The ThreatHunting Project

Hunting for adversaries in your IT environment

View project on GitHub

Procedures Indexed by Goal

0-day Exploits

EMET Log Mining

Attacker tools in use

Suspicious Process Creation via Windows Event Logs

Windows Service Analysis

Psexec Windows Events

Tool Renaming

BIOS/Firmware tampering

RAM Dumping

Command and Control (C2)

C2 via Dynamic DNS

Finding the Unknown with HTTP URIs

Beacon Detection via Intra-Request Time Deltas

Finding C2 in Network Sessions

Compromise of Internet-Facing Service (SQL injection, web shells, etc)

Internet-Facing HTTP Request Analysis

Checking How Outsiders See You

RDP External Access

Finding Known-Bad in Antivirus Logs

Suspicious Process Creation via Windows Event Logs

Finding Webshells

Webshell Behavior

Data Hiding

NTFS Extended Attribute Analysis

Data Staging & Exfiltration

Producer-Consumer Ratio for Detecting Data Exfiltration

Exploits

Suspicious Process Creation via Windows Event Logs

Lateral movement / Compromised Credentials

Psexec Windows Events

Detecting Lateral Movement in Windows Event Logs

RDP External Access

Windows Lateral Movement via Explicit Credentials

Lateral Movement Detection via Process Monitoring

Finding Golden and Silver Tickets

Identify Suspicious Command Shells

Malicious Listening Services

Search for Rogue Listeners

Malware

Finding Known-Bad in Antivirus Logs

Beacon Detection via Intra-Request Time Deltas

Comparing Host Images/Memory Dumps to Known-Good Baselines

RAM Dumping

HTTP User-Agent Analysis

Shimcache/Amcache

Autoruns Analysis

Windows Driver Analysis

Windows Prefetch Cache Analysis

Windows Service Analysis

Finding the Unknown with HTTP URIs

Finding Malware Process Impersonation via String Distance

Phishing

Whaling Detection via Unusual Sender Domains

Privilege Escalation

Privileged Group Tracking

Other

Identify Suspicious Command Shells