The Kognos autonomous XDR investigative platform uses relationship graphs to capture all activity, interrogate it by dynamically asking pertinent questions based on current observations, and autonomously track malicious users or external actors throughout the network, creating attack campaigns and bubbling the riskiest to the top. Each analysis node is powered by a Knowledge Graph-based inquiry engine which is inspired by the work done on the Mitre ATT&CK Matrix. To generate these attack campaigns, the analysis nodes will perform several thousand queries into the relationships graph and the platform is able to auto-scale from hundreds of these analysis queries per second to thousands, based on need and load. The platform does this 24 hours a day, 365 days a year, and presents the users with a summary view or a forensic timeline of interesting events.
Here is a scenario meant to illustrate several key concepts of the platform. An attack begins as a dropper disguised as a resume is received by a Talent Manager in the HR department. The summary of the campaign is as given above, however here is the detailed evidence timeline of the attack which is enumerated below with their associated timeline entries.
The dropper unpacked the meterpreter implant into the users Startup Autorun folder and executed where it immediately called back to the Command and Control server at 220.127.116.11.
Shortly after, the meterpreter was issued commands to load the Powershell module, this was captured when Powershell core libraries were loaded after the initial process execution. The platform now considers this executable as capable as Powershell itself.
Invoke-Mimikatz was run in-memory and 18.104.22.168 is raw.githubusercontent.com, this feature is extremely difficult to find when executed in this fashion. There are no command-line artifacts and Powershell.exe itself was not invoked from the command line.
A few seconds later the Mimikatz DLL was unpacked into memory and accessed the virtual memory space of lsass.exe, the Local Security and Accounting Subsystem, to scrape for passwords and hashes stored in memory.
Now that credentials have been harvested, the attacker begins to look around the network with Active Directory commands.
Having found the Domain Controller the machine authenticated against, a Shadow Copy of the system drive is created remotely.
The platform is alerted to the Remote Execution and starts tracking on the targeted machine. It recognizes WMI was used to remotely execute commands and tracks it onto the WMI Provider Host executable, correlating the logon event, and follows the process graph to the commands that created the Shadow Copy.
The attack campaign timeline then jumps back to our original host where commands are executed to copy the NTDS.dit, the Active Directory database, to the Windows temp directory.
A share was quickly mounted, the NTDS.dit file copied, and the share deleted.
Sticky Keys is set remotely, to ensure access if the stolen passwords are changed.
Deleting the USN journal is an anti-forensics method commonly used to cover up evidence that sensitive data might have existed on a compromised system.
Finally, in case those actions are starting to filter up to security instrumentation, the actor injects the meterpreter into the WMI Provider Host, and since the Powershell module is still loaded into the meterpreter, the Powershell Libraries follow and are loaded.
There are hundreds to thousands of individual campaigns, that could be inter-related, happening on the average corporate network right now. This small scenario fired on a very small subset of the Knowledge Graph based inquiry engine, but illustrates how the platform can follow actors through the network and generate a coherent timeline for an analyst to quickly read through and gain insights into what is actually happening on their network.
As an analyst, are you seeing what is important?