Hats off to CISA team for their SLTT briefs and advisories.
Best cybersecurity guy on the web and offering free info to help the community!! Amazing contents as usual, God bless, wish your channel reach 10M+ subscribers
"Maybe you've heard of cisa".
Maybe you've overestimated my knowledge. Thanks for showing me an agency I certainly should have been aware of!
Me too
I just found out about them last week because I'm trying to build an RSS feed aggregator for my SOC team, so I came across CISA as a good source.
You are my salesman. Love you man, keep it coming.
Always thankful for you sharing knowledge, JH.
I am curious though about that VST that was checking for external connectivity and flagged it to be not relevant. So only one test will deem the exploit to be not relevant? That got me concerned.
Also curious about detonating and waiting for 3 seconds. Is there any possibility of this detonation causing the malware to infect hosts horizontally, for instance? 3 seconds also sounds like a lot. And bad guys knowing this can tweak their bad stuff to wait longer. As a matter of fact, this happens already, right? So, I appreciate there is no silver bullet and once again appreciate all you do for the community. It is just that I have seen tools claiming to be the best and doing great stuff, and that is not always the case. Really concerned about detonating stuff on production, though.
I don’t want to sound skeptical and ungrateful, so I apologize in advance.
Thank you once again!
Without external exposure to the internet the vulnerability becomes, in our opinion, less severe; that is why it is a big part of the relevancy check. Then we could say the system was protected from the ways attackers are attempting exploitation, which is against externally facing systems with the vulnerability.
On your malware concerns/questions each sample of malware we collect and embed in a test is completely defanged and patched to exit if ever executed. There is zero risk to malware impacting the host or hosts around it in any way.
Hi, you have to remember this is just a simulated check, not an actual malware detonation. But you are right, it can take longer; malware can wait, attempt to identify other reachable systems with the same vuln, and it may also attempt to gather (extract) creds beforehand on that host to make the blast radius more successful laterally. Most malware wants to phone home initially, so perhaps the EDR may block it at that level also or first, hence 3 secs. Just my take on it.
This is one of the first questions asked by the interviewer when you apply for jobs in GRC.
Let's all take a moment and look at his hair xD. Your hair looks really nice! Nice video :)
You would be my favourite cybersecurity master mr. Hammond
and now a home version?
Hi John, firstly I'd just like to say you always have great topics and you are a fantastic presenter. Yeah, you sensed it: from the video it's not clear if the whole shebang is local, i.e. probe and console? As opposed to probe local, dashboard in the cloud? Might be wrong! So an observation: everyone that uses this, all their vulns are with Prelude; if they ever get smashed, the bad guys have the keys to the world potentially... Maybe a part 2 needed on this one?
I don't understand what the use case is here as I don't see how to run this tool in production alongside an AV/EDR if this is detonating all sorts of code which, while defanged, is going to create a ton of alert noise on the SOC side. This seems like a lab/validation tool but then the value proposition is much lower and doesn't seem like a sustainable business model.
At that point, why not just run Atomic Red Team for free?
@zstewart93 There are potentially dozens of variables to each Atomic Red Team test; wouldn't you rather know if you are protected against the latest and greatest of those variables? Not only that, but our partner integrations allow us to gain more insight into whether something was protected/unprotected automatically, allowing us to measure the performance of specific host types with specific EDR configurations.
@zstewart93 This is a great point/question. For Prelude's supported EDR integrations (CrowdStrike/SentinelOne/Defender currently) there is alert suppression functionality that auto-closes/comments any Prelude-generated alerts. The ability to run these tests at scale (supported by the ability to auto-close test detects) across an entire environment is one of the key design principles and unlocks a tremendous amount of insight/value that you don't get testing on a handful of lab systems. Imagine if someone rolled out an EDR exclusion that was applied to a much broader scope than intended, or a vulnerable application (with vulnerable config) was installed, or an EDR sensor version was malfunctioning. All these things are uncovered in real time with Detect and likely wouldn't be possible by running on a few test lab systems.
Was waiting for the Ubuntu test, out of curiosity.
John, is it safe to send you a Malware :)
Judging by that thumbnail, John, your opsec needs refining--4/6 monitors hacked 😂
Interesting...🤔
It looks great, although I do prefer using my Atomic Red Team + Wazuh and Bitdefender on my main system and all of my VMs.
Too bad it's written in Golang. Then ppl won't use it.
Early crew. :3
Appreciate the grind John, but I mean, this whole video is a commercial and provides no real value to anyone who's not interested in adding another layer and another thing to mess with the SOC..
❤❤❤❤❤❤❤❤
Useless tool.
It shows that: "you have EPP and EDR but look, this exploit could damage the system". You may think, wow, I need to change EDR: "next test with another EDR, okay, that exploit now is fixed but another may damage the system". So, you could not enhance the EDR or EPP; it's on the vendor side. Then you think, "what's next?"
Am I first?
NOPE
I’ve sent this to my cyber smart relatives. Thanks for trying to protect us. You are a genius for sure!