Hunting Attacks Using ATP part 1

v1 in progress

1. Credential Dumping

  • Overview:

    Credential dumping is a post-exploitation technique where attackers extract account login credentials from the operating system and software. These credentials can be plaintext passwords, password hashes, Kerberos tickets, or authentication tokens. Attackers target processes and databases like the Local Security Authority Subsystem Service (LSASS) memory, Security Account Manager (SAM) database, or Active Directory to obtain these credentials.

    By obtaining credentials, attackers can:

    • Escalate Privileges: Gain higher-level access within the system or domain.

    • Lateral Movement: Move across the network to other systems using valid credentials.

    • Persistence: Maintain long-term access to the environment.

    Common tools used for credential dumping include Mimikatz, Procdump, and built-in Windows utilities like taskmgr or wmic.

  • ATT&CK ID: T1003

  • Trigger Condition:

    • Processes attempting to read LSASS memory.

    • Access to the SAM database by non-system processes.

    • Use of tools or commands known for credential dumping.

    • Unusual process behavior interacting with security components.

  • How to Hunt Using Advanced Hunting:

DeviceProcessEvents
| where FileName in~ ("procdump.exe", "lsass.exe", "dumpert.exe", "mimikatz.exe")
| where ProcessCommandLine has_any ("lsass", "-ma", "sam", "security", "system")
| where InitiatingProcessAccountName != "SYSTEM"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine

  • This query searches for processes commonly associated with credential dumping activities that interact with LSASS or SAM, excluding legitimate system processes. It helps identify potential attempts to extract credentials from the system.

2. Phishing Attachment

  • Overview:

    Phishing attachments are malicious files sent via email, designed to trick users into executing malware or disclosing sensitive information. Attackers often disguise these attachments as legitimate documents, such as invoices, reports, or resumes, to entice users to open them.

    Common characteristics of phishing attachments:

    • Malicious Macros: Embedded scripts in Office documents that execute when the document is opened.

    • Executable Files: Files with extensions like .exe, .scr, or .bat that run code directly.

    • Script Files: JavaScript (.js), VBScript (.vbs), or PowerShell scripts that can download and execute payloads.

    • Archive Files: Compressed files like .zip or .rar that contain malicious content.

    Phishing attachments can lead to:

    • Malware Infection: Installation of ransomware, spyware, or trojans.

    • Credential Theft: Harvesting of login credentials through fake login prompts.

    • System Compromise: Providing attackers with remote access to the system.

  • ATT&CK ID: T1566.001

  • Trigger Condition:

    • Emails containing suspicious attachment types from unknown or spoofed senders.

    • High volume of similar emails sent to multiple recipients.

    • Attachments with double extensions (e.g., invoice.pdf.exe).

    • Use of social engineering language urging immediate action.

  • How to Hunt Using Advanced Hunting:`

EmailAttachmentInfo
| where FileType in~ ("exe", "scr", "js", "vbs", "docm", "xlsm")
| join EmailEvents on NetworkMessageId
| where SenderFromAddress !in ("trusted_sender@domain.com", "noreply@company.com")
| project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject, FileName, FileType

This query identifies emails with potentially malicious attachments from untrusted sources, helping you detect phishing attempts before users interact with them.

Thought لمدة 46 ثانية

Certainly, Medhat. I'll provide the same results with more detailed explanations in the overviews for each attack technique. This will give you a deeper understanding of each attack and how to detect them using advanced hunting in Microsoft Defender Advanced Threat Protection (ATP).

1. Credential Dumping

  • Overview:

    Credential dumping is a post-exploitation technique where attackers extract account login credentials from the operating system and software. These credentials can be plaintext passwords, password hashes, Kerberos tickets, or authentication tokens. Attackers target processes and databases like the Local Security Authority Subsystem Service (LSASS) memory, Security Account Manager (SAM) database, or Active Directory to obtain these credentials.

    By obtaining credentials, attackers can:

    • Escalate Privileges: Gain higher-level access within the system or domain.

    • Lateral Movement: Move across the network to other systems using valid credentials.

    • Persistence: Maintain long-term access to the environment.

    Common tools used for credential dumping include Mimikatz, Procdump, and built-in Windows utilities like taskmgr or wmic.

  • ATT&CK ID: T1003

  • Trigger Condition:

    • Processes attempting to read LSASS memory.

