The ThreatHunting Project

Hunting for adversaries in your IT environment

Hunting Procedures Indexed by Data Required

Anti-Virus Logs

Finding Known-Bad in Antivirus Logs

Bro NSM Logs

RDP External Access

C2 via Dynamic DNS

Finding the Unknown with HTTP URIs

Producer-Consumer Ratio for Detecting Data Exfiltration

Finding C2 in Network Sessions

Whaling Detection via Unusual Sender Domains

DNS Query Logs

C2 via Dynamic DNS

Email (SMTP logs or similar)

Whaling Detection via Unusual Sender Domains

Host Dumps (RAM, Registry, Filesystem, Processes, etc)

Comparing Host Images/Memory Dumps to Known-Good Baselines

RAM Dumping

Comparing Host Images/Memory Dumps to Known-Good Baselines

NTFS Extended Attribute Analysis

Search for Rogue Listeners

Shimcache/Amcache

Autoruns Analysis

Windows Driver Analysis

Windows Prefetch Cache Analysis

Windows Service Analysis

HTTP Proxy Logs

Beacon Detection via Intra-Request Time Deltas

HTTP User-Agent Analysis

C2 via Dynamic DNS

Finding the Unknown with HTTP URIs
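
The beacon detection entry above names the technique but not the arithmetic. The following is an added example (not code from The ThreatHunting Project or its procedure page): it groups proxy requests by client/destination pair, takes the time deltas between consecutive requests, and flags pairs whose deltas are nearly constant. The log format, the hosts and the request times are constructed for the example; the thresholds (five requests minimum, coefficient of variation at or below 0.10) are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from a real environment):
# "<ISO-8601 timestamp> <client_ip> <destination_host>", one request per line.
SAMPLE_PROXY_LOG = """\
2024-03-01T10:00:00 10.0.0.5 updates.example-cdn.net
2024-03-01T10:00:00 10.0.0.5 news.example.org
2024-03-01T10:05:01 10.0.0.5 updates.example-cdn.net
2024-03-01T10:07:30 10.0.0.5 news.example.org
2024-03-01T10:10:00 10.0.0.5 updates.example-cdn.net
2024-03-01T10:15:02 10.0.0.5 updates.example-cdn.net
2024-03-01T10:19:45 10.0.0.5 news.example.org
2024-03-01T10:20:00 10.0.0.5 updates.example-cdn.net
2024-03-01T10:25:01 10.0.0.5 updates.example-cdn.net
2024-03-01T10:30:00 10.0.0.5 updates.example-cdn.net
2024-03-01T10:42:10 10.0.0.5 news.example.org
"""


def parse_proxy_log(text):
    """Parse the constructed log format into (timestamp, client, host) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        records.append((datetime.fromisoformat(ts), client, host))
    return records


def beacon_candidates(records, min_requests=5, max_cv=0.10):
    """Score each (client, host) pair by the regularity of its request timing.

    For every pair, sort the request timestamps, take the deltas between
    consecutive requests, and compute the coefficient of variation
    (standard deviation / mean). Human browsing produces widely scattered
    deltas (high CV); a beacon firing on a fixed sleep, even with a little
    jitter, produces near-identical deltas (CV close to 0). Pairs with at
    least `min_requests` requests and CV <= `max_cv` are returned.
    """
    by_pair = defaultdict(list)
    for ts, client, host in records:
        by_pair[(client, host)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few samples to say anything about periodicity
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(deltas)
        if mean == 0:
            continue  # every request in the same second; not a sleep-based beacon
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            hits[pair] = {"requests": len(stamps), "mean_delta_s": mean, "cv": cv}
    return hits


if __name__ == "__main__":
    hits = beacon_candidates(parse_proxy_log(SAMPLE_PROXY_LOG))
    for (client, host), info in hits.items():
        print(f"{client} -> {host}: {info['requests']} requests, "
              f"every ~{info['mean_delta_s']:.0f}s (cv={info['cv']:.3f})")
```

On the constructed log, the CDN pair fires every 300 seconds with one or two seconds of jitter and is flagged; the news site is visited only four times at irregular intervals and is not. A beacon with large randomised jitter or a long sleep will push the CV up or the request count down, so expect to widen `max_cv` or lengthen the observation window for those, and check flagged pairs against software updaters and health checks, which beacon legitimately.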

HTTP Server Logs

Internet-Facing HTTP Request Analysis

Finding Webshells

Network Sessions (Netflow or similar)

Producer-Consumer Ratio for Detecting Data Exfiltration

Finding C2 in Network Sessions
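
The Producer-Consumer Ratio entry appears under both Bro NSM Logs and Network Sessions above. The following added example (not code from The ThreatHunting Project) computes it over per-connection byte counters of the kind Netflow or Bro/Zeek conn logs provide: PCR = (bytes produced - bytes consumed) / (bytes produced + bytes consumed), which runs from -1.0 for a pure downloader to +1.0 for a pure uploader. The flow records, hosts and the 0.4 alert threshold are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed flow records (not real traffic), one per connection, as
# (internal_host, remote_host, bytes_sent_by_internal, bytes_received_by_internal).
# In practice these come from Netflow or Bro/Zeek conn.log byte counters after
# mapping originator/responder onto the internal host.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 900_000, 12_000),
    ("10.0.0.5", "203.0.113.10", 600_000, 8_000),
    ("10.0.0.5", "93.184.216.34", 4_000, 120_000),
    ("10.0.0.7", "93.184.216.34", 5_000, 800_000),
    ("10.0.0.7", "198.51.100.20", 3_000, 45_000),
]


def pcr(bytes_out, bytes_in):
    """Producer-Consumer Ratio: (out - in) / (out + in), from -1.0 to +1.0.

    -1.0 is a pure consumer (downloads only), +1.0 a pure producer
    (uploads only), 0.0 perfectly balanced. Returns 0.0 when no bytes moved.
    """
    total = bytes_out + bytes_in
    return (bytes_out - bytes_in) / total if total else 0.0


def host_pcr(flows):
    """Aggregate byte counters per internal host and compute each host's PCR."""
    out_bytes = defaultdict(int)
    in_bytes = defaultdict(int)
    for host, _remote, sent, received in flows:
        out_bytes[host] += sent
        in_bytes[host] += received
    return {host: pcr(out_bytes[host], in_bytes[host]) for host in out_bytes}


def exfil_candidates(flows, threshold=0.4):
    """Return (host, pcr, top_destination) for hosts producing far more than they consume.

    Workstations are overwhelmingly consumers, so a host whose PCR swings
    toward +1.0 is worth a look; `top_destination` is where most of its
    outbound bytes went, which is the first thing an analyst will ask.
    """
    sent_to = defaultdict(lambda: defaultdict(int))
    for host, remote, sent, _received in flows:
        sent_to[host][remote] += sent
    hits = []
    for host, ratio in host_pcr(flows).items():
        if ratio >= threshold:
            top = max(sent_to[host], key=sent_to[host].get)
            hits.append((host, ratio, top))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


if __name__ == "__main__":
    for host, ratio, dest in exfil_candidates(SAMPLE_FLOWS):
        print(f"{host}: PCR {ratio:+.2f}, most bytes sent to {dest}")
```

In the constructed data 10.0.0.5 pushed roughly 1.5 MB out against 140 KB in (PCR about +0.83) and is flagged with 203.0.113.10 as the destination, while 10.0.0.7 is an ordinary consumer (about -0.98). The ratio deliberately ignores volume, so pair it with a byte threshold or you will flag every tiny connection that happens to send more than it receives; and expect legitimate producers (mail relays, backup agents, video calls) to need a baseline of their own.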

Process Creation Audit Logs

Suspicious Process Creation via Windows Event Logs

Webshell Behavior

Lateral Movement Detection via Process Monitoring

Finding Malware Process Impersonation via String Distance

Identify Suspicious Command Shells
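
The string-distance entry in the Process Creation section above refers to catching process names that are one or two characters away from a legitimate Windows binary. The following added example (not code from The ThreatHunting Project) implements Levenshtein edit distance and compares observed process names, case-insensitively, against a reference list, flagging near-misses. The reference list, the sample process names and the distance cut-off of 2 are constructed assumptions; a real hunt would build the known-good list from a baseline of the environment.

```python
# Process names attackers commonly imitate (constructed reference list;
# a real hunt would derive this from a known-good baseline of the environment).
KNOWN_GOOD = [
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "services.exe", "winlogon.exe", "explorer.exe",
]

# Constructed sample of process names as they might appear in process creation
# audit logs; not taken from a real host.
SAMPLE_PROCESSES = [
    "svchost.exe", "svch0st.exe", "scvhost.exe", "lsasss.exe",
    "explore.exe", "chrome.exe", "notepad.exe", "SVCHOST.EXE",
]


def levenshtein(a, b):
    """Edit distance: minimum single-character insertions, deletions, substitutions."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(
                previous[j] + 1,               # deletion
                current[j - 1] + 1,            # insertion
                previous[j - 1] + (ca != cb),  # substitution (free if equal)
            ))
        previous = current
    return previous[-1]


def impersonation_candidates(process_names, known_good=KNOWN_GOOD, max_distance=2):
    """Flag names that are close to, but not the same as, a known-good process name.

    Names are compared case-insensitively, since Windows file names are.
    Returns a list of (observed_name, closest_known_good, distance), sorted
    by distance so the near-misses (distance 1) come first.
    """
    hits = []
    for name in process_names:
        lowered = name.lower()
        if lowered in known_good:
            continue  # exact name match; path-based impersonation is a separate check
        closest, distance = min(
            ((good, levenshtein(lowered, good)) for good in known_good),
            key=lambda pair: pair[1],
        )
        if distance <= max_distance:
            hits.append((name, closest, distance))
    return sorted(hits, key=lambda hit: hit[2])


if __name__ == "__main__":
    for name, good, d in impersonation_candidates(SAMPLE_PROCESSES):
        print(f"{name} looks like {good} (distance {d})")
```

The sample flags svch0st.exe, lsasss.exe and explore.exe at distance 1 and scvhost.exe at distance 2, while chrome.exe, notepad.exe and the upper-cased genuine svchost.exe pass. Short names make distance 2 noisy (many legitimate three- and four-letter binaries sit within two edits of each other), so treat hits as leads and confirm with the image path, parent process and signer from the same event.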

Windows Event Logs

EMET Log Mining

Suspicious Process Creation via Windows Event Logs

Psexec Windows Events

Detecting Lateral Movement in Windows Event Logs

RDP External Access

Windows Lateral Movement via Explicit Credentials

Privileged Group Tracking

Webshell Behavior

Lateral Movement Detection via Process Monitoring

Other

Checking How Outsiders See You

Tool Renaming

Finding Golden and Silver Tickets