Elastic Security Labs 的年度报告已上线！查看此博客中的一些见解。

2024 年需要了解的见解 

观察到的恶意软件表明，攻击者正在使用现成的工具进行滥用 — 包括生成式 AI

《2024 年 Elastic 全球威胁报告》中出现的恶意软件类型

image6.png

为什么我们不担心生成式 AI

企业错误配置云环境，使威胁行为者得以蓬勃发展 

表 24 摘自《2024 年 Elastic 全球威胁报告》

image7.png

在成功抵御“防御规避”之后，攻击者正在利用合法凭据进行渗透

云中的凭据访问

图 19 摘自《2024 年 Elastic 全球威胁报告》

image4.png

终端遥测中的凭据访问

图 4 摘自《2024 年 Elastic 全球威胁报告》

image5.png

表 17 摘自《2024 年 Elastic 全球威胁报告》

image2.png

图 18 摘自《2024 年 Elastic 全球威胁报告》

image1.png

全球概述

安全地探索威胁态势

Elastic Security Labs 发现，威胁行为者正在利用现成的被滥用的安全工具和错误配置的环境。

158175 - Blog header image_Prancheta 1-04 (1).jpg

The 2024 Elastic Global Threat Report: Visibility enhanced

《2024 年 Elastic 全球威胁报告：可见性增强》 

Elastic Security Labs 现在已经成为威胁研究的官方一站式域，更容易找到和共享安全威胁研究，从而建立整体更安全的工作场所和保护更严密的行业。

library-branding-elastic-security-midnight-web-thumb-1680x980.png

Elastic Security Labs: Follow us for breaking news on security threat research

Elastic Security Labs：关注我们了解安全威胁研究的突发新闻

In response to the Microsoft HAFNIUM 0-day exploit, Elastic Security has identified IoCs for highly damaging adversary objectives. Users with on-premise Exchange servers are advised to patch as soon as possible. View full details of identified IoCs.

<p>On March 2, 2021, Microsoft released a&nbsp;<a href="https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/">security update</a> describing several 0-day exploits targeting on-premises Microsoft Exchange servers. Four published remote code execution vulnerabilities relate to this activity, for which Microsoft released a&nbsp;<a href="https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server">patch</a>. The vulnerabilities include&nbsp;<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855">CVE-2021-26855</a>,&nbsp;<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857">CVE-2021-26857</a>,&nbsp;<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858">CVE-2021-26858</a>, and&nbsp;<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065">CVE-2021-27065</a>. </p> <p>In addition to verifying the information published by other members of the security community, Elastic Security identified indicators of compromise (IoCs) indicating adversary objectives to obtain credentials, maintain persistence, conduct reconnaissance, and steal data. Users with on-premises Exchange servers are advised to patch as soon as possible and be aware that threats of all kinds are actively attempting to exploit these vulnerabilities. </p> <p>Elastic Security provides a technical overview of Elastic Endpoint and Elastic Endgame capabilities related to this activity in our <a href="https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289">Discuss forum</a>. The overview describes eight existing and two new Elastic Endpoint rules, as well as six existing Elastic Endgame rules which identify threat behaviors. For Elastic Endgame users, we provide three additional EQL queries that detect portions of the attack. Based on telemetry observations, we also include five IoCs. </p>Please visit the <a href="https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289">Discuss forum</a> for full details on our identified IoCs.

blog-banner-digital-red-shield.jpg

blog-thumb-digital-red-shield.jpg

Detection and Response for HAFNIUM activity

Elastic Security has been updated and our users are not affected by SolarWinds’ recent security advisory regarding a supply-chain attack on the Orion management platform. Identify potential attacks using new and existing rules in this post.

