SlideShare una empresa de Scribd logo

Hunt Windows Endpoints Fast with Logs and Non-Logs

Michael Gough
Michael Gough

Want to hunt on Windows systems quickly? Here is an approach. ATT&CK LOG-MD Logging MalwareArchaeology Incident Response Hunting

Tecnología
1 de 31
Descargar para leer sin conexión
This Is the Fastest Way to Hunt Windows Endpoints Michael Gough MalwareArchaeology.com MalwareArchaeology.com
Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet”, “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet”, “Windows Splunk Logging Cheat Sheet” “Windows PowerShell Logging Cheat Sheet”, “Malware Management Framework” NEW - “Windows HUMIO Logging Cheat Sheet” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • Co-host of “Brakeing Down Incident Response” podcast • @HackerHurricane also my Blog MalwareArchaeology.com
Hunting requires some ‘Back to Basics’ to achieve “Totality” MalwareArchaeology.com
Achieve Totality Coverage - Asset Management • Can you see every host? • Do you have ghost assets? • Remote systems (Road Warriors) • Powered down VM’s/Systems • IP Scan all devices and identify the OS Completeness - Deployment • Are your agent(s) installed and running properly Configuration – System Settings • Are the systems configured correctly • Enable all that you want and expect MalwareArchaeology.com Coverage Completeness Configuration
We need a Hunting method MalwareArchaeology.com
What to base a Hunt on? • So what do we look for ? • What do we base our hunts on? • Where do we start? • What is the most extensive list of tactics on the adversaries? MalwareArchaeology.com
IR Reports • IR Firms publish their findings – Many published on MalwareArchaeology.com – I call this Malware Management • MalwareManagementFramework.org • Presentations by those of us that have fought and won/lost against advanced adversaries • These are the best way to get the latest TTP’s • Use these TTP’s to hunt for • And create a framework to map everything you do with the tool(s) you use MalwareArchaeology.com
Mitre Att@ck Adversarial Tactics, Techniques & Common Knowledge • This is a good place to start and map all your detection, prevention, and hunt activities to • Not enough details as to how – You will need to map them – Or find someone that has, maybe a product(s) • But most can be mapped to logging for example • Add Log Management • Add some Sysmon or WLS to the logs for more details • Add LOG-MD-Pro, and other tool or script(s) • Add a solution to query the OS ( I love BigFix) • Add Network tools • Fill other gaps MalwareArchaeology.com
Map them to ATT&CK • Map the tools you have to the ATT&CK Matrix • This will give you a place to start and a way to track and rate your activities MalwareArchaeology.com
Introducing • The Windows ATT&CK Logging Cheat Sheet • 11 Tactics and 187 Techniques mapped to Windows Event IDs MalwareArchaeology.com
Introducing • The Windows LOG-MD ATT&CK Cheat Sheet • 11 Tactics and 187 Techniques mapped to Windows Event IDs, LOG-MD, and Sysmon MalwareArchaeology.com
80/20 rule • Another VERY important point is we need to ignore or not worry about the 20% that you don’t, or can’t cover. • Don’t get hung up on the 20% or you will continue to flounder • Worry about the 80% you CAN or COULD do • You have to learn to walk before you worry about trying to be, or cover 100% (run) • Being good at 80% should be a goal • You will improve over time as you get better MalwareArchaeology.com
What to Hunt for MalwareArchaeology.com
So what to hunt for… quickly • You basically have two options • Three, if you include network traffic, but that is not as fast IMHO and you can add this method as you get better and faster and can integrate it into your hunting methodology – Part of that 20% I just mentioned • That leaves two methods you can do quickly MalwareArchaeology.com
Quick Methods of Hunting These are two faster methods you can hunt on Windows 1. What is in the logs 2. What is not in the logs • These items are faster and easier to hunt for and you probably have a tool(s) that can do a lot of it already (e.g. SCCM, BigFix, Humio, Splunk, LOG-MD, Cb, Endgame, scripts, etc.) MalwareArchaeology.com
