Advanced APT Hunting with Splunk

Thank you for attending Advanced APT Hunting with Splunk. We hope you found it helpful.
Below are the reference materials and links mentioned throughout the workshop.

Depending on how many of the hunts you performed, some of these links will be more
relevant than others. For convenience, the links are grouped by hunt.

While the BOTSv2 data set and app that we used are not yet available, if you are interested in
hunting and investigating a Splunk BOTS data set, you have a few options. Below are links to
blogs and the data sets where you can learn more about downloading your own copy or using
our sandbox.

BOTS version 1 data set

Blog: https://www.splunk.com/blog/2018/05/10/boss-of-the-soc-scoring-server-questions-and-answers-and-dataset-open-sourced-and-ready-for-download.html
Data Set: http://explore.splunk.com/BOTS_1_0_datasets
Companion investigating app: https://splunkbase.splunk.com/app/3985/

Sandbox with the Data Set

Blog: https://www.splunk.com/blog/2018/05/03/introducing-the-security-datasets-project.html
Sandbox Site: http://live.splunk.com/splunk-security-dataset-project

Apps used during the workshop

Enterprise Security: https://splunkbase.splunk.com/app/263/
SA-Investigator: https://splunkbase.splunk.com/app/3749/
Sankey Visualization: https://splunkbase.splunk.com/app/3112/
URL Toolbox: https://splunkbase.splunk.com/app/2734/

If you want to learn more about some of the techniques that we touched on, check out the
Hunting with Splunk! Blog Series:
https://www.splunk.com/blog/2017/07/06/hunting-with-splunk-the-basics.html

Hunt 0
Quick search to get a list of all sourcetypes in a specific index, together with when each was
first seen and last seen:

| metadata type=sourcetypes index=botsv2
| eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S")
| eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S")
| eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S")
| sort - totalCount

Last Updated: December 2018 1


PowerShell Hunt
PowerShell: https://docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-6

PowerShell Empire: https://www.powershellempire.com/

GitHub site for PowerShell Empire: https://github.com/EmpireProject/Empire

Web Application Vulnerability Scanner: https://w3af.org

PowerShell.exe Command-Line Help: https://docs.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help?view=powershell-6

CyberChef: https://gchq.github.io/CyberChef

List of FTP commands for the Microsoft command-line FTP client:
http://www.nsftools.com/tips/MSFTP.htm

WHOAMI utility in Windows 7/8/10 and its use, syntax, commands:
https://www.thewindowsclub.com/whoami-windows

Wevtutil Command Reference: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil

Quickly Turn ON/OFF Windows Firewall Using Command Line:
http://techgenix.com/quicklyturnonoffwindowsfirewallusingcommandline/

Command-line build with csc.exe: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe

NET.exe Share: https://ss64.com/nt/net-share.html

MITRE ATT&CK Techniques Referenced

PowerShell - https://attack.mitre.org/wiki/Technique/T1086
Commonly Used Port - https://attack.mitre.org/techniques/T1043/
Data Encoding - https://attack.mitre.org/techniques/T1132/
Exfiltration Over Alternative Protocol - https://attack.mitre.org/techniques/T1048/
System Owner/User Discovery - https://attack.mitre.org/techniques/T1033/
Disabling Security Tools - https://attack.mitre.org/techniques/T1089/
Scheduled Task - https://attack.mitre.org/techniques/T1053/
Data from Network Shared Drive - https://attack.mitre.org/techniques/T1039/

Data Exfiltration – FTP
File Info on specific file extensions: https://fileinfo.com/extension/

MITRE ATT&CK Techniques Referenced

Exfiltration Over Alternative Protocol - https://attack.mitre.org/techniques/T1048/
Commonly Used Port - https://attack.mitre.org/techniques/T1043/
Remote File Copy - https://attack.mitre.org/techniques/T1105/
PowerShell - https://attack.mitre.org/wiki/Technique/T1086
Scripting - https://attack.mitre.org/techniques/T1064/

Data Exfiltration – DNS

Whois: http://whois.domaintools.com/hildegardsfarm.com

RiskIQ Community Edition: https://community.riskiq.com/login

MITRE ATT&CK Techniques Referenced

Exfiltration Over Alternative Protocol - https://attack.mitre.org/techniques/T1048/
Commonly Used Port - https://attack.mitre.org/techniques/T1043/

Adversary Infrastructure
Censys.IO: http://Censys.io

Robtex: https://www.robtex.com/ip-lookup/45.77.65.211

MITRE ATT&CK Technique Referenced

Acquire and/or use 3rd party infrastructure services - https://attack.mitre.org/techniques/T1329/

Spearphishing Attachment
MIME Types: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types

Whois: https://whois.domaintools.com/

CyberChef: https://gchq.github.io/CyberChef

VirusTotal: https://www.virustotal.com/#/home/search

MITRE ATT&CK Techniques Referenced

Acquire and/or use 3rd party software services - https://attack.mitre.org/techniques/T1330/

