0:00
S… Speaker 1 (2026-04-13 19-24-41)
In this video,
0:01
S… Speaker 2 (2026-04-13 19-24-41)
we're going to take a look at a hypothetical scenario and walk
0:05
S… Speaker 2 (2026-04-13 19-24-41)
through a couple of options for how to begin a
0:10
S… Speaker 2 (2026-04-13 19-24-41)
threat hunt for that scenario when we're working in
0:14
S… Speaker 1 (2026-04-13 19-24-41)
ELK.
0:15
S… Speaker 2 (2026-04-13 19-24-41)
So the scenario we're going to look at is an attacker has
0:19
S… Speaker 2 (2026-04-13 19-24-41)
compromised the network and has dumped the SAM database to
0:23
S… Speaker 2 (2026-04-13 19-24-41)
be able to steal password hashes and then use them in a pass
0:27
S… Speaker 1 (2026-04-13 19-24-41)
the hash attack
0:29
S… Speaker 2 (2026-04-13 19-24-41)
to attempt to authenticate at various endpoints across the network.
0:34
S… Speaker 2 (2026-04-13 19-24-41)
So if you watched the example or the hypothetical
0:39
S… Speaker 2 (2026-04-13 19-24-41)
threat hunt we did for Splunk,
0:41
S… Speaker 2 (2026-04-13 19-24-41)
this one's going to be very similar.
0:43
S… Speaker 2 (2026-04-13 19-24-41)
And we're going to start with the first three steps here.
0:46
S… Speaker 1 (2026-04-13 19-24-41)
Number one,
0:47
S… Speaker 2 (2026-04-13 19-24-41)
we want to identify which logs we need to search
0:51
S… Speaker 1 (2026-04-13 19-24-41)
through
0:52
S… Speaker 2 (2026-04-13 19-24-41)
for this threat hunt.
0:54
S… Speaker 2 (2026-04-13 19-24-41)
Make sure we have those available to us.
0:56
S… Speaker 2 (2026-04-13 19-24-41)
For this one,
0:57
S… Speaker 2 (2026-04-13 19-24-41)
it's going to be fairly simple.
0:58
S… Speaker 2 (2026-04-13 19-24-41)
We need the Windows security logs,
1:01
S… Speaker 2 (2026-04-13 19-24-41)
specifically out of the Windows event logs.
1:03
S… Speaker 2 (2026-04-13 19-24-41)
We could also use some PowerShell logs.
1:06
S… Speaker 2 (2026-04-13 19-24-41)
That would be helpful depending on exactly what we're looking for and what we might
1:10
S… Speaker 2 (2026-04-13 19-24-41)
find after the initial search.
1:13
S… Speaker 2 (2026-04-13 19-24-41)
Don't forget that.
1:14
S… Speaker 2 (2026-04-13 19-24-41)
Depending on what you find after some of your initial searches,
1:18
S… Speaker 2 (2026-04-13 19-24-41)
it's very possible you may need to expand the search
1:21
S… Speaker 2 (2026-04-13 19-24-41)
scope of what logs you're looking at to continue the hunt but
1:25
S… Speaker 2 (2026-04-13 19-24-41)
for the initial searches we're going to start with we're going to want to look at
1:29
S… Speaker 2 (2026-04-13 19-24-41)
some of the Windows event logs, specifically the security logs, and also the
1:33
S… Speaker 2 (2026-04-13 19-24-41)
Sysmon logs as well. So there's a couple of different logs, but typically,
1:38
S… Speaker 2 (2026-04-13 19-24-41)
as long as we have Windows event logs accessible to us for
1:42
S… Speaker 2 (2026-04-13 19-24-41)
this hunt and we have Sysmon in there as well, we should be good.
1:46
S… Speaker 1 (2026-04-13 19-24-41)
After that,
1:47
S… Speaker 2 (2026-04-13 19-24-41)
we start building the initial query we want to use for
1:51
S… Speaker 2 (2026-04-13 19-24-41)
the first phase of our hunt here.
1:54
S… Speaker 2 (2026-04-13 19-24-41)
Let's take a look at that query.
1:56
S… Speaker 2 (2026-04-13 19-24-41)
So we're starting out by looking for,
2:00
S… Speaker 2 (2026-04-13 19-24-41)
I should say,
2:00
S… Speaker 2 (2026-04-13 19-24-41)
a specific process running.
2:02
S… Speaker 2 (2026-04-13 19-24-41)
That is what this win event data image is.
2:07
S… Speaker 2 (2026-04-13 19-24-41)
Don't forget, an image is also known as a process.
2:09
S… Speaker 2 (2026-04-13 19-24-41)
And we're looking for the command line or
2:13
S… Speaker 2 (2026-04-13 19-24-41)
command line utility used to manage the registry on Windows.
2:17
S… Speaker 2 (2026-04-13 19-24-41)
So we are looking for the process of reg.exe running.
