YoVDO

A Process is No One - Hunting for Token Manipulation

Offered By: Black Hat via YouTube

Tags

Black Hat Courses Cybersecurity Courses Threat Hunting Courses

Course Description

Overview

Explore the fundamentals of threat hunting and learn how to generate effective hunt hypotheses in this Black Hat conference talk. Discover the often-overlooked first step in the threat hunting process, which can guide targeted collection and analysis of forensic artifacts. Delve into the benefits of hypothesis-driven hunting, the hacker lifecycle, and the MITRE ATT&CK framework. Gain insights into building hunt hypotheses, identifying tactics and procedures, and properly scoping and documenting your hunt. Focus on access token manipulation in Windows authentication, understanding token types, impersonation, and visualization techniques. Learn about collection requirements for access tokens and explore various attack methods, including creating impostor tokens and new logon sessions. Conclude with a demonstration and Q&A session to solidify your understanding of this critical cybersecurity approach.

Syllabus

Introduction
What is Hunting
Normal Hunt Cycle
Hypothesis-Driven Hunting
Benefits
Hypothesis-Driven Hunting
Hacker Lifecycle
MITRE ATT&CK Framework
Tactics, Techniques, Procedures
Tactics
Procedures
Why is this useful
What is this process
Building the hunt hypothesis
Identifying the tactic
Identifying the procedures
Scope
Documentation
Conclusion
Benefit
Tactics and Techniques
Access Token Manipulation
Windows Authentication
Access tokens
Token types
General overview
Token impersonation
Visualization
Create a Process
Make an Impostor Token
Create a New logon session
Collection Requirements
Collecting Access Tokens
Get Access Token
Impersonation
GetSystem
Kerberos ticket-granting ticket
Get Kerberos ticket-granting ticket
Make token attack
Scope of analysis
Excluded factors
Demo
Questions
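The syllabus items from "Collection Requirements" through "Excluded factors" describe the analysis stage of the hunt: once the collector has recorded every process primary token and thread impersonation token together with the logon session behind it, three hypotheses can be tested against that inventory. The following is an added example of that analysis, not code from the talk or its authors. It assumes a record layout (TokenRecord), an exclusion list of processes that impersonate callers legitimately, and a small constructed token inventory; none of those come from the page. Collection itself (OpenProcessToken/OpenThreadToken and logon session lookup on the host) is out of scope here.

```python
"""Hunt analysis for Windows access token manipulation.

Added example, not the talk's own tooling. It assumes a collector has already
walked every process and thread (e.g. OpenProcessToken / OpenThreadToken plus
the logon session data behind each token) and produced one TokenRecord per
token. The field names, the exclusion lists and every record below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOGON_NEW_CREDENTIALS = 9  # LOGON32_LOGON_NEW_CREDENTIALS: the session a "make token" creates

# Excluded factors (assumed, tune per environment): RPC/named-pipe servers that
# impersonate callers as a matter of course, and parents that legitimately start
# children under another logon session.
KNOWN_IMPERSONATORS = {"svchost.exe", "lsass.exe", "services.exe", "spoolsv.exe"}
KNOWN_TOKEN_SWITCHING_PARENTS = {"services.exe", "winlogon.exe", "wininit.exe", "userinit.exe"}
USABLE_LEVELS = {"Impersonation", "Delegation"}  # Identification/Anonymous cannot act as the user


@dataclass(frozen=True)
class TokenRecord:
    pid: int
    ppid: int
    image: str
    token_type: str                  # "Primary" (process) or "Impersonation" (thread)
    user: str                        # account the token represents
    logon_id: int                    # LUID of the logon session behind the token
    logon_type: int                  # 0 system, 2 interactive, 3 network, 5 service, 9 new credentials
    impersonation_level: Optional[str] = None
    tid: Optional[int] = None        # set for thread (impersonation) tokens


Finding = Tuple[int, str]  # (pid, explanation)


def primary_tokens(records: List[TokenRecord]) -> Dict[int, TokenRecord]:
    return {r.pid: r for r in records if r.token_type == "Primary"}


def hunt_impostor_tokens(records: List[TokenRecord]) -> List[Finding]:
    """Thread impersonating a user or logon session other than its own process's."""
    prim = primary_tokens(records)
    findings = []
    for r in records:
        if r.token_type != "Impersonation" or r.impersonation_level not in USABLE_LEVELS:
            continue
        p = prim.get(r.pid)
        if p is None or r.image.lower() in KNOWN_IMPERSONATORS:
            continue
        if r.user != p.user or r.logon_id != p.logon_id:
            findings.append((r.pid, f"{r.image} tid={r.tid} runs as {p.user} but impersonates "
                                    f"{r.user} ({r.impersonation_level})"))
    return findings


def hunt_new_logon_sessions(records: List[TokenRecord]) -> List[Finding]:
    """Token backed by a NewCredentials (type 9) logon session: the make-token pattern."""
    return [(r.pid, f"{r.image} {r.token_type.lower()} token for {r.user} backed by logon type 9")
            for r in records if r.logon_type == LOGON_NEW_CREDENTIALS]


def hunt_process_with_token(records: List[TokenRecord]) -> List[Finding]:
    """Child primary token from a different logon session than its parent's (CreateProcessWithToken)."""
    prim = primary_tokens(records)
    findings = []
    for p in prim.values():
        parent = prim.get(p.ppid)
        if parent is None or parent.image.lower() in KNOWN_TOKEN_SWITCHING_PARENTS:
            continue
        if p.logon_id != parent.logon_id:
            findings.append((p.pid, f"{p.image} runs as {p.user} (logon {p.logon_id:#x}) under "
                                    f"{parent.image} running as {parent.user} (logon {parent.logon_id:#x})"))
    return findings


def run_hunt(records: List[TokenRecord]) -> Dict[str, List[Finding]]:
    return {
        "impostor_token": hunt_impostor_tokens(records),
        "new_logon_session": hunt_new_logon_sessions(records),
        "process_with_token": hunt_process_with_token(records),
    }


# Constructed inventory: one workstation, user alice logged on interactively.
SYSTEM, ALICE = "NT AUTHORITY\\SYSTEM", "CORP\\alice"
SAMPLE_RECORDS = [
    TokenRecord(600, 500, "services.exe", "Primary", SYSTEM, 0x3E7, 0),
    TokenRecord(800, 600, "svchost.exe", "Primary", SYSTEM, 0x3E7, 0),
    TokenRecord(800, 600, "svchost.exe", "Impersonation", ALICE, 0x5A2C1, 2, "Impersonation", tid=812),  # benign RPC server
    TokenRecord(3000, 2900, "explorer.exe", "Primary", ALICE, 0x5A2C1, 2),
    TokenRecord(4100, 3000, "notepad.exe", "Primary", ALICE, 0x5A2C1, 2),
    TokenRecord(4100, 3000, "notepad.exe", "Impersonation", SYSTEM, 0x3E7, 0, "Impersonation", tid=4120),  # getsystem-style
    TokenRecord(4200, 3000, "powershell.exe", "Primary", ALICE, 0x5A2C1, 2),
    TokenRecord(4200, 3000, "powershell.exe", "Impersonation", "CORP\\svc_backup", 0x7F3E0, 9, "Impersonation", tid=4215),  # make token
    TokenRecord(4300, 3000, "cmd.exe", "Primary", "CORP\\bob", 0x8C110, 2),  # stolen token used to start a process
    TokenRecord(4400, 3000, "chrome.exe", "Primary", ALICE, 0x5A2C1, 2),
    TokenRecord(4400, 3000, "chrome.exe", "Impersonation", ALICE, 0x5A2C1, 2, "Identification", tid=4410),  # benign
]

if __name__ == "__main__":
    for hypothesis, hits in run_hunt(SAMPLE_RECORDS).items():
        for pid, why in hits:
            print(f"[{hypothesis}] pid={pid}: {why}")
```

Each function is one hypothesis from the syllabus: an impostor token is a usable impersonation token whose user or logon session differs from the process's primary token; a make-token attack leaves a token backed by a type 9 (NewCredentials) logon session; a process started with a stolen token has a primary token from a logon session its parent never had. The exclusion sets are the scoping step and are the part most likely to need adjustment, since service hosts impersonate clients by design and a hunt that does not exclude them drowns in benign hits.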


Taught by

Black Hat

Related Courses

TOTAL: CompTIA CySA+ Cybersecurity Analyst (CS0-003)
Udemy
Operationalizing Cyber Threat Intel: Pivoting & Hunting
Pluralsight
Threat Hunting with Yara
Pluralsight
Enterprise Security: Policies, Practices, and Procedures
Pluralsight
Managing and Responding to Security Events Using Azure Sentinel
Pluralsight