Professional Documents
Culture Documents
Cyber Threat Hunting Day 5 - WQA
Cyber Threat Hunting Day 5 - WQA
Cyber Threat Hunting Day 5 - WQA
Capstone
Training Day 5
• Threat hunting is a Proactive cyber defense approach. Threat hunting processes perform
proactive and iterative discovery through networks, endpoints, and other infrastructure to
detect and respond to cybersecurity threats that sometimes evade existing security
solutions.
https://twitter.com/Rcfontana/status/1262407505776381952
• Presumptions of Compromise :
Your prevention technology
will eventually fall or have
already failed without your
knowledge. With Adoption
Assume breach mentality will
increase your awareness of
compromised assets
https://www.clearnetwork.com/cyber-threat-hunting-what-why-
and-how/
Digital
Security Threat Forensic &
Monitoring Hunting Incident
Response
Source : https://2016.zeronights.ru/wp-content/uploads/2016/12/ZN16-KHS-Th_Soldatov.pdf
https://hodigital.blog.gov.uk/wp-content/uploads/sites/161/2020/03/Detecting-the-Unknown-A-Guide-to-Threat-Hunting-v2.0.pdf
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-
chain.html
1/10/2021 Blue Team Jakarta, Indonesia 23
Threat Hunting Framework : MITRE ATT&CK
Sources : https://threatexpress.com/redteaming/mitre_attack/
Source : Fidelis Cyber Security and Vector8 About Data Source Spectrum
Operating System logs Useful Data sources. By Default capabilities for each Built in Function from OS
OS.
Process Activity Process start, DLL libraries loading, Process install Sysmon (Windows)
driver, Process perform code injection, Process open Auditd (Linux)
port for incoming network connections, connections, Osquery
Process initiate network connection, Process Endpoint Detection Response
create/change file, Process create/change registry Operating System Logs
key/value
Volatile Artifacts Temporary artifact collected from endpoint data Winpmem, Comae, (for Collecton)
sources for the purposes of hunting that might not EDR
touch the disk on the host Volatility
Data Collection : Memory, Network Conn, Process Google Rapid Response (GRR)
Conn, Velociraptor
Non-Volatile Artifacts Artifacts that resides on the endpoint / host disk. Brimorlabs
Data Collection : Prefetch, Amcache, Shimcache, MFT, KAPE
Registry, bash_history, Task Scheduler Kansa
FastIR Collector
Netflow Network traffic flow metadata. NetFlow data is analyzed to create a picture of Silk
network traffic flow and volume. used as a network traffic analyzer to determine Nfsen & Nfdump
its point of origin, destination, volume and paths on the network
Packet Capture Packet Capture is a networking term for intercepting a data packet that is Moloch,
crossing a specific point in a data network. Once a packet is captured in real- Tcpdump,
time, it is stored for a period of time so that it can be analyzed, and then either Wireshark,
be downloaded, archived or discarded. tshark
Network IDS A network-based intrusion detection system (NIDS) detects malicious traffic on Snort, Suricata
a network. NIDS usually require promiscuous network access in order to analyze Bro
all traffic Commercial NIDS
Product
Proxy Log Proxy server logs contain the requests made by users and applications on your Squid
network. This does not only include the most obvious part : web site request by Commercial Proxy
users but also application or service requests made to the internet (for example Product
application updates).
DNS Log One of the constantly re-occurring techniques is DNS-based activities like Passive DNS Log
exfiltration via DNS (Domain Name System) or C2 (Command and Control) DNS Server
communication via DNS. Still, a lot of companies are lacking in DNS logging,
missing DNS-based detection rules, or not aware of their own blindspots.
Data collected : DNS Server, DNS Collected from Network, Host Based (Sysmon
10),
• Network Infrastructure
• Routers
• Switches
• Wireless Access Points
• DNS server
• DHCP server
• SIEM
• Log Management / Analysis Platform {Elastic Stack, Graylog, etc}
• Network Detection Response
• Endpoint Detection Response
• X(Everyting) Detection Response
• Threat Intelligence Platform
• Threat Hunting Platform
• SANS Open Source Blue Team Tools
(https://www.sans.org/webcasts/faster-better-cheaper-improving-
security-operations-open-source-tools-112900)
• Github Awesome Threat Detection and Threat Hunting
(https://github.com/0x4D31/awesome-threat-detection)
1/10/2021 Blue Team Jakarta, Indonesia 48
Types of Threat Hunting
• Siting through the log data available for the threat hunters to spot
irregularities that might be malicious
• Additionally applying patterns on your infra
• Quite useful in Fraud detection
Intelligence Driven
• Base hypotheses on TTPs with further context provided by
assessments of the geopolitical and threat landscapes.