Spearphishing Attachment - https://attack.mitre.org/techniques/T1193/

User Execution
Phishing with Empire (Blog): https://enigma0x3.net/2016/03/15/phishing-with-empire/

MITRE ATT&CK Techniques Referenced

PowerShell - https://attack.mitre.org/techniques/T1086/
User Execution - https://attack.mitre.org/techniques/T1204/

Account Persistence
Windows Command Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720

Ultimate Windows Security Event Code Reference:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4648

MITRE ATT&CK Technique Referenced

Create Account - https://attack.mitre.org/techniques/T1136/

Scheduled Tasks
Schtasks.exe command reference:
https://msdn.microsoft.com/en-us/library/windows/desktop/bb736357(v=vs.85).aspx

MITRE ATT&CK Techniques Referenced

Scheduled Task - https://attack.mitre.org/techniques/T1053/
PowerShell - https://attack.mitre.org/wiki/Technique/T1086
Data Encoding - https://attack.mitre.org/techniques/T1132/

Clearing Audit Logs

Wevtutil Command Reference: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil

MITRE ATT&CK Techniques Referenced

Indicator Removal On Host - https://attack.mitre.org/techniques/T1070/
PowerShell - https://attack.mitre.org/wiki/Technique/T1086
Data Encoding - https://attack.mitre.org/techniques/T1132/

Reconnaissance
What is my browser: https://whatismybrowser.com

Web browser language identification codes: https://www.metamodpro.com/browser-language-codes

Whois: https://whois.domaintools.com/

RIPE Database Query: https://apps.db.ripe.net/db-web-ui/#/query

ExpressVPN: https://www.expressvpn.com/

MITRE ATT&CK Technique Referenced

Acquire and/or use 3rd party infrastructure services - https://attack.mitre.org/techniques/T1329/

Acquire OSINT Data Sets and Information

MIME Types: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types

MITRE ATT&CK Technique Referenced

Acquire OSINT data sets and information - https://attack.mitre.org/techniques/T1277/

Lateral Movement
Detecting Lateral Movement through Tracking Event Logs:
http://www.jpcert.or.jp/english/pub/sr/Detecting%20Lateral%20Movement%20through%20Tracking%20Event%20Logs_version2.pdf

JPCERT/CC Tool Analysis Result Sheet: https://jpcertcc.github.io/ToolAnalysisResultSheet/

Hunting Lateral Movement in Windows Infrastructure:
https://www.slideshare.net/votadlos/hunting-lateral-movement-in-windows-infrastructure

PowerShell Empire Invoke-WMI: https://www.powershellempire.com/?page_id=124

MITRE ATT&CK Techniques Referenced

Windows Management Instrumentation - https://attack.mitre.org/techniques/T1047/
PowerShell - https://attack.mitre.org/techniques/T1086/
Data Encoding - https://attack.mitre.org/techniques/T1132/

Data Staging
MITRE ATT&CK Techniques Referenced
Data Staged - https://attack.mitre.org/techniques/T1074/

Remote File Copy - https://attack.mitre.org/techniques/T1105/
Exfiltration Over Alternative Protocol - https://attack.mitre.org/techniques/T1048/

Additional Reading and Resources

SANS - The Who, What, Where, When, Why and How of Effective Threat Hunting:
https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785

NIST 800-61: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Pyramid of Pain: https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

Intelligence-Driven Incident Response: Outwitting the Adversary, Scott J. Roberts and Rebekah Brown
https://www.amazon.com/Intelligence-Driven-Incident-Response-Outwitting-Adversary-ebook/dp/B074ZRN5T7/ref=sr_1_fkmr0_1?ie=UTF8&qid=1545175707&sr=8-1-fkmr0

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf

The Design and Philosophy of ATT&CK
https://www.mitre.org/publications/technical-papers/mitre-attack-design-and-philosophy

The Diamond Model of Intrusion Analysis
http://www.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf

Applying the Diamond Model to Star Wars (Blog)
https://threatconnect.com/blog/diamond-model-threat-intelligence-star-wars/

Threat Hunting Webshells with Splunk, James Bower (Video)
https://www.youtube.com/watch?v=FEb8KZoEyzI

Building Threat Hunting Strategies with the Diamond Model:
http://www.activeresponse.org/building-threat-hunting-strategy-with-the-diamond-model/

Documentation Links for Search Commands Used:

Eval: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval
Fields: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fields
Metadata: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/metadata
Reverse: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/reverse
Rex: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/rex

Search: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/search
Sort: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/sort
Stats: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/stats
Table: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/table
Tstats: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/tstats
Timechart: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/timechart
Transaction: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transaction
Transpose: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transpose

Splunk Quick Reference: https://www.splunk.com/pdfs/solution-guides/splunk-quick-reference-guide.pdf

Splunk Search Reference:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/WhatsInThisManual
