Threat Hunting

Intro

​​

Threat hunting doesn’t have to be complex, but it’s not for everyone. Knowing how to begin and end a hunt is more important than knowing how to carry out a hunt. If you need a place to start, look at trends in the threat landscape and focus on threats that you do not have automated alerts/detections for. Hunting is a creative process that rewards those who take chances. Finish with something, anything actionable — so long as it provides value.

Guides and Reference

General

• Threat Hunter Playbook - a community-based open source project developed to share threat hunting concepts and aid the development of techniques and hypothesis for hunting campaigns by leveraging security event logs from diverse operating systems.

• huntpedia.pdf - Book written by seasoned threat hunters on thier techniques and theory.

• Open Threat Research Forge - Github repository of Threat Hunting articles, playbooks and tools.

• Awesome Lists Collection: Awesome Threat Detection and Hunting

  • awesome-threat-detection/hunt-evil.pdf

  • awesome-threat-detection/The-Hunters-Handbook.pdf

• ACM's Threat Hunting Labs - These are a series of labs that cover different types of analysis that can be done on network data when threat hunting.

• A Simple Hunting Maturity Model | Enterprise Detection & Response

• HowToHunt - Tutorials and Things to Do while Hunting Vulnerability.

• ThreatHunting Home - Links and Blog on popular threat hunting proceedures

• Tool Analysis Result Sheet - JP-CERT analysis on detecting the use of multiple popular tools within an network environment.

• https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5aC6y?culture=en-us&country=US - Microsoft's Threat Hunting Survival Guide

• https://drive.google.com/file/d/14DluguBRjlUt9GWTUpGIB802qnHD2Olp/view - Introduciton to Threat Hunting part 1

Hunting with MITRE ATTACK

• MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, SpecterOps and Jose Luis Rodriguez, Student

• Testing the Top MITRE ATT&CK Techniques: PowerShell, Scripting, Regsvr32

• Ten Ways Zeek Can Help You Detect the TTPs of MITRE ATT&CK

• Post-Exploitation Hunting with ATT&CK & Elastic

• How MITRE ATT&CK helps security operations

• MITRE Cyber Analytics Repository

• MITRE ATT&CK Windows Logging Cheat Sheets

• Defensive Gap Assessment with MITRE ATT&CK

• Prioritizing the Remediation of Mitre ATT&CK Framework Gaps

• Finding Related ATT&CK Techniques

• Getting Started with ATT&CK: Detection and Analytics

• Mapping your Blue Team to MITRE ATT&CK™

Hunting in Windows Events

• https://fourcore.io/blogs/threat-hunting-with-windows-event-log-sigma-rules

DNS Hunting

• SANS@MIC -Threat Hunting via DNS - SANS Institute

• Alternative DNS Techniques - Active Countermeasures

Cloud Hunting - Azure/O365

• Threat Hunting with Microsoft O365 Logs
• Threat Hunting in the Microsoft Cloud: Times They Are a-Changin' | John Stoner
• GitHub - microsoft/Microsoft-365-Defender-Hunting-Queries: Sample queries for Advanced hunting in Microsoft 365 Defender

• How Security Center and Log Analytics can be used for Threat Hunting

• GitHub - invictus-ir/Blue-team-app-Office-365-and-Azure

• Threat Hunting in Azure with AC-Hunter - Active Countermeasures

• ThreatHunting/AzureSentinel at master · GossiTheDog/ThreatHunting

• GitHub - darkquasar/AzureHunter: A Cloud Forensics Powershell module to run threat hunting playbooks on data from Azure and O365

• https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries

• https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference

• https://expel.io/blog/seven-ways-to-spot-business-email-compromise-office-365/

• https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules

Cloud Hunting - AWS

• https://www.splunk.com/en_us/blog/security/cloudtrail-digital-breadcrumbs-for-aws.html

• https://www.splunk.com/en_us/blog/security/go-with-the-flow-network-telemetry-vpc-data-in-aws.html

• https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws

• https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws

• https://www.hunters.ai/blog/hunters-research-detecting-obfuscated-attacker-ip-in-aws

• https://pages.awscloud.com/rs/112-TZM-766/images/How-to-Build-a-Threat-Hunting-Capability-in-AWS_Slides.pdf

• https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/architecture.html

Tools

OS/VM

• RedHunt-OS - Virtual Machine for Adversary Emulation and Threat Hunting by RedHunt Labs

• ThreatPursuit-VM - A fully customizable, open-sourced Windows-based distribution focused on threat intelligence analysis and hunting designed for intel and malware analysts as well as threat hunters to get up and running quickly.

Hunting Platforms and Toolkits

• HELK: The Hunting ELK - The Hunting ELK or simply the HELK is one of the first open source hunt platforms with advanced analytics capabilities such as SQL declarative language, graphing, structured streaming, and even machine learning via Jupyter notebooks and Apache Spark over an ELK stack.

• ACM's AI-Hunter - Platform for hunting and detecting malware on your network.

• ThreatHunter's Toolkit - Threat Hunting Toolkit is a Swiss Army knife for threat hunting, log processing, and security-focused data science

  • https://www.blackhillsinfosec.com/wp-content/uploads/2021/11/SLIDES_LookingforNeedlesinNeedlestacks.pdf

  • https://www.youtube.com/watch?v=q7ai6P-cHaQ&t=2107s

DNS

• freq.py - Mark Baggett's tool for detecting randomness using NLP techniques rather than pure entropy calculations. Uses character pair frequency analysis to determine the likelihood of tested strings of characters occurring.

