Der Jahresbericht von Elastic Security Labs ist live! Schauen Sie sich einige der Erkenntnisse in diesem Blog an.

Einblicke, die Sie aus dem Jahr 2024 wissen sollten 

Beobachtete Malware zeigt, dass Angreifer handelsübliche Tools zum Missbrauch nutzen – einschließlich generativer KI

Malware-Typen im Elastic Global Threat Report 2024

image6.png

Warum uns generative KI keine Sorgen bereitet

Unternehmen konfigurieren Cloud-Umgebungen falsch und ebnen damit Bedrohungsakteuren den Weg 

Tabelle 24 aus dem Elastic Global Threat Report 2024

image7.png

Im Zuge der erfolgreichen Bekämpfung von Defense Evasion nutzen Angreifer legitime Anmeldedaten, um sich in das System einzuschleichen

Zugriff auf Anmeldeinformationen in der Cloud

Abbildung 19 aus dem Elastic Global Threat Report 2024

image4.png

Zugriff auf Anmeldeinformationen in der Endpoint-Telemetrie

Abbildung 4 aus dem Elastic Global Threat Report 2024

image5.png

Tabelle 17 aus dem Elastic Global Threat Report 2024

image2.png

Abbildung 18 aus dem Elastic Global Threat Report 2024

image1.png

Ein globaler Überblick

Sichere Erkundung der Bedrohungslandschaft

Elastic Security Labs stellt fest, dass Bedrohungsakteure leicht verfügbare, missbrauchte Sicherheitstools und falsch konfigurierte Umgebungen ausnutzen.

158175 - Blog header image_Prancheta 1-04 (1).jpg

The 2024 Elastic Global Threat Report: Visibility enhanced

Der Elastic Global Threat Report 2024: Verbesserte Sichtbarkeit 

Elastic Security Labs ist jetzt die offizielle Anlaufstelle für Bedrohungsforschung. Dort können Sie jederzeit Forschungen zu Sicherheitsbedrohungen finden und teilen, um Ihren Arbeitsplatz und die Branche allgemein besser zu schützen.

library-branding-elastic-security-midnight-web-thumb-1680x980.png

Elastic Security Labs: Follow us for breaking news on security threat research

Elastic Security Labs: Folgen Sie uns für aktuelle Neuigkeiten in der Bedrohungsforschung

In response to the Microsoft HAFNIUM 0-day exploit, Elastic Security has identified IoCs for highly damaging adversary objectives. Users with on-premise Exchange servers are advised to patch as soon as possible. View full details of identified IoCs.

<p>On March 2, 2021, Microsoft released a&nbsp;<a href="https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/">security update</a> describing several 0-day exploits targeting on-premises Microsoft Exchange servers. Four published remote code execution vulnerabilities relate to this activity, for which Microsoft released a&nbsp;<a href="https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server">patch</a>. The vulnerabilities include&nbsp;<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855">CVE-2021-26855</a>,&nbsp;<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857">CVE-2021-26857</a>,&nbsp;<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858">CVE-2021-26858</a>, and&nbsp;<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065">CVE-2021-27065</a>. </p> <p>In addition to verifying the information published by other members of the security community, Elastic Security identified indicators of compromise (IoCs) indicating adversary objectives to obtain credentials, maintain persistence, conduct reconnaissance, and steal data. Users with on-premises Exchange servers are advised to patch as soon as possible and be aware that threats of all kinds are actively attempting to exploit these vulnerabilities. </p> <p>Elastic Security provides a technical overview of Elastic Endpoint and Elastic Endgame capabilities related to this activity in our <a href="https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289">Discuss forum</a>. The overview describes eight existing and two new Elastic Endpoint rules, as well as six existing Elastic Endgame rules which identify threat behaviors. For Elastic Endgame users, we provide three additional EQL queries that detect portions of the attack. Based on telemetry observations, we also include five IoCs. </p>Please visit the <a href="https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289">Discuss forum</a> for full details on our identified IoCs.

blog-banner-digital-red-shield.jpg

blog-thumb-digital-red-shield.jpg

Detection and Response for HAFNIUM activity

Elastic Security has been updated and our users are not affected by SolarWinds’ recent security advisory regarding a supply-chain attack on the Orion management platform. Identify potential attacks using new and existing rules in this post.

