Hunting for malicious files

Hunting for filenames

Known bad filenames

Certain families of malware (especially those created using kits) have known or predictable filenames

Searching for these known filenames is a quick and simple way for a threat hunter to identify or eliminate the possibility of these simple threats

Filetypes worth investigating include:

Web shells (.php)
Scripts
Malicious executables
Backdoors
etc

File extensions

Most cybersecurity awareness training focuses on the .exe extension when teaching users about dangerous executable files

However, many other executable file extensions are in use by malware authors, including .bat, .cmd, .com, .lnk, .pif, .vb, .scr and .wsh

Depending on the platform in use and environment, other file extensions can also be a threat

JavaScript (.js) can be executed in a browser
Java JAR (.jar) files can be executed on a computer with Java installed

Left-to-right override

The Unicode character set includes a character (U+202E) that reverses character direction to right-to-left

This enables languages like Hebrew and Arabic to be used

This character can be used in the middle of a string, reversing the direction of the remainder of the string

The Unitrix exploit uses the right-to-left character to conceal the actual extension of a file

"MyJam[U+202e] 3pm.SCR" displays as "MyJamRCS.mp3"
.SCR is an executable file extension, so this file could be malware

Scanning for misuse of the U+202E character may be a good idea when hunting for malware

Hunting for abnormal account activity

When threat hunting, access logs are an extremely valuable source of potential threat intelligence

Stolen credentials enable attackers to successfully log into accounts
Failed logins could be a typo or an attack

Brute-force attacks
Credential stuffing
Failed logins
Anomalies in privileged accounts

Brute-force attacks

Brute-force attacks are some of the simplest and loudest password-guessing attacks

A brute-force attacker will repeatedly attempt to log into an account using different passwords

Tools like Brutus can do this for them automatically

Looking for massive number of failed logins for an account can help with detection of brute-force attacks

These attacks can also happen "offline" using a stolen password hash

Look for evidence of stolen password files on endpoints and domain controllers

Credential stuffing

Credential stuffing is a slightly more sophisticated but equally loud version of a brute-force attack

In a credential-stuffing attack, the attacker will attempt to log into one or more accounts using a list of known, common passwords

These lists are readily available on the internet and Dark Web

These attacks work due to weak password and failure to enforce account lockout

In 2022, nearly 35000 PayPal accounts were accessed via a credential stuffing attack, exposing personal information including names, addresses, social security numbers, tax identification numbers and dates of birth

Hunting for failed logons

Failed login attempts may or may not be evidence of an attack

A sudden spike in login attempts or login attempts at unusual hours should be investigated

If account lockouts occur, the user should be contacted to determine if the issue was caused by them or an attacker

Anomalies in privileged account activity

Privileged account users have a significant amount of power on an organization's endpoints and networks

Any potential breach of a privileged account warrants investigation

Changes in usage habits of a privileged account area potential IOC

When the account is being used
What systems are being accessed by the account
Volume and value of data being accessed, processed, transmitted, etc

Changes in an administrator account's habits may indicate a compromised account

Hunting for privileged account activity

An attacker may create a new account or change an existing account password to maintain persistence

Check for password changes outside normal password update schedule

Potential IOCs for account compromise include:

Writing or deleting system files, which can be found (in part) via Event IDs 4660 and 4663
Failed logins
Manipulation of an unusually large number of files that contain sensitive data
Writing to removable devices (especially if local or domain group policy if configured to prevent this)
Critical files accessed outside or regular business hours

PreviousDetecting lateral movement NextDatabase swells

Last updated 1 year ago

hashtagHunting for filenames

hashtagKnown bad filenames

hashtagCertain families of malware (especially those created using kits) have known or predictable filenames

hashtagFile extensions

hashtagMost cybersecurity awareness training focuses on the .exe extension when teaching users about dangerous executable files

hashtagLeft-to-right override

hashtagHunting for abnormal account activity

hashtagUnusual login activity

hashtagBoth successful and failed login attempts can be indicators of an attempted attack

hashtagAccount-related threats to look for include:

hashtagBrute-force attacks

hashtagBrute-force attacks are some of the simplest and loudest password-guessing attacks

hashtagCredential stuffing

hashtagCredential stuffing is a slightly more sophisticated but equally loud version of a brute-force attack

hashtagThese attacks work due to weak password and failure to enforce account lockout

hashtagHunting for failed logons

hashtagAnomalies in privileged account activity

hashtagPrivileged account users have a significant amount of power on an organization's endpoints and networks

hashtagHunting for privileged account activity

hashtagAn attacker may create a new account or change an existing account password to maintain persistence