Discover and read the best of Twitter Threads about #ThreatHunting

Most recents (24)

1/ #ThreatHunting: I have previously tweeted about using workstation names for hunting.

We have seen in a recent case the workstation name "WIN-799RI0TSTOF", which has already been tracked by @BushidoToken, @teamcymru_S2 and @TheDFIRReport.

🧵

(Picture from the TheDFIRReport)
/2 The TA used the leaked credentials from an employee of the company to connect to the internal network via Citrix Netscaler.

Using the Velociraptor @velocidex Hunt Windows.EventLogs.RDPAuth, we first gather logon data from the systems in our network. Below the description.
3/ Although the hunt says in the description "Best use of this artifact is to collect RDP and Authentication events around a timeframe of interest" this Velo-Search can also be used wonderfully for generic hunting.
Read 9 tweets
1\ #ThreatHunting: How to detect fileless Linux malware

Look for processes in /proc/<PID>/exe where the path shows "(deleted)"

Here are two examples👇
1. BPFDoor deleted binary
2. An attacker abusing memfd_create() to exec their malware in RAM w/o dropping files to disk.
2\ To recover/extract these binaries running in memory - you can copying them out from this location:

/proc/<PID>/exe

Also as an FYI for memfd_create() abuse detection you can hunt for the "memfd: (deleted)" string directly.
3\ You can also review what command line spawned the pid by reviewing:

/proc/<PID>/cmdline

This screenshot shows the cmdline used for the memdf_create() reverse shell. There are a lot of other interesting things you can also review in /proc/PID
Read 4 tweets
Some Free / Some Paid: SIEM Rule Marketplace @SOC_Prime: socprime.com

Great Threat Hunting Guide: threathunting.net/files/hunt-evi…

Detection engineering guide. Excellent places to look first @redcanary : redcanary.com/threat-detecti…
@SANSInstitute Hunt Evil Poster: sans.org/posters/hunt-e…

Good log source guide: "Advice on best log sources and why - Florian Roth @cyb3rops"
Read 9 tweets
1/ #ThreatHunting

AnyDesk
Splashtop
Atera
TeamViewer
SupRemo
ScreenConnect
Remote Utilities

After breaching a network, attackers install, besides the obvious backdoors, other (legitimate) remote desktop products that can be used to re-enter the network. 🧵

#CyberSecurity
2/ The list above is not exhaustive, but defenders and incident responders must make sure that the installed remote desktop products were installed by the customer and not by an attacker.
3/ Especially in the case of an IR investigation, it is imperative to hunt for these products in the network.

But also proactively during a compromise assessment - the credentials for the remote solution could also have been leaked on a private PC (-> if possible, use MFA).
Read 4 tweets
1/ @ESET (see tweet below) has reported that #Emotet uses LNK attachments for the initial infection vector.

We can download a sample from Bazaar by @abuse_ch for doing our own analysis (sample from 2022-05-02).

bazaar.abuse.ch/sample/ce7191e…

#CyberSecurity
2/ exiftool works very well to find out the path and command line arguments of the malicious LNK file:
3/ The analyzed sample from @Netskope calls PowerShell directly. However, in our sample, cmd.exe is called first, then PowerShell with a base64 encoded command argument.

Picture taken from here - an analysis worth reading:
netskope.com/blog/emotet-ne…
Read 8 tweets
1/ #ThreatHunting: @Avast mentions in its Q1 Threat Report that one-third of their observed rootkit activity are due to the Ring-3 rootkit R77.

Here are two hunting approaches to detect R77 on an infected system. 🧵

#CyberSecurity
2/ R77 is an open-source rootkit that attempts to hide the existence on the infected system at various levels (screenshot).

As stated on the GitHub repo, e.g., all entities where the name starts with "$77" are hidden.

github.com/bytecode77/r77…
3/ The installer creates two scheduled tasks for the 32-bit and the 64-bit r77 service, according to the GitHub Readme.

After running the installer on our lab system, no new scheduled task is visible inside the Tasks folder.
Read 10 tweets
1/ As always, an excellently written blog post by @Mandiant.

In addition to the hunting strategies outlined in the blog, I see another hunting-angle that could be worthwhile. 🧵🥷

mandiant.com/resources/unc3…

#CyberSecurity
2/ The TA deployed the C2 agent "on opaque network appliances within the victim environment; think backdoors on SAN arrays, load balancers, and wireless access point controllers. These kinds of devices don’t support antivirus or endpoint detection and response tools (EDRs),
3/ subsequently leaving the underlying operating systems to vendors to manage."

The C2 agent on the compromised servers and systems uses DynDNS domains to communicate with the C2 server.

