Skip to content

Threat Hunting Guideline

This page serves as a high-level guideline specifically for WA SOC threat hunting activities, showcasing prominent tactics, techniques, and procedures (TTPs). The ADS provides a tailored Kusto Query Language (KQL) queries to assist in threat hunting inside Microsoft Sentinel environment. An overview of why threat hunting is valuable is below:

The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques based on real-world observations. Relevant KQL queries are mapped to each of the techniques used by threat actor tactics in line with the MITRE ATT&CK framework.

This section highlights queries that can be mapped in the MITRE ATT&CK Framework. Reconnaissance and Resource Development are out of the hunting services initial scope. The Top 10 MITRE ATT&CK Techniques for Ransomware is another sensible resource with a broader scope that can also be used to prioritise detection logic.

Guidelines/Instructions:

  • Review the TTP Hunt results shared with you via email/JIRA ticket.
  • Identify the detected TTP MITRE ATT&CK code, and refer to ADS document
  • Understand the detection objectives and perform triage investigation against detected logs
  • Upon true-positive investigation results, raise an incident ticket with WA SOC. Reference: WA SOC - Incident Reporting
  • Upon false-positive/benign true-positive investigation results, OR if you would like to request specific threat hunt TTPs, please contact cybersecurity@dpc.wa.gov.au

Initial Access

Technique ID Title Data Source ADS
T1566 Phishing Application Log QR Code Phishing Attachment (Quishing)
T1189 Drive-by Compromise File Drive-by Compromise - FakeUpdate

Execution

Technique ID Title Data Source ADS
T1059 MicroSCADA SCILC Application Log MicroSCADA SCILC - Command Execution
T1059.004 Netcat Reverse Shell Execution CommandProcess Potential Netcat Reverse Shell Execution
T1204 MonikerLink - User Execution Network Traffic MonikerLink - User Execution

Persistence

Technique ID Title Data Source ADS
T1505.003 Web shells Process IIS Webshell File Writes
T1505.003 Windows Webshell Creation File Windows Webshell Creation
T1505.003 Linux Webshell Indicators Process Linux Webshell Indicators
T1505.003 Suspicious Child Process Of SQL Server Process Creation Suspicious Child Process Of SQL Server
T1505.004 Suspicious IIS Module Registration NA Suspicious IIS Module Registration
T1543.003 Service Installations in Registry registry_set CobaltStrike: Service Installations in Registry
T1543.003 Potential Persistence Attempt Via Existing Service Tampering (reg.exe) Process Potential Persistence Attempt Via Existing Service Tampering (reg.exe)
T1543.003 Potential Persistence Attempt Via Existing Service Tampering (sc.exe) Process Potential Persistence Attempt Via Existing Service Tampering (sc.exe)
T1053.005 Diamond Sleet APT Scheduled Task Creation - Registry Windows Registry Diamond Sleet APT Scheduled Task Creation - Registry
T1547.001 Potential Persistence Attempt Via Run Keys Command Potential Persistence Attempt Via Run Keys Using Reg.EXE
T1547.001 Diamond Sleet APT Process Activity Indicators Process Potential Persistence Attempt Via Run Keys Using Reg.EXE
T1059.004 Suspicious Nohup Execution Process , Command Suspicious Nohup Execution
T1562.001 Disable or Modify Tools - netsh abuse Windows Registry Disable or Modify Tools - netsh abuse

Privilege Escalation

Technique ID Title Data Source ADS
T1543.003 Potential PSExec.exe abuse Command, Process LOLBins - Potential PSExec.exe abuse

Defense Evasion

Technique ID Title Data Source ADS
T1562.001 AMSI Bypass attack Command Impair Defenses - AMSIBypass Attack
T1562.001 Impair Defenses - Disable Defender Functionalities Via Registry Keys Windows Registry Impair Defenses - Disable Defender Functionalities Via Registry Keys
T1562.001 Impair Defenses: Disable or Modify Tools - Defender Disabling or Exclusions Command Impair Defenses: Disable or Modify Tools - Defender Disabling or Exclusions
T1562.001 Impair Defenses: Disable or Modify Tools - Potential PowerShell Downgrade Attack Command Impair Defenses: Disable or Modify Tools - Potential PowerShell Downgrade Attack
T1562.001 Impair Defenses: Removal Of AMSI Provider Registry Keys Windows Registry Impair Defenses: Removal Of AMSI Provider Registry Keys
T1562.002 Disable Windows Logging MiniNT Windows Registry ImpairDefenses - Disable Windows Logging Mini NT
T1562.002 Impair Defenses: Disable Windows Logging on EventID Active Directory ImpairDefenses - Disable Windows Logging on EventID
T1027.006 HTML Smuggling NA HTML Smuggling
TA0005 Potentially Suspicious Windows App Activity Command, Process Potentially Suspicious Windows App Activity

Credential Access

Technique ID Title Data Source ADS
T1003.001 OS Credential Dumping Command OS Credential Dumping: LSASS Memory
T1003.003 Credential Access File Creation of Ntds.dit to Suspicious Location in Server
T1003.003 OS Credential Dumping Command , Process OS Credential Dumping: NTDS
T1003.003 Credential Access Command, Process Shadow Copies Creation Using Operating Systems Utilities
T1003.008 OS Credential Dumping File , Process OS Credential Dumping: /etc/passwd and /etc/shadow
T1003.003 OS Credential Dumping Command OS Credential Dumping: NTDS using tools
T1552.002 Unsecured Credentials Command, Windows Registry REGISTRY Password Dumping
T1555 Credentials from Password Stores Command Credentials from Password Stores

Discovery

Technique ID Title Data Source ADS
T1016 System Network Configuration Discovery Command EnumerateNetworkTopology
T1016 Info stealer Module Info stealer Grixba
T1016.001 Potential Pikabot C2 Activity Process Suspicious Process Created By Rundll32.EXE
T1033 System Owner/User Discovery Command Identify successful logons to the host
T1082 System Information Discovery NA System Information Discovery
T1016 Discovery Activity Via Dnscmd.exe Command, Process Potential Discovery Activity Via Dnscmd.exe
T1087.002 Active Directory Structure Export Via Ldifde.EXE Command, Process Active Directory Structure Export Via Ldifde.EXE
T1087.002 Suspicious Group And Account Reconnaissance Activity Using Net.EXE Command, Process Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Command and Control

Technique ID Title Data Source ADS
T1090 C2 Proxy Command Proxy
T1090 Proxy - netsh abuse Command, Process Proxy - netsh abuse

Malware / Tools

Technique ID Title Data Source ADS
S0357 Impacket Command Impacket - DirCommand
S0357 Impacket Command Impacket - SecretDumpSMB2
S0154 Cobalt Strike Network Traffic CobaltStrike - DNS
S0154 Cobalt Strike Named Pipe CobaltStrike - NamedPipe
S0650 QakBot Command Qakbot - Process Execution
S0650 QakBot Command Qakbot - Defender Exclusions
S0650 Qakbot Command , Process Qakbot: Post compromise commands
S0521 Bloodhound/Sharphound Command Bloodhound/Sharphound - Execution Commandlets
S0522 ADFind Command ADFind Execution