Comments on DFIR and Threat Hunting: Threat Hunting - Getting Closer to Anomalous Behavior

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2016-10-17 03:55 (UTC-07:00):

"I consider the above...to be lateral movement tools and are often used in conjunction with each other."

I'm not sure that I see/understand how ipconfig.exe and netstat.exe are used for lateral movement, but I do get and agree with your overall point. But it also depends a great deal on the infrastructure...there are those for which these tools are never run until an adversary does so.

"For identifying odd processes, I agree that it's difficult to look at these en masse and pick out the bad ones."

There are so many ways to start with whittling this down, pretty significantly. The parent process is one...the path to the executable image is another. For example, GoogleUpdate.exe running from the root of the "AppData\Roaming" folder would generally be considered A BAD THING.

Of course, it helps significantly more if there's not only knowledge sharing amongst analysts within an organization, but also outside that organization...if analysts got together and shared more than just the lowest level indicators (IP addresses, domains, etc.).

"...you need to look at the problem differently."

Exactly. Don't look at it as an enormous volume of data...instead, look for and pivot off of the anomalies. If you don't know what that would be, that's where knowing your environment, and knowing the adversary's TTPs come in.

Jack Crook (https://www.blogger.com/profile/12833839809413917819), 2016-10-17 09:23 (UTC-07:00):

Thanks for the comment, Harlan. Ipconfig and netstat can both be used by an attacker to gain information as to where they may be able to move. Probably better stated as host recon tools though.
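The two comments above point at two cheap filters for whittling process data down (the parent process and the image path, with GoogleUpdate.exe under AppData\Roaming as the canonical bad case) and at host recon tools such as ipconfig and netstat being run together. What follows is an added example, not code from the post or from either commenter, that applies both filters to a handful of process-creation records. The field names mimic Sysmon Event ID 1, and the EXPECTED_DIRS baseline, the HOST_RECON list and the sample records are all constructed assumptions for illustration; a real baseline has to come from your own environment.

```python
"""Whittling down process-creation records by parent and image path.

Added example; it is not code from the blog post or from either commenter.
The records below are constructed to resemble Sysmon Event ID 1 fields
(Image, ParentImage, ParentProcessId, UtcTime). The EXPECTED_DIRS baseline
is an assumption for illustration and should be derived from your own hosts.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Assumed baseline: directories a given binary is expected to run from.
EXPECTED_DIRS = {
    "googleupdate.exe": {r"c:\program files (x86)\google\update"},
    "ipconfig.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "netstat.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Host recon tools an adversary tends to run together after landing on a box.
HOST_RECON = {"ipconfig.exe", "netstat.exe"}


def _name(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def path_anomalies(records):
    """Records whose image name is known but whose directory is off-baseline.

    Catches the GoogleUpdate.exe-under-AppData\\Roaming case from the thread.
    """
    return [r for r in records
            if _name(r["Image"]) in EXPECTED_DIRS
            and _dir(r["Image"]) not in EXPECTED_DIRS[_name(r["Image"])]]


def recon_clusters(records, window=timedelta(minutes=5), min_tools=2):
    """Parents that spawned at least `min_tools` distinct recon tools in `window`.

    Returns {(host, parent_pid): sorted tool names}. A lone ipconfig.exe is
    normal in many environments; several recon tools under one parent in a
    short span is the pattern worth pivoting on.
    """
    by_parent = defaultdict(list)
    for r in records:
        if _name(r["Image"]) in HOST_RECON:
            by_parent[(r["Host"], r["ParentProcessId"])].append(r)

    flagged = {}
    for key, events in by_parent.items():
        events.sort(key=lambda e: e["UtcTime"])
        for i, first in enumerate(events):
            tools = {_name(e["Image"]) for e in events[i:]
                     if e["UtcTime"] - first["UtcTime"] <= window}
            if len(tools) >= min_tools:
                flagged[key] = sorted(tools)
                break
    return flagged


def _rec(host, pid, ppid, parent, image, when):
    return {"Host": host, "ProcessId": pid, "ParentProcessId": ppid,
            "ParentImage": parent, "Image": image,
            "UtcTime": datetime.strptime(when, "%Y-%m-%d %H:%M:%S")}


# Constructed sample records (not real telemetry).
SAMPLE = [
    _rec("host1", 1001, 800, r"C:\Windows\System32\services.exe",
         r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
         "2016-10-17 09:00:00"),
    _rec("host1", 1012, 2200, r"C:\Windows\explorer.exe",
         r"C:\Users\bob\AppData\Roaming\GoogleUpdate.exe",
         "2016-10-17 09:01:30"),
    _rec("host1", 1020, 4242, r"C:\Windows\System32\cmd.exe",
         r"C:\Windows\System32\ipconfig.exe", "2016-10-17 09:02:00"),
    _rec("host1", 1021, 4242, r"C:\Windows\System32\cmd.exe",
         r"C:\Windows\System32\netstat.exe", "2016-10-17 09:02:07"),
    _rec("host2", 3001, 5100, r"C:\Windows\System32\cmd.exe",
         r"C:\Windows\System32\ipconfig.exe", "2016-10-17 11:00:00"),
]

if __name__ == "__main__":
    for r in path_anomalies(SAMPLE):
        print("unexpected image path:", r["Host"], r["ProcessId"], r["Image"])
    for (host, ppid), tools in recon_clusters(SAMPLE).items():
        print("recon cluster:", host, "parent pid", ppid, tools)
```

Run against the sample, the path filter returns only the GoogleUpdate.exe copy under the user's AppData\Roaming, and the recon filter returns only the cmd.exe parent on host1 that ran ipconfig and netstat seven seconds apart; the single ipconfig on host2 is left alone. Both filters are deliberately narrow: they do not try to rank everything, they pull out the few records worth pivoting from.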