SlideShare ist ein Scribd-Unternehmen logo

MW_Arch Fastest_way_to_hunt_on_Windows_v1.01

Michael Gough
Michael Gough

Want to hunt on Windows systems quickly? Here is an approach. ATT&CK LOG-MD Logging MalwareArchaeology Incident Response Hunting

Technologie
1 von 31
Downloaden Sie, um offline zu lesen
This Is the Fastest Way to Hunt Windows Endpoints Michael Gough MalwareArchaeology.com MalwareArchaeology.com
Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet”, “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet”, “Windows Splunk Logging Cheat Sheet” “Windows PowerShell Logging Cheat Sheet”, “Malware Management Framework” NEW - “Windows HUMIO Logging Cheat Sheet” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • Co-host of “Brakeing Down Incident Response” podcast • @HackerHurricane also my Blog MalwareArchaeology.com
Hunting requires some ‘Back to Basics’ to achieve “Totality” MalwareArchaeology.com
Achieve Totality Coverage - Asset Management • Can you see every host? • Do you have ghost assets? • Remote systems (Road Warriors) • Powered down VM’s/Systems • IP Scan all devices and identify the OS Completeness - Deployment • Are your agent(s) installed and running properly Configuration – System Settings • Are the systems configured correctly • Enable all that you want and expect MalwareArchaeology.com Coverage Completeness Configuration
We need a Hunting method MalwareArchaeology.com
What to base a Hunt on? • So what do we look for ? • What do we base our hunts on? • Where do we start? • What is the most extensive list of tactics on the adversaries? MalwareArchaeology.com
IR Reports • IR Firms publish their findings – Many published on MalwareArchaeology.com – I call this Malware Management • MalwareManagementFramework.org • Presentations by those of us that have fought and won/lost against advanced adversaries • These are the best way to get the latest TTP’s • Use these TTP’s to hunt for • And create a framework to map everything you do with the tool(s) you use MalwareArchaeology.com
Mitre Att@ck Adversarial Tactics, Techniques & Common Knowledge • This is a good place to start and map all your detection, prevention, and hunt activities to • Not enough details as to how – You will need to map them – Or find someone that has, maybe a product(s) • But most can be mapped to logging for example • Add Log Management • Add some Sysmon or WLS to the logs for more details • Add LOG-MD-Pro, and other tool or script(s) • Add a solution to query the OS ( I love BigFix) • Add Network tools • Fill other gaps MalwareArchaeology.com
Map them to ATT&CK • Map the tools you have to the ATT&CK Matrix • This will give you a place to start and a way to track and rate your activities MalwareArchaeology.com
Introducing • The Windows ATT&CK Logging Cheat Sheet • 11 Tactics and 187 Techniques mapped to Windows Event IDs MalwareArchaeology.com
Introducing • The Windows LOG-MD ATT&CK Cheat Sheet • 11 Tactics and 187 Techniques mapped to Windows Event IDs, LOG-MD, and Sysmon MalwareArchaeology.com
80/20 rule • Another VERY important point is we need to ignore or not worry about the 20% that you don’t, or can’t cover. • Don’t get hung up on the 20% or you will continue to flounder • Worry about the 80% you CAN or COULD do • You have to learn to walk before you worry about trying to be, or cover 100% (run) • Being good at 80% should be a goal • You will improve over time as you get better MalwareArchaeology.com
What to Hunt for MalwareArchaeology.com
So what to hunt for… quickly • You basically have two options • Three, if you include network traffic, but that is not as fast IMHO and you can add this method as you get better and faster and can integrate it into your hunting methodology – Part of that 20% I just mentioned • That leaves two methods you can do quickly MalwareArchaeology.com
Quick Methods of Hunting These are two faster methods you can hunt on Windows 1. What is in the logs 2. What is not in the logs • These items are faster and easier to hunt for and you probably have a tool(s) that can do a lot of it already (e.g. SCCM, BigFix, Humio, Splunk, LOG-MD, Cb, Endgame, scripts, etc.) MalwareArchaeology.com