The Logs MalwareArchaeology.com
What is in the Logs • Event ID’s – Map them to YOUR ATT&CK Matrix • But you MUST enable the “Right Stuff” first – This is Configuration of the 3 C’s – 1GB Security Log gets you roughly 1 week of data – Some logs will get you a longer period • Windows Logging Cheat Sheet • Windows Advanced Logging Cheat Sheet • Windows PowerShell Logging Cheat Sheet • And other cheat sheets… MalwareArchaeology.com
What is in the Logs • You can hunt them locally if you follow the Cheat Sheet(s) – Enabling Process command Line is key – Write a script or use a tool like LOG-MD to collect log data • Log Management/SIEM is optimal and you will get longer than a week worth of data MalwareArchaeology.com
What is in the Logs • Push and run LOG-MD-Pro, PowerShell, or any script or tool can think of to query the logs • Process Command Line (4688) is a key indicator, New Service (7045), etc. • There are a lot of Event ID’s you can hunt for to indicate things that have happened • Data in IR Reports and the Cheat Sheets are a place to start for Event IDs and commands MalwareArchaeology.com
What is in the Logs • Obvious Log Events such as – Suspicious PowerShell events (200-500, 4100-4104) • obfuscation, web calls, size of block, Base64, etc. – Logins (one account to multiple systems) (4624) – Process CMD Line – e.g. Rundll32 malware.dll (4688) – Quantity of Admin commands run in a short period – New Task (106) – New Service (7045) – What process called SeTcbPrivilege (Mimikatz) 4703 MalwareArchaeology.com
Not in the Logs MalwareArchaeology.com
Non-Logs MalwareArchaeology.com • Map them to YOUR ATT&CK Matrix • Run LOG-MD-Pro or other tool/script to collect things like – AutoRuns – WMI Persistence – Large Registry Keys (Data in a value that is large) – Null Byte in the registry (Interesting Artifacts) – Sticky Keys exploit (Interesting Artifacts) – Locked Files • Other artifacts from IR reports/Preso’s, etc.
Non-Logs MalwareArchaeology.com • Use a tool that can query the OS to look for – Registry Keys, Values, Data – Files and Directories – Yes, hashes if you must • Dates can be stomped, but dates of keys and folders often are not • And you can look for ‘created in the last X hours or days’ if you compare to prior hunts
Your Goal(s) • Elimination !!! • Eliminate that you do NOT have some known bad things, these will get you started, expand from there – Malicious AutoRuns – Malicious PowerShell – WMI Persistence – Large Registry Keys • These four items account for 90+% of all malware we have seen in the past 6+ years MalwareArchaeology.com
Tools MalwareArchaeology.com
My Top 10 Hunting Tools 1. Log Management (Splunk, Humio, ELK, Graylog) 2. Query the OS type tool (BigFix ROCKS!) 3. LOG-MD-Pro (details) 4. n/a 5. n/a 6. n/a 7. n/a 8. n/a 9. n/a 10. n/a MalwareArchaeology.com
Tools to Query the OS • BigFix • Tanium • SCCM • OS Query • InvestiGator • Grr • PowerShell • Kansa • Old Fashioned scripts • EDR-IR tools (Cb, CrowdStrike, Endgame, Red Cloak, etc.) • LOG-MD-Pro (My personal favorite) MalwareArchaeology.com
How do I hunt for PS? • Without Log Management? • Or with it, we consume LOG-MD-Pro logs into Log Management too MalwareArchaeology.com
Resources • Mitre - ATT&CK Framework – attack.mitre.org/wiki/Main_Page • Endgame – The Endgame Guide to Threat Hunting – https://pages.endgame.com/rs/627-YBU- 612/images/The%20Endgame%20Guide%20to%20Threat%20Hunting%20- %20ebook.pdf • Sqrrl - Hunt Evil Your Practical Guide to Threat Hunting – https://sqrrl.com/media/Your-Practical-Guide-to-Threat-Hunting.pdf • SANS Poster – Find Evil – Digital- forensics.sans.org/media/poster_2014_find_evil.pdf MalwareArchaeology.com
Resources LOG-MD.COM • Cyb3rWard0g/ThreatHunter-Playbook – https://github.com/Cyb3rWard0g/ThreatHunter- Playbook • beahunt3r/Windows-Hunting – https://github.com/beahunt3r/Windows-Hunting • ThreatHunting.net • ThreatHunting.org • Findingbad.blogspot.com
Questions? LOG-MD.COM You can find us at: • Log-MD.com • @HackerHurricane • HackerHurricane.com (blog) • MalwareArchaeology.com – Cheat Sheets • Listen to the “Brakeing Down Incident Response” Podcast – BDIRPodcast.com

