Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations

welcome everyone thank you again for coming even though it's the coveted last slot of the day we will try to make it worth your time hi can hear me no what wrong thing have I

done it would really help if you actually turned on the mic right all right so um first and foremost I kind of wanted to say that um a thank thank you to Molly who did the art or the illustr or the color work with her and her husband I drew this but also um this is definitely represented of of a lot of teams and over a long period of time so mad props to everyone that came before us all right my name is cat self I used to be an artist I still am an artist apparently um and I was formerly military inel yeah it's always nervous speaking um formerly I served in the military and

I'm a military intelligence veteran two years at War um also I started this career though this is actually my second career so definitely proof point for those that wanted to transition from one thing that's totally unrelated to another um I start off as a developer then became a red teamer and then became a um threat Hunter then I was hired on to miter as an adversary engineer where now I'm doing jobs I love where I'm ulating adversaries but I'm also the Mac OS and Linux lead for miter attack I'm Kate um prior to joining merer I worked at Facebook now known as meta uh the majority of my career has spent been focusing on Latin America so if anyone

wants to talk Latin American adversaries or cyber groups in the region let me know and in addition to my work I run a cyber security blog called fishing for answers which is available in English and Spanish okay so we wanted to do some quick level setting before we really got into it and demonstrate what is an emulation and how is it different from adversary simulation so we are fully leaning into the comic book references this presentation get ready so as an adversary emulator we have to take what backgirl does for instance and be so convincing that it looks exactly as backgirl would run an operation right there's not a lot of room for flexibility whereas if I'm a normal red

teamer doing a simulation I can take some things that b girl does some things that Supergirl does maybe another adversary and mix the two it's more of an approximation as the adversary so there's more room for flexibility in a simulation and so we're obviously going to focus on adversary emulation for this talk really quick we use miter attack I'm not going to go super into this because we're actually talking about attack evaluations but we are based on miter attack and the goal of this is to be threat formed defense um who here knows what attack valuations is okay oh okay that's good fun fact uh we actually have never done a talk before like kind of detailing what like

is going on on the inside of the development process for attack evaluation so I just want to take a moment to explain that essentially it's a like threat-based approach right so we're using minor attack so we're locked into a specific adversary and specific techniques so we do is we take that information and then we release that to the P or the vendors being like hey for all of those that do detection and protections um this is the actor that we're going to emulate and these are the techniques that are going to be in scope for that emulation and then we take around two three months we develop an emulation and then they come in they set

up their tools in the environment and then we execute our emulation they have no idea what emulation we're going to execute it's a blackbox tesk and then we take all of those screenshots from watching the vendors be able to try to either protect or detect against them and then we openly release that to the public we we don't filter it we don't sit there and make it like fix things it's just here is the data dump discern for yourselves what this vendor can really truly present to you so the goal of the entire thing is to actually empower the users it's to be transparent and these are billion doll companies we wanted to give you all a way to be able

to peek inside of what these really expensive amazing companies are doing they each have these amazing unique solutions that are solving a different problem and not one size fits all in this case right everyone has a different environment everyone has a different problems that they're trying to solve we wanted to give you that information so you can discern for yourselves so that's what a tack evaluations tries to do and we're going to go over how we essentially take a nation state actor right that has unlimited funding that has 40 developers over five to six years and we take all of that and we shove it into 10 developers and two to three months of development cycle right so

we're taking a really hard task and trying to make it this approachable thing and we've actually still this down even better or hopefully more for you all we in this emulation we're actually going to go over an adversary where we only had a month and a half to emulate and we really only had two people on the project we had one developer and one CTI person so we've really tried to break this down to make this much more accessible for you all to be able to recreate it yourselves yeah so even if you are all coming from smaller organizations you might not have a whole adversary emulation Department one of our key takeaways for this presentation

is to hopefully demonstrate a methodology that you can use for yourself and distill down to whatever the resources you have realistically for creating your own emulations okay so this is a graphic that we'll probably come back to multiple times through the presentation but it shows an overview of our process right I will start talking through adversary selection how you do your research how you create a scenario for emulation and then I will pass it over to cat who will talk about the development side side building the tools what does that look like all the troubleshooting and then we will show you how we actually executed our emulation um so this is kind of designed to show the collaborative process

between CTI and red Dev for the purposes of emulation okay so choosing your villain before you even get to adversary selection it's really really important to think about your end objective for the emulation right why are you doing this what in insights are you hoping to glean from doing the emulation versus just a simulation which we talked about the differences at the beginning right um how are you hoping this emulation informs your network defense capabilities think about that before you start anything else once you have that conversation then it's time to choose your villain these are some kind of main points that we ask ourselves on attack evaluations when it comes to selecting an adversary right is there sufficient

