T H R E AT H U N T I N G P L AY B O O K

LEARN HOW TO EMBRACE A PROACTIVE SECURITY POSTURE

TABLE OF CONTENTS

Introduction: Building Resilience 3 Threat Hunting Scenarios 14

Indicators of Threat Attacks 5 1. Use Case: Reg.exe called from Command Shell 15
1. Unusual Outbound Network Traffic 6 2. Use Case: Simultaneous Logins on a Host 16
2. Anomalies In Privileged User Account Activity 7 3. Use Case: Quick Execution of a Series of
3. Geographical Irregularities 7 Suspicious Commands 17

4. Other Log-In Red Flags 8 4. Use Case: Processes Spawning cmd.exe 18

5. Swells In Database Read Volume 8 5. Use Case: RDP Connection Detection 19

6. HTML Response Sizes 9 6. Use Case: All Logins Since Last Boot 20

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

7. Large Numbers Of Requests For The Same File 9 7. Use Case: RPC Activity 21

8. Mismatched Port-Application Traffic 10 8. USE Case: Remote Desktop Logon 23

9. Suspicious Registry Or System File Changes 10 9. USE Case: User Activity from Clearing Event Logs 24

10. DNS Request Anomalies 11 10. USE Case: User Activity from Stopping Windows
Defensive Services 25
11. Unexpected Patching Of Systems 11
11. USE Case: Successful Local Account Login 26
12. Mobile Device Profile Changes 12
12. USE Case: Debuggers for Accessibility applications 27
13. Bundles Of Data In The Wrong Places 12
13. USE Case: User Logged in to Multiple Hosts 28
14. Web Traffic With Unhuman Behavior 13
14. USE Case: Service Search Path Interception 29
15. Signs Of DDoS Activity 13
Summary Chart 30
Learn More 31

2
INTRODUCTION:
BUILDING RESILIENCE
While we’re all familiar with the immune system, it’s less
well-known that its ability to build resilience against
attacks comes from two broad groups called the innate
and the acquired immune systems. Each plays a specific
role in building a robust security posture for the body.

The innate immune system is comprised of defences like

the skin, lungs, eyes, stomach - all aimed at stopping the
infection from getting into the body in the first place.

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

But our bodies are smart enough to know that infectious
agents can and will get through the perimeter defenses,
and so it has developed a second set of defenses. For
example, our white blood cells exist to seek out and
The human body has been said to be ‘at war’. destroy foreign organisms.

Our bodies are constantly under attack from things that The story of the human immune system shares many
are trying to do it harm. These include toxins, bacteria, parallels with the challenges faced by today’s enterprises.
fungi, parasites and viruses. All of these can, under the right Just like the human body, enterprises are under constant
conditions, cause damage and destruction to parts of the attack with 230,000 new malware attacks launched every
body and if these were left unchecked, the human body day. And just as the human body has multiple layers of
would not be able to function. It is the purpose of the immune security, progressive organizations are building resilience
system to act as the body’s own army, in defence against this against these mounting threats by embracing a layered
constant stream of possible infections and toxins. approach to security.

3
Security leaders are beginning to understand, just like
the human body, that perimeter based defense systems
are not ironclad and that threat actors will, eventually,
get in. In response they’re developing ‘white blood cells’
of their own in the form of new capabilities that will
proactively hunt out threats and neutralize them.

Real time threat hunting has many benefits. It allows

security analysts to focus on the most credible threats
and to build a robust story around an event as it
unfolds. CIOs are able to manage risk by arming the
front line with tools, techniques and procedures to
identify unknown and internal threats and increase
team productivity.

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

This guide will help you to operationalize the real-
time threat hunting methodology by unpacking which
indicators of attack and compromise to monitor along
with presenting threat hunting scenarios to further
assist the SOC analyst in their threat hunt for a
potential breach on their network.

4
INDICATORS OF THREAT ATTACKS

There are many indicators of compromise (IOC) and Here are some key indicators of compromise to monitor
indicators of attack (IOA) that threat hunters look (in no particular order)1:
for. These IOCs/IOAs are signals on the network,
that are forensic evidence of compromised activity, 1. Unusual Outbound Network Traffic

that could reveal a threat is imminent or has been 2. Anomalies In Privileged User Account Activity
successful. These IOCs, unusual activities, are 3. Geographical Irregularities
footprints, that a threat hunter is searching for to
4. Other Log-In Red Flags
prevent an imminent attack.
5. Swells In Database Read Volume
6. HTML Response Sizes

