2. whoami
Jack Crook (@jackcr)
Principal Incident Responder, GE-CIRT
Husband of 23 or 24 years?
Father of 4
Grandfather of 1
Finder of Bad Guys
5. How I think about threat hunting
Hypothesis driven approach for identifying malicious
behavior within my environment.
These hypotheses are derived from:
First hand knowledge
Internally developed intel
Trusted partner sharing
Public reporting
Utilize kill chain to focus efforts
6. The three most important questions
What am I looking for?
Why am I looking for it?
How do I find it?
9. Reasons
Why do we seem to flounder in that “sea of data”?
Scope of hunt is not properly defined
Scope of hunt is too broad
We try to catch all instances of bad with a single query
We focus on a single method of finding the indicator
We focus on singular events to attempt to draw conclusions
We look for actions instead of behaviors
13. High level hypotheses
Comprised of multiple actions
Actions typically happen over short time spans
Will often use legitimate windows utilities
Will often use tools brought in with them
Will often need to elevate permissions
Will need to access various machines
Will need to access files on filesystems
23. The thought
Can we take interesting data, that doesn’t always point to
malicious activity, and cluster it in a way that will surface actions
often used by attackers?
24. How do we get there
Develop queries for specific actions based on attacker needs
Accuracy of query is key
Volume of output is not
Enhance data with queries from detection technologies
Store output of queries in central location
Each query makes a link
The sum of links make up a chain
26. Consider the following commands
copy bad.exe \\192.168.56.10\c$\temp\bad.exe
dir \\192.168.56.10\c$\temp
wmic /node:192.168.56.10 /user:administrator /password:pass process call create "bad.exe"
32. Data Movement Source to Dest
Windows Security Event ID = 5145
ObjectType = File
Share Name = *$
Access Mask = 0x1000180
Access Mask = 0x80
Access Mask = 0x130197
Bucket 3 events within 1 sec by ComputerName
33. Enumeration Remote Dir $ Share
Windows Security Event ID = 5145
Share Name = *C$
Share Name = *ADMIN$
Access Mask = 0x100080
Source Address != 127.0.0.1
34. Execution WMIC Remote Host
Windows Security Event ID = 4688
Windows Security Event ID = 4624
LogonType = 3
Source Network Address != “”
Search Process = wmiprvse.exe
List additional processes spawned within the same second
35. Authentication Suspicious 4648 Logon
Windows Security Event ID = 4648
Process Name = wmic.exe
Target Server Name != localhost
Target Server Name != *$
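The link-and-chain idea from slide 24, applied to the four queries on slides 32 to 35, as an added worked example (this is not code from the talk, and the events it runs over are constructed sample data, not real logs). Field names such as Computer, ShareName, AccessMask, SourceNetworkAddress and TargetServerName are an assumed normalised schema; real SIEM field names will differ. Each query emits a link keyed on the destination host; the 4648 link is keyed on its Target Server Name so that source-side and destination-side evidence land in the same chain. Links on one host inside a short window form a chain, and only hosts with at least two distinct link types surface, which is what turns a pile of low-fidelity 5145s into something worth looking at.

```python
"""Cluster low-fidelity Windows Security events into behaviour chains.

Each link_* function is one query from the talk. build_chains() is the
central store plus clustering step. Sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def share(computer, mask, src, when, name="\\\\*\\C$"):
    # Constructed 5145 (network share object access) event.
    return {"EventID": 5145, "Computer": computer, "ObjectType": "File",
            "ShareName": name, "AccessMask": mask, "SourceAddress": src, "Time": when}

# Constructed sample data: copy -> dir -> wmic from 10.0.0.5 (SRC01) to DEST01,
# plus two noise events that should not form a chain on their own.
EVENTS = [
    share("DEST01", "0x1000180", "10.0.0.5", "2017-03-01 10:00:00"),   # copy bad.exe
    share("DEST01", "0x80",      "10.0.0.5", "2017-03-01 10:00:00"),
    share("DEST01", "0x130197",  "10.0.0.5", "2017-03-01 10:00:00"),
    share("DEST01", "0x100080",  "10.0.0.5", "2017-03-01 10:00:04"),   # dir \\DEST01\c$\temp
    {"EventID": 4648, "Computer": "SRC01", "Time": "2017-03-01 10:00:09",
     "ProcessName": "C:\\Windows\\System32\\wbem\\wmic.exe", "TargetServerName": "DEST01"},
    {"EventID": 4624, "Computer": "DEST01", "Time": "2017-03-01 10:00:09",
     "LogonType": 3, "SourceNetworkAddress": "10.0.0.5"},
    {"EventID": 4688, "Computer": "DEST01", "Time": "2017-03-01 10:00:09",
     "NewProcessName": "C:\\temp\\bad.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\wmiprvse.exe"},
    share("FILE02", "0x100080", "10.0.0.9", "2017-03-01 11:30:00", "\\\\*\\ADMIN$"),  # lone admin dir
    share("DEST01", "0x100080", "127.0.0.1", "2017-03-01 12:00:00"),  # local, excluded
]

def link_data_movement(events, min_events=3):
    """Slide 32: write-style 5145s to an admin share, bucketed per host per second."""
    masks = {"0x1000180", "0x80", "0x130197"}
    buckets = defaultdict(int)
    for e in events:
        if (e["EventID"] == 5145 and e.get("ObjectType") == "File"
                and e["ShareName"].endswith("$") and e["AccessMask"] in masks):
            buckets[(e["Computer"], ts(e["Time"]))] += 1
    return [("data_movement", host, t) for (host, t), n in buckets.items() if n >= min_events]

def link_enumeration(events):
    """Slide 33: directory listing of a remote C$ or ADMIN$ share."""
    return [("enumeration", e["Computer"], ts(e["Time"])) for e in events
            if e["EventID"] == 5145 and e["ShareName"].upper().endswith(("C$", "ADMIN$"))
            and e["AccessMask"] == "0x100080" and e["SourceAddress"] != "127.0.0.1"]

def link_wmi_execution(events):
    """Slide 34: child of wmiprvse.exe with a type-3 logon on the same host, same second."""
    logons = {(e["Computer"], ts(e["Time"])) for e in events
              if e["EventID"] == 4624 and e["LogonType"] == 3 and e.get("SourceNetworkAddress")}
    return [("wmi_execution", e["Computer"], ts(e["Time"])) for e in events
            if e["EventID"] == 4688 and e["ParentProcessName"].lower().endswith("\\wmiprvse.exe")
            and (e["Computer"], ts(e["Time"])) in logons]

def link_explicit_creds(events):
    """Slide 35: wmic.exe using explicit credentials against a remote host (keyed on target)."""
    return [("explicit_creds", e["TargetServerName"], ts(e["Time"])) for e in events
            if e["EventID"] == 4648 and e["ProcessName"].lower().endswith("\\wmic.exe")
            and e["TargetServerName"].lower() != "localhost"
            and not e["TargetServerName"].endswith("$")]

LINK_QUERIES = [link_data_movement, link_enumeration, link_wmi_execution, link_explicit_creds]

def build_chains(events, window=timedelta(minutes=5), min_links=2):
    """Slide 24: store every link centrally; links on one host within `window`
    form a chain, surfaced only if they cover >= min_links distinct link types."""
    store = defaultdict(list)
    for query in LINK_QUERIES:
        for name, host, t in query(events):
            store[host].append((t, name))
    chains = []
    for host, links in store.items():
        links.sort()
        cluster = [links[0]]
        for item in links[1:] + [None]:
            if item is not None and item[0] - cluster[0][0] <= window:
                cluster.append(item)
                continue
            kinds = [n for _, n in cluster]
            if len(set(kinds)) >= min_links:
                chains.append({"host": host, "start": cluster[0][0], "links": kinds})
            if item is not None:
                cluster = [item]
    return chains

if __name__ == "__main__":
    for chain in build_chains(EVENTS):
        print(chain["host"], chain["start"], " -> ".join(chain["links"]))
```

The window and the minimum number of distinct links are the knobs to experiment with (slide 38): a one-second bucket is right for the copy burst, but the chain window has to be wide enough to span copy, dir and execution typed by a human.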
37. Feed the Beast
Windows Events
Sysmon
Powershell
AV
Whitelisting
Flow
NIDS/HIDS
38. Considerations
Normalization of fields across data sources
Standardization of time zones across logs
Build queries to surface behaviors on both source and dest
Identify attacker needs not yet covered by a query, as opportunities for additional links
Experiment with different methods of clustering
39. Benefits
Huge reduction in high volume events
Generates dynamic clusters of “interesting”
Surface patterns of behavior that may otherwise be missed
Can be used for all phases of the Kill Chain
Can cluster behaviors across multiple data sources