Thanks Kris for a great session today! 

Kris used quite a few queries which are listed below for you to test out and use on your network:

And he also referenced using CTF events or other online resources to learn attacker tactics, so that you can better defend against those attacks in your environments. Here's a few sites that he personally recommends: 

I hope those are all useful to you - let me know in the comments if you have anything else that others might benefit from!

Great seeing all of you on the sessions this week - see you Tuesday for session 4.

Parents
  • First and Foremost, thank you Nick, Kris and the remainder of the team both on video and behind the scenes running chat! You guys are doing an amazing job and there is lots to learn.

    I spent some time running through the live queries this afternoon and as has been said many times the journey down the rabbit hole is more than just a full time job, it needs a small army(thankfully I have the MTR team backing anything I miss/do not find - but am eager to learn as much as I can) I ran a query using the “General MITRE” query located in the forums and am wondering if Kris or another knowledgeable team member can confirm if the following scenario would cause a red flag or is potentially a normal occurrence at times. 

    I found several instances in the last 24 hours where a subset of random user endpoints flagged for T1069 multiple times per end point. 

    At face value this looks like a user is running “net localgroup administrators” via command prompt. This far internet sleuthing has not yet ruled in favour of either direction. 

    A second piece to this question, I had run a query to identify local admin accounts on my endpoints half hour before this. Is there any possibility there is a correlation here? I’m assuming not as I have ~1300 endpoints and not even a fraction of are flagged in this report. 

  • Great to hear you are using MTR! I suppose it goes without saying, but if you think you legitimately have an active incident, please call the MTR team first and don't use this as the opportunity to up-level your threat hunting Slight smile

    Your instances of T1069 are likely not super interesting... unless they are. If you want to get more data about them, I suggest you open up your hunt around the time stamps you see. Using the generic query posted above can be a good place to start to just orient around what else was happening and then decide if/how to selectively hone in on other events or artifacts. If you have remote management tools that report on this kind of data, it is possible that they are leveraging an API to make this call, but it's hard to say without other context. Have a look at a the MITRE mitigations and detections for this sub-technique for a bit more context- https://attack.mitre.org/techniques/T1069/. Andy Martin will also be looking at enumeration in the next session, so some of the queries he mentions will be useful to understand if there is lateral movement or recon going on. 

    You are correct that running a query in Sophos Central to identify local admins wouldn't generate the system data in your previous query. The EDR data you get back as a result Live Discover gets pulled from the Intercept X Advanced w/ EDR data recorder and is in not running a command in a local shell to get it. 

    Bottom line, as with most things threat hunting, the answer to whether this is a red flag is... it depends. You need to understand more about what else is going on both locally and in the rest of the environment. Stay tuned for the session from Andrew Mundell on using a threat hunting framework where he specifically talks through a usable workflow for threat hunting. 

Comment
  • Great to hear you are using MTR! I suppose it goes without saying, but if you think you legitimately have an active incident, please call the MTR team first and don't use this as the opportunity to up-level your threat hunting Slight smile

    Your instances of T1069 are likely not super interesting... unless they are. If you want to get more data about them, I suggest you open up your hunt around the time stamps you see. Using the generic query posted above can be a good place to start to just orient around what else was happening and then decide if/how to selectively hone in on other events or artifacts. If you have remote management tools that report on this kind of data, it is possible that they are leveraging an API to make this call, but it's hard to say without other context. Have a look at a the MITRE mitigations and detections for this sub-technique for a bit more context- https://attack.mitre.org/techniques/T1069/. Andy Martin will also be looking at enumeration in the next session, so some of the queries he mentions will be useful to understand if there is lateral movement or recon going on. 

    You are correct that running a query in Sophos Central to identify local admins wouldn't generate the system data in your previous query. The EDR data you get back as a result Live Discover gets pulled from the Intercept X Advanced w/ EDR data recorder and is in not running a command in a local shell to get it. 

    Bottom line, as with most things threat hunting, the answer to whether this is a red flag is... it depends. You need to understand more about what else is going on both locally and in the rest of the environment. Stay tuned for the session from Andrew Mundell on using a threat hunting framework where he specifically talks through a usable workflow for threat hunting. 

Children
  • Hey Kris! 

    Thank you for the feedback, I suspected for the most part that as with a lot that I am learning with threat hunting; everything can be a concern until you know it isn't, but that also does not mean to panic. It just means to dig in and learn more! (In a safe manner as you referenced above - if in doubt call in the higher-skilled teams)

    Thankfully digging deeper lead me to believe this was not worth escalation to the MTR team. The crazy cool tie back to the threat hunting academy however is it these lessons/courses DID lead to an alternate escalation to the MTR Team, which by the end of their investigation they did not find any IOCs. 

    That said, someone was knocking on the door of two of our systems (attempting to brute force them) and we only learned of this attempt due to these sessions. By the end of the joint investigation with the MTR team, these systems looked to be being hit while off of our network by a remote actor - in today's world with such a rapid deployment to having users work remotely being able to watch for and catch off-net systems(that do connect to the network during business hours) may have saved us a potential compromise down the road. 

    All said, three days in and the stuff we are learning has already helped us strengthen our security footprint!