Workshops @ DEATHCon 2023

Suricata and Zeek are both powerful network content inspection tools that can be used for threat detection. When you send their output logs into Sentinel, you get the power to run threat hunting queries using KQL and set up custom alerts for your security operations team. In this workshop, you'll have access to our lab network with Suricata and Zeek already set up, so you can start learning how to query and use this data for hunting.

In this training, attendees will be given detailed insight into the latest techniques used to deliver prevalent malware strains via email, including QakBot and Emotet, and will hunt through email data to identify this malicious activity, developing rules to detect and block these attacks.

Initially attendees will be introduced to the foundational technologies that enable threat hunting, detection engineering, and response in the email domain, before being given access to the email data of a fictitious company seeded with benign and real-world attack data. Throughout the day, participants will learn to hunt common phishing techniques including:

• VIP Impersonations
• HTML smuggling via links/attachments
• Malicious VBA macros
• Lookalike / homoglyph attacks
• Credential phishing
• Password protected archives
• Exploits (e.g. CVE-2023-23397, CVE-2021-40444)
• Fake invoices (Geek Squad)

Attendees will be guided through the rule creation process, utilizing detection engines including Sublime and Yara, and will be introduced to the signals and email attributes that can be used to craft high-fidelity rules, including targeted user groups, sentiment analysis, sender domain age, and attachment analysis. Having completed the training, attendees will have a strong understanding of the tools and techniques at their disposal to defend their organizations from all manor of email threats.

This workshop will cover how to utilize SACL auditing in Windows and relevant syscalls in Linux (via auditd + Laurel) to generate telemetry when certain important files are accessed.

A few scripts and tools like Trufflehog will be utilized to identity files on endpoints and within file shares that can contain credential material, browser cookie theft will also be covered.

The ideas and concepts for the workshop are covered in two blog posts on the subject:

• https://www.sumologic.com/blog/threat-labs-cloud-theft-linux-credentials/
• https://www.sumologic.com/blog/threat-labs-cloud-theft-windows-credentials/

Participants in the workshop will get some hands on time with:

• Windows SACL auditing
• Trufflehog
• Set-AuditRule by Roberto Rodriguez
• Linux auditd / Laurel telemetry
• Two helper scripts that aid in turning on relevant auditd and SACL auditing
• Utilize a C2 framework to steal cloud credential files
• Utilize Mimikatz to decrypt an Azure token blob file on disk
• Utilize WhiteChocolateMacademiaNut by Justin Bui to steal Chrome/Edge browser cookies

The goal of this workshop is to build end-to-end Machine Learning classifier for (Windows) malware detection using Data Science and Machine Learning techniques. By the end of the workshop, the audience will learn how to choose and extract static features from PE files, perform data preprocessing and feature engineering, choose and optimize a Machine Learning classifier, evaluate the model, and finally pack it for production inferences.

Outline:
1) Static analysis feature selection and extraction using the PE library
2) Data preprocessing using the Pandas library
3) Feature engineering using the Feature Engine library
4) Data visualization using the Scikit Learn and the Matplotlib library
5) Model selection using the LazyPredict and Scikit Learn libraries
6) Hyperparameter optimization using the Scikit Learn library
7) Model performance evaluation using the Scikit Learn library
8) Model packing and inference tests

Lima Charlie is a Build your own EDR toolset for MSSPs to build their own services on top of. There is a wide range of functionality that is provided in Lima Charlie that enabled advanced detection and response scenarios.

I will go through the basics of Lima Charlie and present some interesting advanced detection scenarios. This workshop will act as a primer to using Lima Charlie to create detection content during the event.

Topics:
Sensor
- Installation
- Event Collection
Detection & Response Rules
- Syntax
- Rule Tuning
- Response Actions
Input and Output
- AzureAD/O365
- Microsoft Defender
- Elastic
- Slack
Addons
- Velociraptor
- Zeek
- Rulesets
Yara
Advanced Detection Scenarios
- Memory Strings detection
- Named Pipe Detections
- PCAP Detections
- Artifact Collection and Analysis

Hello, detection engineers! In the ever-evolving world of cybersecurity, it's crucial to stay ahead of the curve. One effective way to achieve this is by leveraging Atomic Red Team, an open-source project that helps you test your detection capabilities against known simulated adversarial techniques. With thousands of attack scenarios, over 7k GitHub stars, 46,379 weekly views, and around 10 new attacks added weekly, the Atomic Red Team library of scripted cyber-attacks has become the industry standard for detection validation and attack simulation. It's even embedded in many Breach and Attack Simulation (BAS) tools on the market today.

Atomic Red Team is a library, and it cannot execute the attacks on its own, which means it needs an execution engine to function. In this blog, we'll use the most popular one, Invoke-AtomicRedTeam, led by Carrie Roberts (@OrOneEqualsOne) and maintained by the Atomic Red Team maintainers. Notably, the Atomic Red Team project is sponsored and hosted by Red Canary, a leading provider of managed detection and response services.