<h2>Executive summary</h2><ul><li>Elastic Security’s malware prevention technology, used by both Elastic Endgame and the endpoint security capabilities within Elastic Security, has been updated and is not affected by attacks described in this disclosure</li><li>Existing Elastic Security rules (listed below) can help identify potential attacks</li><li>New Elastic Security rules (listed below) can help detect new threats</li><li>Recommended searches/threat hunts are listed below for Elastic Security (Elastic Endgame recommendations can be found on our <a href="https://support.elastic.co/customers/s/login/">support portal</a>)</li><li>Users can leverage&nbsp;Elastic ML models to detect potential C2 from the SUNBURST attack</li><li>Users are invited to work directly with our protection engineers in our <a href="https://github.com/elastic/detection-rules">public rules repo</a></li></ul><h2>Background</h2><p>On December 13, <a href="https://www.solarwinds.com/securityadvisory">SolarWinds released a security advisory</a>&nbsp;regarding a successful supply-chain attack on the Orion management platform. The attack affects Orion versions 2019.4 HF 5 through 2020.2.1, software products released between March and June of 2020. Likewise, on December 13, <a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html">FireEye released information about a global campaign involving SolarWinds supply-chain compromise</a> that affected some versions of Orion software.</p><p>Many details of the intrusion have not been made public, and this content may be later updated as additional information becomes known. Elastic provides this information for users in the free tier, and recommends subscription customers refer to the <a href="https://support.elastic.co/customers/s/login/">support portal</a> for additional information about licensed features.</p><h2>Malware protection</h2><p>We have updated our MalwareScore protection, used by both Elastic Endgame and Elastic Security. This update includes blocklist entries for known bad file hashes, providing essential prevention capability to mitigate deployed SolarWinds client software containing malicious code. Users should receive this update automatically.</p><h2>Free and open behavioral detections</h2><p>We have reviewed public materials disclosed by SolarWinds and FireEye to ensure we have as up-to-date an understanding of tactics, techniques, and procedures (TTPs) as possible. Additionally, Elastic reviewed <a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">content published by Volexity</a>&nbsp;describing post-exploitation activities observed during professional services engagements. While information about how the adversary responsible has leveraged this supply-chain compromise is limited, materials published by FireEye and Volexity indicate attempts to obtain lasting operational control by targeting directory services and other forms of authentication with a particular emphasis on information access.</p><p>The following existing behavioral detections for the Elastic Security solution may identify evidence of successful post-exploitation:</p><ul><li><a href="https://github.com/elastic/detection-rules/blob/main/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml">User Added as Owner for Azure Service Principal</a></li><li><a href="https://github.com/elastic/detection-rules/blob/main/rules/azure/persistence_mfa_disabled_for_azure_user.toml">Multi-Factor Authentication Disabled for an Azure User</a></li><li><a href="https://github.com/elastic/detection-rules/blob/86b1a56c1bfb42da504923e70bef788177967985/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml">Attempts to Brute Force a Microsoft 365 User Account</a></li><li><a href="https://github.com/elastic/detection-rules/blob/73e2690ec0683c3b77d54458da56c5d8b1c41092/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml">Potential Password Spraying of Microsoft 365 User Accounts</a></li><li><a href="https://github.com/elastic/detection-rules/blob/main/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml">Possible Consent Grant Attack via Azure-Registered Application</a></li><li><a href="https://github.com/elastic/detection-rules/blob/main/rules/azure/credential_access_key_vault_modified.toml">Azure Key Vault Modified</a></li><li><a href="https://github.com/elastic/detection-rules/blob/538aa80bba56535bb32eaab6cad9ef44d959ea30/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml">Process Termination followed by Deletion</a></li><li><a href="https://github.com/elastic/detection-rules/blob/e6645a8be9f70397b096928f28c49899d69adf04/rules/windows/defense_evasion_clearing_windows_event_logs.toml">Clearing Windows Event Logs</a></li></ul><p>Additionally, new behavioral rules are being released for the following activities:</p><ul><li><a href="https://github.com/elastic/detection-rules/blob/3b583cebade7de127f90dcbb7a93b9e083048b3c/rules/windows/collection_email_powershell_exchange_mailbox.toml">Exporting Exchange MailBox via PowerShell</a></li><li><a href="https://github.com/elastic/detection-rules/blob/3b583cebade7de127f90dcbb7a93b9e083048b3c/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml">SolarWinds Process Disabling Services via Registry</a></li><li><a href="https://github.com/elastic/detection-rules/blob/3b583cebade7de127f90dcbb7a93b9e083048b3c/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml">Command Execution via SolarWinds Process</a></li><li><a href="https://github.com/elastic/detection-rules/blob/3b583cebade7de127f90dcbb7a93b9e083048b3c/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml">Suspicious SolarWinds Child Process</a></li><li><a href="https://github.com/elastic/detection-rules/blob/7.11/rules/azure/initial_access_azure_active_directory_powershell_signin.toml">Azure