Behind the Scenes: The Daily Grind of a Threat Hunter
I recently shared a command on Twitter and asked folks whether they thought it looked fishy. I want to take this opportunity to walk you through the steps a threat hunter takes in day-to-day operations: formulating a hypothesis, developing a query, and conducting an investigation.
Below is the poll I shared on Twitter and the final results; the majority of respondents thought this activity was malicious.
The command: "cmd.exe" /d /c "C:\Users\<user>\AppData\Roaming\cmk.exe /d /c whoami"
In the comments, most people said that the command and its surrounding context could be malicious and warranted a closer look. Although I wrote up a detailed response on Twitter highlighting the steps I took to investigate this, I decided to document everything in a blog post so everyone could use it as a reference, since not everyone has a Twitter account.
My Investigative Process
In my case, it all started with a threat hunt for renamed Windows binaries executing from abnormal locations. My query looked for command-line interpreters and other commonly abused binaries running outside C:\Windows and the other default system directories. I also hypothesized that the binary would be renamed, so the on-disk process name would differ from the OriginalFilename recorded in the PE version information. The query looked something like the below:
Process_Name NOT IN (
'msiexec.exe',
'cmd.exe',
'regsvr32.exe',
'rundll32.exe',
'cscript.exe',
'mshta.exe',
'powershell.exe',
'msbuild.exe',
'python.exe'
)
AND Original_Filename IN(
'msiexec.exe',
'cmd.exe',
'regsvr32.exe',
'rundll32.exe',
'cscript.exe',
'mshta.exe',
'powershell.exe',
'msbuild.exe',
'python.exe'
)
AND (
PATH…
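To make the hunt logic concrete, here is an added example (mine, not the author's query or tooling) that applies the same hypothesis over a handful of constructed process-creation records shaped like Sysmon Event ID 1 fields: keep events whose OriginalFileName is on the watchlist but whose on-disk name differs, and whose image sits outside the default system directories. The PATH clause of the original query is truncated, so the system-directory pattern below is my assumption. The sample events are constructed, not real telemetry.

```python
"""
Hunt for renamed Windows binaries executing outside default system directories.

Added example, not the post's own query: it re-implements the hunt hypothesis
(Process_Name != Original_Filename, Original_Filename on a watchlist of
interpreters and LOLBins, image path outside the system directories) over
constructed process-creation records in the shape of Sysmon Event ID 1 fields.
"""
import ntpath
import re

# Binaries whose PE OriginalFilename we care about (the list from the post's query).
WATCHLIST = {
    "msiexec.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe", "cscript.exe",
    "mshta.exe", "powershell.exe", "msbuild.exe", "python.exe",
}

# Assumed definition of "default system directories". The post's PATH clause is
# truncated, so this pattern is my choice, not the author's.
SYSTEM_DIR_RE = re.compile(
    r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.IGNORECASE
)


def is_renamed_lolbin(event: dict) -> bool:
    """Return True when a process-creation event matches the hunt hypothesis."""
    image = event.get("Image", "")
    process_name = ntpath.basename(image).lower()
    # PE version info is not normalized: cmd.exe reports "Cmd.Exe", so a
    # case-sensitive comparison would silently miss the most common case.
    original = (event.get("OriginalFileName") or "").lower()
    if original not in WATCHLIST:
        return False  # not a binary this hunt cares about
    if process_name == original:
        return False  # same name on disk, so not renamed
    if SYSTEM_DIR_RE.match(image):
        return False  # running from a default location; out of scope for this hunt
    return True


def hunt(events):
    """Return the events worth a closer look, in input order."""
    return [e for e in events if is_renamed_lolbin(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # The case from the post: a copy of cmd.exe in AppData named cmk.exe.
        "Image": r"C:\Users\alice\AppData\Roaming\cmk.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r'"C:\Users\alice\AppData\Roaming\cmk.exe" /d /c whoami',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # Ordinary cmd.exe from System32: same name, default location.
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r'"cmd.exe" /d /c whoami',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Renamed binary in a user directory, but not on the watchlist: ignored.
        "Image": r"C:\Users\alice\AppData\Local\Temp\setup_helper.exe",
        "OriginalFileName": "helper.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\setup_helper.exe" /S',
        "ParentImage": r"C:\Users\alice\Downloads\installer.exe",
    },
    {   # python.exe renamed to update.exe in Downloads: flagged.
        "Image": r"C:\Users\bob\Downloads\update.exe",
        "OriginalFileName": "python.exe",
        "CommandLine": r'"C:\Users\bob\Downloads\update.exe" -c "import os"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # No version info at all (common for unsigned droppers): this rule
        # cannot say anything about it, which is a known blind spot.
        "Image": r"C:\Users\bob\Downloads\svc.exe",
        "OriginalFileName": "",
        "CommandLine": r'"C:\Users\bob\Downloads\svc.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["Image"], "<-", hit["OriginalFileName"], "|", hit["CommandLine"])
```

Two things the sample events are meant to show: the OriginalFileName comparison has to be case-insensitive, or a renamed cmd.exe ("Cmd.Exe") slips through; and an event with no version information at all is invisible to this particular hypothesis, so it needs a separate hunt rather than a tweak to this one.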