This document discusses techniques for hunting bad guys on networks, including identifying client-side attacks, malware command and control channels, post-exploitation activities, and hunting artifacts. It provides examples of using DNS logs, firewall logs, HTTP logs, registry keys, installed software inventories, and the AMCache registry hive to look for anomalous behaviors that could indicate security compromises. The goal is to actively hunt for threats rather than just detecting known bad behaviors.

1. Hunting for Bad Guys
Author: Joff Thyer © 2016

2. About me
• Joff Thyer
• Senior Consultant, Pen Tester and Security Researcher
• Black Hills Information Security
• Security Weekly Co-Host
• SANS Instructor, SEC-573 Python for Pen Tester
• Twitter: @joff_thyer

3. Client Side Attacks
• Humans are more vulnerable than anything else
• Social Engineering opportunities abound
• Spear Phishing
• Phone Calls
• USB Drops
• People download and click, and run things all the time…

4. Client Side Approaches
• Exploit vulnerable
software
• Operating Systems and
Apps.
• Thank you Adobe…
• Browsers and mobile

5. Exploitation challenges
• Accuracy of recon
• What versions of software are people running?
• Defense software watching for exploitation behaviors
• Endpoint defense software signatures
• Address Space Layout Randomization (ASLR)
• Data Execution Prevention (DEP)
• The Enhanced Mitigation Experience Toolkit (EMET)

6. Client Side Approaches
• Just create the malware anyway…
• Why exploit vulnerable software when people will run stuff for you?
• Attractive Apps in Google Play Store
• Awesome spreadsheets – people love running macros!
• Java droppers
• Pretty websites

7. Malware C2 Channel
• Lots of possibilities for creating a C2 channel
• PowerShell Empire MS-Office Macro
• Metasploit Meterpreter MS-Office Macro
• Standalone Visual Basic (wscript / cscript)
• EXE’s and DLL content
• PowerShell Empire Script Stager
• DNSCAT2 covert DNS channel

8. Metasploit EXE’s still work…
• Msfvenom within Metasploit is still
very useful if you:
• Generate a 64-bit binary
• Use a legitimate windows binary as
template
• Use the “exe-only” option rather than
“exe”.

9. Msfvenom - write.exe w/ payload
• Windows x64 write.exe used as
template
• PE/COFF file “.text” section gets
modified with payload (space
permitting)
• Section header characteristics
gets modified to also be
writeable.
• Endpoint detection solutions
don’t seem to be detecting 64-bit
often.

10. C2 established, now what?
• Lets assume your spear phishing campaign has worked, and you have
an established beach head.
• Lets assume your goal is to ex-filtrate sensitive intellectual property
• Next steps?
• Further recon.
• Escalation
• Pivot / Lateral movement

11. Recon / Post Exploitation
• PowerShell Empire, Powerview, and Metasploit all have a rich
collection of post exploitation methods.
• Metasploit examples
• Winenum, enum_ad_users, enum_ad_groups, enum_ad_computers
• Metasploit’s ”extapi”. (thanks Carlos)
• adsi_computer_enum, adsi_dc_enum, adsi_group_enum
• PowerShell Empire / PowerView
• Invoke-ShareFinder
• Invoke-FileFinder
• Get-NetUser
• Get-NetComputer
• Invoke-UserHunter

12. Recon: BloodHound
• “BloodHound uses graph theory to reveal the hidden and often unintended
relationships within an Active Directory environment.”
https://github.com/adaptivethreat/BloodHound
• Gathers all the data in one single PowerShell applet
• Computers, Users, Groups, Sessions, Local Admins
• Download resulting “CSV” files, import into database, and visualize.
PS C:> Get-BloodHoundData | Export-BloodHoundCSV

13. Recon
• Even if you only have a simple backdoor shell
C:> NET USERS /DOMAIN
C:> NET GROUP “Domain Admins” /DOMAIN
C:> NET GROUP “Enterprise Admins” /DOMAIN
C:> NET GROUP “Domain Controllers” /DOMAIN
C:> NET LOCALGROUP Administrators
C:> NET VIEW /DOMAIN:CORP

14. Escalation Opportunities
• PowerShell Empire / PowerUp.ps1 / PowerSploit
• Group Policy Preferences (Get-GPPPassword)
• Invoke-AllChecks
• Unattended installation XML files with creds
• Files with sensitive credential data on shares
• Over-privileged users / medium integrity process / Bypass UAC
• Misconfigured services
• Misconfigured ACLs
• Unquoted Service Paths
• Improper permissions of service EXE files
• The Always Install Elevated registry key for MSI files.
• Path DLL hijacking
• Password Spraying!!

