
It's yours. Thanks. Well, anyway, before I start: thank you for having me, it's great to be here. I actually really love these little conferences. A couple of people asked me today why I come to these little conferences; it's because it's small, it's a small community, and you see how tight the community is. It's a different experience, because every culture has a different way of addressing problems and talking to each other and communicating, so it's always interesting. My presentation this afternoon is "I thought I saw a hacksaw"; it's a play on words from Tweety Pie, if you remember the cartoons from the 60s and 70s. It's about threat hunting. So threat hunting
started a couple of years ago as a keyword, and we'll get into that. Before that: my name is Thomas. I have been in this industry for a very long time, a very long time. I did incident response for a number of global companies, let's just say it that way, as an end-user customer. I also run BSides London, so a very nice little conference as well, not that little; you're welcome to come if you want. And I'm also a board member of the ISSA. I like to exchange information, I like to share knowledge, I like to bring people into the community and make sure that everybody feels welcome in the
community.

So what about threat hunting? As I said, threat hunting became a keyword a few years ago, and even now I think SANS has even got a course on threat hunting. But threat hunting is essentially above the IR process, right, so it's an initial step so that you can initiate your IR process, your incident response process. But most of it is because we've come to a position now where most companies have a very opaque infrastructure: they don't know what's going on in their infrastructure. And that's true, you know, with new people coming in, you see new services, you see new applications, you see new devices. The other part of the problem is the adversaries have
become more and more intelligent and more and more cunning, and they're playing with the tools that we have in our infrastructure. I'm sure you saw Microsoft had to release a statement, or a tech note, to its customers this week on the DDE attacks. The funny thing is, those DDE attacks have been going on, pen testers have been using them for three years. I used it, I used it in a demo three years ago, right, so it's been there for a while, and these attackers know this and they are using this against us. With compromise as a given, right, so we know, and we've always said it: you're compromised, just live with it and figure out how to deal with it later. It's a
natural evolution of incident response, because incident response typically starts with something that you know, but how do you do incident response on something that you don't know? And we're moving away from automation, and we're starting to look at, you know, moving away from the traditional linear type of incident response: observe, orient, decide and act. This is very military, right, so you're looking at things, you find something and you act upon it. So the principle of threat hunting is that it's a process of actively searching inside your environment for evidence of something that you've never detected before. So if you think APT, right, advanced persistent threats, this is one
way of finding an advanced persistent threat in your environment, because you're looking for something that you've never seen before. But the underlying statement is that you actually are capable of looking at those events and have those events stored somewhere, so that you can get at them and analyze them. And this is where it comes in: the analysis part is interesting, because we're no longer talking about an incident responder, we're talking about an analyst who's looking for and fighting an adversary, right? It's essentially a dog and cat game, right, so the analyst is placed as the dog and he's trying to chase the cat. So we're looking at things in a different way. We really want to kind of
say: I'm an analyst, how does the adversary attack me, what is he doing, how do I think like an adversary, what am I looking for? It's all about being creative and adaptive, so you're not relying on any indicators, you're not relying on anything that you know, so you have to be kind of creative, you have to think outside of the box, you have to think like the attackers would think. You know, if you notice, I'm repeating, but we have to think like the attackers, because what you want to do is find that initial stage: how they entered into your environment and what they did in your environment. But in practice you're looking at going through
a lot of logs, a lot of events that you've collected. There's no particular indicator or threat; anybody who tells you that they're threat hunting and they're basing it on an alarm, they're not threat hunting, that's incident response. You do not have alarms when you start your threat hunting process. It's a deep analysis of a potentially compromised host, right, so if you think something's wrong on an endpoint or a server, you go through that endpoint or server, you go through everything, so you do forensics dumps and things like that, and you look for something which you've never seen before. And I said it before: we're not talking about alerts, we're talking about things
that do not get picked up by your traditional or your next-generation detection systems.

But there's an underlying thing with this: you have to understand the environment that you're working in, you have to define what a normal event looks like in your environment. So essentially the analyst needs to have a fundamental knowledge of how the business works, of what's going on in the business; they need to understand how users use the applications on a daily basis, how endpoints are communicating to servers, how servers are communicating to each other, because what you're going to look for is something that doesn't fit in that normal pattern that you're
seeing every day. So the best threat hunters are the ones that are sitting there looking at events all day, but they also understand the business. They also know that, you know, the normal business operation is from 9:00 to 5:00, for example, in a factory; that when people come in in the morning they start their emails, so you see a spike of email activity. If you see a spike of email activity in the middle of the night, it's probably something wrong with that endpoint or the environment. So you have to understand what's going on in that environment, and that's where it's about building a picture of understanding and defining
normal in your environment. But so what? So you're building this proactive footprint against your attackers. If you have a baseline, if you know what you're doing, how your environment behaves, if something comes out as not normal, you've actually built a proactive footprint: you can detect something in your logs and you can say, OK, something's going on here, let's start looking at what's happening, let's go deeper. You understand your infrastructure better, so you start to do a system and application gap analysis, you start to do better inventory processes. You know, the other day I interviewed for a job with a mobile operator in the UK that's been in the news a number of times in the past
couple of years. First thing I asked the CISO was: so how's your inventory management? We don't have one, we have to build it. And I'm like... there's a couple of guys based in the UK, a few based in the UK, who probably know which operator I'm talking about. But if you're doing threat hunting, understanding that environment, understanding what systems you have in place is going to give you organizational knowledge, right, it's going to give you an understanding of what's happening. Businesses love organizational knowledge. Why? Because you're documenting what's happening in the business, you're giving back something to the business, telling them: this is how the systems operate, these are the critical
systems, these are what our critical assets are, this is what we need to protect. It's a different way of looking at protecting the environment, and the important thing is you're building contextual knowledge, right, and awareness. So you start to understand the context of events; you start to understand that when you're seeing a flow between an application and the outside world that normally happens only to certain partners, when you start to see it happening to an unknown IP address in China, that's something that's contextually out of bounds. So that's where you're going to start looking at your threat hunting.

So, you know, this is some of the graphics that you can find on threat hunting,
and this is threat hunting, the reality. You know, I work for data protection, I look at data protection: where is data used? It's used on the endpoint. So one of my remits when I was doing this was: how am I going to analyze all the data that I can gather on the endpoint? And I'll talk about that a little bit later, but you get just dumps and dumps of data, so how do you analyze it? Well, you know, you analyze it, but the fact of the matter is, marketing makes you feel like the top image when they talk about threat hunting; the reality is, threat hunting is a lot more like the bottom image. It's a
tedious, laborious piece of work. So what do you do, how do you do this? Well, you need logs, lots and lots of logs. So typically you might start with your firewalls, your IDS and IPS, your network devices, some of the endpoint solutions; there are open source tools for this as well, like Bro IDS, passive DNS, Autoruns; you can do PowerShell logging, WMI logging, you do WinRM; all of these things will gather logs for you. Traditionally what I've seen is that, in fact, a lot of the people who were talking about threat hunting, except if they're linked to an endpoint vendor, are more focused on the network activity, because that's what
you've traditionally collected in the environment: you store the network activity. "War is 99% information", right, it's pretty much a well-known phrase. Essentially what you're going to do is you're going to start to log things and look for suspicious things. So firewall logs: you might look for unusual IP addresses, or countries that you don't do business with. Proxy logs: so if you're using proxies, these are interesting things; look for unusual proxy traffic. Why would you see port 22 over a proxy? Bytes in equals bytes out: so this is interesting, because, well, think about traffic patterns. How many times do you see, between an endpoint, I'm talking about from an endpoint, so like from your computer out to the internet,
how many times do you see the exact same amount of data flowing in and out of an endpoint? Exactly, not very often. Somebody's shaking their head in the front. You don't: most traffic comes in, because you're browsing the web or you're downloading from the application, and most of the outbound traffic is very small, because you're sending small bits of data, you're sending, you know, like an OK or things like that. Look for unique user-agent strings, right. On the Windows logs you can look for a lot of logon attempts, user privilege lookups, groups. Antivirus logs: I mean, everybody complains about antivirus logs, but you know, if you see antivirus logs, if
there's triggers in your antivirus, that could be the sign of somebody trying to download some kind of backdoor or download some kind of RAT, and they're just trying to see what antivirus you have in place. Process maps: we're getting a little bit more into this, but you need to understand what systems run in your environment, what are the privilege escalations. There's also endpoint detection solutions, so you know, you think Carbon Black, Cylance, Mandiant; I'll get a little bit more into some of these later. But all of these new endpoint solutions are basically gathering data for you on the endpoint, right, they're giving you that data; if you know how to use it, it
can become very good knowledge.

You need to analyze this. So typically what we see is you're going to put it into your SIEM. SIEM: this is why some vendors talk about threat hunting, because you can basically triple, quadruple the amount of information you're dumping into the SIEM. Are there any SIEM vendors here? I know Javad left, so he's AlienVault; the AlienVault guys are not here. But I've seen, so we use Splunk, and some of the stuff that we do, we had to quadruple our Splunk indexing license when we actually started doing this properly with some of our customers, because we're a managed service provider as well. It's very easy, so as you can understand,
SIEM vendors are actually really interested in this, because, hey, lots more data, we can start charging more, right? Get more data, you have to pay more. However, I've been playing with this, and it'll probably be the subject of a future presentation: ELK is really good for this, right, so if you're good with open source and you know the Elasticsearch and Kibana stack, I've seen a lot of good work done with ELK. The new thing nowadays is, so I didn't write it, but I tried to make a picture for analytics, grab a picture for analytics, and basically what analytics is, is adding intelligence to that platform, so letting the platform do
some of the analysis of the data that's coming in. It's a new term for SIEMs, basically.

So then I started to go down a road, it's like, OK, you start to talk about attribution, you start to talk about, oh, who did this to me, why did they do it to me? It's not really the purpose of threat hunting. Attribution is more part of the incident response process: once you've done your forensics dumps, once you've understood exactly what's happened to your environment, you do your report, and then you might do some attribution. So I've seen people talk about, oh, we need to link this to... lately it's this
one. Does anybody know what this one is? So this is MITRE ATT&CK. So if you look at Twitter and stuff, there's a lot of talk about MITRE ATT&CK. Yeah, basically it's a kill chain, but from the point of view of the post-compromise, so what's happening on the compromised host. So you've got persistence, privilege escalation and all the rest, right, so the stages that typically would happen once you've compromised that host. So they have a categorization; they actually have a really good JSON database where you can pull out the data, match some of your events, to actually identify, let me rephrase that, to potentially identify the actor, right, because they've categorized different activities and
they've mapped them together, and they pull them together into a mapping of actors. Here's my problem with this, right: so people start to map these activities to what they're seeing in their threat hunting or their incident response process. The problem is, if you actually know attackers, they do not do things in a constant state. They are, I said it before, they adapt through your environment. So basically it comes like this: there is no straight line when an attacker compromises you, so you can't really put what's going on in your environment into this, and you can't really just detect based on a set of structured information.
The structured information, what you know, this stuff is really good for reporting, and for basically saying, you know, OK, I found this information, I've done my incident response, this is what I saw, and this is what happened, and these are the steps that happened, based on MITRE, based on whatever categorization system you're using. I don't like to, when I'm doing an initial investigation on this or an initial search in my events, I don't want to categorize. I'm going to get into this in a bit, but if you start to categorize, you're already thinking of the next steps, you're already thinking this is the type of attack that I'm seeing, when it might
not be, so you're limiting your field of vision. That's why you should avoid categorizing any attack until you've finished actually analyzing every event.

So then we started to talk about user analytics, so user and endpoint behavioral analytics; if you know what it is, it's basically a core analysis of what's going on on the endpoint. Situational awareness can drive your hunt as well, so you identify your critical assets, so focus, because you could have a lot of data, right; if you're in a big company, you could have hundreds of thousands of endpoints. So focus on the critical aspects, focus on your CEOs, focus on the top management, focus on the
servers that have the most important data. You know, we have GDPR coming in Europe, right? Everybody's ready for GDPR, right? Yeah. But what's the criticality in GDPR? Your personal data. So when you're doing your threat hunting, because you do need to report in those 72 hours, remember, you focus your attention on the events that are coming from where you're storing personal data, and hopefully, where you're storing personal data, you do risk assessments to actually map that information. You can also do intelligence-driven, right, so you can rely on IOCs, TTPs, threat feeds. What that does is it helps you identify things that are already known, so you can drive your attention to something that's
unknown, so you can move to the next step in that process, right? I'm talking about a process, but there actually really isn't a process; it's about finding things and then just following the thread, alright, so you pull that string and you just follow it down the road, finding things.

So machine learning: I left it to last in this slide because machine learning is something special. Vendors are starting to say, oh, we have machine learning in my solution, and it'll help you to drive your analysis, or to help you drive your detections and things like that. The problem is this: machine learning comes in various forms, OK? So this is
some information from Alex Pinto. So if you don't know Alex Pinto, he works for an organization called Niddel; he's actually Brazilian, he does a lot of work on machine learning and artificial intelligence, and this is his hunting automation maturity model. Basically what he's saying is that you have different types of quote-unquote machine learning. The top one is very simple: you're matching an IOC, doing a search on your base, so you're removing your events. The second one is more about statistical methods, so you're drawing statistics, so you're not doing a static analysis of the events and the data which it's seeing. The third one is supervised machine learning, incorporating everything that you've seen before and then starting to build
models where you can actually trigger events based on, or remove the noise that you're seeing based on, a lot better intelligence and a lot better information than you had before. But at the end of the day, the best artificial intelligence will do is match the human. Unfortunately, the top part, you know, you can describe as lame, because anybody can do feed matching and IOC matching. Then you're going from predictive incident response to proactive incident response, and what we really want to do is we want to be in that proactive framework. The human part, it's just magic, OK? I mean, when we get there with AI they won't need us anymore,
right? But at the end of the day, nothing is better than a pair of eyes attached to a human brain. The human brain can think in many, many different ways. Computers are based on math; math has formulas; formulas are static, you know, analytics, they draw a line. A human brain can twist things around and move them around and remap things much quicker than a computer can.

So this got me into a position where I'm like, OK, hold on a second, maybe I'm doing something wrong when I'm looking at these events. So before we carry on, I want you to look at this image, right, focus on the image. Those of you who have seen this presentation before,
please don't spoil it for the others, right? So I picked up some information, I think it was in a social engineering podcast where they interviewed Amy E. Herman. So she is like a professor in art, or a doctor in art, but she's taken her way of learning and way of thinking to help people, and specifically, you know, real-world sort of forensics teams, like police forensics teams, to look at a scene in a different manner. So she wrote this book, Visual Intelligence, and she also has a course called The Art of Perception, which teaches you how to see things differently. And when I was reading this, I was like, OK, so hold on
a second, maybe I could apply this to actually a threat hunting process where I'm looking at raw data and raw events; it's like looking at things in a different manner. So she describes four phases to this: so the assessment is you take your first look, you do your first initial information; then you analyze; then you articulate what you've seen, so you describe it and you explain it; then you adapt your way of thinking to reanalyze, to focus better on what's going on in front of you. Because the problem is this, this is a quote from Henry David Thoreau, a US poet: we find only what we're looking for. So if you think, oh, I'm looking for APT29, this is
where we go back to that MITRE ATT&CK stuff: if you think I'm looking for this attacker, you're only going to think about looking for that attacker, and you're only going to look for those types of events. So she talks about saper vedere, which is basically a term from Leonardo da Vinci, where he talks about knowing how to see. Sorry, I just need to clear my throat a bit. So, knowing how to see: so rethinking how you're looking at things, are you thinking of how you proceed? Then you have something called inattentional blindness; I'm going to get into that a little bit afterwards. Then you make assumptions, so in this phase of articulating you make
assumptions. So she uses imagery and everything, so you see it, you see like an event. Like, recently I was in a discussion because, if you use Microsoft Teams, which is like Slack, Teams gets launched by Update, OK? So if you're not monitoring Update, what's being launched by Update, you miss that Teams has been launched. So you start to think, well, OK, so if I'm assuming this, then that means Update's a safe program. Is it? I don't know. What if the attacker realizes that if you launch something from Update, it doesn't get picked up by your detection mechanisms? So the attacker is going to find out how to go in, use Update, launch his applications or his attacks or his
zero-days. So you can't make assumptions, right? So when you're looking at the event you need to think, ah, what's going on, I need to analyze this properly. Perspective: you need to refocus. We're back to a little bit of: if I'm looking for this information, I'm always going to look for that information; I won't see it. So I want you to watch this video and count how many times the players wearing white pass the ball, OK?
OK, so how many of you... well, how many of you counted the balls? How many balls are there? OK, well, I'll get to it. How many of you think I care how many balls there are? I don't. There are sixteen, if you really want to know. Passes. But did you see the gorilla? OK, very obvious, right? I should accelerate the video, actually, but that's the way it's played. So this is a Daniel Simons; he plays on this inattentional blindness, who teaches you how to look again, something about looking. Did you see the girl in black leave? Last one: did you see the curtain change color? And
this is inattentional blindness: I asked you to focus on something, you focused on that one thing, and you missed out on other things, right? So it's like the woman in red in The Matrix. So everybody's seen The Matrix here, right? Well, most of you have seen The Matrix. You know, he's focusing on the woman in red and bam, he could be dead, right? It's the same problem: so if you're focusing on finding one specific attacker, you might be missing something, or you might be missing a step, you might be missing an event that could be critical in how your environment was compromised. So this picture: who knows what this is, what is this a picture of? Sorry, I don't have any prizes, I might
have some stickers, some BSides London stickers maybe. I think you have seen the picture, you know... yeah. So the picture, it is a cow. If I draw the cow, now you see it, right? So if I go back, do you still see the cow? Yeah. This is about focusing your view and looking at things in a different way, right, and actually trying to find the details. So this is called Renshaw's cow; it's a very old picture of a cow, like, you know, in the early, early days of photography.

So as I said, I work on protecting the endpoint; data lives on the endpoint, and for me an endpoint is a server, a mobile, could
be a PC, laptop, whatever. So again I play on the words of Tweety, right: "I thought that's what I pretty cat, ice water for many pretty heads", so something's fishy but it's not my food. Well, actually, in our terms it's something suspicious, not necessarily malicious. So when you're going through this data, you might see something that looks weird that you've never seen before; it does not mean it's malicious, right? You need to pull more data out to understand exactly what's going on. You notice I still haven't actually given you a timeline or a step-by-step explanation, because there is none. Remember I said at the beginning, it's about looking at events and finding something and looking at
events: you open your events and you look for things, but you can actually focus it. So I focus on the endpoint. So one of the key aspects at the endpoint is processes, processes, processes, right? So you want to look at which processes are running, what are their normal conditions, who do they belong to, you know, are they signed, which vendor, which account are they running on. Privilege escalation: if you have a very standard environment, if you live in a standard corporate environment, you should know which processes are allowed to have privilege escalation. I think you know the CCleaner incident, right, that was mentioned earlier actually in this track as well; that CCleaner
incident can happen because CCleaner runs with privilege escalation, right, and if you compromise that privilege escalation process then you have a door into that environment. So a lot of third-party applications, because they don't want to respect whatever operating systems want, you know, the use of non-admin privilege and things like that, they try to escalate privileges. Also know which users are running as local admin; you should actually, I mean, in a good corporate environment you shouldn't have any local admins, alright, everything should be running on a domain or something like that, or you have very specific local admins. Network activity: which processes are doing outbound
connections, which processes are listening. So, you know, I challenge you: go and look at the processes that actually do network connections. The problem is it's getting worse and worse. So, you know, we run Office 365; if you pull down the latest version of Office, it connects to every freaking domain in Microsoft when it launches, right? It goes to Skype, it goes to Live, it goes to Microsoft, it goes to Windows Update; like, why? Make sure you understand which process is supposed to be making network connections. So you can't simply see this, but this is a dump of a process tree. I've got cscript here, right, launched from
winword, OK, that's not that suspicious, but then it does call out to the internet. In a corporate environment, why would cscript be calling the internet? There's absolutely no reason for it. So that's where you would start to look at things, and look at your local firewalls: have a look at what firewalls are being set, are they being taken down by some script? If you really want to go deep and avoid things like Stuxnet, you need to understand what's inside the kernel, and what DLLs and drivers are being loaded. You need to understand what the persistence keys are, what are the scheduled tasks, what are the services
that are running on your environment. It gets very complicated, right, especially scheduled tasks: you think, oh, I shouldn't have that many scheduled tasks; open a default Windows installation, there's about 60 or 70 scheduled tasks just for Windows. So why the endpoint? Well, it's a target of the attackers. As an attacker, if I compromise a sysadmin's endpoint, I can get full access to the environment, I can get full access to the network; if I compromise somebody who's managing personal data, I can get that personal data, right? So you collect the configuration, you pull as much data as you can. The negative effect is that you quickly go through data explosion, and you're just sitting there in
front of your monitor, in front of the data that you're hoarding, like: where the hell do I start? How am I going to do this, right?

So I started looking at, well, let's bring some intelligence into the match, right, so let's see what all of these different solutions actually bring. This is old, this is early 2016, so some of these have evolved. I will give the slides to the team so they can post them, if they post them, if they're out there. Anyway, this isn't the first time I've given this. But you definitely have different aspects, right, but these
are costly solutions. I mean, you know, not all companies are on there; if you have the budget, it's good to have a solution like this. If you don't have a budget, Microsoft actually has a solution for you: this one, Sysmon, will pull most if not all of the data. What you saw there you can pull from Sysmon; but again, if you just pull this one out, it generates a lot of noise, and you can get a lot of data out of it. I understand it's just focused on Windows; it's just, you know, it's easy to talk about Windows on this, because Linux, if you think about Linux, is pretty easy
to actually get a lot of events from: you just turn on heavy logging and things like that. Mac, on a Mac I can do a lot of logging on there as well. Sysmon: so there's a GitHub from SwiftOnSecurity, if you know the Twitter handle; there's a lot of good configurations to understand what you need to collect and the type of information which you can get for threat hunting.

So when I started, I used Excel. It doesn't come out very well here, let me see if I can maybe expand. So basically down here I captured some events where I see, like, I think it was writing a file out, you know, doing some
network manipulations, then starting an application; that application, you know, is started and it's living in local Microsoft win... You see the application name right here; this actually launched initially from WWE sh o my CX. So I'm following these footprints, right, I'm trying to understand. So here you see Excel doing a network connection out to the internet, to an IP address. What was interesting is I actually captured the URLs also, right, so you see members... where something, can't read it, forgive me a bit. Why was this interesting? Because on this attack they're actually using legitimate websites: [site names unclear] .fr, these are all sites actually on OVH, so they're legitimate
websites, they're run by people, so, you know, these are probably compromised websites. But if you think about your firewall logs and your proxy logs, they're missing this, because they don't know that Excel did that connection, right? They just saw an innocent connection go out to a website, and most of the time when you're looking at your firewall logs you're going to miss it as well, because you're just seeing an innocent connection going out to a website. When you marry it with this, you're going, oh, hold on a second, that's not right, Excel shouldn't be going to that website. So then we can uncover more evidence.

This is a different attack, still Excel; I love
it. You know how we complain about all of these business applications that use Excel, with all the complicated macros and all these analysis sheets; I'm one of those idiots that does it. So this is another one. Which one is this? This is a ransomware. So here you see a .js file being opened, okay, and it leads to some network connections. Then you start to see a wscript here, so it's doing some kind of script, and it's launching a process called a.0 something. You see that same script doing some registry manipulations, right. I mean, most of this will be caught by standard AV, but I'm just showing this; this is just for demonstration purposes. Then you see this script, right, and it's doing all this, this for loop... hold on a minute, a for loop over C:\, okay, so if you know Windows command line, this is essentially a command line just going through every file on the disk.

Am I out of time? Am I doing okay for time? Okay, so we're good.

So then you see, after it does that, it's feeding filenames into this command: a.0.exe a -... So who recognizes this command, outside the a.0, right? That's what I'm talking about, you know, learning how to look. How many of you use 7-Zip, and as a command line? Who's done 7-Zip with a command line? Okay, exercise when you go home: look up the 7-Zip command line. 7-Zip, archive: 7z.exe a -mx0 -mhe, which are the parameters of the archive, then you go -p and you put a password on it, right, so there's the key for your encrypted data. And then it basically does an archive name, notice the archive name, and then that's the original file, and then it goes ampersand-ampersand and deletes the original file.

So remember I told you earlier how the attackers are using your own tools against you, using tools that are, you know, normal system tools or normal user application tools, against us. This is one example: they've changed the name, yes, it's called a.0.exe, but it's 7-Zip, right? Antiviruses don't flag this because it's 7-Zip; it's green. If you throw this a.0.exe into VirusTotal, everything's green. You look at the properties, you know, the unchangeable properties of the binary: it's 7-Zip, made by, you know, the guy who does 7-Zip. So this is the kind of thing that, if you're not looking properly, you might miss, right?
So back to my problem with generating too much data at the endpoint, right. One of the things I started looking at back in 2016 is how we can move intelligence into that endpoint, so have some kind of machine learning that says, okay, these are normal operations that I see every day, so I don't need to report them. Still working on it; I just need to find the right people to actually develop it and do it properly. But if you have a rule engine in your endpoint solution, you can start to actually build simple rules that trigger on whitelisted stuff and remove the events before you collect them.

So, you know, there's a threat in your environment, so you want to start looking for it, right. So I gave you some examples of data that I did with pure Excel. So how do you get your hands dirty? Well, as I talked about earlier, you might need a SIEM, or use Excel like me if you're mad. But essentially what you're doing is you're looking for things, right? So look for very long URLs or URIs; look for weird user-agent strings, that's in your proxy logs; look for DGAs and the age of the domains. So this is a lot of work; it's a lot of things that you can't really automate. Look at the file execution, where it was started from: %APPDATA%, %TEMP%. You'd be surprised how many applications you have to whitelist that are running out of AppData; Chrome is one of them, for example. You know, if Chrome is installed at the user level it's done in AppData. Why? Because third-party applications found, 'oh wait, I can install binaries in AppData and the user can launch them in user mode.' Yeah, but so did the attackers, right. Network ports: try and dump, you know, run some netstat commands and collect the netstat output on the endpoints; see who's doing a listen, who's receiving connections. Use your good old-fashioned command lines: whoami, net user; collect all this data; do net view, netstat. So launchctl, sc, see these bottom ones, right, these bottom ones are essentially service launching, right? So launchctl is on Mac; sc, service you can use on Linux; sc on Windows; net start on Windows; tasklist; your PSA might say, to find out who ran recently, things like that. So then you've got your at, your scheduled tasks, things like that; you're looking for things that shouldn't be in them. So you're going to generate a lot of data, as I said.

So these are some examples. What's this one? So this is PowerShell; I'm getting tired, sorry. So this is PowerShell doing network operations again; you can go to, think
why is PowerShell communicating out to some IP address, right? So here I'm just logging network operations from PowerShell. Come on, what's going on? Okay, so this is application starts, so we're looking at, you know, PowerShell. These are actually rule triggers to highlight data, so we're looking at PowerShell being launched off WMI. What I don't have in here is the parent application; this is some of the, you know, just pure searches that you do, what we do in Splunk. So you're looking at the application; this should actually have the parent application so I could show you it was WMI. But you can also, this is like an analytics interface, so here we're looking for launches of csrss, right, csrss.exe, and normally it's launched from System32, but here we have one that's been launched from temp, right, so that's typically somebody trying to bypass security, trying to get privilege escalation. So then, you know, if I look at all the cmd launches in the environment, I could have that many launches of cmd, okay, and these are launching from the proper place, well, except for this bar code people actually bucker PKI from, as it does some weird things, though. You know, these are the third-party solutions I was talking to you about that do weird things and you have to live with. So sometimes you find things like this and you go, okay, what do I do with it? Well, kind of whitelist it until something happens. But what you want to do is focus on really weird things, so like, you know, cmd launching some weird processes. So this is the parent application, and cmd was launched from these parent applications, right. So for example, why is cmd being launched from net.exe, right? Why is cmd being launched from this TD server 64? This is stuff that you would go through and try to figure out what's going on, and what can help is if you have the actual complete command line associated to this, right, so you can actually see what command line is being used, to understand if it's bad or if it's good.

So then, what's this one? Sorry, I forgot. Oh, weird executable names. So this one, we're looking for two characters, right, so we're matching [a-z0-9]{2}.exe; I've got one with one character, for example; one-character executables are weird in an environment. So you're looking for where they're being launched from. So UCSC is normal, 7-Zip, hg, and that's where you start to look at: okay, this is an Atlassian SourceTree, so that's probably okay, and this is... yeah, you're just looking for things, right? So you're looking for these data aspects so you can bring them into tables and look at them in a different
way. So one of the things that I like to look at is basically email attachments that have been clicked on; these are some of the email attachments that people have clicked on, so you can start from there, right. So what happens when this PDF got opened, or this docx got opened? And you can see if they've clicked on a URL as well, right, so I would be looking at these weird URLs that are really, really, really long, and from there you can associate it to maybe a launch of an application. So this is an example of some of the stuff found: so this is a new user being added; these PSX... so all this is essentially a launch of a single-character binary; so these, the first one is the sticky keys vulnerability, that's just... this is a ransomware. So regex is your friend; if you don't know regex you need to learn, right, to do threat hunting, trust me, because you need to be able to parse data in a quick manner. So these are some of the ones that I kind of use. So at the top I'm just looking for stupid things like password-dumping programs, as some attackers have done, right; there's a story behind that too. These are some of the domain-name-generation ones for a ransomware, so you're looking for stuff like this, right. Here's some more. So this one was a cute one: one of the guys that was doing this, he wrote out every letter .exe because he didn't know regex, okay. So here, looking for registry key changes, so disable password change, for example, that's persistence; adding user accounts down there. We have some more; does anybody know what this one is, highlighted in green? Yes, but what am I doing? Yeah, exactly, you're making copies of the Active Directory so you can exfiltrate the information, so then you can dump it with maybe castles or just brute force it.

So PowerShell is the new cool. You would not believe how much PowerShell you find nowadays, and I'm not talking like admin PowerShell, I'm talking like some really weird crap. This stuff...
come on
This stuff is powerful; it's valid PowerShell, it runs, okay. It's essentially just variable assignments, and at the end you just run all the variables added together, right, and in PowerShell you can do this. So I highly recommend you look at Daniel Bohannon's work; I think he works at Mandiant, but whatever; he's done some really cool stuff around this type of PowerShell and written some really cool blogs about how you can obfuscate PowerShell within PowerShell. I mean, that's literally obfuscating PowerShell within PowerShell. You can dump a PowerShell script into the clipboard and pipe it into PowerShell. So these are some of the commands that we see, no, like, that you detect, right. This is PowerShell running an encoded command, so a base64-encoded command, right, so you basically have to take the base64 and decode it to figure out what the hell it's doing. It's a lot of work, right. So you can associate it to threat feeds; you can do VirusTotal to weed out all the stuff that VirusTotal knows about; you can, you know, if you've got some intelligence feeds, like if you work in the banking industry you might have some intelligence feeds.

So I'm almost finished. If you want to do this, essentially what you need to do is prepare your team, right. People have asked me, 'oh, can I hire some threat hunters?' It's like, yeah, you can hire threat hunters; I just don't believe in it, because you need to have an understanding of how the business operates, so you need to have somebody who's been in the existing incident response team for a while. You need to find thinkers as well, people that don't just process a procedure, people who think out of the box and do things and look at things in a different manner, who will be creative, who will draw a picture instead of typing words, for example. There are ways, actually, there are psychometric tests that you can test people with, but I don't get into that because nowadays... So, a little bit of a thing: start small, right. Get one person, give him a task like, okay, this Friday, instead of doing your normal incident response, do some threat hunting, see if you can find something. One of the things that some people I've talked to recommend is you actually give like a bounty, right; you do like an internal CTF: the first guy to find something that we've never seen before gets like an Amazon gift certificate. Incorporate what you're doing into your incident response and your existing knowledge, you know, your security policies, include procedures. Once you have the hang of it you can start to build harder, stronger runs and threat hunts.

So I hope that was interesting. I mean, this wasn't the first time I've given this presentation; a lot of people ask me questions afterwards, and it makes you think in a different way, right. If you've never heard of threat hunting, if you're doing incident response and you're tired of that same procedure all the time, this is a different way of looking at this. Thank you. Questions?
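The hunting rules the talk walks through on its slides (csrss launched from temp instead of System32, cmd with an odd parent, one- and two-character executable names, a renamed 7-Zip with a -p password switch, PowerShell launched off WMI with an encoded command) applied to process-create events, as an added example that is not code from the talk. The Sysmon-shaped event records, the allow-lists, the OriginalFileName values and the rule names are constructed for this illustration; the renamed-binary check goes beyond the talk's 7-Zip case by flagging any image whose PE OriginalFileName differs from its file name.

```python
"""Process-launch hunting rules over constructed Sysmon-style events.

Added example, not code from the talk. The event records, allow-lists,
OriginalFileName values and rule names below are constructed for illustration.
"""
import base64
import ntpath
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]

# Constructed: base64 of a UTF-16LE string, the form powershell -EncodedCommand takes.
ENCODED_CMD = base64.b64encode("Write-Output 'hunt me'".encode("utf-16le")).decode("ascii")

# Constructed events shaped like Sysmon event 1 (process create) fields.
EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\csrss.exe", "ParentImage": r"C:\Windows\System32\smss.exe",
     "CommandLine": "csrss.exe", "OriginalFileName": "CSRSS.Exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\csrss.exe", "ParentImage": r"C:\Users\bob\AppData\Local\Temp\x.exe",
     "CommandLine": "csrss.exe", "OriginalFileName": "stub.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "chrome.exe", "OriginalFileName": "chrome.exe"},
    {"Image": r"C:\Users\bob\AppData\Roaming\a.0.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"a.0.exe a -mx0 -mhe -pREDACTED C:\Users\bob\Documents\q.docx.7z C:\Users\bob\Documents\q.docx",
     "OriginalFileName": "7z.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED_CMD,
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\net.exe",
     "CommandLine": "cmd.exe /c whoami", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Program Files\Mercurial\hg.exe", "ParentImage": r"C:\Program Files\SourceTree\SourceTree.exe",
     "CommandLine": "hg.exe status", "OriginalFileName": "hg.exe"},
]

SYSTEM32 = r"c:\windows\system32"
SYSTEM_ONLY = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe"}  # never run elsewhere
USER_WRITABLE = ("\\appdata\\", "\\temp\\")          # talk: launches out of %APPDATA% and %TEMP%
APPDATA_ALLOW = (r"\appdata\local\google\chrome\application\chrome.exe",)  # known user-mode installs
CMD_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "conhost.exe"}  # expected cmd parents
SHORT_NAME = re.compile(r"^[a-z0-9]{1,2}\.exe$")     # one- or two-character executable names
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-p\S+")       # 7-Zip -p<password>


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events: List[Event]) -> List[Tuple[str, str]]:
    """Apply each rule to every event; return (rule, lower-cased image path) pairs."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        image = ev["Image"].lower()
        name = ntpath.basename(image)
        parent = ntpath.basename(ev["ParentImage"].lower())
        orig = ev.get("OriginalFileName", "").lower()
        cmd = ev["CommandLine"]
        if SHORT_NAME.match(name):
            findings.append(("short-exe-name", image))
        if name in SYSTEM_ONLY and ntpath.dirname(image) != SYSTEM32:
            findings.append(("system-binary-wrong-path", image))
        if any(p in image for p in USER_WRITABLE) and not image.endswith(APPDATA_ALLOW):
            findings.append(("exec-from-user-writable", image))
        # PE version info does not change when the file is renamed (talk: a.0.exe is 7-Zip).
        if orig and orig != name:
            findings.append(("renamed-binary:" + orig, image))
        if orig == "7z.exe" and PASSWORD_SWITCH.search(cmd):
            findings.append(("7zip-password-archive", image))
        if name == "powershell.exe":
            if parent == "wmiprvse.exe":
                findings.append(("powershell-from-wmi", image))
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                findings.append(("powershell-encoded:" + decoded, image))
        if name == "cmd.exe" and parent not in CMD_PARENTS:
            findings.append(("cmd-unusual-parent:" + parent, image))
    return findings


if __name__ == "__main__":
    for rule, image in hunt(EVENTS):
        print(f"{rule:45} {image}")
```

Each finding carries the reason (the decoded command, the mismatched OriginalFileName, the unexpected parent), so the analyst does not have to decode the base64 by hand, which is the "lot of work" the talk mentions. On a real feed the same fields come straight from Sysmon event 1, and the allow-lists are where the third-party oddities the talk describes get whitelisted once they have been explained.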
Come on guys, they're tired, they want to go home. [Music] We still have prizes. Yeah. Yes, if you have that kind of threat, for example, you would have on your browser that could, for example, be grabbing, hooking; in this case you would just see, I mean, you would just have something else, but it will still be Chrome, right? So this is where we come to: you have to go back in time, so you have to have that, you know, historical data that you could potentially have. What you would be looking for in this situation is what CRXs were downloaded or installed, that you can detect, because Chrome actually, when it installs a CRX, it actually downloads it into temp and then puts it into memory to run it and puts it into your AppData folder, right; there's a footprint of that CRX somewhere. So what you need to understand is, look at, you know, if you're in an organization that's got policies and things like that, you probably limit the number of CRXs you can store; if you're not, you kind of need to track what CRXs are being installed and why they are being installed, right. That's where maybe threat intelligence comes in as well, right.

So if you're seeing that Chrome is sending... you remember I once tried, I had proxy bytes in, bytes out, so you're going to see a lot of traffic going to those sites, to whatever the IP addresses are, but they are not necessarily the normal sites that you would see coming out of that endpoint, right, because when the user's running Chrome they will probably be going to Google, you know, like hanging on Google, his bank is seeing, so what you're going to see is additional traffic at the same time going to IP addresses that you've never seen before. It's kind of when you come into having to trend what's the normal network activity coming out of the endpoints and highlighting the difference between the normal and this new data traffic that you're seeing. That's probably where machine learning is actually going to help, because you'll be able to baseline the normal sites the user would go to and then have that machine learning aspect highlight what it's never seen before.
Yeah, so one of the things, because I tend to focus on the endpoint here: you should be collecting all the, you know, when you're doing this, one of the reasons I said you need a SIEM and ELK is because you're actually merging the network data onto your endpoint data, right. So for the example I gave with Excel, the next step would have been to actually dump the network data as well, from the network perspective, see where it's going and see what maybe I captured in the proxies, or if I did any, you know, pcaps or anything like that, because one of the tools picked up the pcaps. So you need to merge everything; I gave a snapshot of what we're looking at.

There's another question at the back. So he's asking, what about privacy and anonymity of the data, GDPR? I do a GDPR talk as well. There's one technical word in GDPR: it's not encryption, it's pseudonymization. Pseudonymization is basically taking away those characteristics. So here's the issue: most of the endpoint solutions would just gather the data, send it to your server, anything like that. So if you really want to keep that privacy, you'd have to put in process servers taking the feed, the data that's coming off the endpoints or coming off the network, and then just remove any potentially, let's say, identifiable information. However, if I go to the context of GDPR, because that's easier, that kind of data is allowed under the GDPR as long as you've told people, etc., because there is a provision in the GDPR that says that you are allowed to collect personal data in the case of protecting that personal data, yeah, so using security tools to help you protect your environment. So you have that kind of exception clause, so this would fall under that exception clause as long as you handle it right, report it, and you notify people what you're doing. So it's not really the answer you probably wanted to hear, but that's how you get around it. Yeah, it depends on the policy, essentially. More questions? Nope. Well, thank you very much again, thank you. [Applause]
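The per-endpoint baselining the speaker describes in the Chrome-extension answer (bytes out to sites an endpoint has never talked to before) together with the proxy-log checks listed earlier in the talk (very long URLs, weird user-agent strings), as an added example that is not code from the talk. The proxy-log line format, the two endpoints and their destinations, the known user-agent prefixes and the length and upload thresholds are all assumptions constructed for this illustration; domain age, the other check the talk lists, needs a registration lookup and is not done offline here.

```python
"""Per-endpoint destination baselining over constructed proxy log lines.

Added example, not code from the talk. The log format, hosts, user-agent
prefixes and thresholds are assumptions made for this illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed record format: time client_ip url bytes_out bytes_in "user-agent"
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) (\d+) "([^"]*)"$')
Record = Dict[str, object]

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/62.0"
KNOWN_UA_PREFIXES = ("Mozilla/5.0", "Windows-Update-Agent", "Microsoft-CryptoAPI")  # assumed list

# Constructed baseline window: what these two endpoints normally talk to.
BASELINE_LOG = "\n".join([
    f'2017-11-06T09:01:00 10.0.0.5 https://www.google.com/search?q=lunch 412 18211 "{BROWSER_UA}"',
    f'2017-11-06T09:02:10 10.0.0.5 https://mail.example.com/inbox 880 40120 "{BROWSER_UA}"',
    f'2017-11-06T09:03:30 10.0.0.7 https://bank.example.com/login 640 22000 "{BROWSER_UA}"',
    '2017-11-06T09:04:00 10.0.0.7 http://update.example.com/catalog.cab 300 910000 "Windows-Update-Agent"',
])
# Constructed hunt window: the same endpoints a day later, with a few things that should stand out.
HUNT_LOG = "\n".join([
    f'2017-11-07T10:00:00 10.0.0.5 https://www.google.com/search?q=weather 400 17900 "{BROWSER_UA}"',
    f'2017-11-07T10:00:05 10.0.0.5 https://203.0.113.44/up 250000 310 "{BROWSER_UA}"',
    f'2017-11-07T10:00:09 10.0.0.5 https://cdn.example.org/r?{"x" * 240} 350 1200 "{BROWSER_UA}"',
    f'2017-11-07T10:01:00 10.0.0.7 https://bank.example.com/accounts 700 25000 "{BROWSER_UA}"',
    '2017-11-07T10:02:00 10.0.0.7 http://update.example.com/check 120 300 "-"',
])


def parse(text: str) -> List[Record]:
    """Parse log lines into records; lines that do not match the format are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, url, out, inn, ua = m.groups()
        records.append({"ts": ts, "client": client, "url": url,
                        "host": urlsplit(url).hostname or "",
                        "bytes_out": int(out), "bytes_in": int(inn), "ua": ua})
    return records


def build_baseline(records: List[Record]) -> Dict[str, Set[str]]:
    """Set of destination hosts seen per client during the baseline window."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        seen[str(r["client"])].add(str(r["host"]))
    return seen


def hunt(records: List[Record], baseline: Dict[str, Set[str]],
         long_url: int = 200, upload_bytes: int = 100_000) -> List[Tuple[str, str, str]]:
    """Return (client, host, reason) triples for records that differ from the baseline."""
    findings: List[Tuple[str, str, str]] = []
    for r in records:
        client, host, url, ua = str(r["client"]), str(r["host"]), str(r["url"]), str(r["ua"])
        new_host = host not in baseline.get(client, set())
        if new_host:
            findings.append((client, host, "new-destination"))
        if new_host and int(r["bytes_out"]) >= upload_bytes:   # talk: bytes out to a never-seen site
            findings.append((client, host, "large-upload-to-new-destination"))
        if len(url) > long_url:                                # talk: very long URLs
            findings.append((client, host, "long-url"))
        if not ua.startswith(KNOWN_UA_PREFIXES):               # talk: weird user-agent strings
            findings.append((client, host, "odd-user-agent"))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for client, host, reason in hunt(parse(HUNT_LOG), base):
        print(f"{client:10} {host:22} {reason}")
```

The baseline is keyed per client rather than per organisation because the talk's point is that a destination can be normal for the proxy as a whole and still be new for one endpoint; the baseline window has to be long enough to cover a user's weekly routine, otherwise every Monday looks new. Joining these findings back to the endpoint's process-launch events (which process opened the connection) is the merge of network and endpoint data the speaker recommends a SIEM for.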