SlideShare uma empresa Scribd logo

SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event Logs

Mauricio Velazco
Mauricio Velazco

Hunting Lateral Movement with Windows Event Logs

Tecnologia
1 de 42
Baixar para ler offline
Hunting Lateral Movement with Windows Event Logs SANS Threat Hunting Summit 2018 Mauricio Velazco @mvelazco
$whoami ✘Peruvian ✘Recovering pentester, threat management lead ✘@mvelazco ✘Derbycon, Bsides, Defcon
1. Intro
✘Techniques that enable an adversary to access and control remote systems on a network. https://attack.mitre.org/wiki/Lateral_Movement Lateral Movement 😸
Attackers are forced to move in the environment
How? ✘Vulnerability Exploitation ✘Logon Scripts ✘Abusing application deployment software ✘Removable media ✘…… ✘Abusing Windows services/features Out of all the incident response engagements that we conducted; 100% of them involved the threat actor compromising valid credentials during the attack. https://www.fireeye.com/blog/threat-research/2015/08/malware_lateral_move.html “ ”
Windows Services used for LM ✘Server Message Block ( SMB ) ✘Service Control Manager (SCM) ✘Task Scheduler ✘Windows Management Instrumentation ( WMI ) ✘Windows Remote Management ( WinRM ) ✘Distributed Component Object Model ( DCOM ) ✘Remote Desktop
AppleScript Application Deployment Software DCOM Exploitation Logon Scripts Pass the Hash RDP Remote File Copy Remote Services Removable Media SSH Hijacking Shared WebRoot Tainted Shared Content Third party Software Win RM Windows Admin Shares (WMI, SCM, Task Sch) https://attack.mitre.org/wiki/Lateral_ Movement
2. The Events
Authentication Events ✘Account Logon -> Credential validation Occurs on the host that is authorative for the credentials ✘Logon/Logoff -> Creation & Destruction of Sessions Ocurrs on the host being accessed https://blogs.msdn.microsoft.com/ericfitz/2005/08/04/deciphering-account-logon-events/
Kerberos
NTLM
4768: Auth Tkt Requested DC Name Account Name Source Ip Keywords Account Logon Events 4769: Service Tkt Requested DC Name Account Name Service Name Client Address Keywords 4776: Credential Validation Computer Name Logon Account Source Workstation Error Code
Hunt Tip #1` ✘ Source Ip requesting TGS for several computers -> Domain Controller Logs Event=4769 And Service Name=*$ group by (Client Address ) where unique(Service Name) > [Threshold ] ✘ This behavior could represent An adversary moving laterally ( or helpdesk deploying software) Host enumeration ( file share, PowerUp Sql, etc ) Bloodhound
Hunt Tip #2` ✘ Possible Lateral Movement using NTLM -> Domain Controler Logs Event=4776 And (ComputerName=Dc1 Or …) group by (Source Workstation) Where unique(Computer Name) > [Threshold ] ✘ This behavior could represent: An adversary moving laterally using NTLM based hacking tools like: metasploit, impacket, crackmapexec, smbexec, etc
Logon/Logoff Events 4625 Computer Name Account Name Logon Type Src Workstation Name Src Network Address Status Sub Status 4624 Computer Name Account Name Logon Type Src Workstation Name Src Network Address
Hunt Tip #3` ✘ Possible Lateral Movement -> Computer Events Event=4624 Or Event=4625 And (Logon Type=3 Or Logon Type=10) group by (Src Network Address) Where unique(Computer Name) > [Threshold ] ✘ This behavior could represent: An adversary moving laterally ( or sysadmins working ) Password Spray / Brute Force Attack BloodHound
Services and Tasks ✘System Events 7045: Service Installed ✘Object Access 4698: A scheduled task was created 7045 Service Name Service File Path Service Account 4698 Account Name Task Name Task Content