The Logs MalwareArchaeology.com
What is in the Logs • Event ID’s – Map them to YOUR ATT&CK Matrix • But you MUST enable the “Right Stuff” first – This is Configuration of the 3 C’s – 1GB Security Log gets you roughly 1 week of data – Some logs will get you a longer period • Windows Logging Cheat Sheet • Windows Advanced Logging Cheat Sheet • Windows PowerShell Logging Cheat Sheet • And other cheat sheets… MalwareArchaeology.com
What is in the Logs • You can hunt them locally if you follow the Cheat Sheet(s) – Enabling Process command Line is key – Write a script or use a tool like LOG-MD to collect log data • Log Management/SIEM is optimal and you will get longer than a week worth of data MalwareArchaeology.com
What is in the Logs • Push and run LOG-MD-Pro, PowerShell, or any script or tool can think of to query the logs • Process Command Line (4688) is a key indicator, New Service (7045), etc. • There are a lot of Event ID’s you can hunt for to indicate things that have happened • Data in IR Reports and the Cheat Sheets are a place to start for Event IDs and commands MalwareArchaeology.com
What is in the Logs • Obvious Log Events such as – Suspicious PowerShell events (200-500, 4100-4104) • obfuscation, web calls, size of block, Base64, etc. – Logins (one account to multiple systems) (4624) – Process CMD Line – e.g. Rundll32 malware.dll (4688) – Quantity of Admin commands run in a short period – New Task (106) – New Service (7045) – What process called SeTcbPrivilege (Mimikatz) 4703 MalwareArchaeology.com
Not in the Logs MalwareArchaeology.com
Non-Logs MalwareArchaeology.com • Map them to YOUR ATT&CK Matrix • Run LOG-MD-Pro or other tool/script to collect things like – AutoRuns – WMI Persistence – Large Registry Keys (Data in a value that is large) – Null Byte in the registry (Interesting Artifacts) – Sticky Keys exploit (Interesting Artifacts) – Locked Files • Other artifacts from IR reports/Preso’s, etc.
Non-Logs MalwareArchaeology.com • Use a tool that can query the OS to look for – Registry Keys, Values, Data – Files and Directories – Yes, hashes if you must • Dates can be stomped, but dates of keys and folders often are not • And you can look for ‘created in the last X hours or days’ if you compare to prior hunts
Your Goal(s) • Elimination !!! • Eliminate that you do NOT have some known bad things, these will get you started, expand from there – Malicious AutoRuns – Malicious PowerShell – WMI Persistence – Large Registry Keys • These four items account for 90+% of all malware we have seen in the past 6+ years MalwareArchaeology.com
Tools MalwareArchaeology.com
My Top 10 Hunting Tools 1. Log Management (Splunk, Humio, ELK, Graylog) 2. Query the OS type tool (BigFix ROCKS!) 3. LOG-MD-Pro (details) 4. n/a 5. n/a 6. n/a 7. n/a 8. n/a 9. n/a 10. n/a MalwareArchaeology.com
Tools to Query the OS • BigFix • Tanium • SCCM • OS Query • InvestiGator • Grr • PowerShell • Kansa • Old Fashioned scripts • EDR-IR tools (Cb, CrowdStrike, Endgame, Red Cloak, etc.) • LOG-MD-Pro (My personal favorite) MalwareArchaeology.com
How do I hunt for PS? • Without Log Management? • Or with it, we consume LOG-MD-Pro logs into Log Management too MalwareArchaeology.com
Resources • Mitre - ATT&CK Framework – attack.mitre.org/wiki/Main_Page • Endgame – The Endgame Guide to Threat Hunting – https://pages.endgame.com/rs/627-YBU- 612/images/The%20Endgame%20Guide%20to%20Threat%20Hunting%20- %20ebook.pdf • Sqrrl - Hunt Evil Your Practical Guide to Threat Hunting – https://sqrrl.com/media/Your-Practical-Guide-to-Threat-Hunting.pdf • SANS Poster – Find Evil – Digital- forensics.sans.org/media/poster_2014_find_evil.pdf MalwareArchaeology.com
Resources LOG-MD.COM • Cyb3rWard0g/ThreatHunter-Playbook – https://github.com/Cyb3rWard0g/ThreatHunter- Playbook • beahunt3r/Windows-Hunting – https://github.com/beahunt3r/Windows-Hunting • ThreatHunting.net • ThreatHunting.org • Findingbad.blogspot.com
Questions? LOG-MD.COM You can find us at: • Log-MD.com • @HackerHurricane • HackerHurricane.com (blog) • MalwareArchaeology.com – Cheat Sheets • Listen to the “Brakeing Down Incident Response” Podcast – BDIRPodcast.com