The use of an internal DNS server, which also logs the DNS queries over an extended
Read 5 tweets
1/ #ThreatHunting: @SentinelOne blogged about a Chinese TA called Moshen Dragon that uses password filters to read plaintext passwords (when they are changed).

sentinelone.com/labs/moshen-dr…
2/ The idea of using a password filter to get plaintext passwords is not new and was (first?) documented back in 2013 by @mubix:

blog.carnal0wnage.com/2013/09/steali…
3/ Thanks to @spotheplanet's code, we can test this scenario in our lab (or use the project linked on the SentinelOne blog):

ired.team/offensive-secu…
Read 11 tweets
#ThreatHunting:

1/ When examing AutoRuns entries during an IR or CA - would you consider a Scheduled Task with the name COMSurrogate and with the following launch string as malicious (spoiler: it is 😉)?

"powershell.exe" -windowstyle hidden

#CyberSecurity #dfir
2/ @Malwarebytes has found out that the Colibri malware on Windows 10 systems (and up) drops a file called Get-Variable.exe in the path %APPDATA%\Local\Microsoft\WindowsApps.
3/ "It so happens that Get-Variable is a valid PowerShell cmdlet which is used to retrieve the value of a variable in the current console. Additionally, WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell
Read 7 tweets
Visualizing #cybersecurity concepts can be a great way to learn more about specific tools, methodologies, and techniques! Here is a thread that shows 6 useful infographics on threat intelligence and related topics!🧵👇#infosec #threatintel

1⃣ - Practical Threat Intel
2⃣ - Tactics, Techniques and Procedures is an important concept to understand when you are working on threat intelligence to understand the capabilities of threat actors! 🤓 #Infosec #ttp
3⃣ - Mitre ATT&CK Matrix is became one of the references to classify and categorize attackers' TTPs! ☠️ #cybersecurity
Read 8 tweets
#ThreatHunting: When investigating a potentially compromised Exchange server, one of the first steps I take is to search the MFT for .aspx files (with @velocidex's MFT Hunt, for example). Examine the results for suspicious file names or paths.
(1/3)

#CyberSecurity Image
The picture above shows different webshells that I identified within the first few minutes of the investigation.
(2/3)
This procedure also has the advantage of finding "hidden" web shells. Attackers can create a virtualDirectory that points to webshells in non-standard directories. Check the @HuntressLabs blog post about which configuration files to examine:

huntress.com/blog/rapid-res…
(3/3)
Read 3 tweets
Spent some time today at work playing with @msftsecurity Windows InstallerFileTakeOver LPE (CVE-2021-41379 bypass - github.com/klinix5/Instal…) and managed to create some detections on it.

Detection will be based on Sysmon/SIEM, here we go... 1/n #threathunting #detection #dfir
The exploit requires the user to overwrite elevation_service.exe with a compromised one (in this case with InstallerFileTakeOver.exe).
We can monitor this using #Sysmon event ID 11 - File Creation events:
event_id:11 AND event_data.TargetFilename:*\\elevation_service.exe
Read 14 tweets
mshtml.dll was loaded into winword process, when Microsoft MSHTML used? I guess, it will be nice for #threathunting perspective
based on sample: app.any.run/tasks/36c14029…
possible another suspicious loads: ExplorerFrame.dll, ieproxy.dll

#CVE-2021-40444 #DFIR #BlueTeam
...run query on prod enviroment, last 30 days - 0 FPs hists. via (MDATP) @MSThreatProtect
Read 3 tweets
If you want the quickest and easiest way to try out #SecurityOnion, just follow the screenshots below to install an Import node and then optionally enable the Analyst Workstation. This can be done in a minimal VM with only 4GB RAM! ImageImageImage
Start Setup and choose Import node: ImageImageImageImage
Read 17 tweets
Detection Quiz!💡
Look at the process creation events depicted below:
1. Can you recognise the technique?
2. Map it to the @MITREattack
3. Which tool was most likely used?
4. Detection ideas?

#ThreatHunting Image
Columns: Time, Parent, ParentIntegrityLevel, Child, ChildIntegrityLevel
Please, provide your answers in form of 1..2..3..4..
Read 20 tweets
In light of the recent #SupplyChain attack on @KaseyaCorp by #REvil, it is worth paying attention to decoder[.]re included within the ransom notes, used additionally to 'mirror' in TOR network. #Ransomware #Cybersecurity #ThreatIntel #ThreatHunting #Malware Image
Similar to decryptor[.]cc and decryptor[.]top in previous #REvil/#Sodinokibi versions, decoder[.]re is used to grant the victims access to the threat actors WEB-site for further negotiations should their connection be limited via #TOR. Image
To access the page in WWW or TOR - the victim needs to provide a valid UID (e.g. "9343467A488841AC") ImageImage
Read 11 tweets
Here is how to hunt/detect 60% (possibly more than 60%) of lateral movement attacks:
On ALL endpoints, look for EID 4624 with LogonType 9 (NewCredentials), and check TargetOutboundUserName field. 1/4
#threathunting #dfir #lateralmovement
Then, check if the TargetOutboundUserName is supposed to be seen on the endpoint. Here is why:
Attackers most likely spawn a new process on the compromised machine with the credentials/tokens they steal. This is done by using "/NETONLY" flag. 2/4
"/NETONLY" flag generates a new logon on the endpoint with the EID 4624 LogonType 9.
LogonType 9 is quite rare in an environment, usually <1% of all logon events. Therefore, it is quite easy to hunt for this event. 3/4
Read 4 tweets
I've had something in my mind now for a few years, but I never published it. So today, you're getting a short thread on "How to Prepare for #ThreatHunting Using the ABLE Framework".

