AGENDA
• About Me
• Hunting Philosophy
• Hunting vs Detection
• Building a Hunting Catalog
• Closing thoughts
[~]$ WHOAMI
• Recovering IR Consultant
• Adversary Tracker
• Threat Intel Junkie
• RE/Malware Analysis Rookie
• Varsity Threat Bro
• @ab1ff
2018 – Now | <redacted>
2017 – 2018 | IR Consultant, Rapid7
2013 – 2017 | Lead Analyst, Mandiant
2010 – 2013 | SOC Analyst (USGov)
2008 – 2010 | Network Engineer / Sysadmin
WHAT IS THREAT HUNTING?
“Hunting is the process of applying intelligence and knowledge of attackers and malware to raw data”
Hunting Philosophy: The Three Buckets
Detection via Products/Technology:
• Indicator / Signature based
• High fidelity
• High confidence, less experience and time needed to validate
Methodology Based Detection:
• “Loose indicators” – eg EXE transferred via SMB
• Geared more towards behaviors or TTPs
• Medium confidence, more skill and time needed to validate
Hunting:
• Raw data analysis
• Experienced analysts – know what to look for / how to find threats
• Lowest confidence / Most impactful
Source: FireEye via https://www.youtube.com/watch?v=yGmqFOEUuk0
SCENARIO 1: INTEL NOTIFICATION
“We just received notification/material from $ThreeLetterAgency detailing some adversary information and listing breach indicators. Can we search and scan our environment for this and see if anything from the report shows up?”
SCENARIO 2: LOOSEY GOOSEY
“As an analyst, I’m going to deploy open mechanisms to notify the team anytime there's an executable written to ‘AppData\Temp’ or new Windows services are created on user workstations.”
SCENARIO 3: PROFILE
“Attackers frequently use HTTP for malicious network communication”
“If I find a weird looking user-agent string in HTTP traffic, I may have discovered an attacker”
“Did any system on my network communicate over HTTP using a suspicious or unknown user-agent?”
“How do I answer that question?”
CRITERIA TO HUNT
• Techniques must be able to be measured for efficacy
• Techniques must be able to be run across the entire target base
• Techniques must be repeatable
EXAMPLE: WINDOWS SERVICES PERSISTENCE
• What is a Windows Service?
• In Windows NT operating systems, a Windows service is a computer program that operates in the background. It is similar in concept to a Unix daemon. A Windows service must conform to the interface rules and protocols of the Service Control Manager, the component responsible for managing Windows services.
^ LOL OK, BBY
Get-WmiObject -Class win32_service -computer "." -Namespace "root\cimv2" | Select-Object -Property Name,Description,PathName,SystemName
Get-WmiObject -Class win32_service -computer "." -Namespace "root\cimv2" | Select-Object -Property Name,Description,PathName,SystemName | Export-Csv -Path "\\NETWORKSHARE1\${env:COMPUTERNAME}.csv" -Delimiter ';' -NoTypeInformation
Get-ChildItem -Filter *.csv | Select-Object -ExpandProperty FullName | Import-Csv -Delimiter ';' | Export-Csv .\merged\merged.csv -Delimiter ';' -NoTypeInformation -Append
DETECTION EXAMPLE
• FilePath IS “C:\temp” AND FileName LIKE “[a-zA-Z\d\-]\.[a-zA-Z]{1,3}$”
• Matches on single character filenames with any extension (eg. 1.txt, A.exe)
• FileName IS “SVCHOST.EXE” AND FilePath != “C:\windows\system32\”
• Matches any instance of svchost.exe where the filepath is not C:\windows\system32\
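Added example, not from the deck: a Python pass over the merged service inventory that the collection commands above produce (assuming the merge keeps the per-host ';' delimiter and the Select-Object column names), which stacks service binaries by host count (least-frequency-of-occurrence) and applies the two detection rules on this slide. The rows, host names and service names are constructed sample data.

```python
import csv
import io
import re

# Constructed sample of merged.csv as Export-Csv -Delimiter ';' writes it
# (every field quoted, embedded quotes doubled): one row per service per host.
MERGED_CSV = r'''"Name";"Description";"PathName";"SystemName"
"wuauserv";"Windows Update";"C:\WINDOWS\system32\svchost.exe -k netsvcs -p";"WS01"
"wuauserv";"Windows Update";"C:\WINDOWS\system32\svchost.exe -k netsvcs -p";"WS02"
"wuauserv";"Windows Update";"C:\WINDOWS\system32\svchost.exe -k netsvcs -p";"WS03"
"Spooler";"Print Spooler";"C:\WINDOWS\System32\spoolsv.exe";"WS01"
"Spooler";"Print Spooler";"C:\WINDOWS\System32\spoolsv.exe";"WS02"
"Spooler";"Print Spooler";"C:\WINDOWS\System32\spoolsv.exe";"WS03"
"UpdaterSvc";"Updater";"C:\temp\a.exe";"WS02"
"NetHelper";"Network Helper";"""C:\Users\Public\svchost.exe"" -k netsvcs";"WS03"
'''
SINGLE_CHAR_NAME = re.compile(r"^[a-zA-Z\d\-]\.[a-zA-Z]{1,3}$")  # slide's pattern
SYSTEM32 = "c:\\windows\\system32\\"

def image_path(path_name):
    """Service binary from PathName, without quotes or arguments; an unquoted
    path with spaces is cut at the first space (simplification)."""
    p = path_name.strip()
    if p.startswith('"'):
        return p[1:p.find('"', 1)]
    return p.split(" ")[0]

def load_services(text):
    """Parse the merged inventory into dicts keyed by the exported columns."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))

def stack_by_path(rows):
    """Least-frequency stacking: host count per service binary, rarest first."""
    hosts = {}
    for r in rows:
        hosts.setdefault(image_path(r["PathName"]).lower(), set()).add(r["SystemName"])
    return sorted((len(h), p) for p, h in hosts.items())

def apply_rules(rows):
    """The slide's two detection rules, returned as (rule, host, binary) hits."""
    hits = []
    for r in rows:
        image = image_path(r["PathName"])
        directory, _, filename = image.rpartition("\\")
        directory = (directory + "\\").lower()
        if directory == "c:\\temp\\" and SINGLE_CHAR_NAME.match(filename):
            hits.append(("single-char-in-temp", r["SystemName"], image))
        if filename.lower() == "svchost.exe" and directory != SYSTEM32:
            hits.append(("svchost-outside-system32", r["SystemName"], image))
    return hits
```

Across the fleet, the rarest entries from stack_by_path are the first candidates for manual review; the rule hits are the high-fidelity subset that can go straight to detection.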