Empfohlen

Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beMichael Gough
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0Michael Gough
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 

Empfohlen

Windows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beWindows Incident Response is hard, but doesn't have to be
Windows Incident Response is hard, but doesn't have to beMichael Gough
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0Michael Gough
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolMichael Gough
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware AnalysisAlbert Hui
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Michael Gough
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCONMichael Gough
 

Weitere ähnliche Inhalte

Was ist angesagt?

Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolMichael Gough
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware AnalysisAlbert Hui
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 

Was ist angesagt? (20)

Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows toolIntroducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
Introducing ArTHIR - ATT&CK Remote Threat Hunting Incident Response Windows tool
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware Analysis
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common Language
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 

Ähnlich wie MW_Arch Fastest_way_to_hunt_on_Windows_v1.01

Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Michael Gough
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCONMichael Gough
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themMichael Gough
 
RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackersMichael Gough
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail YouMichael Gough
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Michael Gough
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Michael Gough
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware ArchaeologistMichael Gough
 
Logging for Hackers v1.0
Logging for Hackers v1.0Logging for Hackers v1.0
Logging for Hackers v1.0Michael Gough
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOUMichael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSMichael Gough
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSMichael Gough
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomwareMichael Gough
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0Michael Gough
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Michael Gough
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1Michael Gough
 
Info sec is not daunting v1.0
Info sec is not daunting v1.0 Info sec is not daunting v1.0
Info sec is not daunting v1.0 Michael Gough
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingAndrew McNicol
 
BSides Vancouver 2018 - Live IR on a Budget
BSides Vancouver 2018 - Live IR on a BudgetBSides Vancouver 2018 - Live IR on a Budget
BSides Vancouver 2018 - Live IR on a Budgetdsplice
 

Ähnlich wie MW_Arch Fastest_way_to_hunt_on_Windows_v1.01 (20)

Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0Windows IR made easier and faster v1.0
Windows IR made easier and faster v1.0
 
Logging for hackers SAINTCON
Logging for hackers SAINTCONLogging for hackers SAINTCON
Logging for hackers SAINTCON
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
 
RMISC logging for hackers
RMISC logging for hackersRMISC logging for hackers
RMISC logging for hackers
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail You
 
Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1Sandbox vs manual analysis v2.1
Sandbox vs manual analysis v2.1
 
Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1Sandbox vs manual malware analysis v1.1
Sandbox vs manual malware analysis v1.1
 
Ask a Malware Archaeologist
Ask a Malware ArchaeologistAsk a Malware Archaeologist
Ask a Malware Archaeologist
 
Logging for Hackers v1.0
Logging for Hackers v1.0Logging for Hackers v1.0
Logging for Hackers v1.0
 
Commodity malware means YOU
Commodity malware means YOUCommodity malware means YOU
Commodity malware means YOU
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
Proper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoSProper logging can catch breaches like retail PoS
Proper logging can catch breaches like retail PoS
 
What can you do about ransomware
What can you do about ransomwareWhat can you do about ransomware
What can you do about ransomware
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0Deeplook into apt and how to detect and defend v1.0
Deeplook into apt and how to detect and defend v1.0
 
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
BSidesOK_You_CAN_detect_PowerShell_attacks_v1.1
 
Info sec is not daunting v1.0
Info sec is not daunting v1.0 Info sec is not daunting v1.0
Info sec is not daunting v1.0
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
 
BSides Vancouver 2018 - Live IR on a Budget
BSides Vancouver 2018 - Live IR on a BudgetBSides Vancouver 2018 - Live IR on a Budget
BSides Vancouver 2018 - Live IR on a Budget
 

Mehr von Michael Gough

Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response FailsMichael Gough
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Michael Gough
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0Michael Gough
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?Michael Gough
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareMichael Gough
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Michael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1Michael Gough
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Michael Gough
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Michael Gough
 

Mehr von Michael Gough (9)

Incident Response Fails
Incident Response FailsIncident Response Fails
Incident Response Fails
 
Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0Cred stealing emails bsides austin_2018 v1.0
Cred stealing emails bsides austin_2018 v1.0
 
InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0InnoTech 2017_Defend_Against_Ransomware 3.0
InnoTech 2017_Defend_Against_Ransomware 3.0
 
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
EDR, ETDR, Next Gen AV is all the rage, so why am I ENRAGED?
 
