RSS Feed

Advanced Incident Response & Threat Hunting

Created: 18.11.2020


Below is the skeleton from SAN508 course description. I am using it to make up my study plan. For each step of this plan I estimate my current level of training and I am also collecting resourced for this topic under Resources.

🫑 - level 0. I know nothing and not even where to start. I might have some embarrassingly fundamental knowledge which is not good enough even for the start.

🥒 - level 1. I know something about the subject, but this only gives me an approximate plan and kind of things to look for.

🥗 - level 2. I know something about the subject, I’ve even read something about it. But no hands-on eperience.

🌮 - level 3. I know quite a lot about the subject, I’ve read something about it and some hands-on eperience.

🥘 - level 4. I know a lot about the subject and quite a decent experience. This one I will only use when I am done preparing and have the first mock exam. Bonus - 🍭 real-life expreience (not just labs).

🗒- Topic specific plan. 👌-done, 🚧 - in progress

🗂 - references and resources.

🎯- objectives.

🏺- artifacts

🛠 - tools to learn/use.


  • Forensic Lab Setup and Orientation Using the SIFT Workstation 🥒 - level 1.
  • Malware Persistence Detection and Analysis 🗂 [2], 🌮 - level 3 + 🍭
  • Scaling Data Collection and Analysis 🫑 - level 0.
  • Finding and Analyzing Malicious WMI attacks 🫑 - level 0.


Real Incident Response Tactics


Key tools, techniques, and procedures that an incident response team needs to respond properly to intrusions


Proper scoping of an incident and detecting all compromised systems in the enterprise. First stages of IR is mostly about cleaning up using frequency analysis, leaving for the worst scenario everything less likely. So, in case there are no clues or traces left with the frequency analysis you are moving to the those, that seem less suspicious or not suspicious at all. So, in IR it’s not like you are supposed to investigate every single process on the machine and determine whether it’s malicious or not. This is the worst case scenario and it’s mostly about forensics, I think.

Containment/Intelligence Developmen

Restricting access, monitoring, and learning about the adversary in order to develop threat intelligence


Determining and executing key steps that must be taken to help stop the current incident and the move to real-time remediation


Recording of the threat intelligence to be used in the event of a similar adversary returning to the enterprise.

Avoiding “Whack-A-Mole” Incident Response

Going beyond immediate eradication without proper incident scoping/containment. It’s very bad to do so, since without proper scoping/containment you can’t know the whole picture and you risk leaving some vulnerability unpatched or some machine unrecovered. Moreover, now the attack knows how you behave and that you know and can act appropriately.

[1] The End Of Whac-A-Mole: From Incident Response To Strategic Intelligence

[1] Incident Response book (Packt) + several others + NIST.

Threat Hunting

Hunting versus Reactive Response

[1] SANS+IBM brochure on hunting.

Hunting is usually better since it allows targeted response. Reactive response means that you are looking for everything, even if it’s not really relevant for your enterprise. For example, monitoring log4j vulnerability when you don’t use this framework at all.

Intelligence-Driven Incident Response

[1] SANS poster, Threat Intelligence

So, each time a IR process is triggered + third-party informaiton collected, we “draw” a picture of the most likely threats for this particular organization.

Building a Continuous Incident Response/Threat Hunting Capability

Forensic Analysis versus Threat Hunting Across Endpoints

[1] use VPN to access

Forensic Analysis is time and resources-costly. That’s why you don’t use for every investigation for every machine. Threat hunting can be though of as an immune system, B lymphocytes mark “bad” cells with antibodies and macrophages eat them. So, threat hunting shows the most likely suspects, most likely actors and most likely attack startegies, mark the workstations and forensics is to validate and investigate deeper.

Threat Hunt Team Roles

[1] Find Evil, [2] SecOps, [3] Where Does Threat Hunting Fit?, [4] Building your team


[1] is the main website on the topic.

Threat Hunting in the Enterprise

Identification of Compromised Systems

Finding Active and Dormant Malware

[1] TripWire article (short) about dormant malware

Digitally Signed Malware

Malware Characteristics

Common Hiding Mechanisms

Finding Evil by Understanding Normal

[1] My article about Super Novas

[2] SANS poster about Normal and Abnormal

Incident Response and Hunting across Endpoints

WMIC & PowerShell

[1] Read here

Offline. Detect all registered Event Consumers from an OBJECTS.DATA.

