We covered a threat hunting challenge using elastic search where we demonstrated searching and analyzing logs to detect signs of keylogging, data exfiltration and data destruction. We used datasets available at TryHackMe Threat Hunting EndGame challenge which is part of SOC2 pathway.
Threat Hunting and MITRE ATT&CK
Threat hunting is a proactive and systematically iterative approach to the active security investigation process/practice that focuses on detecting/finding malicious or suspicious activities. MITRE ATT&CK framework is a joint knowledge base that explains, maps and binds the tactics and techniques used by adversaries. The hunting process leverages the framework as a guide by using known and emerging threats as a reference to develop a hypothesis, conduct an investigation, and categorise and stage activities.
Unified Kill Chain and The “Actions on Objectives” Phase
The “Actions on Objectives” phase is the seventh and final phase of “The Cyber Kill Chain”. The objective of this phase is to accomplish the goal of the adversary activity. Typical objectives include data exfiltration, data destruction/disruption, encryption for ransom, and credential theft. Understanding the adversary’s purpose/objective is vital for successful and effective threat hunting practices.
Again, in the threat hunting process, being familiar with the Unified Kill Chain and MITRE ATT&CK is crucial. Therefore, it will be easy to categorise and stage the detected activity. Also, when hunting for this phase, remember that the attacker has already evaded the established security measures, has persistent access and is ready to accomplish their objectives. Finally, always remember that adversary profiles and motivations vary so that they may perform various or additional/unexpected activities depending on their motivation, purpose and goals.
Proactive Threat Hunting Mindset/Approach
The proactive threat hunting mindset refers to actively hunting the process and seeking out potential threat/breach indicators within a scope. The utmost aim of the proactive approach is identifying the threats before they cause significant damage or go unnoticed in the system. The “unnoticed” part is known as “Dwell Time“. It represents the average time a threat actor has access to a compromised system before it’s detected and eradicated. The longer the dwell time, the more risk of impact on the compromised system as there will be more opportunity to accomplish the goals (actions on objectives). Many security provider reports and analysis outcomes indicate that the current average dwelling time is 20-25 days (per Q1 of 2023). Shrinking the average dwell as much as possible is another aim of all blue teamers. This is where the proactive mindset/approach increases the effectiveness of the threat hunting process.
Active exploration, hypothesis-driven approach, continuous monitoring, leverage threat intelligence, analytics and continuous improvement are key aspects of the proactive mindset. Designing and adopting a proactive threat hunting mindset can take time. However, working on such a track can enhance the security team’s threat detection capabilities and maturity level, decreasing the average dwell time.
Last But Not Least: Atomic Hints for Effective Threat Hunting
- It is always crucial to consider the characteristics, unique factors, operated industry, specific threat landscape and regulatory requirements of the scope and asset owners (organisations). Observing the mentioned key points will help you to implement a tailored and effective threat hunting process.
- The hunting and evaluation approaches may also vary by the implementer’s experience and implementation field. However, the foundation mindset always stays the same: seek, detect and eradicate threats.
- Get the benefit of leveraging threat intelligence and MITRE ATT&CK mapping when it is possible/available. Also, ensure the protection of the privacy and non-disclosure agreement points.
- Following and identifying specific framework steps might sometimes be overwhelming (due to case complexity or the analyst’s experience level). Still, it is always possible to start with a customised (slightly simplified) approach and collaborate with team members and responsible/authorised stakeholders.
Challenge Overview
Case: Collection
Threat hunting exercise focused on TA0009 (also known as a collection). The case example covers hunting keylogger activity.
- Available log sources
- Security
- Sysmon
- Windows PowerShell
- PowerShell Operational
Case: Exfiltration
Threat hunting exercise focused on TA0010 (also known as exfiltration). The case example covers hunting data exfiltration over ICMP.
- Available log sources
- Security
- Sysmon
- Windows PowerShell
- PowerShell Operational
Case: Impact
Threat hunting exercise focused on TA0040 (also known as impact). The case example covers hunting data destruction and manipulation via native system resources.
- Available log sources
- Security
- Sysmon
- System
- Windows PowerShell
- PowerShell Operational
Check out the video below for detailed explanation.
Room Answers | Threat Hunting: Endgame
What is the term used for the adversary lifetime in the network?
Dwell Time
What is the Process ID of the process that downloads the malicious script?
3388
What is the logged mail account?
hunted-victim2323@gmail.com
What is the total number of sent ICMP packets?
21
How many bytes (chunk) is the amount of data carried in each packet?
15
What is the name of the exfiltrated document?
chrome_local_profile.db
What is the server’s IP address (defanged) where the exfiltrated document is sent?
10[.]10[.]87[.]116
What is the name of the system executable used to remove shadow copies?
vssadmin.exe
What is the main shell image that started the attack chain?
powershell.exe
What is the process ID that started the attack chain?
6512
Video Walkthrough | Threat Hunting: Endgame