Email keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malwareEmail keeps getting us pwned - Avoiding Ransomware and malware
Email keeps getting us pwned - Avoiding Ransomware and malware
 
Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1Email keeps getting us pwned v1.1
Email keeps getting us pwned v1.1
 
DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1DIR ISF - Email keeps getting us pwned v1.1
DIR ISF - Email keeps getting us pwned v1.1
 
Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0Email keeps getting us pwned v1.0
Email keeps getting us pwned v1.0
 
Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0Mw arch mac_tips and tricks v1.0
Mw arch mac_tips and tricks v1.0
 

Kürzlich hochgeladen

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

Kürzlich hochgeladen (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

MW_Arch Fastest_way_to_hunt_on_Windows_v1.01

  • 1. This Is the Fastest Way to Hunt Windows Endpoints Michael Gough MalwareArchaeology.com MalwareArchaeology.com
  • 2. Who am I • Blue Team Defender Ninja, Malware Archaeologist, Logoholic • I love “properly” configured logs – they tell us Who, What, Where, When and hopefully How Creator of “Windows Logging Cheat Sheet”, “Windows File Auditing Cheat Sheet” “Windows Registry Auditing Cheat Sheet”, “Windows Splunk Logging Cheat Sheet” “Windows PowerShell Logging Cheat Sheet”, “Malware Management Framework” NEW - “Windows HUMIO Logging Cheat Sheet” • Co-Creator of “Log-MD” – Log Malicious Discovery Tool – With @Boettcherpwned – Brakeing Down Security PodCast • Co-host of “Brakeing Down Incident Response” podcast • @HackerHurricane also my Blog MalwareArchaeology.com
  • 3. Hunting requires some ‘Back to Basics’ to achieve “Totality” MalwareArchaeology.com
  • 4. Achieve Totality Coverage - Asset Management • Can you see every host? • Do you have ghost assets? • Remote systems (Road Warriors) • Powered down VM’s/Systems • IP Scan all devices and identify the OS Completeness - Deployment • Are your agent(s) installed and running properly Configuration – System Settings • Are the systems configured correctly • Enable all that you want and expect MalwareArchaeology.com Coverage Completeness Configuration
  • 5. We need a Hunting method MalwareArchaeology.com
  • 6. What to base a Hunt on? • So what do we look for ? • What do we base our hunts on? • Where do we start? • What is the most extensive list of tactics on the adversaries? MalwareArchaeology.com
  • 7. IR Reports • IR Firms publish their findings – Many published on MalwareArchaeology.com – I call this Malware Management • MalwareManagementFramework.org • Presentations by those of us that have fought and won/lost against advanced adversaries • These are the best way to get the latest TTP’s • Use these TTP’s to hunt for • And create a framework to map everything you do with the tool(s) you use MalwareArchaeology.com
  • 8. Mitre Att@ck Adversarial Tactics, Techniques & Common Knowledge • This is a good place to start and map all your detection, prevention, and hunt activities to • Not enough details as to how – You will need to map them – Or find someone that has, maybe a product(s) • But most can be mapped to logging for example • Add Log Management • Add some Sysmon or WLS to the logs for more details • Add LOG-MD-Pro, and other tool or script(s) • Add a solution to query the OS ( I love BigFix) • Add Network tools • Fill other gaps MalwareArchaeology.com
  • 9. Map them to ATT&CK • Map the tools you have to the ATT&CK Matrix • This will give you a place to start and a way to track and rate your activities MalwareArchaeology.com
  • 10. Introducing • The Windows ATT&CK Logging Cheat Sheet • 11 Tactics and 187 Techniques mapped to Windows Event IDs MalwareArchaeology.com
  • 11. Introducing • The Windows LOG-MD ATT&CK Cheat Sheet • 11 Tactics and 187 Techniques mapped to Windows Event IDs, LOG-MD, and Sysmon MalwareArchaeology.com
  • 12. 80/20 rule • Another VERY important point is we need to ignore or not worry about the 20% that you don’t, or can’t cover. • Don’t get hung up on the 20% or you will continue to flounder • Worry about the 80% you CAN or COULD do • You have to learn to walk before you worry about trying to be, or cover 100% (run) • Being good at 80% should be a goal • You will improve over time as you get better MalwareArchaeology.com
  • 13. What to Hunt for MalwareArchaeology.com
  • 14. So what to hunt for… quickly • You basically have two options • Three, if you include network traffic, but that is not as fast IMHO and you can add this method as you get better and faster and can integrate it into your hunting methodology – Part of that 20% I just mentioned • That leaves two methods you can do quickly MalwareArchaeology.com
