
Threat Hunting

Attackers are constantly using new techniques to infiltrate your network, remain undetected for long periods, and collect confidential information or login credentials from the endpoints in your network. That information is later used to access other systems in your network. The threat hunting capability in Seqrite HawkkHunt helps you detect such hidden threats, unusual behavior, and infiltration activity in your network before they cause actual harm, so that you can mitigate the threats and secure your IT infrastructure.
An incident responder (IR) usually relies on investigating known Indicators of Compromise (IOCs) and Indicators of Attack (IOAs).
An IOC is digital evidence on a computer that points to a breach of network security. It may be an MD5 hash, a C2 domain or hard-coded IP address, a registry key, a filename, and so on.

  • A file whose MD5 hash no longer matches its known value may have been tampered with.
  • Callbacks to command-and-control (C2) servers indicate a breach or compromise. You may learn about C2 servers through your own analysis or through threat-sharing groups; the indicator may be a particular domain name or a hard-coded IP address.
  • A change in typical registry values, or a change in a filename, may be a red flag.

If you find any of the above IOCs, your systems may already have been compromised.

In Seqrite HawkkHunt, you can proactively search for such instances in the historical log database collected from the endpoints (hosts) in your network. Threat hunting helps you detect compromised processes even when no alert has been generated for a process. You can create and run queries that combine specific IOC indicator filters, and store the queries for future use. After you run a query on the Threat Hunting page, HawkkHunt searches the database and displays the matching alerts or compromised processes. You can rerun a saved query as it is, or use the filters from a saved query as the starting point for a new query and save that for future use.

You can use the following IOC indicator filters to create, run, and save a search query. For brevity, these indicators are referred to as filters in the following tasks:

Filter        Description
SHA2          A SHA2 hash value to search for in the HawkkHunt database.
MD5           An MD5 checksum to search for in the HawkkHunt database.
Command line  A command line argument used to run a particular file or execute a particular process.
Name          A name string to search for; this can also be a filename.
Path          A file or directory path to search for.
IP            The IP address of a C2 server to search for in the logs.
URL           The URL of a suspicious domain to which you suspect a callback has been made from your network.
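As an added illustration of what such a filter query does when it is run against collected endpoint logs (this is example code written for this page, not HawkkHunt's own implementation), the Python below parses filter/value pairs in the form used in the tasks that follow, such as Name: Powershell.exe and IP:"202.145.202.114", and matches them against a few constructed log records. The record field names, the exact-versus-substring comparison chosen for each filter, and the rule that every filter in one query must match are assumptions made for the example, not documented HawkkHunt behaviour.

```python
"""IOC filter matching over historical endpoint logs (added example).

This is not HawkkHunt code. Record field names, the comparison rule per
filter and the AND-combination of filters are assumptions for illustration.
"""
from typing import Dict, List

# Constructed sample log records, one process event per endpoint.
# Hosts, paths, command lines and hash values are made up for the example.
SAMPLE_LOGS: List[Dict[str, str]] = [
    {"host": "WS-01", "name": "powershell.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "md5": "0123456789abcdef0123456789abcdef", "sha2": "aa" * 32,
     "ip": "202.145.202.114", "url": ""},
    {"host": "WS-02", "name": "powershell.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process",
     "md5": "0123456789abcdef0123456789abcdef", "sha2": "aa" * 32,
     "ip": "10.0.0.5", "url": ""},
    {"host": "WS-03", "name": "svchost.exe",
     "path": r"C:\Users\Public\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs",
     "md5": "fedcba9876543210fedcba9876543210", "sha2": "bb" * 32,
     "ip": "202.145.202.114", "url": "http://update-check.example/cb"},
    {"host": "WS-04", "name": "chrome.exe",
     "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --type=renderer",
     "md5": "11111111111111111111111111111111", "sha2": "cc" * 32,
     "ip": "10.0.0.20", "url": "https://www.example.com/"},
]

# The seven filter names from the Threat Hunting page, mapped to the assumed
# record field and comparison mode: hashes, names and IPs are compared
# exactly (case-insensitive); free-text fields are matched as substrings.
FILTERS = {
    "SHA2": ("sha2", "exact"),
    "MD5": ("md5", "exact"),
    "Command line": ("cmdline", "substring"),
    "Name": ("name", "exact"),
    "Path": ("path", "substring"),
    "IP": ("ip", "exact"),
    "URL": ("url", "substring"),
}


def parse_query(text: str) -> Dict[str, str]:
    """Parse one 'Filter: value' pair per line into a filter dictionary.

    Straight or curly quotes around the value are stripped, so both
    Name: Powershell.exe and IP:"202.145.202.114" are accepted. Unknown
    filter names are rejected rather than silently ignored.
    """
    filters: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"expected 'Filter: value', got {line!r}")
        key, value = line.split(":", 1)
        key = key.strip()
        if key not in FILTERS:
            raise ValueError(f"unknown filter {key!r}")
        filters[key] = value.strip().strip('"\u201c\u201d')
    return filters


def _matches(record: Dict[str, str], key: str, wanted: str) -> bool:
    """Compare one record field against one filter value."""
    field, mode = FILTERS[key]
    actual = record.get(field, "").lower()
    wanted = wanted.lower()
    if mode == "exact":
        return actual == wanted
    return wanted in actual


def run_query(filters: Dict[str, str], logs: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the records that satisfy every filter in the query (assumed AND)."""
    if not filters:
        raise ValueError("refusing to run an empty query")
    return [r for r in logs if all(_matches(r, k, v) for k, v in filters.items())]


def matching_hosts(filters: Dict[str, str], logs: List[Dict[str, str]]) -> List[str]:
    """Distinct hosts hit by the query, sorted (the highlighted nodes on the canvas)."""
    return sorted({r["host"] for r in run_query(filters, logs)})


if __name__ == "__main__":
    # The Powershell+IP query from the Creating a query task, run on the sample.
    query = parse_query('Name: Powershell.exe\nIP: "202.145.202.114"')
    for rec in run_query(query, SAMPLE_LOGS):
        print(rec["host"], rec["cmdline"])
```

Running the block as a script prints only WS-01, because WS-02 runs powershell.exe without the C2 address and WS-03 contacts the address from a different process. Searching on the IP alone surfaces both WS-01 and WS-03, which is the point of combining and then loosening filters when hunting: the narrower query confirms a specific hypothesis, the broader one shows every host talking to the indicator.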

Creating a query

  1. On the HawkkHunt portal, click Threat Hunting in the left navigation pane. The Threat Hunting tab is highlighted with a yellow square. You can search directly with appropriate search parameters or create a new query with the query builder.
  2. Click the Add + button to add filter values. The Filters dialog box is displayed.
  3. Click in the Search text box and select one of the filters that are displayed, for example Name. The selected filter is displayed in the Search box.
  4. Enter a value for the filter. In this example, we add Name: Powershell.exe.
  5. Click Add + to add the selected IOC filter and its value. The value is displayed under Selected Filters.
  6. Click in the Search box and repeat the preceding steps to add other IOC values to the search query, for example an IP address: IP:"202.145.202.114". Add as many IOCs as required. To remove a particular filter, click the x mark next to that value.
  7. Click Apply to apply the search criteria.
  8. When you have finished adding filters and their values, click Save Query. The query is saved with a time stamp and moved to the Saved Queries tab.
  9. Enter a name for the query in the Query Name column (highlighted in the yellow box), for example Powershell+IP, and click Save. A confirmation message is displayed and the query is saved.

Using a saved query to create a new query

  1. On the HawkkHunt portal, click Threat Hunting in the left navigation pane. Click Add +. The Filter dialog box is displayed.
  2. Click the Saved Queries tab. The saved queries are listed in order of their creation time stamps.
  3. Scroll down the query list, or use the sort icons beside the Time Stamp and Query Name columns to sort the entries as required. Click the query that you want to use. The query tags for the selected query are displayed in the Query tags section.
  4. To add the filters from the selected query to a new query, click Add Filters. The query is moved to the Add Filter tab and two extra buttons, Update Query and Save Query, are displayed.
  5. To update the existing query, add or remove filters as required and click Update Query.
  6. To save the result as a new query, click Save Query. The query is moved to the Saved Queries tab.
  7. Enter a name for the query in the Query Name column and click Save. A success message is displayed and the query is saved.

Deleting a saved query

You can delete saved queries that are no longer required.

  1. On the HawkkHunt portal, click Threat Hunting in the left navigation pane.
  2. Click Add +.
  3. In the Filter dialog box, click Saved Queries. The saved queries are listed.
  4. Select the query you want to delete.
  5. Click Delete.
  6. Click Yes at the confirmation prompt. The query is deleted.

Running a query

You can create a new query with the required indicators and apply it to get results, or you can use a previously saved query to search for threats in the HawkkHunt database.

  1. On the HawkkHunt portal, click Threat Hunting in the left navigation pane.
  2. Click Add +. The query filter dialog box is displayed.
  3. Create a new query, or click the Saved Queries tab to view the saved queries and select the query that you want to run. In this example, we click the Saved Queries tab and select the first query in the list.
  4. Click Add Filters to add or modify filters in the selected query.
  5. The indicator filters from the selected query are displayed. Add or remove indicator filters as required.
  6. Click Apply to run the final query. The results are displayed in Canvas mode, with the matching host nodes highlighted in blue on the canvas. The right pane lists the processes that match the query.
  7. To obtain more information about a particular host, click its host node. Each small dot or node represents a host endpoint. Alert details and process details for that host are displayed in a small box showing the number of processes and alerts. Alternatively, click the corresponding entry in the right pane to get more information about that host.

The following information is displayed about the selected alert:

  • Corresponding hostname
  • Severity of the alert
  • Date and time of the affected file
  • Attack tactic type
  • Status of the alert (open or closed)

  8. To view the process details for that host, click the Process tab in the upper right corner. Only the processes on the host that match the query are displayed.
  9. To start investigating a process, click that process. You are taken to the Alert/Process analysis page, from where you can start the investigation workflow.

Search History

The Search History tab lists the search queries that were run recently. You can reuse any of these recent or applied queries.

  1. On the HawkkHunt portal, click Threat Hunting in the left navigation pane.
  2. Click Add +.
  3. In the Filter dialog box, click Search History. The recently run queries are listed.
  4. Select the query you want to apply and modify it if required.
  5. Click Apply. The query is applied and the search results are displayed.