YoVDO

How Adversary Emulation Can Enhance Blue Team Performance

Offered By: Hack In The Box Security Conference via YouTube

Tags

Hack In The Box Security Conference Courses, Cybersecurity Courses, Metasploit Courses, Adversary Emulation Courses

Course Description

Overview

Explore how adversary emulation can enhance blue team performance in this conference talk from the Hack In The Box Security Conference. Learn about the development of an adversary emulator designed to address the challenges of blue team training and automated security product testing. Discover how the emulator integrates popular red team tools, allows for quick addition of new attack scenarios, and incorporates real-world APT attacks for realistic training. Examine the architecture, infrastructure builder, and attack simulator components of the emulator. Follow along with a detailed Dogeza Playbook scenario, including red team procedures for initial access and privilege escalation. Gain insights into the integration of Metasploit, Empire, and repurposed APT malware. Understand the key benefits for both red and blue teams, and see how the emulator can be used to evaluate and train blue team members, as well as enhance security product development and participate in ATT&CK evaluations.

Syllabus

Intro
Maturity level
Why Adversary Emulation?
Our Adversary Emulator Goals
Agenda
Architecture
Infrastructure Builder
Attack Simulator
Playbook design
Playbook - Design Concept
Dogeza Playbook Scenario
Dogeza Red-Blue Team Step
Red Team Procedure: Step 3 Initial Access - Use CVE-2019-9194 to exploit elFinder for a www-data privilege shell. elFinder is a well-known web file manager with many third-party integrations
Red Team Procedure: Step 7 Escalate privilege from IIS to SYSTEM - Use a webshell to trigger privilege escalation
Red team uses several administrative tools to control Victim C
Red team collects top-confidential information and sends it back to Victim B's web server; the stolen data is then exfiltrated via Victim A's tunnel
Metasploit Integrated
Empire Integrated
Repurpose the APT malware
APT malware - DBGPRINT
DBGPRINT stager flow
The attack methods we want to detect
Detect from command line
Detect from process loaded library
Check PowerShell eventlog
Check called API
Data Sources Evolution
Investigation! Not Just Detection
The key benefit for the Red Team
The key benefit for the Blue Team
Taught by

Hack In The Box Security Conference