TODO: WMI & WinRM ✘WMI-Activity/Trace Event 1: Start of the event sequence Event 2: Actual Event Event 3: End of the event sequence ✘Windows Remote Management Analytical Debug Operational 169: User Authentication
Hunt Tip #4: Edr For The Win ✘Services services.exe ✘WMI wmiprsve.exe ✘Windows Remote Management winrshost.exe wsmprovhost.exe ✘DCOM - MMC20 mmc.exe
Hunt Tip #4` ✘Possible Lateral Movement execution -> Sysmon Events Event=1 And (ParentImage=services.exe Or ParentImage... ... ) And (Image=cmd.exe Or Image=powershell.exe OR Image=mshta.exe Or Image=regsvr32.exe … …) 54 application whitelisting bypass techniques https://github.com/api0cradle/UltimateAppLockerByPassList
3. Oriana
Oriana 1.0 ✘Oriana is a threat hunting tool that leverages a subset of Windows events to run analytics and help defenders identify outliers and suspicious behavior in Windows environments. ○ Get-WinEvent & Export-CSV ○ Django Application, Python 2.7 ○ Bootstrap & DataTables
Oriana 1.0 Host 4624 User 7045 Service 4698 Task Wmi Event Cmdline 4625 5140
HunT 1: Services and Tasks ✘7045 & 4698 ✘Frequency Analysis on Unique Services Unique Tasks ✘Identify “Randomness” of Service Name Task Name
Hunt random: N-gram score ✘Reg expressions are based on a sample and lack context P r o d u c t W F P N e t M o n
DEMO 1
HunT 2: Possible Lateral Movement Event 4624 Type 3 4698 7045
HunT 2: Possible Lateral Movement Session ✘Assumption: Once access has been obtained, an attacker will profile or move laterally to more than one host. Group possible lateral movement events based on time ( X hour spans )
DEMO 2
Hunt 3: Outlier Users/Hosts ✘User # of unique successful authentication events # of unique failed authentication events # of unique hosts a user has authenticated to locally # of unique hosts a user has authenticated to remotely # of unique hosts a user has remotely failed to authenticate # of unique hosts a user has RDP to ✘Host # of unique users that authenticated to a host locally # of unique users that authenticated to a host remotely
DEMO 3
Hunt 4: Suspicious User Behavior
Status SubStatus Description 0xC000006D 0xC000006A Wrong password 0xc000015b 0x0 Acess denied 0xC000006D 0xC0000064 User does not exist 0xc000006e 0xc0000072 Account is disabled 4625: Status & SubStatus
SUB #1 : Privilege Enumeration ✘A user is failing to authenticate to a large number of hosts due to insufficient privileges for the requested logon type ✘This behavior could represent An adversary trying to execute remote commands ( failing ) An adversary trying to mount an administrative share An adversary enumerating privileges across the network An adversary running BloodHound (with no admin privs)
SUB #2 : High number of Destinations ✘A user is successfully authenticating to a large number of hosts ✘This behavior could represent An adversary executing code remotely An adversary enumerating privileges across the network An adversary running BloodHound (with admin privs )
SUB #3 : Roaming User ✘A user account is locally authenticating on several hosts ✘This behavior could represent Compromised credentials usage Credential sharing
SUB #4 : Local Account Spray ✘A local user account is trying to authenticating to a large number of hosts. ✘This behavior could represent An adversary moving laterally with a local account An adversary trying to brute force a local account
DEMO 4
Hunt 5: Suspicious Computer Behavior https://github.com/mvelazc0/Oriana
Oriana 1.0 ✘https://github.com/mvelazc0/Oriana Standalone Docker ! ✘https://medium.com/@mvelazco/ ✘@mvelazco
Hunting Lateral Movement with Windows Event Logs SANS Threat Hunting Summit 2018 Mauricio Velazco @mvelazco