<h2>Executive summary</h2><ul><li>Elastic Security’s malware prevention technology, used by both Elastic Endgame and the endpoint security capabilities within Elastic Security, has been updated and is not affected by attacks described in this disclosure</li><li>Existing Elastic Security rules (listed below) can help identify potential attacks</li><li>New Elastic Security rules (listed below) can help detect new threats</li><li>Recommended searches/threat hunts are listed below for Elastic Security (Elastic Endgame recommendations can be found on our <a href="https://support.elastic.co/customers/s/login/">support portal</a>)</li><li>Users can leverage&nbsp;Elastic ML models to detect potential C2 from the SUNBURST attack</li><li>Users are invited to work directly with our protection engineers in our <a href="https://github.com/elastic/detection-rules">public rules repo</a></li></ul><h2>Background</h2><p>On December 13, <a href="https://www.solarwinds.com/securityadvisory">SolarWinds released a security advisory</a>&nbsp;regarding a successful supply-chain attack on the Orion management platform. The attack affects Orion versions 2019.4 HF 5 through 2020.2.1, software products released between March and June of 2020. Likewise, on December 13, <a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html">FireEye released information about a global campaign involving SolarWinds supply-chain compromise</a> that affected some versions of Orion software.</p><p>Many details of the intrusion have not been made public, and this content may be later updated as additional information becomes known. Elastic provides this information for users in the free tier, and recommends subscription customers refer to the <a href="https://support.elastic.co/customers/s/login/">support portal</a> for additional information about licensed features.</p><h2>Malware protection</h2><p>We have updated our MalwareScore protection, used by both Elastic Endgame and Elastic Security. This update includes blocklist entries for known bad file hashes, providing essential prevention capability to mitigate deployed SolarWinds client software containing malicious code. Users should receive this update automatically.</p><h2>Free and open behavioral detections</h2><p>We have reviewed public materials disclosed by SolarWinds and FireEye to ensure we have as up-to-date an understanding of tactics, techniques, and procedures (TTPs) as possible. Additionally, Elastic reviewed <a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">content published by Volexity</a>&nbsp;describing post-exploitation activities observed during professional services engagements. While information about how the adversary responsible has leveraged this supply-chain compromise is limited, materials published by FireEye and Volexity indicate attempts to obtain lasting operational control by targeting directory services and other forms of authentication with a particular emphasis on information access.</p><p>The following existing behavioral detections for the Elastic Security solution may identify evidence of successful post-exploitation:</p><ul><li><a href="https://github.com/elastic/detection-rules/blob/main/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml">User Added as Owner for Azure Service Principal</a></li><li><a href="https://github.com/elastic/detection-rules/blob/main/rules/azure/persistence_mfa_disabled_for_azure_user.toml">Multi-Factor Authentication Disabled for an Azure User</a></li><li><a href="https://github.com/elastic/detection-rules/blob/86b1a56c1bfb42da504923e70bef788177967985/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml">Attempts to Brute Force a Microsoft 365 User Account</a></li><li><a href="https://github.com/elastic/detection-rules/blob/73e2690ec0683c3b77d54458da56c5d8b1c41092/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml">Potential Password Spraying of Microsoft 365 User Accounts</a></li><li><a href="https://github.com/elastic/detection-rules/blob/main/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml">Possible Consent Grant Attack via Azure-Registered Application</a></li><li><a href="https://github.com/elastic/detection-rules/blob/main/rules/azure/credential_access_key_vault_modified.toml">Azure Key Vault Modified</a></li><li><a href="https://github.com/elastic/detection-rules/blob/538aa80bba56535bb32eaab6cad9ef44d959ea30/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml">Process Termination followed by Deletion</a></li><li><a href="https://github.com/elastic/detection-rules/blob/e6645a8be9f70397b096928f28c49899d69adf04/rules/windows/defense_evasion_clearing_windows_event_logs.toml">Clearing Windows Event Logs</a></li></ul><p>Additionally, new behavioral rules are being released for the following activities:</p><ul><li><a href="https://github.com/elastic/detection-rules/blob/3b583cebade7de127f90dcbb7a93b9e083048b3c/rules/windows/collection_email_powershell_exchange_mailbox.toml">Exporting Exchange MailBox via PowerShell</a></li><li><a href="https://github.com/elastic/detection-rules/blob/3b583cebade7de127f90dcbb7a93b9e083048b3c/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml">SolarWinds Process Disabling Services via Registry</a></li><li><a href="https://github.com/elastic/detection-rules/blob/3b583cebade7de127f90dcbb7a93b9e083048b3c/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml">Command Execution via SolarWinds Process</a></li><li><a href="https://github.com/elastic/detection-rules/blob/3b583cebade7de127f90dcbb7a93b9e083048b3c/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml">Suspicious SolarWinds Child Process</a></li><li><a href="https://github.com/elastic/detection-rules/blob/7.11/rules/azure/initial_access_azure_active_directory_powershell_signin.toml">Azure