Cyber Threat Hunting
Hunting for host-based threats

Malware

Hunting for malware

Hunting for malware can be a difficult task

  • Malware actively tries to remain undetected and avoid deletion

To achieve its goals, malware needs to take certain actions:

  • Establishing persistence

  • Avoiding antivirus

Malware can also be detected by testing against known-good baseline configurations

Types

Many different types of malware exist

  • Named for purpose or how they accomplish it

Common types include:

  • Backdoors

  • Credential stealers

  • Cryptojackers

  • Fileless malware

  • Point of Sale (PoS) malware

  • Ransomware

  • Rootkits

  • Worms

Persistence mechanisms

Malware needs a way to ensure that it will be run again after being killed or after a computer restart

Common persistence mechanisms include:

  • AutoStart locations in the registry

  • Scheduled tasks/cronjobs

  • Boot process redirection

Persistence mechanisms can also be used to lower malware's visibility

  • Only performing malicious actions sometime after installation to complicate the correlation of events

Antivirus evasion

Malware can evade antivirus in a variety of different ways

  • Most AVs scan files on the disk for known signatures

Some malware checks the current process list for known AVs and either sleeps or attempts to kill them if one is running

Fileless malware avoids antivirus detection by only running in memory, never saving a file to disk

Antivirus logs

You can string-search endpoint security AV logs for known-bad values

Examples of strings to look for:

  • Known webshells filenames

  • Anything running under a system directory (%WINDOWS%, %RECYCLER%) or other unusual locations (the webroot)

  • AV "street names" you are concerned about

  • Packed executables (this information needs to be logged)

  • Known hacking tools (credential dumpers, scanners, etc.)

  • Strings like "dropper"
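A worked example of the string-search described above, added here and not part of the course material: it runs a small, assumed watchlist (webshell filenames, system-directory and webroot paths, AV detection names, "dropper", packed) over constructed AV log lines in a hypothetical pipe-delimited format, and also flags lines the AV marked Allowed, since a clean verdict on a file in %WINDOWS% or the webroot is still worth a look.

```python
import re

# Constructed sample AV log in a hypothetical pipe-delimited format:
# timestamp|host|verdict|path|detection name
SAMPLE_AV_LOG = """\
2024-03-01T08:12:03Z|WS-0412|Quarantined|C:\\Users\\alice\\Downloads\\invoice.exe|Trojan.Dropper.Agent
2024-03-01T08:15:44Z|WS-0412|Allowed|C:\\Program Files\\Vendor\\app.exe|Clean
2024-03-01T09:02:10Z|WEB-01|Detected|C:\\inetpub\\wwwroot\\uploads\\cmd.aspx|Backdoor.ASP.Webshell
2024-03-01T09:40:19Z|WS-0077|Allowed|C:\\Windows\\Temp\\svchost.exe|Clean
2024-03-01T10:05:55Z|WS-0077|Detected|C:\\Users\\bob\\AppData\\Local\\Temp\\m.exe|HackTool.Win32.Mimikatz
2024-03-01T10:11:02Z|WS-0090|Allowed|C:\\$Recycle.Bin\\S-1-5-21-1\\run.exe|Clean
"""

# Path-based indicators: where the file lives (assumed watchlist, extend per environment)
PATH_RULES = {
    "known webshell filename": re.compile(r"[\\/](cmd|shell|c99|r57)\.(aspx?|php|jsp)$", re.I),
    "system directory": re.compile(r"^[a-z]:\\(windows|\$recycle\.bin)\\", re.I),
    "webroot": re.compile(r"\\inetpub\\wwwroot\\", re.I),
}
# Detection-name indicators: what the AV called it (assumed watchlist)
NAME_RULES = {
    "AV street name of concern": re.compile(r"webshell|hacktool|mimikatz", re.I),
    "packed executable": re.compile(r"\bpacked\b|\bupx\b", re.I),
    "dropper": re.compile(r"dropper", re.I),
}


def hunt_av_log(log_text: str) -> list:
    """Return one record per log line that matches any indicator.

    Lines with an Allowed/Clean verdict are searched too: a file the AV let
    through from a system directory or the webroot is exactly what a hunt wants.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, verdict, path, name = line.split("|", 4)
        reasons = [r for r, rx in PATH_RULES.items() if rx.search(path)]
        reasons += [r for r, rx in NAME_RULES.items() if rx.search(name)]
        if reasons:
            hits.append({"time": ts, "host": host, "verdict": verdict,
                         "path": path, "detection": name, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in hunt_av_log(SAMPLE_AV_LOG):
        print(f"{h['host']:8} {h['verdict']:11} {h['path']}  <- {', '.join(h['reasons'])}")
```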

Baselines

Comparing memory dumps and registry dumps to known-good baselines may reveal deviations that result from malware activity

Volatility plugins can be used:

  • stalker

  • profiler

  • regcomp

  • hunter

This works best when tracked over time, rather than as a one-time comparison

Detection and analysis tools

Good starting points for detection include antivirus, IDS and IPS systems

  • Tools designed for analysis of the registry, processes, system files, etc. are also valuable

Once potential malware has been identified, tool choice depends on the desired level of analysis

  • VirusTotal is a great tool for high-level analysis and threat identification

  • For more in-depth analysis, a variety of tools exist:

    • Disassemblers: IDA Pro, radare2

    • Debuggers: OllyDbg, gdb and WinDbg

    • Sandboxes: Cuckoo Sandbox and Joe Sandbox
