Threat Hunting Series: The Threat Hunting Process

Something I haven’t mentioned in the previous posts, and should say now, is that none of the information I am trying to communicate is new or revolutionary.

I used the resources I posted in “Threat Hunting Series: What Makes a Good Threat Hunter” to learn and then apply this knowledge to my day job. We all stand on the shoulders of giants, and Chris Sanders is one of them, from whom I learned a ton. Some of the concepts I will cover below are based on his methodology.

The threat hunting mental models

The threat hunting process

The threat hunting process in action

Attack Based Example

HKCU:\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords

(process.parent.executable:*\\WINWORD.EXE AND process.executable:(*\\cmd.exe OR *\\powershell.exe OR *\\rundll32.exe OR *\\regsvr32.exe OR *\\mshta.exe OR *\\certutil.exe OR *\\wscript.exe OR *\\cscript.exe))

source=*sysmon* EventCode=1 ((ParentImage="*\\WINWORD.EXE") AND (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe" OR Image="*\\mshta.exe" OR Image="*\\certutil.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe"))

Data-Based Example

source=*sysmon* EventCode=1 (Image="C:\\$Recycle.bin\\*" OR Image="C:\\ProgramData\\*" OR Image="C:\\Users\\Public\\*" OR Image="C:\\Users\\*\\AppData\\Local\\Temp\\*" OR Image="C:\\Users\\*\\AppData\\Roaming\\Temp\\*") | stats count by host Image
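To make both hunts concrete, here is an added Python example (not from the original post) that applies the same two filters to a handful of constructed Sysmon process-creation records: the attack-based filter for WINWORD.EXE spawning a scripting or LOLBin child, and the data-based filter for executions from user-writable staging directories, aggregated by host and image the way the `stats count by host Image` clause does. The hostnames, paths and events are constructed; `fnmatch` stands in for Splunk's `*` wildcard matching.

```python
import fnmatch
from collections import Counter

# Constructed Sysmon records (host, EventCode, ParentImage, Image); not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"C:\Windows\System32\cmd.exe"),
    ("WS01", 1, r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ("WS02", 1, r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\update.exe"),
    ("WS02", 1, r"C:\Windows\explorer.exe", r"C:\Users\Public\update.exe"),
    ("WS02", 1, r"C:\Windows\System32\services.exe", r"C:\ProgramData\agent\svc.exe"),
    ("WS03", 1, r"C:\Windows\explorer.exe", r"C:\Users\alice\AppData\Local\Temp\setup.exe"),
    ("WS03", 3, r"C:\Windows\explorer.exe", r"C:\Users\Public\ignored.exe"),  # EventCode 3: not process creation
]
SAMPLE_EVENTS = [dict(zip(("host", "EventCode", "ParentImage", "Image"), e)) for e in SAMPLE_EVENTS]

# Child processes from the attack-based query above.
OFFICE_CHILDREN = ["cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
                   "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe"]
# Staging directories from the data-based query above (Splunk-style wildcards).
SUSPICIOUS_DIRS = [r"C:\$Recycle.bin\*", r"C:\ProgramData\*", r"C:\Users\Public\*",
                   r"C:\Users\*\AppData\Local\Temp\*", r"C:\Users\*\AppData\Roaming\Temp\*"]


def _match(path, pattern):
    """Case-insensitive wildcard match; Splunk's * matches across path separators, as fnmatch does."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def office_child_hunt(events):
    """Attack-based hunt: WINWORD.EXE spawning a scripting or LOLBin child. Returns (host, Image) hits."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 1 or not _match(ev["ParentImage"], r"*\WINWORD.EXE"):
            continue
        if any(_match(ev["Image"], "*\\" + child) for child in OFFICE_CHILDREN):
            hits.append((ev["host"], ev["Image"]))
    return hits


def suspicious_path_hunt(events):
    """Data-based hunt: executions from user-writable paths, counted by (host, Image) like stats count."""
    counts = Counter()
    for ev in events:
        if ev.get("EventCode") == 1 and any(_match(ev["Image"], d) for d in SUSPICIOUS_DIRS):
            counts[(ev["host"], ev["Image"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in office_child_hunt(SAMPLE_EVENTS):
        print("WINWORD child:", *hit)
    for (host, image), n in sorted(suspicious_path_hunt(SAMPLE_EVENTS).items()):
        print(f"{n:>3}  {host}  {image}")
```

In a real hunt the counts feed the stacking step: images seen on one host once are the ones to pivot on, while a binary present on every host with the same hash is usually a deployed agent that can be baselined out.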

Conclusion