Situational Awareness
• Understand the environment, create a situational awareness, and
identify when it changes in some significant way.
Domain Expertise
• Each hunter has a unique set of experiences and skills that influence
hypothesis generation.
• Hypothesis : The Windows Command Prompt (cmd.exe) is a utility that provides command line
interface to Windows operating systems. It provides the ability to run additional programs and
also has several built-in commands such as dir, copy, mkdir, and type, as well as batch scripts
(.bat).
• Typically, when a user runs a command prompt, the parent process is explorer.exe or another
instance of the prompt. There may be automated programs, logon scripts, or administrative
tools that launch instances of the command prompt in order to run scripts or other built-in
commands. Spawning the process cmd.exe from certain parents may be more indicative of
malice.
• Example Use Case Hunting : if Adobe Reader or Outlook launches a command shell, this may
suggest that a malicious document has been loaded and should be investigated. Thus, by
looking for abnormal parent processes of cmd.exe, it may be possible to detect adversaries.
MITRE Reference:
CAR-2020-09-001 : Scheduled Task – FileAccess: https://car.mitre.org/analytics/CAR-2020-09-
001/
MITRE Reference:
CAR-2020-09-001 : Credential Dumping via Windows Task Manager :
https://car.mitre.org/analytics/CAR-2019-08-001/
• Hypothesis : The Windows Task Manager may be used to dump the memory space of
lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is
performed by launching Task Manager as a privileged user, selecting lsass.exe, and
clicking “Create dump file”. This saves a dump file to disk with a deterministic name
that includes the name of the process being dumped.
• Example Use Case Hunting :
Hunting for File Creation (thinking about Sysmon Event ID 11 for example), with the
process image is taskmgr.exe
• Next, we will want to learn as much as we can about the internal system
initiating the sessions. What operating system is it using? What is the
system’s function (user desktop, network hardware, etc)? Is there a functional
baseline to work with to see if this traffic pattern is normal? If we have
previous packet captures from the system, or have other similar systems we
can compare it against, this might help identify if the pattern we are seeing is
normal.
• As an example, many IoT devices check in regularly with a central console. We
may find that all devices exhibiting a specific suspicious behavior are all the
same model of IoT device.
• You may also want to see if the source is running any kind of endpoint
security software or if the logs are being collected to a central location. If we
get to the end of our threat hunt and deem the system as suspicious, the
additional data provided could be extremely valuable in performing a root
cause analysis.
https://attack.mitre.org/
Servers Applications
• Web servers • Web applications
• Application/API servers, dev servers • COTS applications
• Database servers • Custom, in-house applications
• File servers, backup/DR servers • Source co d e repos, dev/staging
• DNS servers apps
• Domain controllers, AD, ADFS Cloud / Containerized Infrastructure
• VPN gateways, remote access • Office 365, Azure Cloud
• Hypervisors • AWS, Google Cloud
• VPS providers, serverless app/API
Endpoints
providers
• Laptops, workstations, kiosks, VMs
• Docker containers, Kubernetes
• AV/EDR/EPP
SIEM/SOAR
Network Stack
• Potentially both a destination and source of
• Routers, switches, WAPs
logs
• Firewalls, VPN, SSO, WAFs, IDS/IPS, malware
Open Source Intel
sandboxes • Threat indicator feeds
• Web proxies, DNS resolvers • GeoIP location
• Email servers, spam/phishing filter gateways • Passive DNS
Mobile Devices • Domain registration, whois
• MDM, mobile a p p telemetry • Certificate transparency
• Social media
• Breach dumps
• https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
• Available
here:
21
1/10/2021 Blue Team Jakarta, Indonesia 108
Kibana – Key Features
• Discover
(search)
• Visualize
• Dashboard
• Index Pattern
Filter
• Examples:
• filebeat-* indices
• logstash-* indices
• winlogbeat-*
indices
Pie Chart:
Top Hostnames
• Free in 7.x
• Work in progress – currently supported data types and
detection rules are limited, new features being a dded
• C a n accelerate or complement simple SIEM use cases
• Not (yet) a full replacement for building out custom
Kibana queries, visualizations, and dashboards
• https://www.elastic.co/products/siem
• Also in development: Elastic Endpoint Security (based on
Endgame integration)
• Elastic Stack
• https://www.elastic.co/guide/en/elastic-stack/current/installing-elastic-stack
.html
• https://www.elastic.co/cloud/elasticsearch-service/signup
• https://www.elastic.co/downloads/beats/winlogbeat
• https://www.elastic.co/beats/filebeat
• https://www.elastic.co/siem
• https://github.com/elastic/detection-rules
• Sysmon: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
• MITRE ATT&CK Framework: https://attack.mitre.org/
• Windows Event ID References:
• https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
• https://www.malwarearchaeology.com/cheat-sheets