Threat actors and criminal groups have traditionally been ahead of the detection curve, circumventing automated defences and stealthily compromising entire enterprises. As defenders, it is crucial to adopt an offensive mindset to level the playing field.
In this presentation, we will first discuss the various techniques threat actors use to stealthily compromise an entire organisation. Next we will look at detection: using open source tooling, we will discuss how defenders can hunt for evidence of compromise by adopting an offensive mindset.
4. PUBLIC
THREAT HUNTING
First discussed in the mid-2000s by the NSA / US Air Force.
Definition of hunting in the US Army LandCyber White Paper, released in 2013:
“cyber hunt teams will work inside the Army enterprise to actively search for and locate threats that have penetrated the Army enterprise, but not yet manifested their intended effects.”
“Counter-reconnaissance, or hunt forces, will work within Army networks to maneuver, secure, and defend key cyberspace terrain, identifying and defeating concealed cyber adversaries that have bypassed the primary avenues of approach monitored by automated systems”.
http://dtic.mil/dtic/tr/fulltext/u2/a592724.pdf
IN SHORT
• Actively hunting for threats
• Responding to them in real time
• Assume threats have bypassed automated defences
WHAT'S EDR
• Endpoint detection and response
• Agent installed on an endpoint
• Collects process logs, autoruns, etc.
• Response functions such as file capture, dumping of process memory, host isolation
AGENDA
• How do bad guys attack
• How to detect attacks on Windows machines
ATTACK SCENARIO
• Acme corporation is a financial corporation based in Singapore. Loony Tunes corporation, a small start-up in the same industry, hires a freelance hacker to steal sensitive information from Acme.
WHY POWERSHELL
• Installed by default on many Windows systems
• Many open-source frameworks
• Contains many useful functions to leverage
ENTER .NET ATTACKS
• Minimal process or command line logging
• Requires the .NET Framework to be installed on the Windows machine
.NET TO JSCRIPT
• Embeds a serialised C# object into an HTA file
• Upon deserialization, the object can be used to run malicious C# code
• Technique discovered by James Forshaw
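A hunting heuristic for the slide above, added here as an example and not part of the presentation: a .NET BinaryFormatter stream always opens with a fixed SerializationHeaderRecord, so a base64 string inside an HTA or JScript file that decodes to that header is a strong indicator of an embedded serialised object. The sample HTA, the 40-character base64 threshold and the keyword list are constructed assumptions for illustration.

```python
import base64
import re

# .NET BinaryFormatter streams open with a SerializationHeaderRecord:
# RecordTypeEnum 0x00, RootId=1, HeaderId=-1, MajorVersion=1, MinorVersion=0.
BINARYFORMATTER_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")

# Base64 alphabet runs long enough to carry an object graph (threshold is an assumption).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

# Weaker textual indicators; this list is an assumption, not a DotNetToJScript signature.
HINT_KEYWORDS = (b"Deserialize", b"BinaryFormatter", b"ActiveXObject")


def find_serialized_dotnet_blobs(data: bytes):
    """Return (offset, decoded_length) for every base64 run in `data` whose
    decoded bytes start with the BinaryFormatter header. Blobs split across
    string concatenations must be joined by the caller before scanning."""
    hits = []
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        try:
            decoded = base64.b64decode(run + b"=" * (-len(run) % 4), validate=True)
        except ValueError:  # not valid base64 after all (binascii.Error is a ValueError)
            continue
        if decoded.startswith(BINARYFORMATTER_HEADER):
            hits.append((m.start(), len(decoded)))
    return hits


def hunt_hta(data: bytes) -> dict:
    """Score one HTA/JScript file: an embedded BinaryFormatter stream alone is
    enough to flag it; keywords are reported as supporting context only."""
    hits = find_serialized_dotnet_blobs(data)
    return {
        "serialized_blobs": len(hits),
        "offsets": [offset for offset, _ in hits],
        "keywords": [k.decode() for k in HINT_KEYWORDS if k in data],
        "suspicious": bool(hits),
    }


def build_sample_hta() -> bytes:
    """Constructed test input (not a real payload): the header followed by zero
    filler, which is not a valid object graph and carries no code."""
    blob = base64.b64encode(BINARYFORMATTER_HEADER + b"\x00" * 32)
    return (b'<html><head><script language="JScript">\n'
            b'var s = "' + blob + b'";\n'
            b'</script></head></html>\n')


if __name__ == "__main__":
    print(hunt_hta(build_sample_hta()))
```

Run it over a directory of collected HTA/JS files to triage which ones warrant deserialization review; files that only trigger keywords without a header hit are low confidence.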
DYNAMIC LINK LIBRARY 101
• Shared library which contains functions to be used by other applications
• Don’t have to rewrite code that is already written