation and Evaluation Metrics
- Detection Documentation
- Evasion Documentation
Day 4:
- Capstone Exercise
Recommended Reading
Important
After reading the material, use the following resources to prepare for your specific delivery:
OS Internals
A foundational skill to detection and evasion work is operating system internals. It is important for analysts to understand the components of the operating system and how different tools interact with those components. These concepts will be built on throughout the course to understand the different layers involved in each attack.
- Jonathan Johnson’s RPC for Detection Engineers Paper
- Matt Hand’s Driver Reversing Post
- Roberto Rodriguez’s RPC via NtObjectManager Post
- Carsten Sandker’s Offensive Windows IPC
Detection
Detection engineering is a complicated topic that often requires systematic decision making and a careful balance. If a detection is too sensitive, the monitoring team will be inundated with false positives, wasting time and risking burnout. If the detection rule is too specific, evasion becomes trivial for the attacker. These posts provide a good starting perspective for a discussion of how to achieve a more balanced approach to detection as a whole.
Evasion
An evasion engineer's goal is to conduct their operation while avoiding preventive and, where possible, detective controls. To do this, it is important to understand which aspects of the attack the attacker controls. These posts provide a foundation for the considerations evasion engineers weigh when making tradecraft decisions.
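The two points above, a detection that is too broad or too specific and the attacker's control over certain fields of an attack, can be seen side by side on one of the syllabus topics, native PsExec. The following is an added example written for this page, not course material or SpecterOps code. It runs three candidate rules over constructed records modelled on the fields of Windows System log EventID 7045 ("A service was installed in the system"); the event values, the rule names, and the assumption that PsExec's drop location (the ADMIN$ share root), demand-start type, and LocalSystem account survive a service rename (PsExec -r) are assumptions of the example rather than facts stated on this page.

```python
import re

# Constructed sample events modelled on the fields of Windows System log
# EventID 7045 ("A service was installed in the system"). All values are
# made up for this example.
SAMPLE_EVENTS = [
    # Unmodified PsExec: well-known service name, binary copied to the
    # ADMIN$ share root (%SystemRoot%), demand start, LocalSystem.
    {"event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "start_type": "demand start", "account": "LocalSystem"},
    # Same technique, service renamed by the operator (PsExec -r). Assumption:
    # the name and binary name change, the drop location and start type do not.
    {"event_id": 7045, "service_name": "WinHelperSvc",
     "image_path": r"%SystemRoot%\WinHelperSvc.exe",
     "start_type": "demand start", "account": "LocalSystem"},
    # Benign installer placing an auto-start service under Program Files.
    {"event_id": 7045, "service_name": "VendorAgent",
     "image_path": r"C:\Program Files\Vendor\agent.exe",
     "start_type": "auto start", "account": "LocalSystem"},
    # Benign component living under System32, not the system root itself.
    {"event_id": 7045, "service_name": "DiagSvc",
     "image_path": r"%SystemRoot%\System32\diagsvc.exe",
     "start_type": "auto start", "account": "LocalService"},
]

# Ground truth for the constructed data set.
MALICIOUS = {"PSEXESVC", "WinHelperSvc"}


def rule_too_broad(events):
    """Alert on every service installation. Catches both PsExec events but
    also both benign installs, so the analyst queue fills with noise."""
    return [e["service_name"] for e in events if e["event_id"] == 7045]


def rule_too_specific(events):
    """Alert only on the default PsExec service name. The name is an
    attacker-controlled field, so the renamed instance is missed."""
    return [e["service_name"] for e in events
            if e["event_id"] == 7045
            and e["service_name"].upper() == "PSEXESVC"]


# A binary sitting directly in the system root (one path component after
# %SystemRoot% or C:\Windows), not in a subdirectory such as System32.
_SYSROOT_ROOT = re.compile(r"^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$",
                           re.IGNORECASE)


def rule_behavioural(events):
    """Alert on a demand-start service whose binary sits directly in the
    system root and runs as LocalSystem. Assumption of this example: those
    properties follow from how PsExec operates rather than from a field the
    operator sets, so renaming the service does not change them."""
    return [e["service_name"] for e in events
            if e["event_id"] == 7045
            and e["start_type"] == "demand start"
            and e["account"] == "LocalSystem"
            and _SYSROOT_ROOT.match(e["image_path"])]


def evaluate(rule, events, truly_malicious):
    """Return (true positives, false positives, false negatives) for a rule."""
    flagged = set(rule(events))
    return (len(flagged & truly_malicious),
            len(flagged - truly_malicious),
            len(truly_malicious - flagged))


if __name__ == "__main__":
    for rule in (rule_too_broad, rule_too_specific, rule_behavioural):
        tp, fp, fn = evaluate(rule, SAMPLE_EVENTS, MALICIOUS)
        print(f"{rule.__name__:18s} TP={tp} FP={fp} FN={fn}")
```

The broad rule scores TP=2 FP=2 FN=0, the name-based rule TP=1 FP=0 FN=1, and the behavioural rule TP=2 FP=0 FN=0 on this data. The behavioural rule is not a silver bullet: an operator who moves the binary or changes the start type with a different tool steps outside its assumptions, which is exactly the kind of choke-point reasoning the course asks you to document for each rule.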
Telemetry Generation
Telemetry is how analysts perceive actions (good or bad) within the enterprise. Without this information it is impossible to detect attacks at any scale. With that said, not all telemetry is created equal. Events can be generated or captured using many methods, each with its own tradeoffs. These articles and presentations will help set the stage for understanding how sensors capture telemetry and what the consequences of those approaches are.
- Dane Stuckey’s System Access Control List Post
- Palantir’s Event Tracing for Windows Post
- Jonathan Johnson’s Mapping Sysmon Events to APIs
- Nick Landers' Understanding Modern EDR Tools Presentation
- Matt Graeber and Lee Christensen’s Subverting Sysmon
These posts discuss foundational concepts that will help prepare you for the course content.