Active Directory PowerShell Sign-in</a></li><li><a href="https://github.com/elastic/detection-rules/blob/7.11/rules/azure/defense_evasion_azure_service_principal_addition.toml">Azure Service Principal Addition</a></li><li><a href="https://github.com/elastic/detection-rules/blob/5e8b86a84eb9d5291ae64ec440254ca3ae274808/rules/windows/command_and_control_sunburst_c2_activity_detected.toml">SUNBURST Command and Control Activity Detected</a></li><li><a href="https://github.com/elastic/detection-rules/blob/7.11/rules/azure/defense_evasion_azure_application_credential_modification.toml">Azure Application Credential Modification</a></li><li><a href="https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_scheduled_task_powershell_source.toml">Outbound Scheduled Task Activity via PowerShell</a></li></ul><p>Elastic Security users may find value in enabling additional <a href="https://github.com/elastic/detection-rules">detection-rules</a> in <em>all</em> categories, prioritizing triage and analysis of results related to SolarWinds client software.</p><p>Users should note that the detection-rules command-line interface (<a href="https://github.com/elastic/detection-rules/blob/main/CLI.md">CLI</a>) is required to import rules, and the import-rules function can import rules in several formats either individually or from a directory.</p><h2>Threat hunting using Elastic</h2><p>Users who have deployed the Elastic endpoint may find that hunts focused on the following are important leads to prioritize based on public reporting:</p><h3>Disabling services via the Windows registry</h3><h4>EQL</h4><pre>registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start" and registry.data.strings == "4" and not (process.name : "services.exe" and user.domain: "NT AUTHORITY")<br /></pre><h4>KQL</h4><pre>registry.path:HKLM\\System\\*ControlSet*\\Services\\*\\Start and registry.data.strings:"4" and not (process.name:"services.exe" and user.domain:"NT AUTHORITY")<br /></pre><h3>Unusual descendants of the SolarWinds client</h3><h4>EQL</h4><pre>process where event.type in ("start","process_started") and process.parent.name:("SolarWinds.BusinessLayerHost.exe","SolarWinds.BusinessLayerHostx64.exe")<br /></pre><h4>KQL</h4><pre>event.category:process and event.type:start and process.parent.name:("SolarWinds.BusinessLayerHost.exe" or "SolarWinds.BusinessLayerHostx64.exe")<br /></pre><h3>Creation of executable files by the SolarWinds client</h3><h4>EQL</h4><pre>file where process.name in ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and file.name : ("*.dll*", "*.exe*", "*.ps1*", "*.jpg*", "*.png*")<br /></pre><h4>KQL</h4><pre>event.category:file and event.type:creation and file.extension:(dll or DLL or exe or EXE or ps1 or PS1 or jpg or JPG or png or PNG) and process.name:("SolarWinds.BusinessLayerHost.exe" or "SolarWinds.BusinessLayerHostx64.exe")<br /></pre><h3>Unexpected network communications by the SolarWinds client</h3><h4>EQL</h4><pre>network where network.protocol == "http" and process.name: ("SolarWinds.BusinessLayerHostx64.exe", "ConfigurationWizard.exe", "NetflowDatabaseMaintenance.exe", "NetFlowService.exe", "SolarWinds.Administration.exe", "SolarWinds.BusinessLayerHost.exe", "SolarWinds.Collector.Service.exe" , "SolarwindsDiagnostics.exe") and wildcard(http.request.body.content, "POST*/swip/Upload.ashx*", "PUT*/swip/Upload.ashx*", "GET*/swip/SystemDescription*", "HEAD*/swip/SystemDescription*", "GET*/swip/Events*", "HEAD*/swip/Events*") and not wildcard(http.request.body.content, "POST*solarwinds.com*", "PUT*solarwinds.com*", "GET*solarwinds.com*", "HEAD*solarwinds.com*")<br /></pre><h4>KQL</h4><pre>event.category:network and event.type:protocol and network.protocol:http and process.name:(ConfigurationWizard.exe or NetFlowService.exe or NetflowDatabaseMaintenance.exe or SolarWinds.Administration.exe or SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe or SolarWinds.Collector.Service.exe or SolarwindsDiagnostics.exe) and http.request.body.content:(((*/swip/Upload.ashx* and (POST* or PUT*)) or (*/swip/SystemDescription* and (GET* or HEAD*)) or (*/swip/Events* and (GET* or HEAD*))) and not *solarwinds.com*)<br /></pre><h2>For our users leveraging machine learning</h2><p>Machine learning is a critical capability when tracking down and detecting unknown threats. Elastic Security ships prebuilt jobs and rules that can jumpstart security teams across any organization. In this case, SUNBURST detection was not the exception. In <a href="https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection">this blog</a>, Elastic users can find step-by-step instructions to leverage one of the latest additions to our fleet: a model that combines supervised and unsupervised learning for effectively detect Domain Generation Algorithm (DGA) activity in organizations.</p><h2>Next steps</h2><p>Elastic will update our malware protection signer allowlist to remove an allowlist entry for SolarWinds Worldwide, LLC. As a result, SolarWinds users may see malware alerts for software signed by SolarWinds. These may be false positives.</p><p>Elastic Security's researchers are monitoring this situation for any updates. As new information emerges, we will evaluate and create additional protections as needed.</p><p>Elastic recommends users follow all applicable guidance from SolarWinds in addition to the guidance provided in this document. Users of SolarWinds products should also review reference materials for associated network-based indicators and conduct searches to identify potential evidence of prior or ongoing compromise. Elastic users can easily search for atomic indicators without learning a new query language.</p>

