Fantastic Red-Team Attacks and How to Find Them

Conference: BlackHat USA 2019



The presentation discusses the use of Atomic Red Team and Event Query Language for behavior-based detection testing in cybersecurity.
  • Atomic Red Team is a free open-source project for testing security controls on the endpoint
  • Tests in Atomic Red Team are based in YAML and mapped to MITRE ATT&CK
  • Event Query Language is used to search through endpoint data for behavior-based detection
  • The presentation includes an exercise showcasing a new attack that was located using these tools
  • Testing and observing outcomes is important for defenders to ensure their tools and methodology are working
  • Understanding data sources and practicing on known datasets is crucial for effective detection coverage
The presenters mention a new attack that was located using the tools discussed in the presentation. They were able to validate that the observed behavior was what they expected to see, despite a lot of noise in the data. This illustrates the importance of testing and observing outcomes to ensure that detection tools are working effectively.


Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example is Trusted Developer Utilities, which can be readily available on standard user endpoints, not just developer workstations, and which allow for code execution. XSL Script processing can also be used as an attack vector, as a number of trusted utilities can consume and execute scripts via XSL. Finally, trusted .NET default binaries such as InstallUtil, Regsvcs and AddInProcess are known to allow unauthorized execution as well. These specific techniques, coupled with procedural difficulties within a team such as alert fatigue and a lack of understanding of environmental norms, make reliable detection of these events near impossible.

This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events. Additionally, we introduce and demonstrate the open-sourced Event Query Language (EQL) for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy-to-craft analytics that catch the adversarial behavior most commonly missed in organizations today.
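The multi-event behavior described above, as an added illustration that is not part of the talk or the EQL project: a minimal sequence matcher in plain Python that links a process-creation event for one of the trusted .NET default binaries named in the abstract to a later network event from the same process, while unrelated nuisance events interleave. The event stream, its field layout and the 30-second window are constructed assumptions, and the matcher is a simplified stand-in for an EQL sequence with a time bound, not EQL itself.

```python
# Added example, not code from the talk or from EQL. A tiny two-stage sequence
# matcher over a constructed endpoint event stream: stage 1 is a process-creation
# event for a trusted .NET default binary (InstallUtil, Regsvcs, AddInProcess),
# stage 2 is a network event from the same pid within a time window. Nuisance
# events from other processes sit between the two stages and must be ignored.
from datetime import datetime

TRUSTED_DOTNET = {"installutil.exe", "regsvcs.exe", "addinprocess.exe"}

# Constructed sample stream: (timestamp, event_type, pid, detail). Not real telemetry.
EVENTS = [
    ("2019-08-07T10:00:00", "process", 4100, "explorer.exe"),
    ("2019-08-07T10:00:01", "process", 4212, "installutil.exe"),
    ("2019-08-07T10:00:02", "process", 4300, "chrome.exe"),          # nuisance
    ("2019-08-07T10:00:05", "network", 4300, "203.0.113.5:443"),     # nuisance
    ("2019-08-07T10:00:09", "network", 4212, "203.0.113.7:8080"),    # stage 2 for 4212
    ("2019-08-07T10:05:00", "process", 4400, "regsvcs.exe"),
    ("2019-08-07T10:20:00", "network", 4400, "198.51.100.9:443"),    # too late for a 30 s window
]


def find_sequences(events, maxspan_s=30):
    """Return (stage1_event, stage2_event) pairs where a trusted .NET binary
    starts and the same pid later emits a network event within maxspan_s seconds.
    Events are processed in timestamp order; the join key is the pid."""
    pending = {}  # pid -> stage-1 event still waiting for its stage-2 event
    matches = []
    for ev in sorted(events, key=lambda e: e[0]):  # ISO timestamps sort lexically
        ts, kind, pid, detail = ev
        if kind == "process" and detail.lower() in TRUSTED_DOTNET:
            pending[pid] = ev  # open a candidate sequence for this process
        elif kind == "network" and pid in pending:
            first = pending.pop(pid)  # the sequence closes or expires either way
            elapsed = datetime.fromisoformat(ts) - datetime.fromisoformat(first[0])
            if elapsed.total_seconds() <= maxspan_s:
                matches.append((first, ev))
    return matches


if __name__ == "__main__":
    for first, second in find_sequences(EVENTS):
        print(f"pid {first[2]}: {first[3]} at {first[0]} -> {second[3]} at {second[0]}")
```

Widening the window to 30 minutes also catches the regsvcs.exe pair, which shows why the time bound is part of the analytic rather than an afterthought.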