Hunting for malicious files

Hunting for filenames

Known bad filenames

Certain families of malware (especially those created using kits) have known or predictable filenames

Searching for these known filenames is a quick and simple way for a threat hunter to identify or eliminate the possibility of these simple threats

Filetypes worth investigating include:

  • Web shells (.php)

  • Scripts

  • Malicious executables

  • Backdoors

  • etc

File extensions

Most cybersecurity awareness training focuses on the .exe extension when teaching users about dangerous executable files

However, many other executable file extensions are in use by malware authors, including .bat, .cmd, .com, .lnk, .pif, .vb, .scr and .wsh

Depending on the platform in use and environment, other file extensions can also be a threat

  • JavaScript (.js) can be executed in a browser

  • Java JAR (.jar) files can be executed on a computer with Java installed

Right-to-left override

The Unicode character set includes a character (U+202E) that reverses character direction to right-to-left

  • This enables languages like Hebrew and Arabic to be used

This character can be used in the middle of a string, reversing the direction of the remainder of the string

The Unitrix exploit uses the right-to-left character to conceal the actual extension of a file

  • "MyJam[U+202e] 3pm.SCR" displays as "MyJamRCS.mp3"

  • .SCR is an executable file extension, so this file could be malware

Scanning for misuse of the U+202E character may be a good idea when hunting for malware
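As an added example (not part of the original notes), a small Python scan that flags filenames carrying the U+202E override and the executable or script extensions listed above. The rendering function is a deliberate simplification of the Unicode bidi algorithm, and all sample names are constructed.

```python
from pathlib import Path

# Unicode bidirectional control characters that can disguise a filename.
# The notes discuss U+202E (RIGHT-TO-LEFT OVERRIDE); the others are the
# related embedding/override controls and are flagged on the same basis.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e"}

# Extensions named in the notes, grouped by why they matter to a hunter.
RISKY_EXTS = {
    **{e: "executable" for e in (".exe", ".bat", ".cmd", ".com", ".lnk",
                                  ".pif", ".vb", ".scr", ".wsh")},
    ".js": "script (runs in a browser)",
    ".jar": "Java archive (runs where Java is installed)",
    ".php": "web shell candidate",
}


def rendered_name(name: str) -> str:
    """Approximate what a user sees: text after the last U+202E is shown
    reversed (simplification of the full Unicode bidi algorithm)."""
    head, sep, tail = name.rpartition("\u202e")
    return (head + tail[::-1]) if sep else name


def inspect_filename(name: str) -> dict:
    """Return the findings a hunter would want for one filename."""
    true_ext = Path(name).suffix.lower()   # the real extension, not the displayed one
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi override character present")
    if true_ext in RISKY_EXTS:
        findings.append(f"{true_ext} is {RISKY_EXTS[true_ext]}")
    return {"name": name, "displayed_as": rendered_name(name),
            "true_extension": true_ext, "findings": findings,
            "suspicious": bool(findings)}


def scan_directory(root: str) -> list:
    """Walk a directory tree and return only the records that raised findings."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            record = inspect_filename(path.name)
            if record["suspicious"]:
                hits.append(record)
    return hits


if __name__ == "__main__":
    # Constructed sample names, not taken from any real system.
    for sample in ("MyJam\u202e 3pm.SCR", "report.pdf", "update.jar", "index.php"):
        rec = inspect_filename(sample)
        print(f"{rec['displayed_as']!r:20} -> {rec['true_extension']:5} {rec['findings']}")
```

Run `scan_directory("/path/to/share")` against a file share or user profile to list only the names worth a closer look.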

Hunting for abnormal account activity

Unusual login activity

When threat hunting, access logs are an extremely valuable source of potential threat intelligence

Both successful and failed login attempts can be indicators of an attempted attack

  • Stolen credentials enable attackers to successfully log into accounts

  • Failed logins could be a typo or an attack

  • Brute-force attacks

  • Credential stuffing

  • Failed logins

  • Anomalies in privileged accounts

Brute-force attacks

Brute-force attacks are some of the simplest and loudest password-guessing attacks

A brute-force attacker will repeatedly attempt to log into an account using different passwords

  • Tools like Brutus can do this for them automatically

Looking for a massive number of failed logins for a single account can help with detection of brute-force attacks

These attacks can also happen "offline" using a stolen password hash

  • Look for evidence of stolen password files on endpoints and domain controllers

Credential stuffing

Credential stuffing is a slightly more sophisticated but equally loud version of a brute-force attack

In a credential-stuffing attack, the attacker will attempt to log into one or more accounts using a list of known, common passwords

  • These lists are readily available on the internet and Dark Web

These attacks work due to weak passwords and a failure to enforce account lockout

  • In 2022, nearly 35000 PayPal accounts were accessed via a credential stuffing attack, exposing personal information including names, addresses, social security numbers, tax identification numbers and dates of birth

Hunting for failed logons

Failed login attempts may or may not be evidence of an attack

A sudden spike in login attempts or login attempts at unusual hours should be investigated

Login attempts to nonexistent accounts are likely part of a username guessing attack

If account lockouts occur, the user should be contacted to determine if the issue was caused by them or an attacker

Anomalies in privileged account activity

Privileged account users have a significant amount of power on an organization's endpoints and networks

  • Any potential breach of a privileged account warrants investigation

Changes in the usage habits of a privileged account are a potential IOC

  • When the account is being used

  • What systems are being accessed by the account

  • Volume and value of data being accessed, processed, transmitted, etc

Changes in an administrator account's habits may indicate a compromised account

Hunting for privileged account activity

An attacker may create a new account or change an existing account password to maintain persistence

  • Check for password changes outside normal password update schedule

Potential IOCs for account compromise include:

  • Writing or deleting system files, which can be found (in part) via Event IDs 4660 and 4663

  • Failed logins

  • Manipulation of an unusually large number of files that contain sensitive data

  • Writing to removable devices (especially if local or domain group policy is configured to prevent this)

  • Critical files accessed outside of regular business hours