15. Pivoting / Lateral Movement
• Assuming we have a domain admin or widespread locally
administrative credential.
• Either with standalone commands, binaries, Metasploit, or Empire,
we can pivot…
• PSExec / Invoke-PSExec
• Invoke-WMI
• Invoke-PSRemoting

16. Hunt Teaming
• Actively looking for advanced attackers
• Advanced persistent pen-testers / attackers will bypass defenses
• Actively hunt for initial C2, and Post Compromise activity
• Must have close coordination with security and operations teams
• Must analyze lots of data and accelerate decision making

17. Hunt Teaming
• Assumes that defenses will be broken and a compromise will or has
already occurred
• A more data analytical approach to hunt for threats:
• Initial focus on a macro level rather than individual endpoints
• Examine patterns and behavior of live network activity
• Look for deviations from baseline behavior
• Examine artifacts of potential compromise
• Compare endpoint data in a larger group context
• How does endpoint citizen A deviate from citizen B?

18. Hunt Teaming: Baselines
• 20 Critical Security Controls
• https://www.cisecurity.org/critical-controls.cfm
• TOP 5:
• CSC#1: Inventory of Authorized and Unauthorized Devices
• CSC#2: Inventory of Authorized and Unauthorized Software
• CSC#3: Secure Configurations of Hardware and Software
• CSC#4: Continuous Vulnerability Assessment and Remediation
• CSC#5: Controlled Use Of Administrative Privileges

19. Hunting for C2: DNS Logs
• Log queries and count them
• Compare peer group endpoints
• They should all behave similarly
• Vast majority of queries will be “A”, ”CNAME” records
• What if one endpoint is:
• Receiving many NXDOMAIN responses
• Producing lots of lesser used query types (TXT, SOA, MX)
• Querying at a high frequency
• Count them all, produce mean, median and standard deviation

20. Hunting for C2: Proxy Logs
• Malware reliably depends on TCP port 80 (HTTP), and TCP port 443
(HTTPS).
• Malware often uses unusual HTTP User-Agent strings
• Count the frequencies of all user-agent strings over time
• Look very closely at the low frequency counts
• Examine the user-agent strings for legitimacy
• Look closely at the devices using unusual user-agent strings

21. Hunting for C2: Firewall Logs
• Obtain firewall logs with session setup and tear-down
• 48 hours or more of logging is preferred
• Create a script that parses the log and shows TCP
session length for all sessions in the log
• Sort the output in descending order of session length
• Specifically note any sessions that remain open
• Are long duration TCP sessions normal?

22. Hunting for C2: Beacons
• Use a sampling method across TCP/UDP connection tuples to
analyze frequency
• A Discrete Fast Fourier Transform (DFFT) can be used to
convert from the original “time” domain to a “frequency”
domain.
• DFFT application can be used to highlight regular beaconing.
• In other words, beacons will show up with a high correlation on
specific frequencies
• K-Means distance from nearest neighbor clustering
algorithms can be used also.

23. Hunting for C2: HTTP User-Agent
• Either from proxy, firewall logs, or from live traffic
• Obtain frequency count of all HTTP User-Agent headers over time.
• Ensure that the data being assessed are similar client side devices
• Sort the final count by frequency
• Analyze the least frequently seen User-Agent strings
• Compare with baseline software installation on devices.
• Squid proxy quick one liner…
# cat access.log.1 | cut -d']' -f2 | cut -d'"' -f6 | sort | uniq -c | sort -k 1,9 –rn

24. Hunting C2: HTTP URL Length
• RFC2616 does not explicitly limit URL length
• General recommendation that web servers should not rely on URLs >
255 chars
• Malware agents will often use long, and complex URLs
• Environment information encoded within URL
• Data content encoded with base64 within URL

25. Hunting for Credential Use
• We can use a ”Honey Tokens” technique to stage fake credentials in memory?
(Credential Canaries)
• C:> runas /user:CORPservicetech /netonly cmd.exe
• Make the credential look juicy…
• Like “servicetech” or ”localadmin” or similar
• So if attacker uses Mimikatz and/or dumps hashes from memory it is
attractive!
• If ANYONE attempts to use these account names, they are not your friend. LOOK for logon events
using this fake cred!!!!
• https://isc.sans.edu/diary/Detecting+Mimikatz+Use+On+Your+Network/19311

26. Hunting for Pivoting
• Might initiate with an SMB scan to determine neighboring systems
that can be logged into
• Remote login will be attempted with one of:
• PSExec
• WMI
• Windows Remoting / PSRemote

27. Hunting for Pivot: PSExec
• PSExec does the following:
• Logs into remote system
• Creates a new service to start a process
• Removes service once process has executed
• Noisy in event logs – System Event 7045
• Empire tells you: “not opsec safe”

28. PSExec Service Creation
• System Log Event 7045: Service Creation

29. Hunting for Pivot: WMI
• Very quiet in event logs – pretty much
nothing…
• You can enable WMI event tracing but
details are sparse
• Audit of “Process Creation” events
provides limited info.

