├── .gitignore
├── README.md
├── TECHNIQUE TEMPLATE.md
└── hunts
    ├── analyze_producer_consumer_ratio.md
    ├── antivirus_logs.md
    ├── beacon_detection_via_intra_request_time_deltas.md
    ├── checking-how-outsiders-see-you.md
    ├── comparing_host_images_memory_dumps_to_known_good_baselines.md
    ├── critical_process_impersonation.md
    ├── dynamic_dns_c2.md
    ├── emet_log_mining.md
    ├── golden_ticket.md
    ├── http_uri_analysis.md
    ├── http_user_agent_analysis.md
    ├── internet_facing_http_request_analysis.md
    ├── lateral-movement-via-explicit-credentials.md
    ├── lateral-movement-windows-authentication-logs.md
    ├── lateral_movement_detection_via_process_monitoring.md
    ├── net_session_c2.md
    ├── ntfs_extended_attribute_analysis.md
    ├── privileged-group-tracking.md
    ├── psexec-windows-events.md
    ├── ram_dumping.md
    ├── rdp_external_access.md
    ├── renamed-tools.md
    ├── rogue_listeners.md
    ├── shimcache_amcache.md
    ├── suspicious_command_shells.md
    ├── suspicious_process_creation_via_windows_event_logs.md
    ├── webshell_behavior.md
    ├── webshells.md
    ├── whaling-detection-via-unusual-sender-domains.md
    ├── windows_autoruns_analysis.md
    ├── windows_driver_analysis.md
    ├── windows_prefetch_cache_analysis.md
    └── windows_service_analysis.md


/.gitignore:
--------------------------------------------------------------------------------
 1 | # Byte-compiled / optimized / DLL files
 2 | __pycache__/
 3 | *.py[cod]
 4 | *$py.class
 5 | 
 6 | # C extensions
 7 | *.so
 8 | 
 9 | # Distribution / packaging
10 | .Python
11 | env/
12 | build/
13 | develop-eggs/
14 | dist/
15 | downloads/
16 | eggs/
17 | .eggs/
18 | lib/
19 | lib64/
20 | parts/
21 | sdist/
22 | var/
23 | *.egg-info/
24 | .installed.cfg
25 | *.egg
26 | 
27 | # PyInstaller
28 | #  Usually these files are written by a python script from a template
29 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
30 | *.manifest
31 | *.spec
32 | 
33 | # Installer logs
34 | pip-log.txt
35 | pip-delete-this-directory.txt
36 | 
37 | # Unit test / coverage reports
38 | htmlcov/
39 | .tox/
40 | .coverage
41 | .coverage.*
42 | .cache
43 | nosetests.xml
44 | coverage.xml
45 | *,cover
46 | .hypothesis/
47 | 
48 | # Translations
49 | *.mo
50 | *.pot
51 | 
52 | # Django stuff:
53 | *.log
54 | 
55 | # Sphinx documentation
56 | docs/_build/
57 | 
58 | # PyBuilder
59 | target/
60 | 
61 | #Ipython Notebook
62 | .ipynb_checkpoints
63 | 
64 | *~
65 | _site
66 | Gemfile.lock
67 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # The ThreatHunting Project
 2 | An informational repo about hunting for adversaries in your IT environment.
 3 | 
 4 | Be sure to visit [ThreatHunting.net](http://threathunting.net) for more info about this repo.
 5 | 
 6 | ## License
 7 | Here's the deal, in plain English:
 8 | 
 9 | This repo is here for the community. You are free to use it for personal or commercial use provided you attribute it in some visible manner.  We suggest "Data provided by the ThreatHunting Project, https://github.com/ThreatHuntingProject/ThreatHunting" or something substantially similar.  Please do include the URL, though, to help more people find us.
10 | 
11 | 


--------------------------------------------------------------------------------
/TECHNIQUE TEMPLATE.md:
--------------------------------------------------------------------------------
 1 | #Technique
 2 | 
 3 | **Purpose**: 
 4 | 
 5 | **Data Required**: 
 6 | 
 7 | **Collection Considerations**: 
 8 | 
 9 | **Analysis Techniques**: 
10 | 
11 | **Description**
12 | 
13 | **Other Notes**
14 | 
15 | **More Info**
16 | 
17 | - [insert link here]()
18 | 


--------------------------------------------------------------------------------
/hunts/analyze_producer_consumer_ratio.md:
--------------------------------------------------------------------------------
 1 | #Producer-Consumer Ratio for Detecting Data Exfiltration
 2 | 
 3 | **Purpose**: Find changes in traffic flows that indicate exfil
 4 | 
 5 | **Data Required**: session data (argus, netflow/ipfix, or bro-logs)
 6 | 
 7 | **Collection Considerations**: 
 8 | 
 9 | **Analysis Techniques**: Identify changes in host roles, and investigate. PCR is
10 | a normalized metric of traffic ratios and from a host ranging from -1 to 1. 
11 | 
12 | |  PCR | host role |
13 | | ---: | --------- |
14 | |  1.0 | pure push - FTP upload, multicast, beaconing |
15 | |  0.4 | 70:30 export - Sending Email |
16 | |  0.0 | Balanced Exchange - NTP, ARP probe |
17 | | -0.5 | 3:1 import - HTTP Browsing |
18 | | -1.0 | pure pull - HTTP Download |
19 |     
20 | **Description**
21 | 
22 | The Producer-Consumer Ratio metric introduced at [FlowCON](http://qosient.com/argus/presentations/Argus.FloCon.2014.PCR.Presentation.pdf) by Carter Bullard and John Gerth is defined as:
23 | 
24 |           ( SrcApplicationBytes - DstApplicationBytes )
25 |     PCR = ---------------------------------------------
26 |           ( SrcApplicationBytes + DstApplicationBytes )
27 | 
28 | where:
29 | 
30 |     Application Bytes = (Total Bytes ⎼ Sum( L[2,3,4] Headers )) - Retrans Bytes
31 | 
32 | DNS is less noisy than HTTP for this metric, and is a possible exfil channel. A
33 | positive shift in PCR for DNS traffic may indicate DNS Exfil.
34 | 
35 | 
36 | **Other Notes**
37 | 
38 | 
39 | **More Info**
40 | 
41 | - [PCR - A New Flow Metric, FloCon 2014](http://qosient.com/argus/presentations/Argus.FloCon.2014.PCR.Presentation.pdf)
42 | - [Leveraging Metadata And Machine Learning To Enhance Intrusion Analysis](http://spotidoc.com/doc/367670/leveraging-metadata-and-machine-learning)
43 | - [Github: reservoirlabs/bro-producer-consumer-ratio](https://github.com/reservoirlabs/bro-producer-consumer-ratio)
44 | - [Detecting Data Staging & Exfil Using the Producer-Consumer Ratio](http://detect-respond.blogspot.com/2016/09/detecting-data-staging-exfil-using-PCR-shift.html)
45 | 


--------------------------------------------------------------------------------
/hunts/antivirus_logs.md:
--------------------------------------------------------------------------------
 1 | # Finding Known-Bad in Antivirus Logs
 2 | 
 3 | **Purpose**: Identify things that the AV system has found that you particularly care about
 4 | 
 5 | **Data Required**: Endpoint security logs (AV); List of "bad things" to look for.
 6 | 
 7 | **Collection Considerations**: 
 8 | 
 9 | **Analysis Techniques**: String matching
10 | 
11 | **Description**
12 | 
13 | If you collect all your endpoint security logs in one place, you can search them for specific strings that correspond to things you're particularly interested in finding.  In other words, things you may want to treat as _more important_ than normal alerts the endpoint security tool may already be creating.  
14 | 
15 | Examples of types of strings to look for:
16 | 
17 | * Known webshell filenames
18 | * Anything running under a system directory (%WINDOWS%, %RECYCLER%) or other unusual locations (the webroot)
19 | * AV "street names" you are concerned about
20 | * Packed executables (if this information is logged)
21 | * Known attacker tools (cred dumpers, scanners, etc)
22 | * Any detection with the string "dropper" in the name
23 | 
24 | **More Info**
25 | 
26 | * [Intrusion Hunting for the Masses - David Sharpe (HackMiami 2016)](https://www.youtube.com/watch?v=YLgycMCPo4c)
27 | * [Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations](https://digitalguardian.com/blog/seek-evil-and-ye-shall-find-guide-cyber-threat-hunting-operations), Tim Bandos, Digital Guardian
28 | 
29 | 
30 | 