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

7. Large Numbers Of Requests For The Same File
8. Mismatched Port-Application Traffic
9. Suspicious Registry Or System File Changes
10. DNS Request Anomalies
11. Unexpected Patching Of Systems
12. Mobile Device Profile Changes
13. Bundles Of Data In The Wrong Places
14. Web Traffic With Unhuman Behavior
15. Signs Of DDoS Activity

1
As reported by Dark Reading: https://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise/d/d-id/1140647?page_number=1 5
 1.
UNUSUAL OUTBOUND NETWORK TRAFFIC

The threat hunter should look for suspicious traffic leaving • Successful connections to and from servers with bad
the network. reputation. The reputation intelligence comes from
multiple open source intelligence feeds - OSINT, OTX,
Watch for activity within the network and look for traffic MalwareDomainList.com, PhishTank. Paid intelligence
feeds like Kasperky, DGA Archive etc. are supported if
leaving your perimeter. Compromised systems will often
you have a license for the feeds.
call home to command-and-control servers, and this
traffic may be visible before any real damage is done. • Outgoing traffic to TOR exit nodes.

• Excessive outgoing RDP connections from a host.

• Outgoing access to popular crypto currency mining

VASA Note: Out of the box, VASA will detect any domains.

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

unusual Outbound Network Traffic. Our Machine • Non-proxy http access.
Learning Algorithms will generate Alerts for any
• Excessive NXDOMAIN responses to DNS queries on
anomalous event deviating from the standard user/
any host.
machine behaviours. The following are some of
• External DNS servers being used.
the built-in-detections. Customized rules can be
created to address a specific scenario. • Non-standard DNS servers being used.

• Non-standard SMTP servers being used.

• External SMTP servers being used.

• RDP brute force attack – multiple RDP failures followed

by a success.

6
 2. 3.
ANOMALIES IN PRIVILEGED GEOGRAPHICAL
USER ACCOUNT ACTIVITY IRREGULARITIES

A well-prepared attack is when attackers either escalate Geographical irregularities in log-ins and access patterns
privileges of accounts they’ve already compromised or can provide good evidence that attackers are pulling
use that compromise to leapfrog into other accounts strings from far away. For example, traffic between
with higher privileges. Keeping tabs on unusual account countries that a company doesn’t do business with offers
behavior from privileged accounts not only watches out reason for pause.
for insider attacks, but also account takeover. Watching for
changes — such as time of activity, systems accessed, type Similarly, when one account logs in within a short period

or volume of information accessed — will provide early of time from different IPs around the world, that’s a good

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

indication of a breach. indication of trouble.

VASA Note: RANK’s VASA has built in support for VASA Note: By default, VASA creates a baseline
this scenario. With the assumption that End Point behaviour for clusters of users and machines.
Logs are being collected, upon privileges changes, When VASA detects geographical irregularities
VASA will trigger a High Risk Score Alert, indicating in log-ins, or from abnormal locations/IPs, or
a possible malware detection. timeframes, VASA will trigger Alerts to signal the
Anomaly detected.

7
 4. 5.
OTHER LOG-IN SWELLS IN DATABASE
RED FLAGS READ VOLUME

Log-in irregularities and failures can provide excellent Once an attacker has made it into the network, they seek
clues of network and system probing by attackers. Check to exfiltrate information, there will be signs that someone
for failed logins using user accounts that don’t exist — has been mucking about data stores. One of them is a
these often indicate someone is trying to guess a user’s spike in database read volume.
account credentials and gain authorization Similarly,
attempted and successful log-in activity after hours
can provide clues that it isn’t really an employee who is
accessing data. VASA Note: VASA’s built in intelligence will sense

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

any anomaly in swells of Database Read Volumes,
as well as any increase in SMB file transfers, and
trigger the respective Alert.
VASA Note: As in the previous section, VASA
will generate Alerts for any unusual successful or
unsuccessful login activity.

8
 6. 7.
HTML RESPONSE SIZES LARGE NUMBERS OF
REQUESTS FOR THE
SAME FILE

If attackers use SQL injection to extract data through a It takes a lot of trial and error to compromise a site —
Web application, the requests issued by them will usually attackers have to keep trying different exploits to find
have a larger HTML response size than a normal request. ones that stick. And when they find signs that an exploit
might be successful, they’ll frequently use different
For example, if the attacker extracts the full credit card permutations to launch it.
database, then a single response for that attacker might be
20 to 50 MB, where a normal response is only 200 KB. So while the URL they are attacking will change on each
request, the actual filename portion will probably stay the

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

same. So you might see a single user or IP making 500
requests for ‘join.php,’ when normally a single IP or user
VASA Note: VASA will detect any unusual HTML
would only request that page a few times max.
response size larger than a normal request.

