Hackers and malicious players are using new techniques to infiltrate your network, remain in stealth mode for a long period, and collect confidential information, or login credentials from the endpoints in your network. This information is later used to access other systems in your network. Threat hunting capability in Seqrite HawkkHunt helps you detect such hidden threats, unusual behavior, and infiltration activities in your network before they cause actual harm. You can then mitigate these threats and secure your IT infrastructure.
An incident responder (IR) usually relies on investigation of such known Indicators of Compromise (IOCs), and Indicators of Attack(IOAs).
An IOC is digital evidence on a computer that points to a breach of network security. These may be an MD5 hash, a C2 domain or hardcoded IP address, a registry key, filename, etc.
- An altered MD5 hash may point to a file being compromised.
- Callbacks to command-and-control (C2) servers indicate breach or compromise. You may receive information about C2 servers through your own analysis or through threat sharing groups. This may be a particular domain name or a hard-coded IP address.
- A change in typical registry values, or a change in filename may be a red flag. If you find anything from above IOCs, your systems may already have been compromised.
In Seqrite HawkkHunt, you can proactively search for such instances in your historical logs database collected from across the endpoints or hosts in your network. Threat hunting helps you detect compromised processes even though an alert may not have been generated for a process. You can create and run queries that are a combination of specific IOCs indicator filters and store the queries for future use. After you run a specific query on the Threat Hunting page, HawkkHunt performs a search through the database and displays the corresponding alerts or compromised processes. You can use saved queries to run a fresh query or use the filters from a saved query to create a new query and save it for future use.
You can use the following IOC indicator filters to create, run, and save a search query. For the purpose of brevity, we shall call these indicators as filters in the following tasks:
|SHA2||Enter a specific value of SHA2 that you want to search in the HawkkHunt database.|
|MD5||Enter a specific MD5 checksum that you want to search in the HawkkHunt database.|
|Command line||Enter a command line argument that is used to run a particular file or execute a particular process.|
|Name||Enter a name string that you want to search. You can enter a filename also.|
|Path||Enter a file or directory path that you want to search.|
|IP||Enter the IP address of a C2 server that you want to search from the logs.|
|URL||Enter the URL for a suspicious domain to which you suspect that a callback has been made from your network.|