Elastic Security provides free and open protections for SUNBURST

Elastic will offer free Elastic Endpoint Security to the 2020 US presidential and congressional campaigns in partnership with Defending Digital Campaigns.

<p>We are excited to announce that Elastic will offer free, monitored Elastic Endpoint Security to the 2020 US presidential and congressional campaigns in partnership with Defending Digital Campaigns. </p> <p><a href="https://www.defendcampaigns.org/">Defending Digital Campaigns (DDC)</a> is a non-partisan organization that provides low- and no-cost security products and services to federal campaigns to help defend them from cyberattacks and election interference. We are proud to deliver a monitored Elastic Endpoint Security solution, supported by members of the Elastic Security team. </p> <p>Campaigns have faced two significant barriers as they seek to better secure themselves from cyber threats: The high cost of quality cybersecurity products and the experience to organize an effective security strategy. The DDC helps campaigns quickly overcome these barriers of cost and expertise,&nbsp;allowing campaign staff to focus on what they do best. </p> <p>Through DDC, security vendors like Elastic provide products and services directly to campaigns. The U.S. Federal Election Commission uniquely permits DDC to help campaigns receive these capabilities due to the nonprofit C4’s&nbsp;steadfastly non-partisan commitment.&nbsp; </p> <p>"Increasing the cybersecurity defenses of political campaigns is one of the most critical elements of protecting our democracy,” said Michael Kaiser, President and CEO of DDC. “Defending Digital Campaigns, with a mission to make campaigns more cybersecure, is proud to partner with Elastic Security on making endpoint protection, a core cybersecurity service, widely available to campaigns."&nbsp; </p> <p>Elastic Security team members aren’t strangers to the challenge of securing presidential campaigns, and have spent the past year assisting in the early stages of the 2020 U.S. election. Our partnership with DDC enables Elastic Security to achieve an even greater scale and impact — applying security expertise and technology to help maintain the integrity of democracy. </p>For more information or to apply for Elastic Security services for your team’s campaign, please visit the <a href="https://www.elastic.co/campaigns/2020-election-security">Elastic election security</a> page.

blog-banner-election-day.jpg

blog-thumb-election-day.jpg

Elastic partners with DDC to offer free election security to 2020 campaigns

The absence of a turnkey validation toolkit with sufficient detail to account for the range of adversary behavior further limits an organization’s ability to ca

