THREAT HUNTING IN CYBERWORLD
AKASH SARODE
AKASH SARODE @AKKY2892
• Threat Hunter
• Security researcher
• Twitter – @Akky2892
• Blog – https://akkysanj.wordpress.com
• Github – https://github.com/akky2892
• Creator of NoMoreMalware and HuntIT.
• Author of multiple whitepapers – Machine Learning: Learning Cybersecurity; Threat Hunting – Hunter or Hunted; Analysis Using Analytics in Cybersecurity.
• Previous training – Machine Learning: The Future.
COURSE DESCRIPTION
• Introduction to Threat Hunting
• Threat Hunting Terminology
• Threat Intelligence and IOC
• Hunting Methodology
• Threat Hunting – Network and Endpoint Level
• Operationalizing & Automating Threat Hunting
• Use Case of Real-time Threat Hunting
• Research & Resources
• Further Study and Road Ahead
COURSE INDEX
1. Introduction to Threat Hunting
  • Threat hunting in Cyberworld
  • Why to perform threat hunting
2. Terminologies in hunting
3. Introducing Threat Intelligence
  • Threat Intelligence + Threat Hunting = Intelligent Hunting
  • Indicators of Compromise (IOC)
4. Threat Hunting methodology
  • Threat hunting process & Threat Hunting loop
  • Threat Hunting techniques
  • Pyramid of pain
  • Hunting Maturity model
5. Network hunting and Endpoint hunting
  • Hunting Webshells
  • Hunting malware
  • Network traffic hunting
6. Using MITRE ATT&CK framework
  • Sigma rules for threat hunting
7. Threat Hunting using SIEM
8. Examples of Threat hunting hunts
9. Real World Hunting Process
10. Machine Learning & Threat Hunting – Advanced hunting
11. Threat Hunting Resources
12. Conclusion
  • Red Teamer cyber kill chain vs Blue Teamer defense chain
INTRODUCTION TO THREAT HUNTING
• The process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.
• My definition – finding stuff.
• Threat hunting is not a technology but an approach.
• A data-driven approach rather than the traditional alert-driven approach.
• Applying our knowledge in an effective way to look for any anomalies in the environment.
• Two ways to perform hunting –
  • Manual
  • Automated/Machine-assisted
THREAT HUNTING IN CYBERWORLD
• In the cyberworld, attackers are getting more intelligent day by day.
• Modern-day attacks cannot be prevented or detected by the alerts generated from a SIEM alone.
• Need of the hour – a next-generation detection system.
• Hunting is not tool dependent, it is people dependent.
• Machine learning can help to a certain extent, but manual intervention in triage is always required.
• Instead of reacting to attacks, let's start proactively looking for threats before the attack happens.
WHY TO PERFORM THREAT HUNTING
• An alert-driven approach is not sufficient.
• A hypothesis-driven approach will be the future.
• Dependency on tools should be eradicated.
• Hunting can be performed with any tool.
• Benefit – continuous improvement in detection capabilities, finding unknown malicious activity.
TERMINOLOGIES IN THREAT HUNTING
• SIEM – Security Information & Event Management
• IOC – Indicators of Compromise
• TTP – Tactics, Techniques & Procedures
• IR – Incident Response
• EDR – Endpoint Detection and Response
• UEBA – User and Entity Behavior Analytics
• BIOC – Behavioral Indicators of Compromise
THREAT INTELLIGENCE
• Threat intelligence is received as feeds in the form of URLs, files, domains, etc.
• It can be used to perform intelligent hunting.
• IOCs of an attack/threat are published by various research companies.
• Sources –
  • articles,
  • security news,
  • new public APT reports,
  • Twitter
• BIOC – Behavioral Indicators of Compromise.
• Threat hunting is effective only with proper intel.
• The threat intel team proposes new intel, the CIRT team builds a hypothesis and creates detections based on the intel, and the threat hunting team hunts with or without intel.
• Various vendors and sources are in the market – Cisco Talos, Palo Alto Unit 42, Cylance, AlienVault OTX, MISP, YARA rules.
Threat Intelligence + Threat Hunting = Intelligent Hunting
THREAT HUNTING METHODOLOGY
• There are different methods to perform threat hunting.
• We will be explaining the following –
  • Threat Hunting process
  • Threat Hunting loop
  • Pyramid of pain
  • Hunting Maturity model
  • ATT&CK for hunts
  • Hunt or be Hunted
THREAT HUNTING PROCESS
• Ways of hunting –
  • Manual – the analyst continuously looks for anything that could be evidence or an indicator of intrusion.
    • It is important for the threat hunter to keep current on the latest security research.
  • Automated/Machine-assisted – the analyst uses software that leverages machine learning and UEBA to inform the analyst about potential risks.
    • It helps by providing predictive and prescriptive analytics.
• Hypothesis-driven approach
  • What is a hypothesis?
    • An assumption about attack behavior.
    • An actionable use case based on observations, intelligence, and experience.
  • Three types of hypotheses:
    • Analytics-Driven: "Machine-learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses" [5]
    • Situational-Awareness Driven: "Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends" [5]
    • Intelligence-Driven: "Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans" [
  • A hypothesis can be developed from any public APT report, Twitter, security news, articles, etc.
THREAT HUNTING PROCESS
THREAT HUNTING LOOP
THREAT HUNTING TECHNIQUES
• Searching – use of specialized queries that return results and artifacts.
• Clustering – a machine learning model that uses advanced AI search techniques to find correlations within vast arrays of data.
• Grouping – grouping related artifacts together to identify anomalies.
• Stack counting – stacking counts how many times each unique value of a column has occurred; for example the least commonly accessed file – rarity is suspicious.
PYRAMID OF PAIN
THREAT HUNTING MATURITY MODEL
Source : sqrrl TMM
MITRE ATT&CK FRAMEWORK
• MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
• It consists of TTPs – Tactics, Techniques and Procedures.
• MITRE has also come up with a project named CAR, the Cyber Analytics Repository.
• The MITRE team has listed the adversary behaviors and attack vectors carried out by an adversary on a victim machine.
• It uses TTPs (Tactics, Techniques and Procedures) and maps them to the Cyber Kill Chain.
MITRE ATT&CK FRAMEWORK
SIGMA RULES FOR THREAT HUNTING
• Sigma is a generic signature format for SIEM systems written by Florian Roth (@Neo23x0) and Thomas Patzke.
• Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner.
• Sigma is for log files what Snort is for network traffic and YARA is for files.
• Sigma rules contain a mapping of all ATT&CK techniques.
• For using Sigma for threat hunting in a SIEM, refer to the Sigma-to project: https://github.com/akky2892/Sigma-to
HUNTING WEBSHELLS
• A web shell is a script written in a language supported by the target web server, uploaded to enable remote access to the machine.
• Mostly written in PHP or ASP.
• Multiple attack techniques can be used to upload a webshell to a webserver – XSS, SQL injection, RFI, LFI & many more…
• Popular webshells – C99, R57, etc.
• Let's hunt it!
HUNTING WEBSHELLS - KEYWORDS
• First way of hunting webshells – look for references to suspicious keywords within files on the webserver, e.g. eval() or cmd.exe.
• For Linux –
  • Under the /var/www/html directory, we can search for any PHP files containing suspicious functions (-type takes a file type, the name pattern goes to -name; -print0/-0 keep paths with spaces intact):
    find . -type f -name '*.php' -print0 | xargs -0 egrep -l "(fsockopen|mail|exec|eval|system|base64_decode)"
• For Windows –
  • Use PowerShell to search in a similar way (Select-String exposes the matching file as $_.Filename):
    Get-ChildItem -Recurse -Include "*.php" | Select-String "(fsockopen|mail|exec|eval|system|base64_decode)" | ForEach-Object { $_.Filename } | Sort-Object -Unique
HUNTING WEBSHELLS - TOOLS
• Multiple tools can be used to hunt for webshells in your environment. These tools use IOCs and YARA rules to identify malicious files.
  • LOKI IOC Scanner
  • PHP-Malware-Finder
  • unPHP
  • Linux Malware Detect
  • Invoke-ExchangeWebShellHunter
  • etc…
• In addition to these techniques, we can also use baseline deviation and the file stacking technique to hunt for webshells.
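The three webshell hunts from these slides (keyword search, file stacking, baseline deviation) combined into one script, as an added example that is not part of the original deck. The web root and its PHP files are constructed in a temporary directory, the regex is the slides' keyword list anchored to a call site, and the deployment baseline is an assumed list of known-good paths.

```python
"""Webshell hunt over a PHP web root: keyword search, file stacking, baseline deviation.

Added example, not from the slides. Sample files are constructed in a temp
directory so the script runs offline; the baseline is an assumed allow-list.
"""
import tempfile
from collections import Counter
from pathlib import Path

# Same function names the slides grep for, anchored to a call site
# (name followed by "(") to cut noise from words like "system" in comments.
SUSPICIOUS_CALL = re_pattern = __import__("re").compile(
    r"\b(fsockopen|mail|exec|eval|system|base64_decode)\s*\(", __import__("re").IGNORECASE)


def scan_php_files(web_root):
    """Return {relative_path: sorted suspicious function names} for matching PHP files."""
    hits = {}
    for path in Path(web_root).rglob("*.php"):
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        names = sorted({m.group(1).lower() for m in SUSPICIOUS_CALL.finditer(text)})
        if names:
            hits[path.relative_to(web_root).as_posix()] = names
    return hits


def stack_file_names(web_root):
    """File stacking: count each PHP file name across the tree, rarest first.
    A name seen once while the rest of the tree is uniform deserves a look."""
    counts = Counter(p.name for p in Path(web_root).rglob("*.php"))
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def baseline_deviation(web_root, baseline):
    """Return PHP files present on disk that are not in the deployment baseline."""
    on_disk = {p.relative_to(web_root).as_posix() for p in Path(web_root).rglob("*.php")}
    return sorted(on_disk - set(baseline))


# Constructed sample web root. The flagged file only carries the keywords the
# hunt looks for; contact.php shows an expected (benign) mail() call.
SAMPLE_FILES = {
    "index.php": "<?php echo 'home'; ?>",
    "about.php": "<?php echo 'about'; ?>",
    "blog/index.php": "<?php echo 'blog'; ?>",
    "shop/index.php": "<?php echo 'shop'; ?>",
    "contact.php": "<?php /* contact form, mail() is expected here */ mail($to, $s, $b); ?>",
    "inc/db.php": "<?php $dsn = 'mysql:host=localhost'; ?>",
    "uploads/images/thumb.php": "<?php /* constructed marker */ eval(base64_decode($blob)); ?>",
}
BASELINE = ["index.php", "about.php", "blog/index.php", "shop/index.php",
            "contact.php", "inc/db.php"]


def build_sample_root():
    """Write the constructed files into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, body in SAMPLE_FILES.items():
        dest = Path(root, rel)
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(body)
    return root


def run_hunt(web_root, baseline):
    """Run all three checks; a file flagged by more than one is the top candidate."""
    hits = scan_php_files(web_root)
    new_files = baseline_deviation(web_root, baseline)
    score = Counter()
    for rel, names in hits.items():
        score[rel] += len(names)
    for rel in new_files:
        score[rel] += 1
    return {
        "keyword_hits": hits,
        "rare_names": stack_file_names(web_root),
        "not_in_baseline": new_files,
        "ranked": score.most_common(),
    }


if __name__ == "__main__":
    sample_root = build_sample_root()
    for key, value in run_hunt(sample_root, BASELINE).items():
        print(f"{key}: {value}")
```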
ENDPOINT HUNTING
• The endpoint is where malware behavior is most prevalent.
• Most post-exploitation techniques can be hunted using endpoint logs.
• File activity, registry activity and process activity can be used to hunt for any malicious behavior.
• Multiple attack techniques such as DLL injection, hook injection and fuzzy hashing can be hunted down using endpoint logs.
• MITRE ATT&CK is the best way to organize these efforts and use them to hunt for threats.
DLL HIJACKING
• A post-exploitation technique.
• Hunt by monitoring Windows API calls and monitoring Windows registry paths for any changes.
• VirtualAllocEx reserves or changes a region of memory in another process.
• WriteProcessMemory writes data to an area of memory in a specified process.
• CreateRemoteThread creates a thread in the address space of another process.
APPINIT DLLS
• PowerShell can run PowerSploit, which can be used for code injection.
• Monitor malicious DLL loads – AppInit DLLs: DLLs that are specified in the AppInit_DLLs value in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll.
NETWORK HUNTING
• Network traffic hunting requires network traffic logs.
• Multiple tools can be used to analyze suspicious network traffic.
• In addition to packet capture and the malicious traffic analysis features in next-generation firewalls, UTM and IDS/IPS, we also need to hunt for traffic which has bypassed these devices.
• Wireshark can be used.
• Let's look at a simple example:
NETWORK HUNTING – HTTPS TRAFFIC
Normal HTTPS               | Suspicious HTTPS
Port 443 or 8443           | Malware uses these ports as well.
Traffic is encrypted       | If the traffic is not encrypted and the Secure Sockets Layer packet details are empty, something is suspicious.
Web server in FQDN format  | Server will point to an IP address instead of an FQDN.
HTTPS is the secure version of HTTP – Secure Sockets Layer (SSL/TLS)
NETWORK HUNTING – HTTPS TRAFFIC
THREAT HUNTING USING SIEM
• Threat hunting is basically searching for something.
• We need to have proper and useful data to hunt for threats in the enterprise.
• SIEM – Security Information & Event Management – is one such tool which can prove useful in threat hunting.
• A SIEM collects logs from multiple devices across your enterprise network.
• In addition to threat intelligence feeds, a SIEM is very useful for querying the log database to identify any anomaly.
• Let's look at some use cases:
Source : elastic.co
Famous email Word/Excel macro attachments:
• Phishing email containing a .doc with a macro
• The macro contains a script to launch powershell.exe
• powershell.exe uses tools like Mimikatz for credential dumping, gaining hashes from memory.
• Hunt for which commands were executed using Mimikatz.
• Event Viewer logs in the SIEM can be useful to hunt for multiple threats.
• Sysmon can be used to collect endpoint-specific logs based on a defined configuration.
• Search queries are useful in identifying any malicious behavior inside the enterprise environment.
• In addition to threat intelligence and search queries, analytics using machine learning is used in SIEMs to automatically identify anomalies inside the environment.
• We will look at some examples of hunts to make this clear –
THREAT HUNTING HUNTS
Threat activity                  | Hunts to look out for
Hunting suspicious accounts      | Look for any unusual accounts logged into machines with admin rights – Event ID 4672 (Special privileges assigned to new logon)
Hunting scheduled tasks          | Event IDs 4698, 106, 200 & 201
Hunting Pass the Hash (PtH)      | Event ID 4624 with logon type 3, logon process NtLmSsp, key length 0
Hunting for service creation     | Event ID 4697
Hunting network shares           | Event ID 4776
Hunting for process masquerading | Look at the path from which a process is executing – for example, explorer.exe should run from C:\Windows\explorer.exe or C:\Windows\System32\explorer.exe
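The checks in this table written out as code and run over a handful of constructed Windows Security events, as an added example that is not part of the original deck. Field names follow the Security log's event data (EventID, LogonType, LogonProcessName, KeyLength, NewProcessName); the admin allow-list and the legitimate explorer.exe paths are assumptions taken from the table.

```python
"""Event-log hunts from the table, run over constructed Windows Security events.

Added example, not from the slides. KNOWN_ADMINS and EXPECTED_PATHS are
assumed allow-lists; the events below are constructed, not captured.
"""
from collections import defaultdict

# Constructed sample events: a mix of benign and suspicious records.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "alice", "LogonType": 2,
     "LogonProcessName": "User32", "KeyLength": 0},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "svc_backup", "LogonType": 3,
     "LogonProcessName": "Kerberos", "KeyLength": 0},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "Administrator", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "IpAddress": "10.0.0.23"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "bob", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "KeyLength": 128, "IpAddress": "10.0.0.9"},
    {"EventID": 4672, "Computer": "WS07", "SubjectUserName": "jdoe"},
    {"EventID": 4672, "Computer": "DC01", "SubjectUserName": "Administrator"},
    {"EventID": 4688, "Computer": "WS01", "NewProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "Computer": "WS07",
     "NewProcessName": r"C:\Users\jdoe\AppData\Local\Temp\explorer.exe"},
    {"EventID": 4697, "Computer": "WS07", "ServiceName": "UpdaterSvc"},
]

# Legitimate locations for explorer.exe, as listed in the table (lower-cased).
EXPECTED_PATHS = {
    "explorer.exe": {r"c:\windows\explorer.exe", r"c:\windows\system32\explorer.exe"},
}
# Accounts expected to receive special privileges (assumed allow-list).
KNOWN_ADMINS = {"administrator"}


def hunt_pass_the_hash(events):
    """4624 + logon type 3 + logon process NtLmSsp + key length 0: an NTLM network
    logon with no session key negotiated, the PtH pattern from the table."""
    return [e for e in events
            if e.get("EventID") == 4624 and e.get("LogonType") == 3
            and str(e.get("LogonProcessName", "")).lower() == "ntlmssp"
            and e.get("KeyLength") == 0]


def hunt_special_privileges(events, known_admins):
    """4672 for an account that is not on the admin allow-list."""
    return [e for e in events
            if e.get("EventID") == 4672
            and str(e.get("SubjectUserName", "")).lower() not in known_admins]


def hunt_masquerading(events, expected_paths):
    """4688 where a well-known image name runs from an unexpected directory."""
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        full = str(e.get("NewProcessName", "")).lower()
        name = full.rsplit("\\", 1)[-1]
        if name in expected_paths and full not in expected_paths[name]:
            hits.append(e)
    return hits


def hunt_service_creation(events):
    """4697: a new service was installed on the host."""
    return [e for e in events if e.get("EventID") == 4697]


def run_hunts(events):
    """Run every hunt and group findings by host, so a host that trips several
    hunts (WS07 in the sample) stands out for triage first."""
    findings = {
        "pass_the_hash": hunt_pass_the_hash(events),
        "special_privileges": hunt_special_privileges(events, KNOWN_ADMINS),
        "masquerading": hunt_masquerading(events, EXPECTED_PATHS),
        "service_creation": hunt_service_creation(events),
    }
    by_host = defaultdict(set)
    for hunt, hits in findings.items():
        for e in hits:
            by_host[e["Computer"]].add(hunt)
    return findings, {host: sorted(hunts) for host, hunts in by_host.items()}


if __name__ == "__main__":
    all_findings, hosts = run_hunts(SAMPLE_EVENTS)
    for hunt_name, hunt_hits in all_findings.items():
        print(hunt_name, [e["Computer"] for e in hunt_hits])
    print("hosts:", hosts)
```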
• PtH – look for remote logins associated with execution or writing of binaries.
• IFEO – changes to the path HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xyz.exe\Debugger
• rundll32.exe making connections to the internet.
• Deletion of shadow copies using wmic or vssadmin with *delete.
• Disabling system restore – registry write with key = HKLM\Software\Microsoft\Windows Nt\SystemRestore\DisableSR and value = 1
• Connections from a process other than a browser to suspicious domains like .tk, .onion, .tor2web etc.
• certutil.exe used to download files from the internet – certutil.exe -urlcache -split -f http://example/file.txt
• Monitor scheduled tasks – at and schtasks (Windows Task Scheduler) used to schedule scripts for execution.
• Double-extension malware
• control.exe used to execute a file stored in an ADS.
• gpscript.exe used to execute logon scripts.
• mavinject.exe used to execute or read ADS files.
• hh.exe – executing and downloading files
• scriptrunner.exe – execution
• regsvr32.exe – downloading a script from the internet
All are Windows-signed binaries, so endpoint protection will not tag them.
• Similar to the hunts discussed, there are many more techniques which can be used to hunt for threats.
• A collection of many such techniques is collated and presented by MITRE ATT&CK and Sigma rules.
• Hunting using a SIEM is the way ahead, but there are multiple SIEM vendors – RSA, Elasticsearch, ArcSight, QRadar etc.
• To make life easy, I have prepared a master sheet of threat hunting hunts mapping them to the respective SIEM vendors –
• Query it & Hunt IT – https://github.com/akky2892/Sigma-to/blob/master/Sigma-to.xlsx
REAL WORLD HUNTING PROCESS
What is threat hunting? The human-centric process of proactively searching for evidence of attacks. Anyone can threat hunt; experienced threat hunters have better models.
Threat hunting is the application of one or more models or frameworks to a problem. The easiest framework to start with is Attack Centric Hunting.
In Attack Centric Hunting (ACH), you focus on seeking evidence that identifies a specific attack. It is a 4-step process that starts with a question.
  1. Question – has an attack incident occurred on my network?
  2. What am I looking for?
  3. Where am I likely to find it?
  4. How can I manipulate the data to find it?
Example:
Question: Has credential theft happened on my network?
  1. What am I looking for?
     a) Evidence of credential dumping application execution.
     b) Never-before-seen processes, process anomalies.
  2. Where am I likely to find it?
     a) Windows process execution logs.
  3. How can I manipulate the data to see it?
     a) Aggregate EID 4688 by process name for all endpoints and sort by least frequent occurrence (LFO). (Event ID 4688 = process execution event ID.)
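Step 3 of the example carried out in code, as an added example that is not part of the original deck: a stack count of constructed EID 4688 records by process name across endpoints, sorted least frequent first. It goes one step beyond the slide by counting distinct hosts per process as well as executions, since a process that runs many times on a single host is still rare across the fleet.

```python
"""Least-frequent-occurrence (LFO) stack count of process creation events (EID 4688).

Added example, not from the slides. The input is a handful of constructed
4688 records (host, NewProcessName); in practice they come from the SIEM.
"""
from collections import Counter, defaultdict

# Constructed 4688 records. Most hosts run the same handful of images; one
# host runs an image never seen anywhere else.
SAMPLE_4688 = [
    ("WS01", r"C:\Windows\System32\svchost.exe"),
    ("WS01", r"C:\Windows\explorer.exe"),
    ("WS01", r"C:\Program Files\Office\WINWORD.EXE"),
    ("WS02", r"C:\Windows\System32\svchost.exe"),
    ("WS02", r"C:\Windows\explorer.exe"),
    ("WS02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("WS03", r"C:\Windows\System32\svchost.exe"),
    ("WS03", r"C:\Windows\explorer.exe"),
    ("WS03", r"C:\Program Files\Office\WINWORD.EXE"),
    ("WS03", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("WS03", r"C:\Users\Public\unknown_tool.exe"),
    ("WS04", r"C:\Windows\System32\svchost.exe"),
    ("WS04", r"C:\Windows\explorer.exe"),
]


def process_name(image_path):
    """Normalise to the image file name so the same binary stacks regardless of path or case."""
    return image_path.rsplit("\\", 1)[-1].lower()


def stack_by_process(records):
    """Return [(process, execution_count, host_count)] sorted least frequent first.

    host_count is the number of distinct endpoints that ran the process; a
    process seen on one host out of many is the LFO candidate to triage first."""
    execs = Counter()
    hosts = defaultdict(set)
    for host, image in records:
        name = process_name(image)
        execs[name] += 1
        hosts[name].add(host)
    rows = [(name, execs[name], len(hosts[name])) for name in execs]
    return sorted(rows, key=lambda r: (r[2], r[1], r[0]))


def rare_processes(records, max_hosts=1):
    """Processes seen on at most max_hosts endpoints, with the hosts that ran them."""
    hosts = defaultdict(set)
    for host, image in records:
        hosts[process_name(image)].add(host)
    return {name: sorted(h) for name, h in hosts.items() if len(h) <= max_hosts}


if __name__ == "__main__":
    for name, n_exec, n_hosts in stack_by_process(SAMPLE_4688):
        print(f"{n_hosts:>3} hosts {n_exec:>3} execs  {name}")
    print("rare:", rare_processes(SAMPLE_4688))
```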
MACHINE LEARNING & THREAT HUNTING - ADVANCED HUNTING
• Multiple SIEM vendors and security product solutions use machine learning or AI to assist threat hunting.
• Machine learning uses classification and association algorithms to identify and detect any kind of anomaly in the network.
• Network traffic spikes, unusual user account or computer account behavior, and any deviation from baselines can be identified by such techniques.
• Analytics is widely used in the modern world and has found its place in cybersecurity as well.
• Microsoft Defender, Microsoft ATA, QRadar SIEM, FireEye, etc.
MICROSOFT ATA
Source: Microsoft.com
THREAT HUNTING RESOURCES
• Threathunting.net
• MITRE ATT&CK – attack.mitre.org
• https://github.com/ThreatHuntingProject/ThreatHunting – David J Bianco
• https://github.com/VVard0g/ThreatHunter-Playbook – Roberto Rodriguez (@Cyb3rWard0g)
• https://blog.menasec.net
• https://github.com/akky2892/Cyber-Threat-Hunting
• Whitepapers, blogs and articles on threat hunting.
• Research work on Twitter – Oddvar Moe, Florian Roth, Roberto Rodriguez, Olaf Hartong, David J Bianco, sqrrl, Samir (@SBousseaden) & many more.
• SANS Threat Hunting Summit, DEF CON, ATT&CKcon, DerbyCon, Nullcon webinars/webcasts …
CONCLUSION
Red Teamer Cyber Kill Chain vs Blue Teamer Defense Chain: Identify, Prevent, Detect, Respond, Recover
Thank You & Hunt IT!