Active Directory PowerShell Sign-in</a></li><li><a href="https://github.com/elastic/detection-rules/blob/7.11/rules/azure/defense_evasion_azure_service_principal_addition.toml">Azure Service Principal Addition</a></li><li><a href="https://github.com/elastic/detection-rules/blob/5e8b86a84eb9d5291ae64ec440254ca3ae274808/rules/windows/command_and_control_sunburst_c2_activity_detected.toml">SUNBURST Command and Control Activity Detected</a></li><li><a href="https://github.com/elastic/detection-rules/blob/7.11/rules/azure/defense_evasion_azure_application_credential_modification.toml">Azure Application Credential Modification</a></li><li><a href="https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_scheduled_task_powershell_source.toml">Outbound Scheduled Task Activity via PowerShell</a></li></ul><p>Elastic Security users may find value in enabling additional <a href="https://github.com/elastic/detection-rules">detection-rules</a> in <em>all</em> categories, prioritizing triage and analysis of results related to SolarWinds client software.</p><p>Users should note that the detection-rules command-line interface (<a href="https://github.com/elastic/detection-rules/blob/main/CLI.md">CLI</a>) is required to import rules, and the import-rules function can import rules in several formats either individually or from a directory.</p><h2>Threat hunting using Elastic</h2><p>Users who have deployed the Elastic endpoint may find that hunts focused on the following are important leads to prioritize based on public reporting:</p><h3>Disabling services via the Windows registry</h3><h4>EQL</h4><pre>registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start" and registry.data.strings == "4" and not (process.name : "services.exe" and user.domain: "NT AUTHORITY")<br /></pre><h4>KQL</h4><pre>registry.path:HKLM\\System\\*ControlSet*\\Services\\*\\Start and registry.data.strings:"4" and not (process.name:"services.exe" and user.domain:"NT AUTHORITY")<br /></pre><h3>Unusual descendants of the SolarWinds client</h3><h4>EQL</h4><pre>process where event.type in ("start","process_started") and process.parent.name:("SolarWinds.BusinessLayerHost.exe","SolarWinds.BusinessLayerHostx64.exe")<br /></pre><h4>KQL</h4><pre>event.category:process and event.type:start and process.parent.name:("SolarWinds.BusinessLayerHost.exe" or "SolarWinds.BusinessLayerHostx64.exe")<br /></pre><h3>Creation of executable files by the SolarWinds client</h3><h4>EQL</h4><pre>file where process.name in ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and file.name : ("*.dll*", "*.exe*", "*.ps1*", "*.jpg*", "*.png*")<br /></pre><h4>KQL</h4><pre>event.category:file and event.type:creation and file.extension:(dll or DLL or exe or EXE or ps1 or PS1 or jpg or JPG or png or PNG) and process.name:("SolarWinds.BusinessLayerHost.exe" or "SolarWinds.BusinessLayerHostx64.exe")<br /></pre><h3>Unexpected network communications by the SolarWinds client</h3><h4>EQL</h4><pre>network where network.protocol == "http" and process.name: ("SolarWinds.BusinessLayerHostx64.exe", "ConfigurationWizard.exe", "NetflowDatabaseMaintenance.exe", "NetFlowService.exe", "SolarWinds.Administration.exe", "SolarWinds.BusinessLayerHost.exe", "SolarWinds.Collector.Service.exe" , "SolarwindsDiagnostics.exe") and wildcard(http.request.body.content, "POST*/swip/Upload.ashx*", "PUT*/swip/Upload.ashx*", "GET*/swip/SystemDescription*", "HEAD*/swip/SystemDescription*", "GET*/swip/Events*", "HEAD*/swip/Events*") and not wildcard(http.request.body.content, "POST*solarwinds.com*", "PUT*solarwinds.com*", "GET*solarwinds.com*", "HEAD*solarwinds.com*")<br /></pre><h4>KQL</h4><pre>event.category:network and event.type:protocol and network.protocol:http and process.name:(ConfigurationWizard.exe or NetFlowService.exe or NetflowDatabaseMaintenance.exe or SolarWinds.Administration.exe or SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe or SolarWinds.Collector.Service.exe or SolarwindsDiagnostics.exe) and http.request.body.content:(((*/swip/Upload.ashx* and (POST* or PUT*)) or (*/swip/SystemDescription* and (GET* or HEAD*)) or (*/swip/Events* and (GET* or HEAD*))) and not *solarwinds.com*)<br /></pre><h2>For our users leveraging machine learning</h2><p>Machine learning is a critical capability when tracking down and detecting unknown threats. Elastic Security ships prebuilt jobs and rules that can jumpstart security teams across any organization. In this case, SUNBURST detection was not the exception. In <a href="https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection">this blog</a>, Elastic users can find step-by-step instructions to leverage one of the latest additions to our fleet: a model that combines supervised and unsupervised learning for effectively detect Domain Generation Algorithm (DGA) activity in organizations.</p><h2>Next steps</h2><p>Elastic will update our malware protection signer allowlist to remove an allowlist entry for SolarWinds Worldwide, LLC. As a result, SolarWinds users may see malware alerts for software signed by SolarWinds. These may be false positives.</p><p>Elastic Security's researchers are monitoring this situation for any updates. As new information emerges, we will evaluate and create additional protections as needed.</p><p>Elastic recommends users follow all applicable guidance from SolarWinds in addition to the guidance provided in this document. Users of SolarWinds products should also review reference materials for associated network-based indicators and conduct searches to identify potential evidence of prior or ongoing compromise. Elastic users can easily search for atomic indicators without learning a new query language.</p>