--------------------------------------------------------------------------------
/hunts/beacon_detection_via_intra_request_time_deltas.md:
--------------------------------------------------------------------------------
 1 | #Beacon Detection via Intra-Request Time Deltas
 2 | 
 3 | **Purpose**: Find regular HTTP beaconing behavior which may indicate malware C2
 4 | 
 5 | **Data Required**: HTTP proxy logs
 6 | 
 7 | **Collection Considerations**: 
 8 | 
 9 | **Analysis Techniques**: Visualization (Bar graphs)
10 | 
11 | **Description**
12 | 
13 | Malware C2 often utilizes regular request intervals ("beacons") to maintain control with the attacker's infrastructure.  By examining the intra-request times between requests to the same resource by the same source IP and visualizing the results, you can look for patterns of regular activity.
14 | 
15 | **Other Notes**
16 | 
17 | 
18 | **More Info**
19 | 
20 | - [Detecting Malware Beacons Using Splunk](http://pleasefeedthegeek.wordpress.com/2012/12/20/detecting-malware-beacons-using-splunk/)
21 | 
22 | - [Tweet by @jackcr](https://twitter.com/jackcr/status/747786867093946368)
23 | 


--------------------------------------------------------------------------------
/hunts/checking-how-outsiders-see-you.md:
--------------------------------------------------------------------------------
 1 | #Checking How Outsiders See You
 2 | 
 3 | **Purpose**: Determine whether any of your web sites are serving malware by using third party opinions
 4 | 
 5 | **Data Required**: A list of your Internet-facing domain names and websites
 6 | 
 7 | **Collection Considerations**: You will need a Google Safebrowsing API key to query their service 
 8 | 
 9 | **Analysis Techniques**: None
10 | 
11 | **Description**
12 | Query the Google Safebrowsing database (or others) for their opinions on your own websites.
13 | 
14 | **Other Notes**
15 | 
16 | **More Info**
17 | 
18 | - [Threat Hunting for the Masses](https://www.youtube.com/watch?v=YLgycMCPo4c), David Sharpe, HackMiami 2016
19 | 
20 | 


--------------------------------------------------------------------------------
/hunts/comparing_host_images_memory_dumps_to_known_good_baselines.md:
--------------------------------------------------------------------------------
 1 | #Comparing Host Images/Memory Dumps to Known-Good Baselines
 2 | 
 3 | **Purpose**: Identify deviations from "known-good" which might tend to indicate the presence of malware on a system
 4 | 
 5 | **Data Required**: Memory dumps, Registry dumps, "known good" data
 6 | 
 7 | **Collection Considerations**: This works best when tracked over time rather than as a single comparison. Volatility plugins such as "stalker", "profiler", "regcomp" & "hunter" are useful
 8 | 
 9 | **Analysis Techniques**: 
10 | 
11 | **Description**
12 | 
13 | **Other Notes**
14 | 
15 | **More Info**
16 | 
17 | - [Every Step You Take](http://downloads.volatilityfoundation.org/omfw/2013/OMFW2013_Levy.pdf) (*video needed, if available*)
18 | - “Several Ways to Skin a Rat", Jamie "Gleeda” Levy (*Link needed*)
19 | 
20 | 


--------------------------------------------------------------------------------
/hunts/critical_process_impersonation.md:
--------------------------------------------------------------------------------
 1 | # Finding Malware Process Impersonation via String Distance
 2 | 
 3 | **Purpose**
 4 | 
 5 | Finds malware attempting to hide execution by running with names which are confusingly similar to legitimate system processes.
 6 | 
 7 | **Data Required**
 8 | 
 9 | Endpoint process creation data
10 | 
11 | **Collection Considerations**
12 | 
13 | None
14 | 
15 | **Analysis Techniques**
16 | 
17 | Scripting
18 | 
19 | **Description**
20 | 
21 | A popular technique for hiding malware running on Windows systems is to give it a name that's confusingly similar to a legitimate Windows process, preferably one that is always present on all systems. Using a _string similarity_ algorithm ([Damerau-Levenshtein](https://en.wikipedia.org/wiki/Damerau%E2%80%93Levenshtein_distance) distance), we can compare the names of running processes to a set of defined Windows system processes to look for this sort of impersonation.
22 | 
23 | **Other Notes**
24 | 
25 | None
26 | 
27 | **More Info**
28 | 
29 | - [Hunting for Malware Critical Process Impersonation](http://detect-respond.blogspot.com/2016/11/hunting-for-malware-critical-process.html)


--------------------------------------------------------------------------------
/hunts/dynamic_dns_c2.md:
--------------------------------------------------------------------------------
 1 | #C2 via Dynamic DNS 
 2 | 
 3 | **Purpose**: Identify potential C2 activity
 4 | 
 5 | **Data Required**
 6 | 
 7 | Outgoing logs that contain info about domains
 8 | visited by internal clients, such as DNS query or HTTP proxy logs.
 9 | 
10 | You will also need a list of dynamic DNS provider domain names.
11 | 
12 | **Collection Considerations**
13 | 
14 | None
15 | 
16 | **Analysis Techniques**
17 | Filtering, stack counting
18 | 
19 | **Description**
20 | 
21 | Isolate the log entries that contain domains hosted on dynamic DNS
22 | providers.  Look for sites visited by a low number of unique hosts (IP
23 | addresses). Utilize a lookup or feed of known dynamic DNS (DDNS) domains
24 | to query against data in a SIEM or log aggregator. 
25 | 
26 | **Other Notes**
27 | 
28 | In many business environments, _any_ access to a dynamic DNS provider
29 | may be at least somewhat suspicious.
30 | 
31 | **More Info**
32 | 
33 | - [Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations](https://digitalguardian.com/blog/seek-evil-and-ye-shall-find-guide-cyber-threat-hunting-operations), Tim Bandos, Digital Guardian
34 | - [www.malwaredomains.com Dynamic DNS domain list](http://mirror1.malwaredomains.com/files/dynamic_dns.txt), Malwaredomains.com
35 | 
36 | 


--------------------------------------------------------------------------------
/hunts/emet_log_mining.md:
--------------------------------------------------------------------------------
 1 | #EMET Log Mining
 2 | 
 3 | **Purpose**: Identify potential 0-day exploits by looking for things blocked by EMET
 4 | 
 5 | **Data Required**: Windows Application Event logs (which contain EMET logs)
 6 | 
 7 | **Collection Considerations**: 
 8 | 
 9 | **Analysis Techniques**: 
10 | 
11 | **Description**
12 | 
13 | Window's Enhanced Mitigation Experience Toolkit (EMET) is a set of technologies that monitor for and block certain conditions that commonly arise as the result of common exploit patterns.  It's commonly used on endpoints (but is also available on servers).  
14 | 
15 | The idea here is to examine the EMET logs to find things that it has blocked (processes it has killed before they could become dangerous).  These may be simple bugs in legit applications, or they could be indications of exploit attempts.
16 | 
17 | **Other Notes**
18 | 
19 | It's not clear what actual analysis techniques might be useful here yet, short of simply examining every EMET log individually. Need more research on this one.
20 | 
21 | **More Info**
22 | 
23 | * [Intrusion Hunting for the Masses](https://www.youtube.com/watch?v=YLgycMCPo4c),  David Sharpe (HackMiami 2016)
24 | 
25 | 
26 | 


