# Threat Hunting Terminology

#### Threat Hunting Terms

**Advanced Persistent Threat (APT)**

An **Advanced Persistent Threat (APT)** refers to a stealthy, sophisticated, and prolonged cyberattack conducted by a skilled adversary. APTs are often state-sponsored or highly organized cybercriminal groups targeting high-value entities such as governments, corporations, or critical infrastructure.

**Key Characteristics of APTs:**

1. **Targeted Attacks:**
   * APTs are highly targeted, focusing on specific organizations or industries, such as government agencies, financial institutions, or critical infrastructure.
2. **Persistence:**
   * The attackers aim to maintain long-term access to the compromised systems, often using sophisticated backdoors and stealth techniques.
3. **Sophistication:**
   * APTs use advanced tools and techniques, including zero-day exploits, custom malware, and social engineering tactics.
4. **Multi-Stage Approach:**
   * APTs often involve several stages: reconnaissance, initial compromise, establishment of foothold, escalation of privileges, lateral movement, and exfiltration.
5. **Stealth:**
   * These attackers focus on avoiding detection by using encrypted communication, legitimate software for malicious purposes, and other obfuscation methods.

***

**Common Techniques Used in APTs:**

1. **Social Engineering:**
   * Phishing emails or spear-phishing campaigns targeting specific employees.
2. **Exploitation of Vulnerabilities:**
   * Leveraging zero-day exploits or unpatched software.
3. **Credential Theft:**
   * Using techniques like **Kerberoasting**, **Pass-the-Hash**, or keylogging.
4. **Lateral Movement:**
   * Using compromised credentials to move within the network to access valuable assets.
5. **Data Exfiltration:**
   * Sending stolen data out of the network without detection, often using encrypted channels.

**Examples of APT Groups**

1. **APT28 (Fancy Bear)**:
   * Believed to be Russian state-sponsored.
   * Known for targeting government and military organizations.
2. **APT29 (Cozy Bear)**:
   * Associated with Russian intelligence.
   * Infamous for the SolarWinds supply chain attack.
3. **APT41**:
   * A Chinese-based group blending cyber-espionage with financial crime.
   * Targets include healthcare, telecommunications, and gaming industries.
4. **Lazarus Group**:
   * Linked to North Korea.
   * Known for attacks on financial institutions, including the Bangladesh Bank heist.
5. **Equation Group**:
   * Tied to the NSA.
   * Pioneered advanced techniques and malware like Stuxnet.

**MITRE ATT&CK Framework**

* APTs heavily rely on techniques cataloged in the **MITRE ATT&CK Framework**.
* Examples:
  * **Persistence**: T1547 (Boot or Logon Autostart Execution).
  * **Privilege Escalation**: T1068 (Exploitation for Privilege Escalation).
  * **Defense Evasion**: T1218 (Signed Binary Proxy Execution).
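As an added illustration (not code from the original page), a small Python hunt that tags constructed Sysmon-style events with the ATT&CK techniques named above, plus the Kerberoasting entry from the credential-theft list. The event records, field names and matching rules are simplified assumptions, not a real telemetry schema.

```python
"""Constructed mini-hunt: tag sample Windows/Sysmon-style events with ATT&CK
technique IDs. Event records and field names are hypothetical and simplified."""
import re

# Constructed sample events (registry, process and Kerberos TGS records)
# representing one host's activity during a hunt.
EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe javascript:\..\mshtml,RunHTMLApplication"},
    {"id": 2, "type": "registry",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "details": r"C:\Users\Public\svc.exe"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"id": 4, "type": "kerberos", "event_id": 4769, "ticket_enc": "0x17", "service": "MSSQLSvc"},
    {"id": 5, "type": "kerberos", "event_id": 4769, "ticket_enc": "0x12", "service": "krbtgt"},
]

# Signed Microsoft binaries commonly abused to proxy script or remote content execution
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "msiexec.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
SUSPICIOUS_ARGS = re.compile(r"javascript:|https?://|\.sct\b", re.IGNORECASE)

def hunt(events):
    """Return {event id: [technique labels]} for every event that trips a hunt rule."""
    hits = {}
    for ev in events:
        tags = []
        # Persistence: value written under a Run/RunOnce autostart key
        if ev["type"] == "registry" and RUN_KEY.search(ev["target"]):
            tags.append("T1547.001 Registry Run Keys")
        # Defense Evasion: proxy binary launched with script/remote-looking arguments
        if ev["type"] == "process":
            binary = ev["image"].rsplit("\\", 1)[-1].lower()
            if binary in PROXY_BINARIES and SUSPICIOUS_ARGS.search(ev["cmdline"]):
                tags.append("T1218 Signed Binary Proxy Execution")
        # Credential Access: RC4 (0x17) TGS request for a non-krbtgt service account
        if (ev["type"] == "kerberos" and ev.get("event_id") == 4769
                and ev.get("ticket_enc") == "0x17" and ev["service"] != "krbtgt"):
            tags.append("T1558.003 Kerberoasting")
        if tags:
            hits[ev["id"]] = tags
    return hits
```

Each rule is a starting hypothesis for a hunt, not a verdict; the matching events are what an analyst would then pivot on in the full telemetry.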

***

**Tools Commonly Used by APTs**

1. **Cobalt Strike**: A penetration testing tool often repurposed by attackers.
2. **Mimikatz**: For credential harvesting.
3. **BloodHound**: For mapping Active Directory environments.
4. **Metasploit**: Exploitation framework.
5. **Custom Malware**: Tailored for specific attacks.

***