2:22
S… Speaker 2 (2026-04-13 19-24-41)
And then we're looking for a couple of specific things within
2:27
S… Speaker 1 (2026-04-13 19-24-41)
that command line,
2:28
S… Speaker 2 (2026-04-13 19-24-41)
what we're looking for for the win event data command line,
2:32
S… Speaker 2 (2026-04-13 19-24-41)
both above and below that red line.
2:35
S… Speaker 2 (2026-04-13 19-24-41)
This is all one search query.
2:38
S… Speaker 2 (2026-04-13 19-24-41)
It's just on separate lines,
2:39
S… Speaker 2 (2026-04-13 19-24-41)
so I could keep the font readable.
2:41
S… Speaker 2 (2026-04-13 19-24-41)
So we're looking for two specific things.
2:44
S… Speaker 2 (2026-04-13 19-24-41)
Now, as you can see here,
2:45
S… Speaker 2 (2026-04-13 19-24-41)
we're looking for one particular method for
2:49
S… Speaker 2 (2026-04-13 19-24-41)
exporting the SAM database.
2:51
S… Speaker 2 (2026-04-13 19-24-41)
There's a few of them.
2:52
S… Speaker 2 (2026-04-13 19-24-41)
This one, we're looking at exporting it from the registry.
2:55
S… Speaker 2 (2026-04-13 19-24-41)
So this would be looking for those two key
2:59
S… Speaker 2 (2026-04-13 19-24-41)
phrases in the command line.
3:02
S… Speaker 1 (2026-04-13 19-24-41)
Save,
3:03
S… Speaker 2 (2026-04-13 19-24-41)
and then the key we're trying to export,
3:07
S… Speaker 2 (2026-04-13 19-24-41)
the HKLM\SAM key.
3:09
S… Speaker 2 (2026-04-13 19-24-41)
So that is the specific type of SAM database
3:13
S… Speaker 2 (2026-04-13 19-24-41)
theft that we're looking for with this command.
3:17
S… Speaker 2 (2026-04-13 19-24-41)
And then based on what we find from that command,
3:21
S… Speaker 2 (2026-04-13 19-24-41)
we then want to analyze whatever the results are to figure
3:25
S… Speaker 2 (2026-04-13 19-24-41)
out what we should be doing next.
3:27
S… Speaker 1 (2026-04-13 19-24-41)
And then,
3:28
S… Speaker 2 (2026-04-13 19-24-41)
you know, pivot our search and pivot the hunt as necessary.
3:33
S… Speaker 2 (2026-04-13 19-24-41)
So what should we be looking at next?
3:36
S… Speaker 2 (2026-04-13 19-24-41)
So let's say that we...
3:39
S… Speaker 2 (2026-04-13 19-24-41)
did find evidence of the SAM database
3:43
S… Speaker 2 (2026-04-13 19-24-41)
being exported.
3:45
S… Speaker 2 (2026-04-13 19-24-41)
We want to kind of continue that hunt,
3:48
S… Speaker 2 (2026-04-13 19-24-41)
or really even if we didn't find that,
3:50
S… Speaker 2 (2026-04-13 19-24-41)
if we still find,
3:51
S… Speaker 2 (2026-04-13 19-24-41)
if we still suspect there may be,
3:54
S… Speaker 1 (2026-04-13 19-24-41)
you know,
3:55
S… Speaker 2 (2026-04-13 19-24-41)
credential theft happening on the network,
3:58
S… Speaker 2 (2026-04-13 19-24-41)
but maybe we didn't find anything from the SAM database.
4:01
S… Speaker 2 (2026-04-13 19-24-41)
We want to kind of expand there to search for known tools that
4:05
S… Speaker 2 (2026-04-13 19-24-41)
are used to dump credentials.
4:08
S… Speaker 2 (2026-04-13 19-24-41)
or some sort of unusual access to the LSASS Windows
4:12
S… Speaker 2 (2026-04-13 19-24-41)
process.
4:13
S… Speaker 2 (2026-04-13 19-24-41)
And this basically can be an alternative to saving
4:18
S… Speaker 2 (2026-04-13 19-24-41)
from the registry for the attacker.
4:20
S… Speaker 2 (2026-04-13 19-24-41)
So in this query right here,
4:22
S… Speaker 2 (2026-04-13 19-24-41)
we're searching for really anything in the logs that has
4:26
S… Speaker 1 (2026-04-13 19-24-41)
in the command line command,
4:28
S… Speaker 2 (2026-04-13 19-24-41)
the use of ProcDump or Mimikatz, two
4:32
S… Speaker 2 (2026-04-13 19-24-41)
utilities that can be used to dump credentials.
4:37
S… Speaker 2 (2026-04-13 19-24-41)
If we do have evidence of credential theft,
4:40
S… Speaker 2 (2026-04-13 19-24-41)
we can then pivot into looking for specific authentication
4:45
S… Speaker 1 (2026-04-13 19-24-41)
events.