VASA Note: Any unusual, or high frequency

scanning of internal machines, is indicative of
reconnaissance activity. Vasa will trigger an
associated alert when it detects this behaviour.

9
 8. 9.
MISMATCHED SUSPICIOUS REGISTRY OR
PORT-APPLICATION SYSTEM FILE CHANGES
TRAFFIC
One of the ways malware writers establish persistence within an infected
host is through registry changes.
Attackers often take advantage of obscure
ports to get around more simple Web filtering Creating a baseline is the most important part when dealing with registry-
techniques. So if an application is using an based IOCs. Defining what a clean registry is supposed to contain
unusual port, it could be sign of command- essentially creates the filter against which you will compare your hosts.
and-control traffic masquerading as “normal” Monitoring and alerting on changes that deviate outside the bounds of the
application behavior. clean ‘template’ can drastically increase security team response time.

For example, if you notice several instances of Similarly, many attackers will leave behind signs that they’ve tampered with
a host in system files and configurations.

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

infected hosts sending C&C communications
masked as DNS requests over port 80. At
What can happen is that the attacker will install packet-sniffing software
first glance, these requests may appear to be
to harvest credit card data as it moves around the network. The attacker
standard DNS queries; however, it is not until
targets a system that can watch the network traffic, then installs the
you actually look at those queries that you see
harvesting tool. While the chances of catching the specific harvesting tool
the traffic going across a nonstandard port.
are slim — because they will be targeted and probably not seen before —
DNS does not use port 80.
there is a good chance to catch the changes to the system that houses the
harvesting tool.

VASA Note: Protocol Masquerading is a

VASA Note: Assuming End Point Logs are being collected,
default detection available on VASA.
VASA will detect any deviation from the baseline behaviours of
the end points and trigger the associated Alert.

10
 10. 11.
DNS REQUEST UNEXPECTED PATCHING
ANOMALIES OF SYSTEMS

According to experts, one of the most effective red flags Patching is generally a good thing, but if a system is
an organization can look for are tell-tale patterns left by inexplicably patched without reason, that could be the
malicious DNS queries. sign that an attacker is locking down a system so that
other bad guys can’t use it for other criminal activity.
Command-and-control traffic is often the most important
traffic to an attacker because it allows them ongoing
management of the attack and it needs to be secure so
that security professionals can’t easily take it over. The
unique patterns of this traffic can be recognized and is a

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

very standard approach to identifying a compromise.

Seeing a large spike in DNS requests from a specific

host can serve as a good indicator of potentially suspect
activity. Watching for patterns of DNS requests to
external hosts, compared against geoIP and reputation
data, and implementing appropriate filtering can help
mitigate C&C over DNS.

VASA Note: VASA will trigger Alerts on any

Abnormal DNS behavior such as high rate of DNS
requests, DNS resolving to multiple IP’s.

11
 12. 13.
MOBILE DEVICE BUNDLES OF DATA IN
PROFILE CHANGES THE WRONG PLACES

As attackers migrate to mobile platforms, enterprises Attackers frequently aggregate data at collection
should keep an eye on unusual changes to mobile users’ points in a system before attempting exfiltration. If you
device settings. They also should watch for replacement suddenly see large gigabytes of information and data
of normal apps with hostile ones that can carry out man- where they should not exist, particularly compressed
in-the-middle attacks or trick users into giving up their in archive formats your company doesn’t’ use, this is a
enterprise credentials. telltale sign of an attack.

If a managed mobile device gains a new configuration In general, files sitting around in unusual locations
profile that was not provided by the enterprise, this may should be scrutinized because they can point to an
indicate a compromise of the user’s device and, from impending breach.

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

there, their enterprise credentials. These hostile profiles
can be installed on a device through a phishing or spear- Files in odd places, like the root folder of the recycle

phishing attack. bin, are hard to find looking through Windows, but
easy and quick to find with a properly crafted Indicator
of Compromise. Executable files in the temp folder is
VASA Note: If an Enterprise, has an MDM another one, often used during privilege escalation,
Solution in place, VASA can be integrated with which rarely has a legitimate existence outside of
the any MDM solution to provide insights on attacker activity.
Mobile Devices.