30. Hunting for Pivot: WMI/PsExec
SysInternals Sysmon

31. Hunting: Useful Windows Event IDs
• Must collect events from workstations also!
• Security, and Application Event Logs
• 1102: Audit Log Cleared
• 4624 / 4625: Logon Success and Failure
• 4688: Process Creation
• 4720 / 4722: User Account Created / Enabled
• 4732: Member added to security enabled localgroup
• 7045: New service installed

32. Hunting: Who are you talking to?

33. Hunting Artifacts
• What software is installed across the domain?
• Do all workstations adhere to a single baseline?
• If not, why?
• What are the “Run”, and “RunOnce” registry keys across the
domain?
• Count strings by frequency and sort
• Look for low frequency counts

34. Hunting Artifacts: Domain Wide
• Use ADSI/LDAP to query for list of workstations
$DirSearcher = New-Object `
System.DirectoryServices.DirectorySearcher([adsi]’’)
$DirSearcher.Filter = ‘(objectClass=Computer)’
$DirSearcher.FindAll().GetEnumerator() `
| ForEach-Object { $_.Properties.name }
•OR, if you have RSAT then,
Get-ADComputer -Filter ‘ObjectClass -eq “Computer”’
| select -expand DNSHostName

35. Hunting Artifacts: Run/RunOnce Keys
$cred = Get-Credential
Invoke-Command -Credential $cred -ComputerName
myhostname -ScriptBlock {Get-Item
HKLM:SoftwareMicrosoftWindowsCurrentVersion
Run}
Invoke-Command -Credential $cred -ComputerName
myhostname -ScriptBlock {Get-Item
HKLM:SoftwareMicrosoftWindowsCurrentVersion
RunOnce}

36. Hunting: Run/RunOnce (WMI)
$HKLM = 2147483650
$reg_run = "SoftwareMicrosoftWindowsCurrentVersionRun"
$registry = Get-WmiObject StdRegProv `
-Namespace Root/Default `
-Credential $cred `
-ComputerName $Target –List
$enum = $registry.EnumValues($HKLM, $reg_run)
ForEach ($key in $enum.sNames) {
$value = ($registry.GetStringValue($HKLM, $reg_run, $key)).sValue
Write-Output " [+] $reg_run : $key = $value”
}

37. Hunting: Installed Software
Invoke-Command
-Credential $cred `
-ComputerName myhostname `
-ScriptBlock `
{Get-ItemProperty `
HKLM:SoftwareMicrosoftWindowsUninstall* `
| Select displayname, publisher, installdate}

38. Hunting Artifacts: WMIC
• WMI/WBEM is a really powerful way of getting information across the domain
C:> wmic product get name,version
C:>wmic /node:@systems.txt product get
description,name,vendor /format:csv > SoftwareInventory.txt
• The /node:@systems.txt allows you to run the same command on multiple systems. You do
not need to do this here. We are simply telling you how the file was created.

39. Hunting Artifacts: more WMIC
You can pull the
.exe
You can also pull
the registry keys

40. Hunting Artifacts: AMCache
• In Windows 8 and up, the AMCache registry hive is a part of the
application experience and compatibility features
• Formally known as “RecentFileCache.bcf” but some patched versions
of Windows 7 use “AMCache.hve” also.
• Its all part of the Microsoft compatibility SHIM infrastructure.
• Sweet! Microsoft Windows has its own rootkit!
• Google: “amcache goldmine” (Yogesh Katri)
• http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html

41. Hunting Artifacts: AMCache
• The Application Experience toolkit stores a lot of interesting
information into the AMCache registry hive.
• This becomes a really good place to perform forensic activities.

42. Hunting Artifacts: AMCache
• Information that is stored in this hive includes:
• Full executable path
• Created and modified timestamps
• SHA1 hash of the file
• PE linker timestamp
• PE header data and some file version info

43. Hunting Artifacts: AMCache
• Using PowerShell we can perform some recursion through
the AMCache hive
• Local administrator access required.
• You will probably find that the registry hive file is locked by
the application experience service processes
• Volume Shadow Copies are your friend
• Create or use existing volume shadow copy
• Mount the registry hive in PowerShell and explore…

44. Hunting Artifacts: AMCache

45. Hunting Artifacts: AMCache
• you can visit my BitBucket repo, and fetch a script to do similar
things…
• https://bitbucket.org/jsthyer/getamcache

46. Conclusion
• Move from detecting known bad, to seeking out probable threats.
• Leverage the design of your networks, and/or consider new design
elements to help show you probable threats!
• Move beyond what outside security vendors consider is a threat to
what YOU consider to be a threat.
• There are never silver bullets, only hard work.
• Happy Hunting!