Hunt 4 Malicious Check of AV Processes

Name:
Hunt 4 Malicious Check of AV Processes

TTP:
T1082 System Information Discovery

Hypothesis:

The attacker may have used the malware to check for antivirus-related processes running in the system.

Campaign Type:
Data Driven

Data Sources:

• Windows Security Event Log (Process Creation, Process Termination)
• Sysmon Event Log (Process Creation, Process Access)

Tools:

• PowerShell
• Splunk or another log management tool
• Sysmon

Scenario:

Initial Access: Attacker gains initial access through phishing or exploitation of a vulnerability.

Defense Evasion: Attacker uses obfuscation or encryption to evade detection.

Discovery: Attacker uses the malware to check for antivirus-related processes running in the system.

Credential Access: The attacker uses the malware to steal sensitive information, including browser data and cryptocurrency wallet credentials.

Command and Control: The attacker uses the malware to communicate with command-and-control (C2) servers using encrypted channels.

Exfiltration: The attacker exfiltrates sensitive data.

Impact: Attacker causes disruption or damage to the organization.

Hunting Strategy:

1. Analyze Windows Security Event Log and Sysmon Event Log for any process creation or process access events related to the malware.
2. Correlate the events and identify any patterns or anomalies.
3. Investigate any outliers or suspicious events.
4. Validate potential threats by checking for known malicious IP addresses, domain names, or file hashes.
5. Remediate by removing the attacker’s access and patching any vulnerabilities that were exploited.
6. Report findings and recommendations to the organization.

Recommendations:

• Implement strong password policies and multi-factor authentication.  
   
• Monitor for any unauthorized access to sensitive data.
• Keep systems and applications up-to-date with the latest security patches.

Step-by-Step Guide to Emulate a Threat Hunt

Prepare the Environment

1. Set up a test environment with necessary security monitoring tools installed.
2. Enable relevant auditing policies for the operating system and applications.
3. Configure a centralized log management system for collecting and storing security events.

Emulate the Attack Techniques

1. Execute commands and actions that simulate the suspected attack techniques.
2. Use relevant attack tools or scripts to generate representative security events.

Emulate Post-Compromise Activities

1. Simulate post-compromise activities, such as privilege escalation, lateral movement, and data exfiltration, to generate corresponding security events.
2. Use appropriate tools and techniques to emulate these activities in a controlled manner.

Collect and Analyze Logs

1. Collect the generated security event logs from your centralized log management system.
2. Use analysis tools to search for events related to the emulated attack techniques.
3. Filter events based on relevant criteria, such as process names, command-line parameters, network connections, and registry activity.

Refine Detections

1. Analyze the collected logs to identify patterns and refine your detection rules.
2. Consider using threat detection frameworks like YARA or SIGMA to create more robust detection rules.
3. Document your analysis and findings to improve future threat hunting efforts.

False Positive Consideration:

Some applications may exhibit similar behavior to the malware.

D3 Diagram: