Transcript
of some like activities that you can do in threat hunting. Again, these aren't things that rise to the level of detection, like you'll see that you can't like, you know, programmatically do this easily, you know, to where you could say like, if you see this, flag it because... For example, detections are typically very specific. You're looking for something very specific. For an example here, if you said, you know what, I want to know, give me a detection every time explore.exe launches command line exec. And if you create a detection for that, then you'd get lots and lots and lots of alerts that would show up in your console. Or for any one of these, you would get detection alerts, which you didn't go, but this doesn't mean anything. So, Kevin, you're showing this as a hunting? Yeah, yeah. So, we'll get into this. I'll show you how to do the query. But something to look at right now. So, I'll explain what we're going to do first. So, we're going to go into AdLumen, we're going to export all the process execution logs from across our environment. And I'll show you how you can limit it to maybe specific hosts, if you're just looking at one host, or how you can limit it to like a specific domain or something like that. And then what we're going to do is we're going to take that data, we're going to use AdLumen to get it as a CSV, and then we're going to apply that expertise analysis in a way we can go through it really fast, right? The old easy way for hunting is literally to just go through every result and just see if it's something or nothing. But I'll tell you when you're dealing with 5 million results, you can't do that. So, you do have to sort of do like, you know, some heavy lifting, there's some scripting and stuff that's involved in it, just that makes your life a lot easier and makes it more effective and faster. But the first thing we're going to do is so we're going to go through and we're going to get all those process executions from throughout the environment, right? And then we're going to do a count of how many, how many hosts have less than have seen less than 10 executions of this parent child process pair. So for when a process runs, like something ran that process, right? Unless you're process zero. Kevin, are you showing a demo of the AdLumen portal? I'm super... It's a process support. Got it. Yeah. So when you run a process, it's spawned by its parent, unless you're process zero, right? The God process. So what we're doing is we're looking at what are the processes that are being spawned from other processes? And we're counting them, right? So if we see less than a large number of occurrence, which like here, we've decided 10 is where we're going to start at. We want to take that and save it, right? And then we're going to look across the hosts in our environment and see how many hosts are doing that execution, right? So what we know... So let's look at the bottom, right? Outlook.exe to PowerShell.exe. Top of your head, that's super duper suspicious, right? Because like what's Outlook.exe running PowerShell.exe for, right? Like was it because there was some exploit or some hook or something like that? But when you start digging into these actual process executions and you look at the command line, you'll see that it's actually an Outlook add-on that uses PowerScript or PowerShell, and it actually gets run by Outlook.exe. And that's why, you know, even though that sounds super malicious, you go through, what is this, like 17 results or something like that, and you got nothing. And they're all different, right? And you can do this for each one of these, right? And some of these are more suspicious than others. Some of them are definitely suspicious, right? In this case, right? A CEC host shouldn't directly be calling the installUtil, right? That's just not how it works. Things like Chrome to command.exe can be suspicious, export notepad is okay, right? That kind of stuff. You would pour through each one of these. So you'd look at them and first answer the other question, does this look weird? And you'd pour through each one of them, trying to then investigate, if you will, whether or not, or research whether or not it maps back to something that is anomalous. Yep. And this is like, again, a really basic way anybody can apply to their environment, any environment pretty much. It's going to be more difficult, the larger your environment is. So that's why I recommend you can limit by host or if you have multiple domains or networks or something like that, right? But this doesn't require you to have anything special, right? Other than a tool that can get you the logs you need and the process execution logs for Windows, which is like most tools should do that for you these days.