Advanced APT Hunting with Splunk
Thank you for attending Advanced APT Hunting with Splunk. We hope you found it helpful.
Below are the reference materials and links that appeared throughout the workshop.
Depending on how many of the hunts you performed, some of these links may be more
relevant than others. Links are grouped by hunt.
While the BOTSv2 data set and app that we used are not yet available, if you are interested in
hunting and investigating a Splunk BOTS data set, you have a few options. Below are links to
blogs and the data sets where you can learn more about downloading your own copy or using
our sandbox.
BOTS version 1 data set
Blog: https://www.splunk.com/blog/2018/05/10/boss-of-the-soc-scoring-server-questions-and-answers-and-dataset-open-sourced-and-ready-for-download.html
Data Set: http://explore.splunk.com/BOTS_1_0_datasets
Companion investigating app: https://splunkbase.splunk.com/app/3985/
Sandbox with the Data Set
Blog: https://www.splunk.com/blog/2018/05/03/introducing-the-security-datasets-project.html
Sandbox Site: http://live.splunk.com/splunk-security-dataset-project
Apps used during the workshop
Enterprise Security: https://splunkbase.splunk.com/app/263/
SA-Investigator: https://splunkbase.splunk.com/app/3749/
Sankey Visualization: https://splunkbase.splunk.com/app/3112/
URL Toolbox: https://splunkbase.splunk.com/app/2734/
If you want to learn more about some of the techniques that we touched on, check out the
Hunting with Splunk! Blog Series:
https://www.splunk.com/blog/2017/07/06/hunting-with-splunk-the-basics.html
Hunt 0
Quick search to get a list of all sourcetypes in a specific index, with when each was first seen and last seen:
| metadata type=sourcetypes index=botsv2
| eval firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S")
| eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S")
| eval recentTime=strftime(recentTime,"%Y-%m-%d %H:%M:%S")
| sort - totalCount
Last Updated: December 2018 1
PowerShell Hunt
PowerShell: https://docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-6
PowerShell Empire: https://www.powershellempire.com/
Github site for PowerShell Empire: https://github.com/EmpireProject/Empire
Web Application Vulnerability Scanner: https://w3af.org
PowerShell.exe Command-Line Help: https://docs.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help?view=powershell-6
CyberChef: https://gchq.github.io/CyberChef
List of FTP commands for the Microsoft command-line FTP client:
http://www.nsftools.com/tips/MSFTP.htm
WHOAMI utility in Windows 7/8/10 and its use, syntax, commands:
https://www.thewindowsclub.com/whoami-windows
Wevtutil Command Reference: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
Quickly Turn ON/OFF Windows Firewall Using Command Line:
http://techgenix.com/quicklyturnonoffwindowsfirewallusingcommandline/
Command-line build with csc.exe: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe
NET.exe Share: https://ss64.com/nt/net-share.html
MITRE ATT&CK Techniques Referenced
PowerShell - https://attack.mitre.org/wiki/Technique/T1086
Commonly Used Port - https://attack.mitre.org/techniques/T1043/
Data Encoding - https://attack.mitre.org/techniques/T1132/
Exfiltration Over Alternative Protocol - https://attack.mitre.org/techniques/T1048/
System Owner/User Discovery - https://attack.mitre.org/techniques/T1033/
Disabling Security Tools - https://attack.mitre.org/techniques/T1089/
Scheduled Task - https://attack.mitre.org/techniques/T1053/
Data from Network Shared Drive - https://attack.mitre.org/techniques/T1039/
Data Exfiltration – FTP
File Info on specific file extensions: https://fileinfo.com/extension/
MITRE ATT&CK Techniques Referenced
Exfiltration Over Alternative Protocol - https://attack.mitre.org/techniques/T1048/
Commonly Used Port - https://attack.mitre.org/techniques/T1043/
Remote File Copy - https://attack.mitre.org/techniques/T1105/
PowerShell - https://attack.mitre.org/wiki/Technique/T1086
Scripting - https://attack.mitre.org/techniques/T1064/
Data Exfiltration – DNS
Whois: http://whois.domaintools.com/hildegardsfarm.com
RiskIQ Community Edition: https://community.riskiq.com/login
MITRE Techniques Referenced
Exfiltration Over Alternative Protocol - https://attack.mitre.org/techniques/T1048/
Commonly Used Port - https://attack.mitre.org/techniques/T1043/
Adversary Infrastructure
Censys.IO: http://Censys.io
Robtex: https://www.robtex.com/ip-lookup/45.77.65.211
MITRE ATT&CK Technique Referenced
Acquire and/or use 3rd party infrastructure services - https://attack.mitre.org/techniques/T1329/
Spearphishing Attachment
MIME Types: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types
Whois: https://whois.domaintools.com/
CyberChef: https://gchq.github.io/CyberChef
VirusTotal: https://www.virustotal.com/#/home/search
MITRE ATT&CK Techniques Referenced
Acquire and/or use 3rd party software services - https://attack.mitre.org/techniques/T1330/
Spearphishing Attachment - https://attack.mitre.org/techniques/T1193/
User Execution
Phishing with Empire (Blog): https://enigma0x3.net/2016/03/15/phishing-with-empire/
