May 30, 2018
THREAT HUNTING FOR NON-HUNTERS
May 30, 2018
Threat hunting is a proactive task with an assumption that your organization has already been breached, and you wanted to beat the average “dwell time” of 256 days, at least for me as a DFIR practitioner. This is usually done with the help of different tools that we call “arsenals,” primarily SIEM (security information and event management) and EDR (endpoint detection and response).
However, security is not just for the IT security folks who are paid mainly to do this kind of “Blue Teaming” work (aka Incident Responders), but it is everyone’s responsibility.
The human is the weakest link among the security chain, so as an end user, anyone should have the basic understanding of how to find malicious activities and files within their workstations.
The malware or malicious software includes but is not limited to Keylogger, credential stealers, crypto miner, reverse shell, ransomware, botnets, and more.
This article aims to empower non-security folks to gain some technical knowledge on hunting threats from their Windows systems. It also empowers them to be able to share this knowledge with their families and friends, as well freely use available and downloadable tools from the Internet.
Hunting Persistent Threats with Autorun Programs
There are such huge places in the system where an adversary can plant his malicious programs and run automatically during boot time without an end user being aware of it.Tools from SysInternals Suite by Microsoft Windows, “autorunsc.exe” (command-line), and “Autoruns.exe” (graphical user interface) can help to see all Autorun programs on your machine and can be downloaded using the link below.
Adding the parameter “-h” to the command "autorunsc.exe" will give you the MD5 or SHA-256 hashes of the file to check on the Open Source Intelligence (OSInt) websites for malicious files and VirusTotal (https://www.virustotal.com).
The output can also be redirected to a text file for reference and easy recording.
autorunsc.exe -h > autoruns.txt
“autorunsc.exe –help” will give you more choices to play around with the command-line tool on Windows.
More often, the graphical version of the Autoruns would be preferable to others, as a simple right-click on the mouse will give you an option to check the program in VirusTotal on the spot.
Threat Hunting Hidden Processes
Anti-Virus (AV) programs, whether traditional or "Next-Gen AV,” miss more than 70% of malware according to research, and it is because they are still signature-based. Also, sophisticated malicious programs run as hidden processes to evade AV detections.
The most common of this kind of malware is “rootkit,” a malicious program that runs on the system’s kernel or memory.
Below are useful tools than can be utilized against this persistent threat on anyone’s PC.
Hidden Process Finder from NoVirusThanks.
GMER is an awesome tool in detecting rogue processes that can be downloaded here: http://www.gmer.net/
This is a PE (portable executable) tool similar to SysInternal Suites and other tools that are mentioned here.
With the aid of the tool from SysInternal Suite, procexp64.exe (for 64bit Windows system), the tool was found spawning different DLL’s and processes, which were also identified as malicious, based on the Indicators of Compromise (IOC) found from VirusTotal.
Threat Hunting Command & Control
Command & Control, also known as C2 or C&C, is a computer server that gives directives to digital devices, commonly computers and smart phones that have been infected with rootkits or malware, such as ransomware and other variants. These infected devices are called “bots” or “botnets,” short for robots. Botnets are also used for sending spam and Distributed Denial of Service (DDOS) attacks against the target.
Known C2 servers will most likely be detected by firewalls if they are enabled in a PC or company provided workstation. An exception is a “zero day” attack, in which the C2 server is not yet identified by the EDR and firewall companies.
This may sound a little technical, but it is good to know when needed, since the tool of the example that will be used here is already included in Windows systems.
By opening the command prompt or CMD as an administrator, you will be able to run the tool called NETSTAT.
In the command prompt, just type the tool command “-ano,” parameters to display all network connections, port numbers, and process ID’s. The parameter “f” is useful to see the fully qualified domain name or simply the web site address of the established connections over the Internet for quick identification.
The tool will be prompted with a few lines, depending how many tabs are open in the browsers when connected to the Internet. It will also include the connection in C&C if the host machine is infected with malware or botnets.
This network threat hunting process may take a few minutes, as it needs to go through the public IP addresses, which are LISTENING and ESTABLISHED for checking from OSInt like VirusTotal, OTX, and other web sites that provide IOC’s based on IP’s.
If there is no IOC found from the OSInt, a healthy paranoia will be needed to stop the running processes based on the PID (process id) that resulted from the NETSTAT tool by simply running the “TASK MANAGER,” which is done by typing “CTRL+ALT+DELETE” at the same time. Find the PID under the DETAILS tab, right-click on it, and select “END TASK”.
Threat Hunting Malware
Malicious program threat hunting is different from running an anti-virus program, as it does not need to be quarantined or removed immediately. Running an AV program may notify the malware creator that the malicious program planted in the host machine has been found and deleted, which the adversary will be warned of for detection.
“Triaging” an advanced persistent threat (APT) is crucial in hunting the threat actor and tracing his whereabouts.
A simple IOC scanner called LOKI is effective for that detective role, acting like Sherlock Holmes.
This slick tool can be downloaded here: https://github.com/Neo23x0/Loki/releases
The tool will give the full directory of both suspicious and malicious files based on its IOC’s that most AV’s do not have yet, and it may able to delete manually or opt for further malware analysis, which is an interesting hobby.
Threat Hunting Rogue Wi-Fi
In my few speaking engagements, I always mention that “free” is not always good, as this can be a conduit for social engineering attacks like Man-In-The-Middle (MITM) or eavesdropping techniques to steal sensitive information.
It is best to have a healthy paranoia to run tools like my example here to catch rogue access points (AP) in the public.
A handy rogue AP killer and user-friendly tool called CHELLAM is very useful to stay safe in the wild, while the adversary is just one click away to bait his targets, and one of those targets could be you or your family.
There are so many available tools that can be downloaded in the wild, and everyone should use his own discretion in deciding what tool is effective for himself. As mentioned in my other blogs, the mindset of a hunter is most important, and that cannot be developed from classroom training nor from a PhD degree. Again, security is everybody’s responsibility, and either you are part of the solution or just another brick in the wall.