One thing every threat hunter knows is that there is often more than one way to skin a… ahem… digital cat. And a lot of threat hunters share their knowledge and toolsets with other hunters informally, making it hard for a novice hunter to get started. I sat down with several hunters to find out what threat hunting tools they are using on a day-to-day basis and how they can help your hunt.
Microsoft Sysinternals Suite — https://docs.microsoft.com/en-us/sysinternals/
The first tool might surprise some of you because it isn’t some obscure Github project with unique (and sometimes hard to pronounce!) project names. Instead, the first on our list is the good old Sysinternals Suite by Microsoft. This suite of tools is hugely helpful to threat hunters in three main ways:
· Process Explorer — Think of Process Explorer as a highly advanced version of Task Manager that allows hunters to see not only the running processes, but also the DLLs each process has loaded and the registry keys it has open. This becomes invaluable when looking for suspicious and malicious behaviors.
· Process Monitor — Process Monitor is like Process Explorer, except it records activity in real time and looks more heavily at the filesystem, which can help hunters spot “interesting” changes as they occur.
· Autoruns — This program is gold for helping to detect suspicious applications that may be running at startup, which can be very handy when looking for signs of persistence on a system.
Kansa
Another tool that can be hugely useful for both threat hunting and incident response is Kansa, a self-described “modular incident response framework in Powershell.” The tool has one major function, and it does it very well. Kansa uses PowerShell Remoting to run “user contributed modules across hosts in an enterprise to collect data for use during incident response, breach hunts, or for building an environmental baseline.”
This can make gathering large swaths of data much easier, and more importantly it can also make setting up a baseline much faster. For hunters, one of the biggest challenges they face can be establishing the baseline of “what is normal” in their environment. Kansa can help speed up that task tremendously.
Kroll Artifact Parser and Extractor (KAPE) — https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape
A tool that is used widely by IR professionals and the digital forensics crew is KAPE (the Kroll Artifact Parser and Extractor). KAPE allows analysts to set up specific “targets” (basically specific locations in the filesystem), automatically parse through the results, and collect all the evidence. But it isn’t just a glorified copy-and-paste tool. It also parses through associated and related data (like EvidenceOfExecution, BrowserHistory, and more) to speed up triage and analysis.
However, threat hunters can also see a lot of value from this tool, especially if they are trying to gather related information from a host during a hunt.
GHIDRA — https://ghidra-sre.org
If you’ve been hanging around the malware reverse engineering scene for a while you are probably familiar with tools such as IDA Pro and GHIDRA, the latter of which was designed by the secretive Research Directorate of the National Security Agency (or No Such Agency, if they had their way!). GHIDRA offers security researchers tools such as a debugger, hex editor, and disassembler all in one, and completely free.
When it comes to threat hunting, having access to these tools to rip apart tools and malware and understand their inner workings can be key!
Regshot — https://github.com/Seabreg/Regshot
While some of our tools, like GHIDRA and Sysinternals, are monolithic in size and scope, Regshot is quite the opposite. Regshot is like a screenshot tool combined with the Linux “diff” command line tool, but for your registry. It allows hunters to grab a complete “screenshot” of their registry quickly and effortlessly, then take a second “screenshot” and find the differences.
This can be really helpful when hunters are trying to see what has changed in a baseline, or even what may have changed between reboots.
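The snapshot-and-diff idea behind Regshot and the persistence focus of Autoruns can be combined in a few lines of PowerShell. The following is an added example written for this article, not Regshot’s or Sysinternals’ own code; the key list, function names and the baseline file path are my own choices.

```powershell
# Added example: snapshot the common autostart (Run/RunOnce) registry keys,
# then diff a later snapshot against the baseline to surface persistence changes.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeySnapshot {
    # Returns a hashtable mapping "<key>\<valueName>" to the value's data.
    $snap = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $snap["$key\$name"] = [string]$item.GetValue($name)
        }
    }
    return $snap
}

function Compare-RunKeySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    # Emit one record per added, modified or removed autostart entry.
    $results = @()
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            $results += [pscustomobject]@{ Change = 'Added'; Entry = $k; Before = $null; After = $After[$k] }
        } elseif ($Before[$k] -ne $After[$k]) {
            $results += [pscustomobject]@{ Change = 'Modified'; Entry = $k; Before = $Before[$k]; After = $After[$k] }
        }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            $results += [pscustomobject]@{ Change = 'Removed'; Entry = $k; Before = $Before[$k]; After = $null }
        }
    }
    return $results
}

# Take the "first screenshot" and persist it as the baseline (path is an assumption).
$baselinePath = Join-Path $env:TEMP 'runkeys-baseline.xml'
Get-RunKeySnapshot | Export-Clixml -Path $baselinePath

# Later on the same host: take the "second screenshot" and list what changed.
$before = Import-Clixml -Path $baselinePath
Compare-RunKeySnapshot -Before $before -After (Get-RunKeySnapshot) | Format-Table -AutoSize
```

Any “Added” or “Modified” row is a candidate for review against the environment baseline, since new autostart entries are a classic persistence tell.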
UACME
Our last tool is a bit of a black sheep on our list, but it is no less useful. UACME (or UAC-ME) is a tool that can allow anyone to easily defeat Windows User Account Control using a variety of methods. We are definitely not condoning the use of this tool for malicious purposes, but when you are looking for tell-tale methods of maliciousness and you want to build detection content, this tool can simplify that process considerably.
Threat hunting can often seem daunting to get into, sometimes because it is hard to learn, and sometimes because, without being part of the community, it can be hard to pick up the tricks of the trade. Hopefully, with our list, you’ve found a few hidden gems that you might not have tried out yet.
What are your favourite tools that you use during security analysis, threat hunting, or DFIR?