(Intermediate) Indicators of Emulation

  • aNullValue
    Moderator
    • Jun 2019
    • 584

    #1


    Title: (Intermediate) Indicators of Emulation

    Description:
    Cyber threat intelligence, in the past, has primarily focused on extracting, preparing, and analyzing indicators of compromise for digital forensics and incident response, the security operations center, and other teams. This talk proposes that cyber threat intelligence analysts extract indicators of emulation and include them in their threat reports for red team operations, adversary emulation, and purple team exercises. Learn how to extract Indicators of Emulation in Windows-based malware for high-value adversary emulation and purple team exercises based upon org-specific data.

    Cyber threat intelligence plays a pivotal role in collecting and analyzing data to produce intelligence for an organization. Most of the cyber threat intelligence reports include indicators of compromise that various teams, such as incident response, hunt, and security operations, consume; however, there is limited intelligence in most threat reports geared towards adversary emulation. There is a lack of research or information regarding indicators related to emulating an attacker’s malware, mainly Windows-based malware. As cyber threat intel teams mature through using their internal attack data to produce intelligence, it becomes necessary to determine how to build out existing capabilities and provide additional value to other teams in the organization. Cyber threat intelligence analysts can contribute to adversary emulation exercises through extracting indicators of emulation to include in their threat intelligence reports for a realistic emulation of the adversary.
    Here’s what I plan to show the audience how to do, step by step and with a pre-recorded demo:
    - Audit log setup for a Win10 VM
    - Disable Windows Defender SmartScreen before downloading samples
    - Create custom “test” malware to ensure command-line audit logging is set up properly (blue teamers popping calc with a custom compiled program made in C++)
    - Walk through how I picked samples from URLhaus so they can practice at home or use their own org’s samples
    - Walk through what I looked for in the command line
    - Discussion of where I am at in the research
    - Ideas/suggestions on how to package the Indicators of Emulation for Adversary Emulation, Red Teams, and Purple Exercises
    ***I will document everything very well and include it in my presentation as a resource. I only need 15 minutes.

    Speaker(s): Ch33r10

    Location: Blue Team Vlg / Blue Team Vlg - Talks Track 1

    Discord: https://discord.com/channels/7082082...54317658734613

    Event starts: 2020-08-07 15:00 (03:00 PM) PDT (UTC -07:00)

    Event ends: 2020-08-07 15:30 (03:30 PM) PDT (UTC -07:00)

    For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-02T22:56 (UTC).
    Last edited by aNullValue; August 2, 2020, 17:46.
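The first steps of the plan above (set up audit logging on the Win10 VM, then confirm with a harmless test program that command lines are actually being recorded) can be scripted. The following is an added example, not the speaker's material or anything from the talk: it enables process-creation auditing with command-line capture on a lab VM and verifies it by launching a benign, uniquely tagged process instead of a compiled sample. It assumes an elevated PowerShell session on a non-domain-joined VM (so no GPO overrides the local audit policy); the marker string and the five-minute lookback window are choices made for this example.

```powershell
# Added example (not from the talk or its author): enable command-line process-creation
# auditing on a Windows 10 lab VM and verify it with a benign test process.
# Assumptions: elevated PowerShell; VM is not domain-joined, so no GPO overrides local policy.

# 1. Audit "Process Creation" (Security event 4688) for success and failure.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# 2. Include the full command line in 4688 events (off by default).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Launch a benign, uniquely tagged test process (stand-in for the "pop calc" test binary).
$marker = "IoE-audit-check-$([guid]::NewGuid().ToString('N').Substring(0, 8))"   # constructed marker
Start-Process -FilePath 'cmd.exe' -ArgumentList "/c echo $marker" -WindowStyle Hidden -Wait

# 4. Look for the marker in recent 4688 events; if it is missing, command-line logging is not working.
Start-Sleep -Seconds 2
$hit = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue |
       Where-Object { $_.Message -match [regex]::Escape($marker) } |
       Select-Object -First 1

if ($hit) {
    "OK: 4688 with command line captured at $($hit.TimeCreated)"
    # These are the 4688 fields the talk mines for indicators of emulation.
    ($hit.Message -split "`r?`n") | Where-Object { $_ -match 'New Process Name|Creator Process Name|Process Command Line' }
} else {
    "FAIL: no 4688 event containing '$marker' - check the auditpol subcategory and the registry value above"
}
```

If the check fails on a domain-joined machine, the local `auditpol` and registry settings are usually being overwritten by Group Policy (Advanced Audit Policy Configuration and the "Include command line in process creation events" setting), which is why the example assumes a stand-alone lab VM.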