    • Access to the SAM database by non-system processes.

    • Use of tools or commands known for credential dumping.

    • Unusual process behavior interacting with security components.

  • How to Hunt Using Advanced Hunting:

    kustoنسخ الكودDeviceProcessEvents
| where FileName in~ ("procdump.exe", "lsass.exe", "dumpert.exe", "mimikatz.exe")
| where ProcessCommandLine contains_any ("lsass", "-ma", "sam", "security", "system")
| where InitiatingProcessAccountName != "SYSTEM"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine

    This query searches for processes commonly associated with credential dumping activities that interact with LSASS or SAM, excluding legitimate system processes. It helps identify potential attempts to extract credentials from the system.

2. Phishing Attachment

  • Overview:

    Phishing attachments are malicious files sent via email, designed to trick users into executing malware or disclosing sensitive information. Attackers often disguise these attachments as legitimate documents, such as invoices, reports, or resumes, to entice users to open them.

    Common characteristics of phishing attachments:

    • Malicious Macros: Embedded scripts in Office documents that execute when the document is opened.

    • Executable Files: Files with extensions like .exe, .scr, or .bat that run code directly.

    • Script Files: JavaScript (.js), VBScript (.vbs), or PowerShell scripts that can download and execute payloads.

    • Archive Files: Compressed files like .zip or .rar that contain malicious content.

    Phishing attachments can lead to:

    • Malware Infection: Installation of ransomware, spyware, or trojans.

    • Credential Theft: Harvesting of login credentials through fake login prompts.

    • System Compromise: Providing attackers with remote access to the system.

  • ATT&CK ID: T1566.001

  • Trigger Condition:

    • Emails containing suspicious attachment types from unknown or spoofed senders.

    • High volume of similar emails sent to multiple recipients.

    • Attachments with double extensions (e.g., invoice.pdf.exe).

    • Use of social engineering language urging immediate action.

  • How to Hunt Using Advanced Hunting:

    kustoنسخ الكودEmailAttachmentInfo
| where FileType in~ ("exe", "scr", "js", "vbs", "docm", "xlsm")
| join EmailEvents on NetworkMessageId
| where SenderFromAddress !in ("trusted_sender@domain.com", "noreply@company.com")
| project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject, FileName, FileType

    This query identifies emails with potentially malicious attachments from untrusted sources, helping you detect phishing attempts before users interact with them.

3. Remote Services Lateral Movement

  • Overview:

    Lateral movement via remote services involves attackers using legitimate protocols and services to move within a network. Services like Remote Desktop Protocol (RDP), Server Message Block (SMB), Windows Remote Management (WinRM), and Windows Management Instrumentation (WMI) are commonly exploited.

    Attackers use this technique to:

    • Expand Access: Reach additional systems and data.

    • Avoid Detection: Use legitimate services to blend with normal traffic.

    • Maintain Persistence: Establish multiple footholds within the network.

    They may leverage stolen credentials, exploit vulnerabilities, or use default passwords to gain access.

  • ATT&CK ID: T1021

  • Trigger Condition:

    • Unusual remote login attempts or successes from accounts that don't typically use remote services.

    • Remote connections initiated from non-corporate IP addresses or unexpected geographic locations.

    • Sudden increase in remote service usage.

    • Access to sensitive systems by non-authorized accounts.

  • How to Hunt Using Advanced Hunting:

DeviceLogonEvents
| where LogonType contains "RemoteInteractive"
| where AccountName !in ("expected_remote_user1", "expected_remote_user2")
| where Timestamp between (startofday(ago(1d)) .. endofday(ago(1d)))
| project Timestamp, DeviceName, AccountName, LogonType, RemoteDeviceName, InitiatingProcessAccountName

This query looks for remote logins by unexpected users within the last day, which could indicate lateral movement attempts using remote services.

4. Scheduled Task for Persistence

  • Overview:

    Attackers create scheduled tasks to execute malicious code automatically at system startup or specified intervals, ensuring their activities persist across reboots and remain hidden from users. Scheduled tasks can run programs, scripts, or commands with specified privileges.

    By leveraging scheduled tasks, attackers can:

  • Maintain Persistence: Ensure their malware continues to operate.

  • Automate Actions: Perform regular data exfiltration or system reconnaissance.

  • Elevate Privileges: Run tasks with higher privileges than the current user.