Elastic Security provides free and open protections for SUNBURST

Elastic will offer free Elastic Endpoint Security to the 2020 US presidential and congressional campaigns in partnership with Defending Digital Campaigns.

<p>We are excited to announce that Elastic will offer free, monitored Elastic Endpoint Security to the 2020 US presidential and congressional campaigns in partnership with Defending Digital Campaigns. </p> <p><a href="https://www.defendcampaigns.org/">Defending Digital Campaigns (DDC)</a> is a non-partisan organization that provides low- and no-cost security products and services to federal campaigns to help defend them from cyberattacks and election interference. We are proud to deliver a monitored Elastic Endpoint Security solution, supported by members of the Elastic Security team. </p> <p>Campaigns have faced two significant barriers as they seek to better secure themselves from cyber threats: The high cost of quality cybersecurity products and the experience to organize an effective security strategy. The DDC helps campaigns quickly overcome these barriers of cost and expertise,&nbsp;allowing campaign staff to focus on what they do best. </p> <p>Through DDC, security vendors like Elastic provide products and services directly to campaigns. The U.S. Federal Election Commission uniquely permits DDC to help campaigns receive these capabilities due to the nonprofit C4’s&nbsp;steadfastly non-partisan commitment.&nbsp; </p> <p>"Increasing the cybersecurity defenses of political campaigns is one of the most critical elements of protecting our democracy,” said Michael Kaiser, President and CEO of DDC. “Defending Digital Campaigns, with a mission to make campaigns more cybersecure, is proud to partner with Elastic Security on making endpoint protection, a core cybersecurity service, widely available to campaigns."&nbsp; </p> <p>Elastic Security team members aren’t strangers to the challenge of securing presidential campaigns, and have spent the past year assisting in the early stages of the 2020 U.S. election. Our partnership with DDC enables Elastic Security to achieve an even greater scale and impact — applying security expertise and technology to help maintain the integrity of democracy. </p>For more information or to apply for Elastic Security services for your team’s campaign, please visit the <a href="https://www.elastic.co/campaigns/2020-election-security">Elastic election security</a> page.

blog-banner-election-day.jpg

blog-thumb-election-day.jpg

Elastic partners with DDC to offer free election security to 2020 campaigns

The absence of a turnkey validation toolkit with sufficient detail to account for the range of adversary behavior further limits an organization’s ability to ca

