Blue Team Blunders: Know your enemy

stories of times past

When I was a young SOC analyst, a couple of months on the job, eager to learn but yet to experience what the work was really about, I saw the following alert in the queue:

Alert name: Rundll32 being spawned with no command line
Parent Process: InternalAccountingApplication.exe
Parent Process Sha1: Unknown
Process: rundll32.exe
Parent Process Path: C:\Users\username\Downloads\InternalAccountingApplication.exe

The sha1 of the executable was unknown, but that made sense to me - it was an internal accounting application after all! Diving deeper into the activity spawned by the process revealed that InternalAccountingApplication.exe made a network connection to a newly-registered domain, which actually seemed legitimate to me at the time.

Weird but not malicious is what went through my mind after putting all this information together. After all, that was the only alert coming from this host. Maybe the person writing this app was an inexperienced coder who wanted to call rundll32.exe from their application at some point but forgot to add the arguments?

I closed the ticket as a false positive.

Little did I know that I had just missed a red team obtaining their initial access with Cobalt Strike! I wasn’t very familiar with it at the time. How was I supposed to know that rundll32.exe was the default Cobalt Strike spawnto? The alert made none of this clear, and my own knowledge didn’t let me fill in the gaps.

Thankfully, I was in an environment that allowed me to learn and I didn’t get into any trouble for the above blunder. To this day I remain grateful to my bosses from that job for being such great and considerate teachers.

One thing was clear, I needed to hit the books!

defending requires offending

When I think back to this incident I can’t help but smile a little. I was so gullible! When I ask myself what I could have done differently to avoid a blunder like this in the future, the answer is simple - I should have studied the techniques used by attackers.

It is often said that if you want to be a good red teamer, it pays to spend time considering the ‘defensive’ side of things. After all, your job is to help the blue teamers get better. How good can you be as a coach if you’ve never played the sport?

I’d argue that the reverse is just as true. How good can you be as a defender without knowing the modus operandi of attackers? Had I played around with Cobalt Strike, or even examined a Cobalt Strike Malleable C2 profile, I would have known how big a red flag the above activity was!

solutions

train yourself!

While knowledge of common red team TTPs can certainly be obtained from public reports released by vendors, I’d argue that the best way of getting this knowledge is actually sitting your butt down and taking some offensive training. If a C2 framework is trending on Twitter, take some time to play around with it. Know what it looks like, so you recognise it if you ever encounter it in the wild. Make sure that the default configuration raises a flag in your mind.

If you’re looking for a specific example of a red team training that you should take as a blue teamer, I wholeheartedly recommend ZeroPointSecurity’s Red Team Ops. They even give you a copy of Cobalt Strike to play around in the labs with!

As a manager, if you aren’t encouraging your employees to do the above, please reconsider. This is one of the most ROI-heavy activities your employees can engage in.

add context

If you’d like to prevent young analysts on your team from making the same mistake I did, a good solution is to make sure every single rule is well documented: the exact rationale for why we are looking for this activity, along with the expected false and true positives. The alert workflow should allow the analyst enough time to familiarise themselves with the exact logic and context behind the alert. Even the best documentation is of no use if you don’t have the time to read it.
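To make the two points above concrete, here is an added example (not code from the original post or from any product): the rundll32 alert described at the top, written as a small detection rule whose rationale and expected true/false positives live next to the logic, run over constructed process-creation events. The event field names, the sample events and the directory heuristic are assumptions for illustration.

```python
from dataclasses import dataclass
import ntpath

# Rule documentation kept next to the detection logic, as the post recommends.
RULE_DOC = {
    "name": "Rundll32 being spawned with no command line",
    "rationale": "rundll32.exe exists to load a DLL and call an export, so a "
                 "legitimate launch carries arguments; an argument-less launch "
                 "is the default Cobalt Strike spawnto behaviour.",
    "expected_true_positives": "a C2 beacon spawning a sacrificial process",
    "expected_false_positives": "buggy software calling rundll32.exe with no "
                                "arguments (rare)",
}

@dataclass
class ProcessEvent:  # constructed schema, not from any specific product
    image: str                   # full path of the new process
    command_line: str            # raw command line as logged
    parent_image: str            # full path of the parent process
    parent_sha1: str = "Unknown" # "Unknown" = hash never seen before

def arguments_of(command_line: str) -> str:
    """Return everything after the program token of a Windows command line."""
    cl = command_line.strip()
    if cl.startswith('"'):                      # quoted program path
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""

def rundll32_without_args(event: ProcessEvent) -> bool:
    """Core detection: rundll32.exe launched with an empty argument list."""
    return (ntpath.basename(event.image).lower() == "rundll32.exe"
            and arguments_of(event.command_line) == "")

def context_for(event: ProcessEvent) -> list:
    """Context lines attached to the alert so the analyst sees the red flags."""
    notes = [RULE_DOC["rationale"]]
    segments = ntpath.dirname(event.parent_image).lower().split("\\")
    if "downloads" in segments or "temp" in segments:  # assumed heuristic
        notes.append("parent runs from a user-writable directory: " + event.parent_image)
    if event.parent_sha1 == "Unknown":
        notes.append("parent hash has never been seen in the environment")
    return notes

# Constructed sample events: the incident from the post, and a benign launch.
SUSPICIOUS = ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                          r'"C:\Windows\System32\rundll32.exe"',
                          r"C:\Users\username\Downloads\InternalAccountingApplication.exe")
BENIGN = ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                      r"rundll32.exe shell32.dll,Control_RunDLL",
                      r"C:\Windows\explorer.exe", parent_sha1="known-good")
```

For SUSPICIOUS the rule fires and context_for returns three notes; for BENIGN it does not fire, because the command line carries a DLL and export.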

conclusion

As a SOC analyst, it’s easy to get complacent and stop being curious about what you’re doing. After all, the majority of your job is handling false positives; “exciting” tickets with actual threat actor activity are rare, so it’s easy to stop developing yourself. Do your best to keep up and I promise you, you will not regret it.