
Okay, the next talk is from Thomas Fisher. Thomas is a vetter in the B-Sides and runs B-Sides in London and he's going to be talking to us about threat hunting. Good afternoon everybody. So I get the onus to go after my predecessor, which was a really interesting talk. I hope I'll be just as interesting. I think the second worst slot is right before lunch because everybody wants to get out. So I'm assuming most of you know what that last word is, right? So because I do this, sometimes I do this presentation for some of my clients, so we talk about this and most of them don't actually understand that. And there's a point to this, which is that it's
actually, I thought I saw a hacksaw, right? So if you know, the point is that what you see is not necessarily what you think it is and you need to kind of look at things in a better way to be able to detect the threats that are attacking your environment. So who am I? So I basically do security research around endpoint detections, specifically focused at data exfiltration. I've got more than 25 years of experience in infosec. And I spent a number of years in IR team positions. So I did IR. I do have my SANS certifications. I also run BSides. I'm also an ISSA UK chapter board member, actually member engagement. So if you're interested in knowing about ISSA,
feel free to approach me during the break or later on today. So, threat hunting. Threat hunting is not about threat feeds. It's not about threat intelligence. It's really hunting to defend yourself against the offensive side. So, we're looking at new ways of detection, new ways of rapid countermeasures for threats that are attacking you. So, there is a purpose to it. In the background is that most of your infrastructure is quite opaque, right? So you think you know what you see, how your network looks; you think you know what your applications are, where things are. Lately we've been talking about GDPR with some of our customers and they think they know where their data is
but we usually basically prove to them that they actually don't. The adversaries are becoming a lot more cunning, a lot more creative. They use your infrastructure, and in infrastructure I include the users, the people around, they use them against you. They're using your own solutions against you. They get in and they'll use things like, I was talking to somebody just this week about how you could exfiltrate data with Twitter or do C&C with Twitter. You know, it's an old concept but it's coming back again this year because, you know, social media is a part of the millennials. Social media needs to be active in your environment. So what do you do? You open it up.
Well, that just gives another exit point for the attackers to exfiltrate. Some say it's a natural evolution of IR. If you look at a lot of the science courses right now, they're evolving towards threat hunting as well. IR is traditionally a very structured process, right? You've got steps, you have things that you need to do, you have data that you need to collect. The problem is most of the IR that you're going to do is based on things that you know. But what about things that you don't know? How do you actually detect them? Threat hunting is really about the analysts trying to understand the adversary, trying to locate who's in your network and what
they're doing. You need to be creative and adaptive. It's not a structured methodology. You need to think outside of the box. You need to look at things in a different way. A lot of people are saying, you know, it's like if you're very creative, if you're an artist, you're very fit for threat hunting. Mostly because the way they look at it is that you don't want to look at that structure. You want to find things outside of what you would normally think. There aren't any really good indicators. You can use indicators to start your searches, but mostly you're working outside of the bounds of a traditional indicator. So like when you have your SIEM or
when you have your platforms that are triggering alerts like your IDSs, anything that triggers alerts, it's probably not going to help you really in threat hunting because those are knowns and you want to find the unknowns. You're going into deep analysis, but the really big important thing is you're understanding your environment, you're defining it and you're looking for normal, right? So, well, actually, you're defining what normal activity is in your environment. And what you want to do is actually look at what is not normal. And this is very complicated because normal activity doesn't necessarily work today. Because users work different times, users do different things. You see different patterns of traffic on your environment. If you have a very locked down environment, we still have companies that
have very locked down desktops and PCs, then normal can be quite easy to define. I work in a company where you get a choice, you can have a Mac, you can have a PC, you can have whatever you want to work on. We've got people with tablets as well that just use tablets. There's no way of defining what normal traffic looks like in that environment. You'll see patterns and you'll start to see normal progressions of how users use email and how things are transmitting between different servers or how things are transmitting between endpoints and servers. But the whole point is you need to define your normal. Now, so what? Well, if you're doing this, you're
actually building a proactive footprint against the attackers. So if you understand your environment, you can more easily find what's wrong and find what's outside of that normal gap. You start to build an understanding of your infrastructure. You know, I used, when I used to do, so I, in the past, I worked for a consulting company as well. And we would look, you know, we would go in and look at you know, typical doing penetration testing or reviewing, you know, doing risk analysis and things like that. The first question we would ask is, can you give us a network map? Right, one of the first questions. Take the network map, you look, you run your scans, the network does not look at all like what the IT security team thinks
it looks like. Because people change the network, you know, apps spin up, servers spin up, they're not necessarily aware of what's happening. So, To build that understanding of normal, you're actually building a better view of your architecture, of your infrastructure, and you gain more knowledge. You also need to gain knowledge of what your business does. So, you know, I know if there's one thing that I've learned over the years, because I used to work at end-user, before I worked for a software company, I used to work in the end-user, is the better you understand the business, the more you're likely to understand what's going on in your environment. you need to understand those business workflows
So if users normally come in, you know, if it's a very factory type environment where people come in at eight o'clock, they start, they turn on their PCs, you know, they do their emails and they go off and then they come back a few hours later to the PC, you can start to detect patterns of normal workflow on those machines, and when you start to see things that are happening outside of that normal workflow, there's probably a problem. We had, at one of my previous companies, we had an office out in the middle of Russia and the only link that they had was a satellite link back to the
office. At the time all the email was centralized, so every morning everybody would come in and the network was just flat saturated. Basically people would say, well, you know, we come in, we turn on the PC and the network starts to download, everybody goes for coffee and breakfast. You come back an hour later, your email's in your inbox. Because they had like 512k boards, satellite link, 50 people, total saturation. But that kind of activity is normal. So when you see that happening between the periods of 8 and 9, that's okay, that's normal. You start to build that contextual knowledge. If you see something happening outside of that time, then you start to look at what's going
on. So contextual knowledge and awareness of what's happening in your environment is really important. On the opposite side, so what does that give back to the organization? Well, if you do it right, you can start to document. You can start to build a wiki of showing, you know, that's dynamically updated as you gain more knowledge of the environment and see how it's changing. You gain operational knowledge. And for management, that's really important because once you start to gain operational knowledge, you can actually present better reports. You can tell them what's going on, where the money is, where they're spending money, what apps are coming up, who's doing business, well, who's doing new IT projects and
things like that. But, if we go back to threat hunting, so hunting, how it feels; hunting, the reality: you're in front of a screen and you're looking at logs. You spend your whole day looking, going through things, looking at data, basically. You know? So the basic, you need tools. First thing you need is tools. So what do I need? I need, well, I've got firewalls, I've got IDS, I've got IPSs, I've got network devices, I've got endpoint solutions. I'm very focused on the endpoint solution. If you actually look at a lot of the threat hunting marketing that was done last year, it was all focused around the SIEMs and a lot of it, I'd say 90% of it was focused on network events and IDS/IPS events. My
problem with that is that in reality the network nowadays is not structured. It's very dynamic. People move, they have laptops, they go home, the network they connect from their home. So for me the best ability to detect something is if you integrate your whole infrastructure and that whole infrastructure includes the endpoints and those endpoints can be servers, they can be laptops, they can be mobile phones. So if you can get data out of any of those things it just gives you more data to look at things and to find things. Notice how I said look at things and find things. I haven't said we found anything malicious. You're looking for things. There's some open source
tools as well that you can use like Bro IDS, passive DNS, you can use Autoruns, PowerShell, WMI, all of this can be used to actually gather logs. War is 90% information. I can't remember who said that. If anybody remembers, shout it out. Is it? Yeah. Okay, so it's a misquote of Sun Tzu. I knew it was something like that. Firewall logs. You can go through your firewall logs, look for unusual IP addresses. Look for countries, look for businesses that don't look normal in your standard traffic. Let's say you're an oil and gas company and you start communicating out to some server in China that sells iPhone parts. That's probably a problem because an oil and gas company is not likely to go out and
communicate to a server that builds iPhone parts. Proxy logs. A lot of people don't actually monitor their proxy logs. They're just looking for things that violate HR policies or violate usage policies. But if you start to see unusual traffic like port 22, or if you start to see where bytes in is equal to bytes out, can anybody tell me why it's important to look for bytes in versus bytes out when they're equal? Exfiltration, but you've got bidirectional communications. Most usual network traffic going out to the internet is pull, not push. You're pulling and pushing at the same time, that means somebody is doing something actively outside of your network and putting it in via some web service since it's going through
the proxy. You can use your proxy logs to look for dynamic DNS, look for unique user strings. Let's say you're a majority English or British or Scottish environment, you know that most of the user strings will be in English because you deploy English PCs, right? We deploy English language PCs. If you start to see user strings in Russian or Chinese, Mandarin, then it's probably a starting point where something's gone wrong. Windows logs. There is a lot of information which you can gather in Windows logs, and I'll get to it later, there's some new Windows logs that are in place now in Windows 10 and Server 2016, but I think maybe also 2014 on PowerShell. It's very important. Antivirus logs. Yes, they're helpful because, you know, antivirus
will detect something, but that initial detection could be just something interesting that might lead you to something more interesting. Process maps. If you have dedicated systems images, then you should know which processes are running on those images. Understand which processes are running on those images. Understand which ones have the right to run in privilege execution. Most processes do not need to run privilege. So if you're looking for a process that's running privilege and suddenly you find one, there's probably something wrong, especially if it's not normal in your environment. Put into endpoint detection solutions. We'll get into a little bit more into endpoint detection solutions later. All of this needs to be piped somewhere. It's a lot of data. So SIEM and ELK is a good recommendation. There's a
lot of projects running around ELK and Sysmon right now. I highly recommend if you want to get into this, to look at it. Now, there's a tendency to try and orient your, let's say, activities around frameworks. So if you recognize the yellow one, that's the famous kill chain. The blue one, it's part of a kill chain as well, but it's the MITRE ATT&CK categorizations, and they work on the post-exploitation. Here's my problem with these categorizations. Categorizations are great for reporting, for documenting what's happened, but the reality is that an attacker might do some recon inside, might escalate persistence straight away. Or it just might go all over the place. So all of this reporting stuff that you're trying to look at and trying to match is very difficult.
Plus, if you actually read MITRE ATT&CK correctly, none of the categorizations that they recommend are unique. So if you have, like, for example, WMI launch, it can actually fall under three or four different categories depending on the context of use. So you need to be very careful when using these types of orientations because context is extremely important. Things happen in a series of events and that context can determine which step you're actually in. Whether you're doing lateral movement or credential access or you're doing privilege escalation. I'll show some examples later. So I don't necessarily recommend this unless you're going into a stage of reporting what you found and things like that and then you can actually document it a little bit better to
say well, you know, this was the privilege escalation phase, this was the exfiltration phase and for that reason only. It's tempting because you're going to generate a lot of data to look at other solutions. So user analytics. User analytics is a very interesting domain. We're going to see a lot more of that over the next couple of years. Machine learning, we're looking into it right now on our side because of the amount of data that we generate. And machine learning will help us, don't get me wrong. If there's anything that you want to focus your attention right now on is machine learning because we are going into a generation of extreme data generation. So we
are going to be faced with gigabytes and gigabytes, if not trillions of gigabytes of data coming into these environments and we need to be processed. However, there's one big, so there's one problem with machine learning. The second line, user or entity behavior analytics. Show me more than one user that acts exactly the same way. The problem with user-based analytics is that you need to be able to baseline the activity of users. Users do not act the same way all the time, right? They will do things in different orders. Some users might go to Twitter, might spend their time on Facebook. Some users might prefer Twitter. Some users do email, then they'll do Word, then they'll
do PowerPoint, then they'll do Excel, while some will work on all three at the same time. User-based analytics is extremely complex to actually get right because of that fact. Situational awareness is really important when you're looking at threat hunting. What is situational awareness? Once you've mapped out your environment, you look for your critical assets. So let's take an example of an industry. Let's say a bank. The bank, what are their critical assets? Does anybody have an idea what a critical asset for a bank is? It's the image. It's the image? Yeah. So where does the stuff get stored? In the bank mainframes, right? Or perhaps back-end systems, you know, the back-office systems, depending on the type
of environment that you're talking about. In that structure of mainframes, there might only actually be one or two applications or one or two mainframes that actually manage the transfer of money or keep the transactional records. That's when you want to focus your situational awareness. So identifying that critical asset, then you put the more attention on that critical asset. So if you're looking at your logs and you're searching for things, one of the priority search criteria might be those critical assets. So when you're looking for unusual strings, you might actually look at them from the perspective of that critical asset. To do that, you kind of need to do risk assessments. And that goes, and that's
really difficult for IR people to understand. Risk, and a risk assessment. If you're looking at the technical risk assessment, maybe you can do it, but you need to look at it from the business perspective. It's like, what are the real risks of the business? We heard one just now for the bank, it's the image. So that's, well, how does that image get destroyed? And that's what you want to flow down into your situational awareness. Some threat hunting is intelligence-driven. And that's what most of the SIEM solutions that look at threat hunting and produce threat hunting will tend to focus on. They'll focus on the ability to bring in indicators and trigger alarms and direct you in the right area. It works because it can help you.
Because it can help you find that first step or it can help you find things that are known to pass them off straight to the IR team. So the thing is, I've been talking a lot about all these general concepts, but threat hunting, what it's really about is looking at logs and searching through logs, finding that unusual piece of thing. Now, there's nothing better than a pair of eyes to do this. Right? And this is where I came into some really interesting things. So, before we proceed with the presentation, so we're going to do something. I want you to watch this. Okay? Everybody count how many passes are made by the players wearing white. Okay? Okay, so
remember the number, right? How many counts? We'll get back to it. So, look at this image. Wait a while. Okay. We'll get back to that image as well. So I ran into some research. Well, some, I say training. It's not training. She does training. So Amy Herman, she was, I think she was an MD. Well, no, she was a lawyer. And she took some of her art background career to design a methodology on how to look differently. And when I was, I've been reading this book and I've been trying to learn from this book, and it dawned on me that, well, you know, we're looking for unknowns, but how do we find unknowns? Because we're always looking at these logs, right? We
look at logs, we see network traffic, we see application launches, but on a day-to-day basis that just feels normal, right? I mean, we're talking, well, this looks normal, this looks like I've seen it before, this IP address I've seen many times. Maybe it's normal, right? So you need to retrain your perceptions. And this is where nothing better than a pair of eyes attached to your brain can do more work than any machine. The idea is that we want to identify any pertinent information to what we're looking for, to what we're doing. We prioritize that information, draw some conclusions, and then communicate it. It's a little bit like... Richard's previous presentation, if you were in here, where he's talking about,
you know, people getting people buy-in and talking to them the way that they want to understand or that they were able to understand. It's very difficult to get out of that pattern of, well, I know my job, I know what I'm doing, you know, I see all this traffic before, to look at it differently. It took me a while to actually think about it, right? And Henry David Thoreau wrote, "We find only the world we look for." We are set in preconceived notions, right? So when we see certain things, we think it's this type of activity. So for example, if you see somebody opening PowerShell and it's an admin account, you might think that an administrator is doing some maintenance on
that machine. Or if you see somebody logging in via SSH to a web server and he's got a sysadmin, we'll call it sysadmin, not root, but sysadmin and he manages to log in as sysadmin and then does a sudo -s, yeah, that's an admin taking care of the box. But is it really? And that's where we get back to relinking that context, that understanding, and things like that. So you all walked into this room. How many portraits are there without looking again? Right now, can anybody tell me how many portraits there are? Well, depending on how you define portrait, it might be two or three. How many paintings are there? See, it's taking you a while. That's kind of like if you
want to look for it, you don't think about looking beyond what you're actually trying to do. Who noticed the matchstick head bust? One person. It's right there. So, This is where I was kind of like, "Wow, this is interesting." So if I change my way of looking at things and change my perception, I can actually start to think of things differently. So Leonardo da Vinci coined a phrase called "saper vedere." Does anybody know what it translates to? So it means "knowing how to see." And it's all about changing those preconceived assumptions. Assumptions are dangerous. Inattentional blindness. So how many of you noticed... well, what was the count of walls? I don't care. I don't care. Exactly. How many of you noticed the guy in the gorilla suit? Okay.
You were paying... some of you paid attention. But it's the same thing as the Matrix, right? The focus... he's focused on the girl in red and completely ignores the fact that it might be wrong, right? So he's seeing something that he's focused on and he's just ignoring the rest and it's dangerous.
That's what I mean. Assumptions, if you go in with preconceived notions, danger, danger. You don't want to take any preconceived notions. We worked on a case where we found somebody spying on management and management meetings, and one secretary. We thought, oh, must be some kind of... The company was... I can't mention the company, but they were quite important people. supplier of parts and we thought okay so it's a competitor or it's a state nation that's trying to get some information. That was some of the guys were thinking and we backtracked everything that was going on. We found out that it was a millennial that basically picked up a Kali Linux book, picked up some development courses, found some backdoor sysadmin tools, RATs,
re-adapted them, recompiled them so they're not seen by the antivirus or the network, and started releasing it onto the infrastructure. Specifically, copied it over to some servers. Then when he was in the meeting room, he would launch the RAT so it would install the back door. Then he had control. Assumptions. If we'd gone down the way of saying, well, it's got to be some external party, we would have looked for the external entry point. We would look for how that RAT got into the environment to find out who actually was doing it. We would have completely missed that it was actually an employee that was spying on his colleagues. Perspective. So there's a lot of linkage between the previous presentation. Perspective is very important. You
can change... perception quite easily, but changing perspective is also just as easy to change. You may see, so the idea is that you're looking at a network, you're looking at network activity. In most cases when you're looking at network activity and you're doing an incident response, you're looking at network logs and you're looking at what, you know, you think you found something. If you change this perspective and take it from the point of view of the endpoint, you'll see something different. You'll see that, for example, that web connection or that connection to Twitter isn't actually happening via a browser or isn't happening via a Twitter client. And that's the importance of kind of changing your
perspective of how you see things. There's a lot more to this and I'm thinking of actually building a whole discussion around this and how to actually look at data and refocus your attention so that you understand the right thing. Right, so remember this image? Does anybody know what it is? So, makes it easier for me. Again, seeing the right things and looking at things from a different perspective. So, back to my problem. It's like, I love the endpoint. I've been a strong advocate of endpoint security for a long time. We lost track of endpoint security. Why? Because it was too complicated, because it was too impacting on the business, because it stopped the machines from working properly. Yeah, yeah, get over it. The endpoint... is
really great. It delivers a lot of data. First thing, processes. Processes, processes. You can actually log and determine what's running, what's normally running, what doesn't belong. So when you see processes being launched, for example, from systems that aren't service hosts, you should probably take a better look. You can see privilege escalation if you actually capture the right thing. So try and understand which applications are supposed to run as sysadmin, which applications are supposed to run as a user. When does a user suddenly become a sysadmin? Those are important things to find. Network activity. Network activity looks completely different when you actually look at it from the endpoint. For one thing, if you do it right, you don't actually have to break TLS to capture
what's going on in the network. Because if you're capturing the right API on the endpoint, you can actually capture whatever that process is feeding into that network connection. Because it's going in before the encryption happens. There's also other things. Some of the ransomware attacks of late, they spawn off a regsvr32 process. That regsvr32 process then starts to communicate out of the internet. So if you know what regsvr32 does, Why the hell is it communicating out to the internet? Same thing with cscript. You know, you might use cscript to do, to manage your workstations and things like that, cscript communicating to a server inside your environment, that's great because it's probably just, you know, the boot, the GPO running a script to modify them, to
update the machine or to lock down the machine. But suddenly you see a cscript communicating out to the internet and downloading a binary from the internet, downloading a file and then renaming that file something like, you know, blah blah blah dot bin, then there's a problem. You can also capture... local firewall filters being avoided. So typically you can see that for the command line when the attacker actually issues a net use command or issues a net fire web, you know, like a PF command if you're on that one Ubuntu to change the firewall settings. So you can get even more system information if you're good at it. You can get kernel drivers, you can see what kernel drivers are signed, which aren't signed. You can
check for persistence in run keys, you can check for persistence in other keys. You can look at the scheduled tasks. Most machines don't have, well, scheduled tasks are a normal part of a machine, but when you have a scheduled task that runs at boot, but runs from a local app data folder, there's probably something wrong. So all of these things are things that you're going to look for. And yes, they're kind of indicators of compromise, but an indicator of compromise would tell you, you know, this scheduled task with this parameter, with this string is XYZ attack. What you're looking for is just any scheduled task that starts at boot that runs from an unusual location. Services. Do you know what services are
running on your machine? Typically, most people won't know. Because when you look at us, even if you look at services in, so this is specific to Windows of course, but if you look at services in Process Explorer, you might see like five or six service hosts. You think, oh, there's five or six services. Actually there's not, there's a lot more. Yeah, in some cases you actually need to go into service hosts because they're running, well, DLLs, and those are the actual services. So you need to understand all of that. Why the endpoint? Why do you want to collect all this data? Because ultimately the attacker is after the endpoint. It's on the endpoint that they're going to do the most damage and they're going to get
what they want. So because I focus a lot on data exfiltration, where do you think the data comes from? They're not attacking your website, pulling them off. They're attacking your website, compromising the user, compromising the endpoint and pushing it out of your network in most cases. So, understanding and having that visibility on the endpoint, collecting the configuration information and all of the things that you can possibly see on the endpoint is the golden goose. Because you have all that data now, you can actually find things. you can generate a crap load of information. You turn on Sysmon and turn on every piece of information you can do, you can easily fill a drive with data. and a
large drive. Our endpoint does a lot of the stuff that Sysmon does. I turned it on one day, I turned everything on. I mean, I was generating, on an active system, I was generating like probably 750 to 800 megabytes per half hour of data. So you've got to be really careful. So you're sitting there, and you're like, oh, there's too much data. So all that was supposed to be built. I did do an analysis of the different types of endpoints that you have. Now depending on the endpoint you get different values. You can get like hashes, just hashes, just registries of file properties. You can get network connectivities, you can get registries, you can get file operations,
command lines. So there's a whole bunch of stuff. Sysmon will give you a lot of that stuff too. The difference between Sysmon and the ones in the background is the ones in the background, of course, you have to pay for. Sysmon is part of Sysinternals. So if you need to work on Windows, I highly recommend Sysinternals because you can do a lot of stuff. SwiftOnSecurity, if you follow her on Twitter, did a really great set of rules to actually fine tune the Sysmon data that you can capture. And there's a lot of forks happening from there depending on what activity you want to do. And you'll find if you follow through those forks,
you'll find people actually building ELK stacks with dashboards to look at this data. So there's a lot of ways to actually find, to actually get this data out of the endpoint and then look at it. Well, you know, I was doing this as a side project trying to build a recommendation for our SOC teams to basically start to look at things in a different way because, you know, we have alarms, those alarms trigger, we know there's a response need to be done, but what about the unknowns that we don't have alarms for? So I started by basically downloading all the data and putting it into Excel. I started querying Excel. I only went to Excel because I could do pivot tables and start to play with pivot tables
and do sums on some of the information. I was actually using Perl at one time with regex to go through some of the logs; it just got too complicated with Perl. But I've highlighted some things over here. So this is just basically a standard phishing attack with an Excel spreadsheet macro. And you can see all the steps. So basically... Oops, sorry. So in here you'll see that Excel goes out to a network address, actually accesses a URL, and these are things that you can actually look for. So when you see this, there's something going on. Then in the next step you actually see a file write, so there's a file write of a binary type, and then you see it actually being spawned with a different name. So these are classic hints that something's been imported into your environment. And then you see that same process going out and then doing some network connections to another site and all these fancy URLs. Well, not fancy, but you know, a URL with binary... I've got to stop talking like I'm talking to management, sorry. You'll see a URL with binary strings at the end. Those are usually C&C commands happening, registration. So you can actually see things going on. And so that's why you pick up.

So here's some more evidence. So here's the same type of thing, except this time we see WScript running, going out to some IP addresses, downloading something. And you see a very typical, I'd say, dropper URL where you've got the host name, some subdirectory, then a question mark and some hex values. So what did this give? This actually spawned off a few processes from CMD that did some registry changes and then spawned off another process called A2. Then I saw all these CMDs. It's not too bad up here actually. Anybody know a little bit about Windows? Can you tell me what this command is doing? Do you know what this command is doing? What it does is it's just a for loop that looks for every typical business type document on every drive. The guy just basically wrote a script, a CMD script, that just does a for on every drive letter imaginable. And then he pipes it into another program. This a.0. So this a.0 here. Does anybody recognize that command line? Ignore the a.0. I'll give you a hint. What does a usually stand for in a command line? Archive. a.0 is actually 7-Zip. These guys didn't even bother to do anything. They just basically used a version of 7-Zip, repackaged it as a.0, and then ran a command line. So, the funny thing is, the -mx0 and -mhe are compression factors for the zip file, -p, and that whole string, that's the password for the zip file. When he does the zip, he basically takes the original file and renames it to .cryptid. This is a ransomware, right? But he didn't even use any fancy encryption. He just used a tool that was readily available as open source. And you know the vendors that say, "Well, we've got a ransom tool that'll decrypt the ransom and all that." It's because the guys are just using stuff like this. And if you're doing this kind of threat hunting and you're looking for the command lines, you can pick up the password because it's not generated. It's just there statically inside the script. And if you get all that command line information, which you can with things like this one, you've got the password, so you've saved yourself. So the only thing that I find that's hard is that you're generating a lot of data and you've got to rebuild the context yourself. So
what I would really like to see is a drive to behavioral analysis at the endpoint, but that would require computing power. So the idea would be that the endpoint would actually start to repackage the information that it's seeing and say, "Okay, this is potentially a phishing attack," because it was an email, the user opened a zip file from that email, and that spawned off something. So that's something that's kind of like my wish; I'm trying to get the guys in my organization to work on this type of activity. It's very hard though, because actually understanding the behavior of a process, it's not that easy; there's a lot of different factors that can go into, well, the chain of events that I've shown in that logic on the right, and it can change.

So how do you actually carry out threat hunting? Right, I've mentioned it a few times: it's about looking, seeing, looking for things, but it's also about, well, you know, getting your hands dirty and doing some parsing. So here I'm visualizing data, right? So I'm just, I've basically, this is Splunk, if you know Splunk. We've broken down the logs that we're getting and we're looking at the data. This is specifically focused on network activity. So we're looking for specific network, you know, like network activity coming from a non-standard user to a non-standard IP address, for example. Here we're looking at finding Explorer launches that aren't in the right place. This one, we're looking for services, well, service hosts, that aren't launched from services in the right way. So if you look at the top, the second row, we've got a service host launched from Explorer. That would be an indicator that something's gone wrong in that machine. I have to investigate further. These are PowerShell. So I'm going to get back to PowerShell, but we look for a lot of the PowerShell commands. I'll get back to PowerShell. Again, Winlogons where the application is not launched in the right place.

What are you looking for? Well, sometimes you're looking for very long URIs. So if you have a URI that's just not, well, you know, suddenly ends with like 256 hexadecimal numbers, it's probably something. Looking for DGAs and the domain age. It's a little bit more complicated if you're doing it through a SIEM because you actually have to, well, DGA you can actually build, you can build regexes for it. But domain age, you actually have to go back and check a domain, see how long it's been there for. There are, you can build scripts to actually do that for you and then feed the data into it. You're looking for file execution paths. You know, %appdata%, %temp%, bin. Very few processes should actually launch from there. Network ports. Listening network ports. All unusual processes calling out. So I've got a dashboard that basically looks
at all of the network communications that's done on port 80 or port 443 that doesn't come from IE or Chrome or Netscape or Firefox or whatever. All the standard browsers, we have them excluded, and we're just looking for that traffic that's coming out, going out to port 80, that doesn't come from a standard application. Command lines. Command lines are really great, because attackers are using the built-in systems to defeat you. It's no longer looking at building and pulling in tools. You can actually do a lot of stuff with the command line.

So here are some of the things found. So this one is a backdoor, to do a sticky keys vulnerability. So you see you've got the net user adding an admin backdoor, the PsExec, CMD, then he does a copy to copy one, then he uses the copy to, he copies that command, that copy, to osk.exe, and then he inserts it into the registry. This is a suspicious PowerShell command that then launches an application out from the local app data directory. And we had a single-character executable. So this was actually, this is the full PowerShell command line. Single-character executables are really great to look for, because, or two-character executables, there's not very many legitimate apps that have that.

Here's some more regexes. So this one is basically all the password dumper type applications that get downloaded by attackers so they can dump your passwords. This is regsvr trying to communicate on HTTP or doing an HTTP... Does anybody know what this one would match? So this is a DGA, so dynamically generated domains. This one specifically is Silex. net localgroup administrators. So that's when you're adding administrators. I'm running out of time. Execution type applications. So here's one for things like that.

So some other points. So registry keys to look for. This one is to bypass changing of the system password, the computer password, so that you can attack an AD. This one is to do privilege escalation, bypass UAC. These ones are shell attacks via web. Does anybody know what this is? They're dumping the SAM database, basically. But to do that, they have to create a shadow copy because the SAM database is active and protected. So this is... that's when, you know, context, situational awareness: you want to look for every aspect of the attack to better understand it.

PowerShell is a new call, so I highly recommend you look at what Daniel Bohannon's done in Revoke-Obfuscation. So you look for strings like this, right, WindowStyle Hidden, right? So that will match WindowStyle Hidden and different variations of it used by PowerShell. Most PowerShell attacks will try to hide the Windows shell. You might look for these Invoke-DllInjection, all these malicious PowerShell modules that people download. Where it gets more complicated is this. Try to detect that with a regex. That is a valid PowerShell command. It will run. Some people are looking confused. Are you sure? Yes, I'm sure. I've actually seen two new variants of ransomware that are using it. Link it to threat feeds. Threat feeds are helpful because you can basically, once you've detected something, or once the threat feed detects something, you already have a positive, right? So you can push that positive off to an IR team that then can do the full set of investigations in the proper way.

So then you need to think, so I'm sorry, I'm rushing through the end, but you need to think about, well, how do you get management to buy into this, right? How do you
do it? Well, the first thing is you need to prepare a team. It's like changing the culture of the team. You need to look for people that are creative. Very structured people will not like threat hunting, basically because you're not looking for anything that you understand. You need to think outside the box. You need to be very creative. You refine the process by making sure you have the right tools. Using internal CTF challenges can help to motivate people. You embed it into the IR process. That's a little bit more complicated because you need to change the culture, the work culture, the culture of the IR teams; you need to change the culture of the SOCs and things like that.

The idea is that we no longer, yeah, there's so much change coming in the way the attackers attack us. We need to be on top of them, and to be on top of them you need to start to think like them, to understand and start to look for them. You need to be creative and see and look differently, and that's, that was, that's how I see threat hunting. It's not about building a bunch of dashboards or building a bunch of searches in Windows or in SIEMs and things like that. It's really about changing the way that you see things in your environment, changing the way that you look at the activity that you're seeing in those logs.

And that's the conclusion. Sorry, I rushed through a little bit at the end, but it's more management speak than the actual background on threat hunting. Any questions? Thank you. Thank you.
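The hunts the talk walks through (svchost launched from Explorer, execution out of %appdata%/%temp%, one- and two-character executable names, non-browser processes talking on 80/443, long hex URI tails, the 7-Zip command line with its static -p password, net localgroup administrators, shadow copies, and PowerShell hiding its window under the abbreviated spellings Bohannon's work covers) expressed as code. This is an added example written for this transcript, not the speaker's Splunk searches or any vendor's product; the field names mirror Sysmon's (Image, ParentImage, CommandLine, DestinationPort), but the events, paths, IPs and passwords below are constructed samples, not records from any real incident.

```python
"""Threat-hunt heuristics from the talk, run over constructed Sysmon-style events.

Added example, not code from the talk. Field names follow Sysmon; the events in
EVENTS are constructed samples (no real hosts, IPs or incidents).
"""
import re

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\")          # %APPDATA%, %TEMP% and friends
HEX_TAIL = re.compile(r"[?/][0-9a-f]{32,}$", re.I)    # URI ending in a long hex blob
ADMIN_ADD = re.compile(r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add", re.I)
SHADOW_COPY = re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow", re.I)


def exe_name(path):
    """Basename of an image path, lower-cased, so rules are path-agnostic."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hidden_window(cmdline):
    """True if powershell is told to hide its window. PowerShell accepts any
    unambiguous prefix of a parameter name and of an enum value, so -w h,
    -wi hid and -WindowStyle Hidden all mean the same thing; a literal
    'windowstyle hidden' regex misses most of them. Prefix-match instead."""
    toks = cmdline.split()
    for i in range(len(toks) - 1):
        flag, value = toks[i], toks[i + 1]
        if len(flag) >= 2 and flag[0] == "-" and "windowstyle".startswith(flag[1:].lower()):
            if "hidden".startswith(value.lower()):
                return True
    return False


def archiver_password(cmdline):
    """Extract the static -p<password> from a 7-Zip style 'add' command line.
    The binary may be renamed (the talk's a.0), so key on the verb and the
    switch, never on the executable name."""
    toks = cmdline.split()
    if len(toks) < 3 or toks[1].lower() != "a":
        return None
    for t in toks[2:]:
        if t.startswith("-p") and len(t) > 2:
            return t[2:]
    return None


def hunt(events):
    """Return (rule, image, detail) tuples for every event that trips a rule."""
    findings = []
    for e in events:
        img = exe_name(e.get("Image", ""))
        parent = exe_name(e.get("ParentImage", ""))
        cmd = e.get("CommandLine", "")
        kind = e.get("EventType")
        if kind == "ProcessCreate":
            if img == "svchost.exe" and parent != "services.exe":
                findings.append(("svchost_wrong_parent", img, parent))
            if any(d in e["Image"].lower() for d in USER_WRITABLE):
                findings.append(("exec_from_user_writable_dir", img, e["Image"]))
            if len(img.rsplit(".", 1)[0]) <= 2:           # a.exe, a.0, xx.exe ...
                findings.append(("short_executable_name", img, e["Image"]))
            if img in ("powershell.exe", "pwsh.exe") and hidden_window(cmd):
                findings.append(("powershell_hidden_window", img, cmd))
            pw = archiver_password(cmd)
            if pw is not None:                             # the recovery key, for free
                findings.append(("archiver_static_password", img, pw))
            if ADMIN_ADD.search(cmd):
                findings.append(("local_admin_added", img, cmd))
            if SHADOW_COPY.search(cmd):
                findings.append(("shadow_copy_created", img, cmd))
        elif kind == "NetworkConnect":
            if e.get("DestinationPort") in (80, 443) and img not in BROWSERS:
                findings.append(("non_browser_web_egress", img, e.get("DestinationIp")))
        elif kind == "ProxyLog":
            if HEX_TAIL.search(e.get("Url", "")):
                findings.append(("long_hex_uri", img, e["Url"]))
    return findings


EVENTS = [  # constructed samples, not from any real incident
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventType": "ProcessCreate", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\a.0",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "a.0 a -mx0 -mhe -pStaticPassw0rd D:\\docs\\q3.xlsx.cryptid D:\\docs\\q3.xlsx"},
    {"EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": "powershell.exe -nop -wi h -ep bypass -enc SQBFAFgAIAAoAE4A"},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\net.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "net localgroup administrators backdoor /add"},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "vssadmin create shadow /for=C:"},
    {"EventType": "NetworkConnect", "Image": "C:\\Windows\\System32\\wscript.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 80},
    {"EventType": "NetworkConnect", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationIp": "203.0.113.8", "DestinationPort": 443},
    {"EventType": "ProxyLog", "Image": "C:\\Windows\\System32\\wscript.exe",
     "Url": "http://dropper.example/get?" + "ab12" * 10},
]

if __name__ == "__main__":
    for rule, image, detail in hunt(EVENTS):
        print(f"{rule:28} {image:16} {detail}")
```

Each rule is deliberately a single, cheap test on one event; the context the speaker says you have to rebuild yourself (Excel wrote the file, then spawned it, then it called out) comes from joining these findings on host and process ancestry, which is the part a SIEM search or a parent-child chain view has to supply.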
How many breaches have you seen where no malware was used at all? It was just living off the land, some kind of browser exploit, just PowerShell and all that?

There's always... The thing is, it depends on how you define malware. If you're talking about a dropper or an executable, there's plenty that happen without. Basically because we're seeing a lot of... the traditional phishing with a Word or Excel attachment that directly launches the PowerShell command. And that PowerShell command, although... So, you're going to get into a debate that I don't... We're going to get into a domain that I don't like. The people who call them fileless attacks, basically what the PowerShell does is they encode the script, the PowerShell script or the executable, as an encoded payload into the PowerShell; it downloads it into memory and executes it from memory. Usually, to do persistence, they write it into a registry key, and as soon as they do that, well, they write it somewhere where they can relaunch on reboot. As soon as they do that, number one, it's a file; number two, you've got some kind of presence, right? So even if I don't detect that initial PowerShell command, because, well, you saw that last PowerShell command, it's like, I do know what it comes out as, but it's a traditional download of an executable from a website and then it runs the executable. That's what that whole mess translates into. But at the end of the day, those PowerShell commands do actually run.

So I mentioned something earlier, I don't know if you picked up, but event logging is changing in Windows. One of the things that they've added is PowerShell event logging. There's a whole dedicated PowerShell event log now, and if you turn it on, it will explode that PowerShell command. Because it actually looks at the final command that gets run. And Sysmon has been changed to actually pick those up and log them. So you can get that data, and you can see what they're doing. At the end of the day, we're seeing more and more, once they're in, they don't use any additional software. They're just using the built-in commands. I mean, we've seen, you know, they'll scope, they'll go through the machine, they'll look for things like 7-Zip or WinZip, use that to archive the data that they want to grab, use that archive, and they'll run a hidden embedded Explorer, Internet Explorer, to upload it to a website. You can do all that without any additional software. It's just that initial getting in. There's always some kind of thing, even if it's PowerShell, where to do the persistence, they have to drop something. And it can be a PowerShell command, right? So there was one where we got a scheduled task on boot. It was just basically a PowerShell command. They just repeated the PowerShell command in the scheduled start. So it just redownloaded and re-ran the payload in the background.

So there are ways of, you know, we're seeing it more and more, and PowerShell is one of the reasons why we're seeing it more and more. I mean, even if you look at, I think last year, so I tested, I think it was about 30 or 40 ransomwares for customers we're seeing. Probably 30% were just tools like 7-Zip. I had one with a PHP script. One of the, yeah, they basically downloaded the, one of the oldest versions of PHP, the standalone version, and they just ran a PHP script. And why? Because AV just basically blows it off. It's PHP. Why do I bother? When you're looking at the process that's launched, even if it's a different name, you
might look at the internal name, and the internal name still says PHP. So, why do I look at it? And that's where I came back to my point of, you need to look at things differently, right? You can't make assumptions about what you're looking at. You need to kind of rethink the way that you're seeing. You can redo that perception. That's why I'm still playing with that aspect of how we can apply it better to things like threat hunting or even to things like IR, right? Looking at things from a different perspective.

During your time, have you ever seen an attack which used the spoofed update cycle?

Not yet. Not yet. Spoofed update server is a little bit more complicated. So my focus is a lot more on enterprise. And I know very few enterprises that use external update servers. Most, I mean, if you're running SCCM and if you're running, you know, if you actually follow the recommended steps of setting up your Windows update according to Microsoft, you don't need to... I said Microsoft, but I don't know if you guys looked at some of the stuff that they're doing on their Windows 8, I think it's APT? The new version of Windows Defender. It's ATP, right? So they've actually done a lot of what I was discussing on presenting the processes and looking at the hierarchy of processes, the command lines; that's part of what they're doing now as well. Because they've realized that you can't, you know, the same way that those tools that they provide that are useful for a sysadmin and that they can't really get rid of, they're being used against us.
It's the same way. It's like looking for, you know, one of the things that's really interesting is, so a few years ago, we were doing some investigations on one of our customers and there's a bunch of workstations out of California communicating all the time to China. Like, okay, start to look at the processes that are doing those communications, because we have that visibility of the process. It's a process called qq.exe. So a few of you smiled. QQ.exe is basically a submodule for Tencent's Chinese software. It's the equivalent of, let's say, some of the Google stuff. And it provides, one of the things it provides, it provides dynamic translation and a DLL that registers into Office to provide dynamic translation for Chinese people into English and vice versa. Okay. So it's communicating to China on a regular basis. We could never prove what it was actually sending, but the customer went back to revise what they were doing for their Chinese... They were employees, yeah, they were employees. So they gave them a set of tools that they actually had control over. But that's some of the things that you can do if you start to look at things differently, if you start to gather that data.

All right. There's one more question up there.

So, going back to the Sysmon, during the Sysmon recording, we didn't get the help of staff.

Did you notice I did not talk about how to send Sysmon data back to the... Did you notice how I did not mention how we had been sending Sysmon data back to the... Okay, does that answer your question?

- I don't know if anybody has made any attempt to kind of build a streaming framework for Sysmon data.
- It was maybe up until the scalable way.
- Yeah.
- The answer's yes. There's lots of attempts at this. The scalability and the reliability.
- Two minutes out of time. Thank you.