open-source recent reporting on this adversary recent meaning within the last 2 years because on attack evaluations everything is open source so that's a limitation that we have to consider is the adversary and their ttps relevant to what you're trying to achieve right relevancy can also mean can your network Defenders detect on these techniques right um so that's really important to consider third is there enough variety of adversarial ttps to create multiple emulation plans as we're going to demonstrate later today sometimes adversary emulation you have to Pivot halfway through scrap your whole scenario and start new right so it's really important that you have enough content that the adversary has enough uh operations and variety of techniques to

create multiple scenarios just in case you need a backup and then finally my favorite question what's cool about this villain why should we we care about them what makes them unique what makes them special so our villain for today is blind Eagle this is the villain that we chose and chose to emulate um and we have a little bit of a video at the end that will show our execution as this adversary so why did we choose this villain I bullied cat into choosing a Latin American adversary basically is what happened um but in reality um this is probably an adversary that we would never realistically use for attack evaluations um like cat said we only had a month and

a half to Dev this adversary um and so we needed kind of an adversary with more straightforward ttps but that are still highly relevant right just because this adversary is not doing bleeding Ed Edge things in kernel mode doesn't mean they're not relevant to every single Network Defender these are techniques that we would expect every Network to Defender Defender to detect on um so these three techniques that I've listed at the bottom of the slide those are the techniques that we prioritized when we turn to deving um our emulation planned as blind Eagle that's essentially going back to our conversation what's unique about this actor these are three main like MVPs that were really important to

us okay so we have our villain let's talk about Gathering the research I think that one of the things that really kind of distinguishes our process is the level of technical depth that we need from reporting right the more technically in- depth the more information the better that we can emulate and act as the adversary um so these are some of things you know we have explicit examples you know technical bits of information that are nice to have and then implicit right if we get any of these implicit items that is just gold that is your MVP really really helpful so I'll show you an example of this so so this is an example of a graphic that we pulled from a

report on a recent blind Eagle campaign um we would consider this to be an explicit piece of evidence and this shows an overview of the entire infection chain of the campaign right at every single step of the attack uh some key bits of information to call out here that really helped our team they have process names file names file types uh obviously full infection change port numbers used for C2 Communications uh user level permissions so this is a piece of di this is a diagram that we referred back to multiple times both on the CTI and Dev side when we were running this emulation actually another point with that as well is that it might be like oh file names

whatever I don't care but when you're linking a bunch of different reports those file names become very relevant right like those same dlls are also used over here and this campaign and like so now I'm like okay they're downloading this file that actually helps me because it actually never touched dis so where am I going to be able to file pull that file and find it and I can now link to another report to be able to create that connection that I didn't previously have before totally and that kind of hits back to our conversation on adversary emulation versus simulation right like we are really trying to be indistinguishable from blind eagle and how they would realistically do

things so these are two Snippets from a report that we would be considered implicit evidence um just as an example if you look on the image on the bottom these were both taken from the same report but this covered a recent blind Eagle campaign that um used quazer rat which is a open- source rat you can get it you know on a public repo but the group actually added a custom functionality the name of this functionality is activar in English or in Spanish and English it's activate RDP right so hm that's interesting for us right nowhere in this report does it say blind Eagle then rdps into the victim environment however why would the heck

would they add this functionality if they weren't intent on using it so from this there's implicit evidence there's an inference that we can make that blind eagle has this capability and we would use that to fill in an information Gap if the dev team came back to us and said okay we need another technique what can we do so now we've gathered our research we have our adversary it's time to create the plan and deliver it to the dev team just so we're clear at this point in the process the dev team's already in the loop blue team's also in the loop the infrastructure team's also in the loop um we really need those early

collaborative processes to inform whatever plan we end up picking so I'm going to go over three key deliverables that the CTI team makes to inform the dev process so we'll start with my favorite this is my favorite thing to create not only is it pretty but it's extremely extremely helpful right this shows an overview of our emulation plan and what we actually did with blind Eagle at a really really high level the first stage the attackers will gain initial access into the victim workstation via spear fishing the user will then open up a PDF that is embedded in that is included in the email clicking a link inside said PDF will take them to a malicious site where they

