A Process is No One - Hunting for Token Manipulation

Black Hat via YouTube

Overview

This course teaches participants how to start threat hunting, emphasizing hunt hypothesis generation as the way to guide targeted data collection and forensic artifact analysis. It covers the Hacker Lifecycle, the MITRE ATT&CK framework, tactics, procedures, and the process of building a hunt hypothesis. Participants will learn about Access Token Manipulation, Windows authentication, the different token types, token impersonation, and visualization techniques. The teaching method combines theoretical concepts, practical demonstrations, and Q&A sessions. The course is intended for individuals who want to start threat hunting within their organizations and for those looking to enhance their skills in cybersecurity and digital forensics.

Syllabus

Introduction
What is Hunting
Normal Hunt Cycle
Hypothesis-Driven Hunting
Benefits
Hypothesis-Driven Hunting
Hacker Lifecycle
MITRE ATT&CK Framework
Tactics Techniques Procedures
Tactics
Procedures
Why is this useful
What is this process
Building the hunt hypothesis
Identifying the tactic
Identifying the procedures
Scope
Documentation
Conclusion
Benefit
Tactics and Techniques
Access Token Manipulation
Windows Authentication
Access tokens
Token types
General overview
Token impersonation
Visualization
Create a Process
Make an Impostor Token
Create a New logon session
Collection Requirements
Collecting Access Tokens
Get Access Token
Impersonation
GetSystem
Kerberos ticket granting ticket
Get Kerberos ticket granting ticket
Make token attack
Scope of analysis
Excluded factors
Demo
Questions

Taught by

Black Hat
