The workshop is intended to demonstrate how to develop and run a threat-hunting program in an organization. It starts with understand the concepts of threat-hunting and how it fits into an organization’s BlueTeam. The workshop will cover hands-on sessions on running a structure and unstructured hunt using different log sources commonly available in an IT environment.

1. SACON
SACON International 2020
India | Bangalore | February 21 - 22 | Taj Yeshwantpur
PRACTICAL THREAT HUNTING:
DEVELOPING AND RUNNING A
SUCCESSFUL THREAT HUNTING
PROGRAM
#SACON #THREATHUNTING WASIM HALANI
Network Intelligence (NII)
HEAD R&D
@washalsec
ARPAN RAVAL
Optiv Inc
Senior Threat Analyst
@arpanrvl

2. WHOAMI
❖Wasim Halani
❖Head R&D @Network Intelligence (NII)
❖Offensive Security ~8Years, Elastic, DFIR
❖Speaker at SACON, OWASP, BSides,
Malcon, SecurityBytes
❖Twitter @washalsec

3. WHOAMI
❖Arpan Raval
❖Senior Threat Analyst @Optiv Inc
❖DFIR and Threat Hunting
❖Twitter @arpanrvl

4. DEFINE THREAT HUNTING
WHAT & WHY?

5. What is Threat Hunting?
6
“Threat Hunting is human driven proactive approach to
discover malicious activities that have evaded existing
security control.”
❖ Hypothesis based scientific approach.
❖ Using aggregations and statistics to find out outliers.
❖ Intelligence guided detections.
❖ Attack behavior-based Tactics, Techniques and
Procedures (TTPs)

6. What is Threat Hunting?
7
Detecting the Undetected

7. PROBLEM OF “DWELL TIME”
8
❖In 2011 Verizon Data Breach Report,
average dwell time mentioned was
416 days!
❖In 2018 Fire Eye M Trends report
average dwell time mentioned is
101 days!

8. IoC vs TTP
9
IoC
TTP

9. PYRAMID OF PAIN
C o u r t e s y D a v i d J B i a n c o
HASH VALUES
IP ADDRESS
DOMAIN NAMES
NW/HOST
ARTIFACTS
TOOLS
TTP
Trivial
Easy
Simple
Annoying
Challenging
Tough!

10. PURPOSE OF THREAT HUNTING
11
❖Reduce the Dwell Time
❖Identify Gaps in Visibility
❖Identify Gaps in Detection
❖Design New Detection Mechanism and
Analytics techniques
❖Uncover New Threat and TTPs (Producing
Threat Intelligence).

11. What is NOT Threat Hunting?
12
▪Alert triage
▪Only searching for IoCs in the environment (IoC
Sweeps)
▪Running a Query into tool.
▪Process with guaranteed result.
▪A form of penetration testing or red teaming.

12. What is NOT Threat Hunting?
13
“If a tool can do it autonomously
then it is not Threat Hunting”

13. Characteristics of Threat Hunting
14
▪Human Driven
▪Human Centric
▪Proactive
▪Assume Breach
▪Detect Unknown
▪Iterative
▪Data dependent
▪Hypothesis Driven

14. Threat Hunting in Security Operations
16
SOC
Threat
Hunting
Incident
Response
Search Queries,
CTI Guided
Detections,
Retrohunts
Incident
Detection
Event Analysis
Creation

15. MITRE ATT&CK FRAMEWORK

16. MITRE ATT&CK
MATRICES Techniques
PRE-ATT&CK 174
Enterprise
Windows
macOS
Linux
Cloud
AWS
GCP
Azure
Office 365
Azure AD
SaaS
266
Mobile
Android
iOS
79
ICS 81
Enterprise Techniques
Enterprise Techniques 266
Enterprise Tactics 12
APT Groups 94
Software 414

17. MITRE Explained: Tactic
19
▪Answers Why? for adversary’s actions.
▪Adversary’s objective behind an action
▪Represented by Columns in MITRE ATT&CK Matrix
Enterprise Mobile ICS
Initial Access Initial Access Collection
Execution Persistence Command and Control
Persistence Privilege Escalation Discovery
Privilege Escalation Defense Evasion Evasion
Defense Evasion Credential Access Execution
Credential Access Discovery Impact
Discovery Lateral Movement Impair Process Control
Lateral Movement Impact Inhibit Response Function
Collection Collection Initial Access
Command and Control Exfiltration Lateral Movement
Exfiltration Command and Control Persistence
Impact Network Effects
Remote Service Effects
Matrix Tactic
Enterprise 12
Mobile 13
ICS 11
Example
An adversary want to achieve
credential access.

