What is Threat Hunting?
Threat hunting is the pursuit of indicators of compromise (IOCs) within public and private cloud servers, endpoints, and networks that may be symptomatic of a compromise, intrusion, or data exfiltration. Though the concept of threat hunting isn’t new, the practice of threat hunting is for many organizations.
Carbon Black EDR continuously collects comprehensive data, giving you all the information you need to proactively hunt threats, uncover suspicious behavior, disrupt attacks in progress, repair damage quickly, manage vulnerability and address gaps in defenses. It allows you to search through raw unfiltered endpoint data by using a powerful query language, even if the endpoint is offline.
The key difference between threat hunting and incident response is that threat hunting is proactive, whereas incident response is reactive. Often times great incident responders make legendary threat hunters because their experience helps them to accurately determine how an attacker will behave and what they might do next.
Table of Contents
1. Accessing the TestDrive Experience
In order to complete this walkthrough please make sure you have the following:
- A valid account in the VMware TestDrive environment (if you do not have one sign up here)
- Allowed outbound communication of TCP & UDP ports 80, 443, 8443; and if using PCoIP, both TCP & UDP 4172 from the computer you are accessing TestDrive.
- A Horizon Client is installed on your machine
Access the TestDrive portal at portal.vmtestdrive.com; sign in with your TestDrive account email and password.
Navigate to the 'Intrinsic Security' tab to view security related experiences.
Locate the appropriate experience. This user experience is VMware Carbon Black EDR. Once located, click the 'launch' button.
If prompted again, click the 'launch via WS1 button'.
Login with your TestDrive username and password. On the next screen, if not displayed, search for 'Threat Hunting with Carbon Black EDR' in the search-box.
Click to open the VDI desktop via either the Horizon App or the web-based console.
- Once you gain access to TestDrive environment
- Make sure you are logged into a TestDrive VDI Windows environment
- Your username should be VMWDP\xxxx
- On the desktop, you will find a text file ReadMe
- In this ReadMe text file, you will find all the information about how to log into Carbon Black Cloud
2. Attack Stages
An attacker has been doing reconnaissance of a user over social media and publically available information using Open Source Intelligence (OSINT) tools. The attacker has realized the user has been posting free coupons. The attacker has set up a command and control (C2) website with a deceiving name "freecoupon.tk" to manipulate this user.
Note: The website freecoupon.tk is set up for demonstration purposes.
The user has received a macro-enabled word in an email. Once the document is opened and enabled content, Google Chrome is opened with a website freecoupon.tk and a notepad automatically. An attacker could print anything on this notepad.
Victim only see a Google Chrome and notepad opened up on their screens, which are benign to think any malicious activity.
Furthermore, from the endpoint only HTTPS protocol used during this attack, which again is not suspicious or even considered to be blocked.
What is actually happening on the endpoint
Attacker have crafted this attack to make it look benign to start and evade all traditional network and endpoint security products.
So this is what visible to victim:
- Email with an attachment (word document)
- Email came from a legit domain and the Word document doesn't look suspicious
- After opening the Word document (+enable content)
- Google Chrome opens with a website which looks like have some coupons etc.
- A notepad which have some text
- All network connections were made over legitimate protocols such as (HTTPS or SMB etc.)
None of these actions would have triggered a user to be suspicious.
What else happened at the victim's endpoint:
- A ping to attacker's staging server
- Download of a reverse shell from attacker's staging server
- Execution of reverse shell on victim's endpoint
- Reverse shell established over
port 443to attacker's command and control (C2) server, from this moment attacker can access and even manipulate victim's endpoint for lateral movement - Executed local endpoint reconnaissance commands such as (systeminfo, arp, hostname etc.) and saved it locally on the endpoint
- Transfer that locally saved file to attacker's server to gain insight of this endpoint, this could have been any other files such as all word or Excel files from the endpoint to attacker's server as well
- Downloaded darkside ransomware from attackers' staging server
- Executed the ransomware
- Cleared all the logs
All of this telemetry data is captured by Carbon Black EDR and you will review it in the next section.
3. Lab Time
3.1. Wear a hat as a Victim
In this section, you will go through the experience as a victim. You will open the email using outlook, open the attachment etc., all the steps what victim had gone through.
This attack is phishing email turned into a ransomware.
- Set up outlook without an email account. For more instructions in detail, CLICK HERE.
- Open & Export, Import from another program or file
- Copy Carter.Hale file from Desktop to Downloads folder
- Import Outlook Data File (.pst) located C:\Users\Public\Downloads\Carter.Hale.pst
- Note: Please be sure to import pst file from the given location.
- Open the Word document attachment in the email from freecoupon [email protected]
For elaborated step-by-step walkthrough and detailed instructions, CLICK HERE.
- On the desktop, double click the shortcut named "Outlook No Account" to launch Outlook.
2. After Outlook is launched, click on the File tab in the Outlook window.
3. Select Open & Export then select Import/Export
4. Select Import from another program or file then click on Next
5. Select Outlook Data File (.pst)
Note: Don't click anywhere other than Browse
6. Click on Browse...
7.Copy Carter.Hale file from Desktop and paste it in Downloads folder then click on Downloads from Windows explorer.
Note: It is important that you type the exact location.
Tip: If you are using Horizon client (not browser), you can copy/paste this location from this guide to TestDrive user experience environment.
8. Select Carter.Hale (This is the outlook pst file)
9. Click on Open
Note: Verify that you are importing the right pst file such as Carter.Hale.pst
10. Click on Next
11. Click on Finish.
12. Click on Inbox
20. [Optional] Read the 1st email from freecoupon [email protected]
21. Click and open attachment, the Word document
22. Click on Enable Editing
23. Click on Enable Content
Note: You will see Google Chrome and notepad opened up automatically. It is part of the user experience, explained in detail here.
