Threat Hunting 101 Flashcards

Question

Open source Threat Hunting tools for smaller organizations or doing it on your own?

Answer 1

Host, Network, and Log Data: GRR, SysMon, Bro, WinBeat Storage and Analytics: ELK Stack: Elastic, Logstach, Kibana Infrastructure: Puppet, Chef, Docker

Answer 2

Offensive Skills Network Analysis - Host Analysis Malware Analysis - Memory Analysis Most importantly - Investigative mind - Attacker mindset - Patience to work long hours to complete a TH exercise - Continuously search for new threats and - Open to use new tools or create them.

Answer 3

External Delivery Method: Phishing - External Download Exploit Method: Office Macro - PDF Vulnerability Internal Delivery Method: USB - Network Share Exploit Method: Native Executable - HTA

Answer 4

- What data I need? - How do I get it? - How do I hunt through that data?

Answer 5

External Vectors / Perimeter Logs - Bro logs - Email and Proxy logs Internal Vectors - Process Data - Registry - Windows Events

Answer 6

- Process execution data - Enhanced Powershell logging - Email logs

Answer 7

- Sysmon/OSquery - Windows Event logs - Email Servers

Answer 8

- Searching Office programs launching Powershell - Command arguments w/encoded command Then query Kibana for that data to get a visualization for that pattern and attack

Answer 9

Traditional - Run keys - Services - Scheduled Tasks Creative/Stealthy - Office Templates - Hijacking Windows features (Applnit DLLs/Accessibility features) Host Analysis skills

Answer 10

``` What? Registry Run Key locations Run, RunOnce, RunOnceEX Where? Powershell script Group policy to deploy Collect to Elastic How? Grouping of executable in run key values Grouping of executable paths Command line commands/Arguments Hashing First seen/last run ```

Answer 11

Recon DNS Zone Transfers, LDAP Enumeration, Port Scanning Access PSExec - RDP - PS Remoting

Answer 12

- WVT logs - Bro/Network logs - Enumeration artefacts - IDS log parsing

Answer 13

Searching Clustering Grouping Stack Counting

Answer 14

``` Process execution metadata Registry access data File data Network data File prevalence ```

Answer 15

``` Network session data Bro logs Proxy logs DNS logs Firewall logs Switch and Router logs ```

Answer 16

Threat Intelligence Alerts Friendly Intelligence

Answer 17

What? WVT Bro logs Where? WinBeat parsing Collect to Elastic ``` How? • Anomalous user/service logins • High count ‘one to many’ connections • Traffic on LDAP ports • Session types/privileges ```

Answer 18

Set some prioritized intelligence requirements (PIRs)

Answer 19

“the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions” Sqrrl defined

Answer 20

Code injection | API Hooking

Answer 21

Machine Learning | ex. Lateral Movement Data Sets

Answer 22

It builds, maintains, and improves defensive and offensive skills. Gets involved in Machine Learning and scripting

Answer 23

Red Team tests are small, highly portable detection tests mapped to the MITRE ATT&CK Framework.

Answer 24

MITRE ATTACK™ is a knowledge base - model cyber adversaries' tactics and techniques - shows how to detect or stop them

Answer 25

Anomaly-based detection as a good first start. Identifying interesting or unaccountable items in a SEIM - ssh logins at 1 am - Consistent ICMP traffic to unknown IPs This will help give a good starting point to hunt for threats, Additionally - Anonymizing VPNs/Tor from inside the network - Logins from strange locations - More than one remote connection at the same time for the same user or being logged in locally and remotely at the same time.

Answer 26

Penetration testing, you are taking an outside-in approach. But with threat hunting, this is much more of an inside-out approach. - the assumption (or more specifically, the hypothesis) that an adversary could already be inside your IT Infrastructure. Thus, you are taking steps to ascertain that. If your hypothesis is indeed confirmed, you then will try to mitigate them so that they can’t get in again.

Answer 27

There is a very good chance that you will discover other kinds of security vulnerabilities which you thought never existed before.

Answer 28

- First analyze the log files and the respective warnings/ alerts to see what trouble points exist. - You also need to make sure that you have access permissions for resources which you need for hunting . example: Don’t search for account manipulation adversaries if the access permissions and tools are not in place first.

Answer 29

Don't have to address each and every cyber-related issue in the framework, and don’t feel overwhelmed by it. Use the ATT&CK as a support for hypothesis and start from there. If you don’t have a hypothesis at first, start threat-hunting where high-risk and first impact areas are then work from a top-down approach from there.

Answer 30

- look into any known gaps or weaknesses that currently exist - an EDR solution would be the most beneficial technique. - File Integrity Monitoring If there are any suspicious changes to files, a history of employee logins must be examined for any types of anomalous behaviors. - misconfiguration, as this is another backdoor for the cyberattacker.

Answer 31

- On-Demand Investigation Mode: used by security teams to investigate any suspicious or anomalous activities after they have been detected. - Continuous Monitoring or Testing Mode: continuously monitoring and/or testing their security posture to proactively identify and investigate any suspicious events.

Answer 32

the departure of a data packet from the place where it was intended to be stored.

Answer 33

- Users - misconfigurations - Web-based application developed using insecure source code - Inadequate security controls

Answer 34

- EDR solution - File Integrity Monitoring (or FIM for short) - Employee logins must be examined for any types of anomalous behaviors. - Misconfigured systems

Answer 35

Multiple areas for a comprehensive results.

Answer 36

Traffic at all major points (CoreSwitch-Where VLANS are trunked, Firewalls and their ports, InternetPorts, EdgeRouters) System logs that control access - VPN - 2FA - O365/Azure Security Tools AV, Firewalls, IPS

Answer 37

NGFW, WAF Entry Points - VPN, RemoteAccess, EdgeRouters, Wi-Fi DirectoryAuthenticationServices - ActiveDirectory, Azure/O365, IM, 2FA Protection/Detection Tools - IPS/IDS - AV/HIPS - Network Sensors Email

Answer 38

- PRTG - TCPdump - NTOP - Nagios Note: Used for anomaly detection

Answer 39

- Tactic and Technique - Procedure - Collection Requirements - Scope - Exclusions - Analysis Plan

Answer 40

Anomaly Detection uses - anomalous login activity - Anomalous blocking by firewalls - Anomalous denied access events

Answer 41

* expected parent process spawn it? * running out of the expected path? * spelled correctly? * running under the proper SID? * signed by Microsoft?

Answer 42

Responsible for creating new sessions.

Answer 43

Executable Path: %SystemRoot%\System32\smss.exe Parent Process: System Username: NT AUTHORITY\SYSTEM (S-1-5-18) Base Priority: 11 Time of Execution: For Session 0, within seconds of boot time

Answer 44

- managing processes and threads - making Windows API available for other processes - mapping drive letters, create temp files, - handles the shutdown process

Answer 45

Executable Path: %SystemRoot%\System32\csrss.exe Parent Process: Created by child instance of SMSS.EXE but that process will exist so will appear as no parent Username: NT AUTHORITY\SYSTEM (S-1-5-18) Base Priority: 13 Time of Execution: For Sessions 0 & 1, within seconds of boot time

Answer 46

A file that will be used for comparisons against current settings and/or configurations. Compare the current state of a machine, file system, etc. against the baseline to determine anything out of place.

Answer 47