They might disguise tasks with names similar to legitimate system tasks to avoid detection.

  • ATT&CK ID: T1053

  • Trigger Condition:

    • Creation of new scheduled tasks by non-administrative or unusual accounts.

    • Scheduled tasks executing unfamiliar or suspicious executables/scripts.

    • Modifications to existing tasks without proper authorization.

    • Tasks scheduled to run at odd times (e.g., late at night).

  • How to Hunt Using Advanced Hunting:

DeviceProcessEvents
| where FileName == "schtasks.exe" and ProcessCommandLine contains "/create"
| where InitiatingProcessAccountName !in ("Administrator", "ScheduledTaskUser" )
| extend TaskName = extract(@"\/tn\s+([^\s]+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, InitiatingProcessAccountName, TaskName, ProcessCommandLine

This query identifies the creation of new scheduled tasks by unexpected accounts, which could indicate malicious persistence mechanisms.

5. Process Injection

  • Overview:

    Process injection is a method where attackers inject malicious code into legitimate processes to evade detection and execute code under the context of the target process. This technique allows malware to:

    • Hide Malicious Activities: Blend with legitimate process activities.

    • Bypass Security Controls: Evade application whitelisting and other defenses.

    • Access System Resources: Gain the same permissions as the injected process.

    Common injection methods include:

    • DLL Injection: Loading a malicious DLL into a process.

    • Thread Execution Hijacking: Manipulating threads within a process.

    • Asynchronous Procedure Call (APC) Injection: Queuing malicious code to execute within a process.

  • ATT&CK ID: T1055

  • Trigger Condition:

    • Detection of processes writing to another process's memory space.

    • Creation of remote threads in other processes.

    • Use of API calls associated with injection (e.g., WriteProcessMemory, CreateRemoteThread).

    • Unusual parent-child process relationships or process behaviors.

How to Hunt Using Advanced Hunting:

DeviceProcessEvents
| where ActionType == "ProcessInjected"
| where InitiatingProcessFileName !in ("known_legitimate_process1.exe", "known_legitimate_process2.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName

  • This query searches for process injection events not associated with known legitimate processes, highlighting potential malicious activities.

6. Exfiltration Over Command and Control Channel

  • Overview:

    Attackers often exfiltrate data using the same channels they use for command and control (C2) communications. By piggybacking data exfiltration over established C2 channels, they reduce the likelihood of detection, as the traffic may appear legitimate or expected.

    Methods include:

    • Embedding Data in C2 Traffic: Hiding exfiltrated data within normal C2 communications.

    • Using Standard Protocols: Utilizing HTTP, HTTPS, or DNS to blend with normal traffic.

    • Encryption: Encrypting data to prevent content inspection from detecting sensitive information.

    This technique can lead to significant data loss without triggering alerts for abnormal outbound connections.

  • ATT&CK ID: T1041

  • Trigger Condition:

    • Unusual outbound connections to rare or suspicious domains/IPs.

    • High volume of data sent to external hosts over C2 channels.

    • Use of non-standard ports for outbound connections.

    • Encrypted or encoded data in outbound communications that deviate from normal patterns.

  • How to Hunt Using Advanced Hunting:

DeviceNetworkEvents
| where RemoteIP !in ("known_good_ip1", "known_good_ip2")
|  where RemoteIP !startswith "10."
       and RemoteIP !startswith "172."
       and RemoteIP !startswith "192.168"
       and RemoteIP !startswith "127.0.0.1"
       and RemoteIP !startswith "::1"
       and RemoteIP !startswith "192.0"
       and isnotempty(RemoteIP)
| where RemotePort !in (80, 443, 53)
| summarize count() by Timestamp , RemoteIP, RemotePort , DeviceName,  InitiatingProcessAccountName, InitiatingProcessFileName , InitiatingProcessFolderPath , InitiatingProcessCommandLine , InitiatingProcessSHA256 , InitiatingProcessParentFileName 
 | order by Timestamp desc

This query identifies high-volume connections to external IPs over uncommon ports, which may indicate data exfiltration activities.

7. Command-Line Interface Usage

  • Overview:

    Attackers use command-line interfaces to execute commands, scripts, or binaries to control systems, perform reconnaissance, and navigate the network. The command line provides powerful capabilities that can be scripted and automated.

    Attackers may use the CLI to:

    • Enumerate System Information: Gather details about the system, network, and users.