<p>Organizations and practitioners often struggle with a practical way to validate the effectiveness of prevention and detection products, services, or homegrown capabilities. Fortunately, <a href="https://attack.mitre.org/wiki/Main_Page">MITRE's ATT&CK™</a> matrix partially addresses this challenge by identifying almost 200 different kinds of adversarial behavior.&nbsp; As we collectively recognize the need to go beyond malware-only testing, ATT&CK™ is increasingly the standard by which adversarial behavior is assessed. However, it is essential that organizations realize that their coverage of techniques in ATT&CK™ is a process and not a destination given that new tactics are regularly added. For vendors using ATT&CK to express coverage, detections must be robust enough that an adversary can’t simply rename their binary to evade discovery - ATT&CK™ is the counterpoint to those brittle indicators.
</p><p>As useful as the ATT&CK™ framework is conceptually, it only solves a portion of the problem: organizations and practitioners still need to test their defenses against each of the behaviors detailed in the ATT&CK™ matrix. ATT&CK™ can be overwhelming because of the wide array of techniques and, within each technique, sometimes many ways an adversary can implement the technique. This complexity has prompted<a href="https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/whats-next-for-attck%E2%84%A2"> MITRE to add sub-techniques later this year</a>.&nbsp; Beyond a basic lack of time to perform assessments, the absence of a turnkey validation toolkit with sufficient detail to account for the range of adversary behavior further limits an organization’s ability to carry out comprehensive assessments.&nbsp;&nbsp;
</p><p><a href="https://github.com/endgameinc/RTA">Endgame’s Red Team Automation (RTA)</a> begins to fill this gap, joining a small number of similarly useful tools like Red Canary’s <a href="https://github.com/redcanaryco/atomic-red-team">Atomic Red</a>, Uber’s <a href="https://github.com/uber-common/metta">Metta</a> project, and MITRE’s own <a href="https://github.com/mitre/caldera">Caldera</a>. Endgame Research created the RTA framework for internal experimentation and automated testing of some of the preventions and detections we deliver to customers in the <a href="https://www.endgame.com/platform">Endgame endpoint protection platform</a>.&nbsp; We are sharing the RTA framework publicly to help organizations accelerate and enable the assessment process and highlight detection coverage and gaps. Organizations can then focus more confidently on monitoring high real-time detections in their enterprise and prioritize filling critical gaps in coverage.
</p><h2>RTA Overview</h2><p>RTA is a set of 38 scripts and supporting executables that generate reliable artifacts which correspond to techniques in the ATT&CK™ framework.&nbsp; Initially, RTA provides coverage of 49 ATT&CK™ techniques and will expand over time. To help get started with RTA, I’ll provide an overview of the technology in RTA, followed by few examples to demonstrate how to start using RTA today. Importantly, we’ve structured RTA to help expand defensive capabilities and support the broader open source community. To that end, I’ll also address how you can contribute techniques to RTA through the GitHub repository.&nbsp;&nbsp;&nbsp;
</p><p>RTA differs from other adversary simulation capabilities in some significant ways.&nbsp; When we started, none of the other frameworks existed publicly. We continue to develop RTA instead of adopting another framework because we’ve found Endgame RTA to have low overhead and is simpler to use and extend.&nbsp; We expect some practitioners will find RTA useful for the same reasons. This blogpost won’t focus on comparing these tools, but will point out some substantive differences so readers can assess which adversary data-generation toolkit may be best for them.&nbsp;&nbsp;
</p><p>To begin using RTA, it is important to understand some of its key features. Some scripts work with a compiled executable, “myapp.exe”, which is capable of creating a local web server for hosting malicious downloads, manipulating timestamps of a file, or generating a user-defined beacon. The remainder of the repo includes dozens of Python-based scripts with the capabilities to:
</p><ul>
	<li>Use native tools to download and execute remote files</li>
	<li>Perform anti-forensics operations such as deleting volume journals</li>
	<li>Perform lateral movement to a target system and take actions</li>
	<li>Setup both common and uncommon persistence mechanisms</li>
	<li>Perform one of several UAC bypass techniques</li>
	<li>And many more...</li>
</ul><p>One way that RTA differs from solutions like Uber’s Metta is that RTA doesn’t directly include the ability to configure a playbook of several sequential adversary behaviors. Enabling this natively is an option for future development, but can now be accomplished with some light scripting. Presently, we prioritize covering the depth and breadth of ATT&CK™ over sequencing or APT simulation features.
</p><p>Figure 1 contains an excerpt of one of these RTA scripts. It is a Python script which wipes the Windows Security event log, corresponding to <a href="https://attack.mitre.org/wiki/Technique/T1107">File Deletion</a> in ATT&CK™. While we chose the Python language for convenience, there’s no technical barrier to changing that language to something else in the future.
</p><p><img src="https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/bltd58948b5d3f957a4/5dfd15f5f5916f4381bc7f38/RTA-script-clear-event-log-endgame.png" data-sys-asset-uid="bltd58948b5d3f957a4" alt="RTA-script-clear-event-log-endgame.png"></p> <p><em>Figure 1: Contents of Script to Clear Security Event Log in Windows</em></p><p>The Endgame RTA repository currently has 39 scripts in addition to the “myapp.exe” executable. Over the coming months, we’ll share additional scripts to expand this coverage across even more of the ATT&CK™ matrix. We also actively encourage community engagement to contribute to and expedite the creation of a complete collection of ATT&CK™, and are currently accepting pull requests. RTA is intended to be a tool for the community and by the community.
</p><p><em></em></p><p><img src="https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/blta0b8ff61b61d98d8/5dfd1672028cba3ef4ec64fa/RTA-attack-coverage-endgame.png" data-sys-asset-uid="blta0b8ff61b61d98d8" alt="RTA-attack-coverage-endgame.png"></p><p> <em>Figure 2: Current ATT&CK™ coverage using Endgame’s RTA</em>
</p><p>The RTA repo also includes a file containing global configuration settings and utility functions, “common.py”. This can be imported into a new script to take advantage of variables or functions as well as modified to create new variables or capabilities. By updating the LOCAL_IP variable, which is set to localhost by default, RTA scripts can be pointed to hosted payloads on a remote system. By updating the CALLBACK_REGEX variable, the URL associated with some types of beaconing simulation can be changed. This Python file also contains globally-available functions like logging messages during execution which can be presented to the user, evaluating whether a system is 32 or 64 bit; or identifying writable directories.
</p><p>At this time, RTA has very few dependencies aside from Python 2.7. To get the most out of RTA, which demonstrates several living-off-the-land techniques, we recommend that users download and extract to Sysinternals suite to the “bin” subdirectory along with Microsoft’s commandline transform utility, “msxsl.exe”. The RTA README contains the relevant links and instructions.
</p><h2>Putting RTA into action</h2><p>To demonstrate how RTA can support coverage assessments against specific behaviors in ATT&CK™, I’ll walk through a brief scenario. During initial compromise, attackers often incorporate a range of tactics such as combining phishing with a <a href="https://www.endgame.com/blog/technical-blog/bug-feature-debate-back-yet-again-ddeauto-root-cause-analysis">macro-less</a> Word document attack. For example, a recent <a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/Multi-Stage-Email-Word-Attack-Without-Macros/">sample of malware</a> leverages multiple techniques and features to eventually deploy credential-stealing malware. How exactly does this work?
</p><p>First, a phishing lure is sent that contains a Word document and, instead of implementing macros (<a href="https://support.office.com/en-us/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US">consider blocking macros</a>) which are embedded entirely within the document, it contains a link to a remotely-hosted file. This is a different approach but not exactly a new one. It works because the DOCX file fetches external resources once opened, grabbing an RTF file from the Internet and opening it locally.
</p><p>The RTF file is itself weaponized to execute the built-in “mshta.exe” (MSHTA) application and download an HTA file from the Internet, a generic behavior we should universally be on the lookout for. This HTA file contains an obfuscated VBscript with an embedded PowerShell script. You might call it “script-ception” given the number of layers. PowerShell is then invoked to run the script and download a binary which is classified as a “credential stealer”. Figure 3 contains a high-level representation of this activity.
</p><p><em></em></p><p><img src="https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/blt060a53f771b1d8d2/5dfd168fc848085fa46e5d7a/RTA-malware-execution-endgame.png" data-sys-asset-uid="blt060a53f771b1d8d2" alt="RTA-malware-execution-endgame.png"></p><p> <em>Figure 3: Visual representation of malware execution process</em>
</p><p>Let’s quickly map these generic tactics to the ATT&CK™ matrix:
</p><ol>
	<li>Phishing (<a href="https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1144">Pre-T1144</a>) messages with malicious attachments to deliver a Word DOCX file through your email gateway</li>
	<li>Exploitation of a vulnerability (<a href="https://attack.mitre.org/wiki/Technique/T1068">T1068</a>) within the RTF file downloaded <a href="https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0">as an external resource</a> of the Word DOCX file</li>
	<li>Use of the native MSHTA utility (<a href="https://attack.mitre.org/wiki/Technique/T1170">T1170</a>) to pull down an HTA file containing obfuscated (<a href="https://attack.mitre.org/wiki/Technique/T1027">T1027</a>) VBScript (<a href="https://attack.mitre.org/wiki/Technique/T1064">T1064</a>)</li>
	<li>The VBScript invokes PowerShell (<a href="https://attack.mitre.org/wiki/Technique/T1086">T1086</a>) which downloads and executes a malicious compiled executable<ol>
		<li>The request occurs over HTTP, so commonly used ports (<a href="https://attack.mitre.org/wiki/Technique/T1043">T1043</a>) applies</li>
		<li>The download is from an external network location, so remote file copy (<a href="https://attack.mitre.org/wiki/Technique/T1105">T1105</a>) is relevant</li>
	</ol></li>
	
