TestDrive

Threat Hunting Takeaways


  1. Attackers are using ordinary, trusted channels and tools to evade traditional security technologies:
    • Outlook
    • MS Word
    • GitHub
    • Windows built-in tools - arp, ipconfig, systeminfo, hostname, etc.
    • Outbound HTTPS (port 443) connections
  2. Without deep telemetry data, the context provided by Watchlist hits, and process tree visualization, it is difficult to replay the attack stages and work out what happened at the device level.
  3. Binary details (hash, signer, path) can be used to search the blast radius and even contain it, simply by adding the binary to the banned list.
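As an added illustration of takeaways 1 and 2 (this is example code, not part of the TestDrive page or any Carbon Black product), the hunt below walks a process tree built from constructed process-start events and flags a host where several built-in Windows discovery tools (arp, ipconfig, systeminfo, hostname) run in quick succession underneath Outlook or Word. Event fields, host names and PIDs are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
OFFICE_APPS = {"outlook.exe", "winword.exe"}
DISCOVERY_TOOLS = {"arp.exe", "ipconfig.exe", "systeminfo.exe", "hostname.exe"}
WINDOW = timedelta(minutes=5)   # discovery tools must start within this span
MIN_TOOLS = 3                   # distinct tools needed to raise a finding

# Constructed sample process-start events: (timestamp, host, pid, ppid, image).
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:05", "WS01", 200, 1, "outlook.exe"),
    ("2024-01-10T09:02:10", "WS01", 300, 200, "cmd.exe"),
    ("2024-01-10T09:02:11", "WS01", 301, 300, "hostname.exe"),
    ("2024-01-10T09:02:12", "WS01", 302, 300, "ipconfig.exe"),
    ("2024-01-10T09:02:14", "WS01", 303, 300, "arp.exe"),
    ("2024-01-10T09:02:20", "WS01", 304, 300, "systeminfo.exe"),
    # Benign: an admin on another host runs one ipconfig from a console.
    ("2024-01-10T09:10:30", "WS02", 510, 1, "cmd.exe"),
    ("2024-01-10T09:10:31", "WS02", 511, 510, "ipconfig.exe"),
]

def office_ancestor(table, host, pid, max_depth=8):
    """Walk ppid links upward; return the first Office image found, else None."""
    for _ in range(max_depth):
        if (host, pid) not in table:
            return None
        _, pid, image = table[(host, pid)]  # pid becomes the parent's pid
        if image in OFFICE_APPS:
            return image
    return None

def hunt(events):
    """Return {(host, office_app): [tools]} for Office-descended discovery clusters."""
    table = {(h, p): (datetime.fromisoformat(ts), pp, img.lower())
             for ts, h, p, pp, img in events}
    runs = defaultdict(list)   # (host, office_app) -> [(start_time, tool)]
    for (host, _), (ts, ppid, image) in table.items():
        if image in DISCOVERY_TOOLS:
            app = office_ancestor(table, host, ppid)
            if app:
                runs[(host, app)].append((ts, image))
    findings = {}
    for key, seen in runs.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            tools = {img for ts, img in seen[i:] if ts - start <= WINDOW}
            if len(tools) >= MIN_TOOLS:
                findings[key] = sorted(tools)
                break
    return findings
```

The single ipconfig run on WS02 has no Office ancestor and does not reach the MIN_TOOLS threshold, so only the Outlook-rooted cluster on WS01 is reported.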

"Threat hunting is an exercise of finding anomalies across normal-looking patterns."


Note: Carbon Black is set to a Detection-only policy for demonstration purposes. The initial stages of this attack could have been prevented by leveraging Carbon Black prevention policies.

How to find the hostname and IP address in Windows

  1. Open a command terminal in Windows.
  2. Type hostname and ipconfig to find the host name and IP address of the Windows environment you are logged in to.