--------------------------------------------------------------------------------
/hunts/golden_ticket.md:
--------------------------------------------------------------------------------
 1 | # Finding Golden and Silver Tickets
 2 | 
 3 | **Purpose**
 4 | 
 5 | Identify suspicious TGT (Golden) and TGS (Silver) tickets by comparing the MaxTicketAge from the domain policy to the difference in the StartTime and EndTime of the cached authentication ticket.
 6 | 
 7 | **Data Required**
 8 | 
 9 | Remote Access to collect susicious tickets OR  
10 | Schedule task to write possible bad tickets to application event log for log/SIEM review
11 | 
12 | **Collection Considerations**
13 | 
14 | Consider running local scripts and collecting the application event log rather than a scan to reduce noise
15 | See [here](https://github.com/spohara79/TGT---Golden-Silver-Ticket)
16 | 
17 | **Analysis Techniques**: 
18 | 
19 | Comparative time analysis of domain policy vs cached tickets
20 | 
21 | **Description**
22 | 
23 | * Retrieve the Kerberos MaxTicketAge from the GPO / Domain Policy
24 | * Use `klist.exe sessions` to view the cached sessions
25 |     * view the TGT or TGS tickets using `klist tgt -li <sessionid>` or `klist tickets -li <sessionid`
26 |         * Extract the EndTime and StartTime values
27 | * Subtract the EndTime from StartTime and compare that value against the configured MaxTicketAge
28 |     * The MaxTicketAge defaults to 10 hours, many TGT/TGS Golden/Silver Tickets are set for a period of years..
29 | 
30 | **Other Notes**    
31 | 
32 | From [ADSecurity](https://adsecurity.org/?p=1515)
33 | 
34 | ***SILVER TICKET DETECTION***    
35 | 
36 | Silver Ticket events may have one of these issues:  
37 | The Account Domain field is blank when it should be DOMAIN  
38 | The Account Domain field is DOMAIN FQDN when it should be DOMAIN.  
39 | Event ID: 4624 (Account Logon)  
40 | Account Domain is FQDN & should be short domain name  
41 | Account Domain:        LAB.ADSECURITY.ORG   [ADSECLAB]  
42 | Event ID: 4634 (Account Logoff)  
43 | Account Domain is blank & should be short domain name  
44 | Account Domain:        _______________   [ADSECLAB]  
45 | Event ID: 4672 (Admin Logon)  
46 | Account Domain is blank & should be short domain name  
47 | Account Domain:        _______________   [ADSECLAB]  
48 |  
49 | ***GOLDEN TICKET DETECTION***
50 | 
51 | Golden Ticket events may have one of these issues:  
52 | The Account Domain field is blank when it should be DOMAIN  
53 | The Account Domain field is DOMAIN FQDN when it should be DOMAIN.  
54 | Event ID: 4624 (Account Logon)  
55 | Account Domain is FQDN & should be short domain name  
56 | Account Domain:        LAB.ADSECURITY.ORG   [ADSECLAB]  
57 |    
58 | Event ID: 4672 (Admin Logon)  
59 | Account Domain is blank & should be short domain name  
60 | Account Domain:        _______________   [ADSECLAB]  
61 |   
62 | MS14-068 Exploit Ticket Detection   
63 | MS14-068 events may have one of these issues:  
64 | The Account Domain field is blank when it should be DOMAIN  
65 | The Account Domain field is DOMAIN FQDN when it should be DOMAIN.  
66 | Account Name is a different account from the Security ID.  
67 |   
68 | PYKEK Events  
69 | Event ID: 4624 (Account Logon)  
70 | The Account Domain field is DOMAIN FQDN when it should be DOMAIN.  
71 | Account Name is a different account from the Security ID  
72 |  Event ID: 4672 (Admin Logon)  
73 | The Account Domain field is DOMAIN FQDN when it should be DOMAIN.  
74 | Account Name is a different account from the Security ID  
75 | Event ID: 4768 (Kerberos TGS Request)  
76 | The Account Domain field is DOMAIN FQDN when it should be DOMAIN.  
77 |   
78 | KEKEO Events  
79 | Event ID: 4624 (Account Logon)  
80 | The Account Domain field is DOMAIN FQDN when it should be DOMAIN.  
81 |  
82 | Event ID: 4672 (Admin Logon)  
83 | Account Domain is blank & should be DOMAIN.  
84 |   
85 | Event ID: 4768 (Kerberos TGS Request)  
86 | The Account Domain field is DOMAIN FQDN when it should be DOMAIN.  
87 | 
88 | **More Info**
89 | 
90 | [Powershell Scripts for Golden and Silver Ticket Hunt](https://github.com/spohara79/TGT---Golden-Silver-Ticket)  
91 | [Detecting Golden and Silver Tickets - ADSecurity](https://adsecurity.org/?p=1515)
92 | 


--------------------------------------------------------------------------------
/hunts/http_uri_analysis.md:
--------------------------------------------------------------------------------
 1 | #Finding the Unknown with HTTP URIs
 2 | 
 3 | **Purpose**: Identify things signatures have not been created for in relation to network traffic behavior. 
 4 | 
 5 | **Data Required**: Proxy logs, IDS, web server logs
 6 | 
 7 | **Collection Considerations**: 
 8 | 
 9 | **Analysis Techniques**: Stack counting, String matching, tokenization, outlier detection, regex
10 | 
11 | **Description**
12 | 
13 | If you collect your proxy logs in a central location, similar to user agent analysis, you can perform queries against the URI to identify patterns of malicious and suspicious activity leaving the environment. Ingress monitoring (proxy or web server logs) is also key for monitoring attackers performing attempts against web servers using suspicious requests. Similar to creating IDS signatures for detecting suspicious behavior, can perform that against mass amounts of data quickly to identify potential export of identifiable information.
14 | 
15 | Examples of types of URI's to look for:
16 | 
17 | * OWASP Top 10
18 | * Credit card strings
19 | * Computer GUID
20 | * Username GUID
21 | * Base64 Encoded
22 | * Encoded with something
23 | 
24 | **More Info**
25 | 
26 | * [OWASP Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project), OWASP Project
27 | * [Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems](http://speed.cis.nctu.edu.tw/~ydlin/pdf/Evasion_Techniques_Sneaking_through_Your_Intrusion_Detection_Prevention_Systems.pdf), Tsung-Huan Cheng, Ying-Dar Lin, Senior Member, IEEE, Yuan-Cheng Lai, and Po-Ching Lin, Member, IEEE
28 | 


--------------------------------------------------------------------------------
/hunts/http_user_agent_analysis.md:
--------------------------------------------------------------------------------
 1 | #HTTP User-Agent Analysis
 2 | 
 3 | **Purpose**: Identify malware by analyzing the User-Agent strings they present
 4 | 
 5 | **Data Required**: HTTP proxy data; list of known-bad UAs (optional)
 6 | 
 7 | **Collection Considerations**: 
 8 | 
 9 | **Analysis Techniques**: Stack counting, String matching, tokenization, outlier detection
10 | 
11 | **Description**
12 | 
13 | * Stack the entire UA string and look for rare occurrences.  There may be a LOT of these, though. Every web plugin changes the UA string a bit, but that doesn't mean there's anything evil.
14 | * Consider more detailed analysis, including
15 |     * tokenizing the string and focusing on strings with the lowest number of tokens, most unique tokens, or some combination
16 |     * Looking for abnormally short or long strings
17 | * Look for list of known-bad UAs
18 | 
19 | **Other Notes**
20 | 
21 | Consider also doing this type of analysis for _incoming_ HTTP transactions (in server logs) to identify potential recon or attack activity.
22 | 
23 | * [Intrusion Hunting for the Masses](https://www.youtube.com/watch?v=YLgycMCPo4c), David Sharpe (HackMiami 2016)
24 | * [Threat Group 3390 Cyberespionage](http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/)
25 | * [Detecting Network Traffic from Metasploit's Meterpreter Reverse HTTP Module](http://blog.didierstevens.com/2015/05/11/detecting-network-traffic-from-metasploits-meterpreter-reverse-http-module/), Didier Stevens
26 | * [The User Agent Field: Analyzing and Detecting the
27 | Abnormal or Malicious in your Organization](https://www.sans.org/reading-room/whitepapers/malicious/user-agent-field-analyzing-detecting-abnormal-malicious-organization-33874), Darren Manners
28 | 
29 | 


--------------------------------------------------------------------------------
/hunts/internet_facing_http_request_analysis.md:
--------------------------------------------------------------------------------
 1 | #Internet-Facing HTTP Request Analysis
 2 | 
 3 | **Purpose**: Identify common patterns of HTTP-based attacks
 4 | 
 5 | **Data Required**: Internet-facing HTTP server logs
 6 | 
 7 | **Collection Considerations**: 
 8 | 
 9 | **Analysis Techniques**: Stack counting, Visualization, Outlier detection
10 | 
11 | **Description**
12 | 
13 | Stack server logs by (Src IP, HTTP server, URI) tuples and look for repeated requests for the same resource.  Large numbers of request could indicate:
14 | 
15 | * Attempts to create a working exploit for a supposed vulnerability
16 | * Attempts to use a web shell embedded in the web content directory
17 | 
18 | Using _a priori_ knowledge or by examining file extensions, Identify URI resources that are likely to contain calls to SQL (or similar) backend application layers.  For each unique URI, gather all the the values for the HTTP response sizes.  Using visualization or statistical outlier detection of the response sizes,
19 | 
20 | * identify those which are significantly larger than the others. These may be indicators of successful SQL injection (e.g., database dumps or other unusual information being sent via the HTTP responses).
21 | 
22 | **Other Notes**
23 | 
24 | Using the response sizes, also identify those which are significantly smaller than the others.  These may be indicators of injection errors that cause the app to exit prematurely and send less data than normal.  Or maybe those which are bigger, indicating success!  Regardless, repeated requests for the same resource probably would result in similar-sized responses, so significant variations would be interesting the look into.
25 | 
26 | 
27 | 


