Emulation of ATT&CK techniques and detection with Wazuh

by John Olatunde

Introduction

Attack emulation plays an important role in identifying the Tactics, Techniques, and Procedures (TTPs) used by adversaries. Projects like Atomic Red Team (ART) can automate the emulation, while the resulting adversarial activity can be detected with Wazuh.

The MITRE ATT&CK® framework (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base for modeling the behavior of cyber adversaries.

Atomic Red Team is an open source project that provides a library of tests mapped to MITRE ATT&CK techniques. It automates the process of testing different types of attack techniques.

System Monitor (Sysmon) is a Windows system service and device driver that monitors system activity and logs it through the Windows Event Logging service.

Wazuh is a free and open source security platform that provides unified XDR and SIEM capabilities. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments.

This article details how to emulate attacks on a Windows machine with ART, and how to analyze the generated logs with Wazuh. It includes the steps taken to configure Wazuh to capture the events, create detection rules, and generate alerts on the Wazuh dashboard.

MITRE ATT&CK techniques

As an example for this blog post, the following MITRE ATT&CK techniques are emulated using the Atomic Red Team platform:

  • T1053.005 – Scheduled Task/Job

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence.

  • T1218.010 – Signed Binary Proxy Execution: Regsvr32

Regsvr32.exe is a Microsoft signed command-line program, which is used to register and unregister object linking and embedding controls, such as dynamic link libraries (DLLs), on Windows machines.

  • T1518.001 – Software Discovery: Security Software Discovery

This technique aims to get a list of installed security software or defensive programs, available on a system or in a cloud environment. The results obtained can be used to shape subsequent attacks.

  • T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control

An attacker may bypass User Account Control (UAC) mechanisms to escalate privileges on the system.

  • T1574.002 – Hijack Execution Flow: DLL Side-Loading

Adversaries may execute their own malicious payloads by side-loading DLLs. This technique involves hijacking a DLL that a legitimate application loads.

Setting up the lab environment

This section describes how Sysmon and ART are installed on the Windows sandbox (we used Windows 10 for this example). Due to the nature of the tests, we recommend using a disposable virtual machine.

Sysmon configuration

Sysmon is downloaded from the Microsoft Sysinternals page and installed with the configuration file sysmonconfig.xml. This file maps Sysmon rules to MITRE ATT&CK techniques.

The following command is used to install Sysmon, with the downloaded configuration file, via PowerShell:

sysmon.exe -accepteula -i sysmonconfig.xml

Atomic Red Team installation

The Atomic Red Team PowerShell module is installed on the Windows machine using the following instructions.

  • ART Execution Framework and Atomics folder installation

The following command installs the Execution Framework and the Atomics folder, which contains the tests and binaries needed for the emulation:

IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam -getAtomics

  • Importing the ART module

The following command imports the Invoke-AtomicTest function; it has to be run each time ART is used in a new PowerShell session:

Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

  • Get details of a particular technique

The command below is used to show details of technique T1548.002:

Invoke-AtomicTest T1548.002 -ShowDetailsBrief
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

T1548.002-1 Bypass UAC using Event Viewer (cmd)
T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
T1548.002-3 Bypass UAC using Fodhelper
T1548.002-4 Bypass UAC using Fodhelper - PowerShell
T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
T1548.002-6 Bypass UAC by Mocking Trusted Directories
T1548.002-7 Bypass UAC using sdclt DelegateExecute
T1548.002-8 Disable UAC using reg.exe
T1548.002-9 Bypass UAC using SilentCleanup task
T1548.002-10 UACME Bypass Method 23
T1548.002-11 UACME Bypass Method 31
T1548.002-12 UACME Bypass Method 33
T1548.002-13 UACME Bypass Method 34
T1548.002-14 UACME Bypass Method 39
T1548.002-15 UACME Bypass Method 56
T1548.002-16 UACME Bypass Method 59
T1548.002-17 UACME Bypass Method 61

  • Check/Get prerequisites of a technique

To check the prerequisites needed to test T1548.002, the command below is used:

Invoke-AtomicTest T1548.002 -CheckPrereqs
CheckPrereq's for: T1548.002-10 UACME Bypass Method 23
Prerequisites met: T1548.002-10 UACME Bypass Method 23
CheckPrereq's for: T1548.002-11 UACME Bypass Method 31
Prerequisites met: T1548.002-11 UACME Bypass Method 31
CheckPrereq's for: T1548.002-12 UACME Bypass Method 33
Prerequisites met: T1548.002-12 UACME Bypass Method 33
CheckPrereq's for: T1548.002-13 UACME Bypass Method 34
Prerequisites met: T1548.002-13 UACME Bypass Method 34
CheckPrereq's for: T1548.002-14 UACME Bypass Method 39
Prerequisites met: T1548.002-14 UACME Bypass Method 39
CheckPrereq's for: T1548.002-15 UACME Bypass Method 56
Prerequisites met: T1548.002-15 UACME Bypass Method 56
CheckPrereq's for: T1548.002-16 UACME Bypass Method 59
Prerequisites not met: T1548.002-16 UACME Bypass Method 59
[*] UACME executable must exist on disk at specified location (%temp%\uacme\59 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-17 UACME Bypass Method 61
Prerequisites not met: T1548.002-17 UACME Bypass Method 61
[*] UACME executable must exist on disk at specified location (%temp%\uacme\61 Akagi64.exe)

Try installing prereq's with the -GetPrereqs switch

In this example, we can see that some of the prerequisites are not met. We will satisfy them by running the following command:

Invoke-AtomicTest T1548.002 -GetPrereqs
Attempting to satisfy prereq: UACME executable must exist on disk at specified location (%temp%\uacme\56 Akagi64.exe)
Prereq already met: UACME executable must exist on disk at specified location (%temp%\uacme\56 Akagi64.exe)
GetPrereq's for: T1548.002-16 UACME Bypass Method 59
Attempting to satisfy prereq: UACME executable must exist on disk at specified location (%temp%\uacme\59 Akagi64.exe)
Prereq already met: UACME executable must exist on disk at specified location (%temp%\uacme\59 Akagi64.exe)
GetPrereq's for: T1548.002-17 UACME Bypass Method 61
Attempting to satisfy prereq: UACME executable must exist on disk at specified location (%temp%\uacme\61 Akagi64.exe)
Prereq already met: UACME executable must exist on disk at specified location (%temp%\uacme\61 Akagi64.exe)

  • Run the test for a particular technique

To run the test that emulates the T1548.002 technique, the following command is used:

Invoke-AtomicTest T1548.002
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

Executing test: T1548.002-1 Bypass UAC using Event Viewer (cmd)

  • Clean-up on completion of the test

After a test has been run, the changes it made can be reverted with the following command, which runs the cleanup for the T1548.002 tests:

Invoke-AtomicTest T1548.002 -Cleanup
Executing cleanup for test: T1548.002-13 UACME Bypass Method 34
Done executing cleanup for test: T1548.002-13 UACME Bypass Method 34
Executing cleanup for test: T1548.002-14 UACME Bypass Method 39
Done executing cleanup for test: T1548.002-14 UACME Bypass Method 39
Executing cleanup for test: T1548.002-15 UACME Bypass Method 56
Done executing cleanup for test: T1548.002-15 UACME Bypass Method 56
Executing cleanup for test: T1548.002-16 UACME Bypass Method 59
Done executing cleanup for test: T1548.002-16 UACME Bypass Method 59
Executing cleanup for test: T1548.002-17 UACME Bypass Method 61
Done executing cleanup for test: T1548.002-17 UACME Bypass Method 61

Attack emulation with ART

The MITRE ATT&CK techniques below are emulated using the Invoke-AtomicTest command on the Windows sandbox.

The resulting Sysmon events can be seen in the Windows Event Viewer, with their corresponding MITRE ATT&CK technique name and ID, under Applications and Services Logs/Microsoft/Windows/Sysmon/Operational.

T1053.005 – Scheduled Task/Job

Test command:

Invoke-AtomicTest T1053.005

Sysmon event:

T1053.005 - Scheduled Task/Job

T1218.010 – Signed Binary Proxy Execution: Regsvr32

Test command:

Invoke-AtomicTest T1218.010

Sysmon event:

T1218.010 - Signed Binary Proxy Execution: Regsvr32

T1518.001 – Software Discovery: Security Software Discovery

Test command:

Invoke-AtomicTest T1518.001

Sysmon event:

T1518.001 - Software Discovery: Security Software Discovery

T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control

Test command:

Invoke-AtomicTest T1548.002

Sysmon event:

T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control

T1574.002 – Hijack Execution Flow: DLL Side-Loading

Test command:

Invoke-AtomicTest T1574.002

Sysmon event:

T1574.002 - Hijack Execution Flow: DLL Side-Loading

Writing Wazuh detection rules

Configuring Wazuh agent

Installation and enrollment of the Wazuh agent are done on the Windows sandbox. The agent is configured to capture Sysmon events by adding the following settings to the agent configuration file "C:\Program Files (x86)\ossec-agent\ossec.conf":

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

To apply changes, we restart the agent by running the following PowerShell command as an administrator:

Restart-Service -Name wazuh

Creating detection rules

To generate alerts for the MITRE ATT&CK techniques selected earlier, the following rules are added to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh manager.

<group name="windows,sysmon,">

<rule id="115001" level="10">
  <if_group>windows</if_group>
  <field name="win.eventdata.ruleName" type="pcre2" >technique_id=T1053,technique_name=Scheduled Task</field>
  <description>A Newly Scheduled Task has been Detected on $(win.system.computer)</description>
  <mitre>
    <id>T1053</id>
  </mitre>
</rule>

<rule id="115002" level="10">
  <if_group>windows</if_group>
  <field name="win.eventdata.ruleName" type="pcre2" >technique_id=T1073,technique_name=DLL Side-Loading</field>
  <description>DLL Side-Loading Detected on $(win.system.computer)</description>
  <mitre>
    <id>T1073</id>
    <id>T1574.002</id>
  </mitre>
</rule>

<rule id="115003" level="10">
  <if_group>windows</if_group>
  <field name="win.eventdata.ruleName" type="pcre2" >technique_id=T1218.010,technique_name=Regsvr32</field>
  <description>Signed Binary Proxy Execution using Regsvr32 Detected on $(win.system.computer)</description>
  <mitre>
    <id>T1218</id>
    <id>T1117</id>
  </mitre>
</rule>

<rule id="115004" level="10">
  <if_group>windows</if_group>
  <field name="win.eventdata.ruleName" type="pcre2" >technique_id=T1518.001,technique_name=Security Software Discovery</field>
  <description>Security Software Discovery Attempt has been Detected on $(win.system.computer)</description>
  <mitre>
    <id>T1518</id>
  </mitre>
</rule>

<rule id="115005" level="10">
  <if_group>windows</if_group>
  <field name="win.eventdata.ruleName" type="pcre2" >technique_id=T1548.002,technique_name=Bypass User Access Control</field>
  <description>Privilege Escalation Through Bypass of UAC has been Detected on $(win.system.computer)</description>
  <mitre>
    <id>T1548.002</id>
    <id>T1088</id>
  </mitre>
</rule>

</group>

We restart the Wazuh manager so it starts using the new rules:

# systemctl restart wazuh-manager

Finally, the attack emulation using ART is repeated. This way, we test the new detection rules and see the alerts generated by Wazuh.
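Before restarting the manager and rerunning ART, it is worth checking offline that the rule patterns above actually match the RuleName values the agent forwards. The following Python harness is an added example, not part of the original post or of Wazuh: it loads an excerpt of the rules, decodes a constructed Sysmon event the way the eventchannel decoder names its fields, and reports which rule fires. It assumes the RuleName strings shown above and uses Python's re as a stand-in for pcre2.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the local_rules.xml above: two of the five rules, with the
# same IDs and patterns as on the page.
LOCAL_RULES = """<group name="windows,sysmon,">
<rule id="115001" level="10">
  <if_group>windows</if_group>
  <field name="win.eventdata.ruleName" type="pcre2">technique_id=T1053,technique_name=Scheduled Task</field>
  <description>A Newly Scheduled Task has been Detected on $(win.system.computer)</description>
</rule>
<rule id="115003" level="10">
  <if_group>windows</if_group>
  <field name="win.eventdata.ruleName" type="pcre2">technique_id=T1218.010,technique_name=Regsvr32</field>
  <description>Signed Binary Proxy Execution using Regsvr32 Detected on $(win.system.computer)</description>
</rule>
</group>"""
# Constructed Sysmon Event ID 1 as read from the Sysmon/Operational channel; Wazuh's
# eventchannel decoder exposes <Data Name="RuleName"> as win.eventdata.ruleName.
SYSMON_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>WIN10-SANDBOX</Computer></System>
  <EventData>
    <Data Name="RuleName">technique_id=T1053,technique_name=Scheduled Task</Data>
  </EventData>
</Event>"""
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def load_rules(xml_text):
    """Collect (id, level, regex, description) for every rule keyed on the RuleName field."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        field = rule.find("field")
        if field is not None and field.get("name") == "win.eventdata.ruleName":
            # Python re stands in for pcre2 here; note the unescaped '.' in T1218.010
            # matches any character, so T1218\.010 would be the stricter pattern.
            rules.append((rule.get("id"), int(rule.get("level")),
                          re.compile(field.text), rule.findtext("description")))
    return rules

def decode_event(xml_text):
    """Flatten the two event fields the rules reference, using the decoder's field names."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.iterfind("e:EventData/e:Data", NS)}
    return {"win.system.computer": root.findtext("e:System/e:Computer", namespaces=NS),
            "win.eventdata.ruleName": data.get("RuleName", "")}

def match(event, rules):
    """Return the first rule whose pattern is found in RuleName as an alert dict, else None."""
    for rule_id, level, pattern, description in rules:
        if pattern.search(event["win.eventdata.ruleName"]):
            return {"rule_id": rule_id, "level": level, "description":
                    description.replace("$(win.system.computer)", event["win.system.computer"])}
    return None
```

On the manager itself, /var/ossec/bin/wazuh-logtest runs a pasted event through the real decoders and rules and is the authoritative check; the harness above is only a quick pre-flight for the patterns.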

Results

Each emulated attack technique is detected with Wazuh using the custom rules created. The alerts for the 5 techniques tested can be seen in the image below.

Conclusion

This article demonstrates how to emulate known adversary behavior in order to verify that security controls detect it effectively. We used Sysmon and Wazuh detection rules to show examples of detection for different attack techniques.