Recomendados

Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 

Recomendados

Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturityDNIF
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber worldAkash Sarode
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0Michael Gough
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 
50 Shades of Sigma
50 Shades of Sigma50 Shades of Sigma
50 Shades of SigmaFlorian Roth
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Michael Gough
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCONMichael Gough
 

Más contenido relacionado

La actualidad más candente

Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber worldAkash Sarode
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0Michael Gough
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 
50 Shades of Sigma
50 Shades of Sigma50 Shades of Sigma
50 Shades of SigmaFlorian Roth
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 

La actualidad más candente (20)

Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
 
50 Shades of Sigma
50 Shades of Sigma50 Shades of Sigma
50 Shades of Sigma
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 

Similar a Hunt Windows Endpoints Fast with Logs and Non-Logs

Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Michael Gough
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCONMichael Gough
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themMichael Gough
 
RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackersMichael Gough
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail YouMichael Gough
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Michael Gough
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Michael Gough
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware ArchaeologistMichael Gough
 
Logging for Hackers v1.0
Logging for Hackers v1.0Logging for Hackers v1.0
Logging for Hackers v1.0Michael Gough
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOUMichael Gough
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beMichael Gough
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolMichael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSMichael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSMichael Gough
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomwareMichael Gough
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0Michael Gough
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Michael Gough
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1Michael Gough
 

Similar a Hunt Windows Endpoints Fast with Logs and Non-Logs (20)

Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCON
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
 
RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackers
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail You
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware Archaeologist
 
Logging for Hackers v1.0
Logging for Hackers v1.0Logging for Hackers v1.0
Logging for Hackers v1.0
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOU
 
Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to be
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomware
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
 

Más de Michael Gough

Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response FailsMichael Gough
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Michael Gough
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0Michael Gough
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?Michael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareMichael Gough
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1Michael Gough
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Michael Gough
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Michael Gough
 

Más de Michael Gough (10)

Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response Fails
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0
 

Último

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Último (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Hunt Windows Endpoints Fast with Logs and Non-Logs