    • Manipulate Files and Processes: Create, modify, or delete files and processes.

    • Execute Scripts and Commands: Run malicious code or scripts to perform actions.

    • Bypass Security Controls: Use built-in tools to avoid detection.

    Common tools include cmd.exe, powershell.exe, bash, and scripting languages like Python.

  • ATT&CK ID: T1059

  • Trigger Condition:

    • Execution of command-line interpreters with suspicious arguments.

    • Use of commands associated with reconnaissance or privilege escalation.

    • CLI usage by accounts that don't typically use it.

    • Execution of encoded or obfuscated commands.

  • How to Hunt Using Advanced Hunting:

DeviceProcessEvents
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
| where ProcessCommandLine has_any ("whoami", "net user", "net localgroup", "ipconfig", "systeminfo", "nslookup")
| where InitiatingProcessAccountName !in ("IT_Admin", "SystemAdmin")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine

This query detects the use of command-line tools executing common enumeration commands by non-administrative users, which may indicate malicious activity.

8. Masquerading

  • Overview:

    Masquerading is a deception technique where attackers disguise malicious files, processes, or services to appear legitimate. This helps them avoid detection by users and security tools.

    Examples include:

    • File Renaming: Naming malicious files with names of legitimate system files (e.g., svchost.exe).

    • Path Manipulation: Placing malicious executables in directories where they are not expected (e.g., user directories instead of system directories).

    • Extension Spoofing: Using file extensions that don't match the file content (e.g., a .txt file containing an executable).

    • Metadata Manipulation: Modifying file attributes, such as timestamps and digital signatures.

    Masquerading can lead to:

    • Execution of Malicious Code: Users or processes inadvertently execute malicious files.

    • Persistence: Malicious services or processes run undetected.

    • Evasion of Security Controls: Security tools may whitelist or ignore files based on their names or locations.

  • ATT&CK ID: T1036

  • Trigger Condition:

    • Executables with system file names located in non-standard directories.

    • Files with mismatched extensions and content types.

    • Processes running from temporary or user directories with system file names.

    • Digital signatures that don't match the claimed publisher.

  • How to Hunt Using Advanced Hunting:

DeviceFileEvents
| where FileName in~ ("svchost.exe", "explorer.exe", "notepad.exe", "cmd.exe")
| where not(FolderPath startswith "C:\\Windows\\")
  and  not(FolderPath startswith "C:\\Users\\")
  and  not(FolderPath startswith "C:\\Temp\\")
  and  not(FolderPath startswith "C:\\ProgramData\\")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256

This query finds executables with system file names that are not in the standard Windows directories, indicating potential masquerading attempts.

9. Obfuscated Files or Information

  • Overview:

    Obfuscation involves altering code or content to make it difficult to read or analyze. Attackers use obfuscation to hide malicious code from security tools and analysts, increasing the chances of successful execution.

    Techniques include:

    • Encoding: Using Base64 or other encoding methods to conceal code.

    • Encryption: Encrypting scripts or binaries to prevent analysis.

    • Compression: Compressing files to alter their signatures.

    • Code Manipulation: Adding junk code, renaming variables, or using dynamic code generation.

    Obfuscated code can:

    • Bypass Security Tools: Evade signature-based detection.

    • Delay Analysis: Make it harder and more time-consuming for analysts to understand the code.

    • Conceal Malicious Intent: Hide the true purpose of the code.

  • ATT&CK ID: T1027

  • Trigger Condition:

    • Execution of scripts or commands containing encoded content.

    • Use of obfuscation functions or methods (e.g., Invoke-Obfuscation, FromBase64String).

    • High entropy in files or scripts, indicating randomness from encryption or compression.

    • Repeated patterns or unusual characters in code.

  • How to Hunt Using Advanced Hunting:

    DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine matches regex @"(?i)(Invoke\-Obfuscation|FromBase64String|IEX|Compress\-Archive|New\-Object System\.IO\.Compression)"
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine ,InitiatingProcessFileName ,  InitiatingProcessFolderPath

This query searches for PowerShell executions involving commands or methods commonly used in obfuscation, helping to identify potentially malicious scripts.

10. Use of Valid Accounts

  • Overview:

    Attackers often exploit valid user accounts to gain access to systems and data. Using legitimate credentials allows them to:

  • Bypass Access Controls: Access systems without triggering alarms for unauthorized access.

