This is part five of the "Hunting with Splunk: The Basics" series. My first job out of college was at a defense contractor as a system administrator. In that year, I learned a lot about the platform and gained a lot of respect for what Microsoft products could do. As anyone who has Splunked a Windows machine knows, they are a bit…chatty. The good news is that not only can the universal forwarder bring in event logs, but by using Splunk Technology Add-ons, it can also collect Sysmon data, registry information and performance monitor data.
This flexibility provides an analyst looking to hunt with an array of options. This blog post will highlight some of the most valuable places to start hunting in your Windows logs. While not an exhaustive list, these tips will help your hypotheses building and provide a good starting point for hunting on your endpoints.
For instance, if a Windows PC is infected with malware or a virus, searching on this event code will show any processes that were created by that malware. From a hunting perspective, I could hypothesize that rare processes may contain malicious activity and, as such, I want to focus my hunt on them.
To do that, I can search Windows data in Splunk with something like: The search above returns newly created processes along with the Parent Process ID of the process that spawned them. Why is this information important? Every child process carries the Process ID of its parent as its Parent Process ID, so you can pivot from a suspicious process back to whatever launched it, and from a malicious parent to everything it spawned. This helps find the processes that the malware created and provides the information you need to clean up the infection. By identifying rare processes on your machines, you gain insight that you would not otherwise have.
I love hunting for this event and looking at anything that occurs within 2 minutes on either side of it. This event code is recorded when an account successfully logs on to a Windows environment. This information can be used to build a baseline of login times and locations per user, which lets Splunk users spot outliers from normal logon behavior that may indicate an intrusion or a compromised account. The event also records the different logon types—for instance, network or local.
Using this information, you can find outliers within your network, filtering by time or even by logon type.

As more companies move their IT operations from physical data centers to the cloud, SOCs need to develop new ways to analyze cloud operations and services for risks and threats. This LogicHub playbook conducts seven investigations in parallel to identify risks within the CloudTrail logs. By automating threat hunting in AWS CloudTrail logs with LogicHub you quickly and easily detect attackers and threats otherwise easily missed in the mountains of data.
SOC teams are able to improve their productivity and response times, while minimizing false positives and false negatives. LogicHub for GitHub is an automated threat detection solution that continually monitors your source code repositories for suspicious behavior and vulnerabilities to help protect your intellectual property. Installed without having to deploy agents and set up with just a few clicks, LogicHub immediately begins analyzing millions of GitHub log events to identify any malicious or unauthorized behavior.
It uses a sophisticated threat ranking engine to automatically prioritize potential threats and provides a high quality feed of security alerts. LogicHub is designed for teams of all sizes, is very cost effective, and scales easily to support very large deployments. LogicHub for Salesforce provides out-of-the-box threat detection. It continuously monitors your feed of Salesforce Audit events to detect any unusual behavior or pattern, and provides you with a high quality feed of relevant alerts.
When attacks deliver files and processes to a target, those files and processes often check in regularly with a remote Command and Control server, which delivers instructions and collects exfiltrated data. But those logs can be vast and the signs of attack subtle. The LogicHub playbook for web proxy threat hunting combines automated steps for data collection, data enrichment, threat analysis, and threat remediation in a fast, efficient, easy-to-customize format.
This particular use case does not make any changes to the environment that could cause potential outages or block legitimate business processes, but instead provides insight to help with those changes.
Our first two posts in this series focused on understanding the fundamentals of threat hunting and preparing your threat hunting program.
To make sure you have all of the resources necessary to hunt various types of threats, see our webinar, The Real World of Cyber Threat Hunting. For organizations on a budget, there are a multitude of great open source tools available for log capture and analysis, host and memory forensics, malware reverse engineering, and more. Check out my post on threat hunting operations on a budget for more, including configuration guides for Logstash and NXLog.
The following are three must-have tools for any threat hunting program:

- Logs: Threat hunters require data. At a bare minimum, having data logs to sift through is imperative.
- SIEM: A centralized security information and event management system can correlate all your log data better than humans alone. SIEM logs ease your ability to pivot from individual pieces of information to links and correlations that reveal the true threat.

Of course, having the right tools is only half the recipe for threat hunting success. Your analysts need to have a specific skillset to succeed as threat hunters. Here are, in my opinion, the four key skills any threat hunter should possess:

- Enterprise knowledge: contextual knowledge and awareness of your IT environment
- Hypothetical thinking: the ability to hypothesize threat attacks, source vectors, and organizational impact
- Statistics: the ability to interpret significance from statistical data
- Forensics: the ability to investigate the root cause and develop an attack timeline of events through network and endpoint forensics

With the right combination of these tools and skillsets, your team will be poised for productive threat hunting.

Stay tuned for my next post in this series covering the five stages of the threat hunting process, and check out our eBook for more threat hunting tips.
Related Blog Posts: Navigating the Five Stages of Threat Hunting. Tim Bandos. Shiva Kashalkar.

LogicHub is the leading security automation platform that offers security teams a powerful threat detection engine combined with a flexible workflow engine so that organizations can tailor automated security solutions to their exact needs. One of the many use cases that LogicHub customers benefit from is automating threat hunting in web proxy logs. Automated threat hunting of proxy logs with LogicHub is a powerful and easy start to your threat hunting campaigns, because it focuses the hunt on a smaller subset of important events.
The LogicHub Playbook for Web Proxy Threat Hunting combines automated steps for data collection, data enrichment, threat analysis, and threat remediation in a fast, efficient, easy-to-customize format. To reduce the volume of log entries deserving scrutiny, this playbook searches the data for specific data points: Once suspicious events are identified, the LogicHub playbook begins its analysis phase, identifying malware beacons and conducting additional analysis on the logs based on URLs.
To gain further insight into whether the traffic being processed is malicious or even potentially malicious, the playbook automatically collects and analyzes additional data points. In addition, the playbook uses a LogicHub operator to identify whether the domain has been seen in the last 30 days. Young domains and domains registered only for a year may indicate that an attacker has set up a domain for a temporary purpose: to attack.
As many attackers are financially motivated, keeping costs low is key. If any of these flags are hit, the playbook adds to the score used for prioritizing the final results of analysis. Lastly, the playbook aggregates a unique list of domain names after data has been filtered.
These URLs can be run through any number of third-party tools, such as VirusTotal, to further enrich the data. Using the results from the data enrichment phase, the LogicHub platform ranks events by risk, prioritizing them so that threat hunters can focus on the riskiest items in the proxy data.
Beaconing events that use young domains, for example, will be ranked higher than the events whose enrichment data is benign. Automating threat hunting in web proxy logs with LogicHub is powerful, easy, and invaluable for detecting malware and other threats that might otherwise be missed in a mountain of alert data.
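As an added example that is not LogicHub's code, the ranking logic described above in Python over a constructed set of proxy records: a beacon check on inter-request timing, a 30-day "seen before" check and a domain-age check feed an additive score, and the unique domain list is ranked by it. The weights, the 90-day "young" threshold and the enrichment data are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

NOW = datetime(2023, 10, 10, 12, 0, 0)
T0 = datetime(2023, 10, 10, 9, 0, 0)

# Constructed proxy records (timestamp, client, domain); not taken from the article.
# 10.0.0.8 contacts one domain every 300 s; 10.0.0.9 browses a news site at irregular times.
EVENTS = [(T0 + timedelta(seconds=300 * i), "10.0.0.8", "cdn-update.example") for i in range(6)]
EVENTS += [(T0 + timedelta(seconds=s), "10.0.0.9", "news.example") for s in (15, 410, 2950, 3001, 7200, 7212)]
EVENTS += [(T0 + timedelta(seconds=40), "10.0.0.8", "www.example.org")]

# Constructed enrichment: when the proxy first saw the domain, and its WHOIS registration date.
ENRICHMENT = {
    "cdn-update.example": {"first_seen": NOW - timedelta(days=2), "registered": NOW - timedelta(days=12)},
    "news.example": {"first_seen": NOW - timedelta(days=400), "registered": NOW - timedelta(days=3000)},
    "www.example.org": {"first_seen": NOW - timedelta(days=900), "registered": NOW - timedelta(days=5000)},
}

# Scoring weights are an assumption of this example, not LogicHub's values.
WEIGHTS = {"beaconing": 3, "new to proxy (30d)": 2, "young domain (<90d)": 2}

def is_beacon(timestamps, min_requests=4, max_cv=0.1):
    """Near-constant inter-arrival times (low coefficient of variation) suggest a beacon."""
    if len(timestamps) < min_requests:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv

def score_domains(events, enrichment, now):
    """Return [(domain, score, flags)] sorted riskiest first."""
    per_pair = defaultdict(list)          # (client, domain) -> request timestamps
    for ts, client, domain in events:
        per_pair[(client, domain)].append(ts)
    flags = defaultdict(set)
    for (_, domain), stamps in per_pair.items():
        if is_beacon(stamps):
            flags[domain].add("beaconing")
    domains = sorted({d for _, _, d in events})   # unique domain list after filtering
    for domain in domains:
        info = enrichment.get(domain, {})
        # A domain with no enrichment record defaults to "never seen" / "just registered".
        if info.get("first_seen", now) > now - timedelta(days=30):
            flags[domain].add("new to proxy (30d)")
        if info.get("registered", now) > now - timedelta(days=90):
            flags[domain].add("young domain (<90d)")
    ranked = [(d, sum(WEIGHTS[f] for f in flags[d]), sorted(flags[d])) for d in domains]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for domain, score, reasons in score_domains(EVENTS, ENRICHMENT, NOW):
        print(f"{score:>2}  {domain:<22} {', '.join(reasons)}")
```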
Using LogicHub, SOC teams are able to improve their productivity and response times, while minimizing false positives and false negatives.

While much of the focus of intrusion detection is on phishing messages and malware command and control channels, a sizable number of intrusions rely upon server-side compromises with the actor as the client.
One of the mainstay tools in a good actor's chest is the webshell. A webshell gives the actor what is essentially command line access to the web server through an executable script placed on the web server.
Actors often place these scripts on the web server themselves, either after lateral movement from other compromised hosts and user accounts, or after exploiting a Remote File Include or Local File Include vulnerability on the web server itself. Web Shells can be extremely simple, relying upon a small amount of code to execute. Detecting webshells can be done in many different ways. The most robust method is to establish a regular change-management policy for your web servers, and to monitor for any changes to servable content with a file integrity system such as Samhain or TripWire.
This method can result in a surprising number of false positives in web applications. This method seems simple at first. In practice, the actors tend to come from dynamically allocated IP addresses, or through pools of VPN hosts.
One specific APT actor group has a tendency to name their web shells with a combination of two extensions (examples: deaspx. Some actors place their web shells within already existing scripts; in these cases the following methods of web shell detection are still useful. Most of the programs designed to interact with web shells allow the actor to change the reported User-Agent.
Most of the time the actor does not. This method can be prone to false positives, but after learning what normal client behavior looks like on your web properties it becomes easy to notice the malicious activity. One of the simplest methods for searching for Web Shell activity is to look through web access logs for traffic that is missing a referer. The traffic from most Web Shell programs does not leave a referer behind. If your org has a strong monitoring system in place, searching for accessed URIs that have not been seen before is a good way to detect newly installed web shells.
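The referer and new-URI checks described here, together with the client-that-only-requests-one-script pattern, applied to constructed access-log lines in combined log format. This is an added example, not code from the original post; the sample log, the baseline URI set and the landing-page list are assumptions.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic (not from the article): one ordinary browser session, and one
# client that only ever touches a single script, always with no referer.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /css/site.css HTTP/1.1" 200 512 "http://www.example.com/index.html" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /js/app.js HTTP/1.1" 200 900 "http://www.example.com/index.html" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:14:02:11 +0000] "POST /uploads/img.php HTTP/1.1" 200 150 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [10/Oct/2023:14:02:40 +0000] "POST /uploads/img.php HTTP/1.1" 200 310 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [10/Oct/2023:14:03:05 +0000] "POST /uploads/img.php HTTP/1.1" 200 98 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

# Assumed baseline: URIs seen in earlier logs, and entry pages that legitimately lack a referer.
KNOWN_URIS = {"/index.html", "/css/site.css", "/js/app.js"}
LANDING_PAGES = {"/", "/index.html"}

def parse_log(text):
    """Parse combined-format lines into dicts, skipping lines that do not match."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def hunt_webshells(entries, known_uris, landing_pages=LANDING_PAGES):
    """Return {uri: sorted reasons} for URIs matching the web shell traffic heuristics."""
    requests = defaultdict(list)   # client ip -> every URI it requested
    findings = defaultdict(set)    # uri -> reasons it was flagged
    for e in entries:
        requests[e["ip"]].append(e["uri"])
        if e["referer"] == "-" and e["uri"] not in landing_pages:
            findings[e["uri"]].add("no referer")
        if e["uri"] not in known_uris:
            findings[e["uri"]].add("URI never seen before")
    # A client that repeatedly requests one script and nothing else (no pages, no assets).
    for ip, uris in requests.items():
        if len(uris) >= 2 and len(set(uris)) == 1:
            findings[uris[0]].add(f"client {ip} requested only this URI")
    return {uri: sorted(reasons) for uri, reasons in findings.items()}

if __name__ == "__main__":
    for uri, reasons in hunt_webshells(parse_log(SAMPLE_LOG), KNOWN_URIS).items():
        print(uri, "->", "; ".join(reasons))
```

Each heuristic alone produces false positives on real sites (bookmarked pages, API clients), which is why the hits are collected per URI so that a script matching several of them rises to the top.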
Other characteristics of typical attacker Web Shell traffic can be discovered through a daily analysis of web access logs. One characteristic of web shells that stands out is that the client host will often access the web shell script and ONLY the web shell script. This is extremely strange, as most URIs load additional content from the web server, and are usually browsed to via a linked page. Often the malicious actors will access the web shell script using only one or two client hosts per day.

Unusual behavior of information technology assets within an organization may be a hint that the organization is undergoing a cyberattack.
Threat-hunting teams will often assess the environment for commonly known and documented threats by implementing Indicators of Compromise (IOCs).
Finally, we will see how hunters can use IOCs to improve the detection of, and response to, malicious activities within the organization. These artifacts include items such as logs, configured services, cron jobs, patch states, user accounts and others. Locations of artifacts vary widely, which significantly increases the number of places where IOCs may be searched for or obtained. Because most malware communicates with external entities through the network, hunters will often scour that network for artifacts that could contain malicious content.
External monitoring servers may also be set up to aid in traffic monitoring. Hunters will also have various tools that perform:.
Hunters will also scour endpoints for various artifacts. The sources of these are numerous and often available. The Registry: Hunters are normally interested in the registry because most tools and malware interact and store configuration information within it. Hunters will mostly discover altered registry keys and values to enable automatic malware execution or disable the firewall and antivirus. The File System: Hunters often look for suspicious activities performed by malware within file systems, such as suspicious reading e.
Scouring the network and IT infrastructure by identifying IOCs allows hunters to detect attacks and act swiftly, thus preventing breaches from occurring. Threat-hunting departments thus limit damages by stopping attacks in early stages.
Some of the most common examples of IOCs include: IOCs, however, are not limited to the above. They then share this information to improve incident response and computer forensics among security communities and to standardize IOC documentation and reporting. Hunters must employ a variety of different techniques to hunt for threat agents. One of the simplest, most common methods is IOC searching.
IOC searching can be defined as the process of querying data for specific artifacts. In other words, hunters will get exactly the results they searched for, even if the search was not based on full information.
IOC searching is an art that requires the hunter to make finely tuned searches to reduce the chance of a result overload. An overly broad search will return too many results, preventing the hunter from performing a realistic assessment. As noted in a piece in the Digital Guardian, IOCs and IOAs differ in whether they focus on the attackers' activities while the attack is in progress.
Indicators of Compromise (IOCs) pertain to things in the past — think of them as clues about events that have already happened — while Indicators of Attack (IOAs) can help us understand the current situation, identifying the how and why of events that are taking place in the moment. Through the collection and monitoring of IOCs in real time, threat-hunting teams are often in a better position to detect security incidents that might have escaped detection by other security tools at the organization.
Afterwards, organizations can document these findings to share with other companies. This will help multiple threat-hunting teams with the aim of eventually automating the detection, prevention and reporting of security incidents.
The inclusion of IOCs within the threat-hunting process is one critical effort toward securing the organization against malware and cyberattacks.

Threat hunting requires proactively looking within the network and searching for anomalies that might indicate a breach. The vast amount of data that needs to be collected and analyzed means that it is a painstaking and time-consuming process, and the speed of this process can hamper its effectiveness. However, that can be greatly improved by the use of proper data collection and analysis methods.
As a threat hunter, you require adequate data in order to perform your hunt. Without the right data, you cannot hunt. Generally, data can be classified into three sections: Endpoint data comes from endpoint devices within the network. These devices can, for instance, be end-user devices such as mobile phones, laptops and desktop PCs, but may also cover hardware such as servers in a data center.
Definitions of what an endpoint actually is will significantly vary, but for the most part, it is what we have described above. You will be interested in collecting the following data from within endpoints:.
Network data comes from network devices such as firewalls, switches and routers, and from DNS and proxy servers. You will mostly be interested in collecting the following data from network devices: You want to be collecting the following data from security solutions: One of the most important parts of a threat-hunting process is having experienced personnel employ effective data collection and analysis methods.
This technique is used when you have a large data set and you group its data points into clusters based on specific characteristics. It is advisable to use this method when the data points you are working on do not share behavioral characteristics. Using this method, you will be able to find precise cumulative behaviors. You can, for example, find an unusual number of instances of a common occurrence using techniques such as outlier detection.
This technique is best used when you are hunting for artifacts that are unique yet similar. It takes these unique artifacts and identifies them by using specific criteria.
The specific criteria that are used to group data are determined by, for instance, events occurring within a certain time window. Specific items of interest are also taken and used as input. This is a technique in which hunters query data for specific artifacts, and it can be used in most tools. However, it is limited by the fact that hunters only get the results they searched for, making it quite difficult to find outliers in the search results.
The hunter is forced to make specific searches, since general searches would otherwise result in an overload of results. Care should be taken while performing searches, since a very narrow search might yield ineffective results.
This technique is used when investigating a hypothesis. The hunter counts the number of occurrences for specific value types while examining the outliers of the results. This technique is most effective as long as the hunter has thoughtfully filtered the input. Hunters can predict the volume of output if they properly understand the input. There are some things to note, though. When using stacking, you should count the number of command artifact executions.
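An added example (not from any of the posts collected on this page) of stack counting applied to the rare-process hunt from the Windows section earlier: constructed process-creation records are stacked by process name and by parent/child pair, with prevalence measured across hosts so that a value seen on a single machine stands out.

```python
from collections import Counter, defaultdict

# Constructed process-creation records (host, parent process, new process); not real telemetry.
RECORDS = [
    ("ws01", "explorer.exe", "outlook.exe"),
    ("ws01", "explorer.exe", "chrome.exe"),
    ("ws01", "services.exe", "svchost.exe"),
    ("ws02", "explorer.exe", "outlook.exe"),
    ("ws02", "explorer.exe", "chrome.exe"),
    ("ws02", "services.exe", "svchost.exe"),
    ("ws03", "explorer.exe", "outlook.exe"),
    ("ws03", "explorer.exe", "chrome.exe"),
    ("ws03", "services.exe", "svchost.exe"),
    ("ws03", "winword.exe", "powershell.exe"),   # only host where Word spawns a shell
    ("ws03", "powershell.exe", "svchosts.exe"),  # constructed look-alike name, seen once
]

def stack(records, key):
    """Stack-count: total occurrences and number of distinct hosts for each key value."""
    counts, hosts = Counter(), defaultdict(set)
    for rec in records:
        k = key(rec)
        counts[k] += 1
        hosts[k].add(rec[0])
    return {k: (counts[k], len(hosts[k])) for k in counts}

def outliers(stacked, max_hosts=1):
    """Values present on at most max_hosts hosts, rarest first (least-frequency analysis)."""
    rare = [k for k, (_, h) in stacked.items() if h <= max_hosts]
    return sorted(rare, key=lambda k: (stacked[k][1], stacked[k][0], str(k)))

# Stack by the created process name, and by parent/child pair so that a common binary
# launched by an unusual parent still surfaces.
by_process = stack(RECORDS, key=lambda r: r[2])
by_lineage = stack(RECORDS, key=lambda r: (r[1], r[2]))

if __name__ == "__main__":
    print("rare processes:", outliers(by_process))
    print("rare parent/child pairs:", outliers(by_lineage))
```

Stacking the raw count alone would hide a process that runs hundreds of times on one compromised host; the per-host prevalence is what isolates it from fleet-wide noise.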
Although the standard data collection and analysis methods described above are manual, threat hunters can also employ machine learning or data science-powered techniques, which involve building feedback frameworks for automated classification systems.