Posted by MIKE ART REBULTAN at https://www.peerlyst.com/posts/threat-hunting-for-non-hunters-mike-art-rebultan-mit-ceh-ecsa.
Threat hunting is a proactive task that assumes your organization has already been breached, with the goal of beating the average “dwell time” of 256 days; at least that is how I see it as a DFIR practitioner. It is usually done with the help of tools that we call “arsenals”, mostly SIEM (security information and event management) and EDR (endpoint detection and response).
However, security is not just for the IT security folks who are paid to do this kind of “Blue Teaming” work (aka Incident Responders); it is everyone’s responsibility.
Humans are the weakest link in the security chain, so every end-user should have a basic understanding of how to find malicious activity and files on their workstation.
Malware, or malicious software, includes but is not limited to keyloggers, credential stealers, crypto miners, reverse shells, ransomware, botnets, and more.
This article aims to give non-security folks enough technical knowledge to hunt threats on their Windows systems, and to share it with family and friends, using tools that are freely downloadable from the Internet.
Hunting Persistent Threat with Autorun Programs
There are a great many places in the system where an adversary can plant malicious programs that run automatically at boot time without the end-user’s awareness.
Two tools from Microsoft’s Sysinternals Suite for Windows, “autorunsc.exe” (command-line) and “Autoruns.exe” (graphical user interface), show all autorun programs on your machine. The suite can be downloaded from the link below.
Download URL:
https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
Adding the parameter “hyphen h” (-h) to the autorunsc.exe command gives you the MD5 or SHA-256 hashes of each file, which you can check on VirusTotal (https://www.virustotal.com), an Open Source Intelligence (OSINT) website for malicious files and URLs.
Syntax:
autorunsc.exe -h
The output can also be redirected to a text file for reference and easy recording.
Syntax:
autorunsc.exe -h > autoruns.txt
“autorunsc.exe -help” lists more options to experiment with in the command-line tool on Windows.
Often the graphical version of Autoruns is preferable, as a simple right-click gives you the option to check a program on VirusTotal on the spot.
Threat Hunting Hidden Processes
Anti-Virus (AV) products, whether traditional or self-described “Next-Gen AV”, miss more than 70% of malware according to research, because they are still signature-based. Sophisticated malicious programs also run as hidden processes to evade AV detection.
The most common malware of this kind is the “rootkit”, a malicious program that runs in the system’s kernel or memory.
Below are useful tools that can be used against this persistent threat on anyone’s PC.
HIDDEN PROCESS FINDER from NoVirusThanks.
GMER is an awesome tool for detecting rogue processes; it can be downloaded here: http://www.gmer.net/
This is a PE (portable executable) tool similar to the Sysinternals Suite and the other tools mentioned here.
With the aid of procexp64.exe from the Sysinternals Suite (for 64-bit Windows systems), the tool was found spawning different DLLs and processes, which were also identified as malicious based on the Indicators of Compromise (IOCs) found on VirusTotal.
Threat Hunting Command & Control
Command & Control (C2 or C&C) is a server that gives directives to digital devices, commonly computers and smartphones, that have been infected with a rootkit or malware such as ransomware and other variants. These infected devices are called “bots” (short for robot) or, collectively, a “botnet”. Botnets are also used for sending spam and for Distributed Denial of Service (DDoS) attacks against a target.
Known C2 servers will most likely be detected by the firewall if it is enabled on a PC or company-provided workstation. The exception is a “zero day” attack, when the C2 server has not yet been identified by the EDR and firewall vendors.
This may sound a little technical, but it is good to know when needed, since the example tool used here is already included in Windows systems.
Open the command prompt (CMD) as administrator to run the tool called NETSTAT.
In the command prompt, type the command below with the parameters “ano” after a hyphen (-ano) to display all network connections with port numbers and process IDs. The parameter “f” is useful for showing the fully qualified domain name, or simply the website address, of established connections over the internet for quick identification.
Syntax:
netstat -ano
netstat -af
The tool will print a number of lines depending on how many tabs are open in your browsers while connected to the internet; the output will also include the connection to the C&C if the host machine is infected with malware or is part of a botnet.
This network threat hunting process may take a few minutes, as you need to go through the public IP addresses that are LISTENING and ESTABLISHED and check them against OSINT sources such as VirusTotal, OTX, and other websites that provide IOCs based on IPs.
If no IOC is found in the OSINT sources, a healthy paranoia is still needed: stop the running process using the PID (process ID) reported by NETSTAT. Open “TASK MANAGER” by pressing “CTRL+ALT+DELETE” at the same time, find the PID under the DETAILS tab, right-click it, and choose “END TASK”.
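The manual pass over the NETSTAT output described above can be scripted. The following is an added example, not part of the original article: it parses saved `netstat -ano` text and lists, per PID, only the remote addresses outside the local network that are worth an OSINT lookup. The sample output is constructed (remote addresses come from documentation ranges) and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed `netstat -ano` output; remote addresses are documentation ranges.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1040
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     3312
  TCP    192.168.1.10:49712     203.0.113.45:443       ESTABLISHED     5124
  TCP    192.168.1.10:49713     203.0.113.45:8443      ESTABLISHED     5124
  TCP    192.168.1.10:49720     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.10:49731     198.51.100.7:80        TIME_WAIT       0
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [fe80::1c2b%12]:49800  [2001:db8::5]:443      ESTABLISHED     7780
  UDP    0.0.0.0:5353           *:*                                    2308
"""

# Ranges treated as "inside" (home/office LAN); everything else is external.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_external(ip):
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast:
        return False
    return not any(ip.version == n.version and ip in n for n in INTERNAL)

def external_peers(netstat_text, states=("ESTABLISHED", "LISTENING")):
    """Return {pid: [(remote_ip, remote_port), ...]} for external TCP peers."""
    peers = defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        # Skip headers, UDP rows (no State column) and other TCP states.
        if len(f) != 5 or f[0] != "TCP" or f[3] not in states:
            continue
        host, _, port = f[2].rpartition(":")
        try:  # strip IPv6 brackets and any %zone suffix before parsing
            ip = ipaddress.ip_address(host.strip("[]").split("%")[0])
        except ValueError:
            continue
        # LISTENING rows show 0.0.0.0:0 or [::]:0 as peer, so they drop out here.
        if is_external(ip):
            peers[int(f[4])].add((str(ip), int(port)))
    return {pid: sorted(v) for pid, v in peers.items()}

if __name__ == "__main__":
    for pid, remotes in sorted(external_peers(SAMPLE).items()):
        print(f"PID {pid}: look up {remotes} on VirusTotal/OTX")
```

To use it on a real machine, save the output with `netstat -ano > netstat.txt` and pass the file's contents to `external_peers`; the PIDs it returns are the ones to find under the DETAILS tab.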
Threat Hunting Malware
Hunting malicious programs is different from running an Anti-Virus, as the malware does not need to be quarantined or removed immediately. Running an AV may alert the malware’s creator that the malicious program planted on the host machine has been found and deleted, warning the adversary that they have been detected.
“Triaging” an advanced persistent threat (APT) is crucial in hunting the threat actor and tracing their whereabouts.
A simple IOC scanner called LOKI is effective for this kind of detective work, role-playing as Sherlock Holmes.
This slick tool can be downloaded here: https://github.com/Neo23x0/Loki/releases
The tool reports the full path of both suspicious and malicious files based on IOCs that most AVs do not have yet. You can then delete the files manually or opt for further malware analysis, which is an interesting hobby.
Threat Hunting Rogue Wi-Fi
In my few speaking engagements, I always mention that “Free” is not always good, as it can be a conduit for Social Engineering attacks like Man-In-The-Middle (MITM) or eavesdropping techniques to steal sensitive information.
It is best to have a healthy paranoia and run tools like my example here to catch rogue access points (APs) in public.
A handy, user-friendly rogue AP killer called CHELLAM is very useful for staying safe in the wild, where the adversary is just one click away from baiting their targets, and one of them could be you or your family.
Conclusion
There are many tools available for download in the wild, and it is at everyone’s discretion which tool is effective for them. As mentioned in my other blogs, the mindset of a hunter is the most important thing, and it cannot be acquired from classroom training or a Ph.D. degree. Again, security is everybody’s responsibility, and either you are part of the solution or just another brick in the wall.