Recomendados

Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Florian Roth
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wireInfoSec Addicts
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 

Recomendados

Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Florian Roth
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wireInfoSec Addicts
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Q radar architecture deep dive
Q radar architecture deep diveQ radar architecture deep dive
Q radar architecture deep diveKamal Mouline
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM ArchitectureNishanth Kumar Pathi
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SHRIYARAI4
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
Cyber Threat Hunting - Hunting in Memory at Scale
Cyber Threat Hunting - Hunting in Memory at ScaleCyber Threat Hunting - Hunting in Memory at Scale
Cyber Threat Hunting - Hunting in Memory at ScaleInfocyte
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Soc
SocSoc
SocMukesh Chaudhari
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security BenchmarkRahul Khengare
 
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitMauricio Velazco
 
Bsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementBsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementMauricio Velazco
 

Mais conteúdo relacionado

Mais procurados

Q radar architecture deep dive
Q radar architecture deep diveQ radar architecture deep dive
Q radar architecture deep diveKamal Mouline
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SHRIYARAI4
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
Cyber Threat Hunting - Hunting in Memory at Scale
Cyber Threat Hunting - Hunting in Memory at ScaleCyber Threat Hunting - Hunting in Memory at Scale
Cyber Threat Hunting - Hunting in Memory at ScaleInfocyte
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security BenchmarkRahul Khengare
 

Mais procurados (20)

Q radar architecture deep dive
Q radar architecture deep diveQ radar architecture deep dive
Q radar architecture deep dive
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SIEM : Security Information and Event Management
SIEM : Security Information and Event Management
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
 
Cyber Threat Hunting - Hunting in Memory at Scale
Cyber Threat Hunting - Hunting in Memory at ScaleCyber Threat Hunting - Hunting in Memory at Scale
Cyber Threat Hunting - Hunting in Memory at Scale
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
Soc
SocSoc
Soc
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 
CIS Security Benchmark
CIS Security BenchmarkCIS Security Benchmark
CIS Security Benchmark
 

Semelhante a SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event Logs

Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitMauricio Velazco
 
Bsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementBsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementMauricio Velazco
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Which Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItWhich Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItJamieWilliams130
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleGuardicore
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!Nahidul Kibria
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?Tomasz Jakubowski
 
Protecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareProtecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareQuick Heal Technologies Ltd.
 
Soho routers: swords and shields CyberCamp 2015
Soho routers: swords and shields CyberCamp 2015Soho routers: swords and shields CyberCamp 2015
Soho routers: swords and shields CyberCamp 2015Iván Sanz de Castro
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKAdam Pennington
 
Duck Hunter - The return of autorun
Duck Hunter - The return of autorunDuck Hunter - The return of autorun
Duck Hunter - The return of autorunNimrod Levy
 
Nimrod duck hunter copy
Nimrod duck hunter copyNimrod duck hunter copy
Nimrod duck hunter copyNimrod Levy
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDebra Baker, CISSP CSSP
 
Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablowISSA LA
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Adam Pennington
 
Understanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value AttacksUnderstanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value AttacksCyphort
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpJoann Davis
 

Semelhante a SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event Logs (20)

Derbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & ProfitDerbycon 2017: Hunting Lateral Movement For Fun & Profit
Derbycon 2017: Hunting Lateral Movement For Fun & Profit
 
Bsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral MovementBsides NYC 2018 - Hunting for Lateral Movement
Bsides NYC 2018 - Hunting for Lateral Movement
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Which Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItWhich Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against It
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at Scale
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!
 
Sguil
SguilSguil
Sguil
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
Protecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareProtecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry Ransomware
 
Soho routers: swords and shields CyberCamp 2015
Soho routers: swords and shields CyberCamp 2015Soho routers: swords and shields CyberCamp 2015
Soho routers: swords and shields CyberCamp 2015
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
 
Duck Hunter - The return of autorun
Duck Hunter - The return of autorunDuck Hunter - The return of autorun
Duck Hunter - The return of autorun
 
Nimrod duck hunter copy
Nimrod duck hunter copyNimrod duck hunter copy
Nimrod duck hunter copy
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptx
 
Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablow
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
 
Understanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value AttacksUnderstanding Malware Lateral Spread Used in High Value Attacks
Understanding Malware Lateral Spread Used in High Value Attacks
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 Aitp
 
Flipping the script
Flipping the scriptFlipping the script
Flipping the script
 

Mais de Mauricio Velazco

PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaMauricio Velazco
 
Detection-as-Code: Test Driven Detection Development.pdf
Detection-as-Code: Test Driven Detection Development.pdfDetection-as-Code: Test Driven Detection Development.pdf
Detection-as-Code: Test Driven Detection Development.pdfMauricio Velazco
 
