
Building Your MS Sentinel Attacks: Simulating MITRE ATT&CK Techniques In Azure

BSides Leeds 2024, published 2025-08

Hello everyone and good afternoon to my talk. I'm speaking on the Microsoft Sentinel attack range. Just a little bit about myself. I've been in the industry for over 4 years and I've worked in various sectors, from finance and consulting to healthcare. I came through as a SOC analyst, normal first line of the queue working tickets, and if you've been in that you know what it is in terms of alert fatigue, continual escalation, and also being under pressure to raise out a ticket to the customer fast. So I know what it is like being thrown into a SOC environment without having the cues of what you're seeing; you see different kinds of threats you're not so used to, that you've not seen before. And that was one of the reasons why I built what they call the Microsoft Sentinel attack range. What this is going to do is give analysts a realistic environment where they can run attacks and also triage, trying to bridge the gap between the blue team and the red team. I presently work at acetate as a security engineer, Microsoft specialist, helping customers make best use of Microsoft Sentinel. I created the Microsoft Sentinel attack range and I focus on detection engineering, automation and SOC optimization. And just a side note, this is my first time speaking publicly, so we can test it. Thank you.

The problems: how do we validate detection rules before an actual attack really happens? Most organizations don't have the capability. Most of their detections are just theoretical detections; there's no way to measure rule effectiveness. Meaning if you just create a rule out of your own head, based on an article, but without running a real attack, you don't know if that rule is effective or not. There's been a time where I created a rule and I ran an attack and the rule went silent without generating any alert. So trying to stop those kinds of loopholes, trying to move those kinds of rules to production, is what the Sentinel attack range is going to help you with. Production testing is risky and destructive. Also SOCs need a realistic training environment. The detection feedback loop requires continuous testing. The current approach, from the previous slide: production testing is very risky and it can affect the business. So trying to do any of your testing in a live environment is risky and can cause a lot of consequences for the organization. Purple team exercises: this is costly and also time consuming. Not every organization has that budget. Also, even if it's going to be approved, it takes probably a couple of months to get a purple team exercise approved. And also this is done probably maybe quarterly or twice a year. So it's not going to be as often as just having a normal lab you can spin up and destroy on your own. There are generic lab environments out there; out of the box most of them make use of Splunk, but we don't have a Microsoft Sentinel focused one. Also to mention, I'll be mentioning Sentinel most times; it's not SentinelOne but Microsoft Sentinel. And manual setup: there will be a lot of inconsistency, it's hard to maintain and also time consuming as well. Trying to spin up a lab, you're not sure how many VMs you'll spin up; in the last one spinning up another one again, so there will be a lot of inconsistency.

Okay. So about what I built, which is the Microsoft Sentinel attack range: it is an open source framework, meaning anyone can make use of it for testing Sentinel detections and training analysts. So for example you could run an attack and your analysts get used to those kinds of attacks. So when they see it in real life in their production environments they're able to be familiar with those kinds of investigations. Meaning if you run an attack on a normal day and an analyst sees something they have not seen before, it could take a long time before they triage it, instead of 15 minutes; but once you've seen those kinds of attacks before, your triage time will be faster. It's fully automated and Azure native, meaning exactly what is in here is what is in your production, exactly. It's not a fake; it is exactly what you have in your production. How you set up Sentinel live in your production environment is what we are going to have here as well. It comes with about 20 preconfigured rules and also data connectors and a complete infrastructure-as-code deployment. So in this instance I made use of Terraform. Terraform is what I used to create every piece of infrastructure which is needed, and we are going to see it in a couple of slides coming soon.

Okay. So the architectural overview: Azure infrastructure, Azure VNets, network security groups, virtual machines which are going to come with extensions. AMA, the Azure Monitor Agent, is the one that's going to get all your logs from the machine; they're going to go straight to the Sentinel Log Analytics workspace. It also comes with a WinRM extension, which is going to be used to get into the environment and get it ready for Atomic Red Team to start the attack. I'm going to spin up a Windows DC, a workstation, a Kali Linux machine which is our attack machine, a Microsoft Sentinel workspace, a Log Analytics workspace, and also every possible attack simulation which you can run. So here's just a diagram overview of what our architecture looks like.

Okay. So the deployment flow. The first thing I'm going to do is just git clone the repository; don't worry, at the end of these slides you get a barcode which you can scan that will take you directly to the repository. The first thing you're going to do is just change what is in terraform.tfvars. That's just where the variables which the other modules are going to make use of live. So in there you change your passwords and also the region where you want it to be deployed into. Also, if you leave it by default, every resource that we create starts with the prefix of attack range. So you can change that to anything you like if you want. So that's just where you can change your password and also the region where you want it to be deployed to. Also ignore the allowed IP part, because once you run the attack, as I'm going to show you as well, it's going to update itself. You just have a single command to build this whole thing, a single command deployment, which is attack range build. It's going to build out the whole infrastructure, which we're going to see in the coming slides: infrastructure automatically deployed, the detection rules deployed as well, also all the data connectors, and that's all, we're ready for attack.

So attack capabilities. In here are all the available attacks you can run. It comes with over 30 plus attacks which you can run. Starting from one of the tactics, which is discovery: network scanning, credential hunting, system enumeration. Then credential access: password spraying, brute force, credential theft. Then persistence plus execution: registry keys, scheduled tasks, PowerShell techniques. And lastly evasion and impact: log clearing, time stomping, and ransomware simulation. So we've got multiple attacks which you can run just with a single command. And here comes the preview of attack sequences. So what are these sequences? Sequences are where you can run multiple types of attacks at once. So for example the recon sequence is going to run things like account discovery, process discovery, network discovery, just with one attack sequence. So it's going to run multiple attacks in one sequence. Then credential theft, persistence, and full chain. So full chain, I would say, think of it like a Netflix account where you've got seasonal movies to watch. You just pick an episode; you probably want to watch just one episode or just two episodes. But if you want to watch the full movie with all the episodes in all the seasons, that's what the full chain is going to do for you. It's going to run through every available attack you can run. And also this is not just limited to the attacks that are there. Meaning if you want to create your own attack and you want to just test it in there, you can create an attack playbook and just add it to it and you can run the attack as well. Then cross-platform: Windows and Linux attacks. So here come the available analytical rules that come by default: network scanning detection, credential access monitoring, PowerShell execution tracking, persistence mechanisms, and also cross-platform attack detection. So this is where detection engineers should actually spend most of their time, creating more detections based on the attacks which we run. Okay. So here was going to be like a live demo, but due to the network and some things I'm unsure of, I had to go ahead and make a recorded video which I'm going to show.

Okay. So the first thing which you're going to do once you get to the cloned repo: if you're not new to Azure, this is the Azure CLI, so you're not setting up any CLI or anything. As I mentioned earlier, everything is Azure native. So just open it up and git clone the repository, and once you do that, cd into the directory where everything is, Azure attack range. So the first thing it's going to do now is just setup. What the setup is going to do is just make sure your environment is ready: checking that there is Python there, making sure it's there, and also making sure you have an SSH key. If you don't have one, it's going to prompt you to create one for you. And you can ignore the sed after that. That was just me trying to mask my subscription ID. So that can be ignored.

So once the setup is done, it's going to tell you to make sure what is in your attack-range.yaml file matches what is in your terraform.tfvars, and after that it tells you you're ready to build. And before that, I created a command just to make life easier for everyone. So any kind of commands you want to run, they're all available in the command which I'm going to show you now: how to build, destroy or update, and also every possible attack and every possible sequence. Okay. So the next thing, which is the one single command which is going to do everything for us: attack range build. And if you remember when I was explaining about terraform.tfvars, where I said you can ignore the IP: automatically it's going to check your present IP. If you're new to Azure CLI, every time you launch Azure CLI it's going to assign a new IP to you every single time, so you can ignore the IP; that's not my IP. So it's going to update this IP now in your terraform.tfvars, which once everything is spun up you have access to the

Sorry.

Okay. So this is going to build the whole infrastructure. As you can see, this was built all within 8 minutes, and I'm going to show you all the resources that were built. And our environment is ready for attack.

So here's the output of all the resources that we built, meaning every virtual machine needed and all the extensions needed.

So the next is going to be every available attack.

So these are all the available attacks in there, over 30 plus of them which you can run. So from process discovery, network discovery, account discovery, straight down to Mimikatz execution and ransomware simulations, all over 30 plus attacks which are there. And as I mentioned earlier as well, you can create your own playbook and add it.

So the next will be the sequences which, as I mentioned previously, are going to run multiple attacks. So for example, the recon sequence we're going to run now is going to run anything that has to do with discovery: account discovery, process discovery, network discovery, system info discovery. So every single discovery is going to be run through recon. And this is the Azure portal, which I feel most people will be familiar with, showing all the resources that we've just built, and going straight down to the most interesting one, which is Sentinel, what we just set up. So for people that don't know Sentinel, this is the SIEM, just like Splunk, and as you can see all our rules are built in there automatically, and it also comes with its own data connectors by default. And we're going to go ahead and just check the machines which we spun up not long ago: are they sending logs directly into the SIEM, which we're going to confirm by checking the logs.

So I'm going to use this log for the attack machine, and I know that's very small, but yeah, you can see the attack machine, meaning logs are coming in for our Syslog, and the same for security events, where you can see our Windows DC and also the Windows workstation. So also you can add multiple workstations; automatically all the logs will come in straight away. At the moment we've got three workstations in there, so that's all the infrastructure ready, and the next thing is just to run an attack in here. I'm going to run the full chain attack, which is going to run through every available attack, starting from network discovery straight down to ransomware simulation, and for each attack it's going to tell you the ones that failed, the ones that were unreachable, and it's going to tell you the ones that were skipped. So if one of the attacks should fail, it's not going to stop the flow. It's going to just ignore that and move straight to the next available attack. And sometimes what happens there is maybe WinRM is not set up properly or is not fully loaded; that's when you just run an update and run the attack again. That should be fine. As you can see, this took over an hour. Yeah, that took over an hour to run because I ran through every available attack. And this is Unified XDR, which some people might not be used to, this dashboard. So this is where you've got Defender and also Sentinel in a single screen. So you can see everything happening in your Defender and also everything happening in your Sentinel. And as we can see from our attacks which we just ran now, over 27 alerts are generated, and we're going to see also our incidents, which are at high rates already, and just a glance of the available incidents in there.

Yeah, so also going to show you in Sentinel we've generated over 26 incidents already from the attack which we ran. So that's all for this, and once you're done, there's a single command as well just to destroy everything, and within 3 minutes all the infrastructure is gone. So you don't have to worry about incurring any other fee or any additional fee. Just once you're done, automatically destroy it.

Yeah. So what are the success metrics: detection coverage across MITRE techniques, alert generation rates and timing, also false positive evaluation, meaning an alert and a rule can generate multiple alerts. So that's where you just go back in there and tune it, trying to mature the analytical rules, like fidelity and also context quality, and easy clean up. Okay. So to set this up: a normal Azure subscription and just basic CLI knowledge. But if you're new to Azure in general, you could sign up for a 30 days free Azure, which is going to give you about 200 credits, and you can spin up this lab multiple times. If you spin up this lab once, I probably run like two or three attacks, where you'll be charged probably less than $12, and the major thing that incurs a fee is just the public IP assigned to your VMs. Also, about the GitHub, there's a barcode at the end. This is going to link you straight there, so don't bother about it being so long. And there's a Medium article I wrote on it as well with screenshots on how to walk through each of them, which is more detailed than this. And in total, time investment is probably less than an hour. As you can see, the spin up took less than 9 hours to generate all the infrastructure. Running a single attack would take basically between 5 to 10 minutes just for one attack. So running attacks probably takes you a maximum of 20 minutes. So it's very easy to deploy. So for example, SOC managers or the sales team where they need to show a Sentinel demo for a customer: you don't have to start getting the SIEM in advance. It's something you can spin up even before your scheduled meeting, and just spin it up, run a single attack, and walk your customer, your potential customer, through it and tell them: this is how it works, this is how our analysts pick up, this is how our analysts prioritize tickets, and this is how the analysts also escalate tickets.

And key takeaways: detection before an attack occurs, move beyond theoretical detection to proven controls. And also provide realistic training for SOCs, meaning just making SOCs more familiar with techniques being used out there. So let them see realistic alerts, realistic simulations, not just slides or reading. Let them go through and try to investigate a real attack, a real simulation, not just reading slides. Also, enable continuous improvement of detection rules, and also bridge the gap between the red and blue teams. Not every organization is fortunate enough to have a red team. So in here, run the attack as a red team and also go into KQL and try to defend with some KQL queries. Yeah, so if you scan the barcode it's going to take you straight to the GitHub repository, where the link to the article is and also everything that has to do with the project. And also I welcome anybody that wants to try to improve this or give feedback on this; you can submit a pull request and I'm happy to collaborate. Also feel free to ask me any question now or reach out to me. And I also would like to say a very big thank you to Mark and also Tom for helping me be able to be confident enough to speak on this. Thank you very much.
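As an added illustration placed here by the editor (it is not code from the talk, nor one of the attack range's own rules), a Sentinel analytics rule in KQL of the credential-access-monitoring kind the speaker describes: it flags an account that saw a burst of failed Windows logons (Event ID 4625) followed shortly by a successful one (4624) from the same source, which is the footprint a brute-force or password-spraying simulation leaves in SecurityEvent. The SecurityEvent table being fed by the Azure Monitor Agent, the lookback, the bin window, the failure threshold and the logon-type scope are all assumptions.

```kql
// Added example, not from the talk or the project: failed-logon burst followed by success.
// Assumes SecurityEvent is populated by the Azure Monitor Agent on the Windows VMs.
let lookback  = 1h;    // how far back the scheduled rule looks (assumed)
let window    = 10m;   // bin size for counting failures (assumed)
let threshold = 10;    // failed logons per bin that count as a burst (assumed)
let failures =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625                      // failed logon
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail  = max(TimeGenerated)
              by Computer, TargetAccount = Account, IpAddress, bin(TimeGenerated, window)
    | where FailedCount >= threshold;
let successes =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624                      // successful logon
    | where LogonType in (3, 10)                 // network / RDP: the remote cases (assumed scope)
    | project SuccessTime = TimeGenerated, Computer, TargetAccount = Account, IpAddress, LogonType;
failures
| join kind=inner successes on Computer, TargetAccount, IpAddress
// only a success that lands shortly after the burst is interesting
| where SuccessTime between (LastFail .. (LastFail + window))
| project Computer, TargetAccount, IpAddress, FailedCount, FirstFail, LastFail, SuccessTime, LogonType
```

Run a spraying or brute-force attack from the range first and then tune the threshold until the query fires on the simulation without also matching ordinary mistyped passwords; that tuning loop is the false positive evaluation the speaker lists among the success metrics.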

>> Does anyone have any questions? [Question about the destroy.] Okay. So he asks, the destroy at the end, does it destroy everything created? So yeah, destroy removes all the infrastructure created. >> Is there any way to reduce the cost?

>> Yeah, it's possible. So if you just delete from the resource group, just remove the virtual machines, three of them; the logs will still be in Log Analytics

in which case a talk for the first