--------------------------------------------------------------------------------
/hunts/lateral-movement-via-explicit-credentials.md:
--------------------------------------------------------------------------------
 1 | # Windows Lateral Movement via Explicit Credentials
 2 | 
 3 | **Purpose**
 4 | 
 5 | Detect lateral movement in a Windows environment
 6 | 
 7 | **Data Required**
 8 | 
 9 | Windows event logs (ID 4648 or 552)
10 | 
11 | **Collection Considerations**
12 | 
13 | Check your domain audit policy to ensure that these events are being
14 | generated.  Also, they are typically generated only on the host on
15 | which the authentication occurs, so you need to collect from both
16 | servers and user endpoints for full visibility.
17 | 
18 | **Analysis Techniques**
19 | 
20 | whitelisting / filtering
21 | 
22 | **Description**
23 | 
24 | Examine event logs for instances of explicit credentials being used
25 | (as with the batch processes being spawned, users using the Runas
26 | command or via pass-the-hash attacks).  Whitelist recurring instances
27 | that are known to be authorized, and keep that whitelist up to date
28 | over time.  Investigate any instances of explicit credential
29 | authentication that may be left.
30 | 
31 | **Other Notes**
32 | 
33 | **More Info**
34 | 
35 | [Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations](https://digitalguardian.com/blog/seek-evil-and-ye-shall-find-guide-cyber-threat-hunting-operations), Tim Bandos, Digital Guardian
36 | 


--------------------------------------------------------------------------------
/hunts/lateral-movement-windows-authentication-logs.md:
--------------------------------------------------------------------------------
 1 | # Detecting Lateral Movement in Windows Event Logs
 2 | 
 3 | **Purpose**
 4 | 
 5 | To detect authentication-based lateral movement in Windows envrionments
 6 | 
 7 | **Data Required**
 8 | 
 9 | Windows Security logs, specifically:
10 | 
11 | * Successful Logon (ID 4624)
12 | * Failed Logon (ID 4625)
13 | * Kerberos Authentication (ID 4768)
14 | * Kerberos Service Ticket (ID 4776)
15 | * Assignment of Administrator Rights (ID 4672)
16 | * Unknown username or password (ID 529)
17 | * Account logon time restriction violation (ID 530)
18 | * Account currently disabled (ID 531)
19 | * User account has expired (ID 532)
20 | * User not allowed to logon to the computer (ID 533)
21 | * User has not been granted the requested logon type (ID 534)
22 | * The account's password has expired (ID 535)
23 | * The NetLogon component is not active (ID 536)
24 | * The logon attempt failed for other reasons (ID 537)
25 | * Account lockout (ID 539)
26 | 
27 | **Collection Considerations**
28 | 
29 | Not all of these events are enabled by default, so you may need to
30 | change your audit policy
31 | 
32 | **Analysis Techniques**
33 | 
34 | Stack counting, outlier detection, visualization
35 | 
36 | **Description**
37 | 
38 | Make note of administrative attempts, visualize this activity and look for deviations from baseline in the number of attempts, the accounts involved in the attempts or the computers on which the attempts occur.
39 | 
40 | Look for instances where multiple users are logged onto an end-user workstation simultaneously or within a relatively short period of time, where the same user account is logged onto more than one host, or where a network login references a non-domain account on the target system.
41 | 
42 | **Other Notes**
43 | 
44 | "Administrative" accounts includes any user with special rights, not necessarily only the Local or Domain "Administrator" accounts.
45 | 
46 | **More Info**
47 | 
48 | * [Detecting Lateral Movement in APTs: Analysis Approach on Windows Event Logs](https://www.first.org/resources/papers/conf2016/FIRST-2016-105.pdf), Shingo ABE, JPCERT/CC
49 | * [Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations](https://digitalguardian.com/blog/seek-evil-and-ye-shall-find-guide-cyber-threat-hunting-operations), Tim Bandos, Digital Guardian
50 | * [CAR-2013-02-008: Simultaneous Logons on a Host](https://car.mitre.org/wiki/CAR-2013-02-008), MITRE Cyber Analytic Repository
51 | * [CAR-2013-02-012: User Logged in to Multiple Hosts](https://car.mitre.org/wiki/CAR-2013-02-012), MITRE Cyber Analytic Repository
52 | * [CAR-2016-04-004: Successful Local Account Login](https://car.mitre.org/wiki/CAR-2016-04-004), MITRE Cyber Analytic Repository
53 | 
54 | 
55 | 
56 | 


--------------------------------------------------------------------------------
/hunts/lateral_movement_detection_via_process_monitoring.md:
--------------------------------------------------------------------------------
 1 | #Lateral Movement Detection via Process Monitoring
 2 | 
 3 | **Purpose**
 4 | 
 5 | Find threat actors moving laterally in the network by looking for examples of common techniques they use to orient themselves on new systems.
 6 | 
 7 | **Data Required**
 8 | 
 9 | Windows process creation logs (security event 4688) or other similar information (e.g., EDR logs)
10 | 
11 | **Collection Considerations**
12 | 
13 | The more endpoints and servers from which you collect process information, the more likely you are to be able to find threat actor activity.
14 | 
15 | **Analysis Techniques**
16 | 
17 | * Counting occurrences within a time window
18 | 
19 | **Description**
20 | 
21 | Several legitimate windows binaries executing within a specified time frame may indicate lateral movement.
22 | 
23 | As an adversary moves from machine to machine they will often want to know things like: who they are, what level of access do they have, what services are running on the machine, what other machines are around them… They will often determine this by using legitimate windows binaries.  When determining this information they will typically do this in minutes vs hours regardless if they are using a script or typing the commands on a command line.  Knowing this, we can use it to our advantage.  Again focusing on windows event logs and focusing on event codes 4688/592 try to identify the following:
24 | 
25 | * net.exe, ipconfig.exe, whoami.exe, nbtstat.exe...
26 | * Cluster x number of processes executing within a 10 minute time frame.
27 | 
28 | For the data that is returned:
29 | 
30 | * identify the parent process and if it’s legitimate?
31 | * What additional processes have executed on the machine within a 1 hour period and do any of those look suspicious?  If there are, are they owned by the same user?
32 | * Are these spawned by the same process or process name?
33 | * Are these processes all owned by the same user?
34 | * Is there previous history of this activity?"
35 | 
36 | **Other Notes**
37 | 
38 | **More Info**
39 | 
40 | * [Hunting Lateral Movement](https://findingbad.blogspot.com/2016/08/hunting-lateral-movement.html)
41 | * [CAR-2013-04-002: Quick execution of a series of suspicious commands](https://car.mitre.org/wiki/CAR-2013-04-002), MITRE Cyber Analytic Repository
42 | * [CAR-2016-03-001: Host Discovery Commands](https://car.mitre.org/wiki/CAR-2016-03-001), MITRE Cyber Analytic Repository
43 | 
44 | 


--------------------------------------------------------------------------------
/hunts/net_session_c2.md:
--------------------------------------------------------------------------------
 1 | #Finding C2 in Network Sessions
 2 | 
 3 | **Purpose**
 4 | 
 5 | Identify anomalous network sessions that may indicate command and control (C2) activity
 6 | 
 7 | **Data Required**
 8 | 
 9 | Network session data, including IP-to-IP metadata, port use, session length/duration
10 | 
11 | **Collection Considerations**
12 | 
13 | Data can be collected from a variety of systems, including firewalls, NSM sensors (Bro), and SiLK
14 | 
15 | **Analysis Techniques**
16 | 
17 | Stacking, baselining
18 | 
19 | **Description**
20 | 
21 | Identifying network sessions that may indicate C2 activity can be achieved in multiple ways. One of the simplest is to analyze specific types of data associated with network sessions. These include outbound IP-to-IP connections, destination IP address connectivity, destination port use, and session length.
22 | 
23 | Stacking is a relatively easy way to analyze the data described above. To do this, you want to isolate network data to outbound sessions that happen at the border of your network and stack the number of occurrences for each type or combination of data. For example, to stack IP-to-IP connections, isolate the data to outbound sessions and count the number of unique connections between the source IP (internal host) and the destination IP (external host); for destination port use, isolate the data and stack the number of occurrences of each destination port. In large networks, you may need to isolate the data to specific internal subnets or classes of hosts.  
24 | 
25 | C2 can appear anywhere in the stacked results, but as a start, it may be useful to investigate activity that appears at the top or bottom of the result set-- these top and bottom outliers represent anomalous data and may be C2. 
26 | 
27 | **More Info**
28 | 
29 | _None at this time._