MITRE ATT&CK Techniques
PowerShell - https://attack.mitre.org/techniques/T1086/
User Execution - https://attack.mitre.org/techniques/T1204/
Account Persistence
Windows Command Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720
Ultimate Windows Security Event Code Reference: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4648
MITRE ATT&CK Technique Referenced
Create Account - https://attack.mitre.org/techniques/T1136/
Scheduled Tasks
Schtasks.exe command reference:
https://msdn.microsoft.com/en-us/library/windows/desktop/bb736357(v=vs.85).aspx
MITRE ATT&CK Techniques Referenced
Scheduled Task - https://attack.mitre.org/techniques/T1053/
PowerShell - https://attack.mitre.org/wiki/Technique/T1086
Data Encoding - https://attack.mitre.org/techniques/T1132/
Clearing Audit Logs
Wevtutil Command Reference: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
MITRE ATT&CK Techniques
Indicator Removal On Host - https://attack.mitre.org/techniques/T1070/
PowerShell - https://attack.mitre.org/wiki/Technique/T1086
Data Encoding - https://attack.mitre.org/techniques/T1132/
Reconnaissance
What is my browser: https://whatismybrowser.com
Web browser language identification codes: https://www.metamodpro.com/browser-language-codes
Whois: https://whois.domaintools.com/
RIPE Database Query: https://apps.db.ripe.net/db-web-ui/#/query
ExpressVPN: https://www.expressvpn.com/
MITRE ATT&CK Technique Referenced
Acquire and/or use 3rd party infrastructure services - https://attack.mitre.org/techniques/T1329/
Acquire OSINT Data Sets and Information
MIME Types: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types
MITRE Technique Referenced
Acquire OSINT data sets and information - https://attack.mitre.org/techniques/T1277/
Lateral Movement
Detecting Lateral Movement through Tracking Event Logs: http://www.jpcert.or.jp/english/pub/sr/Detecting%20Lateral%20Movement%20through%20Tracking%20Event%20Logs_version2.pdf
JPCERT/CC Tool Analysis Result Sheet: https://jpcertcc.github.io/ToolAnalysisResultSheet/
Hunting Lateral Movement in Windows Infrastructure:
https://www.slideshare.net/votadlos/hunting-lateral-movement-in-windows-infrastructure
PowerShell Empire Invoke-WMI: https://www.powershellempire.com/?page_id=124
MITRE ATT&CK Techniques Referenced
Windows Management Instrumentation - https://attack.mitre.org/techniques/T1047/
PowerShell - https://attack.mitre.org/techniques/T1086/
Data Encoding - https://attack.mitre.org/techniques/T1132/
Data Staging
MITRE ATT&CK Techniques Referenced
Data Staged - https://attack.mitre.org/techniques/T1074/
Remote File Copy - https://attack.mitre.org/techniques/T1105/
Exfiltration Over Alternative Protocol - https://attack.mitre.org/techniques/T1048/
Additional Reading and Resources
SANS - The Who, What, Where, When, Why and How of Effective Threat Hunting: https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785
NIST 800-61: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Pyramid of Pain: https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Intelligence-Driven Incident Response: Outwitting the Adversary, Scott J. Roberts and Rebekah Brown
https://www.amazon.com/Intelligence-Driven-Incident-Response-Outwitting-Adversary-ebook/dp/B074ZRN5T7/ref=sr_1_fkmr0_1?ie=UTF8&qid=1545175707&sr=8-1-fkmr0
Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf
The Design and Philosophy of ATT&CK
https://www.mitre.org/publications/technical-papers/mitre-attack-design-and-philosophy
The Diamond Model of Intrusion Analysis
http://www.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf
Applying the Diamond Model to Star Wars (Blog)
https://threatconnect.com/blog/diamond-model-threat-intelligence-star-wars/
Threat Hunting Webshells with Splunk, James Bower (Video)
https://www.youtube.com/watch?v=FEb8KZoEyzI
Building Threat Hunting Strategies with the Diamond Model:
http://www.activeresponse.org/building-threat-hunting-strategy-with-the-diamond-model/
Documentation Links for Search Commands Used:
Eval: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval
Fields: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fields
Metadata: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/metadata
Reverse: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/reverse
Rex: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/rex
Search: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/search
Sort: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/sort
Stats: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/stats
Table: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/table
Tstats: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/tstats
Timechart: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/timechart
Transaction: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transaction
Transpose: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transpose
Splunk Quick Reference: https://www.splunk.com/pdfs/solution-guides/splunk-quick-reference-guide.pdf
Splunk Search Reference: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/WhatsInThisManual