Threat Hunting Workshop Process Guide
Table of Contents

Event Schedules (p. 3)
    Executive Briefing (1 hour) (p. 3)
    Threat Hunting Lab (2 hours) (p. 3)
    Threat Hunting Workshop (all day) (p. 3)
911 – Lab Help (p. 4)
Lab Setup (p. 5)
    Console URLs and Credentials (p. 5)
    2-Factor Authentication (p. 5)
    Kahoot Quizzes
Lab Walkthroughs (p. 10)
    Lab 1 – Olympic Destroyer (p. 10)
        Scenario (p. 10)
        Walkthrough (p. 10)
        Worksheet Solution Review (p. 11)
    Lab 2 – Bifrost (p. 14)
        Scenario (p. 14)
        Walkthrough (p. 14)
        Worksheet Solution Review (p. 15)
    Lab 3 – Poweliks (p. 16)
        Scenario (p. 16)
        Walkthrough (p. 16)
        Worksheet Solution Review (p. 17)
    Lab 4 – Threat Hunting (p. 19)
        Scenario (p. 19)
        Walkthrough (p. 19)
        Tips for Lab 4 (p. 20)
        Worksheet Solution Review (p. 21)
Administrative Notes 2
Process Guide v. 1535542487 Cisco Advanced Threat Solutions Team
Event Schedules
911 – Lab Help
The Threat Hunting Workshop War Room in WebEx Teams is the primary support channel for
scheduling, setting up, and running the Workshops. If anything breaks in the Threat Lab, ping
an expert in the War Room:

Issue          Contact
Lab Support    Join the Threat Hunting Workshop War Room in WebEx Teams: https://eurl.io/#S1mQOXQCz

For specific requests, if you do not have access to the War Room, use the following contacts:

Issue                          Contact
AMP Lab Account                Email amp-tier3@cisco.com
Kahoot / Authy / lab setup     Email threatlab@cisco.com
Time Critical / Last Resort    Contact Brandon Newport via cell, Spark, or email
Lab Setup
This lab environment uses demo data running in one AMP for Endpoints account which is linked
to Cisco Threat Response and Threat Grid. Umbrella has a separate account with the same
username and password as the AMP for Endpoints account. The account credentials will be
provided to the lab proctor in a Quick Reference Guide.
2-Factor Authentication
The lab relies on 2FA being enabled on the AMP account, because command line activity is only visible when 2FA is on.
Lab proctors should add the Threat Lab 2FA account to their Authy accounts using the QR code
provided in the proctor’s Quick Reference Guide. This QR code is specific to the lab pod
assigned for the Workshop.
If technically feasible, the ideal lab setup includes a large-screen TV or projector showing a slide
show that includes a timeline and login information. This slide deck is available on Box at
https://cisco.box.com/v/threathuntingworkshopslides. The agenda slide has space available for
the Authy desktop app that can continually display the 2FA code during the lab. While most
users will check the 30-day option when logging in, some users may not, or may use a different
browser session, and will need to see the 2FA code.
To set up the desktop Authy app, you must first enable account sync within the Authy mobile
app. Go to Settings > Accounts and enable Authenticator Backups with a backups password of
your choice.
Next, set up the Authy desktop app. Go to https://authy.com/download/ and select Windows
64-bit from the Desktop Direct Download page:
Open the desktop app and enter your Backups Password to sync your accounts from your
mobile device to the desktop app:
This desktop app will now display your 2FA codes. Open the Threat Lab account and display it
on screen during the account setup process:
Kahoot Quizzes
You will need to plan on sharing your web browser on a screen that all participants can see, in
order to view the questions.
Click on Log in, found in top right corner, and use the following credentials:
Username: threatlab@cisco.com
Password: C1sco12345!
Once logged in, click on “Kahoots” in the top menu bar, and then click on “My Kahoots” on the
left. You will then be presented with a list of the available Kahoot quizzes.
There may be other quiz names in the list; however, there is one quiz intended to be run after
each lab. Note the following quiz names:
Click on the Play button next to the quiz you want to run. Once the next screen loads with the
Quiz title, click under “Game Options” and ensure that “Randomize order of answers” is turned
on. Leave all other options at the defaults, and then click on the green “Classic” button.
Once the quiz loads, you will need to share your web browser on the screen so that the
participants can see the questions, as well as the PIN needed to join the game.
Participants can join by going to http://kahoot.it and using the game PIN. They can use their
web browser on their laptops, or on mobile, or use the mobile Kahoot app to play. Note that
the mobile app is not required, and having the participants use the web browser on their
laptops is recommended.
Click on “Start” once all participants have joined. Please note, you will need to click on “Next”
after each question, and after the scoreboard is displayed between questions. You can also
pause for dramatic effect, or for the participants to complain about the quality of the questions.
Once the quiz is complete, the podium will be displayed with the winners. The results will be
saved automatically in the Kahoot account, in the “My results” section.
Lab Walkthroughs
Lab 1 – Olympic Destroyer
Scenario: The CIO read a front-page news article on something called “Olympic Destroyer”,
which was recently used to disrupt the Winter Olympic Games in Pyeongchang. The news
article suggests that other threat actors may be able to reuse this malware in a commodity
attack against other targets. The CIO is asking if our security products are already blocking this
threat or if we need to update to be protected.
Walkthrough
Note – the events for the Demo_AMP_Intel host are injected with a different timestamp than
the other demo systems, typically 3-4 weeks prior to the date that demo data was enabled.
This means that any AMP Console reports or dashboards that are filtered to show the last 7
days or last 14 days of data will not include results for Demo_AMP_Intel. This primarily affects
the Vulnerable Applications section of the Worksheet. To easily find the Vulnerable
Applications listed for this host, you can go to the Events page filtered for this endpoint by
following these steps:
1. From Threat Response, pivot on the hostname and click “Search for this hostname”
from the AMP for Endpoints section:
2. Find and click on the computer name in the AMP Console’s Search Results page:
3. Expand the Computer Management card and click “Events” in the bottom left corner:
5. In the Event Type text box, start typing “vulnerable” to bring up the Vulnerable
Application Detected category:
6. Note the resulting vulnerabilities (Internet Explorer version 11 and Outlook 2016).
Lab 2 – Bifrost
Scenario: One of your users was phished. The attacker was very careful, using a legitimate
email account belonging to an employee of a catering company that you’ve done business with
in the past. The email didn’t contain any active code or malicious attachments – just a link to a
website that looked very similar to a portal that is sometimes used for invoicing, but in this
case, the “invoice” was actually a powerful piece of malware. We were able to trace the name
of the file that was downloaded by querying our firewall, which intercepted the file and sent it
to the cloud sandbox for analysis. Unfortunately, the file was already on its way to the victim’s
computer when the alert came back for a malware detection.
Walkthrough
11. Look for the source: filter Device Trajectory (DT) for "invoice-1563" and observe that the
    zip was downloaded by iexplore.exe
12. Investigate the other PC, Demo_Zbot, and observe that it is in audit-only mode
Lab 3 – Poweliks
Scenario: It’s early in the workday and you log in to AMP and see a lot of activity in the
dashboard. In fact, if you look at your Inbox tab, you might see several systems with dozens or
even hundreds of individual malware detection events. Which system should we start with?
How do we find out what happened and protect our endpoints so that the intrusion does not
happen again?
Walkthrough
17. Research the two new targets (Exploit Prevention and Exploit Prevention Audit) in
    AMP’s Device Trajectory
    a. Pivot into Device Trajectory from the NFM / AMP Event in the Sightings for the
       Dorkbot malware hash
       i. Observe that the malware was dropped by PowerShell
       ii. Observe that the malware was quarantined by Cloud Recall
       iii. Observe the outbound connection to the “legitmalware.xyz” URL
       iv. Re-filter Device Trajectory on legitmalware.exe
       v. Observe the Firefox DFC event reaching out to legitmalware.exe
    b. Pivot into Device Trajectory for Demo_AMP_Exploit_Prevention (the other
       target) using the Connector GUID pivot menu
       i. Observe vulnerable app detected (Firefox)
       ii. Observe the “Exploit Prevented” event for Firefox
       iii. Observe the same Firefox DFC event from the other Exploit Prevention
            demo system, indicating that Exploit Prevention blocked the attack
            before it could drop Dorkbot on this machine.
Lab 4 – Threat Hunting
Scenario: John Doe from Human Resources is working on hiring additional security engineers for
your department. Unfortunately, this morning John let you know that he tried to open a
resume from an email attachment, but it did not open correctly - instead of a document, he saw
a command prompt window pop up on his desktop. John doesn't remember anything about
the email message subject, sender, or file attachment name, but he did take a screen capture of
his desktop.
Walkthrough
1. The command prompt window shows the filename and file path:
   "C:\Users\johndoe\Desktop\resume.exe".
2. Search for the filename in Threat Response. Type file_name:"resume.exe"
3. Observe: malicious SHA256, file path matches from screenshot
4. Pivot into TG (Threat Grid) to discover what the malware is
   a. Poison Ivy (remote command shell, keylogging, screenshot, etc.)
   b. Outbound HTTP GET to ret.space:80/checkin and /command URLs
   c. Files uploaded to remote IP/domain ret.space
   d. Cmd.exe process executed (net use, net user)
   e. New user account created
5. Add ret.space to the Threat Response investigation
6. Pivot to AMP for Endpoints to find out how the malware got in
   a. Created by powershell
   b. Quarantined by Cloud Recall
7. Refocus on powershell
   a. IOCs
   b. Domain connection from Powershell
   c. Executed by winword
8. Refocus on winword
   a. Executed by explorer
   b. Command line: C:\Users\johndoe\Desktop\resume.docm
9. Refocus on resume.docm
   a. Created by outlook.exe (confirmed source: email)
   b. Note the hash and provide it to the email administrator to track the message
10. Recommendation: enable dynamic file analysis with quarantine on .docm filetypes in the
    email security solution
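The "refocus" chain in steps 6 through 9 (dropped file, its creator, the creator's parent, the document that parent opened, and the mail client that saved it) can be walked programmatically over process events. This is an added example written for this guide, not Cisco code or an AMP export; the events, process ids and the `powershell.exe -WindowStyle Hidden` command line are constructed to mirror the Lab 4 chain.

```python
"""Walk a dropped file back to its origin, as the Lab 4 walkthrough does by hand
in Device Trajectory. Added example with constructed events; the field names
(pid, ppid, image, cmdline, created) are this example's own, not AMP's schema."""
import re
from dataclasses import dataclass
from typing import List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# An Office document named on a command line, e.g. winword opening resume.docm
DOC_IN_CMDLINE = re.compile(r'([A-Za-z]:\\[^"\s]+\.(?:docm|docx|doc|xlsm|xls|pptm))', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str           # process image name, lower-case
    cmdline: str
    created: str = ""    # file this process wrote to disk, if any


# Constructed sample events (not real AMP console data) modelling the Lab 4 chain.
EVENTS = [
    ProcEvent(100, None, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "outlook.exe", "outlook.exe",
              created=r"C:\Users\johndoe\Desktop\resume.docm"),
    ProcEvent(300, 100, "winword.exe",
              r'winword.exe "C:\Users\johndoe\Desktop\resume.docm"'),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -WindowStyle Hidden",
              created=r"C:\Users\johndoe\Desktop\resume.exe"),
    ProcEvent(500, 400, "resume.exe", r"C:\Users\johndoe\Desktop\resume.exe"),
]


def ancestors(events: List[ProcEvent], pid: Optional[int]) -> List[ProcEvent]:
    """The process followed by each parent up to the root (steps 7 and 8: refocus on the parent)."""
    procs = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def office_spawned_script_host(events: List[ProcEvent], pid: int) -> bool:
    """Step 7c as a rule: a script host (powershell) whose parent is an Office app (winword)."""
    chain = ancestors(events, pid)
    return len(chain) >= 2 and chain[0].image in SCRIPT_HOSTS and chain[1].image in OFFICE_APPS


def trace_origin(events: List[ProcEvent], path: str) -> List[str]:
    """Steps 6-9: file -> creating process -> its parents -> document a parent opened -> its creator."""
    trail, seen = [], set()
    while path and path.lower() not in seen:
        seen.add(path.lower())
        creator = next((e for e in events if e.created.lower() == path.lower()), None)
        if creator is None:
            break
        trail.append(f"{path} created by {creator.image}")
        path = None
        for proc in ancestors(events, creator.pid):
            match = DOC_IN_CMDLINE.search(proc.cmdline)
            if match:                 # refocus on the document the parent opened
                path = match.group(1)
                break
    return trail
```

On the constructed events, `trace_origin` for resume.exe yields two hops (powershell.exe dropped it; outlook.exe saved the resume.docm that winword opened), which is the same answer the walkthrough reaches by clicking through Device Trajectory.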
Tips for Lab 4
1. What information can we get from the screenshot? Are there any file names or file
   paths we could look up in one of our tools?
2. Threat Response will automatically parse out any IP addresses, domains, file hashes
   (SHA256, SHA1, or MD5), MAC addresses, and URLs. Other observables need to be
   referenced using the format <type>:"<value>", where “type” can be one of the
   following:

       file_path      pki-serial    md5
       file_name      user          imei
       mac_address    email         imsi
       device         ip            amp_computer_guid
       hostname       ipv6          amp-device
       domain         sha256
       url            sha1

   As an example, to look up a file named test.pdf, type the following into the New
   Investigation search box:

       file_name:"test.pdf"

3. When you pivot into an AMP event from a sighting in Threat Response, your Device
   Trajectory view will be filtered to only show events directly related to the observable
   (typically a hash, IP address, or URL). You can clear the filter criteria to see all events, or
   type something else into the filter bar to focus Device Trajectory on events related to a
   different SHA256 hash, file or process name, IP, or domain.
4. Command line capture data in AMP Device Trajectory can be an invaluable resource
   when you are looking for the reason why a file or process was launched. If an event
   shows the command line icon, this tells you that a benign (green) process was executed
   with some command line arguments. Depending on your screen resolution, you may need
   to scroll down to see the command line section of the event within Device Trajectory; it
   appears at the bottom of the event, below the parent file certificate information.
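The distinction in tip 2 between observables Threat Response parses on its own and those that need the explicit `<type>:"<value>"` form is easy to get wrong for bare file names, which look like domains. This added helper (not part of the guide or of Threat Response) builds a search string from a mix of observables; the regexes approximate the auto-parsing and are assumptions, and treating tokens that end in a common file extension as ambiguous is this example's own choice.

```python
"""Build a Threat Response search string from observables, using the guide's
<type>:"<value>" syntax for anything the UI would not parse on its own.
Added example; the patterns below approximate Threat Response's auto-parsing."""
import re
from typing import Optional, Sequence, Tuple

# Observable types the guide lists for the explicit <type>:"<value>" form.
EXPLICIT_TYPES = {
    "file_path", "file_name", "mac_address", "device", "hostname", "domain",
    "url", "pki-serial", "user", "email", "ip", "ipv6", "sha256", "sha1",
    "md5", "imei", "imsi", "amp_computer_guid", "amp-device",
}

# Types the guide says are parsed automatically from free text. Order matters:
# a MAC address would otherwise also satisfy the loose IPv6 pattern.
AUTO_PATTERNS = [
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("mac_address", re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)),
    ("url", re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.I)),
    ("ip", re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")),
    ("ipv6", re.compile(r"^[0-9a-f:]*:[0-9a-f:]*$", re.I)),
    ("domain", re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)),
]
# "resume.exe" or "test.pdf" also matches the domain pattern; this example
# (its own choice) refuses to guess and asks for file_name:"..." instead.
FILE_EXTENSIONS = {"exe", "dll", "doc", "docm", "docx", "pdf", "zip", "ps1", "vbs", "js"}


def classify(token: str) -> Optional[str]:
    """Type Threat Response would infer for a bare token, or None if it needs a prefix."""
    token = token.strip()
    for name, pattern in AUTO_PATTERNS:
        if pattern.match(token):
            if name == "domain" and token.rsplit(".", 1)[-1].lower() in FILE_EXTENSIONS:
                return None
            return name
    return None


def render(obs_type: str, value: str) -> str:
    """One observable in the guide's <type>:"<value>" form."""
    value = value.strip()
    if obs_type not in EXPLICIT_TYPES:
        raise ValueError(f"unknown observable type: {obs_type}")
    if not value or '"' in value:   # the guide gives no escaping rule, so refuse quotes
        raise ValueError("value must be non-empty and free of double quotes")
    return f'{obs_type}:"{value}"'


def build_query(items: Sequence[Tuple[Optional[str], str]]) -> str:
    """Join (type, value) pairs into one search string. A None type means
    'let Threat Response parse it', allowed only when classify() recognises it."""
    terms = []
    for obs_type, value in items:
        if obs_type is None:
            if classify(value) is None:
                raise ValueError(f"{value.strip()!r} is not auto-parsed; give it a type")
            terms.append(value.strip())
        else:
            terms.append(render(obs_type, value))
    return " ".join(terms)
```

For the Lab 4 observables, `build_query([(None, "ret.space"), ("file_name", "resume.exe")])` passes the domain through bare and renders the file name as `file_name:"resume.exe"`, matching what steps 2 and 5 of the walkthrough type into the investigation.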
However, we will only see two Verdicts – one from each queried module:
Cisco Threat Response, which is the core interface used to display information and pivot
between research products, is not a separate product and is available at no extra charge to any
licensed user of AMP for Endpoints or Threat Grid.
The Umbrella module within Cisco Threat Response uses two APIs: the first is the Investigate
API, which enables Threat Response to query Umbrella’s database for judgments and verdicts
on URLs, IPs, and domains. This API is sold separately from all Umbrella packages. The second
API used in Threat Response’s Umbrella module is the Umbrella Enforcement API, which allows
security administrators to blacklist domains within the Threat Response UI using the context
menu. This Enforcement API is available with the Platform bundle of Cisco Umbrella.
NOTE: This example Bill of Materials uses default values of 1000 endpoints
and a 12-month subscription length. SKUs are subject to change; consult your
local Advanced Threat Security team for a detailed price estimation.
Requesting a Workshop
Requesting a Room
Note: The lab pods assigned during the Workshop Registration phase will be
fully configured. Use the instructions in this section to configure your own
internal AMP, Threat Grid, and Umbrella Investigate accounts.
This workshop relies only on Demo Data within the AMP for Endpoints console. To recreate the
lab environment on your own, you will need access to the following Cisco Security products:
To configure the lab environment, start by linking Threat Grid with AMP for Endpoints. Take
the API key from the Threat Grid user account details page (obfuscated in this example):
Paste the API key into the Threat Grid API key field within the Edit Business page in the AMP for
Endpoints console (https://console.amp.cisco.com/business/edit):
Next, generate an API key for Threat Response within the AMP for Endpoints console by going
to Accounts > API Credentials:
Click the button to add a new API credential and name it Threat Response. Select the Read &
Write scope and enable Command Line access, then click Create:
Take note of the API Client ID and API Key, as they will not be displayed again, and add them to
the AMP for Endpoints module in Threat Response by going to
https://visibility.amp.cisco.com/#/modules and clicking the “Add New Module” button:
Note: Be sure to select the appropriate URL from the dropdown based on your
AMP cloud location. The default URL points to the North American cloud, but
there are options to select the APJC or EU clouds instead.
Finally, add the Umbrella Investigate module. You will need to generate a new API access token
from https://investigate.umbrella.com/tokens-view:
Copy the access token, return to the Threat Response modules page, and enter it into the API
Key field in the Umbrella module type:
Return to Umbrella and navigate to Policies > Policy Components > Integrations using the
navigation bar on the left side of the screen:
Once you click the blue “Create” button, the integration will be created in a disabled state.
Click on the integration name from the list of integrations to expand its settings and click the
checkbox for “Enable” to turn it on:
Copy the custom threat intelligence feed URL that begins with
“https://s-platform.api.opendns.com/1.0/events?customerKey=” and paste it into the “Custom
Umbrella Integration URL” field in the Threat Response Umbrella module:
Optionally, you can also add a VirusTotal module if you have a subscription to their Public or
Private API by following the same steps. This is not required, as we do not use VirusTotal during
this lab, but it can be useful to see the differences between judgments from various sources.