4:45
S… Speaker 2 (2026-04-13 19-24-41)
We can look for accounts authenticating from unusual locations
4:50
S… Speaker 2 (2026-04-13 19-24-41)
at unusual times using specific methods.
4:54
S… Speaker 2 (2026-04-13 19-24-41)
And we can do that by looking for the event ID 4624
4:58
S… Speaker 2 (2026-04-13 19-24-41)
a successful login,
5:01
S… Speaker 2 (2026-04-13 19-24-41)
and then looking in the message field specifically to see if the
5:05
S… Speaker 2 (2026-04-13 19-24-41)
authentication attempt was explicitly
5:09
S… Speaker 2 (2026-04-13 19-24-41)
using NTLM to authenticate.
5:13
S… Speaker 1 (2026-04-13 19-24-41)
From there,
5:14
S… Speaker 2 (2026-04-13 19-24-41)
we can also start looking for any sort of tools
5:18
S… Speaker 2 (2026-04-13 19-24-41)
that might be used to perform execution
5:23
S… Speaker 2 (2026-04-13 19-24-41)
via pass the hash attacks.
5:25
S… Speaker 2 (2026-04-13 19-24-41)
So we'd look for anything in the command line that was running WMIC
5:30
S… Speaker 2 (2026-04-13 19-24-41)
for WMI commands,
5:33
S… Speaker 2 (2026-04-13 19-24-41)
running PsExec,
5:35
S… Speaker 2 (2026-04-13 19-24-41)
which is basically remote ways of controlling or running commands
5:39
S… Speaker 2 (2026-04-13 19-24-41)
on computers.
5:40
S… Speaker 1 (2026-04-13 19-24-41)
smbexec,
5:41
S… Speaker 2 (2026-04-13 19-24-41)
a Python script,
5:42
S… Speaker 2 (2026-04-13 19-24-41)
but any of those that were not done under
5:47
S… Speaker 2 (2026-04-13 19-24-41)
the username of SYSTEM.
5:49
S… Speaker 2 (2026-04-13 19-24-41)
That is where with KQL,
5:53
S… Speaker 2 (2026-04-13 19-24-41)
we have the not in front of
5:57
S… Speaker 2 (2026-04-13 19-24-41)
what we don't want to include.
5:58
S… Speaker 2 (2026-04-13 19-24-41)
So in this case,
5:59
S… Speaker 2 (2026-04-13 19-24-41)
we're saying do not include or any matches,
6:04
S… Speaker 2 (2026-04-13 19-24-41)
any results that do not match this
6:08
S… Speaker 2 (2026-04-13 19-24-41)
criteria right here.
6:10
S… Speaker 2 (2026-04-13 19-24-41)
That is what we are saying by having the not in front of there.
6:16
S… Speaker 1 (2026-04-13 19-24-41)
From there,
6:17
S… Speaker 2 (2026-04-13 19-24-41)
we could go on and look for any processes maybe
6:21
S… Speaker 2 (2026-04-13 19-24-41)
that have an unusual parent process.
6:24
S… Speaker 2 (2026-04-13 19-24-41)
So for this last query here,
6:27
S… Speaker 2 (2026-04-13 19-24-41)
we're looking at the process of
6:31
S… Speaker 2 (2026-04-13 19-24-41)
WmiPrvSE,
6:34
S… Speaker 2 (2026-04-13 19-24-41)
which is the WMI provider host.
6:37
S… Speaker 2 (2026-04-13 19-24-41)
It is associated with WMI commands as well.
6:40
S… Speaker 2 (2026-04-13 19-24-41)
We're looking to see if that process
6:44
S… Speaker 2 (2026-04-13 19-24-41)
then launched any other processes with cmd.exe
6:48
S… Speaker 2 (2026-04-13 19-24-41)
or powershell.exe in the command
6:53
S… Speaker 1 (2026-04-13 19-24-41)
line,
6:54
S… Speaker 2 (2026-04-13 19-24-41)
which would definitely be unusual there.
6:56
S… Speaker 2 (2026-04-13 19-24-41)
It would be a suspicious or potentially malicious use of
7:01
S… Speaker 2 (2026-04-13 19-24-41)
WMI.
7:02
S… Speaker 1 (2026-04-13 19-24-41)
So a very,
7:03
S… Speaker 2 (2026-04-13 19-24-41)
you know, high-level hypothetical threat hunt,
7:05
S… Speaker 2 (2026-04-13 19-24-41)
just to kind of provide some different examples of how we
7:09
S… Speaker 2 (2026-04-13 19-24-41)
can pivot and how we can do searches specifically using KQL
7:14
S… Speaker 2 (2026-04-13 19-24-41)
within ELK.

This transcript was generated by AI (automatic speech recognition). It may contain errors; check against the original audio for critical use.