  • 1. This Is the Fastest Way to Hunt Windows Endpoints Michael Gough MalwareArchaeology.com MalwareArchaeology.com
  • 2. Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet”, “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet”, “Windows Splunk Logging Cheat Sheet” “Windows PowerShell Logging Cheat Sheet”, “Malware Management Framework” NEW - “Windows HUMIO Logging Cheat Sheet” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • Co-host of “Brakeing Down Incident Response” podcast • @HackerHurricane also my Blog MalwareArchaeology.com
  • 3. Hunting requires some ‘Back to Basics’ to achieve “Totality” MalwareArchaeology.com
  • 4. Achieve Totality Coverage - Asset Management • Can you see every host? • Do you have ghost assets? • Remote systems (Road Warriors) • Powered down VM’s/Systems • IP Scan all devices and identify the OS Completeness - Deployment • Are your agent(s) installed and running properly Configuration – System Settings • Are the systems configured correctly • Enable all that you want and expect MalwareArchaeology.com Coverage Completeness Configuration
  • 5. We need a Hunting method MalwareArchaeology.com
  • 6. What to base a Hunt on? • So what do we look for ? • What do we base our hunts on? • Where do we start? • What is the most extensive list of tactics on the adversaries? MalwareArchaeology.com
  • 7. IR Reports • IR Firms publish their findings – Many published on MalwareArchaeology.com – I call this Malware Management • MalwareManagementFramework.org • Presentations by those of us that have fought and won/lost against advanced adversaries • These are the best way to get the latest TTP’s • Use these TTP’s to hunt for • And create a framework to map everything you do with the tool(s) you use MalwareArchaeology.com
  • 8. Mitre Att@ck Adversarial Tactics, Techniques & Common Knowledge • This is a good place to start and map all your detection, prevention, and hunt activities to • Not enough details as to how – You will need to map them – Or find someone that has, maybe a product(s) • But most can be mapped to logging for example • Add Log Management • Add some Sysmon or WLS to the logs for more details • Add LOG-MD-Pro, and other tool or script(s) • Add a solution to query the OS ( I love BigFix) • Add Network tools • Fill other gaps MalwareArchaeology.com
  • 9. Map them to ATT&CK • Map the tools you have to the ATT&CK Matrix • This will give you a place to start and a way to track and rate your activities MalwareArchaeology.com
  • 10. Introducing • The Windows ATT&CK Logging Cheat Sheet • 11 Tactics and 187 Techniques mapped to Windows Event IDs MalwareArchaeology.com
  • 11. Introducing • The Windows LOG-MD ATT&CK Cheat Sheet • 11 Tactics and 187 Techniques mapped to Windows Event IDs, LOG-MD, and Sysmon MalwareArchaeology.com
  • 12. 80/20 rule • Another VERY important point is we need to ignore or not worry about the 20% that you don’t, or can’t cover. • Don’t get hung up on the 20% or you will continue to flounder • Worry about the 80% you CAN or COULD do • You have to learn to walk before you worry about trying to be, or cover 100% (run) • Being good at 80% should be a goal • You will improve over time as you get better MalwareArchaeology.com
  • 13. What to Hunt for MalwareArchaeology.com
  • 14. So what to hunt for… quickly • You basically have two options • Three, if you include network traffic, but that is not as fast IMHO and you can add this method as you get better and faster and can integrate it into your hunting methodology – Part of that 20% I just mentioned • That leaves two methods you can do quickly MalwareArchaeology.com
  • 15. Quick Methods of Hunting These are two faster methods you can hunt on Windows 1. What is in the logs 2. What is not in the logs • These items are faster and easier to hunt for and you probably have a tool(s) that can do a lot of it already (e.g. SCCM, BigFix, Humio, Splunk, LOG-MD, Cb, Endgame, scripts, etc.) MalwareArchaeology.com
