Atomic Hunting with Atomic Red Team: Starting Your Threat Hunting Journey

Valem
Published in INTELFORGE · 7 min read · Jul 16, 2020

By Valentina Palacin
This article is also available in Spanish

Atomic what…?

Threat Hunting is a hot topic lately. You might be aware of the incredible work that people like Olaf Hartong, Roberto and Jose Luis Rodriguez, among others, are doing using the MITRE ATT&CK Framework, Sysmon, ETW, ELK/Splunk… Whether because you have heard of them, or just because you have heard something about that new frontier called “hunting the adversary” as a proactive cybersecurity approach, you may find yourself wanting to know more about it, but a little puzzled about where to begin.

I believe there is a common misconception about the expertise required to dedicate yourself to this line of work: people sometimes assume that you need the expertise of a Sr. Security Analyst or Engineer in order to carry out this type of activity. But, in my opinion, there is no better way to learn than to immerse yourself in the activity, so even if you consider yourself a junior in cybersecurity-related matters, you can learn how to hunt anyway!

I have been asked about where to start several times now, so I decided to write an article about how my colleague Ruth Barbacil (root) and I approached the subject when we first started.

Before getting started…

There is one thing you will need no matter what your skill level is: a threat hunting lab.

If you don’t have one, I encourage you to read Roberto Rodriguez’ article about how to set up a threat hunting lab before continuing reading: https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat.html

My own lab is based on Roberto’s article, but instead of setting up a standard ELK instance as indicated in Roberto’s blog (part 5), I would recommend exploring The HELK, Roberto’s project for a specialized Threat Hunting platform: https://github.com/Cyb3rWard0g/HELK

You can also check out Roberto’s Mordor Labs project to deploy a hunting lab in the cloud: https://github.com/OTRF/mordor-labs. His article about how to build a hunting lab using Azure Sentinel is another useful resource to explore: https://medium.com/threat-hunters-forge/azure-sentinel-to-go-b5f6848d3c61

No matter what environment you choose, you will need to define the setup that best fits your needs. Take Roberto’s APT29 Azure lab as an example of this:

Figure 1 — Roberto’s Azure Lab for APT29 MITRE Evals

And of course, last but not least, keeping ATT&CK open to learn about the techniques, consult the data sources, or use it as a general reference is always a must: https://attack.mitre.org/

You have your lab. Now what?

Once you have the environment up, you still have to get yourself familiar with two projects: Atomic Red Team by Red Canary (@redcanaryco) and The Open Source Security Events Metadata (OSSEM), by Roberto and Jose Luis Rodriguez.

1. Atomic Red Team

Atomic Red Team is a project developed by Red Canary. The atomic tests focus on replicating the techniques used by adversaries, as mapped by the MITRE ATT&CK Framework. You can find more information about how to execute the atomic tests in the official repository: https://github.com/redcanaryco/atomic-red-team

2. OSSEM

The Open Source Security Events Metadata (OSSEM) is an open source project designed by Roberto and Jose Luis Rodriguez. The OSSEM project focuses “on the documentation and standardization of security event logs from diverse data sources and operating systems.” OSSEM data dictionaries map the data sources to data analytics that can be related to adversary techniques while providing a model for data normalization too. In short, the objective behind the OSSEM project is to help you understand the data collected. You can learn more about it through its official repository: https://github.com/hunters-forge/OSSEM

Executing Atomic Hunts

Now, I will walk you through the process of executing what I like to call an atomic hunt.

1. Choose the Atomic Test you want to hunt for

The first thing you need to do is to choose the atomic test you want to hunt for. I like using the atomic test matrix for Windows to help me choose which test I’m going to execute: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Indexes/Matrices/windows-matrix.md. For the sake of this example, I’m going to use the Privilege Escalation technique Process Hollowing.

2. Make a hypothesis of what is going to happen on the victim’s system

The next thing I’m going to do is to make a hypothesis of what I think is going to happen on the host side after executing the technique. Don’t worry about being wrong at this step. Sometimes you will know exactly how a process works and sometimes you will not. The hunt itself will help you realize what you know, what you still need to learn, and where your own room for improvement lies.

I will try to make a diagram with my hypothesis about how the action flow will go, based on what I know about the technique or on what is stated in the technique description.

For example, according to the ATT&CK technique, process hollowing is a way of injecting malicious code into a suspended process to evade process-based defenses by “executing arbitrary code in the address space of a separate live process”. I know that the atomic test for process hollowing “uses PowerShell to create a Hollow from a PE on disk with explorer as the parent”.

I will use this information to elaborate a possible flow for this behavior. Again, don’t worry about being wrong.

Figure 2 — Possible Workflow

Once my diagram is finished, I will use the OSSEM project to relate each step to possible event IDs and field relationships.

Figure 3 — Possible Workflow with Event IDs

Keep in mind that this is just my initial approach to understanding the test, and that you can go as deep as you want in terms of understanding what the atomic test would do. For this specific test, I avoided analyzing in detail the script “Start-Hollow.ps1” that you will need to execute. If you want to, you can go ahead and do it. Just remember that going too deep is not necessarily practical for an initial research approach.

3. Delete any previous logs and execute the test

If I have been working in my lab before executing this test, I will remove any previous logs (by deleting the index) that were gathered before. Reducing the amount of “noise” in the lab will help me identify the activity I’m searching for without getting confused about what I am looking at.

Then, I will proceed to carry out the atomic test on my target system as indicated in the Atomic Red Team repository: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md.

4. Hunt for the executed test

The next thing I’m going to do is to hunt for the executed test based on the diagram I designed in step 2. If I can’t find the activity with my assumptions, since I know exactly what was executed during the test, I will “cheat” by looking for that information specifically. So in the end, I will do a “reverse” hunt, chaining processes by process GUID or by other related indicators to reconstruct the chain of events.
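The “reverse” hunt described above, as an added example that is not code from the article, Atomic Red Team or OSSEM: starting from one process you know was part of the test (the “cheat”), walk the parent chain, pull in the cross-process events in which that process is the source or target, and add its children, then sort everything by time. The field names (ProcessGuid, ParentProcessGuid, SourceProcessGuid, TargetProcessGuid, UtcTime) are Sysmon’s; the event list, the GUID values and the notepad.exe host process are a constructed sample, not what the atomic test actually produces.

```python
"""Reverse hunt: rebuild the chain of Sysmon events around one known process.

Added example for this article, not code from Atomic Red Team, OSSEM or the author.
The events below are a constructed sample (not real telemetry) that borrows Sysmon
field names; the GUID values and the notepad.exe host process are placeholders.
  Event ID 1  ProcessCreate      : ProcessGuid, ParentProcessGuid, Image, CommandLine
  Event ID 10 ProcessAccess      : SourceProcessGuid, TargetProcessGuid, GrantedAccess
  Event ID 8  CreateRemoteThread : SourceProcessGuid, TargetProcessGuid
"""

SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2020-07-16 10:00:00.000", "ProcessGuid": "{G-EXPLORER}",
     "ParentProcessGuid": "{G-USERINIT}", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"EventID": 1, "UtcTime": "2020-07-16 10:01:00.000", "ProcessGuid": "{G-PS}",
     "ParentProcessGuid": "{G-EXPLORER}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File Start-Hollow.ps1"},
    # Placeholder host process for the hollow; its real parent and image depend on the test.
    {"EventID": 1, "UtcTime": "2020-07-16 10:01:05.000", "ProcessGuid": "{G-HOLLOW}",
     "ParentProcessGuid": "{G-EXPLORER}", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 10, "UtcTime": "2020-07-16 10:01:05.100", "SourceProcessGuid": "{G-PS}",
     "TargetProcessGuid": "{G-HOLLOW}", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "UtcTime": "2020-07-16 10:01:05.200", "SourceProcessGuid": "{G-PS}",
     "TargetProcessGuid": "{G-HOLLOW}"},
    # Unrelated noise from the same session; a good reverse hunt must leave it out.
    {"EventID": 1, "UtcTime": "2020-07-16 10:02:00.000", "ProcessGuid": "{G-CALC}",
     "ParentProcessGuid": "{G-EXPLORER}", "Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": "calc.exe"},
]


def find_seed(events, needle):
    """The "cheat": locate the ProcessGuid of the process whose command line contains needle."""
    for ev in events:
        if ev["EventID"] == 1 and needle.lower() in ev["CommandLine"].lower():
            return ev["ProcessGuid"]
    return None


def reverse_hunt(events, seed_guid):
    """Collect every event that can be chained to seed_guid, oldest first.

    Three links are followed: the parent chain upwards, cross-process events
    (8, 10) in which the seed is source or target (plus the creation event of
    the other party), and the children the seed spawned.
    """
    creates = {ev["ProcessGuid"]: ev for ev in events if ev["EventID"] == 1}
    chain = []

    guid, seen = seed_guid, set()             # 1. ancestors, until a parent was never logged
    while guid in creates and guid not in seen:
        seen.add(guid)
        chain.append(creates[guid])
        guid = creates[guid]["ParentProcessGuid"]

    for ev in events:                         # 2. cross-process events and the other party
        if ev["EventID"] in (8, 10) and seed_guid in (ev["SourceProcessGuid"], ev["TargetProcessGuid"]):
            chain.append(ev)
            other = ev["TargetProcessGuid"] if ev["SourceProcessGuid"] == seed_guid else ev["SourceProcessGuid"]
            if other in creates:
                chain.append(creates[other])

    chain += [ev for ev in creates.values() if ev["ParentProcessGuid"] == seed_guid]  # 3. children

    unique = {id(ev): ev for ev in chain}     # the same event may be reached by two paths
    return sorted(unique.values(), key=lambda ev: ev["UtcTime"])


def describe(ev):
    """One-line rendering, handy when updating the diagram with real IDs and names."""
    if ev["EventID"] == 1:
        return f'{ev["UtcTime"]} EID 1  {ev["ParentProcessGuid"]} -> {ev["ProcessGuid"]} {ev["CommandLine"]}'
    return f'{ev["UtcTime"]} EID {ev["EventID"]:<2} {ev["SourceProcessGuid"]} -> {ev["TargetProcessGuid"]}'


if __name__ == "__main__":
    seed = find_seed(SAMPLE_EVENTS, "Start-Hollow")
    for ev in reverse_hunt(SAMPLE_EVENTS, seed):
        print(describe(ev))
```

On the sample, seeding from the PowerShell process returns five events in time order (explorer, powershell, the host process, the access event and the remote-thread event) and leaves calc.exe out, even though it shares the same parent; that is the point of chaining by GUID rather than by parent image alone.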

5. Verify your hypothesis & document

If necessary, I will modify my diagram to reflect the actual result of the hunt and document what I’ve learned about the different behaviours: Were my assumptions wrong? Why? Did something happen that wasn’t in my initial hypothesis?

As you can see below, my initial hypothesis was way off compared to what actually occurred on the host side:

Figure 4 — Real Workflow with Event IDs, Process IDs and File Names

It is true that you probably do not need to focus on each of the nodes in order to carry out the hunt, but you will learn what is important and what is not with time and practice.

6. Repeat

As simple as the title says, I will repeat this activity with as many tests as I want.

Conclusion

To be able to detect anomalies, you need to learn what your environment’s baseline is. This approach will help you understand exactly which logs your baseline is generating and will allow you to hunt for a specific activity to better understand the events it triggers. Also, you will need to make sure that your lab has the right auditing policies and data sources to give you visibility over the events. This point is covered in depth in Roberto’s article about how to set up a threat hunting lab (part 3).

I like to execute the atomic tests, since they replicate malicious activity, but I would advise you to repeat this type of exercise not only with what is considered malicious, but also with simple stuff, like opening browsers, opening documents, executing certain programs… anything that could help you understand what is “normal” or “good” expected behaviour.
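One way to put the baseline idea from the two paragraphs above into practice, as an added example (not code from the article or the projects it cites): record the parent/child and source/target pairs seen while doing ordinary things in the lab, then diff the events from an atomic hunt against that set, so only observations the baseline never produced are left to explain. Field names (Image, ParentImage, SourceImage, TargetImage) are Sysmon’s; both event lists are constructed samples, and the notepad.exe host process is a placeholder.

```python
"""Compare the events from an atomic hunt against a baseline of "normal" activity.

Added example for this article, not code from the author or the projects it cites.
Both event lists are constructed samples (not real telemetry) using Sysmon field
names: Image/ParentImage for Event ID 1, SourceImage/TargetImage for 8 and 10.
"""
from typing import Iterable

BASELINE_EVENTS = [  # gathered while browsing, opening documents, starting a shell
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
]

HUNT_EVENTS = [  # gathered after running the atomic test in the same lab
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},  # placeholder host process
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
]


def _name(path: str) -> str:
    """Keep only the executable name, lower-cased, so drive or user folders do not matter."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def observation(ev: dict) -> tuple:
    """Reduce an event to the tuple a baseline remembers: (event id, actor, subject)."""
    if ev["EventID"] == 1:
        return (1, _name(ev["ParentImage"]), _name(ev["Image"]))
    if ev["EventID"] in (8, 10):
        return (ev["EventID"], _name(ev["SourceImage"]), _name(ev["TargetImage"]))
    return (ev["EventID"], _name(ev.get("Image", "")), "")


def build_baseline(events: Iterable[dict]) -> set:
    """Every observation tuple the lab produced during known-good activity."""
    return {observation(ev) for ev in events}


def novel_observations(baseline: set, events: Iterable[dict]) -> list:
    """Observations from the hunt that never appeared in the baseline, first-seen order, deduplicated."""
    seen, out = set(), []
    for ev in events:
        obs = observation(ev)
        if obs not in baseline and obs not in seen:
            seen.add(obs)
            out.append(obs)
    return out


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    for eid, actor, subject in novel_observations(baseline, HUNT_EVENTS):
        print(f"new: EID {eid:<2} {actor} -> {subject}")
```

On the sample, explorer launching PowerShell and Chrome, and svchost touching lsass, are dropped as known-good, and three observations remain to investigate: explorer starting the host process, and PowerShell's access and remote-thread events against it. Growing the baseline with more everyday activity, as the article suggests, shrinks that list to what is genuinely unusual in your lab.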

I also recommend searching for the meaning of events you either find suspicious or that you don’t know why they were logged. With time and patience you’ll realize that you not only have learned a lot about how to carry out hunts, but that you have also gained an invaluable understanding of how the operating system itself works!

I hope you find this article helpful. Feedback and suggestions are very much appreciated. My DMs are always open at @fierytermite.

Happy hunting!

— — — — — — — — — — — — — —

Special thanks to root, Roberto Rodriguez and Jose Luis Rodriguez for their comments and edits! :)