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack SimulationsBlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack SimulationsMauricio Velazco
 
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary SimulationDefcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary SimulationMauricio Velazco
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksMauricio Velazco
 
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Mauricio Velazco
 
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue TeamBlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue TeamMauricio Velazco
 
LimaHack 2011 - Stuxnet : El arma del futuro
LimaHack 2011 - Stuxnet : El arma del futuroLimaHack 2011 - Stuxnet : El arma del futuro
LimaHack 2011 - Stuxnet : El arma del futuroMauricio Velazco
 
Peruhack 2015 - Cyberespionaje de Naciones
Peruhack 2015 - Cyberespionaje de NacionesPeruhack 2015 - Cyberespionaje de Naciones
Peruhack 2015 - Cyberespionaje de NacionesMauricio Velazco
 
PeruHack 2014 - Post Explotacion en Entornos Windows
PeruHack 2014 - Post Explotacion en Entornos WindowsPeruHack 2014 - Post Explotacion en Entornos Windows
PeruHack 2014 - Post Explotacion en Entornos WindowsMauricio Velazco
 
Limahack 2010 - Creando exploits para GNU/Linux
Limahack 2010 - Creando exploits para GNU/LinuxLimahack 2010 - Creando exploits para GNU/Linux
Limahack 2010 - Creando exploits para GNU/LinuxMauricio Velazco
 
Limahack 2009 - SSL no esta roto ... o si ?
Limahack 2009 - SSL no esta roto ... o si ?Limahack 2009 - SSL no esta roto ... o si ?
Limahack 2009 - SSL no esta roto ... o si ?Mauricio Velazco
 
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...Mauricio Velazco
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Mauricio Velazco
 
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...Mauricio Velazco
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Mauricio Velazco
 
LinuxWeek 2010 - Client Side Attacks
LinuxWeek 2010 - Client Side AttacksLinuxWeek 2010 - Client Side Attacks
LinuxWeek 2010 - Client Side AttacksMauricio Velazco
 

Mais de Mauricio Velazco (20)

PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal Asia
 
Detection-as-Code: Test Driven Detection Development.pdf
Detection-as-Code: Test Driven Detection Development.pdfDetection-as-Code: Test Driven Detection Development.pdf
Detection-as-Code: Test Driven Detection Development.pdf
 
BSides Panama 2022
BSides Panama 2022BSides Panama 2022
BSides Panama 2022
 
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack SimulationsBlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
BlackHat Arsenal 2021 : PurpleSharp - Active Directory Attack Simulations
 
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary SimulationDefcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
Defcon 29 Adversary Village: PurpleSharp - Automated Adversary Simulation
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
 
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
 
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue TeamBlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
BlackHat 2020 Arsenal - PurpleSharp: Adversary Simulation for the Blue Team
 
LimaHack 2011 - Stuxnet : El arma del futuro
LimaHack 2011 - Stuxnet : El arma del futuroLimaHack 2011 - Stuxnet : El arma del futuro
LimaHack 2011 - Stuxnet : El arma del futuro
 
Peruhack 2015 - Cyberespionaje de Naciones
Peruhack 2015 - Cyberespionaje de NacionesPeruhack 2015 - Cyberespionaje de Naciones
Peruhack 2015 - Cyberespionaje de Naciones
 
PeruHack 2014 - Post Explotacion en Entornos Windows
PeruHack 2014 - Post Explotacion en Entornos WindowsPeruHack 2014 - Post Explotacion en Entornos Windows
PeruHack 2014 - Post Explotacion en Entornos Windows
 
Limahack 2010 - Creando exploits para GNU/Linux
Limahack 2010 - Creando exploits para GNU/LinuxLimahack 2010 - Creando exploits para GNU/Linux
Limahack 2010 - Creando exploits para GNU/Linux
 
Limahack 2009 - SSL no esta roto ... o si ?
Limahack 2009 - SSL no esta roto ... o si ?Limahack 2009 - SSL no esta roto ... o si ?
Limahack 2009 - SSL no esta roto ... o si ?
 