  • 17. What is in the Logs • Event ID’s – Map them to YOUR ATT&CK Matrix • But you MUST enable the “Right Stuff” first – This is Configuration of the 3 C’s – 1GB Security Log gets you roughly 1 week of data – Some logs will get you a longer period • Windows Logging Cheat Sheet • Windows Advanced Logging Cheat Sheet • Windows PowerShell Logging Cheat Sheet • And other cheat sheets… MalwareArchaeology.com
  • 18. What is in the Logs • You can hunt them locally if you follow the Cheat Sheet(s) – Enabling Process command Line is key – Write a script or use a tool like LOG-MD to collect log data • Log Management/SIEM is optimal and you will get longer than a week worth of data MalwareArchaeology.com
  • 19. What is in the Logs • Push and run LOG-MD-Pro, PowerShell, or any script or tool can think of to query the logs • Process Command Line (4688) is a key indicator, New Service (7045), etc. • There are a lot of Event ID’s you can hunt for to indicate things that have happened • Data in IR Reports and the Cheat Sheets are a place to start for Event IDs and commands MalwareArchaeology.com
  • 20. What is in the Logs • Obvious Log Events such as – Suspicious PowerShell events (200-500, 4100-4104) • obfuscation, web calls, size of block, Base64, etc. – Logins (one account to multiple systems) (4624) – Process CMD Line – e.g. Rundll32 malware.dll (4688) – Quantity of Admin commands run in a short period – New Task (106) – New Service (7045) – What process called SeTcbPrivilege (Mimikatz) 4703 MalwareArchaeology.com
  • 21. Not in the Logs MalwareArchaeology.com
  • 22. Non-Logs MalwareArchaeology.com • Map them to YOUR ATT&CK Matrix • Run LOG-MD-Pro or other tool/script to collect things like – AutoRuns – WMI Persistence – Large Registry Keys (Data in a value that is large) – Null Byte in the registry (Interesting Artifacts) – Sticky Keys exploit (Interesting Artifacts) – Locked Files • Other artifacts from IR reports/Preso’s, etc.
  • 23. Non-Logs MalwareArchaeology.com • Use a tool that can query the OS to look for – Registry Keys, Values, Data – Files and Directories – Yes, hashes if you must • Dates can be stomped, but dates of keys and folders often are not • And you can look for ‘created in the last X hours or days’ if you compare to prior hunts
  • 24. Your Goal(s) • Elimination !!! • Eliminate that you do NOT have some known bad things, these will get you started, expand from there – Malicious AutoRuns – Malicious PowerShell – WMI Persistence – Large Registry Keys • These four items account for 90+% of all malware we have seen in the past 6+ years MalwareArchaeology.com
  • 26. My Top 10 Hunting Tools 1. Log Management (Splunk, Humio, ELK, Graylog) 2. Query the OS type tool (BigFix ROCKS!) 3. LOG-MD-Pro (details) 4. n/a 5. n/a 6. n/a 7. n/a 8. n/a 9. n/a 10. n/a MalwareArchaeology.com
  • 27. Tools to Query the OS • BigFix • Tanium • SCCM • OS Query • InvestiGator • Grr • PowerShell • Kansa • Old Fashioned scripts • EDR-IR tools (Cb, CrowdStrike, Endgame, Red Cloak, etc.) • LOG-MD-Pro (My personal favorite) MalwareArchaeology.com
  • 28. How do I hunt for PS? • Without Log Management? • Or with it, we consume LOG-MD-Pro logs into Log Management too MalwareArchaeology.com
  • 29. Resources • Mitre - ATT&CK Framework – attack.mitre.org/wiki/Main_Page • Endgame – The Endgame Guide to Threat Hunting – https://pages.endgame.com/rs/627-YBU- 612/images/The%20Endgame%20Guide%20to%20Threat%20Hunting%20- %20ebook.pdf • Sqrrl - Hunt Evil Your Practical Guide to Threat Hunting – https://sqrrl.com/media/Your-Practical-Guide-to-Threat-Hunting.pdf • SANS Poster – Find Evil – Digital- forensics.sans.org/media/poster_2014_find_evil.pdf MalwareArchaeology.com
  • 30. Resources LOG-MD.COM • Cyb3rWard0g/ThreatHunter-Playbook – https://github.com/Cyb3rWard0g/ThreatHunter- Playbook • beahunt3r/Windows-Hunting – https://github.com/beahunt3r/Windows-Hunting • ThreatHunting.net • ThreatHunting.org • Findingbad.blogspot.com
  • 31. Questions? LOG-MD.COM You can find us at: • Log-MD.com • @HackerHurricane • HackerHurricane.com (blog) • MalwareArchaeology.com – Cheat Sheets • Listen to the “Brakeing Down Incident Response” Podcast – BDIRPodcast.com