On Detection: Tactical to Functional
Why a Single Test Case is Insufficient
Introduction
In my previous post, I explored the idea that different tools can implement the same operation chain (behavior) in various ways. I referred to these various ways as execution modalities. In that post, we explored five tools that allowed us to understand some of the most common modalities that one would expect to encounter and concluded with an image of a function call stack that represented the Session Enumeration operation with overlaid tools.

In this post, I want to explore the implications of execution modalities on detection engineering. I’m particularly interested in how diverse modalities affect our ability to evaluate detection coverage. Evaluating detection coverage is a problem we’ve seen rise to industry attention with the ATT&CK EDR Evaluations. While the objective of the evaluations is not necessarily to assess detection coverage, that is undoubtedly a question that industry consumers are interested in, and rightfully so. This post will explore why a test not specifically designed to answer coverage questions fails to provide the necessary evidence. But before we do that, let’s revisit what we learned in the previous post. This refresh will set us up for a hypothetical scenario that will allow us to understand the problems that execution modalities create for us.
NetSessionEnum Function Call Stack
In the previous post, we analyzed the netapi32!NetSessionEnum function to generate its function call stack. Based on that analysis, we know that when an application calls netapi32!NetSessionEnum, it calls the lower-level srvcli!NetSessionEnum function behind the scenes, which in turn reaches the ms-srvs!NetrSessionEnum RPC function. We then identified that we could use the “Session Enumeration” operation to group these functions.
We represent the relationship between these functions as a function call stack below:

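The stack above, modeled as an added example (not code from the original post): the chain of functions is the one the post describes, while the three tools and their entry points are constructed, hypothetical stand-ins for different execution modalities. The `coverage` function shows why one test case passing against a sensor at a single layer says nothing about tools that enter the stack lower down.

```python
# Added example (not from the original post): model the NetSessionEnum
# function call stack and show why a single test case cannot establish
# detection coverage across execution modalities.

# Each function maps to the lower-level function it calls (None = bottom).
# The chain itself comes from the post's analysis.
CALL_STACK = {
    "netapi32!NetSessionEnum": "srvcli!NetSessionEnum",
    "srvcli!NetSessionEnum": "ms-srvs!NetrSessionEnum",
    "ms-srvs!NetrSessionEnum": None,
}


def functions_reached(entry):
    """Ordered list of functions executed when a tool enters the stack at `entry`."""
    chain = []
    while entry is not None:
        chain.append(entry)
        entry = CALL_STACK[entry]
    return chain


def detected(entry, sensor_function):
    """True if a sensor watching `sensor_function` observes a tool entering at `entry`.

    A sensor only sees the call if the function it watches actually executes,
    i.e. sits at or below the tool's entry point in the stack.
    """
    return sensor_function in functions_reached(entry)


# Constructed, hypothetical tools: each enters the stack at a different layer
# (what the post calls different execution modalities).
TOOLS = {
    "tool_a_win32_api": "netapi32!NetSessionEnum",
    "tool_b_direct_srvcli": "srvcli!NetSessionEnum",
    "tool_c_raw_rpc": "ms-srvs!NetrSessionEnum",
}


def coverage(sensor_function, tools=TOOLS):
    """Map each tool name to whether the given sensor would observe it."""
    return {name: detected(entry, sensor_function) for name, entry in tools.items()}


if __name__ == "__main__":
    # One test case with tool_a "passes" against a netapi32-level sensor...
    print(coverage("netapi32!NetSessionEnum"))
    # ...but that sensor misses the other two modalities; only a sensor at the
    # bottom of the stack observes all three.
    print(coverage("ms-srvs!NetrSessionEnum"))
```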
Tool Samples
In the previous post, we analyzed five Session Enumeration tool samples; however, we will reduce our scope for this post to j
[…]