<p>Organizations and practitioners often struggle with a practical way to validate the effectiveness of prevention and detection products, services, or homegrown capabilities. Fortunately, <a href="https://attack.mitre.org/wiki/Main_Page">MITRE's ATT&CK™</a> matrix partially addresses this challenge by identifying almost 200 different kinds of adversarial behavior.&nbsp; As we collectively recognize the need to go beyond malware-only testing, ATT&CK™ is increasingly the standard by which adversarial behavior is assessed. However, it is essential that organizations realize that their coverage of techniques in ATT&CK™ is a process and not a destination given that new tactics are regularly added. For vendors using ATT&CK to express coverage, detections must be robust enough that an adversary can’t simply rename their binary to evade discovery - ATT&CK™ is the counterpoint to those brittle indicators.
</p><p>As useful as the ATT&CK™ framework is conceptually, it only solves a portion of the problem: organizations and practitioners still need to test their defenses against each of the behaviors detailed in the ATT&CK™ matrix. ATT&CK™ can be overwhelming because of the wide array of techniques and, within each technique, sometimes many ways an adversary can implement the technique. This complexity has prompted<a href="https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/whats-next-for-attck%E2%84%A2"> MITRE to add sub-techniques later this year</a>.&nbsp; Beyond a basic lack of time to perform assessments, the absence of a turnkey validation toolkit with sufficient detail to account for the range of adversary behavior further limits an organization’s ability to carry out comprehensive assessments.&nbsp;&nbsp;
</p><p><a href="https://github.com/endgameinc/RTA">Endgame’s Red Team Automation (RTA)</a> begins to fill this gap, joining a small number of similarly useful tools like Red Canary’s <a href="https://github.com/redcanaryco/atomic-red-team">Atomic Red</a>, Uber’s <a href="https://github.com/uber-common/metta">Metta</a> project, and MITRE’s own <a href="https://github.com/mitre/caldera">Caldera</a>. Endgame Research created the RTA framework for internal experimentation and automated testing of some of the preventions and detections we deliver to customers in the <a href="https://www.endgame.com/platform">Endgame endpoint protection platform</a>.&nbsp; We are sharing the RTA framework publicly to help organizations accelerate and enable the assessment process and highlight detection coverage and gaps. Organizations can then focus more confidently on monitoring high real-time detections in their enterprise and prioritize filling critical gaps in coverage.
</p><h2>RTA Overview</h2><p>RTA is a set of 38 scripts and supporting executables that generate reliable artifacts which correspond to techniques in the ATT&CK™ framework.&nbsp; Initially, RTA provides coverage of 49 ATT&CK™ techniques and will expand over time. To help get started with RTA, I’ll provide an overview of the technology in RTA, followed by few examples to demonstrate how to start using RTA today. Importantly, we’ve structured RTA to help expand defensive capabilities and support the broader open source community. To that end, I’ll also address how you can contribute techniques to RTA through the GitHub repository.&nbsp;&nbsp;&nbsp;
</p><p>RTA differs from other adversary simulation capabilities in some significant ways.&nbsp; When we started, none of the other frameworks existed publicly. We continue to develop RTA instead of adopting another framework because we’ve found Endgame RTA to have low overhead and is simpler to use and extend.&nbsp; We expect some practitioners will find RTA useful for the same reasons. This blogpost won’t focus on comparing these tools, but will point out some substantive differences so readers can assess which adversary data-generation toolkit may be best for them.&nbsp;&nbsp;
</p><p>To begin using RTA, it is important to understand some of its key features. Some scripts work with a compiled executable, “myapp.exe”, which is capable of creating a local web server for hosting malicious downloads, manipulating timestamps of a file, or generating a user-defined beacon. The remainder of the repo includes dozens of Python-based scripts with the capabilities to:
</p><ul>
	<li>Use native tools to download and execute remote files</li>
	<li>Perform anti-forensics operations such as deleting volume journals</li>
	<li>Perform lateral movement to a target system and take actions</li>
	<li>Setup both common and uncommon persistence mechanisms</li>
	<li>Perform one of several UAC bypass techniques</li>
	<li>And many more...</li>
</ul><p>One way that RTA differs from solutions like Uber’s Metta is that RTA doesn’t directly include the ability to configure a playbook of several sequential adversary behaviors. Enabling this natively is an option for future development, but can now be accomplished with some light scripting. Presently, we prioritize covering the depth and breadth of ATT&CK™ over sequencing or APT simulation features.
</p><p>Figure 1 contains an excerpt of one of these RTA scripts. It is a Python script which wipes the Windows Security event log, corresponding to <a href="https://attack.mitre.org/wiki/Technique/T1107">File Deletion</a> in ATT&CK™. While we chose the Python language for convenience, there’s no technical barrier to changing that language to something else in the future.