PyWMIPersistenceFinder.py <path\to\OBJECTS.DATA>

Offline. Kansa analysis of WMI

Get-LogparserStack.ps1 -FilePattern *WMIEvtFilter.csv -Delimeter "," -Direction asc -OutFile WMIEvt-stackfiles.csv

# Open with Timeline Explorer

PowerShell Remoting Scalability

Initiate a remote session:

# session created, command run, session terminated
Invoke-Command -ComputerName <pcname> -ScriptBlock {Get-Process | Where-Object -Property name -eq somethingbad}

# session created, commands run, session terminated when the user says it does
Enter-PSSession -ComputerName <pcname> -Credential <login> 
# or
# create a session
New-PSSession -Credentials
# use it with the Invoke-Command as a -Session parameter

It used to be Get-WMIInstance, now it’s Get-CIMInstance to use with other CIM-based servers.

⚠️ Kept getting Access Denied on any Get-WMIInstance Win32Process or Get-CIMInstance -ClassName Win32Process

✍️ https://newbedev.com/get-wmiobject-win32-process-computername-gets-error-access-denied-code-0x80070005

powershell.exe -NoP -NonI -W Hidden -E. You won’t usually

PowerShell Remoting Credential Safeguards

Kansa PowerShell Remoting IR Framework

Running Kansa across multiple PCs.

mkdir Results && cd Results

# check kansa.ps1 for the modules that will be run

.\kansa.ps1 -Pushbin -Target localhost [-TargetList <listoftargets>] -Credential <login> -Authentication Negotiate

Malware Defense Evasion and Identification

Service Hijacking/Replacement

[1] My presentations in injections, part 1

[2] My presentations in injections, part 2

Frequent Compilation

Binary Padding


[1] Incident involving armouring.

My own notes about packing (not ready yet)

Dormant Malware

[1] TripWire article (short)

Signing Code with Valid Certificates


Malware Persistence Identification


AutoStart Locations, RunKeys

Kansa Framework. Collection of the autorun locations

# Step 1. Run autorunsc (or Kansa script) on every machine, getting csv file for each one
# autorun.exe command in Kansa for autoruns search
# a * - all possible locations
# c - codecs as well
# h - generate hashes
# s - verify digital signatures
# '*' - all user profiles
autorunsc.exe /accepteula -a * -c -h -s '*' -nobanner 
# Collection with Kansa
kansa.ps1 -Pushbin -Target <IP|localhost|filewithIPs> -Credential username -Authentication Negotiate 
# don't pass the password here. Type when asked

# Step 2. open the file generated in TimeLine Explorer for analysis. 
# Step 3. Choose files from untrusted vendors and (Blank). 
# Step 4. Look at the images paths (compare with the Find Evil poster)
# Step 5. Look at the hashes, eliminate the known good.
# Step 6. Stacking (generate on file from all csv)
Get-ASEPImagePathLaunchStringMD5UnsignedStack.ps1 > stackedData.csv
# Step 6. Perfom frequency analysis. What stands out?
# Step 7. Use Select-String or grep to identify machines for each suspicuios entry

Service Creation/Replacement

Stacking services with Kansa

Get-LogparserStack.ps1 -FilePattern *services.csv -Delimeter "," -Direction asc|dsc -OutFile allServicesStack.csv
# For each GROUP BY type the column for ordering
# For example Name or Path
# quit for quit

Service Failure Recovery

Scheduled Tasks

DLL Hijacking

[1] My own presentation and corresponding articles

WMI Event Consumers

[1] PhDays 2019, Persistance mechanisms on Windows. Review and put down.

Investigating WMI-Based Attacks

WMI Overview

Since Win2000. Web-based enterprise management. CIM - common information model. It’s both a db of system informaiton AND means to automate its collection. wmic - commandline interface for WMI. It runs with SYSTEM privileges.

Moving laterally: remote desktop or netuse. To code execute from A to B, is one of the core techniques for that.

Can be used in privilege escalation when finding a service that has a unquoted path, for example. Or can be used with rundll32.exe and process call create.