  • Blend with Normal Activity: Hide within normal user behavior.

  • Maintain Persistence: Retain access even if malware is detected and removed.

Credentials can be obtained through:

  • Phishing: Trick users into revealing their login information.

  • Credential Dumping: Extracting credentials from compromised systems.

  • Password Guessing or Spraying: Attempting common passwords across multiple accounts.

  • Buying Credentials: Purchasing login details from underground markets.

  • ATT&CK ID: T1078

  • Trigger Condition:

    • Logins from valid accounts at unusual times or from unusual locations.

    • Multiple failed login attempts followed by a successful login.

    • Simultaneous logins from different geographic regions.

    • Access to systems or data not typically associated with the account.

How to Hunt Using Advanced Hunting:

DeviceLogonEvents
| where Timestamp > ago(7d)
| where AccountName !in ("ServiceAccount", "AdminAccount")
| summarize LogonCount = count(), DistinctIPs = dcount(RemoteIP) by AccountName
| where LogonCount > 50 or DistinctIPs > 4
| project AccountName, LogonCount, DistinctIPs

This query identifies accounts with a high number of logins or logins from multiple IP addresses over the past week, indicating potential misuse of valid accounts.

--

11. Spearphishing Link

  • Overview:

Spearphishing links are targeted phishing attacks where adversaries send emails containing malicious URLs to specific individuals or organizations. Unlike generic phishing attempts, spearphishing is tailored to the recipient, often using personalized information to increase the likelihood of interaction. The malicious link may lead to:

  • Credential Harvesting: Redirecting to fake login pages to capture user credentials.

  • Malware Download: Initiating downloads of malicious files upon clicking the link.

  • Exploit Delivery: Redirecting to websites that exploit browser or plugin vulnerabilities.

Spearphishing links exploit the trust and familiarity users have with their email communications, making them a potent initial access vector.

  • ATT&CK ID: T1566.002

  • Trigger Condition:

    • Emails containing URLs from newly registered or low-reputation domains.

    • Links with obfuscated URLs or using URL shorteners.

    • Emails with language urging immediate action (e.g., "urgent", "important update").

    • Emails sent to high-profile targets within the organization.

  • How to Hunt Using Advanced Hunting:

EmailUrlInfo
| where UrlDomain != "trusted_domain.com"
| where Url matches regex @"http[s]?://(bit\.ly|tinyurl\.com|ow\.ly|t\.co)/.*"
| join EmailEvents on NetworkMessageId
| where SenderFromAddress !in ("trusted_sender@domain.com")
| project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject, Url

This query identifies emails containing URLs from untrusted domains or using URL shortening services, which could indicate spearphishing attempts.

12. Windows Management Instrumentation (WMI)

  • Overview:

Windows Management Instrumentation (WMI) is a Windows feature that provides a standardized way to access and manipulate system management information. Attackers use WMI for:

  • Lateral Movement: Execute commands on remote systems.

  • Persistence: Create WMI event subscriptions to trigger actions.

  • Execution: Run scripts or programs without dropping files on disk.

WMI is powerful and often overlooked, making it an attractive tool for attackers to execute code stealthily.

  • ATT&CK ID: T1047

  • Trigger Condition:

    • Unusual WMI execution by non-administrative accounts.

    • WMI commands originating from unexpected hosts.

    • Creation of WMI event subscriptions without proper authorization.

  • How to Hunt Using Advanced Hunting:

    DeviceProcessEvents
| where FileName in ("wmic.exe", "wmiapsrv.exe")
| where InitiatingProcessAccountName !in ("Administrator", "WMI_Service")
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine

This query identifies WMI usage by unexpected accounts, which may indicate malicious activity.

--

13 . DLL Side-Loading

  • Overview:

DLL side-loading involves attackers placing a malicious DLL in a directory where an application will load it instead of the legitimate DLL. This technique exploits the way Windows searches for DLLs, allowing attackers to execute code under the context of a trusted application.

Implications of DLL side-loading:

  • Stealthy Execution: Runs malicious code without raising immediate suspicion.

  • Privilege Escalation: If the application runs with elevated privileges, so does the malicious DLL.

  • Bypassing Security Controls: May avoid detection by application whitelisting.

  • ATT&CK ID: T1574.002

  • Trigger Condition:

    • Applications loading DLLs from unexpected directories.