Bsides Latam 2019
Bsides Latam 2019Bsides Latam 2019
Bsides Latam 2019
 
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...
 
Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#Defcon 27 - Writing custom backdoor payloads with C#
Defcon 27 - Writing custom backdoor payloads with C#
 
Bsides Long Island 2019
Bsides Long Island 2019Bsides Long Island 2019
Bsides Long Island 2019
 
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
Bsides Baltimore 2019: Embrace the Red Enhancing detection capabilities with ...
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
 
LinuxWeek 2010 - Client Side Attacks
LinuxWeek 2010 - Client Side AttacksLinuxWeek 2010 - Client Side Attacks
LinuxWeek 2010 - Client Side Attacks
 

Último

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 

Último (20)

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

SANS Threat Hunting Summit 2018 - Hunting Lateral Movement with Windows Event Logs

  • 1. Hunting Lateral Movement with Windows Event Logs SANS Threat Hunting Summit 2018 Mauricio Velazco @mvelazco
  • 2. $whoami ✘Peruvian ✘Recovering pentester, threat management lead ✘@mvelazco ✘Derbycon, Bsides, Defcon
  • 4. ✘Techniques that enable an adversary to access and control remote systems on a network. https://attack.mitre.org/wiki/Lateral_Movement Lateral Movement 😸
  • 5. Attackers are forced to move in the environment
  • 6. How? ✘Vulnerability Exploitation ✘Logon Scripts ✘Abusing application deployment software ✘Removable media ✘…… ✘Abusing Windows services/features Out of all the incident response engagements that we conducted; 100% of them involved the threat actor compromising valid credentials during the attack. https://www.fireeye.com/blog/threat-research/2015/08/malware_lateral_move.html “ ”
  • 7. Windows Services used for LM ✘Server Message Block ( SMB ) ✘Service Control Manager (SCM) ✘Task Scheduler ✘Windows Management Instrumentation ( WMI ) ✘Windows Remote Management ( WinRM ) ✘Distributed Component Object Model ( DCOM ) ✘Remote Desktop
  • 8. AppleScript Application Deployment Software DCOM Exploitation Logon Scripts Pass the Hash RDP Remote File Copy Remote Services Removable Media SSH Hijacking Shared WebRoot Tainted Shared Content Third party Software Win RM Windows Admin Shares (WMI, SCM, Task Sch) https://attack.mitre.org/wiki/Lateral_ Movement
  • 10. Authentication Events ✘Account Logon -> Credential validation Occurs on the host that is authorative for the credentials ✘Logon/Logoff -> Creation & Destruction of Sessions Ocurrs on the host being accessed https://blogs.msdn.microsoft.com/ericfitz/2005/08/04/deciphering-account-logon-events/
  • 12. NTLM
  • 13. 4768: Auth Tkt Requested DC Name Account Name Source Ip Keywords Account Logon Events 4769: Service Tkt Requested DC Name Account Name Service Name Client Address Keywords 4776: Credential Validation Computer Name Logon Account Source Workstation Error Code
  • 14. Hunt Tip #1` ✘ Source Ip requesting TGS for several computers -> Domain Controller Logs Event=4769 And Service Name=*$ group by (Client Address ) where unique(Service Name) > [Threshold ] ✘ This behavior could represent An adversary moving laterally ( or helpdesk deploying software) Host enumeration ( file share, PowerUp Sql, etc ) Bloodhound
  • 15. Hunt Tip #2` ✘ Possible Lateral Movement using NTLM -> Domain Controler Logs Event=4776 And (ComputerName=Dc1 Or …) group by (Source Workstation) Where unique(Computer Name) > [Threshold ] ✘ This behavior could represent: An adversary moving laterally using NTLM based hacking tools like: metasploit, impacket, crackmapexec, smbexec, etc
  • 16. Logon/Logoff Events 4625 Computer Name Account Name Logon Type Src Workstation Name Src Network Address Status Sub Status 4624 Computer Name Account Name Logon Type Src Workstation Name Src Network Address
