Watching Kittens at Play: Dissecting an Iranian Nation State Interactive Intrusion
2022-06-18, 11:00–11:45, Track 1 (UC Conference Rm A)

State-nexus threat actors are often perceived as mythological creatures that can infiltrate a system with a snap of their fingers and operate without a trace. While threat actors should not be underestimated, they work within the same constraints that operating systems place on all users. Through a retrospective look at a PIONEER KITTEN intrusion, attendees will gain insight into how nation state-nexus actors operate in the wild and how to unearth adversarial tradecraft in their own environment.


Threat hunting intro

  • Discuss briefly the CrowdStrike SEARCH methodology and the processes our threat hunters use to investigate the interactive intrusions like the one we discuss in the talk. Attendees will be able to replicate some of the processes and procedures discussed in this section in their own threat hunting operations.
  • High level trends Falcon OverWatch has seen on the front lines

Adversary overview

  • High level look at the benefit/risk balance of relying on attribution for threat hunting operations
  • Discuss the tactics that we typically see from the adversary PIONEER KITTEN

Core Content:

A detailed walk through of a real world, interactive intrusion, including a deep dive into the techniques used.

  • Discovery
    • quser
    • netstat
    • net user
  • Lateral Movement
    • Scheduled Tasks
    • UNC Path
    • Powershell
    • RDP Configuration changes
  • Persistence
    • Webshell installation
    • IIS manipulation InetMgr
    • Account creation
  • Credential Access
    • WDigest Cleartext password storage


Actionable ways you can threat hunt for nation state adversarial tradecraft in your environment and an understanding of the importance of pulling multiple data sources/artifacts to validate activity

Ryan Thompson is currently working as a Senior Intrusion Researcher at Crowdstrike. His primary functions include conducting post-mortem analysis on hands-on intrusions and researching attacker techniques and trends. Previously, Ryan has worked as an Instructor at Elastic teaching the Air Force, Navy, and Army to conduct threat hunting using open source tools such as Kibana, Suricata, and Zeek. Before that, he was a Senior Security Analyst at Alert Logic providing weekly recommendations to clients using packet analysis, IDS alerts, and log-based investigations. He currently holds several SANS certs and is a TA for SANS FOR508 (GCFA).