  • 15. Quick Methods of Hunting These are two faster methods you can hunt on Windows 1. What is in the logs 2. What is not in the logs • These items are faster and easier to hunt for and you probably have a tool(s) that can do a lot of it already (e.g. SCCM, BigFix, Humio, Splunk, LOG-MD, Cb, Endgame, scripts, etc.) MalwareArchaeology.com
  • 17. What is in the Logs • Event ID’s – Map them to YOUR ATT&CK Matrix • But you MUST enable the “Right Stuff” first – This is Configuration of the 3 C’s – 1GB Security Log gets you roughly 1 week of data – Some logs will get you a longer period • Windows Logging Cheat Sheet • Windows Advanced Logging Cheat Sheet • Windows PowerShell Logging Cheat Sheet • And other cheat sheets… MalwareArchaeology.com
  • 18. What is in the Logs • You can hunt them locally if you follow the Cheat Sheet(s) – Enabling Process command Line is key – Write a script or use a tool like LOG-MD to collect log data • Log Management/SIEM is optimal and you will get longer than a week worth of data MalwareArchaeology.com
  • 19. What is in the Logs • Push and run LOG-MD-Pro, PowerShell, or any script or tool can think of to query the logs • Process Command Line (4688) is a key indicator, New Service (7045), etc. • There are a lot of Event ID’s you can hunt for to indicate things that have happened • Data in IR Reports and the Cheat Sheets are a place to start for Event IDs and commands MalwareArchaeology.com
  • 20. What is in the Logs • Obvious Log Events such as – Suspicious PowerShell events (200-500, 4100-4104) • obfuscation, web calls, size of block, Base64, etc. – Logins (one account to multiple systems) (4624) – Process CMD Line – e.g. Rundll32 malware.dll (4688) – Quantity of Admin commands run in a short period – New Task (106) – New Service (7045) – What process called SeTcbPrivilege (Mimikatz) 4703 MalwareArchaeology.com
  • 21. Not in the Logs MalwareArchaeology.com
  • 22. Non-Logs MalwareArchaeology.com • Map them to YOUR ATT&CK Matrix • Run LOG-MD-Pro or other tool/script to collect things like – AutoRuns – WMI Persistence – Large Registry Keys (Data in a value that is large) – Null Byte in the registry (Interesting Artifacts) – Sticky Keys exploit (Interesting Artifacts) – Locked Files • Other artifacts from IR reports/Preso’s, etc.
  • 23. Non-Logs MalwareArchaeology.com • Use a tool that can query the OS to look for – Registry Keys, Values, Data – Files and Directories – Yes, hashes if you must • Dates can be stomped, but dates of keys and folders often are not • And you can look for ‘created in the last X hours or days’ if you compare to prior hunts
  • 24. Your Goal(s) • Elimination !!! • Eliminate that you do NOT have some known bad things, these will get you started, expand from there – Malicious AutoRuns – Malicious PowerShell – WMI Persistence – Large Registry Keys • These four items account for 90+% of all malware we have seen in the past 6+ years MalwareArchaeology.com
  • 26. My Top 10 Hunting Tools 1. Log Management (Splunk, Humio, ELK, Graylog) 2. Query the OS type tool (BigFix ROCKS!) 3. LOG-MD-Pro (details) 4. n/a 5. n/a 6. n/a 7. n/a 8. n/a 9. n/a 10. n/a MalwareArchaeology.com
  • 27. Tools to Query the OS • BigFix • Tanium • SCCM • OS Query • InvestiGator • Grr • PowerShell • Kansa • Old Fashioned scripts • EDR-IR tools (Cb, CrowdStrike, Endgame, Red Cloak, etc.) • LOG-MD-Pro (My personal favorite) MalwareArchaeology.com
  • 28. How do I hunt for PS? • Without Log Management? • Or with it, we consume LOG-MD-Pro logs into Log Management too MalwareArchaeology.com
  • 29. Resources • Mitre - ATT&CK Framework – attack.mitre.org/wiki/Main_Page • Endgame – The Endgame Guide to Threat Hunting – https://pages.endgame.com/rs/627-YBU- 612/images/The%20Endgame%20Guide%20to%20Threat%20Hunting%20- %20ebook.pdf • Sqrrl - Hunt Evil Your Practical Guide to Threat Hunting – https://sqrrl.com/media/Your-Practical-Guide-to-Threat-Hunting.pdf • SANS Poster – Find Evil – Digital- forensics.sans.org/media/poster_2014_find_evil.pdf MalwareArchaeology.com
  • 30. Resources LOG-MD.COM • Cyb3rWard0g/ThreatHunter-Playbook – https://github.com/Cyb3rWard0g/ThreatHunter- Playbook • beahunt3r/Windows-Hunting – https://github.com/beahunt3r/Windows-Hunting • ThreatHunting.net • ThreatHunting.org • Findingbad.blogspot.com
  • 31. Questions? LOG-MD.COM You can find us at: • Log-MD.com • @HackerHurricane • HackerHurricane.com (blog) • MalwareArchaeology.com – Cheat Sheets • Listen to the “Brakeing Down Incident Response” Podcast – BDIRPodcast.com