One of the most common questions we hear in the industry asking is “how do I become a threat hunter?” This is because, unlike most other fields, there are few courses, certifications, or classes to teach true threat hunting. Instead, threat hunting is practice that often requires individuals to put aside the growing “cert culture” in cyber and get back to basics, teaching themselves. But just because you have to teach yourself doesn’t mean there aren’t excellent resources out there to help you along the way!
In our first instalment of this blog series, we covered some of the most common vulnerabilities and techniques threat hunters should be familiar with, and more importantly how you can hunt for them in your organizations. This time around, we are covering more sophisticated techniques that adversaries, from basic cyber criminals to advanced threat actors, use. Sit down, buckle up, and get ready for 3 MORE videos that will make you an even better threat hunter!
Downloading Files on MS Windows
https://www.youtube.com/watch?v=1yshdcf0AAU
While the Windows operating system, offers legitimate users several ways to download files, for an adversary it isn’t always so easy. This is because in the early stages of a compromise, the actor may only be limited to a basic shell offering simple tools. However, those malicious actors have developed a number of methods of “ingressing” tools into an environment and threat hunters need to know what to look for to identify suspicious download activity.
RDP Hijacking with Tscon.exe
https://www.youtube.com/watch?v=OBfmMvq-9v0
Actors of all skill levels are known to actively target RDP for a variety of reasons. It is therefore imperative that threat hunters are familiar with its normal (and abnormal) behaviors in an environment. In this video we dive into how actors can hijack inactive RDP sessions using the Living off the Land (LotL) binary Tscon.exe
User Account Control Bypass via Registry Modification
https://www.youtube.com/watch?v=U45hJN2dPgo
User Account Control (more commonly referred to as UAC) to many is often known as nothing more than that annoying pop up within Windows asking you to confirm what you are doing. However, to cyber adversaries is does pose a challenge. However, with some minor registry modifications, these actors can bypass UAC altogether. Join Lee Archinal as he explains how actors do it, and how hunters can look for it in their environment.
Conclusion
While the consensus is that cyber threat hunting is field that often demands self-study, that doesn’t mean that both those in, and those seeking to get into, the field can’t use a little helping hand. And if you want to keep up to date with the latest techniques, don’t forget to subscribe to our YouTube channel where we post regular “how-to” videos!
