Speaker 1 (2026-04-13 19-24-41)

0:00 In this video, we're going to take a look at a hypothetical scenario and walk through a couple of options for how to begin a threat hunt for that scenario when we're working in ELK.

0:15 So the scenario we're going to look at is an attacker has compromised the network and has dumped the SAM database to be able to steal password hashes and then use them in a pass-the-hash attack to attempt to authenticate at various endpoints across the network.

0:34 So if you watched the example or the hypothetical threat hunt we did for Splunk, this one's going to be very similar. And we're going to start with the first three steps here.

0:46 Number one, we want to identify which logs we need to search through for this threat hunt. Make sure we have those available to us. For this one, it's going to be fairly simple. We need the Windows security logs, specifically out of the Windows event logs. We could also use some PowerShell logs. That would be helpful depending on exactly what we're looking for and what we might find after the initial search. Don't forget that. Depending on what you find after some of your initial searches, it's very possible you may need to expand the search scope of what logs you're looking at to continue the hunt, but for the initial searches we're going to start with, we're going to want to look at some of the Windows event logs, specifically the security logs, and also the Sysmon logs as well. So there's a couple of different logs, but typically, as long as we have Windows event logs accessible to us for this hunt and we have Sysmon in there as well, we should be good.

1:46 After that, we start building the initial query we want to use for the first phase of our hunt here. Let's take a look at that query.

1:56 So we're starting out by looking for, I should say, a specific process running. That is what this winlog.event_data.Image is. Don't forget, an image is also known as a process. And we're looking for the command line or command-line utility used to manage the registry on Windows. So we are looking for the process of reg.exe running. And then we're looking for a couple of specific things within that command line, what we're looking for for the winlog.event_data.CommandLine, both above and below that red line. This is all one search query. It's just on separate lines so I could keep the font readable. So we're looking for two specific things. Now, as you can see here, we're looking for one particular method for exporting the SAM database. There's a few of them. This one, we're looking at exporting it from the registry. So this would be looking for those two key phrases in the command line: save, and then the key we're trying to export, the HKLM\SAM key. So that is the specific type of SAM database theft that we're looking for with this command.

3:17 And then based on what we find from that command, we then want to analyze whatever the results are to figure out what we should be doing next, and then, you know, pivot our search and pivot the hunt as necessary.

3:33 So what should we be looking at next? So let's say that we did find evidence of the SAM database being exported. We want to kind of continue that hunt, or really even if we didn't find that, if we still suspect there may be, you know, credential theft happening on the network, but maybe we didn't find anything from the SAM database. We want to kind of expand there to search for known tools that are used to dump credentials, or some sort of unusual access to the LSASS Windows process. And this basically can be an alternative to saving from the registry for the attacker. So in this query right here, we're searching for really anything in the logs that has, in the command-line command, the use of ProcDump or Mimikatz, two utilities that can be used to dump credentials.

4:37 If we do have evidence of credential theft, we can then pivot into looking for specific authentication events. We can look for accounts authenticating from unusual locations at unusual times using specific methods. And we can do that by looking for the event ID 4624, a successful login, and then looking in the message field specifically to see if the authentication attempt was explicitly using NTLM to authenticate.

5:13 From there, we can also start looking for any sort of tools that might be used to perform execution via pass-the-hash attacks. So we'd look for anything in the command line that was running WMIC for WMI commands, running PsExec, which is basically remote ways of controlling or running commands on computers, smbexec, a Python script, but any of those that were not done under the username of SYSTEM. That is where, with KQL, we have the "not" in front of what we don't want to include. So in this case, we're saying do not include any matches, any results that do not match this criteria right here. That is what we are saying by having the "not" in front of there.

6:16 From there, we could go on and look for any processes maybe that have an unusual parent process. So for this last query here, we're looking at the process of WmiPrvSE, which is the WMI Provider Host. It is associated with WMI commands as well. We're looking to see if that process then launched any other processes with cmd.exe or powershell.exe in the command line, which would definitely be unusual there. It would be a suspicious or potentially malicious use of WMI.

7:02 So a very, you know, high-level hypothetical threat hunt, just to kind of provide some different examples of how we can pivot and how we can do searches specifically using KQL within ELK.

This transcript was generated by AI (automatic speech recognition). It may contain errors; verify against the original audio for critical use.