</ol><p>That’s not a small number of techniques but I think we can handle this. Let’s start with the first behavior we see at the endpoint. A user receives a DOCX attachment. Upon viewing the attachment, Microsoft Word then grabs an externally-hosted RTF. Unfortunately, few organizations have a firm understanding of how normal this occurrence is. Because it utilizes native functionality of the Word application to fetch external references, there’s a chance that this is going to be too noisy to generically prompt an alert. Fortunately, there are RTA scripts for simulating unusual network activity associated with Microsoft Office and several otherwise trusted applications.
</p><p>Microsoft Word is also the parent of MSHTA. This native Windows utility is used for downloading and executing HTA files, which is a suspicious generic methodology. In most cases, this application should not be a child of Microsoft Office. This RTA creates a local webserver long enough to download and execute a benign HTA file - a harmless way to prove that you can detect this widely-used generic technique, no matter which payload is ultimately dropped and executed. If your detections only fire if a malware-detection engine properly classifies the sample, reconsider how much that monitoring capability is trusted.
</p><p>In this example, the attacker used the HTA file to download and execute a PowerShell script - another area RTA covers. There are a dozen or more ways that PowerShell can be abused during post-exploitation, including but not limited to input redirection, obfuscation of script contents, use of script-block encoding and some command line arguments. Simple things, like payload encoding, are very easy to express harmlessly (the example performs a ping command) in an RTA as seen in Figure 4.
</p><p><em></em></p><p><img src="https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/bltc137c5cbc2863a81/5dfd16a012af1140b8e76f78/RTA-powershell-endgame.jpeg" data-sys-asset-uid="bltc137c5cbc2863a81" alt="RTA-powershell-endgame.jpeg"></p><p> <em>Figure 4: Endgame’s “powershell_args.py” RTA command output</em>
</p><p>Although this attack example demonstrates how RTA can help evaluate defenses against a range of tactics, it is simply one use case. Endgame RTA covers over a quarter of the ATT&CK™ matrix currently, including the creation and removal of common and uncommon persistence mechanisms, a wide variety of commands that perform lateral movement, abusing native tools for encoding or obfuscation and many more!
</p><h2>Bringing RTA to the Community</h2><p>Endgame’s RTA is an internal tool we created for use within Endgame Research and are now releasing as an open source technology that organizations can use today to help assess their ability to detect, triage, and respond to threats. This assessment process has become increasingly important to enterprises as new tactics are discovered and new breaches come to light.&nbsp;&nbsp;
</p><p>We plan to expand the RTA project in two ways.&nbsp; First, we will continue to expand coverage of ATT&CK™, adding scripts for cells not yet covered and deepening coverage in cells we already include. We also plan to enhance the usability of the RTA framework to make it easier to run, providing the raw material for self-assessment.
</p><p>In addition, Roberto Rodriguez of <a href="https://specterops.io/">SpecterOps</a> and I will be presenting a complete method for quantifying the assessment process - regardless of the technology you use for detection - at <a href="http://www.bsidescharm.com/speakers">BSidesCharm</a> in April. We’ll combine RTA with the exceptional work Roberto started in the blogposts <a href="https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html">How hot is your hunt team</a> and <a href="https://cyberwardog.blogspot.com/2017/12/ready-to-hunt-first-show-me-your-data.html">Ready to hunt? First show me your data</a> to offer more guidance on using ATT&CK™ and RTA to measure your detection coverage.
</p><p>While Roberto’s examples may focus on hunting, as the example I provided in this post demonstrates, RTA has much broader applicability for a range of use cases. Endgame looks forward to working with the community to build out this capability, demonstrate a useful application of the ATT&CK™ matrix and, most importantly, help organizations and practitioners apply concrete methods and metrics for assessing their defensive coverage.
</p>

