Threat Hunting

What is Threat Hunting?

Threat hunting is a security practice that involves proactively searching for signs of malware or malicious activity on a company’s network. The goal of threat hunting is to find and stop attacks before they cause damage. Threat hunting is a relatively new security practice, but it is gaining popularity as more companies become aware of the benefits it can offer. By proactively searching for signs of malware or malicious activity, threat hunters can help find and stop attacks before they cause damage. Threat hunting can be a valuable addition to any security program, and companies that are serious about protecting their data should consider adding it to their security arsenal.

Articles

• The Right Team can keep Small Businesses Safe from Disaster

• Email: Another Source for Data Exfiltration

• Fileless Malware: a New Type of Malware That Doesn’t Rely on Executable Files

• Threat Hunting Concepts: Adversary Behavioral Identification for Predicting Attacks

• Introduction to Malware Endpoint hunting

• Threat Modeling Basics: System Modeling

• What is an Indicator of Compromise (IOC)

Network

• Detecting exfiltration over network protocols

• Don’t Overlook DNS in your Threat Hunting Arsenal

• Stay One Step Ahead of the Hackers by Hunting Suspicious Traffic

Webshells

Webshells are malicious scripts that can be uploaded to a web server in order to gain control of the server. They are often used to take over a server by adding, modifying, or deleting files, and can also be used to execute arbitrary commands on the server. Webshells can be written in any scripting language, but are most commonly written in PHP or ASP.

• Intro to Hunting Webshells

• Hunting Webshells: Tools

• Hunting Webshells: Linux and Windows Commands

Windows

Threat hunting on Windows is the process of proactively searching for signs of malicious activity on a Windows system. This can be done manually or by using automated tools. Some common techniques used in threat hunting include looking for unusual file activity, network traffic, and process behavior.

• Threat Hunting: Windows Event Logs

Tools

There are many different tools that can be used for threat hunting. Some of these tools are designed specifically for threat hunting, while others are more general-purpose tools that can be used for a variety of security tasks.

• Malware hunting: Detection tools

• Threat Hunting: SIEM, ELK Stack, Splunk

• Make Your Incident Response and Threat Hunting Easier With Powershell Hunting Tools

Practice Datasets

When hunting for threats, analysts typically start with some sort of dataset that contains information about the activity that has taken place within a system or network. This dataset can come from a variety of sources, including system logs, network traffic data, and application data. Once a dataset has been collected, the next step is to look for IOCs that may indicate the presence of a threat.

The following articles teach tools to generate practice datasets:

• Generating Logs for Analysis Using SOC-Faker: Part I

MCSI also offers free threat hunting datasets to practice your skills:

• MCSI Threat Hunting Samples

YARA

YARA is a powerful tool for reverse engineering malware. It can be used to identify and classify malware, and to find and extract specific features from malware samples. YARA can also be used to create signatures that can be used to detect and block malware.

Procedure:

The image below explains the process to follow when writing YARA rules:

Articles:

Read the following articles to learn how to write YARA rules:

• YARA: A powerful Malware Analysis Tool for Detecting IOC’s - Part 1

• YARA: A powerful Malware Analysis Tool for Detecting IOC’s - Part 2

• Using YARA for Threat Hunting in Enterprise Environments

Workflow

What is a workflow?

A workflow is a series of steps that are followed in order to complete an engagement. In penetration testing, a workflow is important in order to ensure that all steps are followed in order to complete the testing process. By following a workflow, penetration testers can ensure that they are thorough in their testing and that they do not miss any important steps.

The image below proposes a workflow you can use to learn threat hunting:

Articles:

• A General Overview of Threat Modeling Workflow

• Understanding the Threat Hunting Process Step-by-Step

• Proactive Cyber Security with Approaches to Threat Hunting

• Threat Hunting in Distributed Organizations: The Challenges are not Insurmountable

• Improve Efficiency by Generating a Hypothesis Before Beginning a Threat Hunt

• Train Threat Hunters and Develop your Threat Hunting Program with Threat Emulation