will download an async rat payload that's our main payload async rat will establish Communications with the C2 server establish persistence via the user startup folder and then action on objectives is to to steal browser credentials this was the original plan this do not mean this is the end plan so we're clear because Dev team loves trashing CTI plans for a reason not intentionally we'll call it element of surprise so this is another example of a deliverable this is essentially the word version of what we just talked about with the software flow right so this is something that can kind of help the dev team okay so we have the software flow diagram but let's dig deeper what's the

key infrastructure involved um cat's going to go over this a little bit from the dev perspective like when a Dev gets something like this and they're looking EX for initial compromise what is happening what do they need what questions do they need answered and then a third example of this we actually took this and you know made it our own from mandiant and Katie Nichols so shout out to them um this is something that we would expect the dev team to use during the actual attack right this provides um different pivot Points and alternative options at each major St step of the attack life cycle right so okay my scheduled task didn't run whatever tools break we get it what

is my alternative option while still maintaining the Integrity of what the adversary would actually do cool okay they do registry run Keys let's do that instead just a note if you're wondering wow cat and Kate this is such a sparse diagram you're correct that's called open source reporting please help us encourage people to write more blogs and Reporting on this specific issue right yeah this is us like trying this is our Peak right here so slightly depressing you are correct okay cool now I'll hand it over to cat to talk about the dev side all right so we just went over choosing a villain right K went over like what actually makes a good villain for you

you and your organization and then we went over essentially like what those deliverables look like for us on the dev team those deliverables that the CTI gives us are super pivotal that's actually really where we come at the collaboration Point um so we're going to walk through the unsex like sorry here's the funny thing malware development if you take away the malware it's still just development and so that's the reality of what we're going to actually go through so before you even begin and that early stage of collaboration that Kate mentioned right where she was like yeah we bring the the dev team in at this time a lot of times when she's coming up with that emulation plan like

what the red team is doing is that we're actually on those calls we probably are doing other work at the time like everybody else is on three different calls but we're absolutely like involved in those conversations and the reason why that's significant is because I can't do everything my team can't do every single random thing under the sun that an adversary does right again it's a nation state versus a team of tin developers and the time is cut down significantly there's a lot of Randomness that's done out there right so first we have to know like what platform are we even running on is this Windows is this Android like we actually scratched Android in the beginning she's

like what could we do Android it's like no I will not learn Android just for this presentation tears were shed so but it's a part of the scoping right like what platforms do I need what um code do I need to be able to run in like what level are we playing at are we playing at kernel level or are we playing in user land because it makes a huge difference are we all down to the bits and bites like where do they focus on do they focus on the network protocols right like these are all different skill sets that I need to make sure the team has is is staffed appropriately and so once we have a lot

of those key factors done um that's super helpful I will call out this last one you know how Kate mentioned in that other side on blind Eagle these are the things that we really want to emulate so we had this scenario for one round where we lost 60 4% of our team that is a lot and the CTI diagram like this that great CTI plan totally had to get revamped and then we had like we didn't ask that question in the beginning of what what actually makes this actor look like this actor like what are the techniques that have to be done to make this look like blind eagle and so those become the priority that if we stripped out

everything else it still feel like blind eagle with this and that is actually our definition of done it might seem like it's kind of a small logical thing but there's a lot of stuff you actually don't need that's really nice like encryption and ausc are great but honestly they're not really relevant for our scenario the behaviors are much much more relevant for us and those are if you remember from the blind Eagle side those three ttps that we handed over to the dev team like if nothing else we would really love to emulate these because these are quintessential for the actor but also again something that Network Defenders should absolutely be detecting on and should be challenged to

detect on um those are kind of would be returned as priorities to the dev team when they're making these calls so again we take that next product right the emulation and then the most this is the most helpful for us is actually the word picture the diagram is great but there's a lot of assumptions that we all make when we're looking at diagrams diagrams for at least for me as a Dev they're really great when I need to come up for air and I'm like okay where am I at in this scenario like like what is next and what did I just do like what am I expected to have done and then what am I expected to do next right but

when you actually like are looking at this in the beginning it's like all right let me read this out and the most specific point oh that got loud um is to a militia site downloads async graat right that means that I need to have a website well what's going to be on the website how does it download it how does it even know that I'm there to download it what does that even look like is it in a URL to a URL is it some JavaScript stuff that's all Dev time that I have to account for in fact it's also infrastructure time that I have to account for I need to be able to upload

something right I need to be able to download something where is this going to be hosted how is it going to be hosted all of those questions I have to have done before I even play and like the other games right in the other the next phase um so this is usually where we'll actually go through specifically look through the word picture and be like what is it that I need and what teams do I need to bring in at what point in time and then the super sexy part we use jira I really don't care what you use but there has to something where you kind of start breaking things down and scoping for us we usually like have a

