Threat Hunt Trilogy: A Beast in the Shadow!
2022-08-13, 11:00–12:00 (US/Pacific), Talks (Virtual)

File-less threats operate in silence and stealth, enabling adversaries to bypass automated cybersecurity, lurk in our digital wonderland, and avoid standard detections. They are hidden beasts in shadow! This technical talk will briefly explain the different types of file-less threats and the importance of threat hunting to combat them. A Windows-based file-less threat will also be hunted via the live system, memory, and network packet analysis, followed by a comparative discussion about each method's capabilities. The threat hunts' hypotheses used in this presentation are practical, and all will be mapped with MITRE knowledge bases.

Although file-less threats may require some sort of files to operate or indirectly use them in some part of their lifecycle (e.g., infection chain), their malicious activities are conducted only in the memory. The adversaries misuse the trusted applications or native utilities such as PowerShell and WMI to download and load malicious codes directly into memory and execute them without touching the hard disk.

The newly discovered file-less threat campaign utilizes an innovative technique for the first time to store and hide its shellcode in the Windows event logs, which will be loaded and used by a dropper in the last stage of the infection lifecycle. To put it simply, the file-less threat could be a nightmare for blue teams and threat hunters.

This technical talk will briefly explain the different categories of file-less threats; however, as the title suggests, the focus of this trilogy will be a file-less threat hunt via three different approaches as follows:

• System Live Analysis: A few techniques such as running processes and lineage analysis, command-line Strings, masquerading and obfuscation, and port to process mapping will be used to look for the file-less threat traces on a live active system.

• Memory Forensics: This is one of the most exciting parts as it dives into the main territory of file-less threats and examines PowerShell execution, process tree, hierarchy, and handles to look for any potential signs of threats.

• Network Packet Investigation: Network conversations, malicious HTTP requests, files transferred, and adversaries' commands will be extracted from network packets (i.e., a sample PCAP file) to hunt the files-less threat used in the previous parts.

Finally, a comparative review discusses the advantages and disadvantages of the above techniques. All the three approaches will be conducted using open-source and free tools, native operating system commands, and built-in utilities. The threat hunt hypothesis and educated guesses will be formulated based on the industrial test cases provided by MITRE ATT&CK, D3fend, and CAR [Cyber Analytics Repository].

Meisam is a technical cybersecurity practitioner with solid expertise in providing strategies and technical directions, building new service/business lines, diverse teams, and capabilities. He has over 20 years of experience in information technology, with 16 years dedicated to cybersecurity in leadership and technical roles leading a wide range of services for multi-national clients mainly in Red Teaming, Threat Hunting, DFIR, Cyber Drill, Compromise Assessment, and Penetration Testing. He is also a security researcher [MITRE D3FEND contributor], blogger [], mentor, and speaker in many global events and conferences such as Defcon, BSidesSG, and NASSCOM.