12
 14. 15.
WEB TRAFFIC WITH SIGNS OF DDOS
UNHUMAN BEHAVIOR ACTIVITY

Web traffic that doesn’t match up with normal human Distributed denial-of-service attacks (DDoS) are
behavior shouldn’t pass the sniff test. frequently used as smokescreens to camouflage other
more pernicious attacks. If an organization experiences
How often do you open 20 or 30 browser windows to signs of DDoS, such as slow network performance,
different sites simultaneously? Computers infected with unavailability of websites, firewall failover, or back-end
a number of different click-fraud malware families may systems working at max capacity for unknown reasons,
generate noisy volumes of Web traffic in short bursts. they shouldn’t just worry about those immediate
Or, for instance, on a corporate network with a locked- problems.
down software policy, where everyone is supposed to be
using one type of browser, an analyst might see a Web In addition to overloading mainstream services, it is

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

session in which the user-agent string which identifies the not unusual for DDoS attacks to overwhelm security
browser to the Web server indicates the use of a browser reporting systems, such as IPS/IDS or SIEM solutions.
that’s far removed from the standard corporate image, or This presents new opportunities for cybercriminals to
maybe a version that doesn’t even exist. plant malware or steal sensitive data. As a result, any
DDoS attack should also be reviewed for related data
breach activity.
VASA Note: VASA will trigger Alerts for the
above use case.
VASA Note: Vasa will trigger alerts for the above
use case.

13
THREAT HUNTING SCENARIOS
Attacks on enterprise networks are coming from a growing The knowledge base is broken down into:
number of different threats, faster than previously thought
• a Use Case label and the Tactic that the
possible. Successful cyber attacks result in exposing sensitive
analytic detects
customer data, an immediate loss of revenue, and a long-lasting
damage to your brand. • a Hypothesis which explains the idea behind
the analytic
SIEMs, IPS, IDS are computer-based technologies that help • a VASA Note explaining relative feature in
protect your network infrastructure. But the reality is the amount RANK’s VASA
of data generated, across many sources, is very huge, and as it is • a SQL Query description of how the analytic
today, is dispersed across multiple areas. With Machine Learning might be implemented
& Artificial Intelligence, these data sources, can all be combined

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

into one single aggregated platform, which becomes more
effective to support the Security Analyst. With Rank’s Virtual
Advisor to Security Analyst (VASA), we have pretty much done
all the work of the security analyst, of looking at logs, searching
through in a fine comb, and present anomaly detection. But not
only that, we have also given the Analyst a Platform to hunt for
threats in REAL TIME.

The following is a knowledge base of SQL queries, based on

the Adversary Tactics, Techniques, and Common Knowledge
(ATT&CK) adversary model, developed by MITRE. These SQL
queries are based on MITRE’s recommended analytics, and are
meant to further assist the SOC analyst in their threat hunt for a
potential breach on their network.

14
 1.
USE CASE: Reg.exe called from Command Shell

Tactic: TTP
MITRE Reference: CAR-2013-03-001: Reg.exe called from Command Shell

Hypothesis: Registry modifications are often essential in SQL Query:

establishing persistence via known Windows mechanisms.
Many legitimate modifications are done graphically via
select source.name, data.process.cmd, count(*) AS
regedit.exe or by using the corresponding channels, or even
hostcount from network-events where type = 'sysmon'
calling the Registry APIs directly. The built-in utility reg.exe
AND data.process.action = 'launch' AND data.process.
provides a command-line interface to the registry, so that
image.file = 'reg.exe' AND data.process.parentImage.file =
queries and modifications can be performed from a shell, such

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

'cmd.exe' AND
as cmd.exe. When a user is responsible for these actions, the
parent of cmd.exe will likely be explorer.exe. Occasionally, (data.process.cmd LIKE '%add%' OR data.process.cmd LIKE
power users and administrators write scripts that do this '%delete%' OR data.process.cmd LIKE '%copy%' OR data.
behavior as well, but likely from a different process tree. process.cmd LIKE '%restore%' OR data.process.cmd LIKE
These background scripts must be learned so they can be '%load%' OR data.process.cmd LIKE '%import%') order by
tuned out accordingly. hostcount DESC

15
 2.
USE CASE: Simultaneous Logins on a Host

Tactic: Situational Awareness

MITRE Reference: CAR-2013-02-008: Simultaneous Logins on a Host

Hypothesis: Multiple users logged into a single SQL Query:

machine at the same time, or even within the
same hour, do not typically occur in networks
select source.name, count(distinct `data.login.user`) as
we have observed.
uniqueUserLogins, timeInterval(date, '1h') from network-events
where type = 'winevent' AND data.winevent.EventID = 4624 AND
data.winevent.LogonType IN (2, 3, 9, 10) AND data.login.status =
VASA Note: VASA has built in anomaly

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

'success'
detection for excessive log-ins. The analyst
group by source.name
can also run the following SQL Queries:
having uniqueUserLogins > 1

