In Part I of this series, we laid the groundwork for effective threat hunting by focusing on authentication logs. Techniques such as detecting
suspicious system user logins, unauthorized access to systems, and identifying anomalies in login patterns helped establish a structured approach to
uncovering potential threats. These foundational methods highlight how a proactive mindset can transform log data into actionable insights.
But threat hunting doesn’t stop at authentication logs. Attackers constantly evolve their tactics, and as defenders, we must expand our scope to analyze
other critical log categories. Advanced threat hunting involves diving deeper into network traffic, endpoint behaviors, file changes, and application activity. By
leveraging command-line tools like grep, awk, and cut, we can efficiently parse vast amounts of data to uncover hidden threats.
In this continuation, we’ll explore advanced techniques that build upon the basics from Part I. These strategies will enable you to go beyond surface-level
anomalies and detect more sophisticated threats lurking in your systems. Let’s dive in!
Network logs provide visibility into the communication patterns within your organization. Here’s how to leverage them for threat hunting:
Unusual Data Transfers
Large uploads or downloads to unfamiliar destinations often indicate data exfiltration or unauthorized activity. To identify such
anomalies, you can use tools like grep, awk, or cut to parse network logs, which often include fields such as source/destination IPs, ports,
and data size.
Examples
For Firewall Logs (iptables, ufw):
grep "DPT" /var/log/syslog | awk '$NF > 5000 {print $1, $2, $3, $NF}'
DPT indicates the destination port. $NF (last field) may represent packet size or data transferred.
For Proxy Logs (e.g., Squid):
grep "POST" /var/log/squid/access.log | awk '$5 > 5000 {print $1, $4, $5}'
$5 is the size of the uploaded data. $1 and $4 show the client IP and timestamp.
For Network Monitoring Tools (e.g., Zeek):
awk -F'\t' '!/^#/ && $10 + $11 > 5000 {print $1, $3, $5, $10 + $11}' conn.log
conn.log is tab-separated and starts with #-prefixed header lines; in the default field layout $10 is orig_bytes and $11 is resp_bytes, so their sum is the payload transferred in both directions (Zeek writes "-" for unknown values, which awk treats as 0). Confirm the positions against the #fields header before relying on them.
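As an added example (not code from the original post): a shell function that reads a Zeek conn.log on stdin and reports connections whose orig_bytes plus resp_bytes exceed a threshold, locating columns through the #fields header instead of by fixed position, so it keeps working when the field set is customised. The conn.log content is constructed and truncated to the first twelve default columns.

```shell
#!/bin/sh
# Constructed conn.log sample (tabs are produced by printf %b); real files carry more columns.
conn_log() {
  printf '%b\n' \
    '#separator \\x09' \
    '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state' \
    '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring' \
    '1700000000.1\tC1\t10.0.0.5\t51000\t93.184.216.34\t443\ttcp\tssl\t12.3\t820\t4100\tSF' \
    '1700000001.2\tC2\t10.0.0.7\t51001\t198.51.100.9\t443\ttcp\tssl\t301.0\t7340032\t2048\tSF' \
    '1700000002.3\tC3\t10.0.0.5\t51002\t10.0.0.1\t53\tudp\tdns\t0.01\t60\t120\tSF' \
    '1700000003.4\tC4\t10.0.0.9\t51003\t203.0.113.5\t8443\ttcp\t-\t-\t-\t-\tS0'
}

# large_transfers THRESHOLD: print connections whose payload bytes exceed THRESHOLD.
large_transfers() {
  awk -F'\t' -v thr="$1" '
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }  # map field name -> column
    /^#/       { next }                                             # skip other metadata lines
    {
      ob = $(col["orig_bytes"]); rb = $(col["resp_bytes"])
      if (ob == "-") ob = 0; if (rb == "-") rb = 0                  # Zeek writes "-" for unknown
      if (ob + rb > thr)
        printf "%s %s -> %s:%s %d bytes\n",
               $(col["ts"]), $(col["id.orig_h"]), $(col["id.resp_h"]), $(col["id.resp_p"]), ob + rb
    }'
}

conn_log | large_transfers 5000
```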
Outbound Connections to Unknown IPs
Flag connections to untrusted or foreign IPs by filtering logs for external traffic:
grep "OUTBOUND" /var/log/firewall.log | awk '{print $5}' | sort | uniq -c | sort -nr
Combine this with a threat intelligence feed to match flagged IPs against known malicious addresses.
Port Scanning Attempts
Repeated attempts on different ports from the same IP could indicate reconnaissance:
grep "connection attempt" /var/log/network.log | awk '{print $5}' | sort | uniq -c | sort -nr
File integrity logs are vital for spotting unauthorized changes to critical files.
Detect Unexpected Modifications
Look for changes in system configuration files:
grep "modified" /var/log/fim.log | grep "/etc/" | cut -d " " -f1,3,5
This example filters logs for modifications in the /etc directory.
Identify Suspicious File Names
Flag unusual file names or extensions in monitored directories:
find /monitored/dir -type f \( -name "*.exe" -o -name "*.tmp" \)
The parentheses matter: without them -type f applies only to the *.exe test, and every *.tmp entry, directories included, is listed.
Admin accounts are a key target for attackers. Monitoring their usage is crucial.
Track Privilege Escalation Attempts
Identify when a user gains elevated privileges unexpectedly:
grep "sudo:" /var/log/auth.log | awk '$NF == "success" {print $1, $2, $3, $11}'
Multiple Admin Logins
Detect concurrent logins from different locations:
grep "Accepted publickey" /var/log/auth.log | awk '{print $9, $11}' | sort | uniq -c
This identifies unique user-IP combinations.
Endpoint logs provide granular insights into device activities.
Identify Unusual Processes
Look for rare processes running on endpoints:
ps aux | awk 'NR > 1 {print $1, $11}' | sort | uniq -c | sort -n
Only the user and command are counted: including the PID ($2) would make every line unique, so uniq -c would report 1 for everything. The rarest user/command pairs appear at the top; compare them against a known-good baseline from a similar host.
Spot Persistence Mechanisms
Track newly created startup items:
grep "cron" /var/log/cron.log | grep "added"
Logs from web applications and APIs often reveal exploitation attempts.
Detect Abnormal API Calls
Spot spikes in API usage:
grep "API" /var/log/application.log | awk '{print $1, $3}' | sort | uniq -c | sort -nr
SQL Injection Attempts
Identify patterns indicative of injection attacks:
grep -iE "\b(SELECT|UNION|DROP|INSERT)\b" /var/log/web.log | cut -d " " -f1,4,7
-i catches mixed-case keywords and the word boundaries stop ordinary paths such as /selection from matching; with the Apache/Nginx combined log format, fields 1, 4 and 7 are the client IP, timestamp and request path. Keywords that arrive URL-encoded slip past a plain grep, so decode the request path before matching when that matters.
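Added example, not from the original post: the same keyword check, but run after URL-decoding the request path so that payloads written with %XX escapes or with + for spaces are caught, and with whole-word matching so that a benign path containing "selection" is not. The access log lines are constructed in Apache/Nginx combined format.

```shell
#!/bin/sh
# Constructed combined-format access log: one plain request, one URL-encoded
# injection attempt, one benign path containing "selection", one '+'-encoded attempt.
sample_web() {
  printf '%s\n' \
    '10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "GET /products?id=42 HTTP/1.1" 200 512 "-" "Mozilla"' \
    '198.51.100.9 - - [10/Jan/2024:12:00:02 +0000] "GET /products?id=42%27%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 500 0 "-" "curl"' \
    '10.0.0.6 - - [10/Jan/2024:12:00:03 +0000] "GET /help/selection-guide HTTP/1.1" 200 2048 "-" "Mozilla"' \
    '203.0.113.4 - - [10/Jan/2024:12:00:04 +0000] "GET /search?q=a+UNION+SELECT+1 HTTP/1.1" 200 120 "-" "Mozilla"'
}

# sqli_hits: print "client timestamp decoded-path" for requests whose decoded
# path contains a SQL keyword as a whole word.
sqli_hits() {
  awk '
    function urldecode(s,   out, v) {
      gsub(/\+/, " ", s)                                   # form encoding: "+" is a space
      out = ""
      while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {        # %XX -> byte XX
        v = hv[substr(s, RSTART + 1, 1)] * 16 + hv[substr(s, RSTART + 2, 1)]
        out = out substr(s, 1, RSTART - 1) sprintf("%c", v)
        s = substr(s, RSTART + 3)
      }
      return out s
    }
    BEGIN {                                                 # hex digit lookup table
      for (i = 0; i < 16; i++) { d = substr("0123456789abcdef", i + 1, 1); hv[d] = i; hv[toupper(d)] = i }
    }
    {
      path = urldecode($7)                                  # combined format: $7 is the request path
      if (toupper(path) ~ /(^|[^A-Z])(SELECT|UNION|DROP|INSERT)([^A-Z]|$)/)
        print $1, $4, path
    }'
}

sample_web | sqli_hits
```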
Repeated Failed Authentication
Flag brute-force attempts:
grep "failed login" /var/log/application.log | awk '{print $5}' | sort | uniq -c | sort -nr
Integrating external threat intelligence can elevate your threat-hunting capabilities.
Correlate Indicators of Compromise (IOCs)
Cross-reference IPs from logs with external feeds:
grep "IP" /var/log/firewall.log | cut -d " " -f5 | while read ip; do curl -s "https://threatfeed.com/api/$ip"; done
Flag Suspicious Domains
Use domain reputation services to flag high-risk domains accessed by users:
grep "domain" /var/log/dns.log | cut -d " " -f5 | while read domain; do curl -s "https://reputation.noc.org/api/?domain=$domain"; done
Advanced threat hunting requires a deep understanding of your environment and effective use of tools to parse and analyze logs. By applying techniques like
network traffic analysis, file integrity monitoring, and contextual intelligence integration, you can uncover threats that traditional automated systems might
overlook. Combine these strategies with the fundamentals covered in Part I to build a robust, proactive defense against cyber threats.
Happy hunting!