Session 3 Resources

one of the best webinars I've ever seen!

I copied it from the screen when they showed it. When I run it the Where event IN (4672, 4624,4625) only shows events for 4624, when I remove 4672 and 4624 and leave only 4625, my 4625 results are shown.. Not sure why the loop does not run all the way through. 

SELECT DISTINCT
eventid,
datetime(time, 'unixepoch') Date_Time,
Count(task_message) Logon_Count,
JSON_EXTRACT(swe.data, '$.EventData.LogonType') LogonType,
JSON_EXTRACT(swe.data, '$.EventData.IpAddress') IP_Address,
JSON_EXTRACT(swe.data, '$.EventData.TargetUserName') TargetUserName,
data
FROM sophos_windows_events swe
WHERE eventID IN (4625) AND time > strftime('%s','NOW','-90 DAYS') AND TargetUserName LIKE '%$$UserName$$%'
Group BY LogonType;

Hello,  I am looking for the Logon Events Across Estate Query?

Hey Kris! 

Thank you for the feedback, I suspected for the most part that as with a lot that I am learning with threat hunting; everything can be a concern until you know it isn't, but that also does not mean to panic. It just means to dig in and learn more! (In a safe manner as you referenced above - if in doubt call in the higher-skilled teams)

Thankfully digging deeper lead me to believe this was not worth escalation to the MTR team. The crazy cool tie back to the threat hunting academy however is it these lessons/courses DID lead to an alternate escalation to the MTR Team, which by the end of their investigation they did not find any IOCs. 

That said, someone was knocking on the door of two of our systems (attempting to brute force them) and we only learned of this attempt due to these sessions. By the end of the joint investigation with the MTR team, these systems looked to be being hit while off of our network by a remote actor - in today's world with such a rapid deployment to having users work remotely being able to watch for and catch off-net systems(that do connect to the network during business hours) may have saved us a potential compromise down the road. 

All said, three days in and the stuff we are learning has already helped us strengthen our security footprint!

Great to hear you are using MTR! I suppose it goes without saying, but if you think you legitimately have an active incident, please call the MTR team first and don't use this as the opportunity to up-level your threat hunting

Your instances of T1069 are likely not super interesting... unless they are. If you want to get more data about them, I suggest you open up your hunt around the time stamps you see. Using the generic query posted above can be a good place to start to just orient around what else was happening and then decide if/how to selectively hone in on other events or artifacts. If you have remote management tools that report on this kind of data, it is possible that they are leveraging an API to make this call, but it's hard to say without other context. Have a look at a the MITRE mitigations and detections for this sub-technique for a bit more context- https://attack.mitre.org/techniques/T1069/. Andy Martin will also be looking at enumeration in the next session, so some of the queries he mentions will be useful to understand if there is lateral movement or recon going on. 

You are correct that running a query in Sophos Central to identify local admins wouldn't generate the system data in your previous query. The EDR data you get back as a result Live Discover gets pulled from the Intercept X Advanced w/ EDR data recorder and is in not running a command in a local shell to get it. 

Bottom line, as with most things threat hunting, the answer to whether this is a red flag is... it depends. You need to understand more about what else is going on both locally and in the rest of the environment. Stay tuned for the session from Andrew Mundell on using a threat hunting framework where he specifically talks through a usable workflow for threat hunting.