18. MITRE Explained: Tactic
20
ATT&CK TACTIC EXPLAINATION OBJECTIVE
Initial Access Get into your environment Gain access
Credential Access Steal logins and passwords Gain access
Privilege Escalation Gain higher level permissions Gain (more) access
Persistence Maintain foothold Keep access
Defense Evasion Avoid detection Keep access
Discovery Figure out your environment Explore
Lateral Movement Move through your environment Explore
Execution Run malicious code Follow through
Collection Gather data Follow through
Exfiltration Steal data Follow through
Command and Control Contact controlled systems Contact controlled systems
Impact Break things Follow through

19. MITRE Explained: Technique
21
▪Answers how? for adversary’s objective achievement.
▪Adversary used a technique to achieve an objective
▪Represented by individual cell in MITRE ATT&CK
Matrix
Matrix Tactic
PRE-ATT&CK 174
Enterprise 266
Mobile 79
ICS 81
Example
Example: an adversary
may dump credentials to
achieve credential access.

20. MITRE Explained: Technique-Metainfo
22
❖Tactic:
Related MITRE Tactic
❖Platform:
Required platform for a technique to work in.
❖Permissions Required:
Lowest permission for an adversary to implement the technique
❖Effective Permissions:
Permission an adversary achieves after successful implementation
of the technique
❖Data Sources:
Recommended data to be collection for detection of the technique

21. MITRE Explained: Enumeration
23
Tactic Example Technique
Obtaining Persistence via Windows Service Creation
Privilege Escalation via Legitimate Credentials Reuse
Defense Evasion via Office-Based Malware
Credential Access via Memory Credential Dumping
Discovery via Built-In Windows Tools
Lateral Movement via Share Service Accounts
Execution via PowerShell Execution
Collection via Network Share Identification
Exfiltration via Plaintext Exfiltration
Impact via

22. MITRE Explained: Procedure
24
▪Answers what? for adversary’s technique usage.
▪Actual implementation of each technique.
▪Individual technique has a page for description,
examples, sources, references.
Example
A procedure could be an adversary using PowerShell to
inject into lsass.exe to dump credentials by scraping
LSASS memory on a victim.

23. MITRE Explained: Atomic MITRE?
25
❖ Threat Intelligence
❖ Whitepapers
❖ Data Sources

24. MITRE ATTACK MAPPING
HANDS ON 1

25. 31
1. Attackers are compromising user credentials
using mimikatz in your environment.
2. User got compromised after clicking on a link
from a phishing email.
3. Attackers installed autorun in startup.

26. THREAT HUNTING METHODOLOGY
TYPES, PROCESS AND ENABLERS

27. Threat Hunting Approaches
33
▪Long Term
▪Ad-hoc
▪Short Term

28. Threat Hunting Cycle
34
▪Hypothesis Creation
▪Hunt Execution
▪Pattern Identification
▪Incident Detection
▪Detector Creation

29. Threat Hunting Types
36
▪Structured Hunting
▪Unstructured Hunting
▪Intel Guided Hunting
-------------------------------------
▪Host Based
▪Network Based
▪Business Use Case Based

30. Hunting Type: Intel Guided Hunting
37
▪Hypothesis Based
▪Scoped
▪TTP driven or Entity Driven

31. Hunting Type: Structured Hunting
38
▪Hypothesis Based
▪Scoped
▪TTP driven or Entity Driven

32. DATA TRANSFORMATION METHODS

33. HANDS ON LAB 2
STRUCTURED HYPOTHESIS - BITS

34. BITS Jobs
Defense Evasion, Persistence
41
MITRE ID T1197
MITRE Tactic Defense Evasion, Persistence
MITRE
Technique
BITS Jobs
Platform Windows
Required
Privilege
User, Administrator, SYSTEM
Data Sources API monitoring, Packet capture,Windows event logs

