Here are some quick notes I compiled as I was learning and experimenting with threat hunting.

Broad definition

Threat hunting is a methodology in which defenders assume the system or network is already compromised and actively look for evidence of the attacker's activity. It focuses on activity that automated rules did not flag. It is mainly a human-driven effort: analysts look for anomalies in the data they collect, or use threat intelligence to search their infrastructure for known IOCs and TTPs.

The Concept of Pyramid of Pain

It was introduced by David J. Bianco and is a way to connect threat intelligence to threat hunting. It ranks the indicator types (hash values, IP addresses, domain names, network/host artifacts, tools, TTPs) by how much pain detecting and denying them causes the attacker: the higher the level, the harder it is for attackers to change that characteristic of their attack, but also the harder it is for organizations to find it. The original write-up is on David Bianco's blog (detect-respond.blogspot.com, listed in the resources below).

Threat hunting frameworks for a repeatable process

You can choose between three frameworks to structure your hunts: the Sqrrl threat hunting loop, TaHiTI (Targeted Hunting Integrating Threat Intelligence), and PEAK (Prepare, Execute, and Act with Knowledge).

Methodology

A generic approach can use one of:

  • Hypothesis-driven investigations, built from newly identified threats and attackers' latest tactics, techniques and procedures (TTPs)
  • Investigations driven by known IOCs taken from threat intelligence
  • Investigations driven by advanced analytics and machine learning

In any case, aim to improve automated detection over time by analysing the lessons learned from each hunt and turning them into new detection rules.

To perform a hunt, you need to form a hypothesis, understand the data sources you have, select a proper time window for the analysis, and know how your environment behaves under normal conditions (otherwise you cannot tell what is abnormal).

What to look for

Here is a compilation of some things to look for when performing threat hunting; it is in no way exhaustive, but summarizes what I learned while exploring the topic.

  1. Hunting on the network:
  • ARP:
    • Gratuitous ARP packets
    • Lots of ARP broadcast messages in a small amount of time
    • The same MAC address claiming several different IP addresses (or one IP address answered by two different MACs), as happens during ARP spoofing
  • ICMP:
    • Sprays of ping requests
    • Unusual type/codes within packets
  • TCP:
    • Sprays of SYN Packets
    • Port scanning
    • Lots of TCP SYN packets without SYN/ACK packets
  • DNS:
    • DNS requests for domains rarely used within your infrastructure
    • DNS over TCP on port 53 from ordinary clients (legitimate for zone transfers and truncated responses, rare otherwise)
    • DNS traffic not going to your DNS servers (clients resolving directly against external resolvers)
    • DNS responses without a matching query
  • HTTP / HTTPS
    • Encrypted or non-HTTP traffic on common HTTP ports (e.g. TLS or a custom protocol on port 80)
    • URL-encoded SQL injection payloads in query strings
    • Suspicious user-agents: look for rare occurrences, abnormally long or short strings, and known bad user-agents (such as those of web vulnerability scanners)
    • HTTP beaconing behaviour, which may indicate malware C2 communication (the same resource requested by the same source IP at regular intervals)
    • Suspicious HTTP URIs with no signatures yet. Examples of URIs to look for: OWASP Top 10 patterns, credit card strings, computer GUIDs, username GUIDs, encoded URIs
    • Changes in traffic flows that indicate exfiltration, for example using the Producer-Consumer Ratio (PCR) metric presented at FloCon: (bytes sent - bytes received) / (bytes sent + bytes received), so a host that moves from close to -1 (consumer) towards +1 (producer) deserves a look
    • Parameters passed to image files (e.g., /bad.png?zz=ls), a sign of a webshell masquerading as an image
  • RDP:
    • Abnormal RDP requests: unusual patterns of connection from IP addresses or client computer names
  • Malicious listeners
    Find malicious programs listening on network ports using netstat (or equivalent) output collected from every system and stacked across the fleet:
    • The same port bound by more than one distinct process name across your systems (the process names with the fewest occurrences are the suspicious ones)
    • For all Internet-accessible servers, identify rare listening ports or rare binaries
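Two of the HTTP hunts above (beaconing and the Producer-Consumer Ratio) expressed as code, as an added example that is not part of the original notes. It runs over a constructed set of flow-style records (timestamp, source, destination, URI, bytes out, bytes in); the thresholds (8 requests, coefficient of variation 0.2, PCR shift 0.5) are assumptions to tune against your own data.

```python
"""Two network hunts from the list above, run over flow-style records:
HTTP beaconing (same source requesting the same resource at near-constant
intervals) and exfiltration suspects via the Producer-Consumer Ratio (PCR)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample flows (not real traffic):
# (timestamp, src_ip, dst_host, uri, bytes_out, bytes_in).
T0 = datetime(2024, 1, 15, 11, 0, 0)
SPLIT = T0 + timedelta(hours=1)  # boundary for the before/after PCR comparison
FLOWS = []
# 10.0.0.5 fetches /gate.php every ~60 s with a few seconds of jitter.
for i in range(12):
    FLOWS.append((T0 + timedelta(seconds=60 * i + i % 3), "10.0.0.5",
                  "cdn-update.example", "/gate.php", 310, 220))
# 10.0.0.7 browses normally: different pages, irregular timing, mostly downloads.
for i, off in enumerate([5, 70, 95, 400, 410, 1500, 1520]):
    FLOWS.append((T0 + timedelta(seconds=off), "10.0.0.7", "news.example",
                  f"/story/{i}", 800, 42_000))
# 10.0.0.9 polls mail irregularly before noon, then starts bulk uploads.
for off in [0, 3, 11, 25, 27, 48]:
    FLOWS.append((T0 + timedelta(minutes=off), "10.0.0.9", "mail.example",
                  "/inbox", 900, 30_000))
for i in range(6):
    FLOWS.append((SPLIT + timedelta(minutes=7 * i), "10.0.0.9",
                  "files.example", "/upload", 2_500_000, 1_200))


def beacon_candidates(flows, min_requests=8, max_cv=0.2):
    """(src, dst, uri, count, mean_gap_s, cv) for source/resource pairs whose
    inter-request gaps are near-constant; cv = stdev/mean, ~0 for a clock."""
    stamps_by_key = defaultdict(list)
    for ts, src, dst, uri, _, _ in flows:
        stamps_by_key[(src, dst, uri)].append(ts)
    hits = []
    for key, stamps in stamps_by_key.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            hits.append((*key, len(stamps), round(mu, 1), round(cv, 3)))
    return hits


def pcr(bytes_out, bytes_in):
    """Producer-Consumer Ratio: +1 = pure producer (uploader), -1 = pure consumer."""
    total = bytes_out + bytes_in
    return 0.0 if total == 0 else (bytes_out - bytes_in) / total


def pcr_shifts(flows, split, min_shift=0.5):
    """Per source IP, compare PCR before and after `split`; return sources whose
    ratio moved toward producer by at least `min_shift` (bulk outbound transfer)."""
    before = defaultdict(lambda: [0, 0])
    after = defaultdict(lambda: [0, 0])
    for ts, src, _, _, out_b, in_b in flows:
        bucket = before if ts < split else after
        bucket[src][0] += out_b
        bucket[src][1] += in_b
    flagged = []
    for src in sorted(before.keys() & after.keys()):
        p_before, p_after = pcr(*before[src]), pcr(*after[src])
        if p_after - p_before >= min_shift:
            flagged.append((src, round(p_before, 2), round(p_after, 2)))
    return flagged


if __name__ == "__main__":
    for hit in beacon_candidates(FLOWS):
        print("beacon-like:", hit)
    for shift in pcr_shifts(FLOWS, SPLIT):
        print("PCR shift toward producer:", shift)
```

Legitimate pollers (mail clients, update checks, monitoring agents) beacon just as regularly as malware, so the beacon list is a starting point to stack by destination rarity, not a verdict; likewise a PCR jump is expected for backup agents, which is why the baseline per source matters more than the absolute ratio.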
  2. Hunting in the emails
  • Phishing attempts directed toward executive mailboxes
    Flag inbound emails to high-profile employees whose sender domain does not appear in any of the following baselines:
    • Recipient domains of emails composed by the high-profile employees themselves
    • Sender domains of emails sent to non-high-profile employees
    • Recipient domains of emails composed by non-high-profile employees
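The executive-mailbox hunt implemented over a mail gateway log, as an added example that is not part of the original notes. The company domain, the executive list and the (sender, recipient) pairs are all constructed; a real run would take them from the mail gateway's logs over your chosen time window.

```python
"""Hunt for phishing aimed at executive mailboxes: trust the sender domains the
organisation already talks to, flag everything else that reaches an executive."""
from collections import defaultdict

INTERNAL_DOMAIN = "corp.example"                       # assumed company domain
EXECUTIVES = {"ceo@corp.example", "cfo@corp.example"}  # assumed high-profile mailboxes

# Constructed gateway log: (sender, recipient) pairs, inbound and outbound mixed.
MESSAGES = [
    ("ceo@corp.example", "partner@bank.example"),        # exec composed -> bank.example trusted
    ("analyst@corp.example", "vendor@supplier.example"), # staff composed -> supplier.example trusted
    ("newsletter@vendorlist.example", "analyst@corp.example"),  # sent to staff -> trusted
    ("partner@bank.example", "ceo@corp.example"),        # known domain, fine
    ("vendor@supplier.example", "cfo@corp.example"),     # known domain, fine
    ("ceo@c0rp-example.com", "cfo@corp.example"),        # lookalike domain never seen elsewhere
    ("hr@corp.example", "ceo@corp.example"),             # internal, fine
    ("board@trustee.example", "ceo@corp.example"),       # external domain nobody else talks to
]


def domain(address):
    return address.rsplit("@", 1)[-1].lower()


def is_internal(address, internal=INTERNAL_DOMAIN):
    return domain(address) == internal


def baseline_domains(messages, executives, internal=INTERNAL_DOMAIN):
    """The three baselines from the notes, kept separate so an analyst can see
    why a domain is trusted. Returns {reason: set of domains}."""
    base = defaultdict(set)
    base["internal"].add(internal)
    for sender, recipient in messages:
        if sender in executives:                       # composed by a high-profile employee
            base["exec_recipient"].add(domain(recipient))
        elif is_internal(sender, internal):            # composed by a non-high-profile employee
            base["staff_recipient"].add(domain(recipient))
        if is_internal(recipient, internal) and recipient not in executives:
            base["staff_sender"].add(domain(sender))   # sent to a non-high-profile employee
    return base


def executive_phish_candidates(messages, executives, internal=INTERNAL_DOMAIN):
    """Inbound messages to executives whose sender domain is in no baseline."""
    known = set().union(*baseline_domains(messages, executives, internal).values())
    return sorted({(s, r) for s, r in messages
                   if r in executives and domain(s) not in known})


if __name__ == "__main__":
    for sender, recipient in executive_phish_candidates(MESSAGES, EXECUTIVES):
        print(f"review: {sender} -> {recipient}")
```

The weakness of this baseline is that a domain becomes trusted as soon as any employee replies to it, so an attacker who first mails a junior employee and gets an answer has laundered the domain; pair it with a check for lookalikes of your own domain and stack sender domains by first-seen date.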
  3. Hunting on the endpoint
  • Suspicious command shells
    Identify instances of cmd.exe or powershell.exe launched by an unusual parent, such as a running service, Windows Remote Management (wsmprovhost.exe) or winlogon.exe, and command shells that executed reg.exe or other commands not normally used by end-users
  • Privilege escalation
    Review Windows event logs for attempts to add non-privileged accounts to privileged groups (Security event IDs 4728, 4732 and 4756: member added to a security-enabled global, local or universal group)
  • Known bad
    Antivirus logs and known bad strings: webshell filenames, packed executables, known attacker tools, suspicious processes running under a system directory or from other unusual locations
  • Analysis of memory dumps of individual systems
    Look for signs of malware or other malicious activity: known bad indicators, or signs of BIOS or firmware implants. Compare against known-good baselines; this works best when tracked over time rather than as a point-in-time comparison
  • Shimcache / Amcache
    Find rare binaries executed across endpoints in cache entries, collected on each endpoint ideally.
  • Autorun analysis
    Find signs of malware persistence by looking for autostart executables located in C:\ProgramData, the Recycle Bin, the AppData tree or %TEMP%, as well as unsigned executables, unusually short or long filenames, GUID filenames, and rare executable filenames or directories (stack the entries across endpoints so the rare ones stand out)
  • Windows driver analysis:
    Look for impossible, zeroed or garbage link dates; stack each binary image across endpoints and look for unusual link dates, unusual filenames or binary locations, rare or incorrect descriptions or display names, and missing, invalid or unusual digital signatures
  • Suspicious Windows services
    • Rare SERVICE_NAME or DISPLAY_NAME values
    • GUID service names
    • Random service names
    • Blank fields which normally hold values
    • Unusual directories in the BINARY_PATH_NAME
    • Rare DLLs and/or locations
    • Unsigned DLLs or those with invalid signatures
  • Lateral movement or compromised credentials
    • Analyze event logs pertaining to access control for remote shares (Security event 5145): filter for events where the share is IPC$ and the relative target name matches PSEXESVC or PSEXESVC-* (PsExec's service name and the named pipes it opens on the target); the same name shows up as a 7045 service-installation event in the System log. PsExec is one of the most common mechanisms for malicious lateral movement
    • Detect authentication-based lateral movement in Windows event logs (4624 logons of type 3 or 10, 4648 logons with explicit credentials, 4672 privileged logons) or via process monitoring (4688 or Sysmon event 1 process creation logs)
  • Identify data hiding in extended attributes on files in an NTFS filesystem, which are otherwise rarely used.
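The service hunts above (rare SERVICE_NAME/binary pairs, GUID or random names, blank fields, unusual BINARY_PATH_NAME directories, unsigned binaries) combined into one stacking script, as an added example that is not part of the original notes. The inventory is constructed; in practice you would collect it per host (for example from sc query or the registry) and the randomness heuristic is an assumption that produces false positives on acronym-style names, so the output is a ranked triage list, not a verdict.

```python
"""Stack Windows service inventories collected from many endpoints and score
the outliers: rare service/binary pairs, GUID or random-looking names, blank
fields, binaries outside the usual directories, unsigned binaries."""
import re
from collections import Counter

# Constructed inventory, one row per service per host (not from a real fleet):
# (host, SERVICE_NAME, DISPLAY_NAME, BINARY_PATH_NAME, binary_is_signed)
INVENTORY = [
    ("WS01", "Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe", True),
    ("WS02", "Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe", True),
    ("WS03", "Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe", True),
    ("WS01", "wuauserv", "Windows Update", r"C:\Windows\system32\svchost.exe -k netsvcs", True),
    ("WS02", "wuauserv", "Windows Update", r"C:\Windows\system32\svchost.exe -k netsvcs", True),
    ("WS03", "wuauserv", "Windows Update", r"C:\Windows\system32\svchost.exe -k netsvcs", True),
    # Defender legitimately lives under ProgramData: signed and on every host.
    ("WS01", "WinDefend", "Microsoft Defender Antivirus Service",
     r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe"', True),
    ("WS02", "WinDefend", "Microsoft Defender Antivirus Service",
     r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe"', True),
    ("WS03", "WinDefend", "Microsoft Defender Antivirus Service",
     r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe"', True),
    ("WS01", "VendorAgent", "Vendor Agent", r'"C:\Program Files\Vendor\agent.exe" -svc', True),
    ("WS02", "{7d3a2c1b-5e4f-4a6b-9c8d-0e1f2a3b4c5d}", "",
     r"C:\ProgramData\{7d3a2c1b-5e4f-4a6b-9c8d-0e1f2a3b4c5d}\svc.exe", False),
    ("WS03", "xKq9fLp2Wz", "xKq9fLp2Wz", r"C:\Users\bob\AppData\Local\Temp\xKq9fLp2Wz.exe", False),
]

GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
# Directories where service binaries normally live; anything else is worth a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def looks_random(name):
    """Heuristic (assumption) for random-looking names: long, almost no vowels,
    or digit-heavy. Expect false positives on acronym-style names such as
    MSSQLSERVER; triage, do not block."""
    letters = [c for c in name if c.isalpha()]
    if len(name) < 8 or not letters:
        return False
    vowel_ratio = sum(c.lower() in "aeiouy" for c in letters) / len(letters)
    digit_ratio = sum(c.isdigit() for c in name) / len(name)
    return vowel_ratio < 0.15 or digit_ratio >= 0.3


def binary_dir_unusual(binary_path):
    """True when the (possibly quoted, argument-carrying) path is outside TRUSTED_DIRS."""
    path = binary_path.strip().lstrip('"').lower()
    return not path.startswith(TRUSTED_DIRS)


def score_services(inventory, rare_max_hosts=1):
    """Return [(score, host, service_name, reasons), ...] sorted worst first.
    Rarity is counted per distinct host, so a service seen on one machine out of
    many is an outlier even if that machine lists it twice."""
    hosts = {row[0] for row in inventory}
    host_pairs = {(name, path.lower(), host) for host, name, _, path, _ in inventory}
    hosts_seen = Counter((name, path) for name, path, _ in host_pairs)
    scored = []
    for host, name, display, path, signed in inventory:
        reasons = []
        seen = hosts_seen[(name, path.lower())]
        if len(hosts) > rare_max_hosts and seen <= rare_max_hosts:
            reasons.append(f"rare: on {seen} of {len(hosts)} hosts")
        if GUID_RE.match(name):
            reasons.append("GUID service name")
        elif looks_random(name):
            reasons.append("random-looking service name")
        if not display.strip():
            reasons.append("blank DISPLAY_NAME")
        if binary_dir_unusual(path):
            reasons.append("binary outside Windows/Program Files")
        if not signed:
            reasons.append("unsigned binary")
        scored.append((len(reasons), host, name, reasons))
    scored.sort(key=lambda r: (-r[0], r[1], r[2]))
    return scored


if __name__ == "__main__":
    for score, host, name, reasons in score_services(INVENTORY):
        if score:
            print(f"{score} {host} {name}: {'; '.join(reasons)}")
```

Note how the Defender entry still picks up one point for its ProgramData path: a single weak signal on a signed binary present on every host is exactly the kind of hit the stacking step is there to push to the bottom of the list.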

Here are some good resources to learn more

https://www.crowdstrike.com/cybersecurity-101/threat-hunting/
https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts
https://www.youtube.com/watch?v=YLgycMCPo4c&ab_channel=HackMiami
https://detect-respond.blogspot.com/
https://www.threathunting.net/files/hunt-evil-practical-guide-threat-hunting.pdf
https://github.com/ThreatHuntingProject/ThreatHunting
https://www.splunk.com/en_us/blog/security/hunting-with-splunk-the-basics.html
https://digitalguardian.com/blog/seek-evil-and-ye-shall-find-guide-cyber-threat-hunting-operations
https://findingbad.blogspot.com/2016/07/my-thoughts-on-threat-hunting.html