</p><p><img src="https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/bltd58948b5d3f957a4/5dfd15f5f5916f4381bc7f38/RTA-script-clear-event-log-endgame.png" data-sys-asset-uid="bltd58948b5d3f957a4" alt="RTA-script-clear-event-log-endgame.png"></p> <p><em>Figure 1: Contents of Script to Clear Security Event Log in Windows</em></p><p>The Endgame RTA repository currently has 39 scripts in addition to the “myapp.exe” executable. Over the coming months, we’ll share additional scripts to expand this coverage across even more of the ATT&CK™ matrix. We also actively encourage community engagement to contribute to and expedite the creation of a complete collection of ATT&CK™, and are currently accepting pull requests. RTA is intended to be a tool for the community and by the community.
</p><p><em></em></p><p><img src="https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/blta0b8ff61b61d98d8/5dfd1672028cba3ef4ec64fa/RTA-attack-coverage-endgame.png" data-sys-asset-uid="blta0b8ff61b61d98d8" alt="RTA-attack-coverage-endgame.png"></p><p> <em>Figure 2: Current ATT&CK™ coverage using Endgame’s RTA</em>
</p><p>The RTA repo also includes a file containing global configuration settings and utility functions, “common.py”. This can be imported into a new script to take advantage of variables or functions as well as modified to create new variables or capabilities. By updating the LOCAL_IP variable, which is set to localhost by default, RTA scripts can be pointed to hosted payloads on a remote system. By updating the CALLBACK_REGEX variable, the URL associated with some types of beaconing simulation can be changed. This Python file also contains globally-available functions like logging messages during execution which can be presented to the user, evaluating whether a system is 32 or 64 bit; or identifying writable directories.
</p><p>At this time, RTA has very few dependencies aside from Python 2.7. To get the most out of RTA, which demonstrates several living-off-the-land techniques, we recommend that users download and extract to Sysinternals suite to the “bin” subdirectory along with Microsoft’s commandline transform utility, “msxsl.exe”. The RTA README contains the relevant links and instructions.
</p><h2>Putting RTA into action</h2><p>To demonstrate how RTA can support coverage assessments against specific behaviors in ATT&CK™, I’ll walk through a brief scenario. During initial compromise, attackers often incorporate a range of tactics such as combining phishing with a <a href="https://www.endgame.com/blog/technical-blog/bug-feature-debate-back-yet-again-ddeauto-root-cause-analysis">macro-less</a> Word document attack. For example, a recent <a href="https://www.trustwave.com/Resources/SpiderLabs-Blog/Multi-Stage-Email-Word-Attack-Without-Macros/">sample of malware</a> leverages multiple techniques and features to eventually deploy credential-stealing malware. How exactly does this work?
</p><p>First, a phishing lure is sent that contains a Word document and, instead of implementing macros (<a href="https://support.office.com/en-us/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US">consider blocking macros</a>) which are embedded entirely within the document, it contains a link to a remotely-hosted file. This is a different approach but not exactly a new one. It works because the DOCX file fetches external resources once opened, grabbing an RTF file from the Internet and opening it locally.
</p><p>The RTF file is itself weaponized to execute the built-in “mshta.exe” (MSHTA) application and download an HTA file from the Internet, a generic behavior we should universally be on the lookout for. This HTA file contains an obfuscated VBscript with an embedded PowerShell script. You might call it “script-ception” given the number of layers. PowerShell is then invoked to run the script and download a binary which is classified as a “credential stealer”. Figure 3 contains a high-level representation of this activity.
</p><p><em></em></p><p><img src="https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/blt060a53f771b1d8d2/5dfd168fc848085fa46e5d7a/RTA-malware-execution-endgame.png" data-sys-asset-uid="blt060a53f771b1d8d2" alt="RTA-malware-execution-endgame.png"></p><p> <em>Figure 3: Visual representation of malware execution process</em>
</p><p>Let’s quickly map these generic tactics to the ATT&CK™ matrix:
</p><ol>
	<li>Phishing (<a href="https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1144">Pre-T1144</a>) messages with malicious attachments to deliver a Word DOCX file through your email gateway</li>
	<li>Exploitation of a vulnerability (<a href="https://attack.mitre.org/wiki/Technique/T1068">T1068</a>) within the RTF file downloaded <a href="https://medium.com/@networksecurity/oleoutlook-bypass-almost-every-corporate-security-control-with-a-point-n-click-gui-37f4cbc107d0">as an external resource</a> of the Word DOCX file</li>
	<li>Use of the native MSHTA utility (<a href="https://attack.mitre.org/wiki/Technique/T1170">T1170</a>) to pull down an HTA file containing obfuscated (<a href="https://attack.mitre.org/wiki/Technique/T1027">T1027</a>) VBScript (<a href="https://attack.mitre.org/wiki/Technique/T1064">T1064</a>)</li>
	<li>The VBScript invokes PowerShell (<a href="https://attack.mitre.org/wiki/Technique/T1086">T1086</a>) which downloads and executes a malicious compiled executable<ol>
		<li>The request occurs over HTTP, so commonly used ports (<a href="https://attack.mitre.org/wiki/Technique/T1043">T1043</a>) applies</li>
		<li>The download is from an external network location, so remote file copy (<a href="https://attack.mitre.org/wiki/Technique/T1105">T1105</a>) is relevant</li>
	</ol></li>
	
