Hunts Mitigations Roadmap
Jake Smith edited this page Aug 22, 2020 (13 revisions)
- Operation CustomInstruction
- Add these YARA rules https://github.com/sbousseaden/YaraHunts
- RID Hijacking - https://pentestlab.blog/2020/02/12/persistence-rid-hijacking/
- T1197 - BITS Jobs
- T1053 - Scheduled Tasks
- look at closed issue 12
- T1504 - PowerShell Profiles
- T1209 - Time Providers
- T1546.015 - Component Object Model Hijacking -> see the Atomic Red Team tests, which we don't cover at the moment
- T1180 - Screensaver
- hunting secretsdump https://twitter.com/SBousseaden/status/1286750095296335883?s=20
- event log hunts: https://github.com/OTRF/detection-hackathon-apt29/tree/master/rules%2Fsigma%2Fwindows
- Phantom DLL Hunt
- Wsearch (See Hexacorn Beyond the run key 5 for others)
- https://www.cybereason.com/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part1.pdf
- Analyze & Implement additional Runkeys from Hexacorn and Autoruns (including AeDebug, Terminal Services, Active Setup, and Taskman)
- TrustedSec Autorun https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
- Read through every Hexacorn blog
- GINA DLL (slide 167) https://github.com/zerosum0x0/defcon-25-workshop/blob/master/DEFCON25.pdf
- T1027 - Looking for sketchy desktop.ini's https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
- CLR persistence - https://vxug.fakedoma.in/papers/Common%20Language%20Runtime%20Hook%20for%20Persistence%20_%20Context%20Information%20Security.pdf
- All process command line related hunts (source: event logs process creation command line, and eventually agent DLL)
- T1112 - Modify Registry, https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3
- T1202 - Indirect Command Execution (ie LOLBINS)
- T1075 - Pass the hash, see sigma
- Security log Event IDs 4610, 4611, 4614 and 4622: indicators that code has been loaded into the LSA (authentication/security package, trusted logon process) or the SAM (notification package, which sees password changes)
- T1088 - UAC Bypasses (see closed issue 205)
- T1054 - Hosts file tampering
- T1038 - DLL Search Order Hijacking - see closed issue 265
- Hunt for malicious network providers
- Cred stealing persistence: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
- File Association hunt
- T1113 - (needs API monitoring), screen capture (see conversation with Jack in Discord)
- T1117 - Regsvr32
- T1178 and others - Active Directory Persistence - https://adsecurity.org/?p=1929
- Kerberoasting hunt - https://www.trimarcsecurity.com/post/trimarcresearch-detecting-kerberoasting-activity
- ensure the correct audit policy is enabled on DCs (Account Logon > Audit Kerberos Service Ticket Operations, Success, otherwise 4769 is never written); add to mitigation
- T1098 Account Manipulation
- WMI things 1, 2, and other much better references for WMI persistence
- see resources in closed issue #29 including https://twitter.com/mattifestation/status/899646620148539397
- T1158 - Hidden Files/Directories
- WFP filter drivers (`netsh wfp show filters` dumps the active filters to filters.xml in the current directory)
- Heresy's Gate https://zerosum0x0.blogspot.com/2020/06/heresys-gate-kernel-zwntdll-scraping.html
- analyze services with .sys endings
- T1137 - Office Application Startup
- Mitigation: Print Spooler service should be disabled on domain controllers
- PoshC2 IOCs
- Shell open command persistence described here: https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/
- Mitigation to Disable SMB Compression
- Hunt for shares open to Everyone; T1077 Windows Admin Shares, enumerate with NetShareEnum (https://docs.microsoft.com/en-us/windows/desktop/api/lmshare/nf-lmshare-netshareenum)
- Hunt for directory browsing is enabled (see closed issue 212 https://serverfault.com/a/395919)
- Powershell mitigations (see closed issue 248, transcript logging, lockdown policy, etc)
- hunt for instances of Disallow run (closed issue 257)
- hunt for stored credentials in the registry, e.g. `AutoAdminLogon` / `DefaultPassword` under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`
- Analysis of .lnk and .settingcontent-ms files
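Worked example for the LSA/SAM package (4610/4611/4614/4622) and malicious network provider items above. This is an added PowerShell example, not code from the original wiki or the project: it enumerates the DLLs Windows will load into LSASS/SAM and the network providers that are handed clear-text logon credentials, checks each for existence, location and Authenticode signer, then pulls the Security log events that record such loads. The "Microsoft-signed and in System32" expectation is an assumption; third-party VPN/SSO products legitimately register providers, so the output is a triage list, not a verdict.

```powershell
# Added example (not from the original wiki). Run from an elevated PowerShell:
# reading the Security log and some of these keys needs admin rights.
# Event IDs: 4610 authentication package loaded by LSA, 4611 trusted logon process
# registered with LSA, 4614 notification package loaded by SAM, 4622 security
# package loaded by LSA.

$lsaKeys = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';          Names = 'Authentication Packages', 'Notification Packages', 'Security Packages' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'; Names = 'Security Packages' }
)

function Resolve-PackageDll {
    param([string]$Entry)
    # Entries are normally bare names ("msv1_0", "scecli") that LSASS resolves from
    # System32; an attacker can also write a full path, which is itself a finding.
    if ($Entry -match '[\\/]') { return [Environment]::ExpandEnvironmentVariables($Entry) }
    $file = if ($Entry -like '*.dll') { $Entry } else { "$Entry.dll" }
    return Join-Path $env:SystemRoot "System32\$file"
}

function Test-LoadedDll {
    param([string]$Source, [string]$Entry)
    $path   = Resolve-PackageDll $Entry
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
    [pscustomobject]@{
        Source     = $Source
        Entry      = $Entry
        Path       = $path
        Exists     = $exists
        InSystem32 = $path -like (Join-Path $env:SystemRoot 'System32\*')
        SigValid   = [bool]($sig -and $sig.Status -eq 'Valid')
        Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Packages registered for LSASS / SAM (REG_MULTI_SZ values, one DLL name per entry).
$findings = @(
    foreach ($k in $lsaKeys) {
        $props = Get-ItemProperty -Path $k.Path -ErrorAction SilentlyContinue
        foreach ($name in $k.Names) {
            foreach ($entry in @($props.$name)) {
                if (-not [string]::IsNullOrWhiteSpace($entry)) {
                    Test-LoadedDll -Source "$($k.Path)\$name" -Entry $entry
                }
            }
        }
    }
)

# Network providers: ProviderOrder lists the service keys whose ProviderPath DLL gets
# every interactive logon's user name and password via NPLogonNotify (the NPPSpy trick).
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$order = ((Get-ItemProperty -Path $orderKey -ErrorAction SilentlyContinue).ProviderOrder -split ',') |
    ForEach-Object { $_.Trim() } | Where-Object { $_ }
$findings += @(
    foreach ($p in $order) {
        $np = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$p\NetworkProvider" -ErrorAction SilentlyContinue
        if ($np -and $np.ProviderPath) { Test-LoadedDll -Source "NetworkProvider\$p" -Entry $np.ProviderPath }
    }
)

# Assumed clean state: exists, lives in System32, valid Microsoft signature.
$suspect = $findings | Where-Object {
    -not $_.Exists -or -not $_.InSystem32 -or -not $_.SigValid -or $_.Signer -notmatch 'O=Microsoft Corporation'
}
'== Registered packages / providers needing review =='
$suspect | Format-Table Source, Entry, Path, Exists, SigValid, Signer -AutoSize

# Correlate with the load events: a newly registered DLL followed by a 4614/4622 at
# the next boot is the pattern to look for.
'== Recent LSA / SAM package load events =='
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4610, 4611, 4614, 4622 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        # the DLL / process name field differs per event ID, so pick it by name suffix
        $field = $x.Event.EventData.Data | Where-Object { $_.Name -match 'PackageName$|ProcessName$' } | Select-Object -First 1
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Package = $field.'#text' }
    } | Format-Table -AutoSize
```

Run it on a known-clean build first and save the output as the baseline; on subsequent hosts only entries absent from that baseline need a human look.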
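Worked example for the stored-credential item and the Winlogon / AeDebug / Active Setup / Terminal Services autorun locations listed above. This is an added PowerShell example, not code from the original wiki or the project. The "expected" patterns (explorer.exe as Shell, userinit.exe as Userinit, rdpclip as the RDP startup program, a Windows or Program Files path for Active Setup stubs) are assumptions for a stock build, so diff against a clean reference host before treating a mismatch as malicious.

```powershell
# Added example (not from the original wiki). Triage of stored logon credentials and
# logon-time autostart values. Expected-value patterns are assumptions for a stock build.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$Name
}

$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. Stored credentials. DefaultPassword in the registry is readable by any local user.
#    Only presence is reported, never the value. Note: if the password was stored as the
#    DefaultPassword LSA secret instead, it will not show up here.
$auto = Get-RegValue $wl 'AutoAdminLogon'
$pw   = Get-RegValue $wl 'DefaultPassword'
if ($auto -eq '1' -or $pw) {
    [pscustomobject]@{
        Check           = 'Winlogon autologon'
        AutoAdminLogon  = $auto
        DefaultUserName = Get-RegValue $wl 'DefaultUserName'
        DefaultDomain   = Get-RegValue $wl 'DefaultDomainName'
        PasswordStored  = [bool]$pw
    } | Format-List
}

# 2. Logon-time command values. Regex on the right is the assumed clean state.
$sys32 = [regex]::Escape((Join-Path $env:SystemRoot 'system32'))
$checks = @(
    @{ Path = $wl; Name = 'Shell';    Expect = '^explorer\.exe$' }
    @{ Path = $wl; Name = 'Userinit'; Expect = "^$sys32\\userinit\.exe,?$" }
    @{ Path = $wl; Name = 'Taskman';  Expect = '^$' }   # absent on a clean build
    @{ Path = $wl; Name = 'GinaDLL';  Expect = '^$' }   # ignored since Vista, but presence is a legacy persistence marker
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug';            Name = 'Debugger';        Expect = '^$|vsjitdebugger\.exe' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd';       Name = 'StartupPrograms'; Expect = '^rdpclip$' }
)
foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    if ("$actual" -notmatch $c.Expect) {
        [pscustomobject]@{ Check = "$($c.Path)\$($c.Name)"; Actual = $actual; Expected = $c.Expect }
    }
}

# 3. Active Setup: each StubPath runs once per user at logon. Heuristic noise filter:
#    stubs launched from outside the Windows / Program Files trees (or not via
#    regsvr32/rundll32) get listed for review.
$roots = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
foreach ($root in $roots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
        if ($stub -and $stub -notmatch '^"?(%SystemRoot%|%ProgramFiles%|C:\\Windows|C:\\Program Files|regsvr32|rundll32)') {
            [pscustomobject]@{ Check = 'ActiveSetup'; Component = $_.PSChildName; StubPath = $stub }
        }
    }
}
```

The Active Setup filter is deliberately loose: a legitimate stub can live under Program Files and still launch something malicious via its arguments, so anything it lists is a starting point, and the full StubPath strings should be compared against the baseline host as well.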
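Worked example for the Kerberoasting hunt and its "correct audit is enabled" prerequisite. This is an added PowerShell example, not code from the original wiki, the project or the linked Trimarc post: it reads 4769 events on a domain controller, keeps successful RC4 (0x17) service-ticket requests for non-machine, non-krbtgt services, and groups them by requesting account and client IP. The time window and the distinct-SPN threshold are assumptions to tune per environment; the auditpol string match assumes English output.

```powershell
# Added example (not from the original wiki). Kerberoasting triage on a DC's Security log.
# Assumptions: 24h window, 5+ distinct SPNs from one requester is suspicious, English auditpol output.
$Hours           = 24
$MinDistinctSpns = 5

# Mitigation/prerequisite check: without Audit Kerberos Service Ticket Operations (Success)
# the DC never writes 4769 and this hunt silently returns nothing.
$audit = auditpol /get /subcategory:"Kerberos Service Ticket Operations" 2>$null
if (-not ($audit -match 'Success')) {
    Write-Warning 'Audit Kerberos Service Ticket Operations is not enabled for Success; 4769 events will be missing.'
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } -ErrorAction SilentlyContinue

$requests = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # RC4-HMAC (0x17) tickets are what Rubeus / GetUserSPNs request by default because the
    # hash is cheap to crack offline; AES (0x11/0x12) tickets are rarely requested by tools.
    if ($d.TicketEncryptionType -ne '0x17') { continue }
    if ($d.Status -ne '0x0') { continue }                                            # failed requests carry no ticket
    if ($d.ServiceName -eq 'krbtgt' -or $d.ServiceName.EndsWith('$')) { continue }   # TGT renewals, machine accounts

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Requester = $d.TargetUserName
        ClientIp  = $d.IpAddress -replace '^::ffff:', ''
        Service   = $d.ServiceName
        Options   = $d.TicketOptions
    }
}

# One principal pulling tickets for many distinct service accounts in a short window
# is the Kerberoasting signature; a single request to one SPN is normal traffic.
$requests | Group-Object Requester, ClientIp | ForEach-Object {
    $spns = @($_.Group.Service | Sort-Object -Unique)
    [pscustomobject]@{
        Requester    = $_.Group[0].Requester
        ClientIp     = $_.Group[0].ClientIp
        DistinctSpns = $spns.Count
        FirstSeen    = ($_.Group.Time | Measure-Object -Minimum).Minimum
        LastSeen     = ($_.Group.Time | Measure-Object -Maximum).Maximum
        Services     = ($spns -join ', ')
    }
} | Where-Object { $_.DistinctSpns -ge $MinDistinctSpns } |
    Sort-Object DistinctSpns -Descending | Format-Table -AutoSize
```

Two caveats a practitioner will hit: accounts whose SPNs legitimately sit on RC4-only service accounts generate 0x17 requests all day, so whitelist those requesters rather than lowering the threshold; and an attacker who requests AES tickets slips past the 0x17 filter, so a honeypot service account with an attractive SPN, alerted on any 4769 at all, is the complementary control.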