Threat Hunting and Pyramid of Pain

The buzzword first appeared in 2014, and the people who were already doing the work of hunting for adversaries within their networks, and were therefore interested in threat hunting, agreed with it on all aspects. During threat hunting and/or intelligence gathering or incident response we mostly concentrate on identifying indicators of compromise and normally follow these steps:

  1. Collect indicators of compromise – basic/advanced threat intelligence platform – yes, I have collected indicators of compromise from all over the world; then what?
  2. Compare the IOCs with internal logs – SIEM – to understand the extent of the infection – lateral movement, as we say. One can also use specific tools for this – Carbon Black, Palantir, Darktrace etc.
  3. Detect and mitigate – most of the time by running anti-virus and/or restoring the system from backup or re-installing a fresh copy.

Most organisations perform the points mentioned above believing that this is their incident response plan and threat hunting procedure, but they have actually only performed two or three stages – Identification, Recovery and Follow-up/Lessons learned.

This is what I call the reactive approach; as the name suggests, incident response is responding to an incident. However, there is another approach – the pro-active approach – where a team of experienced incident responders looks through the network and identifies anomalies and/or unwanted entities within it. That is what came to be called Threat Hunting. The days of external organisations notifying you of an infection or data exfiltration, or of your own data showing up on Pastebin, are increasing, and organisations must have threat hunting and IR capabilities well invested in and implemented. Proper process and procedure are important as well in understanding how to perform these duties. Consider the following:

Following is the Pyramid of Pain:

[Figure: the Pyramid of Pain]

The diagram has a scale that shows the relationship between the indicators of compromise a threat hunter or an incident responder can find and how much pain using them to detect the adversary will cause that adversary.
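To make the two ideas above concrete, here is a small Python example, added here and not part of the original post, of steps 2 and 3 of the IOC workflow seen through the Pyramid of Pain: each indicator is tagged with its tier, a handful of constructed proxy and endpoint log lines are checked against the indicators, and the hits are triaged so that matches on high-pain indicators (tools, artifacts) are looked at before low-pain ones (hashes, IPs). The indicator values, host names and log lines are all made up for the example; the tier names follow the pyramid's levels.

```python
import re
from dataclasses import dataclass

# Pyramid of Pain levels, bottom to top: the higher the index, the more it
# costs the adversary when defenders detect on that kind of indicator.
PAIN_TIERS = ("hash", "ip", "domain", "network_artifact", "host_artifact", "tool", "ttp")


@dataclass(frozen=True)
class Indicator:
    value: str
    tier: str  # one of PAIN_TIERS

    @property
    def pain(self) -> int:
        return PAIN_TIERS.index(self.tier)


def _matches(line: str, ioc: Indicator) -> bool:
    """Case-insensitive match of one indicator against one log line.

    Hashes, IPs and domains are matched as whole tokens so that 203.0.113.4
    does not fire on 203.0.113.45; artifacts and tool names are matched as
    substrings because they are usually fragments (a URI pattern, a process name).
    """
    if ioc.tier in ("hash", "ip"):
        pattern = r"(?<![A-Za-z0-9.\-])" + re.escape(ioc.value) + r"(?![A-Za-z0-9.\-])"
    elif ioc.tier == "domain":
        # a leading dot is allowed so sub.domain.example still hits domain.example
        pattern = r"(?<![A-Za-z0-9\-])" + re.escape(ioc.value) + r"(?![A-Za-z0-9.\-])"
    else:
        return ioc.value.lower() in line.lower()
    return re.search(pattern, line, re.IGNORECASE) is not None


def hunt(logs, iocs):
    """Return one record per log line that matched at least one indicator,
    ordered with the highest-pain match first (that is where triage starts)."""
    hits = []
    for idx, line in enumerate(logs):
        matched = [ioc for ioc in iocs if _matches(line, ioc)]
        if matched:
            best = max(matched, key=lambda i: i.pain)
            hits.append({
                "line": idx,
                "best_tier": best.tier,
                "indicators": sorted(i.value for i in matched),
            })
    hits.sort(key=lambda h: PAIN_TIERS.index(h["best_tier"]), reverse=True)
    return hits


# Constructed sample indicators (not real threat intelligence).
SAMPLE_IOCS = [
    Indicator("0123456789abcdef0123456789abcdef", "hash"),
    Indicator("203.0.113.45", "ip"),                 # TEST-NET-3 documentation address
    Indicator("invoice-update.example", "domain"),
    Indicator("/gate.php?id=", "network_artifact"),  # URI pattern
    Indicator("rundll32.exe", "tool"),
]

# Constructed proxy and endpoint log lines (not from any real environment).
SAMPLE_LOGS = [
    "2016-04-03T10:01:12 proxy src=10.0.0.8 dst=203.0.113.45 host=invoice-update.example uri=/gate.php?id=7 status=200",
    "2016-04-03T10:01:13 edr host=WS01 proc=rundll32.exe parent=winword.exe",
    "2016-04-03T10:02:00 proxy src=10.0.0.9 dst=198.51.100.7 host=cdn.example uri=/lib.js status=200",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS, SAMPLE_IOCS):
        print(hit["best_tier"].ljust(16), SAMPLE_LOGS[hit["line"]][:60], hit["indicators"])
```

The endpoint line that only carries a tool name comes out ahead of the proxy line that carries an IP, a domain and a URI pattern: a tool name is harder for the adversary to swap than an address, so it is the better lead, even though the proxy line matched more indicators.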

Threat hunting and incident response go beyond just deploying a product within the network and responding to whatever it alerts on. They go beyond normal rule- and/or signature-based mechanisms to detect the threats that one cannot detect with just plug-and-play devices. Both require a human factor to perform these actions. Deep diving into the network and looking for adversaries (active defence and/or pro-active investigations) is a must-have within the organisation, and incident responders and the IT team must work hand in hand. And don’t forget to involve forensics. Yes, we need forensics to gather evidence properly.

Threat Hunting phases:

  1. Create and/or define hypotheses
  2. Investigate via tools and techniques
  3. Identify new patterns and TTPs (tools, techniques and procedures)
  4. Inform and update the analytics platform and/or database
  5. Go back to step 1

It’s my pleasure to announce that I have recently been honoured to co-author a book with Don Murdoch. The book will be used as a field guide and/or playbook for threat hunters during threat hunting.

Happy Hunting !!!!

Phishing SMS – A failed attempt

Just about an hour ago I received a text from one of my mentors. Excited, I read it, but I know him very well and knew it wasn’t him.

The phishing text:

It’s possible to do 10 k in 10 day.


I texted him directly in a new message rather than replying to the message, and verified that it was indeed phishing.

1. The message had no phone number associated with it.

2. Looking at the details of the name – the sender – they were empty. Normally, if a contact in your address book sends a message you can see their details as stored on your phone.

Possible motives:

1. By sending a text, an attacker can verify whether the number exists via a delivery notification.

2. If someone responds – a response in this case is not feasible as it has no return number – then the attacker can continue with a social engineering attack.

3. Likely I was targeted and the attacker was trying to deceive me into clicking on the link and getting some results back to him/her.

I will be analysing the link to understand whether it has any embedded and/or crafted scripts that target mobile phones. This may be an attempt to exploit the QuadRooter set of vulnerabilities on Android.

YARA rule for Dridex

I have been learning YARA for a few days and below is my first YARA rule, for IOCs collected while analysing a Word document. The analysis concluded with the presence of Dridex malware.

rule dridex : dridex
{
    meta:
        description = "Dridex Malware Indicators"
        author = "Kunal Makwana"
        date = "2016/04/03"
        threat_level = 4
        in_the_wild = true

    strings:
        // the indicator values are not preserved on this page; YARA will not
        // compile an empty string, so fill these in before using the rule
        $domain = "" nocase
        $ip = "" wide ascii
        $mail = "" wide ascii

    condition:
        $domain or $ip or $mail
}
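The string modifiers in the rule decide which bytes the three strings actually match, and that is easy to get wrong when the indicators come out of a Word document, where text is often stored as UTF-16. As an added illustration (my own Python, not the author's rule and not a YARA implementation), the functions below model only the three modifiers used above: ascii matches the raw bytes, wide matches the UTF-16LE form (each character followed by a NUL byte), and nocase makes the comparison case-insensitive. The indicator values are constructed placeholders standing in for the rule's blank strings, not Dridex IOCs.

```python
import re


def build_pattern(text: str, modifiers: set) -> re.Pattern:
    """Turn one YARA text string plus its modifiers into a regex over bytes.

    ascii  -> the raw single-byte form of the string (YARA's default)
    wide   -> the UTF-16LE form, each character followed by a NUL byte, which is
              how Windows binaries and Office files frequently store text
    nocase -> case-insensitive comparison
    Only these three modifiers are modelled here.
    """
    if not text:
        raise ValueError("empty string: YARA refuses to compile these as well")
    forms = []
    if "ascii" in modifiers or "wide" not in modifiers:
        forms.append(re.escape(text.encode("latin-1")))
    if "wide" in modifiers:
        forms.append(re.escape(text.encode("utf-16-le")))
    flags = re.IGNORECASE if "nocase" in modifiers else 0
    return re.compile(b"|".join(forms), flags)


def scan(data: bytes, strings: dict) -> dict:
    """Return {identifier: [offsets]} for every string that matched in data."""
    hits = {}
    for ident, (text, modifiers) in strings.items():
        offsets = [m.start() for m in build_pattern(text, modifiers).finditer(data)]
        if offsets:
            hits[ident] = offsets
    return hits


# Constructed placeholders standing in for the rule's blank indicators; they are
# not Dridex IOCs (the IP is from the TEST-NET-3 documentation range).
DRIDEX_STRINGS = {
    "$domain": ("c2-update.example", {"nocase"}),
    "$ip": ("203.0.113.77", {"wide", "ascii"}),
    "$mail": ("billing@c2-update.example", {"wide", "ascii"}),
}


def rule_dridex_matches(data: bytes) -> bool:
    """Condition of the rule above: $domain or $ip or $mail."""
    return bool(scan(data, DRIDEX_STRINGS))


if __name__ == "__main__":
    # Constructed samples: an HTTP request line in upper case, a UTF-16LE blob
    # like a docx string table, and a clean buffer.
    samples = [
        b"GET http://C2-UPDATE.EXAMPLE/gate.php HTTP/1.1",
        b"\x00\x00" + "203.0.113.77".encode("utf-16-le") + b"\x00\x00",
        b"nothing to see here 203.0.113.7",
    ]
    for s in samples:
        print(rule_dridex_matches(s), scan(s, DRIDEX_STRINGS))
```

Note what the modifiers buy you: $domain hits the upper-case request line only because of nocase, and $ip hits the UTF-16 blob only because of wide; without wide, an indicator copied from a document's text would be matched in the document's own encoding and silently miss.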

I will be writing more as the days go by.

Happy Malware Analysis!!!!!

List of IOCs collected so far


This post is to share the indicators of compromise that I have collected so far for the analysis and investigation I have been doing.

Most of them are collected from other websites as JSON, MISP exports etc. Normally I update that back to but I just wanted to share it on my blog too.

Following are the links where you can find the list of IOCs in CSV format – some indicators are quite old and some are new. I will see if I can re-verify them, but that will take some time.


Happy Hunting!!!!!

A JavaScript file – Invoice from UK

It’s been quite a while since I was able to analyse my spam emails. Recently, I received an email with a zip attachment claiming to be an invoice. Screenshot of the email below.


Email analysis:

  • Sender:
  • IP – extracted from the header: – – Bulgaria
  • The sender does not know my name, so addressed me by my email id – chances are a phishing tool was used, sending random phishing emails.
  • No mention of the organisation Mr Royce is representing – likely Sunshine Care – but no mention in the signature. Sunshine Care is and provides health and social care services in the UK.

  • Zip file named with my email id: myemailid_addition_028146
  • Contains JavaScript: addition-7866.js

JavaScript analysis:

  • The JavaScript seems to be incomplete and functions are not properly defined
  • Only one eval is visible: eval(aZRcdUoP1.split('').reverse().join(''));
  • aZRcdUoP1 is the only defined variable; however, its definition is commented out.
  • The function aZRcdUoP1.split is therefore not defined at all.
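The eval line above is a common trick: the payload is stored reversed so that it does not appear in clear text, and split('').reverse().join('') restores it only at run time. The safe way to see what would have run is to do the reversal statically instead of executing the script. The following Python is an added example, not code from the post or from the attachment; it works on a constructed stand-in script that mirrors the structure described in the bullets (the only assignment to the variable is commented out) and reports both the decoded text and whether the script could have run at all. The function name in the sample is invented, and the stand-in payload is a harmless WScript.Echo call.

```python
import re

# Matches eval(NAME.split('').reverse().join('')) with either quote style.
EVAL_RE = re.compile(
    r'''eval\(\s*([A-Za-z_$][\w$]*)\s*\.split\((["'])\2\)\.reverse\(\)\.join\((["'])\3\)\s*\)'''
)


def find_reversed_eval(script: str):
    """Return the name of the variable being reversed and eval'd, or None."""
    m = EVAL_RE.search(script)
    return m.group(1) if m else None


def find_assignment(script: str, name: str):
    """Locate name = '<literal>'; also when the whole line is // commented out.

    Returns {"literal": ..., "commented_out": bool}, or None if the variable is
    never assigned a string literal.
    """
    pattern = re.compile(
        r'''^[ \t]*(//[ \t]*)?(?:var[ \t]+)?''' + re.escape(name)
        + r'''[ \t]*=[ \t]*(["'])((?:\\.|(?!\2).)*)\2[ \t]*;''',
        re.MULTILINE,
    )
    m = pattern.search(script)
    if not m:
        return None
    return {"literal": m.group(3), "commented_out": m.group(1) is not None}


_ESCAPES = {"\\\\": "\\", "\\'": "'", '\\"': '"', "\\n": "\n", "\\r": "\r", "\\t": "\t"}


def unescape_js(literal: str) -> str:
    """Resolve the common JS backslash escapes inside a string literal."""
    return re.sub(r"\\.", lambda m: _ESCAPES.get(m.group(0), m.group(0)[1:]), literal)


def decode_reversed_eval(script: str) -> dict:
    """Statically recover what the reversed-string eval would execute, without running it."""
    name = find_reversed_eval(script)
    if name is None:
        return {"pattern_found": False}
    assignment = find_assignment(script, name)
    if assignment is None:
        return {"pattern_found": True, "variable": name, "defined": False}
    return {
        "pattern_found": True,
        "variable": name,
        "defined": True,
        "assignment_commented_out": assignment["commented_out"],
        # a commented-out assignment leaves the name undefined, so the eval never runs
        "would_run": not assignment["commented_out"],
        "decoded": unescape_js(assignment["literal"])[::-1],
    }


# Constructed stand-in for the attachment (invented function name, harmless
# payload): the only assignment is commented out, the defect noted above.
SAMPLE_JS = r"""
// var aZRcdUoP1 = ';)"daolyap dedoced"(ohcE.tpircSW';
function unused() { return 1; }
eval(aZRcdUoP1.split('').reverse().join(''));
"""

if __name__ == "__main__":
    print(decode_reversed_eval(SAMPLE_JS))
```

Run against the stand-in, the result says the pattern is present, the variable is defined only in a comment, the script would not run, and the reversed literal is a plain WScript.Echo call; uncommenting the assignment flips would_run to true while the decoded text stays the same, which is the whole point of reading the payload statically rather than trusting whether the sample happened to execute in a sandbox.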

There are no other HTML files in the attachment that reference the script. I uploaded the file to VirusTotal and the results were interesting – 22 vendors identified it as malicious –

The file was also analysed using JSDetox and jsunpack and nothing was detected. It is likely that the same filename was analysed previously via VirusTotal, which has links or IOCs as detected by vendors. Below are the file details:

  • MD5: ee427a22d3a6e25251bbfb7bc3823140
  • SHA1: d675fddd4e85400a8f712792f6711dbf0e003c34
  • SHA256: b35cf64a33c965b36e4de6d7a6e1a6bb088d8070e202326c941700c6dfd8800e

The JS was not able to execute, as by default Windows Script Host can only execute scripts of 1022 characters or fewer. You can always change this, but the solution is beyond this article.

Final words:

The email address and language are quite good, but the malware/JS is quite old and not properly scripted. The attachment is a zip containing only one JS file. Also, the malware is widely known.

Security controls:

  • Endpoint protection – normally all corporate organisations have it
  • Changing file associations – if for some reason endpoint protection is not updated or not available on the system, a good way to make sure foreign files do not execute is to change their default application – for example, .js files can be opened in Notepad – which can be done via group policy. This makes sure that any foreign/malicious JavaScript that manages to get onto the system opens as a text file, which will not infect the system, and it alerts the user to a file that should not be there.
  • Email gateway tuning – the gateway must be properly tuned to make sure these types of emails are treated as spam – most properly tuned gateways will do so – and the mentioned email/IP can be added to the security devices.

The Vendor, The MSSPs and The Consultant

I have been waiting for quite a while to write something about my experience with vendors, MSSPs and consultants. This is my own opinion and is not targeting any specific entity. I have worked with multiple vendors, MSSPs and consultants, and what I have always noticed is the “OUR” attitude. I do understand they are here to make money and sell their services/solutions, but there is nothing wrong in sprinkling it with some honesty.

  • Vendors – Buy our products and you will be safe.
  • MSSPs – Subscribe to our services and you will be safe.
  • Consultants – Implement our recommendations and you will be safe.

We all know that once you are connected to the Internet there will eventually be someone who targets you and successfully gains access to your systems. It’s not about ‘if’, it’s about ‘when’ (SANS GCIH). There are no “PERFECT” systems. There are ways to access air-gapped systems too, but that is beyond this article.

As I see it, vendors are for detection and prevention; MSSPs are more reactive, with a lot of customers and few eyes, and sometimes those eyes are not very experienced; and consultants – how many consultants have actually used the product they are endorsing/recommending? Wouldn’t it be good if they recommended a product/solution that they have actually used?

This attitude is one of the many reasons why organisations get breached – of course security awareness and correct implementation of security controls are also required – but imagine if all three worked together and provided honest, correct and pro-active solutions to customers; it would be a completely different picture. Also, organisations need to invest heavily in people. A lot of organisations are relying on outsourcing their security and depending on it completely. This concept is wrong, and every organisation should have an internal security team with expertise in multiple areas, to have additional eyes on the organisation.

Understand: our adversary – CYBER CRIMINALS – work as a team and with a strategy, and we should too.