Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.
4. What is threat hunting?
“The process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions”
- Sqrrl
5. Manual vs Automated
[Slide figure: a matrix with the columns Manual / Semi-Automated / Fully Automated and the rows Offence / Defence]
              Manual                  Semi-Automated     Fully Automated
Defence       Manual Threat Hunting   Assisted Hunts     Alerts from “products” (AV)
Offence       Manual Pentesting       Tools (nmap)       Vuln Scanners (Nessus)
Figure labels: Advanced Threat Hunting; Traditional security teams
17. In-Memory Injection
Detection
• Suspicious threads
• Unknown module
• Unusual permissions (e.g. RWX)
• Check for MZ
• Check for PE header
• Check for MS-DOS strings
Injection Techniques
• LoadLibrary
• Process Hollowing
• Reflective Loading
• Hooking
See also: Advanced Attack Detection @ Securitay2017 - https://youtu.be/ihElrBBJQo8
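The detection bullets on the slide can be turned into a small triage routine. The block below is an added example, not code from the talk: it assumes the memory regions of a process have already been collected (from a live process or a memory image) and are handed over as a base address, a Windows page-protection value and the bytes at the start of the region; the `Region` dataclass, the `mapped_image` flag (standing in for whether the OS knows the region as a loaded module) and every sample region are constructed for the example. A PE found in private memory, RWX pages and executable memory that no module backs are exactly the "unknown module / unusual permissions / MZ / PE header / MS-DOS strings" checks from the slide.

```python
"""Triage of process memory regions using the detection heuristics from the slide.

Added example, not code from the talk. It assumes the regions were already
collected from a live process or a memory image and represents each one as a
base address, a Windows page-protection value and the bytes at the start of
the region. All regions below are constructed sample data.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass

# Page protection constants as defined in winnt.h
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_PROTECTIONS = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

MZ_MAGIC = b"MZ"                       # DOS header signature
PE_MAGIC = b"PE\x00\x00"               # NT headers signature
DOS_STUB_STRING = b"This program cannot be run in DOS mode"


@dataclass
class Region:
    base: int
    protect: int
    data: bytes
    mapped_image: bool = False   # True when the loader knows the region as a module (MEM_IMAGE); assumed field


def find_pe_header(data: bytes):
    """Return the offset of 'PE\\0\\0' if data starts with a DOS header whose e_lfanew points at one, else None."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # DOS header field at offset 0x3C
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_MAGIC:
        return e_lfanew
    return None


def triage_region(region: Region) -> list:
    """Return the names of the heuristics that fire on one region (an empty list means nothing to see)."""
    findings = []
    if region.protect == PAGE_EXECUTE_READWRITE:
        findings.append("rwx")                  # unusual permissions
    if region.protect in EXEC_PROTECTIONS and not region.mapped_image:
        findings.append("private executable")   # executable memory the loader does not know about ("unknown module")
    if not region.mapped_image:
        # A loaded module is expected to carry these; in private memory they point at a PE placed there by hand.
        if region.data[:2] == MZ_MAGIC:
            findings.append("mz")
        if find_pe_header(region.data) is not None:
            findings.append("pe header")
        if DOS_STUB_STRING in region.data:
            findings.append("dos stub string")
    return findings


def suspicious_regions(regions) -> dict:
    """Map base address -> findings for every region where at least one heuristic fired."""
    result = {}
    for region in regions:
        findings = triage_region(region)
        if findings:
            result[region.base] = findings
    return result


def build_fake_pe(size: int = 0x200) -> bytes:
    """Constructed bytes shaped like the start of a PE image: MZ, e_lfanew = 0x80, DOS stub text, 'PE\\0\\0'."""
    buf = bytearray(size)
    buf[0:2] = MZ_MAGIC
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x4E:0x4E + len(DOS_STUB_STRING)] = DOS_STUB_STRING
    buf[0x80:0x84] = PE_MAGIC
    return bytes(buf)


# Constructed sample: a legitimately loaded module, a plain data region, a PE sitting in private RWX
# memory, and an executable private region with no PE structure at all.
SAMPLE_REGIONS = [
    Region(0x7FF6_0000_0000, PAGE_EXECUTE_READ, build_fake_pe(), mapped_image=True),
    Region(0x1A2B_0000, PAGE_READWRITE, b"\x00" * 0x100),
    Region(0x2C3D_0000, PAGE_EXECUTE_READWRITE, build_fake_pe()),
    Region(0x3E4F_0000, PAGE_EXECUTE_READ, b"\x90" * 0x40 + b"\xcc" * 0x10),
]

if __name__ == "__main__":
    for base, findings in suspicious_regions(SAMPLE_REGIONS).items():
        print(f"{base:#018x}: {', '.join(findings)}")
```

Two of the four constructed regions come back flagged: the private RWX region trips every heuristic at once, while the executable region with no module backing only trips "private executable", which is the weaker signal and the one that needs the thread and module checks from the slide to be confirmed.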
18. Least Frequency Analysis/Stacking
[Slide chart: Frequency / Count]
Highest Frequency
Process Name     Count
conhost.exe      11730618
cscript.exe      9819507
cmd.exe          1497875
WmiPrvSE.exe     1444628
dllhost.exe      579741
Lowest Frequency
Process Name     Count
hpzpsl01.exe     1
ismagent.exe     1
MSIAE02.tmp      1
dJK4oMMtx.exe    1
SketchUp.exe     1
Anomalies: “That’s a bit weird”
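Stacking is simple enough to show end to end. The block below is an added example, not code or data from the talk: the process-creation events are a constructed sample in the form "host,process,parent" (a real hunt would pull them from Sysmon, EDR or a SIEM export), and the functions generalise the slide's single process-name stack to any field or combination of fields, plus a per-host prevalence count, which is the usual next question once a rare value turns up.

```python
"""Least-frequency analysis ("stacking") over process-creation records.

Added example, not code or data from the talk. The events below are a constructed
sample in the form "host,process,parent"; on a real hunt they would come from
Sysmon, EDR or a SIEM export. The same functions stack any field or combination
of fields, which generalises the single process-name stack shown on the slide.
"""
from collections import Counter

# Constructed sample events, one "host,process,parent" record per line.
SAMPLE_EVENTS = """\
host01,conhost.exe,cmd.exe
host01,cmd.exe,explorer.exe
host02,conhost.exe,cmd.exe
host02,WmiPrvSE.exe,svchost.exe
host03,conhost.exe,cmd.exe
host03,cscript.exe,wscript.exe
host03,dJK4oMMtx.exe,WINWORD.EXE
host04,conhost.exe,cmd.exe
host04,cmd.exe,explorer.exe
host04,cscript.exe,cmd.exe
host05,conhost.exe,cmd.exe
host05,dllhost.exe,svchost.exe
"""


def parse_events(text):
    """Turn the CSV-like text into a list of dicts; blank lines and '#' comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, process, parent = (part.strip() for part in line.split(",", 2))
        rows.append({"host": host, "process": process, "parent": parent})
    return rows


def stack(rows, *fields):
    """Count how often each value (or tuple of values, for several fields) appears across all rows."""
    if len(fields) == 1:
        return Counter(r[fields[0]] for r in rows)
    return Counter(tuple(r[f] for f in fields) for r in rows)


def highest(counter, n=5):
    """Top of the stack: the noisy, expected values."""
    return counter.most_common(n)


def lowest(counter, n=5):
    """Bottom of the stack: rarest first, ties broken by name so the output is stable."""
    return sorted(counter.items(), key=lambda kv: (kv[1], str(kv[0])))[:n]


def rare_values(counter, max_count=1):
    """Everything seen max_count times or fewer: this is where the slide's "that's a bit weird" entries sit."""
    return sorted((k for k, c in counter.items() if c <= max_count), key=str)


def host_prevalence(rows, field="process"):
    """Number of distinct hosts each value was seen on; a value on one host out of many deserves a second look."""
    hosts = {}
    for r in rows:
        hosts.setdefault(r[field], set()).add(r["host"])
    return {k: len(v) for k, v in hosts.items()}


if __name__ == "__main__":
    rows = parse_events(SAMPLE_EVENTS)
    by_process = stack(rows, "process")
    print("Highest frequency:", highest(by_process))
    print("Lowest frequency:", lowest(by_process))
    print("Seen once:", rare_values(by_process))
    print("Rare parent/child pairs:", rare_values(stack(rows, "parent", "process")))
    print("Host prevalence:", host_prevalence(rows))
```

Stacking on the parent/child pair rather than the process name alone is the common refinement: conhost.exe is the most frequent process in the sample and in the slide's table, but a pair such as WINWORD.EXE spawning an unknown executable still lands at the bottom of the pair stack where it is easy to spot.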
27. How to be a stealthier attacker
Foothold
• Avoid macros/hta files
• Social engineering, exploits, webapps are better
• Abuse third party services Facebook/Linkedin
• Target personal assets instead of corporate assets
Execution
• Avoid new processes and avoid using command line arguments
• Avoid Windows utilities – cmd, powershell, net, reg, etc.
• Avoid in-memory techniques
• Avoid “hacker tools” – Metasploit, CobaltStrike, Mimikatz
• Avoid “spraying” credentials
• WMI is a better option
• Use direct Windows API access where possible
• Modify tools/binaries – name, hash, description
Persistence
• Avoid SysInternals Autoruns - Scheduled Tasks, Services, Registry, Cron, Launch Daemons/Agents
• WMI and COM not perfect but better than others
• Use “hide in plain sight” techniques
• Outlook rules, Office templates
• DLL side-loading
• Rootkits
• Anything involving custom applications
• Don’t use persistence if you don’t need to!
C2/Exfil
• Avoid network comms from processes which don’t have network comms
• Avoid newly registered domains, if possible use Google/Twitter/Youtube etc.
• Avoid DNS tunneling
• Use SSL and outlook/browsers where possible and go low and slow