Threat Hunting Guideline¶
This page serves as a high-level guideline specifically for WA SOC threat hunting activities, showcasing prominent tactics, techniques, and procedures (TTPs). The ADS provides a tailored Kusto Query Language (KQL) queries to assist in threat hunting inside Microsoft Sentinel environment. An overview of why threat hunting is valuable is below:
The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques based on real-world observations. Relevant KQL queries are mapped to each of the techniques used by threat actor tactics in line with the MITRE ATT&CK framework.
This section highlights queries that can be mapped in the MITRE ATT&CK Framework. Reconnaissance and Resource Development are out of the hunting services initial scope. The Top 10 MITRE ATT&CK Techniques for Ransomware is another sensible resource with a broader scope that can also be used to prioritise detection logic.
Guidelines/Instructions:¶
- Review the TTP Hunt results shared with you via email/JIRA ticket.
- Identify the detected TTP MITRE ATT&CK code, and refer to ADS document
- Understand the detection objectives and perform triage investigation against detected logs
- Upon true-positive investigation results, raise an incident ticket with WA SOC. Reference: WA SOC - Incident Reporting
- Upon false-positive/benign true-positive investigation results, OR if you would like to request specific threat hunt TTPs, please contact cybersecurity@dpc.wa.gov.au
Initial Access¶
| Technique ID | Title | Data Source | ADS |
|---|---|---|---|
| T1566 | Phishing | Application Log | QR Code Phishing Attachment (Quishing) |
| T1189 | Drive-by Compromise | File | Drive-by Compromise - FakeUpdate |
Execution¶
| Technique ID | Title | Data Source | ADS |
|---|---|---|---|
| T1059 | MicroSCADA SCILC | Application Log | MicroSCADA SCILC - Command Execution |
| T1059.004 | Netcat Reverse Shell Execution | Command, Process | Potential Netcat Reverse Shell Execution |
| T1204 | MonikerLink - User Execution | Network Traffic | MonikerLink - User Execution |
Persistence¶
| Technique ID | Title | Data Source | ADS |
|---|---|---|---|
| T1505.003 | Web shells | Process | IIS Webshell File Writes |
| T1505.003 | Windows Webshell Creation | File | Windows Webshell Creation |
| T1505.003 | Linux Webshell Indicators | Process | Linux Webshell Indicators |
| T1505.003 | Suspicious Child Process Of SQL Server | Process Creation | Suspicious Child Process Of SQL Server |
| T1505.004 | Suspicious IIS Module Registration | NA | Suspicious IIS Module Registration |
| T1543.003 | Service Installations in Registry | registry_set | CobaltStrike: Service Installations in Registry |
| T1543.003 | Potential Persistence Attempt Via Existing Service Tampering (reg.exe) | Process | Potential Persistence Attempt Via Existing Service Tampering (reg.exe) |
| T1543.003 | Potential Persistence Attempt Via Existing Service Tampering (sc.exe) | Process | Potential Persistence Attempt Via Existing Service Tampering (sc.exe) |
| T1053.005 | Diamond Sleet APT Scheduled Task Creation - Registry | Windows Registry | Diamond Sleet APT Scheduled Task Creation - Registry |
| T1547.001 | Potential Persistence Attempt Via Run Keys | Command | Potential Persistence Attempt Via Run Keys Using Reg.EXE |
| T1547.001 | Diamond Sleet APT Process Activity Indicators | Process | Potential Persistence Attempt Via Run Keys Using Reg.EXE |
| T1059.004 | Suspicious Nohup Execution | Process , Command | Suspicious Nohup Execution |
| T1562.001 | Disable or Modify Tools - netsh abuse | Windows Registry | Disable or Modify Tools - netsh abuse |
Privilege Escalation¶
| Technique ID | Title | Data Source | ADS |
|---|---|---|---|
| T1543.003 | Potential PSExec.exe abuse | Command, Process | LOLBins - Potential PSExec.exe abuse |
Defense Evasion¶
| Technique ID | Title | Data Source | ADS |
