Threat Hunting with Elastic Search | TryHackMe Threat Hunting: Pivoting

Motasem Hamdan
3 min read · May 29, 2024


We covered part two of threat hunting with Elasticsearch. We covered the queries and methodologies used to uncover threats and attacker techniques such as privilege escalation, pivoting, lateral movement, credential access and enumeration. This walkthrough was part of the Threat Hunting: Pivoting room, which belongs to the SOC Level 2 track.

Hunting Discovery and Enumeration

The hunt for the Discovery tactic involves detecting unusual information-gathering activities that typically blend in with host and network administration commands. This may entail identifying known tools that System Administrators use, or activities that gather host and network data, and then differentiating benign activities from suspicious ones based on their unusual patterns. In line with this, we will use the following scenarios to build our hunting methodology.

  • Host reconnaissance activity
  • Internal network scanning
  • Active Directory enumeration

Hunting Internal Network Scanning

Internal network connections are always presumed to be benign due to the assumption that they originate from legitimate host services and user activity. However, threat actors tend to blend into this noise while enumerating reachable assets for potential pivot points. One example is scanning open ports on a reachable device, which generates several connections from one source to many unique destination ports on the same target. We will hunt for behaviours that satisfy this idea.
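The following is an added example, not code from the room or the author, showing the "one source, many unique destination ports" idea in two forms: a local count over constructed network-connection events, and the equivalent Elasticsearch aggregation. It assumes ECS field names (`source.ip`, `destination.ip`, `destination.port`, `@timestamp`) and a threshold of five distinct ports, both of which are assumptions to adjust to your own index.

```python
"""Hunt for internal port scans: many distinct destination ports per source/destination pair."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in ECS-style field names (not real telemetry, not from the room).
# 10.10.1.5 touches eight ports on one host; 10.10.1.7 only repeats SMB (445) on two hosts.
EVENTS = [
    {"@timestamp": "2024-05-29T10:00:00", "source.ip": "10.10.1.5",
     "destination.ip": "10.10.1.20", "destination.port": p}
    for p in (22, 80, 135, 139, 443, 445, 3389, 5985)
] + [
    {"@timestamp": "2024-05-29T10:00:05", "source.ip": "10.10.1.7",
     "destination.ip": "10.10.1.20", "destination.port": 445},
    {"@timestamp": "2024-05-29T10:00:06", "source.ip": "10.10.1.7",
     "destination.ip": "10.10.1.21", "destination.port": 445},
    {"@timestamp": "2024-05-29T10:00:07", "source.ip": "10.10.1.7",
     "destination.ip": "10.10.1.20", "destination.port": 445},
]


def scan_candidates(events, min_ports=5, window=timedelta(minutes=5)):
    """Return sorted (source, destination, distinct_port_count) tuples reaching min_ports.

    Ports are counted only within `window` of the pair's first observed connection,
    so a slow trickle of legitimate connections over a day does not accumulate.
    """
    ports = defaultdict(set)
    first_seen = {}
    for e in events:
        key = (e["source.ip"], e["destination.ip"])
        ts = datetime.fromisoformat(e["@timestamp"])
        start = first_seen.setdefault(key, ts)  # first event for this pair
        if ts - start <= window:
            ports[key].add(e["destination.port"])
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports)


def es_query(min_ports=5, time_range="now-5m"):
    """Equivalent Elasticsearch DSL: cardinality of destination.port per source/destination bucket.

    Note that `cardinality` is an approximate (HyperLogLog) count; for thresholds this
    small the error is negligible, but exact numbers should come from the raw events.
    """
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": time_range}}},
        "aggs": {"pairs": {
            "multi_terms": {"terms": [{"field": "source.ip"}, {"field": "destination.ip"}], "size": 100},
            "aggs": {
                "ports": {"cardinality": {"field": "destination.port"}},
                "scan_filter": {"bucket_selector": {"buckets_path": {"n": "ports"},
                                                    "script": f"params.n >= {min_ports}"}},
            },
        }},
    }
```

Expected result on the sample data: only the `10.10.1.5 -> 10.10.1.20` pair (8 distinct ports) is returned, while the repeated SMB connections from `10.10.1.7` stay below the threshold.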

Hunting Active Directory Enumeration

Domain Enumeration typically generates many LDAP queries. However, it is also typical for an internal network running Active Directory to create this activity. Given this, threat actors tend to blend into the regular traffic to mask their suspicious activity of harvesting Active Directory objects to tailor their potential internal attack vectors. Based on this, we will focus on unusual LDAP connections.

Hunting Privilege Escalation

You may think that hunting successful privilege escalation attempts can be as easy as looking for unusual events executed by privileged accounts. However, differentiating them from benign activity can be tedious, since these accounts spawn most of the activities run by the operating system or by System Administrators. We will use the following scenarios:

  • Elevating access through SeImpersonatePrivilege abuse.
  • Abusing excessive service permissions.

Successful privilege escalation attempts always indicate activities generated by a privileged account. In the context of abusing machine vulnerabilities, the user access is typically elevated to the NT Authority\System account.

Aside from abusing account privileges, threat actors also hunt for excessive permissions assigned to their current account access. One example is excessive service permissions allowing low-privileged users to modify and restart services running on a privileged account context.

Hunting Credential Harvesting

Hunting Credential Access involves actively searching for indicators of adversaries attempting to acquire or misuse credentials within a system or network. Recognising red flags requires a deep understanding of typical credential usage, a vigilant approach to identifying anomalies, and a sense of different methods used by adversaries to access credential vaults or locations. In line with these, we will use the following scenarios to build our hunting methodology:

  • Dumping host credentials from LSASS.
  • Dumping domain credentials via DCSync.
  • Obtaining valid accounts via brute-forcing.

Hunting Lateral Movement

The hunt for Lateral Movement involves uncovering suspicious authentication events and remote machine access from a haystack of benign login attempts by regular users. On a typical working day in an internal network, events generating remote access to different hosts and services are expected, whether it is access to a file share, remote troubleshooting, or network-wide deployment of patches. In the following sections, we will delve deeper into strategies and techniques for hunting Lateral Movement activities, interpreting host authentication and network connection events, and recognising anomalies through the following scenarios:

  • Lateral Movement via WMI.
  • Authentication via Pass-the-Hash.

Room Answers | TryHackMe Threat Hunting: Pivoting

Room answers can be found here.

Video Walkthrough | Threat Hunting: Pivoting



Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