</ol><p>That’s not a small number of techniques but I think we can handle this. Let’s start with the first behavior we see at the endpoint. A user receives a DOCX attachment. Upon viewing the attachment, Microsoft Word then grabs an externally-hosted RTF. Unfortunately, few organizations have a firm understanding of how normal this occurrence is. Because it utilizes native functionality of the Word application to fetch external references, there’s a chance that this is going to be too noisy to generically prompt an alert. Fortunately, there are RTA scripts for simulating unusual network activity associated with Microsoft Office and several otherwise trusted applications.
</p><p>Microsoft Word is also the parent of MSHTA. This native Windows utility is used for downloading and executing HTA files, which is a suspicious generic methodology. In most cases, this application should not be a child of Microsoft Office. This RTA creates a local webserver long enough to download and execute a benign HTA file - a harmless way to prove that you can detect this widely-used generic technique, no matter which payload is ultimately dropped and executed. If your detections only fire if a malware-detection engine properly classifies the sample, reconsider how much that monitoring capability is trusted.
</p><p>In this example, the attacker used the HTA file to download and execute a PowerShell script - another area RTA covers. There are a dozen or more ways that PowerShell can be abused during post-exploitation, including but not limited to input redirection, obfuscation of script contents, use of script-block encoding and some command line arguments. Simple things, like payload encoding, are very easy to express harmlessly (the example performs a ping command) in an RTA as seen in Figure 4.
</p><p><em></em></p><p><img src="https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/bltc137c5cbc2863a81/5dfd16a012af1140b8e76f78/RTA-powershell-endgame.jpeg" data-sys-asset-uid="bltc137c5cbc2863a81" alt="RTA-powershell-endgame.jpeg"></p><p> <em>Figure 4: Endgame’s “powershell_args.py” RTA command output</em>
</p><p>Although this attack example demonstrates how RTA can help evaluate defenses against a range of tactics, it is simply one use case. Endgame RTA covers over a quarter of the ATT&CK™ matrix currently, including the creation and removal of common and uncommon persistence mechanisms, a wide variety of commands that perform lateral movement, abusing native tools for encoding or obfuscation and many more!
</p><h2>Bringing RTA to the Community</h2><p>Endgame’s RTA is an internal tool we created for use within Endgame Research and are now releasing as an open source technology that organizations can use today to help assess their ability to detect, triage, and respond to threats. This assessment process has become increasingly important to enterprises as new tactics are discovered and new breaches come to light.&nbsp;&nbsp;
</p><p>We plan to expand the RTA project in two ways.&nbsp; First, we will continue to expand coverage of ATT&CK™, adding scripts for cells not yet covered and deepening coverage in cells we already include. We also plan to enhance the usability of the RTA framework to make it easier to run, providing the raw material for self-assessment.
</p><p>In addition, Roberto Rodriguez of <a href="https://specterops.io/">SpecterOps</a> and I will be presenting a complete method for quantifying the assessment process - regardless of the technology you use for detection - at <a href="http://www.bsidescharm.com/speakers">BSidesCharm</a> in April. We’ll combine RTA with the exceptional work Roberto started in the blogposts <a href="https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html">How hot is your hunt team</a> and <a href="https://cyberwardog.blogspot.com/2017/12/ready-to-hunt-first-show-me-your-data.html">Ready to hunt? First show me your data</a> to offer more guidance on using ATT&CK™ and RTA to measure your detection coverage.
</p><p>While Roberto’s examples may focus on hunting, as the example I provided in this post demonstrates, RTA has much broader applicability for a range of use cases. Endgame looks forward to working with the community to build out this capability, demonstrate a useful application of the ATT&CK™ matrix and, most importantly, help organizations and practitioners apply concrete methods and metrics for assessing their defensive coverage.
</p>