• domain_stats - Domain_stats is a log enhancment utility that is intended help you find threats in your environment. It will identify the following possible threats in your environment.

• dnstwist - Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation

Misc

• Awesome Lists Collection: Cobalt Strike Defense

• DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs

• LogonTracer - LogonTracer is a tool to investigate malicious logon by visualizing and analyzing Windows Active Directory event logs.

• APT-Hunter - Threat Hunting tool for windows event logs which made by purple team mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity

• PSHunt - Powershell Threat Hunting Module

• PSRecon - Gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.

• Mihari - A framework for continuous OSINT based threat hunting

• Oriana - A threat hunting tool that leverages a subset of Windows events to build relationships, calculate totals and run analytics. The results are presented in a Web layer to help defenders identify outliers and suspicious behavior on corporate environments.

• rastrea2r - A multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes.

• Zircolite - A standalone SIGMA-based detection tool for EVTX.

• chainsaw - Rapidly Search and Hunt through Windows Event Logs

• https://www.nextron-systems.com/thor-lite/ - fast and flexible multi-platform IOC and YARA scanner

  • LOKI - imple IOC and Incident Response Scanner

  • https://github.com/Neo23x0/signature-base

  • https://www.nextron-systems.com/valhalla/

Splunkhunting

Splunk Apps

• ThreatHunting | Splunkbase

• URL Toolbox | Splunkbase

• URLParser | Splunkbase

• Splunk Security Essentials | Splunkbase

• SA-Investigator for Enterprise Security | Splunkbase

• DFUR-Splunk-App - The "DFUR" Splunk application and data that was presented at the 2020 SANS DFIR Summit.

• CyberMenace - A one stop shop hunting app in Splunk that can ingest Zeek, Suricata, Sysmon, and Windows event data to find malicious indicators of compromise relating to the MITRE ATT&CK Matrix.

Splunk Hunting Resources

• Hunting with Splunk: The Basics

• ATT&CKized Splunk - Threat Hunting with MITRE’s ATT&CK using SplunkSecurity Affairs

• Detecting malware beacons using Splunk | geekery

• red|blue: Automating APT Scanning with Loki Scanner and Splunk

• Detecting dynamic DNS domains in Splunk | Splunk

• hunting_the_known_unknowns_with_DNS.pdf

• https://www.deepwatch.com/blog/threat-hunting-in-splunk/

• SEC1244 - Cops and Robbers: Simulating the Adversary to Test Your Splunk Security Analytics

Hunting Theory

• Types of Hunts - **This will cause some disagreement amongst threat hunting theorists, but this is the common thought process.** There are 3 types of hunts:

  • Automated - IoC ingest, should be performed by your SIEM and SOAR

  • Continuous - Situational awareness and Behavioral analytics. If these can be turned into alerting searches, all the better. Otherwise these should be scheduled at reasonable intervals.

  • On demand - Looking for specific activity. This typically has a temporal element such as responding to given intelligence.

• 3 types of Hunt hypothesis

  • Threat Intelligence - These are hunts for specific indicators. These are easy low handing fruit, and should be followed by adding the indicators to any alerting mechanisms present.

  • Situational Awareness - These hunts are for looking at normal system and network operations and identifying activity that is outside of normal operations. This can include changes in volume/frequency of events, the methodology of certain activities, or the specific data points associated with certain events.

    • One of the biggest threat hunting skills is not only seeing what data doesnt belong, but also see what data is missing.

  • Domain Expertise - This is one that requires specific knowledge of your local environment. These hunts look for similar items as Situational Awareness, with the added context of looking for oddities in your specific organizations operations. Many of these will be violations of corporate policy or local practice and standards.

• Hunt determinations

  • Can this hunt be automated?

  • Can this hunt be repeatable?

  • Are the indicators in this hunt monitored by other services?

  • Are we already hardened against these indicators?

• Hunting Strategy questions:

  • What are you hunting?

  • Where will you find it?

  • How will you find it?

  • When will you find it?

  • *Ask these questions from each point int he Diamond Model

• a-simple-hunting-maturity-model

• the-pyramid-of-pain

  • Threat Hunting with Elastic Stack - pg. 29

Techniques

Repeatable hunts

These are hunt theories and searches that can and should be performed on the regular.

• ThreatHuntingProject's Hunts List

• Windows Commands Abused by Attackers - JPCERT

• Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Hunting for LoLBins

• ThreatHunting.se Hunt Posts

• https://github.com/paladin316/ThreatHunting

Long Tail Analysis

https://www.ericconrad.com/2015/01/long-tail-analysis-with-eric-conrad.html

Crown Jewel Analysis

Preparing for CJA requires organizations to do the following:

• Identify the organization’s core missions.

• Map the mission to the assets and information upon which it relies.

• Discover and document the resources on the network.

• Construct attack graphs. → Determine dependencies on other systems or information. → Analyze potential attack paths for the assets and their interconnections. → Rate any potential vulnerabilities according to severity.

• This type of analysis allows hunters to prioritize their efforts to protect their most tempting targets by generating hypotheses about the threats that could impact the organization the most.

• Crown Jewel Analysis - Crafting the Infosec Playbook: pg. 21

Misc

• Finding the Elusive Active Directory Threat Hunting - 2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf

• Quantify Your Hunt: Not Your Parent’s Red Teaming Redux

• 2019 Threat Detection Report

• A Process is No One : Hunting for Token Manipulation

• https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/

• https://github.com/schwartz1375/aws - Repo for threat hunting in AWS.