Scribd Logo
Upload

Welcome to Scribd!

  • Threat Hunting A Quick Reference Guide

    Uploaded by

    Cesar Almada
    3 views6 pages

    Original Title

    Threat Hunting a Quick Reference Guide

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    3 views6 pages

    Threat Hunting A Quick Reference Guide

    Uploaded by

    Cesar Almada

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 6

    Threat Hunting:

    A Quick Reference Guide

    WWW.LOGRHYTHM.COM Page 1
    Threat Hunting Reference: Threat Lifecycle Management
    Detect indicators of compromise across your environment

    Description Importance How To Perform LogRhythm Filter Criteria Important Metadata Fields Recommended Log Sources AIE Tips

    Top Common Event Data Identifies repeated operation From the Executive Impacted Host Origin, All Log Sources N/A
    or security events. Dashboard, double-click Host Impacted,
    each of the top 10 Common User Origin,
    Events to drill-down. Use User Impacted
    LogRhythm Analyzer to
    perform the initial analytics
    pass of events by double-
    click filtering interesting
    data as well as using the
    log table.
    Search on Classification LogRhythm's use of Search in Web Console for Classification is Attack, Varies All Log Sources N/A
    Classification Metadata can general activity. Compromise, Denial
    give insight into log source of Service, Malware,
    events. Grouping all Security Suspicious, Reconnaissance,
    classifications together Vulnerability.
    or selecting a specific
    classification can point you
    in a new direction.

    LOGRHYTHM.COM/SOLUTIONS/SECURITY/THREAT-MANAGEMENT/ Page 2
    Threat Hunting Reference: User
    Leveraging LogRhythm’s User and Entity Behavior Analytics

    Description Importance How To Perform Filter Criteria Important Metadata Recommended Log AIE Tips
    LogRhythm Fields Sources
    Interactive Logins on Service accounts are often Search in Web Console MPE Rule Name is: MPE Rule Name, Windows Security Create a Log Observed
    Service Accounts targeted by attackers, because for Windows Type 2, 7, 10 Host (Origin), Event Logs Ruleblock in AIE grouped
    EVID 4624 : Administrator Logon Type 2
    their password hashes are stored events. Host (Impacted), by metadata fields.
    EVID 4624 : Administrator Logon Type 7
    on large numbers of systems. User (Origin)
    EVID 4624 : Anonymous Logon Type 2
    These accounts are typically not EVID 4624 : Anonymous Logon Type 2
    used for interactive RDP but are EVID 4624 : Anonymous Logon Type 7
    rarely locked down. Attackers take EVID 4624 : Anonymous Logon Type 7
    advantage of this and use them for EVID 4624 : System Logon Type 2
    pivoting around the network. EVID 4624 : System Logon Type 7
    EVID 4624 : User Logon Type 10
    EVID 4624 : User Logon Type 2
    EVID 4624 : User Logon Type 7
    EVID 528 : Administrator Logon Type 10
    EVID 528 : Anonymous Logon Type 10
    EVID 528 : Anonymous Logon Type 10
    EVID 528 : System Logon Type 10
    EVID 528 : User Logon Type 10
    Privileged Account Identifies all activity from users with Search in Web Console for User (Origin) is ‘list: Privileged Users’ Host (Origin), Windows Security Event Create a Behavioral
    Activity the highest access and subject to privileged user account Host (Impacted), logs, *NIX Syslog Ruleblock in AIE grouped
    the highest risk. activity. User (Origin or Impacted) by metadata fields.
    Recommendation: Review
    the LogRhythm Privileged
    Users list in LogRhythm
    Console.
    Domain Admin Identifies all activity from users with Search in Web Console for User by Active Directory Group is Host (Origin), Windows Security N/A
    Activity the highest access and subject to all activity from Domain ‘Domain Admins’ Host (Impacted), Event logs
    the highest risk. Admin users. User (Origin),
    User (Impacted)
    Account Lockouts Locked accounts can indicate Search in Web Console Common Event is Account Locked or Host (Origin), Windows Security Event Create a Log Observed
    potential malicious issues within an for account lock events. Account Unlocked Host (Impacted), logs Ruleblock in AIE grouped
    environment dependent upon the Use the pivot feature to User (Impacted) by metadata fields.
    frequency and the actions leading identify related activity.
    up to the account lock. Multiple
    account locks within a short period
    of time is indicative of account
    sweeping or brute-force operations,
    while administrator locks attacks
    could highlight a targeted account.

    LOGRHYTHM.COM/SOLUTIONS/SECURITY/USER-BEHAVIOR-ANALYTICS/ Page 3
    Threat Hunting Reference: Host
    Leveraging LogRhythm’s Endpoint Monitoring

    Description Importance How To Perform LogRhythm Filter Criteria Important Metadata Fields Recommended Log Sources AIE Tips

