I was recently at the Threat Hunting Summit in New Orleans. It was great to meet some of you who read my posts, and to get feedback on my talk.
My slide deck is here:
So, we hunt threats a bit differently. Let me explain. We act out adversarial actions, and try to discover innovative tactics that adversaries might use.
I have published these on my blog and on my github page. The purpose in my publishing is to inform defenders of tactics that can be used against defensive systems...
I have mentioned in several talks, that I am interested mainly in architectural flaws, or oversights, that can allow attackers to use trusted tools, in unexpected ways. These are not exploits... There is no patch coming... I am using the tools in the manner that they are meant to be used, mostly, for developers.
I really do enjoy what the DFIR community is doing, from Memory Forensics, to Continuous Monitoring, to Log Aggregation and analysis... And I get it, all that is good stuff.
But then there are hidden caves and corners in the OS, like regsvr32, and the other tools I've written about
These are on your box and nobody knows what the hell it does, or COULD do....
But likely someone has figured that out, and you are unaware...
So, my opinion, and it is purely that, is this, for those of us who do defense. I encourage you to start looking around, ask what can this do? Do we ever use it, how often is this EVER executed? If it does weird stuff. Ban it perhaps...etc... There is a lot of interesting places to hide that you can find.
So, about regsvr32.exe. Here's a native tool. Built into the OS, many of us didn't really understand what it could do, until a few days ago...
regsvr32.exe will be one of my favorite finds, and I am glad it got the attention is has.
I hope that some of you will take on the hunt for strange and interesting in your environment.
I grew up hunting in Colorado. And I can tell you this. You hunt elk very differently than you hunt say Pheasants. Each situation and industry requires diligence.
Maybe instead of investing in some new widget, we should step back, sit down with the output of "dir /s" and understand what the tools and binaries are on our systems...
Thats free. And a rather interesting exercise.
There's plenty more fun to be had here...
Hope that helps!
Ok, Thats all I got.