35. BITS Jobs
Defense Evasion, Persistence
42
Description
Windows Background Intelligent Transfer Service (BITS) is
a low-bandwidth, asynchronous file transfer mechanism
exposed through Component Object Model (COM). BITS is
commonly used by updaters, messengers, and other
applications preferred to operate in the background
(using available idle bandwidth) without interrupting other
networked applications.
Implementation
Bitsadmin.exe
Powershell.exe Start-BitsTransfer

36. BITS Jobs
Defense Evasion, Persistence
43
Source Event ID
Event
Field
Details
Windows Security
Event Logs
4688 New
Process
Name
*bitsadmin.exe
Windows Security
Event Logs
4688 Process
Command
Line
*create*
Proxy-Logs userAgent
Microsoft BITS/*

37. Hunting Type: Unstructured Hunting
44
▪Data Driven
▪Anomaly/Outlier based

38. HANDS ON LAB 3
PROCESS ANOMALY

39. HYPOTHESIS GENERATION PROCESS
46

40. Accessibility Feature Abuse
47
Title
Adversaries are trying to achieve persistence through accessibility
features by abusing debugger registry key.
MITRE ID T1015
MITRE Tactic
Persistence
Privilege Escalation
MITRE
Technique
Accessibility Features
Cyber Kill
Chain
Persistence
Platform Windows
Required
Privilege
Administrator
Data Sources Windows Registry, File monitoring, Process monitoring

41. HYPOTHESIS GENERATION PROCESS
48
Source Event
ID
Event Field Details
Sysmon 12, 13 TargetObject 'HKLMSOFTWAREMicrosoftWindows
NTCurrentVersionImage File Execution
Options' AND 'Debugger'
Windows Security
Event Logs
4657 Object Name sethc.exe, utilman.exe, osk.exe,
Magnify.exe, Narrator.exe,
DisplaySwitch.exe,AtBroker.exe
Windows Security
Event Logs
4657 ObjectValue
Name
Debugger

42. Accessibility Features
Persistence, Privilege Escalation
49
Description
Windows contains accessibility features that may be
launched with a key combination before a user has logged
in (for example, when the user is on the Windows logon
screen). An adversary can modify the way these programs
are launched to get a command prompt or backdoor
without logging in to the system.
Implementation
Binary Replacement
OR
Registry Value Change
Limitations
Depending on Windows versions
The replaced binary needs to be digitally signed for
x64 systems,
The binary must reside in %systemdir%
It must be protected by Windows File or Resource
Protection (WFP/WRP)

43. Accessibility Features
Persistence, Privilege Escalation
50
Source
Event
ID
Event Field Details
Sysmon
12, 13 TargetObject *SOFTWAREMicrosoftWindows
NTCurrentVersionImage File
Execution Options<AFU>Debugger
AFU=sethc.exe, utilman.exe, osk.exe,
Magnify.exe, Narrator.exe,
DisplaySwitch.exe, AtBroker.exe
Windows Security
Event Logs
4657 Object Name sethc.exe, utilman.exe, osk.exe,
Magnify.exe, Narrator.exe,
DisplaySwitch.exe, AtBroker.exe
Windows Security
Event Logs
4657 Object Value
Name
Debugger

44. Windows Management Instrumentation
Event Subscription
Persistence
51
MITRE ID T1084
MITRE Tactic Persistence
MITRE
Technique
Registry Run Keys / Startup Folder
Platform Windows
Required
Privilege
Administrator, SYSTEM
Data Sources WMI Objects

45. Windows Management Instrumentation
Event Subscription
Persistence
52
Description
WMI can be used to install event filters, providers,
consumers, and bindings that execute code when a
defined event occurs. Adversaries may use the capabilities
of WMI to subscribe to an event and execute arbitrary
code when that event occurs, providing persistence on a
system.
Implementation
❖ An Event Consumer: An action to perform upon
triggering an event of interest
❖ An Event Filter: The event of interest
❖ A Filter to Consumer Binding: The
registration mechanism that binds a filter to
a consumer

46. THANK
YOU