Elastic Clusters Pull master branch master branch dev branch Tanium Server 1 Tanium Server 2 Tanium Server n Slack API calls Caldera Attacker Simulation Alerting Orchestration JIRA Ticketing
C2 Actions Anatomy of a Cyber Attack Cyber kill chain methodology Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Network Forensics Network Forensics Target an organization or industry Craft malicious payload Payload sent to Target Compromise System Installation of malware/post exploitation tools Command and Control Ultimate goals achieved Host Forensics
Windows/DNS Enumerate Administrators Initial Access Malicious Excel Macro Spear phishing Persis tence Create HKLM Run Key Execution Download Netcat via Powershell Launch Netcat via Advpack.dll Listen for commands in shell Host B Initial Access Remote execution of RAT Discovery Enumerate Computers Enumerate Windows/DNS Enumerate Administrators etc. Dump passwords with Mimikatz
signals per endpoint, comparisons across estate • Automatic Tanium Signal suppression from the platform • Real-time lookup and correlation with other data sources: • Network: Iceberg, SonarShock • Endpoint: Tanium, Winlogbeat, Auditbeat
tomoshige_n
haiinya
moco1013
tanichu
tsantalis
nttcom
akifumi_wachi
xtalent
frandle256
teacherpeterpan
usaito
carmenintech
mthomps
eitanlees
productmarketing
eileencodes
akosma
chrisshort
sferik
morganepeng
michaelherold
moore
cromwellryan
![19 Signal The ATT&CK Paul Bottomley, paul.m.bottomley [ AT ]](https://files.speakerdeck.com/presentations/6648ecaa5eb94b7cb08b3cdf0e0f6034/slide_18.jpg){kind=link}