--------------------------------------------------------------------------------
/hunts/ntfs_extended_attribute_analysis.md:
--------------------------------------------------------------------------------
 1 | #NTFS Extended Attribute Analysis
 2 | 
 3 | **Purpose**: Identify data hiding in extended attributes on files in an NTFS filesystem, which are otherwise rarely used.  
 4 | 
 5 | **Data Required**: NTFS Master File Table (MFT) data from a single host
 6 | 
 7 | **Collection Considerations**: Run `fget.exe` on each NTFS filesystem on a host to capture the raw data, then parse into records and fields with something like `analyzeMFT.py`
 8 | 
 9 | **Analysis Techniques**: Stack counting
10 | 
11 | **Description**
12 | 
13 | The MFT holds detailed metadata about files and directories on a file system.  There are many different attributes that are technically possible to attach to files and dirs, but in practice are never used.  The so-called "Extended Attributes" section is thought to be present for OS/2 compatibility, but no one ever used OS/2, so anything in the EA is pretty suspicious.  
14 | 
15 | Stack the data by full path and filename, "EA" an "EA Information" fields.  Look for:
16 | 
17 | * Rare values in the MFT "EA" or "EA Information" fields.  There may be some legitimate use of these in your environment, but hopefully these uses will have a high count.
18 |     * Anything in `/Windows/winsxs` or `/Windows/CSC` is probably legit
19 | 
20 | 
21 | **Other Notes**
22 | 
23 | **More Info**
24 | 
25 | - [Intrusion Hunting for the Masses](https://www.youtube.com/watch?v=YLgycMCPo4c), David Sharpe (HackMiami 2016)
26 | - [Extracting ZeroAccess from NTFS Extended Attributes](http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html), Corey Harrell
27 | - [Various articles on HMFT](http://www.hexacorn.com/blog/category/software-releases/hmft/), Hexacorn, Ltd.
28 | 
29 | 


--------------------------------------------------------------------------------
/hunts/privileged-group-tracking.md:
--------------------------------------------------------------------------------
 1 | #Privileged Group Tracking
 2 | 
 3 | **Purpose**
 4 | 
 5 | Detect potential privilege escalation attempts
 6 | 
 7 | **Data Required**
 8 | 
 9 | Windows event logs (ID 4728, 4732, 4756)
10 | 
11 | **Collection Considerations**
12 | 
13 | Event 4728 and 4756 are only logged on domain controllers.  Event 4732
14 | may be logged on either the domain controller or an individual
15 | computer, depending on whether the group is a domain or a local
16 | group. You should ideally collect ID 4732 events on all computers in
17 | the domain for full visibility.
18 | 
19 | **Analysis Techniques**
20 | 
21 | None
22 | 
23 | **Description**
24 | 
25 | Adding a non-privileged account to a privileged group is a common
26 | method for attackers to gain more access to a compromised system or
27 | domain.  In most environments, this operation is not common, so any
28 | occurrences of the listed event types should be investigated.
29 | 
30 | **Other Notes**
31 | 
32 | **More Info**
33 | 
34 | [Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations](https://digitalguardian.com/blog/seek-evil-and-ye-shall-find-guide-cyber-threat-hunting-operations), Tim Bandos, Digital Guardian
35 | 
36 | 
37 | 


--------------------------------------------------------------------------------
/hunts/psexec-windows-events.md:
--------------------------------------------------------------------------------
 1 | #Psexec Windows Events
 2 | 
 3 | **Purpose**: 
 4 | Find instances of psexec service (remote command execution) on Windows sytems by examining event logs pertaining to access control for remote shares.
 5 | 
 6 | **Data Required**: 
 7 | Windows Event Logs (ID 5145)
 8 | 
 9 | **Collection Considerations**: 
10 | None
11 | 
12 | **Analysis Techniques**: 
13 | Filtering
14 | 
15 | **Description**
16 | 
17 | Look for Windows Event ID 5145, _A network share object was checked to
18 | see whether client can be granted desired access_.  Filter for events
19 | where the share is `IPC$` and the service is `PSEXECSVC-*`.  Cross
20 | reference by examining the 5145 events for access to the `ADMIN$`
21 | share for tool/file copies and execution events.
22 | 
23 | **Other Notes** Psexec is one of the most common mechanisms for
24 | malicious lateral movement, but the tool is also occasionally used by
25 | legitimate system administrators.
26 | 
27 | Event 5145 may not be enabled by default, as it requires "Detailed
28 | File Auditing" (which can generate a *lot* of logs).
29 | 
30 | **More Info**
31 | 
32 | - [Tweet #1 by @jackcr](https://twitter.com/jackcr/status/733686717446656001)
33 | - [Tweet #2 by @jackcr](https://twitter.com/jackcr/status/743587901468979202)
34 | - [Tweet by @JPoForenso](https://twitter.com/JPoForenso/status/743663854601670656)
35 | 
36 | 


--------------------------------------------------------------------------------
/hunts/ram_dumping.md:
--------------------------------------------------------------------------------
 1 | #RAM Dumping
 2 | 
 3 | **Purpose**: Examine memory dumps of an individual system, looking for signs of malware or other malicious activities
 4 | 
 5 | **Data Required**: RAM dumps (typically HUGE)
 6 | 
 7 | **Collection Considerations**: Require a specialized tool (e.g., Volatility)
 8 | 
 9 | **Description**
10 | 
11 | RAM dumps of running systems can often contain lots of interesting information, such as lists of running processes, open ports, executable images and logged on users.  Using various tools, you can extract these types of information and potentially look for signs of malicious activities.
12 | 
13 | Checking for "known-bad" is one obvious application.  D. Sharpe suggests also looking for signs of BIOS or firmware implants (detecting tampering with the interrupt table and checking uppermost addresses of real-mode memory).  
14 | 
15 | **Other Notes**
16 | 
17 | Better description needed here.
18 | 
19 | **More Info**
20 | 
21 | * [Intrusion Hunting for the Masses](https://www.youtube.com/watch?v=YLgycMCPo4c), David Sharpe (HackMiami 2016)
22 | * "Art of Memory Forensics", Ligh, Case, Levy, Walters, Wiley Publishing, 2014 (page 75 addresses BIOS/firmware attacks)
23 | 
24 | 


--------------------------------------------------------------------------------
/hunts/rdp_external_access.md:
--------------------------------------------------------------------------------
 1 | #RDP External Access
 2 | 
 3 | **Purpose**: Identify abnormal incoming RDP requests 
 4 | 
 5 | **Data Required**: RDP connection / authorization logs that capture client IP address or client computer name. Data that contains client computer name is preferred over client IP address because it allows the analyst to identify individual clients connecting from the same node (e.g., a VPN node). Useful sources for this data are the Bro RDP analyzer and Windows Event IDs 4624 (Type 10) and 4778.
 6 | 
 7 | **Collection Considerations**: Bro requires a production NSM deployment, Windows events may be easier to collect for many organizations. 
 8 | 
 9 | **Analysis Techniques**: Stack counting, baselining / outlier detection
10 | 
11 | **Description**
12 | 
13 | Identifying abnormal incoming RDP requests has two primary goals: to identify compromised user credentials (e.g., an attacker may use compromised credentials to access the corporate VPN) or to identify internet-facing assets running the RDP service that are being illegitimately accessed. Identifying these requests requires a basic level of friendly intelligence-- at minimum, analysts should be able to identify incoming RDP connections that occur at the edge of the network and ideally, analysts should be able to differentiate artifacts related to legitimate users from foreign users. 
14 | 
15 | Baselining is the most effective technique for identifying abnormal requests-- specifically, baselining when a client computer accesses the network and the user credentials used by the client can be useful when identifying outliers. If a client accesses the network at an abnormal time or if user credentials are used on a client that has never been seen on the network, then they may be worth investigating. 
16 | 
17 | Stack counting can be effective if the analyst can easily identify anomalies in the data set. For example, if an analyst is familiar with the workstation naming convention used on their network, then they may be able to identify when an outside client accesses the network. Stack counting the client computer names for incoming requests is a good start to identifying this type of access. 
18 | 
19 | **More Info**
20 | 
21 | * [Hunting Through RDP Data - Josh Liburdi (BroCon 2015)](https://www.youtube.com/watch?v=mOV_9YMgYZw)
22 | * [CAR-2016-04-005: Remote Desktop Login](https://car.mitre.org/wiki/CAR-2016-04-005), MITRE Cyber Analytic Repository
23 | * [RDP Flowchart - 13CUbed](https://www.13cubed.com/downloads/rdp_flowchart.pdf)
24 | 


