Threat Hunting Hypothesis Examples: Five Hunts to Start Out
Introduction
Structured threat hunting (often referred to as hypothesis-based hunting) remains one of the best ways that organizations can find previously undetected threats in their environment. It works so well because it structures the hunt around a central proposition, and at the end of the hunt, hunt teams can say, with a high degree of certainty, whether their organization has been impacted by an adversary, behavior, or technique. Despite this, hunters often struggle with divining a hypothesis and building a hunt around it. As a result, we’ve put together a list of the best starter threat hunting hypothesis examples that teams can put into practice right away.
What is a Hunting Hypothesis?
Before we dive into list though, first we need to answer the question “what is a threat hunting hypothesis?”
A hypothesis is a “…tentative assumption made in order to draw out and test its logical or empirical consequences.” Therefore a threat hunting hypothesis is fairly similar in that it is a proposition regarding a tactic, technique, or procedure, often derived from threat intelligence, security research, or an individual hunter’s experience or intuition, which is then tentatively assumed to be correct until a hunt can be carried out to either conclusively prove or disprove its validity.
While there is no set “format” for a threat hunting hypothesis to take, many hunters will try and keep a standard format for their hunts. As you go through the top 5 list, you can click on the button associated with the threat hunting hypothesis to see the hunt in HUNTER. If you don’t have a HUNTER account yet, get your free account here and use promocode ‘HUNTHYPOTHESIS.”
Threat Hunting Hypothesis #1 — Potential Maldoc Execution Chain
Level of Complexity: Easy
Hypothesis: Maldocs (Malware Documents) are malicious documents containing self-executing code or code that requires a user to grant permission or interact with the document before execution. Maldocs are mostly delivered to users via phishing emails. In many cases the user will be required to interact with the document prior to any code executing successfully. Once the document is opened and any required user interaction has been performed, malicious code will execute, such as PowerShell, cmd shell or similar scripting code to establish communication with the attacker’s infrastructure, download a payload or perform local actions such as persistence or sleep until a later time.
Threat Hunting Hypothesis #2 — PowerShell Encoded Command Execution
Level of Complexity: Easy
Hypothesis: Once a moderately skilled attacker has gained initial access to a system, they are likely to employ tools that reside on the system to carry out their attack, or to use as a means of ingress for other tools. This is because these native tools are less likely to be caught by traditional treat detection platforms, and their use is unlikely to raise much attention. This is especially true for tools such as PowerShell that enable an attacker to carry out a number of attacks. In an effort to further obfuscate their PowerShell activity, attackers will likely use the EncodedCommand function to encode commands and arguments and prevent simple string matching. Presence of the EncodedCommand PowerShell tool should be investigated.
Threat Hunting Hypothesis #3 — Attempted VBScript Stored in Non-Run CurrentVersion Registry Key Value
Level of Complexity: Medium
The Windows Registry is a database of settings used by Microsoft Windows system applications and core utilities. The registry of often abused by adversaries to either store configuration information, hide code, evade detection, inhibit system function, establish persistence among other reasons. The “CurrentVersion” registry key in either HKCU (Current User) or the HKLM (Local Machine) hives is one of the most abused registry keys, more specifically the Run key within CurrentVersion. Because of this the Run key is heavily scrutinized by detection and prevention tools. The targeted technique in this package utilizes only the CurrentVersion key to add the malware’s configuration information and potentially establish persistence. This is most likely due to the Run key’s heavy scrutiny by defense tools.
Threat Hunting Hypothesis #4 — Cobalt Strike Beacon Default C2 Structure
Level of Complexity: Medium
Cobalt Strike is a fully-featured and commercially available penetration testing tool offered by Washington, DC-based Strategic Cyber LLC. The tool is advertised for “Adversary Simulations and Red Team Operations” however its significant customization and capabilities have led to its use by a wide variety of threat actors for a variety of motivations. Adversaries employing Cobalt Strike will often use its Beacon component during the efforts to gain initial access. The beacon component, by default, uses a default command and control (C2) structure via DNS queries. Adversaries that are not highly familiar with Cobalt Strike may neglect to customize the C2 structure.
Threat Hunting Hypothesis #5 — LSASS Memory Dumping using WerFault.exe
Level of Complexity: Medium
Local Security Authority Subsystem Service (LSASS) is a process within Windows operating systems that is responsible for the enforcement of various security policies on a system, including verification of user logins. Once a user logs in to the system, it will generate and store credentials within the memory of the lsass.exe process. These credentials can be obtained by adversaries through various means, such as creating a memory dump of the process, which can then be used to perform lateral movement, privilege escalation, and various other attack methodologies.
Conclusion
Did you like these hypotheses? Get access to dozens more by signing up for a HUNTER account today. Get your free account here and use promocode ‘HUNTHYPOTHESIS.”