Stephan Berger
Head of Investigations @InfoGuardAG

May 21, 2022, 9 tweets

1/ #ThreatHunting: I have previously tweeted about using workstation names for hunting.

We have seen in a recent case the workstation name "WIN-799RI0TSTOF", which has already been tracked by @BushidoToken, @teamcymru_S2 and @TheDFIRReport.

🧵

(Picture from TheDFIRReport)

2/ The TA used the leaked credentials from an employee of the company to connect to the internal network via Citrix Netscaler.

Using the Velociraptor @velocidex hunt Windows.EventLogs.RDPAuth, we first gather logon data from the systems in our network. The description is below.

3/ Although the hunt says in the description "Best use of this artifact is to collect RDP and Authentication events around a timeframe of interest" this Velo-Search can also be used wonderfully for generic hunting.

4/ Next, we evaluate the source IP from where the users log into the network.

Through automated geo-lookups or comparison with threat lists, potentially hacked accounts could be identified.

In this case, however, we knew the compromised user, which simplified the analysis.

5/ The IP address from the RDP logon is listed on Shodan with an exposed RDP port - very likely a hacked server that is now being used for further activities by attackers.

The hostname "WIN-799RI0TSTOF" is interesting.

6/ @BushidoToken talked about the analysis of workstation names before:

7/ "These workstation names are not unique to these threats per se, but point to commonality in threat actor TTPs."

Quote from @teamcymru_S2

8/ With these workstation names, it is now possible to hunt very specifically in the (security) logs or to set up alarms if these hostnames appear somewhere in the internal network.
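A minimal version of such a hunt, as an added example rather than the author's Velociraptor hunt: it runs the workstation-name watchlist from tweet 8 and the source-IP check from tweet 4 over constructed logon events. The key=value export format, the user names, the IPs and the RFC 1918 internal ranges are assumptions; the watchlist entry is the name from the thread.

```python
import ipaddress
import re

# Workstation names seen in prior intrusions; "WIN-799RI0TSTOF" is the one
# from the thread. Extend this set from your own cases or public reporting.
WATCHLIST = {"WIN-799RI0TSTOF"}

# Your internal address ranges (assumed here: the RFC 1918 blocks).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of Security log logon events, flattened to key=value
# lines (assumed export format; real events carry many more fields).
SAMPLE_EVENTS = """\
EventID=4624 LogonType=10 TargetUserName=jdoe WorkstationName=LAPTOP-JD01 IpAddress=10.0.5.23 Time=2022-05-10T08:02:11Z
EventID=4624 LogonType=10 TargetUserName=jdoe WorkstationName=WIN-799RI0TSTOF IpAddress=203.0.113.42 Time=2022-05-10T22:41:03Z
EventID=4624 LogonType=3 TargetUserName=svc_backup WorkstationName=BKP01 IpAddress=10.0.9.4 Time=2022-05-10T23:00:00Z
EventID=4625 LogonType=10 TargetUserName=admin WorkstationName=win-799ri0tstof IpAddress=203.0.113.42 Time=2022-05-10T22:39:55Z
EventID=4624 LogonType=10 TargetUserName=msmith WorkstationName=DESKTOP-7Q2 IpAddress=198.51.100.7 Time=2022-05-11T01:12:40Z
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    return dict(KV.findall(line))

def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # an empty field is exported as "-"
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def hunt(events_text, watchlist=WATCHLIST):
    """Return (event, reason) pairs worth a closer look; name matching is
    case-insensitive and failed logons (4625) are kept as leads too."""
    wanted = {w.upper() for w in watchlist}
    hits = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") not in ("4624", "4625"):
            continue
        if ev.get("WorkstationName", "").upper() in wanted:
            hits.append((ev, "workstation name on watchlist"))
        elif ev.get("LogonType") == "10" and is_external(ev.get("IpAddress", "")):
            hits.append((ev, "RDP logon from outside internal ranges"))
    return hits
```

`hunt(SAMPLE_EVENTS)` returns three leads from the sample: both events carrying the watchlisted name (one of them a failed logon) and one interactive RDP logon from a non-internal address.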

9/ Additional hunts with workstation names:
