We’ve all had the paranoia that someone is listening to our phone conversations. You mean you’ve never heard that clicking noise or heavy breathing that isn’t coming from the primary conversation? Okay, maybe I’m just paranoid. In many organizations, the
Registry data, Command-line auditing, Netflow
Preferred Hunting Techniques
Visualization, Outlier analysis, Baselining, Stacking
Carbon Black (Response and Protection), Sysmon, Bro, PowerShell, Sqrrl, REMnux
Not all attacks require the use of malware, but most of them can be traced back to some form of unwanted malicious code executing on a trusted system. The files can be compiled executables, simple scripts, or even office documents hiding malicious macros. While these types of files are normal, experienced hunters know that you can hunt for compromises by examining the download and execution of specific file types known to be associated with malware. In this post, I’ll discuss a few techniques you can use to hunt on the network for file types that could be suspicious given the right context.
On the heels of our “Hunting For Web Shells” webinar, I wanted to follow up with a short post that came from an attendee question. I’m paraphrasing here but it was something along the lines of,
“I’m new to the infosec world, where can I go to learn more about things like web shells or overall information security?”
My answer was immediate and unequivocal: Twitter is where you need to be. I don’t know where I’d be today, both in the evolution of my career and my evolution as a person, without such an epic treasure trove of people and information readily available 24 hours a day, 7 days a week, 365 days a year.
DNS traffic is the backbone of the internet. It performs the essential function of resolving the hostnames in user-requested URLs to the IP addresses hosting them. Without it, the World Wide Web would not work. Unfortunately, being so critical and ever-present, it also provides cyber criminals with the perfect environment to hide. DNS traffic cannot be blocked; it is everywhere, it is as common as the internet itself, and it is extremely noisy. In a typical large enterprise, users generate more than 30 million DNS requests per hour, covering over a million different domains!
In this article, we’ll be discussing a couple of starting points for hunting for web shells on your network. A web shell offers varied functionality to an attacker in a single file. Imagine an attacker having command-line access to your web server through an executable file placed somewhere on the web server. It’s even scarier when you imagine that single file hidden somewhere amongst thousands of other legitimate files on the server.
You’re ready to make the jump from alert-based investigations to threat hunting. But what should you hunt for? How do you perform the hunts? What data will you need to collect? This is often the greatest question you will need to answer as a hunter. To get you on the right track, I have curated several techniques that might pique your interest. The list isn’t comprehensive, but it could be a starting point if you need some ideas.
What are the best ways for hunters to take the fight to an adversary? How should analysts sort out which tasks can be automated versus those that require human attention? In this interview, we sat down with Matthew Hosburgh from Radian to discuss these questions and more.
We’ll look for instances where multiple users are logged onto an end-user workstation simultaneously or within a relatively short period of time, where the same user account is logged onto more than one host, or where a network login references a non-domain account on the target system.
In the first installment of this two-part blog, we built a hypothesis that was leveraged to hunt for misbehaving PowerShell. Using MITRE’s ATT&CK matrix, the focus of the hunt was on the automated exfiltration of data. With the goal of the hunt set, one host stood out amongst the rest. The first indicator that something was awry was a host using a PowerShell user-agent string. The second sign was the beacon frequency. With Sqrrl’s hunting platform, two alerts were generated for the traffic: a beacon alert and an exfil alert. Armed with a strong conviction, the offending host would be further examined to determine what was causing these alerts.