Threat Hunting

Yara

# Basic Rule to match string
rule matchString {
	strings:
		$someString = "Match me!"
	condition: 
		$someString
}

# Match any of the following strings
rule matchString {
	strings:
		$someString = "Match me!"
		$someString2 = "Or match me!"
		$someString3 = "Match me too!"
	condition: 
		any of them
}

Cheatsheet

source: https://blog.securitybreak.io/security-infographics-9c4d3bd891ef#18dd

Windows

Just use sysinternals...

https://docs.microsoft.com/en-us/sysinternals/

Linux

View Processes:

ps -aux

List running Services:

systemctl list-units --type=service --state=running

Check your logs: Can be useful to check for "nc" or other attacker tools:

cat /var/log/syslog | Grep <something>

Active TCP and UDP connections:

ss -tulpn

Crontab

Check your crontab:

crontab -l

Clear your crontab:

crontab -r

Log Analysis

# Get number of occurences
wc -l

# Get number of unique occurences
uniq -c

# Sort by number of uniq occurences
cat file.txt | uniq -c | sort -n

PreviousOne Liners NextScripts

Last updated 3 years ago

hashtagYara

hashtagCheatsheet

hashtagWindows

hashtagLinux

hashtagCrontab

hashtagLog Analysis