couple of epics um those epics whoever does those epics is usually one person because the amount of rabbit holing that has to happen during that period of time is insane like your brain just hurts at the end of the day as usually a sign of success um and it's where we take one Epic right like let's say I'm going to focus on the C2 Handler just because I just did one um I'm going to look at like okay let me take all of the reporting from that emulation plan let me pull that down let me look at it but I'm only going to scope that specifically to what protocol does he use how does it have the buffer like how

does it receive the buffers what is it looking for how does my C2 know that that's my packet right like there's these questions that I have to ask myself and then I start looking at it with that P very very very specific mindset and then that becomes my epic and I actually break that down for example just because an implant has the capability to do something doesn't mean I need it for my emulation plan it's a ton of work to go into uploading and downloading a file for a command in the very specific annoying way that the adversary does it in this obus fashion if I don't need it why am I going to do

all that Dev time and that's where that epic comes in handy right like what's actually needed for the ulation plan not what's super cool and what's nice to have but what's actually needed and then we take that epic and then we break that down to specific tasks because attack evaluations is very very specific on being true to the adversary and actually we're held accountable like here EDR like or here protections and detections products like with your unique snowflake solution here is exactly how we're doing it we have to break down that code really really specific and it needs a lot of focus on it so we'll take like process hollowing we'll really focus exactly how they do process hollowing

and then try to recreate that because at the end of the day the rest of the code is just to get to the technique right because that's what we're supposed to be emulating for the detections and protections like that's the goal so this is cat's crazy chaotic Rabbit Hole brain in a process turns out there is a process to the rabbit hole um this is kind of how I've broken it down um mainly because I'm hoping that this helps somebody else in the future I'm one of those people that like diagrams so I don't feel completely lost it's like oh no I'm not crazy I'm just at this space it's normal to feel crazy at

this phace right so essentially where it starts is on any task that I'm given right because I can't know how to do all of the 400 sub techniques I take one technique and then I try to understand it there's something really powerful about seeking to understand without the assumption that I should already know how to do this so I try to understand the technique and then it goes into like all right let's look at the code Snippets let's look at the diagrams let's look at like that crazy ey chart diagram is phenomenal because the more like I could I had looked at that thing so many times and I'm still understanding it in different ways so

awesome reporting um but the point is is like I take that and I start breaking that down then the next phase is actually emulating the code once you actually start cing something it's a very different attitude it's a very different approach why am I um so then the next thing I do is um essentially you're going to find gaps once you actually start emulating you you're going to find gaps things don't work like you expect them to do then you got to go back to the reporting and then figure out what else is happening with this new knowledge set of trying it out what is different so and then because we're taking something right and we're

taking it and executing it in an environment it was never designed to execute in that is its own phase of development so it's almost like taking hey bgirl you only operate at night let's go shove you into the daytime and then like see how that works out for you so things are just going to change because the reality is we have to put this into this agnostic environment and then make sure everyone can deploy their tools into it so there is that element of component that maybe you guys don't have to go through but we absolutely do so this is what understanding it looks like we're going to start with miter attack because at the end of the

day miter attack is what this is based off of and it's a great tool to be able to understand what is this technique actually about and what are the different variations of it we were not just paid to say that by the way yeah that's actually thing um and actually the eals team as much as like we all like have our own like inner team like jokes and like elbows um it's actually a really cool way to always make sure like hey we just did an emulation on this this needs to be updated but uh the next thing that we do right understanding the technique is we specifically look at how does the community do it because at the end of

the day there's something about Hands-On keyboard that I'm going to get a lot of tribal Knowledge from practicing this even if it's not the way the adversary did it if I've never done process injection before I need to practice it I need to understand what's going on I need to understand what information do I need that actually to be able to accomplish this what permissions do I need there's just some things that you learn by doing so this leads us right once we understand what's happening now I can actually go on Research with a different level of perspective um so that takes us to the diagrams and Co Snippets right now I can go and look at that in this

scenario um we noticed that F uh Society dll was referenced twice right it's referenced in two different reports so just a note of information we're going to put that aside another thing is we notice Asing grat which we are using the simulation plan is also in this repo now great thing about infos seers we love our our proof of concept code downside as people reuse that for malicious means but we're still super grateful because it really worked out for us in the scenario so thank you um so uh we took F Society um and we took this so those are two data points for us to be able to go down on the next rabbit