blog-banner-generic-black.png

blog-thumb-generic-black.png

Introducing Endgame Red Team Automation

Start free trial

Blog Footer CTA

Sign up for Elastic Cloud free trial

headshot-devon-kerr-300x300.jpg

安全研究总监

Devon Kerr

<p>By submitting you acknowledge that you've read and agree to our <a href="/legal/elastic-cloud-account-terms" target="_self">Terms of Service</a>, and you agree to receive the <a href="/legal/privacy-statement#how-we-use-the-information" target="_self">selected communications</a> at the contact details you provided above. See <a href="/legal/privacy-statement/" target="_self">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.</p>

Communication Preferences - ONLY for /communication-preferences

<p>提交即表示您确认您已阅读并同意我们的<a href="/cn/legal/elastic-cloud-account-terms" target="_self">服务条款</a>，并且您同意通过您提供的上述联系方式接收<a href="/cn/legal/privacy-statement#how-we-use-the-information" target="_self">所选的通信</a>。如需了解更多信息，或想随时取消订阅，请参阅 <a href="/cn/legal/privacy-statement/" target="_self">Elastic 的隐私声明</a>。</p>

<p>By submitting you acknowledge that you've read and agree to our <a href="/legal/serverless-preview-terms" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.</p>

Serverless GDPR Text

<p>提交即表示您确认您已阅读并同意我们的<a href="/cn/legal/serverless-preview-terms" target="_self">服务条款</a>，并且 Elastic 可以使用您提供的上述详细信息与您联系，以向您介绍我们相关的<a href="/cn/legal/privacy-statement#how-we-use-the-information" target="_self">产品和服务</a>。如需了解更多信息，或想随时取消订阅，请参阅 <a href="/cn/legal/privacy-statement/" target="_self">Elastic 的隐私声明</a>。</p>

<p>By submitting you agree to <a href="/agreements/global/cloud-services-monthly" rel="nofollow">Elastic Cloud Terms of Service</a>. Your personal data will be processed in accordance with <a href="/legal/privacy-statement">Elastic's Privacy Statement</a>.</p>

Cloud Trial GDPR Text

<p>提交即表示您同意 <a href="/cn/agreements/global/cloud-services-monthly" rel="nofollow">Elastic Cloud 服务条款</a>。我们将会按照 <a href="/cn/legal/privacy-statement">Elastic 的隐私声明</a>处理您的个人数据。
</p>

<p>By submitting you acknowledge that you've read and agree to our <a href="/legal/terms-of-use" target="_blank">Terms of Service</a>, and that Elastic may <a href="/legal/privacy-statement#how-we-use-the-information" target="_blank">contact you</a> about our related products and services, using the details you provide above. See <a href="/legal/privacy-statement/" target="_blank">Elastic’s Privacy Statement</a> for more details or to opt-out at any time.</p>

Newsletter GDPR Text

<p>提交即表示您确认您已阅读并同意我们的<a href="/cn/legal/terms-of-use" target="_self">服务条款</a>，并且 Elastic 可以使用您提供的上述详细信息与您联系，以向您介绍我们相关的<a href="/cn/legal/privacy-statement#how-we-use-the-information" target="_self">产品和服务</a>。如需了解更多信息，或想随时取消订阅，请参阅 <a href="/cn/legal/privacy-statement/" target="_self">Elastic 的隐私声明</a>。</p>

Explore similar demos

Overview

Speakers

Close

See more insights

The content on this page is not available in the selected language. As Elastic grows globally, we continue to support content in multiple languages.

The content on this page is not available in the selected language.

本页内容尚不支持所选语言。Elastic 正在不断努力，以实现对多种语言内容的支持。感谢您在此期间给予的耐心与陪伴！

Author

Articles by

Learn more

Watch now (no PT)

Watch now

See all top stories

All (no PT translation)

Contact information

Press Release

Share on Reddit

Share this story

Share by Email

Thank you for your interest!

Contact Info

Follow us on Youtube

Load More

Share on LinkedIn

Follow us on LinkedIn

Search Integrations

All Solutions

Video for

Follow us on Twitter

See when this webinar starts in my time zone

查看本次网络研讨会在我的时区的开始时间

Register to Watch

Register now

See All Posts

Can't make it? Register and we'll send you the recording. You'll also receive an email with related content

无法实时参加？注册后我们会给您发送录像。您还将收到相关内容的电子邮件。

作者

文章作者 Devon Kerr

安全研究总监, Elastic