1/9
Good threat hunting starts with a hypothesis. This is, loosely, an educated guess at a type of malicious activity which may be happening. @RobertMLee and I wrote a whitepaper on this, called "Generating Hypotheses for Successful Threat Hunting": sans.org/reading-room/w…

2/9
Once you have the hypothesis, though, then what? That's where the ABLE framework comes in.

There are four key pieces of information you need to know to be ABLE (Ha! Get it?) to hunt. They are:

- The ACTOR
- The BEHAVIOR
- The LOCATION
- The EVIDENCE

3/9
Read 9 tweets
(1/of a few) Doing some training #threathunting runs with #suricata -with pcap from bit.ly/3jNUCyw
Fun fact: Alerts count only for 8% of the total logs produced - we also have protocol logs like Flow records, KRB5, SMB, DNS, TLS, HTTP, DCERPC,Fileinfo Image
(2/of a few)
Just as regular protocol and flow logging of #Suricata gives us:

633 FLOW logs
295 HTTP logs
182 TLS logs
130 DNS logs
114 SMB logs
90 DCERPC logs
66 FILEINFO logs
23 KRB5 logs
2 NTP logs

Let's see some examples of the generated data...
(3/of a few)
Quick and dirty cmd look at the DNS logs generated by #Suricata gives us the domain list for our #threathunting review
Couple of those jump out (at lest to me) Image
Read 17 tweets
A quick thread.

Review of the URL's submitted to URLhaus in the past 30 days.

53109 URLs reported, lets look for patterns; which we can use for threat hunting and detection in DNS entries and proxies logs.

#infosec #cybersecurity #threathunting
25494 of the URLs end with Mozi.m, relating to the Mozi Botnet - securityintelligence.com/posts/botnet-a…. To detect this, we can look for the regex pattern .*Mozi\.m$

A further 4636 of the URLs end with Mozi.a, related to the above. We can detect this using regex pattern .*Mozi\.a$
Finally, there are 10 URLs which contain Mozi within them in different patterns to above. It is therefore worthwhile searching for any case of Mozi within a URL (This will be greedier than the above, but still worthwhile checking)
Read 11 tweets
Wait is over .. Read final part 2 which is focused on aws log data ingestion , #hunting and investigation of Capital one breach TTPs in #AzureSentinel techcommunity.microsoft.com/t5/Azure-Senti…
T1078: Privileged role attached to Instance.
#AzureSentinel #MITRE #AWS #threathunting
github.com/Azure/Azure-Se…
T1078 : Suspicious credential token access of valid IAM Roles
#AzureSentinel #MITRE #AWS #threathunting
github.com/Azure/Azure-Se…
Read 5 tweets
Let's go step-by-step and do some basic live process forensics for #Linux. Today's contestant is a bindshell backdoor waiting for a connection on Ubuntu. We saw something odd when we ran:

netstat -nalp

#DFIR #threathunting #forensics
netstat -nalp shows a process named "x7" PID with a listening port that we don't recognize. #DFIR Image
First thing we'll do is list out /proc/<PID> to see what is going on. Our PID is 5805:

ls -al /proc/5805

The current working directory is /tmp. The binary was in /tmp, but was deleted. A lot of exploits work out of /tmp and /dev/shm on Linux. This is a major red flag. #DFIR Image
Read 13 tweets
Here's how to recover a #Linux binary from a malicious process that has deleted itself from the disk.

cp /proc/<PID>/exe /tmp/recovered_bin

Let's see how this works. #DFIR #threathunting #forensics
Often, malware deletes itself after it starts so file scanners and integrity checks won't find it. It can make analysis harder if you can't get to the binary easily.

But if you remember /proc/<PID>/exe you can recover any deleted binary.

#DFIR #threathunting #forensics
Use the sleep command to simulate a deleted process:

cd /tmp
cp /bin/sleep x
./x 3600 &
[1] 32031
rm x

This copies the sleep command as "x" under /tmp and runs for 3600 seconds. Then, delete "x" so the binary appears removed. Practice on it.

#DFIR #threathunting #forensics
Read 7 tweets
Threat Hunting In #CyberSecurity : Waiting for an alert can be too dangerous.
Threat hunting means to proactively search for malware or attackers that are hiding in your network — and may have been there for some time.
Most time, the goals of these malware or attackers can be to quietly siphoning off data, patiently listening in for confidential information, or working their way through the network looking for credentials powerful enough to steal key information.
Read 19 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!