hole and when it comes to adversary emulation we are big fans of working smarter not harder we don't have a lot of time to be able to execute these so as a result uh we try our best to be able to find other resources right we're not going to be Rees so how can we be able to pull these reports and coding that we can actually recreate in this case thank you Alien Vault um net actually goes a source code really easy which is beautiful so uh we were able to actually take F Society pull that down and then be able to have decompiled code that we could then reference of course when we do this the first thing we

actually have to do is like Kate can we I have so much power in this situation and I love it and I would say actually based on CTI reporting this is absolutely consistent with what the adversary would realistically do cat green light so yeah cuz once we kind of start noticing and you'll notice the next one they definitely there's like some duct tape and bubble gum going on so we have our decompiled code now we can actually take that and then go to the next one and then we'll actually notice that there go um there's handle run right there's a handle run method inside of the decompile code and so what we can do is

we can take like method names like that and then we can actually search the other resources for that now what we're looking at is a decomil code of fety right that's their specifically their process hollowing um dll that they use so we go back to the repo and we find that oh in line Cryptor they have a method also called run handle H or handle run sorry um actually it's got the same parameters and the same logic and then when you actually look at the code side by side it's basically the same exact function just with added functionality added into the decompiled version so this tells us that a lot of the stuff is actually pulled from

different points and then you'll start to notice other patterns right like the fact that they started using lime rat right and then you'll notice that there's a whole lime theme to this Sho so that kind of tells us there's a lot more to the story like there's a lot more resources in here that we'll probably find that's leveraged inside of their code so just notes for red teamers and emulation like the the patterns that you find as a result of emulating and this is another good example of the conversation that would take place between the CTI team and the red team at this point right like hm Kate seems like they're kind of copying and pasting from

this very public repo any thoughts I would say yeah the adversary is not known to create custom implants they absolutely just go based off of what's already out there so just wanted to call that out so this is what it actually looks like specifically for process hollowing right for the difference between the two Community method you're going to be using your ZW query information process it's going to give you back this beautiful little struct with a little pointer the the bottom saying like hey this is your base pointer address however that isn't and like then you're going to go in you're like well I really don't care what you're running there you're going to run this now next

whereas the adversaries code does something different right it specifically calls read process memory which gives you a buffer then it's going to do the get thread context which is going to iterate through an array it's going to find the base Point address plus eight math is hard right like they're adding math into this equation and then they're going to be like okay well we're going to take what you're currently running we're going to unmap it and then we're going to be like you should run this now very kindly and so it's a entirely different atude right in the way that it's going about also should be thrown out way easier to detect as well so if we were just doing

process hollowing it wouldn't get the same effect as if we were actually doing what our adversary is actually doing yeah and just to add to that too this again foot Stomps what we need to do as emulators versus what red team operators would realistic Bally do like something might make a lot more sense to do or emulate but the adversary didn't do it that way does it make our life harder sometimes yes absolutely do we have a responsibility to the actor to really be undistinguishable from what we're doing versus what the adversary is doing yes so that kind of comes with with cost as cat's pointing out so fun fact then we try to do

persistence and that did not go as planned our main developer on this which is Corey Goodspeed um was up to like 11:30 he's like why why is it running reg Services EXE the legitimate binary so what happens in this infection chain right is we have this VBS code VBS code is also um it then downloads three files it downloads F society which is this process hollowing like mechanism fiber and then it also downloads async gr now fiber actually does some other fun functionality we'll get into a little bit but F Society specifically takes the Instinct grat that's pulled down pops it in the memory using process hollowing and then you know executes it but there is never an infected

version and in Pro sorry it process Hollows it it injects it into the reg Services exe that's the that's the specific process that's running with asrat in it but that is never that infected version is never actually downloaded so the way that asyn grat expects to be run is that if you have inst installed it right it's expecting an infected version of reg Services exe to be on disk that it's going to be calling from its service but there isn't one and we were like well where where is it then how does it install persistence and which kind of led us down to the next rabbit hole which is turns out it never installs a service at all that's not a

think and actually and I love what this one report says it's like it works it is persistence like I forgot what it's like it's simple simple but effective but but it is actually effectively creating persistence so that initial VBS file that it gets right like it you click on the link you have the PDF the PDF is actually Mas as a uud yeah uh all the all the acronyms U um that then decompresses a VBS code that VBS code is actually then copied into the windows temp folder and then it just sits there um but that VBS code is actually what pulls down all these other things right which we just talked about the reason why this is significant is

