Module 6: Threat Hunting Without IoCs

Custom Threat Hunting

What is Custom Threat Hunting?

Targeted investigations that look for specific behaviors, patterns and anomalies aligned with a hypothesized threat, rather than for a known indicator.

Important tools: YARA (signature-based matching on files and memory) and CyberChef (decoding and transforming data such as hex, Base64 and UTF-16 strings).

Data Correlation for Threat Hunters

Collect all the relevant data, then connect the dots: correlate events across hosts, users and time so that isolated observations turn into a picture of the activity.

Threat Hunting for new IoCs

Introduction to CrowdStrike Falcon

Falcon provides RTR (Real Time Response), which lets us execute commands directly on monitored hosts, such as listing processes, retrieving files or running scripts.

Example CQL (search the events of the host CLIENT4 for DNS requests, then group them by timestamp and queried domain; the bare CLIENT4 term is a free-text match against the event):

CLIENT4
| "#event_simpleName" = DnsRequest
| groupBy([@timestamp, DomainName])

Introduction to the Environment

Provides the context for the following sections.

Custom Threat Hunting with CrowdStrike Falcon

Display all registered scheduled tasks and group them by their aid (Agent Identifier). Because the aid is not human-readable, we'll group by ComputerName instead of aid to show hostnames:

Using a wildcard to broaden our search (for example matching a whole family of hostnames or task names instead of one exact value):
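The two searches above, written out as an added example (not a query from the original page). ScheduledTaskRegistered is the Falcon event for task creation; the task fields (TaskName, TaskExecCommand, TaskExecArguments, TaskAuthor) are assumed Falcon field names, and CLIENT* is an assumed hostname pattern for the lab:

```cql
// Added example, not from the original page.
// Assumed Falcon fields: TaskName, TaskExecCommand, TaskExecArguments, TaskAuthor.

// 1) Every registered scheduled task, one row per sensor (aid) and task name.
#event_simpleName=ScheduledTaskRegistered
| groupBy([aid, TaskName], function=count())

// 2) Same hunt, but grouped by hostname so the rows are readable, with a
//    wildcard on ComputerName to cover every CLIENT* host at once, and the
//    command/arguments/author surfaced so odd tasks stand out immediately.
#event_simpleName=ScheduledTaskRegistered
| ComputerName=CLIENT*
| groupBy([ComputerName, TaskName, TaskExecCommand, TaskExecArguments, TaskAuthor], function=count())
| sort(field=_count, order=desc)
```

Sorting by _count ascending instead of descending is the usual trick for hunting without IoCs: a task that exists on exactly one host, with a command pointing at a user-writable directory, is worth a look even when nothing on a blocklist matches.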

Turning the hex dump of a Microsoft Shortcut (.lnk) file into usable information (CyberChef's From Hex operation, followed by decoding the UTF-16LE StringData, recovers the target path and command-line arguments):

Gathering the file hashes of the IoCs discovered:

With the file hashes in hand, we're now ready to compile a list of all IoCs uncovered so far:

  • File hashes (SHA256) of 6.exe and 432.lnk

  • File names 6.exe and 432.lnk

  • DNS name webdav.4shared.com

  • Scheduled Task names WindowsUpdate and UpdateHealthCheck

  • Username lasex69621@cohodl.com and password dE}9tBDaFK'Y%uv

Hunting with File Hashes

No results by hash; next, search by filename:

Also no results; next, search for the DNS name we found:

Still no results; maybe the scheduled task names:

The last items to search for are the credentials we saw being used:

Still nothing: none of the known IoCs appear in the telemetry, which is the cue to derive new ones from the sample itself instead of searching for the same five again.
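The whole IoC sweep above can be run as one query instead of five. The following is an added example, not a query from the original page: the SHA256 values are not given on the page, so the two placeholders must be replaced with the real hashes, and the field names (SHA256HashData, FileName, TargetFileName, DomainName, TaskName, CommandLine) are assumed Falcon field names. The credentials are searched in CommandLine, where they would appear if the WebDAV share was mounted from a command line:

```cql
// Added example, not from the original page.
// Replace SHA256_OF_6_EXE / SHA256_OF_432_LNK with the real hashes (not on the page).
// Assumed Falcon fields: SHA256HashData, FileName, TargetFileName, DomainName, TaskName, CommandLine.
SHA256HashData=/^(SHA256_OF_6_EXE|SHA256_OF_432_LNK)$/i
  or FileName=/^(6\.exe|432\.lnk)$/i
  or TargetFileName=/\\(6\.exe|432\.lnk)$/i
  or DomainName="webdav.4shared.com"
  or TaskName=/^(WindowsUpdate|UpdateHealthCheck)$/
  or CommandLine=/lasex69621@cohodl\.com|dE\}9tBDaFK'Y%uv/
| groupBy([#event_simpleName, ComputerName, FileName, TargetFileName, DomainName, TaskName], function=count())
| sort(field=_count, order=desc)
```

Grouping by #event_simpleName tells you which telemetry type produced each hit (process execution, file write, DNS request, task registration), which is the pivot you need for the next round. An empty result is itself a finding: the known indicators are absent, so the hunt has to continue on behavior.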

Iterative Searches Using Sandboxes

Cuckoo Analysis Summary of 6.exe
Cuckoo Sandbox Static Analysis Results
String Analysis Results
Behavioral Analysis Results
Network Behavior of 6.exe

Use the information from the sandbox (strings, contacted domains and addresses, dropped files, created tasks and registry keys) to run additional searches for the IoCs discovered, then repeat the cycle with anything new those searches turn up.