|---|---|---|---|
| T1562.001 | AMSI Bypass attack | Command | Impair Defenses - AMSIBypass Attack |
| T1562.001 | Impair Defenses - Disable Defender Functionalities Via Registry Keys | Windows Registry | Impair Defenses - Disable Defender Functionalities Via Registry Keys |
| T1562.001 | Impair Defenses: Disable or Modify Tools - Defender Disabling or Exclusions | Command | Impair Defenses: Disable or Modify Tools - Defender Disabling or Exclusions |
| T1562.001 | Impair Defenses: Disable or Modify Tools - Potential PowerShell Downgrade Attack | Command | Impair Defenses: Disable or Modify Tools - Potential PowerShell Downgrade Attack |
| T1562.001 | Impair Defenses: Removal Of AMSI Provider Registry Keys | Windows Registry | Impair Defenses: Removal Of AMSI Provider Registry Keys |
| T1562.002 | Disable Windows Logging MiniNT | Windows Registry | ImpairDefenses - Disable Windows Logging Mini NT |
| T1562.002 | Impair Defenses: Disable Windows Logging on EventID | Active Directory | ImpairDefenses - Disable Windows Logging on EventID |
| T1027.006 | HTML Smuggling | NA | HTML Smuggling |
| TA0005 | Potentially Suspicious Windows App Activity | Command, Process | Potentially Suspicious Windows App Activity |
Credential Access¶
| Technique ID | Title | Data Source | ADS |
|---|---|---|---|
| T1003.001 | OS Credential Dumping | Command | OS Credential Dumping: LSASS Memory |
| T1003.003 | Credential Access | File | Creation of Ntds.dit to Suspicious Location in Server |
| T1003.003 | OS Credential Dumping | Command , Process | OS Credential Dumping: NTDS |
| T1003.003 | Credential Access | Command, Process | Shadow Copies Creation Using Operating Systems Utilities |
| T1003.008 | OS Credential Dumping | File , Process | OS Credential Dumping: /etc/passwd and /etc/shadow |
| T1003.003 | OS Credential Dumping | Command | OS Credential Dumping: NTDS using tools |
| T1552.002 | Unsecured Credentials | Command, Windows Registry | REGISTRY Password Dumping |
| T1555 | Credentials from Password Stores | Command | Credentials from Password Stores |
Discovery¶
| Technique ID | Title | Data Source | ADS |
|---|---|---|---|
| T1016 | System Network Configuration Discovery | Command | EnumerateNetworkTopology |
| T1016 | Info stealer | Module | Info stealer Grixba |
| T1016.001 | Potential Pikabot C2 Activity | Process | Suspicious Process Created By Rundll32.EXE |
| T1033 | System Owner/User Discovery | Command | Identify successful logons to the host |
| T1082 | System Information Discovery | NA | System Information Discovery |
| T1016 | Discovery Activity Via Dnscmd.exe | Command, Process | Potential Discovery Activity Via Dnscmd.exe |
| T1087.002 | Active Directory Structure Export Via Ldifde.EXE | Command, Process | Active Directory Structure Export Via Ldifde.EXE |
| T1087.002 | Suspicious Group And Account Reconnaissance Activity Using Net.EXE | Command, Process | Suspicious Group And Account Reconnaissance Activity Using Net.EXE |
Command and Control¶
| Technique ID | Title | Data Source | ADS |
|---|---|---|---|
| T1090 | C2 Proxy | Command | Proxy |
| T1090 | Proxy - netsh abuse | Command, Process | Proxy - netsh abuse |
Malware / Tools¶
| Technique ID | Title | Data Source | ADS |
|---|---|---|---|
| S0357 | Impacket | Command | Impacket - DirCommand |
| S0357 | Impacket | Command | Impacket - SecretDumpSMB2 |
| S0154 | Cobalt Strike | Network Traffic | CobaltStrike - DNS |
| S0154 | Cobalt Strike | Named Pipe | CobaltStrike - NamedPipe |
| S0650 | QakBot | Command | Qakbot - Process Execution |
| S0650 | QakBot | Command | Qakbot - Defender Exclusions |
| S0650 | Qakbot | Command , Process | Qakbot: Post compromise commands |
| S0521 | Bloodhound/Sharphound | Command | Bloodhound/Sharphound - Execution Commandlets |
| S0522 | ADFind | Command | ADFind Execution |