because what it actually does is it creates a link file in the user's startup folder that links back to that Windows temp VBS file and then it actually redo the entire like three payload infection chain all over again so it never does this entire part of the diagram which is like Broken Out In reporting which was super surprising to us but it was was exactly what it did and we actually found that in the fiber dll that's downloaded which is one of the files that are downloaded for it and this is an example of like you would never know this unless you tried to emulate this process right so this is not us calling out the reporting saying it was wrong no

this is just our Dev our wonderful devs trying to emulate it and realizing uh actually you can't do it with in the way that we thought it would so it's a huge value ad yeah for real the really cool note here is that this reporting was really based off of two reports like the simulation this shows you how well those reports were done because we were able to emulate to this degree and figure this out that's awesome reporting so mad props to the reporters that did this so the difference between the community versus attack evaluations and solving these gaps right when you have reporting gaps which we're going to have is you guys can go like to VX

underground and download a sample or Twitter or wherever else your fancy is for us we have like a month and a half we do not have the time and quite frankly most of us are not Rees and like if we are re It's like because we have this weird Hobby and it's definitely being leveraged so what we usually have to do because at the end of the day again we have to adhere to CTI right not everyone is going to have those restrictions like we do so we're like well where else is this represented an attack you know what other campaigns have they done which is usually a conversation point for us where it's like okay they don't stall persistence

in this way do we just go forward with this and then just own the fact that reporting says this or do we like can we use the link file and then that's going to be a conversation well is there evidence that a link file has been used in any other campaign right so that's going to be the conversations that we have because at the end of the day we'll have to be able to explain them in the public eye so these are our deliverables um really like the big points of these deliverables is we give you essentially the documentation and source code right sounds kind of common for a red teamer but ours are very specifically written

for the purpose of transparency and the purpose of you all being able to run them yourselves so the documentation that we have there's a very specific file called voice track this is the exact track that is done during the emulation so that means for you who like we have all of our code inside the adversary emulation Library so if you want to go through and you want to run all of this code yourself like we have wizard spider we have sandworm we have um apt29 fin7 of these different groups right you should be able to just copy and paste these lines and be able to execute the emulation as we did um that's kind of the point behind it we

wanted to be able to lower this bar as much as possible because again it's about transparency you should be able to be like okay well does the vendor detect against this in my environment now like that's a really great question right so that's one way to use it another way that we found was really helpful was we actually started citing attack techniques in the actual source code the reason why this is relevant is because when you have someone on the phone that's saying they're like no no no no no no I detected this and you're like no no no no no no no that's not the right code just because you detected something doesn't mean it's the thing that you

meant to detect on right so it's a really great conversation point because not everything is linked the exact same and that essentially is our process um so what we went over was we went over choosing the villain going through that process right of actually selecting a villain that works for you um then the dev process translating all of that CTI information and then putting it into actual requirements developing those requirements going down that rabbit hole and then creating like where where what are you do in those gaps like how do you pivot on that right like what are the decision points um and now we have a great demo why tell when you can [Music]

show okay so I'm going to voice track through this and this will be publicly released next week so you can see this video for yourself if you want uh we might need to resize it you want me to pause mhm all right give me one sec just play it again yep is that better yeah that's better okay just kidding take two okay so like we said initial access spear fishing the victim is going to open up a PDF attachment click the link and it will download a file from a Discord server classic blind Eagle it is zipped and password protected but they provided the password so kind of them we will enter the password to open up the

PDF which is actually a uuee file when the user double clicks we have yep the async rat payload has a call back now let's look at some of the files that that made this happen right uh we will look at the VBS code in that Windows temp folder that's what kicked it off and we will parse through that and now we will go into the link file which cat mentioned is used to establish the persistence um we will verify that and then let's check on the key logger and set it aside for later viewing and now action on objectives asyn grat is going to look to dump credal from the users edge browser so we will

go look on our password stores and yep all right we have the credentials necessary so we are going to go to the site that is being visited by the user fun fact we made this very convincing banking site uh please please respect the process and we are going to look to use those key locked credentials to gain admin access into this site so we will copy and paste we did not use admin admin as user and password and then finally we're going to check our key logger to make sure it's working it's working um so I know that was kind of a very fast walk through but hopefully that gave you some idea of what our end product looked like thank

you a you guys are going to clap thanks it does work work we playay it works wish I could say it was easy but it was not we absolutely recorded this we were not going to do a live demo shout out to our developer Corey because that was a lot of late nights so some key takeaways um the biggest point of this entire presentation was provide transparency to you guys and so if you have questions we welcome them but mostly we just wanted to give you all an opportunity of like what this look like yeah and second thing which we've kind of foot stomped time and time again this is our solution for breaking down