SQL Query:

select `data.login.user`, count(distinct source.name) as

uniqueMachineLogins, timeInterval(date, '1h')
from network-events
where type = 'winevent' AND data.winevent.EventID = 4624 AND
data.winevent.LogonType IN (2, 3, 9, 10) AND data.login.status =
'success'
group by `data.login.user`
having uniqueMachineLogins > 1
16
 3.
USE CASE: Quick execution of a series of suspicious commands

Tactic: TTP
MITRE Reference: CAR-2013-04-002: Quick execution of a series of suspicious commands

Hypothesis: Certain commands are frequently SQL Query:

used by malicious actors and infrequently used
by normal users. By looking for execution of
select source.name, count(date) as numSuspiciousCommnds ,
these commands in short periods of time, we
timeInterval(date, '30m')
can not only see when a malicious user was on
from network-events
the system but also get an idea of what they
where type = 'sysmon' AND data.process.image.file IN ('arp.exe', 'at.
were doing.

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

exe', 'attrib.exe', 'cscript.exe', 'dsquery.exe', 'hostname.exe', 'ipconfig.
exe', 'mimikatz.exe', 'nbstat.exe', 'net.exe', 'netsh.exe', 'nslookup.exe',
'ping.exe', 'quser.exe', 'qwinsta.exe', 'reg.exe', 'runas.exe', 'sc.exe',
VASA Note: We already generate Alerts 'schtasks.exe', 'ssh.exe', 'systeminfo.exe', 'taskkill.exe', 'telnet.exe',
on this use case. The Analyst can dig a bit 'tracert.exe', 'wscript.exe', 'xcopy.exe')
deeper by writing SQL query: group by source.name
having numSuspiciousCommnds > 1

17
 4.
USE CASE: Processes Spawning cmd.exe

Tactic: Situational Awareness

MITRE Reference: CAR-2013-02-003: Processes Spawning cmd.exe

Hypothesis: The Windows Command Prompt (cmd.exe) is

a utility that provides a command line interface to Windows VASA Note: Already exists as anomaly detection,
operating systems. It provides the ability to run additional assuming end point logs through sysmon are
programs and also has several built-in commands such as dir, being captured and sent to VASA. SOC analyst can
copy, mkdir, and type, as well as batch scripts (.bat). lookup the Process report on the VASA dashboard.
Specifically, the hunter looks if cmd.exe is being
Typically, when a user runs a command prompt, the parent spawned, and what parent process has spawned

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

process is explorer.exe or another instance of the prompt. cmd.exe. Finally, the Analyst can dig a bit deeper
There may be automated programs, logon scripts, or by writing SQL query:
administrative tools that launch instances of the command
prompt in order to run scripts or other built-in commands.
Spawning the process cmd.exe from certain parents may be
more indicative of malice. SQL Query:

For example, if Adobe Reader or Outlook launches a

select * from network-events where data.process.image.file = 'cmd.exe'
command shell, this may suggest that a malicious document AND data.process.parentImage.file != 'explorer.exe' AND data.process.
has been loaded and should be investigated. Thus, by looking action = 'launch'
for abnormal parent processes of cmd.exe, it may be possible
to detect adversaries.

18
 5.
USE CASE: RDP Connection Detection

Tactic: Lateral Movement

MITRE Reference: CAR-2013-07-002: https://car.mitre.org/wiki/CAR-2013-07-002

Hypothesis: The Remote Desktop Protocol (RDP), built in to SQL Query:

Microsoft operating systems, allows a user to remotely log
in to the desktop of another host. It allows for interactive
If you are collecting network traffic run:
access of the running windows, and forwards key presses,
mouse clicks, etc. Network administrators, power users, and Select source.name, destination.name, count(*) from network-events,

end-users may use RDP for day-to-day operations. From an where type = 'rdp'

adversary’s perspective, RDP provides a means to laterally

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

If we are not collecting network traffic run:
move to a new host. Determining which RDP connections
correspond to adversary activity can be a difficult problem in Select source.name, destination.name, count(*) from network-events,
highly dynamic environments but will be useful in identifying where destination.port = '3389'

the scope of a compromise.

VASA Note: We already generate Alerts on this

use case.

