FYP
A simple guide on how to use the threat hunting tool.
Guide
According to the MITRE ATT&CK framework, attackers have a large number of tactics, techniques and procedures (TTPs) available to them.
Below is a description of each technique the tool covers, the log it should be searched in, and the keywords to search for.
Reconnaissance - TA0043
T1595.001
Name: Scanning IP blocks
Description: Adversaries may scan the victim's IP blocks to gather network information.
Data Source: Access Log
Keyword: nmap
Note: a plain port scan sends no HTTP request and leaves nothing in the access log; what this keyword catches is Nmap's HTTP scripts (NSE), whose default User-Agent is "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)".
T1595.002
Name: Vulnerability Scanning
Description: Adversaries may scan the victim for known or unknown vulnerabilities to exploit.
Data Source: Access Log
Keyword: nmap (matched in the User-Agent field, as for T1595.001)
T1595.003
Name: Wordlist Scanning
Description: Adversaries may brute force or crawl the web server with wordlists of directory and file names to map the victim's infrastructure.
Data Source: Access Log
Keyword: gobuster, dirbuster
Note: both appear in the User-Agent field (gobuster sends "gobuster/<version>", DirBuster sends "DirBuster-1.0-RC1 ..."), so match case-insensitively. Either tool can be given a custom User-Agent; in that case look instead for a burst of 404 responses from one source IP.
Initial Access - TA0001
T1133
Name: External Remote Services
Description: Adversaries may leverage external-facing remote services to initially access and/or persist within a network
Data Source: Auth Log
Keyword: ssh, sshd
Reference: https://attack.mitre.org/techniques/T1133/
Valid Accounts - T1078
T1078.003
Name: Local Accounts
Description: Adversaries may obtain and abuse credentials of a local account
Data Source: Auth Log
Keyword: Failed, Accepted (match case-insensitively; sshd logs "Failed password for ...", "Accepted password for ..." and "Accepted publickey for ...")
Reference: https://attack.mitre.org/techniques/T1078/
Execution - TA0002
Command and Scripting Interpreter - T1059
T1059.004
Name: Unix Shell
Description: Adversaries may abuse Unix shell commands and scripts for execution
Data Source: Auth Log
Keyword: COMMAND (sudo writes every command it runs to the auth log as COMMAND=/path/to/binary args)
Data Source: Command History (e.g. ~/.bash_history)
Keyword: <anything> (every recorded command is of interest; note that bash only writes the history file when the shell exits, and an attacker can trivially clear it or unset HISTFILE)
Scheduled Task/Job - T1053
T1053.003
Name: Cron
Description: Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code
Data Source: Auth Log, Syslog
Keyword: CRON (the auth log shows the PAM session opened for each job; syslog shows the job itself as CRON[pid]: (user) CMD (command), and crontab edits as crontab[pid]: (user) REPLACE (user))
Persistence - TA0003
Create Account - T1136
T1136.001
Name: Local Account
Description: Adversaries may create a local account to maintain access to victim systems
Data Source: Auth Log
Keyword: useradd, usermod (useradd records "new user: name=..., UID=..., GID=..., home=..., shell=..." in the auth log)
Privilege Escalation - TA0004
Abuse Elevation Control Mechanism - T1548
T1548.003
Name: Sudo and Sudo Caching
Description: Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges
Data Source: Auth Log
Keyword: sudo (check the USER= and COMMAND= fields of each line; a user running a shell, editor or useradd as root is the thing to look at)
Credential Access - TA0006
Brute Force - T1110
T1110.001, T1110.002, T1110.003, T1110.004
Name: Password Guessing, Password Cracking, Password Spraying, Credential Stuffing
Description: Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained
Data Source: Auth Log
Keyword: Failed password, password
Note: a single "Failed password" line is usually a typo; brute force is many of them from the same source IP in a short window, so count matches per source IP (and, for password spraying, per IP across many user names) instead of alerting on one match.
Reference: https://attack.mitre.org/techniques/T1110/
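The keyword table above, run as a hunt over sample log lines. This is an added example, not the tool's own code: the rules transcribe the guide's keyword-to-technique mapping, the access-log and auth-log lines are constructed for the example, and the brute-force threshold (three failures from one IP) is an assumed value you would tune for your environment.

```python
"""Keyword hunt over sample logs, mapping hits to MITRE ATT&CK technique IDs.
Added example for this guide; HUNT_RULES transcribes the keyword table above."""
import re
from collections import Counter

# Each rule: (technique ID, name, keywords). Keywords the guide writes in all
# caps (COMMAND, CRON) are exact log tokens and are matched case-sensitively;
# the rest are matched case-insensitively so failed/Failed and
# Accept/Accepted/accepted collapse into one keyword each.
HUNT_RULES = {
    "access_log": [
        ("T1595.001", "Scanning IP Blocks", ["nmap"]),
        ("T1595.002", "Vulnerability Scanning", ["nmap"]),
        ("T1595.003", "Wordlist Scanning", ["gobuster", "dirbuster"]),
    ],
    "auth_log": [
        ("T1133", "External Remote Services", ["sshd", "ssh"]),
        ("T1078.003", "Local Accounts", ["failed", "accepted"]),
        ("T1059.004", "Unix Shell", ["COMMAND"]),
        ("T1053.003", "Cron", ["CRON"]),
        ("T1136.001", "Create Account: Local Account", ["useradd", "usermod"]),
        ("T1548.003", "Sudo and Sudo Caching", ["sudo"]),
        ("T1110", "Brute Force", ["Failed password"]),
    ],
}

def _pattern(keyword):
    flags = 0 if keyword.isupper() else re.IGNORECASE
    return re.compile(re.escape(keyword), flags)

COMPILED = {
    src: [(tid, name, [(k, _pattern(k)) for k in kws]) for tid, name, kws in rules]
    for src, rules in HUNT_RULES.items()
}

def hunt(source, lines):
    """Return [(line_no, technique, name, keyword)] for every rule a line triggers.
    One hit per (line, technique): a line containing both 'sshd' and 'ssh'
    is reported once for T1133, with the first keyword that matched."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tid, name, kws in COMPILED[source]:
            for keyword, pat in kws:
                if pat.search(line):
                    hits.append((n, tid, name, keyword))
                    break
    return hits

def technique_counts(hits):
    """How many lines triggered each technique, for a quick triage summary."""
    return Counter(tid for _, tid, _, _ in hits)

# sshd's failure line; 'invalid user' appears when the account does not exist.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def failed_logins_by_ip(lines):
    """Count sshd 'Failed password' events per source IP."""
    return Counter(m.group(2) for line in lines if (m := FAILED_RE.search(line)))

def brute_force_candidates(lines, threshold=3):
    """Source IPs whose failure count reaches the threshold (assumed value).
    One failure is a typo; repeated failures from one IP are T1110."""
    return sorted(ip for ip, n in failed_logins_by_ip(lines).items() if n >= threshold)

# Constructed sample data (not real logs). Apache combined format, then auth.log.
ACCESS_LOG = [
    '203.0.113.5 - - [10/Mar/2024:12:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
    '203.0.113.5 - - [10/Mar/2024:12:02:10 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.6"',
    '198.51.100.7 - - [10/Mar/2024:12:03:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
]
AUTH_LOG = [
    "Mar 10 12:05:01 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 51422 ssh2",
    "Mar 10 12:05:03 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 51424 ssh2",
    "Mar 10 12:05:05 web01 sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 51426 ssh2",
    "Mar 10 12:05:09 web01 sshd[1240]: Accepted password for alice from 203.0.113.5 port 51430 ssh2",
    "Mar 10 12:06:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m backdoor",
    "Mar 10 12:06:00 web01 useradd[1300]: new user: name=backdoor, UID=1002, GID=1002, home=/home/backdoor, shell=/bin/bash",
    "Mar 10 12:10:01 web01 CRON[1350]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Mar 10 12:11:00 web01 sshd[1400]: Failed password for bob from 198.51.100.7 port 40000 ssh2",
]

if __name__ == "__main__":
    for src, lines in (("access_log", ACCESS_LOG), ("auth_log", AUTH_LOG)):
        for n, tid, name, kw in hunt(src, lines):
            print(f"{src} line {n}: {tid} {name} (keyword {kw!r})")
    print("technique counts:", dict(technique_counts(hunt("auth_log", AUTH_LOG))))
    print("brute-force candidates:", brute_force_candidates(AUTH_LOG))
```

Run it and read the auth-log hits in order: the three "Failed password" lines from 203.0.113.5 light up T1133, T1078.003 and T1110 each; the "Accepted password" line that follows shows the guess succeeded; the sudo line then fires T1059.004, T1136.001 and T1548.003 at once because it carries COMMAND=, useradd and sudo together. The chain is the story, not any single keyword, and brute_force_candidates() is what turns the noisy T1110 keyword into an alert worth raising.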