6 Threat Hunting Ideas You Can Use Today!
by Josh Campbell from Cyborg Security
Threat hunting is often referred to as a semi-scientific practice. This is because hunters will deploy hunts based on a hypothesis, collect evidence, and document their findings — all of which should stir (hopefully) fond memories of grade 9 science class. And just like in high school, the hardest part of the scientific process (and threat hunting) is often coming up with an idea to test scientifically. That is why we put together 6 threat hunting ideas that you can start using today!
BEFORE WE BEGIN
Before we go over our 7 threat hunting ideas, I wanted to let you know that all of the threat hunting ideas you’re going to see below are available for FREE as hunt packages in our HUNTER threat hunting content platform! If you would like the query, runbook, and so much more, go to https://hunter.cyborgsecurity.io, click Sign Up, and use promo code “HUNTIDEAS” for your free community edition account!
With that out of the way, let’s dive into some threat hunting ideas about what to look for!
THREAT HUNTING IDEAS #1: LOOK FOR EXPLOITATION OF HIGH VALUE VULNERABILITIES
One of the easiest threat hunting ideas is to simply look for behaviors that align with active exploitation of high-profile or high-value vulnerabilities. Adversaries often rely very heavily on specific vulnerabilities that they know how to exploit proficiently. A great example of this is CVE-2021-40444:
MICROSOFT WORD LAUNCHING CONTROL PANEL PROCESS — POTENTIAL CVE-2021-40444 EXPLOIT
Microsoft Word suffered from a zero-day attack in September 2021, tracked as CVE-2021-40444. The vulnerability allowed code execution through Microsoft Word without needing a macro to run. A malicious Word document configured to load malicious code from a website allowed an attacker to download and execute a payload without user interaction once the document was opened. The exploit observed in the wild used the Control Panel executable (control.exe) to load DLL files disguised as INF files from one of several directories. This is abnormal behavior: such commands are typically associated with installing file system filter drivers, and it is not common for Microsoft Word to perform them.
THREAT HUNTING IDEAS #2: LOOK FOR MASQUERADING
Another quick win that hunt teams can focus on is looking for masquerading. Most often, adversaries and malware will try to blend in with the background activity on the compromised system, which means they may masquerade their processes under legitimate-sounding process names. A common example that has been used widely is Microsoft Defender.
PROCESS MASQUERADING AS MICROSOFT MALWARE PROTECTION ENGINE
The Microsoft Malware Protection Engine resides in the C:\Program Files\Windows Defender\ or C:\ProgramData\Microsoft\Windows Defender\ folders. All legitimate executions of the application should be spawned from these locations. This package identifies any outliers that are not executed from these normal folders, indicating a process masquerading as the legitimate Microsoft Malware Protection Engine.
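As an added illustration (my own example, not the HUNTER package's query), here is the path check described above run over a few constructed process-creation events. It assumes the engine's image name is MsMpEng.exe, which the post does not state, and compares normalised paths so that mixed slashes, casing, ".." traversal and look-alike sibling folders are all judged by where the image really lives.

```python
import ntpath

# Folders the post lists as the legitimate homes of the Malware Protection Engine.
LEGIT_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender",
)
# The engine's image name (MsMpEng.exe is the real file name; the post only names the engine).
ENGINE_IMAGE = "msmpeng.exe"


def is_under(path: str, folder: str) -> bool:
    """True if path lies inside folder (or a subfolder) after Windows-style normalisation.

    normpath collapses '..' and mixed slashes, so a traversal such as
    '...\\Windows Defender\\..\\..\\Temp\\x.exe' is judged by where it really resolves.
    """
    norm = ntpath.normpath(path).casefold()
    base = ntpath.normpath(folder).casefold().rstrip("\\") + "\\"
    return norm.startswith(base)


def is_masquerading(image_path: str) -> bool:
    """Flag a process whose image name claims to be the engine but runs outside its folders."""
    if ntpath.basename(image_path).casefold() != ENGINE_IMAGE:
        return False  # some other process; not this hunt's concern
    return not any(is_under(image_path, d) for d in LEGIT_DIRS)


def hunt(events):
    """Return the process-create events (dicts with an 'Image' field) that are outliers."""
    return [e for e in events if is_masquerading(e["Image"])]


# Constructed sample telemetry for the demo, not real data.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},                        # legit
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},  # legit subfolder
    {"Image": r"c:/program files/windows defender/msmpeng.exe"},                       # legit, odd casing/slashes
    {"Image": r"C:\Users\Public\MsMpEng.exe"},                                          # outlier
    {"Image": r"C:\Program Files\Windows Defender\..\..\Temp\MsMpEng.exe"},             # resolves to C:\Temp: outlier
    {"Image": r"C:\Program Files\Windows Defender Evil\MsMpEng.exe"},                   # shares a prefix only: outlier
    {"Image": r"C:\Windows\System32\svchost.exe"},                                      # unrelated process
]

if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print("masquerading:", e["Image"])
```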
THREAT HUNTING IDEAS #3: LOOK FOR SUSPICIOUS USE OF ONLINE SERVICES
Another high-fidelity threat hunting idea is to look for activity involving suspicious or prohibited online services. These services are often used to help an actor bring their tools into an environment, but they can also serve as a method of data exfiltration.
DROPBOX API USAGE — ATTEMPTED DOWNLOAD/UPLOAD
Identify the usage of DropBox’s HTTP API via URL string. While use of the DropBox API may be very common, observing an upload/download of a PDF file from a temp directory specifically could be indicative of activity related to Nobelium (UNC2452) reported in May 2021. Nobelium’s BoomBox downloader used the DropBox API over HTTP to send machine information and download another payload, which is then saved to a folder within the user’s AppData directory and launched with rundll32.exe.
POWERSHELL PASTEBIN DOWNLOAD
This threat abuses PowerShell commands to download and execute code hosted on normally benign sources such as Pastebin, GitHub, and similar services. This particular method has been used by the REvil ransomware campaign and is a method of malware distribution that can hide behind the trust given to well-known sites.
THREAT HUNTING IDEAS #4: LOOK FOR SUSPICIOUS USE OF THE REGISTRY
The registry is a great place to start a hunt. Many adversaries and malware families use it for persistence, especially under the CurrentVersion key, so if you are looking for evidence of adversarial activity, the Windows Registry is a natural first stop.
ATTEMPTED VBSCRIPT STORED IN NON-RUN CURRENTVERSION REGISTRY KEY VALUE
Identify a potentially new registry key name that is a non-autorun, non-Run key under the HKLM\Software\Microsoft\Windows\CurrentVersion\ registry key and that contains VBScript in the key value. The Windows Registry is a database of settings used by Microsoft Windows system applications and core utilities. The registry is often abused by adversaries to store configuration information, hide code, evade detection, inhibit system functions, or establish persistence, among other reasons. The “CurrentVersion” registry key in either the HKCU (Current User) or the HKLM (Local Machine) hive is one of the most abused registry keys, and more specifically the Run key within CurrentVersion. Because of this, the Run key is heavily scrutinized by detection and prevention tools. The technique targeted by this package uses only the CurrentVersion key to add the malware’s configuration information and potentially establish persistence, most likely because of the Run key’s heavy scrutiny by defense tools.
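An added example of the key-path and value checks this hunt describes (mine, not the HUNTER package's logic), run over constructed registry set-value events. The VBScript indicator patterns, and the decision to treat the whole Run family (Run, RunOnce, RunOnceEx, ...) as the excluded "autorun" keys, are assumptions of this example.

```python
import re

CURRENT_VERSION = ["software", "microsoft", "windows", "currentversion"]
HIVES = {"hklm": "hklm", "hkey_local_machine": "hklm", "hkcu": "hkcu", "hkey_current_user": "hkcu"}
# The post names Run as the scrutinised key; excluding the whole Run family (RunOnce,
# RunOnceEx, RunServices, ...) as "autorun" keys is an assumption of this example.
RUN_FAMILY_PREFIX = "run"

# Syntax characteristic of VBScript; this indicator set is an assumption, not the post's logic.
VBS_PATTERNS = [
    re.compile(r"\bSet\s+\w+\s*=\s*CreateObject\s*\(", re.I),
    re.compile(r"\bWScript\.(Shell|Sleep|Echo|CreateObject)\b", re.I),
    re.compile(r"\bExecute(Global)?\s*\(", re.I),
    re.compile(r"\bEnd\s+(Sub|Function)\b", re.I),
    re.compile(r"\bOn\s+Error\s+Resume\s+Next\b", re.I),
]


def in_non_run_currentversion(key: str) -> bool:
    """True if key is HKLM/HKCU ...\\CurrentVersion itself or a subkey outside the Run family."""
    parts = [p for p in key.replace("/", "\\").casefold().split("\\") if p]
    if not parts or parts[0] not in HIVES:
        return False
    n = len(CURRENT_VERSION)
    if parts[1:1 + n] != CURRENT_VERSION:
        return False
    rest = parts[1 + n:]  # subkey path below CurrentVersion, possibly empty
    return not (rest and rest[0].startswith(RUN_FAMILY_PREFIX))


def looks_like_vbscript(data: str) -> bool:
    """Any one VBScript-shaped construct in the value data is enough for a hunt lead."""
    return any(p.search(data) for p in VBS_PATTERNS)


def hunt(events):
    """Return registry set-value events (dicts: Key, Value, Data) worth an analyst's look."""
    return [e for e in events if in_non_run_currentversion(e["Key"]) and looks_like_vbscript(e["Data"])]


CV = r"HKLM\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_EVENTS = [  # constructed telemetry, not real data; ExampleSubkey is a made-up key name
    {"Key": CV + r"\Run", "Value": "Updater", "Data": r"C:\Program Files\Vendor\updater.exe"},
    {"Key": CV + r"\Policies\Explorer", "Value": "NoDriveTypeAutoRun", "Data": "145"},
    {"Key": CV + r"\ExampleSubkey", "Value": "Config", "Data": 'Set sh = CreateObject("WScript.Shell")'},
    {"Key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Value": "x",
     "Data": 'Set sh = CreateObject("WScript.Shell")'},  # Run family: left to the existing Run-key rules
    {"Key": r"HKLM\Software\Vendor\App", "Value": "Script", "Data": "On Error Resume Next"},
]
```

Running `hunt(SAMPLE_EVENTS)` returns only the ExampleSubkey event: the RunOnce write carries the same script but is deliberately out of scope here, and the Vendor\App write is VBScript-like but not under CurrentVersion.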
THREAT HUNTING IDEAS #5: LOOK FOR SUSPICIOUS BEHAVIORS
It may sound a bit like a tautology, but another great way to start hunting is to look for suspicious behaviors. Things like excessive file writes or file modifications can be a giveaway for ransomware activity on a system. You can also look for files with highly unusual file extensions.
EXCESSIVE FILE WRITE OR MODIFICATIONS WITH COMMON RANSOMWARE NOTE EXTENSIONS
Ransomware notes are generally dropped in common paths, such as a user’s Desktop, so they are more visible, and they use image files, .txt files and/or .doc files as the medium to communicate. Attackers will also leave these ransomware notes in every folder or directory they choose to encrypt. This threat focuses on these notes being dropped excessively, which is potentially indicative of ransomware activity.
Multiple ransomware variants drop a ransom note in each folder they encrypt once all the files within that folder have been encrypted. The logic provided looks for the common file extensions used by ransomware for their notes and sets a threshold of at least 20 unique folders where the same file is created or modified.
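An added example of the counting logic (mine, not the HUNTER package's query), run over constructed file-write events. It goes a step beyond the post by counting unique folders per host within a sliding time window, so a slow installer that writes the same file into many folders over hours is not mistaken for a ransomware burst; the image extensions in the set are assumed, while .txt, .doc and the 20-folder threshold come from the post.

```python
import ntpath
from collections import defaultdict

# .txt and .doc come from the post; the image extensions are my choice of common ones.
NOTE_EXTENSIONS = {".txt", ".doc", ".png", ".bmp", ".jpg"}


def excessive_note_writes(events, threshold=20, window=600):  # 20 folders, as the post states
    """Return {(host, note_name): folders} for note-like files created/modified in at least
    `threshold` distinct folders within any `window`-second span on one host.
    Counting folders (not writes) means a note rewritten in one folder counts once; the time
    window keeps an installer that drops license.txt into many folders over hours from tripping it.
    """
    by_key = defaultdict(list)
    for e in events:  # constructed dicts: host, ts (epoch seconds), path
        name = ntpath.basename(e["path"]).casefold()
        if ntpath.splitext(name)[1] not in NOTE_EXTENSIONS:
            continue
        folder = ntpath.dirname(ntpath.normpath(e["path"])).casefold()
        by_key[(e["host"], name)].append((e["ts"], folder))
    hits = {}
    for key, items in by_key.items():
        items.sort()
        lo = 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:  # slide the window's left edge
                lo += 1
            folders = {f for _, f in items[lo:hi + 1]}
            if len(folders) >= threshold:
                hits[key] = max(hits.get(key, 0), len(folders))
    return hits


def make_samples():
    """Constructed file-write telemetry: one ransomware-like burst and two benign patterns."""
    base, ev = 1_700_000_000, []
    for i in range(25):  # 25 folders touched in under a minute, plus a rewrite of the first note
        ev.append({"host": "WS01", "ts": base + 2 * i, "path": rf"C:\Users\alice\Documents\proj{i}\README_NOTE.txt"})
    ev.append({"host": "WS01", "ts": base + 3, "path": r"C:\Users\alice\Documents\proj0\README_NOTE.txt"})
    for i in range(30):  # installer leaving license.txt in 30 folders, one every 30 minutes
        ev.append({"host": "WS01", "ts": base + 1800 * i, "path": rf"C:\Program Files\Vendor\mod{i}\license.txt"})
    for i in range(40):  # many DLL writes: outside the note-extension set
        ev.append({"host": "WS02", "ts": base + i, "path": rf"C:\Program Files\Vendor\mod{i}\helper.dll"})
    return ev


if __name__ == "__main__":
    for (host, name), n in excessive_note_writes(make_samples()).items():
        print(f"{host}: {name} written into {n} folders")
```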
THREAT HUNTING IDEAS #6: LOOK FOR SUSPICIOUS BEHAVIORS INVOLVING LOLBINS
One of the biggest trends amongst adversaries these days is their growing use of so-called “living-off-the-land” binaries (or LOLBins). These allow actors to carry out activities using native Windows applications while avoiding detection by various security platforms. One example of this is using built-in utilities to delete volume shadow copies (or VSCs) in order to prevent restoration.
SHADOW COPIES DELETION USING OPERATING SYSTEMS UTILITIES
Volume Shadow Copy Service is a framework provided in Microsoft Windows operating systems to perform volume backups or to create consistent, point-in-time copies of data (known as shadow copies). Because of the features that Volume Shadow Copies provide, such as the ability to roll back to a specific point-in-time copy of an NTFS volume, the copies are often targeted by malware. Nearly every ransomware variant ensures the destruction of Volume Shadow Copy (VSC) backups so that the infected user cannot easily restore their encrypted files. Similarly, VSC backups have also been observed being targeted by wiper malware variants (such as the “Olympic Destroyer” malware, which targeted the 2018 Winter Olympics in PyeongChang, South Korea), as well as loader malware variants (such as the H1N1 Trojan Downloader).
Whether you are just starting out hunting or you are a seasoned and battle-hardened threat hunter, these threat hunting ideas will get you hunting. Don’t forget, if you want access to this hunting content, you can request an exclusive FREE account on the HUNTER threat hunting content platform today!