--------------------------------------------------------------------------------
/hunts/renamed-tools.md:
--------------------------------------------------------------------------------
 1 | # Tool Renaming
 2 | 
 3 | **Purpose**
 4 | 
 5 | Identify common tools that attackers routinely rename
 6 | 
 7 | **Data Required**
 8 | 
 9 | * HIPS or other related host monitoring solution that logs file metadata.
10 | * Process execution data (e.g., Sysmon, Carbon Black, etc) 
11 | 
12 | **Collection Considerations**
13 | 
14 | Collect from all endpoints and servers
15 | 
16 | **Analysis Techniques**: 
17 | 
18 | String matching, file hash analysis
19 | 
20 | **Description**
21 | 
22 | When an adversary gains access to your network they will often bring a set of tools in with them to facilitate lateral movement, credential theft and data exfiltration.  By analyzing the FileDescription metadata field of a PE file, it is possible to uncover files that have been renamed by an attacker.
23 | 
24 | * An example would be when an attacker renames the SysInternals tool PsExec.exe
25 | * Identify the FileDescription 'Execute Processes Remotely' where the filename does not equal PsExec.exe.
26 | 
27 | Identify common windows executable names or names that are 1-2 characters in length.  Also pay attention to files that reside in the ADMIN$ or IPC$ shares.
28 | 
29 | Look for executable files which have the same hash (MD5, SHA1) but different paths and/or filenames.  
30 | 
31 | Look for previously-unseen binaries that have arguments in common with other known tools (for example, any process with 'sekurlsa' in the command line is likely to be Mimikatz).
32 | 
33 | **More Info**
34 | 
35 | * [CAR-2013-05-009: Running executables with same hash and different names](https://car.mitre.org/wiki/CAR-2013-05-009), MITRE Cyber Analytic Repository
36 | * [CAR-2013-07-001: Suspicious Arguments](https://car.mitre.org/wiki/CAR-2013-07-001), MITRE Cyber Analytic Repository
37 | * [CAR-2013-07-005: Command Line Usage of Archiving Software](https://car.mitre.org/wiki/CAR-2013-07-005), MITRE Cyber Analytic Repository
38 | 
39 | 


--------------------------------------------------------------------------------
/hunts/rogue_listeners.md:
--------------------------------------------------------------------------------
 1 | #Search for Rogue Listeners
 2 | 
 3 | **Purpose**: Find malicious programs that are listening to network ports
 4 | 
 5 | **Data Required**: Netstat data (*netstat -nabo*) or equivalent from local host
 6 | 
 7 | **Collection Considerations**: Requires some sort of agent to collect this data on a regular basis
 8 | 
 9 | **Analysis Techniques**: Stack counting
10 | 
11 | **Description**
12 | 
13 | Extract src & dest host/port fields from all *netstat* data, as well as the full path name for the associated executable.  Look for:
14 | 
15 | * More than one process name bound to the same port on the same system (the ones with the smallest number of occurrences on each system are suspicious)
16 | * For all Internet-accessible servers, which ports show up only once (or just a few times)?
17 | * For all Internet-accessible servers, how many binaries show up only once (or just a few times)?
18 | * Track new listeners over time for each system, use this as a baseline to refine future hunts.
19 | 
20 | **More Info**
21 | 
22 | * [Intrusion Hunting for the Masses](https://www.youtube.com/watch?v=YLgycMCPo4c), David Sharpe (HackMiami 2016)
23 | 
24 | 
25 | 


--------------------------------------------------------------------------------
/hunts/shimcache_amcache.md:
--------------------------------------------------------------------------------
 1 | #Shimcache/Amcache
 2 | 
 3 | **Purpose**: Identify potential malware by finding "rare" binaries executed across endpoints.
 4 | 
 5 | **Data Required**: Windows Shimcache or Amcache entries
 6 | 
 7 | **Collection Considerations**: These are cache entries, not logs, so need to be collected directly from each endpoint, usually by an agent.
 8 | 
 9 | **Analysis Techniques**: Stack counting
10 | 
11 | **Description**
12 | 
13 | Shimcache/Amcache records basic info about the last several (max 1024) executables that ran.  If you collect this list frequently, you can use it to build a list of executable filenames and locations that run on each system.  Shimcache is the older implementation.  Starting with Windows 8 and Server 2012, it was replaced by Amcache.  The format is very different, since Amcache has lots more info it can provide, but the intent is the same.
14 | 
15 | Stack count the filenames and/or directory paths to find rare files executed, rare locations from which files are executed.  Assume rare files are more suspicious and investigate accordingly.
16 | 
17 | **More info**
18 | 
19 | - [Caching Out: The Value of Shimcache for Investigators](https://www.fireeye.com/blog/threat-research/2015/06/caching_out_the_val.html), FireEye
20 | - [Leveraging the Application Compatibility Cache in Forensic Investigations](https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf), Mandiant
21 | - [ShimCacheParser](https://github.com/mandiant/ShimCacheParser), Mandiant
22 | - [amcache.py](https://gist.github.com/williballenthin/ee512eacb672320f2df5#file-amcache_py_examples-md), Will Ballenthin
23 | - [Intrusion Hunting for the Masses](https://www.youtube.com/watch?v=YLgycMCPo4c), David Sharpe (HackMiami 2016)
24 | - [ShimShady: Live Investigations of the Application Compatibility Cache](https://www.fireeye.com/blog/threat-research/2015/10/shim_shady_live_inv.html), Fred House, Claudiu Teodorescu, Andrew Davis (FireEye)


--------------------------------------------------------------------------------
/hunts/suspicious_command_shells.md:
--------------------------------------------------------------------------------
 1 | # Identify Suspicious Command Shells
 2 | 
 3 | **Purpose**: To identify instances of running command shells which may indicate threat actor activity.
 4 | 
 5 | **Data Required**: Process execution data (Sysmon, Carbon Black, etc)
 6 | 
 7 | **Collection Considerations**: Collect from all systems in the domain
 8 | 
 9 | **Analysis Techniques**: Baselining, stack counting
10 | 
11 | **Description**
12 | 
13 | Look for instances of `cmd.exe` or `powershell.exe` where any of the following are true:
14 | 
15 | * The parent process does not normally spawn a command shell (e.g., `word.exe`)
16 | * The command shell executed `reg.exe` or other command not normally used by end-users
17 | * The command shell was launched by a running service or by `winlogon.exe`
18 | * The command shell was started by WinRM ("wsmprovhost.exe" started by "svchost.exe" may indicate remote PowerShell execution)
19 | 
20 | **Other Notes**
21 | 
22 | The same techniques may be useful when applied to more than just command shell binaries.  For example, you might want to search for any instance of a service launching `wmic.exe`.
23 | 
24 | **More Info**
25 | 
26 | * [CAR-2013-02-003: Processes Spawning cmd.exe](https://car.mitre.org/wiki/CAR-2013-02-003), MITRE Cyber Analytic Repository
27 | * [CAR-2013-03-001: Reg.exe called from Command Shell](https://car.mitre.org/wiki/CAR-2013-03-001), MITRE Cyber Analytic Repository
28 | * [CAR-2014-05-002: Services launching Cmd.exe](https://car.mitre.org/wiki/CAR-2014-05-002), MITRE Cyber Analytic Repository
29 | * [CAR-204-11-002: Outlier Parents of Cmd](https://car.mitre.org/wiki/CAR-2014-11-002), MITRE Cyber Analytic Repository
30 | * [CAR-2014-11-004: Remote PowerShell Sessions](https://car.mitre.org/wiki/CAR-2014-11-004), MITRE Cyber Analytic Repository
31 | * [CAR-2014-11-008: Command Launched from WinLogon](https://car.mitre.org/wiki/CAR-2014-11-008), MITRE Cyber Analytic Repository
32 | 
33 | 