In this workshop, participants will learn how to develop and test cloud-based detections using Atomic Red Team and various cloud-native data sources like Kubernetes audit logs, AWS CloudTrails, and Linux syscall events. We will cover three examples from the MITRE ATT&CK Framework, focusing on the following techniques: T1053.003 (Replace crontab with reference file), T1609 (Exec into a container), and T1136.003 (Create new IAM user). These examples are designed to help you learn the basics of developing and testing cloud-based detections.

Additionally, we'll dive into real-world attack scenarios against AWS to further enhance your understanding of how to detect and respond to threats in the cloud. While we will use Lacework as an illustration for easier data acquisition, it's important to note that you can also utilize out-of-the-box cloud tooling such as AWS CloudTrail logs or other data sources for detecting threats.

Are you fairly new to the world of Detection Engineering? Want to get a solid start with a well-respected (and free to the community) resource that focuses on practical testing?

Atomic Red Team gives you the tools to run techniques that threat actors commonly use, such as different ways to dump credentials, persist malware through modifying the Outlook home page, escalate privileges, modify Group Policy, and more.

In the DEATHCon lab, you can run (and modify) the Red Team scripts, then observe the endpont events that they generate so that you can develop effective detections for behaviors rather than just file hashes and IP addresses. The trick is in writing a detection that is broad enough to cover variations of the techniques, but narrow enough to avoid flooding your SOC with false positive alerts on benign behavior. This workshop will help you develop the skills that you need to go from attacker technique to well-tuned detection with hands-on practice.

How often do you think attackers abuse RPC and LDAP to escalate privileges and move laterally after getting an initial foothold?

If you said "All the time!" you probably have experience with incident response!

LDAP Firewall is a new open-source tool that lets you control and audit LDAP requests in order to protect Domain Controllers, mitigate LDAP-based attacks (such as sAMAccountName spoofing and BloodHound) and tightly control access to the Active Directory schema. The tool inspects incoming LDAP operations (which are used to read or modify entries in the Active Directory schema) and allows or blocks the request based on the configured rules. The operation also gets written into the Windows Event Log with the action took and other relevant fields (Distinguished Name, attributes, OID etc.).

RPC Firewall is another open-source tool released just over a year ago (and recently updated). It allows you to set up auditing of Remote Procedure Calls (RPCs) which will be logged and forwarded to Sentinel so we can hunt and craft detections.

In this workshop we will demonstrate how to run and configure the tools, and how they can be used to block LDAP-based and RPC-based attacks.

As cyber threats continue to increase in frequency and sophistication, it is essential for organizations to have effective security monitoring tools in place. Security Onion is an open-source enterprise security monitoring platform. It provides comprehensive host and network visibility, and among other things, can be used for detection engineering and threat hunting. In this presentation, we will discuss the benefits and features of Security Onion and how it can be utilized to enhance your organization's security posture.

Detection engineering involves developing and deploying custom detections to identify specific types of malicious activity. Security Onion provides a range of built-in detection rules and the flexibility to create custom rules to meet specific needs. We will cover the process of creating and testing custom rules, and discuss best practices for maximizing detection efficacy. Some items we'll cover during this portion of the workshop include:

• Identifying detection opportunities using file, host, log, and network data
• Developing detections within Playbook
• Testing and implementing detections
• Refining detections

Threat hunting involves actively searching for threats that may have evaded detection by traditional security measures. Security Onion provides a range of tools, including full packet capture (PCAP), host-based data collection, and network traffic analysis tools in order to aid in the identification and investigation of potential threats. We will discuss hunting for various behaviors, tactics, and techniques using Security Onion, such the following:

• C2
• Protocol Tunneling
• Suspicious user agents
• Lateral Movement
• Suspicious Command Line Execution
• Misbehaving Powershell

By the end of this workshop, participants have a solid understanding of Security Onion's capabilities and how it can be used to facilitate effective detection engineering, threat hunting, and response to cyber threats.

PowerShell is STILL one of the most commonly-used tools by APT and crimeware threat actors. Out of all the things SOC analysts are likely to see, PS is both the most frequent and also the most frustrating, because there are so many ways to obfuscate and bury malicious code inside normal-looking code. There are also many legitimate enterprise tools that use PowerShell all the time, not to mention all the things systems administrators do with PowerShell that shows up in logs.

In this workshop, you'll think like an attacker and find many ways to slip malicious PowerShell past AV, AMSI, and EDR defenses -- then use what you learned to write threat hunting rules to discover suspicious PowerShell and analyze it to uncover its secrets.

So much threat hunting takes place in Windows environments, partly because there are more commercial tools available and more security pros are familiar with Windows, EDRs, and event logs. But what if your company has critical data and services hosted on Linux systems? Are they invincible to attack? 🤣 Do attackers just not care about Linux, or not know how to attack it? 🤣

In this workshop, we'll attack some Linux servers and sift through the logs to find ways we can more effectively hunt on Linux.

According to "The C2 Matrix" hosted by SANS Security, the golden age of Command and Control (C2) frameworks is here. With this new age, comes a period where everyone is rushing C2 Frameworks out of the door to capitalize on the market, making defenders lives a lot harder to know what to look for on their own systems. To better assist with detecting these newer C2s and responding to security incidents, we will be leveraging Volatility 3 (Python 3 version) to dissect different stages of malware samples utilizing various off-the-shelf C2 frameworks; writing YARA rules to better aid our hunt.

