Threat Hunting: 10 Adversary Behaviors to Hunt For
You’re ready to make the jump from alert-based Investigations to threat hunting. But what should you hunt for? How do you perform the hunts? What data will you need to collect? This is often the greatest question you will need to answer as a hunter. To get you on the right track, I have curated several techniques that might pique your interest. The list isn’t comprehensive, but could be a starting point if you need some ideas.
As a reminder, Sqrrl has developed a hunting methodology called the Threat Hunting Loop. The hunting loop has four steps:
These behaviors are generally aligned to Lockheed’s Cyber Kill Chain and the MITRE Attack Matrix. One way to determine which behaviors to hunt for is to develop a Hunting Heat Map that identifies where you have detection gaps. Below are 10 behaviors that you might consider prioritizing for hunts depending on your current detection capabilities.
Behavior #1 – Misbehaving PowerShell
With many organizations running Microsoft’s Windows OS, it goes without saying that PowerShell is an area that warrants further scrutiny. Nearly every Window’s GUI has a subsequent cmdlet or feature to make automating attacks quick and easy. Additionally, PowerShell is easily bypassed—think those restrictions are working? Better doublecheck.
Further information: Misbehaving PowerShells
Behavior #2 Uncategorized Proxy Events
Uncategorized domains aren’t rare enough to be used for alert-based detection, which is why they are well suited as a hunting input. Hunters can take advantage of rapid URL classification by searching for communication with yet uncategorized domains to find evidence of malicious activity based on domains that are new or used for a specific purpose. This is a simple technique, but one that can find malware that other tools haven’t been able to find.
Further information: Uncategorized Proxy Events
Behavior #3 HTTP User Agents
Malware and active adversaries often need to download additional toolsets, received commands from a C2 server, or even exfiltrated data. A great way to catch sloppy or mis-behaving processes, is to look at the user agent. With PowerShell or even Python, the default user agent string can be a dead give-away that something is not right. Another example would be a user agent that does not exists (such as an outdated browser or a less-than-targeted piece of malware). Knowing what is normal in the environment can help gain a lot of mileage out of user-agent strings and point the hunter to the systems that require a deeper look.
Further information: HTTP User Agents
Behavior #4 Command Line Process Execution
Command line process execution, and the abuse of command line execution, isn’t a rare occurrence in many environments. Because of this reality, the ability to examine command line executions is imperative. In many cases, there are certain flags or arguments that would warrant an immediate look. For example, a process being started from PowerShell with the execution bypass flag set should raise suspicion. A process is often invoked as a system is started, so one area to help identify an odd process is to look at the process ID. Does it have a small number, or is it larger, indicating it was started after the system was booted? Certain processes might be more alarming than others, so it is another area where hunting can help to narrow down interesting behavior.
Further information: Command Line Process Execution
Behavior #5 Internal Reconnaissance
Once a foothold has been established, an attacker may start to look for other interesting targets to exploit or pivot to. Another consideration is to see if this stage is early on in the attack. If so, you might be in a position to prevent further damage. Similar to lateral movement, this behavior should be considered alarming as an active, and possibly human, attacker is looking for another system of interest.
Further information: Internal Reconnaissance
Behavior #6 DNS Tunneling
When an organization is employing advanced traffic inspection capabilities, exfiltration or other C2 traffic is easier to spot. An attacker may choose to obfuscate their traffic by tunneling it through common protocols that would not necessarily cause alarm. Additionally, strict egress filtering rules may reduce the protocols that are permitted to leave the organization. For that reason, tunneling, or hiding, the malicious traffic within legitimate and approved protocols is a means to achieve the goals of the attacker.
Further information: DNS Tunneling
Behavior #7 Lateral Movement
Similar to internal reconnaissance, lateral movement is the stage of the attack where the adversary is moving to a more appealing or capable target. Depending on the goals, the attacker could be automating this movement, such as with credential reuse and ransomware, or it could be slow and methodical to prevent triggering any alarms. As mentioned in the DNS tunneling behavior, the attacker may be required to move to a system that permits certain outbound traffic to complete the objective, and hence, laterally move.
Further information: Lateral Movement
Behavior #8 Data Staging
If data exfiltration is the goal, an adversary may want to collect as many records as possible before attempting to send them outbound. At this stage, the attacker is more than likely rounding up as much information as possible, for example .pdf documents containing customer or sensitive information. Once rounded up, the files may be exfiltrated or perhaps, destroyed.
Further information: Data Staging
Behavior #9 Command and Control
The preverbal C&C traffic! Why compromise one host when you can have an entire army of hosts working for you? In many cases, C&C traffic is used to herd a botnet, meaning the master system is centrally controlling the actions of the bots. In some cases, C&C traffic can point to the fact that an attacker has compromised the system or network and is ready to download additional tools. Regardless of the end goal, this is an area in which a hunter can identify potentially compromised hosts.
Further information: Command and Control
Behavior #10 Web Shells
Leveraging another organization’s infrastructure to further attack or launch intermediary attacks is a tactic used to spread malware or gain persistence. One such methods is to use a web shell. A web based shell enables an attacker to have a shell within a website (PHP based as an example) to manipulate the webserver. Tasks such as file uploads, data transfer or exfiltration, can be easily accomplished. Detecting this activity via traditional means is difficult, which makes this behavior an excellent technique to hunt for.
Further information: Web Shells
Although not comprehensive, this list provides you with some basic ideas on adversary techniques to hunt for. Having a hypothesis provides a means to keep the hunt on target, which the most important piece. Taking what is found on the hunt and enriching the organization’s automated detection capabilities is the goal, which provides the hunter the time to continue to pursue the adversary. Happy hunting!
For more information on Threat Hunting, watch these short clips:
• How Threat Hunting Impacts Security Operations
• How to Overcome Common Threat Hunting Challenges
• How Alert-driven Investigations Differ from Threat Hunting