blog-banner-generic-black.png

blog-thumb-generic-black.png

Introducing Endgame Red Team Automation

Start free trial

Blog Footer CTA

Sign up for Elastic Cloud free trial

headshot-devon-kerr-300x300.jpg

Director, Security Research

Devon Kerr

<p>By submitting you acknowledge that you've read and agree to our <a href="/legal/elastic-cloud-account-terms" target="_self">Terms of Service</a>, and you agree to receive the <a href="/legal/privacy-statement#how-we-use-the-information" target="_self">selected communications</a> at the contact details you provided above. See <a href="/legal/privacy-statement/" target="_self">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.</p>

Communication Preferences - ONLY for /communication-preferences

<p>Durch das Absenden erklären Sie, dass Sie unsere <a href="/de/legal/elastic-cloud-account-terms" target="_self">Nutzungsbedingungen</a> gelesen haben und mit ihnen einverstanden sind und dass Sie Elastic erlauben, <a href="/de/legal/privacy-statement#how-we-use-the-information" target="_self">ausgewählte Nachrichten und Informationen</a> an die oben von Ihnen bereitgestellten Kontaktangaben zu senden. Weitere Informationen, darunter auch dazu, wie Sie Ihre Einwilligung zurückziehen können, finden Sie in der <a href="/de/legal/privacy-statement/" target="_self">Datenschutzerklärung von Elastic</a>.</p>

