3. Threat hunting is an approach to answering that question:
Am I compromised today?
4. What is hunting?
Hunting is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.
“You Can’t Hunt That With a Bow and Arrow!”
5. What threat hunting is and is not.
Threat hunting != throwing arrows!
24. Hunt other TTPs
“net” reconnaissance of the Domain Admins group
Command
C:\> net group "Domain Admins" /domain
Credential harvesting with WMI and WCE (the attacker maps the admin share with stolen credentials, copies the WCE binary over, and launches it remotely through WMI)
net use \\172.31.3.16 PASSWORD /user:SANDBOX\Administrator
copy w.exe \\172.31.3.16\c$\PerfLogs
wmic /NODE:172.31.3.16 /USER:"SANDBOX\Administrator" /PASSWORD:"PASSWORD" process call create "cmd /c C:\Perflogs\w.exe -w > C:\Perflogs\o.txt"
Ref: http://www.crypsisgroup.com/images/site/CG_WhitePaper_Splunkmon_1216.pdf
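The commands on this slide are what the attacker types; the hunt is to find them in process-creation telemetry (Security event 4688 with command-line auditing enabled, or Sysmon event 1). The following is an added example, not code from the slides or the referenced whitepaper: it matches the four command shapes above with regular expressions and then only reports a host/user pair when two or more distinct shapes occur inside one time window, because a single `net use` from a help-desk account is normal and the recon-then-share-then-WMI chain is not. The event records and the field names (host, user, time, cmdline) are constructed assumptions about your log schema.

```python
"""Hunt for the recon / lateral-movement command lines shown on the slide.

Added example; records below are constructed, field names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, regex over the full command line). Case-insensitive because
# cmd.exe is, and attackers mix case freely.
RULES = [
    # Enumeration of high-value domain groups (net group "Domain Admins" /domain)
    ("admin_group_recon",
     re.compile(r'\bnet(?:1)?(?:\.exe)?\s+group\s+"?(domain admins|enterprise admins|schema admins)"?\s+/domain', re.I)),
    # Mapping a remote host / admin share with explicit credentials
    ("admin_share_mapping",
     re.compile(r'\bnet(?:1)?(?:\.exe)?\s+use\s+\\\\[\w.\-]+(?:\\\w+\$)?\b.*\s/user:', re.I)),
    # Copying a file into an admin share (copy w.exe \\host\c$\...)
    ("admin_share_copy",
     re.compile(r'\b(copy|xcopy|robocopy)\b.*\\\\[\w.\-]+\\\w\$\\', re.I)),
    # Remote process creation through WMI with inline credentials
    ("wmi_remote_exec",
     re.compile(r'\bwmic(?:\.exe)?\b.*\s/node:.*\bprocess\s+call\s+create\b', re.I)),
]


def match_rules(cmdline):
    """Names of every rule whose regex hits this command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def hunt(records, window=timedelta(minutes=30), min_distinct_rules=2):
    """Group rule hits by (host, user) and report pairs where at least
    `min_distinct_rules` different techniques appear within `window`."""
    hits = defaultdict(list)
    for rec in records:
        for rule in match_rules(rec["cmdline"]):
            hits[(rec["host"], rec["user"])].append((rec["time"], rule, rec["cmdline"]))

    findings = []
    for (host, user), events in hits.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            chain = sorted({rule for _, rule, _ in in_window})
            if len(chain) >= min_distinct_rules:
                findings.append({"host": host, "user": user, "first_seen": t0,
                                 "rules": chain,
                                 "commands": [c for _, _, c in in_window]})
                break  # one finding per host/user is enough to start triage
    return findings


# Constructed sample: the slide's attack chain on WS-042, plus a benign
# help-desk share mapping on WS-007 that must NOT be reported.
T0 = datetime(2017, 1, 10, 9, 0)
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": "SANDBOX\\jdoe", "time": T0,
     "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "WS-042", "user": "SANDBOX\\jdoe", "time": T0 + timedelta(minutes=4),
     "cmdline": r'net use \\172.31.3.16 PASSWORD /user:SANDBOX\Administrator'},
    {"host": "WS-042", "user": "SANDBOX\\jdoe", "time": T0 + timedelta(minutes=5),
     "cmdline": r'copy w.exe \\172.31.3.16\c$\PerfLogs'},
    {"host": "WS-042", "user": "SANDBOX\\jdoe", "time": T0 + timedelta(minutes=6),
     "cmdline": r'wmic /NODE:172.31.3.16 /USER:"SANDBOX\Administrator" /PASSWORD:"PASSWORD" '
                r'process call create "cmd /c C:\Perflogs\w.exe -w > C:\Perflogs\o.txt"'},
    {"host": "WS-007", "user": "SANDBOX\\helpdesk", "time": T0,
     "cmdline": r'net use \\fileserver\share /user:SANDBOX\helpdesk'},
    {"host": "WS-007", "user": "SANDBOX\\helpdesk", "time": T0 + timedelta(minutes=1),
     "cmdline": r'C:\Windows\System32\notepad.exe'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["host"], f["user"], f["first_seen"], f["rules"])
```

The chain requirement is the important design choice: each individual regex will fire on legitimate administration, so the hunt is on the sequence, not the command. Tune the window to how fast your own admins move between hosts, and add the WCE binary's own arguments (`-w`) as a further rule if you keep a list of known dumping tools.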
28. Hunting Command and Control (C2)
C2 via Dynamic DNS
Finding the Unknown with HTTP URIs
Beacon Detection via Intra-Request Time Deltas
Finding C2 in Network Sessions
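Of the four hunts listed on this slide, beacon detection via intra-request time deltas is the one that benefits most from a worked computation. The following is an added example, not code from the slides: for every (source, destination host) pair in a proxy log it computes the gaps between consecutive requests and the ratio of the median absolute deviation to the median. A human browsing produces bursty, widely spread gaps; an implant sleeping a fixed interval produces gaps that cluster tightly, and the robust statistic keeps a little jitter from hiding that. The log lines and their format (timestamp source method url) are constructed for this example.

```python
"""Beacon detection via intra-request time deltas over proxy logs.

Added example; log lines are constructed and the format is an assumption.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def parse(line):
    """'2017-01-10T09:00:00 10.0.0.5 GET http://host/path' -> (time, src, host)."""
    ts, src, _method, url = line.split()
    host = url.split("/")[2]  # http://HOST/... -> HOST
    return datetime.fromisoformat(ts), src, host


def beacon_candidates(lines, min_requests=8, max_dispersion=0.15):
    """Return (src, dst) pairs whose inter-request deltas are suspiciously regular.

    dispersion = MAD(deltas) / median(deltas); 0 means a perfectly fixed sleep.
    """
    by_pair = defaultdict(list)
    for ts, src, host in map(parse, lines):
        by_pair[(src, host)].append(ts)

    results = []
    for (src, host), times in by_pair.items():
        if len(times) < min_requests:  # too few samples to call it a schedule
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = statistics.median(deltas)
        if med <= 0:
            continue
        mad = statistics.median(abs(d - med) for d in deltas)
        dispersion = mad / med
        if dispersion <= max_dispersion:
            results.append({"src": src, "dst": host, "requests": len(times),
                            "median_delta_s": med, "dispersion": round(dispersion, 3)})
    return sorted(results, key=lambda r: r["dispersion"])


def _make_lines(src, host, start, deltas_s, path):
    """Build constructed proxy lines from a start time and a list of gaps."""
    lines, t = [], start
    for d in [0] + deltas_s:
        t += timedelta(seconds=d)
        lines.append(f"{t.isoformat()} {src} GET http://{host}{path}")
    return lines


START = datetime(2017, 1, 10, 9, 0, 0)
LOG_LINES = (
    # implant: 60 s sleep with +/- 3 s jitter, 12 requests
    _make_lines("10.0.0.5", "cdn-sync.example.net", START,
                [60, 62, 58, 61, 59, 60, 63, 57, 60, 61, 60], "/api/v1/ping")
    # human: same client reading a news site, bursty gaps
    + _make_lines("10.0.0.5", "news.example.org", START,
                  [5, 300, 12, 900, 3, 45, 1800, 7, 120, 60, 15], "/index.html")
    # another client with only 4 hits to the same C2 host: below min_requests
    + _make_lines("10.0.0.9", "cdn-sync.example.net", START, [60, 60, 60], "/api/v1/ping")
)

if __name__ == "__main__":
    for r in beacon_candidates(LOG_LINES):
        print(r)
```

Two caveats from practice: implants configured with large jitter (half the sleep or more) push the dispersion above a fixed threshold, so run the hunt at several thresholds and also score pairs on request count and on how few distinct URIs they touch; and legitimate software updaters and telemetry agents beacon too, so the output is a list to triage against known-good destinations, not an alert.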
32. Producer-Consumer Ratio for Detecting Data Exfiltration
Ref: https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/analyze_producer_consumer_ratio.md
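The producer-consumer ratio is PCR = (bytes_out - bytes_in) / (bytes_out + bytes_in), which runs from -1 for a pure consumer (a workstation downloading) to +1 for a pure producer (a server, or a host pushing data out). The following is an added example, not code from the slides or from the ThreatHunting project linked above: it aggregates flow records per host, computes PCR for a baseline period and for the period under review, and reports hosts whose ratio shifted sharply toward producing, which separates a workstation that suddenly starts uploading from a web server that is a producer every day. Flow records are constructed (byte counts in megabytes) and the field names are assumptions.

```python
"""Producer-Consumer Ratio hunt with a per-host baseline.

Added example; flow records are constructed, field names are assumptions.
"""
from collections import defaultdict


def pcr(bytes_out, bytes_in):
    """(out - in) / (out + in); 0.0 when the host moved no bytes at all."""
    total = bytes_out + bytes_in
    return 0.0 if total == 0 else (bytes_out - bytes_in) / total


def aggregate(flows):
    """Sum outbound and inbound bytes per host -> {host: (out, in)}."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        totals[f["host"]][0] += f["out"]
        totals[f["host"]][1] += f["in"]
    return {h: (o, i) for h, (o, i) in totals.items()}


def find_pcr_shifts(baseline_flows, current_flows, min_shift=0.5, min_total=50):
    """Hosts whose PCR rose by at least `min_shift` versus their own baseline.

    `min_total` (same unit as the flows) drops hosts that barely talked, where
    a handful of bytes would make the ratio swing for no reason.
    """
    base = aggregate(baseline_flows)
    cur = aggregate(current_flows)
    findings = []
    for host, (out, inb) in cur.items():
        if out + inb < min_total or host not in base:
            continue  # no baseline: handle newly seen hosts as a separate hunt
        now = pcr(out, inb)
        then = pcr(*base[host])
        if now - then >= min_shift:
            findings.append({"host": host, "baseline_pcr": then, "current_pcr": now,
                             "shift": now - then, "out": out, "in": inb})
    return sorted(findings, key=lambda f: -f["shift"])


# Constructed sample in MB. ws-01 flips from downloading to uploading; ws-02
# stays a consumer; web-01 is a producer in both periods and must not be flagged.
BASELINE_FLOWS = [
    {"host": "ws-01", "out": 2, "in": 38},
    {"host": "ws-02", "out": 3, "in": 47},
    {"host": "web-01", "out": 800, "in": 40},
]
CURRENT_FLOWS = [
    {"host": "ws-01", "out": 60, "in": 3},
    {"host": "ws-01", "out": 35, "in": 2},   # several flows per host are summed
    {"host": "ws-02", "out": 4, "in": 56},
    {"host": "web-01", "out": 900, "in": 50},
]

if __name__ == "__main__":
    for f in find_pcr_shifts(BASELINE_FLOWS, CURRENT_FLOWS):
        print(f"{f['host']}: PCR {f['baseline_pcr']:+.2f} -> {f['current_pcr']:+.2f} "
              f"({f['out']} MB out / {f['in']} MB in)")
```

Compute the baseline over a long enough period (weeks) that backups, patch downloads and month-end reporting are already inside it, and break the ratio down by destination as a second step: a workstation that became a producer toward an internal file server is a different story from one producing toward a single external IP.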
35. Query
Core Windows processes running from a directory other than the one they belong in (process-creation events, NewProcessName field):
(NewProcessName: "svchost.exe" AND NOT NewProcessName: "C:\Windows\System32\svchost.exe") OR
(NewProcessName: "smss.exe" AND NOT NewProcessName: "C:\Windows\System32\smss.exe") OR
(NewProcessName: "wininit.exe" AND NOT NewProcessName: "C:\Windows\System32\wininit.exe") OR
(NewProcessName: "taskhost.exe" AND NOT NewProcessName: "C:\Windows\System32\taskhost.exe") OR
(NewProcessName: "lsass.exe" AND NOT NewProcessName: "C:\Windows\System32\lsass.exe") OR
(NewProcessName: "winlogon.exe" AND NOT NewProcessName: "C:\Windows\System32\winlogon.exe") OR
(NewProcessName: "explorer.exe" AND NOT NewProcessName: "C:\Windows\explorer.exe") OR
(NewProcessName: "lsm.exe" AND NOT NewProcessName: "C:\Windows\System32\lsm.exe") OR
(NewProcessName: "services.exe" AND NOT NewProcessName: "C:\Windows\System32\services.exe") OR
(NewProcessName: "csrss.exe" AND NOT NewProcessName: "C:\Windows\System32\csrss.exe")
Caveat: on 64-bit Windows, C:\Windows\SysWOW64\svchost.exe and C:\Windows\SysWOW64\explorer.exe are legitimate 32-bit copies and will show up as false positives of this query; add them to the exclusions, and make sure your search platform compares the path case-insensitively, since NTFS does.
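The same check done in code, as an added example that is not from the slides: it splits each NewProcessName into directory and file name, compares the directory case-insensitively against the locations where that binary is allowed to live, and lets the legitimate SysWOW64 copies through, which the query above would flag. The sample 4688 values are constructed, and the allow-list is an assumption that should be verified against your own gold image (the lsm.exe and taskhost.exe entries reflect Windows 7-era hosts, as on the slide).

```python
"""Core Windows binaries running from the wrong directory.

Added example; sample events are constructed, the allow-list is an assumption.
"""
import ntpath  # Windows path semantics, available on every platform

SYSTEM32 = r"c:\windows\system32"
SYSWOW64 = r"c:\windows\syswow64"

# Lower-case directory set per protected file name. Verify against a gold
# image; also extend if %SystemRoot% is not C:\Windows on some hosts.
EXPECTED = {
    "svchost.exe":  {SYSTEM32, SYSWOW64},
    "smss.exe":     {SYSTEM32},
    "wininit.exe":  {SYSTEM32},
    "taskhost.exe": {SYSTEM32},
    "lsass.exe":    {SYSTEM32},
    "winlogon.exe": {SYSTEM32},
    "explorer.exe": {r"c:\windows", SYSWOW64},
    "lsm.exe":      {SYSTEM32},
    "services.exe": {SYSTEM32},
    "csrss.exe":    {SYSTEM32},
}


def normalize(path):
    """NTFS is case-insensitive and tolerates forward slashes; compare canonically."""
    return path.replace("/", "\\").lower()


def is_masquerade(new_process_name):
    """True when a protected file name runs from a directory it does not belong in."""
    directory, name = ntpath.split(normalize(new_process_name))
    allowed = EXPECTED.get(name)
    if allowed is None:
        # Not a protected name. Lookalikes such as svch0st.exe or scvhost.exe
        # need a separate fuzzy-name rule; this one only catches wrong paths.
        return False
    return directory not in allowed


def find_masquerades(events):
    """(host, NewProcessName) for every event that fails the path check."""
    return [(e["host"], e["NewProcessName"]) for e in events
            if is_masquerade(e["NewProcessName"])]


# Constructed 4688-style sample
SAMPLE_4688 = [
    {"host": "WS-042", "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"host": "WS-042", "NewProcessName": r"C:\Windows\SysWOW64\svchost.exe"},  # legit 32-bit copy
    {"host": "WS-042", "NewProcessName": r"C:\Users\Public\svchost.exe"},      # wrong directory
    {"host": "WS-042", "NewProcessName": r"c:\windows\EXPLORER.EXE"},          # only the case differs
    {"host": "WS-042", "NewProcessName": r"C:\Windows\Temp\lsass.exe"},        # wrong directory
    {"host": "WS-042", "NewProcessName": r"C:\Windows\System32\svch0st.exe"},  # lookalike, out of scope
]

if __name__ == "__main__":
    for host, path in find_masquerades(SAMPLE_4688):
        print(f"{host}: {path}")
```

Run this against a day of 4688 or Sysmon process-creation events and every hit is worth a look; the false-positive rate is close to zero once SysWOW64 and any non-standard SystemRoot are in the allow-list, which is why this is a good first hunt.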
New in this con
Blue team activity
Defense
Anyone from incident response
Hunting assumes that you are already compromised and now you want to know/verify it.
Pentesting
Web application
Synack
Owasp
Sofo
Not a new concept
Not Alert Driven
Not a tool or product
Not standardized
Not a silver bullet
It takes over a month
When everyone is at bdnog your org is under attack