the silos between CTI and redev as well as blue team Etc um for collaboration right but again this is just a solution you are totally able to you know find a solution um and we hope that this methodology was helpful for you and last and not least um something to kind of remember it's really easy to be like oh your attack evaluations you test all these vendors and it's a big thing um we started off as like a fourman team like I came in a couple years ago and I actually started up the CTI team but before that we didn't even have a CTI team it was like one person and it was only like 25% of their time

so a lot of this work was built on the shoulders of guys just kind of H patching it together so it's become bigger because it's just iterated over the years so a lot of the things that we just went over like those IND deliverables those IND deliverables were honestly like blood Sweat and Tears like that is a result of we've distilled down that this is the stuff that actually mattered because this is the stuff that we kept referring to and everything else was nice but it was extra and so we're hoping that maybe like you guys can learn from our lessons so you don't have to go through that same pain and fun announcement our entire

emulation plan for blind Eagle including the video including all the code we are going to release that on GitHub next week so stay tuned so yeah and that is essentially it just a bunch of thank you to the artists to our general manager and to our Dev um and just thank you guys so much for attending we really really appreciate it yeah thank you so [Applause] much questions are welcome straight up mic drop on accident so you guys are welcome to ask any technical questions if you want to ask about the presentation or anything else it's pretty much open also we have a backgirl t-shirt for anyone that actually ask the best question it is a challenge hands down

the challenge flag has been thrown yeah and hopefully this was helpful again we kind of wanted this to just be relevant to the average end user so again if even if you don't even have an adversary emulation capability in your organ organizations this can be done by just one user if you want to pick and choose just a couple of different techniques that were emulated in one of our plans on GitHub publicly available that's absolutely your right to do um that's kind of our intent for this you don't have to be a vendor just to take advantage of this process and you know what last but not least um we just went over process hollowing like take one technique

emulate it and then pop it into an automated test and then run that through throughout like your quarterly annuals or whatever that is to see if your detections are actually still up and running it doesn't have to be this massive emulation plan like there's even micro ulations 100% yay a question thank you is this on so when you were um demoing or talking about process hollowing and you're showing like here's here are ways that it could be done and here's the way we actually have to do it do you in your reports account for or do you cover like here are ways that adversaries might um you know shift their techniques over time like here's what we expect them to

do next when this stops working um do you include that kind of information or um you know kind of lead like is it really so tightly contained that it's only that adversary and if they change their technique or they you know the main guy dies and the new one steps in like they have suddenly this different process but other pieces are the same like do you point out like where it would be easy for them to change or where it could be um you know more effective to do something else that's interesting so more like forward looking like here's capabilities to be anticipate the adversary doing especially since you rely on data that's so old already right like you know your

data is three or four years old well this is what they did three or four years ago we don't really know if they're doing that today but we would Envision you know here are the places that they would make the next logical steps based on what we've seen okay I have to speak to that for sure and then goad goe if I was just a red teamer ABS freaking lutely however we have a techniques go like the point of evals is so here's the fun fact about evals right every single vendor you don't get to put your tiered system on evals and then test that you have your Baseline configuration so whatever you provide us has to be

freely available to your lowest tier with that said that's a lot of work it's a lot of work so since our real goal on attack evaluations is to elevate the entire industry trying to use that Baseline and pushing it that's one reason why we use old reporting it's because there's no excuse not to detect against it right exactly but absolutely if I was just doing a red teamer and I wasn't being like being held like holding vendors accountable to this like technique then I would absolutely go like well this is the genre of what they do between their development team so could I suggest opening up either a part of the repo or you know some shared

documentation where other people who are more familiar with the current techniques could suggest and say Here's how things have changed over time or here's what we're seeing you know this year if it's based on publicly available information you're speaking to my soul yes that's the constraint that we have though right like everything everything has to be backed up by a publicly available resource so that we're maintaining the Integrity of we're backing everything up by data like according to the adversary data would be available but you know perhaps sanitized would that be so there's two ways to contribute so for all of you that are like like so love your question um I expect that shirt yeah he just really wants the

shirt really wants my shirt um there's a couple ways to contribute like I just started a contribution process publicly for ocean Lotus which is what we're doing for Mac OS emulation in the emulation library for those of you that have seen that we can talk about later um but for attack evaluations when we actually announce the actor in the technique scope we actually also do like a call for information and so with that said like you guys have code Snippets Ida files whatever it is send them to our team like we love that that stuff and as long as like it's a credible Source we will absolutely love to incorporate that um we do have to have for the techniques