``` TripWire SolarWinds AlienVault TrustWave LogRhythm ```

Answer 48

* System Center Configuration Manager (SCCM) * Powershell (Desired State Configuration feature) * cmdlet: (Compar-Object. Get-Service, Get-Process) * Microsoft Security Compliance Manager (SCM) Same as Puppet, Ansible, or Chef

Answer 49

• Accounts on a system (user or service) • Local administrators on a system • Folder permissions • Folders contents – Tasks folder (scheduled tasks) – Network folders containing internal install executables & files

Answer 50

``` Physical media Email (attachments) URL links Drive-by downloads Web advertising Social media File shares Software vulnerabilities ```

Answer 51

Alternate Data Streams Injections Masquerading Packing/Compression (Yoda Packer and UPX) Recompiling Obfuscation Anti-reversing Techniques

Answer 52

Create Streams by: * CreateFile Windows API * WriteFile Windows API To View ADS Streams-Sysinternals OR PowerShell’s cmdlet Get-Item

Answer 53

``` DLL Injection (Windows API CreateRemoteThread()) + others Reflective DLL Injection (Metasploit, PowershellEmpire, C/C++) PE Injection Thread Hijacking ```

Answer 54

* Detect that malware is being run in a virtual machine * Detect that a debugger is attached to the malware * Junk code can be inserted into the malware as misdirection

Answer 55

``` Autostarts Scheduled Task COM Hijacking DLL Hijacking Windows Services ```

Answer 56

* HKLM\Software\Microsoft\Windows\CurrentVersion\Run * HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\Run * HKCU\Software\Microsoft\Windows\CurrentVersion\Run * HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ Explorer\Run To find Autostart locations: AutoRuns - SysInternals

Answer 57

* Search Order * Phantom DLL * Side Loading

Answer 58

* Service Creation (Created by "sc" command * Service Replacement * Service Recovery

Answer 59

PE Capture ProcScan Meterpreter Payload Detection Reflective Injection Detection

Answer 60

* Fuzzy Hashing (Used by VirusTotal) * Import Hashing (Used by VirusTotal) * Execution Tracing

Answer 61

* Mandiant’s (FireEye) Redline | * Volatility

Answer 62

%SYSTEMROOT%\System32\Winevt\Logs

Answer 63

HKLM\SYSTEM\CurrentControlset\Services\Eventlog

Answer 64

• logons that failed or that were successful. • changes to user permissions. • system services that were created, started, or stopped. • changes to the audit policy. • specific application usage. • events generated by installed applications, such as AV.

Answer 65

Events and Errors Message Center

Answer 66

Hunting Suspicious Accounts - Event ID 4720 (Account Created) • 4624 (successful logon) • 4648 (logon using explicit credentials) • 4625 (failed logon) • 4634 (successful logoff) • 4647 (user initiated logoff)

Answer 67

``` Suspicious Account Events Password Attacks Golden Ticket (Kerberos) RDP Sessions Scheduled Tasks Service Creation Log Rotation Clearing Psexec ```

Answer 68

- Sysmon (sysmonconfig-export.xml - SwiftOnSecurity) - SIEM

Answer 69

- conduct basic static analysis using Merterpreter Reverse Shell (binwalk, ExifTool, and MD5deep) - Kali Linux on some malware found on the internal network ( Analyze and Classify Malware)

Answer 70

When trusting/benchmarking an already compromised environment .