Introduction
Attack emulation plays an important role in identifying the Tactics, Techniques, and Procedures (TTPs) used by adversaries. Projects like Atomic Red Team (ART) help automate the emulation, while the resulting adversarial activity can be detected with Wazuh.
The MITRE ATT&CK® framework, which stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), is a knowledge base for modeling the behavior of a cyber adversary.
Atomic Red Team is an open source project which includes a series of tests that are mapped to MITRE ATT&CK. It is useful for automating the testing of different attack techniques.
System Monitor (Sysmon) is a system service and device driver which can be used on Windows to monitor and log system activity through the Windows Event Logging service.
Wazuh is a free and open source security platform that provides unified XDR and SIEM capabilities. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments.
This article details how to emulate attacks on a Windows machine with ART, and how to analyze the generated logs with Wazuh. It includes the steps taken to configure Wazuh to capture the events, create detection rules, and generate alerts on the Wazuh dashboard.
MITRE ATT&CK techniques
As an example, for this blog post, the following MITRE ATT&CK techniques are emulated using the Atomic Red Team platform:
- T1053.005 – Scheduled Task/Job
Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence.
- T1218.010 – Signed Binary Proxy Execution: Regsvr32
Regsvr32.exe is a Microsoft signed command-line program, which is used to register and unregister object linking and embedding controls, such as dynamic link libraries (DLLs), on Windows machines.
- T1518.001 – Software Discovery: Security Software Discovery
This technique enumerates the security software or defensive programs installed on a system or in a cloud environment. The results can be used to shape subsequent attacks.
- T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control
An attacker may bypass User Account Control (UAC) mechanisms to escalate privileges on the system.
- T1574.002 – Hijack Execution Flow: DLL Side-Loading
Adversaries may execute their own malicious payloads by side-loading DLLs. This technique involves hijacking a DLL that a legitimate application loads.
Setting up the lab environment
This section describes how Sysmon and ART are installed on the Windows sandbox (we used Windows 10 for this example). Due to the nature of the tests, we recommend using a disposable virtual machine.
Sysmon configuration
Sysmon is downloaded from the Microsoft Sysinternals page and installed with the configuration file sysmonconfig.xml, which maps Sysmon rules to MITRE ATT&CK techniques.
The following command is used to install Sysmon, with the downloaded configuration file, via PowerShell:
sysmon.exe -accepteula -i sysmonconfig.xml
Atomic Red Team installation
The Atomic Red Team PowerShell module is installed on the Windows machine using the following instructions.
- ART Execution Framework and Atomics folder installation
The following command installs the Execution Framework and the Atomics folder, which contains the tests and binaries needed for the emulation:
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); Install-AtomicRedTeam -getAtomics
- Importing the ART module
The following command imports the Invoke-AtomicTest function; it must be run each time a new PowerShell session is started:
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
- Get details of a particular technique
The command below is used to show details of technique T1548.002:
Invoke-AtomicTest T1548.002 -ShowDetailsBrief
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
T1548.002-1 Bypass UAC using Event Viewer (cmd)
T1548.002-2 Bypass UAC using Event Viewer (PowerShell)
T1548.002-3 Bypass UAC using Fodhelper
T1548.002-4 Bypass UAC using Fodhelper - PowerShell
T1548.002-5 Bypass UAC using ComputerDefaults (PowerShell)
T1548.002-6 Bypass UAC by Mocking Trusted Directories
T1548.002-7 Bypass UAC using sdclt DelegateExecute
T1548.002-8 Disable UAC using reg.exe
T1548.002-9 Bypass UAC using SilentCleanup task
T1548.002-10 UACME Bypass Method 23
T1548.002-11 UACME Bypass Method 31
T1548.002-12 UACME Bypass Method 33
T1548.002-13 UACME Bypass Method 34
T1548.002-14 UACME Bypass Method 39
T1548.002-15 UACME Bypass Method 56
T1548.002-16 UACME Bypass Method 59
T1548.002-17 UACME Bypass Method 61
- Check/Get prerequisites of a technique
To check the prerequisites needed to test T1548.002, the command below is used:
Invoke-AtomicTest T1548.002 -CheckPrereqs
CheckPrereq's for: T1548.002-10 UACME Bypass Method 23
Prerequisites met: T1548.002-10 UACME Bypass Method 23
CheckPrereq's for: T1548.002-11 UACME Bypass Method 31
Prerequisites met: T1548.002-11 UACME Bypass Method 31
CheckPrereq's for: T1548.002-12 UACME Bypass Method 33
Prerequisites met: T1548.002-12 UACME Bypass Method 33
CheckPrereq's for: T1548.002-13 UACME Bypass Method 34
Prerequisites met: T1548.002-13 UACME Bypass Method 34
CheckPrereq's for: T1548.002-14 UACME Bypass Method 39
Prerequisites met: T1548.002-14 UACME Bypass Method 39
CheckPrereq's for: T1548.002-15 UACME Bypass Method 56
Prerequisites met: T1548.002-15 UACME Bypass Method 56
CheckPrereq's for: T1548.002-16 UACME Bypass Method 59
Prerequisites not met: T1548.002-16 UACME Bypass Method 59
[*] UACME executable must exist on disk at specified location (%temp%\uacme\59 Akagi64.exe)
Try installing prereq's with the -GetPrereqs switch
CheckPrereq's for: T1548.002-17 UACME Bypass Method 61
Prerequisites not met: T1548.002-17 UACME Bypass Method 61
[*] UACME executable must exist on disk at specified location (%temp%\uacme\61 Akagi64.exe)
Try installing prereq's with the -GetPrereqs switch
In this example, some of the prerequisites are not met. We satisfy them by running the following command:
Invoke-AtomicTest T1548.002 -GetPrereqs
Attempting to satisfy prereq: UACME executable must exist on disk at specified location (%temp%\uacme\56 Akagi64.exe)
Prereq already met: UACME executable must exist on disk at specified location (%temp%\uacme\56 Akagi64.exe)
GetPrereq's for: T1548.002-16 UACME Bypass Method 59
Attempting to satisfy prereq: UACME executable must exist on disk at specified location (%temp%\uacme\59 Akagi64.exe)
Prereq already met: UACME executable must exist on disk at specified location (%temp%\uacme\59 Akagi64.exe)
GetPrereq's for: T1548.002-17 UACME Bypass Method 61
Attempting to satisfy prereq: UACME executable must exist on disk at specified location (%temp%\uacme\61 Akagi64.exe)
Prereq already met: UACME executable must exist on disk at specified location (%temp%\uacme\61 Akagi64.exe)
- Run the test for a particular technique
To run the test that emulates the T1548.002 technique, the following command is used:
Invoke-AtomicTest T1548.002
PathToAtomicsFolder = C:\AtomicRedTeam\atomics
Executing test: T1548.002-1 Bypass UAC using Event Viewer (cmd)
- Clean-up on completion of the test
After a test has been carried out, the changes it made can be reverted with the following command, which runs the cleanup for the T1548.002 tests:
Invoke-AtomicTest T1548.002 -Cleanup
Executing cleanup for test: T1548.002-13 UACME Bypass Method 34
Done executing cleanup for test: T1548.002-13 UACME Bypass Method 34
Executing cleanup for test: T1548.002-14 UACME Bypass Method 39
Done executing cleanup for test: T1548.002-14 UACME Bypass Method 39
Executing cleanup for test: T1548.002-15 UACME Bypass Method 56
Done executing cleanup for test: T1548.002-15 UACME Bypass Method 56
Executing cleanup for test: T1548.002-16 UACME Bypass Method 59
Done executing cleanup for test: T1548.002-16 UACME Bypass Method 59
Executing cleanup for test: T1548.002-17 UACME Bypass Method 61
Done executing cleanup for test: T1548.002-17 UACME Bypass Method 61
Attack emulation with ART
The MITRE ATT&CK techniques below are emulated using the Invoke-AtomicTest command on the Windows sandbox.
The resulting Sysmon events can be seen in the Windows Event Viewer, with their corresponding MITRE ATT&CK technique name and ID, under Application and Services Logs/Microsoft/Windows/Sysmon/Operational.
T1053.005 – Scheduled Task/Job
Test command:
Invoke-AtomicTest T1053.005
Sysmon event:
T1218.010 – Signed Binary Proxy Execution: Regsvr32
Test command:
Invoke-AtomicTest T1218.010
Sysmon event:
T1518.001 – Software Discovery: Security Software Discovery
Test command:
Invoke-AtomicTest T1518.001
Sysmon event:
T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control
Test command:
Invoke-AtomicTest T1548.002
Sysmon event:
T1574.002 – Hijack Execution Flow: DLL Side-Loading
Test command:
Invoke-AtomicTest T1574.002
Sysmon event:
Writing Wazuh detection rules
Configuring Wazuh agent
Installation and enrollment of the Wazuh agent are done on the Windows sandbox. The agent is configured to capture Sysmon events by adding the following settings to the agent configuration file, "C:\Program Files (x86)\ossec-agent\ossec.conf":
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
To apply changes, we restart the agent by running the following PowerShell command as an administrator:
Restart-Service -Name wazuh
Creating detection rules
To generate alerts for the MITRE ATT&CK techniques selected earlier, the following rules are added to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh manager.
<group name="windows,sysmon,">
  <rule id="115001" level="10">
    <if_group>windows</if_group>
    <field name="win.eventdata.ruleName" type="pcre2">technique_id=T1053,technique_name=Scheduled Task</field>
    <description>A Newly Scheduled Task has been Detected on $(win.system.computer)</description>
    <mitre>
      <id>T1053</id>
    </mitre>
  </rule>
  <rule id="115002" level="10">
    <if_group>windows</if_group>
    <field name="win.eventdata.ruleName" type="pcre2">technique_id=T1073,technique_name=DLL Side-Loading</field>
    <description>DLL Side-Loading Detected on $(win.system.computer)</description>
    <mitre>
      <id>T1073</id>
      <id>T1574.002</id>
    </mitre>
  </rule>
  <rule id="115003" level="10">
    <if_group>windows</if_group>
    <field name="win.eventdata.ruleName" type="pcre2">technique_id=T1218.010,technique_name=Regsvr32</field>
    <description>Signed Binary Proxy Execution using Regsvr32 Detected on $(win.system.computer)</description>
    <mitre>
      <id>T1218</id>
      <id>T1117</id>
    </mitre>
  </rule>
  <rule id="115004" level="10">
    <if_group>windows</if_group>
    <field name="win.eventdata.ruleName" type="pcre2">technique_id=T1518.001,technique_name=Security Software Discovery</field>
    <description>Security Software Discovery Attempt has been Detected on $(win.system.computer)</description>
    <mitre>
      <id>T1518</id>
    </mitre>
  </rule>
  <rule id="115005" level="10">
    <if_group>windows</if_group>
    <field name="win.eventdata.ruleName" type="pcre2">technique_id=T1548.002,technique_name=Bypass User Access Control</field>
    <description>Privilege Escalation Through Bypass of UAC has been Detected on $(win.system.computer)</description>
    <mitre>
      <id>T1548.002</id>
      <id>T1088</id>
    </mitre>
  </rule>
</group>
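To see how these rules evaluate a Sysmon event, here is an added Python model of the matching step (example code written for this article, not Wazuh's own implementation). A constructed Sysmon event is flattened into the win.system.* and win.eventdata.* field names the rules use, and each rule's pcre2 pattern is searched in its field; the field-name mapping and the use of Python's re in place of PCRE2 are assumptions that approximate the Wazuh decoder and rule engine.

```python
import re
import xml.etree.ElementTree as ET

# Two of the rules from local_rules.xml above, reduced to the elements this matcher evaluates.
LOCAL_RULES = """<group name="windows,sysmon,">
  <rule id="115001" level="10">
    <field name="win.eventdata.ruleName" type="pcre2">technique_id=T1053,technique_name=Scheduled Task</field>
    <description>A Newly Scheduled Task has been Detected on $(win.system.computer)</description>
  </rule>
  <rule id="115003" level="10">
    <field name="win.eventdata.ruleName" type="pcre2">technique_id=T1218.010,technique_name=Regsvr32</field>
    <description>Signed Binary Proxy Execution using Regsvr32 Detected on $(win.system.computer)</description>
  </rule>
</group>"""

# Constructed Sysmon process-creation event in the XML shape Event Viewer exports (abbreviated).
SYSMON_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>WIN10-SANDBOX</Computer></System>
  <EventData>
    <Data Name="RuleName">technique_id=T1218.010,technique_name=Regsvr32</Data>
  </EventData>
</Event>"""

def decode_event(xml_text):
    """Flatten the event into win.system.* / win.eventdata.* keys (assumed mapping; RuleName -> ruleName)."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]            # strip the Event schema namespace
        if tag == "Computer":
            fields["win.system.computer"] = el.text
        elif tag == "Data" and (name := el.get("Name")):
            fields["win.eventdata." + name[0].lower() + name[1:]] = el.text
    return fields

def load_rules(rules_xml):
    """Compile each <field type="pcre2"> pattern; an unescaped '.' (as in T1218.010) matches any character."""
    rules = []
    for rule in ET.fromstring(rules_xml).iter("rule"):
        field = rule.find("field")
        rules.append({"id": rule.get("id"), "level": int(rule.get("level")), "field": field.get("name"),
                      "pattern": re.compile(field.text), "description": rule.findtext("description")})
    return rules

def match(fields, rules):
    """Return (rule id, level, expanded description) for each rule whose pattern is found in its field.
    Like Wazuh's pcre2 field match, this is an unanchored search, not a full-string comparison."""
    alerts = []
    for r in rules:
        if r["pattern"].search(fields.get(r["field"], "")):
            desc = re.sub(r"\$\(([\w.]+)\)", lambda m: fields.get(m.group(1), ""), r["description"])
            alerts.append((r["id"], r["level"], desc))
    return alerts
```

Calling match(decode_event(SYSMON_EVENT_XML), load_rules(LOCAL_RULES)) yields only rule 115003 with the computer name substituted into the description, while an event without a RuleName value produces no alert.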
We restart the Wazuh manager so it starts using the new rules:
# systemctl restart wazuh-manager
Finally, the attack emulation using ART is repeated. This way, we test the new detection rules and see the alerts generated by Wazuh.
Results
Each emulated attack technique is detected with Wazuh using the custom rules created. The alerts for the 5 techniques tested can be seen in the image below.
Conclusion
This article demonstrates how to emulate known adversary behavior to ensure that our security controls can effectively detect threats. We used Sysmon and Wazuh detection rules to show examples of detection for different attack techniques.