1. 1. The primary goal of threat hunting is to reduce dwell time.
1.1. threat hunting is a proactive approach to securing your organization’s systems. It is the process of actively looking for signs of malicious activity within enterprise networks, without prior knowledge of those signs. It allows you to uncover threats on your network without signatures or known indicators of compromise (IOCs).
2. Challenges
2.1. Categorizing Unknowns
2.1.1. Prevalence
2.1.1.1. good judgement about the likelihood that events and artifacts are related to attacks by measuring their prevalence, the frequency with which they occur in an environment.
2.1.2. Recentness
2.1.2.1. grouping events and artifacts into the newest and the oldest.
2.1.3. Patterns of behavior
2.1.3.1. There are many actions and behaviors that appear innocuous when considered individually, but can show patterns across an enterprise that indicate malicious intent.
2.1.4. Anomalies
2.1.4.1. Departures from standard behaviors can also help you categorize unknown events and artifacts.
3. 2. Structuring Hunts
3.1. Apply Scientific Method
3.1.1. State the problem to be solved and a hypothesis for solving it
3.1.2. Define metrics to evaluate the success of the effort
3.1.3. Propose a procedure to gather and analyze evidence
3.2. Select The Framework
3.2.1. MITRE
3.3. Structuring a Hunt Process
3.3.1. 1. Propose a Hypothesis
3.3.2. 2. Identify evidence to prove the Hypothesis
3.3.3. 3. Develop Analytics
3.3.4. 4. Automate
3.3.5. 5. Document
3.3.6. 6. Communicate
3.3.6.1. At the conclusion of the hunt you should create a record that includes: 1. The metrics of the hunt (discussed below) 2. The root cause of any compromise detected 3. The scope of affected machines, accounts, and applications 4. A description of the techniques detected 5. IOCs to be used for detecting similar attacks 6. Lessons learned and areas for increasing visibility and improving future hunts 7. Recommendations for changes to the organization’s security controls
3.3.7. E.G.
3.3.7.1. “We can find common registry-based malware persistence that leverages Run, RunOnce, ActiveSetup Installed Components, AppInit_DLLs, and Services registry keys.”
4. 3. Hunting for Fileless Attacks.
4.1. Blanket term to describe two different adversary techniques
4.1.1. 1. using tools and applications already present on a host (“living off the land”)
4.1.1.1. Living Off the Land
4.1.1.1.1. describes techniques used by attackers to conduct their operations with tools already on a host.
4.1.2. 2. malware that is memory resident without a filesystem component.
4.1.2.1. In-Memory Malware
4.1.2.1.1. Attackers inject a malicious payload into applications that are already running.
4.1.2.1.2. is stored in a registry key and piped as input to a running process.
4.1.2.1.3. Anatomy
5. 4./5. Hunting For Persistence - Basics
5.1. Techniques for fileless attacks include:
5.1.1. 1. Storing shellcode within a registry key value, executed by a generally benign Windows application 2. Storing a script within a data structure like the WMI CIM or another database, executed by a script processor such as the Windows Script Host (WSH) 3. Using a PowerShell cmdlet to download malicious scripts from an Internet location and passing them to one of several utilities 4.Using stored procedures to perform inline compilation of C# or other code
5.2. Windows Registry
5.2.1. Run and RunOnce keys, and Windows Services keys.
5.3. Comparative analysis
5.3.1. suspicious persistence items than comparing registry items to a baseline image
5.4. Temporal proximity
5.5. Data enrichment
5.5.1. Setting up automatic searches of MD5 hashes in VirusTotal Checking signer information (untrusted files in the registry could be malware) If you have a strict software install process, looking for installed applications in the registry that don’t appear on the approved list. (The list should be small if you examine a specific category such as run keys.) Using a sandbox to determine the behaviors of executables based on function imports and dynamic execution Ingesting DNS history and searching for persistence mechanisms that perform DNS lookups
5.5.2. Setting up automatic searches of MD5 hashes in
5.5.3. VirusTotal
5.5.4. Checking signer information (untrusted files in the
5.5.5. registry could be malware)
5.5.6. If you have a strict software install process, looking
5.5.6.1. for installed applications in the registry that don’t
5.5.7. appear on the approved list. (The list should be
5.5.8. small if you examine a specific category such as run
5.5.9. keys.)
5.5.10. ;; Using a sandbox to determine the behaviors of
5.5.11. executables based on function imports and dynamic
5.5.12. execution
5.5.13. ;; Ingesting DNS history and searching for persistence
5.5.14. mechanisms that perform DNS lookups
5.6. EXAMPLE
5.6.1. WMI
5.6.1.1. Windows Management Instrumentation (WMI) is Microsoft’s implementation of web-based enterprise management (WBEM)
6. 6. Hunting For Lateral Movement
6.1. There are a few ways to classify lateral movement techniques.
6.1.1. Protocols that enable remote authentication
6.1.1.1. SSH, SMB, and RDP
6.1.2. Frameworks designed for remote execution
6.1.2.1. WinRM, WMI, and RPC
6.1.2.1.1. Windows Management Instrumentation (WMI)
6.1.2.1.2. Windows Remote Management (WinRM)
6.1.2.1.3. Windows Sysinternals PsExec.
6.1.2.1.4. these tools have the option of specifying a target username and password, while others are capable of using the current user context and transparently authenticating to a remote system.
6.1.3. Techniques that don’t rely on a protocol or framework to support remote access or execution, such as the “Sticky Keys” feature abuse
6.1.4. E.g.
6.1.4.1. Hunting for Suspicious Use of PsExec
6.1.4.1.1. PsExec
7. 7. Credential Theaft
7.1. many ways to capture valid credentials
7.1.1. 1. Cracking NTLM hashes (which still works in many environments) 2. Dumping clear-text credentials from the Local Security Authority Subsystem Service, LSASS 3. Using Silver and Golden Ticket attacks (both very popular) 4. Cracking KERBEROS service tickets (KERBEROASTING) with weak passwords
7.2. Example
7.2.1. KERBEROASTING
7.2.1.1. KERBEROS is used in Active Directory environments to authenticate users. It is one of the most popular security support providers (SSPs), otherwise known as authentication protocols, available for Windows.
7.2.1.2. Logging Process B.W 2 Hosts
7.2.1.2.1. 1. The password is hashed, and an authentication request is sent to the domain controller, which validates the user and hash material. 2. The domain controller sends back a ticket-granting ticket, or TGT. 3. With the TGT, a request is sent to the domain controller on behalf of the user for a ticket-granting service (TGS) ticket. 4. The domain controller validates the TGS request and sends back a reply with the TGS ticket. 5. The TGS ticket is handed off to HOSTB from HOSTA. 6. The user is able to access HOSTB from HOSTA. Figure 7-
7.2.1.3. How Attackers Kerberoast
7.2.1.3.1. Here is how KERBEROASTING works. The attacker: 1. Phishes into the environment and gains a foothold on the workstation of a domain user who is also in the local admins group. 2. Locally escalates privileges using the domain account, and uses a tool to obtain credentials (Benjamin Delpy’s Mimikatz does this very well). 3. Uses a native Windows tool that doesn’t trigger alerts to query the domain password policy and to query the SPNs of all service accounts (because in the victim environment those don’t ever expire, and they have the same rights as a domain administrator). 4. Requests a TGS for one of the SPNs – and the domain controller responds with an encrypted TGS ticket. 5. Uses the Mimikatz output obtained earlier or a dictionary wordlist, and a tool like Hashcat, to begin cracking and obtaining the plaintext password of the target SPN.
7.2.1.3.2. Detection