# Situation-driven hunt scenario

## Purpose

Sensitive data such as PII is of utmost importance to your organization and is one of its crown jewels

PII is stored in encrypted locations at rest and transmitted over encrypted channels in motion and in use

Your internal risk assessment indicates that data exfiltration via password-protected attachments is a concern

The **purpose** of this situation-driven threat hunt would be to identify if data exfiltration via password-protected attachments is happening in your environment

## Scope

You review the mechanisms to password-protect files to determine the **scope**

Here are some of the ways that files can be archived/password-protected:

* The most common method is password-protected zip files
* Another method is via password-protected rar archives
* 7zip can also be used to archive and encrypt
* Some threat actors use .cab files

Determine which techniques and tools you will focus on

Identify data that is needed for the hunt, based on the techniques and tools in use

### Hypothesis development

* Based on the information gathered, you should identify the tools needed for your hunt
* The analytic question is whether, if your organization is targeted by this campaign, there are outbound emails with password-protected attachments
* The expected outcome is to prove the hypothesis by locating these outbound emails in your environment

## Formulate

The hunter should **formulate** a plan to conduct the hunt, based on the scope

**Identify** data sources needed for the hunt, based on the hypothesis:

* Email gateway logs to identify outbound emails with password-protected attachments
* DLP logs to determine if these outbound emails are allowed/blocked
* Endpoint logs to identify the processes or command-line arguments used to compress/encrypt data
* Endpoint logs to identify file creation events with the respective extensions/headers

**Determine** analysis techniques needed to answer questions from the hypothesis

* Searching techniques to look for the respective artifacts
* Grouping techniques to group by archival type if needed

**Understand** the tools required to gather and analyze data

* Email gateway that routes your outbound email
* DLP solution to log outbound emails with password-protected files
* Endpoint logs for process creation, file creation and command execution

## Execute

After planning, **execute** the hunt by collecting and analyzing relevant data to answer questions from the hypotheses

**Gather** data from all the sources identified in the previous stage

* Email gateway logs
* DLP logs
* Endpoint logs

**Utilize** analysis techniques to prove or disprove hypotheses

* Search DLP logs to identify this activity and determine the result
* Search email gateway logs for the password-protected .zip, .7z, .rar, .cab files
* Search endpoint logs for any new .zip, .7z, .rar, .cab files created, based on output from the DLP logs
* Also look for file access events to identify the files that are part of the archive
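The endpoint searches above key on extensions, but the Formulate stage also lists file headers. As an added example (not part of the original scenario), this script classifies a file by its magic bytes for the four archive types in scope and, for zip, walks the local file headers to report which entries carry the encryption flag (bit 0 of the general-purpose flag). The sample archive is constructed in memory; only the flag is set on one entry, which is exactly what the check keys on.

```python
import io
import struct
import zipfile
from typing import Dict, List, Optional, Tuple

# Leading bytes of the archive formats named in the hunt scope.
MAGICS = {
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"Rar!\x1a\x07\x00": "rar4",
    b"MSCF": "cab",
}

def archive_kind(data: bytes) -> Optional[str]:
    """Identify the archive type from the header, regardless of the file extension."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    return None

def zip_entries(data: bytes) -> List[Tuple[str, bool]]:
    """Walk zip local file headers; bit 0 of the general-purpose flag marks encryption."""
    entries, off = [], 0
    while data[off:off + 4] == b"PK\x03\x04":
        (_ver, flags, _method, _time, _date, _crc,
         csize, _usize, nlen, xlen) = struct.unpack_from("<HHHHHIIIHH", data, off + 4)
        name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        entries.append((name, bool(flags & 0x1)))
        if flags & 0x8:  # sizes live in a trailing data descriptor; stop walking
            break
        off += 30 + nlen + xlen + csize  # skip header, name, extra field and payload
    return entries

def assess(data: bytes) -> Dict[str, object]:
    """Summary a hunter can pivot on: archive type and the entries flagged as encrypted."""
    kind = archive_kind(data)
    encrypted = [n for n, e in zip_entries(data) if e] if kind == "zip" else []
    return {"kind": kind, "encrypted_entries": encrypted}

def sample_zip(encrypt_first: bool) -> bytes:
    """Constructed sample: a two-file stored zip; optionally flag entry 1 as encrypted.
    Only the flag bit is set (payload stays plaintext), which is what the detector checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.docx", b"customer PII export")
        zf.writestr("notes.txt", b"nothing sensitive")
    data = bytearray(buf.getvalue())
    if encrypt_first:
        data[6] |= 0x1  # general-purpose flag field sits at offset 6 of the first header
    return bytes(data)
```

Run `assess(sample_zip(True))` to see the flagged entry; `archive_kind` alone is enough to catch a .7z or .cab renamed to a harmless extension.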

**Employ** additional tools/techniques/data sets as needed

* Identify if any additional data is needed for analysis, like capturing command line arguments from endpoints
* For example, additional password-protected file types may need to be considered for the hunt
* You may have different DLP solutions that you need to gather data from for complete coverage

**Capture** results as you proceed with the hunt

* As you finish reviewing each file type and data type, document the results
* If there are any challenges with data required for analysis, identify and document them

**Develop** threat hunt reports that capture all essential details of the hunt along with any additional observations

* Summarize findings for each analytic question from the hypothesis
* Outline results from each data set analyzed
* Document any gaps identified that limited your ability to gather or analyze data

## Feedback

**Identify** lessons from each stage of the hunt to use in the **feedback** stage to improve the hunting process

**Involve** all parties from the hunt and seek their feedback for the different stages

* How valuable was the internal risk assessment data that was used as a trigger for the hunt?
* Were there any additional data elements that could have been gathered?
* Did we select the right data points to focus on in the Scope stage?
* Did we consider all data sources for analysis?
* Were there any deviations in logging?
* Were there any tools that we were missing to collect and analyze data?


