Mastering Threat Hunting: Unveiling Cybersecurity’s Proactive Defense

Saidani Mohamed El Amine
5 min readJul 29, 2023

--

Welcome to Threat Hunting, where we delve into the world of proactive cybersecurity to detect and neutralize potential threats before they can cause harm. In this blog, we will explore the concept of threat hunting, its methodologies, and best practices, equipping you with the knowledge and skills to safeguard your digital assets effectively.

Attack-based Threat Hunting

you focus on seeking evidence that identifies specific attacks. So this ultimately requires that you know about an attack or the type of tactics, techniques, and procedures (TTPs) of potential attackers.

When we’re saying has_______happened on my network? The first question we can start with to build our hypothesis has a specific type of malware manifested on my network has there been a drive-by download has an administrator account been compromised?

Here’s the way how to structure your hunting, start with:

  • What am I looking for?
  • Where am I likely to find it?
  • How to use data to see it?

Here’s an example of how you can use it:

Question: Has credential theft happened on my network?

  • What am I looking for?
  • Evidence of credential dumping application execution: Never before seen, processes, process anomalies
  • Where am I likely to find it?
  • Windows process execution logs
  • How can I use data to see it?
  • Aggregation based on the Windows event ID 4688 by process name, sort for the least frequent.

Here’s the result

Attack Technique Source from which information about attack techniques can be obtained. These sources play a crucial role in understanding and countering cybersecurity threats.

  1. Mitre Att&ck
  2. Vendor research report
  3. Conferences
  4. White papers

Another point that I want to highlight is the difference between Signatures vs. Hunting a quick example I like to give to clarify the difference,

  • Signature: Detect when svch0st.exe executes.
  • Hunting: Detect when any weirdly named process executes.

Let’s have another use case to understand the process well!

Our theory is:

  • Have malicious accounts been created on my network?
  • A new local account created
  • User management tool executed
  • Unauthorized access to the system

What should you look for?

  1. Created not following naming conventions
    — Windows Event ID 4720 — Account Created
    — Search for all the created accounts
  2. Created with insecure properties
    — Windows Event ID 4738 — Account Changed
    — Search for all the account doesn’t match the standards
  3. Created and added to a privileged group
    — Windows Event ID 4732 Member Added to Group
    — Search for all group membership additions immediately following user account creation (EID 4720)
  4. Accounts created at unexpected source user activity times
    — Windows Event ID 4720 — Account Created
    — Windows Event ID 4624 — Logon / 4634 — Logoff
    — Search for all users that created new accounts
    — Standards deviation — Creating user activity times
    — Compare — User account creation to average activity times
  5. Local accounts created on domain members
    — Windows Event ID 4720 — Account Created
    — Search for all local user accounts across domain namine members
  6. Created by a user who’s never created one
    — Windows Event ID 4720 — Account Created
    — Aggregating user account creation event by the source user
  7. Created from a system where one has never been created
    — Windows Event ID 4720 — Account Created
    — Aggregating user account creation events by system

Data-Based Threat Hunting

Data-Based Threat Hunting focuses on considering possible attacks that might manifest in specific evidence sources, this technique requires a much greater understanding of different types of attacks and how they manifest.

Data-based Threat Hunting Process

We can start it like this: Does anything in __________ data look malicious?

  1. What fields are most likely to contain evidence of attacks?
  2. What would be anomalous in these fields?
  3. How can I manipulate those fields to spot anomalies?

Here’s an example to clarify the process: Does anything in HTTP proxy data look malicious?

  1. Q: What fields are most likely to contain evidence of attacks?
    — HTTP User Agent
  2. Q: What would be anomalous in these fields?
    — Rare user agents
  3. Q: How can I manipulate those fields to spot anomalies?
    — Perform frequency analysis on the User-Agent field and sort by the least frequent occurrence

A deeper understanding of data and the value it represents for finding evidence of attacks defines a skilled hunter versus a typical analyst

  • Have a clear understanding of what data sources are available in their environment
  • Possess a broad and diverse Knowledge of evidence data
  • Understand what attacks manifest in specific data sources
  • Capable of performing simulations to see how data sources represent behaviors

Know for understanding evidence data values you can ask these questions to help you:

  • Where does the data come from?
  • What behaviors will it represent?
  • What attack techniques manifest here?
  • What fields exist?
  • What other data sources can I pivot to from here?
  • Is it intentional evidence?
  • Does it exist in my environment?
  • Is coverage universal?
  • Are there any limitations on this source?

Let’s see an example of what we are talking about: Does anything in EID 4688(A New Process Has Been Created) logs look malicious?

  • Malicious binary execution
  • Malicious document opens
  • Malicious use of legitimate applications

Now, let’s start with our first question: What fields are most likely to contain evidence of attacks?

  • New Process Name: full name and path of the executable
  • Creator Process ID: Process that started this process
  • Account Name: the account context the process was run under
  • Timestamp: When the process executed

The second question is: What would be anomalous in EID 4688 fields?

  • Field: New Process Name
  • Generic non-descriptive process names
  • Attempts to mirror legitimate process names
  • Random character process names
  • Uncommon processes

The third question is: How to manipulate data to spot anomalies?

  • Search commonly exploited process
  • Aggregate child process by parent process
  • Search processes paths
  • Aggregate processes by path

Thank you for joining us on this journey into the world of Threat Hunting. If you have any questions or would like to share your thoughts, feel free to leave a comment below. Stay vigilant, stay secure, and until next time!

--

--

Saidani Mohamed El Amine
Saidani Mohamed El Amine

Written by Saidani Mohamed El Amine

Currently working as DevSecOps consultant with focus on security, monitoring, Big Data, and related topics.