rhigham-scwx / shikari Goto Github PK

Title: Hunt for xyz
Hypothesis: Brief description of the activity you feel you are not covered for. E.g. What you will hunt for?
Trigger: What triggered this hunt
Reference: link to TTP description

Acceptance Criteria
This issue can be closed when the abstract has been updated and the report has been written. If the hunt can not be completed, this issue should be marked as blocked. If the hunt is no longer needed, the issue should be labeled as such and then closed.

Tasks

• Validate Security Gap Exists
• Validate Data Visibility/Usability
• Define/Refine Abstract
• Gather and Analyze Data
• Write Report
• Share Findings
• Update the Abstract
• Create New Issue to Repeat the Hunt (if needed)
• Close this Issue

Note:

• Incidents should be escalated as they are found.
• If an abstract does not exist that can be updated and reused, create a new abstract.
• If you plan to test to make sure the security gap exists through adversary emulation, notify your manager and security operations.
• If you find inappropriate content or other compliance issues, check with management to determine next steps.
• If this hunt did not produce logic that can be used to address the known gap, open a new issue to repeat the hunt in the future.

Title: Hunt for malicious users using LOLBins
Hypothesis: Threat Actors are using LOL Binaries to download malicious files.
Trigger: Red Team used certutil, wmic, mshta, and other tools to download malicious payload
Reference:

• https://lolbas-project.github.io/
• https://www.bleepingcomputer.com/news/security/windows-10-finger-command-can-be-abused-to-download-or-steal-files/

Acceptance Criteria
This issue can be closed when the abstract has been updated and the report has been written. If the hunt can not be completed, this issue should be marked as blocked. If the hunt is no longer needed, the issue should be labeled as such and then closed.

Tasks

• Validate Security Gap Exists
• Validate Data Visibility/Usability
• Define/Refine Abstract
• Gather and Analyze Data
• Write Report
• Share Findings
• Update the Abstract
• Create New Issue to Repeat the Hunt (if needed)
• Close this Issue

Note:

• Incidents should be escalated as they are found.
• If an abstract does not exist that can be updated and reused, create a new abstract.
• If you plan to test to make sure the security gap exists through adversary emulation, notify your manager and security operations.
• If you find inappropriate content or other compliance issues, check with management to determine next steps.
• If this hunt did not produce logic that can be used to address the known gap, open a new issue to repeat the hunt in the future.

Title: Hunt for Malicious PowerShell
Hypothesis: Adversaries may abuse PowerShell commands and scripts for execution.
Trigger: Crown Jewels Analysis
Reference:

• https://attack.mitre.org/techniques/T1059/001/
• https://www.crowdstrike.com/blog/tech-center/powershell-hunting/

Acceptance Criteria
This issue can be closed when the abstract has been updated and the report has been written. If the hunt can not be completed, this issue should be marked as blocked. If the hunt is no longer needed, the issue should be labeled as such and then closed.

Tasks

• Validate Security Gap Exists
• Validate Data Visibility/Usability
• Define/Refine Abstract
• Gather and Analyze Data
• Write Report
• Share Findings
• Update the Abstract
• Create New Issue to Repeat the Hunt (if needed)
• Close this Issue

Note:

• Incidents should be escalated as they are found.
• If an abstract does not exist that can be updated and reused, create a new abstract.
• If you plan to test to make sure the security gap exists through adversary emulation, notify your manager and security operations.
• If you find inappropriate content or other compliance issues, check with management to determine next steps.
• If this hunt did not produce logic that can be used to address the known gap, open a new issue to repeat the hunt in the future.

Title: Hunt for Compromised Email Accounts
Hypothesis: Business email compromise has become a very common method of attack.
Trigger: Threat Actor Intel
Reference:

• https://attack.mitre.org/techniques/T1114/003/
• https://attack.mitre.org/techniques/T1078/004/
• https://docs.microsoft.com/en-us/archive/blogs/timmcmic/exchange-and-office-365-mail-forwarding-2

Acceptance Criteria
This issue can be closed when the abstract has been updated and the report has been written. If the hunt can not be completed, this issue should be marked as blocked. If the hunt is no longer needed, the issue should be labeled as such and then closed.