--------------------------------------------------------------------------------
/hunts/suspicious_process_creation_via_windows_event_logs.md:
--------------------------------------------------------------------------------
 1 | #Suspicious Process Creation via Windows Event Logs
 2 | 
 3 | **Purpose**
 4 | 
 5 | Find attacker tools in use 
 6 | 
 7 | **Data Required**
 8 | 
 9 | Windows process creation logs (Event 4688 & 592) or equivalent (Carbon Black, Sysmon, etc)
10 | 
11 | **Collection Considerations**
12 | 
13 | Collect these from every host in the domain.  
14 | 
15 | **Analysis Techniques**
16 | 
17 | stack counting
18 | 
19 | **Description**
20 | 
21 | Search all process creation log entries and look for:
22 | 
23 | * `svchost.exe` processes that are not children of `services.exe`
24 | * Processes created by binaries in unsual locations, such as
25 | 	* `%windows%\fonts`
26 | 	* `%windows%\help`
27 | 	* `%windows%\wbem`
28 | 	* `%windows%\addins`
29 | 	* `%windows%\debut`
30 | 	* `%windows%\system32\tasks`
31 | 	* `*:\RECYCLER\`
32 | 	* `*:\SystemVolumeInformation\`
33 | 	* `%windir%\Tasks\`
34 | 	* `%systemroot%\debug\`
35 | 
36 | * Known attacker tool names, such as
37 | 	* `rar.exe`
38 |   	* `psexec.exe`
39 |   	* `whoami.exe`
40 | 
41 | * Processes that launched very few times during a 24 hour period
42 | 
43 | 
44 | The following are based on a set of tweets by Jack Crook (@jackcr):
45 | 
46 | "Attackers need to execute tools. Look at Windows Event ID's 4688/592. Stack and look for outliers. Group by execution time and user."
47 | 
48 | "Finding webshells: Look at process creations (4688/592) that are spawned from users that own webserver processes."
49 | 
50 | "One of my favorites is that knowing when attackers bring tools in with them they will likely not execute them very often in a 24hr time period. Looking at precess creations with a hard limit of executing x number of times in a day and ordering by by file path. Can start to weed out, either manually or automated, those processes that have been validated as legit"
51 | 
52 | **Other Notes**
53 | 
54 | Event 4688 is even more valuable if logging policy is set to record the entire command line (some of these suggestions require that info). Review your domain audit policies and/or supplement with additional process logging as necessary.  Sysmon is a very good free tool that can do nearly anything you'd need.
55 | 
56 | 
57 | 
58 | **More Info**
59 | 
60 | * [Tweet by @jackcr #1](https://twitter.com/jackcr/status/707215101007413248)
61 | * [Tweet by @jackcr #2](https://twitter.com/jackcr/status/707551910031728640)
62 | * [Tweet by @jackcr #3](https://twitter.com/jackcr/status/707247278118084608)
63 | * [Tweet by @jackcr #4](https://twitter.com/jackcr/status/707247524516651008)
64 | * [Tweet by @jackcr #5](https://twitter.com/jackcr/status/707247746462384129)
65 | * [Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations](https://digitalguardian.com/blog/seek-evil-and-ye-shall-find-guide-cyber-threat-hunting-operations), Tim Bandos, Digital Guardian
66 | * [CAR-2013-05-002: Suspicious Run Locations](https://car.mitre.org/wiki/CAR-2013-05-002), MITRE Cyber Analytic Repository
67 | * 
68 | 
69 | 


--------------------------------------------------------------------------------
/hunts/webshell_behavior.md:
--------------------------------------------------------------------------------
 1 | # Webshell Behavior
 2 | 
 3 | **Purpose**
 4 | 
 5 | Identify actions taken by attacker when a webshell is initially placed on a webserver
 6 | 
 7 | **Data Required**
 8 | 
 9 | Windows security event logs (4688/592 events), HIPS or other related host monitoring solution that provides audit information about process creation
10 | 
11 | **Collection Considerations**
12 | 
13 | Collect from all webservers
14 | 
15 | **Analysis Techniques**: 
16 | 
17 | Base analysis on bucket times and file / process ownership.
18 | 
19 | **Description**
20 | 
21 | "When a web server gets compromised there are some typical things that will likely occur (Though not in every case). 
22 | 
23 | * A new file will be placed on the web server with a web file extension and in a web accessible directory. 
24 | * Commands will be executed from the webshell. (cmd.exe, powershell.exe…) 
25 | * Additional tools will be uploaded to the web server. (Look for newly created files with extensions of .zip, .rar, .7z, .exe…)
26 | 
27 | Looking for at least 2 of these occurrences from the above in a 15 minute window can help identify suspicious behavior that may need investigating.  Multiple log sources may need to be incorporated for this, but the work in doing so can be well worth the effort."
28 | 
29 | **More Info**
30 | 
31 | * [My Thoughts on Threat Hunting](https://findingbad.blogspot.com/2016/07/my-thoughts-on-threat-hunting.html) (Jack Crook)
32 | 


--------------------------------------------------------------------------------
/hunts/webshells.md:
--------------------------------------------------------------------------------
 1 | # Finding Web Shells
 2 | 
 3 | **Purpose**
 4 | 
 5 | Identify web shells (stand-alone|injected)
 6 | 
 7 | **Data Required**
 8 | 
 9 | Web server logs (apache, IIS, etc.)
10 | 
11 | **Collection Considerations**
12 | 
13 | Collect from all webservers, and ensure that parameters are collected.  
14 | POST data should be collected.  
15 | 
16 | * For apache consider using `mod_security` or `mod_dumpio`
17 | * For IIS use [Failed Request Tracing / Custom Logging](http://serverfault.com/a/90965)
18 | 
19 | **Analysis Techniques**: 
20 | 
21 | Stack counting  
22 | String matching
23 | 
24 | **Description**
25 | 
26 | * Stack by page hits -- pages with few hits are a typical sign
27 |     * Add more fidelity by combining views from below (none if the above is giving higher fidelity, one, two or all):
28 |         * No referer from client
29 |         * Stack by unique visits per IP -- most only visit the webshell (no other page hits, no js, no images, etc.)
30 |             * this isn't true of injected webshells (where they are injected into an existing page)
31 |         * Stack by UA uniqueness.  This is not always rock solid, but good, because many webshells have client software that sets the UA and many don't change the default
32 | * Look for parameters passed to image files (e.g., `/bad.png?zz=ls`)
33 | * More specific to inject webshells that inject into an existing page:
34 |     * Stack by parameter counts per page -- webshells that create new params on an existing page 
35 |         * Again, you can look if referer is missing, UA uniqueness
36 | 
37 | **Other Notes**  
38 | Endpoint detection strategies:
39 | * Look for creation of processes whose parent is the webserver (e.g., apache, w3wp.exe); these will come from functions like:
40 |     * PHP functions like `exec()`, `shell_exec()`, etc.
41 |     * asp(.net) functions like `eval()`, `bind()`, etc.)
42 | * Looking for file additions or file changes (if you have a change management process and schedule to easily differentiate 'known good') -- (using something like inotify on linux (or FileSystemWatcher in .NET), to monitor the webroot folder(s) recursively)
43 | 
44 | 
45 | There are a few webshell hunt techniques located in other hunts:
46 | 
47 | * [Finding Known-Bad in Antivirus Logs](https://github.com/DavidJBianco/ThreatHunting/blob/master/hunts/antivirus_logs.md)
48 | * [Suspicious Process Creation via Windows Event Logs](https://github.com/DavidJBianco/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md)
49 | 
50 | It's important to realize that injected webshells may not be written to disk (e.g., SSJI, XSS, etc.)
51 | 
52 | **More Info**
53 | 
54 | None
55 | 


--------------------------------------------------------------------------------
/hunts/whaling-detection-via-unusual-sender-domains.md:
--------------------------------------------------------------------------------
 1 | # Whaling Detection via Unusual Sender Domains
 2 | 
 3 | **Purpose**: "Whaling" is a variant of spearphishing, where the recipients are chosen because they are executives or senior management within the company. One way to detect these attacks is to look for messages destined to executive mailboxes from senders in domains with which the organization typically does not interact.
 4 | 
 5 | **Data Required**: Email logs containing both sender and recipient addresses
 6 | 
 7 | **Collection Considerations**: Collect email logs consisting of both the external -> internal messages as well as the internal -> internal messages.
 8 | 
 9 | **Analysis Techniques**: filtering, comparing list membership
10 | 
11 | **Description**
12 | From the original source:
13 | 
14 | *To grasp this idea, we must establish parts of the sender and recipient email address. Using john.smith@contoso.com email address as an example, contoso.com would be the domain. And if the email was sent from john.smith@contoso.com to ashley.johnson@example.com then we would refer to contoso.com as the sender domain and example.com as the recipient domain.*
15 | 
16 | *Whaling Detection works by building a list of the sender domains sent to the high-profile employees and alerting on any emails when the sender domain is not found in these three sections:*
17 | 
18 | * Emails the high-profile employees composed themselves (recipient domain)
19 | * Emails sent to non-high-profile employees
20 | * Emails composed by non-high-profile employees (recipient domain)
21 | 
22 | **Other Notes**
23 | Psuedocode for a whaling rule, also from the original source:
24 | 
25 | *ALERT: Recipient=HPE & Sender NOT IN (HPE_Composed_Domains OR NonHPE_Composed_Domains OR Sender_Domains_To_NonHPE)*
26 | 
27 | **More Info**
28 | 
29 | - [Whaling Detection](https://tech.target.com/2019/06/07/Whaling-Detection.html)
30 | 


