Hunting cyber threats is much like conventional hunting in that it requires patience and a keen eye, but when done correctly it can be both exhilarating and rewarding.
The first item any cyber threat hunter needs, of course, is the data. A centralized Security Information & Event Management (SIEM) platform is preferable, but even just access to proxy logs and anti-virus logs is highly beneficial. It doesn’t matter if there are hundreds or even billions of events; the hunting process whittles away the noise like a digital wood carver chipping away to reveal his masterpiece.
The second item needed is a list of the types of suspicious activity to look for in the logs. It’s imperative to have an intelligence-driven approach to this process, otherwise you’ll likely end up feeling like you’re banging your head against the proverbial brick wall.
Proxy logs are a great place to start your hunt and there are a number of telltale signs to look out for that something is amiss:
Low and slow connections: Is there traffic being sent out port 22 through your proxy servers or even firewalls? Of course, it’s good practice to source restrict this clear-text protocol, but if it’s not locked down, look for any exfiltration patterns in the data.
Same number of bytes in and out: Are there any network connections that exhibit the same pattern of bytes in and bytes out each day? This was more prevalent around five years ago, but malware today still leverages this technique of beaconing out to its master to let them know it has implanted successfully. So looking for the same number of bytes up and bytes down on a frequent basis could be a sign of suspicious activity.
Suspicious sites: Identify a listing of all dynamic DNS sites that are visited by endpoints and look specifically at the outliers across your organization. If only three machines out of 20,000 visit one specific site, it could point to command & control infrastructure. Of course, there could be other explanations as well but it is definitely something worth examining further.
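The last two proxy hunts above (identical byte counts day after day, and dynamic DNS destinations that only a handful of machines visit) can be sketched as follows. This is an added example, not code from the original article; the record layout, host names, thresholds and the `.dyn.example` suffix are constructed placeholders to be replaced with your own proxy fields and your own list of dynamic DNS provider domains.

```python
from collections import defaultdict

# Constructed sample proxy records: (day, source host, destination, bytes out, bytes in).
PROXY_EVENTS = [
    ("2024-01-01", "ws-0142", "updates.dyn.example", 312, 180),
    ("2024-01-02", "ws-0142", "updates.dyn.example", 312, 180),
    ("2024-01-03", "ws-0142", "updates.dyn.example", 312, 180),
    ("2024-01-04", "ws-0142", "updates.dyn.example", 312, 180),
    ("2024-01-01", "ws-0007", "intranet.corp.example", 5120, 88211),
    ("2024-01-02", "ws-0007", "intranet.corp.example", 4310, 90112),
    ("2024-01-02", "ws-0311", "cam.dyn.example", 900, 15000),
    ("2024-01-03", "ws-0007", "news.example", 700, 42000),
    ("2024-01-03", "ws-0311", "news.example", 650, 39000),
    ("2024-01-03", "ws-0142", "news.example", 810, 40100),
]

# Placeholder suffix standing in for a list of dynamic DNS provider domains.
DYNAMIC_DNS_SUFFIXES = (".dyn.example",)


def repeating_byte_pairs(events, min_days=3):
    """Map (host, dest, bytes out, bytes in) -> days seen, kept if seen on >= min_days days."""
    days = defaultdict(set)
    for day, host, dest, b_out, b_in in events:
        days[(host, dest, b_out, b_in)].add(day)
    return {key: sorted(seen) for key, seen in days.items() if len(seen) >= min_days}


def rare_dynamic_dns(events, suffixes, max_hosts=3):
    """Map dynamic DNS destination -> visiting hosts, kept if at most max_hosts visit it."""
    hosts = defaultdict(set)
    for _day, host, dest, _b_out, _b_in in events:
        if dest.lower().endswith(suffixes):
            hosts[dest.lower()].add(host)
    return {dest: sorted(seen) for dest, seen in hosts.items() if len(seen) <= max_hosts}


if __name__ == "__main__":
    for key, seen in repeating_byte_pairs(PROXY_EVENTS).items():
        print("repeating byte pattern:", key, "on", len(seen), "days")
    for dest, visitors in rare_dynamic_dns(PROXY_EVENTS, DYNAMIC_DNS_SUFFIXES).items():
        print("rare dynamic DNS destination:", dest, "visited by", visitors)
```
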
Windows Logs can often be overlooked, but again they provide a good hunting ground.
Key Windows Events to look out for:
Failed logon attempts: It might sound obvious, but looking for successive failed access attempts using multiple accounts could indicate a brute force. Focusing on one failed attempt per account may signify a threat actor trying to log in with passwords they’ve previously dumped from the environment in the hope that one may still work. This would be Event IDs 4625, 529-539.
Explicit credentials: Profile your “A logon was attempted using explicit credentials” event logs and whitelist out normal activity. This would be for Event ID 4648 and/or 552. This log kicks off when a user connects to a system or runs a program locally using alternate creds. Did someone say ‘Lateral Movement’? Threat actors love to move laterally!
Privilege changes: Escalation of privileges will often occur once a foothold has been achieved within an environment. These logs may assist in the identification of such activity. It’s good to profile your IT admins’ legitimate activities as well since they’ll more often than not cause a bit of noise themselves. Event IDs 4728, 4732, 4756.
Other low-hanging fruit: Log clearing – Windows Events 104 & 1102; EMET crash logs – 1 & 2; Application crashes and hangs – Windows Events 1000 & 1002; Windows Defender errors – Windows Events 1005, 1006, 1008, 1010, 2001, 2003, 2004, 3002, 5008
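The two failed-logon patterns described above (failures spread across multiple accounts, and exactly one failure per account) can be separated by grouping events per source, as in this added example, which is not code from the original article. The sample events, addresses, account names and the `min_accounts` threshold are constructed assumptions; the input is assumed to be events already exported from your log platform as dictionaries.

```python
from collections import Counter, defaultdict

# Failed-logon Event IDs as listed above: 4625 plus the legacy 529-539 range.
FAILED_LOGON_IDS = {4625} | set(range(529, 540))

# Constructed sample of parsed events; field names follow the 4625 event schema.
ONE_EACH = [{"EventID": 4625, "IpAddress": "10.0.5.23", "TargetUserName": u}
            for u in ("asmith", "bjones", "cwu", "dpatel", "svc_backup")]
REPEATED = [{"EventID": 4625, "IpAddress": "10.0.9.40", "TargetUserName": u}
            for u in ("admin", "helpdesk", "sqlsvc", "guest") for _ in range(3)]
TYPO = [{"EventID": 4625, "IpAddress": "10.0.2.11", "TargetUserName": "jdoe"},
        {"EventID": 4624, "IpAddress": "10.0.2.11", "TargetUserName": "jdoe"}]
EVENTS = ONE_EACH + REPEATED + TYPO


def hunt_failed_logons(events, min_accounts=4):
    """Map source address -> (pattern, distinct accounts) for multi-account failures."""
    per_source = defaultdict(Counter)
    for ev in events:
        if ev["EventID"] in FAILED_LOGON_IDS:
            per_source[ev["IpAddress"]][ev["TargetUserName"].lower()] += 1
    findings = {}
    for source, accounts in per_source.items():
        if len(accounts) < min_accounts:
            continue  # a user mistyping their own password stays out of the results
        if max(accounts.values()) == 1:
            pattern = "one_failure_per_account"  # possible reuse of dumped passwords
        else:
            pattern = "multi_account_failures"   # possible brute force
        findings[source] = (pattern, len(accounts))
    return findings


if __name__ == "__main__":
    for source, (pattern, count) in sorted(hunt_failed_logons(EVENTS).items()):
        print(source, pattern, "accounts:", count)
```
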
AV scanners and software are all primarily signature-based, meaning they detect malware by identifying a segment of code within a file that matches their internal database of malicious code. Unfortunately it’s fairly elementary to identify this code segment that AV will trigger on, make changes, re-compile it and create new code that will no longer be flagged as malicious. However, threat actors do make mistakes when they’ve made a successful intrusion. Here are some of the items to look for and reasons to look for them:
Signs of password dumping programs: Research what your AV provider flags as a password dumping program and go searching! For example, one of McAfee’s password dumping detection tools is called HTool-GSECDump. There are countless examples of threat actors running a password dumper, AV detecting and removing it, and the attacker then successfully executing another dumper that wasn’t detected. So although they’ve achieved their initial objective, they’ve left behind a clue of evidentiary value.
Common backdoors: Knowing your adversary/adversaries is the ultimate goal here. Then you can begin to profile their tactics, techniques, and procedures. You’ll know the tools they most commonly use and the types of backdoors they may leverage. Some common advanced threat backdoors include PlugX, 9002 RAT, Nettraveler, Derusbi, Winnti, Pirpi, etc. If you come across names like these within your AV logs, you’ll know something untoward is taking place. So once again, research what your AV vendor calls these detections and go hunt for them.
Dropper programs: Identify any detections with ‘dropper’ in the name. A dropper program is intended to download/install a backdoor or virus, only initiating the download when the ‘coast is clear’. If a dropper has been detected, it’s possible there is still something lurking in the depths of the OS it was detected on.
Happy hunting!
It would be easy to go on forever about what to specifically look for during a cyber-hunt, but the types of events listed above are the ones that all businesses should be sifting through day in and day out. Threat actors do everything in their power to blend in and attempt to become a ghost in your network so it is the job of the security professional to be the ghostbuster! Load up on cyber threat knowledge, centralize critical logging data, and don’t stop until you find your Slimer.