Elevate Cyber Defense with Qualys Advanced Hunting

Introduction

In today's cyber threat landscape, proactive approaches such as threat hunting have become key in any organization's defense strategy, identifying and tackling threats before they become an incident.

That is why Qualys is delighted to introduce Advanced Hunting, our threat-hunting functionality in the Endpoint Detection and Response (EDR) platform that allows security teams to actively search for potential threats, identify potential breaches, and uncover malicious activities that might have bypassed traditional detection methods. To further streamline the hunting process, our Threat Research Unit has developed a set of curated, predefined hunting queries, allowing teams to jump-start their investigations with insights based on the latest threat intelligence.

Qualys EDR Advanced Hunting

Advanced Hunting is based on Qualys Query Language (QQL). It provides an expressive and flexible way for analysts to perform various operations like Search by Field, String matching, Exact matching, Full Text Search, etc.

This blog explores Advanced Hunting and how it empowers cybersecurity professionals to enhance their environment's overall security.

Qualys's TRU offers a curated collection of custom pre-built hunting queries tailored to hunt for trending threats, MITRE ATT&CK TTPs, and common use cases. These queries help analysts search for anomalies in their endpoints and eliminate potential threats.

• Common Hunting Queries: Investigate common hunting scenarios.
• Trending Threat: Hunt for trending threats.
• ATT&CK TTP: Investigate MITRE ATT&CK TTPs.

Advanced Hunting is located at Qualys > Endpoint Detection and Response > Hunting > Advanced Hunting. In the next section, we will briefly examine advanced hunting in action while investigating a ransomware attack.

Use-Case: Investigation using Advanced Hunting

The following scenario elaborates on how hunting queries can be used. The malware is executed in the Qualys Research Environment in "Detect Only" mode to capture relevant events.

An analyst ran a predefined advanced hunting query - "Registry Run Keys Modification" and found a suspicious registry modification.

• We found the following suspicious registry entry created in the system -

• Let's investigate further and check how this registry was created in the system.

The Process Tree of this event shows "powershell.exe" has created this registry entry with the following arguments -

• This "powershell.exe" is executed by cmd.exe (PID: 8420)

• The process cmd.exe (PID: 8420) also executed the following processes

• This "cmd.exe" is executed by WinUpdater.exe (PID: 4524).

• "WinUpdater.exe" is executed from the following location:

• Using the following hunting query, we can find the activity performed by "WinUpdater.exe"

• WinUpdater.exe has
  • Established Network connection

• Bmatter.exe is executed via cmd.exe by WinUpdater.exe

• Using the following hunting query, we can find the files modified by "bmatter.exe"

• Several files are renamed by the process "bmatter.exe" to the "X6NHiD5Oz" extension.
• This suggests that "bmatter.exe" is ransomware.

• Using the following hunting query, we can find which process has created "WinUpdater.exe"

• The "WinUpdater" is created by "firefox.exe", a web browser.
• The malware must have come into the system via a download.

Thus, using Advanced Hunting, we have identified the threat and its activities. The user can explore further and find more information about the threat using Advanced Hunting.

Hunting and documenting help us piece together attacker activity like the one below.

Hunting Queries Examples

In this section, we have listed some examples of hunting queries:

1. Processes or Executables: Querying for a specific process that is running on certain endpoints.

2. Suspicious PowerShell Scripts: Query that can help detect the execution of encoded PowerShell commands that might indicate potential compromise.

3. Scheduled Task Created: Search for abnormal scheduled tasks created in system that point to temp. This may suggest an attacker is trying to maintain persistence on the system after initial access.

4. File Hashes: Searching for known malicious hash values (MD5, SHA256) across all endpoints.

5. Network Connections: Identify endpoints that have made suspicious outbound connections to suspicious IP addresses.

6. Winlogon registry Changes: Detecting unusual changes in the Windows Registry that could be malware persistence.

7. System Information Discovery: Query for commands that are used for getting system information in the last 24 hours.

8. Inhibit System Recovery: Identify deletion of Shadow Copy using VSSAdmin

9. Archive Collected Data: Data is archived using utilities like 7z, WinRAR, etc.

10. Suspicious File Downloads via Curl: Detects the execution of curl.exe with arguments indicative of file downloads, often used in malicious activities for downloading files.

Conclusion

Qualys' Advanced Hunting offers a powerful approach for identifying and responding to emerging threats in real time. With curated, predefined hunting queries created by our Threat Research Unit, security teams can quickly and effectively launch targeted investigations, maximizing the efficiency and impact of their threat-hunting efforts. By enabling teams to proactively search for and address potential risks, Advanced Hunting enhances incident response capabilities and helps prevent costly security breaches. Advanced hunting within the Qualys EDR platform is an invaluable tool for organizations seeking a proactive and flexible approach to endpoint security.

Contributors

• Akshay Thorve, Senior Threat Engineer, Qualys

Related

Public link

Please use the above public link if you want to share this noodl on another website.