19
 6.
USE CASE: All Logins Since Last Boot

Tactic: Analytics
MITRE Reference: CAR-2015-07-001: https://car.mitre.org/wiki/CAR-2015-07-001

Hypothesis: Once a credential dumper like mimikatz SQL Query #1:

runs, every user logged on since boot is potentially
compromised, because the credentials were accessed via
This query will give you the most recent time the machine
the memory of lsass.exe. When such an event occurs,
was restarted:
this analytic will give the forensic context to identify
compromised users. Those users could potentially be select max(`date`) from network-events where data.winevent.EventID

used in later events for additional logons. = 6005 AND source.name = 'enter your machine name here'

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

VASA Note: This has a pre-requisite — the NxLog
SQL Query #2:
configuration has to be changed to include EventID
6005 (which indicates when the machine was Take the date that you get above and find all login events
rebooted). Assuming we receive the EventID - 6005 after that date on that machine using:
to VASA: currently this will be a 2 step process:
select * from network-events where data.winevent.EventID = 4624
AND data.login.machine.name = 'mohan-rank' AND inInterval(`date`,
1529668613000, 'now')

20
 7.
USE CASE: RPC Activity

Tactic: Lateral Movement

MITRE Reference: CAR-2014-05-001: https://car.mitre.org/wiki/CAR-2014-05-001

Hypothesis: Microsoft Windows uses its implementation of Distributed According to ATT&CK, adversaries frequently
Computing Environment/Remote Procedure Call (DCE/RPC), which it calls use RPC connections to remotely
Microsoft RPC, to call certain APIs remotely.
• Create, modify, and manipulate services
A Remote Procedure Call is initiated by communicating to the RPC • Schedule Tasks
Endpoint Mapper, which exists as the Windows service RpcEptMapper
• Query & Invoke Remote Launched
and listens on the port 135/tcp. The endpoint mapper resolves a Executables over RPC.

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

requested endpoint/interface and responds to the client with the port
that the service is listening on. Since the RPC endpoints are assigned ports
when the services start, these ports are dynamically assigned from 49152
to 65535. The connection to the endpoint mapper then terminates and
the client program can communicate directly with the requested service.

RPC is a legitimate functionality of Windows that allows remote

interaction with a variety of services. For a Windows environment to
be properly configured, several programs use RPC to communicate
legitimately with servers. The background and benign RPC activity may
be enormous, but must be learned, especially peer-to-peer RPC between
workstations, which is often indicative of Lateral Movement.

21
 7.
USE CASE: RPC Activity (continued)

SQL Queries:

An equivalent method to the MITRE Framework would be too • Machines that make the most RPC calls:
look for: select source.name, count(*) from network-events where type = 'dce_
rpc' AND destination.port >= 49152 AND source.port >= 49152 AND
• All established RPC calls between internal machines
source.routingMode != 'LOOPBACK' AND source.internal = true AND
select * from network-events where type = 'dce_rpc' AND destination. destination.internal = true
port >= 49152 AND source.port >= 49152 AND source.routingMode !=
'LOOPBACK' AND source.internal = true AND destination.internal = true • RPC endpoints receiving the most calls:

select data.dce_rpc.endpoint, count(*) from network-events where type

• You can further slice and dice this data. For example, you

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

= 'dce_rpc' AND destination.port >= 49152 AND source.port >= 49152
could view the number of rpc calls made between hosts
AND source.routingMode != 'LOOPBACK' AND source.internal = true
by rpc endpoints. You can sort by the count column to
AND destination.internal = true
check outliers.

select source.name, destination.name, data.dce_rpc.endpoint, count(*) • RPC operations:

from network-events where type = 'dce_rpc'
select data.dce_rpc.operation, count(*) from network-events where type
AND destination.port >= 49152 AND source.port >= 49152 AND
= 'dce_rpc' AND destination.port >= 49152 AND source.port >= 49152
source.routingMode != 'LOOPBACK' AND source.internal = true AND
AND source.routingMode != 'LOOPBACK' AND source.internal = true
destination.internal = true
AND destination.internal = true

• Machines that receive the most RPC calls:

select destination.name, count(*) from network-events where type = 'dce_

rpc' AND destination.port >= 49152 AND source.port >= 49152 AND
source.routingMode != 'LOOPBACK' AND source.internal = true AND
destination.internal = true

22
 8.
USE CASE: Remote Desktop Logon

Tactic: Lateral Movement

MITRE Reference: CAR-2016-04-005: https://car.mitre.org/wiki/CAR-2016-04-005

Hypothesis: A remote desktop logon, through Note: Detection already exists in VASA as a rule.
RDP, may be typical of a system administrator
rdp:
or IT support, but only from select workstations. filters:
partition: source.name
Monitoring remote desktop logons and comparing category: suspicious-login
to known/approved originating systems can detect interesting: machine:source.name
expression: type = winevent AND data.winevent.EventID = [4624,
lateral movement of an adversary. 4634] AND data.winevent.LogonType = 10 AND source.name

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

triggers:
score: 65
description: Suspicious Remote Login detected on host
message: ''Suspicious remote login activity detected on host {source.
name}''
killchain: [''Exploitation'']
context:
graph:
- taf_remote_login_destination(type:internal_ip, id:{source.name})
- taf_remote_login_user(type:user, id:{source.name})

23
 9.
USE CASE: User Activity from Clearing Event Logs

Tactic: Defense Evasion Note: Detection already exists in VASA as a rule.

