Threat Hunting
Searching for advanced, persistent threats and sophisticated adversaries, as well as sweeping for indicators of compromise and indicators of attack.
Account compromise
Application security
Data loss monitoring
Endpoint security
- Checking for files created on a system
- Detecting IcedID attacks
- Detecting indicators of Remcos RAT malware
- Detecting malicious file obfuscation using certutil.exe
- Detecting recurring malware on a host
- Detecting techniques in the Orangeworm attack group
- Detecting the disabling of security tools
- Detecting Trickbot attacks
- Detecting WhisperGate malware
- Detecting Windows BITS abuse
- Detecting XMRig CPU or GPU mining
- Detecting Zerologon attacks
- Monitoring DNS queries
- Visualizing processes and their parent/child relationships
Network security
Ransomware detection
- Bcdedit boot recovery modifications
- File write spikes
- High file deletion frequency
- High process termination frequency
- Registry key modifications
- Schtasks.exe registering binaries or scripts to run from a public directory
- Schtasks.exe used to force a reboot
- Server Message Block (SMB) traffic connection spikes
- Shadow copies deleted
- TOR traffic
- USN journal deletion
- Wbadmin delete backup files
- Wmic.exe launching processes on a remote system
- Anomaly probability calculation with JA3/JA3s hashes
- First time seen JA3/JA3s hashes
- JA3/JA3s hash overview
- Lookup table creation for scalable anomaly detection with JA3/JA3s hashes
- Rarest JA3s hashes and server combinations
- Windows process and JA3s hash correlation
- .NET assemblies being compiled
- DLL loaded in a specific process
- File hashes associated with the Supernova trojanized DLL
- Systems vulnerable to Supernova malware
- Web shell present in web traffic events
- Previously seen Windows service
- Increases in DNS packet size and volume
- Requests to a large number of subdomains
- Spikes in volume of DNS queries
- New application accessing the Salesforce API
- New high-risk event types for a Salesforce cloud user
- New tables queried by a Salesforce cloud peer group
- New tables queried by a Salesforce cloud user
- Salesforce account compromise
- Spike in exported records from Salesforce cloud
Web activity security