Creating a WMI consumer:

# Step 1. Create an event filter that's going to monitor the systems and events and do something once certain conditions are met.
$FilterArgs = @{name='Pentestlab-WMI';
                Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"};
$Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs
# Step 2. Create an Event Consumer that's the action that's going to take place once the conditions specified by the even filter are met.
$ConsumerArgs = @{name='Pentestlab-WMI';         CommandLineTemplate="$($Env:SystemRoot)\System32\pentestlab.exe";}
$Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs
# Step 3. Bind the Filter to the Consumer.
$FilterToConsumerArgs = @{
Filter = [Ref] $Filter;
Consumer = [Ref] $Consumer;
$FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs

The above steps can be specified in a MOF file and compiled. So, either use Powershell or mofcomp.exe. Get-WmiObject and Remover-WmiObject to detect and remove suspicious entries.

Just create a process with wmic:

wmic process call create "path\to\process"

Tools 🛠: Event Logs, Sysmon and commercial tools like Falcon, CarbonBlack, Tanium.

Get-WmiObject -Namespace root\Subscription -Class __EventFilter
Get-WmiObject -Namespace root\Subscription -Class __EventConsumer
Get-WmiObject -Namespace root\Subscription -Class __FilterToConsumerBinding

Kansa includes the scripts for these commands for autocollection.

There are several types of event consumers:

  1. 🎯 ActiveScriptEventConsumer. Execute a predefined VB or JScript. This one is frequently used by attackers. scrcons.exe -> cmd.exe -> schticks.exe -> ActiveScript Event Consumer.
  2. 🎯 CommandLineEventConsumer. Launch a process. This one is also frequently used by attackers. wmiprvse.exe is the parent process. svchost -> services -> wmiprvse.exe -> CommandLine Event Consumer.
  3. LogFileEventConsumer. Write to a txt.
  4. NTEventLogEventConsumer. Log a message to Event Log.
  5. SMTPEventConsumer. Email a message via SMTP.
  6. Custom. Requires custom COM object.

WMI Attacks Across the Kill Chain

APT29. Used for privilege escalation and lateral movement.

Auditing the WMI Repository

Create and delete entries. Windows\System32\wbem\Repository\OBJECTS.DATA - objects, managed by WMI. INDEX.BTR - Binary Tree Index of the files in OBJECTS. MAPPING[1-3].MAP - correlates data between OBJECTS and INDEX.BTR.

Known good 😇: SCM Event, BVTFilter, TSlogonEvents.vbs, TSLogonFilter, RAevent.vbs, RmAssistEventFilter, KernCap.vbs, NTEventLogConsumer, WSCEAA.exe (for Dell devices).

WMI File System and Registry Residue

MOF files - compiled versions of event consumers. Can be located anywhere and named lots of diffreent things. But by default: %SystemRoot%\System32\wbem.

⚠️ Original mof file can be deleted after it’s added to the repo.

Set-WmiInstance can be used instead of mof files.

Autorecover. Pragma autorecover in config.mof. If this option is included, a copy is saved C:\Windows\System32\wbem\AutoRecover. Most of the adversaries use this setting. The time and dates are usually different for this backup than for other backups.

CIMOM. HKLM\SOFTWARE\Microsoft\Wbem\CIMOM. Use the Autorecover MOFs to see the original MOF files names.

Command-Line Analysis and WMI Logs

If something malicious was found on the system and is likely to be present on other systems:

wmic process where name="somethingbad" delete
# or with Powershell:

PyWMIPersistenceFinder.py is used for offline analysis of OBJECTS file. If data is deleted from the DB, the data might be still there. And this script parses the db, even the unallocated entries of this db.

Stacking with Kansa

Get-LogparserStack.ps1 -FilePattern *wmisFilters.csv|wmisEvents.csv|wmisConsumers.csv -Delimeter "," -Direction asc|dsc -OutFile wmisStack.csv
# GROUP BY Name or/and query
# Use Select-String or grep to identify the machines for suspiction entries

WMI Process Anomalies

  1. svchost -> services -> wmiprvse.exe -> CommandLine Event Consumer. If wmiprvse.exe has another parent or unusuall child (powershell) it’s suspicious.
  2. scrcons.exe -> cmd.exe -> schticks.exe -> ActiveScript Event Consumer.
  3. Encoded command lines
  4. Invoke-WmiMethod and Invoke-CimMethod
  5. /node:
  6. wmic process call create

Create a baseline for what’s normal for your systems.


[1] About some APT groups

[2] Practical Malware Analysis book

[3] Tips on SANS For508