"Hunting" is a key phase of the incident response lifecycle that aims to identify, on a proactive basis, unknown threats lurking in an environment. In practice, many hunting teams focus on searching for public or purchased IOCs - often representing intelligence that has already been burned. Hunting without specific leads is difficult, and every environment (and incident) has its own unique characteristics.
This presentation will provide analytic techniques that can identify generic evidence of post-compromise activity, with focus on the contemporary approaches that targeted attackers employ for credential harvesting, persistence, and lateral movement in Windows environments. It will illustrate sources of evidence that are ideal for at-scale anomaly analysis, and provide examples of how to effectively collect data and reduce noise.