3.2. Wear a hat as a security operations center (SOC) analyst
In this section, you will go through the experience of a SOC analyst. From here onwards, think that you did not have access to the endpoint, and yet you need to investigate what happened.
Watch VMware RICK MCELROY discussing building threat hunting into your security operations - HERE.
A few things, you want to keep it handy for the next steps:
- Log into Carbon Black Cloud. Here are the steps.
- Make a note of your logged in TestDrive windows VDI hostname and IP. Here are the steps.
Once you know the hostname and you are logged into CB console, proceed with the next steps.
3.3. Threat Hunting using Carbon Black Cloud
- Select Alerts section and search for the device (hostname) you have written it down in the previous step
Note: Carbon Black is set to Detection only policy for demonstration purposes. Initial stages of this attack could have been prevented leveraging Carbon Black prevention policies.
2. [optional] You can review the alerts shown in Carbon Black for this device.
3. Priority logic, encourages us to start with Severity 10 alerts. Optionally, you can even use Priority filter and only see alerts with severity 10.
After filtering, you might be left with more than 1 Severity 10 alert. Looking at the Type of alerts, we see CB Analytics and Watchlists. To learn more about the difference: VMware Docs Link.
4. Click on Alert Triage of the alert with the reason "A known Ransomware virus was detected running."
5. You can go through each node (process) and review the process map.
"A picture is worth a thousand words"
6. For further investigation of this alert, click on Investigate button from this alert.
In investigate, we get complete telemetry data from the device to formulate our next steps. This helps to reduce the mean time to respond to cyber threats by minimizing their dwell time in your environment.
7. Click on the process analysis of the event for further investigation.
8. You can click on parent process nodes until you see outlook.exe and expand other child processes to get a complete picture of the attack.
Note: Carbon Black is set to Detection only policy for demonstration purposes. Initial stages of this attack could have been prevented leveraging Carbon Black prevention policies.
Investigate each process, command, binary leveraging CB
1. From outlook to word, which indicates that it was an attachment.
Leverage CB, where watchlist is providing information that it is a part of Initial Access and have Visual Basic. This information can help you determine the initial vector of how the attack started.
2. From winword, multiple child processes are created.
Watchlist hits are providing the clear information about the stage of attack along with information like Spearphishing attachment. Again, this is valuable information during alert triage, where additional context is increasing the confidence to formulate next steps.
3. Select chrome.exe process and check the website accessed at the device.
You can either use this information for further investigation or check the blast radius and see who else is going to that website from your organization.
4. Select 1st powershell.exe and use Carbon Black reveal feature to see the command used.
Note: if this command was encoded, Carbon Black would have decoded it automatically.
5. You can see the information, such as which github location was used to download the scripts, etc.
6. [Optional] expand the 1st powershell.exe until the last child process.
7. Expand the 2nd powershell.exe and see the child processes such as
- arp
- hostname
- ipconfig
- netstat
- systeminfo
All of these commands, we use in daily routing. However, not used all at once in such a short time. Especially, not as a child process from outlook, word etc.
8. Expand the 3rd powershell.exe and review the child process. You see a node name freecoupon_forlife.exe
Tip: Right click to open Binary Details to preserve the screen you are currently at.
9. You can click on Binary Details to get additional information about this executable.
Tip: If you did click on Binary Details and not the right click to open in a new tab. You can use the browser "click to go back" button to get to the same screen. You may have to reopen some processes the way you had previously.
10. Furthermore, while highlighting freecoupon_forlife.exe you can click on Take Action (Orange Button) and select Find in VirusTotal
This will open a new tab of auto filled with a hash of this executable, freecoupon_forlife.exe
11. You can review that this binary name freecoupon_forlife.exe is associated with darkside ransomware
12. Expand the 4th and last powershell.exe and review the child processes.
13. Select and highlight free_coupon.exe and scroll down to review events related to this node.
14. Filter the events by netconn
"This was the part of reverse shell stage of the attack"
Note: The connections were outbound using 443 which is allowed in almost all firewalls to access all popular websites. As a threat hunter, you will see this as an anomaly to record since this executable is not approved and trying to reach outbound connections.
Threat Hunting takeaways
- Attackers are using ways to evade traditional security technologies
- Outlook
- MS Word
- GitHub
- Windows built in tools - arp, ipconfig, systeminfo, hostname etc.
- Outbound HTTPS (port 443) connections
- Without deep telemetry data, context provided by Watchlist hits and process tree visualization. It is difficult to replay the attack stages and formulate what happened at the device level.
- Binary details can be useful to search the blast radius and even contain it by simply adding it to the banned list.
"Threat hunting is an exercise of finding anomaly across normal looking patterns."
Note: Carbon Black is set to Detection only policy for demonstration purposes. Initial stages of this attack could have been prevented leveraging Carbon Black prevention policies.
- Open command terminal in Windows
2. Type hostname and ipconfig to find out about host name and IP address of your logged in Windows environment
4. Additional Resources
- Carbon Black Cloud Malware Lab: https://kb.vmtestdrive.com/a/1552312-vmware-carbon-black-cloud-malware-lab
- Carbon Black App Control Lab: https://kb.vmtestdrive.com/a/1559207-vmware-carbon-black-app-control
- Carbon Black Workload Lab: https://kb.vmtestdrive.com/a/1552314-introduction-to-carbon-black-cloud-workload
- Carbon Black Container Lab: https://kb.vmtestdrive.com/a/1552310-securing-modern-applications-with-cbc-container-security
- Carbon Black XDR Lab: https://kb.vmtestdrive.com/a/1655218-threat-hunting-with-carbon-black-xdr-phishing-turned-into-ransomware