<p>By submitting you acknowledge that you've read and agree to our <a href="/legal/serverless-preview-terms" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.</p>

Serverless GDPR Text

<p>Durch das Absenden erklären Sie, dass Sie unsere <a href="/de/legal/serverless-preview-terms" target="_self">Nutzungsbedingungen</a> gelesen haben und mit ihnen einverstanden sind und dass Sie Elastic erlauben, bezüglich unserer zugehörigen Produkte und Dienstleistungen und unter Nutzung der von Ihnen oben bereitgestellten Kontaktangaben <a href="/de/legal/privacy-statement#how-we-use-the-information" target="_self">mit Ihnen in Kontakt zu treten</a>. Weitere Informationen, darunter auch dazu, wie Sie Ihre Einwilligung zurückziehen können, finden Sie in der <a href="/de/legal/privacy-statement/" target="_self">Datenschutzerklärung von Elastic</a>.</p>

<p>By submitting you agree to <a href="/agreements/global/cloud-services-monthly" rel="nofollow">Elastic Cloud Terms of Service</a>. Your personal data will be processed in accordance with <a href="/legal/privacy-statement">Elastic's Privacy Statement</a>.</p>

Cloud Trial GDPR Text

<p>Beim Absenden akzeptieren Sie die <a href="/de/agreements/global/cloud-services-monthly" rel="nofollow">Nutzungsbedingungen von Elastic Cloud</a>. Die Verarbeitung Ihrer personenbezogenen Daten unterliegt der <a href="/de/legal/privacy-statement">Datenschutzerklärung von Elastic</a>.
</p>

<p>By submitting you acknowledge that you've read and agree to our <a href="/legal/terms-of-use" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.</p>

Newsletter GDPR Text

<p>Durch das Absenden erklären Sie, dass Sie unsere <a href="/de/legal/terms-of-use" target="_self">Nutzungsbedingungen</a> gelesen haben und mit ihnen einverstanden sind und dass Sie Elastic erlauben, bezüglich unserer zugehörigen Produkte und Dienstleistungen und unter Nutzung der von Ihnen oben bereitgestellten Kontaktangaben <a href="/de/legal/privacy-statement#how-we-use-the-information" target="_self">mit Ihnen in Kontakt zu treten</a>. Weitere Informationen, darunter auch dazu, wie Sie Ihre Einwilligung zurückziehen können, finden Sie in der <a href="/de/legal/privacy-statement/" target="_self">Datenschutzerklärung von Elastic</a>.</p>

Explore similar demos

Overview

Speakers

Close

See more insights

The content on this page is not available in the selected language. As Elastic grows globally, we continue to support content in multiple languages.

The content on this page is not available in the selected language.

Der Inhalt dieser Seite ist in der ausgewählten Sprache nicht verfügbar. Wir bei Elastic arbeiten daran, die bereitgestellten Inhalte in verschiedenen Sprachen anzubieten. Bis dahin bitten wir Sie um etwas Geduld und hoffen auf Ihr Verständnis!

Author

Watch now (no PT)

Watch now

See all top stories

All (no PT translation)

Contact information

Press Release

Share on Reddit

Articles by

Share this story

Share by Email

Thank you for your interest!

Contact Info

Follow us on Youtube

Load More

Share on LinkedIn

Follow us on LinkedIn

Search Integrations

All Solutions

Video for

Follow us on Twitter

See when this webinar starts in my time zone

Register to Watch

Register now

See All Posts

Can't make it? Register and we'll send you the recording. You'll also receive an email with related content

Sie können nicht dabei sein? Registrieren Sie sich, damit wir Ihnen die Aufzeichnung zukommen lassen können. Außerdem erhalten Sie eine E‑Mail mit Begleitmaterial.

Small image for

On-demand webinar

Featured webinar

Register to Attend

Share on Facebook

Reset all

Upcoming webinar

View more posts

Print

Hosted by

Sign In to Attend

View next

Follow us on Facebook

Share

Highlights

Learn More

Read less

You'll also receive an email with related content

Wir schicken Ihnen zudem relevante Informationen, die von Interesse sein könnten.

Thank you for registering. We will send you a confirmation email soon.

Vielen Dank für Ihre Registrierung. Sie erhalten in Kürze eine Bestätigungs-E‑Mail von uns.

Autor

Artikel von Devon Kerr

Director, Security Research, Elastic