Tasks

• Validate Security Gap Exists
• Validate Data Visibility/Usability
• Define/Refine Abstract
• Gather and Analyze Data
• Write Report
• Share Findings
• Update the Abstract
• Create New Issue to Repeat the Hunt (if needed)
• Close this Issue

Note:

• Incidents should be escalated as they are found.
• If an abstract does not exist that can be updated and reused, create a new abstract.
• If you plan to test to make sure the security gap exists through adversary emulation, notify your manager and security operations.
• If you find inappropriate content or other compliance issues, check with management to determine next steps.
• If this hunt did not produce logic that can be used to address the known gap, open a new issue to repeat the hunt in the future.

Title: Detect ADFS Misuse
Hypothesis: Threat actors are exploiting adfs
Trigger: Threat Intel surrounding the SolarWinds breach
Reference:

• https://attack.mitre.org/techniques/T1005/
• https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095
  • detect adfsspoof or adfsdump (yara, image_path, commandline, etc)
  • find supsicious adfs master key export event 4662
  • image_path = Microsoft.IdentityServer.ServiceHost.exe
  • https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SolarWindsPostCompromiseHunting.json
  • Importantly, if you have recently rotated ADFS key material this workbook can be useful in identifying attacker logon activity if they logon with old key material. Look for the change activity and anything after the change using the old material.
• https://www.cybersecurity-help.cz/vdb/SB2019071015
  • A remote attacker can convince the ADFS administrator to update a list of banned IP addresses and bypass security restrictions
  • A remote attacker can perform a brute-force attack and cause account lockouts in Active Directory.
• https://www.fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html
  • alert on HTTP POST requests to the address that hosts the Policy Store Transfer service. If there is an AD FS farm, then the IP addresses of the AD FS servers will need to be whitelisted against the rule.

Acceptance Criteria
This issue can be closed when the abstract has been updated and the report has been written. If the hunt can not be completed, this issue should be marked as blocked. If the hunt is no longer needed, the issue should be labeled as such and then closed.

Tasks

• Validate Security Gap Exists
• Validate Data Visibility/Usability
• Define/Refine Abstract
• Gather and Analyze Data
• Write Report
• Share Findings
• Update the Abstract
• Create New Issue to Repeat the Hunt (if needed)
• Close this Issue

Note:

• Incidents should be escalated as they are found.
• If an abstract does not exist that can be updated and reused, create a new abstract.
• If you plan to test to make sure the security gap exists through adversary emulation, notify your manager and security operations.
• If you find inappropriate content or other compliance issues, check with management to determine next steps.
• If this hunt did not produce logic that can be used to address the known gap, open a new issue to repeat the hunt in the future.

Title: Hunt for compromised web servers and web shells
Hypothesis: Threat Actors have gained access to one or more of our externally facing web servers.
Trigger: Common method of attack. We evaluated our coverage and feel this is a gap.
Reference:

• https://attack.mitre.org/techniques/T1505/003/
• https://us-cert.cisa.gov/ncas/alerts/TA15-314A
• https://github.com/Yara-Rules/rules/tree/master/webshells

Acceptance Criteria
This issue can be closed when the abstract has been updated and the report has been written. If the hunt can not be completed, this issue should be marked as blocked. If the hunt is no longer needed, the issue should be labeled as such and then closed.

Tasks

• Check for existing abstract
• Validate Security Gap Exists
• Validate Data Visibility/Usability
• Define/Refine Abstract
• Gather and Analyze Data
• Write Report
• Share Findings
• Update the Abstract
• Create New Issue to Repeat the Hunt (if needed)
• Close this Issue

Note:

• Incidents should be escalated as they are found.
• If an abstract does not exist that can be updated and reused, create a new abstract.
• If you plan to test to make sure the security gap exists through adversary emulation, notify your manager and security operations.
• If you find inappropriate content or other compliance issues, check with management to determine next steps.
• If this hunt did not produce logic that can be used to address the known gap, open a new issue to repeat the hunt in the future.