    • DLLs with mismatched digital signatures or no signature.

    • Recently created DLL files in application directories.

  • How to Hunt Using Advanced Hunting:

DeviceImageLoadEvents
| where InitiatingProcessFileName == "trusted_app.exe"
| where FileName endswith ".dll"
| where not(FolderPath startswith "C:\\Windows\\System32\\")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, FolderPath

This query detects when a trusted application loads a DLL from a non-standard directory, indicating potential side-loading.

14. Privilege Escalation via Exploitation

  • Overview:

Attackers exploit software vulnerabilities to elevate their privileges on a system. By leveraging unpatched or zero-day vulnerabilities, they can move from a low-privileged user to an administrator or SYSTEM level.

Consequences include:

  • Full System Control: Ability to manipulate system settings and security controls.

  • Access to Sensitive Data: Read or modify protected files and data.

  • Persistence: Install malware that requires elevated privileges.

  • ATT&CK ID: T1068

  • Trigger Condition:

    • Execution of known exploit code or tools.

    • Processes spawning with higher privileges unexpectedly.

    • Crash logs or error reports indicating exploitation attempts.

  • How to Hunt Using Advanced Hunting:

DeviceProcessEvents
| where ProcessTokenElevation == "TokenElevationTypeFull"
| where InitiatingProcessTokenElevation != "TokenElevationTypeFull"
| where InitiatingProcessAccountName != "Administrator"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName , FolderPath , InitiatingProcessFolderPath

This query identifies processes that have escalated privileges from a lower-privileged parent process, which may indicate privilege escalation exploits.

15 . Remote File Copy

  • Overview:

Attackers copy files to or from a remote system to stage tools, exfiltrate data, or collect information. Methods for remote file copying include:

  • SMB (File Shares): Accessing shared folders over the network.

  • Remote Desktop Protocol (RDP): Using clipboard or drive redirection features.

  • Third-party Tools: Using utilities like scp, ftp, or custom tools.

Remote file copy can be a precursor to further attacks or data exfiltration.

  • ATT&CK ID: T1105

  • Trigger Condition:

  • Unusual file transfers between systems.

  • Use of network protocols or ports not commonly used in the environment.

  • File access by accounts outside of normal usage patterns.

  • How to Hunt Using Advanced Hunting:

    DeviceNetworkEvents
| where RemotePort in (139, 445)
| where InitiatingProcessFileName !in ("explorer.exe", "svchost.exe")
| where InitiatingProcessAccountName !in ("AuthorizedUser")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath , RemoteIP, RemotePort

  • This query identifies processes initiating SMB connections to copy files, excluding known legitimate processes and accounts.

  1. Input Capture: Keylogging

  • Overview:

    Keylogging involves capturing keystrokes to harvest sensitive information like passwords, credit card numbers, and personal messages. Attackers install keylogger malware that records keystrokes and sends the data back to them.

Risks include:

  • Credential Theft: Capture of usernames and passwords.

  • Data Leakage: Exposure of confidential information.

  • Privacy Invasion: Monitoring of personal communications.

  • ATT&CK ID: T1056.001

  • Trigger Condition:

    • Installation of software that hooks into keyboard inputs.

    • Processes accessing keyboard APIs or device drivers unusually.

    • Unrecognized applications running in the background.

  • How to Hunt Using Advanced Hunting:

DeviceProcessEvents
| where ProcessCommandLine matches regex @"SetWindowsHookEx|GetAsyncKeyState|GetForegroundWindow"
| where InitiatingProcessFileName !in ("known_legitimate_app.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine

This query searches for processes using APIs commonly associated with keylogging, excluding known legitimate applications.

17. Data Encrypted for Impact: Ransomware

  • Overview:

    Ransomware encrypts files on a victim's system, rendering them unusable until a ransom is paid. Attackers often target critical systems and backups to maximize impact. Ransomware can spread through:

    • Phishing Emails: Malicious attachments or links.

    • Exploiting Vulnerabilities: Unpatched systems or software.

    • Remote Desktop Protocol (RDP): Brute-force attacks on exposed RDP services.

    The impact includes operational disruption, data loss, and financial costs.

  • ATT&CK ID: T1486

  • Trigger Condition:

    • Rapid file modifications or encryptions.

    • Creation of ransom note files (e.g., README.txt, DECRYPT_INSTRUCTIONS.html).

