3. Outline
• What is Incident Response
• SOC/SIEM/use cases/alert
• What is Threat Hunting
• TTP/IOC/IOA/APT
• Use cases
4. Incident Response Life Cycle
Preparation → Detection and Analysis → Containment, Eradication and Recovery → Post-Incident Activity
5. IOC vs IOA
• Indicator of Compromise
  • Reactive indicators
  • Hash value, IP address, C2 domain, email address, registry keys, file name
• Indicator of Attack
  • Proactive indicators
  • Use of specific tools like PsExec, PowerShell commands, WMIC or other OS tools; application behavior
6. Tactics, Techniques and Procedures
• Collection of patterns of activities
• Divided into the different stages of the attack
7. Cyber Kill Chain
Reconnaissance → Weaponization → Delivery → Exploitation → Installation (Privilege Escalation) → Command and Control → Action on Objective (Exfiltration)
14. Example:
• Rare process executions
• Looking for specific malware file hashes
• Network communication to known C2 domains
• Presence of hacking tools like PsExec, netcat, scripts
• Execution of PowerShell, WMIC, cmd
15. TTP by Group
Group name | Tactic | TTP – ATT&CK framework | Windows/Sysmon EventID
OilRig, MuddyWater (Iranian threat group) | Persistence | T1053 – Scheduled Task | 129, 107
Fin7, Ke3chang, APT3 (actor operating from China) | Persistence | T1050 – New Service | 7045, 4697
APT32, Fin7 | Defense Evasion | T1170 – Mshta | 8004, 8002; C:\Windows\System32\mshta.exe, C:\Windows\SysWOW64\mshta.exe
APT18, Revenge RAT, njRAT | Persistence | T1060 – Registry Run / Startup Folders; T1112 – Modify Registry | 4656, 4657, 4663; look for changes made to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
APT32, Koadic | Defense Evasion, Execution | T1117 – Regsvr32 & Rundll32 | Sysmon Event 3: look for network connections made by regsvr32
Emotet | Execution | T1047 – Windows Management Instrumentation |
DragonFly, BADCALL (Lazarus Group) | Defense Evasion | T1089 – Disabling Security Tools | 2003, 2004, 2005, 2006
APT28 | Defense Evasion | T1070 – Indicator Removal on Host | 1102, 104
Ke3chang | Credential Access | T1003 – Credential Dumping | sekurlsa::logonPasswords
APT39 | Credential Access | T1003 – Credential Dumping (DCSync) | Filter on Event 4662 for DCSync: Object Server: DS; Properties: Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
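To show how the rows of this table become hunting logic, here is an added example (not part of the slide deck) that applies several of the mappings above to constructed Windows and Sysmon event records. Field names follow the Windows event schema; the exclusion of machine accounts (names ending in "$") from the DCSync rule is my own refinement beyond the slide, since domain controllers request replication rights legitimately.

```python
"""Apply the slide's TTP-to-EventID mappings to Windows/Sysmon events.
Added example, not from the slide deck; all events below are constructed."""

# Control-access right from the slide's DCSync row (DS-Replication-Get-Changes).
DS_REPL_GET_CHANGES = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
# Registry paths the slide says to watch (lower-cased, backslashes restored).
RUN_KEYS = (r"software\microsoft\windows\currentversion\run",
            r"software\microsoft\windows nt\currentversion\winlogon")
LOLBINS = {"regsvr32.exe", "rundll32.exe"}

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def classify(ev: dict):
    """Return the technique (old ATT&CK IDs, as on the slide) an event matches, else None."""
    eid, chan = ev["EventID"], ev.get("Channel", "Security")
    # DCSync: a non-DC account asking for replication rights. Skipping machine
    # accounts ("$") is an assumption added here; DCs replicate legitimately.
    if (eid == 4662 and ev.get("ObjectServer") == "DS"
            and DS_REPL_GET_CHANGES in ev.get("Properties", "")
            and not ev.get("SubjectUserName", "").endswith("$")):
        return "T1003 Credential Dumping (DCSync)"
    if eid in (4656, 4657, 4663) and any(
            k in ev.get("ObjectName", "").lower() for k in RUN_KEYS):
        return "T1060/T1112 Registry Run or Winlogon change"
    if chan == "Sysmon" and eid == 3 and basename(ev.get("Image", "")) in LOLBINS:
        return "T1117 Regsvr32/Rundll32 network connection"
    if eid in (7045, 4697):
        return "T1050 New Service"
    if eid in (1102, 104):
        return "T1070 Indicator Removal on Host (log cleared)"
    return None

def hunt(events: list) -> list:
    """Return (technique, host) pairs for every event that matches a rule."""
    return [(t, ev.get("Computer", "?")) for ev in events if (t := classify(ev))]

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe",
     "ObjectServer": "DS", "Properties": "Control Access " + DS_REPL_GET_CHANGES},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$",
     "ObjectServer": "DS", "Properties": "Control Access " + DS_REPL_GET_CHANGES},
    {"EventID": 4657, "Computer": "WS07",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"EventID": 3, "Channel": "Sysmon", "Computer": "WS07",
     "Image": r"C:\Windows\System32\regsvr32.exe", "DestinationIp": "203.0.113.5"},
    {"EventID": 1102, "Computer": "WS07"},
    {"EventID": 4624, "Computer": "WS07"},  # ordinary logon, should not match
]
```

Running `hunt(SAMPLE_EVENTS)` flags four of the six records; the DC machine account's 4662 and the plain logon pass through, which is the false-positive filtering a SIEM rule built from this table needs.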