Most of the time when we think about the basics of a detection research lab, it is an environment with Windows endpoints, audit policies configured, a log shipper, a server to centralize security event logs and an interface to query, filter and visualize the data collected.

Recently, I started working with Azure Sentinel and even though there are several sources of data and platforms one could integrate it with, I wanted to learn and document how I could deploy an Azure Sentinel with a Windows lab environment in Azure for research purposes.

In this post, I show how to integrate…


Ever since I joined the Microsoft Threat Intelligence Center (MSTIC) R&D team, I have been learning about Azure Resource Manager (ARM) templates to deploy several detection research environments as code. It has been a great journey learning about the syntax and format, and even though some might not like writing templates in JSON format to deploy resources in Azure, I actually like it 😆! However, it is sometimes a little hard for me to teach or walk someone through the templates I write because of the JSON format.

Recently, I heard about a new project from Microsoft Azure named Bicep…


On April 21st, 2020, the ATT&CK evals team released the results of their APT29 evaluation, the emulation plan, all payloads used for Day 1 and Day 2, and a Do-It-Yourself Caldera plugin. On the same day 😆, I decided to organize a detection hackathon and used the official emulation plan to generate the data we would use to develop detection rules.

All that data was eventually uploaded to the Mordor project and it was the first time that I was sharing packet capture (PCAP) files along with endpoint logs for a large dataset such as the APT29 scenario.

…


A few weeks ago, I was going over some of the research topics in my to-do list, and the one that sounded interesting to work on during the 4th of July weekend 😆 was the documentation and exploration of relationships between RPC procedures/methods and other external functions such as Win32 APIs on a Windows endpoint. Whether you are doing offensive or defensive research, this type of research not only can help you uncover alternative ways to execute code, but can also provide additional context to some of the known techniques out there that leverage specific functions to perform an action.

In…


Current Telemetry Detection Category Coverage: APT29 Scenario One Only

In late 2019, the ATT&CK Evaluations team evaluated 21 endpoint security vendors to provide insight and transparency over their true capabilities to detect adversary behavior mapped to ATT&CK. The methodology used was based on APT29 techniques for which several organizations shared open source intelligence to help out with the development of the emulation plan.

On April 21st, 2020, the ATT&CK evals team released the results of that evaluation, the emulation plan, all payloads used for Day 1 and Day 2, and a Do-It-Yourself Caldera plugin. …


Building the environment for scenario two is very easy and takes around 30–45 mins. Once the environment is set up, you will still have to set up your computer to authenticate via certificates with point-to-site VPN.

This post is part of a three-part series where I share my experience deploying the ATT&CK APT29 evaluation environment via Azure Resource Manager (ARM) templates and collecting free telemetry produced after executing the emulation plans for each scenario.

In this post, I share a few steps to connect to the environment via a point-to-site VPN and a quick video showing every single step taken…


Building the environment for scenario one is very easy and takes around 30–45 mins. Once the environment is set up, you will still have to set up your computer to authenticate via certificates with point-to-site VPN.

This post is part of a three-part series where I share my experience deploying the ATT&CK APT29 evaluation environment via Azure Resource Manager (ARM) templates and collecting free telemetry produced after executing the emulation plans for each scenario.

In this post, I share a few steps to connect to the environment via a point-to-site VPN and a quick video showing every single step taken…
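Both of the scenario posts above mention that the client machine has to authenticate to the point-to-site VPN with certificates. As an added illustration (not code from these posts or from the evaluation environment templates), the PowerShell below creates the two certificates Azure certificate-based P2S authentication relies on: a self-signed root whose public key is registered on the VPN gateway, and a client certificate signed by that root which the VPN client presents. The subject names, the `CurrentUser\My` store and the output path are assumptions chosen for this example.

```powershell
# Added example: certificates for Azure point-to-site VPN certificate authentication.
# Subject names, store location and output path are illustrative assumptions.

# 1. Self-signed root certificate used to sign client certificates.
#    Only its public certificate is uploaded to the VPN gateway; the private
#    key stays in this user's certificate store.
$rootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=APT29LabP2SRoot" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate signed by the root. The TextExtension sets the
#    Enhanced Key Usage to Client Authentication (OID 1.3.6.1.5.5.7.3.2),
#    which the VPN client needs when it presents the certificate.
$clientCert = New-SelfSignedCertificate -Type Custom -DnsName "APT29LabP2SClient" `
    -KeySpec Signature -Subject "CN=APT29LabP2SClient" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $rootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# 3. Export the root's public certificate as base64-encoded DER. This string is
#    what goes into the gateway's root certificate configuration.
$rootPublicB64 = [Convert]::ToBase64String($rootCert.RawData)
$outFile = Join-Path $env:USERPROFILE "Desktop\APT29LabP2SRoot.b64"
Set-Content -Path $outFile -Value $rootPublicB64

# 4. Sanity checks before touching the gateway: the client certificate was
#    issued by the root, carries the client-auth EKU, and has a private key.
$issuedByRoot = ($clientCert.Issuer -eq $rootCert.Subject)
$ekuExt       = $clientCert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$hasClientEku = ($ekuExt.EnhancedKeyUsages.Value -contains "1.3.6.1.5.5.7.3.2")
$hasKey       = $clientCert.HasPrivateKey

[pscustomobject]@{
    RootThumbprint   = $rootCert.Thumbprint
    ClientThumbprint = $clientCert.Thumbprint
    IssuedByRoot     = $issuedByRoot
    HasClientAuthEku = $hasClientEku
    HasPrivateKey    = $hasKey
    RootPublicKeyOut = $outFile
}
```

Run this in a non-elevated PowerShell session on the machine that will connect, so the client certificate and its private key land in that user's store. If a second machine needs access, sign another client certificate with the same root rather than copying the root's private key around; the root only ever needs to leave the machine as the base64 public certificate written in step 3.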


In late 2019, the ATT&CK Evaluations team evaluated 21 endpoint security vendors using an evaluation methodology based on APT29. On April 21st, 2020, they released the results of that evaluation, the emulation plan, all payloads used for Day 1 and Day 2, and a Do-It-Yourself Caldera plugin.

One of the main goals of the Mordor project is to create detection research opportunities for the Infosec community by releasing datasets generated after emulating adversarial techniques. Therefore, I saw this as a great opportunity to learn a little bit more about APT29, build the environment and be able to expedite the…


Recently, I started working with Azure Sentinel, and as with any other technology that I want to learn more about, I decided to explore a few ways to deploy it. I got a grasp of the basic architecture and became more familiar with it. As a researcher, I also like to simplify deployments in my lab environment and usually look for ways to implement the infrastructure I work with as code. Therefore, I started to wonder if I could automate the deployment of an Azure Sentinel solution via a template or a few scripts. Even though it made sense to expedite…


Happy new year everyone 🎊! I'm taking a few days off before getting back to work and you know what that means 😆 Besides working out a little bit more and playing with the dogs, I have some free time to take care of a few things in my to-do list for open source projects or ideas 😆🍻 One of them was to find a way to integrate Jupyter Notebooks with the SIGMA project. …

Roberto Rodriguez
