Attack-Based Hunting (ABH) focuses on finding a specific, known attack technique by analyzing evidence that conventional security controls (signatures, alert rules) may not flag on their own. The methodology suits beginners because it requires working knowledge of the one attack being hunted rather than broad cybersecurity experience.

ABH Process Workflow

The workflow of Attack-Based Hunting begins with targeted questions aimed at uncovering specific threats within your network.

It starts by asking a question of the form "Has _________ happened on my network?" Examples of what fills the blank include:

  • A specific type of malware manifesting (its files, processes, or persistence artifacts).
  • A download of a malicious .exe file.
  • Command-and-control (C2) communication.

Questions to Ask Based on the Attack You Are Looking For:

  1. What are you looking for? (e.g., a specific filename, process name, or username)
  2. Where will you find the evidence of the attack? (e.g., memory, host logs, network traffic)
  3. How will you manipulate the data to make it visible? (e.g., filter, aggregate, sort)

Example: Detecting Credential Theft

Scenario: Credential theft often involves running an unauthorized tool that dumps credentials from system memory; the stolen credentials are then used for unauthorized access.

  • What to look for: Execution of uncommon or unauthorized processes that could be dumping credentials.
  • Where to find it: Process-creation logs, particularly Windows Security Event ID 4688 ("A new process has been created"). Note that 4688 is only written when the "Audit Process Creation" policy is enabled, and the command line is only included if "Include command line in process creation events" is also turned on; Sysmon Event ID 1 is a common alternative source that records the same information.
  • Data manipulation: Aggregate (stack) the events by process name or, better, by full executable path, and examine the least frequently occurring entries. A rare process is not automatically malicious, so pivot on each candidate's user, host, parent process, and command line before deciding.
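The three questions above and the credential-theft walkthrough describe a stacking (long-tail) hunt over process-creation events. The following Python is an added example written for this page, not code from the original article or from BlueYard Labs. It builds a small constructed set of 4688-style records inline (field names follow the 4688 schema: NewProcessName, ParentProcessName, SubjectUserName, CommandLine; the hosts, users, paths and command lines are invented), stacks them by full path and by basename, returns the rarest entries, and pulls the full records behind a candidate so the hunter can pivot on user, host, parent and command line. It goes one step beyond the text by also stacking on (process name, parent process name), which exposes a binary that borrows a common name (a "svchost.exe" launched from a user directory by cmd.exe) and would otherwise hide inside the count of the legitimate one.

```python
"""Stacking Windows Event ID 4688 process-creation events to surface rare processes."""
from collections import Counter


def _ev(host, user, proc, parent, cmd):
    """Build one 4688-style record (constructed sample data, not a real export)."""
    return {"EventID": 4688, "Computer": host, "SubjectUserName": user,
            "NewProcessName": proc, "ParentProcessName": parent, "CommandLine": cmd}


SYS32 = r"C:\Windows\System32"
EXPLORER = r"C:\Windows\explorer.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed sample: mostly routine activity, plus two records (at the end) that a
# hunter would want to find. Hosts, users and command lines are invented.
SAMPLE_EVENTS = [
    _ev("WS01", "alice", SYS32 + r"\svchost.exe", SYS32 + r"\services.exe", "svchost.exe -k netsvcs"),
    _ev("WS02", "SYSTEM", SYS32 + r"\svchost.exe", SYS32 + r"\services.exe", "svchost.exe -k netsvcs"),
    _ev("WS03", "SYSTEM", SYS32 + r"\svchost.exe", SYS32 + r"\services.exe", "svchost.exe -k RPCSS"),
    _ev("WS04", "SYSTEM", SYS32 + r"\svchost.exe", SYS32 + r"\services.exe", "svchost.exe -k netsvcs"),
    _ev("WS01", "alice", EXPLORER, SYS32 + r"\userinit.exe", "explorer.exe"),
    _ev("WS02", "carol", EXPLORER, SYS32 + r"\userinit.exe", "explorer.exe"),
    _ev("WS05", "dave", EXPLORER, SYS32 + r"\userinit.exe", "explorer.exe"),
    _ev("WS01", "alice", CHROME, EXPLORER, "chrome.exe"),
    _ev("WS02", "carol", CHROME, EXPLORER, "chrome.exe"),
    _ev("WS05", "dave", CHROME, EXPLORER, "chrome.exe"),
    _ev("WS05", "dave", SYS32 + r"\cmd.exe", EXPLORER, "cmd.exe"),
    _ev("WS07", "bob", SYS32 + r"\cmd.exe", EXPLORER, "cmd.exe"),
    # Constructed anomalies: an unknown binary in Temp, and a "svchost.exe" that is
    # not the real one (wrong directory, wrong parent).
    _ev("WS07", "bob", r"C:\Users\bob\AppData\Local\Temp\update.exe", SYS32 + r"\cmd.exe", "update.exe --dump"),
    _ev("WS07", "bob", r"C:\Users\bob\Downloads\svchost.exe", SYS32 + r"\cmd.exe", "svchost.exe"),
]


def _basename(win_path):
    """Last path component of a Windows path (string split, so it works on any OS)."""
    return win_path.rsplit("\\", 1)[-1]


def process_key(event, key="path"):
    """Stacking key for one event: the lowercased full path, or just the basename."""
    path = event["NewProcessName"].lower()
    return path if key == "path" else _basename(path)


def stack(events, key="path"):
    """Count how often each process appears (the 'aggregate by process name' step)."""
    return Counter(process_key(e, key) for e in events)


def long_tail(events, key="path", max_count=1):
    """Rarest processes first: entries seen at most max_count times, ties broken by key."""
    counts = stack(events, key)
    return sorted(((k, c) for k, c in counts.items() if c <= max_count),
                  key=lambda kc: (kc[1], kc[0]))


def parent_child_pairs(events):
    """Stack on (process basename, parent basename). A common name spawned by an
    unusual parent stands out here even when its basename count looks normal."""
    return Counter((process_key(e, "name"), _basename(e["ParentProcessName"].lower()))
                   for e in events)


def pivot(events, key_value, key="path"):
    """Full context behind one stacked entry, for deciding whether it is benign."""
    return [{"Computer": e["Computer"], "SubjectUserName": e["SubjectUserName"],
             "ParentProcessName": e["ParentProcessName"], "CommandLine": e["CommandLine"]}
            for e in events if process_key(e, key) == key_value]


if __name__ == "__main__":
    print("Rarest by full path:")
    for path, count in long_tail(SAMPLE_EVENTS):
        print(f"  {count:>3}  {path}")
        for ctx in pivot(SAMPLE_EVENTS, path):
            print(f"       {ctx['Computer']} {ctx['SubjectUserName']} "
                  f"parent={_basename(ctx['ParentProcessName'])} cmd={ctx['CommandLine']!r}")
    print("\nStacking by basename alone hides the fake svchost.exe:")
    print("  svchost.exe count =", stack(SAMPLE_EVENTS, "name")["svchost.exe"])
    print("\nRare (name, parent) pairs:")
    for pair, count in parent_child_pairs(SAMPLE_EVENTS).items():
        if count == 1:
            print(f"  {count:>3}  {pair[0]} <- {pair[1]}")
```

Stacking by basename reports five svchost.exe executions and nothing unusual; stacking by full path, or by (name, parent) pair, isolates the copy in Downloads. On real data, run the same aggregation over a day or a week of 4688 (or Sysmon Event ID 1) events and work the tail upward, pivoting on each candidate before escalating.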

💡 Note: In our lab exercise, we
