Threat Hunting Toolset and Operational Security Considerations


Why Threat Hunt?

Hypothesis

Logs and Artifacts

Windows logs

Not Windows logs

  • Firewall logs;
  • Proxy logs;
  • IDS/IPS logs if you have them;
  • Syslog;
  • Netflow.

Artifacts

  • Browser history;
  • Registry hives;
  • Scheduled tasks;
  • Prefetch files (not always present on clients with SSD or on Windows Server);
  • Downloads;
  • Windows Event Logs (EVTX files) if you have no way to collect them with something like Windows Event Collection (WEC).

Tools

Elastic

Suricata

Thor Lite/Loki

Chainsaw

NfSen

PowerShell

What to hunt for?

  • Unidentifiable PowerShell usage;
  • Unexplainable Scheduled Tasks;
  • DNS domains that look out of the ordinary;
  • Divergent netflows;
  • Suspicious emails and/or attachments;
  • (Sysadmin) activity out of business hours;
  • Unexplainable created accounts or groups in Active Directory;
  • Commercial cloud software usage, such as OneDrive or Google Drive, which might not be allowed.
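The list above is really a set of hunting hypotheses. As an added example (not from the article, and not any of the tools it names), the Python below turns five of them into simple rules and runs them over a handful of constructed Windows Security events. The event IDs 4688 (process creation), 4698 (scheduled task created) and 4720 (user account created) are real Windows Security event IDs, but the flattened event shape, the user names, paths and base64 payload are constructed for the demo, and the 07:00-19:00 weekday window, the "admin" naming convention and the allowlist of known scripts are assumptions you would replace with your own environment's facts.

```python
"""Toy hunting rules over constructed Windows Security events.

Added example; the event layout below is an assumed post-parsing shape,
not the raw EVTX/XML layout.
"""
import re
from datetime import datetime

# Constructed sample events (assumption: already parsed into flat dicts).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "id": 4688, "user": r"CORP\alice",
     "cmd": "powershell.exe -NoP -W Hidden -EncodedCommand QQBCAEMA"},
    {"ts": "2024-03-04T10:05:00", "id": 4688, "user": r"CORP\bob",
     "cmd": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"ts": "2024-03-04T02:40:00", "id": 4698, "user": r"CORP\svc-admin",
     "task": r"\Microsoft\Windows\Updater",
     "cmd": r"cmd.exe /c C:\Users\Public\u.bat"},
    {"ts": "2024-03-04T02:42:00", "id": 4720, "user": r"CORP\svc-admin",
     "target": "helpdesk2"},
    {"ts": "2024-03-04T14:00:00", "id": 4720, "user": r"CORP\hr-admin",
     "target": "jdoe"},
]

# Switches and cmdlets that usually mean PowerShell was launched by tooling
# rather than typed by an administrator at a console.
POWERSHELL_MARKERS = re.compile(
    r"-(e|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden|-nop\b"
    r"|\biex\b|downloadstring|frombase64string",
    re.IGNORECASE,
)

# Scripts the team has identified and documented (assumed allowlist).
KNOWN_SCRIPTS = {r"C:\Scripts\backup.ps1"}

# Locations a normal user can write to; a scheduled task running from here
# deserves a second look.
USER_WRITABLE = re.compile(
    r"\\Users\\Public\\|\\AppData\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE
)


def in_business_hours(ts: str, start: int = 7, end: int = 19) -> bool:
    """True if the ISO timestamp falls on a weekday between start and end."""
    dt = datetime.fromisoformat(ts)
    return dt.weekday() < 5 and start <= dt.hour < end


def hunt(events, business_hours=(7, 19), known_scripts=KNOWN_SCRIPTS):
    """Return one finding per event that trips at least one hunting rule."""
    findings = []
    for ev in events:
        rules = []
        cmd = ev.get("cmd", "")
        lowered = cmd.lower()

        # Hypothesis: PowerShell usage we cannot attribute to a known task.
        if ev["id"] == 4688 and "powershell" in lowered:
            if POWERSHELL_MARKERS.search(cmd):
                rules.append("encoded_or_hidden_powershell")
            elif not any(s.lower() in lowered for s in known_scripts):
                rules.append("unidentified_powershell")

        # Hypothesis: scheduled tasks nobody can explain.
        if ev["id"] == 4698:
            rules.append("scheduled_task_created")
            if USER_WRITABLE.search(cmd):
                rules.append("task_runs_from_user_writable_path")

        # Hypothesis: accounts created in AD without a change record.
        if ev["id"] == 4720:
            rules.append("account_created")

        # Hypothesis: sysadmin activity outside business hours.
        if "admin" in ev["user"].lower() and not in_business_hours(
            ev["ts"], *business_hours
        ):
            rules.append("admin_activity_out_of_hours")

        if rules:
            findings.append({"ts": ev["ts"], "user": ev["user"], "rules": rules})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["ts"], f["user"], ", ".join(f["rules"]))
```

Each rule is deliberately a lead generator, not a verdict: the output is the list of events a hunter then explains away (a documented backup script, a change ticket for the new account) or escalates. In practice the allowlist and the business-hours window are the parts that carry the most local knowledge and need the most maintenance.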

OpSEC

Communication

Business hours

Gathering data

The hunting server

Conclusion


Founder// Hunter @ Chapter8.com