  • 17. Hunt Tip #3` ✘ Possible Lateral Movement -> Computer Events Event=4624 Or Event=4625 And (Logon Type=3 Or Logon Type=10) group by (Src Network Address) Where unique(Computer Name) > [Threshold ] ✘ This behavior could represent: An adversary moving laterally ( or sysadmins working ) Password Spray / Brute Force Attack BloodHound
  • 18. Services and Tasks ✘System Events 7045: Service Installed ✘Object Access 4698: A scheduled task was created 7045 Service Name Service File Path Service Account 4698 Account Name Task Name Task Content
  • 19. TODO: WMI & WinRM ✘WMI-Activity/Trace Event 1: Start of the event sequence Event 2: Actual Event Event 3: End of the event sequence ✘Windows Remote Management Analytical Debug Operational 169: User Authentication
  • 20. Hunt Tip #4: Edr For The Win ✘Services services.exe ✘WMI wmiprsve.exe ✘Windows Remote Management winrshost.exe wsmprovhost.exe ✘DCOM - MMC20 mmc.exe
  • 21. Hunt Tip #4` ✘Possible Lateral Movement execution -> Sysmon Events Event=1 And (ParentImage=services.exe Or ParentImage... ... ) And (Image=cmd.exe Or Image=powershell.exe OR Image=mshta.exe Or Image=regsvr32.exe … …) 54 application whitelisting bypass techniques https://github.com/api0cradle/UltimateAppLockerByPassList
  • 23. Oriana 1.0 ✘Oriana is a threat hunting tool that leverages a subset of Windows events to run analytics and help defenders identify outliers and suspicious behavior in Windows environments. ○ Get-WinEvent & Export-CSV ○ Django Application, Python 2.7 ○ Bootstrap & DataTables
  • 25. HunT 1: Services and Tasks ✘7045 & 4698 ✘Frequency Analysis on Unique Services Unique Tasks ✘Identify “Randomness” of Service Name Task Name
  • 26. Hunt random: N-gram score ✘Reg expressions are based on a sample and lack context P r o d u c t W F P N e t M o n
  • 28. HunT 2: Possible Lateral Movement Event 4624 Type 3 4698 7045
  • 29. HunT 2: Possible Lateral Movement Session ✘Assumption: Once access has been obtained, an attacker will profile or move laterally to more than one host. Group possible lateral movement events based on time ( X hour spans )
  • 31. Hunt 3: Outlier Users/Hosts ✘User # of unique successful authentication events # of unique failed authentication events # of unique hosts a user has authenticated to locally # of unique hosts a user has authenticated to remotely # of unique hosts a user has remotely failed to authenticate # of unique hosts a user has RDP to ✘Host # of unique users that authenticated to a host locally # of unique users that authenticated to a host remotely
  • 33. Hunt 4: Suspicious User Behavior
  • 34. Status SubStatus Description 0xC000006D 0xC000006A Wrong password 0xc000015b 0x0 Acess denied 0xC000006D 0xC0000064 User does not exist 0xc000006e 0xc0000072 Account is disabled 4625: Status & SubStatus
  • 35. SUB #1 : Privilege Enumeration ✘A user is failing to authenticate to a large number of hosts due to insufficient privileges for the requested logon type ✘This behavior could represent An adversary trying to execute remote commands ( failing ) An adversary trying to mount an administrative share An adversary enumerating privileges across the network An adversary running BloodHound (with no admin privs)
  • 36. SUB #2 : High number of Destinations ✘A user is successfully authenticating to a large number of hosts ✘This behavior could represent An adversary executing code remotely An adversary enumerating privileges across the network An adversary running BloodHound (with admin privs )
  • 37. SUB #3 : Roaming User ✘A user account is locally authenticating on several hosts ✘This behavior could represent Compromised credentials usage Credential sharing
  • 38. SUB #4 : Local Account Spray ✘A local user account is trying to authenticating to a large number of hosts. ✘This behavior could represent An adversary moving laterally with a local account An adversary trying to brute force a local account
  • 40. Hunt 5: Suspicious Computer Behavior https://github.com/mvelazc0/Oriana
  • 42. Hunting Lateral Movement with Windows Event Logs SANS Threat Hunting Summit 2018 Mauricio Velazco @mvelazco