    Operational Errors Error and critical messages Search in Web Console for Classification is Host (Impacted), All log sources Create a Threshold Observed
    reflect operational errors, and critical events. ‘Error’,’Critical’ Common Event Ruleblock in AIE grouped
    challenges that could result by Host (Impacted). Set Log
    in platform compromise and Count to 10 in 10 minutes.
    availability issues.
    Anti-Malware Activity Anti-malware activity Search in Web Console for Search for Classification is Host (Impacted), Antivirus, Endpoint Enable the ‘Malware:
    indicates a possible Antivirus activity. Use the ‘Malware’, ‘Failed Malware’ Object Monitoring, IDS/IPS, Malware Event’ rule from the
    compromise of a system. pivot feature to identify Windows, Application Logs LogRhythm Knowledge Base.
    Pivot on Host (Origin) and
    Anti-malware systems related activity. then Host (Impacted) to
    attempt to clean files. identify other components
    This does not necessarily where the malware may
    indicate the compromise has have touched.
    been remediated. Toolkits
    often have one or two
    detections and may leave
    behind undetected code.
    Remote Access PSExec is a powerful Search in Web Console for Log message contains Process Name, Windows Security Logs, Create a Log Observed
    with PSExec tool allowing the user any execution of PSExec. psexec or Process Name Host (Impacted) LogRhythm Process Monitor Ruleblock in AIE grouped
    to execute processes on contains psexec by metadata fields.
    remote systems, including
    interactive command-
    prompt commands. For this
    reason, it is favored among
    attacks when pivoting
    around the network.
    Application Crashes Application crashed often Search in Web Console Classification is ‘Error’ Common Event, Windows Application Logs Create a Threshold Observed
    occur when exploited by for application faults. Host (Impacted), Ruleblock in AIE grouped
    Log Source Type is ‘MS Event
    attackers. Any application Frequency of crashes and Object by Host (Impacted). Set Log
    Log for Win7/Win8/2008/2012
    crash should be investigated users of the application Count to 5 in 10 minutes.
    - Application’
    as a possible exploit. can be identified using the
    timeline and the widgets.

    LOGRHYTHM.COM/SOLUTIONS/SECURITY/ENDPOINT-THREAT-DETECTION/ Page 4
    Threat Hunting Reference: Network
    Leveraging LogRhythm’s Network Behavioral Analytics

    Description Importance How To Perform LogRhythm Filter Criteria Important Metadata Fields Recommended Log Sources AIE Tips

    Outbound Web Traffic Communication from Search in Web Console for Host (origin) is ServerA, Host(Origin), Firewall Create a Log Observed
    from Servers non-Web Server systems host activity. ServerB Host(Impacted), IDS/IPS Ruleblock in AIE grouped
    is suspicious and could Application, Proxy by Metadata fields.
    Recommendation: Create Direction is Outbound
    indicate compromise. Direction Network Monitor
    a list of web servers in Application is HTTP, HTTP
    LogRhythm Console and Alternate , HTTP RPC Endpoint
    use the list for Host (Origin) Mapper, http_tunnel, http2,
    search criteria. http-mgmt, HTTPS
    Outbound Traffic Traffic from internal critical Search in Web Console for Host (origin) is ServerA, Host(Origin), Firewall Create a Log Observed
    from Servers servers to the outside world host activity. ServerB Host(Impacted), IDS/IPS Ruleblock in AIE grouped
    could reflect an IOC. Direction Proxy by metadata fields.
    Recommendation: Create a Direction is Outbound
    Network Monitor
    list of servers in LogRhythm
    Console and use the list for
    Host (Origin) search criteria.
    Outbound Traffic Any non-web, DNS, and Search in Web Console for Host (origin) is ServerA, Host(Origin), Firewall Create a Log Observed
    from Servers common port connection host activity. ServerB Host(Impacted), IDS/IPS Ruleblock in AIE grouped
    (to Unknown Ports) to the outside world from a Direction Proxy by metadata fields.
    Recommendation: Create a Direction is Outbound
    production server Network Monitor
    list of servers in LogRhythm TCP/UDP Port Range
    Console and use the list for (Impacted) is not 1 - 1024.
    Host (Origin) search criteria.
    Communication to Communication with Search in Web Console for Direction is 'Outbound' and Host (Origin), LogRhythm Network Monitor, Create a Log Observed
    Non-Friendly/ Non-Business countries/zones where activity going to locations Location (Impacted) is NOT Host (Impacted), Firewalls, Netflow Ruleblock in AIE grouped
    Geographical Points we don't have business where business is not 'United States', 'blank' TCP/UDP Port (Impacted), by metadata fields.
    relationships are common typically conducted. Country (Impacted)
    indicators of compromise.
    Search for Non-Common Deep Packet Inspection Search in Web Console for Search for Application List Host (Origin), LogRhythm Network Monitor Create a Log Observed
    Corporate Applications can provide better insight network traffic classified by for each of the following: Host (Impacted), Ruleblock in AIE grouped
    to network activity related network monitor using lists Application by metadata fields.
    ‘Network: Functional: Adult/
    topolicy violations or provided by LogRhythm. Mature Content’, ‘Network:
    compromise. Functional: Online Storage’,
    ‘Network: Functional:
    P2P’, ‘Network: Functional:
    Remote Access’, ‘Network:
    Functional:Tunneling’

    LOGRHYTHM.COM/SOLUTIONS/SECURITY/NETWORK-THREAT-DETECTION/ Page 5
    Threat Hunting:
    A Quick Reference Guide

    Gartner SIEM Magic Quadrant Leader

    COMMERCIAL-GRADE NETWORK
    FORENSICS FOR FREE!!
    • Automatic identification of over 2,700 applications
    • Full or selectrive packet capture
    • File reconstruction
    • Customizable dashboard

    DOWNLOAD TODAY!
    Get Gartner’s Complete Analysis LogRhythm.com/NetMonFreemium
    in the SIEM 2016 Magic Quadrant
    A 2016 LEADER
    SIEM Magic Quadrant
    LogRhythm.com/Gartner-MQ

    You might also like