We will also briefly discuss the inherent dangers of using off-the-shelf and unverified C2 frameworks.

The primary role of a threat hunter is to scrutinize our current way of thinking about detections and how we find new and equally creative adversarial techniques. One of the easiest ways to do this is by emulating our adversary, being as persistent as our opponent in finding new tooling or methods, and finding ways to exploit the processes as attackers exploit weaknesses in defenses. In our workshop, we will attempt to follow such a process by examing Pyramid. This practical post-exploitation framework uses trusted proxy execution as the basis for its exploitative activities.

We will build defenses around our endpoints to see where the weaknesses lie and how we might exploit them to better protect our endpoints.

Do you want to learn Kusto Query Language (KQL) and practice threat hunting/incident response in a fun, competitive capture-the-flag game?

How about winning fame and glory among your DEATHCon friends, not to mention some exclusive prizes for winning?

Whether you are in it to win it, or just want to learn by doing and practice in a game environment, this CTF has something for everyone!

Velociraptor is an open source DFIR tool that provides access to endpoint data in a simple yet scalablable capability. The power and flexibility of Velociraptor is driven by its Velociraptor Query Language (VQL). This workshop will walk through some building blocks for detection with Velociraptor. It will also show atendees how to optimise performance and results. Finally we will cover some interesting use cases used in real life investigations to super charge your own capabilies. Install and overview

• refresh/links - I will share some recent overview content from Mike for thats optional.
• lab setup (I think a standard VM should suffice)

Building Blocks of Detection: accessors

• Files
• Registry
• Process

Yara

• Performance and best practice
• RDP patch usecase - disk and memory

Content management

• bulk artifacts / IOCs
• server content management

Advanced use cases

• lnk files
• QBot detection and config extraction
• Powershell

This workshop will require use of a Windows VM. I'll run some malware and scripts.

This interactive workshop is designed to guide participants through the process of developing a post-exploitation framework, which includes an injectable agent payload and a server component.

The server component is built using Python3, while the agent is developed in C and C++. I will provide participants with a basic structure for both components, eliminating the need to start from zero.

The framework comes with essential features such as a reflective loader implementation, straightforward C2 communication, command dispatching, and an interactive shell interface on the backend. These features are pre-implemented to allow participants to focus on the core aspects of the workshop.

The workshop kicks off with a concise presentation on the architecture of C2 agents, providing a comprehensive understanding of their structure and functionality. Following this, we delve into the rudimentary development and debugging workflow. Subsequently, participants are guided through the implementation of several features, including:

• Execution of commands on the system shell
• Screenshot capturing functionality
• Process injection functionality
• Process injection using direct system calls

This segment of the workshop is expected to span approximately 3 hours. However, if time permits, there is an array of additional content to explore. This includes:

• File upload and download functionality
• Implementation of an interactive system shell
• Keylogger functionality

While YARA itself can be considered quite performant, using it iteratively while developing and testing new rules against larger data sets can still quickly become a waiting game. Luckily, there are open source projects that provide a massive acceleration of queries by using an inverted 4-gram index. However, the acceleration achieved by such approaches by design depends heavily on the rule-structure, since not all conditions can benefit from the implemented indexing.

In this workshop, participants will gather some first hand experience with one such YARA query accelerator, their typical limitations, and what rules may profit from it the most. Working against a data set representing a wild mix of benign and malicious files, attendees will be tasked with the creation of various rules to solve a set of detection challenges. Additionally, they will be confronted with ensuring rule compatibility with the query accelerator and optimizing rule performance.

You have dead bodies in your basement and you don´t know about it In this workshop we will find avenues to escalate privileges due to historically grown AD environments. We will use different techniques such as analysis of file permissions as well as analysis of object permissions.

In this workshop, we will use Elastic Endpoint (formerly known as EndGame) to hunt and detect threats.

Over time, the efficacy of our detections degrade.

Novel techniques are discovered, novel implementations of classic techniques are developed, and suddenly we find that detection engineering we believe to be protecting our network is no longer adequate.

Testing whether each SIEM/EDR detection rule is configured correctly can be extremely challenging. In many cases, we're not able to peer into the detection logic itself. Knowing with certainty that your security controls are working to protect you really isn't possible without testing against those controls directly. A SIEM or EDR, for example, may claim to detect or block some threat, but does it actually?

In this talk, we'll explore the use of Prelude Detect, a prod-scale continuous security testing platform, to enable diagnostics of SIEM and EDR detection content. Using data gathered in Detect, we'll discuss how continuous security testing can notify defenders of deviations from a known, secure state. Additionally, we'll explore how Detect can identify EDR failures and feed these findings back into the EDR to improve detection capability.

This hands-on workshop is designed to provide attendees with practical experience on attacking and defending Azure AD. participants will execute common attacks for initial access and privilege escalation, then analyze the resulting telemetry to create custom detections and hunting dashboards. The workshop has four hands-on exercises and each contains a Red and a Blue section.