”
Moment
SANS THIR Summit
John Stoner
October 2019
# whoami > John Stoner
• GCIA, GCIH, GCTI
• 20+ years of cyber security experience
• Creator of SA-Investigator for Splunk
• Blogger on Hunting and SecOps
• Symantec → ArcSight → Splunk - Principal Security Strategist
• @stonerpsu
• "I've seen them all": loves The Smiths and all 80's sadtimey music
• Training / Competition: Realistic, FUN!
Fast Forward Four Months
Why Do We Hunt?
What To Hunt For?
Models
With Great Power, Comes Great Responsibility
Thought and Planning Is Needed…
The hunt follows the scientific method:
• Ask A Question
• Background Research
• Construct a Hypothesis
• Experiment
• Analyze and Draw Conclusion
• Report Findings
Ask A Question
External stimuli (news, threat intelligence, etc.), for example this reference on the Windows command-line FTP client (ftp.exe):
http://www.nsftools.com/tips/MSFTP.htm
Construct a Hypothesis
Hypothesis - Exfiltration Over Alternative Protocol (MITRE ATT&CK T1048)
• Data exfiltration may occur via FTP
What Did I Learn?
• A filename with a .dll extension is used to obfuscate the script being passed to ftp.exe (via -s:)
• The same seven files were downloaded to two workstations on August 23
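As an added example (not code from the talk, nor from SA-Investigator), the two findings above can be turned into repeatable checks. Windows ftp.exe takes its command script via -s:<file> (and -i switches off interactive prompting for mget/mput), so a process-creation log can be searched for ftp.exe runs whose script file carries an extension other than the conventional .txt; and an FTP transfer log can be grouped to find the set of files downloaded on more than one host. The event shapes, the .txt allow-list and the sample records are constructed for this example; host names, file names and ftp arguments mirror the slides, but which host transferred which file is an assumption.

```python
"""Two checks that operationalise the FTP-exfiltration hypothesis.
Added example; event shapes and sample records are constructed."""
import re
from collections import defaultdict

# Conventional ftp.exe scripts are .txt; anything else (e.g. the .dll names
# seen in the hunt) is treated as masquerading. The allow-list is an assumption.
BENIGN_SCRIPT_EXTS = {".txt"}

_FTP_IMAGE_RE = re.compile(r'^\s*"?(?P<image>[^"\s]+)"?')
# -s:<file> or -s:"<file with spaces>"; ftp.exe is case-insensitive on the switch
_SCRIPT_ARG_RE = re.compile(r'(?:^|\s)[-/]s:(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)


def _basename(path):
    return re.split(r"[\\/]", path)[-1]


def ftp_script_from_cmdline(cmdline):
    """Return the -s: script path if cmdline invokes ftp.exe with one, else None."""
    m = _FTP_IMAGE_RE.match(cmdline)
    if not m or _basename(m.group("image")).lower() not in ("ftp", "ftp.exe"):
        return None
    s = _SCRIPT_ARG_RE.search(cmdline)
    if not s:
        return None
    return s.group("q") or s.group("u")


def find_masqueraded_ftp_scripts(events):
    """events: iterable of (host, command_line) from process-creation telemetry.
    Returns [(host, script_basename)] for ftp.exe runs whose script file
    does not carry a benign extension."""
    hits = []
    for host, cmdline in events:
        script = ftp_script_from_cmdline(cmdline)
        if script is None:
            continue
        name = _basename(script)
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext not in BENIGN_SCRIPT_EXTS:
            hits.append((host, name))
    return hits


def files_seen_on_multiple_hosts(transfers, direction="download", min_hosts=2):
    """transfers: iterable of (host, direction, filename) from FTP/firewall logs.
    Returns {filename: sorted hosts} for files moved in `direction`
    on at least min_hosts distinct hosts."""
    hosts_by_file = defaultdict(set)
    for host, d, filename in transfers:
        if d == direction:
            hosts_by_file[filename].add(host)
    return {f: sorted(h) for f, h in hosts_by_file.items() if len(h) >= min_hosts}


# Constructed sample records (assumed shapes, not the talk's dataset).
PROCESS_EVENTS = [
    ("wrk-btun",    r'ftp -i -s:C:\Windows\Temp\winsys64.dll'),
    ("wrk-klagerf", r'"C:\Windows\System32\ftp.exe" -i -s:C:\Windows\Temp\winsys32.dll'),
    ("wrk-klagerf", r'ftp -i -s:"C:\Users\klagerf\Documents\singlefile.dll"'),
    ("wrk-btun",    r'ftp -s:nightly.txt ftp.example.com'),      # conventional .txt script: not flagged
    ("wrk-btun",    r'notepad.exe C:\Users\btun\ftp-s-notes.txt'),  # not ftp.exe: ignored
]

COMMON_DOWNLOADS = ["dns.py", "nc.exe", "psexec.exe",
                    "python-2.7.6.amd64.msi", "wget64.exe", "winsys64.dll"]
FTP_TRANSFERS = (
    [("wrk-btun", "download", f) for f in COMMON_DOWNLOADS]
    + [("wrk-klagerf", "download", f) for f in COMMON_DOWNLOADS]
    + [("wrk-klagerf", "download", "winsys32.dll"),   # only one host: not reported
       ("wrk-klagerf", "upload", "frothly_passwords.kdbx"),
       ("wrk-btun", "upload", "topsecretyeast.pdf")]
)

if __name__ == "__main__":
    for host, script in find_masqueraded_ftp_scripts(PROCESS_EVENTS):
        print(f"{host}: ftp.exe ran script {script}")
    for f, hosts in sorted(files_seen_on_multiple_hosts(FTP_TRANSFERS).items()):
        print(f"{f} downloaded on {', '.join(hosts)}")
```

The first check keys on the image name and the -s: switch rather than on the script's extension alone, so a renamed ftp.exe would need a separate rule (hash or original file name from the PE header); the second check is direction-aware, so the same grouping run with direction="upload" shows which documents left more than one host.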
Report Findings
Visualize Your Hunt - FTP Exfiltration
[Diagram: FTP exfiltration, as laid out on the slide]
• Internal hosts: wrk-btun (IP: 10.0.2.107) and wrk-klagerf (IP: 10.0.2.109)
• Egress: Palo Alto Firewall (IP: 71.39.18.125)
• External FTP server: hildegardsfarm.com (IP: 160.153.91.7), reached with "FTP open hildegardsfarm.com"
• FTP arguments referenced: -i -s:winsys64.dll, -i -s:winsys32.dll, -i -s:singlefile.dll
• Downloads: dns.py, nc.exe, psexec.exe, python-2.7.6.amd64.msi, wget64.exe, winsys64.dll
• Uploads: frothly_passwords.kdbx, 496 pdfs, topsecretyeast.pdf (aborted); from wrk-btun, upload of topsecretyeast.pdf (blocked)
Blacklist Domains and IP
Parting Thoughts
Apply a Method to Your Hunt