MITRE Reference: CAR-2016-04-002: eventlogclear:

https://car.mitre.org/wiki/CAR-2016-04-002 filters:
partition: source.name
category: suspicious-host-activity
interesting: machine:source.name
expression: type = winevent AND (data.winevent.EventID = 106
OR data.winevent.EventID = 104) AND source.name
Hypothesis: It is unlikely that event log data would be
cleared during normal operations, and it is likely that triggers:
score: 65
malicious attackers may try to cover their tracks by description: Windows Event Log cleared on host
clearing an event log. When an event log gets cleared, it is message: ''Event Log was cleared on host {source.name}. Could be
indicative of malware.''
suspicious. Alerting when a “Clear Event Log” is generated killchain: [''C2'']

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

could point to this intruder technique. Centrally collecting
auditlogclear:
events has the added benefit of making it much harder for filters:
attackers to cover their tracks. Event Forwarding permits partition: source.name
category: suspicious-host-activity
sources to forward multiple copies of a collected event interesting: machine:source.name
expression: type = winevent AND (data.winevent.EventID = 1102
to multiple collectors, thus enabling redundant event
OR data.winevent.EventID = 1100) AND source.name
collection. Using a redundant event collection model can
triggers:
minimize the single point of failure risk. score: 65
description: Audit Log cleared on host
message: ''Audit Log was cleared on host {source.name}. Could be
indicative of malware.''
killchain: [''C2'']

24
 10.
USE CASE: User Activity from Stopping Windows
Defensive Services
Tactic: Defense Evasion Note: Detection already exists in VASA as rules.

MITRE Reference: CAR-2016-04-003: firewallchanges:

https://car.mitre.org/wiki/CAR-2016-04-003 filters:
partition: source.name
category: suspicious-host-activity
interesting: machine:source.name
expression: type = winevent AND data.winevent.EventID = [2004,
Hypothesis: Spyware and malware remain a serious 2005, 2006, 2033, 2009] AND source.name
problem and Microsoft developed security services,
triggers:
Windows Defender and Windows Firewall, to combat score: 65
this threat. In the event Windows Defender or Windows description: Windows Firewall changes detected
message: ''Firewall changes detected on host {source.name}. Could

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

Firewall is turned off, administrators should correct the be indicative of a compromise.''
killchain: [''C2'']
issue immediately to prevent the possibility of infection or
further infection and investigate to determine if caused by defender:
filters:
crash or user manipulation.
partition: source.name
category: suspicious-host-activity
interesting: machine:source.name
expression: type = winevent AND data.winevent.EventID = [1005,
1006, 1008, 1010, 3002, 5008] AND source.name
SQL Query:
triggers:
score: 65
Ensure that NxLog is configured to receive EventID 7036. description: Windows Defender Alert
Then the query is simply: message: ''Windows Defender Alerts detected on host {source.
name}.''
killchain: [''Installation'']
select * from network-events where data.winevent.EventID = 7036

25
 11.
USE CASE: Successful Local Account Login

Tactic: Lateral Movement

MITRE Reference: CAR-2016-04-004: https://car.mitre.org/wiki/CAR-2016-04-004

Hypothesis: The successful use of Pass The Hash for lateral SQL Query:
movement between workstations would trigger event ID
4624, with an event level of Information, from the security
select * from network-events where type = 'winevent'
log. This behavior would be a LogonType of 3 using NTLM
AND data.winevent.EventID = 4624 AND data.winevent.
authentication where it is not a domain logon and not the
TargetUserName != 'ANONYMOUS LOGON' AND data.
ANONYMOUS LOGON account.
winevent.AuthenticationPackageName = 'NTLM'

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

26
 12.
USE CASE: Debuggers for Accessibility Applications

Tactic: Execution, Persistence, Privilege Escalation

MITRE Reference: CAR-2014-11-003: https://car.mitre.org/wiki/CAR-2014-11-003

Hypothesis: The Windows Registry location “HKLM\ SQL Query:

Software\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options” allows for parameters to be set
select * from network-events where type = 'sysmon' AND
for applications during execution. One feature used by
data.process.action = 'launch' AND textMatches(data.
malicious actors is the “Debugger” option. When a key
process.cmd, '.* .*(sethc|utilman|osk|narrator|magnify)\.exe')
has this value enabled, a Debugging command line can be
specified. Windows will launch the Debugging command

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

line, and pass the original command line in as an argument.