that we hold vendors accountable to we obviously do have to have that um but if it's contributed in like that's a different conversation because we can have the conversation and we'll probably Loop you in with a lot more visibility on that too like if we can't do it we'll we'll do our best to tell you why cool thanks thanks for the question great presentation thank you I just just go over here just get away from me cooped up in a hotel room for 24 hours other question yay uh this might be a bit tall for me um So based on the kind of life cycle that you mentioned right there was a lot of um importance placed on the ex

development of exploits Etc which makes total sense but if I'm thinking about a smaller shop or just you know a place with not that many resources that is being being targeted by these adversaries maybe they don't have the resources to exploit development whether they should or not I think is a different argument but just just say they don't so how do you how do you balance or what what would you call in a way not being able to do that would that be simulation at that point or is there a way to still do it and it be called emulation just because you know what they're doing okay so exploit development is a very specific thing

right like you're talking about something that's breaking outside of a balance of something else right we do our best not to include I say this and I'm like oh I'm crunching uh we do our best to try to stick to the miner attack techniques and attack evaluations because those are the repeatable behaviors because at the end of the day that's actually more helpful um which so that's kind of like where I would lean towards I would actually lean towards not playing around with the exploit realm like we actually do a lot of hand like there is hand waving and attack evaluations where it's like and we're just going to say the user clicked on the document because we're not going

to have a user sit there and go in and click on the document like that's just not going to be a thing and so we're just going to simulate we're going to click on it and we're going to execute it and we're just going to say a user did that right like there's going to be certain hand wavy things um and that's usually where I would throw that out there where it's like what's the real value ad of playing in the exploit land and honestly it's all of the stuff around the exploit that's more value add than it is the actual exploit and that's why we focus on so much of the behaviors an attack versus is the exploits and the

problem too with exploits from the perspective of CTI is since patches are rolled out relatively quickly by the time we sit down to choose the adversary create the plan deit I mean that's like technically a year right by that time the exploit and its patch are already irrelevant because adversaries have moved on to the next thing and your question super valid cuz we talk about this all the time as a team the limitations of not doing exploits cuz that is Absol absolutely what we're seeing in the wild adversaries do that all the time well-known adversaries do that all the time but it's just again speaking to the constraints that our team is under that is something that

unfortunately we're not able to to Really emulate value that make sense yes thank you cool yeah thanks for the question love it bring it we're going to say last question cuz we got to get out of here but go ahead I'll keep it short uh my question is about attribution so once we correlate enough of these incidents and we do have an idea of how many techniques are involved in a single let's say attack scenario at what point are we confident that this is blind Eagle that we're looking at in terms of attribution is there like a giveaway technique sequence is there like a giveaway maybe technique um temporal proximity or something like that that

might give away that this is definitely the threat actor that we think uh is is attacking us here that's a great question we usually leave that to the analysts out there who's reporting we're consuming right so on the attack evaluations team we don't do like attribution really we're because since everything again has to be backed up by solid data reporting we if people ever come up to us and say like how did you know that that was that adversary we say because of X Y and Z right that being said we don't just take things at face value we obviously as analysts there's a certain degree of analytical rigor that is expected of us to really understand just

because an analyst is reporting that this was blind Eagle doesn't mean that we don't question that all the time right like we need to know for in order for reporting to be actionable for us in order to for something like attribution to be actionable for us we have to know how did this reporting come to be like how did did they get the information was it a Honeypot how did they even witness the attack so there's certain elements that we have to look for and certain questions that we have to be that asking to be kind of skeptical um in order to be confident that whatever emulation we create is absolutely reflective of the actor

themselves um for blind Eagle like we had a list of things that they are known to do one of the things is they target Colombia based users almost exclusively um so they're really really selective in geographical targeting that's just an example of something that we know with reading reporting okay that's something that we need to keep in mind does that help answer your question that definitely helps but I remember you also said like you were prioritizing what techniques to to evaluate in your emulation uh is there like a way to figure out which techniques are definitely going to show up in a blind Eagle uh attack scenario I mean definitely checking out the attack page on blind Eagle now that

I'm uh promoting attack too hard that's an excellent question so we pulled those three ttps I listed domain fronting process hollowing and abuse of legitimate Windows ex uh utilities those are the three we called out but only because those were really unique to the actor that we really wanted to emulate that we really felt would add something to the end user in Industry that was us making the call not necessarily saying oh because they did these three they must be blind Eagle does that make sense I see yeah that makes a lot of sense all right I appreciate you guys outstanding for thank you so much for the question thank you guys so much thank you have a

good rest of the conference night