TOP 3 EASIEST THREAT HUNTS

EASY THREAT HUNT #1: SEARCHING FOR SUSPICIOUS CHILD PROCESSES

Phishing is one of the most commonly observed attack vectors. All too often these attacks leverage Microsoft Office documents with malicious macros embedded in them, because detection mechanisms usually fixate on filtering attached executables and other obvious red flags. The phishing lure persuades the user to open the document and enable macros, allowing the malicious code to run and carry out its nefarious ends. Because the macro executes inside the Office application, anything it launches appears as a child process of that application (the Word, Excel or PowerPoint process), and that parent-child relationship is what this hunt looks for.

EASY THREAT HUNT #2: LOOKING FOR DNS ENTROPY

Looking through DNS logs provides a ready-made way to identify potential command and control and/or data exfiltration activity over DNS. The easiest way to do this is to extract all requested domains from your infrastructure and start looking at their entropy.

WHAT IS ENTROPY?

In the English language certain combinations of letters and patterns occur very frequently. For example, TH and ST occur over and over again, while other combinations such as ZT or QC are far less common. Searching for domain name entropy is the art of searching for strings of text that don’t appear to be “natural.” A great starting point for finding anomalous entropy is to look for four or more sequential consonants.
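As an added example, not code from the original article, the following Python script applies both checks described above to a few constructed DNS log lines: it parses out the queried domain, computes the Shannon entropy of the left-most label, and flags labels containing four or more consecutive consonants. The log line format, the 3.5-bit entropy threshold and treating "y" as a vowel are assumptions made here for the example.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not from the article):
# "<timestamp> <client-ip> <query-type> <queried-domain>"
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 A mail.google.com
2024-01-01T10:00:03 10.0.0.7 TXT xkqzvtrp7f.badexample.test
2024-01-01T10:00:04 10.0.0.7 A cdn.jsdelivr.net
2024-01-01T10:00:05 10.0.0.9 A 4f3a9c1e8b2d7e6a5c0b.exfil-example.test
"""

# Four or more consecutive consonants; "y" is treated as a vowel here
# (assumption) to reduce false positives on ordinary English words.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")

def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character of the given string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def leftmost_label(domain: str) -> str:
    """Left-most DNS label, where tunnelled or generated data usually lands.
    Assumption: no public-suffix handling, just a plain split on dots."""
    return domain.lower().rstrip(".").split(".")[0]

def parse_domains(log_text: str) -> list:
    """Extract the queried domain (4th field) from each constructed log line."""
    return [parts[3] for parts in
            (line.split() for line in log_text.splitlines()) if len(parts) >= 4]

def hunt_dns(log_text: str, entropy_threshold: float = 3.5) -> list:
    """Return (domain, label, entropy, consonant_run) for every domain whose
    left-most label exceeds the entropy threshold or has a long consonant run.
    Either check alone can trigger, since they catch different encodings."""
    hits = []
    for domain in parse_domains(log_text):
        label = leftmost_label(domain)
        entropy = shannon_entropy(label)
        run = CONSONANT_RUN.search(label)
        if entropy >= entropy_threshold or run:
            hits.append((domain, label, round(entropy, 2), run.group(0) if run else None))
    return hits

if __name__ == "__main__":
    for hit in hunt_dns(SAMPLE_DNS_LOG):
        print(hit)
```

The hex-encoded label is caught only by the entropy check (no consonant run, because digits break it up), while the random-letter label is caught only by the consonant run (ten distinct characters give just 3.32 bits), which is why both checks are worth running together.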

EASY THREAT HUNT #3: SEEK OUT ANOMALOUS USER AGENTS

If an organization has the ability to look at HTTP metadata through a tool like Zeek (formerly known as Bro), there’s a lot of revealing information available for hunters. Some of the lowest-hanging fruit on this front can be picked from the HTTP headers, especially the user agent data. A user agent string typically identifies to a server which browser you are using and which plugins, at which versions, are installed. However, user agent strings are completely customizable and very easy to manipulate. A common trick malware developers use is to generate obviously, and sometimes not so obviously, false user agent strings.

Cyborg Security

Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.