Threat Hunting 101


LogRhythm Insights Automating Rogue Process Hunting



Page 5 of 14
To keep the list accurate, make hunting for suspicious processes efficient, and speed up notification when a rogue process is spotted, LogRhythm uses an AI Engine (AIE) rule called a Whitelist Rule Block: the ProcessName value from each Event ID 4688 ("A new process has been created") event is automatically added to the list. Note that Windows only generates 4688 when the Audit Process Creation policy is enabled. A list of processes can also be added to the rule manually. Once a baseline is established, you can reuse the same process list across multiple endpoints, with the rule modified to alert the appropriate staff when a new process is spotted.

Recognizing Suspicious Software | Threat Hunting Using a Hash
This method uses an investigation and procedure similar to those for process names. To gather process hashes, you need to install Sysmon on each system that will be baselined or continually monitored; Sysmon records the hash of each executed image in its process-creation event (Event ID 1), using the hash algorithms selected in its configuration. Be aware of a few distinct differences from process-name monitoring:
There are more hashes to investigate than program names. Each executable has a unique hash of the binary code that makes up the file, so when a new version of the same executable is created (think patches and updates), so is a new hash. If you support two versions of Microsoft Word, for example, you will have two hashes of winword.exe.

Maintaining a whitelist of known-good hashes is more work. Simply scanning a golden image is insufficient: you need to update the whitelist before patches hit production, most likely by scanning your patched test system for new hashes. There are commercially available whitelists, but in general they are not updated quickly enough. You should look up unknown hashes against VirusTotal, but also consider ignoring or deprioritizing a hash that received a neutral rating and was first scanned a long time ago. If you tackle these challenges and build a hash whitelist, you will know within minutes whenever a new binary file executes in your environment. Keep in mind, there are two scenarios in which using hashes won't work:
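The following is an added example, not LogRhythm's code or part of the original document. It shows the baseline-then-alert logic from both sections above in one place: a whitelist keyed on process name (as the Whitelist Rule Block does) that also tracks the SHA256 and path per name from Sysmon Event ID 1, so that a patched binary at its usual path is reported differently from an unknown binary or a known name launched from an unusual location. The Sysmon records, the host names, the hash values and the `REPUTATION` table (a stand-in for a VirusTotal lookup, giving detection count and days since first scan) are all constructed for the example; the `sysmon_event` helper only builds those samples and is not a Sysmon API.

```python
"""Baseline-then-alert logic for rogue process hunting, keyed on process name
and on the SHA256 carried in Sysmon Event ID 1 (Process Create).
All events below are constructed samples, not real captures."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Placeholder hashes (64 hex chars so they parse like real SHA256 values).
H_WINWORD_V1 = "a1" * 32
H_WINWORD_V2 = "a2" * 32      # WINWORD.EXE after a patch: same name, new hash
H_SVCHOST = "b4" * 32
H_DROPPER = "d3" * 32         # binary never seen in the baseline
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"


def sysmon_event(computer: str, image: str, sha256: str) -> str:
    """Build a constructed Sysmon Event ID 1 record in Windows event XML.
    Sysmon writes the Hashes field as 'ALG=value,ALG=value'."""
    return (f'<Event xmlns="{NS[1:-1]}">'
            f"<System><EventID>1</EventID><Computer>{computer}</Computer></System>"
            f'<EventData><Data Name="Image">{image}</Data>'
            f'<Data Name="Hashes">SHA256={sha256},IMPHASH={"0" * 32}</Data>'
            f"</EventData></Event>")


# Baseline = golden image plus the patched test system, so the updated
# WINWORD hash is whitelisted before the patch reaches production.
BASELINE_XML = [
    sysmon_event("GOLD01", r"C:\Windows\System32\svchost.exe", H_SVCHOST),
    sysmon_event("GOLD01", WINWORD, H_WINWORD_V1),
    sysmon_event("TEST01", WINWORD, H_WINWORD_V2),
]
# Production: old Word (known), unknown binary, and a known name from a user directory.
PRODUCTION_XML = [
    sysmon_event("WS01", WINWORD, H_WINWORD_V1),
    sysmon_event("WS02", r"C:\Users\Public\update.exe", H_DROPPER),
    sysmon_event("WS03", r"C:\Users\Public\svchost.exe", H_DROPPER),
]
# Constructed reputation data: sha256 -> (detections, days since first scan).
REPUTATION: Dict[str, Tuple[int, int]] = {H_DROPPER: (0, 2)}


@dataclass(frozen=True)
class ProcessEvent:
    computer: str
    image: str
    sha256: str

    @property
    def name(self) -> str:
        """Process name as a name-based whitelist keys it: basename, case-folded."""
        return self.image.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    event: ProcessEvent
    reason: str     # new_name | new_hash | new_hash_new_path
    priority: str   # high | medium | low


def parse_process_create(xml_text: str) -> Optional[ProcessEvent]:
    """Return a ProcessEvent for a Sysmon Event ID 1 record, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"{NS}System/{NS}EventID") != "1":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}
    hashes = dict(p.split("=", 1) for p in data.get("Hashes", "").split(",") if "=" in p)
    sha = hashes.get("SHA256", "").lower()
    if not sha:
        return None   # hash-based hunting needs SHA256 in the Sysmon config
    return ProcessEvent(root.findtext(f"{NS}System/{NS}Computer") or "", data.get("Image", ""), sha)


def parse_events(xml_list: List[str]) -> List[ProcessEvent]:
    return [e for e in map(parse_process_create, xml_list) if e is not None]


class ProcessWhitelist:
    """learn() is the baselining phase; check() is the alerting phase on other hosts."""

    def __init__(self) -> None:
        self.hashes: Dict[str, Set[str]] = {}   # process name -> known SHA256s
        self.paths: Dict[str, Set[str]] = {}    # process name -> known full paths

    def learn(self, events: List[ProcessEvent]) -> None:
        for e in events:
            self.hashes.setdefault(e.name, set()).add(e.sha256)
            self.paths.setdefault(e.name, set()).add(e.image.lower())

    def check(self, events: List[ProcessEvent]) -> List[Finding]:
        findings, seen = [], set()
        for e in events:
            if (e.name, e.sha256) in seen:
                continue                        # alert once per new binary
            seen.add((e.name, e.sha256))
            known = self.hashes.get(e.name)
            if known is None:
                findings.append(Finding(e, "new_name", "high"))
            elif e.sha256 not in known:
                if e.image.lower() in self.paths[e.name]:
                    findings.append(Finding(e, "new_hash", "medium"))  # likely an unbaselined patch
                else:
                    findings.append(Finding(e, "new_hash_new_path", "high"))  # name reuse, odd location
        return findings


def triage(findings: List[Finding], reputation: Dict[str, Tuple[int, int]]) -> List[Finding]:
    """Any detection raises priority; a neutral rating that was first scanned
    long ago lowers it, as the text suggests, unless the path itself is odd."""
    for f in findings:
        rep = reputation.get(f.event.sha256)
        if rep is None:
            continue
        detections, age_days = rep
        if detections > 0:
            f.priority = "high"
        elif age_days >= 365 and f.reason in ("new_name", "new_hash"):
            f.priority = "low"
    return findings


def run_demo() -> List[Finding]:
    wl = ProcessWhitelist()
    wl.learn(parse_events(BASELINE_XML))
    return triage(wl.check(parse_events(PRODUCTION_XML)), REPUTATION)


if __name__ == "__main__":
    for f in run_demo():
        print(f.priority, f.reason, f.event.computer, f.event.image, f.event.sha256[:12])
```

Running it reports two findings: `update.exe` on WS02 as a new name, and `svchost.exe` on WS03 as a known name with a new hash from a path never seen in the baseline. The patched `WINWORD.EXE` hash raises nothing because the test system was baselined first, which is the workflow the paragraph above describes.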