--------------------------------------------------------------------------------
/hunts/windows_autoruns_analysis.md:
--------------------------------------------------------------------------------
 1 | #Autoruns Analysis
 2 | 
 3 | **Purpose**: Find malware persistence by examining common mechanisms across a network
 4 | 
 5 | **Data Required**: List of programs configured to start at boot/logon time on each endpoint
 6 | 
 7 | **Collection Considerations**: MS Sysinternals' `autorunsc.exe` is the most common way to collect this from a host
 8 | 
 9 | **Analysis Techniques**: Stack counting, string matching, outlier detection
10 | 
11 | **Description**
12 | 
13 | Gather autoruns data from endpoints across the network and look for:
14 | 
15 | * Executable starting out of `c:programdata`, recycle bin, appdata area, `%temp%`
16 | * Unsigned executables
17 | * Shortest / longest filenames 
18 | * GUID filenames
19 | * Rare executable filenames or directories
20 | 
21 | 
22 | **More Info**
23 | 
24 | * [Intrusion Hunting for the Masses](https://www.youtube.com/watch?v=YLgycMCPo4c), David Sharpe (HackMiami 2016)
25 | * [CAR-2013-01-002: Autorun Differences](https://car.mitre.org/wiki/CAR-2013-01-002), MITRE Cyber Analytic Repository
26 | 


--------------------------------------------------------------------------------
/hunts/windows_driver_analysis.md:
--------------------------------------------------------------------------------
 1 | #Windows Driver Analysis
 2 | 
 3 | **Purpose**: Find malware running in Windows drivers across a network
 4 | 
 5 | **Data Required**: List of drivers loaded on each endpoint
 6 | 
 7 | **Collection Considerations**: Typically use the `driverquery` command on each host.
 8 | 
 9 | **Analysis Techniques**: Stack counting
10 | 
11 | **Description**
12 | 
13 | Examine driver entries for:
14 | 
15 | * Impossible, zeroed or garbage link dates
16 | * Stack each binary image and look for unusual link dates
17 | * Unusual filenames or locations of binaries
18 | * Rare descriptions
19 | * Incorrect descriptions (grammar, typos, punctuation, etc)
20 | * Rare display names
21 | * Missing, invalid or unusual digital signatures
22 | 
23 | **More Info**
24 | 
25 | * [Intrusion Hunting for the Masses](https://www.youtube.com/watch?v=YLgycMCPo4c), David Sharpe (HackMiami 2016)
26 | 
27 | 
28 | 
29 | 


--------------------------------------------------------------------------------
/hunts/windows_prefetch_cache_analysis.md:
--------------------------------------------------------------------------------
 1 | #Windows Prefetch Cache Analysis
 2 | 
 3 | **Purpose**: Identify malware or other suspicious executables that ran on a system.
 4 | 
 5 | **Data Required**: Windows prefetch cache data
 6 | 
 7 | **Collection Considerations**: Requires a special tool to convert binary file format to something we can consume (e.g., Nirsoft `WinPrefetchView`. Probably needs an agent.
 8 | 
 9 | **Analysis Techniques**: Stack counting, outlier detection
10 | 
11 | **Description**
12 | 
13 | Whenever any process executes on a Windows system, Windows writes an entry to the Prefetch cache.  This actually supports an internal mechanism that tries to keep frequently-used binaries quickly accessible to increase performance, but it's good for hunting because it records info about what commands were recently run. 
14 | 
15 | This capability is present on all Windows versions starting with XP, though it is not enabled by default on Windows Server, so mostly this will apply to user endpoints.  Also, for hardware reasons, it's usually disabled for systems with SSDs.  
16 | 
17 | From XP to Windows 7, the default limit was 128 files.  This was increased to 1024 starting with Windows 8.
18 | 
19 | Here's a sample prefetch record (format is tool-dependent, but they should all include the same info):
20 | 
21 | 
22 | 	Filename     : DLLHOST.EXE-61F58501.pf 
23 | 	Created Time     : 9/9/2015 6:15:41 PM 
24 | 	Modified Time     : 9/9/2015 6:15:41 PM
25 | 	File Size     : 5,726
26 | 	Process EXE     : DLLHOST.EXE
27 | 	Process Path     : C:WindowsSystem32dllhost.exe
28 | 	Run Counter     : 1
29 | 	Last Run Time     : 9/9/2015 6:15:08 PM
30 | 	Missing Process     : No 
31 | 
32 | 
33 | Stack the various fields and look for:
34 | 
35 | * Unusual filenames and process EXE values (be sure to ignore the "-61F58501.pf" part, which is not relevant)
36 | * Same names but with unusual create/modify times or file sizes
37 | * Known-bad filenames & locations
38 | * Unusual executable locations
39 | * Unusually short / long names in filename or process EXE fields
40 | 
41 | These are often suspicious, especially if the run count is very low (like 1).
42 | 
43 | Order commands on each host by run time and look for:
44 | 
45 | * Unusual combinations of commands (e.g., "net" followed closely by "ping", "at" or similar).
46 | 
47 | **Other Notes**
48 | 
49 | Order commands on each host by run time and look for:
50 | 
51 | * Commands run at unusual times for each host
52 | 
53 | **More Info**
54 | 
55 | * [Intrusion Hunting for the Masses](https://www.youtube.com/watch?v=YLgycMCPo4c), David Sharpe (HackMiami 2016)
56 | 
57 | 
58 | 


--------------------------------------------------------------------------------
/hunts/windows_service_analysis.md:
--------------------------------------------------------------------------------
 1 | #Windows Service Analysis
 2 | 
 3 | **Purpose**: Find suspicious Windows services running across a network
 4 | 
 5 | **Data Required**: Info about running services on endpoints; For `svchost` services, list of DLLs loaded inside
 6 | 
 7 | **Collection Considerations**: May need a host agent (e.g., MS Sysinternals `psservice.exe` and `listdlls.exe`) to collect this regularly.  Some Windows systems log service configuration, start & stop events, which might also be useful.
 8 | 
 9 | **Analysis Techniques**: Stack counting
10 | 
11 | **Description**
12 | 
13 | An example of the data returned by `psservice.exe` is:
14 | 
15 |   SERVICE_NAME: ALG  
16 |   DISPLAY_NAME: Applicaton Layer Gateway Service  
17 |   Provides support for 3rd party protocol plug-ins for Internet Connec+on Sharing
18 | 
19 |      TYPE : 10 WIN32_OWN_PROCESS
20 |      START_TYPE : 3 DEMAND_START
21 |      ERROR_CONTROL : 1 NORMAL
22 |      BINARY_PATH_NAME : C:WINDOWSSystem32alg.exe
23 |      LOAD_ORDER_GROUP :
24 |      TAG :0
25 |      DEPENDENCIES :
26 |      SERVICE_START_NAME: NT AUTHORITYLocalService
27 |      FAIL_RESET_PERIOD : 900 seconds
28 |      FAILURE_ACTIONS : Restart     DELAY: 120000 seconds
29 |          : Restart     DELAY: 300000 seconds
30 |          : None        DELAY: 0 seconds
31 | 
32 | An example of _listdlls_ output is:
33 | 
34 | 	svchost.exe pid: 620
35 | 	Com		mand line: C:WindowsSystem32svchost.exe -k WerSvcGroup
36 | 	Base       Size      Path
37 | 	0x70eb0000 0x1e000   c:windowssystem32wersvc.dll
38 | 	Verified: Invalid Signature
39 | 	Publisher: n/a  
40 | 	Description: n/a  
41 | 	Product: n/a Version: n/a File version: n/a
42 | 
43 | Look for 
44 | 
45 | * Rare `SERVICE_NAME` or `DISPLAY_NAME` values
46 |     * GUID service names
47 |     * Random service names
48 | * Blank fields which normally hold values
49 | * Unusual directories in the `BINARY_PATH_NAME`
50 | 
51 | For `svchost` services, list all DLLs loaded inside them (using `listdlls`) and look for:
52 | 
53 | * Rare DLLs and/or locations
54 | * Unsigned DLLs or those with invalid signatures
55 | 
56 | **More Info**
57 | 
58 | * [Intrusion Hunting for the Masses](https://www.youtube.com/watch?v=YLgycMCPo4c), David Sharpe (HackMiami 2016)
59 | 
60 | 
61 | 
62 | 


--------------------------------------------------------------------------------