    • Processes scanning and modifying multiple files across directories.

  • How to Hunt Using Advanced Hunting:

DeviceFileEvents
| where ActionType == "FileModified"
| summarize ModificationCount = count() by FileName ,  InitiatingProcessFileName, InitiatingProcessFolderPath,  DeviceName, InitiatingProcessSHA256,  bin(Timestamp, 1m)
| where ModificationCount > 100
| project Timestamp, DeviceName, InitiatingProcessFileName , FileName , InitiatingProcessFolderPath , InitiatingProcessSHA256, ModificationCount

This query detects processes that modify a large number of files in a short period, which is indicative of ransomware activity.

18. Brute Force

  • Overview:

    Brute-force attacks involve systematically trying numerous passwords or passphrases with the hope of eventually guessing correctly. Attackers target user accounts, administrative accounts, or network services like SSH and RDP.

    Consequences include:

    • Unauthorized Access: Gain entry to systems or accounts.

    • Account Lockouts: Disrupt services by triggering lockout policies.

    • Credential Stuffing: Using leaked credentials from other breaches.

  • ATT&CK ID: T1110

  • Trigger Condition:

    • Multiple failed login attempts from the same source.

    • Sequential login attempts across multiple accounts.

    • Logins at unusual times or from unknown IP addresses.

  • How to Hunt Using Advanced Hunting:

    DeviceLogonEvents
| where ActionType == "LogonFailed"
| summarize FailureCount = count() by AccountName, RemoteIP, bin(Timestamp, 5m)
| where FailureCount > 10
| project Timestamp, AccountName, RemoteIP, FailureCount

This query identifies accounts with multiple failed login attempts within a 5-minute window, indicating potential brute-force attempts.

19 . Unsecured Credentials: Credentials in Files

  • Overview:

Attackers search for credentials stored insecurely in files on the system. These may include configuration files, scripts, or documents that contain plaintext usernames and passwords.

Risks include:

  • Credential Theft: Easy access to passwords without needing to crack hashes.

  • Lateral Movement: Use obtained credentials to access other systems.

  • Privilege Escalation: Gain higher-level access if privileged credentials are found.

  • ATT&CK ID: T1552.001

  • Trigger Condition:

    • Access to files known to store credentials (e.g., config.php, .env files).

    • Use of command-line tools to search for files containing password strings.

    • Unusual processes reading sensitive files.

  • How to Hunt Using Advanced Hunting:

DeviceFileEvents
| where FileName matches regex @".*(\.env|config\.php|id_rsa)$"
| where ActionType == "FileAccessed"
| where InitiatingProcessFileName !in ("known_good_processes")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, FolderPath

This query detects processes accessing files that commonly store credentials, excluding known legitimate processes.

20 . File and Directory Discovery

  • Overview:

    Attackers perform file and directory discovery to locate files, directories, and resources on a system or network. This reconnaissance helps them identify sensitive information, configuration files, or potential targets for data exfiltration. They may use built-in commands or scripts to list files, search for specific file types (e.g., documents, spreadsheets), or locate configuration files that may contain credentials.

Common methods include:

  • Command-Line Tools: Using commands like dir, ls, tree, or find.

  • Scripting Languages: Employing PowerShell, Python, or batch scripts to automate searches.

  • Third-Party Tools: Utilizing file search utilities to expedite the process.

Understanding the file system structure allows attackers to plan their next steps, such as privilege escalation, lateral movement, or data theft.

  • ATT&CK ID: T1083

  • Trigger Condition:

    • Execution of commands that enumerate files and directories.

    • Processes accessing a large number of files in a short period.

    • Unusual users or processes performing extensive file system queries.

    • Use of scripts to search for files with specific extensions (e.g., .docx, .xlsx, .pdf).

  • How to Hunt Using Advanced Hunting:

DeviceProcessEvents
| where FileName in~ ("cmd.exe", "powershell.exe", "python.exe", "bash")
| where ProcessCommandLine has_any ("dir", "ls", "Get-ChildItem", "Get-Item", "findstr", "grep")
| where InitiatingProcessAccountName !in ("AdminUser", "BackupService")
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine

This query identifies the use of file and directory listing commands by unexpected users or processes, which may indicate reconnaissance activities.

PreviousHunting Attacks Using ATP part 2NextIntroduction to Threat Hunting

Last updated