Adversaries can set a Debugger for Accessibility

Applications. The analytic looks for the original command
line as an argument to the Debugger.

When the strings “sethc.exe”, “utilman.exe”, “osk.exe”,

“narrator.exe”, and “Magnify.exe” are detected in the
arguments, but not as the main executable, it is very likely
that a Debugger is set.

27
 13.
USE CASE: User Logged in to Multiple Hosts

Tactic: Lateral Movement

MITRE Reference: CAR-2013-02-012: https://car.mitre.org/wiki/CAR-2013-02-012

Hypothesis: Most users use only one or two machines SQL Query:
during the normal course of business. User accounts that
log in to multiple machines, especially over a short period of
select timeInterval(date, '1h'), `data.login.user`,
time, may be compromised. Remote logins among multiple
count(distinct data.login.machine.name) as machinecount
machines may be an indicator of lateral movement.
from network-events where data.winevent.EventID = 4624
having machinecount > 1

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

28
 14.
USE CASE: Service Search Path Interception

Tactic:
MITRE Reference: CAR-2014-07-001: https://car.mitre.org/wiki/CAR-2014-07-001

Hypothesis: According to ATT&CK, an adversary SQL Query:

may escalate privileges by intercepting the search
path for legitimately installed services. As a result, select data.process.cmd, data.process.image.file from network-events where
Windows will launch the target executable instead type = 'sysmon' AND data.process.action = 'launch' AND data.process.
of the desired binary and command line. This can parentImage.file = 'services.exe' AND NOT textMatches(data.process.cmd,

be done when there are spaces in the binary path '\''.*') AND textMatches(data.process.cmd, '.* .*') AND NOT textMatches(data.
process.image.path, '.* .*')
and the path is unquoted. Search path interception

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

should never happen legitimately and will likely
Now, once you have the above results, you can add additional
be the result of an adversary abusing a system
filters to filter out processes known to you to reduce the list so
misconfiguration. With a few regular expressions,
that you can visually compare the command line and the file that
it is possible to identify the execution of services
was executed. If the file executed is not in the command line
with intercepted search paths.
then it is a problem.

e.g. filtering can be done using:

select data.process.cmd, data.process.image.file from network-events where

type = 'sysmon' AND data.process.action = 'launch' AND data.process.
parentImage.file = 'services.exe' AND NOT textMatches(data.process.cmd,
'\''.*') AND textMatches(data.process.cmd, '.* .*') AND NOT textMatches(data.
process.image.path, '.* .*') AND data.process.image.file != 'svchost.exe' AND
data.process.image.file != 'upfc.exe'

29
SUMMARY CHART

Indicators of Compromise
Unusual Outbound Network Traffic ü
Anomalies in Priviledged User Account Activity ü
Geographical Irregularities ü
Other Log-in Red Flags ü
Swells in Database Read Volume ü
HTML Response Sizes ü

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

Large Numbers of Requests For The Same File ü
Mismatched Port-Application Traffic ü
Suspicious Registry or System File Changes ü
DNS Request Anomalies ü
Unexpected Patches of Systems ü
Mobile Device Profile Changes ü
Bundles of Data In The Wrong Places ü
Web Traffic With Unhuman Behaviour ü
Signals of DDoS Activity ü

30
LEARN MORE

For additional details on arming security analysts with the

right tools to become Threat Hunters capable of preventing Next gen security analytics
today’s known threats, and tomorrow’s unknown risks, visit for the zero-day world.
the Rank Software website at www.ranksoftwareinc.com.
VASA by RANK Software brings all the pieces
Rank Software helps security professionals re-establish of your threat hunting strategy together
in one place. Ingest billions of signals from
confidence in their enterprise security posture in an
across your business. Enrich them with
increasingly complex and hostile cyber landscape. powerful context and behavioural analysis.
Identify the most credible threats. Investigate
Leading businesses around the world choose RANK Software on one screen and reduce false positives.

THREAT HUNTERS: INDICATORS OF THREAT ATTACK

to help them improve their security posture.

Here are some of the reasons why:

• Reduce Risk. Lower the risk of a successful cyber attack.

• Control Cost. Increase efficiency of security professionals.

• Faster Response. Identify and act on threats in real time.

• Stay Ahead. Future proof your enterprise security posture.

• Improve Alignment. Enable your business to address

emerging threats.

31