We covered threat hunting in-depth, compared threat hunting with incident response, covered a MITRE-based approach to hunt for threats based on attackers’ tactics and techniques such as initial access, execution, defense evasion and persistence using Elastic Stack and Kibana. We covered a practical scenario using TryHackMe Threat Hunting: Foothold for demonstration.

Wazuh IDS/IPS Study Notes

The Elastic Stack Study Notes

Threat Hunting | Initial Access

The Initial Access Tactic (TA0001) represents adversaries’ techniques and strategies to breach an organisation. This stage of an attack cycle predominantly focuses on delivering the payload to the target system or network. The primary objective during this phase is to gain a foothold in the network, which can be achieved through a variety of means, such as:

  • Social Engineering techniques such as phishing.
  • Exploiting vulnerabilities through public-facing servers.
  • Spraying credentials through exposed authentication endpoints.
  • Executing commands through malicious flash drives.
  • Installing cracked software with hidden malicious code.

As the attack techniques are varied, our hunting strategies should also be multifaceted and adaptable. Our goal is to identify signs of the various methods outlined above. Hence, we will use the following scenarios to build our hunting methodology:

  • Brute-forcing attempts via SSH.
  • Exploitation of a web application vulnerability.
  • Phishing via links and attachments.

Threat Hunting | Execution Phase

The Execution phase can manifest in several ways, and recognising these signs can be complex due to the many potential execution methods an adversary might employ. However, it all boils down to executing a malicious command.

Unusual process creation, network connections, file modifications, and many more traces can indicate malicious execution. Recognising these red flags requires an in-depth understanding of typical endpoint behaviour and a keen eye for spotting anomalies. In line with these, we will use the following scenarios to build our hunting methodology:

  • Suspicious usage of command-line tools.
  • Abuse of built-in system tools.
  • Execution via programming/scripting tools.

Threat Hunting | Defense Evasion Phase

Despite adversaries’ attempts to evade detection, their activities inevitably leave traces in these logs, providing us with potential leads. With these, we will use the following scenarios to uncover the traces of this tactic:

  • Disabling security software.
  • Log deletion attempts.
  • Executing shellcode through process injection.

Threat Hunting | Persistence Phase

The hunt for persistence involves detecting the system’s subtle changes and activities. This may entail identifying unrecognized or unexpected scripts running at startup, spotting unusual scheduled tasks, or noticing irregularities in system registry keys. We will use the following scenarios to learn more about the traces left when threat actors implant persistence mechanisms.

  • Scheduled Task creation.
  • Registry key modification.

Threat Hunting | Command and Control Phase

The hunt for Command and Control involves uncovering these covert communication channels amidst regular network traffic. Adversaries use standard protocols to blend in with typical network traffic or use cloud storage services as unconventional command channels to avoid raising suspicion. In the following sections, we will delve deeper into strategies and techniques for hunting Command and Control activities, interpreting network events, and recognising anomalies through the following scenarios:

  • Command and Control over DNS.
  • Command and Control over third-party cloud applications.
  • Command and Control over encrypted HTTP traffic.

Room Answers | Threat Hunting: Foothold

Use the Discover tab on the left sidebar (via the hamburger button) to answer the question.

What is the attacker’s successful authentication timestamp on the Jumphost server? (Format: Nov 1, 2018 @ 13:45:00.000)

Jul 3, 2023 @ 14:14:09.000

What is the name of the PHP file accessed by the attacker via the cat command after gaining successful code execution on web01?

config.php

What is the name of the unusual process executed within the timeframe of update.lnk execution on WKSTN-2?

powershell.exe

Tracing back the cmd and PowerShell child processes spawned by installer.exe, what is the first command executed via cmd?

whoami /priv

Using the process ID of the PowerShell process spawned by mshta.exe, what is the destination IP of the network connections made by this process?

167.71.198.43

Following the cmd.exe process spawned by Python, what is the command-line value of the net.exe process?

net users

What is the PID of the cmd.exe process that executed “powershell Set-MpPreference -DisableRealtimeMonitoring $true”?

428

What is the PowerShell command-line argument used to clear the event logs of WKSTN-1?

Clear-EventLog -LogName Security

What is the process PID of chrome.exe’s target for process injection?

4240

What is the name of the parent process of the cmd.exe process that executed the scheduled task creation?

powershell.exe

Using the process ID of malicious reg.exe execution, what is the value of the process command line used to execute the registry modification?

cmd /c “REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d \”C:\Windows\Temp\installer.exe\””

Video Walkthrough | Threat Hunting: Foothold

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles